Solved

removing broke domain controller...then upgrading to MS Win 2K12

Posted on 2014-04-08
Last Modified: 2014-11-07
Hello…

The solutions to my problems may have already been answered from other questions. In which case, please refer me to the proper links. Thank you.

The premise…
Our domain consists of multiple Windows 2003 servers and two Windows 2000 servers as the domain controllers. The plan is to move from the two Windows 2000 servers to two Windows 2012 servers as domain controllers. Because there is no direct path to upgrade from Win Server 2000 to Win Server 2012, we need to upgrade the current two domain controllers to Windows 2003 (or Windows 2008) then upgrade to Windows Server 2012.

The short version of the problem….
Of the two current Windows 2000 server domain controllers (DC1 and DC2), DC1 has problems. We get the message, “There are no endpoints available from the endpoint mapper.” This and other problems affect its ability to replicate and communicate with DC2. And we cannot transfer FSMO roles between the two DCs because of these problems.

The basic solution to the problem…
From what’s been relayed to me, it appears my best course is: 1) to shut down DC1 and 2) use DC2 to seize the FSMO roles. And move forward from that point. What’s a little unclear to me is once I seize the remaining FSMO roles and move those roles to DC2:

“Should I simply run adprep on that single domain controller DC2?” (and move forward to Windows 2012 from there.)

“Or should I promote a new Windows 2000 server to domain controller and once again have two Windows 2000 servers for domain controllers?” (and move forward to Windows 2012 from there.)

And once adprep has run successfully, shouldn’t I simply be able to promote a new Windows Server 2003 (or Windows Server 2008) to domain controller and move some or all the FSMO roles to the Win 2K3 (or Win 2K8) server?

But the underlying point here is that I am past trying to fix DC1. I need to find the best way to: 1) gracefully remove DC1…2) run adprep on the remaining domain controller (whether it's DC2 or another domain controller)….and 3) move forward to upgrading to Windows Server 2012 as the final steps. I need to make sure to do whatever is needed before I shut down and remove DC1.

Your input is appreciated and if you have questions, please ask.

Thank you.  

L Long
Question by:LLong29
6 Comments

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
You will also need to go through a metadata cleanup to get rid of the old DC1

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

I'd personally probably promote another 2000 box as fast as possible.   Just to have two good working DCs before doing any upgrades, etc.   Just think if DC2 goes down hard right now and you have no good backup?

Thanks

Mike

Assisted Solution

by:Mahesh
Mahesh earned 167 total points
You simply can't upgrade schema to 2012 version since you are having 2000 DC and schema version.

If you have a problem with one 2000 DC, you can shut down the problematic DC and seize roles on another DC; this plan is correct.
Mike's suggestion is also really very good! Play safe.
After that you have to upgrade the AD schema to either Windows 2008 \ 2008 R2.
For that your domain functional level must be at least Windows 2000 native mode.
It can be upgraded to 2003 as well, but I do not recommend that since you have the option to go to 2008 R2 directly.

Once you have upgraded the schema to 2008 R2, just introduce 2008 R2 ADCs in the network and transfer FSMO roles and verify its functionality thoroughly.
Then just demote the 2000 DCs from the network and then you are good to go with the 2012 schema upgrade and 2012 DC installation.

Mahesh.
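
The role seizure and metadata cleanup discussed in the two answers above, as an added example that is not part of either post. It assumes the commands are run on DC2 (the surviving DC from the question) with the Windows Support Tools installed; the index numbers are placeholders to be read from the `list` output, and DC1 must stay off the network for good once its roles have been seized.

```batch
rem Added example, not from the thread. DC2 is the surviving DC named in
rem the question; the indexes 0/0/1 below are placeholders (assumptions).

rem 1. Check what DC2 currently believes about the role holders.
netdom query fsmo

rem 2. With DC1 permanently powered off, seize all five FSMO roles onto DC2.
rem    ntdsutil first attempts a clean transfer, then seizes when DC1 is
rem    unreachable, and asks for confirmation on each role.
ntdsutil roles connections "connect to server DC2" quit ^
  "seize schema master" ^
  "seize domain naming master" ^
  "seize RID master" ^
  "seize PDC" ^
  "seize infrastructure master" ^
  quit quit

rem 3. Confirm that every role now lists DC2.
netdom query fsmo

rem 4. Metadata cleanup, listing pass: note the index numbers printed for
rem    the domain, the site and the DC1 server object.
ntdsutil "metadata cleanup" connections "connect to server DC2" quit ^
  "select operation target" "list domains" "select domain 0" ^
  "list sites" "select site 0" "list servers in site" quit quit quit

rem 5. Metadata cleanup, removal pass: substitute the indexes from step 4.
rem    "select server 1" must be DC1's entry, never DC2's.
ntdsutil "metadata cleanup" connections "connect to server DC2" quit ^
  "select operation target" "select domain 0" "select site 0" ^
  "select server 1" quit "remove selected server" quit quit

rem 6. Health check on the remaining DC before any adprep run.
dcdiag /s:DC2
```

After the cleanup, the leftover DC1 server object in Active Directory Sites and Services and its DNS records still need to be removed by hand, as the linked metadata cleanup article describes.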

Author Comment

by:LLong29
Hello...

Thank you for your comment.

Ever since I have been having problems with DC1, I built a Windows 2000 Server and added it to the domain. That server is literally not doing any work other than being powered up and logged into. It's my "backup Windows 2000 server". My thoughts were to use that server as my "second domain server" after I remove DC1 and seize the roles using DC2.

I considered that if I removed DC1 and got DC2 to run adprep within a day or so maybe I could simply use the single DC. But certainly (as you pointed out), it makes better sense to maintain two DCs at all times.

And thank you for the information about the metadata.

Accepted Solution

by:
Premkumar Yogeswaran earned 166 total points
hi,

Check the pre-requisites and required information from the below MS site..

http://technet.microsoft.com/en-us/library/hh994618.aspx

After changing the existing DCs to 2003, follow the below link for upgrading to 2012.

As well as 2012 DC installation.

https://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx

Author Comment

by:LLong29
Hello...

Mr. Mahesh, thank you for your information. If it's possible, we may pick upgrading to 2008 R2 instead of 2003. But that will depend on some other factors...

And Mr. Premkumar, thank you also for the links you sent. I believe I may have seen one of those links before. But I am happy that more than one source has suggested the same procedure.

Thank all of you gentlemen. We hope to start this procedure within the next week or so.

L Long

Author Comment

by:LLong29
Hello... This is just to let you gentlemen know that we will be shutting down broke DC controller next week April 22nd. We had to delay shutting down broke DC controller because of scheduling concerns. On April 23rd I will post results of the shutdown.   L Long