
Group Policy Objects missing from new DC


benso37

IS-IT--Management
Jan 2, 2008
22
US
Hi,

I built a new Server 2008 R2 Standard machine and promoted it to DC using dcpromo. I then transitioned our old Server 2003 DC to the new one and took the old one offline. The new DC works fine with the exception of a few things missing. My SYSVOL directory is present and it has the contents of my SYSVOL from the previous server; however, the group policy objects for logon, logon, shutdown are missing from Policies -> Windows Components, so none of my scripts are working.

Is there a way to get those options back?
 
Bring the old DC back online and allow replication to complete.

Did you transfer the FSMO roles?

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
 
How long did you have both DCs online before decommissioning the "old" one? What about other DCs in your environment?

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
It's not a big environment so I only gave it about half an hour before shutting the old one down. It hasn't been demoted yet, just shutdown.

I will bring it back up and leave it on for a couple of hours. I just can't do it during work hours because the new server is using the old server IP since they are both DNS and DHCP servers as well.

Yes, I have transferred the FSMO to the new Server.

Thanks all.
 
the new server is using the old server IP since they are both DNS and DHCP servers as well.

You can still change the IP address on the server, you would just need to update the DNS servers listed in your DHCP scopes and on any static device.

It's my personal opinion/best practice that you shouldn't recycle domain controller names or IP addresses specifically for cases just like this.

Once the servers are both up and running you should use the DCDIAG command to verify that directory services is functioning correctly. You should also use REPLMON to monitor the replication process.

Here are some issues that I foresee:

1. The old DC has been offline for a prolonged period and is likely hosting information in AD and DNS that is well out of date. Unfortunately, it is also holding authoritative copies of data such as GPOs. It will be interesting to see how replication goes when they're back online.

2. When you change the IP address of a DC and/or a DNS server, you need to make sure that all of the other DCs/DNS servers can find it. Especially when the new DC/DNS server is using the old one's IP. You may need to manually edit DNS entries to reflect the new IP addresses before they are able to find each other to replicate.

 
I agree with kmcferrin.

You need to leave that original DC online for at least a day or so, and should never reuse the name and/or IP for the reasons given.

Once that's done, you should bring another DC online, let it replicate, and then decommission the old one. You should always have a minimum of two DCs. ALWAYS.

Pat Richard MVP
 
If I use a different name for the new DC, wouldn't I have to change the configuration of all workstations to point to the new domain? In other words, domain1 is the old server and that's what all workstations and other member servers know as the DC. If I name the new DC domain2, how would all workstations, member servers and printers know the new domain name?

This was the only reason I stuck with the old name.

I will make sure both DNS servers have the same records before I leave them on for replication. Should be interesting.
 
Workstations aren't configured for a domain controller. They're configured for a domain. When they boot up and get a DNS address to query, they query the domain and get a reference to a DC in their AD site.

DCs are supposed to be in the same domain, and can be called whatever you want.

Pat Richard MVP
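The checks kmcferrin lists (FSMO roles, DCDIAG, replication monitoring, the stale GPO copies on the old DC) and Pat's point that workstations locate a DC through DNS rather than by server name can all be verified from one script. The following is an added example, not something posted in the thread; it assumes the names used above (domain mydomain.local, old DC "DC1", new DC "DC2"), that it is run from an elevated PowerShell on the 2008 R2 DC with the ActiveDirectory and GroupPolicy modules installed, and it uses only the built-in dcdiag, repadmin and nslookup tools for the parts those cover.

```powershell
# Added example for the thread above (not from the original posts).
# Assumed names: domain mydomain.local, old 2003 DC = DC1, new 2008 R2 DC = DC2.
$Domain = "mydomain.local"
$DCs    = @("DC1", "DC2")

Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. FSMO roles: the poster says they were transferred, so all five should
#    name the new DC. A stale holder here means the transfer did not replicate.
$d = Get-ADDomain $Domain
$f = Get-ADForest
[PSCustomObject]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
} | Format-List

# 2. DC locator records: clients never look for a DC by host name; they ask
#    DNS for the domain's SRV records. Both DCs should be listed once both are
#    online and have re-registered (nslookup is used because Resolve-DnsName
#    is not available on 2008 R2).
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 3. Directory and replication health. sysvolcheck and advertising catch the
#    SYSVOL-not-shared / not-advertising cases; /replsummary lists failures
#    and the largest replication delta per partner.
dcdiag /test:replications /test:sysvolcheck /test:advertising
repadmin /replsummary
repadmin /showrepl DC2

# 4. Compare the GPOs AD knows about with the Policies\{GUID} folders in each
#    DC's SYSVOL. The logon/shutdown scripts live under those folders, so a
#    GPO that exists in AD but has no folder on a DC (or a folder with no GPO)
#    is the symptom described in the first post.
$gpoIds = Get-GPO -All -Domain $Domain | ForEach-Object { "{$($_.Id)}" }
foreach ($dc in $DCs) {
    $path = "\\$dc\SYSVOL\$Domain\Policies"
    if (-not (Test-Path $path)) {
        Write-Warning "$dc : cannot reach $path (DC offline or SYSVOL not shared)"
        continue
    }
    $folders = Get-ChildItem $path -Directory | Select-Object -ExpandProperty Name
    $missing = @($gpoIds  | Where-Object { $folders -notcontains $_ })
    $orphans = @($folders | Where-Object { $_ -like '{*}' -and $gpoIds -notcontains $_ })
    "{0}: {1} policy folders, {2} GPOs missing from SYSVOL, {3} orphan folders" -f `
        $dc, @($folders).Count, $missing.Count, $orphans.Count
    $missing | ForEach-Object { "  missing on $dc : $_" }
    $orphans | ForEach-Object { "  orphan on $dc  : $_" }
}
```

Run it once with only the new DC up to record the baseline, then again after the old DC has been online for the day Pat recommends; a GPO folder count that differs between DC1 and DC2 after that window points at a replication problem (step 3 output) rather than at the GPOs themselves.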
 
Oh...I guess I should clarify.

The old domain controller (DC1) is called something different than the new domain controller (DC2). It's the domain (mydomain.local) that's the same on both the new and old servers.
 
I get that part and I'm glad I don't have to change anything on the workstations.

Unfortunately, I only have one DC. This is how it was set up before I got here. My plan is to get this new server working perfectly, then build a second DC for replication.

Thanks for the help.
 