Migrating Windows Server ADDC, DNS, and DHCP from Windows 2003 to Windows 2012r2

  • Question

  • Hello,

    I have 2 DCs: one 2003 and a second one that was 2016.

    The secondary domain controller (Windows Server 2016) went belly up and I was tasked with building a new one. What I noticed was that the system admin who had built it before put it on a server that was overkill. Thus, I re-purposed that server for other things and began with a fresh 2012r2 build on an entirely different machine. (Mainly because he didn't have any backups taken anyway.)

    I decided this would be a great opportunity to upgrade, get off of 2003 and springboard to 2016 or 2019. The 2003 server is an AD DC, DNS and DHCP server. I am using 2012r2 as a stepping stone to get up to the 2016 or 2019 edition, so essentially I will be doing this exercise 2 more times.

    Anyway, I began by following an article about migrating from 2003 to 2016.

    Replication (ADDC/DNS) between the 2 servers seems good, and I got all the way to switching the 5 FSMO roles, which worked smoothly. My issue is this: I wanted to test before going on to the part about demoting the 2003 server, so I unplugged the network cable. I was still able to log in to my machine (on the domain), but doing something as simple as sending a Skype message, checking email, or getting out to the web stopped working. I plug the 2003 server's network cable back in, and everything works again.

    I am at my wit's end, as I cannot even think about demoting the 2003 server until I know 100% that those issues are resolved. Please help!

    Tuesday, November 12, 2019 3:58 PM

Answers

  • Vicky,

    The reply was "kind of" helpful in the sense that it gave good advice, but ended up not being the solution. As I mentioned in my previous posts, the fact that I could authenticate and sign in with the new DC did not point me to metadata cleanup, which was suggested be run on my only existing, functioning DC.

    The issue was, in fact, found in some DNS settings, as I suggested it might be. Specifically, there were some forwarders being used within the properties tab that were pointed back to the 2003 Windows server. The other thing was a couple of root hints were not being validated, so that needed to be cleared up.

    Lastly, not that I believe it had any bearing on it, but the dcdiag cmd brought back an error about "read-only domain controlling doesn't have replicating directory", and I had to change the access rights to clear that.

    After those things were complete, I have been running the new dc by itself with no issues.


    • Marked as answer by Joseph12345IBS Tuesday, November 26, 2019 3:39 PM
    Tuesday, November 26, 2019 3:26 PM
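    Added example, not code from the thread: a PowerShell check, run elevated on the new 2012 R2 DC, that covers in one pass what this answer and the earlier replies point at: DNS forwarders still aimed at the 2003 server, root hints with no address record, the DHCP option 006 list each scope hands out, the DC's own client DNS entries, and a resolution test that proves the new server can answer both the AD SRV query and an external name on its own. The addresses, the upstream forwarder and the domain name are assumptions; without the -Fix switch the script only reports.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the NEW domain controller.
# Needs the DnsServer, DhcpServer and ActiveDirectory modules (present on a 2012 R2 DC with those roles).
# Every address and name below is an assumption for illustration; replace with your own.
param([switch]$Fix)                           # without -Fix the script only reports

$OldDc        = '192.0.2.93'                  # retiring 2003 DC (the thread refers to it as ".93")
$NewDc        = '192.0.2.10'                  # static address of the new 2012 R2 DC
$Domain       = 'ibsoft.local'
$NewForwarder = @('198.51.100.1')             # upstream/ISP resolver; never a DC you are about to remove

Import-Module DnsServer, DhcpServer, ActiveDirectory
# The only DNS servers a member should ever be handed are DCs that are staying.
$DcAddresses = @((Get-ADDomainController -Filter *).IPv4Address | Where-Object { $_ -ne $OldDc })

function Test-DnsForwarders {
    $fwd = Get-DnsServerForwarder
    $bad = @($fwd.IPAddress | ForEach-Object IPAddressToString | Where-Object { $_ -eq $OldDc })
    if ($bad) {
        Write-Warning "Forwarder(s) still point at the 2003 DC: $($bad -join ', ')"
        # Set-DnsServerForwarder replaces the whole list; UseRootHint keeps root hints as a fallback.
        if ($Fix) { Set-DnsServerForwarder -IPAddress $NewForwarder -UseRootHint $true }
    }
    Get-DnsServerForwarder | Select-Object @{n='Forwarders';e={$_.IPAddress -join ','}}, UseRootHint
}

function Test-RootHints {
    $missing = @(Get-DnsServerRootHint | Where-Object { -not $_.IPAddress })
    foreach ($h in $missing) {
        Write-Warning "Root hint $($h.NameServer.RecordData.NameServer) has no address record"
    }
    # Root hints that will not validate are what the answer had to clear up; re-import a fresh set
    # from a root server (a.root-servers.net is an assumption, any reachable root server works).
    if ($missing -and $Fix) { Import-DnsServerRootHint -NameServer 'a.root-servers.net' }
}

function Test-DhcpDnsOption {
    foreach ($scope in Get-DhcpServerv4Scope) {
        $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        if (-not $opt) { $opt = Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue }  # server level
        $handsOutOld = [bool]($opt.Value | Where-Object { $_ -eq $OldDc })
        if ($handsOutOld -and $Fix) {
            Set-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -DnsServer $DcAddresses
        }
        [pscustomobject]@{ Scope = $scope.ScopeId; Option006 = ($opt.Value -join ','); HandsOutOldDc = $handsOutOld }
    }
}

function Test-DcDnsClient {
    # The DC itself should list only DC addresses for DNS: no router, no public resolver.
    Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } | ForEach-Object {
        $foreign = @($_.ServerAddresses | Where-Object { $_ -notin $DcAddresses })
        if ($foreign -and $Fix) { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $DcAddresses }
        [pscustomobject]@{ Interface = $_.InterfaceAlias; Servers = ($_.ServerAddresses -join ','); NonDc = ($foreign -join ',') }
    }
}

function Test-Resolution {
    # SRV lookup proves the AD zone is served here; the external name proves recursion works without the 2003 box.
    Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $NewDc -DnsOnly | Select-Object Name, NameTarget
    Resolve-DnsName 'www.microsoft.com' -Type A -Server $NewDc -DnsOnly | Select-Object Name, IPAddress
}

Test-DnsForwarders
Test-RootHints
Test-DhcpDnsOption | Format-Table -AutoSize
Test-DcDnsClient   | Format-Table -AutoSize
Test-Resolution
```

    Run it once without -Fix with the 2003 cable unplugged: if Test-Resolution returns the SRV records but the external lookup times out, the forwarder or root-hint section is where to look; if members still get the old address from DHCP, the Option006 column shows it per scope.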

All replies

  • Might check that the DHCP server has been updated to hand out the address of the new DC for DNS. As to the Skype issue, might ask over here.

    https://social.technet.microsoft.com/Forums/en-US/home?forum=sfbfr

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, November 12, 2019 4:03 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Vicky

      

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 14, 2019 12:58 AM
  • I migrated the existing DHCP config over to the new DC, but did not start the service, as I thought it was just for assigning IPs for machines that are dynamic. (Thus the 2003 DC is still acting as the DHCP server.) I can give that a try. As for the Skype issue, that was just an example to explain that it seems network communication stopped both internally and externally. (Email broke, messengers, web surfing, etc.)

    I read in this <https://techencyclopedia.wordpress.com/2017/02/02/windows-server-migration-2003-to-2016/> that all you have to do is uninstall the old DC from 2003. However, this article <https://www.wintips.org/how-to-migrate-active-directory-server-2003-to-active-directory-server-2016-step-by-step/> states that after you uninstall the 2003 DC, you should change the static IP on the 2003 server to something else or disconnect it, and change the static IP on the new DC to the old DC's IP. (Something about "in order to match the already configured DNS settings on your network.")

    I was wondering if that could be my problem? What is the "best practice" way? As it sits right now, the new DC has a new unique ip address and I did not plan on using the previous DC's ip, but if it simplifies things I will.

    I am just concerned that I am going to demote that 2003 DC, the internet issue will persist, and I will not be able to bring the 2003 back online, and thus be stuck with no way back. (Hence why I was trying to test before I demote it.) 

    Thursday, November 14, 2019 3:27 PM
  • Oh yeah, and when I say I just migrated the DHCP settings, I mean they match whatever was on the 2003 server. Would that mean it has the IP address of the 2003 server, and thus back up that second article's statement that I should make the new 2012 server have the same IP as the old 2003 server?
    Thursday, November 14, 2019 3:30 PM
  • If you demoted the 2003, then it is fine to leave it to live on as a member server with same address.

    Not clear on what you're saying about DHCP. If the network has a DHCP server, then it's imperative that it hands out the static IP address(es) of the new domain controller(s) for DNS.

    Also check that other members with static assignments have been updated with the new domain controller addresses listed for DNS.


     

     



    Regards, Dave Patrick ....


    Thursday, November 14, 2019 3:38 PM
  • Oh yeah, and when I say I just migrated the DHCP settings, I mean they match whatever was on the 2003 server. Would that mean it has the IP address of the 2003 server, and thus back up that second article's statement that I should make the new 2012 server have the same IP as the old 2003 server?

    Simpler method is to edit the DHCP scope to hand out the new addresses.

     

     


     

     



    Regards, Dave Patrick ....


    Thursday, November 14, 2019 3:43 PM
  • I thought it worked, but it doesn't appear so. I noticed within that screen it was referencing the 2003 DC and the other DC that broke. I added the 2012 DC to the 006 DNS page and removed the broken DC. I then unplugged the 2003 DC and changed the IP on the 2012 DC to the 2003's IP. For a split second I was able to send messages in Skype, load web pages just fine, etc., and network traffic seemed to flow. Then it stopped. Any other suggestions as to what the issue could be? :/
    Thursday, November 14, 2019 5:16 PM
  • Sounds like the new domain controller is not functional.

     

     



    Regards, Dave Patrick ....

    Thursday, November 14, 2019 5:21 PM
  • I think it is functioning as far as a DC. I think it is likely something I am missing with the DNS/DHCP settings.

    Recap: 

    2003DC is working and is replicating to Windows Server 2012r2.

    The 2003 DC also acts as a DNS server and DHCP. (To my knowledge, that is it all it houses.)

    I switched over all 5 FSMO roles to the Windows 2012r2 server. (Successful)

    I copied over the exact configs for the DNS and DHCP from the 2003 server to 2012 without changing anything.

    I did as you asked about the DHCP and added the new 2012 DC. 

    My test involves unplugging the 2003 DC's network cable, going to a workstation, and signing in with domain account(s). (Success). 

    I can ping internally fine, and externally to 8.8.8.8. (Success)

    I try to send a Skype message, check email, or go to a webpage like Facebook, Microsoft, etc.; it acts like it wants to load/send but cannot. (Failure.)

    While the 2003 DC was unplugged, I changed the 2012 DC's IP to the 2003's IP, and I could have sworn that for a split second I was able to search webpages and everything worked as expected, but then it didn't.

    I changed the IP of the new DC back to its original, as well as the old 2003 DC's, plugged it back in, and everything worked again.

    Seems there has to be something about that 2003 server that is not set up correctly in the 2012 server.


    Thursday, November 14, 2019 5:39 PM
  • I'd check that the domain controller and the problem member both have the static IP address of the DC listed for DNS and no others, such as the router or public DNS.

     

     



    Regards, Dave Patrick ....

    Thursday, November 14, 2019 5:42 PM
  • I'm going to show that I am very green behind the ears, but can you explain? I am very new at this and have never migrated a DC before. Thanks in advance!
    Thursday, November 14, 2019 7:45 PM
  • Please run;

    • Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt
    • ipconfig /all > C:\dc3.txt
    • ipconfig /all > C:\problemworkstation.txt

    then put unzipped text files up on OneDrive and share a link.

     

     



    Regards, Dave Patrick ....

    Thursday, November 14, 2019 7:58 PM
  • https://1drv.ms/u/s!AmshoDTZ4NqzhAgMPqdf6eSViFvY?e=MvC1TL

    DC 1 is the 2003 DC

    DC 2 is the 2016 DC

    dcdiag and repl were run from the 2016 DC.

    problemworkstation is from my desk.

    Please let me know if you require more.

    Thursday, November 14, 2019 8:35 PM
  • 1.) Appears WIN-QET7DNS47E7 is getting an IPv6 address from an IPv6 DHCP server on network.

    I'd suggest to disable any IPv6 DHCP servers (router?) otherwise it must be configured correctly

    2.) Invalid service type: RpcSs on KERMIT, current value WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

    to fix this run from elevated credentials;

    sc config rpcss type= share

    4.) FRS can not correctly resolve the DNS name kermit.ibsoft.local

    may be related to the IPv6 issues

    5.) IsmServ Service is stopped on [WIN-QET7DNS47E7]

    start the service (should be Automatic start)

    6.) problemworkstation is from my desk.

    the multiple adapters may be problematic, not the best one to be testing from

     

    May be others but this is a start.

     

     



    Regards, Dave Patrick ....


    Thursday, November 14, 2019 9:15 PM
  • 1.) Appears WIN-QET7DNS47E7 is getting an IPv6 address from an IPv6 DHCP server on network.

    If by router you mean our single Wi-Fi device, that is all we have in our office. Not sure why that server is showing any IPv6 settings, as it is all unchecked in the settings AND all adapter cards (minus the 1) are disabled.

    2.) Invalid service type: RpcSs on KERMIT, current value WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

    Completed successfully.

    3.) ROUGE-ONE needs some cleanup

    Yes, Rogue 1 was what the previous sysadmin had started, but after he left nobody knew he had added it as a domain controller, and someone re-purposed it without taking the ADDC off first. I was having trouble getting it out of Kermit's config (the working domain). I will look at the article and try again.

    4.) FRS can not correctly resolve the DNS name kermit.ibsoft.local

    Not sure how to handle this if I can not correct #1.

    5.) IsmServ Service is stopped on [WIN-QET7DNS47E7]

    It is auto but wasn't started. It is now.

    6.) problemworkstation is from my desk.

    I uploaded a nice(er) config to the previous one note link. (problemstation2.txt)

    I also noticed that when I was trying to connect to Wi-Fi, the DHCP service was not running on either DC. (It should have been running on the WIN-QETXXXXXXXX machine.) Could this be why earlier, when I changed the IP address of the WIN-Q server to .93 (Kermit's IP), everything seemed to work for a couple of minutes? (This is in relation to you saying change the scope option 006 DNS on the 2016 server.)

    Thursday, November 14, 2019 10:13 PM
  • The router was just one thought; Windows could also be handing out IPv6, which is fine as long as it's configured correctly. The tunnel adapter may or may not be problematic, but removing suspected issues is a part of all problem solving.

    Another option is to demote the 2016, do the required metadata cleanup, then work to get health on 2003 to 100%, and event log clear of all errors before trying again.

    I didn't bother to look at "problemworkstation" again because at this point domain health is broken.

      

     



    Regards, Dave Patrick ....

    Thursday, November 14, 2019 10:38 PM
  • It may not be the cleanest but that data is replicated from a working domain stuck in the year 2003 to a 2012 server.

    I disconnected the Ethernet cable from the 2003 again and changed the IP of the 2012 server to what the 2003 was, .93 (as the article link I provided earlier suggested). It worked, kind of. I was able to email and talk in Skype to co-workers, with immediate reaction (no delay). At least until I went into the DNS settings and selected "Clear Cache" on the 2012 server.

    I believe this boils down to DNS name resolution. For example, I can ping an outside IP such as 8.8.8.8 and get a response, but I can't ping google.com. Or a webpage will try to load, and it throws a "DNS host name unresolved" error. Then, as it retries, it gets through (after 10-15 seconds every time). Looking over a couple of settings within DNS, I noticed things referencing the WIN-QTXXXXX server (2016); its IP is "unknown", whereas the 2003 server's is known within the forward lookup zones.

    I am not an expert by any means, but if I am seeing DNS errors, I am going to look there, if that makes sense.

    Thursday, November 14, 2019 11:05 PM
  • Sorry, but no this method doesn't make any sense. The only sensible method is to get back to something clean and stable, then work from there.

     

     



    Regards, Dave Patrick ....

    Thursday, November 14, 2019 11:20 PM
  • The reason I didn't take the time to try and delete the orphaned DCs on my working DC is because when I try to remove them, I receive "You do not have sufficient privileges to delete CN=<COMPUTERNAME>,OUDomainController,DC=<domainname>, or this object is protected from accidental deletion." (The second part cannot be true, as I have Advanced Features on in the View tab and the check box is clearly unmarked within the properties of the orphaned DC.)

    I am signed on as the Domain admin, running Active Directory User and Computer as Administrator. Is there somewhere I need to go to give myself privilege?

    Scanning over your provided article, within the 2003 DC itself, I was unable to connect to the 2003 server (Error DsBindW error 0x6d5 (The security context is invalid). I hopped onto the 2012 DC and connected to the 2003 server from there. 

    This is what i got the first time:

    select operation target: list servers in site
    No current site
    Domain - DC=<domainname>,DC=local
    No current server
    No current Naming context
    select operation target:

    I tried again and then got this:

    Found 1 server(s)
    0 - (null)
    select operation target:

    Shouldn't it have found 4 since I have the 2003 server, 2012 server, and the 2 orphaned servers?

    I do not want to risk selecting something that is null, and deleting it if it is one of my 2 active servers. :((((

    • At the command prompt, type ntdsutil, and then press ENTER.
    • Type metadata cleanup, and then press ENTER.
    • Type connections and press ENTER.
    • Type connect to server servername, and then press ENTER.
    • Type quit, and then press ENTER.
    • Type select operation target and press ENTER.
    • Type list domains and press ENTER.
    • Type select domain number and press ENTER
    • Type list sites and press ENTER.
    • Type select site number and press ENTER
    • Type list servers in site and press ENTER.
    • Type select server number
    • Type quit and press ENTER.
    • Type remove selected server and press ENTER.
    • Type quit, and then press ENTER at each menu quit the Ntdsutil utility.


    Friday, November 15, 2019 2:52 PM
  • I do not want to risk selecting something that is null, and deleting it if it is one of my 2 active servers. :((((


    Then it may be simpler and more intuitive to use the GUI methods mentioned in the same article.

     

     



    Regards, Dave Patrick ....

    Friday, November 15, 2019 2:59 PM
  • I am a little confused, and maybe it is just a total lack of knowledge on my part, so please bear with me; you have been very patient thus far. ;)

    I go into ADSS and select the server whose metadata I want to clean up. I see my 2 servers that are online. Step 1 says to delete the NTDS Settings of the domain controller that was forcibly removed; the problem is I do not see the 2 DCs that were removed.

    I only see the 2 that are online and functioning. Isn't that the point of metadata cleanup? To delete orphaned DCs that you cannot demote properly through the service manager? Did I misunderstand? Or does cleaning up the metadata remove junk that is left over within an active domain controller without actually deleting it or demoting it?

    1. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete.
    2. In the Active Directory Sites and Services dialog box, click Yes to confirm the NTDS Settings deletion.
    3. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
    4. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
    5. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
    6. Right-click the domain controller that was forcibly removed, and then click Delete.
    7. In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.
    Friday, November 15, 2019 3:20 PM
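    Pulling the two procedures quoted above (the ntdsutil session and the Sites and Services steps) into one script, as an added example that is not part of the thread: it lists every server object that still has an NTDS Settings child, so the orphans show up by name instead of as a numbered "(null)" entry, checks the accidental-deletion flag on both the server object and its NTDS Settings child (either one can produce the "insufficient privileges ... or protected from accidental deletion" message), and then runs the same ntdsutil cleanup non-interactively against the dead DC by its DN. ntdsutil's "list servers in site" only lists servers once a domain and a site have been selected, which is why the session above printed "No current site" and a single "(null)" entry. The name ROGUE-ONE comes from the thread, but that it is the exact object name is an assumption, as is everything else marked in the comments. Since Server 2008, deleting the NTDS Settings object in Sites and Services or the DC's computer account in Users and Computers triggers the same cleanup, which is what the GUI steps rely on.

```powershell
# Added example, not code from the thread. Run as a Domain Admin in an elevated PowerShell on a healthy,
# writable DC running 2008 R2 or later (the 2012 R2 box here). $DeadDc is an assumption: the DC that is gone.
param([string]$DeadDc = 'ROGUE-ONE', [switch]$Fix)   # without -Fix nothing is changed

Import-Module ActiveDirectory
$root  = Get-ADRootDSE
$cfgNC = $root.configurationNamingContext

function Get-DcMetadata {
    # Every DC the directory still believes in is a server object with an "NTDS Settings" (nTDSDSA) child
    # under CN=Sites. ntdsutil's "list servers in site" shows the same set, but only after a domain and a
    # site have been selected; without that it prints "No current site" and a single "(null)" entry.
    Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $cfgNC | ForEach-Object {
        $serverDn = ($_.DistinguishedName -split ',', 2)[1]          # strip the "CN=NTDS Settings," prefix
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
        [pscustomobject]@{
            Server    = $server.Name
            Site      = (($serverDn -split ',')[2]) -replace '^CN='
            Reachable = [bool]$server.dNSHostName -and
                        (Test-Connection -ComputerName $server.dNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue)
            ServerDn  = $serverDn
        }
    }
}

function Remove-DeadDcMetadata {
    param([string]$Name)
    $entry = Get-DcMetadata | Where-Object { $_.Server -eq $Name }
    if (-not $entry)      { throw "No NTDS Settings object named $Name; nothing to clean up" }
    if ($entry.Reachable) { throw "$Name still answers on the network; demote it with dcpromo instead" }

    # "You do not have sufficient privileges ... or this object is protected from accidental deletion" can come
    # from the server object or from its NTDS Settings child, so check the flag on both.
    foreach ($dn in @("CN=NTDS Settings,$($entry.ServerDn)", $entry.ServerDn)) {
        $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
        if ($obj.ProtectedFromAccidentalDeletion) {
            Write-Host "Protected from accidental deletion: $dn"
            if ($Fix) { Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false }
        }
    }

    # Non-interactive form of the ntdsutil session quoted above: bind to this (good) DC, then remove the dead
    # server by its DN, so there is no numbered selection to get wrong.
    $ntdsArgs = @('metadata cleanup', 'connections', "connect to server $($root.dnsHostName)", 'quit',
                  "remove selected server $($entry.ServerDn)", 'quit', 'quit')
    Write-Host ('ntdsutil ' + (($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' '))
    if ($Fix) {
        & ntdsutil.exe @ntdsArgs
        # Remove the DC's computer account (and its child objects) if cleanup left it behind.
        Get-ADComputer -Filter "Name -eq '$Name'" | Remove-ADObject -Recursive -Confirm:$false
    }
}

Get-DcMetadata | Format-Table Server, Site, Reachable -AutoSize
Remove-DeadDcMetadata -Name $DeadDc
```

    The first run prints the inventory and the exact ntdsutil line it would execute; re-run with -Fix once the Reachable column confirms the only unreachable entries are the two dead boxes. Stale A, NS and SRV records that still name the removed DC are not touched by ntdsutil and have to be deleted from the DNS zones separately.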
  •  Isn't that the point of metadata clean up? To delete orphaned DC's that you can not demote properly through the service manager? Did I misunderstand? 

    Yes, your understanding is correct. Then I'd work on the other problems as higher priority steps. 

    Demote the 2016, then work to get health on 2003 to 100%, and event log clear of all errors before trying again.

     

     



    Regards, Dave Patrick ....

    Friday, November 15, 2019 3:40 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Vicky

      


    Monday, November 18, 2019 1:51 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Vicky

      


    Friday, November 22, 2019 12:55 AM