GCITech

domain controller migration seems successful, however....

Customer has a small AD with a server 2003 server, that was the only domain controller, and a new server 2012, that I migrated FSMO roles to. When I run ntdsutil on new server 2012, it reports that it has 5 roles. Schema, Naming Master, PDC, RID, and Infrastructure. If I type "nltest/dsgetdc:mydomainname" it reports DC:\\oldserver2003.
On server 2003 computer, if I look in Operations Masters of the domain, it also shows the new server as being PDC, RID, and Infrastructure. If I run DCPromo on the server 2003 to demote it, it reports unable to find another domain controller on the domain, so I quit, there. Also, if I right-click on the domain in "Active Directory Users and Computers" click properties, and click the Group Policy tab, (on Server 2003 computer), it also reports unable to find a domain controller for the domain, gives 3 options, which I am unsure which to pick, so I quit there. The new server is set as the DNS server for the old server.
As a side note, that I hope is related to this, all the clients are able to authenticate, and use their network resources, but the only admin account on their local machines, is the local machine acct., and a domain user I had set as an administrator a while back, to accomplish some task, temporarily. The domain admin is no longer an admin on all of the workstations, and previously was. Maybe not related, but I hope so. Any direction will be greatly appreciated, as I will be on-site, to work on it some more.
Lee W, MVP

How's your DNS?  Does each server know about the other in their TCP/IP properties?
Have you run DCDIAG /C /E /V on both DCs to determine if everything seems healthy?
GCITech

ASKER

Thanks for the direction. Ran DCdiag, and it reported "no global catalog" found, when run from either server. DNS seems correct, as both servers can resolve the other one. After reading some, I also found Sysvol and netlogon are not on new server, and are still on old server. Is the next step to do a "non-authoritative sysvol restore"? I looked at just unchecking Global catalog box on new server, then rechecking it, to see if that fixed it, but when unchecking, it stated that it could not find any others, and no one would be able to log on, if I continued, so I did not. Thanks for the help. Any new suggestions?
After reading some, I also found Sysvol and netlogon are not on new server, and are still on old server. Is the next step to do a "non-authoritative sysvol restore"?
Possibly. First, though, check the File Replication Service event log on the 2003 DC for errors, as you may find one indicating that FRS on that server is in a journal-wrap state. If you do find that this is the case, you'll need to perform an authoritative restore of SYSVOL on that server. From your use of the terminology, I'm assuming you're already looking at the KB article that details the steps for doing so, but here it is, just in case.

That may be enough to get SYSVOL replicating, or you may need to perform a non-authoritative restore on the new DC after performing the authoritative restore on the old one. You should also do this if you don't see any errors in the 2003 DC's FRS event log.
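
The checks discussed in this thread, as an added example that is not part of the original posts: run from the 2012 DC, it confirms whether each DC shares SYSVOL and NETLOGON and looks for the FRS journal-wrap event on the old DC. The server names are placeholders, and the script assumes event ID 13568 (source NtFrs), the ID FRS logs for JRNL_WRAP_ERROR, plus WMI and remote event log access to the 2003 server.

```powershell
# Added example, not from the thread. Server names are placeholders (assumptions).
param(
    [string]$OldDC = 'oldserver2003',   # placeholder: the Server 2003 DC
    [string]$NewDC = 'newserver2012'    # placeholder: the Server 2012 DC
)

function Test-DcShares {
    param([string]$ComputerName)
    # A DC only shares SYSVOL and NETLOGON once initial SYSVOL replication has
    # completed; without them it does not advertise itself as a domain controller.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        Select-Object -ExpandProperty Name
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        [pscustomobject]@{
            Computer = $ComputerName
            Share    = $name
            Present  = $shares -contains $name
        }
    }
}

function Get-FrsJournalWrap {
    param([string]$ComputerName, [int]$Newest = 500)
    # Assumption: 13568 is the NtFrs event ID for the journal-wrap condition.
    Get-EventLog -LogName 'File Replication Service' -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $_.EventID -eq 13568 } |
        Select-Object TimeGenerated, EntryType, Source, EventID
}

# Share state on both DCs: the new DC should show both shares as present
# before the old DC is demoted.
$OldDC, $NewDC | ForEach-Object { Test-DcShares -ComputerName $_ } |
    Format-Table -AutoSize

# Journal-wrap events on the old DC's FRS log.
$wrap = @(Get-FrsJournalWrap -ComputerName $OldDC)
if ($wrap.Count -gt 0) {
    Write-Warning "$OldDC logged $($wrap.Count) journal-wrap event(s); newest first:"
    $wrap | Format-Table -AutoSize
} else {
    Write-Output "No journal-wrap events in the last entries of the FRS log on $OldDC."
}
```

Rerunning it after a restore shows whether the shares have appeared on the new DC; `dcdiag` on both servers remains the fuller health check.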

ASKER

Back on-site today, and you are correct, the sysvol is in journal wrap error. Is it ok to do this authoritative restore during the day, when computer is in use? Fairly small operation with 25 users or so. Thanks for the help.
Yes, it's fine to perform the authoritative restore during business hours. It takes very little time.

To be completely safe, you should consider making a copy of the SYSVOL folder and its contents on that server before beginning the procedure. If anything happens to go wrong, you can always revert to that copy.

ASKER

Awesome! Did authoritative restore on old server, now new server has sysvol and netlogon folders. I have not done non authoritative restore to new server. Is that still advisable? Also ran dcdiag on both servers, and both report all well. Is now a good time to demote old DC to a server only status, or better to wait a couple of weeks, confirm no more issues?
ASKER CERTIFIED SOLUTION
DrDave242

ASKER

Greatly appreciate you sharing your knowledge!