Upgrading Active Directory W2K3 to W2K8

Keeping in the spirit of my blog title "Tangent Thoughts", this is another Tangent to my recent post "Known Issues for Upgrading Active Directory to Windows Server 2008R2 from Windows 2003". This post has two parts: 1. Everything you ever wanted to know about troubleshooting Windows Server 2008 R2 (first 5 links) and 2. A "Notes from the field" collection of errors discovered before, during and after an actual AD upgrade from Windows Server 2003R2. The table below is a trace record of Event IDs discovered, as well as a collection from MS Support of general AD upgrade errors with KB links for remediation. The focus is primarily on the Errors and Warnings from the Application and System logs on the Windows 2003 and 2008 servers.


THE Kit and Kaboodle! "Troubleshooting Windows Server 2008 R2" includes:

Directory Service Event ID / Note




Source: DCOM

Additional Reference

1006, 1030


The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).  KB929852



KB976586 Error in Windows 7 or Windows Server 2008 R2 when unlocking a computer or switching users

 1058, 1129  Microsoft-Windows-GroupPolicy

Event ID 1058, Event ID 1129



Support KB

1396 Logon Failure


DCDIAG reports that Active Directory replication has failed with error “1396: Logon failure: The target account name is incorrect.”


User Profile Service

KB2661663 Stale user profile folders are not deleted completely in Windows 7 or in Windows Server 2008 R2



KB2102154 Troubleshooting Active Directory operations that fail with error 1722: The RPC server is unavailable


Group Policy Registry

KB2386730 An item-level targeting security group filter in Group Policy preferences settings does not work on a computer that is running Windows Server 2008 R2 or Windows 7 in a disjoint namespace



error code when you perform a system state backup operation

5136 Directory Service Changes


The Account Name, Account Domain, and Security ID fields are not populated in event ID 5136 for "Directory Service Changes" on a computer that is running Windows Server 2008 or Windows Server 2008 R2


Source: MSDTC


5788, 5799



8028, 6016


DFSR SYSVOL Fails to Migrate or Replicate, SYSVOL not shared



KB2021446 Troubleshooting Active Directory operations that fail with error 8524: The DSA operation is unable to proceed because of a DNS lookup failure


Access encrypted files after upgrade. "How to Backup the EFS Recovery Agent" should be done first, to preserve the EFS Recovery Agent.

If the 1st DC from the source forest no longer exists, you cannot recover the EFS Domain Recovery Agent! PsGetSid: this Sysinternals utility will quickly help you identify what the first DC was in the source domain. RIDs are created sequentially, so the DC with the lowest RID of all DCs will be the first.

Event 7030

McAfee ePolicy service account

Based on the error, it seems that the service account needs interactive logon on the DCs.

Import GPO fails

Message = “The Version Option is invalid”

Forum post: you must use the same GPMC version for exporting and importing, e.g. if exported with GPMC 1.0, you must import with the same.

 Active Directory Administrative Center

 FIPS-140 policy

In our test lab, we had a group policy for FIPS-140. Once it was applied, the administrator could open Active Directory Users and Computers, but not the newer AD Administrative Center. Removing the policy allowed the ADAC