
Ok so here's our setup:
We have 2 Windows 2003 Domain Controllers. I am trying to replace them with Windows 2008 R2.

The 2003 servers are named DC01 and DC02. The 2008 R2 servers are DC1 and DC2.

I prepared the Windows Server 2003 Forest Schema for a Domain Controller that runs Windows Server 2008 or Windows Server 2008 R2. Then, with both of the new servers up as member servers, I ran dcpromo on DC1 using the advanced option and added it successfully to my existing domain. Its roles are GC, DNS and Active Directory Domain Services. I transferred the PDC Emulator, RID Pool Manager, and Infrastructure Master roles to DC1. The Schema Master and Domain Naming Master are still on DC01.

The first issue that I'm encountering is when I dcpromo DC2 and select "Replicate data over the network from an existing domain controller". I select that I want to replicate from DC1 and I get the following error:

Failed to identify the requested replica partner (dc1.xxx.org) as a valid domain controller with a machine account for (DC2$). This is likely due to either the machine account not being replicated to this domain controller because of replication latency or the domain controller not advertising the Active Directory Domain Services. Please consider retrying the operation with \\dc01.xxx.org as the replica partner. "The server is unwilling to process the request."

Is this because the Schema Master and Domain Naming Master roles are still on the old DC01? And if so, if I transfer the Schema Master and Domain Naming Master roles to DC1, what is the risk of breaking my AD? I'm a little paranoid because this process HAS to be transparent. ANY down time or interruption will result in me getting a verbal ass kicking from my I.T. Director.

Both of the new servers' DNS settings point to the old DNS servers (DC01 and DC02), not to themselves, by the way.

Ben Campbell
Chris
  • Hmm, did you check if the directory data - especially the machine account for DC2 - has replicated to DC1? – the-wabbit Oct 25 '11 at 15:51
  • Umm. Not sure exactly how to do that, but there is a machine account in AD Users and Computers for DC2, if that's what you mean. Thanks for the help! – Chris Oct 27 '11 at 18:49
  • http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/08/upgrading-your-active-directory-to-windows-server-2008.aspx follow the steps in this blog. Also, I remember an issue with some of the domainprep and forestprep commands because I was running them on a 32bit system but moving to a 64bit system; I believe I had to run them from the CD on the 64bit system, but I am not 100% certain, it has been a while. – Jeff Nov 17 '11 at 18:46
  • I like how the warning message pleads with you. "*Please* consider doing this thing under the exact circumstances we planned for in our use cases." – Ryan Ries Mar 04 '14 at 04:22

1 Answer

It rather sounds like a strange replication or authentication problem. It certainly does not come from the domain naming and schema master roles not having been moved to the new DCs. I would advise against moving roles, as this truly might break something - although probably not permanently.

You should try the following steps:

  • remove DC2 from the domain, delete its machine account and re-join it
  • use the Windows Server 2003 netdiag and dcdiag tools on DC01 and DC02 to check for possible problems with network services configuration or directory services contents
  • use the Windows Server 2008 dcdiag tool to check for possible networking or directory problems on DC1
  • try temporarily disabling the firewall on DC1 and re-try replication (just in case your firewall rules got screwed up for some reason)
the-wabbit
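The comment above asks whether the DC2$ machine account has actually replicated to DC1, and the answer points at dcdiag; the following PowerShell script is an added example (not code from the question, the answer, or Microsoft) that answers that question from any domain member by querying each DC's own replica directly over LDAP, so it works against the Windows Server 2003 DCs too. The host names and the xxx.org domain are taken from the question; nothing else is assumed, since the domain DN and the DC's sync state are read from each server's RootDSE.

```powershell
# Added example: for each DC named in the question, report whether that DC's
# own replica contains the DC2$ machine account and whether the DC reports
# itself as synchronized (a DC that is not synchronized does not advertise
# as a domain controller, which is the second cause the error text lists).
$dcs     = 'dc01.xxx.org', 'dc02.xxx.org', 'dc1.xxx.org'   # from the question
$account = 'DC2$'   # sAMAccountName of the machine account named in the error

foreach ($dc in $dcs) {
    try {
        # RootDSE is readable without the AD Web Services that the
        # ActiveDirectory module needs, so this also works on the 2003 DCs.
        $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE")
        $domainDn = $rootDse.Properties['defaultNamingContext'].Value
        $synced   = $rootDse.Properties['isSynchronized'].Value
        $gcReady  = $rootDse.Properties['isGlobalCatalogReady'].Value

        # Bind the search to this specific DC so we see its copy of the
        # directory, not whichever DC the locator would otherwise hand us.
        $searchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$domainDn")
        $searcher   = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
        $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$account))"
        $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
        $hit = $searcher.FindOne()

        $accountDn = ''
        if ($hit -ne $null) { $accountDn = $hit.Properties['distinguishedname'][0] }

        New-Object PSObject -Property @{
            DC                 = $dc
            IsSynchronized     = $synced
            GlobalCatalogReady = $gcReady
            HasDC2Account      = ($hit -ne $null)
            AccountDN          = $accountDn
        }
    } catch {
        # An unreachable or non-responding DC is itself a finding.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# A DC that shows IsSynchronized=FALSE or HasDC2Account=False is the one to
# examine with the built-in tools the answer recommends, for example:
#   dcdiag /s:dc1.xxx.org /test:advertising
#   repadmin /showrepl dc1.xxx.org
```

If DC01 and DC02 return the account but DC1 does not, the error is the replication-latency case and retrying after convergence (or against DC01, as the message suggests) is the expected fix rather than a role transfer.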