Replace win2008r2 domain controllers with win2012r2

My environment: Single win2008 r2 forest w/3 win2008r2 domains
 I need to replace the 2 root domain controllers (that also run DNS & WINS) with new hardware and was considering installing them as Win2012R2. 
I have no plans to upgrade the DC’s in the 2 Win2008r2 child domains.
Since there will be schema changes, are there any concerns with having the root DC’s be win2012R2 and the child domains win2008r2?
Thanks

Thanks for both answers. 
My main concern is the oddball 3rd party apps, some of which still run on win2003 servers.  Even if the vendor/developer confirm their apps are compatible with win2012 domain controllers, my internal programmers are still nervous.  It took me months to convince them it was ok to upgrade the domain & forest functional levels to win2008r2.
Again Thanks
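An added example, not code from the thread: a PowerShell inventory of the forest-wide schema version, the forest and domain functional levels, and every DC's operating system per domain. This is the state worth capturing before the first 2012 R2 root DC is promoted and again after, so that the schema change is visible and the child domains' 2008 R2 DCs can be confirmed untouched. It assumes the ActiveDirectory RSAT module and read access to each domain; the objectVersion-to-release table is Microsoft's published mapping.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (RSAT)
# is available and the caller can read every domain in the forest.
Import-Module ActiveDirectory

# Microsoft's published objectVersion of the Schema partition after each adprep /forestprep
$SchemaVersionNames = @{
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019 / 2022'
}

function Get-ForestSchemaState {
    # The schema is forest-wide: one version applies to the root and to both child domains alike,
    # which is why promoting a 2012 R2 root DC changes what the 2008 R2 child DCs replicate.
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE -Server $forest.SchemaMaster
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion -Server $forest.SchemaMaster
    $version = [int]$schema.objectVersion
    $level   = 'unknown'
    if ($SchemaVersionNames.ContainsKey($version)) { $level = $SchemaVersionNames[$version] }

    [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = $forest.ForestMode
        SchemaMaster  = $forest.SchemaMaster
        SchemaVersion = $version
        SchemaLevel   = $level
    }
}

function Get-ForestDcInventory {
    # Every DC in every domain with its OS and the domain's functional level,
    # so a mixed 2008 R2 / 2012 R2 forest is visible at a glance.
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        Get-ADDomainController -Filter * -Server $domainName | ForEach-Object {
            [pscustomobject]@{
                Domain          = $domainName
                DomainMode      = $domain.DomainMode
                DC              = $_.HostName
                OperatingSystem = $_.OperatingSystem
                IsGlobalCatalog = $_.IsGlobalCatalog
                Site            = $_.Site
            }
        }
    }
}

Get-ForestSchemaState | Format-List
Get-ForestDcInventory | Sort-Object Domain, DC | Format-Table -AutoSize
```

Running it before and after the first 2012 R2 promotion shows the SchemaVersion move (47 to 69) while the child domains' DomainMode and OS columns stay as they were.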

Similar Messages

  • Windows 2008 R2 domain controllers with Windows 2003 forest functional level Supported after Windows 2003 support ends in July 2015

    Hi
    Does anyone know whether Windows 2008 R2 domain controllers with a Windows 2003 forest functional level will still be supported after Windows 2003 support ends in July 2015?
    Thanks

    When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
    So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Cannot have multiple domain controllers with Essentials role in 2012 R2 Standard/Datacenter

    Microsoft's Technet post on deploying Essentials Role in an existing AD environment states the following:
    "The online service integration features only work when the server is a domain controller. Also, integration cannot be initiated if there are multiple domain controllers in the environment. The product team is investigating possible solutions."
    http://blogs.technet.com/b/sbs/archive/2013/10/28/enabling-multiple-instances-of-windows-server-essentials-experience-in-your-environment.aspx
    Microsoft Essentials Role product team, can you let us know when this will be fixed? I will not be installing Essentials as a Role if I cannot have multiple domain controllers.
    As soon as I add another domain controller the Essentials role no longer functions as designed.
    This is quite an oversight by your team. Can we have an ETA for a fix to this please?
    Here are more with the same issue:
    http://social.technet.microsoft.com/Forums/en-US/ed34abe9-6412-415d-950a-50c9675deb2e/unable-to-register-essentials-experience-role-with-microsoft-online-services?forum=2012R2EssentialsPreview

    Hi. We can't give an ETA. Most users here who help do not work for Microsoft (and if a Microsoft employee helps, then it's in their free time at home or during a break).
    Thus, for that reason, please call support to get a good answer on the ETA and whether it's planned or not. Be advised that the Essentials version replaced SBS, thus it targets small offices; such a limitation can stay for a long time IMO.
    Regards, Philippe

  • Two Domain Controllers with the Same Name

    So I was working on setting up our new branch office DC. Anyway, the server failed to join the domain the first time because it upgraded the AD schema (This was our first 2012 R2 server) and the schema wasn't synced to all the other remote offices. So I
    forced a sync, joined the server as a workstation, then made it a domain controller.
    Anyway, after that the server would show itself as a DC in Active Directory, but all the other servers believed it was just a workstation. So, I removed Active Directory from the server (I had to force the removal). I reset the computer account on the local
    DCs, then rejoined it to the domain and made it a domain controller again. This time, it appeared as a Domain Controller on the other DCs in the domain.
    Now for the issue --- I've now got two objects for the server under AD Sites and Services. One of them doesn't appear to have any AD DS connections. The other has connections, but not all of them work correctly (I get errors when I tell certain connections
    to sync).
    What should I do to fix this?
    I'm still in the setup phase of this, so I can do anything I want with this particular server. I was thinking I would demote from a Domain Controller, remove it from the domain. Then use ntdsutil to cleanup any other metadata that is hanging around in AD (Something
    like: https://support.microsoft.com/KB/216498?wa=wsignin1.0 )
    Does anyone else have suggestions on what I should do to fix this? --- I'm being overly cautious here as I do not want to mess anything up in Active Directory.
    Thanks!
     

    I have not done a metadata cleanup.... I was asking if I should.
    The connections on the valid server appeared to be working before I deleted them (Maybe it took a while to replicate ? )
    So I went through and deleted all the AD Sites and Services connections from both servers (The broken server had 5 connections to the same DC in another site). Anyway, I ran repadmin /kcc and it regenerated a connection to a server in the remote site, but
    it also generated a connection between the two servers with the same name. I ran dcdiag after I did the repadmin /kcc. Anyway it shows:
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = DC-01-CLE
    * Identified AD Forest.
    Done gathering initial info.
    Doing initial required tests
    Testing server: Cleveland\DC-01-CLE
    Starting test: Connectivity
    ......................... DC-01-CLE passed test Connectivity
    Testing server:
    Cleveland\DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e
    Starting test: Connectivity
    [DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e]
    DsBindWithSpnEx() failed with error 5,
    Access is denied..
    Got error while checking LDAP and RPC connectivity. Please check your
    firewall settings.
    DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e failed test
    Connectivity
    Doing primary tests
    Testing server: Cleveland\DC-01-CLE
    Starting test: Advertising
    ......................... DC-01-CLE passed test Advertising
    Starting test: FrsEvent
    ......................... DC-01-CLE passed test FrsEvent
    Starting test: DFSREvent
    ......................... DC-01-CLE passed test DFSREvent
    Starting test: SysVolCheck
    ......................... DC-01-CLE passed test SysVolCheck
    Starting test: KccEvent
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 09:58:02
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 09:58:02
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 09:58:02
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 09:58:11
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 09:58:11
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 09:58:11
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 10:03:37
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 10:03:37
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 12/15/2014 10:03:37
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    ......................... DC-01-CLE passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... DC-01-CLE passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ......................... DC-01-CLE passed test MachineAccount
    Starting test: NCSecDesc
    ......................... DC-01-CLE passed test NCSecDesc
    Starting test: NetLogons
    ......................... DC-01-CLE passed test NetLogons
    Starting test: ObjectsReplicated
    ......................... DC-01-CLE passed test ObjectsReplicated
    Starting test: Replications
    ......................... DC-01-CLE passed test Replications
    Starting test: RidManager
    ......................... DC-01-CLE passed test RidManager
    Starting test: Services
    ......................... DC-01-CLE passed test Services
    Starting test: SystemLog
    A warning event occurred. EventID: 0x00001795
    Time Generated: 12/15/2014 10:03:37
    Event String:
    The program lsass.exe, with the assigned process ID 600, could not authenticate locally by using the target name LDAP/a23a13d0-8434-4344-bd6b-24fdf5576329._msdcs.mydomain.local. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
    ......................... DC-01-CLE passed test SystemLog
    Starting test: VerifyReferences
    ......................... DC-01-CLE passed test VerifyReferences
    Testing server:
    Cleveland\DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e
    Skipping all tests, because server
    DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e is not responding to
    directory service requests.
    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation
    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation
    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Running partition tests on : mydomain
    Starting test: CheckSDRefDom
    ......................... mydomain passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... mydomain passed test CrossRefValidation
    Running enterprise tests on : mydomain.local
    Starting test: LocatorCheck
    ......................... mydomain.local passed test LocatorCheck
    Starting test: Intersite
    Doing intersite inbound replication test on site Cleveland:
    ......................... mydomain.local passed test Intersite
    I've attached a screenshot of AD Sites and Services. Please note I've erased some info for privacy reasons (The site the other DC is in has been erase as well as part of its name).
    Picture of AD Sites and Services
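An added example, not code from the thread: a PowerShell check that lists replication-conflict server and NTDS Settings objects under CN=Sites, which is what the "DC-01-CLE\0ACNF:&lt;guid&gt;" entry in the dcdiag output above is. Knowing which object is the conflict copy and when it was created is the input to the metadata cleanup the poster is considering. It assumes the ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# and read access to the Configuration naming context.
Import-Module ActiveDirectory

function Get-ConflictServerObjects {
    # When the same server object is created on two DCs before they replicate, AD keeps both
    # and renames the losing copy to "<name>\0ACNF:<objectGUID>" (an escaped line feed plus "CNF:").
    # That is the second "DC-01-CLE" entry dcdiag shows as not responding.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $sitesDn  = "CN=Sites,$configNc"

    Get-ADObject -SearchBase $sitesDn -LDAPFilter '(|(objectClass=server)(objectClass=nTDSDSA))' `
                 -Properties whenCreated, whenChanged, objectGUID |
        Where-Object { $_.DistinguishedName -match 'CNF:' } |
        ForEach-Object {
            # The site is the container directly above CN=Servers in the DN.
            $site = if ($_.DistinguishedName -match 'CN=Servers,CN=([^,]+),CN=Sites') { $Matches[1] } else { '?' }
            [pscustomobject]@{
                Name        = $_.Name
                Class       = $_.ObjectClass
                Site        = $site
                ObjectGuid  = $_.objectGUID
                WhenCreated = $_.whenCreated
                WhenChanged = $_.whenChanged
                DN          = $_.DistinguishedName
            }
        }
}

Get-ConflictServerObjects | Format-List
```

An empty result means no conflict objects remain in Sites and Services; a non-empty one identifies the stale copy to remove, leaving the server object whose NTDS Settings GUID the live DC advertises.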

  • DNS issues with replaced domain controllers

    I have slight issue I hope some one can help with.
    We recently replaced some domain controllers in our 2 core sites. The process we followed is as below:
    moved FSMO roles to different, already working servers
    demoted the old domain controllers and decommissioned them
    built virtual machine replacements with the same names
    dcpromo'd the servers
    ran all the tests and it reported everything was fine
    moved the FSMO roles to the new servers
    repeated this for the remaining servers
    This was our 2003 domain, to free up physical space; our new 2013 domain will exist separately until all our applications are tested.
    However, the problem we now have is that non-domain controllers have issues registering against the new servers despite being able to do look-ups against them all (replication testing looks fine). One of our regional DCs seems to have taken over as the primary replica, as changes made elsewhere disappeared but changes made there got replicated out perfectly.
    I have managed to resolve this particular issue by adding the domain controllers back into several locations in DNS manually (mainly forward lookup zones > my domain > _tcp), but we still experience the odd issue with servers not registering in DNS properly (although it's a lot better since I did the above).
    So basically, does anyone have an idea on what could have caused this issue and how I can resolve it?

    Should the demotion not automatically remove it from Sites and Services? (It could well be this if not.) The question then becomes how we resolve the issues we have now.
    Hello,
    No, as you can demote a DC and it still may run site-aware services like DFS, and for this reason a DC is NOT automatically removed from AD Sites and Services during the demotion process.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Allow log on through Remote Desktop Services Group Policy for Domain Controllers

    Hello,
    We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with Remote Desktop Services. This is not allowed by default, but according to many sites it should be possible to configure using a Group Policy.
    We made a new Group Policy with the settings 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this security group and should be able to access the Domain Controllers now. However, this isn't working.
    The error message we receive upon trying to connect:
    The connection was denied because the user account is not authorized for remote login.
    For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy but that doesn't seem to work either. We want to avoid customization on our Default Domain Controllers Policy but this was just a test case
    for solving our problem.
    What should we do to solve our problem?
    I hope to hear from you soon.
    Thanks in advance.

    Hi, I just found out what the problem was. This site helped me a lot:
    http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
    In my case, I had the group added to Allow Logon Through Remote Desktop Services but it was not added to the Builtin\Remote Desktop Users group. After learning this I made some changes to our situation and am now using the Builtin\Remote Desktop Users group rather than a new self-made Security Group. I also added Remote Desktop Users to Allow Logon Through Remote Desktop Services in the Default Domain Controllers Policy, as this is not done by default. By default only the Domain Administrators are able to log on through Remote Desktop Services.
    You do not need the 'Log on Locally' permission within the Group Policies.
    In short:
    Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
    Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
    Thank you anyway for the fast reply.
    Have a nice day!
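An added example, not code from the thread: a PowerShell check, run elevated on the domain controller in question, that tests both conditions the reply settles on for one account: membership of Builtin\Remote Desktop Users, and whether that account (directly or through a group) holds SeRemoteInteractiveLogonRight in the policy actually applied to the DC. It assumes the ActiveDirectory module is present on the DC; the account name 'helpdesk.operator' and the function names are placeholders of mine.

```powershell
# Added example, not code from the thread. Run elevated on the domain controller being tested;
# assumes the ActiveDirectory module is installed there. 'helpdesk.operator' is a placeholder.
Import-Module ActiveDirectory

function Get-RemoteInteractiveLogonHolders {
    # secedit exports the effective right as:  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    # The SIDs returned are the principals the applied policy lets through Remote Desktop.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }                      # right is granted to nobody at all
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-UserIsMember {
    param([string]$GroupSid, [System.Security.Principal.SecurityIdentifier]$UserSid)
    # On a DC the Builtin groups are domain objects, so nested membership resolves with the AD cmdlets.
    try { $group = Get-ADGroup -Identity $GroupSid } catch { return $false }   # a user SID or unresolvable: not a group
    $match = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.SID.Value -eq $UserSid.Value }
    return ($null -ne $match)
}

function Test-DcRdpLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user        = Get-ADUser -Identity $SamAccountName
    $rdpUsersSid = 'S-1-5-32-555'                       # Builtin\Remote Desktop Users

    # Condition 1 from the reply: the account must be in Builtin\Remote Desktop Users.
    $inRdpUsers = Test-UserIsMember -GroupSid $rdpUsersSid -UserSid $user.SID

    # Condition 2: the account, or a group it belongs to, must hold the logon right on this DC.
    $holders    = @(Get-RemoteInteractiveLogonHolders)
    $grantedVia = @($holders | Where-Object {
        $_ -eq $user.SID.Value -or (Test-UserIsMember -GroupSid $_ -UserSid $user.SID)
    })

    [pscustomobject]@{
        User                         = $user.SamAccountName
        DomainController             = $env:COMPUTERNAME
        InRemoteDesktopUsers         = $inRdpUsers
        RightHeldBy                  = $holders -join ', '
        RightGrantedToUserVia        = $grantedVia -join ', '
        RdpUsersGroupHoldsRight      = $holders -contains $rdpUsersSid
        CanLogOnThroughRemoteDesktop = $inRdpUsers -and ($grantedVia.Count -gt 0)
    }
}

Test-DcRdpLogon -SamAccountName 'helpdesk.operator' | Format-List
```

When InRemoteDesktopUsers is True but RightGrantedToUserVia is empty, the Default Domain Controllers Policy step is the one still missing; the reverse combination reproduces the "not authorized for remote login" error from the original question.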

  • Help with Powershell script to gather eventlogs from all Domain Controllers

    I am trying to write a script to grab the last 5 days of application, security and system logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computer variable has all of my DC's so it is querying fine. I
    assume it is an issue with my ForEach-Object line but it doesn't error out. See the script below.
    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
    ForEach-Object -InputObject $Computers  -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}
    Invoke-Expression $env:TEMP\Applicationlog.htm
    Thanks,
    Rich

    Also, you're missing the -ComputerName parameter in the Get-EventLog Cmdlet. 
    I would re-write the loop part of the script like this:
    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
    foreach ($Computer in $Computers) {
        # -ComputerName makes the query remote; HostName is the DC's FQDN from Get-ADDomainController
        Get-EventLog -ComputerName $Computer.HostName -LogName $log -After $then -Before $now -EntryType Error |
        select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File .\Applicationlog.htm -append
    }
    Invoke-Expression .\Applicationlog.htm
    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)
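An added example, not the thread's own script: the same collection done with Get-WinEvent, covering the Application, Security and System logs the question asks for on every DC for the last 5 days, written as one HTML report in which a DC that could not be queried shows up as a row rather than silently dropping out. It assumes the ActiveDirectory module and remote event log read rights on the DCs; the function name and report path are mine.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module and the rights to read
# event logs remotely on each DC (Event Log Readers or equivalent; RPC/Remote Event Log firewall rules open).
Import-Module ActiveDirectory

function Get-DcErrorEvents {
    param(
        [int]$Days = 5,
        [string]$ReportPath = (Join-Path $env:TEMP 'DcErrors.htm')
    )

    $now  = Get-Date
    $then = $now.AddDays(-$Days)

    # Level 2 = Error. The Security log holds no Error-level entries; failed audits there carry the
    # AuditFailure keyword (0x10000000000000), so Security is selected by Keywords instead of Level.
    $filters = @(
        @{ LogName = 'Application', 'System'; Level = 2; StartTime = $then; EndTime = $now }
        @{ LogName = 'Security'; Keywords = 0x10000000000000; StartTime = $then; EndTime = $now }
    )

    $events = foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($filter in $filters) {
            try {
                Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
                    Select-Object MachineName, LogName, Id, ProviderName, TimeCreated, Message
            } catch {
                # Get-WinEvent errors both when nothing matched and when the host is unreachable;
                # only the second case is worth a row in the report.
                if ($_.Exception.Message -notmatch 'No events were found') {
                    [pscustomobject]@{
                        MachineName  = $dc.HostName
                        LogName      = ($filter.LogName -join ',')
                        Id           = $null
                        ProviderName = 'COLLECTOR'
                        TimeCreated  = $now
                        Message      = "Query failed: $($_.Exception.Message)"
                    }
                }
            }
        }
    }

    $events | Sort-Object TimeCreated -Descending |
        ConvertTo-Html -Title "DC errors, last $Days days" -PreContent "<h1>Domain controller errors since $then</h1>" |
        Out-File $ReportPath -Encoding UTF8
    return $ReportPath
}

$report = Get-DcErrorEvents -Days 5
Invoke-Item $report   # opens the report with the default browser, instead of Invoke-Expression on a file path
```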

  • Using Windows 8.1 With Older Domain Controllers

    Is there any document that would specify the types of incompatibility we might expect when using Windows 8.1 with older domain controllers, either Windows 2000 or Windows 2003?
    I assume at minimum that these older domain controllers would not have group policies that are able to support the full security policy feature set of Windows 8.1? For such cases, how do we configure security policy on those 8.1 domain member computers? Would we use LocalGPO.wsf to import a local security policy, then join the computer to the domain to override just the settings that are supported by the domain controller and Windows 8.1 in common?
    Will

    Hi,
    You could refer to the guide below to complete your migration process:
    Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2
    http://blogs.technet.com/b/canitpro/archive/2014/04/02/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Meanwhile, about the details of how to migrate the domain controller, I would like to suggest you consult the Windows Server Forum for more professional help:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
    Karen Hu
    TechNet Community Support

  • Announcing the availability of enabling Windows Server 2012 R2 Essentials' integration of Microsoft online services in environments with multiple domain controllers

    In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due to limitations in the user account and password synchronization mechanism in Windows Server Essentials.
    I am happy to announce that with the recent Windows August Update released on (8/12/2014, PST), this limitation has been removed. This update adds support for both Azure Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server.
    For more information, please go to
    http://support.microsoft.com/kb/2974308

    Hi JoeBeck,
    Thanks for the comment. Could you please tell which link you clicked to download?
    Please go to PinPoint check details and start download
    http://pinpoint.microsoft.com/en-US/applications/Dynamics-CRM-Online-Add-in-12884966386
    Thanks,
    Shanghai Wicresoft

  • Essentials 2012 R2 Exchange Integration with Multiple Domain Controllers

    Attempting to integrate Exchange Server 2012 with the Essentials wizard results in the error message: "This task must be performed on the domain controller." I've found several threads that speculate this is because there are multiple domain controllers
    in the domain. Is there a workaround or patch available to resolve this issue? Why wouldn't Microsoft want the redundancy of multiple DCs?
    Thanks.

    Hi HartmannTek,
    I agree with Robert.
    We can get the following information from the article:
    Services Integration Overview for Windows Server 2012 R2 Essentials - Part 1. Please refer to.
    Currently, the Services Integration features, including Windows Azure Active Directory integration, Office 365 integration, Windows Intune integration, and on-premises Exchange integration, are only supported in a single domain controller environment. In addition, the integration wizard must be run on a domain controller.
    Hope this helps.
    Best regards,
    Justin Gu

  • I am replacing a Domain Controller (Windows 2003 Server) with a 2012 box. Can I have the Certificate authority exist in both locations during the process?

    Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully? Will it impact the users in any way or cause problems?

    > Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully?
    No. You have to uninstall the CA role before you uninstall the Domain Controller role from the existing server.
    This is why it is not recommended to keep the CA role on domain controllers.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

  • Clustering Configuration with Primary & Secondary Domain Controllers

    Hello.
    I am trying to configure Failover Clustering on my Server 2012 computers.
    I have a primary domain, as well as a secondary domain.
    We will call them dc1.domain.com and dc2.domain.com.
    I have Failover Clustering Manager installed on both servers.
    Upon adding them both to the Create A Cluster Wizard, I receive the following error message on my report.
    (My account is fairly new, so it will not let me attach an image, but I assure you, it is safe)
    s14.postimg.org/lssjm2vu9/Screenshot_1.png

    More than trying to avoid clustering domain controllers, you simply cannot do it.  Active Directory has high availability built into it.  It is known as multimaster, meaning there are no primary and secondary domain controllers.  All are 'masters', meaning you can make changes on any domain controller and the change will be replicated to the other DCs.
    If you only have two physical servers and you want to cluster them, you will first need to install the Hyper-V role on the servers (it is not recommended to install both Hyper-V and Domain Controller on the same box, so we will get this fixed).  Once
    you have Hyper-V installed, build a VM on each server, join them to the domain, and promote them to domain controllers.  On one of the VMs, seize the FSMO roles from the FSMO master.  Then demote the physical hosts from being domain controllers. 
    You can now form a cluster of the two physical servers.
    . : | : . : | : . tim

  • Upgrade to Server 2012 R2 domain controllers from 2003

    I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
    We had two Server 2003 domain controllers and one of them was failing.  I raised the forest functional level of our old primary domain controllers to 2003.  I built the first replacement Server 2012 R2 domain controller.  Added the AD DS roles
    and promoted it as a domain controller.  I let it sit for a couple days.  The FSMO roles were currently being handled by our other 2003 domain controller.  Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing
    server and demoted it.  Once demoted I shut it down and pulled it out of the rack.  I then built our second 2012 R2 server and gave it the same IP as the failing one.  Installed the AD DS roles and integrated DNS as prompted by the wizard. 
    I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master.  Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network.  I then demoted
    the first new controller (DC03) changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again.  I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in,
    just not a second subnet that is through a hardware firewall.  I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
    Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\username>dcdiag /v /test:dns
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine WGDDC01, is a Directory Server.
       Home Server = WGDDC01
       * Connecting to directory service on server WGDDC01.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
    AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
    ,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
    AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
    Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
    Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\WGDDC01
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... WGDDC01 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\WGDDC01
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... WGDDC01 failed test DNS
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : wgd
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running enterprise tests on : wgd.inet
          Starting test: DNS
             Test results for domain controllers:
                DC: WGDDC01.wgd.inet
                Domain: wgd.inet
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                   TEST: Basic (Basc)
                      The OS
                      Microsoft Windows Server 2012 R2 Standard (Service Pack level:
     0.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
                         MAC address is B0:83:FE:C1:98:07
                         IP Address is static
                         IP address: 10.240.1.23
                         DNS servers:
                            10.240.1.23 (WGDDC01) [Valid]
                            10.240.1.24 (WGDDC02) [Valid]
                            127.0.0.1 (WGDDC01) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
                      [Error details: 5 (Type: Win32 - Description: Access is denied
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 10.240.1.23 (WGDDC01)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
                DNS server: 10.240.1.24 (WGDDC02)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
             Summary of DNS test results:
                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: wgd.inet
                   WGDDC01                      PASS WARN n/a  n/a  n/a  n/a  n/a
             ......................... wgd.inet passed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC01
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter WGD_INET:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.23
                                           10.240.1.24
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    When I try to bind a machine to the domain I get an error message that says "
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
    The error was: "This operation returned because the timeout period expired."
    (error code 0x000005B4 ERROR_TIMEOUT)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
    The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
    10.240.1.24
    10.240.1.23
    Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
    Please let me know if I'm missing something or if there are other things I can check.
    Thanks!
    I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as soon as our vendor supports their software to run on Windows 7.

    We now have two 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the domain connecting to the two new domain controllers, but the client machine that is trying to bind gives an error: An Active Directory Domain Controller for the domain wgd.inet could not be contacted. It seems that this is just a DNS issue for one particular subnet (10.240.2.0/24). This subnet is set up in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
    When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out.  The route is there and I can watch it connect through our hardware firewall over port 53.
    DC01
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\dsmythe>netdom query fsmo
    Schema master               WGDDC01.wgd.inet
    Domain naming master        WGDDC01.wgd.inet
    PDC                         WGDDC01.wgd.inet
    RID pool manager            WGDDC01.wgd.inet
    Infrastructure master       WGDDC01.wgd.inet
    The command completed successfully.
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC01
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter WGD_INET:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.23
                                           10.240.1.24
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\dsmythe>
    DC02
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\dsmythe>netdom query fsmo
    Schema master               WGDDC01.wgd.inet
    Domain naming master        WGDDC01.wgd.inet
    PDC                         WGDDC01.wgd.inet
    RID pool manager            WGDDC01.wgd.inet
    Infrastructure master       WGDDC01.wgd.inet
    The command completed successfully.
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC02
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter NIC1:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.24
                                           10.240.1.23
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\dsmythe>

  • Fetch client IP addresses from the Netlogon.log file of all domain controllers in the domain

    Hi,
    The event ID 5807 is logged in the system logs of domain controllers as a result of which the IP addresses for the missing subnets are logged in Netlogon.log under %systemroot%/debug. The end goal is to fetch the IP addresses along with rest of the respective
    attributes from the Netlogon.log for all the domain controllers in the domain. I have the following script however, it gives me a 0KB file despite the fact that the Netlogon.log on the DC contains ample entries from last two months. 
    function GetDomainControllers {
        $DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
        return $DCs
    }
    function GetNetLogonFile ($server) {
        $path= '\\' + $server + '\c$\windows\debug\netlogon.log'
        try {$netlogon=get-content -Path $path -ErrorAction stop}
        catch { Write-Warning "Can't open $path"; return @() }
        #reverse the array's order so the newest entries come first
        [array]::Reverse($netlogon)
        $IPs=@()
        foreach ($line in $netlogon) {
            #skip blank or malformed lines, which would otherwise break the [int] cast below
            if ($line -notmatch '^\d{2}/\d{2} ') { continue }
            #split the line into pieces using a space as the delimiter
            $splitline=$line.Trim().split(' ')
            #Get the date stamp which is in the mm/dd format
            $logdate=$splitline[0]
            #split the date
            $logdatesplit=($logdate.split('/'))
            [int]$logmonth=$logdatesplit[0]
            #last month and this month
            if (($logmonth -eq $thismonth) -or ($logmonth -eq $lastmonth)) {
                #a NO_CLIENT_SITE line ends with "<computername> <IP>": in the default log format
                #the IP is field 4, not 5, so take the last two fields instead of a fixed index
                #(this also works when debug tags such as [MISC] [PID] are present)
                if ($splitline[-1] -match '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'){
                    $objuser = new-object system.object
                    $objuser | add-member -type NoteProperty -name IPaddress -value $splitline[-1]
                    $objuser | add-member -type NoteProperty -name Computername -value $splitline[-2]
                    $objuser | add-member -type NoteProperty -name Server -value $server
                    $objuser | add-member -type NoteProperty -name Date -value $splitline[0]
                    $objuser | add-member -type NoteProperty -name Time -value $splitline[1]
                    $IPs+=$objuser
                }
            } else {
                #break out of loop if the date is not this month or last month
                break
            }
        }
        return $IPs
    }
    #Get last month's date
    $thismonth=(get-date).month
    $lastmonth=((get-date).addmonths(-1)).month
    #get all the domain controllers
    $DomainControllers=GetDomainControllers
    #Get the Netlogon.log from each DC
    $allIPs=@()
    Foreach ($DomainController in $DomainControllers) {
        $IPsFromDC=GetNetLogonFile($DomainController)
        #a DC with no matching lines returns nothing; appending $null would add an empty row
        if ($IPsFromDC) { $allIPs+=$IPsFromDC }
    }
    $allIPs | Sort-Object -Property IPaddress -Unique | Export-Csv "E:\bin\NetlogonIPs.csv" -NoTypeInformation
    PLEASE HELP!!

    Hi jrv,
    Thanks a lot for your help.
    I understand you cannot keep on iterating the code for me. However, I am stuck at this error :-
    ERROR : Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."
    After the following code finishes executing, I get the following output :-
    $csv=cat c:\windows\debug\netlogon.log |
    %{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}|
    ConvertFrom-Csv -Delimiter '|' -header time,message
    time           message
    04/14 01:18:45 NO_CLIENT_SITE: ServerX 10.x.x.x
    04/14 01:17:45 NO_CLIENT_SITE: ServerY 10.x.x.x
    04/14 01:17:44 NO_CLIENT_SITE: ServerY 10.x.x.x
    04/14 01:17:43 NO_CLIENT_SITE: ServerX 10.x.x.x
    However, I get the above mentioned error at the following line :-
    $csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
    I would later want to run the query just for logs from past day.
    Entire code is as follows :-
    function GetDomainControllers {
        $DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
        return $DCs
    }
    function GetNetLogonFile ($server) {
        $path= 'C:\Test\netlogon.log'
        try {$netlogon=get-content -Path $path -ErrorAction stop}
        catch { Write-Warning "Can't open $path"; return }
        #reverse the array's order so the newest entries come first
        [array]::Reverse($netlogon)
        #convert the whole file once (not once per line) and keep the objects in $csv;
        #piping to Out-GridView would display them but leave $csv empty
        $csv= $netlogon | Where-Object { $_.Length -gt 15 } |
            %{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)} |
            ConvertFrom-Csv -Delimiter '|' -header time,message
        #the log carries no year, so prepend the current one and parse with a fixed pattern and
        #the invariant culture; [datetime]::Parse depends on the machine's locale and throws
        #"String was not recognized as a valid DateTime" for mm/dd input on dd/mm systems
        $csv | %{$_.time=[datetime]::ParseExact(('{0}/{1}' -f (Get-Date).Year,$_.time),'yyyy/MM/dd HH:mm:ss',[Globalization.CultureInfo]::InvariantCulture)}
        return $csv
    }
    #get all the domain controllers
    $DomainControllers=GetDomainControllers
    #Get the Netlogon.log from each DC, keeping only the last day's entries
    Foreach ($DomainController in $DomainControllers) {
        GetNetLogonFile($DomainController) | Where-Object { $_.time -gt (Get-Date).AddDays(-1) }
    }
    Please help!! Any help will be highly appreciated.
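An added example, not code from either poster, covering what both posts above are trying to do: it parses NO_CLIENT_SITE lines in the format shown, parses the timestamp independently of the machine's locale (the usual reason [datetime]::Parse rejects mm/dd input), restores the missing year, and summarises the unsited client IPs per /24 so the subnets can be added in AD Sites and Services. The sample lines, the -Days window and the year rollback are my assumptions; the pattern also accepts the tagged [MISC] [PID] layout Netlogon writes when debug logging is enabled.

```powershell
# Added example (not the posters' script). Sample lines below are constructed;
# the real file is \\<DC>\c$\Windows\debug\netlogon.log on each domain controller.
$sampleLog = @'
04/14 01:17:43 NO_CLIENT_SITE: ServerX 10.240.2.15
04/14 01:17:44 [MISC] [1234] NO_CLIENT_SITE: ServerY 10.240.2.16
04/14 01:18:45 NO_CLIENT_SITE: ServerX 10.240.2.15
03/30 09:00:00 NO_CLIENT_SITE: OldBox 10.240.9.7
'@ -split "`r?`n"

function ConvertFrom-NetlogonLine {
    param([string]$Line, [string]$Server, [int]$Year = (Get-Date).Year)
    # Layout: "MM/dd HH:mm:ss [optional debug tags] NO_CLIENT_SITE: <client> <ip>"
    $m = [regex]::Match($Line,
        '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$')
    if (-not $m.Success) { return }
    # ParseExact with a fixed pattern and the invariant culture does not depend on
    # the locale, unlike [datetime]::Parse().
    $ts = [datetime]::ParseExact("$Year/$($m.Groups['ts'].Value)", 'yyyy/MM/dd HH:mm:ss',
        [System.Globalization.CultureInfo]::InvariantCulture)
    # Netlogon.log has no year column; a stamp in the future was written last year (assumption).
    if ($ts -gt (Get-Date)) { $ts = $ts.AddYears(-1) }
    [pscustomobject]@{
        Time         = $ts
        Computername = $m.Groups['host'].Value
        IPaddress    = $m.Groups['ip'].Value
        Server       = $Server
    }
}

function Get-MissingSubnetReport {
    # One row per /24 that has clients with no matching AD subnet in the last $Days days.
    param([string[]]$Lines, [string]$Server, [int]$Days = 60)
    $since = (Get-Date).AddDays(-$Days)
    $Lines | ForEach-Object { ConvertFrom-NetlogonLine -Line $_ -Server $Server } |
        Where-Object { $_.Time -ge $since } |
        Group-Object { ($_.IPaddress -split '\.')[0..2] -join '.' } |
        ForEach-Object {
            [pscustomobject]@{
                Subnet   = "$($_.Name).0/24"
                Clients  = ($_.Group.IPaddress | Sort-Object -Unique) -join ', '
                LastSeen = $_.Group.Time | Sort-Object -Descending | Select-Object -First 1
                LoggedBy = $Server
            }
        }
}

# Run against the constructed sample; for real use feed Get-Content of each DC's log
# and a -Days window that matches how far back you want to look.
Get-MissingSubnetReport -Lines $sampleLog -Server 'WGDDC01' -Days 365 | Format-Table -AutoSize
```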

  • Replace WS2003 domain controller for WS2012 domain controller

    Hi, I think that is a common problem but I haven't found anything exactly like this, only something similar, but I have a lot of doubts yet.
    The thing is that I have a network with two domain controllers:
    WS2003     - 192.168.0.1, who is the first domain controller I created and is also a file sharing server
    WS2008R2 - 192.168.0.8, who is a  new domain controller I added one year ago.
    Now, I want to replace the first one, keeping the second one.
    I am thinking of removing the first one and replacing it with a new machine (WS2012) with the same IP and host name. I need the same host name because clients are pointing to it to get the shared files.
    My main fear is that clients get some error related with trust relationship and I will have to rejoin them one by one to the domain.
    As I have another domain controller, will the global catalog of the new machine be synchronized automatically with the WS2008R2 domain controller?
    Do I need to demote the old domain controller before add the new one?
    Thanks a lot

    Hi Tomas,
    As pointed out by Burakm, you should have an additional file server and should avoid using a domain controller, which has privileged access, to share files. This puts you at a security risk.
    Regarding the requirement of old host name:
    Here is something that would let you keep a different servername and IP, yet allow your users to connect to the old hostname and access the share. Use CNAME records of old server to point it to the new hostname.
    How to Configure Windows Machine to Allow File Sharing with DNS Alias
    You might also look for Distributed File System Shares.
    http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
    NOTE- You can't run in-place upgrade of a 2003 to 2012 DC.
    Regards,
    Satyajit
    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.
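An added example, not from the thread, of the CNAME approach Satyajit describes: it aliases the retired server's name to a separate file server (so shares leave the domain controller) and registers the SPNs the alias needs for Kerberos. Host, zone, DC and share names are constructed placeholders; it assumes AD-integrated DNS, the DnsServer RSAT module, and rights to edit the zone and the new server's computer account.

```powershell
# Added example (not the thread's own code). Keep the old server's name alive as an
# alias of the new file server so clients need no reconfiguration, without reusing
# its IP address or hosting shares on a domain controller.
$Zone      = 'corp.example'   # placeholder for the AD domain DNS zone
$OldName   = 'OLDFS'          # placeholder for the retired WS2003 host name
$NewServer = 'NEWFS'          # placeholder for the WS2012 file server
$DnsServer = 'DC2'            # placeholder for a DC that hosts the zone

# 1. Remove the retired host's A record: a CNAME cannot coexist with it, and a
#    stale A record would keep sending clients to an address nobody answers on.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $OldName -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Force

# 2. Point the old name at the new host.
Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $Zone -Name $OldName -HostNameAlias "$NewServer.$Zone"

# 3. Register SPNs for the alias on the new server's computer account. Without
#    them the KDC cannot issue a ticket for cifs/OLDFS, so clients either fall
#    back to NTLM or fail to connect. -S refuses to create a duplicate SPN.
foreach ($spn in "HOST/$OldName", "HOST/$OldName.$Zone", "CIFS/$OldName", "CIFS/$OldName.$Zone") {
    setspn -S $spn $NewServer
}

# 4. On the new server, let the SMB service accept a name that is not its own.
Invoke-Command -ComputerName $NewServer -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name DisableStrictNameChecking -Value 1 -Type DWord
    Restart-Service LanmanServer -Force
}

# 5. Check from a domain member: the alias resolves, the share opens, and the
#    ticket cache shows a Kerberos ticket for the alias rather than an NTLM fallback.
Resolve-DnsName -Name "$OldName.$Zone" -Type CNAME
Test-Path "\\$OldName\share"   # 'share' is a placeholder for a share on the new server
klist | Select-String "cifs/$OldName"
```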
