Netlogon errors after FSMO transfer

[Duran]

Hello, I hope someone can help me, I have just transferred some FSMO roles from a 2k DC to a 2K3 DC, and now the folowing error is appearing in the event log

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3097
Date: 10/12/2007
Time: 17:06:04
User: N/A
Computer: RDIR-DC1
Description:
This computer is configured to be the primary domain controller of its domain. However, the computer RDIR-SV1 is currently claiming to be the primary domain controller of the domain.

Currently I can still log on, but I dont like it. I have found similar things on google, but none that have got the error after transferring roles. Could someone please explain the reason for this strange behavior?

Regards,
D.

I plug you in, dim the lights,
Electric Barbarella !

 

[mofusjtf]

Did you make your 2k3 server the global catalog server too? The easiest way to transfer the roles is to demote the 2k AD server. It will automatically transfer the roles to the next AD server. Also double check your DNS settings. Make sure your 2k3 server is pointing to itself and using forwarders for Internet DNS.

 

[Duran]

Hello,

Thanks for replying, I did indeed make the w2k3 servers DC holders. I cannot demote the w2k server yet as it is running Exchange 2003, I will have to move that off first.

I have both the W2k3 servers pointing to themselves for Primary DNS.

Regards,
D.

I plug you in, dim the lights,
Electric Barbarella !

 

[markdmac]

Duran, you could be in for a world of hurt since the Exchange is on the old DC.

I ran into a similar situation that ended up requiring MS Support to assist in rectifying. I created an FAQ around that ordeal. faq96-4733

My advice to you is to set up another server (as a member)and install Exchange on it. Use the MoveMailbox wizard to move all your mailboxes. From there you need to configure mail to deliver to the new box instead of the old one and then you will be in good shape to uninstall Exchange.

You are wise to be concerned about this. If you don't address this immediately, people will get locked out of the domain as passwords expire and the two DCs are not replicating changes to each other.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[mofusjtf]

Markdmac is right. Running Exchange on an AD server is will cause lots of problems when moving roles. The only recommended setup of Exchange on AD is in an SBS environment. SBS is designed specifically to do this.

I would follow the steps Markdmac suggested. Move exchange to another server that is not running AD. Then battle the role issue.

 

[Duran]

Hello,

I cant remove exchange yet, as I have nowhere to install it, I intend to do this late december.

Are you saying that just because I have moved the FSMO roles off the server running exchange I am in for a bad time or are you saying that I am in a bad place if I demote the DC running exchange server? I do not intend to demote the DC running exchange until I have moved it off, until then I assumed it was ok.

Should I move the FSMO roles back to the DC with Exchange on it?

Regards,
D.

I plug you in, dim the lights,
Electric Barbarella !

 

[markdmac]

What I am saying is you are in for a world of hurt no matter what as you will likely NOT be able to move the roles back since the Exchange box THINKS it still has the roles to begin with.

You essentially have two DCs right now that are effectively part of two different domains with the same name. Each thinks it is authoritative over the other.

The Exchange piece is only complicating the issue. The DCs are the real concern here.

Grab any workstation and load server on it and Exchange. Do as I suggested above and transfer the mailboxes over. You don't need to make this a permanent place for Exchange. You could even use a virtual machine installation on an external USB drive. That will then let you deal with the 2000 box which is going to need to be forcefully demoted from a DC. Once it is no longer a DC you can rejoin it to the domain as a member and reinstall Exchange on it. Then move your mailboxes back.

Having gone through this, trust me that you want to address this NOW before your users have more problems than you can deal with.

Using the plan I have outlined, you could easily configure a virtual machine on your server during the day. Ensure it is running and can be reached from the Exchange machine.

I suggest the following plan.

1. Connect a USB drive large enough to hold a server install, Exchange and your Exchange databases.
2. Install VirtualPC on the Exchange server.
3. Create a new virtual machine and install Windows 2003, Exchange 2003, Exchange SP2.
4. After hours move all mailboxes and public folders to the new VM.
5. On the new DC, install VirtualPC.
6. Shutdown the VM choosing to SaveState.
7. Move the USB drive to the new DC and start the VM back up.
8. Uninstall Exchange from the 2000 server.
9. Run DCPROMO /FORCEDREMOVAL on the 2000 machine.
10. Join the 2000 machine back to the domain.
11. Install Exchange & SP2
12. Move mailboxes and Public Folders back to the Exchange box.

I feel very confident in stating that if you don't do this ASAP, the first user to change their password is going to have issues with getting locked out. Furthermore, you will have computers getting dropped from the network.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.