Upgrading Active Directory, need a little help... please

    First off, I'm new to this forum, and I signed up here because this site shows up a lot in Google searches, and this site has helped a lot when I'm troubleshooting problems...

    So a quick thanks to everyone here, and more thanks to anyone who responds to my issue...

    I administer a small network (about 20 servers), and my new task is to fix Active Directory and upgrade from two Server 2000 DCs to two Server 2008 DCs. This is my first time troubleshooting Active Directory, and I am starting to have a hard time...

    I haven't had to touch AD until now, and it turns out that it is very broken...

    Sorry for all the background; here are my issues:

    DCs:
    servernames: server2000 and s2400
    server2000 is the PDC and holds all the roles
    s2400 is supposed to be just the backup domain controller

    Replication has not been happening since 2004, I have been working through all of the events in the event viewer one at a time, and I was able to get replication going from server2000 to s2400 (for a couple of days), I cannot get replication to work from s2400 to server2000!

    I think I got ahead of myself because once replication was happening one way I tried to run adprep /forestprep then adprep /domainprep, which completed successfully. But I still cannot run dcpromo on the new 08 server (it still says that I have to run adprep /forestprep...).

    Turns out that replication is no longer happening from server2000 to s2400 now because of a "schema mismatch"

    I ran the adprep command because I was hoping that I didn't have to fix all the issues with the 2 current DCs (there are many).

    s2400:
    1. ntds kcc event 1265 (access is denied)
    2. in Active Directory Sites and Services, if I "replicate now" from server2000 I get "The naming context is in the process of being removed or is not replicated from the specified server"
    3. If I "replicate now" from s2400 I get "The target principal name is incorrect"

    server2000:
    1. if I "replicate now" from server2000 I get "The naming context is in the process of being removed or is not replicated from the specified server"
    2. if I "replicate now" from s2400 I get "The following operation failed because of a schema mismatch between the servers involved"

    Both:
    in the system log: mrxSmb event 8003 - The master browser has received a server announcement from the computer XSERVE that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A01FF9F8-5E20-4F9B-A9. The master browser is stopping or an election is being forced.

    XSERVE is the only Mac server we have and I don't know if this is part of the problem, I can't seem to find much info on what this is or what is happening, but there are tons of these errors...

    I have been working on this for weeks, and have already resolved many issues, these are the remaining issues, and I have tried many, many solutions to fix this...

    If I am understanding this correctly...

    S2400 is having a problem communicating with server2000 through the secure channel. And all fixes I have found and tried fail... I don't think it's a DNS issue, as I can always resolve all computers by name. I don't know a lot about DNS either, but I've had someone who knows look at it, and they concur that DNS seems to be working correctly.

    I have attached the output of dcdiag, netdiag, repadmin.

    My hope is that someone here has dealt with this kind of thing before and can point me in the right direction. Of course I don't want anyone to work too hard on this problem, but any tips or help would be awesome.

    Ultimately, I want to turn off both of these servers and bring up two Server 2008 domain controllers. Is there an easier way to do that? I've been told that I need to fix the old ones first in order to add the new ones, if I want to do this correctly. I am about ready to just start a new domain, join everyone to it, and forget about the old broken one...


    Anyway, thanks again to anyone that responds...
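The symptoms in the first post (schema mismatch in one direction, "target principal name is incorrect" in the other, adprep run while replication was half working) can all be read off the two DCs directly. The script below is an added example written for this thread, not something from the original post or the attachments. It assumes the two server names from the post, that repadmin and nltest are on the path (the Windows Server 2003 SP1 or later Support Tools, or the 2008 box; the Windows 2000 repadmin has no /csv switch), PowerShell 3 or later on the machine it runs from, and a read-capable account; the NetBIOS domain name is a placeholder.

```powershell
# Added example (not from the thread). Server names are the ones in the post;
# the NetBIOS domain name is a placeholder.
$Dcs           = 'server2000', 's2400'
$DomainNetbios = 'DOMAIN'    # assumption: replace with the real NetBIOS domain name

# Decimal codes repadmin reports for the errors quoted in the post.
$KnownErrors = @{
    8418        = 'schema mismatch (ERROR_DS_DRA_SCHEMA_MISMATCH)'
    8452        = 'naming context being removed / not replicated from that server (ERROR_DS_DRA_NO_REPLICA)'
    8453        = 'replication access denied (ERROR_DS_DRA_ACCESS_DENIED)'
    5           = 'access denied'
    -2146893022 = 'target principal name is incorrect (SEC_E_WRONG_PRINCIPAL, 0x80090322)'
    8456        = 'source DC disabled: USN rollback or unsupported restore detected'
    8457        = 'destination DC disabled: USN rollback or unsupported restore detected'
}

function Get-DcState {
    param([string]$Server)
    # RootDSE is served by every DC and needs no prior knowledge of the forest's DNs.
    $root     = [ADSI]"LDAP://$Server/RootDSE"
    $configNC = $root.configurationNamingContext.Value
    $schema   = [ADSI]"LDAP://$Server/$($root.schemaNamingContext.Value)"

    # adprep /forestprep raises objectVersion on the schema head (13 = Windows 2000,
    # 30 = 2003, 31 = 2003 R2, 44 = 2008) and stamps a revision on the ForestUpdates
    # object. A DC that cannot replicate inbound from the schema master keeps the old
    # values, and the two DCs then refuse each other with "schema mismatch".
    $fuPath = "LDAP://$Server/CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
    $forestPrep = if ([System.DirectoryServices.DirectoryEntry]::Exists($fuPath)) {
        ([ADSI]$fuPath).revision.Value
    } else { 'absent' }

    [pscustomobject]@{
        Server              = $Server
        SchemaObjectVersion = $schema.objectVersion.Value
        ForestPrepRevision  = $forestPrep
        HighestCommittedUSN = $root.highestCommittedUSN.Value
    }
}

function Get-ReplicationFailures {
    param([string]$Server)
    # /csv gives one row per inbound partner and naming context, with the
    # Win32/HRESULT code of the last failure in decimal.
    repadmin /showrepl $Server /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $code = [int]$_.'Last Failure Status'
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                NC          = $_.'Naming Context'
                Failures    = $_.'Number of Failures'
                LastSuccess = $_.'Last Success Time'
                LastError   = if ($KnownErrors.ContainsKey($code)) { "$code = $($KnownErrors[$code])" } else { $code }
            }
        }
}

function Test-DcSecureChannel {
    param([string]$Server, [string]$Domain)
    # Which DC this server's secure channel points at and whether it is healthy;
    # "target principal name is incorrect" between DCs usually shows up here first.
    nltest /server:$Server /sc_query:$Domain
    # Which DC the locator hands out as KDC: explains why one DC "does all the Kerberos".
    nltest /server:$Server /dsgetdc:$Domain /kdc
}

$Dcs | ForEach-Object { Get-DcState $_ } | Format-Table -AutoSize
$Dcs | ForEach-Object { Get-ReplicationFailures $_ } | Format-Table -AutoSize
$Dcs | ForEach-Object { Test-DcSecureChannel -Server $_ -Domain $DomainNetbios }
```

Two different SchemaObjectVersion values in the first table are what "schema mismatch" literally means: the DC that never received the forestprep changes will not accept anything from the one that did until inbound replication from the schema master is restored, so adprep cannot be used to paper over a broken replication topology. The LastSuccess column is worth a look before anything else: a partner that has not replicated since 2004 is far past the tombstone lifetime, which is a separate reason a DC may refuse it.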

  • #2

    You say you are about to build a new domain like it is a bad thing - is it?

    If you only have 20 servers, I could see keeping one functional DC (move all fsmo to it) in the old domain, (try to) create a trust, migrate all users, workstations, servers, ditch old domain and rebuild old DCs as DCs in the new domain.

    Be glad your domain is small enough to be rebuildable like that, it's always nice to start fresh. You probably know more about AD than you, or whoever set it up back then, did. Which means you can build it with proper structure, planning for delegation etc.

    As for fixing the current issue, in case you have to build the trust:
    DCdiag mentions schema mismatch...

    Which server holds the most current data? Does it hold the fsmo roles?
    Are both servers on the same version and sp level of Windows?
    Has exchange been installed since replication started failing?
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



    • #3

      Thanks for the quick reply gepeto

      > You say you are about to build a new domain like it is a bad thing - is it?
      >
      > If you only have 20 servers, I could see keeping one functional DC (move all fsmo to it) in the old domain, (try to) create a trust, migrate all users, workstations, servers, ditch old domain and rebuild old DCs as DCs in the new domain.

      That is what I would like to do. I guess I'm not quite sure of the implications of doing that. I failed to mention that there are about 60 workstations (all XP) that connect to the domain...

      I need to make this as transparent as possible to all the users... I'm going to test this idea in my test environment, but I'm wondering, have you had luck migrating profiles from one domain to another?

      I am also wondering, is there any way to create a new domain and ditch the old one but keep the same domain name? Probably not huh?

      > As for fixing the current issue, in case you have to to build the trust
      > DCdiag mentions schema mismatch..
      >
      > Which server holds the most current data? Does it hold the fsmo roles?
      > Are both servers on the same version and sp level of Windows?

      I would really like to fix the current issues. Like I said, I really need to try and make this almost invisible to all the users.

      But, it seems like it is so broken, every time I think I have fixed one of the issues... two more issues pop up.

      Also, it seems that each of the DCs is doing half of the job: the s2400 seems to be handling the Kerberos and Netlogon services, and server2000 is handling all DNS and AD services...

      So I don't think I can move all roles to one and demote the other, our network seems to be dependent on both of them.

      Having said that... I wish I could just shut down the old servers and bring up the new ones, I know it's not that easy, but how can I do this and keep the same domain.com

      thanks again



      • #4

        About the problems

        Creating two domains with the same name would be a good idea on totally separated networks. Don't do that if you plan to migrate user accounts and have a trust.

        When I mentioned roles, I was thinking of the FSMO roles. This article explains how to find which servers are the role masters:

        http://support.microsoft.com/?scid=k...234790&x=9&y=9

        Obviously, your DNS will need to be properly working on whatever DC you would keep. Is your zone AD integrated?

        About the migration

        To make it transparent, usually, if both domains worked fine, you could migrate servers in small batches to the new domain, since you only have 60. Using the trust, users on the old domain can still access them.
        Once all servers are moved, move batches of users along with their workstation.*

        Look up USMT (user state migration tool) for your profile migrations, it is very flexible. It will allow you to take a backup of a user's profile, and restore it after joining the workstation to the new domain.

        Use pwdmig to be able to copy the passwords over.

        sidhistory will let you carry over the old user's sid, for permission compatibility.

        So as you can see, there are a lot of tools available to let you migrate domains. They usually work much better when the source domain works fine though.
        Since your domain is relatively small, try doing as much as you can manually while still using the tools that are useful for bigger migrations; that way you will get to learn how to do it for when you have a job with 800 servers and 15,000 workstations.


        *depending on your setup, it might be easier to move users first and servers later. I bet you would be able to pull that off pretty easily, just instruct users to logon with their old domain\user when they access servers that have not been moved.
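The two questions in the post above (who holds the FSMO roles, and whether the DNS zone is AD-integrated) are worth asking each DC separately, because two DCs that have not replicated for years can give different answers. This is an added example written for the thread, not the KB article's procedure or code from any poster; it assumes the two server names from the thread, PowerShell 3 or later, and an account that can read the directory.

```powershell
# Added example (not from the thread). Queries the FSMO role owners and the DNS
# zone storage from each DC separately so that disagreement becomes visible.
$Dcs = 'server2000', 's2400'

function Get-FsmoOwners {
    param([string]$Server)
    $root     = [ADSI]"LDAP://$Server/RootDSE"
    $domainNC = $root.defaultNamingContext.Value
    $configNC = $root.configurationNamingContext.Value

    # Each role is the fSMORoleOwner attribute of one well-known object
    # (the same attributes KB234790 and "netdom query fsmo" read).
    $roleObjects = @(
        @{ Role = 'Schema master';         Object = $root.schemaNamingContext.Value }
        @{ Role = 'Domain naming master';  Object = "CN=Partitions,$configNC" }
        @{ Role = 'PDC emulator';          Object = $domainNC }
        @{ Role = 'RID master';            Object = 'CN=RID Manager$,CN=System,' + $domainNC }
        @{ Role = 'Infrastructure master'; Object = "CN=Infrastructure,$domainNC" }
    )
    foreach ($r in $roleObjects) {
        $owner = ([ADSI]"LDAP://$Server/$($r.Object)").fSMORoleOwner.Value
        # Owner is the DN of an NTDS Settings object:
        # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        # "\0ADEL:" inside it means the owner object is deleted: the role must be seized.
        $name = if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $owner }
        [pscustomobject]@{
            QueriedDc    = $Server
            Role         = $r.Role
            Owner        = $name
            OwnerDeleted = ($owner -match '\\0ADEL:')
        }
    }
}

function Get-AdIntegratedZones {
    param([string]$Server)
    $root     = [ADSI]"LDAP://$Server/RootDSE"
    $domainNC = $root.defaultNamingContext.Value
    # Windows 2000 keeps AD-integrated zones in the domain NC under CN=MicrosoftDNS,
    # CN=System; 2003 and later may use the DomainDnsZones/ForestDnsZones partitions.
    $containers = "CN=MicrosoftDNS,CN=System,$domainNC",
                  "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC",
                  "CN=MicrosoftDNS,DC=ForestDnsZones,$domainNC"
    foreach ($c in $containers) {
        $path = "LDAP://$Server/$c"
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { continue }
        foreach ($zone in ([ADSI]$path).Children) {
            [pscustomobject]@{
                QueriedDc = $Server
                Zone      = ($zone.Name -replace '^DC=', '')
                StoredIn  = $c
            }
        }
    }
}

$fsmo = $Dcs | ForEach-Object { Get-FsmoOwners $_ }
$fsmo | Format-Table -AutoSize

# Roles on which the two DCs disagree, or whose owner object no longer exists.
$fsmo | Group-Object Role | Where-Object {
    ($_.Group | Select-Object -ExpandProperty Owner -Unique).Count -gt 1 -or
    ($_.Group | Where-Object { $_.OwnerDeleted })
} | ForEach-Object {
    "CHECK: $($_.Name) -> " + (($_.Group | ForEach-Object { "$($_.QueriedDc) says $($_.Owner)" }) -join '; ')
}

$Dcs | ForEach-Object { Get-AdIntegratedZones $_ } | Format-Table -AutoSize
```

If the zone only appears in the list from one DC, that DC is the one whose DNS actually matters for the rest of the domain, which fits the symptom in the thread that "server2000 is handling all DNS". A role whose OwnerDeleted is true, or one the two DCs attribute to different servers, cannot be transferred and has to be seized on the DC you keep.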


        • #5

          Thanks again for the advice gepeto...

          After some discussion with the boss, it is decided that we need to keep the same domain. So, creating a new domain and migrating everyone is not an option, now I need to try to fix the broken domain controllers...

          The server2000 holds all of the roles, by the way. I was trying to say that even though server2000 is the PDC and holds all of the roles, our network is very dependent on the s2400. The s2400 seems to be handling the Kerberos and Netlogon services, and server2000 seems to be handling DNS and most AD services.

          So, unfortunately, if there is a problem with either of these two servers, then the whole network goes down.

          I'm spending way too much time trying to fix these broken DCs.

          Since these two servers are sooo broken in different ways, can I do this...

          1. Bring up a third 2000 server, and make it the PDC and move all of the roles to it.

          2. Bring up a fourth 2000 server, make it the BDC, and verify that replication is working between the two new ones.

          3. demote both of the current DC, (server2000, and s2400) and shut them off...

          4. Then, if I have the two new ones working correctly, I can move forward by introducing my two Server 08 DCs, and then I can finally install Exchange 07...

          Will this work? Any thoughts... anybody?

          Thanks again!



          • #6

            You can try; however, I don't think adding a new domain controller in such a situation will even be doable.

            I would - during a weekend if possible - demote the worst DC. Then, get the remaining one working properly - perfectly. Then, promote other DCs.


            • #7

              I was thinking about this heavily over the weekend, and I came up with that same solution. I have determined that even though server2000 is supposed to be the PDC, the network seems to be about 70% dependent on the s2400.

              What I'm thinking of doing now is moving all roles to the s2400 and demoting the server2000 machine.

              I'll work on getting that machine all straightened out. If I get it working correctly as the only DC on our network, will I be able to add a Server 08 DC? Or will I need to bring up another Server 2000 DC and get replication working before I can add a Server 08 DC?

              Also, I've been reading about transferring the FSMO roles, and while it seems straightforward, is there anything that I need to be aware of when transferring the roles?

              Thanks again



              • #8

                FSMO roles: the very important thing to know is that if you SEIZE a role (not move; used when move does not work), NEVER plug the old master back into the network. Ever. That's it.

                As for adding a 2008 server, you should have no problem doing it on a functional domain with only one existing domain controller.

                Good luck


                • #9

                  Well, it turns out that I can't move all the roles to the s2400. I tried, and when I demoted server2000 and shut it off, it broke the network. Also, I could not run adprep on the s2400 because of "Adprep encountered a Win32 error. Error code: 0x1f Error message: A device attached to the system is not functioning", which is wrong; all devices are working. Anyway, I had to revert back to the snapshots. I forgot to mention that the domain controllers had been virtualized before I started working here.

                  They work as long as they stay in the state they are in.

                  I am going in circles trying to work this out. I have decided to put this job on hold for now; I'm going to have another meeting about this, and maybe convince my boss that we need to at least bring up a new domain just for all the servers, and then maybe I can bring up Exchange 07 on the new domain...

                  I will understand if you don't want to help me with this problem anymore, I really don't want to work on it anymore either.....

                  Thanks again, I really appreciate all you have done to help me out...



                  • #10

                    I'm only replying as I was following the promotion thread so apologies for stepping on toes if I have.

                    There are known issues with virtualising domain controllers.
                    This is a bit of a read:
                    http://vmetc.com/2008/03/17/domain-c...or-not-to-p2v/
                    So far I have always added virtual domain controllers fresh rather than P2V etc., but others may have had more luck.

                    I suppose the key bit is "every bit of info can be important!"
                    cheers
                    Andy

                    Quis custodiet ipsos custodes?



                    • #11

                      Yes indeed. P2Ving a DC is a really, really bad thing (if that's what was done). I must've posted half a dozen times about the reasons why this should not be done.

                      DO NOT TAKE VIRTUAL MACHINE SNAPSHOTS OR IMAGES OF DOMAIN CONTROLLERS.

                      This will BREAK replication by creating a USN rollback situation.

                      Now, restore a system state backup on this system you probably just broke again!

                      And after that: get rid of one of the DCs and get the other one working perfectly; that is a must. Why were you trying to run adprep? Trying to add the 2008 machine right away? Give it a small stabilization period before you do that.
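The USN rollback the post above warns about can be checked for rather than guessed at. The function below is an added example for this thread, not code from any poster. It assumes the server names from the thread, that the Remote Registry service answers on the DC being checked, that repadmin is on the path, and that repadmin /showutdvec prints its usual "Site\DC @ USN n @ Time ..." lines; the regex is written for that format.

```powershell
# Added example (not from the thread). Checks one DC for the signs of a USN
# rollback after a snapshot revert, then confirms against its partners.
function Test-UsnRollback {
    param([string]$Server, [string[]]$Partners)
    $findings = @()

    # 1. Windows Server 2003 SP1 and later detect rollback themselves: NTDS writes
    #    "DSA Not Writable" = 4 and logs Directory Service events 2095/2103
    #    (1113/1115 when it shuts the DSA down). Windows 2000 does none of this.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $ntds = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    if ($ntds -and $ntds.GetValue('DSA Not Writable') -eq 4) {
        $findings += "$Server: DSA Not Writable = 4, NTDS has already flagged a USN rollback"
    }
    Get-EventLog -ComputerName $Server -LogName 'Directory Service' -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { 2095, 2103, 1113, 1115 -contains $_.EventID } |
        ForEach-Object { $findings += "$Server: event $($_.EventID) at $($_.TimeGenerated)" }

    # 2. Works on any version: compare what each partner remembers about this DC
    #    with what the DC says about itself. A partner's up-to-dateness vector holds
    #    the highest USN it ever received from this DC's current invocation ID; if
    #    that is above the DC's own highestCommittedUSN, the DC has gone backwards.
    $root    = [ADSI]"LDAP://$Server/RootDSE"
    $ownUsn  = [long]$root.highestCommittedUSN.Value
    $nc      = $root.defaultNamingContext.Value
    $ntdsObj = [ADSI]"LDAP://$Server/$($root.dsServiceName.Value)"
    $invId   = (New-Object Guid -ArgumentList (,[byte[]]$ntdsObj.invocationId.Value)).ToString()

    foreach ($p in $Partners) {
        foreach ($line in (repadmin /showutdvec $p $nc 2>&1)) {
            # Known DSAs print as Site\Name; retired invocation IDs print as a bare GUID.
            if ($line -match '(?i)(?:\\(?<name>[^@\s]+)|(?<guid>[0-9a-f-]{36}))\s+@\s+USN\s+(?<usn>\d+)') {
                $mine = ($Matches['name'] -eq $Server) -or ($Matches['guid'] -eq $invId)
                if ($mine -and [long]$Matches['usn'] -gt $ownUsn) {
                    $findings += "$p has received USN $($Matches['usn']) from $Server, which now reports only $ownUsn"
                }
            }
        }
    }
    if ($findings.Count -eq 0) { "$Server: no USN rollback indicators found" } else { $findings }
}

Test-UsnRollback -Server 'server2000' -Partners 's2400'
```

A supported restore (system state, non-authoritative) gives the DC a new invocation ID, so the partner's vector then lists the old ID as a retired GUID and the comparison above only looks at the current one; a snapshot revert keeps the old invocation ID with a lower USN, which is exactly the case the second check catches. Any finding from this function means the DC should not be allowed to replicate until it has been restored properly or removed.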


                      • #12

                        A little more info, I guess I should have clarified this...

                        server2000 was virtualized before I got here because the hardware was failing...

                        s2400 is a physical machine in the production environment...

                        However I have virtual copies of both that I'm working with in my test environment (They are on their own virtual network)

                        The output I supplied in my very first post is from the machines in the production environment...

                        I was aware of the problems of using P2V on domain controllers; however, the VMs in my test environment act and react the same as in the physical environment...

                        Edit: Yup, now that I reverted to snapshots in my test environment, the VMs seem to be screwed up more than they were...

                        Edit: And yeah, I know I should have given it a small stabilization period before running adprep, but I've been working on this for months, so I'm just getting a little frustrated. I was hoping that if I could get it working on the VMs first, then I could finally do this on the production machines...
                        Last edited by jcup; 23rd September 2008, 20:47.



                        • #13

                          No offence is meant, just getting the full picture.

                          Personally (and I would definitely wait for other input), I would get full backups of the live DCs and restore them onto separated VM DCs.
                          I would then force remove and clean each one from each other's AD, so you end up with 2 separated DCs sitting on their own with clean AD (force the FSMO roles where appropriate).
                          You can then look at each one and see if it is holding a good working copy of AD.
                          You may find one of them is a bag of nails and the other is working OK (I hope, anyway).

                          Once you have determined which is OK, you should unplug the faulty one from your live network (after full backups again of both) and remove it from AD (forcing roles where appropriate). Run DCDiag/Netdiag etc. and make sure it is happy, then add in another DC ASAP and let it replicate; possibly add another DC to be sure as well.
                          Once you are happy, you can check your ADPrep etc.
                          cheers
                          Andy

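The procedure in the post above, together with the seize warning in #8 (move the roles to the survivor, remove the other DC from AD, then verify before promoting anything new), as one added example for this thread. It is not code from any poster. It assumes the two server names from the thread, with s2400 as the survivor as the OP proposed in #7; the site name and the domain DN are placeholders (the thread only says "domain.com"); it is meant to run on the surviving DC with the other one powered off, and ntdsutil, dcdiag and netdom on the path.

```powershell
# Added example (not from the thread). Server names are the thread's; site and
# domain DN are placeholders. Run on the surviving DC with the other one off.
$Keep     = 's2400'
$Dead     = 'server2000'
$Site     = 'Default-First-Site-Name'   # assumption
$DomainDN = 'DC=domain,DC=com'          # assumption

# 1. Roles. Transfer while the old master is still reachable; seize only when it
#    is gone for good, and then never power it on again on this network (two RID
#    masters hand out overlapping SIDs). ntdsutil takes the whole command sequence
#    as arguments and still pops its confirmation dialog. On Windows Server 2008
#    the naming-master command is "transfer naming master" instead.
$connect = 'roles', 'connections', "connect to server $Keep", 'quit'
$roles   = 'schema master', 'domain naming master', 'PDC', 'RID master', 'infrastructure master'

function Invoke-FsmoMove {
    param([ValidateSet('transfer', 'seize')][string]$Verb)
    $cmds = @($connect) + @($roles | ForEach-Object { "$Verb $_" }) + @('quit', 'quit')
    & ntdsutil @cmds
}
Invoke-FsmoMove -Verb transfer
# Invoke-FsmoMove -Verb seize      # only once $Dead is permanently offline

# 2. Metadata cleanup on the survivor removes the dead DC's NTDS Settings object
#    and replication links, so it can never replicate back in. The DN form below
#    needs Windows Server 2003 SP1 or later; on a Windows 2000 DC use the
#    interactive "select operation target" menu of the same ntdsutil context.
$serverDN = "CN=$Dead,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN"
& ntdsutil 'metadata cleanup' 'connections' "connect to server $Keep" 'quit' `
           "remove selected server $serverDN" 'quit' 'quit'

# 3. Objects ntdsutil can leave behind. Dry run by default; -Commit deletes.
function Remove-DeadDcLeftovers {
    param([string]$Keep, [string]$Dead, [string]$Site, [string]$DomainDN, [switch]$Commit)
    $leftovers = @(
        "CN=$Dead,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN",   # server object
        "CN=$Dead,OU=Domain Controllers,$DomainDN",                            # computer account
        "CN=$Dead,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDN"
    )
    foreach ($dn in $leftovers) {
        $path = "LDAP://$Keep/$dn"
        if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            if ($Commit) { ([ADSI]$path).DeleteTree(); "deleted $dn" } else { "would delete $dn" }
        }
    }
}

# 4. Verify before promoting anything new: dcdiag names each failing test as
#    "<dc> failed test <name>"; this list should be empty, and netdom should show
#    every role on $Keep with no mention of $Dead.
function Get-DcdiagFailures {
    param([string]$Server)
    dcdiag /s:$Server | ForEach-Object { if ($_ -match 'failed test (\S+)') { $Matches[1] } } | Sort-Object -Unique
}

Remove-DeadDcLeftovers -Keep $Keep -Dead $Dead -Site $Site -DomainDN $DomainDN
# Remove-DeadDcLeftovers -Keep $Keep -Dead $Dead -Site $Site -DomainDN $DomainDN -Commit
Get-DcdiagFailures -Server $Keep
netdom query fsmo
```

The dead DC's own DNS records (its A record, and the SRV records under _msdcs, _sites, _tcp and _udp) are not touched by any of this and have to be removed from the zone by hand; until they are, clients and the Kerberos locator can still be pointed at a server that no longer exists, which is one way a domain stays "dependent on both DCs" after one has supposedly been retired.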


                          • #14

                            None taken, of course...

                            And I very much appreciate the input. I'm going to take some time off from doing this; in fact, I think I'm going to take a few vacation days. I'll revisit this problem when I come back.

                            Thanks again to you, and thanks again gepeto...
