Mike Broderick (United States of America) asked:
Windows 2003 SBS DC problems after adding 2012 as DC

I will be migrating from a 2000/2003 to two 2012 DCs over the next 12 months. I have demoted the 2000 DC, upgraded the forest to 2003, and added the two 2012 DCs. The plan is to have one 2012 server as the production server and the other as a backup DC/backup files.

The problem I am having is when I test the 2012 DC by itself. I bring down the two 2012 DCs, then restart the 2012 DC. It comes up, but has severe problems. Exchange doesn't work, and after a while neither does the domain function (cannot log on). Please note that the 2012 server is the production, and the 2000 was a backup DC. Then, when I shut down everything, bring up a 2012 DC, then bring up my 2003 server, everything works fine.

The first thing I see that looks wrong in the system event log is an SPNEGO 40960 error from LsaSrv shortly after IPL:

The Security System detected an authentication error for the server LDAP/SVR02.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

There are many 40960 errors, and the other errors seem to indicate a problem with logon servers. They seem to slowly bring the ship down.

What can I do so that the 2003 DC can run without the 2012 DCs? The 2012 DCs are supposed to be backup DCs.

Lee W, MVP (United States of America) answered:
Which server has the FSMO roles? When you are doing this testing, are you shutting down the DC that holds all the FSMO roles? If so, not good. Move the FSMO roles to the 2012 server and retest.
Mike Broderick (asker):
I did not do anything when running the promotion dialog to accomplish it, but the 2012 servers are GC servers. Note: the 2003 server is a GC server. No, I did not run DCDIAG. I will try it tonight.

All FSMO roles are held by the 2003 server. My test is to shut down the 2012 servers then restart the 2003 server to see if it will run without the 2012 servers. Are you sure you want me to move the roles to a 2012 server?

Thank you for your help.
I guess I misunderstood what you were trying to accomplish. For logon services and Exchange Services to work, the server holding the FSMO roles needs to be running.
Sorry I wasn't clear. Eventually I will move away from the 2003 server, but for now it is the production server. I was treating the 2012 servers as throw-away because nothing was on them. I'd leave them down all night or for a few days, and I started noticing problems if I rebooted the 2003 server.

I ran the DCDIAG command. It passed all tests except two:

    Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SVR02]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SVR02 failed test Services

The other failure was due to warnings/errors in the event viewer in the last 24 hours. Since replication messages were there, I discounted this section. I can send you the whole file if you want to see it.

Mike
One other side note: generally it is not a good idea to turn off DCs for days on end. That is a recipe for disaster. Think of it this way: users are changing passwords, logging in, new groups are created, computers are changing their passwords, group policies are being edited. If the 2003 server goes down and has to be rebuilt, there is a good chance all of those changes will be lost. It's generally better to just let those additional DCs run; it'll cut down on the replication when they come up and will protect you in case of a disaster.
When you say "points to itself first", where do you mean? On the network adapter, each server points to the 2003 server first. When I open the DNS console, I see the 2012 DCs listed before the 2003 server. Should I change them here? If so, how? Will the changes propagate to the other DCs?

Yes, I know that technically there are no backup DCs; I was referring to a backup in case one goes down.

Later I'm going to shut down the 2012 machines and retry the dcdiag routine. I'll let you know if I see anything.
No, under TCP/IP IPv4 of the network adapter. The primary should be the 2003 and the secondary should be one of the 2012 servers, and optionally the third would be the other 2012.
So under normal conditions the DNS server listed first is where the DNS records are registered and then propagated to the other servers. Secondaries are used when the primary is unavailable, which is why the secondaries should never point to an ISP DNS server.

Changes are replicated via Active Directory replication based on what the KCC calculates should be the replication topology. Yes, replication requires DNS only in that all SRV records and host records are registered. Generally speaking, DNS should be Active Directory integrated, which means that the AD zones are stored in an application partition, either domainDNS or forestDNS depending on the scope of replication. If all servers go to the same server first, then that means that your FSMO role holder is updated when each of your DCs register their SRV records, making it the single point of truth.

As you get ready to retire the 2003, change the DCs to point their primary DNS to where you want the FSMO role holder to be.
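One way to check the advice in this thread (FSMO role holders, each DC's DNS client order, and the services dcdiag tests), as an added example that is not from the thread or its participants. It assumes Windows PowerShell with the RSAT ActiveDirectory module, WMI/DCOM access to every DC, and treats SVR02 (the server named in the dcdiag output above) as the intended primary.

```powershell
# Added example, not from the thread: verify the DNS-order advice above.
# Reports the five FSMO role holders, each DC's IPv4 DNS server order
# (via WMI, so it works against 2003 as well as 2012), and any of the
# services dcdiag's "Services" test checks that are not running.
# Assumes RSAT's ActiveDirectory module and DCOM access to every DC.
Import-Module ActiveDirectory

# DC that every DC's NIC should list first (the FSMO holder, SVR02 in the thread)
$PreferredPrimary = 'SVR02'
$primaryIPs = [System.Net.Dns]::GetHostAddresses($PreferredPrimary) |
              ForEach-Object { $_.IPAddressToString }

$domain = Get-ADDomain
$forest = Get-ADForest
$fsmo = [ordered]@{
    'PDC Emulator'   = $domain.PDCEmulator
    'RID Master'     = $domain.RIDMaster
    'Infrastructure' = $domain.InfrastructureMaster
    'Schema Master'  = $forest.SchemaMaster
    'Domain Naming'  = $forest.DomainNamingMaster
}
Write-Host 'FSMO role holders:'
$fsmo.GetEnumerator() | ForEach-Object { '  {0,-14} {1}' -f $_.Key, $_.Value }

# Services that dcdiag's Services test expects to be running on a DC
$dcServices = 'Dnscache','NtFrs','IsmServ','kdc','SamSs','LanmanServer',
              'LanmanWorkstation','RpcSs','w32time','NETLOGON'

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    Write-Host "`n== $name ($($dc.IPv4Address)) =="

    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                -ComputerName $name -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $order = @($nic.DNSServerSearchOrder)
        Write-Host "  DNS order: $($order -join ', ')"
        if ($order.Count -eq 0 -or $primaryIPs -notcontains $order[0]) {
            Write-Warning "  primary DNS is not $PreferredPrimary"
        }
        if ($order.Count -lt 2) {
            Write-Warning '  no secondary DNS server; logon fails if the primary is down'
        }
    }

    # IsmServ was the stopped service in the dcdiag output above
    Get-Service -ComputerName $name -Name $dcServices -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } |
        ForEach-Object { Write-Warning "  service $($_.Name) is $($_.Status)" }
}
```

Run it from a domain-joined admin workstation before and after moving the FSMO roles so the warnings show which DCs still need their DNS order changed.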
Thank you guys for the help. It was a group effort.