Windows 2016 server migration

Windows 2008 server migration to Windows Standard 2016. I'm having an issue here after a migration to a new 2016 domain controller. The DC holds all the FSMO roles, is the global catalog server and DHCP, DNS points to it and the client desktops do too. I want to DCPromo to demote the 2008 server, but before I do that I wanted to make sure everything is healthy and working. If I disconnect or power down the 2008 server, all of a sudden the client stations lose the internal network name, which then shows up as "network 3" or 4, etc., and not the local domain name.

Then I check on the 2016 server, and when I go to open AD it's giving me errors that no domain controller can be contacted.

At a command prompt I will run netdom query fsmo and I'll get the error that the domain either does not exist or could not be contacted.

I will run a DCDiag and most tests come back passed except for:

1) Netlogon test - user credentials do not have permission to perform this operation (yet I am signed on as the primary administrator)
2) Replication attempt failed between the 2 servers (error 1256)
3) Could not open NTDS service on the 2016 server (error x5, access is denied)
4) Unable to connect to NETLOGON share - error 6, network name cannot be found (yet this is being shared?)
5) When the 2008 server was down it also showed:

Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... "domain.local" failed test LocatorCheck


When I connect the 2008 server again and run a dcdiag I will get similar errors to the above except for the last one, but it will still say "All GCs are down".

Now the 2008 is no longer a GC but the 2016 server is.

I've been going over this and am not sure what the issue is. DNS and AD seem to replicate just fine when both DCs are running, but I don't want to demote the 2008 server until this is clean.

Thank you for any help you can provide.
Asked by mkavinsky

Peter Hutchison (Senior Network Systems Specialist) Commented:
Make sure you update the DNS IP address list in DHCP for the clients.
Also, any new DC servers do not automatically become Global Catalog servers, so you need to manually enable it on the new server via AD Sites and Services, via server's NTDS settings.
0
mkavinsky (Author) Commented:
Thank you for your input, but all of that was already done. We had all the clients with static IPs pointing to the new DNS server, the global catalog was manually done and I keep verifying that it is a GC.
0
Peter Hutchison (Senior Network Systems Specialist) Commented:
Is the new server in the same site or same subnet as the old server? Check AD Sites and Services and make sure the new DC is in the correct site and all relevant subnets in use by servers and clients are in the list.
0
mkavinsky (Author) Commented:
Yes, same physical site, same subnet. Everything in AD appears to look fine.
0
Peter Hutchison (Senior Network Systems Specialist) Commented:
Run NET SHARE on the new DC. Have Sysvol and Netlogon been replicated OK? Check the DFS Replication event log for errors. It looks from the errors like DFSR replication has not completed yet.

In PowerShell, check FSMO and GC status:

Get-ADDomainController -Id servername
  Hostname = servername.domain
  IsGlobalCatalog = True (or False)

Get-ADDomain
  InfrastructureMaster =
  PDCEmulator =
  RIDMaster =
 
Get-ADForest
  DomainNamingMaster =
  SchemaMaster =

Repadmin.exe /replsummary

Download ADReplication Status Tool from Microsoft Download Centre for a graphical view.
0
mkavinsky (Author) Commented:
I ran those commands and all are correct - the new 2016 server is the GC and it's showing that server name with all of those FSMO roles.

But... sysvol and netlogon are not shared.

Should I simply share out those folders? I'm almost positive I did this already while troubleshooting. Either the sharing went away or I never saved what I was doing.
0
Peter Hutchison (Senior Network Systems Specialist) Commented:
No. The DC will share those folders automatically when it has finished replicating the \\server\c$\Windows\SYSVOL folder contents to the new server. Check the contents of this folder on the new server and compare it with the old server.

Also, check that you are using DFSR and not the old FRS method of replication. Check services on the old DC server:
Open Services.msc on the old server.
Is the 'File Replication' (FRS) service running or is it disabled?
Are the 'DFS Namespace' and 'DFS Replication' services running?

If File Replication is still running, then you need to convert it to DFSR on the old DC server, so that replication can complete.
https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/
0
DrDave242 Commented:
I'm gonna interject for a sec here to say please don't try to migrate SYSVOL to DFSR yet. The migration will fail if SYSVOL isn't replicating, so this issue has to be addressed first. Once it's fixed, then by all means, start that migration; DFSR is better than FRS in every conceivable way.

Since the old DC is running 2008, there's a good chance it's still using FRS. Check the FRS event log on that DC for errors. It may be in a journal wrap or some other state that's preventing the new DC from being able to replicate SYSVOL from it.

Also, don't do this:

"Should I simply share out those folders? I'm almost positive I did this already while troubleshooting. Either the sharing went away or I never saved what I was doing."

Manually sharing SYSVOL and NETLOGON is never the right answer. There's always a better way.
0
mkavinsky (Author) Commented:
The migration was completed 6 months ago. I will not touch the sharing of Sysvol and the netlogon folder. I will check on FRS on the old 2008 DC and see if I can see anything in the logs.

I did see the DFSR replication error on the new server (event 1202) so I'm going to look into that as well.

thank you for your interjection and your thoughts, greatly appreciated.
0
mkavinsky (Author) Commented:
Sorry guys, I've been on another project here the past few days. Once I get this all wrapped up I will come back around to this and try to get this knocked out. I appreciate your patience and just wanted to give the courtesy that I have not forgotten here...
I'll let you know what happens in the next few days.

thank you
0
mkavinsky (Author) Commented:
OK, sorry about the delay here. On the original DC (2008) I did check the event logs and am seeing this:

Under the File Replication Service event logs:

Error: 13568
File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL WRAP ERROR

When I run a NET SHARE on the new DC I do not see the SYSVOL or the NETLOGON shares.


Here are the recent results of the DCDIAG:

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = BP18
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BP18
      Starting test: Connectivity
         ......................... BP18 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BP18
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\OLDDC.domain.local, when we were trying to reach BP18.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... BP18 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... BP18 passed test FrsEvent
      Starting test: DFSREvent
         ......................... BP18 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... BP18 passed test SysVolCheck
      Starting test: KccEvent
         ......................... BP18 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BP18 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BP18 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BP18 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\BP18\netlogon)
         [BHPA18] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... BP18 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BP18 passed test ObjectsReplicated
      Starting test: Replications
         ......................... BP18 passed test Replications
      Starting test: RidManager
         ......................... BP18 passed test RidManager
      Starting test: Services
         ......................... BP18 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:20:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:25:38
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:30:39
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:35:39
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:40:40
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:45:41
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:50:41
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   12:55:42
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:00:43
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:05:43
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:10:44
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:15:32
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\doimain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/09/2018   13:15:44
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 09/09/2018   13:17:16
            Event String: The Windows Defender Service service failed to start due to the following error:
         An error event occurred.  EventID: 0x00000014
            Time Generated: 09/09/2018   13:17:22
            Event String:
            Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.275.948.0).
         ......................... BP18 failed test SystemLog
      Starting test: VerifyReferences
         ......................... BP18 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
        ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... domain.local failed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite



Thank you for your help
0
DrDave242 Commented:
Error: 13568
File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL WRAP ERROR

Journal wraps are quite common and, fortunately, easy to fix. This Microsoft KB article lists the steps you'll need to follow, in the section titled Authoritative FRS Restore. Note that you'll be performing those steps on the 2008 server, and it's a good idea to read all of the steps carefully beforehand. The procedure isn't complicated, but it does involve editing the registry. Also, after you perform the authoritative (D4) restore on the 2008 server, you may have to perform a nonauthoritative (D2) restore on the 2016 server, and the steps for that are also shown in that article. In my experience, though, this isn't always necessary; often, an authoritative FRS restore on the problematic DC will be sufficient to allow the other DCs to start replicating SYSVOL from it.
0
mkavinsky (Author) Commented:
Would it be better if I demoted the 2016 server, transferred the FSMO roles back to the 2008 server, ran the dcdiag tests again and made sure everything was fine, and then tried to promote the 2016 server again? Part of my issue is this client is another state away and I have to do as much of this remotely as possible. If there is no other way around the authoritative restore then I guess that's my only option. I was just hoping there was a quicker fix to this mess. Thank you for your input.
0
DrDave242 Commented:
Unfortunately, none of that will fix the journal wrap; FRS will still be in that state after the 2016 server is demoted.

Don't be intimidated by the authoritative/nonauthoritative FRS restore. It's not nearly as big a deal (and doesn't take nearly as long) as an authoritative restore of AD objects, for example. You're really just setting one registry value and restarting the File Replication Service so that the setting will take effect. It is important to understand the difference between setting that value to D2 and D4, though. The differences are explained in the article, but D4 means "This server has the authoritative copy of SYSVOL," whereas D2 means "This server will overwrite its copy of SYSVOL with a copy from another DC."
0
mkavinsky (Author) Commented:
I am going to be working on this later this week and will be following your article and advice. Just wanted to keep you posted.

Thank you again!
0
DrDave242 Commented:
Good deal. Let me know how it goes!
0
mkavinsky (Author) Commented:
OK, so you're right, not as intimidating as I thought - nothing like an AD restore.

So here is where it's at now: the D4 authoritative restore seemed to have worked and I did get the correct event log messages as per the knowledge base article you sent me (both 13566 and 13516 registered). But now I see the event log warning 13508 stating the File Replication Service is having trouble enabling replication from the Win2016 server to the 2008 DC for c:\windows\sysvol\domain using the DNS name win2016.domain.local. FRS will keep retrying.

I can ping the win2016 server from the 2008 server via DNS so it does not appear to be a DNS issue at all.

Should I do the non-authoritative restore on the Win2016 server?

Thank you!
0
DrDave242 Commented:
Yep, do the non-authoritative restore on the 2016 server and let me know how it goes.
0
mkavinsky (Author) Commented:
OK, will do. When I run a net share command on the new 2016 should I see both the NETLOGON and SYSVOL shares?
0
mkavinsky (Author) Commented:
OK, there we go. Much cleaner! With the exception of those group policy errors, everything now looks good. Now the NETLOGON and SYSVOL folders have replicated to the new DC and when I run the net share command on the new DC (2016) they both appear.

So now at this time can I transfer the FSMO roles to the new server and work on the demotion process of the old DC?

Thank you again for your patience and help. The resolution was a lot easier than I thought :)
0
DrDave242 Commented:
Excellent! Yes, you should be able to transfer the FSMO roles and demote the old DC. If you run repadmin /showrepl on both DCs, does it show success for all directory partitions?
0
mkavinsky (Author) Commented:
Yes, shows successful on all instances.
0
DrDave242 Commented:
Very good. You can proceed with transferring FSMO roles and demoting that server.
0
mkavinsky (Author) Commented:
We are all good!! Everything is now cleaned up and good. Thank you again very much for your time, effort and advice.
0
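The checks this thread worked through before demoting the old DC (SYSVOL/NETLOGON shares, GC and FSMO holders, the FRS journal-wrap events, repadmin, dcdiag) can be gathered in one read-only pass. This is an added example, not part of the original thread; it assumes it runs elevated on the new DC with the ActiveDirectory module installed, and `OLDDC.domain.local` is a placeholder for the old DC's name.

```powershell
# Added example (not from the thread): read-only checks before demoting the old DC.
# Run elevated on the DC that will remain; requires the ActiveDirectory module.
Import-Module ActiveDirectory
$oldDc  = 'OLDDC.domain.local'   # placeholder: name of the DC to be demoted
$checks = [ordered]@{}

# 1. SYSVOL and NETLOGON are shared by the DC itself once SYSVOL has replicated.
$shares = (Get-SmbShare).Name
$checks['SYSVOL share present']   = $shares -contains 'SYSVOL'
$checks['NETLOGON share present'] = $shares -contains 'NETLOGON'

# 2. Netlogon advertises this DC only after SysvolReady is set to 1.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$checks['SysvolReady is 1'] = (Get-ItemProperty -Path $key).SysvolReady -eq 1

# 3. Global catalog flag and FSMO role holders, as checked in the thread.
$me      = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
           $forest.SchemaMaster, $forest.DomainNamingMaster
$checks['This DC is a global catalog']  = [bool]$me.IsGlobalCatalog
$checks['This DC holds all FSMO roles'] = -not ($holders | Where-Object { $_ -ne $me.HostName })

# 4. FRS events from the thread, last 24 hours, on both DCs:
#    13568 = journal wrap, 13508 = trouble enabling replication from a partner.
$frsEvents = foreach ($server in $env:COMPUTERNAME, $oldDc) {
    Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'File Replication Service'
        Id        = 13568, 13508
        StartTime = (Get-Date).AddDays(-1)
    }
}
$checks['No FRS 13568/13508 events in 24h'] = -not $frsEvents

# 5. AD replication: every inbound link should report zero failures.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$broken = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$checks['repadmin shows no failures'] = [bool]$links -and -not $broken

# 6. dcdiag: collect the names of the tests that failed.
$failedTests = dcdiag | Select-String -Pattern 'failed test (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
$checks['dcdiag reports no failed tests'] = -not $failedTests

# Report
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
} | Format-Table -AutoSize
if ($frsEvents)   { $frsEvents | Format-Table MachineName, Id, TimeCreated -AutoSize }
if ($broken)      { $broken | Format-Table 'Source DSA', 'Naming Context', 'Last Failure Status' }
if ($failedTests) { "dcdiag failed tests: $($failedTests -join ', ')" }
if ($checks.Values -contains $false) {
    'Not ready: resolve the failed checks before transferring roles or demoting.'
} else {
    'All checks passed.'
}
```

The dcdiag SystemLog test can fail on unrelated events, such as the Windows Defender update failure in the output above, so read the listed test names rather than treating that check as a hard stop.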