Adding a 2003 DC to an existing 2000 AD

[Guest]

We currently have a domain with 2 W2K DCs, one primary and a member. The
primary has been upgraded to SP4. I noted one article in the Knowledgebase
concerning hotfixes and service packs but they stop at SP3. With my current
configuration should I expect any problems running adprep and what things
should I be looking out for?

Thanks,

Ted

 

[Paul Bergson [MVP-DS]]

Microsoft recommends (It should be requires but it isn't) that all dc's are
at sp4. If not then you need to make sure all the Windows 2000 domain
controllers must have an Ntdsa.dll file whose date stamp and version is
later than June 4th, 2001 and 5.0.2195.3673. If you can apply sp4 I would
do it.

For more info see the link below, specifically step 2:
http://support.microsoft.com/kb/325379

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Thanks for the info. I also noted on our servers event viewer that we have
some error conditions pertaining to group policy in the Application Log and
warnings in the DNS Server Log. I'm not to concerned about the DNS warnings.
However, I'm a little reluctant in running the the ADPREP while there are
errors concerning group policy. What do you think?

 

[Danny Sanders]

I'm not to concerned about the DNS warnings.

However, I'm a little reluctant in running the the ADPREP while there are
errors concerning group policy. What do you think?

Solve those DNS warnings. AD is TOTALLY tied to DNS. Solve those DNS errors
and the group policy errors may go away.

hth
DDS

 

[Paul Bergson [MVP-DS]]

I agree, resolve the dns issues.

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

When complete search for fail, error and warning messages.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Thanks for the info. I ran the diagnostics you suggested and I have numerous
errors on both systems. However, I have found something extremely troubling.
I went to run the DNS manager on our secondary DC and noted that DNS manager
was not available. I also noted the Active Directory Manager for Users and
Computers was not available. Is this normal?

 

[Paul Bergson [MVP-DS]]

Normally it should be but I don't think that is very troubling. Just add
via the installs I gave to you from an earlier post.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Paul,

I finally got the 2000 Server problems fixed. Now I am trying to add the
2003 Server to the 2000 Domain. I ran adprep /forestprep and the adprep
/domainprep on the 2000 Server with no problems. I then attempted to make
the 2003 Server an additional DC. The wizard errors out stating that I need
to run adprep first. Can a 2003 Server be an additional DC to a 2000 domain?
Or do I have to upgrade the 2000 Server to 2003?

Ted

 

[Paul Bergson [MVP-DS]]

I'm guessing you are going to 2003 R2, because of that you need to run
ADPREP from disk2.

http://support.microsoft.com/kb/917385

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Thanks for the info. Does it matter that I already ran ADPREP from the first
disk or will the ADPREP from the second disk just overwrite the first?

Ted

 

[Paul Bergson [MVP-DS]]

No problem. Just rerun

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Win1980]

Hi I am aslo trying to add a new win2k3 r2 to my win2k group of servers and have encounter the following errors:

Adprep verified the state of operation cn=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=portrust,DC=com.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.

Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=portrust,DC=com.

LDAP API ldap_modify_s() finished, return code is 0x33

ADPREP was unable to modify the default security descriptor on object CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=portrust,DC=com.

[Status/Consequence]

Adprep attempts to merge the existing default security descriptors with the new access control entry (ACE).

[User Action]

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

Adprep encountered an LDAP error.

Error code: 0x33. Server extended error code: 0x20d9, Server error message: 000020D9: SvcErr: DSID-030A05F8, problem 5001 (BUSY), data 33

Adprep set the value of registry key System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1

Adprep was unable to update forest-wide information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20070718141932 directory for more information.


I have 3 old servers that i am planning to decomission and migrated them to the new win2k3 servers. After i ran adprep the above errors appear. 2 of the servers are ad and the 3th is a exchange 5.5 server.

Thanks
Winston