Server 2012 secondary domain controller or Hyper-v Live replication
Hi all,
For a client am i building new servers.
The setup is simply, two Hyper-v servers and one fileserver.
But, what would be the best setup to do with the DC?
I can install a secondary DC, but i can also choose to make a live replication of the DC in Hyper-V.
What is the best, more important the safest option to choose?
Of course there is a backup running twice a day to make a full backup of the VM's.
Thanks in advance,
Patrick
Honestly, I would recommend standing up a secondary DC. The problem with replication is if something get's hosed on the primary side of things you typically only have a limited amount of time before the bad changes get replicated over to the replica.
It's also a best practice to have multiple DC's for redundancy in your environment.
Similar Messages
-
Server 2012 Secondary Domain Controller not picking up AD nor DNS responsibilities
I had a single Domain Controller providing AD, DNS and DHCP. I went through the steps to add a Secondary Domain Controller. All the AD and DNS info shows up in the Secondary Server, however, when my original Domain Controller is turned
off, the second Domain Controller is not taking over for AD and DNS.Hi Bayousmurf,
Good that you made some progress. However, can you please provide us the information on how you acheived transfering FSMO role to another DC since you had some issue earlier?
Your initial intention was to demote the original DC. Please follow the below link for the steps to demote the DC.
http://technet.microsoft.com/en-in/library/jj574104.aspx
Still if I power off the original DC the new one isn't taking up DNS. Still looking into the DNS...
Can you please elaborate what exactly you are looking for? When you power off original DC, you don't see DNS in new DC? Is your DNS active directory integrated? If not please follow the below procedure to make it as a AD integrated. Once done, then, power
off original DC and look in new DC to see if DNS shows up.
http://www.tomshardware.com/faq/id-1954324/configure-active-directory-integrated-dns-zone-windows-server-2012-dns-server.html
Thanks,
Umesh.S.K -
Unable to edit Default Domain policy on Server 2012 R2 domain controller
Hello,
I recently built a Server 2012 R2 domain controller and added it to my domain. When trying to edit the default domain policy I get the following error:
I can make edits to other GPO objects. All the other domain controllers are Server 2008 and are able to edit that GPO. The issue is on the Server 2012 box only. I've checked the delegated permissions, I'm a domain admin, and have opened
GPMC as administrator. Does anyone know what I'm missing? Thank you for your time.
TinoHi Tino,
>>Could that be the problem?
I don't think so, for we can still use FRS to replicate Sysvol. However, it is recommended that we use DFSR to replicate Sysvol if our domain
function level is Windows Server 2008 or above.
Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
DFS-R on 2008 R2 by default?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
If the Sysvol is replicated by FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the Sysvol on the new Windows
Server 2012. This will restore the Sysvol from a healthy DC.
To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click BurFlags.
8. In the Edit DWORD Value dialog box, type D2 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Hope it helps.
Best regards,
Frank Shen -
Exchange 2007 RTM support with Windows Server 2012 R2 Domain Controller
Hi All,
I have not found any TechNet Article which states about the Windows Server 2012 R2 Active Directory domain controller operating system support with Exchange 2007 RTM, can some one please let me know that does Exchange 2007 RTM supports Windows Server 2012
R2 domain controller operating system, we are in the process of upgrading the domain controllers to 2012 R2 but not the forest and domain functional level to 2012 R2.
thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft LyncThere are several likely reasons for this. The most significant is that Exchange 2007 RTM is no longer supported (outside ot extended support, which is not going to include adding support for new operating systems):
http://support2.microsoft.com/lifecycle/default.aspx?LN=en-us&p1=10926
You'll note from the following -
http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx - that only Exchange 2007 SP3 is currently supported in any environment.
HTH ... -
Windows Server Primary & Secondary Domain Controller Question
lulzchicken wrote:
Right now the DHCP is assigning 192.168.200.1 (DNS server) and 8.8.8.8 (Google's DNS) as DNS servers for each client. I don't necessarilly want to change these assignment settings,Yes, you do. This is absolutely the worst thing you can ever do with DNS. More details why here -> Ramblings of a Sysadmin: How to do DNS correctly
Primary and secondary DNS should ALWAYS be internal.
Your DNS Servers should use FORWARDERS go go out to google. That's the only place that should see google DNS servers in your environment.Hi everyone, thank you for taking the time to listen.
I have successfully implemented an Active Directory setup using a Primary DC and a Secondary DC with Windows Server 2012 R2.
EL1 is my PDC and EL2 is my BDC.
Active Directory is in sync among the two Domain Controllers. Here is my question:
If I were to have a policy (Group Policy) that sets the wallpaper of each client machine to whatever is in the "\\EL1\Wallpaper\wp.jpg" - what would happen if I were to have that Domain Controller fail? That directory is no longer available due to the outage - even though the Backup Domain Controller will still be pushing out the policy (pointing to the down server).
My idea was to have that directory replicated on the Backup Domain Controller, "\\EL2\Wallpaper\wp.jpg" however - the policy will still be looking for the file in the Primary Domain...
This topic first appeared in the Spiceworks Community -
Deploy Windows Server 2012 R2 domain controller in 2008 domain
Hi,
We have three physical windows 2008 enterprise with SP1 32 bit domain controllers, we need to deploy two additional windows 2012 R2 standard as virtual machines on this domain. Do we need to install SP2 on the existing Windows 2008 sp1 DCs or we are fine?
What are other requirements?It is not required.
Just your Forest/Domain Functional level should be Windows Server 2003 or higher to be able to add Windows Server 2012 R2 DCs.
Please note that it is always recommended to have your Windows Operating Systems up-to-date to avoid known security attacks and known bugs.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain
Hi,
Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
We now want to replace these DC`s with Windows Server 2012 R2.
My plan is as follow
- Install and promote a Windows Server 2012 R2 as a 3 DC`s with a temporary hostname and IP as DC3
- Install and promote a second Windows Server 2012 R2 as a 4 DC`s with a temporary hostname and IP as DC4
- Decomiss DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
- Move FSMO roles from DC2 to DC1 and decomiss DC2
- Change the IP and hostname of the new DC4 to DC2
Will this be a ok progress ? I will offcours to have the DC`s replicate information between them before doing each task.
/Regards AndreasHi,
Only error i got running dcdiag was the following
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=local
......................... DC1 failed test NCSecDesc
Is this a problem ?
I would guess not since im not implementing a RODC ? Ref:
https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
You can ignore it.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Virtual Server 2012 Core - Domain Controller
Thanks for responding guys but as my original post says...
"or even use the RSAT tools, where Active Directory Domain Services just isn't listed."Well the VM is up and running (freshly created yesterday) but I'll be damned if I can: -
Install-WindowsFeature AD-Domain-Services -InstallManagmentTools
It errors with: -
InvalidArgument: (AD-Domain-Services:String)
or even use the RSAT tools, where Active Directory Domain Services just isn't listed.
Any ideas as my best friend Google is letting me down at the moment.
This topic first appeared in the Spiceworks Community -
Upgrade to Server 2012 R2 domain controllers from 2003
I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
We had two Server 2003 domain controllers and one of them was failing. I raised the forest functional level of our old primary domain controllers to 2003. I built the first replacement Server 2012 R2 domain controller. Added the AD DS roles
and promoted it as a domain controller. I let it sit for a couple days. The FSMO roles were currently being handled by our other 2003 domain controller. Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing
server and demoted it. Once demoted I shut it down and pulled it out of the rack. I then built our second 2012 R2 server and gave it the same IP as the failing one. Installed the AD DS roles and integrated DNS as prompted by the wizard.
I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master. Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network. I then demoted
the first new controller (DC03) changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again. I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in,
just not a second subnet that is through a hardware firewall. I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\username>dcdiag /v /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine WGDDC01, is a Directory Server.
Home Server = WGDDC01
* Connecting to directory service on server WGDDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=wgd,DC=inet
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WGDDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... WGDDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WGDDC01
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... WGDDC01 failed test DNS
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : wgd
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : wgd.inet
Starting test: DNS
Test results for domain controllers:
DC: WGDDC01.wgd.inet
Domain: wgd.inet
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard (Service Pack level:
0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
MAC address is B0:83:FE:C1:98:07
IP Address is static
IP address: 10.240.1.23
DNS servers:
10.240.1.23 (WGDDC01) [Valid]
10.240.1.24 (WGDDC02) [Valid]
127.0.0.1 (WGDDC01) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
Warning: no DNS RPC connectivity (error or non Microsoft DNS s
erver is running)
[Error details: 5 (Type: Win32 - Description: Access is denied
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.240.1.23 (WGDDC01)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
DNS server: 10.240.1.24 (WGDDC02)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: wgd.inet
WGDDC01 PASS WARN n/a n/a n/a
n/a n/a
......................... wgd.inet passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
When I try to bind a machine to the domain I get an error message that says "
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.240.1.24
10.240.1.23
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
Please let me know if I'm missing something or if there are other things I can check.
Thanks!
I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as
soon as our vendor supports their software to run on Windows 7.We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the
domain connecting to the two new domain controllers but the client machine that is trying to bind gives an error. An Active Directory Domain Controller for the domain wgd.inet could not be contacted. It seems that this is just a DNS issue for one
particular subnet (10.240.2.0/24). This subnet is setup in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out. The route is there and I can watch it connect through our hardware firewall over port 53.
DC01
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
DC02
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC02
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter NIC1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.24
10.240.1.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe> -
Questions About Adding First 2012 R2 domain controller to an existing 2008 Domain
Our current domain controllers are all running Server 2008 and are VMs in our local office. We plan to add a new domain controller and also create a new AD site. This new domain controller will be the only domain controller in the new remote
site. It will also be a VM on a new 2012 R2 Hyper-V server at the new remote site.
There is currently only one site (the default first site).
The steps planned are to create a new site to represent the remote location in AD configured with the subnets that apply to the remote site. (Computers in our local office should continue to use the domain controllers in our office and remote PCs should
start using the new domain controller.)
Then build the new domain controller VM, join to the domain as a member server and then promote it to domain controller of the new site.
Are any steps missing?
Do we need to do anything special with time sync settings on Hyper-V or will both the Hyper-V host and the domain controller guest just automatically sync time with the PDC domain controller across a WAN connection at the main site?
Is there a way to prepare the domain/schema for the new 2012 R2 domain controller in advance so that the new domain controller can be installed later without needing Schema Admin or Enterprise admin permissions during the installation?> Where can I find what is correct for 2012 R2 domain controllers running
> on Hyper-V 2012 R2 hosts?
There's no "one fits all" advice on this topic, but I agree with Ahmed:
Within a domain, the DCs provide a hierarchical time source, and since
clients are required to be in sync with DCs, this is a "must be".
If your HV hosts are member of the domain they are hosting, things can
easily go crazy if you do not disable host time sync.
Greetings/Grüße,
Martin
Mal ein
gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me -
coke bottle design refreshment (-: -
Secondary Domain Controller Not Authenticating Domain Users
Hi.
I have a primary domain controller running Win Srv 2012 in USA and i added a secondary domain controller 2012 in the same domain from a different location India, through VPN.so that India user accounts can authenticate by the secondary DC instead of primary
DC USA
Installation & replication of AD went fine
India domain users login is damn slow.
When i ran the command echo %logonserver% from a india client machine,it displays the USA Primary DC name which means its authenticating the users from USA primary DC.
Preferred DNS for india client machine is Secondary DC IP and alternate is Primary DC IP USA.
Please find the dcdiag results below and any help much appreciated
Performing initial setup:
Trying to find home server...
Home Server = server2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: INDIA\server2
Starting test: Connectivity
......................... server2 passed test Connectivity
Doing primary tests
Testing server: INDIA\server2
Starting test: Advertising
Warning: DsGetDcName returned information for \\server1.tst.mycompany.com, when we were trying to reach
server2.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... server2 failed test Advertising
Starting test: FrsEvent
......................... server2 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after th
replication problems may cause Group Policy problems.
......................... server2 failed test DFSREvent
Starting test: SysVolCheck
......................... server2 passed test SysVolCheck
Starting test: KccEvent
......................... server2 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... server2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... server2 passed test MachineAccount
Starting test: NCSecDesc
......................... server2 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\server2\netlogon)
[server2] An net use or LsaPolicy operation failed with error 67,
......................... server2 failed test NetLogons
Starting test: ObjectsReplicated
......................... server2 passed test ObjectsReplicated
Starting test: Replications
......................... server2 passed test Replications
Starting test: RidManager
......................... server2 passed test RidManager
Starting test: Services
......................... server2 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0xA004001B
Time Generated: 02/22/2015 17:10:30
Event String: Intel(R) 82574L Gigabit Network Connection
A warning event occurred. EventID: 0x000727A5
Time Generated: 02/22/2015 17:11:24
Event String: The WinRM service is not listening for WS-Manageme
An error event occurred. EventID: 0x0000271A
Time Generated: 02/22/2015 17:11:24
Event String:
The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not regist
A warning event occurred. EventID: 0xA004001B
Time Generated: 02/22/2015 17:12:41
Event String: Intel(R) 82574L Gigabit Network Connection
A warning event occurred. EventID: 0x000003F6
Time Generated: 02/22/2015 17:19:36
Event String:
Name resolution for the name mycompany.com timed out after none
A warning event occurred. EventID: 0x00001796
Time Generated: 02/22/2015 17:28:54
Event String:
Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
A warning event occurred. EventID: 0x000727A5
Time Generated: 02/22/2015 17:33:35
Event String: The WinRM service is not listening for WS-Manageme
A warning event occurred. EventID: 0x00001796
Time Generated: 02/22/2015 17:35:54
Event String:
Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
......................... server2 failed test SystemLog
Starting test: VerifyReferences
......................... server2 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValida
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValida
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidat
Running partition tests on : tst
Starting test: CheckSDRefDom
......................... tst passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... tst passed test CrossRefValidation
Running enterprise tests on : tst.mycompany.com
Starting test: LocatorCheck
......................... tst.mycompany.com passed test LocatorChec
Starting test: Intersite
......................... tst.mycompany.com passed test IntersiteHi.
I have a primary domain controller running Win Srv 2012 in USA and i added a secondary domain controller 2012 in the same domain from a different location India, through VPN.so that India user accounts can authenticate by the secondary DC instead of primary
DC USA
Installation & replication of AD went fine
India domain users login is damn slow.
When i ran the command echo %logonserver% from a india client machine,it displays the USA Primary DC name which means its authenticating the users from USA primary DC.
Preferred DNS for india client machine is Secondary DC IP and alternate is Primary DC IP USA.
Firstly make sure that you have configured sites and subnets correctly. According to your information which you have two locations, you should have at least 2 sites and 2 subnets associated to them. If you have forgotten to configure subnets of India in your
site and services and assigned them to the India site you are experiencing this issue. Also make sure if clients in India has appropriate network connectivity to the domain controllers in India.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers? -
Which Server Version for Domain Controller do I Need
Hello
We are currently running two domain controllers with Server 2003 on them. We have a standard TCP/IP star topology networking including web servers, files servers, sql, iis etc.
We are upgrading 5 of our servers to 2012r2 and are using them as "host" servers for upgraded IIS (2012r2) and WebGrabber (2008r2) servers and these servers will be set up as virtual machines (the IIS and web grabbers) on the hosts.
My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?
Thanks!
Theresa Greene
Theresa GreeneMy question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?
At least Windows Server 2012
I highly recommend to upgrade the Domain Controllers to at least Windows Server 2012.
Besides the new functionality described by others in this thread, Windows Server 2012-based Domain Controllers (and beyond) offer virtualization safeguards, building on the VM-GenerationID offered by your new virtualization platform. This functionality helps
to protect your Domain Controllers from USN rollbacks and Lingering Objects. It also unlocks the Domain Controller Cloning functionality, that may help you deploy your five Domain Controllers faster and more streamlined.
More information:
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe
Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller
Cloning
Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part
1
Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part
2
Getting to Windows Server 2012
In terms of getting your Active Directory to Windows Server 2012, there's good news and slightly bad news. The bad news is you can't in-place upgrade your Domain Controllers to Windows Server 2012. The good news: This makes the transition scenario
more appealing.
Instead of upgrading your Domain Controllers on their physical hardware, and, then, convert them to virtual machines, you can build new virtual Windows Server 2012 Domain Controllers, while your Windows Server 2003 Domain Controllers remain running.
Then, when you're ready to get rid of your Windows Server 2003 Domain Controllers, you simply demote them and remove them from your network. I've written a detailed step-by-step on this:
Transitioning your Windows Server
2003 Domain Controllers to Windows Server 2012 -
Bind Mavericks to Windows Server 2012 R2 domain
I have a Windows 2012 R2 domain controller (only one in the domain) with the forest and domain in native (not mixed) mode.
I am trying to bind a Mavericks Macbook Pro to the domain.
I have checked that I can ping the domain and domain controller by name and IP address.
I have set the NTP on the Macbook to use the domain controller as the time source.
I even set the "Prefer this domain server" to the domain controller.
When I attempt bind the Macbook, the time tested message of "Authentication server could not be contacted."
Any suggestions? Something about Windows Server 2012 R2 that I am missing? I admit that I am just learning Windows
Server 2012 R2, so it is possible my lack of knowledge of it is the adding to the problem.
Thank you in advance!I have 3 Server 2012 DC's here on my network. No issues binding Macs to the DC. I haven't had the time to roll out R2 DCs yet, but will be doing so shortly as I am now done with some other upgrades. I would roll out one right now so I can test this for you, but don't have the time...sorry man.
One of the most important thing with AD is DNS. 1 of my 3 AD's is my DNS and DHCP server. I have not had to mess with any special settings, just let my Mac get it's IP from the DC and then bind away. Are your windows machines (if you have any) on the same LAN able to bind? Also make sure the account you are logged into the mac with is an Admin on the local mac.
Remove all the custom info you put in, keep it simple, I have never had to fill in any of those details, and make sure you use the FQDN of your DC (host.domain.com). Once you put in the FQDN, does the utility recognize the Domain and then ask for the AD admin credentials? If yes, then thats a good sign.
Let me know if it's still not working. Also make sure you are using the correct login and password, the admin of your DC.
Is your DC virtual or Physical? Do you have the firewall enabled on your DC? Are you using wireless or wired?
I'm sure you will get this... S12R2 is really sweet, all my Hyper-V hosts are S12R2. -
Secondary domain controller not able to connect from work stations.
We are using primary and secondary domain controllers. In which the secondary domain controller act as a replication server. actually the problem occurs while accessing the secondary domain controller from work stations I get the following error:
"The trust relationship between this workstation and the primary domain failed".
Any one please give as a solution.
Thank you.Hi,
Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain.
There might be multiple reasons for this kind of behavior.
Here are a few of them:
Single SID has been assigned to multiple computers.
If the Secure Channel is Broken between Domain controller and workstations
If there are no SPN or DNS Host Name mentioned in the computer account attributes
Outdated NIC Drivers.
According your description, the second one may be the cause of your problem.
When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required).
Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.
If there are problems with system time, DNS configuration or other settings, secure channel’s password between Workstation and DCs may not synchronize with each other.
A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting
to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.
Follow below link which explains typical symptoms when Secure channel broken,
Typical Symptoms when secure channel is broken
http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
For detailed information, please refer to the link below,
Troubleshooting AD: Trust Relationship between Workstation and Primary Domain failed
http://social.technet.microsoft.com/wiki/contents/articles/9157.troubleshooting-ad-trust-relationship-between-workstation-and-primary-domain-failed.aspx
Hope this helps.
Steven Lee
TechNet Community Support -
Biztalk 2013 R2 with Windows Server 2003 R2 Domain Controller
Hello, I have a client right who has a Windows Server 2003 R2 domain controller with active directory installed. Is there any reason why I can't install Biztalk 2013 on a Windows Server 2012 R2 box and add it to that farm to use active directory?
Thanks in advance,
-AdamBizTalk Server is only going to use the User Groups created in Domain Controller so ideally i don't think there will be any compatibility issue. Also there isn't any microsoft article which talks about BizTalk compatibility with respect to domain controller.
You will have to create all the Windows Groups and User Accounts in AD, before BizTalk Server configuration.
Windows Groups and User Accounts in BizTalk Server
Thanks,
Prashant
Please mark this post accordingly if it answers your query or is helpful.
Maybe you are looking for
-
Purchase ledger and General Ledger account codes
I am looking for information about how Oracle Financials works in respect of "codes" if that is what they are called within the Module. I am an accountant as well as a developer, and I have equivalent information about a number of other accounting pa
-
Since Firefox joined with Yahoo, I have been receiving Daily Spam Emails, never have I had so many since this merger. Plus only 3/4 of many received Emails are shown on the screen, the rest are cut off.. Thank you
-
Why doesMail maddengly keep attempting to send with an old deleted account?
Every now and then, Mail "decides" to use an old account to send from. I've been back into preferences and cancelled the account. No such account exists at my server. It was only registered in Mail. It is unable to send these emails using the cancell
-
Having trouble installing photography package PS+LR
I own hardcopies of CS6 and Lightroom 5. I just purchased the $10/mo photographys package to get CC and LR updates. When I attempt to download CC photoshop, my computer goes to my previous version of PS, not CC. I haven't even tried to install Li
-
Dear All, This is the tip of an iceberg: I was surfing and had an interesting crash. More later on Monday. Short question: Is it my newbie fault? The website? My little olde classic blueberry? All the best, Irene