adprep /domainprep /gpprep fails

Hey there, thanks for reading my question. I am having problems adding a new
Server 2008 x64 as domain controller in an existing 2003 forest.

The entire situation is a bit embaressing, so I should tell you ahead of
time that I am new to IT, and I've likely made mistakes. Please bear with me.

We have an old 2003 server that functioned as dc. It is not valid, and we
can no longer log into it. (I should mention that I do no support piracy, and
as such, have worked very hard to bring everything here to a professional
level)

We have invested in a brand new 2008 server which I want to replace the 2003
completely. The 2003 is an old unreliable computer, and I do not want it
performing any domain level function anymore.

Since I cannot log into the old 2003 to run adprep, I can't promote the 2008
to dc. My idea to work around this was create a hyper-v virtual machine with
2003, transfer roles to the 2003 virtual machine, and run adprep from there.
I did this, but am stuck with a couple differant issues:

1) After forestprep succeeded, domainprep /gpprep fails
log says
Adprep unable to update domain information
Adprep requires access to existing domain-wide information from the
infrastructure master in order to complete this operation.

notes:
-I made sure the sysvol reg key is correct
-this virtual machine dc is infrastructure master, as well as all other fsmo
roles

2) Ignoring this error, I attempted to use dcpromo on 2008 anyway, however
warnings that I do not understand convinced me not to continue without asking
for help. The warning I received says: A delegation for this DNS server
cannot be created because the authoritative parent zone cannot be found or it
does not run Windows DNS server. To enable reliable DNS name resolution from
outside the domain *FQDN*, you should create a delegation to this DNS server
manually in the parent zone. Do you want to continue?

What do I do now???? The old 2003 is still running, serving up dc, and now
I've got a virtual machine 2003 running as another, neither of which are
valid, and I need to get rid of, and 2008 sitting here, just waiting to get a
peice of the action.

Any help is well appreciated! Thanks

Hi

Can you login in the old server and run the dcdiag and netdiag tools from MS
Support Tools?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

> Since I cannot log into the old 2003 to run adprep, I can't promote the
> 2008
> to dc. My idea to work around this was create a hyper-v virtual machine
> with
> 2003, transfer roles to the 2003 virtual machine, and run adprep from
> there.
> I did this, but am stuck with a couple differant issues:

why are you not able to logon to the DC, but you are able to promote an
additional DC? Both require domain admin permissions, so that is kinda
strange to me

I would make the environment as healthy as possible, install new HW/SW and
kick out the old stuff

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"ryguy" <> wrote in message
news:9DE93F37-E359-4D27-91AF-...
> Hey there, thanks for reading my question. I am having problems adding a
> new
> Server 2008 x64 as domain controller in an existing 2003 forest.
>
> The entire situation is a bit embaressing, so I should tell you ahead of
> time that I am new to IT, and I've likely made mistakes. Please bear with
> me.
>
> We have an old 2003 server that functioned as dc. It is not valid, and we
> can no longer log into it. (I should mention that I do no support piracy,
> and
> as such, have worked very hard to bring everything here to a professional
> level)
>
> We have invested in a brand new 2008 server which I want to replace the
> 2003
> completely. The 2003 is an old unreliable computer, and I do not want it
> performing any domain level function anymore.
>
> Since I cannot log into the old 2003 to run adprep, I can't promote the
> 2008
> to dc. My idea to work around this was create a hyper-v virtual machine
> with
> 2003, transfer roles to the 2003 virtual machine, and run adprep from
> there.
> I did this, but am stuck with a couple differant issues:
>
> 1) After forestprep succeeded, domainprep /gpprep fails
> log says
> Adprep unable to update domain information
> Adprep requires access to existing domain-wide information from the
> infrastructure master in order to complete this operation.
>
> notes:
> -I made sure the sysvol reg key is correct
> -this virtual machine dc is infrastructure master, as well as all other
> fsmo
> roles
>
> 2) Ignoring this error, I attempted to use dcpromo on 2008 anyway, however
> warnings that I do not understand convinced me not to continue without
> asking
> for help. The warning I received says: A delegation for this DNS server
> cannot be created because the authoritative parent zone cannot be found or
> it
> does not run Windows DNS server. To enable reliable DNS name resolution
> from
> outside the domain *FQDN*, you should create a delegation to this DNS
> server
> manually in the parent zone. Do you want to continue?
>
> What do I do now???? The old 2003 is still running, serving up dc, and now
> I've got a virtual machine 2003 running as another, neither of which are
> valid, and I need to get rid of, and 2008 sitting here, just waiting to
> get a
> peice of the action.
>
> Any help is well appreciated! Thanks

Thank you Jorge, but I do not believe you understood me completely, so I will
clarify.

I cannot log into the desktop of the original DC because wpa is invalid. To
work around this I installed another 2003 server as a virtual machine on
another computer to run forestprep and domainprep. But domainprep produced
errors.

I can use this virtual machine to do anything now, but errors are occuring.
I need assitance with the errors that I listed in the original message re:
domainprep. The errors are what I need help with now. I have access to a DC
to perform the required steps.

dcdiag results:
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\AT-6CE49F618025\netlogon)
[AT-6CE49F618025] An net use or LsaPolicy operation failed with
error 1
203, No network provider accepted the given network path..
......................... AT-6CE49F618025 failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for
\\server-room.ambutrans.l
ocal, when we were trying to reach AT-6CE49F618025.
Server is not responding or is not considered suitable.
......................... AT-6CE49F618025 failed test Advertising

Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
......................... AT-6CE49F618025 failed test frsevent


"Jorge Silva" wrote:

> Hi
>
> Can you login in the old server and run the dcdiag and netdiag tools from MS
> Support Tools?
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
>

netdiag results:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the
local
machine. This machine is not working properly as a DC.


"Jorge Silva" wrote:

> Hi
>
> Can you login in the old server and run the dcdiag and netdiag tools from MS
> Support Tools?
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
>

ahhhhh. now I understand

ok, try the following

introduce a NEW w2k3 DC into the existing domain (which is just 1 DC) and
also make it a GC and a DNS server. After the promotion the domain will have
two DCs, one unhealthy and one healthy
from the healthy DC start exporting stuff that needs to be exported (.e.g
DHCP stuff, etc.)
Shutdown the UNhealthy DC
on the healthy DC clean the AD metadata of the UNhealhty DC
on the healthy DC seize ALL FSMO to the healthy DC

use the following commands to check the health of the healthy DC:
DCDIAG /C /D /V
GPOTOOL /CheckAcl /Verbose

if thats OK do:
ADPREP /FORESTPREP
ADPREP /RODCPREP (if you want to use RODCs, does not hurt if you do this!)
ADPREP /DOMAINPREP /GPPREP

Install the W2K8 DC, make it a GC, a DNS server and transfer the FSMO roles
to the W2K8 DC
demote the healthy w2k3 DC and remove from domain

it should be something like this

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Ryguy" <> wrote in message
news:2FA0F36C-BA12-4A54-A6BF-...
> Thank you Jorge, but I do not believe you understood me completely, so I
> will
> clarify.
>
> I cannot log into the desktop of the original DC because wpa is invalid.
> To
> work around this I installed another 2003 server as a virtual machine on
> another computer to run forestprep and domainprep. But domainprep produced
> errors.
>
> I can use this virtual machine to do anything now, but errors are
> occuring.
> I need assitance with the errors that I listed in the original message re:
> domainprep. The errors are what I need help with now. I have access to a
> DC
> to perform the required steps.
>

things have become pretty desperate for me

i can't get a healthy dc to replicate from the unhealthy. strange though,
cause i've promoted the new 2008 server already, and it's also running a vm
of 2003 server, also a dc. all three dc's are unhealthy! the first one, the
one I'm trying to replace, I can't log into it, but it continues to run. The
second one in the vm, and the third, the 2008, neither of which are charing
sysvol, so replication isn't successfull?! the event logs mention a few
things, but nothing concrete. Anyone have any suggestions?

Please see two messages i've replied to this one. The first message contains
event log entries, and the second one the results of dcdiag

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = ATSERV
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\ATSERV
Starting test: Connectivity
......................... ATSERV passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\ATSERV
Starting test: Advertising
Warning: DsGetDcName returned information for
\\server-room.atdomain.local, when we were trying to reach ATSERV.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... ATSERV failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
Group Policy problems. Failing SYSVOL replication problems may cau
......................... ATSERV passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
Group Policy problems. Failing SYSVOL replication problems may cau
......................... ATSERV failed test DFSREvent
Starting test: SysVolCheck
......................... ATSERV passed test SysVolCheck
Starting test: KccEvent
......................... ATSERV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ATSERV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ATSERV passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=atdomain,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=atdomain,DC=local
......................... ATSERV failed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\ATSERV\netlogon)
[ATSERV] An net use or LsaPolicy operation failed with error 67,
Win32 Error 67.
......................... ATSERV failed test NetLogons
Starting test: ObjectsReplicated
......................... ATSERV passed test ObjectsReplicated
Starting test: Replications
......................... ATSERV passed test Replications
Starting test: RidManager
......................... ATSERV passed test RidManager
Starting test: Services
......................... ATSERV passed test Services
Starting test: SystemLog
An Warning Event occurred. EventID: 0x80040020
Time Generated: 06/25/2008 19:40:53
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x80040020
Time Generated: 06/25/2008 19:40:53
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x80040020
Time Generated: 06/25/2008 19:40:53
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x8000001D
Time Generated: 06/25/2008 19:41:23
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x00000C18
Time Generated: 06/25/2008 19:41:30
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x80001421
Time Generated: 06/25/2008 19:41:51
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x8000A000
Time Generated: 06/25/2008 19:41:53
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Error Event occurred. EventID: 0xC0001B81
Time Generated: 06/25/2008 19:42:08
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Error Event occurred. EventID: 0xC0001B58
Time Generated: 06/25/2008 19:42:08
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Error Event occurred. EventID: 0xC0001B81
Time Generated: 06/25/2008 19:42:08
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Error Event occurred. EventID: 0xC0001B58
************************************************** **********************************
This repetition of errors continues for three pages!!!
I am breaking here, and continuing, for the sanity of this thread!
************************************************** **********************************
......................... ATSERV failed test SystemLog
Starting test: VerifyReferences
Some objects relating to the DC ATSERV have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS
Settings,CN=ATSERV,CN=Servers,CN=Default-First-Site-Name,CN=
Sites,CN=Configuration,DC=atdomain,DC=local
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... ATSERV failed test VerifyReferences


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Running partition tests on : atdomain
Starting test: CheckSDRefDom
......................... atdomain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ATSERV failed test SystemLog
Starting test: VerifyReferences
Some objects relating to the DC ATSERV have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS
Settings,CN=ATSERV,CN=Servers,CN=Default-First-Site-Name,CN=
Sites,CN=Configuration,DC=atdomain,DC=local
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... ATSERV failed test VerifyReferences


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Running partition tests on : atdomain
Starting test: CheckSDRefDom
......................... atdomain passed test CheckSDRefDom
Starting test: CrossRefValidation

Years later I stumbled upon this while googling, and I see that I neglected to inform you all of my solution!

I used the task sceheduling service to remotely to execute the commands I couldn't execute locally. Finally I got that old DC off the network, and life there've been no issues since (3 years later).

> On Monday, June 23, 2008 7:41 PM rygu wrote:

> Hey there, thanks for reading my question. I am having problems adding a new
> Server 2008 x64 as domain controller in an existing 2003 forest.
>
> The entire situation is a bit embaressing, so I should tell you ahead of
> time that I am new to IT, and I've likely made mistakes. Please bear with me.
>
> We have an old 2003 server that functioned as dc. It is not valid, and we
> can no longer log into it. (I should mention that I do no support piracy, and
> as such, have worked very hard to bring everything here to a professional
> level)
>
> We have invested in a brand new 2008 server which I want to replace the 2003
> completely. The 2003 is an old unreliable computer, and I do not want it
> performing any domain level function anymore.
>
> Since I cannot log into the old 2003 to run adprep, I can't promote the 2008
> to dc. My idea to work around this was create a hyper-v virtual machine with
> 2003, transfer roles to the 2003 virtual machine, and run adprep from there.
> I did this, but am stuck with a couple differant issues:
>
> 1) After forestprep succeeded, domainprep /gpprep fails
> log says
> Adprep unable to update domain information
> Adprep requires access to existing domain-wide information from the
> infrastructure master in order to complete this operation.
>
> notes:
> -I made sure the sysvol reg key is correct
> -this virtual machine dc is infrastructure master, as well as all other fsmo
> roles
>
> 2) Ignoring this error, I attempted to use dcpromo on 2008 anyway, however
> warnings that I do not understand convinced me not to continue without asking
> for help. The warning I received says: A delegation for this DNS server
> cannot be created because the authoritative parent zone cannot be found or it
> does not run Windows DNS server. To enable reliable DNS name resolution from
> outside the domain *FQDN*, you should create a delegation to this DNS server
> manually in the parent zone. Do you want to continue?
>
> What do I do now???? The old 2003 is still running, serving up dc, and now
> I've got a virtual machine 2003 running as another, neither of which are
> valid, and I need to get rid of, and 2008 sitting here, just waiting to get a
> peice of the action.
>
> Any help is well appreciated! Thanks


>> On Tuesday, June 24, 2008 5:12 AM Jorge Silva wrote:

>> Hi
>>
>> Can you login in the old server and run the dcdiag and netdiag tools from MS
>> Support Tools?
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services


>>> On Tuesday, June 24, 2008 6:21 AM Jorge de Almeida Pinto [MVP - DS] wrote:

>>> why are you not able to logon to the DC, but you are able to promote an
>>> additional DC? Both require domain admin permissions, so that is kinda
>>> strange to me
>>>
>>> I would make the environment as healthy as possible, install new HW/SW and
>>> kick out the old stuff
>>>
>>> --
>>>
>>> Cheers,
>>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>>
>>>
>>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>>> ------------------------------------------------------------------------------------------
>>> * How to ask a question --> http://support.microsoft.com/?id=555375
>>> ------------------------------------------------------------------------------------------
>>> * This posting is provided "AS IS" with no warranties and confers no rights!
>>> * Always test ANY suggestion in a test environment before implementing!
>>> ------------------------------------------------------------------------------------------
>>> ------------------------------------------------------------------------------------------
>>> "ryguy" <> wrote in message
>>> news:9DE93F37-E359-4D27-91AF-...


>>>> On Tuesday, June 24, 2008 11:59 AM Rygu wrote:

>>>> Thank you Jorge, but I do not believe you understood me completely, so I will
>>>> clarify.
>>>>
>>>> I cannot log into the desktop of the original DC because wpa is invalid. To
>>>> work around this I installed another 2003 server as a virtual machine on
>>>> another computer to run forestprep and domainprep. But domainprep produced
>>>> errors.
>>>>
>>>> I can use this virtual machine to do anything now, but errors are occuring.
>>>> I need assitance with the errors that I listed in the original message re:
>>>> domainprep. The errors are what I need help with now. I have access to a DC
>>>> to perform the required steps.


>>>>> On Tuesday, June 24, 2008 12:18 PM Rygu wrote:

>>>>> dcdiag results:
>>>>> Starting test: NetLogons
>>>>> Unable to connect to the NETLOGON share! (\\AT-6CE49F618025\netlogon)
>>>>> [AT-6CE49F618025] An net use or LsaPolicy operation failed with
>>>>> error 1
>>>>> 203, No network provider accepted the given network path..
>>>>> ......................... AT-6CE49F618025 failed test NetLogons
>>>>> Starting test: Advertising
>>>>> Warning: DsGetDcName returned information for
>>>>> \\server-room.ambutrans.l
>>>>> ocal, when we were trying to reach AT-6CE49F618025.
>>>>> Server is not responding or is not considered suitable.
>>>>> ......................... AT-6CE49F618025 failed test Advertising
>>>>>
>>>>> Starting test: frsevent
>>>>> There are warning or error events within the last 24 hours after the
>>>>> SYSVOL has been shared. Failing SYSVOL replication problems may
>>>>> cause
>>>>> Group Policy problems.
>>>>> ......................... AT-6CE49F618025 failed test frsevent
>>>>>
>>>>>
>>>>> "Jorge Silva" wrote:


>>>>>> On Tuesday, June 24, 2008 12:19 PM Rygu wrote:

>>>>>> netdiag results:
>>>>>> Domain membership test . . . . . . : Failed
>>>>>> [WARNING] Ths system volume has not been completely replicated to the
>>>>>> local
>>>>>> machine. This machine is not working properly as a DC.
>>>>>>
>>>>>>
>>>>>> "Jorge Silva" wrote:


>>>>>>> On Tuesday, June 24, 2008 12:20 PM Jorge de Almeida Pinto [MVP - DS] wrote:

>>>>>>> ahhhhh. now I understand
>>>>>>>
>>>>>>> ok, try the following
>>>>>>>
>>>>>>> introduce a NEW w2k3 DC into the existing domain (which is just 1 DC) and
>>>>>>> also make it a GC and a DNS server. After the promotion the domain will have
>>>>>>> two DCs, one unhealthy and one healthy
>>>>>>> from the healthy DC start exporting stuff that needs to be exported (.e.g
>>>>>>> DHCP stuff, etc.)
>>>>>>> Shutdown the UNhealthy DC
>>>>>>> on the healthy DC clean the AD metadata of the UNhealhty DC
>>>>>>> on the healthy DC seize ALL FSMO to the healthy DC
>>>>>>>
>>>>>>> use the following commands to check the health of the healthy DC:
>>>>>>> DCDIAG /C /D /V
>>>>>>> GPOTOOL /CheckAcl /Verbose
>>>>>>>
>>>>>>> if thats OK do:
>>>>>>> ADPREP /FORESTPREP
>>>>>>> ADPREP /RODCPREP (if you want to use RODCs, does not hurt if you do this!)
>>>>>>> ADPREP /DOMAINPREP /GPPREP
>>>>>>>
>>>>>>> Install the W2K8 DC, make it a GC, a DNS server and transfer the FSMO roles
>>>>>>> to the W2K8 DC
>>>>>>> demote the healthy w2k3 DC and remove from domain
>>>>>>>
>>>>>>> it should be something like this
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> Cheers,
>>>>>>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>>>>>>
>>>>>>>
>>>>>>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>>>>>>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>>>>>>> ------------------------------------------------------------------------------------------
>>>>>>> * How to ask a question --> http://support.microsoft.com/?id=555375
>>>>>>> ------------------------------------------------------------------------------------------
>>>>>>> * This posting is provided "AS IS" with no warranties and confers no rights!
>>>>>>> * Always test ANY suggestion in a test environment before implementing!
>>>>>>> ------------------------------------------------------------------------------------------
>>>>>>> ------------------------------------------------------------------------------------------
>>>>>>> "Ryguy" <> wrote in message
>>>>>>> news:2FA0F36C-BA12-4A54-A6BF-...


>>>>>>>> On Wednesday, June 25, 2008 8:42 PM Rygu wrote:

>>>>>>>> things have become pretty desperate for me
>>>>>>>>
>>>>>>>> i can't get a healthy dc to replicate from the unhealthy. strange though,
>>>>>>>> cause i've promoted the new 2008 server already, and it's also running a vm
>>>>>>>> of 2003 server, also a dc. all three dc's are unhealthy! the first one, the
>>>>>>>> one I'm trying to replace, I can't log into it, but it continues to run. The
>>>>>>>> second one in the vm, and the third, the 2008, neither of which are charing
>>>>>>>> sysvol, so replication isn't successfull?! the event logs mention a few
>>>>>>>> things, but nothing concrete. Anyone have any suggestions?
>>>>>>>>
>>>>>>>> Please see two messages i've replied to this one. The first message contains
>>>>>>>> event log entries, and the second one the results of dcdiag


>>>>>>>>> On Wednesday, June 25, 2008 8:44 PM Rygu wrote:

>>>>>>>>> Event log for replication:
>>>>>>>>> -The DFS Replication service has detected that replication group Domain
>>>>>>>>> System Volume was removed from the configuration
>>>>>>>>> -The DFS Replication service has detected that all replicated folders on
>>>>>>>>> volume C: have been disabled or deleted
>>>>>>>>> -The DFS Replication service is not replicating the SYSVOL replicated
>>>>>>>>> folder. If the domain controller was demoted and the DFS Replication service
>>>>>>>>> has been replicating SYSVOL, this event is expected and no user action is
>>>>>>>>> required
>>>>>>>>> -The DFS Replication service detected that the replicated folder at local
>>>>>>>>> path C:\Windows\SYSVOL\domain has been removed from configuration


>>>>>>>>>> On Wednesday, June 25, 2008 8:50 PM Rygu wrote:

>>>>>>>>>> Directory Server Diagnosis
>>>>>>>>>>
>>>>>>>>>> Performing initial setup:
>>>>>>>>>> Trying to find home server...
>>>>>>>>>> Home Server = ATSERV
>>>>>>>>>> * Identified AD Forest.
>>>>>>>>>> Done gathering initial info.
>>>>>>>>>>
>>>>>>>>>> Doing initial required tests
>>>>>>>>>>
>>>>>>>>>> Testing server: Default-First-Site-Name\ATSERV
>>>>>>>>>> Starting test: Connectivity
>>>>>>>>>> ......................... ATSERV passed test Connectivity
>>>>>>>>>>
>>>>>>>>>> Doing primary tests
>>>>>>>>>>
>>>>>>>>>> Testing server: Default-First-Site-Name\ATSERV
>>>>>>>>>> Starting test: Advertising
>>>>>>>>>> Warning: DsGetDcName returned information for
>>>>>>>>>> \\server-room.atdomain.local, when we were trying to reach ATSERV.
>>>>>>>>>> SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
>>>>>>>>>> ......................... ATSERV failed test Advertising
>>>>>>>>>> Starting test: FrsEvent
>>>>>>>>>> There are warning or error events within the last 24 hours after the
>>>>>>>>>> Group Policy problems. Failing SYSVOL replication problems may cau
>>>>>>>>>> ......................... ATSERV passed test FrsEvent
>>>>>>>>>> Starting test: DFSREvent
>>>>>>>>>> There are warning or error events within the last 24 hours after the
>>>>>>>>>> Group Policy problems. Failing SYSVOL replication problems may cau
>>>>>>>>>> ......................... ATSERV failed test DFSREvent
>>>>>>>>>> Starting test: SysVolCheck
>>>>>>>>>> ......................... ATSERV passed test SysVolCheck
>>>>>>>>>> Starting test: KccEvent
>>>>>>>>>> ......................... ATSERV passed test KccEvent
>>>>>>>>>> Starting test: KnowsOfRoleHolders
>>>>>>>>>> ......................... ATSERV passed test KnowsOfRoleHolders
>>>>>>>>>> Starting test: MachineAccount
>>>>>>>>>> ......................... ATSERV passed test MachineAccount
>>>>>>>>>> Starting test: NCSecDesc
>>>>>>>>>> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
>>>>>>>>>> Replicating Directory Changes In Filtered Set
>>>>>>>>>> access rights for the naming context:
>>>>>>>>>> DC=ForestDnsZones,DC=atdomain,DC=local
>>>>>>>>>> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
>>>>>>>>>> Replicating Directory Changes In Filtered Set
>>>>>>>>>> access rights for the naming context:
>>>>>>>>>> DC=DomainDnsZones,DC=atdomain,DC=local
>>>>>>>>>> ......................... ATSERV failed test NCSecDesc
>>>>>>>>>> Starting test: NetLogons
>>>>>>>>>> Unable to connect to the NETLOGON share! (\\ATSERV\netlogon)
>>>>>>>>>> [ATSERV] An net use or LsaPolicy operation failed with error 67,
>>>>>>>>>> Win32 Error 67.
>>>>>>>>>> ......................... ATSERV failed test NetLogons
>>>>>>>>>> Starting test: ObjectsReplicated
>>>>>>>>>> ......................... ATSERV passed test ObjectsReplicated
>>>>>>>>>> Starting test: Replications
>>>>>>>>>> ......................... ATSERV passed test Replications
>>>>>>>>>> Starting test: RidManager
>>>>>>>>>> ......................... ATSERV passed test RidManager
>>>>>>>>>> Starting test: Services
>>>>>>>>>> ......................... ATSERV passed test Services
>>>>>>>>>> Starting test: SystemLog
>>>>>>>>>> An Warning Event occurred. EventID: 0x80040020
>>>>>>>>>> Time Generated: 06/25/2008 19:40:53
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Warning Event occurred. EventID: 0x80040020
>>>>>>>>>> Time Generated: 06/25/2008 19:40:53
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Warning Event occurred. EventID: 0x80040020
>>>>>>>>>> Time Generated: 06/25/2008 19:40:53
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Warning Event occurred. EventID: 0x8000001D
>>>>>>>>>> Time Generated: 06/25/2008 19:41:23
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Warning Event occurred. EventID: 0x00000C18
>>>>>>>>>> Time Generated: 06/25/2008 19:41:30
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Warning Event occurred. EventID: 0x80001421
>>>>>>>>>> Time Generated: 06/25/2008 19:41:51
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Warning Event occurred. EventID: 0x8000A000
>>>>>>>>>> Time Generated: 06/25/2008 19:41:53
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Error Event occurred. EventID: 0xC0001B81
>>>>>>>>>> Time Generated: 06/25/2008 19:42:08
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Error Event occurred. EventID: 0xC0001B58
>>>>>>>>>> Time Generated: 06/25/2008 19:42:08
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Error Event occurred. EventID: 0xC0001B81
>>>>>>>>>> Time Generated: 06/25/2008 19:42:08
>>>>>>>>>> EvtFormatMessage failed, error 15100 Win32 Error 15100.
>>>>>>>>>> (Event String (event log = System) could not be retrieved, error
>>>>>>>>>> 0x3afc)
>>>>>>>>>> An Error Event occurred. EventID: 0xC0001B58
>>>>>>>>>> ************************************************** **********************************
>>>>>>>>>> This repetition of errors continues for three pages!!!
>>>>>>>>>> I am breaking here, and continuing, for the sanity of this thread!
>>>>>>>>>> ************************************************** **********************************
>>>>>>>>>> ......................... ATSERV failed test SystemLog
>>>>>>>>>> Starting test: VerifyReferences
>>>>>>>>>> Some objects relating to the DC ATSERV have problems:
>>>>>>>>>> [1] Problem: Missing Expected Value
>>>>>>>>>> Base Object:
>>>>>>>>>> CN=NTDS
>>>>>>>>>> Settings,CN=ATSERV,CN=Servers,CN=Default-First-Site-Name,CN=
>>>>>>>>>> Sites,CN=Configuration,DC=atdomain,DC=local
>>>>>>>>>> Base Object Description: "DSA Object"
>>>>>>>>>> Value Object Attribute Name: serverReferenceBL
>>>>>>>>>> Value Object Description: "SYSVOL FRS Member Object"
>>>>>>>>>> Recommended Action: See Knowledge Base Article: Q312862
>>>>>>>>>>
>>>>>>>>>> ......................... ATSERV failed test VerifyReferences
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : ForestDnsZones
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... ForestDnsZones passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... ForestDnsZones passed test
>>>>>>>>>> CrossRefValidation
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : DomainDnsZones
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... DomainDnsZones passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... DomainDnsZones passed test
>>>>>>>>>> CrossRefValidation
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : Schema
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... Schema passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... Schema passed test CrossRefValidation
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : Configuration
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... Configuration passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... Configuration passed test
>>>>>>>>>> CrossRefValidation
>>>>>>>>>> Running partition tests on : atdomain
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... atdomain passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... ATSERV failed test SystemLog
>>>>>>>>>> Starting test: VerifyReferences
>>>>>>>>>> Some objects relating to the DC ATSERV have problems:
>>>>>>>>>> [1] Problem: Missing Expected Value
>>>>>>>>>> Base Object:
>>>>>>>>>> CN=NTDS
>>>>>>>>>> Settings,CN=ATSERV,CN=Servers,CN=Default-First-Site-Name,CN=
>>>>>>>>>> Sites,CN=Configuration,DC=atdomain,DC=local
>>>>>>>>>> Base Object Description: "DSA Object"
>>>>>>>>>> Value Object Attribute Name: serverReferenceBL
>>>>>>>>>> Value Object Description: "SYSVOL FRS Member Object"
>>>>>>>>>> Recommended Action: See Knowledge Base Article: Q312862
>>>>>>>>>>
>>>>>>>>>> ......................... ATSERV failed test VerifyReferences
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : ForestDnsZones
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... ForestDnsZones passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... ForestDnsZones passed test
>>>>>>>>>> CrossRefValidation
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : DomainDnsZones
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... DomainDnsZones passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... DomainDnsZones passed test
>>>>>>>>>> CrossRefValidation
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : Schema
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... Schema passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... Schema passed test CrossRefValidation
>>>>>>>>>>
>>>>>>>>>> Running partition tests on : Configuration
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... Configuration passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation
>>>>>>>>>> ......................... Configuration passed test
>>>>>>>>>> CrossRefValidation
>>>>>>>>>> Running partition tests on : atdomain
>>>>>>>>>> Starting test: CheckSDRefDom
>>>>>>>>>> ......................... atdomain passed test CheckSDRefDom
>>>>>>>>>> Starting test: CrossRefValidation