jmgallo
asked on
2008 R2 DCPromo on SBS2003 Domain
I’ve done a bunch of NT to SBS2003, SBS03 to 08, etc., not sure if I’m just missing something stupid or what. I have a SBS2003 (all patched) that I’m migrating to a bunch of non-SBS 2008 R2 SP1 servers on Hyper-V. I started looking into AD/DNS when the one Mac can connect fine to the old SBS2003 server (with Mac services) but not the 2008 R2 DC. I then promoted my 2nd 2008 DC, Mac can connect to netlogon share just fine. DCPromo 1st 2008 DC back down, then back up, still same thing (no, I didn’t test file share when it was a member server). Since 2nd DC has been up for a while (almost 24 hours), I figured I would change the DNS settings on it to only point to 127.0.0.1 (instead of also pointing to SBS server), restart times when from roughly 90 seconds to over 5 minutes, network location went from Domain to Public, and I have a bunch of AD & DNS errors, and Windows Firewall on 2008 is off. ASUC won’t come up on 2008 server as it says the domain is unavailable. If I switch the DNS client on the server to just point to SBS and 127.0.0.1 as secondary, all is fine again. But obvioiusly something isn't working.
My process for dcpromo is to just run dcpromo without AD Services or DNS roles installed, at which point DCPromo installs them. I also found TechNet cc708131 that says when running DCPromo, uncheck/clear the DNS Server during DCPromo (same screen as Global Catalog), although I’m not sure why you’d want to do this? Should I let it use the SBS DNS, and then add 2008 DNS later? But nowhere does it state adding DNS. I prefer to have DCPromo install/setup DNS, that way I know I can't screw anything up by doing it manually.
Only thing I can think of is something happened when I ran Forest/Domain prep on SBS, but would 2008 DCPromo bark if it found anything missing/wrong? I reran Forest/Domain prep using R2 SP1 media on the SBS server, but it says they've already been run.
Thanks,
Joe
My process for dcpromo is to just run dcpromo without AD Services or DNS roles installed, at which point DCPromo installs them. I also found TechNet cc708131 that says when running DCPromo, uncheck/clear the DNS Server during DCPromo (same screen as Global Catalog), although I’m not sure why you’d want to do this? Should I let it use the SBS DNS, and then add 2008 DNS later? But nowhere does it state adding DNS. I prefer to have DCPromo install/setup DNS, that way I know I can't screw anything up by doing it manually.
Only thing I can think of is something happened when I ran Forest/Domain prep on SBS, but would 2008 DCPromo bark if it found anything missing/wrong? I reran Forest/Domain prep using R2 SP1 media on the SBS server, but it says they've already been run.
Thanks,
Joe
ASKER
yup, 32, that much I know. dcdiag on sbs or 2008, or both? Yeah, I've always let dcpromo due the DNS install/setup, not sure what the technet article says to leave it unchecked...and that on top of that, doesn't reference installed DNS at all. Must assume you're going to leave SBS.
dcdiag on both will be fine.
Are you going to remove SBS 2003 server at some point?
Are you going to remove SBS 2003 server at some point?
Good article from demazter if you are going to remove SBS 2003 server
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html
You can let dcpromo *add* DNS, but your server's DNS settings should point to SBS until replication has completed. After all, on a DC, DNS is AD integrated, which means AD must be fully replicated to populate the DNS entries, and AD can't replicate if an existing AD server cannot be found, contacted and replication initiated....and how does another AD server get found? DNS. In short, DNS needs to point to an *existing* AD (not the new) server until you see, in event logs, that AD has completed replication.
-Cliff
-Cliff
ASKER
I know about replication, but I figured I left them alone long enough to replicate. One's been running for 40 hours or so before I started making troubleshooting changes to it, and it's a small domain. Although the SBS is WAY overloaded. Doing mailbox moves to Exch2010 was fun. After moving a few it would just be unresponsive, sometimes we could shut it down gracefully, other times we couldn't. 3 times we had to press and hold power in order to get it to powercycle, once Exch DB got corrupt, had a blast cleaning and getting it to mount.
Is there some way to speed up/force replication (if that's the issue)? And yes, I had already found that article, great article.
As you can see SBS dcdiag is coming up roses, although there's 3 (I think) errors that both 08 boxes share, and then File1 has another. So I'm looking into those now.
SBS2003-dcdiag.txt
file1-dcdiag.txt
admin-dcdiag.txt
Is there some way to speed up/force replication (if that's the issue)? And yes, I had already found that article, great article.
As you can see SBS dcdiag is coming up roses, although there's 3 (I think) errors that both 08 boxes share, and then File1 has another. So I'm looking into those now.
SBS2003-dcdiag.txt
file1-dcdiag.txt
admin-dcdiag.txt
ASKER
Forgot to mention, that yes, we absolutely are getting rid of it (even though Exchange Store repairs can be fun). But we have wait a few more weeks before we can move some of the last stuff off because of tax date of 4/15.
I know there's a event ID to look for for when AD is completed replication, but for some reason I can't find out what it is. I know I've used that before to determine when it's done, could be lack of sleep!
I know there's a event ID to look for for when AD is completed replication, but for some reason I can't find out what it is. I know I've used that before to determine when it's done, could be lack of sleep!
ASKER
Just found this EE post, which talks about one of the errors being a bug with 2008, and can be ignored if you're not doing a RODC. But then the solution also states that it's a issue with the Windows Firewall being on, when running dcdiag against a remote server, running it locally they come back fine. But the issue is, I did run them locally on all 3!
Here is an article about the RODC error this is fine.
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_3645-Dcdiag-fails-for-NCSecDesc-test-on-Windows-2008-Domain-Controllers.html
If you look in the dcdiag really nothing jumps out except for some replication errors but could have been from the install.
run repadim /syncall
if you change the DNS settings to point to the actual IP address of the server instead of 127.0.0.1 this might fix the problem as well since you are running multiple domain controllers 127.0.0.1 shouldn't be used. Go to Network binding make sure IPv4 is listed first in the binding order. Second disable all unsed NICs as well. Make sure your primary NIC is listed first in binding order
http://thebackroomtech.com/2009/01/15/howto-edit-network-card-bindings-in-windows-server-2008/
Run dcdiag /fix
Post dcdiag /test:dns
You could be having issues with DNS not fully replicating. Check your DNS zone see if you have the same zones as SBS server. Dcdiag /fix might fix the problems as well.
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_3645-Dcdiag-fails-for-NCSecDesc-test-on-Windows-2008-Domain-Controllers.html
If you look in the dcdiag really nothing jumps out except for some replication errors but could have been from the install.
run repadim /syncall
if you change the DNS settings to point to the actual IP address of the server instead of 127.0.0.1 this might fix the problem as well since you are running multiple domain controllers 127.0.0.1 shouldn't be used. Go to Network binding make sure IPv4 is listed first in the binding order. Second disable all unsed NICs as well. Make sure your primary NIC is listed first in binding order
http://thebackroomtech.com/2009/01/15/howto-edit-network-card-bindings-in-windows-server-2008/
Run dcdiag /fix
Post dcdiag /test:dns
You could be having issues with DNS not fully replicating. Check your DNS zone see if you have the same zones as SBS server. Dcdiag /fix might fix the problems as well.
ASKER
Since the 127 loopback is causing the issues right now, both 2008 DC's are pointing back to the SBS IP address, as well as SBS is pointing to it's own IP (not loopback). What do you mean by mulitple DC's not using loopback? When using multiple DC's, the actually IP address if itself should be used, instead of loopback?
Also, this is virtual, so only one NIC. The three commands (repadim, and 2 dcdiag's), should I run those from all servers?
Also, this is virtual, so only one NIC. The three commands (repadim, and 2 dcdiag's), should I run those from all servers?
ASKER
Ran sync on all, will test in morning and post dcdiag dns results. ty.
Yeah you should always use the actual IP address of the server not loopback. You can get away with using loopback in a single domain controller environment but when you have multiple DNS issues can arise.
Make sure you check your Binding to make sure IPv4 is listed first.
Did sync all pass?
Make sure you check your Binding to make sure IPv4 is listed first.
Did sync all pass?
ASKER
That's what I thought about the DNS Client on the DNS server, to use the actual IP and not loopback. But in troubleshooting this, I haven't found any doc or post that states that. And why the hell after all this time, does DCPromo still put the loopback into IP settings? Is it not smart enough to put in the actual IP?!
I also checked bindings, IP is listed first, and there's only one NIC to check.
OK, here are all 3 dcidag DNS test results. I have Admin server in here twice, because as you can see SBS2003 and File1 are fine, but the first Admin one failed on (SRV & A record). But I think the first time I ran it was either right before or right after I changed it's DNS client's secondary DNS from loopback to it's actual IP (primary is/was the SBS). The second time I ran it, you can see it passed.
Anything else I should be doing/checking before I switch the two 2008 servers to point to only themselves? Win FW is off on all servers. EventID's? I can't seem to find out the event ID I need to look for to say AD repl is complete. In Admin I'm seeing 4013 (DNS can't start until AD has completed sync), then minute later events 2 & 4 saying DNS is started and has loaded all zones.
I need to go to a kids b-day party, so going to wait until I come back (in 4-5 hours) until I repoint them to just themselves and try another reboot.
sbs-dnsdiag.txt
file1-dnsdiag.txt
admin-dns.txt
admin-dns-2.txt
I also checked bindings, IP is listed first, and there's only one NIC to check.
OK, here are all 3 dcidag DNS test results. I have Admin server in here twice, because as you can see SBS2003 and File1 are fine, but the first Admin one failed on (SRV & A record). But I think the first time I ran it was either right before or right after I changed it's DNS client's secondary DNS from loopback to it's actual IP (primary is/was the SBS). The second time I ran it, you can see it passed.
Anything else I should be doing/checking before I switch the two 2008 servers to point to only themselves? Win FW is off on all servers. EventID's? I can't seem to find out the event ID I need to look for to say AD repl is complete. In Admin I'm seeing 4013 (DNS can't start until AD has completed sync), then minute later events 2 & 4 saying DNS is started and has loaded all zones.
I need to go to a kids b-day party, so going to wait until I come back (in 4-5 hours) until I repoint them to just themselves and try another reboot.
sbs-dnsdiag.txt
file1-dnsdiag.txt
admin-dns.txt
admin-dns-2.txt
ASKER
I'm going to kick my ___ if this is something stupid I'm missing! But at least I'll know it's fixed!
Still same thing, both 2008 DC's have been pointing to SBS as primary and themselves as secondary (non-loopback) for 6+ hours. Pointed them to themselves only, and again they take 5 minutes (actually one (File1 takes the same sub-2minutes) to reboot. But result is the same, NIC shows public network instead of domain, and launching ADUC doesn't start because no DC found.
And I've checked, they are replicating, as there is plenty of info in DNS on the two 2008 servers. Could it because old server is slow? But I'm seeing event id's 2 & 4 saying DNS has started and all zones are ready (when they're pointing to SBS).
I'm attaching DCDiag /Test:DNS of both 2008 servers while they're just pointing to themselves, I haven't started to research the errors yet.
file1-postswitch.txt
admin-postswitch.txt
Still same thing, both 2008 DC's have been pointing to SBS as primary and themselves as secondary (non-loopback) for 6+ hours. Pointed them to themselves only, and again they take 5 minutes (actually one (File1 takes the same sub-2minutes) to reboot. But result is the same, NIC shows public network instead of domain, and launching ADUC doesn't start because no DC found.
And I've checked, they are replicating, as there is plenty of info in DNS on the two 2008 servers. Could it because old server is slow? But I'm seeing event id's 2 & 4 saying DNS has started and all zones are ready (when they're pointing to SBS).
I'm attaching DCDiag /Test:DNS of both 2008 servers while they're just pointing to themselves, I haven't started to research the errors yet.
file1-postswitch.txt
admin-postswitch.txt
ASKER
Preliminary research shows the first error an issue/bug with DCDiag when the running it from the DC when the DC is on a NIC team, but that it's only a bug with DCDiag. You can contact MS and they'll give you the updated version, or run DCDiag from another machine, pointing it to the DC. But it's just DCDiag, not the AD/DNS itself. This concerned me at first as I am running this on a 3 NIC team, but the team is on Hyper-V Parent, not the actual DC. Also, this is running on a Hyper-V Cluster.
ASKER
I'm still baffled, but figured I'd post an update before retiring for the night.
I left Admin running (just pointing to itself) for a while before switching it back. I noticed that after 2 hours, events 2 & 4 show up (just like when pointing to SBS) saying DNS is up and zones have synced up and are ready. Tried AD U&C, it comes up. Network location still shows unknown public network though, and reboot time is still 6 minutes.
For the heck of it, I ran DCDiag/test:dns, and although there's a bunch of:
"DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.
Overall result of DCDiag is a 'pass'.
I left Admin running (just pointing to itself) for a while before switching it back. I noticed that after 2 hours, events 2 & 4 show up (just like when pointing to SBS) saying DNS is up and zones have synced up and are ready. Tried AD U&C, it comes up. Network location still shows unknown public network though, and reboot time is still 6 minutes.
For the heck of it, I ran DCDiag/test:dns, and although there's a bunch of:
"DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.
Overall result of DCDiag is a 'pass'.
ASKER
I opened a ticket with Microsoft. He got back to me this morning saying to disable firewall (doh!, forgot to mention I already did) and to disable IP6 via registry if not used? I did, but didn't solve the issue.
How did you disable IPv6? Did you go through the registry and disable?
Check you DNS zones do you have the same zones on all DNS servers?
Seems like DNS is not started quick enough when rebooting.
http://support.microsoft.com/kb/2001093
Check you DNS zones do you have the same zones on all DNS servers?
Seems like DNS is not started quick enough when rebooting.
http://support.microsoft.com/kb/2001093
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Just a lot of back and forth with Microsoft resolving this issue.
Are you running adprep32?
Seems like there is some type of replication issue.
Run dcdiag post results