Solved

removing broke domain controller...then upgrading to MS Win 2K12

Posted on 2014-04-08
Last Modified: 2014-11-07
Hello…

The solutions to my problems may have already been answered from other questions. In which case, please refer me to the proper links. Thank you.

The premise…
Our domain consists of multiple Windows 2003 servers and two Windows 2000 servers as the domain controllers. The plan is to move from the two Windows 2000 servers to two Windows 2012 servers as domain controllers. Because there is no direct path to upgrade from Win Server 2000 to Win Server 2012, we need to upgrade the current two domain controllers to Windows 2003 (or Windows 2008) then upgrade to Windows Server 2012.

The short version of the problem….
Of the two current Windows 2000 server domain controllers (DC1 and DC2), DC1 has problems. We get the message, “There are no endpoints available from the endpoint mapper.” This and other problems affect its ability to replicate and communicate with DC2. And we cannot transfer FSMO roles between the two DCs because of these problems.

The basic solution to the problem…
From what’s been relayed to me, it appears my best course is: a) to shut down DC1 and b) use DC2 to seize the FSMO roles. And move forward from that point. What’s a little unclear to me is once I seize the remaining FSMO roles and move those roles to DC2:

“Should I simply run adprep on that single domain controller DC2?” (and move forward to Windows 2012 from there.)

“Or should I promote a new Windows 2000 server to domain controller and once again have two Windows 2000 servers for domain controllers?” (and move forward to Windows 2012 from there.)

And once adprep has run successfully, shouldn’t I simply be able to promote a new Windows Server 2003 (or Windows Server 2008) to domain controller and move some or all the FSMO roles to the Win 2K3 (or Win 2K8) server?

But the underlying point here is that I am past trying to fix DC1. I need to find the best way to: 1) gracefully remove DC1, 2) run adprep on the remaining domain controller (whether it's DC2 or another domain controller), and 3) move forward to upgrading to Windows Server 2012 as the final steps. I need to make sure to do whatever is needed before I shut down and remove DC1.

Your input is appreciated and if you have questions, please ask.

Thank you.  

L Long
Question by:LLong29
6 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
ID: 39987042
You will also need to go through a metadata cleanup to get rid of the old DC1

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

I'd personally probably promote another 2000 box as fast as possible. Just to have two good working DCs before doing any upgrades, etc. Just think if DC2 goes down hard right now and you have no good backup?

Thanks

Mike
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 167 total points
ID: 39987227
You simply can't upgrade the schema to the 2012 version since you have a 2000 DC and schema version.

If you have a problem with one 2000 DC, you can shut down the problematic DC and seize the roles on another DC; this plan is correct.
Mike's suggestion is also really very good! Play safe.
After that you have to upgrade the AD schema to either Windows 2008 \ 2008 R2.
For that your domain functional level must be at least Windows 2000 native mode.
It can be upgraded to 2003 as well, but I do not recommend that since you have the option to go to 2008 R2 directly.

Once you have upgraded the schema to 2008 R2, just introduce 2008 R2 ADCs in the network, transfer the FSMO roles and verify functionality thoroughly.
Then just demote the 2000 DCs from the network and then you are good to go with the 2012 schema upgrade and 2012 DC installation.

Mahesh.
0
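The seizure and metadata cleanup discussed in the two answers above, as an added example that is not part of any participant's post: a batch file for the Windows 2000 command prompt on DC2 using `ntdsutil`. It assumes the Support Tools are installed (for `netdom`) and that DC1 is already powered off permanently; the index values are read off the listings at run time.

```bat
@echo off
rem Added example. Run on DC2 with Domain, Enterprise and Schema Admin rights,
rem only after DC1 is powered off for good. A DC whose roles were seized must
rem never be reconnected to the network.

rem --- 1. Seize the five FSMO roles onto DC2 ------------------------------
rem ntdsutil attempts a clean transfer first and seizes only when the old
rem holder does not answer. Each role asks for confirmation.
ntdsutil roles connections "connect to server DC2" quit ^
  "seize schema master" ^
  "seize domain naming master" ^
  "seize RID master" ^
  "seize PDC" ^
  "seize infrastructure master" ^
  quit quit

rem --- 2. Confirm that every role now points at DC2 -----------------------
netdom query fsmo
pause

rem --- 3. Metadata cleanup, listing pass (changes nothing) ----------------
ntdsutil "metadata cleanup" connections "connect to server DC2" quit ^
  "select operation target" "list domains" "list sites" quit quit quit
set /p DOMAIN_IDX=Index of the domain in the list above: 
set /p SITE_IDX=Index of the site that held DC1: 

ntdsutil "metadata cleanup" connections "connect to server DC2" quit ^
  "select operation target" "select site %SITE_IDX%" ^
  "list servers in site" quit quit quit
set /p SERVER_IDX=Index of DC1 (not DC2) in the list above: 

rem --- 4. Metadata cleanup, removal pass ----------------------------------
rem Removes DC1's NTDS Settings object from the directory. Check the index
rem twice: selecting DC2 here would remove the only working DC.
ntdsutil "metadata cleanup" connections "connect to server DC2" quit ^
  "select operation target" ^
  "select domain %DOMAIN_IDX%" ^
  "select site %SITE_IDX%" ^
  "select server %SERVER_IDX%" ^
  quit "remove selected server" quit quit
```

The DC1 server object in Active Directory Sites and Services and DC1's DNS records are not touched by this and are removed separately.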
 

Author Comment

by:LLong29
ID: 39987245
Hello...

Thank you for your comment.

Ever since I have been having problems with DC1, I built a Windows 2000 Server and added it to the domain. That server is literally not doing any work other than being powered up and logged into. It's my "backup Windows 2000 server". My thoughts were to use that server as my "second domain server" after I remove DC1 and seize the roles using DC2.

I considered that if I removed DC1 and got DC2 to run adprep within a day or so maybe I could simply use the single DC. But certainly (as you pointed out), it makes better sense to maintain two DCs at all times.

And thank you for the information about the metadata.
0

 
LVL 17

Accepted Solution

by:
Premkumar Yogeswaran earned 166 total points
ID: 39988848
Hi,

Check the prerequisites and required information from the below MS site.

http://technet.microsoft.com/en-us/library/hh994618.aspx

After changing the existing DCs to 2003, follow the below link for upgrading to 2012.

As well as 2012 DC installation.

https://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
0
 

Author Comment

by:LLong29
ID: 39992512
Hello...

Mr. Mahesh, thank you for your information. If it's possible, we may pick upgrading to 2008 R2 instead of 2003. But that will depend on some other factors...

And Mr. Premkumar, thank you also for the links you sent. I believe I may have seen one of those links before. But I am happy that more than one source has suggested the same procedure.

Thank all of you gentlemen. We hope to start this procedure within the next week or so.

L Long
0
 

Author Comment

by:LLong29
ID: 40006990
Hello... This is just to let you gentlemen know that we will be shutting down broke DC controller next week April 22nd. We had to delay shutting down broke DC controller because of scheduling concerns. On April 23rd I will post results of the shutdown.

L Long
0
