Transferring FSMO Roles Server 2003 to 2008

acabezas7

MIS
Mar 5, 2007
71
US
Hi everyone,

OK, so I had one Windows 2003 Domain Controller in my domain and I recently implemented a Windows 2008 Domain Controller and transferred the FSMO roles over to my new 2008 DC. Everything went well with transferring the FSMO roles. But every Wednesday I perform a maintenance reboot of all my servers. Now when I reboot my DCs, my 2008 DC boots up first and I log in, but when I try to open up Active Directory Users and Computers I get an error and it doesn't load. But now when I bring my 2003 DC back online I can open up Active Directory Users and Computers on my Windows 2008 DC. Now I thought after moving my FSMO roles from the 2003 DC I could go ahead and demote this DC and have my forest with just 2008 DCs, but apparently that's not the issue, and it looks like the 2008 DC is relying on my 2003 DC. Can someone please help me? Thanks
 
You didn't mention what the error was. But when you open ADUC, what server is it trying to connect to? When you have it open, right click on Active Directory Users and Computers on the left side, and choose Change Domain Controller.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I forget the error it gives me; I will have to perform it again to copy down the error. When I open ADUC it doesn't connect to any domain controller, and when I right-click and go to Change Domain Controller the list was blank and does not show my other list of DCs.
 
Hi Cajuntank,

OK, they both report the same server as holding all 5 FSMO roles. See below:

Windows 2008 DC - Current FSMO role holder

C:\>netdom query fsmo /domain:riepf.com
Schema master PHSRIDCDC01.riepf.com
Domain naming master PHSRIDCDC01.riepf.com
PDC PHSRIDCDC01.riepf.com
RID pool manager PHSRIDCDC01.riepf.com
Infrastructure master PHSRIDCDC01.riepf.com
The command completed successfully.

Windows 2003 DC - Previous FSMO role holder

Server "oscar" knows about 5 roles
Schema - CN=NTDS Settings,CN=PHSRIDCDC01,CN=Servers,CN=West,CN=Sites,CN=Configuration,DC=riepf,DC=com
Domain - CN=NTDS Settings,CN=PHSRIDCDC01,CN=Servers,CN=West,CN=Sites,CN=Configuration,DC=riepf,DC=com
PDC - CN=NTDS Settings,CN=PHSRIDCDC01,CN=Servers,CN=West,CN=Sites,CN=Configuration,DC=riepf,DC=com
RID - CN=NTDS Settings,CN=PHSRIDCDC01,CN=Servers,CN=West,CN=Sites,CN=Configuration,DC=riepf,DC=com
Infrastructure - CN=NTDS Settings,CN=PHSRIDCDC01,CN=Servers,CN=West,CN=Sites,CN=Configuration,DC=riepf,DC=com
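
The comparison made by eye in the post above, as an added example that is not part of the original thread: a small Python parser that normalizes both output formats shown here and reports any role on which the two DCs disagree. The function names, the `dc2008`/`dc2003` labels and the `OLDDC` server in the contrast case are constructed for illustration.

```python
import re
# The two listings label the five roles differently; map each label to one key.
ROLE_KEYS = {
    "schema master": "schema", "schema": "schema",
    "domain naming master": "naming", "domain": "naming",
    "pdc": "pdc", "rid pool manager": "rid", "rid": "rid",
    "infrastructure master": "infrastructure", "infrastructure": "infrastructure",
}
ALL_ROLES = set(ROLE_KEYS.values())
NETDOM_LINE = re.compile(r"^\s*(.+?)\s+(\S+\.\S+)\s*$")   # "PDC host.domain.tld"
NTDS_LINE = re.compile(r"^\s*(\w+)\s+-\s+CN=NTDS Settings,CN=([^,]+),", re.I)

def parse_roles(text):
    """Return {role: server short name, upper-cased} from either output format."""
    roles = {}
    for line in text.splitlines():
        m = NTDS_LINE.match(line) or NETDOM_LINE.match(line)
        if not m:
            continue
        key = ROLE_KEYS.get(m.group(1).strip().lower())
        if key:
            # netdom prints an FQDN, the DN carries the bare CN: keep the first label
            roles[key] = m.group(2).split(".")[0].upper()
    return roles

def compare_views(views):
    """views: {dc label: raw output}. Return findings; an empty list means agreement."""
    parsed = {dc: parse_roles(out) for dc, out in views.items()}
    findings = []
    for dc, roles in parsed.items():
        for missing in sorted(ALL_ROLES - set(roles)):
            findings.append(f"{dc}: no holder reported for {missing}")
    for role in sorted(ALL_ROLES):
        holders = {dc: r[role] for dc, r in parsed.items() if role in r}
        if len(set(holders.values())) > 1:
            findings.append(f"{role}: DCs disagree: {holders}")
    return findings

DN = "CN=NTDS Settings,CN={},CN=Servers,CN=West,CN=Sites,CN=Configuration,DC=riepf,DC=com"
# Rebuilt from the output posted above: netdom on the 2008 DC, role list from the 2003 DC.
NETDOM_2008 = "".join(f"{r} PHSRIDCDC01.riepf.com\n" for r in (
    "Schema master", "Domain naming master", "PDC", "RID pool manager", "Infrastructure master"))
ROLES_2003 = 'Server "oscar" knows about 5 roles\n' + "\n".join(
    f"{r} - {DN.format('PHSRIDCDC01')}" for r in ("Schema", "Domain", "PDC", "RID", "Infrastructure"))
# Constructed stale view for contrast: PDC still attributed to a made-up OLDDC.
STALE = ROLES_2003.replace("PDC - " + DN.format("PHSRIDCDC01"), "PDC - " + DN.format("OLDDC"))

if __name__ == "__main__":
    for view in (ROLES_2003, STALE):
        print(compare_views({"dc2008": NETDOM_2008, "dc2003": view}) or "roles agree")
```
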
 
Well that's good. A couple of things I would look at now would be your Global Catalog server and DNS. Make the 2008 DC a Global Catalog server and also check DNS config. Since you had the single DC, your zone might have been a Primary instead of an Active Directory Integrated. Don't know where your DNS config stands between the two, but that could definitely be the culprit if the 2003 box isn't up and your 2008 is hunting for DNS on it (2003) instead of itself (2008). Hope that helps. Let me know.
 
Try this next time you do your reboots (keep the 2003 DC offline while you do the following). Create a new empty management console (start | run | mmc) and add the ADUC snap-in, point it at your 2008 server and save the console as ADUC2 (or whatever you want to name it).
If you open up the ADUC using your ADUC2 saved file instead of the one located in administrative tools then it should save your settings and point to your desired server. There might be something cached weird in the existing default ADUC that's still wanting to authenticate to the 2003 box.

Also, in regards to the NIC teaming, I have read a couple of issues with doing anything other than failover only (no load balancing) on DCs. Do some Google searches for yourself on that matter.

 
OK, my 2008 DC is a global catalog server already. My DNS is Active Directory Integrated. This is how my setup used to be before the Windows 2008 DC: I had two 2003 DCs, I then implemented the 2008 DC and demoted my second 2003 DC, leaving me with my first DC, which was the other 2003 box, and my Windows 2008 DC. But my DNS zone is Active Directory Integrated. That's why I don't understand what else could be causing this issue. Thanks for your response; any other ideas would be greatly appreciated.
 
Since they are both AD integrated, are the servers pointing locally to themselves for the first DNS address under TCP/IP v4 at the network adapter settings?
 
Yes they are pointing to themselves for the first DNS entry.
 
Have you run DcDiag.exe and NetDiag.exe, with the /v switch, on both servers? Any critical errors?
NetDiag is not included in 2008; the 2003 version will work.


 
Any update on this? I noticed that one of my remarks for some reason got time stamped further up the list so I don't know if you saw that one from me...so here it is again.

"Try this next time you do your reboots (keep the 2003 DC offline while you do the following). Create a new empty management console (start | run | mmc) and add the ADUC snap-in, point it at your 2008 server and save the console as ADUC2 (or whatever you want to name it).
If you open up the ADUC using your ADUC2 saved file instead of the one located in administrative tools then it should save your settings and point to your desired server. There might be something cached weird in the existing default ADUC that's still wanting to authenticate to the 2003 box.

Also, in regards to the NIC teaming, I have read a couple of issues with doing anything other than failover only (no load balancing) on DCs. Do some Google searches for yourself on that matter."


 
I noticed that one of my remarks for some reason got time stamped further up the list so I don't know if you saw that one from me...
I think your time stamp falls during the DST change, which would explain the improper ordering.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
OK, I finally was able to perform my reboots and get the exact error message. Like I explained earlier, I have
1 Windows 2003 DC - Which held the FSMO roles at once

2 Windows 2008 DC - One of them now holds FSMO roles

Now when I turn off my Windows 2003 server my email stops working. All messages get stuck in the queue, and I am running Exchange 2007. Also, when I open up ADUC on my Windows 2008 DC I get the following error message:

Naming information cannot be located for the following reason: The server is not operational.

If you are trying to connect to a Domain Controller running Windows 2000, verify that Windows 2000 Server Service Pack 3 or later is installed on the DC, or use the Windows 2000 administration tools.

Please any help would be greatly appreciated.
 
A long shot, but have you checked in DNS, under your forward lookup zone, that the SOA and Host (A) records are pointing to the correct 2008 server?

I am running Exchange 03. I don't remember all the exact locations, but have you checked the properties of every single item in exch sys mngr to see if something needs to point to your new 2008 IP address?

And if I am not mistaken, BOTH servers SHOULD NOT hold all 5 FSMO roles. In my 03 environment our main DC in our colocation holds all 5 roles; our backup DC in our office also shows that colo server as holding the roles.

Our child domains show the schema and domain roles held by the colo server, and the child domain DC only holds the PDC, RID & Infrastructure.

Schema CN=NTDS Settings CN=BARDC001
Domain CN=NTDS Settings CN=BARDC001
PDC CN=NTDS Settings CN=BAFSRV01
RID CN=NTDS Settings CN=BAFSRV01
Infrastructure CN=NTDS Settings CN=BAFSRV02

I know you don't have a child but just as an example.

And my root domain shows all 5 as BARDC001

Just some ideas.

 
Hi, thanks for the reply. I just checked my SOA on my 2008 DC under the forward lookup zone for my domain and it points to my 2008 DC. I did see one thing: when I right-click the SOA and go to Properties, underneath the General tab for Replication, it's set to - To all domain controllers in this domain (for Windows 2000 compatibility)

Should this be set to All DNS servers in this forest:
or
To all DNS server in this domain:

Do you think this might be the issue I am facing? Thanks
 
Mine is set to:
"To all DNS servers in the Active Directory domain xyz.net"

It doesn't hurt to change it and try it out.

Have you looked into the FSMO issue? I am pretty sure you can't have both offering the same roles to objects on the network.
 
OK, I will change it.

I don't have both offering FSMO roles to objects on the network. All FSMO roles are on my 2008 DC.
 