DC migration from 2008 to 2012

We've just finished adding a new Windows Server 2012 R2 DC to our existing 2008 R2 AD environment.  Everything appeared to go smoothly in the transition but we have some follow-up questions.  

1.  When I run "netdom query fsmo", it shows 3 of the roles being held by the new PDC, but 2 (schema master and domain naming master) are still assigned to the old PDC.  Why is this, and what do I need to do to transfer the roles so I can demote the old PDC?  Does this have anything to do with this message I got during migration?

"A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “treyresearch5.net”. Otherwise, no action is required."

2.  When I run "net time" from any client (including the new PDC), it still shows the old PDC as the time source.  I've run

w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /reliable:yes /update
net stop w32time && net start w32time

on the new PDC and

w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time && net start w32time

on the old one, and all clients still show the old PDC as the time server.  What do I need to do to ensure the new PDC is the only time server?

3.  Is it possible to swap the IP addresses of the old and new PDCs so the new one has the same IP the old one did and nothing has to change with client connections?  If so, at what point do I make the swap and is there anything else that needs to be done in conjunction with this?
Will Szymkowski (Senior Solution Architect) commented:
I am assuming you transferred the domain roles (PDC, RID and Infrastructure Master) using Active Directory Users and Computers?

You need to do the following...
Register the AD Schema Snapin
Register Schema snapin (technet)

From there you can open the MMC console for the AD Schema (this is where you transfer the Schema Master role to another domain controller in your environment).

Also for the Domain Naming Master Role you need to do the following...
- Open Domains and Trusts
- right click the Active Directory Domains and Trusts
- select operations Master
- Click the Change button and select the domain controller you want to move the role to

Also, once the Schema Master role has been moved over to another DC, you are going to need to set up an authoritative time source as well.

Configure Authoritative Time Source

Once you have successfully moved the roles to another DC you can demote the old DC.

Verify that the roles have been moved using netdom query fsmo.

I would also recommend performing a DCDIAG to ensure that there are no issues with replication before demoting the old DC.

fallriverelectric (Author) commented:
Thanks for that.  I was able to get the schema master and the domain naming master roles transferred successfully.  However, I've followed the article you linked to for the time service, and the clients are still showing the old PDC as the time server.  What do I need to do to fix this?  

Also, does anyone know if it is possible to swap the IP addresses of the old and new PDCs so the new one has the same IP the old one did and nothing has to change with client connections?  If so, at what point do I make the swap and is there anything else that needs to be done in conjunction with this?

For the 1st question: nothing is wrong. See the thread below.

For the 2nd question:
The process is correct.
Check on the new PDC whether Event IDs 35 and 37 are being reported.
Also check with the commands below whether the time server configuration was successful:
w32tm /query /source
w32tm /query /status

On client machines you can run the commands below from a .bat file as a GPO startup script:

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time


For the 3rd question:
No need to swap IPs; it doesn't help.
Ensure that AD replication and DNS name resolution are happening correctly, and on the new DC ensure that SYSVOL and NETLOGON are shared out.
Check for event 1394 in the Directory Service event log.
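The two checks recommended above (Will's role transfer and Mahesh's w32tm verification), as one added PowerShell script that is not from the thread. It assumes the ActiveDirectory RSAT module, rights to query w32tm on each DC, and a placeholder hostname NEWDC for the 2012 R2 DC. Note that `net time` with no arguments shows the clock of whichever DC the locator returned, which is why it kept naming the old DC; `w32tm /query /source` shows what w32time actually synchronizes from.

```powershell
# Added verification script (not from the thread). Assumes the ActiveDirectory
# module is installed and $NewDc is the new DC's short hostname (placeholder).
param([string]$NewDc = 'NEWDC')

Import-Module ActiveDirectory

# 1. After the transfers, all five FSMO roles should name the new DC.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $state = if ($r.Value -like "$NewDc.*" -or $r.Value -eq $NewDc) { 'OK' } else { 'NOT ON NEW DC' }
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $state
}

# 2. Time hierarchy. The PDC emulator should be an NTP client of an external
#    peer (Type: NTP); every other DC should follow the domain hierarchy
#    (Type: NT5DS). A source of 'Local CMOS Clock' means the DC is not synced.
foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    $src  = (w32tm /query "/computer:$name" /source 2>&1 | Select-Object -Last 1).ToString().Trim()
    $type = (w32tm /query "/computer:$name" /configuration 2>&1 |
             Select-String -Pattern '^\s*Type:\s*(\S+)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value } |
             Select-Object -First 1)
    $isPdc  = $dc.OperationMasterRoles -contains 'PDCEmulator'
    $expect = if ($isPdc) { 'NTP' } else { 'NT5DS' }
    $flag   = if ($type -eq $expect -and $src -ne 'Local CMOS Clock') { 'OK' } else { 'CHECK' }
    '{0,-30} type={1,-6} source={2,-30} {3}' -f $name, $type, $src, $flag
}
```

Run it from an elevated prompt on a domain-joined admin host; any role still showing the old DC, or a non-PDC DC whose Type is NTP, is something to fix before demotion.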
fallriverelectric (Author) commented:
Question 2: Event IDs 35 and 37 are both reporting on the new PDC, and I can see where it had previously shown in the events that it was receiving time from the old PDC, but all the newer events show the external time source I specified.  So that's good, but I tried running

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
on a client (Windows 7) machine and just got an error (The system cannot find the file specified 0x80070002).  I wouldn't really want to have to do this on every single client machine either, is there another option?  

Question 3: We would like to swap IPs so that we don't have to change the DNS server setting for all the clients who have static IP addresses pointing to the old PDC as a DNS server.  So I'm not sure what you mean by it doesn't help?
fallriverelectric (Author) commented:
Update: I tested shutting down the original PDC to see what "net time" would return on a client, and even though it took a few seconds longer the first time I ran it, it did return the new PDC name and time.  It ran quickly after that.  When I powered the old PDC back up, the client is back to reporting to it.  Does this mean the new PDC is effectively operating as a time source and I can safely demote and remove the original PDC?  I don't really understand why the old one is the preferred source when it's running.
Will Szymkowski (Senior Solution Architect) commented:
Do you have a GPO in place to point to the old PDC in question? If you do maybe the policy has not applied to your machine. Also have you setup the external time source on the new PDC server?

fallriverelectric (Author) commented:
No, we aren't pointing to it in any GPOs.  For the external time source, I set a peer list of 4 ntp sites.
it_saige (Developer) commented:
Here is a previous EE PAQ on configuring time services:


As for your IP question, you mention that you have workstations with static IPs.  Not completely frowned upon because, hey, sometimes you need to use static IPs.  However, if I could make a suggestion, why not use DHCP reservations instead of manually configuring each workstation?  Using a DHCP reservation allows you to statically assign IPs but gives you the benefit of:
- Ensuring that all clients on the network use the same scheme
- Less probability of IP conflicts
- Easier administration

If you cannot (or do not want to) do this, it's not really a problem, just a suggestion.  As for the IP change, you just want to make sure before you change the IP address, that you clean up your DNS by ensuring that all records for the old server have been removed (DCPROMO should take care of this, but it's not uncommon for some cleanup to be required).

Once you ensure that all records have been cleared, it's really just a simple matter of changing the IP address.  The clients *should* essentially continue to work with very little fuss (although you may need to have them do a release and renew of their IP address or even a reboot).
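The DNS cleanup check described above, as an added PowerShell example that is not from the thread. It assumes the DnsServer RSAT module, rights on the DNS server, and placeholder values for the old DC's name and address, the zone, and the DNS server to query; it only lists stale records so you can review them before removing any.

```powershell
# Added example (not from the thread). All parameter defaults are placeholders.
param(
    [string]$OldDc     = 'OLDDC',           # assumed short name of the DC being retired
    [string]$OldIp     = '192.0.2.10',      # assumed old DC address (documentation range)
    [string]$Zone      = 'example.test',    # assumed AD domain DNS zone
    [string]$DnsServer = 'NEWDC'            # assumed DNS server to query
)
Import-Module DnsServer

# Pull the target name/address out of the record types a DC registers.
function Get-RecordTarget($rec) {
    switch ($rec.RecordType) {
        'A'     { $rec.RecordData.IPv4Address.IPAddressToString }
        'SRV'   { $rec.RecordData.DomainName }
        'NS'    { $rec.RecordData.NameServer }
        'CNAME' { $rec.RecordData.HostNameAlias }
        default { $null }
    }
}

# Scan the domain zone and the _msdcs zone (a separate zone in forest-root
# domains; silently skipped if it does not exist as its own zone).
$stale = foreach ($z in @($Zone, "_msdcs.$Zone")) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = Get-RecordTarget $_
            if ($target -and ($target -eq $OldIp -or $target -like "$OldDc.*")) {
                [pscustomobject]@{ Zone = $z; Name = $_.HostName; Type = $_.RecordType; Target = $target }
            }
        }
}

if ($stale) {
    $stale | Format-Table -AutoSize
    Write-Warning "Records still reference $OldDc / $OldIp; review and remove them before reusing the IP."
} else {
    "No records in $Zone or _msdcs.$Zone reference $OldDc or $OldIp."
}
```

After the old DC is demoted and the new DC is re-addressed, `ipconfig /registerdns` followed by restarting the Netlogon service on the new DC re-registers its A and SRV records under the new address.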

Mahesh (Architect) commented:
Have you run the command from an elevated command prompt on the Win7 client?
You could probably run that command from an elevated command prompt within C:\windows\system32 if you want to run it manually.

Like I said already, you could create a .bat file, put it as a startup script in a GPO, and apply it to the OU containing the computers.

Also, there is no harm in the client fetching its time from the old PDC, because as an NTP client it can fetch time from any DC within the same site; that's not a problem.

You already got Event IDs 35 and 37 on the new PDC, so everything is configured correctly and you can safely demote the old PDC, provided that you have cleared any other production dependencies.
fallriverelectric (Author) commented:
Thanks to all for the help.  

Will - we were able to transfer the remaining roles successfully.  

Mahesh - running the command from an elevated prompt did allow me to run it, but after doing so it still shows the old PDC.  However as you mentioned it doesn't matter because it can fetch time from any DC and does so when I shut the old one down temporarily.  

Saige - thanks for the tips on DHCP reservations, that's definitely something we are going to look into doing, and will also follow your instructions on IP swap when we are ready to remove the original.