New Primary Domain Controller won't start Active Directory unless Old DC is booted
I'm no Active Directory Wizard. Here's what I did:
- Old W2003 R2 PDC needed to be replaced with a new server
- Rolled out W2008R2 and used DCPromo to add it to the domain
- Due to some DNS issues, had a little problem with replication, but set up DNS on the new server, had them both pointing to it, and replication doesn't seem to have any errors.
- Rebuilt all the group policies etc.
- Raised the function level of the Forest and Domain to Server 2003
- Used all the GUI tools to change every role in all the different Active Directory components to New Server
- As far as I can tell, from all the instructions on the web, the New Server is the PDC
The problem:
- When Old Server is running, everything is fine. However, when it's not running and New Server boots, it won't load Active Directory and bootup pauses for 10 minutes+ with some error about being unable to contact the PDC emulator or something (more details available on request, I'm just not on site atm).
I need to get the New Server acting properly as the PDC so I can decommission (DCPromo) the old server and get rid of it. Because it's SBS, it keeps threatening to shut down because there can't be two servers in AD with SBS licensing.
Roles:
Server "commlec.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL
Naming Master - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL
PDC - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL
RID - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL
Infrastructure - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=DFSN,CN=Sites,CN=Configuration,DC=COMMLEC,DC=LOCAL
Possibly relevant Event Log entries (keep in mind these seem to only happen when the New Server is rebooted with the Old Server powered down):
Warning DNS Client 1014
Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.COMMLEC.LOCAL timed out after none of the configured DNS servers responded.
Error DfsSvc 14550
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
Warning DNS Client 1014
Name resolution for the name _ldap._tcp.COMMLEC.LOCAL timed out after none of the configured DNS servers responded.
Error DHCP Server 1059
The DHCP service failed to see a directory server for authorization.
Info DHCP Server 1044
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain COMMLEC.LOCAL, has determined that it is authorized to start. It is servicing clients now.
Error DfsSvc 14550
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
That's the last error; the server then begins operating normally. There are a few more misc errors about being unable to register the server's resources in DNS (which won't start because it's decided it has no AD information), Group Policy failing with no domain server, and WinRM not creating SPNs (whatever that is).
Active Directory replication isn't ready yet, and your new domain controller isn't a domain controller unless event ID 13516 is logged and sysvol and netlogon are shared (sysvol replication has finished). Here are a few steps to take:
- With NSLookup, check whether your new DC can resolve the domain name, itself, and the old DC. Check both forward and reverse lookup.
- Run repadmin /kcc
- Wait a few minutes
- Run repadmin /syncall
- Wait a few minutes
- If event ID 13516 is not logged, run dcdiag and post the output. Also post any error messages that occur while performing these steps.
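The steps above, and the DNS Client 1014 / FRS 13516 checks the question's event log points at, as one PowerShell health check to run on the new DC. This is an added example, not code from the answer or from Microsoft; it assumes the ActiveDirectory RSAT module plus Resolve-DnsName (Windows 8 / Server 2012 or later, so it will not run unchanged on the 2008 R2 box itself), and it assumes SYSVOL is still FRS-replicated (2003 functional level), which is why it looks for 13516 in the "File Replication Service" log. The domain and site names are the ones in the question; OLDSERVER is an assumed placeholder for the SBS 2003 host.

```powershell
# Added example (not from the original answer): walk the diagnostic steps above.
param(
    [string]$Domain = 'COMMLEC.LOCAL',            # from the question
    [string]$Site   = 'Default-First-Site-Name',  # from the question's 1014 event
    [string]$OldDc  = 'OLDSERVER'                 # assumed placeholder for the SBS 2003 host
)
Import-Module ActiveDirectory

function Test-SrvRecord {
    param([string]$Name)
    # SRV lookups are what a DC/client uses to locate a DC; these are the names that timed out.
    $rec = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue
    if ($rec) { "OK   $Name -> $($rec.NameTarget -join ', ')" }
    else      { "FAIL $Name (no answer from the configured DNS servers)" }
}

# Step 1: forward lookups for the locator records, then A/PTR for both DCs.
Test-SrvRecord "_ldap._tcp.$Domain"
Test-SrvRecord "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
Test-SrvRecord "_kerberos._tcp.$Domain"
Test-SrvRecord "_gc._tcp.$Domain"

foreach ($h in @($env:COMPUTERNAME, $OldDc)) {
    $a = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
    if (-not $a) { "FAIL A   $h"; continue }
    "OK   A   $h -> $($a.IPAddress -join ', ')"
    foreach ($ip in $a.IPAddress) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        if ($ptr) { "OK   PTR $ip -> $($ptr.NameHost -join ', ')" } else { "FAIL PTR $ip" }
    }
}

# Steps 2-5: recompute the replication topology, then sync every partition.
repadmin /kcc
Start-Sleep -Seconds 120
repadmin /syncall /APed    # /A all partitions, /P push, /e cross-site, /d show DNs not GUIDs
Start-Sleep -Seconds 120

# Step 6: has SYSVOL replication finished? FRS logs 13516 when the DC starts advertising.
$ready = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516 } `
                      -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ready) {
    "OK   FRS 13516 logged at $($ready.TimeCreated)"
    net share | Select-String 'SYSVOL|NETLOGON'     # both shares should now be present
} else {
    "FAIL FRS 13516 not logged yet; SYSVOL/NETLOGON will not be shared"
}

# Which DC holds each FSMO role (same information as the ntdsutil listing in the question).
$d = Get-ADDomain $Domain
$f = Get-ADForest
[pscustomobject]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
} | Format-List

# Step 7: full diagnostics to post if 13516 is still missing.
dcdiag /v /c
```

Run it with the old DC powered on first so the lookups have a chance of succeeding; a FAIL on the SRV lines with the old DC off is exactly the symptom the question's DNS Client 1014 events describe, and it means the new DC's own DNS zone is not yet authoritative for the locator records.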
Put the following code in a .bat-file:
REM Run this on the new DC; it asks for a DC name, then lists the FSMO role holders.
set /p DC=Please provide the name of a domain controller:
ECHO.
REM The trailing Quit Quit commands leave ntdsutil's sub-menus so the script exits.
Ntdsutil roles Connections "Connect to server %DC%" Quit "select Operation Target" "List roles for connected server" Quit Quit
pause
And run it (best chances of success while running it on the new DC). It will ask you for some permissions and a prompt should open. Can you paste the contents in your question?
It might be that not all FSMO roles were transferred.
OMG Solved - this is designed behaviour.
Because SBS is licensed for 1 server in a domain, Server 2008 attempts to contact it and refuses to boot or operate properly without it, even though 2008 has all FSMO roles and the Global Catalogue.
To solve this problem you need to Demote the SBS 2003 server, and verify all SBS 2003 entries in DNS and Sites/Services etc have been removed or converted to a computer account.
My thinking was: After setting up the 2008 server and transferring the FSMO roles, turn off the 2003 server to verify everything is happy, before demoting it and then destroying it.
Reality is: You get no chance to test the transfer with SBS 2003. Once the roles are transferred you have to demote SBS 2003 before 2008 will work.
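The verification the accepted solution calls for (after demoting the SBS 2003 server, confirm nothing in DNS or Sites and Services still advertises it as a DC), as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory and DnsServer RSAT modules (Windows 8 / Server 2012 or later); OLDSERVER is an assumed placeholder for the demoted host, and the domain name is the one from the question.

```powershell
# Added example (not from the original answer): post-demotion leftover check.
param(
    [string]$OldDc  = 'OLDSERVER',     # assumed placeholder for the demoted SBS 2003 host
    [string]$Domain = 'COMMLEC.LOCAL'  # from the question
)
Import-Module ActiveDirectory, DnsServer

$cfg = (Get-ADRootDSE).configurationNamingContext

# 1. Sites and Services: the server object should be gone, or at least have no NTDS Settings.
$srv = Get-ADObject -SearchBase "CN=Sites,$cfg" `
                    -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" -ErrorAction SilentlyContinue
if (-not $srv) {
    "OK   no server object for $OldDc under Sites"
} else {
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) { "FAIL $OldDc still has NTDS Settings: $($ntds.DistinguishedName)" }
    else       { "WARN empty server object remains, safe to delete: $($srv.DistinguishedName)" }
}

# 2. It should no longer be listed as a DC, only (if at all) as a plain computer account.
if     (Get-ADDomainController -Filter "Name -eq '$OldDc'") { "FAIL $OldDc is still listed as a DC" }
elseif (Get-ADComputer         -Filter "Name -eq '$OldDc'") { "OK   $OldDc is a plain computer account" }
else                                                         { "OK   $OldDc has no computer account" }

# 3. DNS: no SRV or NS record in the domain or _msdcs zone should still point at it.
#    (_msdcs may be a delegated sub-zone rather than its own zone; the error action covers that.)
$stale = foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$OldDc.*") -or
            ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$OldDc.*")
        } | Select-Object @{ n = 'Zone'; e = { $zone } }, HostName, RecordType
}
if ($stale) { "FAIL stale DNS records still reference ${OldDc}:"; $stale | Format-Table -AutoSize }
else        { "OK   no SRV/NS records reference $OldDc" }
```

Anything reported as FAIL here is what would keep the 2008 server trying to reach the old box on boot; a leftover server object with no NTDS Settings is harmless but can be deleted from Sites and Services to keep the configuration partition tidy.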