Avatar of quincyprentice
quincyprentice
Flag for Saint Kitts and Nevis asked on

Active Directory 2003 to 2012 Migration

My environment consists of two Windows Server 2003 DCs and I am looking to migrate to a Windows Server 2012 AD.
I started by adding a Windows Server 2012 DC, however,  I have seen some errors in the following:
- In the system log on the 2012 DC I have seen a few 5722, 5723 and 5895 errors.
- Periodically there are very high logon times when logging on to the 2012 DC.
- The BPA on the 2012 DC indicates that the zone _msdcs is not available even though I see it in the DNS management console.
Microsoft Legacy OSActive DirectoryWindows Server 2012Windows Server 2003

Avatar of undefined
Last Comment
quincyprentice

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Lee W, MVP

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
arnold

Your issue is likely because your 2012 install is missing the file server services Windows 2003 file share services which include the ntfrs components needed to replicate sysvol data which will prevent the new 2012 DC from making sysvol/netlogon available.

Once that is resolved, make sure using sites and services NTDS that this and other servers are global catalog (GC) as well
quincyprentice

ASKER
I ran the DCDIAG command as suggested and everything passed except the System Log. Please see output below.

      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:18:31
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the UmRdpService service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:19:01
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the ScDeviceEnum service.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 10/19/2015   23:19:01
            Event String:
            The Smart Card Device Enumeration Service service failed to start du
e to the following error:
         ......................... NIA-DC-04 failed test SystemLog
arnold

Check event log system/security log settings to increase its size as well as whether it should delete old records as needed versus having to wait 7 days. In your case when there were many events, the log could have gotten filled up, and could not add more because of the prior reference limit.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
quincyprentice

ASKER
Thanks.  I cleared the system event log and re-ran DCDIAG and it passed all of the tests without any issues. However, the log did not appear to be full.  It was set to 2MB and overwrite once it maxed out.
quincyprentice

ASKER
Any suggestions on the _msdcs issue in the DNS BPA scan?  I reran the scan after the DCDIAG passed and I still get the error about the _msdcs zone being unavailable.
arnold

Look at the local DNS server to see what is going on.

There is a DNS prep one had to run.

I think if memory serves, during the dcpromo a warning pops up dealing with that issue.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
arnold

The following link includes steps needed to transition from your current addomain.suffix structure to the split where _msdcs.addomain.suffix is separate/delegated from the addomain.suffix

https://social.technet.microsoft.com/Forums/windowsserver/en-US/175b2a01-1c3f-4c9e-a295-490cbcceb41e/active-directory-integrated-dns-zone-error-in-dns-bpa?forum=winserverDS
quincyprentice

ASKER
Thanks Arnold.  So lets get this straight:
My domain current naming structure is:
xxx.yyy.com

There is no _msdcs.xxx.yyy.com zone, however, it does exist as a subfolder inside the xxx.yyy.com.
So that means that I need to create the _msdcs.xxx.yyy.com zone?

The other parts are a bit unclear.  Once I have created the  _msdcs.xxx.yyy.com zone should I delete the existing subfolder inside xxx.yyy.com? And subsequently should I be recreating a delegation for the _msdcs inside of xxx.yyy.com?

Additionally, do I need to have a delegation for the xxx zone inside of yyy.com zone that I also have on my DNS server?
arnold

You should not delete the inner _msdcs.
The subsequent updates will populate the _msdcs

I think the discussion in the link covered the transition.


Is your setup xxx.yyy.com is a child domain of yyy.com?
Delegation often is only needed when yyy.com exists as its own domain on a different set of DNS servers than the ones that xxx.yyy.com is on.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
quincyprentice

ASKER
Ok.  
The _msdcs zone has been populated.  I reran the BPA and now I get an error saying that -
      Error      DNS: The DNS server <A.B.C.D> on the Ethernet must resolve PDC resource records for the domain controller.

To answer the question about the domains.
corp.contoso.com - Active Directory Domain

In DNS there is also a zone contoso.com (This allows me to redirect services like www, mail to their internal addresses.)

Inside the contoso.com zone there is a subfolder for corp that just has two host records (2 of the DC's in the domain. Im not sure why the third isn't  there).  Previously, I think that this zone was delegated .
arnold

Example contoso.com an AD integrated zone to be available on all DCs DNS? Either way add the NS record delegating Corp to all DCs. In this zone, you have to cleanup when a previously delegated DNS server is no longer available, this zone will not be auto managed.

Or you would need to add it to each.......
I suspect the lookup for nslookup -q=srv _ldap_tcp._msdcs.corp.contoso.com (do not have the full name to lookup)

NTDS might not have yet registered the DCs all over the _msdcs. You have DC, sites,.......... That using the nslookup -q=srv is the query to locate a DC, if you have sites, a DC query is site based to get the closest DC to the system needing ........
quincyprentice

ASKER
Think I got it resolved.
I ran netdiag /fix on the DC with the PDC role and it was able to re-register the missing DNS records.  The BPA scan now runs without any errors.
Thanks again for your assistance.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.