Upgrading Active Directory W2K3 to W2K8
Keeping in the spirit of my blog title, "Tangent Thoughts", this is another tangent to my recent post, "Known Issues for Upgrading Active Directory to Windows Server 2008R2 from Windows 2003". This post has two parts: 1. Everything you ever wanted to know about troubleshooting Windows Server 2008 R2 (first 5 links), and 2. A "Notes from the field" collection of errors discovered before, during and after an actual AD upgrade from Windows Server 2003R2. The table below is a trace record of Event IDs discovered, as well as a collection from MS Support of general AD upgrade errors with KB links for remediation. The focus is primarily on the Errors and Warnings from the Application and System logs on the Windows 2003 and 2008 servers.
NOTES FROM THE FIELD :)
THE Kit and Caboodle! "Troubleshooting Windows Server 2008 R2" Includes:
Directory Service Event ID /Note | Source | Comments |
Source: DCOM | | |
1006, 1030 | Microsoft-Windows-GroupPolicy | The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). KB929852 |
1015 | Microsoft-Windows-Wininit | KB976586 Error in Windows 7 or Windows Server 2008 R2 when unlocking a computer or switching users |
1058, 1129 | Microsoft-Windows-GroupPolicy | |
1202 | SceCli | |
1396 Logon Failure | | DCDIAG reports that the Active Directory Replications has failed with error "1396: Logon failure: The target account name is incorrect." |
1533 | User Profile Service | KB2661663 Stale user profile folders are not deleted completely in Windows 7 or in Windows Server 2008 R2 |
1722 | | KB2102154 Troubleshooting Active Directory operations that fail with error 1722: The RPC server is unavailable |
4106 | Group Policy Registry | KB2386730 An item-level targeting security group filter in Group Policy preferences settings does not work on a computer that is running Windows Server 2008 R2 or Windows 7 in a disjoint namespace |
5 | | error code when you perform a system state backup operation |
5136 Directory Service Changes | Microsoft-Windows-Security-Auditing | The Account Name, Account Domain, and Security ID fields are not populated in event ID 5136 for "Directory Service Changes" on a computer that is running Windows Server 2008 or Windows Server 2008 R2 |
Source: MSDTC | | |
5788, 5799 | NETLOGON | |
8028, 6016 | | DFSR SYSVOL Fails to Migrate or Replicate, SYSVOL not shared |
8524 | Microsoft-Windows-ActiveDirectory_DomainService | KB2021446 Troubleshooting Active Directory operations that fail with error 8524: The DSA operation is unable to proceed because of a DNS lookup failure |
Access Encrypted Files after upgrade. "How to Backup the EFS Recovery Agent" should be done 1st to preserve the EFS Recovery Agent | If the 1st DC from the source forest no longer exists, you cannot recover the EFS Domain Recovery Agent! PSGetSID: this Sysinternals utility will quickly help you to identify what the first DC was in the source domain. RIDs are created sequentially, so the lowest number of all DCs will be the first. | |
Event 7030 | McAfee ePolicy service account | Based on the error, it seems that the service account needs interactive logon on the DCs |
Import GPO fails | Message = "The Version Option is invalid" | Forum Post: Must use the same GPMC version for exporting and importing, e.g. if exported with GPMC 1.0, must import with the same. |
Active Directory Administrative Center | In our test lab, we had a group policy for FIPS-140. Once it was applied, the administrator could open Active Directory Users and Computers, but not the newer AD Administrative Center. Removing the policy allowed the ADAC
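
The PSGetSID note in the table relies on RIDs being issued sequentially within a domain. As an added example (not from the original post), this PowerShell function ranks DC computer accounts by RID; the function name `Get-DcRidOrder`, the sample names and the SIDs are constructed, and it assumes the DC computer accounts still exist in the directory and that their computer account SIDs are the ones compared.

```powershell
# Added example (not from the original post): order DC computer accounts by RID.
function Get-DcRidOrder {
    # Hypothetical helper; each input item needs a .Name and a .SID property.
    param([Parameter(Mandatory = $true)][object[]]$Account)

    $rows = foreach ($a in $Account) {
        $sid = [System.Security.Principal.SecurityIdentifier]"$($a.SID)"
        # Well-known SIDs (for example BUILTIN groups) carry no domain part.
        if ($null -eq $sid.AccountDomainSid) {
            throw "$($a.Name): $($sid.Value) is not a domain account SID."
        }
        New-Object psobject -Property @{
            Name      = $a.Name
            DomainSid = $sid.AccountDomainSid.Value
            # The RID is the last sub-authority of the account SID.
            Rid       = [uint32]($sid.Value.Split('-')[-1])
        }
    }

    # RIDs are only comparable inside one domain, so refuse mixed input.
    $domains = @($rows | Select-Object -ExpandProperty DomainSid -Unique)
    if ($domains.Count -ne 1) {
        throw "Input spans $($domains.Count) domains; rank one domain at a time."
    }

    # Lowest RID first: per the note above, that account was created earliest.
    $rows | Sort-Object Rid | Select-Object Name, Rid, DomainSid
}

# Constructed sample data (made-up names and SIDs) so the function runs offline.
$sample = @(
    New-Object psobject -Property @{ Name = 'DC03'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1604' }
    New-Object psobject -Property @{ Name = 'DC01'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1000' }
    New-Object psobject -Property @{ Name = 'DC02'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
)
Get-DcRidOrder -Account $sample | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module is installed):
# $dcs = Get-ADDomainController -Filter * | ForEach-Object { Get-ADComputer $_.ComputerObjectDN }
# Get-DcRidOrder -Account $dcs
```

A DC whose computer account has already been deleted cannot appear in this ranking, so record the result before decommissioning the old servers.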