Replace win2008r2 domain controllers with win2012r2
My environment: single Win2008 R2 forest w/ 3 Win2008 R2 domains.
I need to replace the 2 root domain controllers (which also run DNS & WINS) with new hardware and was considering installing them as Win2012 R2.
I have no plans to upgrade the DCs in the 2 Win2008 R2 child domains.
Since there will be schema changes, are there any concerns with having the root DCs be Win2012 R2 and the child domains Win2008 R2?
Thanks
Thanks for both answers.
My main concern is the oddball 3rd-party apps, some of which still run on Win2003 servers. Even if the vendor/developer confirms their apps are compatible with Win2012 domain controllers, my internal programmers are still nervous. It took me months to convince them it was OK to upgrade the domain & forest functional levels to Win2008 R2.
Again, thanks.
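Before the first 2012 R2 DC is promoted into a forest like the one described above, the things worth knowing are the current schema version, the functional levels, which DCs will have to coexist with the raised schema, and who currently sits in Schema Admins (promotion runs adprep under that account). The script below is an added example, not part of the original thread or of any Microsoft tool; it assumes the RSAT ActiveDirectory module and read access to the schema and configuration partitions, and the objectVersion table holds the values Microsoft documents for each release.

```powershell
# Added example, not from the original thread: pre-flight check before the first
# Windows Server 2012 R2 DC is promoted into an existing 2008 R2 forest.
# Assumes the ActiveDirectory module (RSAT) and an account that can read the
# schema and configuration partitions of the forest root.
Import-Module ActiveDirectory

# Schema objectVersion values Microsoft documents for each Windows Server release
$SchemaVersions = @{
    30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012';    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016';    88 = 'Windows Server 2019'
}

function Get-ForestUpgradeReadiness {
    [CmdletBinding()]
    param([int]$TargetSchemaVersion = 69)   # 69 = the version adprep for 2012 R2 sets

    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $forest  = Get-ADForest

    # Every DC in every domain, with its OS. adprep only raises the schema; it is
    # these down-level DCs that will replicate and serve the new attributes.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Select-Object HostName, Domain, Site, OperatingSystem, IsGlobalCatalog
    }

    # adprep runs automatically during promotion, under an account that must be in
    # Schema Admins and Enterprise Admins; list who holds that membership today.
    $schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
        Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        SchemaVersion      = $schema.objectVersion
        SchemaDescribedAs  = $SchemaVersions[[int]$schema.objectVersion]
        SchemaNeedsUpdate  = $schema.objectVersion -lt $TargetSchemaVersion
        ForestMode         = $forest.ForestMode
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        DomainModes        = ($forest.Domains | ForEach-Object {
                                 $d = Get-ADDomain -Identity $_
                                 '{0}={1}' -f $d.DNSRoot, $d.DomainMode }) -join '; '
        SchemaAdmins       = $schemaAdmins -join ', '
        DownLevelDCs       = @($dcs | Where-Object { $_.OperatingSystem -notlike '*2012 R2*' })
    }
}

$readiness = Get-ForestUpgradeReadiness
$readiness | Format-List SchemaVersion, SchemaDescribedAs, SchemaNeedsUpdate, ForestMode, SchemaMaster, DomainNamingMaster, DomainModes, SchemaAdmins
$readiness.DownLevelDCs | Format-Table -AutoSize
```

DownLevelDCs is the list that matters for the question above: those are the 2008 R2 DCs in the child domains that will keep running against the raised schema. Run the check from the forest root, because Schema Admins only exists there, and remove the promoting account from Schema Admins again once the first 2012 R2 DC is in, since that membership is what lets an account rewrite the schema for the whole forest.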
Similar Messages
-
Hi
Does anyone know whether Windows 2008 R2 domain controllers with the Windows 2003 forest functional level will still be supported after Windows 2003 support ends in July 2015?
Thanks
When Windows Server 2003 support ends, you should not have a Windows Server 2003 domain controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
So, if you are keeping the Windows Server 2003 FFL to keep DCs running Windows Server 2003, then this is not supported.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
-
Cannot have multiple domain controllers with Essentials role in 2012 R2 Standard/Datacenter
Microsoft's Technet post on deploying Essentials Role in an existing AD environment states the following:
"The online service integration features only work when the server is a domain controller. Also, integration cannot be initiated if there are multiple domain controllers in the environment. The product team is investigating possible solutions."
http://blogs.technet.com/b/sbs/archive/2013/10/28/enabling-multiple-instances-of-windows-server-essentials-experience-in-your-environment.aspx
Microsoft Essentials Role product team, can you let us know when this will be fixed? I will not be installing Essentials as a Role if I cannot have multiple domain controllers.
As soon as I add another domain controller the Essentials role no longer functions as designed.
This is quite an oversight by your team. Can we have an ETA for a fix to this please?
Here are more with the same issue:
http://social.technet.microsoft.com/Forums/en-US/ed34abe9-6412-415d-950a-50c9675deb2e/unable-to-register-essentials-experience-role-with-microsoft-online-services?forum=2012R2EssentialsPreview
Hi. We can't give an ETA. Most users here who help do not work for Microsoft (and if a Microsoft employee helps, it's on their free time at home or during a break).
Thus, for that reason, please call support to get a good answer on the ETA and whether it's planned or not. Be advised that the Essentials version replaced SBS, so it targets small offices; such a limitation can stay for a long time IMO.
Regards, Philippe -
Two Domain Controllers with the Same Name
So I was working on setting up our new branch office DC. Anyway, the server failed to join the domain the first time because it upgraded the AD schema (this was our first 2012 R2 server) and the schema wasn't synced to all the other remote offices. So I forced a sync, joined the server as a workstation, then made it a domain controller.
Anyway, after that the server would show itself as a DC in Active Directory, but all the other servers believed it was just a workstation. So, I removed Active Directory from the server (I had to force the removal). I reset the computer account on the local DCs, then rejoined it to the domain and made it a domain controller again. This time, it appeared as a domain controller on the other DCs in the domain.
Now for the issue --- I've now got two objects for the server under AD Sites and Services. One of them doesn't appear to have any AD DS connections. The other has connections, but not all of them work correctly (I get errors when I tell certain connections to sync).
What should I do to fix this?
I'm still in the setup phase of this, so I can do anything I want with this particular server. I was thinking I would demote it from a domain controller and remove it from the domain, then use ntdsutil to clean up any other metadata that is hanging around in AD (something like: https://support.microsoft.com/KB/216498?wa=wsignin1.0 ).
Does anyone else have suggestions on what I should do to fix this? --- I'm being overly cautious here as I do not want to mess anything up in Active Directory.
Thanks!
I have not done a metadata cleanup.... I was asking if I should.
The connections on the valid server appeared to be working before I deleted them (Maybe it took a while to replicate ? )
So I went through and deleted all the AD Sites and Services connections from both servers (the broken server had 5 connections to the same DC in another site). Anyway, I ran repadmin /kcc and it regenerated a connection to a server in the remote site, but it also generated a connection between the two servers with the same name. I ran dcdiag after I did the repadmin /kcc. Anyway, it shows:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC-01-CLE
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Cleveland\DC-01-CLE
Starting test: Connectivity
......................... DC-01-CLE passed test Connectivity
Testing server:
Cleveland\DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e
Starting test: Connectivity
[DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e]
DsBindWithSpnEx() failed with error 5,
Access is denied..
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e failed test
Connectivity
Doing primary tests
Testing server: Cleveland\DC-01-CLE
Starting test: Advertising
......................... DC-01-CLE passed test Advertising
Starting test: FrsEvent
......................... DC-01-CLE passed test FrsEvent
Starting test: DFSREvent
......................... DC-01-CLE passed test DFSREvent
Starting test: SysVolCheck
......................... DC-01-CLE passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 09:58:02
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 09:58:02
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 09:58:02
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 09:58:11
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 09:58:11
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 09:58:11
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 10:03:37
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 10:03:37
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 12/15/2014 10:03:37
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
......................... DC-01-CLE passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-01-CLE passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-01-CLE passed test MachineAccount
Starting test: NCSecDesc
......................... DC-01-CLE passed test NCSecDesc
Starting test: NetLogons
......................... DC-01-CLE passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-01-CLE passed test ObjectsReplicated
Starting test: Replications
......................... DC-01-CLE passed test Replications
Starting test: RidManager
......................... DC-01-CLE passed test RidManager
Starting test: Services
......................... DC-01-CLE passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00001795
Time Generated: 12/15/2014 10:03:37
Event String:
The program lsass.exe, with the assigned process ID 600, could not authenticate locally by using the target name LDAP/a23a13d0-8434-4344-bd6b-24fdf5576329._msdcs.mydomain.local. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
......................... DC-01-CLE passed test SystemLog
Starting test: VerifyReferences
......................... DC-01-CLE passed test VerifyReferences
Testing server:
Cleveland\DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e
Skipping all tests, because server
DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e is not responding to
directory service requests.
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : mydomain
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... mydomain passed test CrossRefValidation
Running enterprise tests on : mydomain.local
Starting test: LocatorCheck
......................... mydomain.local passed test LocatorCheck
Starting test: Intersite
Doing intersite inbound replication test on site Cleveland:
......................... mydomain.local passed test Intersite
I've attached a screenshot of AD Sites and Services. Please note I've erased some info for privacy reasons (The site the other DC is in has been erase as well as part of its name).
Picture of AD Sites and Services -
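The second object in the dcdiag output above carries the suffix \0ACNF:<guid>, which is how AD renames an object that collided with another of the same name during replication (the \0A is a literal line feed). The script below is an added example, not from the original thread: it finds such conflict objects under CN=Sites, where a DC promoted twice under the same name leaves a duplicate server or NTDS Settings object, and reports them rather than deleting anything. The sample objects are constructed from the names in the post; the live query needs the ActiveDirectory module.

```powershell
# Added example, not from the original thread. Finds AD "conflict" objects
# (renamed to <name>\0ACNF:<guid> after a replication collision) under the Sites
# container and reports them; removal stays a metadata cleanup decision.
# The sample objects below are constructed; the live query needs the
# ActiveDirectory module and read access to the configuration partition.

function Find-ConflictObjects {
    param([Parameter(Mandatory)][object[]]$Objects)
    # The conflict marker is the literal line-feed character followed by "CNF:".
    $pattern = "^(?<orig>.+)`nCNF:(?<guid>[0-9a-fA-F-]{36})$"
    foreach ($o in $Objects) {
        if ($o.Name -match $pattern) {
            [pscustomobject]@{
                OriginalName      = $Matches['orig']
                ConflictGuid      = $Matches['guid']
                ObjectClass       = $o.ObjectClass
                DistinguishedName = $o.DistinguishedName
            }
        }
    }
}

function Get-SitesConflictObjects {
    # Live query: every server and nTDSDSA object under CN=Sites whose name carries CNF:
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$cfg" -SearchScope Subtree `
        -LDAPFilter '(&(|(objectClass=server)(objectClass=nTDSDSA))(name=*CNF:*))' `
        -Properties whenCreated, whenChanged
}

# Constructed sample mirroring the two server objects the dcdiag output implies
$lf = "`n"
$sample = @(
    [pscustomobject]@{ Name = 'DC-01-CLE'; ObjectClass = 'server'
        DistinguishedName = 'CN=DC-01-CLE,CN=Servers,CN=Cleveland,CN=Sites,CN=Configuration,DC=mydomain,DC=local' }
    [pscustomobject]@{ Name = "DC-01-CLE${lf}CNF:203cf49f-8cb3-4915-b122-be31ddd6e10e"; ObjectClass = 'server'
        DistinguishedName = 'CN=DC-01-CLE\0ACNF:203cf49f-8cb3-4915-b122-be31ddd6e10e,CN=Servers,CN=Cleveland,CN=Sites,CN=Configuration,DC=mydomain,DC=local' }
)

$conflicts = Find-ConflictObjects -Objects $sample
# For the live directory use: Find-ConflictObjects -Objects (Get-SitesConflictObjects)
$conflicts | Format-List

foreach ($c in $conflicts) {
    # Report only; confirm which copy is stale from its replication metadata first
    "Conflict copy of '{0}' ({1}). Inspect it with:`n  repadmin /showobjmeta * `"{2}`"" -f $c.OriginalName, $c.ObjectClass, $c.DistinguishedName
}
```

The copy whose NTDS Settings object no DC answers for (dcdiag's "not responding to directory service requests" above) is the one to remove through metadata cleanup; the GUID-based name in the lsass warning (LDAP/<guid>._msdcs...) is the DSA GUID of that stale object, so the two can be matched before anything is deleted.
-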
DNS issues with replaced domain controllers
I have slight issue I hope some one can help with.
We recently replaced some domain controllers in our 2 core sites. The process we followed is as below:
moved FSMO roles to different, already working servers
demoted the old domain controllers and decommissioned them
built virtual machine replacements with the same names
dcpromo'd the servers
ran all the tests, and it reported everything was fine
moved the FSMO roles to the new servers
repeated this for the remaining servers
This was our 2003 domain, to free up physical space, but our new 2013 domain will exist separately until all our applications are tested.
However, the problem we now have is that non-domain controllers have issues registering against the new servers despite being able to do look-ups against them all (replication testing looks fine). One of our regional DCs seems to have taken over as the primary replica, as changes made elsewhere disappeared but changes made there got replicated out perfectly.
I have managed to resolve this particular issue by adding the domain controllers back into several locations in DNS manually (mainly Forward Lookup Zones > my domain > _tcp), but we still experience the odd issue with servers not registering in DNS properly (although it's a lot better since I did the above).
So basically, does anyone have an idea of what could have caused this issue and how I can resolve it? Should the demotion not automatically remove it from Sites and Services (it could well be this if not)? The question then becomes how do we resolve the issues we have now.
Hello,
No, as you can demote a DC and it still may run site-aware services like DFS, and for this reason a DC is NOT automatically removed from AD Sites and Services during the demotion process.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
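The symptom in the post above (clients cannot find the rebuilt DCs until their records are hand-added under _tcp) comes down to whether the DC locator SRV records in DNS match the set of DCs AD actually has. The script below is an added example, not from the original thread: it compares the two lists and flags DCs missing from DNS and DNS targets that are no longer DCs. The records at the bottom are a constructed sample; the live path needs the ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original thread: compares the DCs that AD knows
# about with the DC locator SRV records actually present in DNS, so a rebuilt DC
# that never re-registered, or a decommissioned one still advertised, stands out.
# The records below are a constructed sample; the live path needs the
# ActiveDirectory and DnsClient modules.

function Compare-DcSrvRegistration {
    param(
        [Parameter(Mandatory)][string[]]$ExpectedDcs,   # DC FQDNs, e.g. from Get-ADDomainController
        [Parameter(Mandatory)][object[]]$SrvRecords     # objects with NameTarget and Port, as Resolve-DnsName returns
    )
    $registered = @($SrvRecords |
        Where-Object { $_.Port -eq 389 } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() } |
        Sort-Object -Unique)
    $expected = @($ExpectedDcs | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() } | Sort-Object -Unique)

    [pscustomobject]@{
        Registered     = $registered
        MissingFromDns = @($expected   | Where-Object { $registered -notcontains $_ })  # clients cannot locate these DCs
        StaleInDns     = @($registered | Where-Object { $expected   -notcontains $_ })  # advertised, but no longer a DC
    }
}

function Test-DomainDcSrv {
    # Live check against the domain you are logged on to
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $expected = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object { $_.HostName }
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    Compare-DcSrvRegistration -ExpectedDcs $expected -SrvRecords $srv
}

# Constructed sample: AD has three DCs; DNS still carries the decommissioned
# server and is missing one of the rebuilt ones.
$expected = 'dc01.corp.example', 'dc02.corp.example', 'dc03.corp.example'
$records  = @(
    [pscustomobject]@{ NameTarget = 'dc01.corp.example.';  Port = 389; Priority = 0; Weight = 100 }
    [pscustomobject]@{ NameTarget = 'dc03.corp.example.';  Port = 389; Priority = 0; Weight = 100 }
    [pscustomobject]@{ NameTarget = 'olddc.corp.example.'; Port = 389; Priority = 0; Weight = 100 }
)
Compare-DcSrvRegistration -ExpectedDcs $expected -SrvRecords $records | Format-List
```

For a DC that shows up under MissingFromDns, run nltest /dsregdns on that DC (or restart its Netlogon service) so it re-registers the full record set listed in %SystemRoot%\System32\config\netlogon.dns, instead of adding entries by hand; a name under StaleInDns is the place to look for the old DC's leftover DNS records and, as the answer above notes, its server object still sitting in Sites and Services.
-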
Allow log on through Remote Desktop Services Group Policy for Domain Controllers
Hello,
We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with Remote Desktop Services. This is by default not allowed, but according to many sites it should be configurable by using a Group Policy.
We made a new Group Policy with the settings 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra, for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this security group and should be able to access the Domain Controllers now. However, this isn't working.
The error message we receive upon trying to connect:
The connection was denied because the user account is not authorized for remote login.
For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy, but that doesn't seem to work either. We want to avoid customization of our Default Domain Controllers Policy, but this was just a test case for solving our problem.
What should we do to solve our problem?
I hope to hear from you soon.
Thanks in advance.
Hi, I just found out what the problem was. This site helped me a lot:
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
In my case, I had the group added to Allow Logon Through Remote Desktop Services but it was not added to the Builtin\Remote Desktop Users group. After learning this I made some changes to our situation and am now using the Builtin\Remote Desktop Users group rather than a new self-made Security Group. I also added Remote Desktop Users to Allow Logon Through Remote Desktop Services in the Default Domain Controllers Policy, as this is not done by default. By default only the Domain Administrators are able to log on through Remote Desktop Services.
You do not need the 'Log on Locally' permission within the Group Policies.
In short:
Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
Thank you anyway for the fast reply.
Have a nice day! -
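The fix above has a security consequence worth checking afterwards: on domain controllers the Builtin\Remote Desktop Users group is shared by every DC, and the Default Domain Controllers Policy applies to all of them, so anyone added this way gets an interactive session on Tier 0 hosts. The script below is an added example, not from the original thread: it parses the user rights section that secedit exports, resolves the SIDs, and reports who is allowed or denied the right behind "Allow log on through Remote Desktop Services" (a deny always wins). The INF text is a constructed sample; the live commands at the end need local admin on the DC and the ActiveDirectory module.

```powershell
# Added example, not from the original thread. Reads the effective user rights on
# a DC (secedit export format) and reports who holds, and who is denied,
# SeRemoteInteractiveLogonRight, then shows the Remote Desktop Users check.
# The INF text below is a constructed sample; the live path needs admin rights
# on the DC and the ActiveDirectory module.

function Get-PrivilegeRights {
    param([Parameter(Mandatory)][string]$InfText)
    # Returns a hashtable: right name -> array of resolved principal names
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $items = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            $rights[$name] = @($items | ForEach-Object {
                if ($_ -like '*S-1-*') {
                    $sid = $_.TrimStart('*')   # secedit writes SIDs as *S-1-...
                    try { (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $sid }             # unresolvable (e.g. deleted account): keep the raw SID
                } else { $_ }
            })
        }
    }
    $rights
}

function Test-RdpLogonRight {
    param([Parameter(Mandatory)][hashtable]$Rights, [Parameter(Mandatory)][string]$Principal)
    $allow = @($Rights['SeRemoteInteractiveLogonRight'])
    $deny  = @($Rights['SeDenyRemoteInteractiveLogonRight'])
    [pscustomobject]@{
        Principal = $Principal
        Allowed   = $allow -contains $Principal
        Denied    = $deny  -contains $Principal
        Effective = ($allow -contains $Principal) -and -not ($deny -contains $Principal)   # deny wins
    }
}

# Constructed sample of the [Privilege Rights] section as secedit exports it
# (S-1-5-32-544 Administrators, S-1-5-32-555 Remote Desktop Users, S-1-5-32-546 Guests)
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeInteractiveLogonRight = *S-1-5-32-544
'@
$rights = Get-PrivilegeRights -InfText $sampleInf
Test-RdpLogonRight -Rights $rights -Principal 'BUILTIN\Remote Desktop Users'
Test-RdpLogonRight -Rights $rights -Principal 'BUILTIN\Guests'

# Live check on a DC (run elevated): export the effective policy, then list who is
# in Remote Desktop Users, since on DCs that Builtin group is shared by every DC.
# secedit /export /cfg "$env:TEMP\ura.inf" /areas USER_RIGHTS
# $rights = Get-PrivilegeRights -InfText (Get-Content "$env:TEMP\ura.inf" -Raw)
# Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive | Select-Object SamAccountName, objectClass
```

Treat the Remote Desktop Users membership on DCs the way Domain Admins membership is treated: review it with the same cadence, and if a subset of helpdesk staff needs DC access, a dedicated group named in the user right (as the original question tried) keeps that subset visible, provided it is also placed in Remote Desktop Users, which is the piece the answer above was missing.
-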
Help with Powershell script to gather eventlogs from all Domain Controllers
I am trying to write a script to grab the last 5 days of Application, Security and System logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computers variable has all of my DCs, so it is querying fine. I assume it is an issue with my ForEach-Object line, but it doesn't error out. See the script below.
$log = "Application"
$date = get-date -format MM-dd-yyyy
$now = get-date
$subtractDays = New-Object System.TimeSpan 5,0,0,0,0
$then = $Now.Subtract($subtractDays)
$Computers = Get-ADDomainController -filter *
ForEach-Object -InputObject $Computers -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}
Invoke-Expression $env:TEMP\Applicationlog.htm
Thanks,
Rich
Also, you're missing the -ComputerName parameter in the Get-EventLog cmdlet.
I would re-write the loop part of the script like this:
$log = "Application"
$now = Get-Date
$then = $now.AddDays(-5)                        # last 5 days
$Computers = Get-ADDomainController -Filter *   # every DC in the current domain
$report = foreach ($Computer in $Computers) {
    # -ComputerName wants a host name; $Computer is an ADDomainController object
    Get-EventLog -ComputerName $Computer.HostName -LogName $log -After $then -Before $now -EntryType Error |
        Select-Object EventID, MachineName, Message, Source, TimeGenerated
}
# One HTML document for all DCs (ConvertTo-Html per DC with -Append would nest whole documents)
$report | ConvertTo-Html | Out-File .\Applicationlog.htm
Invoke-Item .\Applicationlog.htm   # opens the report; Invoke-Expression would try to run the path as a command
Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable) -
Using Windows 8.1 With Older Domain Controllers
Is there any document that would specify types of incompatibility we might expect when using Windows 8.1 with older domain controllers, either Windows 2000 or Windows 2003?
I assume at minimum that these older domain controllers would not have group policies that are able to support the full security policy feature set of Windows 8.1? For such cases, how do we configure security policy on those 8.1 domain member computers? Would we use LocalGPO.wsf to import a local security policy, then join the computer to the domain to override just the settings that are supported by the domain controller and Windows 8.1 in common?
Will
Hi,
You could refer to below guide to complete your migration process:
Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2
http://blogs.technet.com/b/canitpro/archive/2014/04/02/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
Meanwhile, about the details of how to migrate the domain controller, I would like to suggest you consult the Windows Server Forum for more professional help:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
Karen Hu
TechNet Community Support -
In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due to limitations in the user account and password synchronization mechanism in Windows Server Essentials.
I am happy to announce that with the recent Windows August Update released on 8/12/2014 (PST), this limitation has been removed. This update adds support for both Azure Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server.
For more information, please go to
http://support.microsoft.com/kb/2974308
Hi JoeBeck,
Thanks for the comment. Could you please tell us which link you clicked to download?
Please go to PinPoint to check the details and start the download:
http://pinpoint.microsoft.com/en-US/applications/Dynamics-CRM-Online-Add-in-12884966386
Thanks,
Shanghai Wicresoft -
Essentials 2012 R2 Exchange Integration with Multiple Domain Controllers
Attempting to integrate Exchange Server 2012 with the Essentials wizard results in the error message: "This task must be performed on the domain controller." I've found several threads that speculate this is because there are multiple domain controllers in the domain. Is there a workaround or patch available to resolve this issue? Why wouldn't Microsoft want the redundancy of multiple DCs?
Thanks.
Hi HartmannTek,
I agree with Robert.
We can get the following information from the article:
Services Integration Overview for Windows Server 2012 R2 Essentials - Part 1. Please refer to it.
Currently, the Services Integration features, including Windows Azure Active Directory integration, Office 365 integration, Windows Intune integration, and on-premises Exchange integration, are only supported in a single domain controller environment. In addition, the integration wizard must be run on a domain controller.
Hope this helps.
Best regards,
Justin Gu -
Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully? Will it impact the users in any way or cause problems?
> Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully?
No. You have to uninstall the CA role before you uninstall the Domain Controller role from the existing server.
This is why it is not recommended to keep the CA role on domain controllers.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool. -
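Before planning the move described above, it helps to know which servers in the forest actually host an enterprise CA and whether any of them is a domain controller, which is the combination the answer advises against. The script below is an added example, not from the original thread or from the PSPKI module mentioned in the signature: it reads the CA registrations AD keeps under the Public Key Services container and cross-checks the host names against the DC list. It assumes the ActiveDirectory module and read access to the configuration partition.

```powershell
# Added example, not from the original thread. Lists the enterprise CAs published
# in the forest (pKIEnrollmentService objects) and flags those whose host is a
# domain controller. Assumes the ActiveDirectory module.
function Get-EnterpriseCaHost {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    # Host names of every DC in every domain, normalised for comparison
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object { $_.HostName.ToLowerInvariant() }
    }
    Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName, cACertificateDN |
        ForEach-Object {
            [pscustomobject]@{
                CaName             = $_.Name
                Host               = $_.dNSHostName
                CaSubject          = $_.cACertificateDN
                OnDomainController = $dcs -contains $_.dNSHostName.ToLowerInvariant()
            }
        }
}

Get-EnterpriseCaHost | Format-Table -AutoSize
```

A CA that shows OnDomainController = True is the one to move off before that server is demoted; the enrollment-service object itself is what clients use to find the CA, so it is also the place to confirm that the old registration is gone once the role has been removed.
-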
Clustering Configuration with Primary & Secondary Domain Controllers
Hello.
I am trying to configure Failover Clustering on my Server 2012 computers.
I have a primary domain, as well as a secondary domain.
We will call them dc1.domain.com and dc2.domain.com.
I have Failover Clustering Manager installed on both servers.
Upon adding them both to the Create A Cluster Wizard, I receive the following error message on my report.
(My account is fairly new, so it will not let me attach an image, but I assure you, it is safe)
s14.postimg.org/lssjm2vu9/Screenshot_1.png
More than trying to avoid clustering domain controllers, you simply cannot do it. Active Directory has high availability built into it. It is known as multi-master, meaning there are no primary and secondary domain controllers. All are 'masters', meaning you can make changes on any domain controller and the change will be replicated to the other DCs.
If you only have two physical servers and you want to cluster them, you will first need to install the Hyper-V role on the servers (it is not recommended to install both Hyper-V and Domain Controller on the same box, so we will get this fixed). Once you have Hyper-V installed, build a VM on each server, join them to the domain, and promote them to domain controllers. On one of the VMs, seize the FSMO roles from the FSMO master. Then demote the physical hosts from being domain controllers.
You can now form a cluster of the two physical servers.
. : | : . : | : . tim -
Upgrade to Server 2012 R2 domain controllers from 2003
I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
We had two Server 2003 domain controllers and one of them was failing. I raised the forest functional level of our old primary domain controllers to 2003. I built the first replacement Server 2012 R2 domain controller, added the AD DS roles and promoted it as a domain controller. I let it sit for a couple of days. The FSMO roles were currently being handled by our other 2003 domain controller. Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing server and demoted it. Once demoted, I shut it down and pulled it out of the rack. I then built our second 2012 R2 server and gave it the same IP as the failing one, installed the AD DS roles and integrated DNS as prompted by the wizard. I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master. Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network. I then demoted the first new controller (DC03), changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again. I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in, just not a second subnet that is through a hardware firewall. I don't see anything getting blocked while watching firewall logs, so I don't think the firewall is the issue.
Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\username>dcdiag /v /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine WGDDC01, is a Directory Server.
Home Server = WGDDC01
* Connecting to directory service on server WGDDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=wgd,DC=inet
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WGDDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... WGDDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WGDDC01
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... WGDDC01 failed test DNS
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : wgd
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : wgd.inet
Starting test: DNS
Test results for domain controllers:
DC: WGDDC01.wgd.inet
Domain: wgd.inet
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard (Service Pack level:
0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
MAC address is B0:83:FE:C1:98:07
IP Address is static
IP address: 10.240.1.23
DNS servers:
10.240.1.23 (WGDDC01) [Valid]
10.240.1.24 (WGDDC02) [Valid]
127.0.0.1 (WGDDC01) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
Warning: no DNS RPC connectivity (error or non Microsoft DNS s
erver is running)
[Error details: 5 (Type: Win32 - Description: Access is denied
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.240.1.23 (WGDDC01)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
DNS server: 10.240.1.24 (WGDDC02)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: wgd.inet
WGDDC01 PASS WARN n/a n/a n/a
n/a n/a
......................... wgd.inet passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
When I try to bind a machine to the domain I get an error message that says "
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.240.1.24
10.240.1.23
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
Please let me know if I'm missing something or if there are other things I can check.
Thanks!
I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as soon as our vendor supports their software to run on Windows 7.
We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the domain connecting to the two new domain controllers, but the client machine that is trying to bind gives an error: An Active Directory Domain Controller for the domain wgd.inet could not be contacted. It seems that this is just a DNS issue for one particular subnet (10.240.2.0/24). This subnet is set up in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out. The route is there and I can watch it connect through our hardware firewall over port 53.
DC01
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
DC02
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC02
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter NIC1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.24
10.240.1.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
-
Fetch client IP addresses from the Netlogon.log file of all domain controllers in the domain
Hi,
The event ID 5807 is logged in the system logs of domain controllers, and as a result the IP addresses for the missing subnets are logged in Netlogon.log under %systemroot%\debug. The end goal is to fetch the IP addresses along with the rest of the respective attributes from the Netlogon.log of all the domain controllers in the domain. I have the following script; however, it gives me a 0KB file despite the fact that the Netlogon.log on the DC contains ample entries from the last two months.
function GetDomainControllers {
    $DCs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() |
        ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
    return $DCs
}

function GetNetLogonFile ($server) {
    $path = '\\' + $server + '\c$\windows\debug\netlogon.log'
    try { $netlogon = Get-Content -Path $path -ErrorAction Stop }
    catch { Write-Warning "Can't open $path"; return @() }
    # reverse the array's order so we walk from the end of the file (newest entries first)
    [array]::Reverse($netlogon)
    $IPs = @()
    foreach ($line in $netlogon) {
        # split the line into pieces using a space as the delimiter
        $splitline = $line.Split(' ')
        # Get the date stamp which is in the mm/dd format; skip lines that do not start with one
        $logdate = $splitline[0]
        if ($logdate -notmatch '^\d{2}/\d{2}$') { continue }
        # split the date
        $logdatesplit = $logdate.Split('/')
        [int]$logmonth = $logdatesplit[0]
        # last month and this month
        if (($logmonth -eq $thismonth) -or ($logmonth -eq $lastmonth)) {
            # only push it into an array if it matches an IP address format
            if ($splitline[5] -match '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b') {
                $objuser = New-Object System.Object
                $objuser | Add-Member -Type NoteProperty -Name IPaddress -Value $splitline[5]
                $objuser | Add-Member -Type NoteProperty -Name Computername -Value $splitline[4]
                $objuser | Add-Member -Type NoteProperty -Name Server -Value $server
                $objuser | Add-Member -Type NoteProperty -Name Date -Value $splitline[0]
                $objuser | Add-Member -Type NoteProperty -Name Time -Value $splitline[1]
                $IPs += $objuser
            }
        } else {
            # break out of the loop if the date is not this month or last month
            # (this else belongs to the month check, not the IP check; otherwise the
            # first line without an IP address ends the loop and nothing is collected)
            break
        }
    }
    return $IPs
}

# Get last month's date
$thismonth = (Get-Date).Month
$lastmonth = ((Get-Date).AddMonths(-1)).Month
# get all the domain controllers
$DomainControllers = GetDomainControllers
# Get the Netlogon.log from each DC
$allIPs = @()
foreach ($DomainController in $DomainControllers) {
    $IPsFromDC = GetNetLogonFile($DomainController)
    $allIPs += $IPsFromDC
}
$allIPs | Sort-Object -Property IPaddress -Unique | Export-Csv "E:\bin\NetlogonIPs.csv" -NoTypeInformation
PLEASE HELP!!
Hi jrv,
Thanks a lot for your help.
I understand you cannot keep on iterating the code for me. However, I am stuck at this error:
ERROR : Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."
After the following code finishes executing, I get the following output:
$csv=cat c:\windows\debug\netlogon.log |
%{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}|
ConvertFrom-Csv -Delimiter '|' -header time,message
time           message
04/14 01:18:45 NO_CLIENT_SITE: ServerX 10.x.x.x
04/14 01:17:45 NO_CLIENT_SITE: ServerY 10.x.x.x
04/14 01:17:44 NO_CLIENT_SITE: ServerY 10.x.x.x
04/14 01:17:43 NO_CLIENT_SITE: ServerX 10.x.x.x
However, I get the above mentioned error at the following line:
$csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
I would later want to run the query just for logs from the past day.
The entire code is as follows:
function GetDomainControllers {
    $DCs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() |
        ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
    return $DCs
}

function GetNetLogonFile ($server) {
    $path = 'C:\Test\netlogon.log'   # local test copy of \\$server\c$\windows\debug\netlogon.log
    try { $netlogon = Get-Content -Path $path -ErrorAction Stop }
    catch { Write-Warning "Can't open $path"; return }
    # reverse the array's order so the newest entries come first
    [array]::Reverse($netlogon)
    # keep only lines that start with the "MM/dd HH:mm:ss" stamp; any other line makes the date parse fail
    $csv = $netlogon | Where-Object { $_ -match '^\d{2}/\d{2} \d{2}:\d{2}:\d{2} ' } |
        ForEach-Object { '{0}|{1}' -f $_.SubString(0,14), $_.SubString(15, $_.Length - 15) } |
        ConvertFrom-Csv -Delimiter '|' -Header time,message
    # Netlogon.log has no year: add it, then parse with an explicit, culture-independent format
    $csv | ForEach-Object {
        $_.time = [datetime]::ParseExact(($_.time -replace ' ', '/2015 '), 'MM/dd/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
    }
    $csv | Out-GridView   # view only; piping the assignment into Out-GridView would leave $csv empty
    return $csv
}

# get all the domain controllers
$DomainControllers = GetDomainControllers
# Get the Netlogon.log from each DC
foreach ($DomainController in $DomainControllers) {
    GetNetLogonFile($DomainController)
}
Please help!! Any help will be highly appreciated.
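Both the original script and the follow-up stumble on the same two things: Netlogon.log lines carry no year, and not every line is a NO_CLIENT_SITE entry with an IP. The following is an added example, not code from this thread, showing one way to parse those entries robustly and group the client IPs by /24 so the subnets still missing from AD Sites and Services stand out. It assumes the line format `MM/dd HH:mm:ss [MISC] NO_CLIENT_SITE: <host> <ip>`; the function name and the sample lines are constructed for illustration.

```powershell
# Added example (not from the thread): parse NO_CLIENT_SITE entries from Netlogon.log text,
# resolve the year-less "MM/dd HH:mm:ss" stamps against a reference date, keep the last
# $Days days, and summarise the client IPs per /24 (candidate subnets for Sites and Services).
function Get-NoClientSiteSubnets {
    param(
        [string[]]$Lines,                 # raw Netlogon.log lines
        [datetime]$Now = (Get-Date),      # reference "today" (injectable for offline runs)
        [int]$Days = 1,                   # look-back window
        [string]$Server = 'UNKNOWN-DC'    # DC the log was read from
    )
    # The "[MISC]" tag is optional so lines already stripped of it still match.
    $pattern = '^(\d{2})/(\d{2}) (\d{2}:\d{2}:\d{2}) (?:\[\w+\] )?NO_CLIENT_SITE: (\S+) (\d{1,3}(?:\.\d{1,3}){3})$'
    $hits = foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }   # skip LOGON/other lines without a client IP
        $month = [int]$Matches[1]; $day = [int]$Matches[2]
        # The log has no year: a month later than the current month must belong to last year
        # (assumes the log does not span more than twelve months).
        $year = $Now.Year
        if ($month -gt $Now.Month) { $year-- }
        $stamp = [datetime]::ParseExact(('{0:D4}-{1:D2}-{2:D2} {3}' -f $year, $month, $day, $Matches[3]),
                                        'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        if ($stamp -lt $Now.AddDays(-$Days)) { continue }
        $octets = $Matches[5].Split('.')
        [pscustomobject]@{
            Server       = $Server
            Time         = $stamp
            Computername = $Matches[4]
            IPaddress    = $Matches[5]
            Subnet24     = ('{0}.{1}.{2}.0/24' -f $octets[0], $octets[1], $octets[2])
        }
    }
    $hits | Group-Object Subnet24 | ForEach-Object {
        [pscustomobject]@{
            Subnet24 = $_.Name
            Clients  = @($_.Group.IPaddress | Sort-Object -Unique).Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Clients -Descending
}

# Constructed sample lines in the Netlogon.log format (not real log data).
$sample = @(
    '04/14 01:18:45 [MISC] NO_CLIENT_SITE: WS-PC01 10.240.2.15'
    '04/14 01:17:45 [MISC] NO_CLIENT_SITE: WS-PC02 10.240.2.16'
    '04/14 01:17:44 [LOGON] SamLogon: Network logon of WGD\user from WS-PC02 Entered'
    '12/30 23:59:10 [MISC] NO_CLIENT_SITE: OLD-PC 10.240.9.7'   # last year, outside the window
)
Get-NoClientSiteSubnets -Lines $sample -Now ([datetime]'2015-04-14 02:00:00') -Server WGDDC01 | Format-Table
```

With the sample input this reports one row, 10.240.2.0/24 with 2 clients; to run it against a live DC replace `$sample` with `Get-Content "\\$dc\c$\windows\debug\netlogon.log"`.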
Replace WS2003 domain controller for WS2012 domain controller
Hi, I think that this is a common problem but I haven't found anything exactly like this, only something similar, and I still have a lot of doubts.
The thing is that I have a network with two domain controllers:
WS2003 - 192.168.0.1, which is the first domain controller I created and is also a file sharing server
WS2008R2 - 192.168.0.8, which is a new domain controller I added one year ago.
Now, I want to replace the first one, keeping the second one.
I am thinking of removing the first one and replacing it with a new machine (WS2012) with the same IP and host name. I need the same host name because clients are pointing to it to get the shared files.
My main fear is that clients get some error related to the trust relationship and I will have to rejoin them one by one to the domain.
As I have another domain controller, will the global catalog of the new machine be synchronized automatically with the WS2008R2 domain controller?
Do I need to demote the old domain controller before adding the new one?
Thanks a lot
Hi Tomas,
As pointed out by Burakm, you should have an additional file server and should avoid using a domain controller, which has privileged access, to share files. This puts you at a security risk.
Regarding the requirement of the old host name:
Here is something that would let you keep a different server name and IP, yet allow your users to connect to the old hostname and access the share. Use a CNAME record for the old server name that points to the new hostname.
How to Configure Windows Machine to Allow File Sharing with DNS Alias
You might also look for Distributed File System Shares.
http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
NOTE: You can't run an in-place upgrade of a 2003 DC to 2012.
Regards,
Satyajit