Active Directory not available after "main" DC died

I have a location that still runs on SBS 2008.
I have added new server "DC2016" with Server 2016 and made it DC - transferred all needed data, replicated AD, and turned off the "old" SBS2008.

As soon as I turn off the old SBS2008 I am unable to open Active Directory Users and Computers.
I get following error:

I think that I had done exactly the same before, and did not have that issue.
I changed the NIC on the DC2016 to point to itself, seized the FSMO roles, performed "metadata cleanup" to remove old SBS2008, removed any references in the DNS to SBS2008.

I've done this "million" times before and this time it gives me hard time - do I have a brain fart?
MAS (EE Solution Guide - Technical Dept Head) Commented:
Did you transfer FSMO roles before shutting down?
If not please transfer FSMO role and try.
pyotrek (Author) Commented:
No I did not transfer FSMO roles. I turned off the old SBS2008 (I want to keep it intact in case I need something off of it), and I seized the FSMO roles.
Lee W, MVP (Technology and Business Process Advisor) Commented:
That's a problem.  You didn't migrate it properly and you could have corrupted something.  If you wanted the old server available, you should have backed it up first.  Then properly transferred things.

You should have run DCDIAG before you ever promoted the second DC.  Once that cleared, you should have promoted it and run DCDIAG again on both systems to make sure everything was working.  There's so much that SHOULD have been done to get this right.

At this point, I would recommend you either start over - bring the SBS box online (AFTER you destroy the new install so you don't corrupt anything worse) and do things correctly (of course, you'll now have to cleanup the metadata on the SBS system).

If you want to waste time and fight what you have now, you start with DCDIAG on the new DC and try to troubleshoot but honestly, given the mess you have now I would STRONGLY recommend partnering with an expert who has done this before and can get it working properly.
MAS (EE Solution Guide - Technical Dept Head) Commented:
As commented above you should have a backup of your old DC first.
Then you are supposed to transfer the FSMO roles and test the new server.
Then demote the old one.
pyotrek (Author) Commented:
Hi Lee W:
1. I am running all this on HYPERV - so it is kind of easy to "backstep"
2. I did run DCDIAG before promoting the DC2016 - there were no errors.
3. The original SBS2008 has a disconnected NIC - and I have a good backup of this as well (since it is quite large in size I do not want to act on this as it will be time consuming to restore, and to be honest I have limited space as well)
4. When both DCs were online - there were no errors, and I had them running for a week before deciding to disconnect the SBS2008
5. The steps I took are as if my original DC "died".

Obviously I am doing something wrong, but I had done it many times before and it worked - I do not claim that I know 100% what I am doing, but this did not seem too complicated.
Only last month I did very similar scenario for retiring of old SBSs once with SBS2003 and once with SBS2011.
MAS (EE Solution Guide - Technical Dept Head) Commented:
When you type "net share" in a command prompt what do you see in 2016?
pyotrek (Author) Commented:

Here is what I get:

MAS (EE Solution Guide - Technical Dept Head) Commented:
Your new server is not yet a domain controller to function as a standalone DC.
Replication was incomplete. If possible bring the old server back to production.
Please check Event Viewer for related errors.

After that please check this as well

Run this command and make sure replication is happening between servers
repadmin /showrepl

Lee W, MVP (Technology and Business Process Advisor) Commented:
You create a mess when you do things this way.  Even when it should work, it doesn't always. FSMO role seizure is NOT the recommended way of doing things because there can be problems.

I strongly recommend you re-evaluate this and keep it clean.  To do this properly, you need to uninstall Exchange and get rid of Exchange information in AD or you'll have problems if you ever bring Exchange in-house again (never say never).

My advice is back out now.  Convert your existing SBS server to a VM and then set up a test environment and do this a few times in a test environment.  Or partner with someone who can give you an understanding of why certain things should be done and not done and help you get this working in your production environment without further issues and a future mess.

There are a bunch of things I want to say about configuring and proceeding with minimal effort and concerns, but I feel like they could be preaching and potentially unhelpful depending on how things are configured, so I'll stop here.
Lee W, MVP (Technology and Business Process Advisor) Commented:
I don't think bringing the old one back online will work because he's already seized the FSMO roles.  It could cause more problems depending on exactly how functional the non-functional DC is.
MAS (EE Solution Guide - Technical Dept Head) Commented:
If it is seized you are messed with your DC as commented by Lee W.
pyotrek (Author) Commented:
Lee W:
I have a copy of DC2016 before seizing the FSMO roles - so I think I am good to try what MAS is suggesting. The SBS2008 is not aware of the DC2016 with seized FSMO roles (as it was offline)
Lee W, MVP (Technology and Business Process Advisor) Commented:
Good luck.  If you're not exceedingly careful at this point you could turn this from a mess into a disaster.
MAS (EE Solution Guide - Technical Dept Head) Commented:
You have to be very careful please.
If you have a backup taken before seizure then shut down the 2016 server and restore the backup.

I suggest you partner with a consultant if you are working on production servers and that too the new version of DC and the old DC has 2 version difference. There are a lot of changes/improvements.
pyotrek (Author) Commented:
Lee W. and MAS - I appreciate your comments, and I realize my shortcomings.

I have a good backup of original SBS2008 (and DC2016 prior to seizing the FSMO roles)...and still one more day of this weekend to go before I will have to revert my experiments.

I just brought up the DC2016 (prior to seizing FSMO roles) and SBS2008 together, replicated the DCs through "Active Directory Sites and Services".
So far there are no errors in the Event Viewer on the DC2016 or SBS2008.

BUT - I just noticed that SYSVOL and NETLOGON shares are missing under \\DC2016
MAS (EE Solution Guide - Technical Dept Head) Commented:
Please check Event Viewer for file replication errors.
pyotrek (Author) Commented:
Checked Event Viewer again on both machines and there are no replication errors.

The C:\Windows\SYSVOL\domain on the DC2016 is empty while on SBS2008 there are appropriate directories and files.

I wonder if adding Server 2016 DC was too much - maybe I should try to do it in steps SBS2008 --> Server 2008 R2 --> Server 2012...etc
MAS (EE Solution Guide - Technical Dept Head) Commented:
Did you try to make a manual sync?
pyotrek (Author) Commented:
I used Active Directory Sites and Services console and did the "replicate now" on the AD connection between both servers.
MAS (EE Solution Guide - Technical Dept Head) Commented:
Do not forget you are trying to replicate from 2008 to 2016.
pyotrek (Author) Commented:
Yes I do this on SBS2008 to DC2016 and I get the message "Active Directory Domain Services has replicated the connections."

Then I go to Event Viewer and check in System log for any errors - which thus far.
Lee W, MVP (Technology and Business Process Advisor) Commented:

I want to be clear here - sometimes I'm blunt and others have taken offense.  I am not questioning your ability to learn this.  My concern is that lacking experience and that this is not (apparently) what you do on a regular basis, you're missing things and problems are arising.  There are established best practices for a reason and there are things that should be done to ensure a smooth transition now and in the future.  A professionally done migration leaves the network in a state that can be easily moved forward in the future as technology changes.  And a professionally implemented network can result in a better return on investment.  Have you implemented DFS Namespaces?  Volume Shadow Copy?  Group policies for various things like mapped drives?  These should be standard practice and will reduce administrative overhead now and in the future.  They go along with a proper decommissioning of the existing server.

I encourage learning, but like you wouldn't encourage a nurse to remove your appendix unless you had no choice, I wouldn't encourage someone without pre-established expertise to perform a major operation on a network... without further training and practice.  If you don't need to do this today, take the time and get it right by setting up a test environment and getting comfortable.  Do the migration and demotion of a test SBS server several times.  Get comfortable with how things work AFTER the migration (a proper migration doesn't leave the SBS server unbootable.  It is unusable in the sense that it will shut down after a short time, but it's still bootable and you can recover files from it).

Anyway, good luck to you.
pyotrek (Author) Commented:
Lee W - no reason to take offence here so it is not taken.

Personally I am a believer in Best Practices procedures, and I hope that you will provide your advice when I need it.
It's just that sometimes life is not perfect.

Good night to you.
pyotrek (Author) Commented:
Just an update.
The issue turned out to be related to the new DC not creating Netlogon and Sysvol shares.
And that was a result of the FRS issues not liking Server 2016 DC being added to SBS2008.

In previous migration from SBS2003 I had added 2008R2 DC prior to bringing 2016DC, and I had no such issues.
I assumed that I can jump from SBS2008 (this server runs Server 2008 not 2008R2) to 2016DC, and it was my mistake.

Since I had this done in HYPERV environment and I kept copies of the VHDs - I would be able to recover to previous "stages" of AD structure, but eventually I overcame the Sysvol missing by applying this:

and eventually copying contents of C:\windows\sysvol\domain folder from original SBS2008 to the new 2016DC - this recreated the Netlogon share.
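
Added example, not part of any participant's post: a readiness gate to run on the new DC while the old one is still online, covering the failure this thread ended on (AD replication reporting success while the SYSVOL and NETLOGON shares were never published). The function name Test-DcSysvolReadiness is hypothetical, the default path is the one quoted in the thread, and the dcdiag match assumes English-language output.

```powershell
# Added example: run on the new DC before the old DC is powered off or demoted.
# Test-DcSysvolReadiness is a hypothetical name; the default path is the one from the thread.
function Test-DcSysvolReadiness {
    [CmdletBinding()]
    param(
        [string]$SysvolDomainPath = 'C:\Windows\SYSVOL\domain'
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # A functioning DC publishes both shares; on DC2016 in the thread they were missing.
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
            $findings.Add("Share '$name' is not published")
        }
    }

    # An empty domain folder means policies and logon scripts never replicated,
    # even when AD replication itself reports success.
    if (-not (Test-Path -LiteralPath $SysvolDomainPath)) {
        $findings.Add("Folder '$SysvolDomainPath' does not exist")
    }
    elseif (-not (Get-ChildItem -LiteralPath $SysvolDomainPath -Force | Select-Object -First 1)) {
        $findings.Add("Folder '$SysvolDomainPath' is empty")
    }

    # dcdiag's own view of the same area. Matching on "failed test" assumes
    # English-language dcdiag output.
    $dcdiag = & dcdiag.exe /test:Advertising /test:SysVolCheck /test:NetLogons 2>&1
    foreach ($line in $dcdiag) {
        if ("$line" -match 'failed test (\S+)') {
            $findings.Add("dcdiag: failed test $($Matches[1])")
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

$result = Test-DcSysvolReadiness
$result | Format-List
if (-not $result.Ready) {
    Write-Warning 'Do not power off or demote the old DC yet.'
}
```
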
pyotrek (Author) Commented:
Sorry - mistake - I should have appointed the points to MAS as he pointed me in direction of file replication issue and made me notice that netlogon and sysvol shares are missing.
MAS (EE Solution Guide - Technical Dept Head) Commented:
Glad to know you sorted out your issue. Glad to help/guide you.
Correction. Now you can close the question again.