Link to home
Start Free TrialLog in
Avatar of quincyprentice
quincyprenticeFlag for Saint Kitts and Nevis

asked on

Active Directory 2003 to 2012 Migration

My environment consists of two Windows Server 2003 DCs and I am looking to migrate to a Windows Server 2012 AD.
I started by adding a Windows Server 2012 DC, however,  I have seen some errors in the following:
- In the system log on the 2012 DC I have seen a few 5722, 5723 and 5895 errors.
- Periodically there are very high logon times when logging on to the 2012 DC.
- The BPA on the 2012 DC indicates that the zone _msdcs is not available even though I see it in the DNS management console.
Avatar of Lee W, MVP
Lee W, MVP
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Your issue is likely because your 2012 install is missing the file server services Windows 2003 file share services which include the ntfrs components needed to replicate sysvol data which will prevent the new 2012 DC from making sysvol/netlogon available.

Once that is resolved, make sure using sites and services NTDS that this and other servers are global catalog (GC) as well
Avatar of quincyprentice


I ran the DCDIAG command as suggested and everything passed except the System Log. Please see output below.

      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:18:31
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the UmRdpService service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:19:01
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the ScDeviceEnum service.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 10/19/2015   23:19:01
            Event String:
            The Smart Card Device Enumeration Service service failed to start du
e to the following error:
         ......................... NIA-DC-04 failed test SystemLog
Check event log system/security log settings to increase its size as well as whether it should delete old records as needed versus having to wait 7 days. In your case when there were many events, the log could have gotten filled up, and could not add more because of the prior reference limit.
Thanks.  I cleared the system event log and re-ran DCDIAG and it passed all of the tests without any issues. However, the log did not appear to be full.  It was set to 2MB and overwrite once it maxed out.
Any suggestions on the _msdcs issue in the DNS BPA scan?  I reran the scan after the DCDIAG passed and I still get the error about the _msdcs zone being unavailable.
Look at the local DNS server to see what is going on.

There is a DNS prep one had to run.

I think if memory serves, during the dcpromo a warning pops up dealing with that issue.
The following link includes steps needed to transition from your current addomain.suffix structure to the split where _msdcs.addomain.suffix is separate/delegated from the addomain.suffix
Thanks Arnold.  So lets get this straight:
My domain current naming structure is:

There is no zone, however, it does exist as a subfolder inside the
So that means that I need to create the zone?

The other parts are a bit unclear.  Once I have created the zone should I delete the existing subfolder inside And subsequently should I be recreating a delegation for the _msdcs inside of

Additionally, do I need to have a delegation for the xxx zone inside of zone that I also have on my DNS server?
You should not delete the inner _msdcs.
The subsequent updates will populate the _msdcs

I think the discussion in the link covered the transition.

Is your setup is a child domain of
Delegation often is only needed when exists as its own domain on a different set of DNS servers than the ones that is on.
The _msdcs zone has been populated.  I reran the BPA and now I get an error saying that -
      Error      DNS: The DNS server <A.B.C.D> on the Ethernet must resolve PDC resource records for the domain controller.

To answer the question about the domains. - Active Directory Domain

In DNS there is also a zone (This allows me to redirect services like www, mail to their internal addresses.)

Inside the zone there is a subfolder for corp that just has two host records (2 of the DC's in the domain. Im not sure why the third isn't  there).  Previously, I think that this zone was delegated .
Example an AD integrated zone to be available on all DCs DNS? Either way add the NS record delegating Corp to all DCs. In this zone, you have to cleanup when a previously delegated DNS server is no longer available, this zone will not be auto managed.

Or you would need to add it to each.......
I suspect the lookup for nslookup -q=srv (do not have the full name to lookup)

NTDS might not have yet registered the DCs all over the _msdcs. You have DC, sites,.......... That using the nslookup -q=srv is the query to locate a DC, if you have sites, a DC query is site based to get the closest DC to the system needing ........
Think I got it resolved.
I ran netdiag /fix on the DC with the PDC role and it was able to re-register the missing DNS records.  The BPA scan now runs without any errors.
Thanks again for your assistance.