DC errors, and short term redundancy for peace of mind

spiceuser-80l · 2025-02-23T23:27:10.992Z

We’re long overdue for a new server for DC (and file sharing) VMs for about 100 users, but we’re internally discussing a move from on-prem to a hybrid cloud storage solution like Egnyte so that will determine the specs (primarily storage needs). That said, I can’t quite jump on purchasing anything just yet.

In the meantime, I’m having a hard time making sure what we have in place doesn’t feel like a house of cards. We’ve got a 2012 R2 server that acts as AD/DC and file server and the FSMO roles have been transferred to it. All is “working” - however, all clients are still pointing to an ever older 2008 server (DC1) based on “set L” and "nltest /dsgetdc:domain, nor do clients failover to DC2 when DC1 is disconnected, so there seems to have been a step missed in the transfer. The DHCP server is properly assigning DC2 as DNS1 and DC1 as DNS2, so I’m exactly sure why this is happening. Things appear to be syncing across DCs properly and repl tests confirm that. There are no sysvol or NETLOGON shares on DC2 though after the role transfer.

When I run dcdiag on DC2, I see this error;

Testing server: Default-First-Site-Name\DC2
Starting test: Advertising
Warning: DsGetDcName returned information for \DC1.domain.local
when we were trying to reach DC2
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
…DC2 failed test Advertising

AND

 Starting test: NetLogons
     Unable to connect to the NETLOGON share! (\\DC2\netlogon)
     [DC2] An net use or LsaPolicy operation failed with error 67,
     The network name cannot be found..

I know the only real solution is to replace this ancient setup immediately, but while that gets approved, I’m looking to hopefully sort this issue out and to get some AD/DC redundancy in place in short order, ideally without blowing everything up. I have another 2012 R2 Poweredge onsite that is not in use – should I provision that with a new server OS and set that up as DC? Thanks in advance.

PatrickFarrell · 2025-02-24T03:01:54.355Z

Active Directory DNS Refresher Windows

It’s DNS. It’s always DNS. No, DNS is fine, it’s not DNS, trust me. It was DNS. I’m posting because in the last few weeks we’ve had a few posts that turned out to be misconfigurations with DNS in a domain environment. Things like Domain controllers pointing at themself first for DNS, or having a public DNS server on the NIC of the Domain Controller or the clients. Hopefully this will help some people get out in front of potential issues. The general rules for DNS in an AD E…

Check your DNS first that each points to the other as primary and 127.0.0.1 for secondary. If it doesn’t, correct it, wait a few hours and then check your replication

repadmin /showrepl

Also run

dcdiag /e /v

run the following form both domain controllers and make sure they both agree who has the roles:

netdom query fsmo

Do you hand out the IP address of both domain controllers as DNS for the clients? If not you need to do that.

spiceuser-80l · 2025-02-24T03:50:57.257Z

Thanks, Patrick. After transferring the FSMO roles, I changed each to point to the other as primary and itself (127.0.0.1) as secondary and flushed DNS and it didn’t take. I ended up changing them back to pointing to themselves first and the other second as they were before, but I’ll change it back again and leave it for a few hours this time.

repadmin completes without errors, dcdiag /e /v has some errors I need to sort through (the sysvol and netlogon ones I mentioned jump out). Netdom query fsmo both show DC2 has having the roles.

Clients have DNS set up with DC2 as primary and DC1 as secondary, but still see DC1 as the logon server.

adrian_ych · 2025-02-24T04:29:13.620Z

There ARE issues on your DCs…

All DCs would have an automatically created SYSVOL once propagation and full promote to a DC have successfully taken place. This is regardless of any FMSO roles.
You need to ensure of proper DNS server IPs in EVERY DCs IP address config

Primary DNS Server IP is other DC’s IP
Secondary DNS server is 127.0.0.1
Both DCs can ping each other using IP address, FQDN and host name (else manually add the 2 servers records into every DNS server or run “IPconfig /registerDNS” all on DCs)

Server 2012r2 is EOL so is Server 2008. Please kindly consider migrate to DFSR then introduce 2 DCs running Server 2019 or later as DCs. Then migrate DCs to Server 2019 or later.
Migrate SYSVOL replication to DFS Replication | Microsoft Learn

PatrickFarrell · 2025-02-24T04:55:22.242Z

spiceuser-80l:

Thanks, Patrick. After transferring the FSMO roles, I changed each to point to the other as primary and itself (127.0.0.1) as secondary and flushed DNS and it didn’t take.

Can you elaborate on “it didn’t take” ?

spiceuser-80l · 2025-02-24T05:46:50.370Z

Oh sorry, just meant that it didn’t cause the clients to look to DC2 as the logonserver when DC1 was unavailable during a disconnection test.

adrian_ych · 2025-02-24T06:09:52.746Z

Coz DC2 is not a properly promoted DC (no sysvol)

spiceuser-80l · 2025-02-24T15:24:12.029Z

Understood, what steps should I take to get it properly promoted? Is it just making sure the DNS is set properly? Also, both DCs can ping each other by IP, FQDN and host name.

It’s strange, I have no issues doing things like creating AD users on this DC2 that is supposedly not a proper DC yet.

I’ve seen some suggestions to make this registry edit;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters , change SysvolReady to 1 (it’s currently 0) , but I’m not sure why it never changed on its own.

PatrickFarrell · 2025-02-25T01:49:48.953Z

Do not edit the registry. When did you create the other DC? In the last few weeks or several months ago?

spiceuser-80l · 2025-02-25T02:00:54.025Z

They’ve been in place in tandem for years with DC2 acting as our file server as well. DC1 just had the FSMO roles until recently.

PatrickFarrell · 2025-02-25T02:54:31.525Z

So it’s quite possible that the second “DC” is tombstoned.

If you run this from both DCs, does it show current replication dates/times for each section?

repadmin /showrepl

spiceuser-80l · 2025-02-25T03:47:27.198Z

There doesn’t appear to be any errors (changed the server and domain names to protect the innocent, lol) -

FROM DC1;
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 86caea86-5d1a-4bf7-b10a-b62a94321294
DSA invocationID: abc8ac88-cdab-4611-a731-df9b4d0b442a

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 2c377598-d153-4e83-aee6-78d2b0068746
Last attempt @ 2025-02-24 22:38:38 was successful.

CN=Configuration,DC=domain,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 2c377598-d153-4e83-aee6-78d2b0068746
Last attempt @ 2025-02-24 21:55:27 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 2c377598-d153-4e83-aee6-78d2b0068746
Last attempt @ 2025-02-24 21:55:27 was successful.

DC=DomainDnsZones,DC=domain,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 2c377598-d153-4e83-aee6-78d2b0068746
Last attempt @ 2025-02-24 21:55:27 was successful.

DC=ForestDnsZones,DC=domain,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 2c377598-d153-4e83-aee6-78d2b0068746
Last attempt @ 2025-02-24 21:55:27 was successful.

FROM DC2;
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 2c377598-d153-4e83-aee6-78d2b0068746
DSA invocationID: c7de0474-39b4-4822-ad02-2279fcf7e83d

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 86caea86-5d1a-4bf7-b10a-b62a94321294
Last attempt @ 2025-02-24 22:36:12 was successful.

CN=Configuration,DC=domain,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 86caea86-5d1a-4bf7-b10a-b62a94321294
Last attempt @ 2025-02-24 21:45:41 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 86caea86-5d1a-4bf7-b10a-b62a94321294
Last attempt @ 2025-02-24 21:45:41 was successful.

DC=DomainDnsZones,DC=domain,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 86caea86-5d1a-4bf7-b10a-b62a94321294
Last attempt @ 2025-02-24 21:45:41 was successful.

DC=ForestDnsZones,DC=domain,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 86caea86-5d1a-4bf7-b10a-b62a94321294
Last attempt @ 2025-02-24 21:45:41 was successful.

adrian_ych · 2025-02-25T04:08:32.882Z

spiceuser-80l:

I’ve seen some suggestions to make this registry edit;

I would strongly advise NOT to make such registry changes as they are almost never needed for normal DC promotion.

Why not nuke the DC2008 since it is likely dead already…then install DC2019 or DC2024 (if you have licenses and server CALs) as 2nd DC and/or 3rd DC ?

spiceuser-80l · 2025-02-25T05:33:14.320Z

The idea is to nuke DC2008 (though it isn’t dead yet, just too old to be production)… but I can’t quite do that until I can get the clients to see DC2 as the logonserver.

PatrickFarrell · 2025-02-25T06:15:35.929Z

Do you know if you are doing DFSR or FRS replication?

adrian_ych · 2025-02-25T07:23:11.812Z

spiceuser-80l:

The idea is to nuke DC2008 (though it isn’t dead yet, just too old to be production)… but I can’t quite do that until I can get the clients to see DC2 as the logonserver.

But if a Domain Controller does not automatically create its SYSVOL, that is not a DC ? Something had prevented it from becoming a full DC or operating as a DC (for almost 10-15 years already).

So you are actually running a single DC2012r2 without any redundancy of any sort…

There are easier methods like creating 2nd & 3rd DCs using Server 2019 or later (would confirm that you have migrated top DFSR) & nuking DC2008…else troubleshooting the DC2008 can take weeks or months unless you can roll back to 2010 or earlier to know what had prevented DC2008 from becoming a DC (transfer or seizing of FMSO roles will not affect SYSVOL) ?

spiceuser-80l · 2025-02-25T16:09:39.854Z

PatrickFarrell:

Do you know if you are doing DFSR or FRS replication?

FSR

adrian_ych:

But if a Domain Controller does not automatically create its SYSVOL, that is not a DC ? Something had prevented it from becoming a full DC or operating as a DC (for almost 10-15 years already).

So you are actually running a single DC2012r2 without any redundancy of any sort…

There are easier methods like creating 2nd & 3rd DCs using Server 2019 or later (would confirm that you have migrated top DFSR) & nuking DC2008…else troubleshooting the DC2008 can take weeks or months unless you can roll back to 2010 or earlier to know what had prevented DC2008 from becoming a DC (transfer or seizing of FMSO roles will not affect SYSVOL) ?

I think there’s a little confusion here as to which server is which. DC1 is the 2008, and the server that the clients look to as logonserver. DC1 appears to be “fine”, other than being ancient. DC2 is 2012R2 and has everything replicating to it (we create users in AD here) and now has the FSMO roles. I believe the troubleshooting should be happening on DC2 (2012 R2).

Yeah, the plan is definitely to spin up a new server in the near future.

PatrickFarrell · 2025-02-26T00:00:05.980Z

Take a min to backup your GPOs

learn.microsoft.com

Backup and restore Group Policy in Windows

Learn how to backup, restore, migrate, and copy group policy objects using the Group Policy Management Console in Windows.

That way if anything gets hosed you can restore them.

Seems like AD replication is going okay but not the FRS replication. Ultimately you want to migrate that to DFSR but it has to be healthy first.

Go into event viewer, Appications and Services Logs, File Replication Services. Check this on both DCs.

Are you seeing any Event ID: 13568 or other errors in there?

spiceuser-80l · 2025-02-26T01:00:43.825Z

Thanks for the suggestion. No 13568 errors on either DC.

DC1 (2008) has a bunch of errors stating the following;

The client-side extension could not remove computer policy settings for ‘Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}’ because it failed with error code ‘0x8007000d The data is invalid.’ See trace file for more details.

DC2 (2012 R2) shows these errors;

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See KB5008380—Authentication updates (CVE-2021-42287) - Microsoft Support to learn more.

I’m thinking I want to spin up 2019+ on an older spare server here (would need to purchase license and CALs) and set that up as primary DC as a short term thing, but I’m not even sure I’ll be able to do that with the state of things.

adrian_ych · 2025-02-26T03:32:45.650Z

spiceuser-80l:

I think there’s a little confusion here as to which server is which. DC1 is the 2008, and the server that the clients look to as logonserver. DC1 appears to be “fine”, other than being ancient. DC2 is 2012R2 and has everything replicating to it (we create users in AD here) and now has the FSMO roles. I believe the troubleshooting should be happening on DC2 (2012 R2).

Yeah, the plan is definitely to spin up a new server in the near future.

To be realistic, I would not really care which is DC1 or DC2 ?? But as there is DC2008 & DC2012R2:

DC2008 does not have a SYSVOL, thus it must be first to be nuked
DC2012R2 is having OS EOL, so it should be replaced ASAP (once DC-2 & DC-3 using Server 2019 or later have been introduced).

spiceuser-80l:

DC1 (2008) has a bunch of errors stating the following;

I would think that there are or were a lot more errors especially in the past but like most replication errors, they will stop reporting errors after a while (there will be a log stating that logging will be stopped, as there will be a few logs per minute). Then some error logs will not be there as DC2008 is not a fully promoted DC yet.