steve paul said:
After completing upgrade to Windows 2003 R2 (added 1st 2003 server in 1st
site) all works, but after transferring FSMO roles from win2k srvr to new 2k3
srvr, the following error showed up on my new role master 2003 domain
controller (one error for each of my other 3 sites):
Site '2' does not have any LDAP servers for non-domain NC
'ForestDnsZones.mydomain.com'. LDAP servers in site '1' have been
automatically selected to cover site '2' for non-domain NC
'ForestDnsZones.mydomain.com' based on configured Directory Server
replication costs.
I don't really understand what this is trying to tell me and therefore
cannot determine how severe it is. Any light you can shed would be
appreciated.
Thanks
The ForestDnsZones and the DomainDnsZones partitions are not supported with Windows 2000 AD. Did you create the partitions? The error is indicating that the partition in that site does not exist, but it can't on a 2000 machine. So basically this error or message is just saying Site 1 DC will be the LDAP server for these partitions.
Did you change the zone scope or anything with the DNS zone on the 2003 server's DNS console?
Rule of thumb when you have a mixed domain such as with 2000 and 2003 (R2 or not), and DNS is installed on both or all DCs, try not to administer any of the zones using the 2003 DCs, because 2003 and above have additional features that a 2000 DC does not support, and will cause issues.
Case in point, if you go into Site1's 2003 DC, go into the zone properties, and choose either the middle button (which puts the zone in the DomainDnsZones partition), or the top button (which puts it in the ForestDnsZones partition), and Site 2's DC is still 2000, then you've just created a duplicate zone issue in the AD database. This will require cleaning it up using ADSI Edit. If you are familiar with ADSI Edit, check the DomainNC, DomainDnsZones and ForestDnsZones partitions for any zone names that begin with "In Progress..." or "CNF..." with a long GUID after it. If so, they are dupes and must be cleaned up. I can post additional information, if needed, concerning the steps involved.
Here is some additional reading that may help out to at least double-check that everything else is OK:
======================================================================================================
Upgrading DCs from 2000 to 2003:
Do you have Exchange 2000 in use?
If so, you may get an error running adprep /forestprep because of mangled
attributes; follow this article:
Windows Server 2003 adprep -forestprep Command Causes Mangled Attributes in
Windows 2000 Forests That Contain Exchange 2000 Servers:
http://support.microsoft.com/kb/314649
You should upgrade the machine that holds the token for the Schema
Master and Domain Name Master. If you don't want to upgrade it (say if it's
too old), then run the adprep /forestprep on the existing Schema Master,
then install a fresh DC with 2003, then move those roles over to it. Don't
forget the GC as well. After that, you can choose any order you like.
More info:
How to upgrade Windows 2000 domain controllers to Windows Server 2003:
http://support.microsoft.com/kb/325379
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain:
http://support.microsoft.com/kb/555040
Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders
http://support.microsoft.com/kb/305476
This is just a summary. There are numerous other scenarios and issues as well,
depending on what else has been installed, and if the Schema has been
altered by other non-Microsoft programs, which can cause issues.
++
Also take a look at this by Jorge:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/110.aspx
As far as the FSMO, I mentioned the DNM and SM, and moving the GC over to the machine that is the DNM. After that you can transfer the other roles, which will be no problem, and highly recommended. Move DNS over to the new ones too by installing DNS, then just wait for the next replication, and the zone auto appears in DNS. Then uninstall (don't delete the zones) off the 2000 DCs. If you delete the zone, then it removes it from AD. Don't mess with the zone replication scopes yet until after the current 2000 DNS servers have been uninstalled. Then you can change the scope. Then after you've verified everything's operational and working, demote the old DCs. Once ALL of the 2000 are gone, you can raise the level to 2003 for the domain and forest.
Also in a mixed 2000 and 2003/2008 environment, be careful with DNS. Only administer DNS using the lowest level DC if possible, because the additional features on the newer DCs are not supported in the older versions. If you use the newer DCs, do NOT change the replication scopes, or this will cause issues. Please administer them from the lowest common denominator, or it may introduce problems.
======================================================================================================
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check
http://support.microsoft.com for regional support phone numbers.
"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay
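
The ADSI Edit check described in the reply above, as an added example that is not part of the original posts: a Python script that scans the DN lines of an LDIF export of the three partitions for leftover zone objects and for zones stored in more than one partition. The sample DNs are constructed, and the `CNF:` and `InProgress` name patterns and the function names are assumptions based on the post's wording.

```python
import base64
import re
from collections import defaultdict

# Constructed sample (not real data); only the dn lines of an export are shown.
# A conflict DN contains a newline before "CNF:", so LDIF carries it
# base64-encoded as "dn:: ...".
SUFFIX = "CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com"
CNF_DN = "DC=mydomain.com\nCNF:11111111-2222-3333-4444-555555555555," + SUFFIX
SAMPLE_LDIF = "\n".join([
    "dn: DC=mydomain.com,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com",
    "dn: DC=mydomain.com,CN=MicrosoftDNS,DC=ForestDnsZones,",
    " DC=mydomain,DC=com",                      # folded continuation line
    "dn:: " + base64.b64encode(CNF_DN.encode()).decode(),
    "dn: DC=..InProgress-mydomain.com," + SUFFIX,
    "dn: DC=www,DC=mydomain.com,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com",
])

# Zone objects sit directly under CN=MicrosoftDNS in one of three partitions.
ZONE_DN = re.compile(
    r"^DC=(?P<zone>[^,]+),CN=MicrosoftDNS,"
    r"(?P<part>CN=System|DC=DomainDnsZones|DC=ForestDnsZones),", re.I)
# Assumed name patterns, taken from the post's description of the leftovers.
LEFTOVER = re.compile(r"CNF:|In\s*Progress", re.I)

def iter_dns(ldif):
    """Yield each entry's DN, unfolding lines and decoding base64 DNs."""
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def audit_zones(ldif):
    """Return (leftover zone DNs, {zone: partitions} for zones stored twice)."""
    leftovers, homes = [], defaultdict(set)
    for dn in iter_dns(ldif):
        m = ZONE_DN.match(dn)
        if not m:
            continue                      # record (dnsNode) or unrelated object
        if LEFTOVER.search(m["zone"]):
            leftovers.append(dn)
        else:
            homes[m["zone"].lower()].add(m["part"])
    dupes = {z: sorted(p) for z, p in homes.items() if len(p) > 1}
    return leftovers, dupes

if __name__ == "__main__":
    leftovers, dupes = audit_zones(SAMPLE_LDIF)
    for dn in leftovers:
        print("leftover:", repr(dn))
    for zone, parts in dupes.items():
        print("duplicate:", zone, "in", ", ".join(parts))
```

The script only reports; any cleanup of the flagged objects is still done by hand in ADSI Edit as the reply describes.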