Preparation for Migration testing

Discussion in 'Server Migration' started by TC, Apr 28, 2010.

  1. TC

    TC Guest

    Dear all,

    I want to copy the production DC to a separate network for migration
    testing (from Windows 2000 to Windows 2008 R2).
    Our existing DC is a Windows 2000 Server; we don't have an Exchange server.

    Are the steps like this?

    1) add a windows 2000 server as the secondary domain controller.
    2) create a new global catalog on the second domain controller
    3) move the testing 2nd domain controller to separate network
    4) change FSMO role the testing domain.
    5) Add the windows 2008 R2 server as domain controller
    6) change FSMO role to the new windows 2008 R2

    Questions
    1) Is the above step correct?
    2) What should be prepared on the Windows 2000 server before we join the
    Windows 2008 machine as a domain controller?
    3) One of our vendors suggested that we 1st add a Windows 2003 R2 server as
    domain controller and then upgrade it to Windows 2008 R2. Is it necessary?

    Thanks for your help.
     
    TC, Apr 28, 2010
    #1

  2. Hello TC,

    You can do it that way. On the test DC you have to seize the FSMO roles and
    then NEVER connect it back to the production domain.
    http://support.microsoft.com/kb/255504

    On the production domain you also have to remove the test DC from the AD
    database, as you can NEVER connect it back to demote it correctly. FSMO of
    course leave untouched here:
    http://support.microsoft.com/kb/555846/en-us

    For adding the Windows server 2008 machine see my blog:
    http://msmvps.com/blogs/mweber/arch...ws-server-2008-or-windows-server-2008-r2.aspx

    There is no need to add a Windows server 2003 DC to the domain before.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 28, 2010
    #2

  3. TC

    TC Guest

    Thanks a lot for your suggestion.

    Our company's clients are still mainly Windows XP and Windows 2000. May I
    know of any known issues already found for Windows 2008 R2 and Windows XP
    (32-bit client)?
     
    TC, Apr 29, 2010
    #3
  4. TC

    TC Guest

    I found this in the dcdiag output when I set up the 2nd domain controller
    in production to replicate the DC for testing.

    The kccevent test failed. What is wrong? Thanks for the help.

    Starting test: frssysvol
    * The File Replication Service Event log test
    The SYSVOL has been shared, and the AD is no longer
    prevented from starting by the File Replication Service.
    There are errors after the SYSVOL has been shared.
    The SYSVOL can prevent the AD from starting.
    An Warning Event occured. EventID: 0x800034C4
    Time Generated: 04/29/2010 18:12:46
    Event String: The File Replication Service is having trouble
    enabling replication from adcAD to adcPC06 for
    c:\winnt\sysvol\domain using the DNS name
    adcAD.masked.loc. FRS will keep retrying.
    Following are some of the reasons you would see
    this warning.

    [1] FRS can not correctly resolve the DNS name
    adcAD.masked.loc from this computer.
    [2] FRS is not running on
    adcAD.masked.loc.
    [3] The topology information in the Active
    Directory for this replica has not yet replicated
    to all the Domain Controllers.

    This event log message will appear once per
    connection, After the problem is fixed you will
    see another event log message indicating that the
    connection has been established.
    An Warning Event occured. EventID: 0x800034C5
    Time Generated: 04/29/2010 18:16:50
    Event String: The File Replication Service has enabled
    replication from adcAD to adcPC06 for
    c:\winnt\sysvol\domain after repeated retries.
    ......................... adcPC06 passed test frssysvol
    Starting test: kccevent
    * The KCC Event log test
    An Information Event occured. EventID: 0x40000456
    Time Generated: 04/29/2010 18:30:37
    (Event String could not be retrieved)
    ......................... adcPC06 failed test kccevent
     
    TC, Apr 29, 2010
    #4
  5. Hello TC,

    They can still operate in a Windows server 2008 domain.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 29, 2010
    #5
  6. Hello TC,

    Please post an unedited ipconfig /all from the problem DC and the existing
    DC/DNS server.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 29, 2010
    #6
  7. TC

    TC Guest

    from the DC with problem.

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : abcpc06
    Primary DNS Suffix . . . . . . . : masked.loc
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : masked.loc

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection
    Physical Address. . . . . . . . . : 00-08-02-5A-C2-1D
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.10.67
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.10.2
    DNS Servers . . . . . . . . . . . : 192.168.10.67
                                        192.168.10.20
    Primary WINS Server . . . . . . . : 192.168.10.20


    from the DC/DNS

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : abcAD
    Primary DNS Suffix . . . . . . . : masked.loc
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : masked.loc

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter #2
    Physical Address. . . . . . . . . : 00-1E-0B-D9-C9-C8
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.10.20
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.10.2
    DNS Servers . . . . . . . . . . . : 192.168.10.20
    Primary WINS Server . . . . . . . : 192.168.10.20
     
    TC, Apr 30, 2010
    #7
  8. TC

    TC Guest

    Dear Meinolf Weber,

    I can finally run dcdiag and netdiag without errors. Is there anything
    else I should test before I separate the testing domain controller?

    Regards,
    TC.
     
    TC, May 4, 2010
    #8
  9. Hello TC,

    Run also "repadmin /showrepl dc* /verbose /all /intersite" without the quotes
    to control replication.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 4, 2010
    #9
  10. TC

    TC Guest

    TC, May 6, 2010
    #10
  11. TC

    TC Guest

    Output for repadmin /showreps ABCPC06. Does it look OK? Can I start
    separating the network for migration testing?

    Default-First-Site-Name\ABCPC06
    DSA Options : IS_GC
    objectGuid : 3b171f2e-dd8c-418c-9a11-9079f8553424
    invocationID: 3088dbba-324e-4597-9d35-46db53198055

    ==== INBOUND NEIGHBORS ======================================

    CN=Schema,CN=Configuration,DC=masked,DC=loc
    Default-First-Site-Name\ABCAD via RPC
    objectGuid: 2e122413-24e7-4b70-8619-0d6bceac6357
    Address: 2e122413-24e7-4b70-8619-0d6bceac6357._msdcs.masked.loc
    ntdsDsa invocationId: a4649009-ad70-4559-aff6-583cf5ab0a1b
    WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
    USNs: 485984/OU, 485984/PU
    Last attempt @ 2010-05-06 12:56.09 was successful.

    CN=Configuration,DC=masked,DC=loc
    Default-First-Site-Name\ABCAD via RPC
    objectGuid: 2e122413-24e7-4b70-8619-0d6bceac6357
    Address: 2e122413-24e7-4b70-8619-0d6bceac6357._msdcs.masked.loc
    ntdsDsa invocationId: a4649009-ad70-4559-aff6-583cf5ab0a1b
    WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
    USNs: 486046/OU, 486046/PU
    Last attempt @ 2010-05-06 13:32.22 was successful.

    DC=masked,DC=loc
    Default-First-Site-Name\ABCAD via RPC
    objectGuid: 2e122413-24e7-4b70-8619-0d6bceac6357
    Address: 2e122413-24e7-4b70-8619-0d6bceac6357._msdcs.masked.loc
    ntdsDsa invocationId: a4649009-ad70-4559-aff6-583cf5ab0a1b
    WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
    USNs: 486070/OU, 486070/PU
    Last attempt @ 2010-05-06 13:41.20 was successful.

    ==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

    CN=Schema,CN=Configuration,DC=masked,DC=loc
    Default-First-Site-Name\ABCAD via RPC
    objectGuid: 2e122413-24e7-4b70-8619-0d6bceac6357
    Address: 2e122413-24e7-4b70-8619-0d6bceac6357._msdcs.masked.loc
    WRITEABLE
    Added @ 2010-04-29 18:11.56.

    CN=Configuration,DC=masked,DC=loc
    Default-First-Site-Name\ABCAD via RPC
    objectGuid: 2e122413-24e7-4b70-8619-0d6bceac6357
    Address: 2e122413-24e7-4b70-8619-0d6bceac6357._msdcs.masked.loc
    WRITEABLE
    Added @ 2010-04-29 18:11.56.

    DC=masked,DC=loc
    Default-First-Site-Name\ABCAD via RPC
    objectGuid: 2e122413-24e7-4b70-8619-0d6bceac6357
    Address: 2e122413-24e7-4b70-8619-0d6bceac6357._msdcs.masked.loc
    WRITEABLE
    Added @ 2010-04-29 18:11.55.
     
    TC, May 6, 2010
    #11
  12. Hello TC,

    The output looks ok for me. So it seems that you can go on.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 6, 2010
    #12
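
Added example, not part of the original thread: a small Python check that reads repadmin /showreps text in the layout posted in #11 and reports, per naming context, whether the last inbound replication attempt succeeded before the test DC is isolated. The sample text is constructed; the wording of the failing "Last attempt" line is an assumption.

```python
import re

# Constructed sample in the layout of the repadmin /showreps output in #11.
# The second inbound entry is altered to show a failure (assumed wording).
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=masked,DC=loc
Default-First-Site-Name\\ABCAD via RPC
WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
Last attempt @ 2010-05-06 13:32.22 was successful.

DC=masked,DC=loc
Default-First-Site-Name\\ABCAD via RPC
WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
Last attempt @ 2010-05-06 13:41.20 failed, result 1722:

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=masked,DC=loc
Default-First-Site-Name\\ABCAD via RPC
Added @ 2010-04-29 18:11.55.
"""

NC_RE = re.compile(r"^(?:CN|DC)=\S+$", re.I)          # naming context DN
PARTNER_RE = re.compile(r"^(\S+\\\S+) via (\S+)$")    # Site\Server via RPC
ATTEMPT_RE = re.compile(r"^Last attempt @ (\S+ \S+) (was successful|failed)")


def inbound_status(text):
    """Return [(naming_context, partner, timestamp, ok)] for inbound neighbors."""
    rows, in_inbound, nc, partner = [], False, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("===="):            # section banner
            in_inbound = "INBOUND NEIGHBORS" in line
            continue
        if not in_inbound:                     # skip outbound entries
            continue
        if NC_RE.match(line):
            nc, partner = line, None
        elif (m := PARTNER_RE.match(line)):
            partner = m.group(1)
        elif (m := ATTEMPT_RE.match(line)) and nc and partner:
            rows.append((nc, partner, m.group(1), m.group(2) == "was successful"))
    return rows


def failed_contexts(text):
    """Naming contexts whose last inbound attempt did not succeed."""
    return [nc for nc, _, _, ok in inbound_status(text) if not ok]
```

An empty list from failed_contexts() on the real output means every inbound naming context reported a successful last attempt.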
  13. TC

    TC Guest

    Thanks Meinolf,

    I remove the ABCAD from the testing server ABCPC06 and seize the 5 FSMO roles

    Remove ABCAD from domain controller

    The below message appears when I seize the RID master. As I only have one
    DC, I think I still need to seize it, is it?

    The select server is not a direct replication partner of the previous RID
    master. It is recommended that only direct replication partners be promoted
    to be the RID master



    1) run ntdsutil
    2) ntdsutil: type "metadata cleanup"
    3) metadata cleanup: type "connections"
    4) server connections: type "connect to server ABCpc06"
    display "Connected to ABCpc06 using credentials of locally logged on user"
    5) server connections: type "quit"
    6) metadata cleanup: type "select operation target"
    7) select operation target: type "list domains"
    display...
    Found 1 domain(s)
    0 - DC=masked,DC=loc
    8) select operation target: type "select domain 0"
    display...
    No current site
    Domain - DC=masked,DC=loc
    No current server
    No current Naming Context
    9) select operation target: type "list sites"
    Found 1 site(s)
    0 - CN=Default-First-Site-Name,CN=sites,CN=Configuration,DC=masked,DC=loc
    10) select operation target: type "select site 0"
    display...
    Found 1 site(s)
    Site -
    CN=Default-First-Site-Name,CN=sites,CN=Configuration,DC=masked,DC=loc
    Domain - DC=masked,DC=loc
    No current server
    No current Naming Context
    11) select operation target: type "list servers in site"
    display...
    Found 2 server(s)
    0 -
    CN=ABCAD,CN=Servers,CN=Default-First-Site-Name,CN=sites,CN=Configuration,DC=masked,DC=loc
    1 -
    CN=ABCPC06,CN=Servers,CN=Default-First-Site-Name,CN=sites,CN=Configuration,DC=masked,DC=loc
    12) select operation target: type "select server 0"
    display...
    Site -
    CN=Default-First-Site-Name,CN=sites,CN=Configuration,DC=masked,DC=loc
    Domain - DC=masked,DC=loc
    Server -
    CN=ABCAD,CN=Servers,CN=Default-First-Site-Name,CN=sites,CN=Configuration,DC=masked,DC=loc
    DSA object - CN=NTDS
    Settings,CN=ABCAD,CN=Servers,CN=Default-First-Site-Name,CN=sites,CN=Configuration,DC=masked,DC=loc
    DNS host name - ABCAD.masked.loc
    Computer object - CN=ABCAD, OU=Domain Controllers,DC=masked,DC=loc
    NO current Naming Context
    13) select operation target: type "quit"
    14) metadata cleanup: type "remove selected server"
    confirm the removal
    15) type "quit" on each menu
    display...
    Disconnecting from ABCpc06 ...
    16) Remove entry for ABCAD from _msdcs from DNS
    17) run adsiedit.msc
    18) Expand Domain NC, Expand DC=masked,DC=loc
    19) Expand OU=Domain Controllers
    20) Select Property, select "userAccountControl" in "Select a property to view"
    21) click "Clear", change value to 4096, click "set"
    22) Right-click CN=ABCAD, click delete
    23) Expand Domain NC, Expand DC=masked,DC=loc
    24) Expand CN=System
    25) Expand CN=File Replication Service
    26) Expand CN=Domain System Volume (SYSVOL share)
    27) Right click "delete"
    28) in DNS, right click masked.loc, remove ABCad.masked.loc from Name Servers
    29) delete the domain from Active Directory Sites and Services
    30) expand sites, Default-First-Site-Name, Server
    31) delete the ABCAD


    SEIZE fSMO role
    1) start cmd, run ntdsutil
    2) ntdsutil: type "roles"
    3) fsmo maintenance: type "connections"
    4) server connections: type "connect to server abcpc06"
    display..
    Binding to abcpc06 ...
    Connected to abcpc06 using credentials of locally logged on user
    5) server connections: type "quit"
    6) fsmo maintenance: type "seize domain naming master"
    7) fsmo maintenance: type "seize infrastructure master"
    8) fsmo maintenance: type "seize PDC"
    9) fsmo maintenance: type "seize RID master"
    10) fsmo maintenance: type "seize schema master"
     
    TC, May 11, 2010
    #13
  14. TC

    TC Guest

    Also, I get the below error


    WinMgmt event id 42:
    WMI ADAP was unable to create object Win32_PerfRawData_DNS_DNS for
    Performance Library DNS because no value was found for property index 2984 in
    the 009 subkey
     
    TC, May 11, 2010
    #14
  15. TC

    TC Guest

    I find 2 issues in the testing server.

    1) No WINS server, 2) net time /setsntp is not set. The issues are fixed;
    I can proceed with the migration test.
     
    TC, May 12, 2010
    #15
  16. TC

    TC Guest

    I get some errors after the migration on the new server


    Event ID: 2092
    This server is the owner of the following FSMO role, but does not consider
    it valid. For the partition which contains the FSMO, this server has not
    replicated successfully with any of its partners since this server has
    been restarted. Replication errors are preventing validation of this role.

    Operations which require contacting a FSMO operation master will fail until
    this condition is corrected.

    FSMO Role: DC=ourdomain,DC=loc


    Event ID: 1206
    Active Directory Domain Services could not resolve the following DNS host
    name of the source domain controller to an IP address. This error prevents
    additions, deletions and changes in Active Directory Domain Services from
    replicating between one or more domain controllers in the forest. Security
    groups, group policy, users and computers and their passwords will be
    inconsistent between domain controllers until this error is resolved,
    potentially affecting logon authentication and access to network resources.

    Source domain controller:
    abcpc06 <- old server
    Failing DNS host name:
    GID._msdcs.ourdomain.loc


    The DFS Replication service failed to contact domain controller to access
    configuration information. Replication is stopped. The service will try again
    during the next configuration polling cycle, which will occur in 60 minutes.
    This event can be caused by TCP/IP connectivity, firewall, Active Directory
    Domain Services, or DNS issues.


    Event ID: 1400
    Active Directory Web Services could not find a server certificate with the
    specified certificate name. A certificate is required to use SSL/TLS
    connections. To use SSL/TLS connections, verify that a valid server
    authentication certificate from a trusted Certificate Authority (CA) is
    installed on the machine.

    Certificate name: sjrpc73.ourdomain.loc


    Event ID: 14550
    The DFS Namespace service could not initialize cross forest trust
    information on this domain controller, but it will periodically retry the
    operation. The return code is in the record data.
     
    TC, May 20, 2010
    #16
  17. TC

    kj [SBS MVP] Guest

    Make sure the DNS clients are using a common AD DNS server. Post
    ipconfig/all if you need confirmation or believe you already have DNS
    configured properly.
     
    kj [SBS MVP], May 20, 2010
    #17