Domain Controller cannot access \\domain\netlogon causing Auth issues

Hi everyone, I have spent all day trying to figure out what is going on here. I have a Domain Controller (the only DC in the environment) that is acting funny.
I first noticed when I was attempting to RDP into a server in my domain that I was getting "access denied" (but I could log in as a local admin). So when I looked at the Domain Controller, I ran a DCDiag DNS test and got an AUTH error, but am not able to figure out how to fix this.
Another thing I noticed is that when I am signed into the Domain Controller (GP2010-a), I cannot browse to \\contoso.com\netlogon or any similar share.
Here is the kicker: other servers on this domain, server3, server4, server5 etc., CAN access \\contoso.com\netlogon. It is ONLY the Domain Controller and Server2 that CANNOT access this share. The other servers also allow me to RDP into them fine; it is only 1 server that is affected by this strange behavior.
I have checked that there are no IP conflicts, and as far as I can tell all the DNS records are correct.
Regarding the DYNAMIC IP warning, we have a reservation that assigns the IP.
Thanks for any input here, as I'm really stuck.
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = GP2010-A
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\GP2010-A
      Starting test: Connectivity
         ......................... GP2010-A passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\GP2010-A
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... GP2010-A passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : contoso
   Running enterprise tests on : contoso.com
      Starting test: DNS
         Test results for domain controllers:
            DC: GP2010-A.contoso.com
            Domain: contoso.com
               TEST: Authentication (Auth)
                  Error: Authentication failed with specified credentials
               TEST: Basic (Basc)
                  Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
                  (can be a misconfiguration)
         Summary of test results for DNS servers used by the above domain
         controllers:
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90              
            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235              
            DNS server: 2001:500:2::c (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c              
            DNS server: 2001:500:2d::d (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d              
            DNS server: 2001:500:2f::f (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f              
            DNS server: 2001:500:3::42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42              
            DNS server: 2001:500:84::b (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b              
            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30              
            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30              
            DNS server: 2001:7fd::1 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1              
            DNS server: 2001:7fe::53 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53              
            DNS server: 2001:dc3::35 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35              
         Summary of DNS test results:
Auth Basc Forw Del  Dyn  RReg Ext
            Domain: contoso.com
               GP2010-A                     FAIL WARN PASS PASS PASS PASS n/a 
         ......................... contoso.com failed test DNS

Hi,
TEST: Basic (Basc)
                  Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
                  (can be a misconfiguration)
Do you have any NIC configured to get a dynamic IP on the DC which is having the issue? If yes, please disable that NIC. Also, please provide me the results of the below:
1) On your DC which is having issue, run "ipconfig /all"
2) Repadmin /showrepl
Thanks,
Umesh.S.K
Thanks, there is only 1 NIC card. It is getting a DHCP address because this is an Azure Hyper-V machine and I have set an IP reservation for it. I have no way to hardcode the IP because it gets shut off/on all the time.
C:\Users\Administrator>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\GP2010-A
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 007c755c-f56c-4e51-a211-fd4431f63927
DSA invocationID: 007c755c-f56c-4e51-a211-fd4431f63927
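As an added diagnostic (not part of the original thread), the script below collects on the DC the items the reply asked for together with the two checks that bear most directly on the symptom: whether the DC's own NETLOGON share is reachable under each of its names, and whether its DNS client points at a server hosting the AD zone. It uses the names given in the post (contoso.com, GP2010-A) and assumes Windows Server 2012 or later for the Net*/Dns* cmdlets; run it from an elevated PowerShell on the DC.

```powershell
# Added example, not from the thread. Assumes domain contoso.com and DC GP2010-A
# (both from the post) and Windows Server 2012+ cmdlets.
$Domain = 'contoso.com'
$Dc     = 'GP2010-A'

# 1. Adapter addressing: is the only NIC on DHCP (the dcdiag "dynamic IP" warning)?
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, Dhcp |
    Format-Table -AutoSize

# 2. DNS client settings on the DC. A DC should resolve through a DNS server that hosts
#    the AD zone (itself or a partner DC), not through an ISP resolver or root servers.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 3. Can the domain name and the DC-locator SRV records be resolved from here?
$checks = @(
    @{ Name = $Domain;                            Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
)
foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -ErrorAction Stop
        # A records carry IPAddress, SRV records carry NameTarget; print whichever is set.
        $targets = ($r | ForEach-Object { $_.IPAddress, $_.NameTarget } | Where-Object { $_ }) -join ', '
        "{0,-45} {1,-4} OK   -> {2}" -f $c.Name, $c.Type, $targets
    } catch {
        "{0,-45} {1,-4} FAIL -> {2}" -f $c.Name, $c.Type, $_.Exception.Message
    }
}

# 4. The NETLOGON share via the domain name (DFS-style referral) and via the DC's own names.
foreach ($path in "\\$Domain\netlogon", "\\$Dc\netlogon", "\\$Dc.$Domain\netlogon") {
    $ok = Test-Path -Path $path
    "{0,-40} {1}" -f $path, $(if ($ok) { 'reachable' } else { 'NOT reachable' })
}

# 5. Secure channel state and the DC-locator view from this machine.
nltest /sc_query:$Domain
nltest /dsgetdc:$Domain /force

# 6. The replication summary the reply asked for (a single-DC forest lists no partners).
repadmin /showrepl
```

Read the output in order: if step 2 shows a DNS server outside the domain, steps 3 and 4 usually fail as a consequence; if step 3 passes but step 4 fails only for the \\contoso.com form, the problem is with the referral or the DC's access to its own share rather than with name resolution.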

Similar Messages

  • An attempt to resolve the DNS name of a domain controller in the domain being joined has failed.

    "An attempt to resolve the DNS name of a domain controller in the domain being joined has failed." 
    This is the error message I get whenever I try to connect to my server's domain, which I just set up earlier today. I have read through a bunch of other threads on the same error message,
    but each of them has had different solutions and none of them have helped me.
    The one thing that I suspect is related to my problem is that I can't ping my domain from the W7 computer I'm trying to connect. I can ping the server, but not the domain. The domain
    I'm using is set up like "domain.local".
    Other things that might be relevant:
    I've already set up user accounts and a computer under the Server 2012 Active Directory administrator settings.
    I've port forwarded ports 80 and 443 on the server.
    The server has a static IPv4 address. I haven't done anything with IPv6.
    The W7 computer has a dynamic IP address, but I don't think it changes. I believe my router is set up to keep it constant, not 100% sure though.
    Thanks for any help with this, I'm pretty much out of ideas on this. 

    Hi ZachPrinz,
    Firstly, would you please let us know the outputs of ipconfig /all from both the client and the DC.
    Also, if you run nslookup <FQDN of your DC> from your clients, what do you receive?
    Meanwhile, regarding the issue, we can refer to
    the similar thread and see how it works.
    More information:
    Troubleshooting Domain Join Error Messages (en-US)
    Hope this helps.
    Jeremy Wu
    TechNet Community Support
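As an added example (not from this thread), the script below is the client-side version of what the reply asks for: run on the Windows 7 machine that cannot join, it shows which DNS servers the client really uses and whether the domain name, the DC's FQDN and the DC-locator SRV record resolve through them. A ping to the server's address says nothing about this; the join needs those names. It uses the domain name from the post (domain.local); the DC's FQDN is a placeholder, and nslookup is used for the SRV query because Windows 7 has no Resolve-DnsName cmdlet.

```powershell
# Added example, not from the thread. Domain name from the post; the DC name is a placeholder.
$Domain = 'domain.local'
$DcFqdn = 'dc1.domain.local'   # placeholder: substitute the real DC's FQDN

# Which DNS servers does this client actually use? A join only works if the list contains
# a server that hosts the AD zone (normally the DC itself), not the router or the ISP.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DHCPEnabled, DNSServerSearchOrder |
    Format-List

# Forward lookups that must succeed before the join can locate a DC.
foreach ($name in $Domain, $DcFqdn) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        "{0,-30} -> {1}" -f $name, ($addrs -join ', ')
    } catch {
        "{0,-30} -> FAIL ({1})" -f $name, $_.Exception.Message
    }
}

# The DC-locator record the join process queries; the 'svr hostname' lines in the answer
# name the DCs that advertise LDAP for the domain.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
```

If the SRV query fails while the DC's FQDN resolves, the client is asking a DNS server that does not hold the _msdcs zone, which is exactly the condition that produces the error in the title.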

  • Adding new domain controller under tree domain

    I have one forest root domain, ABC.com, and one tree root domain under this forest, DEF.com.
    I want to add a new domain controller under the tree root domain in Windows Server 2008 R2. I need steps and the DNS configuration at forest or domain level.
    Thanks

    If you want to add an additional domain controller to a domain, you should promote the new DC with the primary DNS in the NIC settings of the new DC pointing at the current DC, and once promoted you should point the original IP address NIC settings to
    the new DC.  I am making the assumption that you are using AD-integrated DNS.
    http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • W32tm always on "Local CMOS clock" on virtual domain controller - cannot change to NTP server

    The domain controller (Server 2012 R2) is hosted on Hyper-V (Server 2012 R2). It is a PDC.
    - firewall disabled
    - cleaned up w32tm:
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    - applied the Fix it from http://support.microsoft.com/kb/816042 to enable the external NTP server de.pool.ntp.org
    - disabled VMICTimeProvider in the registry
    (HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\Enabled = 0)
    I can manually query the ntp server de.pool.ntp.org:
    w32tm /stripchart /computer:de.pool.ntp.org /samples:5 /dataonly
    de.pool.ntp.org wird verfolgt [131.188.3.221:123].
    5 Proben werden gesammelt.
    Es ist 24.04.2014 10:07:36.
    10:07:36, +00.0115379s
    10:07:38, -00.0025048s
    10:07:40, -00.0008595s
    10:07:42, -00.0010477s
    10:07:44, -00.0014516s
    But still, w32tm does NOT query the ntp server:
    PS C:\Windows\system32> w32tm /query /source
    Local CMOS clock
    rosch

    Hi rosch,
    Based on your description, please check whether disabling the "Time synchronization" Integration Service helps. Please refer
    to the following operation.
    In Hyper-V Manager, right click the DC and select “Settings…”.
    In the left panel of Settings, navigate to Integration Services and click it.
    Then in the right panel, please uncheck Time synchronization.
    By the way, please check if you can connect to the time server and whether the UDP port for NTP is open.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu
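The reply's steps in script form, as an added example that is not part of the thread: the first part runs on the Hyper-V host and switches off the Time Synchronization integration service for the VM (the same change the Hyper-V Manager clicks make), the second runs inside the DC and re-points w32time at the pool from the post. The VM name 'DC01' is a placeholder; the NTP pool and the VMICTimeProvider key come from the question.

```powershell
# Added example, not from the thread. VM name is a placeholder; NTP pool from the post.

# --- Hyper-V host: stop the hypervisor from feeding its clock to the guest ---
$VmName = 'DC01'   # placeholder: the DC's VM name as shown in Hyper-V Manager
Get-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'
Disable-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'

# --- DC guest (elevated): confirm the VMIC provider is off, then configure the NTP source ---
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
Get-ItemProperty -Path $vmic -Name Enabled | Select-Object Enabled

# 0x8 = query this peer as a client on the normal schedule; /reliable:yes marks this DC
# as a reliable time source so the rest of the domain will follow it (the PDC's role).
w32tm /config /manualpeerlist:"de.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verify: source, stratum and last successful sync.
w32tm /query /source
w32tm /query /status
```

After the host-side change and a restart of w32time, the source reported by `w32tm /query /source` should be the pool rather than the local CMOS clock; if it still is not, the stripchart test from the question already shows the NTP path is open, so the remaining suspects are the VMIC provider being re-enabled or a GPO overriding the W32Time configuration.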

  • Domain User Cannot Access "My Documents" Subfolder

    Hello, I have a user who uses a Windows 7 PC and a Windows 8 laptop. The user is joined to a domain and can access the "My Documents" folder and subfolders without an issue on the Windows 7 PC. When the user logs in with the same credentials
    on the Windows 8 laptop, the user can go into the "My Documents" folder, but for 2/10 of the subfolders the user gets the message "You do not have permission to access \\XXXXX\share\user\My Documents\subfolder" (of course I changed a few of the
    names for security reasons). I checked the parent directory "My Documents" security permissions and the user has ownership of the folder as well as "Full Control." The folder permissions are also applied to all subfolders and files. The
    setting in group policy to create the "My Documents" folder is \\Domain\share\%USERNAME%, so that shouldn't be an issue.
    Any help to resolve this would be greatly appreciated.

    Disable this setting and check the results after a reboot 
    Network access: Do not allow anonymous enumeration
    of SAM accounts and shares
    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading
    the thread.
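Before changing a security policy, it is worth seeing why only some subfolders deny the user. The added example below (not from this thread) walks the redirected folder and, for each subfolder, reports the owner, whether inheritance from the parent is blocked, any explicit Deny entries, and the rights granted or denied to the user directly. The path and account are placeholders for the values the question masked.

```powershell
# Added example, not from the thread. Path and account are placeholders.
$Base = '\\fileserver\share\jdoe\My Documents'   # placeholder for \\XXXXX\share\user\My Documents
$User = 'CONTOSO\jdoe'                           # placeholder for the affected domain user

function Get-FolderAclReport {
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $mine = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account }
    New-Object PSObject -Property @{
        Path               = $Path
        Owner              = $acl.Owner
        # True means "Include inheritable permissions from this object's parent" is off,
        # so the parent's Full Control grant never reaches this folder.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # Deny entries win over Allow entries, including ones granted to a group.
        DenyAces           = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                              ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        UserAllow          = ($mine | Where-Object { $_.AccessControlType -eq 'Allow' } |
                              ForEach-Object { $_.FileSystemRights }) -join ', '
        UserDeny           = ($mine | Where-Object { $_.AccessControlType -eq 'Deny' } |
                              ForEach-Object { $_.FileSystemRights }) -join ', '
    }
}

# Parent first, then every immediate subfolder (hidden ones included).
Get-FolderAclReport -Path $Base -Account $User
Get-ChildItem -Path $Base -Force | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-FolderAclReport -Path $_.FullName -Account $User } |
    Format-Table Path, Owner, InheritanceBlocked, DenyAces, UserAllow, UserDeny -AutoSize
```

Subfolders that differ from the rest in InheritanceBlocked or DenyAces are the ones to look at; rights granted to the user only through a group show up in DenyAces (if denied) but not in UserAllow, and share-level permissions are a separate layer this report does not cover.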

  • Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

    Hi,
    I have successfully set up SharePoint Foundation 2013 as a single-server farm with a SQL Server Standard database in a DMZ environment using local accounts, since the DMZ doesn't have an Active Directory and hence no domain accounts, using PowerShell as described
    in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller 
    When I run Farm configuration wizard to provision search service application, I get an error:
    ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
    The log file logged the details of this error as:
    ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
    that cannot be translated."
    After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
    be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
    I got some pointer from the below thread
    https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
    However, the above thread doesn't state that the solution worked.
    I have tried creating the share manually for the Analytics_<Guid> folder, but it doesn't work since every time the farm configuration wizard is run it creates a new Analytics_<Guid> folder.
    Since I have set up SharePoint Foundation 2013 on a production environment, I cannot test and trial various solutions.
    Can someone please guide me on how to successfully provision search for SharePoint Foundation 2013 set up as a single-server farm with a SQL Server Standard database in a DMZ environment using local accounts (without Active Directory domain accounts).
    Thanks in advance.
    Himanshu

    Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
    Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Secondary Domain Controller Not Authenticating Domain Users

    Hi.
    I have a primary domain controller running Win Srv 2012 in the USA and I added a secondary domain controller (2012) in the same domain from a different location, India, through VPN, so that India user accounts can authenticate via the secondary DC instead of the primary
    DC in the USA.
    Installation & replication of AD went fine.
    India domain users' login is damn slow.
    When I ran the command echo %logonserver% from an India client machine, it displays the USA primary DC name, which means it's authenticating the users from the USA primary DC.
    Preferred DNS for the India client machine is the secondary DC IP and the alternate is the primary DC IP (USA).
    Please find the dcdiag results below; any help is much appreciated.
    Performing initial setup:
       Trying to find home server...
       Home Server = server2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: INDIA\server2
          Starting test: Connectivity
             ......................... server2 passed test Connectivity
    Doing primary tests
       Testing server: INDIA\server2
          Starting test: Advertising
       Warning: DsGetDcName returned information for \\server1.tst.mycompany.com, when we were trying to reach
       server2.
       SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... server2 failed test Advertising
          Starting test: FrsEvent
             ......................... server2 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after th
             replication problems may cause Group Policy problems.
             ......................... server2 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... server2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... server2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... server2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... server2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... server2 passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\server2\netlogon)
             [server2] An net use or LsaPolicy operation failed with error 67,
             ......................... server2 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... server2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... server2 passed test Replications
          Starting test: RidManager
             ......................... server2 passed test RidManager
          Starting test: Services
             ......................... server2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 02/22/2015   17:10:30
                Event String: Intel(R) 82574L Gigabit Network Connection
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 02/22/2015   17:11:24
                Event String: The WinRM service is not listening for WS-Manageme
             An error event occurred.  EventID: 0x0000271A
                Time Generated: 02/22/2015   17:11:24
                Event String:
                The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not regist
             A warning event occurred.  EventID: 0xA004001B
                Time Generated: 02/22/2015   17:12:41
                Event String: Intel(R) 82574L Gigabit Network Connection
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 02/22/2015   17:19:36
                Event String:
                Name resolution for the name mycompany.com timed out after none
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 02/22/2015   17:28:54
                Event String:
                Microsoft Windows Server has detected that NTLM authentication i
    his server. This event occurs once per boot of the server on the first time
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 02/22/2015   17:33:35
                Event String: The WinRM service is not listening for WS-Manageme
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 02/22/2015   17:35:54
                Event String:
                Microsoft Windows Server has detected that NTLM authentication i
    his server. This event occurs once per boot of the server on the first time
             ......................... server2 failed test SystemLog
          Starting test: VerifyReferences
             ......................... server2 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValida
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValida
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidat
       Running partition tests on : tst
          Starting test: CheckSDRefDom
             ......................... tst passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... tst passed test CrossRefValidation
       Running enterprise tests on : tst.mycompany.com
          Starting test: LocatorCheck
             ......................... tst.mycompany.com passed test LocatorChec
          Starting test: Intersite
             ......................... tst.mycompany.com passed test Intersite

    Firstly, make sure that you have configured sites and subnets correctly. According to your information you have two locations, so you should have at least 2 sites and 2 subnets associated with them. If you have forgotten to configure the subnets of India in your
    Sites and Services and assign them to the India site, you are experiencing this issue. Also make sure the clients in India have appropriate network connectivity to the domain controllers in India.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.
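The site/subnet fix from the reply, as an added example that is not part of the thread. It creates the subnet-to-site mapping that the DC locator uses to steer India clients to server2, and then lists the clients the DC has already seen from unmapped addresses, which is the quickest way to confirm the diagnosis. The site name INDIA and domain tst.mycompany.com come from the dcdiag output in the question; the subnet prefix is a placeholder. Run on a DC or a machine with the ActiveDirectory RSAT module (2012+).

```powershell
# Added example, not from the thread. Site and domain names from the dcdiag output;
# the India client subnet is a placeholder.
Import-Module ActiveDirectory

$IndiaSite   = 'INDIA'
$IndiaSubnet = '10.20.0.0/16'   # placeholder: the India office's client address range

# The site already exists per the dcdiag output; create it only if it is missing.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$IndiaSite'")) {
    New-ADReplicationSite -Name $IndiaSite
}

# The subnet object is what maps a client's IP address to a site. Without it the client
# is "siteless" and the locator may return any DC, including the one across the VPN.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$IndiaSubnet'")) {
    New-ADReplicationSubnet -Name $IndiaSubnet -Site $IndiaSite
}

# Confirm the India DC itself sits in the India site.
Get-ADDomainController -Identity 'server2' | Select-Object Name, Site, IPv4Address

# Every subnet and the site it maps to, for review.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Sort-Object Site

# Clients that logged on from addresses matching no subnet are recorded by NETLOGON as
# NO_CLIENT_SITE lines in netlogon.log (and summarised as System event 5807). The last
# token of each line is the client IP, so this prints the unmapped addresses seen so far.
Select-String -Path "$env:SystemRoot\debug\netlogon.log" -Pattern 'NO_CLIENT_SITE' |
    ForEach-Object { ($_.Line -split '\s+')[-1] } | Sort-Object -Unique

# On an India client, after the change has replicated:
#   nltest /dsgetsite                       (should print INDIA)
#   nltest /dsgetdc:tst.mycompany.com /force
```

If the NO_CLIENT_SITE list contains the India client addresses, the missing subnet is the cause; once the subnet exists, `nltest /dsgetsite` on a client should report INDIA and `%logonserver%` should name server2 after the next fresh logon.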

  • Group MSA account fail when Domain Controller in Test Domain Fails to start KdsSvc. Event ID 7023

    Yesterday, in my test domain, I created the KDS root key using the Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
    command on a DC that is not the PDC Emulator, because it was the server I was on at the time.  Today, when I tried to create gMSA accounts on the PDC Emulator, I get:
    Event ID 7023 The Microsoft Key Distribution Service terminated with the following error: An Exception occurred in the service when handling the control request
    I turned on logging for the KdsSvc and get 2 other errors:
    KdsSvc Event ID 4001: Group Key Distribution Service failed to start. Status 0x80070020
    KdsSvc Event ID 4007: Group Key Distribution Service cannot connect to the domain controller on local host.  Status 0x80070020.  Group Key Distribution Service cannot be started because of the error.  Please contact the administrator to resolve
    the issue.
    I took the opportunity to clean up AD, the Schema, and DNS, but the KDS errors continue.  I am replicating successfully, DNS changes are reflected immediately, and when I run Get-KdsRootKey on the failing server, the key is returned.  The
    Get-KdsConfiguration matches the KDS config on the DC that originally ran to create the key.
    I have a pretty strict GPO pushed to my DCs but I am still able to create gMSAs on the other server.  I checked ADS&S and found the msKds-ProvRootKey so I know it is at the domain level, but there is so little documentation on the KdsSvc that I
    am not sure if it is working as planned.  I have tried unassigning several GPO configuration items but I am throwing darts at this point.  I have also uninstalled McAfee AV; IDS/IPS; Firewall.
    With that said, I have questions:
    Will gMSAs still work even though the domain pdc emulator cannot start the service?
    Is the KdsSvc supposed to start only on the server Add-KDSRootKey was originally created?
    What happens if the server the KdsSvc key was created fails and has to be removed from the domain?
    Are there any books or configuration items I can review to learn the KdsSvc better?
    Env:
    Windows Standard Server 2012 R2 x64
    Active Directory 2012 R2 Schema Updated from Windows 2008 R2
    All FSMO roles are on the PDC Emulator which is a Windows 2012 R2 DC
    DCDiag returns no errors or test failures
    Repadmin returns clean results (/showreps & /replsum)
    Windows 2008 R2 Root CA hierarchy (not DCs)
    W32tm services are running with less than 6/10's of a ms difference among the domain.

    Hi,
    For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group Managed Service Accounts instead of the original standalone Managed Service Accounts.
    New-ADServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group> -ServicePrincipalNames <SPN1,SPN2,…>
    Did you use the command above?
    Here is a good blog:
    Windows Server 2012: Group Managed Service Accounts
    http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
    Hope this helps.
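The New-ADServiceAccount line in the reply is one step of a longer flow; as an added example (not from the thread or from Microsoft's documentation) the script below shows that flow end to end: verify the forest-wide KDS root key, create a tightly scoped host group, create the gMSA, and then install and test it on the member server. Account, group and host names are placeholders; the 10-hour EffectiveTime backdate is the question's own lab shortcut.

```powershell
# Added example, not from the thread. All names are placeholders.
Import-Module ActiveDirectory

# 1. A KDS root key must exist and be effective before any gMSA can be created. It is a
#    forest-wide object replicated to every DC; it is not bound to the DC that created it.
$key = Get-KdsRootKey
if (-not $key) {
    # Lab only: backdating makes the key usable at once instead of after ~10 hours.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
} else {
    $key | Select-Object KeyId, EffectiveTime, CreationTime
}

# 2. Only members of this group can retrieve the account's password from AD, so it
#    should contain exactly the hosts that run the service and nothing else.
$HostGroup = 'gMSA-SvcApp-Hosts'         # placeholder
$Gmsa      = 'svcApp'                    # placeholder (sAMAccountName becomes svcApp$)
$Dns       = 'svcapp.corp.example'       # placeholder DNS host name for the service
$Host01    = 'APPSRV01'                  # placeholder member server

if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $Host01)

# 3. Create the gMSA (the reply's command) with the SPN the service will use.
New-ADServiceAccount -Name $Gmsa -DNSHostName $Dns `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ServicePrincipalNames "HTTP/$Dns"

# 4. On APPSRV01, after a reboot so the new group membership is in its computer token:
#    Install-ADServiceAccount -Identity svcApp
#    Test-ADServiceAccount -Identity svcApp    # $true once the host can retrieve the password
```

Test-ADServiceAccount on the member server is the definitive check: it succeeds only when that host can actually fetch the managed password through the KDS, independently of which DC the root key was created on.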

  • Replace WS2003 domain controller for WS2012 domain controller

    Hi, I think that this is a common problem, but I haven't found anything exactly like this, only something similar, and I still have a lot of doubts.
    The thing is that I have a network with two domain controllers:
    WS2003     - 192.168.0.1, which is the first domain controller I created and is also a file sharing server
    WS2008R2 - 192.168.0.8, which is a new domain controller I added one year ago.
    Now, I want to replace the first one, keeping the second one.
    I am thinking of removing the first one and replacing it with a new machine (WS2012) with the same IP and host name. I need the same host name because clients are pointing to it to get the shared files.
    My main fear is that clients get some error related to the trust relationship and I will have to rejoin them one by one to the domain.
    As I have another domain controller, will the global catalog of the new machine be synchronized automatically with the WS2008R2 domain controller?
    Do I need to demote the old domain controller before adding the new one?
    Thanks a lot

    Hi Tomas,
    As pointed out by Burakm, you should have an additional file server and should avoid using a Domain Controller, which has privileged access, to share files. This puts you at a security risk.
    Regarding the requirement of old host name:
    Here is something that would let you keep a different servername and IP, yet allow your users to connect to the old hostname and access the share. Use CNAME records of old server to point it to the new hostname.
    How to Configure Windows Machine to Allow File Sharing with DNS Alias
    You might also look for Distributed File System Shares.
    http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
    NOTE- You can't run in-place upgrade of a 2003 to 2012 DC.
    Regards,
    Satyajit
    Please “Vote As Helpful”
    if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.
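The CNAME approach from the reply has three parts, and the DNS record alone is not enough: Kerberos clients request a ticket for the name they typed, and the SMB server rejects names it does not own. The added example below (not from the thread or from the linked article) covers all three. Zone, old and new host names are placeholders; steps 1 and 2 run from a DC or admin workstation with RSAT (DnsServer module, 2012+), step 3 runs on the new file server.

```powershell
# Added example, not from the thread. All names are placeholders.
$Zone    = 'corp.example'   # placeholder AD DNS zone
$OldName = 'fs-old'         # placeholder: the WS2003 host name clients still use
$NewHost = 'fs-new'         # placeholder: the WS2012 file server that now holds the shares

# 1. DNS: alias the old name to the new server so \\fs-old still resolves.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $OldName -HostNameAlias "$NewHost.$Zone"

# 2. Kerberos: a client opening \\fs-old asks for a ticket for cifs/fs-old. That SPN has
#    to live on the NEW server's computer account (HOST/ covers cifs/), otherwise the
#    client falls back to NTLM or fails. setspn -S refuses to create a duplicate.
setspn -S "HOST/$OldName" $NewHost
setspn -S "HOST/$OldName.$Zone" $NewHost

# 3. SMB server on fs-new: by default it drops connections made under a name it does not
#    own. Listing the alias in OptionalNames is narrower than disabling the check entirely.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $lanman -Name OptionalNames -PropertyType MultiString `
    -Value @($OldName, "$OldName.$Zone") -Force
# Broader alternative, accepts any name: DisableStrictNameChecking = 1 (DWord).
Restart-Service LanmanServer -Force

# Check from a client after the change: the ticket for the alias should be Kerberos.
#   klist get cifs/fs-old.corp.example
```

Keeping the SPNs on the new server's account (rather than disabling strict name checking alone) preserves Kerberos for the alias, which matters once NTLM is restricted in the domain.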

  • Error message for easy transfer says cannot access domain account?

    After installing Windows 7 onto my current computer with XP, I get an error message about being unable to access the account domain when files try to transfer. My computer is connected to a LAN main server, but even when I log on as the account administrator the new computer with Windows 7 has the same message. What am I doing wrong? The Windows Easy Transfer software does show it is loaded on my computer as well as the main server.

    Ok, let's back up a second here. So you used it to transfer data to a backup, but to where?  Now you've upgraded (or dual boot) to Windows 7; have you joined it to a domain yet? 2nd, did you go to Start/All Programs/Accessories/System Tools/Windows Easy Transfer? You start it up and select Next. You mentioned network, so I'm making assumptions; it's just a guess that you backed it up to a network location. However, you don't select network (unless the old machine was separate and still running on the network); you'll select "An external hard drive or USB flash drive", select "This is my new computer", select Yes, and if the drive you backed up to is mapped (if joined to the domain and they map drives for you), then select the drive, double click it if you need to drill down into the folder where your backup is, and select your *.mig file and go. If it isn't mapped, then you could select the computer from the network on which your data is stored and browse through it.  The main server doesn't need software loaded; Windows 7 will take care of it in this scenario.
    MCSE, MCSA, MCDST
    [If this post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster.]

  • Registered with Verizon My Domain and cannot access email

    I have spent the past TWO DAYS trying to get assistance from Verizon customer support.  I have talked with EIGHT different representatives and none of them know how to help me.
    Last week I registered my verizon.net email with Verizon Your Domain and paid the $19.95 annual fee to keep my email address.  After receiving a confirmation that my transaction was successful and complete, I proceeded to cancel my Verizon home phone and internet service.  Verizon cancelled my email when they cancelled my phone and internet.
    I was told via email from a Verizon Your Domain specialist that I needed Broadband Essentials to keep my email.  I DO NOT NEED INTERNET SERVICE.  I HAVE INTERNET SERVICE.  According to Verizon Your Domain I do not need Verizon internet to keep my email!
    If this isn't bad enough, I've been charged TWICE and I still have no email!
    Can someone please help me?  I followed the instructions to a T and have spent two hours on the phone with absolutely NO RESOLUTION!

    Hi davidsonx5,
    Your issue has been escalated to a Verizon agent. Before the agent can begin assisting you, they will need to collect further information from you. Please go to your profile page for the forum and look at the top of the middle column where you will find an area titled "My Support Cases". You can reach your profile page by clicking on your name beside your post, or at the top left of this page underneath the title of the board.
    Under "My Support Cases" you will find a link to the private board where you and the agent may exchange information. This should be checked on a frequent basis, as the agent may be waiting for information from you before they can proceed with any actions. To ensure you know when they have responded to you, at the top of your support case there is a drop down menu for support case options. Open that and choose "subscribe". Please keep all correspondence regarding your issue in the private support portal.

  • Scheduled Task to run as Local System cannot access the Netlogon Share in Windows 8.1

    I've created a Scheduled Task that is set up to run as the local System account which uses cscript.exe to execute a VBScript residing on the domain Netlogon share. It works perfectly on Windows 7, but fails miserably on Windows 8.1. When I open a command prompt as the System account and try to run the script from the Netlogon share manually, I get the following error:
    CScript Error: Loading script \\<FullyQualifiedomainName>\Netlogon\xyz.vbs failed (The account used is a computer account. Use your global user account or local user account to access this server. ).
    Is there something different I need to set in Windows 8 to get this to run?
    Thank you!!
    Eric Myers

    Hi Eric,
    What's the result of Arnav's question?
    How did you set it? Please set it as in the following steps:
    1. Go to Start > Administrative Tools > Task Scheduler
    2. In the Task Scheduler window double click your task, and on the "General" tab, under the "Security options" section, click the "Change User or Group" button.
    4. Make sure "From this location" is set to the local machine name (to change it, click the "Locations" button and select the local computer name)
    5. Type "SYSTEM" in the text box and press OK. Under "When running the task, use the following user account:" you should see "NT AUTHORITY\SYSTEM".
    Karen Hu
    TechNet Community Support
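    The same configuration done from PowerShell, as an added example that is not part of the thread above: it registers a task whose principal is the built-in SYSTEM account (the equivalent of the GUI steps), reads the principal back to confirm what the task will run as, and runs the task once so the last result code can be inspected. The task name, the Netlogon script path and the daily trigger are assumptions for the example.

```powershell
# Added example (not from the original thread): register a scheduled task that runs
# cscript.exe as NT AUTHORITY\SYSTEM, matching the GUI steps above, then read the
# principal back to confirm it. Assumed values: task name "Run-NetlogonScript",
# script path \\contoso.com\Netlogon\xyz.vbs, daily trigger at 03:00.
$scriptPath = '\\contoso.com\Netlogon\xyz.vbs'   # assumed path, adjust to your share

$action    = New-ScheduledTaskAction -Execute 'cscript.exe' -Argument "//Nologo `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
# LogonType ServiceAccount is what the built-in accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) use
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Stop a hung script instead of letting it run forever under SYSTEM
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName 'Run-NetlogonScript' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the task really runs as SYSTEM before trusting it
(Get-ScheduledTask -TaskName 'Run-NetlogonScript').Principal | Select-Object UserId, LogonType, RunLevel

# Run it once on demand and inspect the last result code (0 means the script exited cleanly)
Start-ScheduledTask -TaskName 'Run-NetlogonScript'
Start-Sleep -Seconds 5
(Get-ScheduledTaskInfo -TaskName 'Run-NetlogonScript') | Select-Object LastRunTime, LastTaskResult
```

    One caveat worth keeping in mind when reading the error in the question: when SYSTEM reaches out to a network share it authenticates as the machine's domain computer account (DOMAIN\COMPUTERNAME$), not as a user, so the share and NTFS permissions on the Netlogon share must allow that computer account (by default Authenticated Users, which includes domain computer accounts, has read access). Checking the last result code after Start-ScheduledTask is the quickest way to see whether the task, rather than a manual cscript.exe run, can actually load the script.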

  • Domain Controller (Windows) + Secondary Domain Controller (Mac)

    Can this setup be done to where the windows box would control windows computers, while the secondary controller (xserve) would control the authentication for Macs?

    Hi
    OSX Server can function as a Domain Member in a Windows Server environment. It can’t function as a BDC if the PDC is a Windows Server. The only occasion that OSX Server can function as a BDC to a PDC is when the PDC is an Open Directory Master, in other words another OSX Server. In effect this would be an OD Master and Replica relationship.
    This applied with 10.4 Server. I may be wrong but I’ve not seen anything in the 10.5 Open Directory Admin Manual yet that says different.
    Hope this helps, Tony

  • What to note when removing a Domain controller from an existing domain!!!

    Dear everybody,
    My company has 3 Domain controllers at the moment.
    All of them have some functions: DHCP, DNS.
    Now, we plan to remove a DC.
    So, what do we need to pay attention to when removing one of them?
    Thanks for your help!!!

    1. Migrate DHCP first, using the commands below:
    netsh dhcp server export C:\dhcp.txt all       (on the old server)
    netsh dhcp server import C:\dhcp.txt all       (on the new server)
    2. Enable the DNS debug log and see which clients are still pointing to the old DC.
    http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
    3. Change the DHCP scope accordingly.
    HTH
    Biswajit
    Regards,
    Biswajit
    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
    Note: This posting is provided AS IS with no warranties or guarantees and confers no rights.
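    Step 2 above (find which clients still query the old DC) is the one that needs some tooling, so here is an added example that is not from the thread: a PowerShell function that parses a DNS debug log, keeps only inbound packets (the "Rcv" lines, which carry the client's IP; "Snd" lines are the server's own replies) and counts queries per client. The log lines embedded below are constructed for the example and follow the layout the DNS debug log uses (date, time, thread id, PACKET, packet id, UDP/TCP, Snd/Rcv, remote IP, then the query details); the log path C:\dns\dns.log is an assumption.

```powershell
# Added example (not from the original thread): summarize which clients are still
# sending queries to a DC by parsing its DNS debug log. The sample below is
# constructed; on a real server read the log with Get-Content (assumed path C:\dns\dns.log).
$constructedLog = @'
3/10/2014 9:32:11 AM 0EF0 PACKET  00000000021F1FA0 UDP Rcv 192.168.1.20    0002   Q [0001   D   NOERROR] A      (3)www(7)contoso(3)com(0)
3/10/2014 9:32:11 AM 0EF0 PACKET  00000000021F1FA0 UDP Snd 192.168.1.20    0002 R Q [8085 A DR  NOERROR] A      (3)www(7)contoso(3)com(0)
3/10/2014 9:32:12 AM 0EF0 PACKET  00000000021F2000 UDP Rcv 192.168.1.21    0003   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(7)contoso(3)com(0)
3/10/2014 9:32:15 AM 0EF0 PACKET  00000000021F2100 TCP Rcv 192.168.1.20    0004   Q [0001   D   NOERROR] A      (3)srv(7)contoso(3)com(0)
'@

function Get-DnsClientSummary {
    param([string[]]$Lines)
    # Only inbound packets (Rcv) identify a client; Snd lines are replies from this server.
    # The leading date/time/thread-id fields vary by locale, so match from "PACKET" onwards.
    $pattern = 'PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+Rcv\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})'
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{ Client = $Matches.ip; Proto = $Matches.proto }
            }
        } |
        Group-Object Client |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

# Parse the constructed sample. For a live server use:
#   Get-DnsClientSummary -Lines (Get-Content 'C:\dns\dns.log')
Get-DnsClientSummary -Lines ($constructedLog -split "`r?`n")
```

    Run it against the old DC's log for a day or two before demotion; any client that still shows up there needs its DNS settings (or the DHCP scope option handing them out, step 3) corrected first, otherwise it will lose name resolution for the domain when the DC goes away.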

  • Deploy Windows Server 2012 R2 domain controller in 2008 domain

    Hi,
    We have three physical Windows 2008 Enterprise SP1 32-bit domain controllers, and we need to deploy two additional Windows 2012 R2 Standard DCs as virtual machines in this domain. Do we need to install SP2 on the existing Windows 2008 SP1 DCs, or are we fine?
    What are the other requirements?

    It is not required.
    Just your Forest/Domain Functional level should be Windows Server 2003 or higher to be able to add Windows Server 2012 R2 DCs.
    Please note that it is always recommended to have your Windows Operating Systems up-to-date to avoid known security attacks and known bugs.
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK
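    A read-only readiness check for the functional-level requirement stated in the answer, as an added example that is not part of the thread: it compares the forest and domain functional levels against the Windows Server 2003 minimum and lists the existing DCs with their OS and service pack so the state of the 2008 SP1 machines is visible in the same place. It assumes the ActiveDirectory PowerShell module (RSAT) is available on the machine where it runs.

```powershell
# Added example (not from the original thread): check that the forest and domain
# functional levels allow a Windows Server 2012 R2 DC, and list the current DCs.
# Assumes the ActiveDirectory module (RSAT) is installed. Reads only; changes nothing.
Import-Module ActiveDirectory

function Test-FunctionalLevelFor2012R2 {
    # Windows Server 2012 R2 DCs require forest and domain functional level 2003 or higher.
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # The mode enums are ordered (Windows2000 < Windows2003Interim < Windows2003 < 2008 < ...),
    # so an integer comparison against the 2003 value is enough.
    $forestOk = [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $domainOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain

    [pscustomobject]@{
        Forest         = $forest.Name
        ForestMode     = $forest.ForestMode
        Domain         = $domain.DNSRoot
        DomainMode     = $domain.DomainMode
        ReadyFor2012R2 = ($forestOk -and $domainOk)
    }
}

function Get-ExistingDcInventory {
    # Shows OS and service pack per DC, plus which ones hold a global catalog,
    # so the 2008 SP1 hosts from the question can be seen alongside any new DCs.
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, OperatingSystem, OperatingSystemServicePack, IsGlobalCatalog |
        Sort-Object HostName
}

Test-FunctionalLevelFor2012R2
Get-ExistingDcInventory | Format-Table -AutoSize
```

    If ReadyFor2012R2 comes back false, the functional level, not the service pack, is what blocks the promotion; if it is true, the SP2 question is about keeping the existing DCs patched, as the answer notes, not a prerequisite for adding the new ones.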
