mkavinsky

SBS 2011 server after Win2016 migration, shutting down and not cleanly demoting

Experts,

I have quite an issue here that I am just stumped on. I have a client that I did a server migration for, from SBS2011 to Windows Server 2016 Standard. Pretty straightforward; the Win16 Server is a new server, thus the migration and not an upgrade.

Things have been running for several months now, but weekly the SBS server just shuts off. Nothing is logged in the event logs. I had already disabled the Sbcore.exe, which is the file that auto shuts down an SBS server after 21 days, I believe, once it is no longer the main domain controller (or knows there is now a new DC). Yet it still will shut down. When the SBS server shuts down, the network just comes to a halt. Users can't access files on the Win2016 server, financial software doesn't work (basically nothing is authenticating), even though the new DC is up and running without issues.

The Win2016 server is the AD, DNS, DHCP, File server. I was just keeping the SBS server running as the print server and for some archive storage files.

All the FSMO roles are transferred over just fine, and when I do a netdom query FSMO it lists the new server for all of them. When I go to run a dcpromo to demote the SBS server, it tells me it can't find another DC on the network???? So I cancel it until I can figure out what is going on. I don't want to force that SBS server out of there if all the clients are still somehow reporting to it?

The workstations are all pointing to the new DNS server, and AD seems to be replicating just fine (so does DNS) between the 2 servers - if I add an account or computer, both servers replicate it.

I am just stumped and need to get this resolved because the SBS server just keeps shutting down. I thought it was maybe a SharePoint issue (even though they do not use SharePoint), so I disabled SharePoint services on the SBS server, but still no luck.

Anyone ever run into this before and how can I "Clean this up" and make sure the Win2016 server is the only DC and I can gracefully demote the SBS server??

thank you
Shaun Vermaak

All clients have the new DC as DNS server? Once everything works with SBS off, you can forcefully remove it (after creating backups of both servers of course)
First, you can't keep SBS around as a print and file server. You have to retire it. EE policies don't cover advice on doing illegal things so that's that. The weekly shutdown is expected.

For the second, so you CAN retire it, dcdiag each server. That the network stops when it shits down leads me to believe that your new DC is not yet advertising. Which makes me think replication was broken from the jump. Dcdiag and event logs can help figure that out though.
Hmmm shits down
Agree with Cliff - EE policies and a strong moral compass (following rules and licensing you agreed to when you installed it - yes you didn't read it because no one does - doesn't mean you're not bound by them) require you to get rid of the server. Want to keep using the hardware? Reload Linux, buy another license, etc.

And if it's going off and people have issues logging in and accessing resources, then as Cliff stated, clearly there's something wrong with the AD which is what you should be troubleshooting.
mkavinsky

ASKER

Thanks Cliff, let me run a DCDiag and see what I can come up with. I've used SBS servers before as a member server - there's nothing wrong with licensing for that. It just can't be a domain controller because that does violate licensing. But a Win2008 member server should still work fine once properly demoted. I'll let you know what I come up with. Thanks.
Yikes....... here's the DCDiag:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SBS2011
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SBS2011
      Starting test: Connectivity
         ......................... SBS2011 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SBS2011
      Starting test: Advertising
         ......................... SBS2011 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after
         SYSVOL has been shared.  Failing SYSVOL replication problems may
         Group Policy problems.
         ......................... SBS2011 failed test FrsEvent
      Starting test: DFSREvent
         ......................... SBS2011 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SBS2011 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SBS2011 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SBS2011 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SBS2011 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=vidaro,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=vidaro,DC=local
         ......................... SBS2011 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SBS2011 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SBS2011 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SBS2011 passed test Replications
      Starting test: RidManager
         ......................... SBS2011 passed test RidManager
      Starting test: Services
         ......................... SBS2011 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00003006
            Time Generated: 05/18/2018   11:38:49
            Event String:
            The SAM database was unable to lockout the account of Administ
due to a resource error, such as a hard disk write failure (the specific e
ode is in the error data) . Accounts are locked after a certain number of
sswords are provided so please consider resetting the password of the acco
ntioned above.
         An error event occurred.  EventID: 0x00003006
            Time Generated: 05/18/2018   12:13:40
            Event String:
            The SAM database was unable to lockout the account of Administ
due to a resource error, such as a hard disk write failure (the specific e
ode is in the error data) . Accounts are locked after a certain number of
sswords are provided so please consider resetting the password of the acco
ntioned above.
         An error event occurred.  EventID: 0x00003006
            Time Generated: 05/18/2018   12:23:52
            Event String:
            The SAM database was unable to lockout the account of Administ
due to a resource error, such as a hard disk write failure (the specific e
ode is in the error data) . Accounts are locked after a certain number of
sswords are provided so please consider resetting the password of the acco
ntioned above.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 05/18/2018   12:33:39
            Event String:
            Driver PrintBoss 50 required for printer PrintBoss 50 is unkno
ntact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 05/18/2018   12:33:40
            Event String:
            Driver Amyuni Document Converter 400 required for printer ABS
iver v400 is unknown. Contact the administrator to install the driver befo
 log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 05/18/2018   12:33:40
            Event String:
            Driver Microsoft XPS Document Writer v4 required for printer M
ft XPS Document Writer is unknown. Contact the administrator to install th
er before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 05/18/2018   12:33:42
            Event String:
            Driver Amyuni Document Converter 400 required for printer ABS
iver v400 (redirected 2) is unknown. Contact the administrator to install
iver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 05/18/2018   12:33:43
            Event String:
            Driver Microsoft XPS Document Writer v4 required for printer M
ft XPS Document Writer (redirected 2) is unknown. Contact the administrato
nstall the driver before you log in again.
         ......................... SBS2011 failed test SystemLog
      Starting test: VerifyReferences
         ......................... SBS2011 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDo
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDo
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValid

   Running partition tests on : xxxxx
      Starting test: CheckSDRefDom
         ......................... xxxxx passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... xxxxx passed test CrossRefValidation

   Running enterprise tests on : xxxxx.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... xxxxx.local failed test LocatorCheck
      Starting test: Intersite
         ......................... xxxxx.local passed test Intersite




Does it look like replication needs to be fixed? GC can't be found either. Any ideas?

thank you very much for the help!
"I've used SBS servers before as a member server - there's nothing wrong with licensing for that."  That is ABSOLUTELY COMPLETELY WRONG.

If you can find a single authoritative source for that comment, I will eat my crow and humble pie, but I am 99.9999999999999 (and many more) percent sure that is absolutely incorrect.  It goes against the very intent of SBS (and *really* messes with CAL needs too.)  

As for fixing your DC, I'd need to really dig in to know more.  It could be as simple as a journal wrap, or something much more complex.  That'd require several more DCDiag tests and careful monitoring of all event logs.  When I see lockout failures and hint of resource failures, I start worrying about major database corruption or disk failures.   There's enough going on there that I wouldn't want to randomly speculate without a serious deep-dive audit.
Some things I was looking up were saying I may need to run the adprep all over again? Maybe that wasn't completed correctly?
Definitely not.  ADPrep updates schemas, not data.  You have other things happening.
It appears there are FRS errors. Logs are showing 13555 and 13552 errors. Ran a dcdiag /v and also saw:


Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
            Could not open NTDS Service on WIN2016, error 0x5 "Access is denied."
         * Checking Service: DnsCache
         * Checking Service: NtFrs
            NtFrs Service is stopped on [WIN2016]
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... WIN2016 failed test Services


and this:

  Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\WIN2016\netlogon)
         [WIN2016] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... WIN2016 failed test NetLogons
      Starting test: ObjectsReplicated
         WIN2016 is in domain DC=vidaro,DC=local
         Checking for CN=WIN2016,OU=Domain Controllers,DC=vidaro,DC=local in domain DC=vidaro,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=WIN2016,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vidaro,DC=local in domain CN=Configuration,DC=vidaro,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... WIN2016 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         [Replications Check,WIN2016] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Replication access was denied."
         ......................... WIN2016 failed test Replications


The WIN2016 is the new domain controller.
Temporarily I've moved the FSMO roles back to the original SBS server and made sure it was a GC again...... until I can figure out how to fix this and get the 2 DCs to talk and sync here.
ASKER CERTIFIED SOLUTION
Cliff Galiher

This solution is only available to members.
Going to be tough to wipe and reinstall. That server is now in production and has all the users' data files on it. Can I just dcpromo it back to a member server and then start the migration over? As you said, work through the errors on the SBS and then make the Win2016 a DC again?
Considering some of the things I saw, I suspect something has clobbered some of the accounts and services. I'd migrate the data off.
Thank you very much for your advice and expertise. I do appreciate you taking the time to look into this. I'll be onsite at the client next week and will take care of this.

thank you again
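
An added example, not part of the original thread or any poster's code: a small Python parser that lists the failed tests per target from saved dcdiag text like the output posted above, so the failures on each DC can be compared side by side. The names `failed_tests` and `SAMPLE` are chosen for this example, and the sample is a shortened excerpt of the thread's own output.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt of the dcdiag output posted in this
# thread, keeping the truncated and wrapped result lines seen there.
SAMPLE = """\
      Starting test: Advertising
         ......................... SBS2011 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after
         SYSVOL has been shared.
         ......................... SBS2011 failed test FrsEvent
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDo
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   Running enterprise tests on : xxxxx.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... xxxxx.local failed test LocatorCheck
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\b")


def failed_tests(report):
    """Map each target (server, partition, forest) to its failed tests."""
    failures = defaultdict(list)
    current, details = None, []
    for line in report.splitlines():
        if m := START.match(line):
            # Name taken here: the result line may be truncated or wrapped.
            current, details = m.group(1), []
        elif m := RESULT.match(line):
            if current and m.group(2) == "failed":
                failures[m.group(1)].append((current, details))
            current = None
        elif current and line.strip():
            details.append(line.strip())
    return dict(failures)


if __name__ == "__main__":
    for target, tests in failed_tests(SAMPLE).items():
        for name, details in tests:
            print(f"{target}: {name} failed", *details, sep="\n    ")
```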