Active Directory Server 2000
burbankmarc
Member Posts: 460
Hey all,
I frequent the Cisco and Linux forums here but I have an MS question. I am not an MS guy so you might have to talk slowly to me.
Anyways, I want to upgrade my domain controllers from 2000/2003 to 2008 R2. I first want to test this upgrade process. I installed server 2000 on a PC added it to the domain and made a domain controller. I then had a complete copy of the AD forrest so that was cool. I then moved it to a private network and stuff stopped working.
I wasn't able to do anything for AD because it couldn't contact the other domain controllers, so I seized control of all the roles I could hoping that would be it. Well it wasn't and now it seems to work even less.
So my question is how do you pull a working Domain Controller and move it to a private LAN for testing?
I frequent the Cisco and Linux forums here but I have an MS question. I am not an MS guy so you might have to talk slowly to me.
Anyways, I want to upgrade my domain controllers from 2000/2003 to 2008 R2. I first want to test this upgrade process. I installed server 2000 on a PC added it to the domain and made a domain controller. I then had a complete copy of the AD forrest so that was cool. I then moved it to a private network and stuff stopped working.
I wasn't able to do anything for AD because it couldn't contact the other domain controllers, so I seized control of all the roles I could hoping that would be it. Well it wasn't and now it seems to work even less.
So my question is how do you pull a working Domain Controller and move it to a private LAN for testing?
Comments
What I do know is seizing control of the FSMO roles is almost always a bad idea. Something breaks pretty much every time. But I think you already learned that one.
I am not sure why you are doing it the way you are unless you want a test domain? anyway you can build a DC allow it to replicate then move it and seize the roles. BUT you have to do some housekeeping afterwards.
Your new and seperate domain needs to be treated as if all the other DC's have failed so you need to do a meta data clean as per
Delete Failed DCs from Active Directory
You should also remove them from sites and services as this is not done for you.
Clean up DNS, and run dcdiag /test:dns ignoring any post reboot events anything other than that you would need to be more specific about what is not working.
Also ignore anything in the event logs right after a DC reboots, in fact what I do is just clear all events and just watch for new ones.
Just make sure you do not move that DC back to the other network.
Ok, so maybe I can't just pull it from a live environment and throw it onto a test environment, but is there a way I can export the AD on the live servers and import it onto my test machine?
*EDIT*
Thanks Mojo, let me go test that out and see what I come up with.
Well if you allowed it to replicate it should have a copy already, that's how it works, or am I not understanding what you have done?
I guess I'll have to wipe the system and start again, no biggie.
Well that's what I was banking on, the replication, which worked perfectly. However, I didn't know that if you pulled it off the network it would break everything.
I guess I was curious if I could just export AD from one network then import it to my test machine.
Well I don't know what that means, but sure. I just want to get off these old OS's. So whichever way works best is fine by me.
2017 Goals: 1 of 5 courses complete, 0 of 2 exams complete
Well you can get it going, all these things are fixable it's just how much time and effort do you want to spend doing so? I have a few hours to help but you might be better of starting from scratch as its a lab setup...your call.
Transitional means just that you transition over to 2008, so you would basically build a 2008 DC on to your domain MOVE roles to it, get it all working then decom an old server, rebuild it to 2008 make it a DC and so on until all your DC's are 2008 rather than what is effectivly an OS upgrade.....make sense?
Just to add to this, pretty much every issue you will have is going to be related to DNS, but this is the first thing to check.
If it is not pointing to itself then configure it do do so, then at the command prompt type
"ipconfig/flush dns"
then
"net stop netlogon && net start netlogon"
The run dcdiag /test:dns to find any other dns issue's
I wouldn't mind fixing these things. I could probably use a deeper understanding of how Microsoft servers work.
And that was exactly my plan. I was going to put a new 2008 server on the domain, replicate all the data to it, then slowly decomission the 2000/2003 servers.
Ok, so how would I fix the problem where I can't connect to AD on my test machine?
Thanks a lot for the help, btw. I appreciate it.
Now, as a test I tried adding my test 2008 server to the domain, but it failed out. It says it can't find the domain. It's DNS server is pointed to the server 2000 test machine.
Happy days, first thing make sure the 2000 box is working ok, no events etc, dcdiag looking ok and so on, make sure you have no firewall running then try again, but again check the ip config of the 2008 box, it needs to be on the same subnet or have a route and it needs to be looking at the dns servers of the domain you are wanting to join etc.
But make sure the 2000 box is ok as above, maybe even give it a reboot for good luck.
Don't worry, I got the networking portion.
There is no firewall.
Ok, I also rebooted both of them for good measure.
DC Diag output
Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: MAPCOM\MAPCOM-HQ-06 Starting test: Connectivity MAPCOM-HQ-06's server GUID DNS name could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc Although the Guid DNS name (0d46c4b3-096f-4a20-af69-410cc72cdcbe._msdcs.mapcom.local) couldn't be resolved, the server name (mapcom-hq-06.mapcom.local) resolved to the IP address (172.18.1.1) and was pingable. Check that the IP address is registered correctly with the DNS server. ......................... MAPCOM-HQ-06 failed test Connectivity Doing primary tests Testing server: MAPCOM\MAPCOM-HQ-06 Skipping all tests, because server MAPCOM-HQ-06 is not responding to directory service requests Running enterprise tests on : mapcom.local Starting test: Intersite ......................... mapcom.local passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355 A Global Catalog Server could not be located - All GC's are down.Then verify SRV records as per the below articles
http://support.microsoft.com/kb/241515
http://support.microsoft.com/kb/241505
Check the edit I made also for the GUID error and follow those links, but this might not cause you an issue short term but good to fix.
*EDIT*
ok here's the dcdiag output:
Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: MAPCOM\MAPCOM-HQ-06 Starting test: Connectivity ......................... MAPCOM-HQ-06 passed test Connectivity Doing primary tests Testing server: MAPCOM\MAPCOM-HQ-06 Starting test: Replications ......................... MAPCOM-HQ-06 passed test Replications Starting test: NCSecDesc ......................... MAPCOM-HQ-06 passed test NCSecDesc Starting test: NetLogons ......................... MAPCOM-HQ-06 passed test NetLogons Starting test: Advertising Fatal Error:DsGetDcName (MAPCOM-HQ-06) call failed, error 1355 The Locator could not find the server. ......................... MAPCOM-HQ-06 failed test Advertising Starting test: KnowsOfRoleHolders ......................... MAPCOM-HQ-06 passed test KnowsOfRoleHolders Starting test: RidManager ......................... MAPCOM-HQ-06 passed test RidManager Starting test: MachineAccount ......................... MAPCOM-HQ-06 passed test MachineAccount Starting test: Services ......................... MAPCOM-HQ-06 passed test Services Starting test: ObjectsReplicated ......................... MAPCOM-HQ-06 passed test ObjectsReplicated Starting test: frssysvol Error: No record of File Replication System, SYSVOL started. The Active Directory may be prevented from starting. There are errors after the SYSVOL has been shared. The SYSVOL can prevent the AD from starting. ......................... MAPCOM-HQ-06 passed test frssysvol Starting test: kccevent ......................... MAPCOM-HQ-06 passed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x8000003E Time Generated: 08/18/2010 14:16:03 Event String: This Machine is a PDC of the domain at the root ......................... MAPCOM-HQ-06 failed test systemlog Running enterprise tests on : mapcom.local Starting test: Intersite ......................... mapcom.local passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355 A Global Catalog Server could not be located - All GC's are down. Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 A Good Time Server could not be located. Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355 A KDC could not be located - All the KDCs are down. ......................... mapcom.local failed test FsmoCheck ................ mapcom.local passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355 A Global Catalog Server could not be located - All GC's are down. Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 13 A Good Time Server could not be located. Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355 A KDC could not be located - All the KDCs are down. ......................... mapcom.local failed test FsmoCheck are down. ......................... mapcom.local failed test FsmoCheckOne to add to your check list for next time..
While you are checking stuff can you check the DNS has the following zones, I suspect you might be missing the _msdcs zone
_msdcs
_sites
_tcp
_udp
Once done try adding the 2008 server to the domain again.
Still cannot connect though. I tried the full domain too of mapcom.local. If I ping mapcom.local from my 2008 server it returns the address of the 2000 DC.
What message is being returned? cannot find domain? any remaining errors on dcdiag /test:dns output from the dc?
dcdiag /test:dns - tells me that isn't a valid test.
The FSMO test is still failing, though.
Maybe it is not valid on server 2000, could you post the output of the FSMO error?
Starting test: FsmoCheck Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error A Global Catalog Server could not be located - All GC's are down.I went through a fix on microsoft's website. Told me to change the value of burflag in the registry, that didn't seem to work though.
However, the 2008 server is now prompted with an authentication box when trying to join the domain. Baby steps, but still good news.
Authentication is not working. Well, that might be misleading, authentication appears to work but it tells me there might all ready be a computer with that name on the domain. I changed the name and it the error still came up.
It tells me to "remove any stale conflicting account"
The do just that, places you need to check Are AD Users and Computers, sites and services or rename the server to something you know 100% has never been used on the domain.
How to upgrade Windows 2000 domain controllers to Windows Server 2003
Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2
By the way, if you have Exchange 2000 you'll have some other things to keep in mind too.
How to remove the first Exchange 2000 Server computer from the site
XADM: Exchange Management Service Remains After You Remove Exchange 2000 Server
Step-by-Step: Migrating Exchange 2000 to Exchange 2003 Using New Hardware
I recently made this exact same journey. We went from a Windows Server 2000 domain to 2008 R2 and from Exchange 2000 to Exchange 2003. The plan was to go from Exchange 2000 to 2010 but we're in a holding pattern until Microsoft and Cisco figure out the issue with Unity 7 and Exchange 2010.
Additionally, I would suggest testing things like this in a completely separate, isolated environment.