Demoting 2003 domain controllers
Hi Guys,
We have been running in a mixed mode domain for a while now (2003 and 2008r2) and I have been given the go-ahead to demote the 2003 DC's.
Now before I demote them I want to be sure that these servers are being used for anything, i.e ldap services etc.....
Instead of turning them off can I just disable the net-logon service for a few days?
Also these servers are not dns servers.
Thanks
Are the DCs GCs? If they are, they may be chosen at logon time. You may want to no longer make them a GC.
You can run echo %logonserver% at a few clients to see if they are using the DC as a logon server (not necessarily a GC).
Here are some other things to look at that may help.
Remove a Current Operational Domain Controller from Active Directory
http://blogs.msmvps.com/acefekay/2010/10/09/remove-a-current-operational-domain-controller-from-active-directory/
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Similar Messages
-
Upgrade to Server 2012 R2 domain controllers from 2003
I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
We had two Server 2003 domain controllers and one of them was failing. I raised the forest functional level of our old primary domain controllers to 2003. I built the first replacement Server 2012 R2 domain controller. Added the AD DS roles
and promoted it as a domain controller. I let it sit for a couple days. The FSMO roles were currently being handled by our other 2003 domain controller. Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing
server and demoted it. Once demoted I shut it down and pulled it out of the rack. I then built our second 2012 R2 server and gave it the same IP as the failing one. Installed the AD DS roles and integrated DNS as prompted by the wizard.
I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master. Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network. I then demoted
the first new controller (DC03) changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again. I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in,
just not a second subnet that is through a hardware firewall. I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\username>dcdiag /v /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine WGDDC01, is a Directory Server.
Home Server = WGDDC01
* Connecting to directory service on server WGDDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=wgd,DC=inet
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WGDDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... WGDDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WGDDC01
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... WGDDC01 failed test DNS
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : wgd
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : wgd.inet
Starting test: DNS
Test results for domain controllers:
DC: WGDDC01.wgd.inet
Domain: wgd.inet
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard (Service Pack level:
0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
MAC address is B0:83:FE:C1:98:07
IP Address is static
IP address: 10.240.1.23
DNS servers:
10.240.1.23 (WGDDC01) [Valid]
10.240.1.24 (WGDDC02) [Valid]
127.0.0.1 (WGDDC01) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
Warning: no DNS RPC connectivity (error or non Microsoft DNS s
erver is running)
[Error details: 5 (Type: Win32 - Description: Access is denied
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.240.1.23 (WGDDC01)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
DNS server: 10.240.1.24 (WGDDC02)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: wgd.inet
WGDDC01 PASS WARN n/a n/a n/a
n/a n/a
......................... wgd.inet passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
When I try to bind a machine to the domain I get an error message that says "
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.240.1.24
10.240.1.23
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
Please let me know if I'm missing something or if there are other things I can check.
Thanks!
I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as
soon as our vendor supports their software to run on Windows 7.We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the
domain connecting to the two new domain controllers but the client machine that is trying to bind gives an error. An Active Directory Domain Controller for the domain wgd.inet could not be contacted. It seems that this is just a DNS issue for one
particular subnet (10.240.2.0/24). This subnet is setup in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out. The route is there and I can watch it connect through our hardware firewall over port 53.
DC01
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
DC02
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC02
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter NIC1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.24
10.240.1.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe> -
Upgrading windows server 2003 domain controller to windows server 2008
Hello friedns :
We have a company with about 2000 users , and two windows server 2003 domain controllers , one of them acts as a primary domain controller , and the other acts as secondary domain controller , all the FSMO s are on the primary DC ,we have decided to upgrade all of our servers from windows server 2003 to windows server 2008 , the first step is to upgrade the domain controllers to windows server 2008 , our domain controllers are so sensitive and has to be active 24 hours a day , i have stress upgrading it to windows server 2008 , what is the best solution to upgrade it with no risk ?
( i have an opinion but i am not sure and i dont have any guide about it , i want to install a windows server 2008 and promote it as an additional domain controller to the windows server 2003 DC and the transfer all the FSMOs to it , and then promote the first domain controller !!! is that possible ? if yes , is there any guide about it? )
If there is a guide available for it please let me know . (Specially if there is a tip & trick)
thank you guys.
Network is my LOVEHi,
This TechNet online article might be helpful for you.
How to Upgrade Domain Controllers to Windows Server 2008 or Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx
For your convenience, I have list some general steps for your reference.
Since the following operation have potential damage to Active Directory database, it is highly suggested that you'd better perform a full backup of Active Directory (System State) firstly. Also it is better to test the following procedure in a similar lab environment first.
General Steps:
=============
1. Verify the new server's TCP/IP configuration has been pointed to the current DNS server.
2. Make the new server become a member server of the current Windows Server 2003 domain first.
3. Upgrade the Windows Server 2003 forest schema to Windows Server 2008 schema with the "adprep /forestprep" command on old server.
Please run the "adprep.exe /forestprep" command from the Windows Server 2008 installation disk on the schema master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
Drive:\sources\ADPREP\adprep.exe /forestprep
4. Upgrade the Windows 2003 domain schema with the "adprep /domainprep" command on old server.
Please run the "adprep.exe /domainprep" command from the Windows Server 2008 installation disk on the infrastructure master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
Drive:\sources\ADPREP \adprep.exe /domainprep
5. Insert Windows Server 2008 Installation Disc in the new server.
6. Run "dcpromo" on new server to promote it as an additional domain controller in existing Windows 2003 domain, afterwards you may verify the installation of Active Directory.
Please refer to:
How to Verify an Active Directory Installation in Windows Server 2003
http://support.microsoft.com/kb/816106
7. Verify the new server's TCP/IP configuration has been pointed to current DNS server.
8. Enable Global Catalog on new server and manually Check Replication Topology and afterwards manually trigger replication (Replicate Now) to synchronize Active Directory database between 2 replicas.
Please note: It will some time to replicate GC between DC, please wait some time with patience.
9. Disable Global Catalog on the old DC.
10. Transfer all the FSMO roles from the old DC to the new DC.
Please refer to:
How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801
11. Verify that the old DNS Server Zone type is Active Directory-Integrated. If not, please refer to:
How To: Convert DNS Primary Server to Active Directory Integrated
http://support.microsoft.com/kb/816101
Note: Active Directory Integrated-Zone is available only if DNS server is a domain controller.
12. Install DNS component on new server and configure it as a new DNS Server (Active Directory Integrated-Zone is preferred). All the DNS configuration should be replicated to the new DNS server with Active Directory Replication.
13. Make all the clients change TCP/IP configuration to point to new server as DNS.
14. You may configure TCP/IP on all the clients, or adjust DHCP scope settings to make them use the new DNS server.
Please note: It is a good practice to make the old DC offline for several days and check whether everything works normally with the new server online. If so, you may let the old DC online and run DCPROMO to demote it.
Hope it helps.
Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights. -
I need to find domain controllers that have been removed but never demoted.
Here's the story...
I came on an Active Directory administrator for an organization which has 600+ domain controllers, most running Server 2003, but I have some Server 2008R2. Throughout all this time the organization has had DCs that have stopped working, crashed or failed
for some reason and all the IT department has done is created another domain controller name it the same thing with an (A), (B) appended to the name and then never removed any of the failed controllers from the directory.
Thing is this has been going on for quite some time, don’t know for sure how long as I am still trying to clean up DNS replication problems and have been having to go around and reset machine passwords for the forest. What I need to be able to do is to script
something that will return all the failed DCs so that I can go into the directory and use NTDUTIL to clean the machines. I don’t want to go into the directory and remove a machine that’s still out there. No one in the organization has a list or record of failed
machines.
You can see this may be a gargantuan task, but I need to be able to make it easier on
myself by finding the machines first and cleaning out DNS, cleaning the DCs out of the “Sites” and cleaning them out of the directory.
Appreciate any help I can get…Hi,
Thanks for posting in the forum.
Regarding your question, maybe we should remove these orphaned DC from AD, please try to refer to the following articles to perform the cleanup task.
How to remove completely orphaned Domain Controller
http://support.microsoft.com/kb/555846
Complete Step by Step to Remove an Orphaned Domain controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
Metadata Cleanup of a Domain controller
http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
Here is a similar thread as reference, hope it helps.
Remove References of a Failed DC/Domain
http://social.technet.microsoft.com/Forums/windowsserver/en-US/87516188-731a-4b7f-a4cc-06ce4ad27b19/remove-references-of-a-failed-dcdomain
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback on our support quality, please send your feedback
here.
Andy Qi
TechNet Community Support -
URGENT!! Demoted SBS server and now no other Domain Controllers are functioning
Last night we were demoting a 2003 SBS in a domain. We have 3 other domain controllers that were online and appeared to be functional. All were shown in Sites and Services as GC. However, after demoting the SBS server, our other Domain controllers are not
functioning as GCs or as DCs.
I can get into Sites and Services if I let it fail when it tries to connect to the domain and then tell it to connect to the specific domain controller. But then things don't look quite right. I can't see all the tabs when I drill down to NTDS Settings and
go to properties. The only tabs that show up are Security and Attribute Editor. Same thing with ADUC, I only get some of the tabs. It is like only half of AD is there.
I need some urgent help if anyone can assist.Hi,
In order to identify the cause, I suggest you run
DCDiag command on a Domain Controller, and post out the results for troubleshooting:
Dcdiag
http://technet.microsoft.com/en-us/library/cc731968.aspx
What does DCDIAG actually… do?
http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx
Best Regards,
Amy Wang -
Network Location not showing domain name in Server 2012 R2 after demoting 2003 PDC
The single active NIC in my new Server 2012 R2 no longer shows the Network Location of "DOMAIN.LOCAL" like it did before I demoted the only Server 2003 domain controller. The NIC now shows "NETWORK" as the Network Location.
The registry still shows a Profile with the correct PROFILENAME in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
but that name does not show up in the Network List Manager Policies inside Local Security Policy.
The 2012 R2 Srv has all of the FSMO roles, Client PC's can connect to the domain but will not get new map drives from a script, they must be created manually. My Quickbooks Enterprise clients cannot see the QB Server Manager on this server and I think it
is related to this issue because of firewall restrictions.
The Windows Firewall pointed me in this direction because the "Private Networks" is connected to my NIC named "Network" but the Firewall "Domain Networks" is reported as "Not connected."
Any Help is appreciated,
CrazyDogHi,
Based on my research,
Network Location Awareness (NLA) service expects to be able to enumerate the
domain’s forest name to choose the right network profile for the connection. The service does this by calling
DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller.
If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.
Therefore, I suggest you check the DNS settings on DCs and other domain-joined machines, which should point to the existing DC as preferred DNS server, and secondary DC as alternate DNS server, IP address of demoted DC should be
removed. In addition, please do not use loopback IP address.
Here are some articles below I suggest you refer to:
Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles
http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx
Network Location Awareness
http://technet.microsoft.com/en-us/library/cc753545(v=WS.10).aspx
Complete Step by Step to Remove an Orphaned Domain controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
Best Regards.
Amy -
Hi
Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
ThanksWhen Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Hi,
What is the proper way to demote a Windows 2003 Domain Controller running SQL Server 2008 WorkGroup Edition?
I will be migrating AD from Win 2003 to 2012....
Thanks in advanced.Running SQL on a domain controller is highly not recommended for performance reasons and for complexities it introduces in the management of both systems (You are already facing this situation now).
I would recommend proceeding like the following before demoting your domain controller:
Install a new SQL server on a member server
Migrate your databases to the new SQL server
Once done, you can safely demote your DC.
More if you ask them here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=sqlserver
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Compatibility Exchange Server 2003 SP2 and Domain controllers Windows Server 2008 R2
Hi all, I have this scenario:
- Two Domain Controllers Windows Server 2003 R2 SP2
- Two mail servers Exchange Server 2003 with the following version:
6.5 (Build 7638.2 Service Pack 2)
I want to upgrade my domain controllers to Windows Server 2008 R2.
My question is whether exchange Server 2003 6.5 (Build 7638.2 Service Pack 2) is supported with Domain Controllers Windows Server 2008 R2.
Can you tell me some official Microsoft website where this reflected?
regards
Microsoft Certified IT Professional Server AdministratorExchange Server 2003 SP2 supports DCs running Windows Server 2008 R2. These DCs should be RWDCs and not RODCs:
Exchange 2003 SP2 will now be supported against writeable Windows Server 2008 R2 Active Directory Servers. Additionally, with the General Availability of Exchange Server 2010, and those looking to standardize on Windows
Server 2008 R2 we have enhanced the supportability of forest and domain functional levels up to Windows Server 2008 R2. This change is effective immediately on Exchange 2003 SP2.
Reference: http://blogs.technet.com/b/exchange/archive/2009/11/30/3408893.aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Prepare 2003 Forest/Domain for 2008 R2 or 2012 Domain Controllers
Hi,
I would be grateful if you could help me with this:
We have a single Forest/Single Domain structure which is managed by 4 Windows Server 2003 Std Edition. We are now trying to add a Server 2008 R2 as a domain controller. I have followed lots of articles on MS and other website with regards to preparing the
Forest and domain before promoting the new server and here is what I got so far:
Schema master - Windows 2003 SE
FFL/DFL both set to 2003
Run Adprep32.exe (found it on 2008 R2 disc) /forestprep and the outcome was:
lDAPDisplayName "uidNumber" defined for object "CN=VintelauidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value uidNumber and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=Vintela-uidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "gidNumber" defined for object "CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gidNumber and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "gecos" defined for object "CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gecos and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.2" defined for object CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.2" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "unixHomeDirectory" defined for object "CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value unixHomeDirectory and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.3" defined for object CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.3" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "loginShell" defined for object "CN=VintelaloginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value loginShell and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=Vintela-loginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency. Then run adprep again.
On the Schema master, run AD Schema, MMC and deactivated the object for Vintela. run the adprep32 /forestprep again and still the same result.
Would you please advise what else can/must be done? anyone knows anything on Vintela (Quest VAS) and how to get rid of it?
thanks for your help in advance.Hi,
Thanks for your post.
In this case, the most cause may be the OIDS are in conflict with the 2008 /forestprep. Could you please let me know if the forest functional level is 2003? If not, please raise it to 2003.
For the information about how to raise functional level, please refer to the articles as below:
What Are Active Directory Functional Levels?
http://technet.microsoft.com/en-us/library/cc787290(WS.10).aspx
Raise the Domain Functional Level
http://technet.microsoft.com/en-us/library/cc753104.aspx
Raise the Forest Functional Level
http://technet.microsoft.com/en-us/library/cc730985.aspx
What is the Impact of Upgrading the Domain or Forest Functional Level?
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Besides, for the best practice, we can back up all domain controllers’ system state for the unexpected issues. Here is one article related to backup Active Directory.
Backing up Active Directory
http://technet.microsoft.com/en-us/library/cc961924.aspx
I hope this information is helpful for you. If there is anything that requires further clarification, please don’t hesitate to let me know.
Best regards,
Ann
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain
is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
is not available.
Help please!Hi,
As there is server 2012 DC (SERVER1) DC is operational in a domain then "This domain controller is the last controller for the domain" should be remain unchecked when you demote SERVER2 DC.
If you are getting error "Active Directory domain controllers for that domain can be contacted" while demoting SERVER2 DC then check the DNS pointing on both as per below article, disable windows firewall on all DC, less possiblities but worth to check if both
are different site then check the ports are open on firewall.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
run “ipconfig /flushdns & ipconfig /registerdns“, restart DNS server and NETLOGON service on each DC and try to demote server2 DC.
If issue reoccurs, post dcdiag /q result.
NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
Active Directory Metadata Cleanup
http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights. -
DNS issues with replaced domain controllers
I have slight issue I hope some one can help with.
We recently replaced some domain controllers in our 2 core sites the process we followed is as below:-
moved FSMO roles to different already working servers
demoted the old domain controllers and decommissioned.
built virtual machine replacements with the same names.
depromo'd the servers
ran all the tests and it reported everything was fine.
moved the fsmo roles to the new servers.
repeated this for the remaining servers.
this was our 2003 domain to free up physical space but our new 2013 domain what will exist separately until all our applications our tested.
however the problem we now have is that non domain controllers have issues registering against the new servers despite being able to do look-ups against them all (replication testing looks fine). one of our regional DC's seems to have taken over as the primary
replica. as changes made else where disappeared but changes made there got replicated out perfectly.
I have managed to resolve this particular issue by added the domain controllers back into several locations in DNS manually (maining forward lookup zones>my domain>_tcp )but we still experience the odd issue with servers not registering in DNS properly
(although it's a lot better since the I did the above)
so basically does any one have a idea on what could have caused this issue and how I can resolve?should the demotion not automatically remove it from sites and services automatically (it could well be this if not) the question then becomes how do we resolve the issues we have now.
Hello,
NO, as you can demote a DC and it still may run site-aware services like DFS and for this reason a DC is NOT automatically removed from AD sites and services during demotionprocess.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
Installing a Windows 2012 Domain Controller into a 2000/2003 domain with Exchange 2003
Hello,
I have a client that we are planning to migrate to 2012 over time. They currently have a Windows 200 DC and 2 member servers running Windows 2003, one of which is running Exchange 2003.
We first are going to introduce a 2012 server into the domain and my plan was to DCPromo the 2003 server that isn't running Exchange and raise domain level to 2003 and then demote the 2000 server. I was then going to install the
2012 server into the domain and make it a backup Domain Controller for the time being and leave the newly promoted Windows 2003 server as the primary Domain Controller with all the roles and global catalog. My question is will Exchange 2003 still function
normally in this scenario?
I've been doing research and read some things about Exchange 2003 not working with 2012 Domain Controllers, but I was thinking if the 2003 is still the primary, it might work. We will eventually migrate to 2003, they just don't want to
do it all at once, due to costs and other issues.
Thanks.I didn't ask if it was supported, I just wanted to know if Exchange 2003 would continue
to function if the Windows 2003 DC still held all the FSMO roles and Global Catalog.
A not supported situation means that it is a situation where Microsoft made no testing or do not guarantee that you can operate with no problems. Following a not supported scenario could be done but is on your own risk.
If it won't, can the 2012 server be a member server in the 2003 AD? The 2000
DC it is replacing, just shares files on the network in addition to being the lone AD server
Yes, it can be a member server.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Unable to bind MacBook Pro (running 10.6 - Snow Leopard ) to Windows Server 2003 domain
Hi there, I've been working on this problem for a few hours now (and a few hours last Thursday) and don't feel I'm getting anywhere, so I'm reaching out for help....
My organisation has just purchased a new MacBook Pro, running Snow Leopard (OSX 10.6) and as a Technical Support Engineer I have been asked to configure it for an end user.
I am currently trying to join it to our corporate domain, which is a Windows Server 2003 domain operating at the Windows Server 2003 Native domain functional level.
The MacBook is configured to use DHCP, and has been assigned valid IP address, DNS servers etc by the DHCP server. It can resolve all names on our network, including the names of our domain controllers. When I use nslookup to resolve the name of the domain "my_domain.local" it returns a list of DC's on the domain, which would indicate to me that name resolution is working perfectly. It is using our primary DNS server, 'Ponus' to resolve these names - Ponus is also the Domain Controller in this site.
To attempt to join the MacBook to the domain I have created a computer account for it on the domain, in the Computers container. I have gone into System/Library/Core Services and run the Directory Utility.
In the directory Utility I have ticked Active Directory and clicked on it to edit. The 'Forest' field is greyed out and set to 'Automatic', in the 'Domain' field I have entered my_domain.local, which is the FQDN of my domain. I click Bind and when prompted enter my Domain Admin username and password (in the 'Create Computer Account in:' field it displays correctly as CN=Computers,DC=my_domain,DC=local.)
When I click OK I get the message: Invalid domain. An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest (e.g., ads.company.com).
I have attempted writing the domain as my_domain.local, my_domain.local., MY_DOMAIN.LOCAL and MY_DOMAIN.LOCAL. but I get the same error each time. I have checked and rechecked DNS is resolving OK, and cannot see why it cannot find the Domain and Forest from the FQDN that I am entering. Even so I tried creating records in the hosts file on the MacBook to point to the main Domain Controller at this site (Ponus) but this didn't change anything.
I have seen a few people report the same issue online but the responses tend to fizzle out before anyone gets to the bottom of it. I have seen some indication that people with an understore (_) in their domain name, or with a .local domain name may experience issues with joining Mac hosts, however these details are very vague and if true there must be a workaround.
If anyone could help me with this I would greatly appreciate it, I'm running out of time to complete this work and have run out of things to try.
I have an inkling that this is due to the Mac for some reason not reading the SRV records for the DCs and LDAP in DNS, or to do with the Mac looking only at one SRV record (ie. there is one for a new DC that we haven't deployed yet), not being able to reach this and giving up, but I'm clutching at straws really with my limited knowledge of the Macs process for joining the domain.
Many many thanks,Hi there,
A simple suggestion , please make sure both MacBook Pro clock and the server clock are the same meaning the hour/Min/ sec both should match. A least difference of 3 seconds is fine.
I had faced this problem in many place and only solution was to match the time and it will bind immediatly. -
Communication issues between domain controllers
Hi everyone,
I am experiencing some problems in communication between domain controllers in our organization
We have three domain controllers, one of them is a Windows 2003 server service pack 2 which is physical (controller A), another which is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) which is a Windows 2008
service pack 1 and is virtual.
I have problems with this last DC, it won't respond to pings, or DNS query. I can't Access it by remote desktop client even when it is enabled. I cannot update it, it prompts error messages if I try to do so.
This problems are solved if I reboot it, it will work fine some hours or days, but not much longer. I have checked event viewer and I didn't found any message about this.
I read some time ago it would be great to have a DC in a virtual machine, so I did it, but is it right?
Do you know what might be going on with it? would depromoting it and seting it up again the best solución?
Thank you very much.
Best regards.
David.This sounds like a NIC issue, which is odd since it is a virtual machine. Have you checked the host for any logs about the client?
I think the first thing I would do is destroy the current virtual NIC card and add a new one. Since this has nothing to do with Active Directory I would also suggest you post this in a forum of for the Host (VMWare or Hyper-V).
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.
Maybe you are looking for
-
I have ipad 3 & daughter new ipad mini with RD. She has nano and I have classic. Her nano syncs to her own laptop and mine to my desktop. I bought iTunes Match and authorised both iPads and both iPods. I have now enabled iTunes Match in my ipad and w
-
Smpatch in remote mode RMIERROR
Any thoughts on what am I missing here? I've tried this multiple ways. smpatch analyze runs fine in local mode on all machines I'm testing. I have not seen remote mode work once. (i) First scenario, I enabled wbem to accept remote connections. Then,
-
Differentiate between Items and Customer Items
Differentiate between Items and Customer Items pls try to give information about this thanx
-
White Balance - Eye Dropper and Monitor Calibration
Does the eye dropper correctly set the white point even if the monitor is not correctly calibrated? I do calibrate monthly with the XRite but I'm not sure that the calibration is perfect. I use a grey card, and the eye dropper in LR. So even though I
-
My IPAD Air won't swipe to access programs. How can I get into the IPAD?
I have an IPAD Air that won't swipe to turn on any of the programs. I can't access anything including the home screen. Is there a way to bypass the "swipe" to get in? Of course, the warranty just ended.