Mahlon Otero

asked on

Rebuild Active Directory Domain

I've been having non-stop issues migrating my 2012 Windows Server to Windows Server 2016 Essentials for the past 3 weeks.

I resolved multiple errors during the migration only to find that Essentials 2016 isn't a viable upgrade from 2012 Standard. I installed 2016 Standard and attempted a migration but I'm getting DFSR errors again and the migration won't go through.

At this point I'm thinking it will be best to move back to Essentials 2016 and rebuild the domain. The current domain is fairly small with only about 8~ users so I don't think it would be too large of a task to take care of.

How might I go about rebuilding the domain while keeping as many settings and users intact as possible? My client is getting tired of waiting and just wants it to be done. I need to get the entire migration completed before the end of the night or they won't be very happy.

Thanks for your help!
arnold

To go back you had to have started from it.

Use dcdiag to determine the health of your AD on the 2012.
Make sure to preserve any backups you have of the AD prior to your work/attempts at migration.

If memory serves, when 2016 Essentials was joined the prior question indicated that AD domain roles were transferred.

Before joining the 2016, metadata AD cleanup is needed to remove all references to the prior 2016 Essentials system to avoid issues of name reuse.

Which I suspect you have and the issues relate to the remnant records.

Last resort, hopefully you backed up the 2012 AD just before your 2016 .......
After cleanup, performing an authoritative restore........

Check your AD domain/forest level.

Was this AD started with 2012, or is it a projection of prior versions?
Mahlon Otero

ASKER

I have some backups I can likely restore from if needed, this DC has been having issues since I came into the picture though. I don't know if restoring from a backup will do any good.

I ran AD cleanup after removing 2016 Essentials and before adding 2016 Standard to the domain. I used the same name and ip as before.

The domain looks like it was started with 2012, but I'm not sure as I'm new to this company.

Here's the result of DCDIAG:

Doing primary tests

   Testing server: Default-First-Site-Name\DC2012

      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DC2012 failed test DFSREvent

      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 03/24/2019   17:27:56
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         A warning event occurred.  EventID: 0x80050004
            Time Generated: 03/24/2019   17:30:02
            Event String:
            Broadcom BCM5709C #44: The network link is down.  Check to make sure the network cable is properly connected
.
         An error event occurred.  EventID: 0xC0000001
            Time Generated: 03/24/2019   17:30:03
            Event String:
            Initiator failed to connect to the target. Target IP address and TCP Port number are given in dump data.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/24/2019   17:30:12
            Event String:
            Name resolution for the name 5111fcbe-0b4e-4167-971c-d590fa9fe666._msdcs.domain.com timed out after none of
the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00000071
            Time Generated: 03/24/2019   17:30:22
            Event String:
            iSCSI discovery via SendTargets failed with error code 0xefff0003 to target portal *192.168.254.254 0003260
ROOT\ISCSIPRT\0000_0 .
         A warning event occurred.  EventID: 0x00000079
            Time Generated: 03/24/2019   17:30:22
            Event String:
            The firewall exception to allow Internet Storage Name Server (iSNS) client functionality is not enabled. iSN
S client functionality is not available.
         An error event occurred.  EventID: 0xC0000001
            Time Generated: 03/24/2019   17:30:22
            Event String:
            Initiator failed to connect to the target. Target IP address and TCP Port number are given in dump data.
         An error event occurred.  EventID: 0xC0000046
            Time Generated: 03/24/2019   17:30:22
            Event String:
            Error occurred when processing iSCSI logon request. The request was not retried. Error status is given in th
e dump data.
         An error event occurred.  EventID: 0x00000067
            Time Generated: 03/24/2019   17:32:07
            Event String:
            Timeout waiting for iSCSI persistently bound volumes. If there are any services or applications that use inf
ormation stored on these volumes then they may not start or may report errors.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 03/24/2019   17:32:18
            Event String: The LogMeIn Kernel Information Provider service failed to start due to the following error:
         An error event occurred.  EventID: 0xC0FF05DC
            Time Generated: 03/24/2019   17:32:20
            Event String:
            The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNM
P\Parameters\TrapConfiguration.
         A warning event occurred.  EventID: 0x0000A000
            Time Generated: 03/24/2019   17:32:25
            Event String:
            The Security System detected an authentication error for the server ldap/DC2012.domain.com. The failure c
ode from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
         A warning event occurred.  EventID: 0x00000420
            Time Generated: 03/24/2019   17:32:32
            Event String:
            The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dyna
mic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials fo
r Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the D
HCP Administrative tool.
         A warning event occurred.  EventID: 0x0000A000
            Time Generated: 03/24/2019   17:32:32
            Event String:
            The Security System detected an authentication error for the server LDAP/DC2012. The failure code from au
thentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
         A warning event occurred.  EventID: 0x0000A000
            Time Generated: 03/24/2019   17:32:32
            Event String:
            The Security System detected an authentication error for the server LDAP/Localhost. The failure code from au
thentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
         A warning event occurred.  EventID: 0x0000A000
            Time Generated: 03/24/2019   17:32:32
            Event String:
            The Security System detected an authentication error for the server ldap/DC2012.domain.com/domain.com@DOMAIN
COM. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon serv
ice was not started.
         A warning event occurred.  EventID: 0x0000A000
            Time Generated: 03/24/2019   17:32:32
            Event String:
            The Security System detected an authentication error for the server LDAP/DC2012.domain.com/domain.com@DOMAIN
.COM. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon serv
ice was not started.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 03/24/2019   17:32:33
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/DC2012.domain.com; WSMAN/DC2012.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 03/24/2019   17:32:36
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you s
hould use only static IPv6 addresses.
         A warning event occurred.  EventID: 0x0000091F
            Time Generated: 03/24/2019   17:32:43
            Event String:
            Controller event log: PD 00(e0x20/s0) is not a certified drive:  Controller 0 (PERC 6/i Integrated)
         A warning event occurred.  EventID: 0x0000091F
            Time Generated: 03/24/2019   17:32:44
            Event String:
            Controller event log: PD 01(e0x20/s1) is not a certified drive:  Controller 0 (PERC 6/i Integrated)
         A warning event occurred.  EventID: 0x0000091F
            Time Generated: 03/24/2019   17:32:44
            Event String:
            Controller event log: PD 02(e0x20/s2) is not a certified drive:  Controller 0 (PERC 6/i Integrated)
         A warning event occurred.  EventID: 0x0000091F
            Time Generated: 03/24/2019   17:32:45
            Event String:
            Controller event log: PD 03(e0x20/s3) is not a certified drive:  Controller 0 (PERC 6/i Integrated)
         A warning event occurred.  EventID: 0x0000006C
            Time Generated: 03/24/2019   17:33:06
            Event String:
            Status 0x00001069 determining that device interface \\?\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}#MsVhdHba#1&30
30e83&0&01#{2accfe60-c130-11d2-b082-00a0c91efb8b} does not support iSCSI WMI interfaces. If this device is not an iSCSI
HBA then this error can be ignored.
         ......................... DC2012 failed test SystemLog

You have many errors to unpack.

Open a command window, net share

Sysvol/netlogon services might not have been shared.

Restoring from backup must only be undertaken if you are confident of when this backup was taken and previously tested its restoration in a lab/test environment.


With all that was attempted
You may want to look at an ldifde/csvde export of the existing objects, then reimporting them on the 2016 that will be set up as a brand new AD


Untangling all the current AD errors would be the first and only thing.
This seems to be the basis of your issue.
There is as part of the multitude of errors a DNS entry of the dc2012 that does not trust itself.


Dfsutils is

How many users exist in your environments?

How many workstations, system.

Question whether starting the 2016 AD from scratch ...... Would be safer/quicker and starting from a clean slate.

The data of the users can be restored/copied.
Sysvol and netlogon are both being shared.

I'm not super confident in the backups, so I would prefer to keep on moving forward.

There are 8 workstations in total.

What can I give you to help point me in the right direction?
8 workstations, how many users?

Backup the data on the 2012, restore on 2016.
setup the 2016 as a new ad domain.
Export objects from the 2012 import them into 2016

This should maintain object SIDs. Referencing and allow you to migrate data.

Before you proceed, with any approach, double check, plan it out.

Are you considering virtualization of the servers?
2016 can have four VMs.

The Security System detected an authentication error for the server ldap/DC2012.domain.com/domain.com@DOMAIN
COM. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon serv
ice was not started.
         A warning event occurred.  EventID: 0x0000A000
            Time Generated: 03/24/2019   17:32:32
            Event String:
            The Security System detected an authentication error for the server LDAP/DC2012.domain.com/domain.com@DOMAIN
.COM. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon serv
ice was not started.


The essential when roles transferred might have
See https://support.microsoft.com/en-us/help/555636

Object export to build/integrate into new AD.
@arnold

Today I found that this domain has been going since the Windows XP era and the structure of it is poorly done.

Here is what I plan on doing:

  • Backup 2012 Active Directory
  • Remove all user accounts from 2012 domain
  • Transfer shared files off of 2012 server
  • Unplug and decommission 2012
  • Create domain on 2016 server (using same domain name)
  • Join users to 2016 domain
  • Transfer files onto 2016 server
  • Add and share printers and files

I know the passwords to each user account, and I only have 8 users so it shouldn't be too big of a task to remove and re-add the users.

Is there anything else I should add to my plan in order to successfully rebuild the domain while keeping the majority of my users desktop settings and files intact? I don't mind recreating the permissions, DNS entries, file shares, or printers since it is all a mess to begin with.

Thanks!
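The object export/import that arnold suggests and the user re-creation step in the plan above, as an added PowerShell example that is not code from the thread; it assumes the RSAT ActiveDirectory module on both servers, the export folder C:\ADExport and the placeholder OU distinguished name, and because a rebuilt domain issues new SIDs it leaves NTFS/share ACLs on the copied data to be re-applied afterwards.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module and C:\ADExport.
Import-Module ActiveDirectory
# Objects with RID < 1000 (Administrator, krbtgt, Domain Users, ...) are built in
# and already exist in the new domain, so only custom objects are exported.
$isCustom = { [int]($_.SID.Value.Split('-')[-1]) -ge 1000 }
function Export-DomainObjects {
    param([string]$OutDir = 'C:\ADExport')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # Identity attributes only: objectSid cannot follow an object into a new
    # domain, so NTFS/share ACLs on the copied data must be re-applied afterwards.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, EmailAddress, Description |
        Where-Object $isCustom |
        Select-Object SamAccountName, GivenName, Surname, DisplayName, EmailAddress, Description |
        Export-Csv -Path (Join-Path $OutDir 'users.csv') -NoTypeInformation
    $groups = Get-ADGroup -Filter * | Where-Object $isCustom
    $groups | Select-Object SamAccountName, GroupScope, GroupCategory |
        Export-Csv -Path (Join-Path $OutDir 'groups.csv') -NoTypeInformation
    $groups | ForEach-Object {
        $g = $_
        Get-ADGroupMember -Identity $g | Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $g.SamAccountName; Member = $_.SamAccountName } }
    } | Export-Csv -Path (Join-Path $OutDir 'members.csv') -NoTypeInformation
}
function Import-DomainObjects {
    param([string]$InDir = 'C:\ADExport',
          [string]$TargetOU = 'OU=Staff,DC=domain,DC=com')   # placeholder OU DN, substitute the real one
    $upnSuffix = (Get-ADDomain).DNSRoot
    foreach ($g in Import-Csv (Join-Path $InDir 'groups.csv')) {
        New-ADGroup -Name $g.SamAccountName -SamAccountName $g.SamAccountName `
            -GroupScope $g.GroupScope -GroupCategory $g.GroupCategory -Path $TargetOU
    }
    foreach ($u in Import-Csv (Join-Path $InDir 'users.csv')) {
        # Known passwords are typed in per user and never written to the export files.
        $pw = Read-Host "Password for $($u.SamAccountName)" -AsSecureString
        $params = @{
            Name = $u.SamAccountName; SamAccountName = $u.SamAccountName
            UserPrincipalName = "$($u.SamAccountName)@$upnSuffix"; Path = $TargetOU
            AccountPassword = $pw; Enabled = $true; ChangePasswordAtLogon = $true
        }
        # Pass only the optional attributes that were populated on the old domain
        foreach ($attr in 'GivenName', 'Surname', 'DisplayName', 'EmailAddress', 'Description') {
            if ($u.$attr) { $params[$attr] = $u.$attr }
        }
        New-ADUser @params
    }
    foreach ($m in Import-Csv (Join-Path $InDir 'members.csv')) {
        Add-ADGroupMember -Identity $m.Group -Members $m.Member
    }
}
```

Run Export-DomainObjects on the 2012 DC before it is decommissioned and Import-DomainObjects on the new 2016 DC once the domain is promoted; workstation profiles are tied to the old SIDs too, so desktop settings need a separate profile migration rather than this script.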
ASKER CERTIFIED SOLUTION
arnold
Thank you for your help @arnold & @Shaun Vermaak.

I'll perform the domain migration this week and make a new post if I have any issues.