
Win 2003 / Win 2000 mess 1


albracco

IS-IT--Management
Jun 10, 2004
62
US
Got called in to look at a problem network. There was an existing Windows 2000 DC and someone brought in a new 2003 server. They must not have known how to do a migration, because looking at Active Directory, both are listed as domain controllers, with the forest and domain being at Win 2000 level. Attempting to look at Group Policy on the new Win 2003 server brings up an error that basically says there is no domain to connect to. I installed W2003 SP2 and the Group Policy Management Console. I was then able to see the default group policies (I activated them both), but there are still errors about no domain. I ran DCdiag, and there are a host of failures (replication, netlogon, FSMOcheck, and more). Also, sysvol on the new server does not show as a share.

I'm thinking this: I confirm that the old server is still functional as a domain controller. I demote the new Win 2003 server to member server. I then run W2003 adprep & forestprep on both servers. I then promote the Win2003 server to DC. If all is well, I transfer the master Roles to it.

Anyone see a problem with this?
 
I agree with your plan, but I would also check the original domain controller using DCDIAG after you have demoted the new server and run the prep tools.

The reason for doing this is because there might already be problems on the original and therefore you are just pulling these problems back onto the new server.

Good luck!

Gavin Moorhouse
 
That's a good suggestion - Thank you!

Anyone else have any comments?
 
You run the forest prep and domain prep on the schema master, not on the 2003 server.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
The new 2003 server holds all of the Master roles. I suppose I will want to transfer them back to the original server before I do anything?
 
Then you have a larger problem than you think. How are you going to transfer the roles back to the 2000 box if it can't see the domain that it's transferring?

You'd better dcdiag both boxes and resolve all those issues first, then re-evaluate and go from there.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Yes, you are correct. I know my first order of business is to get the AD replication working, before I can do anything.

I didn't think it was even possible to bring a Windows 2003 server into a Windows 2000 domain as a DC, and keep the domain at Windows 2000 functional level.
 
Not only is it possible, how else would you do it?

You can't up the domain level to Windows 2003 until you have all 2003 domain controllers, and if they could not become domain controllers at a domain level of 2000 native, we would all be a bit stuck!

A domain running at Windows 2000 native can handle Windows 2000 DCs and Windows 2003 DCs.



Have you run the dcdiag yet? You might also want to post other pertinent information such as IP addresses and preferred DNS settings on each domain controller.


Paul
MCSE 2003
MCTS:Active Directory
MCTS:Network Infrastructure
MCTS:Applications Infrastructure

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Of course it occurred to me that your functional level might be 2000 mixed, in which you can also have 2003 domain controllers.

Paul
MCSE 2003
MCTS:Active Directory
MCTS:Network Infrastructure
MCTS:Applications Infrastructure

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
I suspect the preps weren't run first and the 2003 box really isn't a part of the domain, or at least not properly. You can use the NTDSUTIL to confirm which box has the roles, read here at the bottom.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
For Pagy,

It is 2000 mixed. In reference to your previous post, it's quite simple. You use the Win2003 CD on the 2000 server and run adprep and forestprep. You then bring in the 2003 server, promote it to domain controller, transfer all the FSMO roles to it and now you have a Win 2003 domain with a Windows 2000 server as an additional DC.

The other option is to upgrade the 2000 server to 2003 and then bring in the new 2003 server as a new DC.

Those are the only two ways I've done it. I don't see the point of bringing in a 2003 server as DC, but staying with 2000 domain. Why would you do that?

Al
 
Pagy wasn't asking how to do it... but more a rhetorical "how else would you do it?" Since you already have a 2000 DC and 2003 requires the domain to be at a 2000 functional level, then there's no other option. If it weren't, when you tried to DCPROMO you'd get errors.

Similarly, when you DCPROMO the 2003 controller and the domain/forest hasn't been prepped for 2003, you'll get an error and it won't promo. So...something has gone wrong somewhere.

You would keep it at a 2000 functional level if you were to keep your 2000 DC's.

Also, if this is R2, be sure you run the preps from the 2nd CD.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Yes, I read it fast and misunderstood what he was saying.
 
I ran netdiag and dcdiag on the Windows 2003 server. Here is what failed:


NETDIAG:

Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
Machine is a . . . . . . . . . : Primary Domain Controller Emulator
Netbios Domain name. . . . . . : ymca
Dns domain name. . . . . . . . : ymca
Dns forest name. . . . . . . . : ymca
Domain Guid. . . . . . . . . . : {E28601C4-CC6C-4261-A81C-1A1D26BC46B2}
Domain Sid . . . . . . . . . . : S-1-5-21-448539723-1004336348-682003330
Logon User . . . . . . . . . . : Administrator
Logon Domain . . . . . . . . . : ymca




DCDIAG:

Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\NEW-YMCASERVER\netlogon)
[NEW-YMCASERVER] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
......................... NEW-YMCASERVER failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\ymcaserver.ymca, when we were trying to reach NEW-YMCASERVER.
Server is not responding or is not considered suitable.
The DC NEW-YMCASERVER is advertising itself as a DC and having a DS.
The DC NEW-YMCASERVER is advertising as an LDAP server
The DC NEW-YMCASERVER is advertising as having a writeable directory
The DC NEW-YMCASERVER is advertising as a Key Distribution Center
The DC NEW-YMCASERVER is advertising as a time server
The DS NEW-YMCASERVER is advertising as a GC.
......................... NEW-YMCASERVER failed test Advertising

Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Warning Event occured. EventID: 0x800034FE
Time Generated: 07/07/2008 03:10:06
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 07/07/2008 03:17:13
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 07/07/2008 13:16:11
(Event String could not be retrieved)
......................... NEW-YMCASERVER failed test frsevent

Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
PDC Name: \\new-ymcaserver.ymca
Locator Flags: 0xe00003fd
Time Server Name: \\ymcaserver.ymca
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\ymcaserver.ymca
Locator Flags: 0xe00001fc
KDC Name: \\ymcaserver.ymca
Locator Flags: 0xe00001fc
......................... ymca failed test FsmoCheck
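
Added example, not part of any post in this thread: a small Python parser that reduces dcdiag text to the failed tests per server, the locator answers reported by FsmoCheck, and any DsGetDcName mismatch, so that runs taken on both DCs can be compared side by side. The sample is trimmed from the output posted above; the function name summarize is hypothetical.

```python
import re

# Trimmed from the dcdiag output posted above.
SAMPLE = r"""
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\NEW-YMCASERVER\netlogon)
......................... NEW-YMCASERVER failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\ymcaserver.ymca, when we were trying to reach NEW-YMCASERVER.
......................... NEW-YMCASERVER failed test Advertising
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
PDC Name: \\new-ymcaserver.ymca
Time Server Name: \\ymcaserver.ymca
KDC Name: \\ymcaserver.ymca
......................... ymca failed test FsmoCheck
"""

# Verdict line: dots, the tested object, passed/failed, the test name.
VERDICT = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.I)
# Which server the DC locator returned for each role in FsmoCheck.
LOCATOR = re.compile(r"^(PDC|Time Server|KDC) Name:\s+\\\\(\S+)", re.I)
# Advertising warning: the locator answered with a different DC than the one tested.
MISMATCH = re.compile(r"DsGetDcName returned information for \\\\(\S+?),.*reach (\S+?)\.?$")

def summarize(text):
    """Return failed tests, locator answers and locator mismatches (hypothetical helper)."""
    failed, locators, mismatches = [], {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := VERDICT.match(line):
            if m.group(2).lower() == "failed":
                failed.append((m.group(1), m.group(3)))
        elif m := LOCATOR.match(line):
            locators[m.group(1)] = m.group(2).lower()
        elif m := MISMATCH.search(line):
            mismatches.append((m.group(2), m.group(1).lower()))
    # True when the locator hands out different DCs for different roles.
    split = len(set(locators.values())) > 1
    return {"failed": failed, "locators": locators,
            "mismatches": mismatches, "split": split}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On this sample the summary shows the PDC answer pointing at the new server while the KDC and time server answers point at the old one, which matches the Advertising warning.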

 
More info:

Checking the FSMO roles, it seems the new Windows 2003 server holds all the roles except for schema master, which is still on the old server.
 
Log in to the schema and transfer all of the FSMO roles back to it, then try to dcpromo the 2003 server out of the domain.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Well, that was my original plan, but now that I've had a chance to work with the old server, I don't feel good about it. It is SLOW and seems to lose the network connection periodically. I wouldn't feel confident with that as the only DC. What about trying to transfer the schema master role to the new server, which would then give it all the roles?
 
You want to transfer even more domain roles to a DC that's having domain issues?

Don't you feel that wouldn't be a good idea?

Take any computer, load it up with W2K3 Server and DCPROMO it into the domain (after confirming the forest and domain have been prepped) and see if it has any issues.

There is no way in the world I would rely upon the existing 2003 Server for my domain since it's throwing out all sorts of domain related errors.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
True, I'm going to try to see if I can resolve the performance issues on the old server and stick with the original plan.
 
Check the logs...it may be trying to sync and having problems doing that.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 