Everyone in my company authenticates in this domain (the DC was Windows 2003 en-us). It got infected, so I had to replace it. I followed the steps in this document. I transferred all the FSMO roles to the new 2008 R2 VM, including infrastructure master and global catalog (since I will remove the Win2003 DC, and only one DC will be on the domain). These are the entries that were previously in my Linux DNS:
---
win2003 A 160.160.95.1
b3f9f4f9-b575-4797-8c43-d180163ca7c8._msdcs IN CNAME win2003
; global catalog servers
_gc._tcp IN SRV 0 100 3268 win2003
_ldap._tcp.gc._msdcs IN SRV 0 100 389 win2003
_ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs IN SRV 0 100 389 win2003
; ldap servers
_ldap._tcp IN SRV 0 100 389 win2003
_ldap._tcp.dc._msdcs IN SRV 0 100 389 win2003
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 win2003
---
and now these are the entries:
---
win2003 A 160.160.95.1
b3f9f4f9-b575-4797-8c43-d180163ca7c8._msdcs.subdominio.empresa.br IN CNAME win2003
4bf38388-e750-4646-9ed5-529aaabf1457._msdcs.subdominio.empresa.br IN CNAME win2003
win2008r2 A 160.160.95.2
87afea7b-f06e-48c7-a00e-da1d8d3ac9a0._msdcs.subdominio.empresa.br IN CNAME win2008r2
; global catalog servers
_gc._tcp IN SRV 0 100 3268 win2008r2
_ldap._tcp.gc._msdcs IN SRV 0 100 389 win2008r2
_ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs IN SRV 0 100 389 win2008r2
; ldap servers
_ldap._tcp IN SRV 0 100 389 win2008r2
_ldap._tcp.dc._msdcs IN SRV 0 100 389 win2008r2
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 win2008r2
; global catalog servers
;_gc._tcp IN SRV 1 100 3268 win2003
;_ldap._tcp.gc._msdcs IN SRV 1 100 389 win2003
;_ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs IN SRV 1 100 389 win2003
; ldap servers
_ldap._tcp IN SRV 1 100 389 win2003
_ldap._tcp.dc._msdcs IN SRV 1 100 389 win2003
;_ldap._tcp.pdc._msdcs IN SRV 1 100 389 win2003
---
The problem is that the 2008 VM says it cannot find the Win2003 DC (event ID 2092, replication error because "target account name is incorrect"), and cannot replicate to it (initial replication, when the machine starts), and therefore it cannot assume its roles and cannot consider them valid. I ended up installing DNS on Win 2008 (I did not do that when following the steps in the above link). At some point, when trying to fix it, I right-clicked the old DC (2003) and clicked the reset machine menu option (Domain computers -> Domain Controllers); I don't know if that changed the machine ID, which was b3f9f4f9-b575-4797-8c43-d180163ca7c8. Now both IDs are in the DNS, pointing to Win2003.
I verified from the Win2003 that all roles belong to the 2008 server. I am afraid to demote 2003 and lose all user and computer entries; that would ruin my life. Everyone (almost 200 people) would have to create new accounts.
Any ideas?
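The records above are the kind of thing a DC-locator sanity check can flag before anyone touches the domain. Each DC registers exactly one DSA GUID CNAME under `_msdcs`, so a host with two GUID CNAMEs (as win2003 has above) is a stale-record symptom, and every SRV target must resolve to an A record in the zone. The following script is an added example, not code from the original post; the zone text inside it is a constructed copy of the poster's current records, trimmed to what the checks need, and the check names and finding strings are my own.

```python
"""Sanity checks for AD DC-locator records in a BIND-style zone fragment (added example)."""
import re
from collections import defaultdict

# Constructed sample: the poster's current records, trimmed to what the checks use.
ZONE = """\
win2003 A 160.160.95.1
b3f9f4f9-b575-4797-8c43-d180163ca7c8._msdcs.subdominio.empresa.br IN CNAME win2003
4bf38388-e750-4646-9ed5-529aaabf1457._msdcs.subdominio.empresa.br IN CNAME win2003
win2008r2 A 160.160.95.2
87afea7b-f06e-48c7-a00e-da1d8d3ac9a0._msdcs.subdominio.empresa.br IN CNAME win2008r2
_gc._tcp IN SRV 0 100 3268 win2008r2
_ldap._tcp.gc._msdcs IN SRV 0 100 389 win2008r2
_ldap._tcp IN SRV 0 100 389 win2008r2
_ldap._tcp.dc._msdcs IN SRV 0 100 389 win2008r2
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 win2008r2
;_gc._tcp IN SRV 1 100 3268 win2003
_ldap._tcp IN SRV 1 100 389 win2003
_ldap._tcp.dc._msdcs IN SRV 1 100 389 win2003
;_ldap._tcp.pdc._msdcs IN SRV 1 100 389 win2003
"""

# A DSA GUID CNAME owner name starts with the GUID followed by "._msdcs".
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\._msdcs", re.I
)


def parse_zone(text):
    """Return (A records, CNAME records, SRV records) from a minimal zone fragment."""
    a, cname, srv = {}, {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and commented-out records are not served
        fields = line.split()
        if "IN" in fields:
            fields.remove("IN")  # the class token is optional in this fragment
        name, rtype, rdata = fields[0], fields[1].upper(), fields[2:]
        if rtype == "A":
            a[name] = rdata[0]
        elif rtype == "CNAME":
            cname[name] = rdata[0]
        elif rtype == "SRV":
            prio, weight, port, target = rdata
            srv[name].append((int(prio), int(weight), int(port), target))
    return a, cname, srv


def check_locator_records(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    a, cname, srv = parse_zone(text)
    findings = []
    # 1. Every SRV target must have an A record in the zone (catches hostname typos).
    for name, entries in srv.items():
        for _, _, _, target in entries:
            if target not in a:
                findings.append(f"{name}: SRV target {target} has no A record")
    # 2. One DSA GUID CNAME per DC; several for one host points at a stale record.
    guids = defaultdict(list)
    for name, target in cname.items():
        if GUID_RE.match(name):
            guids[target].append(name.split(".")[0])
    for host, ids in guids.items():
        if len(ids) > 1:
            findings.append(f"{host}: {len(ids)} DSA GUID CNAMEs ({', '.join(ids)})")
    # 3. The PDC emulator record must name exactly one DC.
    pdc = srv.get("_ldap._tcp.pdc._msdcs", [])
    if len(pdc) != 1:
        findings.append(f"pdc._msdcs has {len(pdc)} targets, expected 1")
    # 4. The two GC locator records must agree on which hosts are GCs.
    gc_hosts = {t for key in ("_gc._tcp", "_ldap._tcp.gc._msdcs") for *_, t in srv.get(key, [])}
    if len(gc_hosts) > 1:
        findings.append(f"GC records disagree: {sorted(gc_hosts)}")
    return findings


if __name__ == "__main__":
    for finding in check_locator_records(ZONE) or ["no findings"]:
        print(finding)
```

Run against the records as posted, the only finding is the duplicate GUID CNAME for win2003; running it against the earlier zone with the `win20003` A record would additionally report every SRV record whose target `win2003` has no A record, which is the quickest way to tell a transcription typo from a real locator problem.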