
Removing the last Windows 2003 Domain controller from a new Windows 2008 domain


  • Removing the last Windows 2003 Domain controller from a new Windows 2008 domain

    Hi,

    I have installed two new Windows 2008R2 servers into my current Windows 2003 domain. I have done the ADprep for the forest and domain. All is working fine. But when I shut down the last Windows 2003 Domain Controller, users start to experience slow network and log on problems.

    I decided to shut down the Win2K DC rather than do a dcpromo out. When I shut down the server, users take a long time to log on to the network, and if they try to open a network file from the file server (.doc - .xls) it can take up to 25-50 seconds for the file to open.

    Also, we use Group Policy to install the desktop wallpaper, and some users find that this wallpaper disappears. Other users can log on with no problem and do not lose the wallpaper.

    I have done a dcdiag and before shutting down the 2003 DC all works fine.
    But when I shut down the 2003 DC I get the following errors:

    C:\>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = server-DC-1
    * Identified AD Forest.
    Ldap search capabality attribute search failed on server W2003DC-SERV-1, return
    value = 81
    Got error while checking if the DC is using FRS or DFSR. Error:
    Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
    because of this error.
    Done gathering initial info.
    Doing initial required tests
    Testing server: Peterborough\server-DC-1
    Starting test: Connectivity
    ......................... server-DC-1 passed test Connectivity
    Doing primary tests
    Testing server: Peterborough\server-DC-1
    Starting test: Advertising
    ......................... server-DC-1 passed test Advertising
    Starting test: FrsEvent
    ......................... server-DC-1 passed test FrsEvent
    Starting test: DFSREvent
    ......................... server-DC-1 passed test DFSREvent
    Starting test: SysVolCheck
    ......................... server-DC-1 passed test SysVolCheck
    Starting test: KccEvent
    ......................... server-DC-1 passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... server-DC-1 passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ......................... server-DC-1 passed test MachineAccount
    Starting test: NCSecDesc
    ......................... server-DC-1 passed test NCSecDesc
    Starting test: NetLogons
    ......................... server-DC-1 passed test NetLogons
    Starting test: ObjectsReplicated
    ......................... server-DC-1 passed test ObjectsReplicated
    Starting test: Replications
    [VFMP-SERV-1] DsBindWithSpnEx() failed with error 1722,
    The RPC server is unavailable..
    ......................... server-DC-1 failed test Replications
    Starting test: RidManager
    ......................... server-DC-1 passed test RidManager
    Starting test: Services
    ......................... server-DC-1 passed test Services
    Starting test: SystemLog
    A warning event occurred. EventID: 0x0000008E
    Time Generated: 01/31/2011 10:15:58
    Event String:
    The time service has stopped advertising as a time source because the local clock is not synchronized.
    A warning event occurred. EventID: 0x00000032
    Time Generated: 01/31/2011 10:15:58
    Event String:
    The time service detected a time difference of greater than 128 milliseconds for 90 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.
    ......................... server-DC-1 failed test SystemLog
    Starting test: VerifyReferences
    ......................... server-DC-1 passed test VerifyReferences
     
    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation
    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation
    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Running partition tests on : VFM-Services
    Starting test: CheckSDRefDom
    ......................... VFM-Services passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... VFM-Services passed test CrossRefValidation
    Running enterprise tests on : VFM-Services.com
    Starting test: LocatorCheck
    ......................... VFM-Services.com passed test LocatorCheck
    Starting test: Intersite
    ......................... VFM-Services.com passed test Intersite
    C:\>



    As soon as I turn the W2003 DC back on all network issues disappear?

    Would it be a good idea to do an inline upgrade of the Windows 2003 Domain controller to a Windows 2008 DC, or would doing a DCPROMO out update the Windows 2008 DC, so that the network issue would be resolved as the 2008 DC would have been updated that the Windows 2003 DC has been removed?

    Any assistance with this problem would be appreciated.

    Regards,
    KJW67

  • #2
    Re: Removing the last Windows 2003 Domain controller from a new Windows 2008 domain

    Is the 2003 box the FSMO holder? If so, transfer them and try again
    Also, are there other GCs available?
    Finally, which DC is the authoritative time source for the domain -- again, transfer that to another DC

    IMHO, demoting the 2003 DC properly should solve everything -- shutting it down will always generate errors as other DCs are looking for it and not finding it.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
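
The three checks raised in reply #2 (FSMO role holders, remaining global catalogs, time source), as an added PowerShell example that is not part of the thread. `$RetiringDC` is a placeholder for the short name of the DC being removed; the script assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and is meant to be run before demotion.

```powershell
# Added example: read-only checks before retiring a domain controller.
# Assumption: $RetiringDC is a placeholder, set it to the old DC's short name.
Import-Module ActiveDirectory

$RetiringDC = 'OLD-DC-NAME'          # placeholder
$domain     = Get-ADDomain
$forest     = Get-ADForest
$problems   = @()

# 1. FSMO roles: none of the five may still be held by the retiring DC.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -like "$RetiringDC.*") {
        $problems += "$($role.Key) is still held by $($role.Value)"
    }
}

# 2. Global catalogs: at least one GC must remain once the old DC is gone.
$otherGCs = @($forest.GlobalCatalogs | Where-Object { $_ -notlike "$RetiringDC.*" })
if ($otherGCs.Count -eq 0) {
    $problems += 'No global catalog other than the retiring DC'
}

# 3. Time: the PDC emulator is the root of the domain time hierarchy.
#    It must not sync from the retiring DC or run on its own unsynchronized clock.
$pdc    = $domain.PDCEmulator
$source = (& w32tm /query "/computer:$pdc" /source | Out-String).Trim()
if ($source -like "$RetiringDC*") {
    $problems += "PDC emulator $pdc still takes time from $source"
} elseif ($source -match 'Local CMOS Clock|Free-running System Clock') {
    $problems += "PDC emulator $pdc has no upstream time source ($source)"
}

# Report: anything listed here should be fixed before running dcpromo.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "No blockers found for retiring $RetiringDC"
}
```

The time check matters for more than clock accuracy: Kerberos authentication depends on synchronized clocks, and the dcdiag output in the first post shows the new DC's time service had stopped advertising.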



    • #3
      Re: Removing the last Windows 2003 Domain controller from a new Windows 2008 domain

      Hi Ossian,

      Thanks for your reply.

      I have moved all of the FSMO - Schema - RID and Authoritative time source etc. to the new 2008 DCs and double checked that they are the current FSMO role holders.

      I currently have the new DCs running 2008 as GCs as well as the old Windows 2003 DC.

      I am obviously a little worried that by removing the last Windows 2003 DC it could cause problems for users accessing network resource and logging in?

      I was hoping that by shutting down the 2003 DC that the AD domain would still work properly and not cause any major log on or access problems as the main FSMO servers are still running?

      Thanks,
      KJW67



      • #4
        Re: Removing the last Windows 2003 Domain controller from a new Windows 2008 domain

        Hi Ossian,

        After checking again that the FSMO roles and my DFS were correctly set up and double checking everything, I was only left with doing a DCPROMO.

        So I did and so far so good, files and logons seem ok and group policy is loading correctly.

        Thanks for your advice.

        Regards,
        KJW67



        • #5
          Re: Removing the last Windows 2003 Domain controller from a new Windows 2008 domain

          No problem -- glad to help
          Tom Jones