Move AD to new server
  • Move AD to new server

    I have posted here regarding my attempt to replace a windows 2000 Server which is the AD master, with a new windows 2003 server.

    I have not been able to work on this problem for a couple of months, but now am back on the issue.

    I transferred the roles from the 2000 server to the 2003 server without error. When the client machines had their DNS server IPs changed to the new server, things got sluggish. I couldn't demote the 2000 server from the AD, etc. So I am going to start from step 1.

    1. I have a DNS server set up on the new 2003 server. We only want to handle the local PCs on our network, and forward all other requests to our ISP's DNS servers. Is there anything I should check on the 2003 DNS server setup to ensure nothing is screwed up and causing me problems?

    Thanks. Once I am sure there are no issues with the DNS server setup on the 2003 server, I will move on to getting AD properly moved to the 2003 server.

  • #2
    Re: Move AD to new server

    Any errors in the event viewer?


    • #3
      Re: Move AD to new server

      Did you transfer all the FSMO roles?

      Your internal DNS should be set up with forwarders to forward any unresolved queries to your ISP.


      • #4
        Re: Move AD to new server

        OK, here is the latest.
        1. I have DNS set up on the Windows 2003 server. It appears to be configured correctly, as I can ping local names as well as internet names (I have configured the network on the 2003 server to look to itself for DNS).

        2. I transferred all the FSMO roles from the windows 2000 server to the new windows 2003 server. Each transfer yielded a success message.

        3. I set the windows 2003 server as a global catalog, and deselected the windows 2000 server as a global catalog.

        I shut down the Windows 2000 server. I then rebooted the Windows 2003 server. The Windows 2003 server stuck at "Preparing network connections". It only became "unstuck" when I powered the Windows 2000 server back up.

        I modified one of the network PCs to use the Windows 2003 server as the DNS server, and rebooted it. I was able to log in to the domain from the PC.

        Why would the 2003 server hang when the 2000 server was powered down? I successfully transferred all the roles to the 2003 server.

        Ideas greatly appreciated.



        • #5
          Re: Move AD to new server

          Oh, some more info.

          Errors in the application event viewer:

          Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

          Errors in the directory service viewer:

          Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

          Source domain controller:
          Failing DNS host name:

          NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

          Registry Path:
          HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

          User Action:

          1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

          2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

          3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on

          dcdiag /test:dns

          4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

          dcdiag /test:dns

          5) For further analysis of DNS error failures see KB 824449:

          Additional Data
          Error value:
          11004 The requested name is valid, but no data of the requested type was found.

          Second error:
          Active Directory was unable to establish a connection with the global catalog.

          Additional Data
          Error value:
          1355 The specified domain either does not exist or could not be contacted.
          Internal ID:

          just a note:
          SERVER is the old windows 2000 machine.
          dellserver is the new windows 2003 machine.


          • #6
            Re: Move AD to new server

            At what DNS server are the DCs pointing in their network connection properties ?
            Make sure that W2K3 points to itself as primary and to W2K as secondary.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"


            • #7
              Re: Move AD to new server

              The 2003 server points to itself as the primary dns server
              (Lan connection properties). It does not have a secondary
              dns server setting.

              The 2000 server points to itself as the primary dns server.
              It is also a dns server.

              Should I disable the DNS server on the 2000 server?


              • #8
                Re: Move AD to new server

                I have seen Global Catalog work from 2000 to 2000 with no issues. I had to do 2000 to 2003 for the first time and it was easy with no issues, and then last year I had to do another one and that just became a mess. I am actually redoing the whole domain, including the Exchange server, from scratch.
                I had the same issue and it eventually messed up everything including policies, Exchange etc.
                I don't know what step the people who did it missed, but it caused many issues.
                Good luck with everything.


                • #9
                  Re: Move AD to new server

                  Sounds like I need to wipe out the AD and start again.

                  So, I should transfer the roles back to the Windows 2000 server and
                  unjoin the Windows 2003 server from the domain?

                  Then I should power down the Windows 2000 server. Then, I should make the
                  Windows 2003 server the AD server for a new domain?

                  A couple of questions:
                  1. Can I use the same domain name without problem?
                  2. Should I do anything with the permissions and security on the files prior to
                  making the 2003 server an AD server in a new domain? (The 2003 server has user
                  files on it as well.)
                  3. Since the users have logged into their PCs as users in the domain, when they log
                  back into the domain on their PCs, will they get the same desktop, file access,
                  etc. or will they be treated as new users?

                  thanks in advance.


                  • #10
                    Re: Move AD to new server

                    Don't start again. You cannot use the same domain name or any domain name that the PCs will recognise. Each PC has a profile tied to the domain (by a SID - Security ID). Destroy the domain and you destroy the SID - never to be recreated. Try to work through the problem - it seems to me you are taking the right steps, but something has not completely transferred. Did you allow enough time for the catalogues to replicate after transferring the GCs?

                    Steven Teiger [SBS-MVP(2003-2009)]
                    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                    We don't stop playing because we grow old, we grow old because we stop playing.


                    • #11
                      Re: Move AD to new server


                      How long should I wait for the catalog to transfer?


                      • #12
                        Re: Move AD to new server

                        Global Catalog has been checked on the 2003 server for 3 days. The 2000 server is also checked as a global catalog. In addition, the 2000 server is still running a DNS server (so both servers are running a DNS server).

                        When I shut off the 2000 server and then reboot the 2003 server, it hangs at "Preparing network connections" for about 10 minutes or so. Then I can log in.
                        Everything runs slow though.

                        Is this due to the fact that the 2000 server is still in the domain, and it tries to contact it when it's down?

                        Should I remove the 2000 server from the domain?



                        • #13
                          Re: Move AD to new server

                          What DNS server is your 2003 box pointing to?

                          This screams out to me that it's DNS.


                          • #14
                            Re: Move AD to new server

                            The 2003 is pointing to itself for DNS.

                            I.e. in the TCP/IP properties, the DNS server is set to
                            the IP address of the 2003 box.

                            Is there a way to verify DNS? I can ping domain names, etc.
                            and they resolve just fine.
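                            The check the thread keeps circling back to (dcdiag /test:dns in post #5, "is there a way to verify DNS?" above) is whether the DNS server the DC points to still advertises the right DCs. Pinging a hostname only proves A-record resolution; domain logon and replication depend on the SRV records under _msdcs. The script below is an added example, not from any poster: it queries those SRV records against the DC's configured DNS server, confirms each advertised target also has an A record (the condition behind the "11004 ... no data of the requested type" error quoted in post #5), flags any DC that is advertised but not expected, and prints the forwarders via dnscmd. It assumes a Windows machine with the DnsClient module (Windows 8 / Server 2012 or later) for Resolve-DnsName; the domain name and DNS server IP are placeholders, and dnscmd must be run on the DNS server itself.

```powershell
# Added example (not from the thread): sanity-check the AD DNS zone a DC points to.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012+).
param(
    [string]$Domain      = 'example.local',   # placeholder: the AD DNS domain name
    [string]$DnsServer   = '192.0.2.10',      # placeholder: IP listed as primary DNS on the DC's NIC
    [string[]]$ExpectedDCs = @('dellserver', 'SERVER')  # names used in the thread
)

# SRV records a client needs to locate a DC, a Kerberos KDC and a global catalog.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)

$problems = @()
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'SRV' }
    } catch {
        $problems += "$name does not resolve via $DnsServer : $($_.Exception.Message)"
        continue
    }
    foreach ($r in $records) {
        $target = ($r.NameTarget -split '\.')[0]
        Write-Host ("{0,-40} -> {1,-30} port {2}" -f $name, $r.NameTarget, $r.Port)
        # Each advertised DC must itself resolve to an address, or clients fail with 11004-style errors.
        try { Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -ErrorAction Stop | Out-Null }
        catch { $problems += "$($r.NameTarget) (from $name) has no A record on $DnsServer" }
        # A DC that has been shut down but is still advertised keeps clients and GPO processing waiting on it.
        if ($ExpectedDCs -notcontains $target) { $problems += "unexpected DC '$target' advertised in $name" }
    }
}

# Forwarders: Server 2003 exposes them through dnscmd; run this part on the DNS server console.
Write-Host "`nForwarders (dnscmd /info /forwarders):"
dnscmd /info /forwarders

if ($problems.Count -eq 0) { Write-Host "`nNo DNS problems found." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

If SERVER is meant to be decommissioned, the expected-DC list would shrink to dellserver alone, and any record still pointing at SERVER is the stale entry to clean up before shutting it down for good.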


                            • #15
                              Re: Move AD to new server

                              What other roles or services is this server running?