GP Management and AD Admin Center broken after domain controller migration

I have been working on a domain controller migration from Server 2008 to Server 2012. I first added the new server as a domain controller, then added the DHCP and DNS roles. Then over a few days I began migrating data, shares, etc. over to the new server. Everything seemed to be going mostly OK. I ran BPA and fixed any problems that were noted. This morning I hoped to complete the migration by moving the FSMO roles using these instructions.

All went as expected and no errors were noted. However, now I am having issues with GP Management and the AD Administrative Center. The FSMO roles have been moved to the new server, but the old server has not been demoted yet (I am afraid to completely remove it until the problems have been resolved).

Here is a summary:

1. When running Group Policy Management - Error: The network name cannot be found.
2. I can open the Group Policy editor and I see all my expected Group Policy Objects listed.
3. I am able to check policy settings and they are correct.
4. However, I cannot edit any Group Policy Objects - Error: The network name cannot be found.
5. I am able to create new users via Active Directory Users and Computers.
6. Active Directory Administrative Center fails - Error: Cannot connect to any domain. Error: Cannot find server running ADSW in domain.
7. AD Domain Service and AD Web Service are both running. Both have also been restarted without generating any errors.
8. SYSVOL and NETLOGON were not being shared on the new DC. I have manually shared both.
9. I noted an error in the Windows log relating to file replication problems for SYSVOL and NETLOGON, which might explain why they weren't shared.

From Windows Error Log:

Notification of policy change from LSA/SAM has been retried and failed. Error 4312 to save policy change for account S-1-5-83-0 in the default GPOs

Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections.

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete  (The

The File Replication Service is having trouble enabling replication from FS1 to DC for c:\windows\sysvol\domain using the DNS name FRS will keep retrying. (FS1 is original server and DC is new server).

File Replication Service is scanning the data in the system volume. Computer DC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL

I would appreciate any advice on how to resolve these issues.

pmckenna11 (Author) Commented:
In case someone else has a similar issue, the root problem is that file replication for SYSVOL is failing between the old and new server. All the other errors spring from this root cause. An easy check is to see if net share shows SYSVOL being shared on the new server. It won't appear until replication with the old server is complete. Here is a link to a page that gives a detailed fix.

However I could not complete steps as outlined. Here is what I did instead:

Stop the FRS service on both servers. Then do this on the old server:

a. Click Start, click Run, type regedit, and then click OK.
b. Locate and then click the BurFlags entry under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID
c. Right-click BurFlags, and then click Modify.
d. Type D4 in the Value Data field (Hexadecimal), and then click OK.

Then on the new server do the same thing but set it to D2. This will set the old server as authoritative and the new one as a replica. Then you can force a replication in AD or wait 15 minutes after turning FRS back on on both servers. You will need to restart the FRS service first.

If everything goes well you can then demote and decommission the old server. Make sure that you have moved all the FSMO roles first.

Thanks for all the help guys!!!!!

Second question in a row that has failed to generate any help whatsoever. Probably will be canceling my subscription when it comes up for renewal.
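The checks and the BurFlags procedure from the answer above, scripted in PowerShell as an added example (this is not the original poster's code, nor Microsoft's). It assumes an elevated PowerShell session on each domain controller (Server 2012, so Get-SmbShare is available), the service name NtFrs, the registry paths quoted in the answer, and the FRS event IDs 13508/13509/13565/13516 for the log messages quoted in the question. Identifying the SYSVOL replica set by its "Replica Set Name" value is an assumption; the script falls back to the single replica set that a typical DC has.

```powershell
# Added example (not from the original thread). Run elevated on each DC.
# Names assumed from the thread: FS1 = old DC (authoritative), DC = new DC (replica).

# The "net share" check from the answer: are SYSVOL and NETLOGON shared on this DC?
function Test-SysvolShares {
    $names = @(Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        SYSVOL   = ($names -contains 'SYSVOL')
        NETLOGON = ($names -contains 'NETLOGON')
    }
}

# Recent FRS events that describe the SYSVOL replication state:
# 13508 = trouble enabling replication (the question's error), 13509 = replication
# enabled after retries, 13565 = scanning system volume (SYSVOL not yet shared),
# 13516 = system volume initialised and shared (what you want to see after the fix).
function Get-FrsSysvolEvents {
    param([int]$Last = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13508, 13509, 13565, 13516 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

# Find the GUID of the domain system volume replica set (step b in the answer).
# Assumption: the 'Replica Set Name' value under Replica Sets\<GUID> mentions SYSVOL;
# if the DC has exactly one replica set, that one is used directly.
function Get-SysvolReplicaSetGuid {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets'
    $sets = @(Get-ChildItem -Path $base -ErrorAction Stop)
    if ($sets.Count -eq 1) { return $sets[0].PSChildName }
    foreach ($s in $sets) {
        $name = (Get-ItemProperty -Path $s.PSPath -ErrorAction SilentlyContinue).'Replica Set Name'
        if ($name -and $name -match 'SYSVOL') { return $s.PSChildName }
    }
    throw "Could not identify the SYSVOL replica set under $base"
}

# Stop FRS and set BurFlags for the SYSVOL replica set (steps c and d in the answer):
# 0xD4 = authoritative restore (run on the old DC, FS1),
# 0xD2 = non-authoritative restore (run on the new DC, DC).
function Set-FrsBurFlags {
    param(
        [Parameter(Mandatory)][ValidateSet('Authoritative', 'NonAuthoritative')]
        [string]$Mode
    )
    $value = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }
    $guid  = Get-SysvolReplicaSetGuid
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\$guid"

    Stop-Service -Name NtFrs -Force
    Set-ItemProperty -Path $key -Name BurFlags -Value $value -Type DWord
    Write-Host ("{0}: BurFlags = 0x{1:X} ({2}) for replica set {3}" -f $env:COMPUTERNAME, $value, $Mode, $guid)
}

# Usage, following the answer's order:
#   On FS1 (old DC):  Set-FrsBurFlags -Mode Authoritative
#   On DC  (new DC):  Set-FrsBurFlags -Mode NonAuthoritative
#   Then start FRS on FS1 first, then on DC, and verify on the new DC:
#   Start-Service -Name NtFrs; Get-FrsSysvolEvents; Test-SysvolShares
```

Stop FRS on both DCs before either BurFlags value is written, and start it on the authoritative (D4) server before the replica, as the answer describes; once event 13516 is logged on the new DC, Test-SysvolShares should report SYSVOL and NETLOGON as shared without any manual sharing, and the Group Policy and ADAC errors in the question should clear. The D4/D2 flags only make sense while SYSVOL is still replicated by FRS, which is the case on a domain that has not migrated SYSVOL to DFS-R.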
