Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Win 2003 / Win 2000 mess 1

Status
Not open for further replies.

albracco

IS-IT--Management
Jun 10, 2004
62
US
Got called in to look at a problem network. There was an existing Windows 2000 DC and someone brought in a new 2003 server. They must not have known how to do a migration, because looking at Active Directory, both are listed as domain controllers, with the forest and domain being at Win 2000 level. Attempting to look at Group policy on the new Win 2003 server brings up an error that basically says there is no domain to connect to. I installed W2003 SP2 and Group Policy management Console. I was then able to see the default group policies( I activated then both), but there are still errors about no domain. I ran DCdiag, and there are a host of failures ( replication, netlogon, FSMOcheck, and more). Also, sysvol on the new server does not show as a share.

I'm thinking this: I confirm that the old server is still functional as a domain controller. I demote the new Win 2003 server to member server. I then run W2003 adprep & forestprep on both servers. I then promote the Win2003 server to DC. If all is well, I transfer the master Roles to it.

Anyone see a problem with this?
 
Well, I have the old server behaving much better. So I tried to transfer the Operations master role to it, but I get an error that the current holder of that role can not be contacted. So I had to seize the roles. Now the old server has all of the roles. I'm going to leave it like that for now and see how it goes, before doing anything else.
 
Doing some more diagnostics:


dcdiag /v /test:fsmocheck



Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine new-ymcaserver, is a DC.
* Connecting to directory service on server new-ymcaserver.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\NEW-YMCASERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... NEW-YMCASERVER passe



Running enterprise tests on : ymca
Test omitted by user request: Intersite
Starting test: FsmoCheck
GC Name: \\ymcaserver.ymca
Locator Flags: 0xe00001fc
Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
PDC Name: \\new-ymcaserver.ymca
Locator Flags: 0xe00003fd
Time Server Name: \\ymcaserver.ymca
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\ymcaserver.ymca
Locator Flags: 0xe00001fc
KDC Name: \\ymcaserver.ymca
Locator Flags: 0xe00001fc
......................... ymca passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS


Looks like the 2003 server thinks it has the PDC role, but here are the results of some other commands:


nltest /dclist:ymca ...
ymcaserver.ymca [PDC] [DS] Site: Default-First-Site-Name
new-ymcaserver.ymca [DS] Site: Default-First-Site-Name

netdom query fsmo ...
domain role owner ymcaserver.ymca
pdc role owner ymcaserver.ymca
RID pool manager ymcaserver.ymca
infrastructure owner ymcaserver.ymca

Those all appear as they should.

Are we looking at removing the 2003 server from the domain using the manual method as described here?

 
Which server is holding the schema master at the moment?? it's not shown in the netdom query fmso

Paul
MCSE 2003
MCTS:Active Directory
MCTS:Network Infrastructure
MCTS:Applications Infrastructure

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
right now, all fsmo roles are back on the original 2000 server. I determined that by using ntdsutil on the 2000 server. (As an aside, when I tried to use the mmc snap-in, there was no "Active Directory Schema" snap-in when I clicked "add")Anyway, I tried demoting the 2003 server, but it failed with a DSA error. So I think I'm looking at performing the steps in that Microsoft article about cleaning up Active Directory after a failed demotion.
 
Ok - I did the metadata cleanup, so AD on the 2000 server is now OK. But now I have this 2003 server that thinks it is still a domain controller but cannot be demoted. Is there anything else to be done with this 2003 server besides a complete re-install?

And thank you to everyone for your comments...

Al
 
Best bet is to wipe it and re-install

Paul
MCSE 2003
MCTS:Active Directory
MCTS:Network Infrastructure
MCTS:Applications Infrastructure

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
I agree with Paul...wipe the entire server clean and do a fresh installation and try again.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
OK folks - I thank you for your assistance. I will give them the bad news. This is for a non-profit, so I was just trying to find a less expensive route for them than having to rebuild the server. Oh well...
 
Not a lot of expense related to rebuilding a server. Surely since this is a non-profit a good consultant would offer to do it for free in his or her spare time.



I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
A good consultant with spare time? That's an oxymoron - only bad consultants have spare time - LOL. Anyway, I've already "donated" at least a day of my time diagnosing the mess they were left with. Sure, rebuilding a server is easy, but getting all their ancient applications running again is a different matter. You should see this mess!
 
We here at Tek-Tips have donated a lot of time and effort as well to assist you in correcting this problem without benefit of any compensation.

What you decide to do from here on out is your decision to make, obviously.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top