Monday, 3 December 2012

SBS server Migration

SBS Server Migration by Riddhim Dhawan: a few tips, tricks and tweaks

SBS2003 to SBS2008 or SBS2011 Migration: Active Directory replication is taking longer than expected.

Scenario: You are doing a migration from SBS 2003 to SBS 2008 or SBS 2011. You’ve created your answer file, you’ve gotten partway through setup, but it seems to sit forever at this screen:

Eventually, you get this pop-up dialog telling you that it is taking longer than expected, and asking if you want to keep waiting.
What now? Maybe you’ve clicked the yes button once or twice already and waited another 20 minutes with no positive results.
Well, this is what happened to me, and I’ll tell you what I found out about it. Your situation may be different, but check out what I found out, and look for it in yours. If it matches, you might want to give it a try. Hopefully you have a good backup.
After sitting at this screen for way too long, I decided to do some digging. I sent a ctrl-alt-del to the SBS 2008 server and brought up the Task Manager. From there, I opened a CMD prompt, and found my way to C:\Program Files\Windows Small Business Server\Logs. I copied the file to a UNC share on the source SBS server to read it (but you can just use the “type” command in the CMD window and read the last few lines if you want).
The last few lines looked like this:
[3212] 081225.202335.1592: Task: There are 0 pending replication operations.
[3212] 081225.202335.2530: Setup: Attempting LDAP bind.
[3212] 081225.202335.2530: Setup: Bind failed with: A local error occurred.
[3212] 081225.202335.2530: Task: Waiting for replication to finish
That sequence repeated a few times. Definitely the choking point. I googled the hell out of that, and only found one item that looked remotely relevant. That guy was having the same symptom. He solved his problem by throwing away his SBS2003 domain and starting from scratch.
After MUCH digging, rebooting, retrying, and other things that I will spare you the pain of, I typed “eventvwr” at the CMD prompt, and looked through the event logs. I found, among other things, this event:
Source: GroupPolicy
Event ID: 1006
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller (LDAP Bind function call failed).
Now we’re getting somewhere. I found numerous search results for that one, including a forum where some guys had this error, received a hotfix from Microsoft, and the problem went away. Apparently the problem is caused if you have ever done an authoritative restore on your 2003 domain. When that happens, the msDS-KeyVersionNumber property from the user object “krbtgt” is increased. Windows Server 2008 is not expecting this. Any 2008 DCs that are added to this domain have trouble binding to LDAP and authenticating to AD because of this.
There is a Microsoft KB article about a seemingly completely unrelated topic, with a hotfix link available for download. Microsoft PSS sent these guys this hotfix, and it made that problem go away. It needs to be installed on all Windows 2003 DCs.
Note: One of the commenters posted that if the hotfix is no longer available at Microsoft, it can be found here.
I am doing this upgrade on a virtual server, I have a snapshot, so I figured “What the heck, let’s try it!” and downloaded the hotfix. I ran it on my SBS 2003 server, and said No to the reboot. Lo and Behold, my SBS 2008 migration is proceeding past the error point! It’s looking good!
Use this fix with caution. Your mileage may vary. Make sure you have backups and/or a snapshot before you do it. Best of luck!
Update: Many thanks to all of the commenters. With the comments, this is now a fairly comprehensive SBS migration troubleshooting guide for migrations from SBS 2003 to SBS 2008 or SBS 2011.

I had exactly similar issues. The logs looked the same. You will notice that when you check the operation masters on the 2003 SBS server they will show an ERROR on operation master, and in AD Sites and Services the replication link will be missing on the 2008 server.
Out of frustration I rebooted the 2008 server during the setup and hell crashed on me. The source server was in the middle of migration and the schema had been changed to a no-coming-back stage. I did a restore on the source server once when it crashed and started setup again with the image on the source server.
I tried to do the install manually without the answer file but got the same issue. The server is happy until I promote it to a Domain Controller. Then I get the following error message regarding Group Policy:
“The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.”
I started the setup again and got stuck at exactly the same spot. I pressed ctrl+alt+del on the 2008 server and started eventvwr from Task Manager. It showed the following errors.
Source: GroupPolicy
Event ID: 1006
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller (LDAP Bind function call failed).
I then installed the hotfix from MS as mentioned in the article and everything was fine.
Thanks guys.
This is what I have learnt.
1. Check clocks are in sync.
2. Check FRS, DNS and DHCP on Source Server (some idiot had DNS set to manual on my server).
3. I was prompted that 2003 SP1 was not installed, whereas I had SP2 on it. (I added the reg key manually on the 2003! Setup is dumb.)
HKLM\SOFTWARE\Microsoft\SmallBusinessServer\ServicePackNumber (= 1)
4. Check Sysvol permissions.
5. Install the hotfix FIX 226580
6. Always take an image backup of the source before you start anything. There are things that can go terribly wrong, as they went wrong with me.

In addition to the following, I had set DNS for both servers to the IP address of the new server!
I have just copied the following from a website: ( Credits to them)
Replication Issues.
AD replication is taking longer than normal, do you want to wait for replication
This one happens sometimes. You will install, the AnswerFile gets picked up, and after a few reboots you get a message stating that the AD replication is taking longer than normal, do you want to wait for replication? You have two problems now. First, the Source isn’t replicating properly and you need to fix that problem, and secondly, many times the Destination server has stopped trying to replicate because of the failure.
Source server:
Check that these services are running, this is the most common cause of failure to replicate:
Computer Browser
File Replication Service
Remote Procedure Call (RPC) (and I always start the Locator too, don’t know if it helps but I do)
Disable Firewall! If you don’t make a habit of doing so already, the Firewall can really muck up a migration. You probably have a better firewall in your AV program already anyway.
So now you have the problem figured out, let’s get the two to start talking again. There is one registry key on the Source, and two on the Destination which need to be fixed.
HKLM\System\CurrentControlSet\Services\NTFrs\Parameters\Backup/Restore\Process at Startup
Change the BurFlags key to D4 on the old server.
Obviously there is no run, so you need to bring up either Task Manager or a command prompt. I know there is another hotkey for CMD but I don’t remember what it is most of the time, so I just use CTRL+SHIFT+ESC, which brings up Task Manager. File>New Task will get you a run so you can open up the registry.
Now change the same BurFlags key to D2 on the new server.
Also go find the key HKLM\System\CurrentControlSet\Services\Netlogon\Parameters and make sure the SysvolReady key says 1; if not, change it.
Now stop the NTFrs service on both servers, and start the Source first, then the Destination, and on the Destination server click Yes to wait for the AD replication. If it worked, you should see almost immediate results.
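
The registry and service steps above, written out as a CMD batch script (an added example, not part of the original post or the site it quotes). The script name, the SOURCE/DEST argument and the short service names Browser, NtFrs, RpcSs and RpcLocator are this example's choices; D4 marks the source's SYSVOL copy as authoritative and D2 makes the destination re-sync from its partner.

```batch
@echo off
rem Added example. Run from a CMD prompt on each server:
rem   frs-reset.cmd SOURCE   (old SBS 2003 server)
rem   frs-reset.cmd DEST     (new SBS 2008/2011 server)
rem The script name and the SOURCE/DEST argument are made up for this example.
setlocal
set "FRSKEY=HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
set "NLKEY=HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

rem D4 on the old server, D2 on the new server, as in the steps above.
set "BUR="
if /i "%~1"=="SOURCE" set "BUR=0xD4"
if /i "%~1"=="DEST"   set "BUR=0xD2"
if not defined BUR (
  echo Usage: %~nx0 SOURCE ^| DEST
  exit /b 1
)

rem Services the steps list for the source server (short service names).
if /i "%~1"=="SOURCE" (
  for %%S in (Browser NtFrs RpcSs RpcLocator) do (
    sc query %%S | find "RUNNING" >nul || echo WARNING: %%S is not running
  )
)

rem Print the current values first so they can be put back if needed.
echo --- values before the change ---
reg query "%FRSKEY%" /v BurFlags
if /i "%~1"=="DEST" reg query "%NLKEY%" /v SysvolReady

rem Write the values. BurFlags is only acted on when NtFrs next starts.
reg add "%FRSKEY%" /v BurFlags /t REG_DWORD /d %BUR% /f || exit /b 1
if /i "%~1"=="DEST" (
  reg add "%NLKEY%" /v SysvolReady /t REG_DWORD /d 1 /f || exit /b 1
)

rem Stop FRS here; starting it is left manual so the order can be controlled.
net stop ntfrs

echo.
echo BurFlags is set to %BUR% and FRS is stopped on this server.
echo Run "net start ntfrs" on the SOURCE first, then on the DEST.
```

Run it on both servers before starting the service on either one, so the source comes up first as the steps require.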

All the best people

