AD transition from w2k3 std to w2k3 std R2

Discussion in 'Active Directory' started by Mike, Jun 5, 2009.

  1. Mike

    Mike Guest


    I want to make transition of AD from old hardware to new hardware - from
    w2k3 std SP2 to w2k3 std SP2 R2.

    FSMO roles are still on the old hardware.

    What was done till now:

    1. schema upgrade from 30 to 31
    2. dcpromo of new server
    3. make the new server global catalog
    4. activation of dns on new server -> replication ok (ad integrated)
    5. DHCP backup from old server (netsh dhcp server export c:\dhcp_backup.txt all)
    6. DHCP server activation on new server and restore (netsh dhcp server import c:\dhcp_backup.txt all)
    7. Unauthorise dhcp on old server - Authorise on new one
    8. test dhcp on client machines -> dhcp is serving clients and works fine

    In my understanding of AD transition, the only step I still need to accomplish
    is FSMO migration from the old one to the new one.

    Before doing that, I was trying to test the new server and user
    authentication. So I take off network cable from the old server and let the
    new server online. DNS resolution was still working and DHCP stopped serving
    the clients. The event log displayed that dhcp cannot confirm the
    authorization on AD server. Is this normal behavior?

    Also, I was unable to connect (remote desktop) to one other server using the
    domain administrator credentials. The message was something like the logon
    was unable to contact the directory.

    On client computers, logon is working normally, but when I tried to see on
    which server client computers authenticate themselves (with echo %logonserver%
    in a command prompt) the answer was the old server that was offline at that
    moment. So I suppose that the user was not authenticated "online" but
    reacted the same way a computer does at home and verified the login/password
    somehow locally.

    So now, I'm scared to transfer FSMO roles to new server.

    Can someone explain please if I'm doing the things right and maybe propose
    some other test to do and should I be scared to transfer the fsmo roles to
    the new server and if it's possible to go back with the fsmo roles in case
    that nothing is working anymore.

    AD is critical in our environment. If authentication is not responding
    anymore, some of our SAP servers can stop responding. Some SAP services
    start with domain user credentials.

    Many thanks in advance for your help,

    Mike, Jun 5, 2009

  2. Marcin

    Marcin Guest

    in the deployment plan you presented, there is no step that would take into
    account changes that need to be applied to DNS configuration - on the new
    domain controller and all domain member computers. You need to change it
    (either manually on the new DC/member servers - or automatically via DHCP
    for client computers) to reference the new DC as the DNS server -
    otherwise, you will likely experience the symptoms you described...

    Marcin, Jun 5, 2009

  3. Paul Bergson [MVP-DS], Jun 5, 2009
  4. Mike

    Mike Guest

    Hi Marcin,

    Yes, I have modified the DNS options in the DHCP scope options and made the new
    DNS server primary.

    That's for the client computers! The servers are still pointing to the old
    DNS / DC.

    I will try to change that on the server computers.

    Do you have any idea why DHCP server stopped serving clients once the old
    server was taken offline? From this message it is obvious that the
    authentication is not working, but why if the new one is DC/GC? Or is that
    normal since FSMO are still on the old server?

    Exact message:

    The DHCP service failed to see a directory server for authorization.

    Source DhcpServer

    Event id 1059

    Or remote connection logon with the domain administrator credentials
    Exact message:

    Logon rejected for DOMAIN\Administrator. Error: The specified domain either
    does not exist or could not be contacted.

    Is this also related to the FSMO, or maybe because the server I was trying to
    connect to was pointing to the old DNS server?

    Many thanks,

    Mike, Jun 5, 2009
  5. Mike

    Mike Guest

    Thank you Paul,

    I can't decommission the old server yet.

    I didn't tell in my previous post that the OLD hardware/dc is hosting
    exchange 2003 also!

    I know, bad practice, but I have found that config when I've arrived in the
    company :)

    That's the one of the reasons I want to separate the DC from exchange. Once
    finished with the DC transition, I will install new hardware for exchange
    and move mailboxes to that new server. Decommissioning is coming after :)

    But thanks for the link. I have taken a look at the article describing the
    steps of decommissioning the DC, and the only step that I haven't made yet is the
    fsmo roles. But before moving them I would like to be sure that all is
    working fine.

    The new server is using itself as the DNS server in the tcp/ip properties.


    Mike, Jun 5, 2009
  6. Mike

    Mike Guest

    Hello again,

    There is still something that I don't understand.

    Once I have changed the DNS address on servers or client computers and made
    them point to the new DNS, and once restarted, they are still
    authenticating on the other DCs, not on the new one.

    Echo %logonserver% on all computers / servers displays one of the two old DCs;
    none is authenticating on the new DC. Why's that? How can I be sure that
    the authentication is working, and if it's not, how do I troubleshoot?

    Am I missing something?

    Many thanks.

    Mike, Jun 5, 2009

  7. Mike,

    That error is stating it cannot contact AD. So this is indicating the
    inability to contact AD is causing this and other problems.

    Can you post some ipconfig /all from all of your DCs, please? This will give
    us a better view of how the DCs are configured in relation to DNS and other



    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check for regional support phone numbers.

    "Efficiency is doing things right; effectiveness is doing the right
    things." - Peter F. Drucker
    Ace Fekay [Microsoft Certified Trainer], Jun 5, 2009
  8. Mike

    Mike Guest



    here is the ipconfig /all from all DC's:

    *******NEW DC******************

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : srv-dc-01
    Primary Dns Suffix . . . . . . . : domain.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domain.local

    Ethernet adapter SERVER CONNECTION:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Team #1
    Physical Address. . . . . . . . . : CHANGED FOR SEC REASONS
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : //himself //server that
    will be changed

    *************END NEW DC**********************

    ********START OLD DC*********************

    The server that will be replaced (still holding FSMO)

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : srvdc1
    Primary Dns Suffix . . . . . . . : domain.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domain.local

    Ethernet adapter Teaming:

    Connection-specific DNS Suffix . : domain.local
    Description . . . . . . . . . . . : HP Network Team
    Physical Address. . . . . . . . . : changed for sec. reasons

    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    Primary WINS Server . . . . . . . :

    **********END OLD DC**************************


    Windows IP Configuration

    Host Name . . . . . . . . . . . . : newdev
    Primary Dns Suffix . . . . . . . : domain.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domain.local

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : domain.local
    Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
    Physical Address. . . . . . . . . : CHANGED FOR SEC REASONS

    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    Primary WINS Server . . . . . . . :


    This morning I have made some tests. I have pointed some servers to the
    new DNS and before that disconnected the old DCs (srvdc1 + newdev)
    from the network. Only srv-dc-01 was online.

    I've restarted other servers and tried to see if the authentication with the
    new DC would work. Ctrl-alt-del ... domain admin password and it was ok.
    The command echo %logonserver% displayed srv-dc-01.

    I have noticed that the logon process was a little bit slower than usual. I
    have then connected the "srvdc1 and newdev" DCs back and tried the logon process
    again. This time it was very fast.
    So for me the problem is sitting in the FSMO roles that still remain on
    "srvdc1", and since the server was not online maybe the time sync or
    some other process was timing out.

    I have then left "srvdc1 and newdev" online and restarted the new DC
    "srv-dc-01", and here is the "warning" event logged in the event log:

    Found in : SYSTEM


    TYPE: warning

    ID : 3096

    DESCRIPTION: The primary Domain Controller for this domain could not be

    But the logon process was successful...

    So reasons for panic or can I transfer FSMO's?

    Many thanks for your advice,

    Mike, Jun 8, 2009
  9. Mike

    Mike Guest

    At this moment it is not possible... I have already mentioned that problem
    to our IT director...
    Wait and see for the moment...
    Yes, all DC's are registered in DNS with A pointer and if DNS server then
    with NS pointer also...
    Ok, I have modified one DC with the real IP and not the
    Done :)

    I have restarted new DC and have the same problem.
    If I try to connect (RDP) to the server I have the problem to login. The
    message is:
    The system cannot log you on due to the following error:
    The specified domain either does not exists or could not be contacted
    Please try again or consult your system administrator.

    Also, I've noticed that the DHCP server can't register to authorise in
    the AD.
    I really don't know what is all about. First time I have the problem of this
    All other servers are authenticating with no problem on other DC's...
    Mike, Jun 8, 2009
  10. Jorge Silva

    Jorge Silva Guest

    Network monitor, install it and check what is going on at network level.

    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MVP Directory Services
    Jorge Silva, Jun 8, 2009
  11. Ok, well once you get the Exchange piece migrated you can demote and
    Paul Bergson [MVP-DS], Jun 8, 2009
  12. After 3 minutes of waiting, the system finally let me logon with the domain
    admin credentials.
    I have feeling that for some reasons, some of local services are not ready.
    This time DHCP server registered into AD with no problems.
    I can't find any pointer in the event log concerning this problem besides
    what I've described before
    SOURCE winlogon
    event 1219
    Logon rejected for DOMAIN\administrator. Unable to obtain Terminal Server
    User Configuration. Error: The specified domain either does not exist or
    could not be contacted.


    As Meinolf pointed out, point all DCs to themselves, provided they have DNS
    installed, of course, then chose another DC/DNS server as the second one.

    One main question, what are all your other machines (term serv, client
    machines, etc), pointed to for DNS? The ISP's or the router? Or if only
    internal, which DCs?

    Keep in mind, whenever I see a 'domain can't be contacted' error message,
    that indicates 99% of the time the incorrect DNS servers are configured in a
    machine's IP properties, or the DNS server is down. So if you're only
    bringing up one DC and not the other, and a machine is pointed to that DC
    for DNS, then I can see why this is occurring. All DCs should be up and

    Ace Fekay [Microsoft Certified Trainer], Jun 8, 2009
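    Ace's rule above (every DC points to itself first and another DC second, and a
    "domain cannot be contacted" error almost always means the wrong DNS servers
    are set on the machine) can be checked mechanically against the kind of
    ipconfig /all output Mike posted. The script below is an added example and is
    not code from the thread or from any of its participants: it parses ipconfig
    /all text, extracts the ordered DNS server list per host and flags the
    configurations the thread warns about. The DC names reuse the thread's
    (srv-dc-01, srvdc1, newdev); the addresses, the member host member-ts and
    the sample output are constructed, since the thread's own addresses were
    blanked.

```python
"""Audit DNS client settings from `ipconfig /all` output.

Rule (from the thread): a DC lists itself as first DNS server and another
DC second; no DC or member lists a resolver that is not an internal DC.
All addresses and the sample output below are constructed for this example.
"""
import re

# Constructed: internal DCs running AD-integrated DNS (hypothetical addresses).
DC_ADDRESSES = {
    "srv-dc-01": "10.0.0.10",
    "srvdc1": "10.0.0.11",
    "newdev": "10.0.0.12",
}
DC_IPS = set(DC_ADDRESSES.values())

# Constructed sample: three hosts' ipconfig /all output concatenated.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv-dc-01
   Primary Dns Suffix  . . . . . . . : domain.local

Ethernet adapter SERVER CONNECTION:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11

Windows IP Configuration

   Host Name . . . . . . . . . . . . : srvdc1

Ethernet adapter Teaming:

   IP Address. . . . . . . . . . . . : 10.0.0.11
   DNS Servers . . . . . . . . . . . : 10.0.0.11

Windows IP Configuration

   Host Name . . . . . . . . . . . . : member-ts

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.0.0.50
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       10.0.0.10
"""

_HOST_RE = re.compile(r"Host Name[ .]*:\s*(\S+)")
_IP_RE = re.compile(r"IP Address[ .]*:\s*(\S+)")
_DNS_RE = re.compile(r"DNS Servers[ .]*:\s*(\S*)")
# Continuation lines of the DNS Servers field: whitespace then a bare IPv4.
_CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Return one dict per 'Windows IP Configuration' block:
    {"host": name, "ip": first IP address, "dns": ordered DNS server list}."""
    hosts, current, in_dns = [], None, False
    for line in text.splitlines():
        if line.strip() == "Windows IP Configuration":
            current = {"host": None, "ip": None, "dns": []}
            hosts.append(current)
            in_dns = False
            continue
        if current is None:
            continue
        if in_dns:                       # extra DNS servers are indented on their own lines
            m = _CONT_RE.match(line)
            if m:
                current["dns"].append(m.group(1))
                continue
            in_dns = False
        if (m := _HOST_RE.search(line)):
            current["host"] = m.group(1)
        elif (m := _IP_RE.search(line)) and current["ip"] is None:
            current["ip"] = m.group(1)
        elif (m := _DNS_RE.search(line)):
            if m.group(1):               # value may be blank (as in the thread's redacted output)
                current["dns"].append(m.group(1))
            in_dns = True
    return hosts


def check_host(entry):
    """Findings for one host against the rule from the thread."""
    problems = []
    host, ip, dns = entry["host"], entry["ip"], entry["dns"]
    if not dns:
        return ["no DNS server configured"]
    for server in dns:
        if server not in DC_IPS:
            problems.append(f"DNS server {server} is not an internal DC (ISP/router resolver?)")
    if host in DC_ADDRESSES:
        own = ip or DC_ADDRESSES[host]   # the thread asks for the DC's real address, not a placeholder
        if dns[0] != own:
            problems.append("DC does not list itself as first DNS server")
        if len(dns) < 2:
            problems.append("DC lists only one DNS server; add another DC as secondary")
    return problems


def audit(text):
    """Map host name -> list of findings for every host in the ipconfig text."""
    return {e["host"]: check_host(e) for e in parse_ipconfig(text)}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_IPCONFIG).items():
        print(host, "->", findings or "ok")
```

    Run it against the concatenated ipconfig /all output of all DCs and member
    servers; a host whose findings mention a non-DC resolver or a missing secondary
    DC is the first place to look when a "domain cannot be contacted" logon error
    or a DhcpServer 1059 authorization event appears.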
  13. Mike

    Mike Guest

    I think that my new DC is OK. The problem I've described was displayed only
    when trying to connect from my PC (xp pro).
    Once tried from any other "client computer" I was able to open an RDP
    session on the new server directly and no events were logged in the event log.
    I have then switched my computer from a manually fixed IP address to an automatic
    one and the problem was gone!...
    I really can't explain why; it is probably DNS related, but how?
    In any case, I have backed up the system state and transferred the fsmo roles to the
    new dc and all seems to work great...
    Wait and see a few days...

    Many thanks for your help guys!

    Mike, Jun 8, 2009
  14. Hello Mike,

    Nice to hear that you solved it. Maybe your local machine time was different
    from the domain time? You said fixed ips are used on it. Was there also one
    for an ISP configured on it?

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Jun 8, 2009
  15. Mike

    Mike Guest

    No, the time is/was ok. I've checked that possibility.
    And no ISP or any other "public" address was used on my ethernet adapter
    besides the local range / local DNS.
    DNS was pointing to the new DC first and the old DC second.
    WINS was pointing to the new DC.

    Maybe somewhere in the adapter "cache" there was some strange ip address...
    I must mention that I executed the following on my machine before the IP
    address change:
    netsh int ip reset eth.txt
    and netsh winsock reset catalog to reinitialize the ip stack.

    Best regards,

    Mike, Jun 8, 2009

  16. Interesting to know. Thanks for posting that. Maybe a simple ipconfig
    /flushdns would have worked?

    Ace Fekay [Microsoft Certified Trainer], Jun 8, 2009
  17. Mike

    Mike Guest

    netsh int ip reset eth.txt
    Nope, tried it and it didn't help...
    In any case, it is working now. The people are auth. on the server and all
    seems to work nicely.
    Will wait now for one or two weeks and then move mailboxes to the dedicated
    exchange server.

    So it was really nice of you guys to share your ideas with me. It was
    useful when I searched the web!

    See you,

    Mike, Jun 9, 2009
  18. It was a pleasure to help you as well! I hope things work out. If you have
    any other problems, these groups are a great resource, as you've found!


    Ace Fekay [Microsoft Certified Trainer], Jun 9, 2009