mkavinsky

windows 2016 server migration

Windows 2008 server migration to Windows standard 2016.  I'm having an issue here after a migration to a new 2016 domain controller.  The DC holds all the FSMO roles, is the global catalog server, DHCP, DNS points to it and the client desktops do too.  Yet I want to DCPromo to demote the 2008 server, but before I do that I wanted to make sure everything is healthy and working.  If I disconnect or power down the 2008 server, all of a sudden the client stations lose the internal network name, which then shows up as "network 3" or 4, etc., and not the local domain name.

Then I check on the 2016 server and when I go to open AD it's giving me errors that no domain controller can be contacted.

At a command prompt I will run the netdom query fsmo and I'll get the error that the domain either does not exist or could not be contacted.

I will run a DCDiag and most tests come back passed except for:

1) Netlogon test - user credentials does not have permission to perform this operation (yet I am signed on as the primary administrator)
2) replication attempt failed between the 2 servers  (error 1256)
3) could not open NTDS service on the 2016 server (error x5, access is denied)
4) unable to connect to NETLOGON share  - error 6, network name cannot be found  (yet this is being shared?)
5) when the 2008 server was down it also showed:

Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... "domain.local" failed test LocatorCheck


When I connect the 2008 server again and run a dcdiag I will get similar errors above except for the last one - but it will still say "All GCs are down"

Now the 2008 is no longer a GC but the 2016 server is

I've been going over this and am not sure what the issue is.  DNS and AD seem to replicate just fine when both DCs are running, but I don't want to demote the 2008 server until this is clean

Thank you for any help you can provide
Peter Hutchison

Make sure you update the DNS IP Address list for DHCP for the clients.
Also, any new DC servers do not automatically become Global Catalog servers, so you need to manually enable it on the new server via AD Sites and Services, via server's NTDS settings.
mkavinsky

ASKER

Thank you for your input but all of that was already done.  We had all the clients with static IPs pointing to the new DNS server, the global catalog was manually done and I keep verifying that it is a GC
Is the new server in the same site or same subnet as the old server? Check AD Sites and Services and make sure the new DC is in the correct site and all relevant subnets in use by servers and clients are in the list.
Yes, same physical site, same subnet.  Everything in AD appears to look fine
Run NET SHARE on new DC. Has Sysvol and Netlogon been replicated ok? Check the DFS Replication event log for errors. It looks from the errors that DFSR replication has not completed yet.

In Powershell, check FSMO and GC status:

Get-ADDomainController -Id servername
  Hostname = servername.domain
  IsGlobalCatalog = True (or False)

Get-ADDomain
  InfrastructureMaster =
  PDCEmulator =
  RIDMaster =
 
Get-ADForest
  DomainNamingMaster =
  SchemaMaster =

Repadmin.exe /replsummary

Download ADReplication Status Tool from Microsoft Download Centre for a graphical view.
I ran those commands and all are correct - the new 2016 server is the GC and it's showing that server name with all of those FSMO roles

But...... sysvol and netlogon are not shared

Should I simply share out those folders? I'm almost positive I did this already while troubleshooting. Either the sharing went away or I never saved what I was doing
No. The DC will share those folders automatically when it has finished replicating the \\server\c$\Windows\SYSVOL folder contents to the new server. Check contents of this folder on the new server and compare it with the old server.

Also, check that you are using DFSR and not the old FRS method of replication. Check services on the old DC server
Open Services.msc on old server.
Is 'File Replication' (FRS) service running or is it disabled?
Are 'DFS Namespace' and 'DFS Replication' services running?

If File Replication is still running, then you need to convert it to DFSR on the old DC server, so that replication can complete.
https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/
I'm gonna interject for a sec here to say please don't try to migrate SYSVOL to DFSR yet. The migration will fail if SYSVOL isn't replicating, so this issue has to be addressed first. Once it's fixed, then by all means, start that migration; DFSR is better than FRS in every conceivable way.

Since the old DC is running 2008, there's a good chance it's still using FRS. Check the FRS event log on that DC for errors. It may be in a journal wrap or some other state that's preventing the new DC from being able to replicate SYSVOL from it.

Also, don't do this:

"Should I simply share out those folders? I'm almost positive I did this already while troubleshooting. Either the sharing went away or I never saved what I was doing"

Manually sharing SYSVOL and NETLOGON is never the right answer. There's always a better way.
The migration was completed 6 months ago.  I will not touch the sharing of Sysvol and the netlogon folder.    I will check on FRS on the old 2008 DC and see if I can see anything in the logs.

I did see the DFSR replication error on the new server (event 1202) so I'm going to look into that as well

Thank you for your interjection and your thoughts, greatly appreciated.
Sorry guys, been on another project here the past few days.  Once I get this all wrapped up I will come back around to this and try to get this knocked out.  I appreciate your patience and just wanted to give the courtesy that I have not forgotten here......
I'll let you know what happens in the next few days

Thank you
OK, sorry about the delay here.   On the original DC (2008) I did check the event logs and am seeing this:

Under the File Replication Service event logs:

Error: 13568
File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL WRAP ERROR

When I run a NET SHARE on the new DC I do not see the SYSVOL or the NETLOGON shares


Here are the recent results of the DCDIAG:

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = BP18
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BP18
      Starting test: Connectivity
         ......................... BP18 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BP18
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\OLDDC.domain.local, when we were trying to reach BP18.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... BP18 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... BP18 passed test FrsEvent
      Starting test: DFSREvent
         ......................... BP18 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... BP18 passed test SysVolCheck
      Starting test: KccEvent
         ......................... BP18 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BP18 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BP18 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BP18 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\BP18\netlogon)
         [BHPA18] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... BP18 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BP18 passed test ObjectsReplicated
      Starting test: Replications
         ......................... BP18 passed test Replications
      Starting test: RidManager
         ......................... BP18 passed test RidManager
      Starting test: Services
         ......................... BP18 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:20:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:25:38
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:30:39
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:35:39
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:40:40
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:45:41
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:50:41
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:55:42
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:00:43
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:05:43
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:10:44
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:15:32
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\doimain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:15:44
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 09/09/2018   13:17:16
            Event String: The Windows Defender Service service failed to start due to the following error:
         An error event occurred.  EventID: 0x00000014
            Time Generated: 09/09/2018   13:17:22
            Event String:
            Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.275.948.0).
         ......................... BP18 failed test SystemLog
      Starting test: VerifyReferences
         ......................... BP18 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
        ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... domain.local failed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite



Thank you for your help
ASKER CERTIFIED SOLUTION
DrDave242

This solution is only available to members.
Would it be better if I demoted the 2016 server, transferred the FSMO roles back to the 2008 server, ran the dcdiag tests again and made sure everything was fine and then tried to promote the 2016 server again?   Part of my issue is this client is another state away and I have to do as much of this remotely as possible.    If there is no other way around the authoritative restore then I guess that's my only option.   I was just hoping there was a quicker fix to this mess.  Thank you for your input
Unfortunately, none of that will fix the journal wrap; FRS will still be in that state after the 2016 server is demoted.

Don't be intimidated by the authoritative/nonauthoritative FRS restore. It's not nearly as big a deal (and doesn't take nearly as long) as an authoritative restore of AD objects, for example. You're really just setting one registry value and restarting the File Replication Service so that the setting will take effect. It is important to understand the difference between setting that value to D2 and D4, though. The differences are explained in the article, but D4 means "This server has the authoritative copy of SYSVOL," whereas D2 means "This server will overwrite its copy of SYSVOL with a copy from another DC."
I am going to be working on this later this week and will be following your article and advice.  Just wanted to keep you posted.

thank you again!
Good deal. Let me know how it goes!
OK, so you're right, not as intimidating as I thought - nothing like an AD restore.

So here is where it's at now: the D4 Authoritative restore seemed to have worked and I did get the correct event log messages as per the knowledgebase article you sent me (both 13566 and 13516 registered).  But now I see the event log warning of 13508 stating the File Replication Service is having trouble enabling replication from Win2016 server to the 2008 DC for c:\windows\sysvol\domain using the DNS name win2016.domain.local.  FRS will keep retrying.

I can ping the win2016 server from the 2008 server via DNS so it does not appear to be a DNS issue at all.

Should I do the non-authoritative restore on the Win2016 server?

Thank you!
Yep, do the non-authoritative restore on the 2016 server and let me know how it goes.
OK, will do.  When I run a net share command on the new 2016 should I see both the NETLOGON and SYSVOL shares?
OK, there we go.  Much cleaner!  With the exception of those group policy errors, everything now looks good.  Now the NETLOGON and SYSVOL folders have replicated to the new DC and when I run the net share command on the new DC (2016) they both appear.

So now at this time can I transfer the FSMO roles to the new server and work on the demotion process of the old DC?

Thank you again for your patience and help.  The resolution was a lot easier than I thought :)
Excellent! Yes, you should be able to transfer the FSMO roles and demote the old DC. If you run repadmin /showrepl on both DCs, does it show success for all directory partitions?
Yes, shows successful on all instances.
Very good. You can proceed with transferring FSMO roles and demoting that server.
We are all good!!  Everything is now cleaned up and good.  Thank you again very much for your time, effort and advice.
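
The checks this thread walks through before demotion (SYSVOL and NETLOGON shares present, FRS versus DFSR, journal wrap event 13568) can be gathered in one read-only pass. This is an added example, not code from any poster in the thread; the function name `Test-SysvolReadiness` and its parameters are hypothetical, and it assumes an elevated PowerShell session on the new DC (Windows Server 2012 or later).

```powershell
# Added example (not from the thread): read-only SYSVOL readiness check.
# Run in an elevated session on the new DC; it changes nothing.
function Test-SysvolReadiness {
    [CmdletBinding()]
    param(
        # Hosts whose FRS event log is searched (hypothetical parameter);
        # add the old DC's name to look for its journal wrap remotely.
        [string[]]$EventLogHost = @($env:COMPUTERNAME),
        # How many days of FRS events to search (assumed default).
        [int]$LookbackDays = 7
    )

    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. A DC shares SYSVOL and NETLOGON itself once replication has finished.
    $shares = @(Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } |
        Select-Object -ExpandProperty Name)
    $result['SysvolShared']   = $shares -contains 'SYSVOL'
    $result['NetlogonShared'] = $shares -contains 'NETLOGON'

    # 2. SysvolReady = 1 is the flag that lets Netlogon publish the shares
    #    and advertise this server as a domain controller.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $ready = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SysvolReady
    $result['SysvolReady'] = ($ready -eq 1)

    # 3. Which replication engine is running: FRS (NtFrs) or DFSR.
    foreach ($name in 'NtFrs', 'DFSR') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $result["${name}Status"] = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    }

    # 4. Event 13568 in the FRS log is the journal wrap error quoted in the thread.
    $wrapEvents = foreach ($h in $EventLogHost) {
        Get-WinEvent -ComputerName $h -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'File Replication Service'
            Id        = 13568
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        }
    }
    $wrapEvents = @($wrapEvents)
    $result['JournalWrapEvents'] = $wrapEvents.Count
    $result['LastJournalWrap']   = ($wrapEvents | Sort-Object TimeCreated |
        Select-Object -Last 1).TimeCreated

    # Verdict: the DC can serve logons and Group Policy only if all three hold.
    $result['SharesHealthy'] = $result['SysvolShared'] -and
        $result['NetlogonShared'] -and $result['SysvolReady']

    [pscustomobject]$result
}

Test-SysvolReadiness | Format-List
```

A `JournalWrapEvents` count of 0 for a remote host can also mean its log could not be read, so confirm access to that host before treating the result as clean.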