Server 2008 to Server 2012 R2 Migration using failover DC Fail

    Question

  • Dear All,

    I shall elaborate the issues we faced with migration of a server 2008 32 Bit to Server 2012 R2 with one domain controller. We executed the below steps,

    1. Post Installation of Server 2012 R2 on the new server, we prepared the forest and the domain for schema version update to server 2012 R2. This was done after joining the Server 2012 R2 to Server 2008 32 Bit Domain using the adprep

    2. Configured Server 2012 R2 as an additional domain controller. Configuration made a replica of the AD and DNS without any issues.

    3. Now I wanted to remove the Server 2008 from the data center and do a complete format of the server before upgrading to Server 2012 R2. Also I wanted to do some hardware checks as the server is pretty old.

    4. So to execute point number 3, I did FSMO seize for all the required PDC, naming master, RID master, schema master and infrastructure master by connecting the newly installed server 2012 R2

    Now when I switched off the Server 2008, opening Active Directory Users and Computers throws an error: the domain is not contactable.

    Switching on the DC with Server 2008 brings all back to normal and we are able to open the AD to see the computers and the accounts on the console.

    5. The GC and DNS are all enabled and fine

    But still, even after FSMO seize to the new Server 2012 R2 server, the failover domain controller is not taking the role of a PDC. My plan is to sync the AD, DNS from Server 2008 to Server 2012 R2 and then to bring in the old server (after installation of Server 2012 R2) as failover for the Domain Controller.

    Requesting your support and recommendations on this case.

    Thanks,

    Vasanth,


    vaschell

    Monday, May 14, 2018 3:20 AM

All replies

  • Hello,

    Before switching off the Server 2008, can you verify this and be sure that you don't have any errors:

    • Replication (repadmin /replsum)
    • Domain controller health (dcdiag) on each DC

    After that, verify that DC 2012R2 is a global catalog; if not, promote it to GC.

    At this point I think you can remove the domain controller role on the 2008 server and change it from domain to workgroup before switching off the server.

    Best Regards,

    Monday, May 14, 2018 10:00 AM
  • Hi,

    "4. So to execute point number 3 , i did FSMO seize for all the required PDC , naming master, RID master, schema master and infrastructure master by connecting the newly installed server 2012 R2"

    We should transfer the FSMO roles to the new DC instead of seizing them.

    At this point, I would suggest you verify the current FSMO role owners; you may need to demote one of the DCs and then perform a metadata cleanup.

    For your reference:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816741(v%3dws.10)

    Two domain controllers performing the same role. Because the original role holder is offline when role seizure occurs, the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if the original role holder comes back online—for example, if the hardware is repaired or the server is restored from a backup—it might try to perform the operations master role that it previously owned. If two domain controllers are performing the same operations master role simultaneously, the severity of the effect from duplicate operations master roles varies, depending on the role that was seized. The effect can range from no visible effect to potential corruption of the Active Directory database. Do not allow a former operations master role holder whose role has been seized to return to an online domain controller.

    https://support.microsoft.com/en-us/help/223346/fsmo-placement-and-optimization-on-active-directory-domain-controllers

    https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control

    A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 15, 2018 2:20 AM
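
Added example (not part of any reply in this thread): a PowerShell pre-check that combines the verifications suggested in the two replies above (FSMO role owners, global catalog, replication), run before the old DC is powered off. It assumes the ActiveDirectory module is available; DC2012 and DC2008 are placeholder host names, not values from the thread.

```powershell
# Added example: pre-decommission check for a domain controller that is to be retired.
# Assumptions: ActiveDirectory module (installed with AD DS / RSAT on Server 2012 R2);
# $NewDC and $OldDC are placeholder names and must be replaced with the real hosts.
Import-Module ActiveDirectory

$NewDC = 'DC2012'   # placeholder: surviving domain controller
$OldDC = 'DC2008'   # placeholder: domain controller to be retired

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Current owner of each of the five FSMO roles (forest-wide and domain-wide).
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Format-Table Name, Value -AutoSize

# Owners are returned as FQDNs, so compare on the host part only.
$notMoved = @($roles.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -ne $NewDC })

# 2. The surviving DC must be a global catalog.
$isGC = (Get-ADDomainController -Identity $NewDC).IsGlobalCatalog

# 3. Replication failure entries recorded on either DC.
#    Any entry should be followed up with repadmin /replsum and dcdiag.
$replFailures = @(Get-ADReplicationFailure -Target $NewDC, $OldDC)

# 4. Verdict: collect every reason the old DC should stay online for now.
$problems = @()
if ($notMoved.Count -gt 0)     { $problems += "Roles not on ${NewDC}: " + ($notMoved.Name -join ', ') }
if (-not $isGC)                { $problems += "$NewDC is not a global catalog" }
if ($replFailures.Count -gt 0) { $problems += "$($replFailures.Count) replication failure entries found" }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Output "Do not power off $OldDC yet."
} else {
    Write-Output "$NewDC holds all FSMO roles, is a GC, and no replication failures are recorded."
}

# With both DCs online, a role is moved by transfer (omit -Force, which performs a seizure):
# Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole PDCEmulator
```
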
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    William



    Sunday, May 20, 2018 3:36 AM