| Author | Messages | |
bwatson
Posts:0
 | | 12/10/2008 5:07 PM |
| Sorry to hit the list with such a lengthy issue, but I wanted to give all the relevant info. This one has me really scratching my head.
We currently run a single Windows 2003 R2 domain and forest. The domain and forest are running in Windows 2003 DFL/FFL. We have 9 sites and 10 domain controllers.
In an effort to test an upgrade to a full Windows 2008 Domain/Forest I created a replica of our domain by utilizing VMware.
Without going into the steps I took to do this (I can detail them if you'd like so you can see if everything is kosher), I ended up with a replica of our domain running on a single Windows 2003 R2 Domain Controller virtual machine. I performed a metadata cleanup and shaved the domain down to just a single site for now. Then I promoted in another Windows Server 2003 R2 virtual machine and the domain controller promotion went just fine. So I'm left with...
Two domain controllers that contain all the data of our production domain running in a single domain, single forest, and single site.
One domain controller holds all the FSMO roles, both are DNS servers, and both are global catalog servers. DC2 is pointed to DC1 as the primary DNS server, and DC1 is pointed at itself for DNS as the primary. Netdiag and DCDiag come up completely clean, replication is working fine between the two domain controllers and everything appears to be healthy.
I was able to perform the adprep /forestprep and /domainprep without issue. I ran into what sounds to be the typical issue when trying to do the adprep /rodcprep portion and I had to delete the forestdnszones and domaindnszones partitions. Once I did this, adprep /rodcprep carried along just fine.
Things began to really go wrong when I attempted to promote in my first Windows Server 2008 Domain Controller. I first joined it to the domain as a member server. This went fine. Then I began the dcpromo process, and while it appeared as though it was carrying along fine, when it reached the end, it said it couldn't replicate the information and if there was another available domain controller that it would attempt to replicate again after the reboot.
After the reboot, I logged in with my domain administrator account, and none of the MMCs would work. It complained of me not having appropriate permissions to launch these MMCs such as ADUC, and Sites and Services. None would launch.
I then logged in with the built-in domain administrator account, and with this account, I was able to launch all the MMCs and look at stuff. So I go into the Sites and Services MMC and try to force replication from the 2008 DC to the 2003 DC to see what happens, and this is the error I get...
The following error occurred during the attempt to synchronize naming context appsig.com from Domain Controller 2003DC2 to Domain Controller 2008DC1: The replication operation failed because of a schema mismatch between the servers involved.
However when I go into Sites and Services and attempt to force replication from either of the 2003 DCs to the 2008 DC, that direction of replication works fine.
It looks like all the DNS entries for the 2008DC are in place in the 2003 DCs' DNS.
Any thoughts on this sort of behavior? Any place I should start looking first for an answer?
Thanks,
~Ben
________________________________________
Want to know how to annoy your co-workers? <http://abcnews.go.com/print?id=5351908>
| | | |
| Gil
Posts:311
 | | 12/10/2008 5:11 PM |
| Event logs?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Wednesday, December 10, 2008 3:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain 2008 Upgrade issues
| | | |
| bdesmond
Posts:977
 | | 12/10/2008 5:17 PM |
| DNS issue maybe?
As far as the rodcprep, there's a KB on this. Basically there is an infrastructure FSMO of sorts for app NCs that isn't maintained. RODCPrep verifies this. You just have to change the DN of the FSMO for each app NC to a valid DC. There's a script in the KB to do it for you if you want.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
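The check described in the reply above, as an added example that is not part of the thread and is not the KB script it mentions: it reads the `fSMORoleOwner` attribute on the `CN=Infrastructure` object of the DomainDnsZones and ForestDnsZones application partitions and reports an owner that is missing or points at a deleted DC. The function name `Test-AppNcInfrastructureOwner` is hypothetical; the code only reads and changes nothing.

```powershell
# Added example, not the KB script mentioned in the thread. Read-only.
# Test-AppNcInfrastructureOwner is a hypothetical name.
function Test-AppNcInfrastructureOwner {
    param(
        # DC to query; when omitted, the DC locator picks one.
        [string]$Server
    )

    $prefix = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }

    $rootDse  = [ADSI]"${prefix}RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext
    $forestDn = [string]$rootDse.rootDomainNamingContext

    # The two default DNS application partitions named in the thread.
    $appNcs = "DC=DomainDnsZones,$domainDn", "DC=ForestDnsZones,$forestDn"

    foreach ($nc in $appNcs) {
        $path   = "${prefix}CN=Infrastructure,$nc"
        $owner  = $null
        $status = 'OK'
        try {
            if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
                # Partition (or its Infrastructure object) is absent.
                $status = 'Infrastructure object not found'
            } else {
                $owner = [string]([ADSI]$path).fSMORoleOwner
                if (-not $owner) {
                    $status = 'fSMORoleOwner is empty'
                } elseif ($owner -match '\\0ADEL:') {
                    # A deleted object carries "\0ADEL:<guid>" in its RDN,
                    # so the role owner is a DC that no longer exists.
                    $status = 'Owner refers to a deleted DC'
                } elseif (-not [System.DirectoryServices.DirectoryEntry]::Exists("${prefix}$owner")) {
                    $status = 'Owner DN does not resolve'
                }
            }
        } catch {
            $status = "Query failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Partition = $nc
            RoleOwner = $owner
            Status    = $status
        }
    }
}

Test-AppNcInfrastructureOwner | Format-List
```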
| bwatson
Posts:0
 | | 12/10/2008 5:23 PM |
| Brian - I checked in DNS to see if all the entries were listed for the new 2008DC and everything seemed to be there.
What's odd is that the promotion of the second 2003 DC went just fine. The domain seems to have a real problem with the promotion of a 2008 DC and complains of schema issues.
I was able to work through the rodcprep portion by just removing the two application partitions. There was no data in there anyway and I was able to recreate the default application partitions afterwards without issue.
Gil - The 2003DCs have event log entries basically saying the same thing I said in my initial email. As for the 2008DC, its event logs are filled with numerous errors; I would have to literally export the event log and attach them to this email to give anyone a decent look at them.
| | | |
| PARRIS
Posts:291
 | | 12/10/2008 5:25 PM |
| This KB has a couple of pointers in it, which may be worth checking out.
http://support.microsoft.com/?id=838179
Regards,
Mark Parris
Base IT Ltd. Active Directory & Infrastructure Management Consultancy
Tel: 01372 740373 Mob: 07801 690596
Registered in England and Wales. Number 3540460. Registered Office: 35 Ballards Lane, London, N3 1XW, England.
| | | |
| Gil
Posts:311
 | | 12/10/2008 5:27 PM |
| I'd look at the first handful of errors and see what they indicated.
DCDIAG is a thought as well.
| | | |
| PARRIS
Posts:291
 | | 12/10/2008 5:46 PM |
| Just a thought - what version of the Schema do the existing DCs report?
13 - Windows 2000 Server
30 - Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 - Windows Server 2003 R2
44 - Windows Server 2008 RTM
Regards,
Mark Parris
Base IT Ltd. Active Directory & Infrastructure Management Consultancy
Tel: 01372 740373 Mob: 07801 690596
Registered in England and Wales. Number 3540460. Registered Office: 35 Ballards Lane, London, N3 1XW, England.
| | | |
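One way to answer the schema-version question above for every DC at once, as an added example that is not part of the thread: it binds to each DC by name, reads `objectVersion` from the head of that DC's schema naming context, labels it with the table from the post, and reports whether the DCs disagree. The function name `Get-DcSchemaVersion` is hypothetical, and the two DC names in the sample call are the ones that appear in the thread's error message.

```powershell
# Added example, not from the thread. Read-only.
# Version-to-release map taken from the table in the post above.
$schemaReleases = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003 RTM / SP1 / SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008 RTM'
}

# Get-DcSchemaVersion is a hypothetical name.
function Get-DcSchemaVersion {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$DomainController
    )

    foreach ($dc in $DomainController) {
        $version = $null
        $release = $null
        $err     = $null
        try {
            # Bind to this specific DC so each one reports its own copy.
            $rootDse  = [ADSI]"LDAP://$dc/RootDSE"
            $schemaNc = [string]$rootDse.schemaNamingContext
            if (-not $schemaNc) { throw "no schemaNamingContext returned" }

            $schema  = [ADSI]"LDAP://$dc/$schemaNc"
            $version = [int][string]$schema.objectVersion

            if ($schemaReleases.ContainsKey($version)) {
                $release = $schemaReleases[$version]
            } else {
                $release = 'not in the table above'
            }
        } catch {
            $err = $_.Exception.Message
        }

        [pscustomobject]@{
            DomainController = $dc
            SchemaVersion    = $version
            Release          = $release
            Error            = $err
        }
    }
}

# DC names as they appear in the error message quoted in the thread.
$results = @(Get-DcSchemaVersion -DomainController '2003DC2', '2008DC1')
$results | Format-Table -AutoSize

# More than one distinct version among the DCs that answered means the
# schema partition has not converged between them.
$distinct = @($results | Where-Object { -not $_.Error } |
    Select-Object -ExpandProperty SchemaVersion -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "DCs report different schema versions: $($distinct -join ', ')"
} elseif ($distinct.Count -eq 1) {
    Write-Output "All responding DCs report schema version $($distinct[0])."
}
```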
| bwatson
Posts:0
 | | 12/10/2008 6:40 PM |
| Mark - Both 2003 DCs are showing as Schema version 44 and so is the problematic 2008 DC.
Gil - DCDiag on both of the 2003 DCs continues to come up clean with only a single error stating that it found a SYSVOL replication error in the event log.
As for the DCDiag on the 2008 DC, it fails the Advertising test stating that the directory service on the 2008DC has not finished initializing. So to summarize, it is saying it cannot function as a domain controller yet until it completes this initial synchronization.
After the Advertising test, it repeats the same errors in the event logs over and over about replication not being able to complete due to an "Active Directory Domain Services schema mismatch".
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mark Parris (Lists) Sent: Wednesday, December 10, 2008 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues
Just a thought - what version of the Schema do the existing DCs report?
13 - Windows 2000 Server
30 - Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 - Windows Server 2003 R2
44 - Windows Server 2008 RTM
Regards,
Mark Parris
Base IT Ltd. Active Directory & Infrastructure Management Consultancy
Tel: 01372 740373 Mob: 07801 690596
Registered in England and Wales. Number 3540460. Registered Office: 35 Ballards Lane, London, N3 1XW, England.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: 10 December 2008 22:20 To: ActiveDir@mail.activedir.org Subject: AD: RE: [ActiveDir] Domain 2008 Upgrade issues
Brian - I checked in DNS to see if all the entries were listed for the new 2008DC and everything seemed to be there.
What's odd is that the promotion of the second 2003 DC went just fine. The domain seems to have a real problem with the promotion of a 2008 DC and complains of schema issues.
I was able to work through the rodcprep portion by just removing the two application partitions. There was no data in there anyway and I was able to recreate the default application partitions afterwards without issue.
Gil - The 2003DCs have event log entries basically saying the same thing I said in my initial email. As for the 2008DC, its event logs are filled with numerous errors; I would have to literally export the event log and attach them to this email to give anyone a decent look at them.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Wednesday, December 10, 2008 2:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
DNS issue maybe?
As far as the rodcprep, there's a KB on this. Basically there is an infrastructure FSMO of sorts for app NCs that isn't maintained. RODCPrep verifies this. You just have to change the DN of the FSMO for each app NC to a valid DC. There's a script in the KB to do it for you if you want.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Wednesday, December 10, 2008 4:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain 2008 Upgrade issues
Sorry to hit the list with such a lengthy issue, but I wanted to give all the relevant info. This one has me really scratching my head.
We currently run a single Windows 2003 R2 domain and forest. The domain and forest are running in Windows 2003 DFL/FFL. We have 9 sites and 10 domain controllers.
In an effort to test an upgrade to a full Windows 2008 Domain/Forest I created a replica of our domain by utilizing VMWare.
Without going into the steps I took to do this (I can detail them if you'd like so you can see if everything is kosher), I ended up with a replica of our domain running on a single Windows 2003 R2 Domain Controller virtual machine. I performed a metadata cleanup and shaved the domain down to just a single site for now. Then I promoted in another Windows Server 2003 R2 virtual machine and the domain controller promotion went just fine. So I'm left with...
Two domain controllers that contain all the data of our production domain running in a single domain, single forest, and single site.
One domain controller holds all the FSMO roles, both are DNS server, and both are global catalog servers. DC2 is pointed to DC1 as the primary DNS server, and DC1 is pointed at itself for DNS as the primary. Netdiag and DCDiag come up completely clean, replication is working fine between the two domain controllers and everything appears to be healthy.
I was able to perform the adprep /forestprep and /domainprep without issue. I ran into what sounds to be the typical issue when trying to do the adprep /rodcprep portion and I had to delete the forestdnszones and domaindnszones partition. Once I did this, adprep /rodcprep carried along just fine.
Things began to really go wrong when I attempted to promote in my first Windows Server 2008 Domain Controller. I first joined it to the domain as a member server. This went fine. Then I began the dcpromo process, and while it appeared as though it was carrying along fine, when it reached the end, it said it couldn't replicate the information and if there was another available domain controller that it would attempt to replicate again after the reboot.
After the reboot, I logged in with my domain administrator account, and none of the MMCs would work. It complained of me not having appropriate permissions to launch these MMCs such as ADUC, and Sites and Services. None would launch.
I then logged in with the built-in domain administrator account, and with this account, I was able to launch all the MMCs and look at stuff. So I go into the Sites and Services MMC and try to force replication from the 2008 DC to the 2003 DC to see what happens, and this is the error I get...
The following error occurred during the attempt to synchronize naming context appsig.com from Domain Controller 2003DC2 to Domain Controller 2008DC1: The replication operation failed because of a schema mismatch between the servers involved.
However when I go into Sites and Services and attempt to force replication from either of the 2003 DCs to the 2008 DC, that direction of replication works fine.
It looks like all the DNS entries for the 2008DC are in place in the 2003DCs DNS.
Any thoughts on this sort of behavior? Any place I should start looking first for an answer?
Thanks,
~Ben
| | | |
| bwatson
Posts:0
 | | 12/11/2008 12:52 PM |
| I found an event log entry on the 2008 DC that is pointing at a user account that for whatever reason is presenting an issue.
EventID: 1203 - Level: Warning
The Directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
Object:
CN=RandomUserAccount,....
Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition.
Directory partition:
DC=appsig,DC=com
I'm trying to figure out why promoting in a Windows 2003 R2 Domain Controller presents no issues, but a Windows 2008 Domain Controller does.
Also, what is the lowest time that you can set the tombstone lifetime to? Can it be set down to 1 day? For some reason I thought I remembered that the lowest value can only actually be 2 days. I'd like to get this user account purged as quickly as possible so I can continue testing.
Thanks,
~Ben
| | | |
| dloder
Posts:131
 | | 12/11/2008 2:27 PM |
| How do you normally promo?
IFM?
IFM does not do object level replication. The DIT is taken intact so all objects are already present and are not evaluated by the replication engine.
Take a metadata dump of the object and you likely have some unknown attribute values on the object.
We experienced that in a test forest once. If the invalid object[s] is[are] only on one DC, demote it. Otherwise, the only way to recover is to delete the invalid objects and have their tombstone flushed. Then normal replication-based promo will start working.
IFM is nice, but this is its true risk. We use IFM strictly for forest DR recovery plans where speed is more important than DIT integrity checks.
2 days is minimum TSL.
Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues Date: Thu, 11 Dec 2008 09:48:49 -0800 From: bwatson@appsig.com To: ActiveDir@mail.activedir.org
I found an event log entry on the 2008 DC that is pointing at a user account that for whatever reason is presenting an issue.
EventID: 1203 – Level: Warning
The Directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
Object: CN=RandomUserAccount,….
Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition. Directory partition: DC=appsig,DC=com
I’m trying to figure out why promoting in a Windows 2003 R2 Domain Controller presents no issues, but a Windows 2008 Domain Controller does.
Also, what is the lowest time that you can set the tombstone lifetime to? Can it be set down to 1 day? For some reason I thought I remembered that the lowest value can only actually be 2 days. I’d like to get this user account purged as quickly as possible so I can continue testing.
Thanks, ~Ben
| | | |
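The two checks raised in the replies above (the schema version each DC reports, and a metadata dump of the object named in event 1203), as an added PowerShell example that is not part of the thread. The host name 2003DC1, the object DN and the assumed row layout of the repadmin output are assumptions; 2003DC2, 2008DC1 and DC=appsig,DC=com come from the posts.

```powershell
# Added example, not from the thread. Run from a domain-joined admin workstation.
# ASSUMPTIONS: '2003DC1' and the object DN are placeholders for illustration.
$DomainControllers = '2003DC1', '2003DC2', '2008DC1'
$ObjectDn          = 'CN=ExampleUser,CN=Users,DC=appsig,DC=com'   # constructed DN
$OutDir            = Join-Path $env:TEMP 'objmeta'

# objectVersion values as listed in Mark Parris's reply.
$SchemaVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003 RTM / SP1 / SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008 RTM'
}

function Get-SchemaVersion {
    param([Parameter(Mandatory = $true)][string]$Server)
    # Bind to the named DC so each replica is read, not whichever DC the locator picks.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = [string]$rootDse.schemaNamingContext
    $schema   = [ADSI]"LDAP://$Server/$schemaNc"
    return [int][string]$schema.objectVersion
}

function Get-TombstoneLifetime {
    param([Parameter(Mandatory = $true)][string]$Server)
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $dsSvc    = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = [string]$dsSvc.tombstoneLifetime
    if ($value) { return [int]$value }
    return $null   # attribute not set: the built-in default applies
}

function Get-ObjectMetaAttributes {
    param([string]$Server, [string]$Dn, [string]$SaveTo)
    # Keep the raw dump for later reading, then pull out just the attribute names.
    $raw = & repadmin.exe /showobjmeta $Server $Dn
    $raw | Set-Content -Path $SaveTo
    # ASSUMPTION about repadmin's layout: each metadata row starts with the
    # local USN and ends with the attribute name.
    $raw | ForEach-Object {
        if ($_ -match '^\s*\d+\s+.*\s(\S+)\s*$') { $Matches[1] }
    } | Sort-Object -Unique
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Schema version per DC, and the attribute list of the object on each replica.
$attrsByDc = @{}
foreach ($dc in $DomainControllers) {
    $ver = Get-SchemaVersion -Server $dc
    $os  = if ($SchemaVersions.ContainsKey($ver)) { $SchemaVersions[$ver] } else { 'not in the list above' }
    Write-Output ('{0}: schema objectVersion {1} ({2})' -f $dc, $ver, $os)
    $dump = Join-Path $OutDir ('{0}.txt' -f $dc)
    $attrsByDc[$dc] = @(Get-ObjectMetaAttributes -Server $dc -Dn $ObjectDn -SaveTo $dump)
}

# 2. Attributes stamped on the object on one replica but not on the reference DC.
$reference = $DomainControllers[0]
foreach ($dc in $DomainControllers | Select-Object -Skip 1) {
    if ($attrsByDc[$reference].Count -eq 0 -or $attrsByDc[$dc].Count -eq 0) {
        Write-Output ('{0}: no metadata rows to compare (object missing on one side)' -f $dc)
        continue
    }
    $diff = Compare-Object -ReferenceObject $attrsByDc[$reference] -DifferenceObject $attrsByDc[$dc]
    if (-not $diff) {
        Write-Output ('{0}: same attribute set as {1}' -f $dc, $reference)
        continue
    }
    foreach ($d in $diff) {
        $where = if ($d.SideIndicator -eq '=>') { $dc } else { $reference }
        Write-Output ('{0}: attribute present only on {1}' -f $d.InputObject, $where)
    }
}

# 3. Tombstone lifetime in days, which bounds how soon deleted objects are purged.
$tsl = Get-TombstoneLifetime -Server $reference
if ($null -eq $tsl) {
    Write-Output 'tombstoneLifetime is not set; the default applies'
} else {
    Write-Output ('tombstoneLifetime: {0} days' -f $tsl)
}
```

The raw dumps are left in the output directory so that the per-attribute version and originating-DSA columns can be read alongside the name comparison.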
| bwatson
Posts:0
 | | 12/11/2008 6:49 PM |
| I normally promo by running dcpromo on a machine that was freshly installed from scratch and is already joined to the domain. I let the dcpromo process go ahead and replicate the schema, configuration and domain partitions. I never skip that process.
Is there something about that process that I should change? After all, like I said earlier in the emails, the promotions of the 2003 server went without a hitch. It's the 2008 server that is having a major problem with all this for some reason.
Well, it turns out that the issue is not just with a single user account.
I delete the user account in question, push replication, and replication fails on another user account. Follow the same process, and I get an error on another account.
At first, I thought I may have found something in common with all of these user accounts: the event log would only complain of disabled user accounts. User accounts that had been disabled for quite some time. So since I was dealing with a replica of my production domain, I just went ahead and purged all the disabled user accounts.
Now the event log errors that are cropping up are pointing to active user accounts that have schema issues.
How can I determine whether there is a schema issue with the way the User object is defined in the schema?
I just find it strange that the ADPREP portion of the 2008 upgrade went perfectly fine. A Windows 2003 server can be promoted to a DC just fine. But a Windows 2008 promotion completely bombs big time.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Thursday, December 11, 2008 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
How do you normally promo?
IFM?
IFM does not do object level replication. The DIT is taken intact so all objects are already present and are not evaluated by the replication engine.
Take a metadata dump of the object and you likely have some unknown attribute values on the object.
We experienced that in a test forest once. If the invalid object[s] is[are] only on one DC, demote it. Otherwise, the only way to recover is to delete the invalid objects and have their tombstone flushed. Then normal replication-based promo will start working.
IFM is nice, but this is its true risk. We use IFM strictly for forest DR recovery plans where speed is more important than DIT integrity checks.
2 days is minimum TSL.
| | | |
| Gil
Posts:311
 | | 12/11/2008 7:44 PM |
| Any chance that the ADPREP was from a different version of WS08 (e.g. an RC or something)?
FWIW, I always promo a non-domain-joined machine, but I can't believe that has anything to do with it.
-g
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Thursday, December 11, 2008 4:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
I normally promo by running dcpromo on a machine that was freshly installed from scratch and is already joined to the domain. I let the dcpromo process go ahead and replicate the schema, configuration and domain partitions. I never skip that process.
Is there something about that process that I should change? After all, like I said earlier in the emails, the promotions of the 2003 server went without a hitch. It's the 2008 server that is having a major problem with all this for some reason.
Well, it turns out that the issue is not just with a single user account.
I delete the user account in question, push replication, and replication fails on another user account. Follow the same process, and I get an error on another account.
At first, I thought I may have found something in common with all of these user accounts: the event log would only complain of disabled user accounts. User accounts that had been disabled for quite some time. So since I was dealing with a replica of my production domain, I just went ahead and purged all the disabled user accounts.
Now the event log errors that are cropping up are pointing to active user accounts that have schema issues.
How can I determine whether there is a schema issue with the way the User object is defined in the schema?
I just find it strange that the ADPREP portion of the 2008 upgrade went perfectly fine. A Windows 2003 server can be promoted to a DC just fine. But a Windows 2008 promotion completely bombs big time.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Thursday, December 11, 2008 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
How do you normally promo?
IFM?
IFM does not do object level replication. The DIT is taken intact so all objects are already present and are not evaluated by the replication engine.
Take a metadata dump of the object and you likely have some unknown attribute values on the object.
We experienced that in a test forest once. If the invalid object[s] is[are] only on one DC, demote it. Otherwise, the only way to recover is to delete the invalid objects and have their tombstone flushed. Then normal replication-based promo will start working.
IFM is nice, but this is its true risk. We use IFM strictly for forest DR recovery plans where speed is more important than DIT integrity checks.
2 days is minimum TSL.
________________________________
Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues Date: Thu, 11 Dec 2008 09:48:49 -0800 From: bwatson@appsig.com To: ActiveDir@mail.activedir.org
I found an event log entry on the 2008 DC that is pointing at a user account that for whatever reason is presenting an issue.
EventID: 1203 - Level: Warning
The Directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
Object:
CN=RandomUserAccount,....
Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition.
Directory partition:
DC=appsig,DC=com
I'm trying to figure out why promoting in a Windows 2003 R2 Domain Controller presents no issues, but a Windows 2008 Domain Controller does.
Also, what is the lowest time that you can set the tombstone lifetime to? Can it be set down to 1 day? For some reason I thought I remembered that the lowest value can only actually be 2 days. I'd like to get this user account purged as quickly as possible so I can continue testing.
Thanks,
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mark Parris (Lists) Sent: Wednesday, December 10, 2008 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues
Just a thought - what version of the Schema do the existing DCs report?
* 13 - Windows 2000 Server
* 30 - Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
* 31 - Windows Server 2003 R2
* 44 - Windows Server 2008 RTM
Regards,
Mark Parris
Base IT Ltd. Active Directory & Infrastructure Management Consultancy
Tel: 01372 740373 Mob: 07801 690596
Registered in England and Wales. Number 3540460. Registered Office: 35 Ballards Lane, London, N3 1XW, England.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: 10 December 2008 22:20 To: ActiveDir@mail.activedir.org Subject: AD: RE: [ActiveDir] Domain 2008 Upgrade issues
Brian - I checked in DNS to see if all the entries were listed for the new 2008DC and everything seemed to be there.
What's odd is that the promotion of the second 2003 DC went just fine. The domain seems to have a real problem with the promotion of a 2008 DC and complains of schema issues.
I was able to work through the rodcprep portion by just removing the two application partitions. There was no data in there anyway and I was able to recreate the default application partitions afterwards without issue.
Gil - The 2003DCs have event log entries basically saying the same thing I said in my initial email. As for the 2008DC, its event logs are filled with numerous errors; I would have to literally export the event log and attach them to this email to give anyone a decent look at them.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Wednesday, December 10, 2008 2:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
DNS issue maybe?
As far as the rodcprep, there's a KB on this. Basically there is an infrastructure FSMO of sorts for app NCs that isn't maintained. RODCPrep verifies this. You just have to change the DN of the FSMO for each app NC to a valid DC. There's a script in the KB to do it for you if you want.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
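The schema-version question raised in the thread can be answered per domain controller by reading `objectVersion` from each DC's own copy of the schema partition. The script below is an added example, not something posted by anyone in the thread; the name `2003DC1` and the function name `Get-DcSchemaVersion` are assumptions, and it assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. 2003DC2 and 2008DC1 are the names in the
# quoted error message; 2003DC1 is an assumed name for the other 2003 DC.
$DomainControllers = '2003DC1', '2003DC2', '2008DC1'

# objectVersion values as listed in Mark Parris's message.
$SchemaReleases = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003 RTM / SP1 / SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008 RTM'
}

function Get-DcSchemaVersion {
    param([string]$Server)

    $version = $null
    $release = $null
    $problem = $null
    try {
        # Ask this DC where its schema partition lives, then read the
        # objectVersion attribute from that DC's own replica.
        $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
        $schemaDn = [string]$rootDse.schemaNamingContext
        if (-not $schemaDn) { throw "no schemaNamingContext returned by $Server" }

        $schema  = [ADSI]"LDAP://$Server/$schemaDn"
        $version = [int][string]$schema.objectVersion
        if ($version -eq 0) { throw "objectVersion could not be read from $Server" }

        $release = $SchemaReleases[$version]
        if (-not $release) { $release = 'not in the list above' }
    }
    catch {
        $version = $null
        $problem = $_.Exception.Message
    }

    New-Object PSObject -Property @{
        Server        = $Server
        ObjectVersion = $version
        Release       = $release
        Problem       = $problem
    }
}

$results = @($DomainControllers | ForEach-Object { Get-DcSchemaVersion -Server $_ })
$results | Format-Table Server, ObjectVersion, Release, Problem -AutoSize

# Every DC that answered should report the same number. A DC reporting a lower
# number than the others has not yet received the schema update.
$distinct = @($results |
    Where-Object { $_.ObjectVersion } |
    Select-Object -ExpandProperty ObjectVersion |
    Sort-Object -Unique)

if ($distinct.Count -gt 1) {
    Write-Warning ("Schema versions differ between DCs: " + ($distinct -join ', '))
}
elseif ($distinct.Count -eq 1) {
    Write-Output ("All responding DCs report schema version " + $distinct[0])
}
else {
    Write-Warning "No DC returned a schema version."
}
```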
| bwatson
Posts:0
 | | 12/12/2008 12:22 PM |
| Oh how I wish it could be something as simple as a different version of ADPREP.
I used ADPREP from the very same ISO I used to install the OS. Straight from Microsoft's licensing website.
~Ben
| | | |
| Gil
Posts:311
 | | 12/12/2008 12:48 PM |
| I reread your original post, and I was wondering, is there any chance that the metadata or DNS data you brought over from the production environment wasn't properly cleaned up to reflect the VM environment? And you're sure that there's no way the VMs are somehow communicating with the production environment?
-g
| | | |
| bwatson
Posts:0
 | | 12/12/2008 1:35 PM |
| Hi Gil,
Here are the steps I followed to create my replica environment and to make sure it is not speaking to anything in the production environment.
* Created Windows Server 2003 R2 Virtual Machine.
* Promoted it as a Domain Controller in our production environment.
* Transferred all FSMO roles to it.
* Shut down virtual domain controller and took a snapshot of it.
* Powered it back up.
* Transferred all FSMO roles back off of the virtual machine to the original holder.
* Demoted virtual Domain Controller so production environment would remain clean.
* Shut down the virtual machine.
* I transferred the virtual machine to a completely separate VLAN that has routing disabled.
* I reverted the virtual machine back to its snapshot.
* Powered the virtual machine back on with its virtual NIC disconnected.
* I performed a complete metadata cleanup using NTDSUTIL removing all extra sites and domain controllers. Leaving just this single virtual domain controller in the environment.
* Cleaned out all the DNS entries that originally pointed to other production domain controllers.
* I reconfigured the IP addressing on the virtual Domain Controller so it's in a completely different subnet and did not configure the virtual Domain Controller with a gateway so it most certainly could not leave the subnet.
* I created static A and PTR records for the new IP address that this virtual Domain Controller has.
* I reconnected the virtual NIC and ran a DCDiag and NetDiag that turned up clean.
* I promoted in a second virtual Windows 2003 R2 server which went without a hitch. Full replication was successful during the promotion and both DCs show clean DCDiag and NetDiag results.
* I extended the 2003 R2 schema to 2008 using ADPREP from the same ISO that I used to build my Windows Server 2008 virtual machine which I downloaded from the Microsoft Licensing website. Both Forestprep and Domainprep went through with no errors.
* I promoted in my first virtual Windows 2008 server and the server completely refuses to replicate due to a schema mismatch.
This was the exact same process I used to test my domain upgrade from Windows 2000 to Windows 2003 R2 a couple years back, and it worked flawlessly. I don't think my process is the issue, but if you see something in there that seems to be out of place, please let me know.
I'm just not seeing any solutions to this yet unfortunately.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Friday, December 12, 2008 9:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
I reread your original post, and I was wondering, is there any chance that the metadata or DNS data you brought over from the production environment wasn't properly cleaned up to reflect the VM environment? And you're sure that there's no way the VMs are somehow communicating with the production environment?
-g
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Friday, December 12, 2008 10:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
Oh how I wish it could be something as simple as a different version of ADPREP.
I used ADPREP from the very same ISO I used to install the OS. Straight from Microsoft's licensing website.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Thursday, December 11, 2008 4:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
Any chance that the ADPREP was from a different version of WS08 (e.g. an RC or something)?
FWIW, I always promo a non-domain-joined machine, but I can't believe that has anything to do with it.
-g
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Thursday, December 11, 2008 4:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
I normally promo by running dcpromo on a machine that was freshly installed from scratch and is already joined to the domain. I let the dcpromo process go ahead and replicate the schema, configuration and domain partitions. I never skip that process.
Is there something about that process that I should change? After all, like I said earlier in the emails, the promotions of the 2003 server went without a hitch. It's the 2008 server that is having a major problem with all this for some reason.
Well, it turns out that the issue is not just with a single user account.
I delete the user account in question, push replication, and replication fails on another user account. Follow the same process, and I get an error on another account.
At first, I thought I may have found something in common with all of these user accounts: the event log would only complain of disabled user accounts. User accounts that had been disabled for quite some time. So since I was dealing with a replica of my production domain, I just went ahead and purged all the disabled user accounts.
Now the event log errors that are cropping up are pointing to active user accounts that have schema issues.
How can I determine whether there is a schema issue with the way the User object is defined in the schema?
I just find it strange that the ADPREP portion of the 2008 upgrade went perfectly fine. A Windows 2003 server can be promoted to a DC just fine. But a Windows 2008 promotion completely bombs big time.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Thursday, December 11, 2008 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
How do you normally promo?
IFM?
IFM does not do object level replication. The DIT is taken intact so all objects are already present and are not evaluated by the replication engine.
Take a metadata dump of the object and you likely have some unknown attribute values on the object.
We experienced that in a test forest once. If the invalid object[s] is[are] only on one DC, demote it. Otherwise, the only way to recover is to delete the invalid objects and have their tombstone flushed. Then normal replication-based promo will start working.
IFM is nice, but this is its true risk. We use IFM strictly for forest DR recovery plans where speed is more important than DIT integrity checks.
2 days is minimum TSL.
________________________________
Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues Date: Thu, 11 Dec 2008 09:48:49 -0800 From: bwatson@appsig.com To: ActiveDir@mail.activedir.org
I found an event log entry on the 2008 DC that is pointing at a user account that for whatever reason is presenting an issue.
EventID: 1203 - Level: Warning
The Directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
Object:
CN=RandomUserAccount,....
Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition.
Directory partition:
DC=appsig,DC=com
I'm trying to figure out why promoting in a Windows 2003 R2 Domain Controller presents no issues, but a Windows 2008 Domain Controller does.
Also, what is the lowest time that you can set the tombstone lifetime to? Can it be set down to 1 day? For some reason I thought I remembered that the lowest value can only actually be 2 days. I'd like to get this user account purged as quickly as possible so I can continue testing.
Thanks,
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mark Parris (Lists) Sent: Wednesday, December 10, 2008 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues
Just a thought - what version of the Schema do the existing DCs report?
* 13 - Windows 2000 Server
* 30 - Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
* 31 - Windows Server 2003 R2
* 44 - Windows Server 2008 RTM
Regards,
Mark Parris
Base IT Ltd. Active Directory & Infrastructure Management Consultancy
Tel: 01372 740373 Mob: 07801 690596
Registered in England and Wales. Number 3540460. Registered Office: 35 Ballards Lane, London, N3 1XW, England.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: 10 December 2008 22:20 To: ActiveDir@mail.activedir.org Subject: AD: RE: [ActiveDir] Domain 2008 Upgrade issues
Brian - I checked in DNS to see if all the entries were listed for the new 2008DC and everything seemed to be there.
What's odd is that the promotion of the second 2003 DC went just fine. The domain seems to have a real problem with the promotion of a 2008 DC and complains of schema issues.
I was able to work through the rodcprep portion by just removing the two application partitions. There was no data in there anyway and I was able to recreate the default application partitions afterwards without issue.
Gil - The 2003DCs have event log entries basically saying the same thing I said in my initial email. As for the 2008DC, its event logs are filled with numerous errors; I would have to literally export the event log and attach them to this email to give anyone a decent look at them.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Wednesday, December 10, 2008 2:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
DNS issue maybe?
As far as the rodcprep, there's a KB on this. Basically there is an infrastructure FSMO of sorts for app NCs that isn't maintained. RODCPrep verifies this. You just have to change the DN of the FSMO for each app NC to a valid DC. There's a script in the KB to do it for you if you want.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Wednesday, December 10, 2008 4:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain 2008 Upgrade issues
Sorry to hit the list with such a lengthy issue, but I wanted to give all the relevant info. This one has me really scratching my head.
We currently run a single Windows 2003 R2 domain and forest. The domain and forest are running in Windows 2003 DFL/FFL. We have 9 sites and 10 domain controllers.
In an effort to test an upgrade to a full Windows 2008 Domain/Forest I created a replica of our domain by utilizing VMWare.
Without going into the steps I took to do this (I can detail them if you'd like so you can see if everything is kosher), I ended up with a replica of our domain running on a single Windows 2003 R2 Domain Controller virtual machine. I performed a metadata cleanup and shaved the domain down to just a single site for now. Then I promoted in another Windows Server 2003 R2 virtual machine and the domain controller promotion went just fine. So I'm left with...
Two domain controllers that contain all the data of our production domain running in a single domain, single forest, and single site.
One domain controller holds all the FSMO roles, both are DNS server, and both are global catalog servers. DC2 is pointed to DC1 as the primary DNS server, and DC1 is pointed at itself for DNS as the primary. Netdiag and DCDiag come up completely clean, replication is working fine between the two domain controllers and everything appears to be healthy.
I was able to perform the adprep /forestprep and /domainprep without issue. I ran into what sounds to be the typical issue when trying to do the adprep /rodcprep portion and I had to delete the forestdnszones and domaindnszones partition. Once I did this, adprep /rodcprep carried along just fine.
Things began to really go wrong when I attempted to promote in my first Windows Server 2008 Domain Controller. I first joined it to the domain as a member server. This went fine. Then I began the dcpromo process, and while it appeared as though it was carrying along fine, when it reached the end, it said it couldn't replicate the information and if there was another available domain controller that it would attempt to replicate again after the reboot.
After the reboot, I logged in with my domain administrator account, and none of the MMCs would work. It complained of me not having appropriate permissions to launch these MMCs such as ADUC, and Sites and Services. None would launch.
I then logged in with the built-in domain administrator account, and with this account, I was able to launch all the MMCs and look at stuff. So I go into the Sites and Services MMC and try to force replication from the 2008 DC to the 2003 DC to see what happens, and this is the error I get...
The following error occurred during the attempt to synchronize naming context appsig.com from Domain Controller 2003DC2 to Domain Controller 2008DC1: The replication operation failed because of a schema mismatch between the servers involved.
However when I go into Sites and Services and attempt to force replication from either of the 2003 DCs to the 2008 DC, that direction of replication works fine.
It looks like all the DNS entries for the 2008DC are in place in the 2003DCs DNS.
Any thoughts on this sort of behavior? Any place I should start looking first for an answer?
Thanks,
~Ben
| | | |
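The two checks suggested in the replies quoted above (comparing the schema version each DC reports against the objectVersion list, and taking a metadata dump of the object named in Event 1203) can be scripted as below. This is an added example, not part of the original thread; the DC name `2003DC1` and the `$ObjectDn` placeholder are assumptions, and the DN has to be copied in full from the event log entry.

```powershell
# Added example, not from the thread. DC names and the object DN are placeholders.
param(
    # '2003DC2' and '2008DC1' appear in the thread; '2003DC1' is an assumed name.
    [string[]]$DomainControllers = @('2003DC1', '2003DC2', '2008DC1'),
    # Paste the full DN from the Event 1203 entry; the thread only shows it truncated.
    [string]$ObjectDn = '<DN of the object named in Event 1203>'
)

# objectVersion values exactly as listed in the thread.
$SchemaVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003 RTM / SP1 / SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008 RTM'
}

function Get-SchemaVersion {
    param([string]$Server)
    try {
        # Bind to this specific DC so the value comes from its own replica
        # of the schema partition, not from whichever DC the locator picks.
        $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
        $schemaNc = [string]$rootDse.psbase.Properties['schemaNamingContext'].Value
        $schema   = [ADSI]"LDAP://$Server/$schemaNc"
        $version  = [int]$schema.psbase.Properties['objectVersion'].Value
        $label    = $SchemaVersions[$version]
        if (-not $label) { $label = 'not in the list from the thread' }
        New-Object PSObject -Property @{ Server = $Server; Version = $version; Schema = $label }
    }
    catch {
        # An unreachable DC is reported rather than silently skipped.
        New-Object PSObject -Property @{ Server = $Server; Version = $null; Schema = "query failed: $_" }
    }
}

# 1. Schema version reported by every DC.
$results = foreach ($dc in $DomainControllers) { Get-SchemaVersion -Server $dc }
$results | Select-Object Server, Version, Schema | Format-Table -AutoSize

$distinct = @($results | Where-Object { $_.Version -ne $null } |
              Select-Object -ExpandProperty Version -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "DCs report different schema versions: $($distinct -join ', ')"
}
elseif ($distinct.Count -eq 1) {
    Write-Output "All reachable DCs report schema version $($distinct[0])."
}

# 2. Replication metadata of the object that Event 1203 complains about,
#    taken from each DC so the per-attribute versions and originating DCs
#    can be compared side by side.
if ($ObjectDn -notlike '<*') {
    foreach ($dc in $DomainControllers) {
        Write-Output "===== repadmin /showobjmeta $dc ====="
        & repadmin /showobjmeta $dc $ObjectDn
    }
}
else {
    Write-Output 'Set -ObjectDn to the DN from Event 1203 to dump its metadata.'
}
```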
| austin
Posts:49
 | | 12/12/2008 2:30 PM |
| Hi Ben,
The steps you followed seem to be straightforward enough and should work.
There are however times when a DCpromo might fail and you get a schema mismatch error.
I haven't personally seen this happen on a WS2k8 DCpromo but I can only imagine the causes might be similar.
The KB here might offer you some clues to chase down on: http://support.microsoft.com/kb/838179
Regards,
/Austin
| | | |
| bwatson
Posts:0
 | | 12/15/2008 12:48 PM |
| Thanks Austin,
I'm going to run through that KB article and see if anything in there can help clear up this issue. It sure isn't looking good so far though.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Austin Osuide Sent: Friday, December 12, 2008 11:26 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
Hi Ben,
The steps you followed seem to be straight forward enough and should work.
There are however times when a DCpromo might fail and you get a schema mismatch error.
I haven't personally seen this happen on a WS2k8 DCpromo but I can only imagine the causes might be similar.
The KB here might offer you some clues to chase down on: http://support.microsoft.com/kb/838179
Regards,
/Austin
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: 12 December 2008 18:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
Hi Gil,
Here's the steps I followed to create my replica environment and to make sure it is not speaking to anything in the production environment.
* Created Windows Server 2003 R2 Virtual Machine.
* Promoted it as a Domain Controller in our production environment.
* Transferred all FSMO roles to it.
* Shutdown virtual domain controller and took a snapshot of it.
* Powered it back up.
* Transferred all FSMO roles back off of the virtual machine to the original holder.
* Demoted virtual Domain Controller so production environment would remain clean.
* Shutdown the virtual machine.
* I transferred the virtual machine to a completely separate VLAN that has routing disabled.
* I reverted the virtual machine back to its snapshot.
* Powered the virtual machine back on with it's virtual NIC disconnected.
* I performed a complete metadata cleanup using NTDSUTIL removing all extra sites and domain controllers. Leaving just this single virtual domain controller in the environment.
* Cleaned out all the DNS entries that originally pointed to other production domain controllers.
* I reconfigured the IP addressing on the virtual Domain Controller so it's in a completely different subnet and did not configure the virtual Domain Controller with a gateway so it most certainly could not leave the subnet.
* I created static A and PTR records for the new IP address that this virtual Domain Controller has.
* I reconnected the virtual NIC and ran a DCDiag and NetDiag that turned up clean.
* I promoted in a second virtual Windows 2003 R2 server which went without a hitch. Full replication was successful during the promotion and both DCs show clean DCDiag and NetDiag results.
* I extended the 2003 R2 schema to 2008 using ADPREP from the same ISO that I used to build my Windows Server 2008 virtual machine which I downloaded from the Microsoft Licensing website. Both Forestprep and Domainprep went through with no errors.
* I promoted in my first virtual Windows 2008 server and the server completely refuses to replicate due to a schema mismatch.
This was the exact same process I used to test my domain upgrade from Windows 2000 to Windows 2003 R2 a couple years back, and it worked flawlessly. I don't think my process is the issue, but if you see something in there that seems to be out of place, please let me know.
I'm just not seeing any solutions to this yet unfortunately.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Friday, December 12, 2008 9:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
I reread your original post, and I was wondering, is there any chance that the metadata or DNS data you brought over from the production environment wasn't properly cleaned up to reflect the VM environment? And you're sure that there's no way the VMs are somehow communicating with the production environment?
-g
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Friday, December 12, 2008 10:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
Oh how I wish it could be something as simple as a different version of ADPREP.
I used ADPREP from the very same ISO I used to install the OS. Straight from Microsoft's licensing website.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Thursday, December 11, 2008 4:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
Any chance that the ADPREP was from a different version of WS08 (e.g. an RC or something)?
FWIW, I always promo a non-domain-joined machine, but I can't believe that has anything to do with it.
-g
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Thursday, December 11, 2008 4:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
I normally promo by running dcpromo on a machine that was freshly installed from scratch and is already joined to the domain. I let the dcpromo process go ahead and replicate the schema, configuration and domain partitions. I never skip that process.
Is there something about that process that I should change? After all, like I said earlier in the emails, the promotions of the 2003 server went without a hitch. It's the 2008 server that is having a major problem with all this for some reason.
Well, it turns out that the issue is not just with a single user account.
I delete the user account in question, push replication, and replication fails on another user account. Follow the same process, and I get an error on another account.
At first, I thought I may have found something in common with all of these user accounts: the event log would only complain of disabled user accounts. User accounts that had been disabled for quite some time. So since I was dealing with a replica of my production domain, I just went ahead and purged all the disabled user accounts.
Now the event log errors that are cropping up are pointing to active user accounts that have schema issues.
How can I determine whether there is a schema issue with the way the User object is defined in the schema?
I just find it strange that the ADPREP portion of the 2008 upgrade went perfectly fine. A Windows 2003 server can be promoted to a DC just fine. But a Windows 2008 promotion completely bombs big time.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Thursday, December 11, 2008 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
How do you normally promo?
IFM?
IFM does not do object level replication. The DIT is taken intact so all objects are already present and are not evaluated by the replication engine.
Take a metadata dump of the object and you likely have some unknown attribute values on the object.
We experienced that in a test forest once. If the invalid object[s] is[are] only on one DC, demote it. Otherwise, the only way to recover is to delete the invalid objects and have their tombstone flushed. Then normal replication-based promo will start working.
IFM is nice, but this is its true risk. We use IFM strictly for forest DR recovery plans where speed is more important than DIT integrity checks.
2 days is minimum TSL.
________________________________
Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues Date: Thu, 11 Dec 2008 09:48:49 -0800 From: bwatson@appsig.com To: ActiveDir@mail.activedir.org
I found an event log entry on the 2008 DC that is pointing at a user account that for whatever reason is presenting an issue.
EventID: 1203 - Level: Warning
The Directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
Object:
CN=RandomUserAccount,....
Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition.
Directory partition:
DC=appsig,DC=com
I'm trying to figure out why promoting in a Windows 2003 R2 Domain Controller presents no issues, but a Windows 2008 Domain Controller does.
Also, what is the lowest time that you can set the tombstone lifetime to? Can it be set down to 1 day? For some reason I thought I remembered that the lowest value can only actually be 2 days. I'd like to get this user account purged as quickly as possible so I can continue testing.
Thanks,
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mark Parris (Lists) Sent: Wednesday, December 10, 2008 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: RE: [ActiveDir] Domain 2008 Upgrade issues
Just a thought - what version of the Schema do the existing DCs report?
13 - Windows 2000 Server
30 - Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 - Windows Server 2003 R2
44 - Windows Server 2008 RTM
Regards,
Mark Parris
Base IT Ltd. Active Directory & Infrastructure Management Consultancy
Tel: 01372 740373 Mob: 07801 690596
Registered in England and Wales. Number 3540460. Registered Office: 35 Ballards Lane, London, N3 1XW, England.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: 10 December 2008 22:20 To: ActiveDir@mail.activedir.org Subject: AD: RE: [ActiveDir] Domain 2008 Upgrade issues
Brian - I checked in DNS to see if all the entries were listed for the new 2008DC and everything seemed to be there.
What's odd is that the promotion of the second 2003 DC went just fine. The domain seems to have a real problem with the promotion of a 2008 DC and complains of schema issues.
I was able to work through the rodcprep portion by just removing the two application partitions. There was no data in there anyway and I was able to recreate the default application partitions afterwards without issue.
Gil - The 2003DCs have event log entries basically saying the same thing I said in my initial email. As for the 2008DC, its event logs are filled with numerous errors; I would have to literally export the event log and attach them to this email to give anyone a decent look at them.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Wednesday, December 10, 2008 2:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain 2008 Upgrade issues
DNS issue maybe?
As far as the rodcprep, there's a KB on this. Basically there is an infrastructure FSMO of sorts for app NCs that isn't maintained. RODCPrep verifies this. You just have to change the DN of the FSMO for each app NC to a valid DC. There's a script in the KB to do it for you if you want.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Wednesday, December 10, 2008 4:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain 2008 Upgrade issues
Sorry to hit the list with such a lengthy issue, but I wanted to give all the relevant info. This one has me really scratching my head.
We currently run a single Windows 2003 R2 domain and forest. The domain and forest are running in Windows 2003 DFL/FFL. We have 9 sites and 10 domain controllers.
In an effort to test an upgrade to a full Windows 2008 Domain/Forest I created a replica of our domain by utilizing VMWare.
Without going into the steps I took to do this (I can detail them if you'd like so you can see if everything is kosher), I ended up with a replica of our domain running on a single Windows 2003 R2 Domain Controller virtual machine. I performed a metadata cleanup and shaved the domain down to just a single site for now. Then I promoted in another Windows Server 2003 R2 virtual machine and the domain controller promotion went just fine. So I'm left with...
Two domain controllers that contain all the data of our production domain running in a single domain, single forest, and single site.
One domain controller holds all the FSMO roles, both are DNS servers, and both are global catalog servers. DC2 is pointed to DC1 as the primary DNS server, and DC1 is pointed at itself for DNS as the primary. Netdiag and DCDiag come up completely clean, replication is working fine between the two domain controllers and everything appears to be healthy.
I was able to perform the adprep /forestprep and /domainprep without issue. I ran into what sounds to be the typical issue when trying to do the adprep /rodcprep portion and I had to delete the forestdnszones and domaindnszones partition. Once I did this, adprep /rodcprep carried along just fine.
Things began to really go wrong when I attempted to promote in my first Windows Server 2008 Domain Controller. I first joined it to the domain as a member server. This went fine. Then I began the dcpromo process, and while it appeared as though it was carrying along fine, when it reached the end, it said it couldn't replicate the information and if there was another available domain controller that it would attempt to replicate again after the reboot.
After the reboot, I logged in with my domain administrator account, and none of the MMCs would work. It complained of me not having appropriate permissions to launch these MMCs such as ADUC, and Sites and Services. None would launch.
I then logged in with the built-in domain administrator account, and with this account, I was able to launch all the MMCs and look at stuff. So I go into the Sites and Services MMC and try to force replication from the 2008 DC to the 2003 DC to see what happens, and this is the error I get...
The following error occurred during the attempt to synchronize naming context appsig.com from Domain Controller 2003DC2 to Domain Controller 2008DC1: The replication operation failed because of a schema mismatch between the servers involved.
However when I go into Sites and Services and attempt to force replication from either of the 2003 DCs to the 2008 DC, that direction of replication works fine.
It looks like all the DNS entries for the 2008DC are in place in the 2003DCs DNS.
Any thoughts on this sort of behavior? Any place I should start looking first for an answer?
Thanks,
~Ben
| | | |
| chaselton
Posts:78
 | | 12/16/2008 10:45 AM |
| I'm sorry I don't have any helpful tips to contribute, but when you've got the issue sorted out, I would love to see the steps you took to migrate your production environment to VMWare. It would be extremely useful for us when we decide to move to 2008.
-CJH
| | | |
| chaselton
Posts:78
 | | 12/16/2008 10:53 AM |
| Sorry, ignore...I missed your response where you detailed your steps
| | | |
| Christian Stockhausen
Posts:2
 | | 12/16/2008 5:44 PM |
| Hi Ben, are there vmware shared folders installed on any vm in your test environment?
Christian
| | | |
|
|