Active Directory 2003 to 2012 Migration

quincyprentice
quincyprentice used Ask the Experts™
on
My environment consists of two Windows Server 2003 DCs and I am looking to migrate to a Windows Server 2012 AD.
I started by adding a Windows Server 2012 DC, however,  I have seen some errors in the following:
- In the system log on the 2012 DC I have seen a few 5722, 5723 and 5895 errors.
- Periodically there are very high logon times when logging on to the 2012 DC.
- The BPA on the 2012 DC indicates that the zone _msdcs is not available even though I see it in the DNS management console.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
Run DCDIAG on all DCs and resolve whatever errors that are unexplained.
Distinguished Expert 2017

Commented:
Your issue is likely because your 2012 install is missing the file server services Windows 2003 file share services which include the ntfrs components needed to replicate sysvol data which will prevent the new 2012 DC from making sysvol/netlogon available.

Once that is resolved, make sure using sites and services NTDS that this and other servers are global catalog (GC) as well

Author

Commented:
I ran the DCDIAG command as suggested and everything passed except the System Log. Please see output below.

      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:18:31
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the UmRdpService service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:19:01
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the ScDeviceEnum service.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 10/19/2015   23:19:01
            Event String:
            The Smart Card Device Enumeration Service service failed to start du
e to the following error:
         ......................... NIA-DC-04 failed test SystemLog
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Distinguished Expert 2017

Commented:
Check event log system/security log settings to increase its size as well as whether it should delete old records as needed versus having to wait 7 days. In your case when there were many events, the log could have gotten filled up, and could not add more because of the prior reference limit.

Author

Commented:
Thanks.  I cleared the system event log and re-ran DCDIAG and it passed all of the tests without any issues. However, the log did not appear to be full.  It was set to 2MB and overwrite once it maxed out.

Author

Commented:
Any suggestions on the _msdcs issue in the DNS BPA scan?  I reran the scan after the DCDIAG passed and I still get the error about the _msdcs zone being unavailable.
Distinguished Expert 2017

Commented:
Look at the local DNS server to see what is going on.

There is a DNS prep one had to run.

I think if memory serves, during the dcpromo a warning pops up dealing with that issue.
Distinguished Expert 2017

Commented:
The following link includes steps needed to transition from your current addomain.suffix structure to the split where _msdcs.addomain.suffix is separate/delegated from the addomain.suffix

https://social.technet.microsoft.com/Forums/windowsserver/en-US/175b2a01-1c3f-4c9e-a295-490cbcceb41e/active-directory-integrated-dns-zone-error-in-dns-bpa?forum=winserverDS

Author

Commented:
Thanks Arnold.  So lets get this straight:
My domain current naming structure is:
xxx.yyy.com

There is no _msdcs.xxx.yyy.com zone, however, it does exist as a subfolder inside the xxx.yyy.com.
So that means that I need to create the _msdcs.xxx.yyy.com zone?

The other parts are a bit unclear.  Once I have created the  _msdcs.xxx.yyy.com zone should I delete the existing subfolder inside xxx.yyy.com? And subsequently should I be recreating a delegation for the _msdcs inside of xxx.yyy.com?

Additionally, do I need to have a delegation for the xxx zone inside of yyy.com zone that I also have on my DNS server?
Distinguished Expert 2017

Commented:
You should not delete the inner _msdcs.
The subsequent updates will populate the _msdcs

I think the discussion in the link covered the transition.


Is your setup xxx.yyy.com is a child domain of yyy.com?
Delegation often is only needed when yyy.com exists as its own domain on a different set of DNS servers than the ones that xxx.yyy.com is on.

Author

Commented:
Ok.  
The _msdcs zone has been populated.  I reran the BPA and now I get an error saying that -
      Error      DNS: The DNS server <A.B.C.D> on the Ethernet must resolve PDC resource records for the domain controller.

To answer the question about the domains.
corp.contoso.com - Active Directory Domain

In DNS there is also a zone contoso.com (This allows me to redirect services like www, mail to their internal addresses.)

Inside the contoso.com zone there is a subfolder for corp that just has two host records (2 of the DC's in the domain. Im not sure why the third isn't  there).  Previously, I think that this zone was delegated .
Distinguished Expert 2017

Commented:
Example contoso.com an AD integrated zone to be available on all DCs DNS? Either way add the NS record delegating Corp to all DCs. In this zone, you have to cleanup when a previously delegated DNS server is no longer available, this zone will not be auto managed.

Or you would need to add it to each.......
I suspect the lookup for nslookup -q=srv _ldap_tcp._msdcs.corp.contoso.com (do not have the full name to lookup)

NTDS might not have yet registered the DCs all over the _msdcs. You have DC, sites,.......... That using the nslookup -q=srv is the query to locate a DC, if you have sites, a DC query is site based to get the closest DC to the system needing ........

Author

Commented:
Think I got it resolved.
I ran netdiag /fix on the DC with the PDC role and it was able to re-register the missing DNS records.  The BPA scan now runs without any errors.
Thanks again for your assistance.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial