From: pcraig11 on 26 May 2010 16:26

HELP ME PLEASE!!

I have a huge problem. I have a SBS 2003 PDC which held all the FSMO roles, obviously, but was also a SQL Server. I added a second Server, which is Server 2003 R2, with SQL server also installed, which was promoted to a DC (but the NetLogon and SYSVOL never worked correctly and only the PDC can authenticate users--but that's because of SBS if I'm not mistaken??)

So anyway, I know you aren't supposed to run SQL on your DCs, but in our case it was just the best solution.

Here is the problem now. I need to replace the SBS server. It's coming off-line completely. I have added a new DC to the domain, which is server 2008 standard. Here is where I am at.

- I promoted the 2008 server to a domain controller successfully (well, except for the FRS issues)
- I installed SQL server on the new domain controller..and our front end software (which cost a lot of $$ to have done, so I can't go back and start over)
- I transferred all of the FSMO roles to the 2008 DC and followed all the steps to make it my PDC.
- HOWEVER, because I cannot successfully replicate the NETLOGON and SYSVOL shares, users cannot authenticate through the new PDC. event 1308 in FRS log, btw.
- I want to just get rid of the SBS server altogether, but I can't because when I try to demote it, it tells me it cannot establish an LDAP connection to the new server....however, AD appears to have replicated, I can make changes that replicate across all the DCs...but I can't get the NETLOGON and SYSVOL shares to work right.

Is what I am trying to do even possible? Can you just drop a SBS server off a domain and expect this to work? I looked into the SBS transition pack...but I would rather not spend the money, especially since this server is just coming off line completely.

The biggest problem now is that since I transferred the FSMO roles, the only server that DOES authenticate users keeps shutting down with a violation of EULA event....because it's no longer the PDC.

Please let me know what I have to do!! Can I simply upgrade the SBS server software to Server 2003 R2? Will that fix these issues?

Thanks in advance for your help!

-- pcraig11

From: Dave Nickason [SBS MVP] on 26 May 2010 18:10

You can't just install R2 over the top of SBS, that won't work.

Did you disable the firewall on the new server? If not, that's almost certainly the problem. On the new server, go to Services, stop the Windows Firewall service, and set the startup type to Disabled. Restart it and see if replication succeeds then.

If not, open a cmd prompt and run "dcdiag" without the quotes - anything useful in the results, or in the System or Application logs on either server?

From: Cliff Galiher - MVP on 27 May 2010 04:25

First, on a technical level, there is no such thing as a "PDC" in an Active Directory domain. That was an NT4 concept long since dead.

Secondly, you are mistaken that other servers could not authenticate because of SBS. It *is* a requirement that SBS holds all FSMO roles, but those roles are not related to authentication. They are only used internally by AD to define certain delegated privileges (ridiculously oversimplified, but not important for the purpose of this conversation.) The role that allows authentication is called a "global catalog" server and there can be multiple global catalog servers in a domain, so adding a second GC does *not* break SBS licensing.

Finally, yes, you *can* add other DCs to an SBS domain, transfer roles, and decommission the SBS server. You aren't yet there.

Here is what I'd do. Transfer the FSMO roles back to SBS. This should hopefully get you back to a consistent state and SBS will stop shutting down. Then use the tools that Windows makes available to address your AD issues. netdiag, dcdiag, and the IT Health Scanner come to mind, as well as the SBS BPA. Once you've resolved all of those, your second DC issues will also be resolved in the process. Then transferring the FSMO roles will be trivial and the SBS server can be demoted with no issues.

-Cliff

From: pcraig11 on 27 May 2010 08:47

Thanks for the quick responses.

I have disabled the Firewall on the new server, and I will monitor the replication process. When I was troubleshooting this issue before, I ran dcdiag and was getting a Netlogon error, can't connect to the netlogon share...however, that was before I disabled the firewall...so I will check again, and post results.

Also, I think I will heed your advice and bring the FSMO roles back over to the SBS server for now. However, when it was set up that way before, and I ran dcdiag and netdiag on the SBS server, I couldn't find anything that would indicate an AD problem. Once I do tfr the roles back, I will post the results of that DC diag also.

Thanks again for the help...I will post again today.

Thanks

-- pcraig11

From: pcraig11 on 27 May 2010 09:20

Ok, so the FSMO roles were transferred back to the SBS server.

Here are the results for dcdiag on the NEW Server (Server 2008)

    C:\Users\NCraig>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = THEGIANTNUT
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\THEGIANTNUT
          Starting test: Connectivity
             ......................... THEGIANTNUT passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\THEGIANTNUT
          Starting test: Advertising
             Warning: DsGetDcName returned information for
             \\THEBIGNUT.tristatefast.local, when we were trying to reach
             THEGIANTNUT.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... THEGIANTNUT failed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared. Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... THEGIANTNUT passed test FrsEvent
          Starting test: DFSREvent
             ......................... THEGIANTNUT passed test DFSREvent
          Starting test: SysVolCheck
             ......................... THEGIANTNUT passed test SysVolCheck
          Starting test: KccEvent
             ......................... THEGIANTNUT passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... THEGIANTNUT passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... THEGIANTNUT passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=tristatefast,DC=local
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=tristatefast,DC=local
             ......................... THEGIANTNUT failed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\THEGIANTNUT\netlogon)
             [THEGIANTNUT] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... THEGIANTNUT failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... THEGIANTNUT passed test ObjectsReplicated
          Starting test: Replications
             ......................... THEGIANTNUT passed test Replications
          Starting test: RidManager
             ......................... THEGIANTNUT passed test RidManager
          Starting test: Services
             ......................... THEGIANTNUT passed test Services
          Starting test: SystemLog
             An Error Event occurred.  EventID: 0x00000457
                Time Generated: 05/27/2010   08:23:43
                Event String:
                Driver Brother MFC-7420 USB Printer required for printer Nick's Desk is unknown. Contact the administrator to install the driver before you log in again.
             An Error Event occurred.  EventID: 0x00000457
                Time Generated: 05/27/2010   08:23:43
                Event String:
                Driver Brother MFC-7420 USB Printer required for printer !!TRISTATE04!Brother MFC-7420 USB Printer is unknown. Contact the administrator to install the driver before you log in again.
             An Error Event occurred.  EventID: 0x00000457
                Time Generated: 05/27/2010   08:23:44
                Event String:
                Driver Brother PC-FAX v.2.1 required for printer Brother PC-FAX v.2.1 is unknown. Contact the administrator to install the driver before you log in again.
             An Error Event occurred.  EventID: 0x00000457
                Time Generated: 05/27/2010   08:23:45
                Event String:
                Driver HP LaserJet 4200/4300 PCL6 required for printer Pick_Tickets_Seekonk is unknown. Contact the administrator to install the driver before you log in again.
             An Error Event occurred.  EventID: 0x00000457
                Time Generated: 05/27/2010   08:23:47
                Event String:
                Driver Brother HL-6050D/DN series required for printer Worcester is unknown. Contact the administrator to install the driver before you log in again
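
An added example, not part of any post in this thread: a small Python parser for dcdiag text output of the kind posted above, which lists the failed tests and also the tests that report "passed" while still printing warnings (as FrsEvent does here). The function names and the shortened sample are assumptions made for illustration.

```python
import re

# Constructed sample: an excerpt of the dcdiag output from the post above.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\THEGIANTNUT
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\THEBIGNUT.tristatefast.local
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... THEGIANTNUT failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.
         ......................... THEGIANTNUT passed test FrsEvent
      Starting test: SysVolCheck
         ......................... THEGIANTNUT passed test SysVolCheck
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\THEGIANTNUT\netlogon)
         ......................... THEGIANTNUT failed test NetLogons
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")

def parse_dcdiag(text):
    """Return one dict per finished test: server, test, result, details."""
    results, current, details = [], None, []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            current, details = m.group(1), []
            continue
        m = RESULT.match(line)
        if m and current == m.group(3):
            results.append({"server": m.group(1), "test": current,
                            "result": m.group(2), "details": details})
            current = None
        elif current and line.strip():
            # Anything printed between the start and result lines is a finding.
            details.append(line.strip())
    return results

def needs_attention(results):
    """Failed tests, plus tests that 'passed' but still printed warnings."""
    return [r for r in results if r["result"] == "failed" or r["details"]]

if __name__ == "__main__":
    for r in needs_attention(parse_dcdiag(SAMPLE)):
        print(f"{r['result'].upper():6} {r['test']}: {' '.join(r['details'])}")
```

A test that was started but never reached its result line, as with the SystemLog test cut off at the end of the post, is not reported by this parser.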