Windows 2008 DC with Windows 2003 Primary DC. Windows 2008 Errors

[silvercas]

I'm trying to get a Windows 2008 DC into my Windows 2003 Active Directory environment. Right now I only have one Windows 2003 Domain Controller. This is all taking place in a LAB enviornment.

I start by doing all the ADPREPs switches outlined in the TECHNET article. I use the ADPREP via the Windows 2008 CD on the Windows 2003 DC. I even include the one for RODC. I change the forrest and domain functionality level to windows 2003.

When I join the 2008 to the DC, 2008 gives me errors in the System Log. The errors are; LSA EventID:40961, Group Policy EventId:1055, Netlogon EventID:5775. There are 0 errors on the Windows 2003 DC. Also via the 2008 box I am unable to manage the 2003 dns server. The 2008 box says it only capable of managing Windows 2000 or higher. But via the 2003 box I am able to manage the Windows 2008 dns server. Lastly via Active Directory Sites and Services when I try to replicate now the 2008 machine (via the 2008 machine) gives me access denied errors.

The system log errors will go away if I leave the machine on all night but return once the 2008 DC is rebooted.

Any tips?

 

[kmcferrin]

Has the 2008 box ever successfully been joined to the domain AND promoted to a DC?

Also, the domain/forest prep from the 2008 disc should only be necessary if you're upgrading the functional level to 2008. Otherwise you'd use the 2003 version. What you are doing with domain/forest prep is configuring the schema to support the features of that particular functional level. If you're not going to the 2008 functional level, you don't need to change the schema.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCSE:Security 2003
MCITP:Enterprise Administrator

 

[silvercas]

the 2008 has sucessfully been joined to the domain and promoted to a DC. Problem is these errors in the system log

Are you sure about the domain forestprep? See below link.

http://technet2.microsoft.com/windo...7771-4a31-8113-6e57c090987b1033.mspx?mfr=true

 

[Davetoo]

Assuming you've already done the legwork, what is the jist of the errors you're seeing on the 2008 box?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

 

[silvercas]

i have done a lot of research and something to me seems off with 2008. the jist is the registration of DNS records and the group policies being applied. as I stated the errors clear overnight and return with a reboot. I noticied that the ethernet adapter which is a broadcomm in a dell 1950 when I logon has a yellow warning on it that clears after a few seconds. wondering if the network adapter is a slow starter.

 

[silvercas]

ok the DNS errors I have gotten have disappeared after removing the below KB from MS. Im now just left with 40961, 1066 errors.

According to Microsoft Security Advisory (935964), the RPC remote management can be disabled by taking the following steps:

1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
2. Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
3. On the 'Edit' menu select 'New' and then click 'DWORD Value'.
4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.
5. Double click on the newly created value and change the value's data to 4.

Restart the DNS service for the change to take effect

 

[netometer]

Hi,

1. When you run DCPROMO on the Windows Server 2008 there is a log file – DCPromoUI.log, created under %systemroot%\debug\

Could you take a look at this file and post errors entries here? What about errors in the event logs?

2. What result do you get from the command “NETDOM QUERY FSMO”? Both servers should give you the same answer.

3. Do you have child objects under the Server objects in AD Sites and Services? What happens when you force a replication – from the W2k3 -> W2k8 and in the opposite direction.

4. When you run the “NET SHARE” command on the W2k8 server do you see the NETLOGON and SYSVOL shares?

5. Did you check the AD health status of the Windows Server 2003 AD before you joined the W2k8 DC – NetDiag, DCDiag etc? Sometimes problems with AD prevent the new W2k8 from successfully replicating and becoming a DC.

There is a series of Step-by-Step videos about migrating to Windows Server 2008 which you might find useful – I think your scenario is this one:

http://www.netometer.com/video/tutorials/windows-dc-2008-add-upgrade

Regards,



Dean

http://www.netometer.com

Online Screencasts and Video-Tutorials

 

[silvercas]

netometer thanks for replying. I just got back to doing this today

1. i have the log but I dont see an error that stands out. there is alot of error checking

2. they both say the original server name which is correct

3. when I force replication from win2k3 to win2k8 it works

from win2k8 to win2k3 it says access denied to win2k8 machine. this only fails from the win2k8 machine the win2k3 machine is fine with both ways

4. net share I see all the results

5. netdiag and dcdiag on the original server are a-ok

 

[silvercas]

What should the DNS settings be on the 2nd AD, DS, DNS Windows 2008 Server? Should they be the windows 2008 box itself? Or should it be the initial windows 2003 server with AD,DS, DNS and new windows 2008 server?

If I only put the 2008 server I get event viewer errors

Thanks