How to create a working Secondary DC from a Primary DC running on SBS 2008

I have a SBS 2008 system that I am planning to replace very soon.  We had hired someone to create a secondary domain controller (RODC) on a WS2012 R2 server a couple of years ago which I thought was operational but I don't think it was completely successful.  I attempted to create a third domain controller recently on a WS2016 server and it also doesn't seem to function properly.  When I run DCDIAG on the primary (SBS 2008) system it runs successfully except for some syslog errors.  On the WS2012 RODC DCDIAG fails the Advertising, FrsEvent and KCCEvent.  The latest one I created fails Advertising but passes the rest with some warnings.  But in both cases SYSVOL is not replicating.  I would like a fully operational secondary DC that can take over as a primary DC when I transition the SBS 2008 system to WS2016.

I have searched around and it would seem that I should be able to create a secondary DC from  the SBS 2008 system.  Just not sure why my attempts are failing.
Tfed (Process Control & IT Manager) asked:
Tfed (Author, Process Control & IT Manager) commented:
Finally set up the SBS 2008 server into a virtual test environment.  Went through a number of iterations using BurFlags and Enable Journal Wrap Automatic Restore but neither would resolve the Journal Wrap error.  After digging through the web I discovered the following link:

https://social.technet.microsoft.com/Forums/en-US/6bb1c861-d09e-4046-b0e0-d811523dd7ae/corruption-of-nt-file-replication-database?forum=smallbusinessserver

Using the following steps cleared the journal wrap error:

net stop netlogon
net stop ntfrs
ren %SystemRoot%\ntfrs\jet\ntfrs.jdb ntfrs.old
ren %SystemRoot%\ntfrs\jet\sys\edb.chk edb.old
ren %SystemRoot%\ntfrs\jet\log\edb.log edblog.old
ren %SystemRoot%\ntfrs\jet\log\res1.log res1.old
ren %SystemRoot%\ntfrs\jet\log\res2.log res2.old
net start ntfrs
net start netlogon

After this I elevated the domain level up to 2008 and was able to add a secondary DC (VM) running WS2016 and the replication worked as it should.

The next step will be to try it in the real world.
0
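The batch steps above, wrapped as an added PowerShell procedure (not from the thread or from Microsoft) that checks each step and confirms the SYSVOL and NETLOGON shares are back afterwards. It assumes FRS still replicates SYSVOL (as on SBS 2008), PowerShell 2.0, and an elevated prompt on the DC that reports journal wrap (FRS event 13568).

```powershell
# Added example, not from the thread: the accepted answer's NTFRS Jet database reset
# with verification. Run elevated on the DC reporting journal wrap (FRS event 13568).

function Test-SysvolShares {
    # Parses 'net share' so it works on SBS 2008 (PowerShell 2.0, no Get-SmbShare).
    $names = @((net share) | Where-Object { $_ -match '^(SYSVOL|NETLOGON)\s' } |
               ForEach-Object { ($_ -split '\s+')[0].ToUpper() })
    New-Object PSObject -Property @{
        Sysvol   = ($names -contains 'SYSVOL')
        Netlogon = ($names -contains 'NETLOGON')
    }
}

function Reset-NtfrsJetDatabase {
    $jet = Join-Path $env:SystemRoot 'ntfrs\jet'
    if (-not (Test-Path $jet)) { throw "No FRS Jet directory at $jet; is SYSVOL already on DFSR?" }

    # The same five files the thread renames, relative to %SystemRoot%\ntfrs\jet.
    $targets = 'ntfrs.jdb', 'sys\edb.chk', 'log\edb.log', 'log\res1.log', 'log\res2.log'
    $started = Get-Date
    $suffix  = '.' + $started.ToString('yyyyMMddHHmmss') + '.old'

    # Netlogon publishes the SYSVOL/NETLOGON shares, so it stops first and starts last.
    Stop-Service -Name Netlogon -Force
    Stop-Service -Name NtFrs -Force
    foreach ($rel in $targets) {
        $path = Join-Path $jet $rel
        if (Test-Path $path) {
            # Keep the old file alongside (e.g. ntfrs.jdb.<timestamp>.old) rather than deleting it.
            Rename-Item -Path $path -NewName ((Split-Path $path -Leaf) + $suffix)
        }
    }
    Start-Service -Name NtFrs
    Start-Service -Name Netlogon

    # FRS rebuilds its database and logs 13516 once it stops blocking DC operation;
    # a fresh 13568 after the reset means the journal wrap is back and the cause lies elsewhere.
    Start-Sleep -Seconds 60
    $events = @(Get-EventLog -LogName 'File Replication Service' -After $started |
                Where-Object { @(13516, 13568) -contains $_.EventID } |
                Select-Object TimeGenerated, EventID)
    New-Object PSObject -Property @{
        Shares    = Test-SysvolShares
        FrsEvents = $events
    }
}

Reset-NtfrsJetDatabase
```

If the shares are still missing after a few minutes, check the FRS event log for the reason before repeating the reset; re-running it blindly only discards more state.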
 
Cliff Galiher commented:
If you are having errors, you need to address the errors. Even if they seem minor. It may also be worth deleting and cleaning up the failing DCs before trying again. New DCs only start advertising after other DCs report healthy to avoid conflicts.
0
 
Tfed (Author, Process Control & IT Manager) commented:
I'm not getting errors on the Primary other than syslog errors which I understand shouldn't be an issue.  The reason I tried creating the third DC was my attempt at starting over.
0
 
Cliff Galiher commented:
If you didn't clean out or clean up the second DC, the third was going to fail before you even started.  I'd still do what I recommended.  "only" syslog errors are still errors.
0
 
Tfed (Author, Process Control & IT Manager) commented:
Cliff,

I cleared the system log in the event view and the DCDIAG runs without errors.  As far as removing/deleting the two secondary DCs, what is the best method for doing that?

Thanks,
Ted
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Not sure who you hired or why you wanted an RoDC - There are scenarios where they make sense, but I suspect it was a misunderstanding of what an RoDC does and how it works.

I agree with Cliff, get rid of the existing DCs and start clean.  IDEALLY, partner with someone who has experience in this.  You can create a Gig here (though you don't seem to want them) or browse through expert profiles and pick someone who knows what they are doing.

Let me stress, I'd consider you VERY UNWISE if you go ahead and do this yourself without the appropriate experience/AD knowledge, but in short, I would:

Demote both the RoDC and the new DC you tried to create.  If DCPROMO fails to demote, then use the /FORCEREMOVAL switch.  Then you'll need to remove them from AD itself - I usually use Dan Petri's https://www.petri.com/delete_failed_dcs_from_ad as a guideline/checklist.  Don't forget to remove the DNS entries and the entry from Sites and Services for removed DCs.  Then run DCDIAG /C /E /V and ensure everything checks out.  Once AD is healthy again, use Server Manager to promote the 2016 server to a DC.  Once promoted, run DCDIAG /C /E /V on EACH DC and correct any unexpected errors.

Don't forget, the new DC should be virtual!

At a minimum if you don't want to partner with an experienced professional, setup a test network (virtualization is great!) and do this a couple of times to get at least a little experience and do it on a network where you can ask questions and the consequences aren't potentially disastrous if you mess up.
0
 
Tfed (Author, Process Control & IT Manager) commented:
Maybe a dumb question, but what is a Gig?
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
https://www.experts-exchange.com/gigs/

According to your question, you are not accepting them.  When you asked the question, you unchecked the box:
Allow members to recommend freelance Gig projects or Live mentor requests to solve my project.
0
 
Kev Tom commented:
SBS 2008 uses FRS to replicate SYSVOL by default but the latest version of Server 2016 does not support FRS and only supports DFSR. You will need to set SBS 2008 to use DFSR for replication and that will resolve these issues.

Steps: https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/
0
 
Tfed (Author, Process Control & IT Manager) commented:
Would it be best to delete the secondary DC first and then do an upgrade to DFSR on the SBS 2008 server and then create a new SDC?
0
 
Tfed (Author, Process Control & IT Manager) commented:
I went ahead and tried to do the migration to DFS with bad results.

I elevated the forest & domain on the PDC from 2003 level to 2008 first.  Didn't see any issues or error come up.
I ran the DCDIAG afterwards and it showed an error regarding NTFRS Journal Wrap Errors.
So I followed a procedure for Enable Journal Wrap Automatic Restore which moved everything from sysvol to a new folder called NtFrs_PreExisting___See_EventLog.
Since then I have lost my domain and sysvol and netlogon have disappeared when running net share.
Without the sysvol and netlogon the domain won't reestablish itself.

Any ideas on how to get that restored without doing a full restore of the system from backup?

Thanks,
Ted
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
> So I followed a procedure for Enable Journal Wrap Automatic Restore which moved everything from sysvol to a new folder called NtFrs_PreExisting___See_EventLog.

What procedure did you follow?  Link please.

And are you now working on a test network or still trying to do this on a live network?
0
 
Tfed (Author, Process Control & IT Manager) commented:
0
 
Cliff Galiher commented:
Can't go back now. The very first thing that article states is a step to make a backup.

Then that process assumes a working DC elsewhere to replicate from. Which you apparently don't have. And the first comment on that article points out that assumption and serves as a good warning. With only one DC, it can't "restore" a working copy.

Time to brush off that backup. And as some advice don't run commands from the internet if you don't understand what they are going to do. Someone could post a blog post claiming to fix an error but that installs malware just as easily. Consider any information on the net "untrusted." That would have saved you from this mess.

And if you don't have time to dig in and learn, hire someone.
0
 
Tfed (Author, Process Control & IT Manager) commented:
I did do a shadow copy before starting that process.  Would I not be able to copy the sysvol folder from the shadow copy and then follow the procedure in Lee's response?
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
In my opinion, you're digging yourself a deeper and deeper hole.  Maybe you get lucky and fix things... but I think with each misstep you're moving closer to a complete network rebuild or an even more expensive session with a consultant to fix the problems.
0
 
Tfed (Author, Process Control & IT Manager) commented:
Going to do a restore and proceed from there.  Thanks so far for your input!
0
 
Tfed (Author, Process Control & IT Manager) commented:
After the restore is complete, I will need to clean up the metadata that is there for the SDC that is no longer there.  I would follow the procedures outlined in:
https://social.technet.microsoft.com/wiki/contents/articles/3984.domain-controller-demotion-and-metadata-cleanup.aspx

or

https://support.microsoft.com/en-us/help/216498/how-to-remove-data-in-active-directory-after-an-unsuccessful-domain-co

I had tried doing some clean up on the failed domain, but the data kept coming back every time I reentered the DNS Manager.  I'm hoping that it was because of the fact that it wasn't functioning properly.
0
 
Kev Tom commented:
I would also suggest getting a consultant to assist you with this.

If you are still going ahead with the restore then the steps would be:

1) Demote the 2012 and 2016 DCs + remove them from the domain and do the metadata cleanup on the SBS server
2) Check AD health on the SBS 2008 server
3) Raise Forest level
4) FRS to DFSR
5) Add 2016 server and promote to DC
0
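A readiness check for the steps Kev Tom lists (after metadata cleanup, before promoting the 2016 server), added here as example code that is not from the thread or from Microsoft. It runs on SBS 2008 itself with PowerShell 2.0 and plain LDAP, so no RSAT modules are needed; $KeepDc, the DC names that should still exist, is the only assumption, and the SBSSERVER name at the bottom is a placeholder.

```powershell
# Added example, not from the thread: verifies the domain is clean before a new DC is promoted.
# Run elevated on the SBS 2008 DC. Leftover NTDS Settings objects and stale DC locator
# records are exactly what makes a new DC fail Advertising, as described in the question.
function Test-DomainReadyForNewDc {
    param([string[]]$KeepDc = @($env:COMPUTERNAME))      # DCs that should still exist
    $rootDse = [adsi]'LDAP://RootDSE'
    $cfgNc   = [string]$rootDse.Get('configurationNamingContext')
    $dnsRoot = (([string]$rootDse.Get('defaultNamingContext')) -replace 'DC=', '') -replace ',', '.'

    # 1) Leftover NTDS Settings objects: a demoted DC that was not cleaned up still has one.
    $searcher = New-Object DirectoryServices.DirectorySearcher([adsi]"LDAP://CN=Sites,$cfgNc", '(objectClass=nTDSDSA)')
    $ntdsOwners = @(foreach ($r in $searcher.FindAll()) {
        if ($r.Path -match 'CN=NTDS Settings,CN=([^,]+),') { $Matches[1] }
    })
    $staleNtds = @($ntdsOwners | Where-Object { $KeepDc -notcontains $_ })

    # 2) Stale DC locator records in DNS (the "entries that keep coming back" in the thread).
    $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$dnsRoot" 2>$null | Out-String
    $srvHosts = @([regex]::Matches($srv, 'svr hostname\s*=\s*([^\s.]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    $staleSrv = @($srvHosts | Where-Object { $KeepDc -notcontains $_ } | Sort-Object -Unique)

    # 3) Functional level: 3 = Windows Server 2008, the minimum for the FRS-to-DFSR migration.
    $forestLevel = [int]$rootDse.Get('forestFunctionality')

    # 4) SYSVOL replication engine state; 'Eliminated' means the DFSR migration is complete.
    $dfsr = (dfsrmig /getglobalstate 2>&1 | Out-String).Trim()

    # 5) dcdiag across all DCs; every "failed test X" line must be fixed before promoting.
    $diag   = dcdiag /c /e /v 2>&1 | Out-String
    $failed = @([regex]::Matches($diag, '(\S+) failed test (\S+)') |
                ForEach-Object { "$($_.Groups[1].Value): $($_.Groups[2].Value)" })

    New-Object PSObject -Property @{
        StaleNtdsSettings = $staleNtds
        StaleDcSrvRecords = $staleSrv
        ForestLevel       = $forestLevel
        DfsrGlobalState   = $dfsr
        FailedDcdiagTests = $failed
        ReadyToPromote    = ($staleNtds.Count -eq 0 -and $staleSrv.Count -eq 0 -and
                             $forestLevel -ge 3 -and $failed.Count -eq 0)
    }
}

Test-DomainReadyForNewDc -KeepDc 'SBSSERVER'   # placeholder: the SBS 2008 DC's own name
```

Anything listed under StaleNtdsSettings or StaleDcSrvRecords still needs the metadata cleanup and DNS removal from step 1; ReadyToPromote only turns true once those lists and the dcdiag failures are empty.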
 
Tfed (Author, Process Control & IT Manager) commented:
Kev,

Your list of things to do are exactly what I was planning to do, except I checked the AD health after the forest/domain level upgrade.  That's when I started chasing the journal wrap error.  My plan now is to wait until my new servers arrive on-site and then I will have an environment where I can create a virtual machine to test with.

The reason I was asking about the metadata is that the other DCs have already been demoted, but the restored server wouldn't be aware of that as the restore point was from 4:00AM this morning before I removed the last DCs after that.

Thx!
Ted
0
 
Kev Tom commented:
You will then have to manually remove the 2012 & 2016 DCs on the restored SBS server.

https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/

Also remove all remaining DNS entries pointing to the offline DCs.

Check AD health and wait some time for everything to normalize and to ensure that everything is working before making further changes.

Make backups before and after each step
0
 
Tfed (Author, Process Control & IT Manager) commented:
Kev,

Appreciate the help!  Will try to get the metadata cleaned up and then I will wait until the new servers arrive before doing much more.

Thanks!
Ted
0
 
Tfed (Author, Process Control & IT Manager) commented:
The other answers didn't suggest looking at repairing the FRS database as outlined in my response.  The solution was found on another technical service website.
0