Shahid99 Posted August 7, 2012

Hello All,

How are you? I need your help with this migration I'm doing on my Domain Controller, from Windows Server 2003 to Windows Server 2008. Well, actually, I did the migration by following these steps: http://computech.in/2011/08/step-by-step-guide-to-migrate-and-move-roles-from-server-2003-domain-to-server-2008-r2-domain/

However, when I got to the last step I didn't demote the DC, so a few hours passed... all users couldn't access the network drives, and once they restarted their computers they couldn't log in. Here is the prompt they were receiving:

"The local policy of this system does not permit you to logon"

The new server became the global catalog, so everything got messed up (all because I didn't demote the DC (Windows Server 2003)). I removed the second domain controller, took off Active Directory and deleted the server from sites and trust.

Now I have just reinstalled the new server again (new machine, 2k8). If I want to follow the whole procedure again, will I be able to rerun adprep32 /forestprep? How can I rerun adprep? Please help me out!!!

Also, I didn't change the TCP/IP address from the old DC to the new DC... (the new DC 2k8 was just added to the domain with a different IP; I thought once I am done with everything I will bring down the main DC (2k3) and assign that address to the new DC (2k8)).

Thank You!!!

Tripredacus Posted August 7, 2012

"however, when i got to the last step all i didn't demote the DC, so few hrs passed...all users couldn't access the network drives and once they restarted their computer they couldn't log in:"

I don't think it is required for you to demote the old DC. If it has no roles it can just sit there. Last time I did a migration I did this... however, I left a role on the old DC because I got an error transferring it... and also put DNS on there.

BUT my question is this (since you aren't too clear on this): Were your users able to work properly during those few hours after the promo, but before they got the error?

Shahid99 Posted August 7, 2012

Yes, users were able to work properly during those few hours after the promo... but then all of a sudden this happened... Right now I'm trying to figure out how I can redo the whole process.

1. I can't run adprep32 /forestprep. This is the output:

C:\Documents and Settings\Administrator.VAKIFBANK-DC>cd \win2k8\support\adprep
C:\win2k8\support\adprep>adprep32 /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.
[user Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
c
Forest-wide information has already been updated.
[status/Consequence]
Adprep did not attempt to rerun this operation.

C:\win2k8\support\adprep>adprep32 /domainprep
Running domainprep ...
Domain-wide information has already been updated.
[status/Consequence]
Adprep did not attempt to rerun this operation.

C:\win2k8\support\adprep>adprep32 /domainprep /gpprep
Running domainprep ...
Domain-wide information has already been updated.
[status/Consequence]
Adprep did not attempt to rerun this operation.
No Group Policy Object (GPO) updates needed, or GPO information has already been updated.
[status/Consequence]
Adprep did not attempt to rerun this operation.

Oh, FYI:
Schema Version IS (47)
System Schema Version (31)

Tripredacus Posted August 7, 2012

"C:\win2k8\"

Are you using a custom install?

Also, what is the current Domain Functional Level?

Shahid99 Posted August 7, 2012

Yes, my current domain controller doesn't have a CD drive, so I downloaded the ISO for Win 2008 R2 and then extracted the content to C: Local drive\win2k8 (I created this folder) and extracted everything in here... so now the directory is "C:\win2k8\support\adprep".

Current domain functional level is: Windows Server 2003

Shahid99 Posted August 7, 2012

Should I go ahead and do dcpromo on Windows Server 2008 (new machine) and add it to an existing domain? ;)

allen2 Posted August 7, 2012

Most likely when you first tried, the policies didn't replicate properly, as the default GPOs from 2008 are a lot more restrictive than the 2003 ones. Before stopping the 2003 DC, transferring the roles or even allowing the new DC to authenticate users (using Active Directory Sites and Services), you need to be sure that everything is properly replicated on the new DC (login scripts/GPO = the whole sysvol). Also check that the 2008 DC policies after it is a computer member are set like the Windows 2003 DC.

Shahid99 Posted August 8, 2012

Allen,

Right now the new server (Windows Server 2008 R2) has been added to the domain (member server), so I can see the domain if I go to Administrative Tools\Active Directory Users and Computers. I can see policies, users, workstations, authentications, etc.

NOTE: I DIDN'T ADD THE 2008 R2 server to an existing server by (dcpromo) yet!!!

I'm so lost!! Please kindly tell me briefly the next step for this migration.

Once again: before, adprep32 ran successfully, but due to the problems which I stated above I had to reinstall Windows Server 2008 R2 from scratch. I deleted Active Directory, DNS zone, CNAME, etc.

Right now on Windows Server 2003 (Domain Controller):

schema version REG_DWORD 0x000002f (47)

When I ran metadata cleanup this is the output:

metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=exampleny,DC=com ("exampleny" (up there i see my old domain controller)
select operation target: list servers in site
No active site list.

I already removed the DNS zone and zone properties, and in AD Sites and Services I only see my domain controller.

Now, please, tell me what my next step should be (just to be on the safe side). I appreciate it!

allen2 Posted August 8, 2012

I would do the dcpromo on Windows 2008 R2 and set it as a DC without any roles and not GC, just add DNS server integration or do it manually (before if done manually), and create a dedicated site for the 2008 DC to disallow user authentication.

Then I would check if everything is still working properly for users and check if AD replications are working (should take one hour). Then check the policies on the 2008 DC and compare them with the Windows 2003 DC, as there might be a gap because policy models aren't stored in sysvol anymore. The next step would be checking if the 2008 DC allows clients to log on as usual (still using Active Directory Sites and Services, and use a small subnet for the test clients). Then set it as GC and then transfer roles with ntdsutil (of course, after each step check if there are side effects).

The usual problems are the policies, which you might need to recreate/reset entirely on the Windows 2008 R2 DC depending on the settings that were on the Windows 2003 DC, as compatibility isn't always there (and that was most likely the problem you already encountered).

Shahid99 Posted August 8, 2012

Alright Allen, I will try those steps in the meantime. When you say disallow user authentication, what do you mean by that?

allen2 Posted August 9, 2012

If you set the 2008 DC in Active Directory Sites and Services in another subnet, by putting it in another site and setting this site to only allow authentication of clients of a subnet you don't use for production or don't use at all, then no client should be able to use the 2008 DC.
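
The checks allen2 describes before the 2008 R2 DC authenticates users or takes over roles (replication, SYSVOL contents, policies), as an added PowerShell example that is not part of the original thread. The host names are placeholders, and it assumes the ActiveDirectory module, repadmin and secedit are available on the new DC.

```powershell
# Added example: read-only pre-cutover checks, run on the new 2008 R2 DC after dcpromo.
# $OldDC and $NewDC are placeholder host names (assumptions, not from the thread).
Import-Module ActiveDirectory
$OldDC = 'OLD-DC03'
$NewDC = 'NEW-DC08'

# AD cmdlets need Active Directory Web Services, so every query targets the 2008 R2 DC.
$domain = Get-ADDomain -Server $NewDC
$forest = Get-ADForest -Server $NewDC

# 1. Schema version as replicated to the new DC (47 = Windows Server 2008 R2).
$rootDse = Get-ADRootDSE -Server $NewDC
$schema  = Get-ADObject $rootDse.schemaNamingContext -Server $NewDC -Properties objectVersion
"Schema objectVersion : $($schema.objectVersion)"

# 2. FSMO role holders: all five should still be on the old DC until the final step.
"PDC / RID / Infra    : $($domain.PDCEmulator), $($domain.RIDMaster), $($domain.InfrastructureMaster)"
"Schema / Naming      : $($forest.SchemaMaster), $($forest.DomainNamingMaster)"

# 3. Replication: any link with a non-zero failure count means stop and investigate.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
"Replication links    : $(@($links).Count) total, $($failed.Count) failing"
$failed | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status'

# 4. SYSVOL/NETLOGON are only shared once the initial SYSVOL replication has finished.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    "\\$NewDC\$share present : $(Test-Path "\\$NewDC\$share")"
}

# 5. Compare GPO folders and their GPT.INI version line between the two DCs.
function Get-GpoVersion([string]$Dc) {
    Get-ChildItem "\\$Dc\SYSVOL\$($domain.DNSRoot)\Policies" |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $ini = Join-Path $_.FullName 'GPT.INI'
            $ver = Get-Content $ini -ErrorAction SilentlyContinue | Where-Object { $_ -match '^Version=' }
            "$($_.Name) $ver"
        }
}
$diff = Compare-Object (Get-GpoVersion $OldDC) (Get-GpoVersion $NewDC)
if ($diff) { $diff | Format-Table InputObject, SideIndicator } else { 'GPO folders and versions match' }

# 6. Export this DC's current logon user rights for comparison with the 2003 DC.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^Se\w*(Interactive|Network)LogonRight'
```

Running the same secedit export on the 2003 DC gives the file to compare step 6 against.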