Active Directory 2003 to 2012 Migration

My environment consists of two Windows Server 2003 DCs and I am looking to migrate to a Windows Server 2012 AD.
I started by adding a Windows Server 2012 DC, however,  I have seen some errors in the following:
- In the system log on the 2012 DC I have seen a few 5722, 5723 and 5895 errors.
- Periodically there are very high logon times when logging on to the 2012 DC.
- The BPA on the 2012 DC indicates that the zone _msdcs is not available even though I see it in the DNS management console.
quincyprenticeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
Run DCDIAG on all DCs and resolve whatever errors that are unexplained.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
arnoldCommented:
Your issue is likely because your 2012 install is missing the file server services Windows 2003 file share services which include the ntfrs components needed to replicate sysvol data which will prevent the new 2012 DC from making sysvol/netlogon available.

Once that is resolved, make sure using sites and services NTDS that this and other servers are global catalog (GC) as well
0
quincyprenticeAuthor Commented:
I ran the DCDIAG command as suggested and everything passed except the System Log. Please see output below.

      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:18:31
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the UmRdpService service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 10/19/2015   23:19:01
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a trans
action response from the ScDeviceEnum service.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 10/19/2015   23:19:01
            Event String:
            The Smart Card Device Enumeration Service service failed to start du
e to the following error:
         ......................... NIA-DC-04 failed test SystemLog
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

arnoldCommented:
Check event log system/security log settings to increase its size as well as whether it should delete old records as needed versus having to wait 7 days. In your case when there were many events, the log could have gotten filled up, and could not add more because of the prior reference limit.
1
quincyprenticeAuthor Commented:
Thanks.  I cleared the system event log and re-ran DCDIAG and it passed all of the tests without any issues. However, the log did not appear to be full.  It was set to 2MB and overwrite once it maxed out.
0
quincyprenticeAuthor Commented:
Any suggestions on the _msdcs issue in the DNS BPA scan?  I reran the scan after the DCDIAG passed and I still get the error about the _msdcs zone being unavailable.
0
arnoldCommented:
Look at the local DNS server to see what is going on.

There is a DNS prep one had to run.

I think if memory serves, during the dcpromo a warning pops up dealing with that issue.
0
arnoldCommented:
The following link includes steps needed to transition from your current addomain.suffix structure to the split where _msdcs.addomain.suffix is separate/delegated from the addomain.suffix

https://social.technet.microsoft.com/Forums/windowsserver/en-US/175b2a01-1c3f-4c9e-a295-490cbcceb41e/active-directory-integrated-dns-zone-error-in-dns-bpa?forum=winserverDS
1
quincyprenticeAuthor Commented:
Thanks Arnold.  So lets get this straight:
My domain current naming structure is:
xxx.yyy.com

There is no _msdcs.xxx.yyy.com zone, however, it does exist as a subfolder inside the xxx.yyy.com.
So that means that I need to create the _msdcs.xxx.yyy.com zone?

The other parts are a bit unclear.  Once I have created the  _msdcs.xxx.yyy.com zone should I delete the existing subfolder inside xxx.yyy.com? And subsequently should I be recreating a delegation for the _msdcs inside of xxx.yyy.com?

Additionally, do I need to have a delegation for the xxx zone inside of yyy.com zone that I also have on my DNS server?
0
arnoldCommented:
You should not delete the inner _msdcs.
The subsequent updates will populate the _msdcs

I think the discussion in the link covered the transition.


Is your setup xxx.yyy.com is a child domain of yyy.com?
Delegation often is only needed when yyy.com exists as its own domain on a different set of DNS servers than the ones that xxx.yyy.com is on.
0
quincyprenticeAuthor Commented:
Ok.  
The _msdcs zone has been populated.  I reran the BPA and now I get an error saying that -
      Error      DNS: The DNS server <A.B.C.D> on the Ethernet must resolve PDC resource records for the domain controller.

To answer the question about the domains.
corp.contoso.com - Active Directory Domain

In DNS there is also a zone contoso.com (This allows me to redirect services like www, mail to their internal addresses.)

Inside the contoso.com zone there is a subfolder for corp that just has two host records (2 of the DC's in the domain. Im not sure why the third isn't  there).  Previously, I think that this zone was delegated .
0
arnoldCommented:
Example contoso.com an AD integrated zone to be available on all DCs DNS? Either way add the NS record delegating Corp to all DCs. In this zone, you have to cleanup when a previously delegated DNS server is no longer available, this zone will not be auto managed.

Or you would need to add it to each.......
I suspect the lookup for nslookup -q=srv _ldap_tcp._msdcs.corp.contoso.com (do not have the full name to lookup)

NTDS might not have yet registered the DCs all over the _msdcs. You have DC, sites,.......... That using the nslookup -q=srv is the query to locate a DC, if you have sites, a DC query is site based to get the closest DC to the system needing ........
1
quincyprenticeAuthor Commented:
Think I got it resolved.
I ran netdiag /fix on the DC with the PDC role and it was able to re-register the missing DNS records.  The BPA scan now runs without any errors.
Thanks again for your assistance.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.