Moving Domain Roles
I'm in the process of rebuilding my main server from 2003 R2 to 2008 R2.
As part of it to keep my AD intact I have a secondary domain controller running 2008 R1. It's been in for months.
In final prep I was going to transfer all the domain roles over from Svr1 (2003) to Svr2 (2008) and then back to Svr1New (2008 R2)
However when I try to transfer any roles I get an error saying the FSMO holder is not able to be contacted. But it's online and running fine.
My DNS looks fine, and I can ping each server from the other. So I'm a little stuck on what to do.
I know I can take the old server offline and forcefully seize the roles on my secondary DC and then transfer them back - but that seems a harsh way to do it. I'd prefer to do it gracefully than to seize them.
This is really annoying me, as all the results I can find on this deal with a dead DC going offline in a disaster and then needing to seize the roles. The only post I can find regarding a graceful transfer where this error occurs with the original DC online deals with DNS. But my DNS seems fine.
Any ideas folks?
If not then I'll just have to take the old DC offline, seize the roles and hope
I presume as you're running a 2008 R1 Server that you've already upgraded the schema and run the /forestprep and /domainprep commands?
You'll need to update the schema on your PDC again (up to 47, for 2008 R2). The firewall on 2008/2008 R2 is quite robust, so for this exercise I would recommend you switch it off.
You need to make sure both your 2003 R2 and 2008 R1 servers can replicate. Check both are nameservers and that they can replicate between each other. Until you can do this, I wouldn't think about 2008 R2 or even seizing roles, that's not a good idea.
I'm guessing you're upgrading at least the 2003 R2, so (once the server can replicate) transfer all roles to your 2008 R1 server (same process as 2000 to 2003 mostly), then demote 2003 R2 as a DC, demote it from the domain, then install 2008 R2.
Don't forget to export DHCP server too ;) Good luck!
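The pre-flight checks and the graceful role transfer described above, as an added PowerShell example (not from this thread or any poster). It assumes it runs on a 2008 R2 or later machine with the RSAT ActiveDirectory module, and that Svr1, Svr2 and the DHCP export path are placeholders for your own names. It goes a little beyond the thread by testing the RPC endpoint mapper port, because a holder that answers ping but whose RPC port is blocked by a host firewall or endpoint agent produces exactly the "cannot be contacted" error.

```powershell
# Added example, not the thread's own commands. Placeholders: Svr1 (current
# FSMO holder), Svr2 (DC the roles move to). Requires the RSAT AD module.
Import-Module ActiveDirectory

$source = 'Svr1'
$target = 'Svr2'

# 1. Who holds each role right now? Both views should name the DC you expect.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Schema level: 2008 R2 media raises objectVersion to 47 (adprep /forestprep).
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
"Schema objectVersion: $($schema.objectVersion)"

# 3. Replication health BEFORE touching roles. A transfer is an LDAP write on
#    the current holder that must replicate to the new one.
repadmin /replsummary
repadmin /showrepl $target
dcdiag /s:$source /test:Connectivity /test:Replications /test:FsmoCheck

# 4. Ping is not enough: role transfer uses RPC, starting at TCP 135 on the
#    holder. If this port is blocked, fix the firewall or endpoint agent first.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($source, 135); "TCP 135 to ${source}: open" }
catch { "TCP 135 to ${source}: blocked - resolve before transferring" }
finally { $tcp.Close() }

# 5. Graceful transfer of all five roles. No -Force: that switch is the
#    seizure path and is only for a holder that is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
    -Confirm:$false

# 6. Verify with a tool that does not depend on the AD module.
netdom query fsmo

# 7. DHCP scopes and leases, if the old DC also runs DHCP (path is a placeholder).
netsh dhcp server export C:\dhcp-export.txt all
```

Run steps 1 to 4 on their own first; only proceed to step 5 once repadmin shows no failures and the RPC check passes, since a transfer attempted against a half-reachable holder is what produces the error in the question.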
Both are happily replicating between each other.
Both are nameservers. Hence why I'm stuck on this!
And I presume you've tried selecting a different Domain Controller on the context menu?
Finally moved the roles. Turns out Sophos Endpoint was doing something funky - despite the Firewall being off and Sophos Tech Support saying it was nothing to do with them!
I'm now having replication issues, namely SYSVOL and NETLOGON. It appears to be a DNS error, although my DNS looks fine. I've even deleted all the entries and rebuilt.
When my old DC is off (which has no roles now) no AD tools can connect to the directory, and the DNS doesn't seem to run properly. With it turned on the AD tools connect (only on new DC as it should be, as there is no AD DB on old DC) and the DNS works fine.
I still can't get full replication (even after demoting and re-promoting). I can get DNS running only on the new DC, but in AD U&C advanced mode the AD dnsNode still points to the old DC. Hence when it's off AD tools won't connect and I've not got a SYSVOL or NETLOGON.
I'm at the verge of chucking all this in and rebuilding the domain from the ground up (not that much hassle anyway, all the client machines - every last one - need to be re-imaged before the end of the summer, along with brand new GPOs). I only have 2 problems: 1) The LEA is part way through a Sophos encryption install and 2) I would have to re-create my SharePoint sites.
Even without the old DC hosting any roles, you should run dcpromo and properly demote it as a domain controller. This will transfer any remaining domain information to your new DC.
I would also demote it from the domain to a workgroup. I have always done both of these just to be 100% the new DC will run without the old one.
Just a thought, did you make your new DC a Global Catalog and have you enabled DNS Zone Transfers (on both your existing and new DC, both Forward and Reverse zones)?
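The checks behind the two questions just asked (Global Catalog, zone transfers) and the SYSVOL/NETLOGON and DNS locator symptoms described a few posts earlier, as one added PowerShell example that is not part of this thread. It assumes it runs on the new 2008 R2 DC with the ActiveDirectory module installed; corp.example, NewDC and OldDC are placeholders, and the firewall rule group names are the ones shipped with 2008 R2 (confirm them with `netsh advfirewall firewall show rule name=all` before relying on them).

```powershell
# Added example, not the thread's own commands. Placeholders: corp.example
# (domain), NewDC (2008 R2 DC), OldDC (DC being retired).
Import-Module ActiveDirectory
$zone  = 'corp.example'
$newDc = 'NewDC'
$oldDc = 'OldDC'

# 1. Is the new DC a Global Catalog, advertising itself, and sharing
#    SYSVOL/NETLOGON? A DC without both shares is not finished replicating.
Get-ADDomainController -Identity $newDc | Select-Object HostName, IsGlobalCatalog, Site
dcdiag /s:$newDc /test:Advertising /test:NetLogons /test:SysVolCheck /test:DNS
net share | findstr /i "SYSVOL NETLOGON"

# 2. Which DC the locator hands out. AD tools bind to whatever the
#    _ldap._tcp.dc._msdcs SRV records name; if they still name OldDC, every
#    tool fails the moment it is powered off, exactly as described above.
nltest /dsgetdc:$zone /force
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$zone" $newDc
nslookup -type=SRV "_gc._tcp.$zone" $newDc
nslookup -type=NS  $zone $newDc          # both DCs should be listed as NS

# 3. Zone transfer policy on the zone (SecureSecondaries: 0 = any server,
#    1 = NS servers only, 2 = listed servers, 3 = disabled). AD-integrated
#    zones replicate through AD itself; DsIntegrated should read 1.
dnscmd $newDc /ZoneInfo $zone | findstr /i "SecureSecondaries DsIntegrated"
# To allow transfers to the zone's NS servers only (tighter than 'any'):
dnscmd $newDc /ZoneResetSecondaries $zone /SecureNs

# 4. Re-register NewDC's own A and SRV records, then repeat step 2.
ipconfig /registerdns
nltest /dsregdns
Restart-Service NetLogon

# 5. Instead of switching the host firewall off, enable the predefined rule
#    groups a DC needs (names as shipped on 2008 R2; verify on your build).
netsh advfirewall firewall set rule group="Active Directory Domain Services" new enable=yes
netsh advfirewall firewall set rule group="DNS Service" new enable=yes
netsh advfirewall firewall set rule group="File Replication" new enable=yes
```

If step 2 keeps returning OldDC after step 4, the stale SRV records were written by the old DC and will only disappear once it is demoted cleanly with dcpromo or its records are removed by hand; leaving them in place is what makes the directory unreachable with the old machine off.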
Both are fine.
The DNS just doesn't seem to be transferring and when I try and demote the old DC I'm just told it can't find any other DCs in the forest.
It seems like there are some real problems with this entire setup, so I'll start it again. I think now even if I get it replicating away, there are probably many more problems hidden away.
I would switch the Firewall off and make sure Zone Transfers are enabled. It doesn't sound like anything's majorly broken.