
Replacing domain controller - what did I miss?

Status
Not open for further replies.

SimonDavis

Technical User
Mar 16, 2001
613
GB
Hi folks.

I'm trying to remove our old domain controller from the network, and have tried to configure a new server to take over its role.

The problem I have is that when I take the old server down, it kills the network. Nobody can browse anything - it asks for a user/password (which doesn't work). When I fire up the old server, it all works OK.

I did the following (both servers are win2k server, sp4);

- Installed AD on the new server.
- Installed DNS on the new server.
- Seized all FSMO roles to the new server.
- Installed DHCP on the new server
- Checked the new server as a global catalog server.

This was all done 24 hours ago, so i'd assume everything that is going to be updated has been updated.

This is on a single domain, nothing complicated.

Anything obvious I have missed? Do I need to do something special with the old server to persuade it to let go of something?

Thanks
 
You DCPROMO'd the new server in, but did you DCPROMO the old server out of the domain?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Thanks Davetoo - no, I just shut it down.

I'm slightly nervous of doing anything that I can't easily revert - I'd hate to kill the old one entirely before I have a functioning network, but can you confirm that I must do that, and also do you think the 'symptoms' I am seeing would be caused because of it?

 
You may have missed one of the roles, so double check that all of the roles, including schema master, are on your new DC. You can do it manually, but also when you DCPROMO the old one out it will automatically assign all of its roles to the new DC. Most admins like to do it themselves first though.

Double check that all FSMO roles are assigned to your new server.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
No don't dcpromo it out, everything should work with it down or even if you just pull out the network cable.
Check that the new server has replicated.
Check that the new server has static IP and that the DNS server points to itself.
Check that it has its own A record
Can you ping the server from client machines and access shares etc.

and run
cmd /k DCdiag /test:Knowsofroleholders /v
to see that that server holds the FSMO roles.
 
Thanks to both of you.

GrimR, can I just clarify;

- How do I check it has replicated?
- New server has static IP - I assume you also mean pointing at itself in the TCP/IP properties - it was pointing to the old one, and I have now changed it.
- There are entries in dns on the new server for the new server, both a host and (same as parent folder) in the forward lookup zone, and as a pointer in the reverse lookup zone.
- Access to the network all falls over when the 'old' DC is taken down, so that's a negative.

I tried the suggestion you made, but my server says 'DCdiag' isn't recognised.

 
Kind of nuts.

Now, with the old DC down, I can ping everything from any station, so TCP/IP is all OK.

I can browse everything else on the network from the new DC.

But none of the other computers on the network can browse anything. They can all ping, but that's it.

Sometimes I really hate computers.
 
Did you change the DHCP to point to the new server for client DNS?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Hi Dave.

I think so - the new server is specified as the DNS server in the scope options and the server options in the DHCP snapin.

The stations are being given the correct config - they have the new server specified as their dns server.

I'm rather foggy about dns - have never really understood it well. I think it's probably OK, as TCP/IP stuff all seems OK. It appears that it's browsing that is an issue, the new server is the only one that can 'explore' anything else.

Thanks again for your help.
 
Just to say - the problem might have changed slightly, or it may just be that win2k and XP behave differently. If I try to browse anything from a different server (neither the old or the new DC), I get a simple message stating 'there are currently no logon servers available to service the logon request'.

The only reference to that I can see on MS site is where another domain is involved, which isn't the case here.
 
OK, sorry for wittering on here, but I'm hacking away and finding more info.

Semi progress . . . if I try to browse another server from my XP station, I get a box asking me to login. If I enter the administrator name and pass, I get access to the resource.

This doesn't work for other XP stations - presumably because administrator isn't a local account.

The same goes for shares on servers - even though a share might have permissions for everybody to access, I can only get into it if I use the admin login.

Any idea what that should be telling me?
 
Is the Net Logon service running on your new DC?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Hi Dave,

Yes, that's running. I just restarted to be sure anyway.

I've just been looking at the event viewer, and I notice a whole bunch of the same error - 'windows cannot determine the user or computer name . Return value (1355).

Google brings up a lot of returns, so far haven't found anything helpful, but I'm ploughing through it now.

Thanks.
 
It seems like the new server did not properly get the AD information when you DCPROMO'd it.

Are there any errors pertaining to the server being promoted to a domain controller?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
From a wks run Ipconfig /all, what are the results..are you getting default gateway, IP address, DNS servers etc.

On the server...
Download the windows support tools, specifically get DcDiag.exe and NetDiag.exe, run them in verbose mode, as in
DcDiag /v
NetDiag /v

What errors do you get?


........................................
Chernobyl disaster..a must see pictorial
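Technome's first check is the workstation side: does ipconfig /all on a station show an address, a default gateway and, above all, the new DC as DNS server and not the retired one? The script below is an added example for this thread, not code posted by any of the participants. It parses the text of an ipconfig /all dump and audits the DNS server list of every adapter that has an IP address. The sample output and the addresses in it are constructed (old DC assumed at 192.168.1.2, new DC at 192.168.1.3); the field labels follow the Windows XP/2000 ipconfig layout.

```python
import re

# Constructed sample of "ipconfig /all" from a workstation. The addresses are
# invented: 192.168.1.2 stands for the DC being retired, 192.168.1.3 for the
# new DC. Note the stale entry still listed first under "DNS Servers".
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WKS01
        Primary Dns Suffix  . . . . . . . : mydomain.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mydomain.com
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.3
        DNS Servers . . . . . . . . . . . : 192.168.1.2
                                            192.168.1.3
"""

# "Label . . . . : value" -- the label is letters/spaces/hyphens, the dots and
# spaces that pad it out are skipped, everything after the colon is the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: [values]}}; multi-line fields (DNS Servers)
    collect one value per line."""
    sections = {"Windows IP Configuration": {}}
    current = "Windows IP Configuration"
    last_field = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Unindented line ending in ":" starts an adapter section.
            if raw.rstrip().endswith(":"):
                current = raw.rstrip()[:-1].strip()
                sections[current] = {}
                last_field = None
            continue  # other unindented lines are banners
        m = FIELD_RE.match(raw)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            sections[current][last_field] = [value] if value else []
        elif last_field:
            # Continuation line: an extra value for the previous field.
            sections[current][last_field].append(raw.strip())
    return sections


def audit_dns(sections, old_dc_ip, new_dc_ip):
    """Findings for each adapter that has an address: missing gateway or DNS,
    the retired DC still listed, or the new DC absent."""
    findings = []
    for adapter, fields in sections.items():
        if "IP Address" not in fields:
            continue
        dns = fields.get("DNS Servers", [])
        if not dns:
            findings.append((adapter, "no DNS servers configured"))
        if old_dc_ip in dns:
            findings.append((adapter, f"still lists retired DC {old_dc_ip} as DNS server"))
        if new_dc_ip not in dns:
            findings.append((adapter, f"new DC {new_dc_ip} is not a DNS server"))
        if not fields.get("Default Gateway"):
            findings.append((adapter, "no default gateway"))
    return findings


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for adapter, problem in audit_dns(cfg, "192.168.1.2", "192.168.1.3"):
        print(f"{adapter}: {problem}")
```

Feed it the saved output of `ipconfig /all > wks.txt` from a few stations; a station that still names the old DC as a DNS server will keep working only while that DC is up, which matches the symptom in the opening post.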
 
do as technome suggest before proceeding. [and as you probably know dcdiag /v > c:\dcdiag.txt so you can post results if need be].

Run dssite.msc -> server -> ntds and right click the link and select replicate. While you there make sure Global Catalog is ticked.
Check replication = Start -> Run cmd /k repadmin /showreps to see if replication took place. If that fails have a look here
Is the subnet mask the same on the new server?
If you do a nslookup <servername>, what happens?
Have you authorized the DHCP once you remove the old one, and enabled DNS dynamic updates?
Try enabling WINS.
BTW unplug the network cable from the old server into the new one, eliminate any VLAN issues, you haven't told us about.

New server has static IP - I assume you also mean pointing at itself in the TCP/IP properties - it was pointing to the old one, and I have now changed it.
Hope you left both in there, and in DNS that both servers replicate to all name servers, and make sure name servers are listed.
 
OK, here we go . . .!

The IPconfig looks OK to me, the new server is pointing to itself as dns server. GrimR, when you say I should leave the old entry for the dns server as well, I'm wondering if that's correct, as that is the server I'm trying to take offline.

For the time being I have set everything to use the new servers dns service only. The two appear to be synchronised OK, all the entries look the same.

I ran the two diag programs, obviously there is too much to paste here, but I noticed the following;

(old server is called 'main', new server is called 'exchange2')

DCdiag;

++++++++++

Starting test: Advertising
Warning: DsGetDcName returned information for \\main.mydomain.com, when we were trying to reach EXCHANGE2.
Server is not responding or is not considered suitable.
The DC EXCHANGE2 is advertising itself as a DC and having a DS.
The DC EXCHANGE2 is advertising as an LDAP server
The DC EXCHANGE2 is advertising as having a writeable directory
The DC EXCHANGE2 is advertising as a Key Distribution Center
The DC EXCHANGE2 is advertising as a time server
The DS EXCHANGE2 is advertising as a GC.
......................... EXCHANGE2 failed test Advertising

++++++++

Test 'services' failed, but that looks to be because SMTP service is stopped, which I don't want running anyway - or do I? We are not running any mail services on the network.

++++++++

frssysvol test reports a number of error messages, but they stopped appearing yesterday morning, and the test frssysvol is reported as a pass. I assume this is OK?

++++++++++

This wasn't very helpful;

Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x800004F1
Time Generated: 04/10/2008 08:34:48
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 04/10/2008 08:34:48
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 04/10/2008 08:34:48
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 04/10/2008 08:34:48
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 04/10/2008 08:34:48
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 04/10/2008 08:34:48
(Event String could not be retrieved)
......................... EXCHANGE2 failed test kccevent

++++++++++++

This lot seems to be OK, but there are a lot of references to the old server, which I assume will be a problem;

Starting test: FsmoCheck
GC Name: \\main.mydomain.com
Locator Flags: 0xe00001fc
PDC Name: \\exchange2.mydomain.com
Locator Flags: 0xe00001fd
Time Server Name: \\main.mydomain.com
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\main.mydomain.com
Locator Flags: 0xe00001fc
KDC Name: \\main.mydomain.com
Locator Flags: 0xe00001fc
......................... mydomain.com passed test FsmoCheck

++++++++++++++


Apart from that, everything seems to have passed.

Perhaps I'll see if anything obvious strikes anyone before I start on the netdiag results, as there are a lot of them.

Just to note - these tests were run on the new server, but with the old server still running. I'm going to re-run them with the old server unplugged as see what the differences are.

Thanks a lot for your help people!
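GrimR's advice was to run dcdiag and confirm which server the locator actually hands out for each role, and the output above is long enough that the key facts (which tests failed, and which DC is named as GC, KDC and time server) are easy to miss. The script below is an added example for this thread, not code from any of the posters: it parses dcdiag output of the kind pasted above, lists the failed tests, and reports every role for which the locator still names the DC being retired. The sample text is a constructed, trimmed copy of the posted excerpts, using the thread's own names "main" (old DC) and "exchange2" (new DC).

```python
import re

# Constructed sample: a trimmed copy of the dcdiag /v excerpts posted in the
# thread (old DC "main", new DC "exchange2"). Paste real output in its place.
SAMPLE_DCDIAG = """\
Starting test: Advertising
Warning: DsGetDcName returned information for \\\\main.mydomain.com, when we were trying to reach EXCHANGE2.
Server is not responding or is not considered suitable.
......................... EXCHANGE2 failed test Advertising
Starting test: kccevent
An Warning Event occured. EventID: 0x800004F1
......................... EXCHANGE2 failed test kccevent
Starting test: FsmoCheck
GC Name: \\\\main.mydomain.com
Locator Flags: 0xe00001fc
PDC Name: \\\\exchange2.mydomain.com
Locator Flags: 0xe00001fd
Time Server Name: \\\\main.mydomain.com
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\\\main.mydomain.com
Locator Flags: 0xe00001fc
KDC Name: \\\\main.mydomain.com
Locator Flags: 0xe00001fc
......................... mydomain.com passed test FsmoCheck
"""

# "......................... <target> passed|failed test <name>"
RESULT_RE = re.compile(r"^\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
# "<Role> Name: \\dc.fqdn" lines inside the FsmoCheck section
LOCATOR_RE = re.compile(r"^(.+?) Name:\s+\\\\(\S+)")


def parse_test_results(text):
    """Return {test_name: (target, 'passed' | 'failed')}."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            target, verdict, test = m.groups()
            results[test] = (target, verdict)
    return results


def failed_tests(results):
    """Sorted names of the tests that did not pass."""
    return sorted(t for t, (_, verdict) in results.items() if verdict == "failed")


def parse_locators(text):
    """Return {role_label: dc_fqdn} from the FsmoCheck locator lines."""
    locators = {}
    for line in text.splitlines():
        m = LOCATOR_RE.match(line.strip())
        if m:
            locators[m.group(1)] = m.group(2).lower()
    return locators


def roles_still_on(dc_host, locators):
    """Role labels for which the locator answer is the given DC (short
    hostname or FQDN, case-insensitive)."""
    want = dc_host.lower()
    return sorted(label for label, fqdn in locators.items()
                  if fqdn == want or fqdn.split(".")[0] == want)


if __name__ == "__main__":
    results = parse_test_results(SAMPLE_DCDIAG)
    print("failed tests:", ", ".join(failed_tests(results)) or "none")
    locators = parse_locators(SAMPLE_DCDIAG)
    for label in roles_still_on("main", locators):
        print(f"locator still answers with the old DC for: {label}")
```

On the posted output this reports Advertising and kccevent as failed and lists GC, KDC, Time Server and Preferred Time Server as still answered by main, with only PDC pointing at exchange2, which is exactly the "all the roles except one" reading GrimR gives in the next post. The FsmoCheck test "passing" only means the locator found some holder for each role, not that the holder is the intended server.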
 
Well I can see main still holds the FSMO roles except 1
 
Hi GrimR,

Yes - kind of strange. When I go through the admin snapins for FSMO roles, it all shows the new server as the role holder, but obviously something is messed up.

I have decided that seeing what a mess this all is, I am going to set up an entirely new network. The purpose of this exercise was to simplify our setup - I am pretty much the only person here who knows anything about computers (which isn't saying much) and I'm leaving. We have 5 servers at the moment, I am cutting that down to 2. I have moved our mail from Exchange to an ISP webmail based system, so all we really need is a fileserver, and an ISA server.

I do apologise for wasting all your time - to be honest having looked at the results of all these diagnostic programs, it's kind of overwhelming to know where to start, and considering our simple requirements I just concluded that 3 - 4 hours setting up a new network is almost certainly better than the 3 - 4 days I have already spent trying to fix the old one. It has evolved over 7 years, and it's kind of messy now.

I sincerely thank you all for your help though.
 
Just a thought, especially if you have just a few users. I'd DCPROMO the new server out...wait 24 hours, DCPROMO it back in, wait 24 hours, then DCPROMO the old DC out.

If that doesn't work, well, you still have local logon to the fileservers, etc., to retrieve the data and transfer ownership to the new users you'll have to create in the new domain.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 