Solved

AD - First Server 2012 AD DS / DNS member hosed

Posted on 2013-07-01
587 Views
Last Modified: 2013-07-02
Hello.  I have 4 existing DCs in the forest, at Server 2003 functional level.  All other DCs are either Server 2003 or Server 2008.  I want to decommission the 2003s and move them to 2012s so that we can work towards a higher functional level.  First things first, I build a Server 2012 instance, disable the firewall, run updates, and add the role.

First attempt: It fails.  Turns out joining the domain did not create itself a computer account in AD like normal.  No problem.  Remove/re-add from domain and make sure computer account is present and in the 'Domain Controllers' group.

Second attempt: It seemingly succeeds and reboots.  I have confirmed that the forest & domain were prepped and at the proper level.  However, it is not showing up as an available controller in ADUC and has all sorts of errors.  It says I need to promote, but there is an error:

DC Error 1
I cannot continue.  The DNS portion comes up with access denied.  If I open up ADUC and manually point it at the server, it does show data.  So I know the initial replication succeeded.    The Best Practices Analyzer has 68 errors:

DC Error 2
My install seems completely hosed... where should I turn next?  I could just re-format... but then I'm guessing this partially completed AD server is "stuck" somewhere in AD.  I have attempted a demotion, which fails with access denied.  I have not tried the 'Force' option yet.

Good times with Microsoft...
Question by:admineo
7 Comments
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39291644
If the server was promoted as a DC, open the command prompt and run dcdiag /q and post the log with the ipconfig /all details of the DC.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39291653
What is the new server pointing to for its DNS settings?

Can you check your schema version: http://adisfun.blogspot.com/2013/06/windows-server-2012-r2-preview-schema.html

I want to see if that completed.

Thanks

Mike
 

Author Comment

by:admineo
ID: 39291667
@Sandeshdubey:  See Attached.  Thanks

@mkline71:  Schema is at 56.  DNS is pointed to another DC and then itself.  You can see in the ipconfig attached.
dcdiag.txt
ipconfig.txt
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39291732
From the log it is clear that the netlogon share is missing. Check whether the sysvol and netlogon shares are available or not. Run the net share command to check the same. If the sysvol and netlogon shares are missing, that server will not act as a DC.

Check whether the Policies and Scripts folders in the sysvol folder have replicated or not. If they have not replicated, you need to perform an authoritative and non-authoritative restore of the sysvol folder to fix the same: http://support.microsoft.com/kb/290762

Kindly take a backup of the sysvol folder of the DCs, that is, copy and paste the content of sysvol to a temp location, and perform the authoritative and non-authoritative restore of sysvol as mentioned before.
 
LVL 9

Expert Comment

by:Zenvenky
ID: 39291745
Before you proceed with Sandesh's comments, I would suggest you fix Time Synchronisation. I'm sure it is a Time Sync issue.  The PDCe role holder shall point to an external Time server for time sync and all other machines in the domain shall point to the PDC for time sync. Check these links for better understanding.

Authoritative Time Server

DNS Best Practices
 
LVL 13

Accepted Solution

by:
Jaihunt earned 500 total points
ID: 39292611
The target name used was LDAP/DE13EFCA-8F92-4C97-8E31-9CDED5EE1D52._msdcs.xxxxDOM.local

Have you tried resetting the computer account password through netdom?

http://sumoomicrosoft.blogspot.com/2012/07/reset-domain-controller-computer-account.html
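The three checks raised in this thread (Sandeshdubey's SYSVOL/NETLOGON shares, Zenvenky's time sync, and the `<GUID>._msdcs` target name and machine account reset from Jaihunt's accepted answer) collected into one script, as an added example that is not code from the thread or the linked articles. It assumes an elevated PowerShell on the new 2012 DC with the ActiveDirectory and SmbShare modules, a known-healthy partner DC name, and (only if you pass `-ResetAsUser`) a domain admin account for the netdom reset.

```powershell
# Added example (not from the thread): DC pre-checks for the symptoms discussed above.
# Run elevated on the new 2012 DC. $PartnerDC is an assumed healthy DC; $ResetAsUser
# (e.g. 'DOM\admin', assumed) triggers the netdom machine-account reset when supplied.
param(
    [Parameter(Mandatory)] [string] $PartnerDC,
    [string] $ResetAsUser = ''
)
Import-Module ActiveDirectory

# 1. SYSVOL / NETLOGON shares: without both, the box is not a functioning DC.
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if ($share) { "OK   share $name -> $($share.Path)" } else { "FAIL share $name missing" }
}

# 2. Time skew against the PDC emulator: Kerberos tolerates 5 minutes by default,
#    so the new DC must sync to the PDCe, which in turn syncs to an external source.
$pdc = (Get-ADDomain).PDCEmulator
"Time source on this DC: $(w32tm /query /source)"
"Offset vs PDC emulator $pdc (last column is seconds):"
w32tm /stripchart /computer:$pdc /samples:3 /dataonly

# 3. The CNAME from the Kerberos error: <NTDS settings GUID>._msdcs.<forest root>
#    must resolve to this DC, otherwise partners cannot build its LDAP/ SPN.
$me    = Get-ADDomainController -Identity $env:COMPUTERNAME
$guid  = (Get-ADObject -Identity $me.NTDSSettingsObjectDN).ObjectGUID
$fqdn  = "$guid._msdcs.$((Get-ADForest).RootDomain)"
$cname = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction SilentlyContinue
if ($cname -and $cname.NameHost -ieq $me.HostName) { "OK   $fqdn -> $($cname.NameHost)" }
else { "FAIL $fqdn does not resolve to $($me.HostName); run 'ipconfig /registerdns' and restart Netlogon" }

# 4. Secure channel to the partner DC. If this fails with access denied, the machine
#    account password is out of step and the netdom reset from the accepted answer applies.
nltest /sc_verify:$((Get-ADDomain).DNSRoot) | Out-Null
if ($LASTEXITCODE -ne 0) {
    "FAIL secure channel to the domain is broken"
    if ($ResetAsUser) {
        # Standard netdom sequence: stop the KDC so this DC cannot hand itself stale tickets,
        # reset the account against the healthy DC, restart the KDC, then force replication
        # (/A all partitions, /d show DNs, /e cross-site, /P push from this DC).
        Stop-Service kdc
        netdom resetpwd /Server:$PartnerDC /UserD:$ResetAsUser /PasswordD:*
        Start-Service kdc
        repadmin /syncall /AdeP
    }
} else { "OK   secure channel verified" }
```

Run it once without `-ResetAsUser` to read the FAIL lines; only the secure-channel failure (the access denied the asker saw on promotion and demotion) is the case the netdom reset addresses, the share and DNS failures need the SYSVOL restore or DNS registration steps given earlier in the thread.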
 

Author Closing Comment

by:admineo
ID: 39293093
This was absolutely the issue.  Thanks Jaihunt!

I tried the 'Repadmin /syncall' and got some crazy errors.  I followed the rest of the steps and it worked itself out.  Both AD & DNS seem to be happy.
