mmsi asked:
Issues after demoting a BDC in preparation of promoting a newer server

Hello Experts,
I apologize for the length, but a lot has happened…

Background:
So, recently several of my clients have been having spotty issues with a new password reset loop issue, apparently after a Windows client update that seems to cause some issue syncing passwords with AD on domains running anything less than 2008 functional level. Neither here nor there at this point, but that's what prompted me to begin raising domain functional levels. A couple of my clients were no problem; they already had Server 2008 or 2012 with no older servers, so it was as easy as just selecting a higher level. One client did have an old 2003 server, which I easily demoted with no issue, then increased the functional level on their 2012 server, again with no problem.

Now onto my largest client, which of course gave me trouble. When I originally took on this client a few years ago they had two Win2000 boxes as their PDC and BDC. The BDC was having hardware issues, so I quickly demoted and removed it and promoted a Win2008 server as their BDC, which I later made their PDC, making the other old working Win2000 server (the original PDC) the BDC. I've been wanting to remove that old Win2000 AD server for a while now, and in light of some of these password reset loop issues I began to finally do so. I double-checked to make sure the Win2008, which has been the PDC server for years now, had all of the Operations Master roles (RID, PDC, Infrastructure) and was a GC, which both the PDC and BDC confirmed.

I began to run dcpromo on the Win2000 BDC, and here's where the issues began: first it wouldn't shut down the NetLogon service through dcpromo; alright, I'll shut it down and run it again. Ran dcpromo again and it made it to the point where it said, something along the lines of, it couldn't communicate with the Win2008 AD server, which I knew was just to remove any references to itself from the domain. So now I restarted dcpromo and forcibly removed it from the domain, with no issues there, and by the way I did not check the option saying it was the last DC. I then removed any references to the old Win2000 server from the Win2008 server in AD Sites and Services and from the Domain Controllers OU in AD Users and Computers, with really no unexpected results thus far. So, now that everything looked normal and after testing some authentication, I felt confident I could fully decommission the old Win2000 server, and now begin the issues…

Issue:
Immediately after powering down the Win2000 server and restarting the Win2008 server, the Win2008 server wouldn't open any AD consoles, saying it couldn't locate an AD GC server *eek*, and users immediately were unable to access any network resources (files and printers). I began to panic, thinking the entire AD had been wiped out. Against my better judgment, I powered on the old Win2000 server and connected it to the network, and oddly (to me anyway, maybe coincidence) the Win2008 server suddenly found itself as being the GC and everything was peachy again. Also, yesterday when trying to add a member server as the new BDC, it popped up saying the current domain functional level was still 2000, when the Win2008 server clearly shows 2008. Additionally, the SYSVOL and NETLOGON shares were missing; following the workaround here https://support.microsoft.com/en-us/kb/947022 at least got SYSVOL shared again, however the entire C:\Windows\SYSVOL\sysvol\mybiz.local folder is empty, which has me concerned since other servers I've seen have files here.

So after mulling it over for a while, it seems like a DNS issue, right? Well, with things running smoothly again I called it a night and returned early this morning for some further testing. I stopped DNS on the old server, disconnected it from the network, restarted the Win2008 server, and everything still seems fine. I've left the old server disconnected now for over 3 hours and still no issues. Ran ipconfig /flushdns on the Win2008 server; still no issues. Dcdiag shows a couple of failures (which I'll attach), but nothing that appears to be affecting AD consoles or users' access. I'm now at a complete loss; nothing I've done seemed to be an immediate fix, nor anything I felt was that eureka moment, which is usually always the case.

So I'm reaching out to you for your thoughts on the situation, input on the current dcdiag errors, and why, after upgrading the domain functional level to 2008, would dcpromo on the new BDC say it was 2000? I've not tried to run dcpromo again since.

Thanks,
Josh
FOX:

MMSi,
You have stated you removed the old 2000 DC from AD Users and Computers and Sites and Services. You have not stated that you removed any entries of it from DNS, forward and reverse lookups. Secondly, if you are running DHCP, verify that the 2000 DC is removed from being pushed to the clients as a DNS server via your DHCP settings. Check your name servers, etc. in DHCP and remove the 2000 DC. Screenshot attached.
Attachment: -12dhcp.JPG
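The check FOX describes, as an added example that is not part of the thread: a script that lists (and, only with -Remove, deletes) every record the DNS server still holds that names or points at the decommissioned DC, across the forward zone, the _msdcs zone and any reverse zones. It uses the MicrosoftDNS WMI provider that ships with the DNS Server role on Windows Server 2003/2008, so it needs no DnsServer PowerShell module. The old DC name OLDDC2000 and address 10.0.0.5 are assumptions for illustration, not values from the thread.

```powershell
# Added example, not from the thread: find DNS records that still reference a dead DC.
# Run on (or against) the DNS server as an administrator; default is a dry run.
param(
    [string]$DnsServer = 'localhost',
    [string]$OldDcName = 'OLDDC2000',   # hypothetical host name of the demoted DC
    [string]$OldDcIp   = '10.0.0.5',    # hypothetical address of the demoted DC
    [switch]$Remove                     # pass -Remove to actually delete the matches
)

# Match the bare host name (so OLDDC2000.mybiz.local. matches too) or the exact IP,
# without matching 10.0.0.50 or a longer name that merely contains the string.
$pattern = '(?i)(^|[^A-Za-z0-9-])' + [regex]::Escape($OldDcName) + '([^A-Za-z0-9-]|$)' +
           '|(^|[^0-9.])'          + [regex]::Escape($OldDcIp)   + '([^0-9.]|$)'

# One query returns every record in every zone the server hosts: A/PTR records for the
# host, the NS record in the zone, and the SRV and GUID CNAME records under _msdcs
# that a clean dcpromo would have deregistered.
$records = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
                         -Class MicrosoftDNS_ResourceRecord

$stale = @($records | Where-Object { $_.TextRepresentation -match $pattern })

if ($stale.Count -eq 0) {
    Write-Host "No records on $DnsServer reference $OldDcName or $OldDcIp."
    return
}

$stale |
    Sort-Object ContainerName, OwnerName |
    Select-Object ContainerName, OwnerName,
                  @{ Name = 'Type'; Expression = { $_.__CLASS -replace '^MicrosoftDNS_|Type$', '' } },
                  RecordData |
    Format-Table -AutoSize

# NS records deserve a separate warning: a leftover NS entry keeps advertising the dead
# server in the zone's Name Servers list, which is the "dead entry" FOX is pointing at.
$ns = $stale | Where-Object { $_.__CLASS -eq 'MicrosoftDNS_NSType' }
if ($ns) {
    Write-Warning ('Stale NS records in: ' + (($ns | ForEach-Object { $_.ContainerName }) -join ', '))
}

if ($Remove) {
    foreach ($r in $stale) {
        Write-Host "Deleting: $($r.TextRepresentation)"
        $r.Delete()
    }
}
```

Run it once without -Remove and read the list before deleting anything; in particular, confirm that every SRV record you are about to remove names the old DC and not the surviving one. The DHCP half of FOX's advice only applies when a Windows DHCP server hands out option 006; on such a server `netsh dhcp server show optionvalue` prints the DNS servers being pushed to clients.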
mmsi (asker):
"I then removed any references to the old Win2000 server from the Win2008 server in AD Sites and Services, and from the Domain Controllers OU in AD Users and Computers."

See attached for what our DNS looks like. There are a couple of references to the old Win2000 server, but not being as familiar with manually setting AD DNS settings, I was hesitant to make any serious changes without some support first.

DHCP was handled by the old Win2000 server years ago but was shut off and has been handled by our router since. DNS on that router has pointed to the Win2008 server since.
Attachment: DNS-Config.jpg
mmsi (asker):

Forgot to attach that dcdiag.
Attachment: dcdiag.txt
ASKER CERTIFIED SOLUTION

FOX:

[Solution text only available to Experts Exchange members.]
mmsi (asker):
Thanks @FoxLuv. Will do. I was just hesitant.
mmsi (asker):
Done.
Nothing was in reverse lookup; the only references to the old server were what I had in that screenshot.

Any thoughts on that dcdiag?
How about making that member server the new BDC, give it a shot?

There is no PDC or BDC; this is old technology you are referring to. You have AD in a multi-master scenario. If you are running 2008 or 2012 domain controllers you are fine. Are you running one domain or multiple domains? Either make sure all your domain controllers have the Global Catalog enabled, or if not, do not have the Global Catalog enabled on your PDC emulator.

ref link: https://www.sole.dk/how-to-place-fsmo-and-global-catalog-roles-in-active-directory/

Beef up the 2000 box with RAM, make sure you update the BIOS, any firmware, etc. Install 2008 R2, or if you have it 2012 R2, even better; add it to the domain, then promote it to a domain controller as an additional domain controller in your domain and you are good to go. It will replicate all your DNS and so forth. This is why you had to make sure that any and all dead entries are cleaned out of your DNS, so that you do not have issues.
mmsi (asker):
Even if the hardware were compatible with Windows 2008 it is junk and the domain is already at 2008 functional level so that 2000 server is now useless to me unless those issues pop up again.

So, those issues yesterday must have just been due to those bad DNS entries, huh? I was shocked that the long-existing 2008 AD server couldn't even identify itself as the GC, even with its own IP and localhost in the TCP/IP DNS settings. I'll let it run for a day, then try promoting the other 2008 server again.

And a point of note: there has not been any such thing as a PDC or a BDC since Windows NT4.
All domain controllers are equal and capable of having any and all roles/functions assigned to them.
The concept of a PDC and BDC is long dead and confusing.

That is where my confusion came in; when you were referring to promotion I thought you were referring to redoing the 2000 box. Add the IP of one of the present domain controllers to the primary DNS entry of the 2008 box you want to promote. After successful promotion to a domain controller, set the primary DNS entry to the IP of itself and the secondary to any of your domain controllers.
Attachment: dns.JPG
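Added example, not from the thread: one script covering the checks the replies above call for before running dcpromo on the member server: the functional level dcpromo will actually read, the FSMO holders and Global Catalog placement discussed in the multi-master reply, whether the directory still carries an NTDS Settings object for the old DC after the forced demotion, the GC locator lookup the AD consoles failed on, and the DNS client order rule from the last reply. It uses only ADSI, WMI and nltest so that it runs on Windows Server 2008 RTM, where the ActiveDirectory PowerShell module (Get-ADDomain, Get-ADForest) is not available. The surviving DC's name DC2008 is an assumption for illustration.

```powershell
# Added example, not from the thread. Run as a domain admin on the server to be promoted.
$dc = 'DC2008'   # hypothetical name of the surviving domain controller

$rootDse    = [ADSI]"LDAP://$dc/RootDSE"
$domainDn   = $rootDse.defaultNamingContext.Value
$configDn   = $rootDse.configurationNamingContext.Value
$schemaDn   = $rootDse.schemaNamingContext.Value
$domainFqdn = ($domainDn -replace 'DC=', '') -replace ',', '.'
$domain     = [ADSI]"LDAP://$dc/$domainDn"

# 1. Functional levels. dcpromo reads msDS-Behavior-Version from the directory, so this
#    value, not what a console last displayed, decides the "level is still 2000" message.
$levels = @{ 0 = 'Windows 2000'; 1 = '2003 interim'; 2 = '2003'; 3 = '2008'; 4 = '2008 R2'; 5 = '2012'; 6 = '2012 R2' }
$domainLevel = [int]$domain.'msDS-Behavior-Version'.Value
$forestLevel = [int]([ADSI]"LDAP://$dc/CN=Partitions,$configDn").'msDS-Behavior-Version'.Value
"Domain functional level : $($levels[$domainLevel]) ($domainLevel)"
"Forest functional level : $($levels[$forestLevel]) ($forestLevel)"
"ntMixedDomain (1 = still mixed mode) : $($domain.ntMixedDomain.Value)"

# 2. FSMO holders. fSMORoleOwner holds the DN of the owner's NTDS Settings object;
#    its parent is the server object, which carries dNSHostName.
function Get-RoleOwner([string]$objectDn) {
    $ntdsDn   = ([ADSI]"LDAP://$dc/$objectDn").fSMORoleOwner.Value
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    ([ADSI]"LDAP://$dc/$serverDn").dNSHostName.Value
}
$pdc    = Get-RoleOwner $domainDn
$rid    = Get-RoleOwner "CN=RID Manager`$,CN=System,$domainDn"
$infra  = Get-RoleOwner "CN=Infrastructure,$domainDn"
$schema = Get-RoleOwner $schemaDn
$naming = Get-RoleOwner "CN=Partitions,$configDn"
"PDC emulator : $pdc`nRID master : $rid`nInfrastructure : $infra`nSchema master : $schema`nDomain naming : $naming"

# 3. DCs the directory still believes exist. After a forced dcpromo the old DC's NTDS
#    Settings object remains until metadata cleanup runs (on Server 2008, deleting the DC in
#    Sites and Services or the Domain Controllers OU does this). options bit 0 marks a GC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc/CN=Sites,$configDn")
$searcher.Filter = '(objectClass=nTDSDSA)'
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'options'))
"DCs with NTDS Settings objects:"
foreach ($result in $searcher.FindAll()) {
    $ntdsDn = $result.Properties['distinguishedname'][0]
    $server = [ADSI]"LDAP://$dc/$($ntdsDn -replace '^CN=NTDS Settings,', '')"
    $opts   = if ($result.Properties.Contains('options')) { [int]$result.Properties['options'][0] } else { 0 }
    '  {0,-40} GC={1}' -f $server.dNSHostName.Value, (($opts -band 1) -eq 1)
}
"$dc reports isGlobalCatalogReady = $($rootDse.isGlobalCatalogReady.Value)"

# 4. DC locator: the same lookup the AD consoles make when they report that no Global
#    Catalog can be found. It depends on the _gc._tcp SRV records, not on which IP the DC
#    lists as its DNS server. /force bypasses the cached result.
nltest "/dsgetdc:$domainFqdn" /gc /force

# 5. DNS client order on this box. Before dcpromo the first entry must be an existing DC;
#    only after promotion should the host list itself first and another DC second.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, @{ Name = 'DnsServers'; Expression = { $_.DNSServerSearchOrder -join ', ' } }
```

If step 3 still lists the demoted server, remove its metadata with ntdsutil (metadata cleanup) before promoting anything. If step 4 fails while step 3 shows the surviving DC as a GC, the _msdcs SRV records are missing or stale; `nltest /dsregdns` on that DC asks Netlogon to re-register them, which is also what happens at the service restart the asker observed.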