none
unable to access server after upgrade to Server2008 R2

    Question

  • I upgraded a 2003 R2 enterprise server, a single domain controller in its own forest (in nutshell one machine in the whole forest) before the upgrade I could ping, remote desktop to it. Everything worked fine.

    After I upgraded to Windows 2008 R2 server, I cannot see, or ping it. Time out is all I get.

    Firewall is OFF, services =disabled.

    DNS Client, Function Discovery Resource Publication, SSDP Discovery, and UPnP Device Host services are running.

    NIC driver up to date. From the server I can go out and ping anything successfully. From LAN cannot do anything.


    David

    Friday, December 14, 2012 1:10 AM

Answers

  • Unfortunately, the issues you are seeing are a few of the caveats of physically "upgrading" a machinem, hence why we normally do not recommend physical upgrades. If there are any issue with the previous OS, or apps installed, incompatible apps and their associated services, prior AV and/or third party firewalls that are incompatible, or even if there were any and they were uninstalled, they still leave remants that cause issues (one that comes to mind is ZoneAlarm and AVG).

    .

    And where did you get that reference to check the registry? Please post any relevant links you read and followed, and any other changes you've made. This will eliminate duplication or redundancy on our part trying to help you, as well as assist whether any changes you made were necessary.

    .

    Now you see one of the reaonse why we recommend two DCs per domain.  Even if you have an old desktop that can handle Windows 2008 R2, we can even use that as a second DC. Or even a laptop! Something ... anything!

    .

    Windows Firewall in the Services list on Windows 2008 R2 shows up as "Windows Firewall." So I am not sure what you mean by "Windows Firewall Authorization Driver." Is that something else you read? If so, what's the link?

    .

    • BFE is the base filtering engine. Do you have RRAS, NAS or NPS installed?
    • Did you disable IPv6? If so, no, don't do it.
    • Make sure all three Windows firewall profiles disabled.
    • Uninstall any antivirus software until we get passed this. Many AV apps affect network traffic functions.

    .

    Let's see:

    • an unedited ipconfig /all
    • results from a net start
    • Any event log errors - use the Copy feature and paste the errors here

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Friday, December 14, 2012 7:16 PM
  • Hi,

    Just add. The following are some articles which describe the detailed steps about how to add Server 2008 R2 to an existed 2003 domain. Hope it helps.

    Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
    http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(WS.10).aspx

    Upgrading an AD from Server 2003 to Server 2008 or 2008 R2
    http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

    Best Regards,
    Aiden

    If you have any feedback on our support, please click here


    Aiden Cao
    TechNet Community Support

    Monday, December 17, 2012 7:14 AM
    Moderator
  • Another one,

    Thought I would run this by someone before I start. this is a new question.

    Have two DCs in the domain, one 2008 R2, other is win 2003 enterprise SP2 and want to upgrade Win 2003 DC to 2008. First will check to make sure all hardware and Microsoft updates are installed. planning to backup AD, and the win 2003 Server, then transfer FSMO roles to existing 2008 DC, and then upgrade to server 2008. Planning to upgrade in place. Am I missing anything else? Cannot afford to screw this up….


    David

    Hi,

    Cross-platform upgrades (x86 to x64 or vice-versa) are not supported.In-place upgrade of 32 bit OS to 64 bit OS is not supported, so you required a hardware capable of supporting 64 bit OS.Also I would not recommend to do inplace upgrade as it results in multiple problem.


    There are a couple of very important considerations, that you should have in mind, before you proceed with your migration scenario.

    --Check, and raise, if necessary, the Domain and Forest functional levels. You cannot upgrade directly from Windows 2000 mixed, or Windows Server 2003 interim domain functional levels at least it should be Windows 2000 native mode.

    --The first Windows Server 2008 Domain Controller in the forest must be a Global Catalog Server, and it cannot be a Read Only Domain Controller, RODC.

    --Ensure that you are using correct adprep tool to prepare the forest.If your current DC is 32bit you need to use adprep32.exe else if it is 64bit OS you need to use adprep.exe.Also make sure that you are using Win2008 R2 DVD & run adprep from an elevated command prompt(Run as administrator).

    Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder.

    Check the FSMO roles assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master, and adprep /domainprep on the infrastructure master.

    Also dont forget to configure authorative time server on the PDC role holder server below is the KB article for the same. http://support.microsoft.com/kb/816042

    Installing the Win2008 DC in Win2003 domain:
    http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx
    http://araihan.wordpress.com/2009/08/25/migrate-from-windows-2003-active-directory-to-windows-2008-active-directory-step-by-step/
    http://markswinkels.nl/2009/01/08/how-to-migrate-a-domain-controller-from-windows-2003-to-windows-2008/

    How to demote/decommision the Servers
    http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx (how to demote a DC)

    http://technet.microsoft.com/en-us/library/cc755937(WS.10).aspx (how to decommisioning a DC)

    http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx (how to removing a DC from a Domain)

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, December 17, 2012 7:54 AM
  • I have to agree with Ace that in-place upgrade should be avoided at least for the DC. You can't guarantee what might change or not work from the driver to the installed apps. Its bit more work to demote & promote but that is the safest approach i suggest & do it when i'm asked to present my view to the clients.

    Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers

    http://awinish.wordpress.com/2011/03/04/upgrade-from-windows-2003-to-20082008-r2-domain-controllers/

    Also, you need to reconfigure time services role when you move DC with PDCe role.

    Windows Time Server Role in AD Forest/Domain  http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, December 17, 2012 12:19 PM
    Moderator

All replies

  • Did you physically upgrade the 2003 DC, or did you add a 2008 R2 server as a replica DC to the existing domain with the 2003 DC in it?

    Is RRAS on it?

    Can you access is by the AD consoles (ADUC, ADSS, ADDT, etc)?

    Or is it just ping is not working? Is pinging important?

    Maybe the antivirus is blocking it. You would be suprised how many times AV is the culprit with their network protection features.

    .

    Note - If I understand your post correctly, you only have one DC. If so, we don't recommend physically upgrading a single DC to a newer operating system. We recommend adding a new server, running 2008 R2 adprep (domain, forest and gpprep), then promoting the new DC, transferring FSMOs, making it a GC, then demoting the old one.

    We also recommend to always have at least two DCs per domain. This will provide a number of advantages, such as fault tolerance, if one is lost, we still have the other so no users, groups or the whole domain is lost, etc.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Friday, December 14, 2012 6:11 AM
  • Unfortunately I cannot have a second computer on this specific network except just one.

    Anyway; I can ping other computers in the network, using join.me or showMyPC services I can connect to remotely view the machine. If I change the IP to DHCP, it gets IP from the network although when I ping that IP still timed out. I cannot access shared folder over the network.

    Then I thought I should turn on firewall as a test, It fails to turn on. The dependency service fails to start.

    Those are Bas Filtering engine and all of it sub systems are starting no problems, but I don’t see  the Windows Firewall Authorization Driver in the services. When I try to start BFE services it tell me access denied, I made sure that the following subkey is inheriting full permissions for the BFE account: HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent

    I am at lost now.


    David

    Friday, December 14, 2012 7:03 PM
  • Unfortunately, the issues you are seeing are a few of the caveats of physically "upgrading" a machinem, hence why we normally do not recommend physical upgrades. If there are any issue with the previous OS, or apps installed, incompatible apps and their associated services, prior AV and/or third party firewalls that are incompatible, or even if there were any and they were uninstalled, they still leave remants that cause issues (one that comes to mind is ZoneAlarm and AVG).

    .

    And where did you get that reference to check the registry? Please post any relevant links you read and followed, and any other changes you've made. This will eliminate duplication or redundancy on our part trying to help you, as well as assist whether any changes you made were necessary.

    .

    Now you see one of the reaonse why we recommend two DCs per domain.  Even if you have an old desktop that can handle Windows 2008 R2, we can even use that as a second DC. Or even a laptop! Something ... anything!

    .

    Windows Firewall in the Services list on Windows 2008 R2 shows up as "Windows Firewall." So I am not sure what you mean by "Windows Firewall Authorization Driver." Is that something else you read? If so, what's the link?

    .

    • BFE is the base filtering engine. Do you have RRAS, NAS or NPS installed?
    • Did you disable IPv6? If so, no, don't do it.
    • Make sure all three Windows firewall profiles disabled.
    • Uninstall any antivirus software until we get passed this. Many AV apps affect network traffic functions.

    .

    Let's see:

    • an unedited ipconfig /all
    • results from a net start
    • Any event log errors - use the Copy feature and paste the errors here

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Friday, December 14, 2012 7:16 PM
  • Solved it the hard way, formated and reinstalled os, everything works now.

    David

    Friday, December 14, 2012 8:05 PM
  • That's one way to do it!

    Either way, glad to hear it's resolved.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Saturday, December 15, 2012 10:06 PM
  • Another one,

    Thought I would run this by someone before I start. this is a new question.

    Have two DCs in the domain, one 2008 R2, other is win 2003 enterprise SP2 and want to upgrade Win 2003 DC to 2008. First will check to make sure all hardware and Microsoft updates are installed. planning to backup AD, and the win 2003 Server, then transfer FSMO roles to existing 2008 DC, and then upgrade to server 2008. Planning to upgrade in place. Am I missing anything else? Cannot afford to screw this up….


    David

    Sunday, December 16, 2012 10:55 PM
  • As I said, upgrades aren't recommended. I would recommend a swing upgrade. Get another desktop or laptop, promote it, rebuild the 2003 from scratch to 2008 R2, then promote that, then demote the swing box.

    Make sure you have any 3rd party hard drive Raid controller drivers handy that you may have to provide prior to installation whether swinging with a fresh install or upgrading.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Monday, December 17, 2012 12:13 AM
  • Hi,

    Just add. The following are some articles which describe the detailed steps about how to add Server 2008 R2 to an existed 2003 domain. Hope it helps.

    Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
    http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(WS.10).aspx

    Upgrading an AD from Server 2003 to Server 2008 or 2008 R2
    http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

    Best Regards,
    Aiden

    If you have any feedback on our support, please click here


    Aiden Cao
    TechNet Community Support

    Monday, December 17, 2012 7:14 AM
    Moderator
  • Another one,

    Thought I would run this by someone before I start. this is a new question.

    Have two DCs in the domain, one 2008 R2, other is win 2003 enterprise SP2 and want to upgrade Win 2003 DC to 2008. First will check to make sure all hardware and Microsoft updates are installed. planning to backup AD, and the win 2003 Server, then transfer FSMO roles to existing 2008 DC, and then upgrade to server 2008. Planning to upgrade in place. Am I missing anything else? Cannot afford to screw this up….


    David

    Hi,

    Cross-platform upgrades (x86 to x64 or vice-versa) are not supported.In-place upgrade of 32 bit OS to 64 bit OS is not supported, so you required a hardware capable of supporting 64 bit OS.Also I would not recommend to do inplace upgrade as it results in multiple problem.


    There are a couple of very important considerations, that you should have in mind, before you proceed with your migration scenario.

    --Check, and raise, if necessary, the Domain and Forest functional levels. You cannot upgrade directly from Windows 2000 mixed, or Windows Server 2003 interim domain functional levels at least it should be Windows 2000 native mode.

    --The first Windows Server 2008 Domain Controller in the forest must be a Global Catalog Server, and it cannot be a Read Only Domain Controller, RODC.

    --Ensure that you are using correct adprep tool to prepare the forest.If your current DC is 32bit you need to use adprep32.exe else if it is 64bit OS you need to use adprep.exe.Also make sure that you are using Win2008 R2 DVD & run adprep from an elevated command prompt(Run as administrator).

    Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder.

    Check the FSMO roles assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master, and adprep /domainprep on the infrastructure master.

    Also dont forget to configure authorative time server on the PDC role holder server below is the KB article for the same. http://support.microsoft.com/kb/816042

    Installing the Win2008 DC in Win2003 domain:
    http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx
    http://araihan.wordpress.com/2009/08/25/migrate-from-windows-2003-active-directory-to-windows-2008-active-directory-step-by-step/
    http://markswinkels.nl/2009/01/08/how-to-migrate-a-domain-controller-from-windows-2003-to-windows-2008/

    How to demote/decommision the Servers
    http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx (how to demote a DC)

    http://technet.microsoft.com/en-us/library/cc755937(WS.10).aspx (how to decommisioning a DC)

    http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx (how to removing a DC from a Domain)

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, December 17, 2012 7:54 AM
  • I have to agree with Ace that in-place upgrade should be avoided at least for the DC. You can't guarantee what might change or not work from the driver to the installed apps. Its bit more work to demote & promote but that is the safest approach i suggest & do it when i'm asked to present my view to the clients.

    Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers

    http://awinish.wordpress.com/2011/03/04/upgrade-from-windows-2003-to-20082008-r2-domain-controllers/

    Also, you need to reconfigure time services role when you move DC with PDCe role.

    Windows Time Server Role in AD Forest/Domain  http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, December 17, 2012 12:19 PM
    Moderator