Active Directory not available after "main" DC died

pyotrek
I have a location that still runs on SBS 2008.
I have added new server "DC2016" with Server 2016 and made it DC - transferred all needed data, replicated AD, and turned off the "old" SBS2008.

As soon as I turn off the old SBS2008 I am unable to open Active Directory Users and Computers.
I get the following error:

err1.JPG
I think that I had done exactly the same before, and did not have that issue.
I changed the NIC on the DC2016 to point to itself, seized the FSMO roles, performed "metadata cleanup" to remove old SBS2008, removed any references in the DNS to SBS2008.

I've done this "million" times before and this time it gives me hard time - do I have a brain fart?
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Did you transfer FSMO roles before shutting down?
If not please transfer FSMO role and try.

Author

Commented:
No I did not transfer FSMO roles. I turned off the old SBS2008 (I want to keep it intact in case I need something off of it), and I seized the FSMO roles.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
That's a problem.  You didn't migrate it properly and you could have corrupted something.  If you wanted the old server available, you should have backed it up first.  Then properly transferred things.

You should have run DCDIAG before you ever promoted the second DC.  Once that cleared, you should have promoted it and run DCDIAG again on both systems to make sure everything was working.  There's so much that SHOULD have been done to get this right.

At this point, I would recommend you either start over - bring the SBS box online (AFTER you destroy the new install so you don't corrupt anything worse) and do things correctly (of course, you'll now have to cleanup the metadata on the SBS system).

If you want to waste time and fight what you have now, you start with DCDIAG on the new DC and try to troubleshoot but honestly, given the mess you have now I would STRONGLY recommend partnering with an expert who has done this before and can get it working properly.

MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
As commented above you should have a backup of your old DC first.
Then you are supposed to transfer the FSMO roles and test the new server.
Then demote the old one.

Author

Commented:
Hi Lee W :
1. I am running all this on HYPERV - so it is kind of easy to "backstep"
2. I did run DCDIAG before promoting the DC2016 - there were no errors.
3. The original SBS2008 has disconnected NIC - and I have good backup of this as well (since it is quite large in size I do not want to act on this as it will be time consuming to restore, and to be honest I have limited space as well)
4. When both DCs were online - there were no errors, and I had them running for a week before deciding to disconnect the SBS2008
5. The steps I took are as if my original DC "died".

Obviously I am doing something wrong, but I had done it many times before and it worked - I do not claim that I know 100% what I am doing, but this did not seem too complicated.
Only last month I did very similar scenario for retiring of old SBSs once with SBS2003 and once with SBS2011.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
When you type "net share" in a command prompt, what do you see in 2016?

Author

Commented:
MAS:

here is what I get:

netshare.JPG
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
Your new server is not yet a domain controller to function as a standalone DC.
Replication was incomplete. If possible bring the old server back to production.
Please check eventviewer for related errors.

After that please check this as well
https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi

Run this command and make sure replication is happening between servers
repadmin /showrepl
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
You create a mess when you do things this way.  Even when it should work, it doesn't always. FSMO role seizure is NOT the recommended way of doing things because there can be problems.

I strongly recommend you re-evaluate this and keep it clean.  To do this properly, you need to uninstall Exchange and get rid of Exchange information in AD or you'll have problems if you ever bring Exchange in-house again (never say never).

My advice is back out now.  Convert your existing SBS server to a VM and then setup a test environment and do this a few times in a test environment.  Or partner with someone who can give you an understanding of why certain things should be done and not done and help you get this working in your production environment without further issues and a future mess.

There are a bunch of things I want to say about configuring and proceeding with minimal effort and concerns, but I feel like they could be preaching and potentially unhelpful depending on how things are configured, so I'll stop here.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
I don't think bringing the old one back online will work because he's already seized the FSMO roles.  It could cause more problems depending on exactly how functional the non-functional DC is.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
If it is seized you are messed with your DC as commented by Lee W.

Author

Commented:
Lee W:
I have a copy of DC2016 before seizing the FSMO roles - so I think I am good to try what MAS is suggesting. The SBS2008 is not aware of the DC2016 with seized FSMO roles (as it was offline)
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
Good luck.  If you're not exceedingly careful at this point you could turn this from a mess into a disaster.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
You have to be very careful please.
If you have a backup taken before seizure then shutdown 2016 server and restore the backup.

I suggest you partner with a consultant if you are working on production servers and that too the new version of DC and the old DC has 2 version difference. There are a lot of changes/improvements.

Author

Commented:
Lee W. and MAS - I appreciate your comments, and I realize my shortcomings.

I have a good backup of original SBS2008 (and DC2016 prior to seizing the FSMO roles)...and still one more day of this weekend to go before I will have to revert my experiments.

I just brought up the DC2016 (prior to seizing FSMO roles) and SBS2008 together, replicated the DC's through  "Active Directory Sites and Services"
So far there are no errors in the Event Viewer on the DC2016 or SBS2008.

BUT - I just noticed that SYSVOL and NETLOGON shares are missing under \\DC2016
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Please check eventviewer for file replication errors.

Author

Commented:
MAS:
checked again Event Viewer on both machines and there are no replication errors.

The C:\Windows\SYSVOL\domain on the DC2016 is empty while on SBS2008 there are appropriate directories and files.

I wonder if adding Server 2016 DC was too much - maybe I should try to do it in steps SBS2008 --> Server 2008 R2 --> Server 2012...etc
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Did you try to make a manual sync?

Author

Commented:
I used Active Directory Sites and Services console and did the "replicate now" on the AD connection between both servers.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Do not forget you are trying to replicate from 2008 to 2016.

Author

Commented:
Yes I do this on SBS2008 to DC2016 and I get the message "Active Directory Domain Services has replicated the connections."

Then I go to Event Viewer and check in System log for any errors - which thus far.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
pyotrek,

I want to be clear here - sometimes I'm blunt and others have taken offense.  I am not questioning your ability to learn this.  My concern is that lacking experience and that this is not (apparently) what you do on a regular basis, you're missing things and problems are arising.  There are established best practices for a reason and there are things that should be done to ensure a smooth transition now and in the future.  A professionally done migration leaves the network in a state that can be easily moved forward in the future as technology changes.  And a professionally implemented network can result in a better return on investment.  Have you implemented DFS Namespaces?  Volume Shadow Copy?  Group policies for various things like mapped drives?  These should be standard practice and will reduce administrative overhead now and in the future.  They go along with a proper decommissioning of the existing server.

I encourage learning, but like you wouldn't encourage a nurse to remove your appendix unless you had no choice, I wouldn't encourage someone without pre-established expertise to perform a major operation on a network... without further training and practice.  If you don't need to do this today, take the time and get it right by setting up a test environment and getting comfortable.  Do the migration and demotion of a test SBS server several times.  Get comfortable with how things work AFTER the migration (a proper migration doesn't leave the SBS server unbootable.  It is unusable in the sense that it will shutdown after a short time, but it's still bootable and you can recover files from it).

Anyway, good luck to you.

Author

Commented:
Lee W - no reason to take offence here so it is not taken.

Personally I am a believer in Best Practices procedures, and I hope that you will provide your advice when I need it.
It's just that sometimes life is not perfect.

Good night to you.

Author

Commented:
Just an update.
The issue turned out to be related to new DC not creating Netlogon and Sysvol shares.
And that was result of the FRS issues not liking Server 2016 DC being added to SBS2008.

In previous migration from SBS2003 I had added 2008R2 DC prior to bringing 2016DC, and I had no such issues.
I assumed that I can jump from SBS2008 (this server runs Server 2008 not 2008R2) to 2016DC, and it was my mistake.

Since I had this done in HYPERV environment and I kept copies of the VHDs - I would be able to recover to previous "stages" of AD structure, but eventually I overcame the Sysvol missing by applying this:

https://support.microsoft.com/en-us/help/947022/the-netlogon-share-is-not-present-after-you-install-active-directory-d

and eventually copying contents of C:\windows\sysvol\domain folder from original SBS2008 to the new 2016DC - this recreated the Netlogon share.
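
The condition behind this thread (a new DC that replicates AD but never shares SYSVOL and NETLOGON) can be checked before the old DC is switched off. The following read-only script is an added example, not part of any post above; it assumes PowerShell on Windows Server 2012 or later, an elevated session on the new DC, and SYSVOL in its default location, and the function name Test-DcSysvolReadiness is hypothetical.

```powershell
# Added example (not from the thread): read-only readiness check, run on the NEW DC
# before the old one is powered off. Function name and default path are assumptions.
function Test-DcSysvolReadiness {
    [CmdletBinding()]
    param(
        # Default SYSVOL location; change it if SYSVOL was placed elsewhere at promotion.
        [string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL')
    )

    # A DC that is ready to stand alone shares both SYSVOL and NETLOGON.
    $shareNames = @(Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } |
        ForEach-Object { $_.Name })

    # Netlogon creates those shares only after SysvolReady is set to 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # An empty domain folder means the initial SYSVOL replication never finished,
    # so Group Policy and logon scripts would not be served from this DC.
    $domainDir = Join-Path $SysvolRoot 'domain'
    $items = @(Get-ChildItem -Path $domainDir -ErrorAction SilentlyContinue)

    # Which SYSVOL replication service is running (FRS = NtFrs, DFS Replication = DFSR).
    $engines = @(Get-Service -Name 'NtFrs', 'DFSR' -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })

    $result = [pscustomobject]@{
        SysvolShared       = $shareNames -contains 'SYSVOL'
        NetlogonShared     = $shareNames -contains 'NETLOGON'
        SysvolReady        = ($null -ne $params) -and ($params.SysvolReady -eq 1)
        DomainFolderItems  = $items.Count
        ReplicationService = $engines -join ','
    }
    $ok = $result.SysvolShared -and $result.NetlogonShared -and
          $result.SysvolReady -and ($result.DomainFolderItems -gt 0)
    $result | Add-Member -NotePropertyName SysvolPublished -NotePropertyValue $ok -PassThru
}

$check = Test-DcSysvolReadiness
$check | Format-List

# Cross-check with the built-in tools; repadmin /showrepl is the command quoted in the thread.
foreach ($test in 'Advertising', 'NetLogons', 'SysVolCheck') { dcdiag "/test:$test" }
repadmin /showrepl

if (-not $check.SysvolPublished) {
    Write-Warning 'SYSVOL/NETLOGON are not published: keep the old DC online and fix replication first.'
}
```

A successful "replicate now" in Active Directory Sites and Services only covers directory replication; SYSVOL content is replicated separately, which is why the checks above look at the shares and the folder contents directly.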

Author

Commented:
Sorry - mistake - I should have appointed the points to MAS as he pointed me in direction of file replication issue and made me notice that netlogon and sysvol shares are missing.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Glad to know you sorted out your issue. Glad to help/guide you.
Correction. Now you can close the question again.
