Windows Thread: DC Demotion and problems have begun (forum: Technical)
#1 ranj

    DC Demotion and problems have begun

    Hi

    Hoping someone can help me with this major problem I am having.

    Over the summer we introduced 2008 onto our network. We had an old 2003 server which was the first DC ever created on the network when it was set up back in 2004.

    The plan over the summer was to remove all of our 2003 servers and have the whole AD structure run on 2008 only. After some testing we realised that the primary 2003 DC was going to be a bit more difficult to demote, as other services relied on it, such as old Linux boxes we had on the network.

    After months of planning and finally deciding to go ahead and do it, I demoted the 2003 server last night, so the network was only running on the two 2008 DC/DNS servers we had on the network. Just to point out, one of these 2008 servers also has all the FSMO roles, and both are AD-integrated DNS servers and global catalogs, so in theory Windows services should have worked fine, and for the most part that worked: users were able to log in and see their files.

    Today, though, I have noticed some problems which I am hoping someone may have come across. If I don't act on these soon I see big problems ahead. I'll list the problems below:

    • One 2008 R2 member server I am not able to RDP into anymore. It says "Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer. Make sure your computer's clock is set to the correct time..." As this server is a VM I logged in through the vCenter client and checked the time, and it seems to be identical to my local machine.
    • Both of our file servers, which have shares for home documents and shared areas (one 2003 and one 2008 R2 server), seem to be working, but when I look at the permissions they show up as SIDs and not with the naming scheme, and from what I can see it only shows some users, never groups.
    • The same 2008 R2 server is also an NPS and Active Directory Certificate Services server (this is used for wireless logins using RADIUS). In the event log I am getting all sorts of errors: "There is no domain controller available for domain ...". In the AD Certificate Services event log I am getting: "Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=DOMAINNAME-CLANCY-CA,CN=clancy,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAINNAME,DC=PRI. Operation aborted 0x80004004 (-2147467260)."
    • On the 2008 R2 server I am also getting a certificate templates message saying "Windows encountered problems enumerating writable domain controllers for the DOMAIN. The format of the specified domain name is invalid."
    • "The system cannot log you on due to the following error: the specified domain either does not exist or could not be contacted."


    If anyone could advise whether they have come across any of these problems, it would be most appreciated.

    Thanks

#2 DMcCoy
    Do dcdiag and netdiag show any issues? Also make sure no old DNS entries are left, either in DHCP or on the DNS server itself. There is always some manual cleanup required after demoting a DC. Make sure the demoted one is not in Sites and Services, for a start.
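The "manual cleanup" this post refers to can be checked rather than eyeballed. The script below is an added example (not code from the thread) that lists what a demoted DC typically leaves behind: DNS records in the domain and _msdcs zones that still point at it, a lingering server object under Sites and Services, a DC account that never went away, and anything dcdiag still complains about. It assumes it is run as Domain Admin on a surviving DC with the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, or RSAT; on 2008 R2 the same records can be listed with `dnscmd /EnumRecords`). OLDDC2003, 10.0.0.5 and schoolname.pri are placeholders for the demoted DC's hostname, its former IP and the AD DNS name.

```powershell
# Added example, not from the thread: what is left behind after a DC demotion.
# Assumptions: Domain Admin on a surviving DC; DnsServer + ActiveDirectory modules present.
# OLDDC2003 / 10.0.0.5 / schoolname.pri are placeholders.
function Test-DemotedDcResidue {
    param(
        [string]$OldDcName  = 'OLDDC2003',
        [string]$OldDcIp    = '10.0.0.5',
        [string]$DomainFqdn = 'schoolname.pri'
    )
    Import-Module DnsServer, ActiveDirectory -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. DNS: SRV targets, A, NS and the DSA-GUID CNAME in _msdcs that still name the old DC.
    foreach ($zone in @($DomainFqdn, "_msdcs.$DomainFqdn")) {
        if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) { continue }
        foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone) {
            $target = switch ($rec.RecordType) {
                'SRV'   { $rec.RecordData.DomainName }
                'A'     { $rec.RecordData.IPv4Address.IPAddressToString }
                'NS'    { $rec.RecordData.NameServer }
                'CNAME' { $rec.RecordData.HostNameAlias }
                default { $null }
            }
            if ($target -and ($target -like "$OldDcName.*" -or $target -eq $OldDcIp)) {
                $findings.Add([pscustomobject]@{
                    Check  = 'StaleDnsRecord'
                    Where  = $zone
                    Detail = "$($rec.RecordType) $($rec.HostName) -> $target"
                })
            }
        }
    }

    # 2. Sites and Services: the server object (and its NTDS Settings child) should be gone.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Check = 'LingeringServerObject'; Where = 'Sites and Services'; Detail = $_.DistinguishedName })
        }

    # 3. AD still lists it as a DC: the demotion did not finish cleanly and needs metadata cleanup.
    if (Get-ADDomainController -Filter "Name -eq '$OldDcName'" -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{ Check = 'StillListedAsDC'; Where = 'AD'; Detail = "$OldDcName still has a DC account; run ntdsutil metadata cleanup" })
    }

    # 4. dcdiag /q prints only failures, so any output at all is a finding.
    $dcdiag = & dcdiag /q 2>&1
    if ($dcdiag) {
        $findings.Add([pscustomobject]@{ Check = 'dcdiag'; Where = $env:COMPUTERNAME; Detail = ($dcdiag -join ' ').Trim() })
    }
    return $findings
}

Test-DemotedDcResidue | Format-Table -AutoSize
```

An empty table means DNS, the configuration partition and dcdiag all agree the old DC is gone; any StaleDnsRecord row is a record that clients can still be handed when they look for a DC, which is the failure mode the rest of the thread runs into.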

#3 ranj
    I ran dcdiag on both of the 2008 servers and it passed all tests.

    I am not able to run netdiag; is that a separate download or part of some resource kit?

    I did see the old server in Sites and Services; I removed this.

    thanks

#4 Crispin
    Netdiag is no longer included in 2008 and Vista...

    From what I've heard you can extract it from the 2003 Support Tools and it should still work, but I haven't tried it myself...

#5 ranj
    An update:

    I decided to restart the Windows 2008 R2 server and have now run into bigger problems. I now cannot log back into the server; when the server starts up it briefly has a network connection and then I just receive a "request timed out" message. It's a virtual machine, and even if I try to log in to it locally it just hangs; if I boot up in safe mode it does allow me to log in.

    What I also did was to re-promote the 2003 server in the hope that it would resolve all the problems I was having, but that hasn't worked either. I installed AD back onto the machine, and whilst that actioned successfully, it doesn't seem to be replicating the SYSVOL data etc. from the other servers. If I try to load any of the AD tools I just receive a message which says "Naming information cannot be located because: the specified domain either does not exist or could not be contacted..."

    Please Help!

#6 Michael
    Quote Originally Posted by ranj:
    One 2008 R2 member server I am not able to RDP into anymore.
    On both 2008 servers, have a look at the static IP configuration. Make sure the primary IP is pointing to itself and the secondary to the other DC. As for the server time, the easiest solution is to use the NET TIME command in all your logon scripts:

    Code:
    @echo off
    net time \\SERVERNAME /set /yes
    Quote Originally Posted by ranj:
    When I look at the permissions it seems to show them as SIDs and not with the naming scheme
    Again, I suspect that if DNS is misconfigured, File Replication is failing. Check the event logs. Once you've adjusted DNS, manually force replication on both DCs.

    Re-promoting a 2003 server won't make any difference. Are you absolutely 100% sure you transferred all roles?

#7 DMcCoy
    Re-promoting a machine that was already demoted is a very bad idea; I've found 2003 barely functional as a member server after demotion, let alone using it as a DC again.

    As Michael says, check all the roles have been moved. When roles are transferred there is usually an event generated when it has finished.

    How many DCs? There are the two 2008 R2 and the 2003 one; any more? When you boot the 2008 one, you may have to wait 30 minutes or more for the login prompt to appear if things aren't starting in the right order, even if everything is working properly.

    I suspect that DNS is incorrect on the servers or clients, along with old SRV records in DNS from the old server.

    Two DCs: primary DNS as each other, secondary as 127.0.0.1. Forwarders set in DNS for external resolution. Remember to check DHCP to make sure it's using the new servers' IPs for DNS. You must not rush into any attempts at fixing these issues, as often it will take some time for replication and promotions to complete. Some services will complain on old servers for up to 24 hours until the old DC record has been tombstoned in AD.

    As for the certificates, was the old DC the certificate server? Ideally you want to export the cert store and root certificate and import them on the new DC to make sure old certs are all still valid.

    Thanks to DMcCoy from: ranj (15th January 2010)
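The two previous replies between them describe a procedure: point each DC's DNS client at the partner DC first and itself second, make sure DHCP option 006 hands out only the surviving DCs, force replication, and get the clocks in step. The script below is an added example (not code from the thread) that carries those steps out in that order. It assumes two surviving DCs called DC1 and DC2 at 10.0.0.10 and 10.0.0.11 (placeholders), that DC1 hosts DHCP, that WinRM is enabled on both, and that the DnsClient and DhcpServer modules are available (Server 2012 or later, or RSAT). For the time step it uses `w32tm /resync` rather than the NET TIME logon script above: on a DC the Windows Time service already follows the PDC emulator, so a resync against that hierarchy is the right lever there.

```powershell
# Added example, not from the thread. DC1/DC2, 10.0.0.10/11 and the DHCP host are placeholders.
# Assumptions: Domain Admin, WinRM to both DCs, DnsClient + DhcpServer modules (2012+/RSAT).
$dcs        = [ordered]@{ 'DC1' = '10.0.0.10'; 'DC2' = '10.0.0.11' }
$dhcpServer = 'DC1'

# 1. Each DC: partner DC first, itself (127.0.0.1) second, then re-register its records.
foreach ($dc in $dcs.Keys) {
    $partnerIp = @($dcs.GetEnumerator() | Where-Object { $_.Key -ne $dc })[0].Value
    Invoke-Command -ComputerName $dc -ArgumentList $partnerIp -ScriptBlock {
        param($partner)
        # the adapter with a default gateway is the one carrying the DC's static address
        $nic = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses @($partner, '127.0.0.1')
        ipconfig /registerdns | Out-Null
        Restart-Service Netlogon          # rewrites this DC's SRV records in DNS
        Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4 |
            Select-Object @{ n = 'DC'; e = { $env:COMPUTERNAME } }, ServerAddresses
    }
}

# 2. DHCP: option 006 (DNS servers) at server level and in every scope must list only surviving DCs.
$valid  = [string[]]$dcs.Values
$checks = @(@{ ScopeId = $null })
$checks += Get-DhcpServerv4Scope -ComputerName $dhcpServer | ForEach-Object { @{ ScopeId = $_.ScopeId } }
foreach ($c in $checks) {
    $p = @{ ComputerName = $dhcpServer; OptionId = 6; ErrorAction = 'SilentlyContinue' }
    if ($c.ScopeId) { $p.ScopeId = $c.ScopeId }
    $opt = Get-DhcpServerv4OptionValue @p
    $bad = @($opt.Value) | Where-Object { $_ -and $_ -notin $valid }
    if ($bad) {
        $where = if ($c.ScopeId) { $c.ScopeId } else { 'server-level' }
        Write-Warning "DHCP option 006 ($where) still hands out $($bad -join ', ')"
    }
}

# 3. Force replication of every partition, both directions, then read the summary.
repadmin /syncall /AdeP | Out-Null
repadmin /replsummary

# 4. Time: DCs follow the PDC emulator through W32Time, so resync against that rather than NET TIME.
w32tm /resync /rediscover
```

If `repadmin /syncall` errors out straight away on a name it cannot resolve, that is the "fails immediately if DNS is not right" symptom described later in the thread, and step 1 has not taken effect yet on that DC.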

#8 ranj
    Quote Originally Posted by Michael:
    On both 2008 servers, have a look at the static IP configuration. Make sure the primary IP is pointing to itself and the secondary to the other DC. As for the server time, the easiest solution is to use the NET TIME command in all your logon scripts:

    Code:
    @echo off
    net time \\SERVERNAME /set /yes


    Again, I suspect that if DNS is misconfigured, File Replication is failing. Check the event logs. Once you've adjusted DNS, manually force replication on both DCs.

    Re-promoting a 2003 server won't make any difference. Are you absolutely 100% sure you transferred all roles?
    Hi, yes, I confirmed all roles have moved over to the 2008 server.

    I checked this by running

    netdom query fsmo

    and the replies I got back were where all the roles were, and they were on the 2008 server as expected. Before the summer these roles were on the 2003 server, though, but ALL were successfully transferred.

#9 Michael
    Quote Originally Posted by ranj:
    Hi, yes, I confirmed all roles have moved over to the 2008 server.
    Good; then I do still suspect the issue is DNS related. If you force replication, then wait 5 minutes and check the event logs, is it reporting as successful? Typically forcing replication manually will fail immediately if DNS is not right.

#10 ranj
    OK, got things working again, but not made any progress.

    When I re-promoted the 2003 server, having just demoted it yesterday, after leaving it for about an hour and changing the network settings, everything that I mentioned is now working again. SIDs don't show up anymore, I can log in via RDP to all the servers again, etc.

    But I still have this damn 2003 server in the domain which I want to get rid of :-(

    I have logged a support call with Microsoft, so hopefully they can help me understand what happened when I tried to demote this 2003 server.

    What I don't understand is that, just by removing AD from this 2003 server, the other servers should have continued the role, unless I am missing something and there is some hidden configuration on this legacy 2003 server which I am not aware of.

    If it's DNS, which is the general consensus on this thread, are there any tools which can help me identify any potential problems?

    One thing I have to mention is that previously, when we had 2003 servers, when we wanted to join an XP or Vista client to the domain we could just type in the domain name when joining the computer (our domain name is the name of our school), but it now seems we have to type in the NetBIOS name that was given to us when the domain was created, which is schoolname.pri. When we type in just schoolname and press return we receive the following error message:

    "The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain queensbridge:

    The error was "DNS name does not exist"
    RCODE_NAME_ERROR"

    This must be related, I am thinking, if the problem is DNS.

    Any suggestions? I am going home now; can't believe I am here this late on a Friday!

    Thanks for the support given.

#11 Michael
    Quote Originally Posted by ranj:
    What I don't understand is that, just by removing AD from this 2003 server, the other servers should have continued the role, unless I am missing something and there is some hidden configuration on this legacy 2003 server which I am not aware of.
    If you didn't transfer any roles, either through the GUI or the command prompt, before demoting the domain controller, you should have received lots of prompts warning you this would essentially kill the domain completely. I'm guessing you must have, otherwise the domain wouldn't work at all.

    What's even more confusing is that the SID configuration would have changed when you demoted, then re-promoted, the 2003 domain controller, so I haven't a clue why this has cleared up the problems you were experiencing before.

    You shouldn't need NetBIOS for 2008 Server and XP. Since Windows 2000, DNS has been the default, and only Windows 98, for example, would require NetBIOS to talk to the domain. Here's a useful guide on how to enable/disable NetBIOS.

#12 IanT
    Just to check your FSMO roles:

    Schema Master, Domain Naming Master, PDC, RID and Infrastructure: you've moved them, yeah? Onto the same box?

#13 DMcCoy
    What does nslookup show the DNS servers as on a DC and client? Are they correct?
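The nslookup question here and the RCODE_NAME_ERROR in post #10 are the same check from two ends: what does the client's DNS server answer when asked for the SRV record `_ldap._tcp.dc._msdcs.<domain>`, which is how the domain-join dialog and NETLOGON find a DC. The function below is an added example (not code from the thread) that runs that lookup, then resolves and port-tests every DC the SRV records advertise, so a record left behind by a demoted DC stands out as a name that resolves but has nothing listening on 389. It assumes `Resolve-DnsName` and `Test-NetConnection` are available (Windows 8 / Server 2012 or later); schoolname.pri is the thread's domain name and 10.0.0.10 is a placeholder DC address.

```powershell
# Added example, not from the thread: reproduce the DC-locator SRV lookup and test each advertised DC.
# Assumptions: Resolve-DnsName / Test-NetConnection present (Win8 / Server 2012+); 10.0.0.10 is a placeholder.
function Test-DcLocator {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DnsServer      # optional: ask a specific resolver instead of the client's list
    )
    $result = [ordered]@{ Domain = $Domain; SrvFound = $false; Error = $null; Dcs = @() }
    $q = @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $q.Server = $DnsServer }
    try {
        $srv = @(Resolve-DnsName @q | Where-Object { $_.Type -eq 'SRV' })
    } catch {
        # NXDOMAIN here is the "DNS name does not exist / RCODE_NAME_ERROR" the join dialog reports
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    $result.SrvFound = $srv.Count -gt 0
    foreach ($r in $srv) {
        $dc = [ordered]@{ Name = $r.NameTarget; Port = $r.Port; Resolves = $false; LdapOpen = $false }
        $a = @(Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' })
        if ($a.Count -gt 0) {
            $dc.Resolves = $true
            # an SRV record left behind by a demoted DC usually still resolves, but nothing answers on 389
            $dc.LdapOpen = (Test-NetConnection -ComputerName $a[0].IPAddress -Port $r.Port -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        $result.Dcs += [pscustomobject]$dc
    }
    return [pscustomobject]$result
}

# Short name: there is no DNS zone called "schoolname", so the SRV query returns NXDOMAIN
# and Windows has to fall back to the NetBIOS locator (WINS/broadcast).
Test-DcLocator -Domain 'schoolname'

# Full DNS name: SRV records are found; a DC that Resolves but shows LdapOpen = False is residue
# from the demoted server (or a DC that is down) and should be removed from DNS.
(Test-DcLocator -Domain 'schoolname.pri').Dcs | Format-Table -AutoSize

# Same query through one specific DNS server, to compare what each DC's copy of the zone says.
(Test-DcLocator -Domain 'schoolname.pri' -DnsServer '10.0.0.10').Dcs

# What the OS itself concludes, bypassing its locator cache.
nltest /dsgetdc:schoolname.pri /force
```

Run it on a DC and on an affected member server and compare: if the member server's run returns an Error while the DC's does not, the member server is asking a resolver that does not hold the zone, which is exactly the misconfiguration the thread ends on.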

#14 ranj
    Quote Originally Posted by IanT View Post
    Just to check your FSMO roles:

    Schema Master, Domain Naming Master, PDC, RID and Infrastructure - you've moved them yeah? onto the same box?
    Yes, that's correct. When I ran the netdom command ALL FSMO roles were on the 2008 box, which is how I wanted it to be.

#15 ranj
    ARRGHHHH

    Rookie mistake, this one!!

    The issue mainly was that the server that had the problems highlighted above still had, in its TCP/IP settings, DNS pointing to the server I demoted; I forgot to add the new DNS entries for the new 2008 servers. Once I put the correct DNS settings in and did an ipconfig /registerdns, all was sorted.
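The root cause was one member server whose DNS client list still named the demoted DC. The function below is an added example (not code from the thread) that looks for that condition on every server account in the domain before it bites, and with `-Fix` rewrites the list and re-registers the host the way the post describes. It uses WMI over DCOM rather than PowerShell remoting so that 2003 and 2008 hosts without WinRM are reached too, and assumes Windows PowerShell 3 or later with the ActiveDirectory module, run as Domain Admin. 10.0.0.10 and 10.0.0.11 (surviving DCs) and 10.0.0.5 (the demoted DC) are placeholders; 127.0.0.1 is accepted so a DC listing itself as secondary is not flagged.

```powershell
# Added example, not from the thread: find (and optionally fix) servers whose DNS client list still
# names the demoted DC. Assumptions: Windows PowerShell 3+, ActiveDirectory module, Domain Admin;
# 10.0.0.10/11 (surviving DCs) and 10.0.0.5 (demoted DC) are placeholders.
function Find-StaleDnsClients {
    param(
        [string[]]$ValidDns = @('10.0.0.10', '10.0.0.11', '127.0.0.1'),
        [string]$OldDns = '10.0.0.5',
        [switch]$Fix
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # every computer account whose OS string says "Server" (member servers and DCs alike)
    $servers = Get-ADComputer -LDAPFilter '(operatingSystem=*Server*)' |
        Select-Object -ExpandProperty DNSHostName
    # member servers get the DCs only; 127.0.0.1 is meaningful on a DC, not on a member
    $memberList = [string[]]($ValidDns | Where-Object { $_ -ne '127.0.0.1' })

    foreach ($s in $servers) {
        $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $s -Filter 'IPEnabled=TRUE' -ErrorAction SilentlyContinue)
        if ($nics.Count -eq 0) {
            [pscustomobject]@{ Server = $s; Status = 'Unreachable'; Dns = $null }
            continue
        }
        foreach ($nic in $nics) {
            $dns = @($nic.DNSServerSearchOrder)
            $bad = @($dns | Where-Object { $_ -eq $OldDns -or $_ -notin $ValidDns })
            $status = if ($bad.Count) { 'Stale' } else { 'OK' }
            if ($bad.Count -and $Fix) {
                # SetDNSServerSearchOrder replaces the whole list; the first entry is the preferred server
                $rc = $nic.SetDNSServerSearchOrder($memberList).ReturnValue
                # then do what the post did: re-register the host's A/PTR (and SRV records, if it is a DC)
                Invoke-WmiMethod -ComputerName $s -Class Win32_Process -Name Create -ArgumentList 'ipconfig /registerdns' | Out-Null
                $status = if ($rc -eq 0) { 'Fixed' } else { "FixFailed($rc)" }
            }
            [pscustomobject]@{ Server = $s; Status = $status; Dns = ($dns -join ', ') }
        }
    }
}

# Report only the machines that need attention; add -Fix to rewrite their DNS list.
Find-StaleDnsClients | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Run it without `-Fix` first: an Unreachable row means the firewall blocks DCOM/WMI to that host, not that its DNS is wrong, and a Stale row on a DC should be corrected by hand to the partner-first, loopback-second layout rather than to the member-server list.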
