Windows 2012 Server Root Domain Controller Backup

I just set up an Active Directory with 2 sites (VA and NY).  Each site has 2 domain controllers and replication is working perfectly without any issues.  I can use a client machine to join the domain without any issues, but when I shut down my VADCroot Domain Controller to see if I can use a client machine to join the domain, it fails with the following error:

An Active Directory Domain Controller (AD DC) for the domain "cookie.local" could not be contacted.

Detailed error shows: DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "cookie.local":

The query was for the SRV record _ldap._tcp.dc._msdcs.cookie.local
The following domain controllers were identified by the query:
vadcroot.cookie.local, vadc2.cookie.local, nydc.cookie.local, nydc2.cookie.local

However, no domain controllers could be contacted.
Common causes of this error include:
-Host (A) or (AAAA) records that map the names of the domain controllers to their IP address are missing or contain incorrect addresses
-Domain controllers registered in DNS are not connected to the network or are not running.

I have a single domain structure and all my DCs are configured as Global Catalog & DNS with the following
TCP/IP setup for the domain controllers and clients
--------------------------------------------------------------

From VA Site
MachineName: VADCroot
IP Addr: 192.168.3.100
Subnet: 255.255.255.0
Gateway: 192.168.3.1
Pri DNS: 172.30.10.100 (IP of NYDC)
Sec DNS: 127.0.0.1

MachineName: VADC2
IP Addr: 192.168.3.101
Subnet: 255.255.255.0
Gateway: 192.168.3.1
Pri DNS: 192.168.3.100
Sec DNS: 127.0.0.1

From NY Site
MachineName: NYDC
IP Addr: 172.30.10.100
Subnet: 255.255.255.0
Gateway: 172.30.10.1
Pri DNS: 192.168.3.100 (IP of VADCroot)
Sec DNS: 127.0.0.1

MachineName: NYDC2
IP Addr: 172.30.10.101
Subnet: 255.255.255.0
Gateway: 172.30.10.1
Pri DNS: 192.168.3.100
Sec DNS: 127.0.0.1

Thanks
Asked by Anagkazo (Systems Engineer)

McKnife commented:
Hi.

Please write down the IPs that you configured as DNS servers at the client computer, too.
0
Anagkazo (Systems Engineer, author) commented:
I used DNSs of the Domain Controllers in the following order:

Prim DNS: 192.168.3.100
Sec DNS:  172.30.10.100
Sec DNS2:  192.168.3.101
Sec DNS3:  172.30.10.101
0
McKnife commented:
Ok. Can the client PC use all of these with nslookup to resolve some test addresses of other domain computers? If yes, please use dcdiag at all DCs and tell us what tests it did not pass successfully.
It would also be interesting to know what
ping cookie.local
returns with that DC online and offline.
0
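The checks McKnife asks for (nslookup against each DNS server, then whether the located DCs can actually be contacted) can be run from the client as one script. This is an added example, not code posted in the thread; it assumes the domain name and the DNS server list the author gave above, and it needs the DnsClient and NetTCPIP modules that ship with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the thread): walk the same steps the "could not be contacted"
# error describes, from the client, and report where the DC locator actually fails.
# Assumptions: domain and DNS server addresses are the ones from the question; adjust as needed.
$Domain     = 'cookie.local'
$DnsServers = @('192.168.3.100', '172.30.10.100', '192.168.3.101', '172.30.10.101')  # client's DNS list, in order

# 1. Which of the client's DNS servers actually answer? The resolver walks this list in order,
#    so a dead primary costs a timeout on every query before the secondaries are tried.
$answering = foreach ($s in $DnsServers) {
    try {
        $null = Resolve-DnsName -Name $Domain -Type A -Server $s -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Server = $s; Answers = $true;  Error = '' }
    } catch {
        [pscustomobject]@{ Server = $s; Answers = $false; Error = $_.Exception.Message }
    }
}
$answering | Format-Table -AutoSize

$dns = ($answering | Where-Object Answers | Select-Object -First 1).Server
if (-not $dns) { throw "No DNS server in the client's list answers; DC discovery cannot start." }

# 2. The SRV lookup quoted in the error message. Priority/weight decide the order the client tries DCs.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -DnsOnly |
       Where-Object { $_.Type -eq 'SRV' }

# 3. For every DC the SRV query returned: does its A record resolve, and does it answer on
#    LDAP (389) and Kerberos (88)? A DC listed in DNS but failing both is the "not running /
#    not connected" case from the error text; a missing A record is the other listed cause.
$report = foreach ($r in $srv) {
    $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $dns -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $ldap = $false; $kerb = $false
    if ($a) {
        $ldap = (Test-NetConnection -ComputerName $a.IPAddress -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        $kerb = (Test-NetConnection -ComputerName $a.IPAddress -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        DC         = $r.NameTarget
        IP         = if ($a) { $a.IPAddress } else { '(no A record)' }
        Priority   = $r.Priority
        Weight     = $r.Weight
        LDAP389    = $ldap
        Kerberos88 = $kerb
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.LDAP389 -and $_.Kerberos88 })) {
    Write-Warning "DNS returned $($report.Count) DC(s) but none answers on 389 and 88 from this client."
}

# 4. Finally ask the DC locator itself, forcing a fresh discovery instead of the cached DC.
nltest /dsgetdc:$Domain /force
```

Run it twice, once with VADCroot online and once with it shut down, and compare the two tables: if the SRV query still lists all four DCs but only the powered-off one fails 389/88, the problem is not DNS but the client's path to the remaining DCs (the VPN subnets the author mentions later are the first place to look); if the first DNS server in the list stops answering, expect the join to be slow rather than to fail outright.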

FinServCo commented:
I believe I read somewhere that 2012 DNS servers should point to themselves first.  It's how I have mine configured.

Your VADC2 is pointing to VADCroot which you had shut down.
0
compdigit44 commented:
I agree with FinServCo. The primary DNS server the server is pointing to is the one you shut down

Also what FSMO roles does your root server host?
0
Anagkazo (Systems Engineer, author) commented:
Over the weekend I decided to set up VirtualBox to test this out at home.  I did exactly what I explained above, then shut down my root DC (VADCroot).  I configured a virtual Win 7 guest machine with the following IPs (IP network 10.10.10.0/24 with Prim DNS VADCroot and Sec DNS of NYDC1) and I was able to join the domain without any issues.  I am working on 3 different subnets (192.168.3.0/255, 172.30.10.0/24, and 10.10.0.0/24).  I am working in an environment where multiple client machines with different IP addresses are authenticated through VPN on a single forest, single domain, 4 domain controllers.

Frankly, I don't know much about FSMO roles and I am looking into it to figure it out.  I am a very quick learner and your input is very appreciated.

Thanks
0
Anagkazo (Systems Engineer, author) commented:
sorry,
I meant 192.168.3.0/24
0
compdigit44 commented:
Can you run dcdiag /v /e >c:\dcdiag.txt on your server so we can see what is going on in your AD environment
0
Anagkazo (Systems Engineer, author) commented:
Attached is my dcdiag file.

Thanks
Attachment: dcdiagTEXT.txt
0
Anagkazo (Systems Engineer, author) commented:
compdigit,

My root server (VADCroot) is hosting all 5 FSMO roles.
0
compdigit44 commented:
That's why you cannot add a server / workstation to the domain: all FSMO roles are offline when that server is off.
0
Anagkazo (Systems Engineer, author) commented:
compdigit44,

I have 2 different simulations similar to the one described above in the virtual environment, and when I shut down the VADCroot (contains all 5 FSMO roles) I am still able to join a workstation without any issues.  It is a single-forest/single-domain AD infrastructure, configured as site-to-site replication from VA-Site to NY-Site.

Thanks
0
FinServCo commented:
A RID master allocates IDs to domain controllers in batches of 500.  If a DC runs out of IDs and can't contact the RID master then you won't be able to join objects to the domain.

Have you configured your DNS servers to point to themselves first?  If the server with all of the FSMO roles is down, and it's the server all of your other servers are pointing to for DNS, well, you're going to run into issues.

What if any event log errors are you getting?
0
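The three things asked about in the replies above (which host holds each FSMO role, whether each DC still has RIDs left in its pool, and what each DC's DNS client list looks like) can be audited from one DC with the script below. It is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) is installed, that PowerShell remoting to the other DCs is allowed, and the four DC names from the question. The RID pool attributes are read from each DC's own copy of its "RID Set" object so that replication lag does not hide an exhausted pool.

```powershell
# Added example (not from the thread): audit FSMO placement, per-DC RID pool headroom and
# per-DC DNS client order for the single-domain forest described in the question.
# Assumptions: ActiveDirectory module present, WinRM open to every DC, run as a domain admin.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO role holders. One host owning all five roles is exactly the situation in the thread.
$fsmo = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo | Format-List
$holders = @($fsmo.PSObject.Properties.Value | Sort-Object -Unique)
if ($holders.Count -eq 1) { Write-Warning "All five FSMO roles are on $($holders[0]); losing it also loses the RID master." }

# 2. RID pool headroom on every DC. A DC creates new security principals (computer accounts
#    included) from its local pool; it needs the RID master only to fetch the NEXT pool.
#    rIDPreviousAllocationPool is the pool currently in use (despite the name) and rIDNextRID the
#    next value it will hand out; both halves of the pool are packed into one 64-bit integer.
$rids = foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID -Server $dc.HostName
    $pool  = [int64]$ridSet.rIDPreviousAllocationPool
    $start = $pool -band 0xFFFFFFFF       # low 32 bits: first RID of the pool
    $end   = $pool -shr 32                # high 32 bits: last RID of the pool
    $next  = [int64]$ridSet.rIDNextRID
    [pscustomobject]@{
        DC            = $dc.HostName
        Site          = $dc.Site
        PoolStart     = $start
        PoolEnd       = $end
        NextRID       = $next
        RIDsRemaining = if ($next -gt 0) { $end - $next + 1 } else { $end - $start + 1 }
        NextPoolReady = ([int64]$ridSet.rIDAllocationPool -ne $pool)  # a spare pool is already assigned
    }
}
$rids | Format-Table -AutoSize
$rids | Where-Object { $_.RIDsRemaining -lt 50 -and -not $_.NextPoolReady } |
    ForEach-Object { Write-Warning "$($_.DC) has $($_.RIDsRemaining) RIDs left and no spare pool; joins fail there if the RID master is down." }

# 3. DNS client order on each DC, collected remotely. Flag DCs whose first server is another DC
#    and DCs that do not list themselves (or loopback) at all, which is the pattern in the question.
$self = foreach ($dc in Get-ADDomainController -Filter *) {
    $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    $ownIps  = @($dc.IPv4Address, '127.0.0.1')
    [pscustomobject]@{
        DC           = $dc.HostName
        DnsServers   = ($servers -join ', ')
        FirstIsOther = ($servers.Count -gt 0 -and $servers[0] -notin $ownIps)
        ListsSelf    = [bool]($servers | Where-Object { $_ -in $ownIps })
    }
}
$self | Format-Table -AutoSize

# 4. Cross-check with the built-in tools the replies mention.
netdom query fsmo
dcdiag /test:RidManager /v
```

The RID numbers are what decide whether FinServCo's scenario applies: a DC with hundreds of RIDs left and a spare pool already assigned will keep joining workstations with the RID master offline, which matches what the author saw in the VirtualBox test, so a failing join with the root DC down points back at name resolution or network reachability rather than at FSMO placement.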
Anagkazo (Systems Engineer, author) commented:
Close it.  I rebuilt the domain.
0