  1. burbankmarc (wino; Virginia; joined Oct 2009; 455 posts; certifications: LPIC, NCLA, CCNA, CCNP, CCIP)
    #1

    Active Directory Server 2000

    Hey all,

    I frequent the Cisco and Linux forums here but I have an MS question. I am not an MS guy so you might have to talk slowly to me.

    Anyways, I want to upgrade my domain controllers from 2000/2003 to 2008 R2. I first want to test this upgrade process. I installed Server 2000 on a PC, added it to the domain and made it a domain controller. I then had a complete copy of the AD forest, so that was cool. I then moved it to a private network and stuff stopped working.

    I wasn't able to do anything for AD because it couldn't contact the other domain controllers, so I seized control of all the roles I could hoping that would be it. Well it wasn't and now it seems to work even less.

    So my question is how do you pull a working Domain Controller and move it to a private LAN for testing?

  3. Devilsbane (Senior Member; joined Apr 2010; 4,203 posts; certifications: MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics)
    #2
    I wish I could answer your question, but I have never done this.

    What I do know is seizing control of the FSMO roles is almost always a bad idea. Something breaks pretty much every time. But I think you already learned that one.

  4. Mojo_666 (I "HEART" M$; Cardiff, Wales UK; joined Jun 2010; 438 posts; certifications: MCSE+M, MCSE+S, MCITP:SA, MCITP:EA, MCSA:2008, MCSA:2012)
    #3
    Quote Originally Posted by burbankmarc View Post
    Hey all,

    I frequent the Cisco and Linux forums here but I have an MS question. I am not an MS guy so you might have to talk slowly to me.

    Anyways, I want to upgrade my domain controllers from 2000/2003 to 2008 R2. I first want to test this upgrade process. I installed Server 2000 on a PC, added it to the domain and made it a domain controller. I then had a complete copy of the AD forest, so that was cool. I then moved it to a private network and stuff stopped working.

    I wasn't able to do anything for AD because it couldn't contact the other domain controllers, so I seized control of all the roles I could hoping that would be it. Well it wasn't and now it seems to work even less.

    So my question is how do you pull a working Domain Controller and move it to a private LAN for testing?
    I am not sure why you are doing it the way you are, unless you want a test domain? Anyway, you can build a DC, allow it to replicate, then move it and seize the roles. BUT you have to do some housekeeping afterwards.

    Your new and separate domain needs to be treated as if all the other DCs have failed, so you need to do a metadata cleanup as per
    Delete Failed DCs from Active Directory

    You should also remove them from Sites and Services, as this is not done for you.

    Clean up DNS and run dcdiag /test:dns, ignoring any post-reboot events. Anything other than that, you would need to be more specific about what is not working.

    Also ignore anything in the event logs right after a DC reboots; in fact what I do is just clear all events and watch for new ones.

    Just make sure you do not move that DC back to the other network.
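    An added example (not code from the thread or from either poster) of the housekeeping check that follows this post: after the roles have been seized and metadata cleaned up, it lists from the 2008 R2 box which DCs, FSMO owners and Sites and Services server objects the isolated lab forest still knows about, so stale entries stand out. It assumes the domain name mapcom.local from later in the thread, that the machine running it resolves that domain through the test DC's DNS, and that a lab domain admin account is entered at the prompt; it needs PowerShell 2.0 with .NET 3.5.

```powershell
# Added example, not from the thread. Lists live DCs, FSMO owners and Sites and
# Services server objects for an isolated lab domain so stale DCs stand out.
# Assumptions: domain name from the thread; DNS for it points at the test DC;
# a lab domain admin credential is supplied at the prompt (PowerShell 2.0, .NET 3.5).
param([string]$Domain = 'mapcom.local')

Add-Type -AssemblyName System.DirectoryServices
$cred = Get-Credential            # enter as DOMAIN\user so the context binds correctly
$nc   = $cred.GetNetworkCredential()

# A DirectoryContext lets a machine that is not (yet) joined query the domain explicitly.
$ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
           -ArgumentList 'Domain', $Domain, $cred.UserName, $nc.Password
$dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$forest = $dom.Forest

# DCs the directory itself still advertises (after a good metadata cleanup: only the lab DC).
$liveDcs = @($dom.DomainControllers | ForEach-Object { $_.Name.ToLower() })
"Domain controllers: {0}" -f ($liveDcs -join ', ')
"Global catalogs:    {0}" -f (@($forest.GlobalCatalogs | ForEach-Object { $_.Name }) -join ', ')

# All five FSMO owners should be the surviving lab DC; anything else is a role that
# was not seized and still points at a DC that no longer exists on this network.
$roles = @{
    'Schema'         = $forest.SchemaRoleOwner.Name
    'DomainNaming'   = $forest.NamingRoleOwner.Name
    'PDC'            = $dom.PdcRoleOwner.Name
    'RID'            = $dom.RidRoleOwner.Name
    'Infrastructure' = $dom.InfrastructureRoleOwner.Name
}
foreach ($r in $roles.Keys) {
    $flag = if ($liveDcs -contains $roles[$r].ToLower()) { 'ok   ' } else { 'STALE' }
    "{0} {1,-14} -> {2}" -f $flag, $r, $roles[$r]
}

# Sites and Services keeps its own server objects and metadata cleanup does not remove
# them; any server object that is not a live DC has to be deleted there by hand.
foreach ($site in $forest.Sites) {
    foreach ($srv in $site.Servers) {
        if ($liveDcs -notcontains $srv.Name.ToLower()) {
            "STALE server object {0} in site {1}" -f $srv.Name, $site.Name
        }
    }
}
```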

  5. burbankmarc
    #4
    Yeah, I did learn that the hard way, which is why I love testing things.

    Ok, so maybe I can't just pull it from a live environment and throw it onto a test environment, but is there a way I can export the AD on the live servers and import it onto my test machine?

    *EDIT*

    Thanks Mojo, let me go test that out and see what I come up with.

  6. Mojo_666
    #5
    Quote Originally Posted by burbankmarc View Post

    Ok, so maybe I can't just pull it from a live environment and throw it onto a test environment, but is there a way I can export the AD on the live servers and import it onto my test machine?
    Well if you allowed it to replicate it should have a copy already, that's how it works, or am I not understanding what you have done?

  7. Mojo_666
    #6
    BTW I would also advise a transitional migration not an upgrade, unless you have a reason for doing so.

  8. burbankmarc
    #7
    Ha, well I tried the metadata cleanup, but the servers weren't listed, so I didn't have anything to clean. Now, however, I cannot even connect to AD.

    I guess I'll have to wipe the system and start again, no biggie.

    Quote Originally Posted by Mojo_666 View Post
    Well if you allowed it to replicate it should have a copy already, that's how it works, or am I not understanding what you have done?
    Well that's what I was banking on, the replication, which worked perfectly. However, I didn't know that if you pulled it off the network it would break everything.

    I guess I was curious if I could just export AD from one network then import it to my test machine.

    Quote Originally Posted by Mojo_666 View Post
    BTW I would also advise a transitional migration not an upgrade, unless you have a reason for doing so.
    Well I don't know what that means, but sure. I just want to get off these old OSes. So whichever way works best is fine by me.

  9. ajs1976 (Senior Member; Pittsburgh; joined Aug 2003; 1,948 posts; certifications: MCSE (old), SSCP, CCA, Sec+, P+, L+, and N+)
    #8
    What DNS server is your test box pointing to? Itself or one of the other DCs?
    Andy


  10. Mojo_666
    #9
    Quote Originally Posted by burbankmarc View Post
    Ha, well I tried the metadata cleanup, but the servers weren't listed, so I didn't have anything to clean. Now, however, I cannot even connect to AD.

    I guess I'll have to wipe the system and start again, no biggie.



    Well that's what I was banking on, the replication, which worked perfectly. However, I didn't know that if you pulled it off the network it would break everything.

    I guess I was curious if I could just export AD from one network then import it to my test machine.



    Well I don't know what that means, but sure. I just want to get off these old OSes. So whichever way works best is fine by me.
    Well you can get it going; all these things are fixable, it's just how much time and effort do you want to spend doing so? I have a few hours to help, but you might be better off starting from scratch as it's a lab setup... your call.

    Transitional means just that: you transition over to 2008, so you would basically build a 2008 DC on your domain, MOVE roles to it, get it all working, then decom an old server, rebuild it to 2008, make it a DC and so on until all your DCs are 2008, rather than what is effectively an OS upgrade... make sense?

  11. Mojo_666
    #10
    Quote Originally Posted by ajs1976 View Post
    What DNS server is your test box pointing to? Itself or one of the other DCs?
    Just to add to this, pretty much every issue you will have is going to be related to DNS, but this is the first thing to check.

    If it is not pointing to itself then configure it to do so, then at the command prompt type

    "ipconfig /flushdns"
    then
    "net stop netlogon && net start netlogon"

    Then run dcdiag /test:dns to find any other DNS issues.

  12. burbankmarc
    #11
    Quote Originally Posted by Mojo_666 View Post
    Well you can get it going; all these things are fixable, it's just how much time and effort do you want to spend doing so? I have a few hours to help, but you might be better off starting from scratch as it's a lab setup... your call.

    Transitional means just that: you transition over to 2008, so you would basically build a 2008 DC on your domain, MOVE roles to it, get it all working, then decom an old server, rebuild it to 2008, make it a DC and so on until all your DCs are 2008, rather than what is effectively an OS upgrade... make sense?
    I wouldn't mind fixing these things. I could probably use a deeper understanding of how Microsoft servers work.

    And that was exactly my plan. I was going to put a new 2008 server on the domain, replicate all the data to it, then slowly decommission the 2000/2003 servers.

    Ok, so how would I fix the problem where I can't connect to AD on my test machine?

    Thanks a lot for the help, btw. I appreciate it.

  13. Mojo_666
    #12
    As ajs1976 said, start with the local DNS configuration; post an ipconfig /all output from the DC.

  14. burbankmarc
    #13
    Word up, it was the DNS. I can connect to AD and make changes. I removed all the "failed" DCs. So now my test machine is the only one.

    Now, as a test I tried adding my test 2008 server to the domain, but it failed out. It says it can't find the domain. Its DNS server is pointed to the Server 2000 test machine.

  15. Mojo_666
    #14
    Quote Originally Posted by burbankmarc View Post
    Word up, it was the DNS. I can connect to AD and make changes. I removed all the "failed" DCs. So now my test machine is the only one.

    Now, as a test I tried adding my test 2008 server to the domain, but it failed out. It says it can't find the domain. Its DNS server is pointed to the Server 2000 test machine.
    Happy days. First thing, make sure the 2000 box is working ok: no events etc., dcdiag looking ok and so on. Make sure you have no firewall running, then try again. But again check the IP config of the 2008 box; it needs to be on the same subnet or have a route, and it needs to be looking at the DNS servers of the domain you are wanting to join etc.

    But make sure the 2000 box is ok as above, maybe even give it a reboot for good luck.

  16. burbankmarc
    #15
    Quote Originally Posted by Mojo_666 View Post
    Happy days. First thing, make sure the 2000 box is working ok: no events etc., dcdiag looking ok and so on. Make sure you have no firewall running, then try again. But again check the IP config of the 2008 box; it needs to be on the same subnet or have a route, and it needs to be looking at the DNS servers of the domain you are wanting to join etc.
    Don't worry, I got the networking portion.

    There is no firewall.


    Quote Originally Posted by Mojo_666 View Post
    But make sure the 2000 box is ok as above, maybe even give it a reboot for good luck.
    Ok, I also rebooted both of them for good measure.


    DC Diag output

    Code:
    Domain Controller Diagnosis
    
    Performing initial setup:
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: MAPCOM\MAPCOM-HQ-06
          Starting test: Connectivity
             MAPCOM-HQ-06's server GUID DNS name could not be resolved to an
             IP address.  Check the DNS server, DHCP, server name, etc
             Although the Guid DNS name
             (0d46c4b3-096f-4a20-af69-410cc72cdcbe._msdcs.mapcom.local) couldn't be
             resolved, the server name (mapcom-hq-06.mapcom.local) resolved to the
             IP address (172.18.1.1) and was pingable.  Check that the IP address
             is registered correctly with the DNS server.
             ......................... MAPCOM-HQ-06 failed test Connectivity
    
    Doing primary tests
    
       Testing server: MAPCOM\MAPCOM-HQ-06
          Skipping all tests, because server MAPCOM-HQ-06 is
          not responding to directory service requests
    
       Running enterprise tests on : mapcom.local
          Starting test: Intersite
             ......................... mapcom.local passed test Intersite
          Starting test: FsmoCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.

  17. Mojo_666
    #16
    This might be a bit off as it's 2000, but go into Sites and Services, drill down to your server, expand till you see NTDS, right click > Properties and put a check in Global Catalog.

    Then verify SRV records as per the below articles

    http://support.microsoft.com/kb/241515
    http://support.microsoft.com/kb/241505
    Last edited by Mojo_666; 08-18-2010 at 07:37 PM.

  18. burbankmarc
    #17
    Ok, that was easy enough. What did that do?

  19. Mojo_666
    #18
    You need a Global Catalog server for your domain; by default this is created on the first DC, but as you skipped that part you needed to do it manually.

    Check the edit I made also for the GUID error and follow those links; this might not cause you an issue short term, but it's good to fix.

  20. burbankmarc
    #19
    Ok well I noticed that I didn't even have DNS services installed. So I installed them and ran dcdiag again, now almost all the tests are passing. I'm still getting an FSMO 1355 error though....lemme grab the output and post it.

    *EDIT*

    ok here's the dcdiag output:

    Code:
     
    Domain Controller Diagnosis 
     
    Performing initial setup: 
       Done gathering initial info. 
     
    Doing initial required tests 
        
       Testing server: MAPCOM\MAPCOM-HQ-06 
          Starting test: Connectivity 
             ......................... MAPCOM-HQ-06 passed test Connectivity 
     
    Doing primary tests 
        
       Testing server: MAPCOM\MAPCOM-HQ-06 
          Starting test: Replications 
             ......................... MAPCOM-HQ-06 passed test Replications 
          Starting test: NCSecDesc 
             ......................... MAPCOM-HQ-06 passed test NCSecDesc 
          Starting test: NetLogons 
             ......................... MAPCOM-HQ-06 passed test NetLogons 
          Starting test: Advertising 
             Fatal Error:DsGetDcName (MAPCOM-HQ-06) call failed, error 1355 
             The Locator could not find the server. 
             ......................... MAPCOM-HQ-06 failed test Advertising 
          Starting test: KnowsOfRoleHolders 
             ......................... MAPCOM-HQ-06 passed test KnowsOfRoleHolders 
          Starting test: RidManager 
             ......................... MAPCOM-HQ-06 passed test RidManager 
          Starting test: MachineAccount 
             ......................... MAPCOM-HQ-06 passed test MachineAccount 
          Starting test: Services 
             ......................... MAPCOM-HQ-06 passed test Services 
          Starting test: ObjectsReplicated 
             ......................... MAPCOM-HQ-06 passed test ObjectsReplicated 
          Starting test: frssysvol 
             Error: No record of File Replication System, SYSVOL started. 
             The Active Directory may be prevented from starting. 
             There are errors after the SYSVOL has been shared. 
             The SYSVOL can prevent the AD from starting. 
             ......................... MAPCOM-HQ-06 passed test frssysvol 
          Starting test: kccevent 
             ......................... MAPCOM-HQ-06 passed test kccevent 
          Starting test: systemlog 
             An Error Event occured.  EventID: 0x8000003E 
                Time Generated: 08/18/2010   14:16:03 
                Event String: This Machine is a PDC of the domain at the root  
             ......................... MAPCOM-HQ-06 failed test systemlog 
        
       Running enterprise tests on : mapcom.local 
          Starting test: Intersite 
             ......................... mapcom.local passed test Intersite 
          Starting test: FsmoCheck 
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355 
             A Global Catalog Server could not be located - All GC's are down. 
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 
             A Time Server could not be located. 
             The server holding the PDC role is down. 
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 
             A Good Time Server could not be located. 
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355 
             A KDC could not be located - All the KDCs are down. 
             ......................... mapcom.local failed test FsmoCheck 
    Last edited by burbankmarc; 08-18-2010 at 08:11 PM.

  21. Mojo_666
    #20
    Quote Originally Posted by burbankmarc View Post
    Ok well I noticed that I didn't even have DNS services installed. So I installed them and ran dcdiag again, now almost all the tests are passing. I'm still getting an FSMO 1355 error though....lemme grab the output and post it.
    One to add to your check list for next time..

    While you are checking stuff, can you check the DNS has the following zones? I suspect you might be missing the _msdcs zone

    _msdcs
    _sites
    _tcp
    _udp
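    An added example (not code from the thread or from either poster) that ties together the SRV record check from post #16 and the zone check above: run from the 2008 R2 box, it queries the test DC's DNS for the locator records that a domain join and each failing DcGetDcName call in the dcdiag output depend on, plus the GUID CNAME from the earlier Connectivity failure. It assumes the domain mapcom.local, DNS server 172.18.1.1 and NTDS GUID as they appear in the posted dcdiag output, that mapcom.local is also the forest root (where the gc records live), and that nslookup.exe is on the path; it is written for PowerShell 2.0.

```powershell
# Added example, not from the thread. Checks the DNS locator records behind the
# 'domain could not be contacted' join failure and the FsmoCheck 1355 warnings.
# Assumptions: domain, DNS server and GUID come from the thread's dcdiag output;
# mapcom.local is the forest root; nslookup.exe is available (PowerShell 2.0).
param(
    [string]$Domain    = 'mapcom.local',
    [string]$DnsServer = '172.18.1.1',
    [string]$NtdsGuid  = '0d46c4b3-096f-4a20-af69-410cc72cdcbe'
)

# Locator SRV records and which DcGetDcName requirement (from the dcdiag output) each serves.
$srvRecords = @{
    "_ldap._tcp.dc._msdcs.$Domain"     = 'writable DC for LDAP / domain join'
    "_kerberos._tcp.dc._msdcs.$Domain" = 'KDC_REQUIRED'
    "_ldap._tcp.gc._msdcs.$Domain"     = 'GC_SERVER_REQUIRED (forest root zone)'
    "_ldap._tcp.pdc._msdcs.$Domain"    = 'PDC / TIME_SERVER'
    "_ldap._tcp.$Domain"               = 'generic LDAP locator (_tcp zone)'
    "_kerberos._tcp.$Domain"           = 'Kerberos outside _msdcs (_tcp zone)'
}

function Get-SrvTargets([string]$Name, [string]$Server) {
    # Windows nslookup prints one 'svr hostname = <fqdn>' line per SRV answer;
    # stderr chatter ('Non-authoritative answer', "can't find") is discarded.
    $out = & nslookup.exe -type=SRV $Name $Server 2>$null
    $targets = @()
    foreach ($line in $out) {
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $targets += $matches[1] }
    }
    return $targets
}

$failed = 0
foreach ($name in $srvRecords.Keys) {
    $targets = Get-SrvTargets $name $DnsServer
    if ($targets.Count -eq 0) {
        Write-Host ("MISSING  {0}  ({1})" -f $name, $srvRecords[$name]) -ForegroundColor Red
        $failed++
    } else {
        Write-Host ("ok       {0} -> {1}" -f $name, ($targets -join ', '))
    }
}

# The GUID-based CNAME that dcdiag's Connectivity test could not resolve.
$guidName = "$NtdsGuid._msdcs.$Domain"
$cname = & nslookup.exe -type=CNAME $guidName $DnsServer 2>$null |
         Select-String 'canonical name\s*=\s*(\S+)' | Select-Object -First 1
if ($cname) {
    Write-Host ("ok       {0} -> {1}" -f $guidName, $cname.Matches[0].Groups[1].Value)
} else {
    Write-Host "MISSING  $guidName  (GUID CNAME used by replication partners)" -ForegroundColor Red
    $failed++
}

# A missing record normally means netlogon has not (re)registered on the DC or the
# _msdcs zone is absent; the exit code is the number of missing records.
exit $failed
```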

  22. burbankmarc
    #21
    _msdcs is in there; it has my 2000 test machine listed as offering the service.

  23. Mojo_666
    #22
    Ok you should be good to go, but it might be worth running "net stop netlogon && net start netlogon" from the command line just to re-register the SRV records.

    Once done try adding the 2008 server to the domain again.

  24. burbankmarc
    #23
    Cool thanks for all the help. This has been pretty informative.

    Still cannot connect though. I tried the full domain too of mapcom.local. If I ping mapcom.local from my 2008 server it returns the address of the 2000 DC.

  25. Mojo_666
    #24
    Quote Originally Posted by burbankmarc View Post
    Cool thanks for all the help. This has been pretty informative.

    Still cannot connect though. I tried the full domain too of mapcom.local. If I ping mapcom.local from my 2008 server it returns the address of the 2000 DC.
    What message is being returned? Cannot find domain? Any remaining errors on dcdiag /test:dns output from the DC?

  26. burbankmarc
    #25
    It says "AD DC for domain mapcom.local could not be contacted" -paraphrased.

    dcdiag /test:dns - tells me that isn't a valid test.

    The FSMO test is still failing, though.