2

I'm no Active Directory Wizard. Here's what I did:

  • Old W2003 R2 PDC needed to be replaced with a new server
  • Rolled out W2008R2 and used DC Promo to add it the domain
  • Due to some DNS issues, had a little problem with replication, but set up DNS on the new server, had them both pointing to it, and replication doesn't seem to have an errors.
  • Rebuilt all the group policies etc.
  • Raised the function level of the Forest and Domain to Server 2003
  • Used all the GUI tools to change every role in all the different Active Directory components to New Server
  • As far as I can tell, from all the instructions on the web, the New Server is the PDC

The problem:

  • When Old Server is running, everything is fine. However when it's not running and New Server boots, it won't load Active Directory and Bootup pauses for 10 minutes+ with some error about unable to contact the PDF emulation or something (more details available on request, I'm just not on site atm).

I need to get the New Server acting properly as the PDC so I can decomission (dc promo) the old server and get rid of it. Because it's SBS it keeps threatening to shut down because there can't be two servers in AD with SBS licensing.

Roles:

Server "commlec.local" knows about 5 roles Schema - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LO‌​CAL Naming Master - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LO‌​CAL PDC - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LO‌​CAL RID - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LO‌​CAL Infrastructure - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LO‌​CAL –

Possible relevant Event Log entiries (keep in mind these seem to only happen when the New Server is rebooted with the Old Server powered down:

Warning DNS Client 1014
Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.COMMLEC.LOCAL timed out after none of the configured DNS servers responded.

Error DfsSvc 14550
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

Warning DNS Client 1014
Name resolution for the name _ldap._tcp.COMMLEC.LOCAL timed out after none of the configured DNS servers responded.

Error DHCP=Server 1059
The DHCP service failed to see a directory server for authorization.

Info DHCP Server 1044
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain COMMLEC.LOCAL, has determined that it is authorized to start. It is servicing clients now.

Error DfsSvc 14550
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

That's the last error, the server then begins operating normally. There's a few more misc errors about being unable to register the servers resources in DNS (which won't start because it's decided it has no AD information), Group Policy failing with no Domain Server and WinRM not creating SPNs (whatever that is).

Community
  • 1
Dom
  • 741
  • 1
  • 8
  • 19
  • 3
    There's no such thing as a PDC (in the sense you're using the term). Have a read of this: http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm and then follow the related links at the bottom, especially the one about transferring FSMO roles. (You shouldn't need to sieze them, as both your DCs are working.) – SmallClanger May 25 '12 at 07:22
  • I've transferred all the roles, one by one, to the New Server, and I've selected Global Catalogue. This is why I'm confused. It has all the roles, Replication seems to be working, but when I boot it without the Old Server running it decides there is no valid Active Directory repository available and it falls over. – Dom May 25 '12 at 08:13
  • Have you checked that DNS is configured correctly on the new server, and that the DNS settings within network card/IPv4 settings on the new server are configured to point to itself, and are not pointing to the old server? – Rob Moir May 25 '12 at 09:19
  • Yep, see comment below. – Dom May 25 '12 at 13:21

4 Answers4

2

Active Directory replication isn't ready yet, and your new domain controller isn't a domain controller unless 13516 is logged and sysvol and netlogon will be shared (sysvol replication has finished). Here are a few steps to take:

  • With NSLookup, check if your new DC can resolve the domain name, itself, and the old DC. Check both forward and reverse lookup
  • Run repadmin /kcc
  • Wait a few minutes
  • Run repadmin /syncall
  • Wait a few minutes
  • If event id 13516 is not logged, run dcdiag and post the output. Also post any error messages that occur performing these steps.
Undo
  • 311
  • 6
  • 19
user1008764
  • 1,176
  • 2
  • 8
  • 12
  • Sorry, I hastily read your post before and didn't look in the File Replication event log but I recommented recently. I do get that event "The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL" – Dom May 25 '12 at 14:00
  • no problem. abive i saw that you have dns clients errors for dns service records. maybe not all service records where created correctly. restart the netlogon service and after that in a cmd run ipconfig /registerdns. also run a dcdiag and post the result here. – user1008764 May 25 '12 at 14:20
1

Put the following code in a .bat-file:

set /p DC=Please provide the name of a domain controller: 
ECHO.
Ntdsutil roles Connections "Connect to server %DC%" Quit "select Operation Target" "List roles for connected server"

And run it (best chances of success while running it on the new DC). It will ask you for some permissions and a promo should open. Can you paste the contents in your question?

It might be possible not all FSMO-roles were transferred.

Bart De Vos
  • 17,911
  • 6
  • 63
  • 82
  • Ntdsutil: roles fsmo maintenance: Connections server connections: Connect to server commlec.local Binding to commlec.local ... Connected to commlec.local using credentials of locally logged on user. server connections: Quit fsmo maintenance: select Operation Target select operation target: List roles for connected server – Dom May 25 '12 at 08:18
  • Server "commlec.local" knows about 5 roles Schema - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL Naming Master - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL PDC - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL RID - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL Infrastructure - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL – Dom May 25 '12 at 08:19
1

OMG Solved - this is designed behaviour.

Because SBS is licensed for 1 server in a domain, Server 2008 attempts to contact it and refuses to boot or operate properly without it, even though 2008 has all FSMO roles and the Global Catalogue.

To solve this problem you need to Demote the SBS 2003 server, and verify all SBS 2003 entries in DNS and Sites/Services etc have been removed or converted to a computer account.

My thinking was: After setting up the 2008 server and transferring the FSMO roles, turn off the 2003 server to verify everything is happy, before demoting it and then destroying it.

Reality is: You get no chance to test the transfer with SBS 2003. Once the roles are transferred you have to demote SBS 2003 before 2008 will work.

Dom
  • 741
  • 1
  • 8
  • 19
0

i think you have misconfigured the networkcard on your new server. have you entered the ip address of the old server as dns server on the new one? this could be the reason why all works fine when old server is running and the bootup delay of the new server when old server is down. new server is unable to do dns querys

mario
  • 1
  • Nope. New Server's Primary DNS is itself and Secondary is 127.0.0.1. Old Server's DNS is pointed to the New Server. – Dom May 25 '12 at 09:40
  • on new server check eventlog -> file replication service: is there an event with id 13516? – mario May 25 '12 at 10:13
  • Yep, a short time after boot: The File Replication Service is no longer preventing the computer SERVER from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share. – Dom May 25 '12 at 13:42