• Status: Solved

GP Management and AD Admin Center broken after domain controller migration

I have been working on a domain controller migration from Server 2008 to Server 2012. I first added the new server as a domain controller then added the DHCP and DNS roles. Then over a few days I began migrating data, shares, etc over to the new server. Everything seemed to be going mostly OK. I ran BPA and fixed any problems that were noted. This morning I hoped to complete the migration by moving the FSMO roles using these instructions.

http://jackstromberg.com/2013/10/migrating-domain-controllers-from-server-2008-r2-to-server-2012-r2/

All went as expected and no errors were noted. However, now I am having issues with GP Management and the AD Administrative Center. The FSMO roles have been moved to the new server, but the old server has not been demoted yet (I am afraid to completely remove it until the problems have been resolved).

Here is a summary:

1. When running Group Policy Management - Error: The network name cannot be found
2. I can open the Group Policy editor and I see all my expected Group Policy Objects listed
3. I am able to check policy settings and they are correct
4. However, I cannot edit any Group Policy Objects - Error: The network name cannot be found.
5. I am able to create new users via Active Directory Users and Computers
6. Active Directory Administrative Center fails - Error: Cannot connect to any domain. Error: Cannot find server running ADWS in domain
7. AD Domain Service and AD Web Service are both running. Both have also been restarted without generating any errors
8. SYSVOL and NETLOGON were not being shared on the new DC. I have manually shared both
9. I noted an error in the Windows log relating to file replication problems for SYSVOL and NETLOGON, which might explain why they weren't shared


From the Windows event log:

Notification of policy change from LSA/SAM has been retried and failed. Error 4312 to save policy change for account S-1-5-83-0 in the default GPOs

Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections.

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete  (The

The File Replication Service is having trouble enabling replication from FS1 to DC for c:\windows\sysvol\domain using the DNS name FS1.glcssm.org. FRS will keep retrying. (FS1 is original server and DC is new server).

File Replication Service is scanning the data in the system volume. Computer DC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL

I would appreciate any advice on how to resolve these issues.
Asked by: pmckenna11

1 Solution

pmckenna11 (Author) commented:
In case someone else has a similar issue, the root problem is that file replication for SYSVOL is failing between the old and new server. All the other errors spring from this root cause. An easy check is to see if net share shows SYSVOL being shared on the new server. It won't appear until replication with the old server is complete. Here is a link to a page that gives a detailed fix:

https://support.microsoft.com/en-us/kb/315457

However, I could not complete the steps as outlined. Here is what I did instead:

Stop the FRS service on both servers. Then do this on the old server:

a.      Click Start, click Run, type regedit, and then click OK.
b.      Locate and then click the BurFlags entry under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID
c.      Right-click BurFlags, and then click Modify.
d.      Type D4 in the Value Data field (HexaDecimal), and then click OK.

Then on the new server do the same thing but set it to D2. This will set the old server as authoritative and the new one as a replica. Then you can force a replication in AD, or wait 15 minutes after turning FRS back on, on both servers. You will need to restart the FRS service first.

If everything goes well you can then demote and decommission the old server. Make sure that you have moved all the FSMO roles first.

Thanks for all the help guys!!!!!

Second question in a row that has failed to generate any help whatsoever. Probably will be canceling my subscription when it comes up for renewal.
Question has a verified solution.
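The SYSVOL share check and the BurFlags D4/D2 procedure from the accepted answer, as an added PowerShell example; this is not code from the original post or from the linked KB article. It assumes the poster's server names FS1 (old DC, authoritative) and DC (new DC, replica), that WinRM is enabled on both DCs and the RSAT ActiveDirectory module is present where it runs, and that each replica-set subkey under NtFrs\Parameters\Replica Sets carries a 'Replica Set Name' value (an assumption, with a fallback to the single subkey that a SYSVOL-only DC normally has).

```powershell
# Added example, not code from the original post: FRS SYSVOL reset via BurFlags
# (D4 = authoritative on the DC holding the good copy, D2 = non-authoritative
# on the DC that must re-sync), preceded by the "is SYSVOL shared yet" check
# from the accepted answer. Run from an elevated PowerShell with the RSAT AD
# module installed; WinRM must be enabled on both DCs (assumption).
$OldDC = 'FS1'   # assumed: original 2008 DC, good SYSVOL copy        -> BurFlags D4
$NewDC = 'DC'    # assumed: new 2012 DC, never finished initial sync  -> BurFlags D2

function Get-SysvolShareState {
    # Win32_Share works against 2008 and 2012 alike; the SMB cmdlets need 2012+ targets.
    param([string[]]$Server)
    foreach ($srv in $Server) {
        $names = Get-WmiObject -Class Win32_Share -ComputerName $srv `
                   -Filter "Name='SYSVOL' OR Name='NETLOGON'" |
                 Select-Object -ExpandProperty Name
        [pscustomobject]@{ Server = $srv; Shared = if ($names) { $names -join ',' } else { '(none)' } }
    }
}

# 1. Before touching anything: which shares exist, and where the FSMO roles sit.
Get-SysvolShareState -Server $OldDC, $NewDC
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 2. Stop FRS on both DCs so the BurFlags change is read at the next start.
Invoke-Command -ComputerName $OldDC, $NewDC -ScriptBlock { Stop-Service NtFrs -Force }

# 3. Set BurFlags under Cumulative Replica Sets\<GUID>, the path the answer gives.
$setBurFlags = {
    param([int]$Flag)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $sets = @(Get-ChildItem "$base\Replica Sets")
    # Assumption: each replica-set subkey carries a 'Replica Set Name' value; fall back
    # to the only subkey when the DC has just the SYSVOL set, which is the usual case.
    $sysvol = $sets | Where-Object {
        (Get-ItemProperty $_.PSPath).'Replica Set Name' -like '*SYSVOL*' } | Select-Object -First 1
    if (-not $sysvol -and $sets.Count -eq 1) { $sysvol = $sets[0] }
    if (-not $sysvol) { throw "Cannot identify the SYSVOL replica set GUID on $env:COMPUTERNAME" }
    $key = "$base\Cumulative Replica Sets\$($sysvol.PSChildName)"
    Set-ItemProperty -Path $key -Name BurFlags -Value $Flag -Type DWord
    '{0}: BurFlags=0x{1:X} at {2}' -f $env:COMPUTERNAME, $Flag, $key
}
Invoke-Command -ComputerName $OldDC -ScriptBlock $setBurFlags -ArgumentList 0xD4
Invoke-Command -ComputerName $NewDC -ScriptBlock $setBurFlags -ArgumentList 0xD2

# 4. Start the authoritative DC first, then the replica, and poll for the share
#    instead of guessing at the 15-minute wait.
Invoke-Command -ComputerName $OldDC -ScriptBlock { Start-Service NtFrs }
Invoke-Command -ComputerName $NewDC -ScriptBlock { Start-Service NtFrs }
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $state = Get-SysvolShareState -Server $NewDC
} until ($state.Shared -match 'SYSVOL' -or (Get-Date) -gt $deadline)
$state

# 5. FRS log on the replica: 13508 = cannot replicate from partner (the error
#    quoted in the question), 13516 = initialization finished and SYSVOL handed
#    to Netlogon for sharing.
Get-WinEvent -ComputerName $NewDC -MaxEvents 10 `
    -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13508, 13516 } |
    Select-Object TimeCreated, Id, Message
```

Two points worth keeping in mind when running this: only one DC gets D4, since setting D2 on both leaves no authoritative copy and the sets never converge, and the manual share the poster created on the new DC should be removed before the restart so that Netlogon, not a hand-made share, publishes SYSVOL once event 13516 appears. The registry path applies to FRS-replicated SYSVOL, which is what the poster's event log shows; a domain already migrated to DFSR for SYSVOL has no BurFlags value to set.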
