Issues transitioning from 2003 to 2008...


  • Wednesday, July 23, 2008 10:32 PM
     
     
    I am in the process of transitioning my single domain to 2008 and am having some issues.  I had absolutely no issues in my 2003 environment and am only having issues with my new 2008 domain controllers.

    My process was as follows:

    1.  I demoted all but one of my 2003 domain controllers.   This last DC held all 5 master roles.
    2.  I ran ADPREP with all options including the RODC option.
    3.  I then installed my first 2008 Server and promoted it with no errors. (this machine was a VM on VMware ESX Server)
    4.  I verified that replication was occurring with no errors by manually replicating through sites and services.
    5.  My first sign of an issue was the GPMC kept throwing an error every time I would click on a GPO or try to create a new one.  "the network name cannot be found."
    6.  I then ran DCDIAG and it failed 7 of the tests. (advertising, knowsofroleholders, ncsecdesc, netlogons, replications, services, systemlog)
    7.  I began to suspect the VMware was blocking something so I tried a physical server and have encountered the same issues.

    Just for fun I unplugged my 2003 DC to see if I could authenticate any clients to either of the 2008 DCs and was unable.

    I have tried every possible thing I can think of and have been scouring the internet for weeks on this and cannot seem to come up with anything that helps.

    I would greatly appreciate any possible suggestions you guys might have.

    Thanks.

    Josh Kelly (MCSA)
    • Edited by JoshKelly13 Thursday, July 24, 2008 3:17 PM typing error...

All Replies

  • Thursday, July 24, 2008 3:08 PM
     
     

    Here is my DCDIAG...

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = 2008-DC1
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: SITENAME\2008-DC1
          Starting test: Connectivity
             ......................... 2008-DC1 passed test Connectivity

    Doing primary tests

       Testing server: SITENAME\2008-DC1
          Starting test: Advertising
             Warning: DsGetDcName returned information for
             \\2003-dc1.domain.net, when we were trying to reach
             2008-DC1.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... 2008-DC1 failed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... 2008-DC1 passed test FrsEvent
          Starting test: DFSREvent
             ......................... 2008-DC1 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... 2008-DC1 passed test SysVolCheck
          Starting test: KccEvent
             ......................... 2008-DC1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             Warning: 2008-DC1 could not resolve the name for role
             Infrastructure Update Owner.
             The name error was Not Found.
             ......................... 2008-DC1 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... 2008-DC1 passed test MachineAccount
          Starting test: NCSecDesc
             Fatal Error: Cannot retrieve SID
             ......................... 2008-DC1 failed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\2008-dc1\netlogon)
             [2008-DC1] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... 2008-DC1 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... 2008-DC1 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,2008-DC1] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
             ......................... 2008-DC1 failed test Replications
          Starting test: RidManager
             ......................... 2008-DC1 passed test RidManager
          Starting test: Services
             ......................... 2008-DC1 passed test Services
          Starting test: SystemLog
             An Error Event occurred.  EventID: 0x40011006
                Time Generated: 07/24/2008   08:07:55
                Event String:
                The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server.
             An Error Event occurred.  EventID: 0x40011006
                Time Generated: 07/24/2008   08:37:55
                Event String:
                The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server.
             ......................... 2008-DC1 failed test SystemLog
          Starting test: VerifyReferences
             ......................... 2008-DC1 passed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : eagles
          Starting test: CheckSDRefDom
             ......................... eagles passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... domain passed test CrossRefValidation

       Running enterprise tests on : domain.net
          Starting test: LocatorCheck
             ......................... domain.net passed test
             LocatorCheck
          Starting test: Intersite
             ......................... domain.net passed test
             Intersite

     

  • Tuesday, July 29, 2008 2:20 AM
     
     

    Hi,

    Most of your errors point to DNS name resolution. Is your 2008 server pointed to the working 2003 DC for DNS, and is the 2003 server running DNS with your domain zone hosted? Are the SYSVOL and NETLOGON shares listed when you run 'net share' on the 2008 server?

    You might also be seeing http://support.microsoft.com/kb/939820 (check for the events listed there in symptoms section and apply the SAMSRV fix to your 2003 DC, then reboot it).

    DCDIAG is mostly helpful in telling you to look at logs in more detail - examining the DS, FRS, SYSTEM, and APP event logs will probably give you more details.

    Ned Pyle [MSFT] Enterprise Platforms Support - DS
  • Tuesday, July 29, 2008 10:49 AM
    Moderator
     
     Answered
     

    Hello,

    Please allow me to confirm that my understanding is correct first. As I understand it, the issue is:

    You are in the process of transitioning from Windows Server 2003 to Windows Server 2008 on VMware. You promote a Windows Server 2008 to the Windows Server 2003 domain where one Windows Server 2003 DC holds all 5 FSMO roles. Errors are prompted in the DCDIAG.

    If I have misunderstood your concerns please feel free to let me know.

    =========================

    -       Agree with Ned that most errors are related to name resolving.

    Please also run the Directory Service MPS report both on the Windows Server 2003 server and Windows Server 2008 server and pay attention to the NETDIAG log for any errors.

    Netdiag Examples

    http://technet2.microsoft.com/windowsserver/en/library/a30a40db-7171-464b-bfc2-ba21b15896f71033.mspx


    -       Also verify whether the SYSVOL share on the PDC (Windows Server 2003 DC) is properly shared and the Windows Server 2008 DC gets the SYSVOL folder replicated correctly. If the SYSVOL folder doesn't get replicated properly between two DCs, we can perform the following steps to re-synchronize the SYSVOL folder manually:

    1.    On both controllers, stop the FRS, and then set the service startup type value for the FRS to Disabled.

    2.    On the Windows Server 2003 domain controller, configure the SYSVOL replica set to be authoritative. This reference domain controller will contain the authoritative copy of the SYSVOL tree for all other members of the replica set. Other domain controllers in the domain will directly or transitively replicate from this reference domain controller.

    To configure the SYSVOL replica set to be authoritative, follow these steps:

    -          Click Start, click Run, type regedit, and then click OK.

    -          Locate and then click the BurFlags entry under the following registry subkey:

               HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

               GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:

               HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID

    -          Right-click BurFlags, and then click Modify.

    -          Type D4 in the Value Data field (Hexadecimal), and then click OK.

    3.    On the Windows Server 2008 domain controllers, configure the FRS to be non-authoritative.

    To do this, follow these steps:

    -          Click Start, click Run, type regedit, and then click OK.

    -          Locate and then click the BurFlags entry under the following registry subkey:

               HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

               GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:

               HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID

    -          On the Edit menu, point to New, and then click DWORD Value.

    -          Type D2 for the name of the DWORD, and then press ENTER.

    4.    On both domain controllers, restart FRS, and then verify that SYSVOL has been synchronized. The service startup type for the FRS should be set to Automatic again.


    For your reference:

    How to rebuild the SYSVOL tree and its content in a domain
    http://support.microsoft.com/kb/315457/

    Information needed:
    =========================

    For further troubleshooting, could you please provide the directory service MPS report both on Windows Server 2003 DC and the Windows Server 2008 DC?

    Microsoft Product Support's Reporting Tools (MPSRPT_DirSvc.EXE)
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

    -----------------------

    Please send the MPS report CAB files to tfwst@microsoft.com with the following three lines in the email body:

    Issues transitioning from 2003 to 2008...
    http://forums.technet.microsoft.com/en-US/winserverDS/thread/9fb7c600-4dce-4e16-9f49-ec6daefaa3ff
    Miles Li - MSFT

    If you have any questions or concerns, please do not hesitate to let me know.

    • Marked As Answer by JoshKelly13 Monday, August 04, 2008 10:26 PM
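
The BurFlags procedure in the reply above, scripted for one domain controller at a time, as an added example that is not part of the original reply or of the Microsoft KB article. It assumes PowerShell is available on the DC and writes D4 or D2 as the value data of BurFlags, as KB 315457 describes; the function names and the `ReplicaSetGuid` parameter are hypothetical.

```powershell
# Added example: hypothetical helpers, run locally on each domain controller.
$FrsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

function Set-SysvolBurFlags {
    param(
        [Parameter(Mandatory = $true)][string]$ReplicaSetGuid,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Authoritative', 'NonAuthoritative')][string]$Mode
    )

    # The GUID must be listed under "Replica Sets" on this DC; the key of the
    # same name under "Cumulative Replica Sets" is where BurFlags is set.
    $replicaKey = "$FrsParameters\Replica Sets\$ReplicaSetGuid"
    $burKey     = "$FrsParameters\Cumulative Replica Sets\$ReplicaSetGuid"
    foreach ($key in $replicaKey, $burKey) {
        if (-not (Test-Path -Path $key)) { throw "Registry key not found: $key" }
    }

    # Step 1: stop FRS and disable it so it cannot start half-configured.
    Stop-Service -Name NtFrs
    Set-Service  -Name NtFrs -StartupType Disabled

    # Steps 2 and 3: D4 marks this copy authoritative, D2 non-authoritative.
    $flags = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }
    New-ItemProperty -Path $burKey -Name BurFlags -PropertyType DWord `
        -Value $flags -Force | Out-Null
    '{0}: BurFlags staged as 0x{1:X2} ({2})' -f $env:COMPUTERNAME, $flags, $Mode
}

function Resume-Frs {
    # Step 4: put the startup type back to Automatic and start the service.
    Set-Service   -Name NtFrs -StartupType Automatic
    Start-Service -Name NtFrs
}

function Test-SysvolShared {
    # SYSVOL and NETLOGON show up as shares only after FRS finishes initialising.
    $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }
    ($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON')
}

# Usage ('<GUID>' is a placeholder; read the real one from "Replica Sets"):
#   2003 DC : Set-SysvolBurFlags -ReplicaSetGuid '<GUID>' -Mode Authoritative
#   2008 DCs: Set-SysvolBurFlags -ReplicaSetGuid '<GUID>' -Mode NonAuthoritative
#   then on both DCs: Resume-Frs, and later Test-SysvolShared
```

`Test-SysvolShared` returns `$false` until replication has completed, so poll it rather than checking once.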
  • Tuesday, July 29, 2008 4:34 PM
     
     

    Thanks for the reply guys.

    ------------------------------------------------------------------------------------------------------------------------

    Ned,

    I agree that these symptoms appear to point to DNS.  Both servers house DNS via AD Integrated Zones and both servers have the 2003 server as their primary DNS server.  Both servers can ping each other's FQDN.  The 2008 servers I have promoted did so with no errors and found the pre-existing DCs just fine.  Also, I have a network of over 5000 workstations and 100 or so servers and have never had any name resolution issues (with 2003 that is).

    As for the shares, neither exists.  It appears that they were not created during promotion for some reason.

    And for the link you provided, I am not experiencing any of the symptoms or errors described.

    -----------------------------------------------------------------------------------------------------------------------

    Miles,

    Just to clarify:

    2003 Server w/ all 5 FSMO roles - Physical Server (no problems)
    2008 Server - Virtual Server on VMware ESX 3.5 (DCDIAG results provided)
    2008 Server - Physical Server (same issues as 2008 virtual server)

    The SYSVOL is properly shared on the PDC (2003).

    I will send you those CAB files shortly...

    -----------------------------------------------------------------------------------------------------------------------

    Thanks again.

    Josh Kelly

  • Tuesday, July 29, 2008 4:49 PM
     
     
    Miles,

    The MPS reporting tool did not generate the CAB files...

    There are a ton of logs, txt files, etc. but nothing in the cab directory.

    Thanks.

    Josh Kelly
  • Wednesday, July 30, 2008 2:02 AM
     
     Answered
    If SYSVOL is not shared then these various errors would be expected (this is because if SYSVOL is not shared a DC is considered 'not ready' and will not advertise). If you manually examine the FRS event log, it's likely you will see errors/warnings that FRS is having problems.

    On the 2008 server, you can run through the steps to reinitialize FRS and the SYSVOL folder: http://support.microsoft.com/kb/840674

    Despite the fact that this article refers to 2000/2003, it is 100% accurate for win2008 running SYSVOL with FRS.

    Aside - since CAB creation is not working, you can just zip the folder with all its files and send those to Miles.
    Ned Pyle [MSFT] Enterprise Platforms Support - DS
    • Marked As Answer by JoshKelly13 Monday, August 04, 2008 10:26 PM
  • Wednesday, July 30, 2008 1:43 PM
     
     
    What could cause it to not create these shares??

    Josh Kelly
  • Wednesday, July 30, 2008 4:36 PM
     
     
    That makes sense...

    I am seeing the following messages in the FRS Log:

    This appears after the reboot following promotion...

    File Replication Service is initializing the system volume with data from another domain controller. Computer 2008-DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:

    net share (I checked... not there...)

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.


    This appears 2 minutes later...

    The File Replication Service is having trouble enabling replication from 2003-DC1.domain.net to 2008-DC2 for c:\windows\sysvol\domain using the DNS name 2003-DC1.domain.net. FRS will keep retrying.

    Following are some of the reasons you would see this warning.

    [1] FRS can not correctly resolve the DNS name 2003-DC1.domain.net from this computer. (I can ping the FQDN from this machine...)

    [2] FRS is not running on 2003-DC1.domain.net. (FRS is running on this machine...)

    [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.


    I also verified that I can browse the shared SYSVOL directory of the 2003 DC directly from the machine I got these messages on...

    Thanks.

    Josh Kelly

    • Edited by JoshKelly13 Wednesday, July 30, 2008 7:14 PM left something out
  • Monday, August 04, 2008 5:46 PM
     
     

    Thanks for the help on the SYSVOL issue.  I had to do a combination of things to get my SYSVOL replicating correctly, but I have successfully accomplished that now.

    However, a couple of issues still remain that are giving me some grief.  The DCDIAG of the 2003 machine passes flawlessly, but there are still some errors on the 2008 side of things.

    The 2008 DC now holds all 5 FSMO roles.

    Here are the remaining errors of the DCDIAG for the 2008 DC:

          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=2008-DC,CN=Servers,CN=SITENAME,CN=Sites,CN=Configuration,DC=domain,DC=net
             Role Domain Owner = CN=NTDS Settings,CN=2008-DC,CN=Servers,CN=SITENAME,CN=Sites,CN=Configuration,DC=domain,DC=net
             Role PDC Owner = CN=NTDS Settings,CN=2008-DC,CN=Servers,CN=SITENAME,CN=Sites,CN=Configuration,DC=domain,DC=net
             Role Rid Owner = CN=NTDS Settings,CN=2008-DC,CN=Servers,CN=SITENAME,CN=Sites,CN=Configuration,DC=domain,DC=net
             Warning: 2008-DC could not resolve the name for role
             Infrastructure Update Owner.
             The name error was Not Found.
             ......................... 2008-DC failed test KnowsOfRoleHolders (THIS SERVER HOLDS THIS ROLE)

          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC 2008-DC.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=domain,DC=net
                (NDNC,Version 3)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=domain,DC=net
                (NDNC,Version 3)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=domain,DC=net
                (Schema,Version 3)
             * Security Permissions Check for
               CN=Configuration,DC=domain,DC=net
                (Configuration,Version 3)
             * Security Permissions Check for
               DC=domain,DC=net
                (Domain,Version 3)
             Fatal Error: Cannot retrieve SID
             ......................... 2008-DC failed test NCSecDesc

          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\2008-DC\netlogon
             Verified share \\2008-DC\sysvol
             [2008-DC] User credentials does not have permission to perform this
             operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... 2008-DC failed test NetLogons

          Starting test: Replications
             * Replications Check
             [Replications Check,2008-DC] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
             ......................... 2008-DC failed test Replications


    Any help will be greatly appreciated.

    Thanks.

    Josh Kelly


  • Monday, August 04, 2008 10:25 PM
     
     Answered

    The learning curve for Server 2008 can be a brutal one if you let it get the best of you...

    Apparently, if you run DCDIAG through the command line without right-clicking and specifying "Run as Administrator" you get all kinds of errors...

    Doing just the opposite of that corrected all four of the errors above.

    Thanks for the help with the SYSVOL/Replication issues I was having Ned and Miles.

    I greatly appreciate your time.

    Thanks.

    Josh Kelly

    • Marked As Answer by JoshKelly13 Monday, August 04, 2008 10:26 PM
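
A wrapper for the point made in the post above, as an added example that is not from the thread: it records whether the console is elevated and extracts the pass/fail lines from DCDIAG output, including results that wrap onto a second line. The function names are hypothetical, and the sample lines are copied from the DCDIAG output posted earlier in this thread.

```powershell
# Added example; function names are hypothetical.
function Test-Elevated {
    # True only when the current token has the Administrators group enabled,
    # i.e. the console was started with "Run as administrator".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DcdiagResult {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    # Join first: DCDIAG wraps long result lines and leaves the test name
    # on the following line, so matching line by line would miss it.
    $text    = $Lines -join "`n"
    $pattern = '\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        New-Object PSObject -Property @{
            Target = $m.Groups[1].Value
            Result = $m.Groups[2].Value
            Test   = $m.Groups[3].Value
        }
    }
}

function Invoke-DcdiagTriage {
    # Runs DCDIAG on this DC and tags every failure with the elevation state,
    # so failures seen from a non-elevated console can be re-checked first.
    $elevated = Test-Elevated
    if (-not $elevated) {
        Write-Warning 'Console is not elevated; re-run as administrator before trusting failures.'
    }
    Get-DcdiagResult -Lines (& dcdiag.exe) |
        Where-Object { $_.Result -eq 'failed' } |
        Select-Object Target, Test, @{ Name = 'Elevated'; Expression = { $elevated } }
}

# Offline check of the parser against lines from the output posted above.
$sample = @(
    '         ......................... 2008-DC1 failed test Advertising',
    '         ......................... 2008-DC1 passed test SysVolCheck',
    '         ......................... ForestDnsZones passed test',
    '         CrossRefValidation',
    '         ......................... 2008-DC1 failed test NetLogons'
)
Get-DcdiagResult -Lines $sample |
    Where-Object { $_.Result -eq 'failed' } |
    Select-Object Target, Test
```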