Windows Server 2012R2 DC slow logins after taking Windows 2003 DC offline

I recently introduced a Windows Server 2012R2 domain controller into my environment since it was going to replace a Windows 2003R2 domain controller at some point.  I went through all of the proper installation procedures including preparing the forest and domain to receive the new 2012R2 DC.  Everything was working just fine, i.e. the netlogon share replicated fine, all group policies replicated fine, etc.  They seemed to co-exist just fine.  I transferred all FSMO roles and hosted applications from the 2003 server to the 2012R2 server in preparation to decommission it.  To make sure things were going to be ok without it, I just powered down the 2003 DC to see if the 2012 server was going to be ok with everything.  The next morning, people were saying it took forever to log in on some machines and I even had a couple of Windows 7 machines say the trust relationship failed so I had to leave the domain and rejoin to fix it.  I am not sure where to start.  The new DC is the only DNS server right now but I am going to add one very soon.  All clients use the new DC as the DNS server and get the addressing via DHCP.

I am not seeing anything weird in Event Viewer on the 2012R2 DC.  Where would you recommend I start in trying to troubleshoot the slow logons?  I have not powered the 2003 DC back on and have no plans to demote it and decommission it totally until I get this figured out.
Steve Bantz (IT Manager) asked:

If you do an ipconfig /all on a typical computer, does it show the correct DHCP and DNS server or the old one?
Does your new server have IPv6 enabled?
Steve Bantz (IT Manager, Author) commented:
Yes.  They show as receiving the address from the 2012R2 DC's DHCP service and also show it as the DNS server.  I do have both IPv4 and IPv6 enabled on the 2012DC.  The DNS server shows it is listening on both IPv4 and 6.
Will Szymkowski (Senior Solution Architect) commented:
Based on the comments, I would have thought maybe you had DNS entries for the 2003 server on your clients. Based on your comments, I guess not.

Is the 2003 DC decommissioned yet or is it still in play? Run the below commands to get some more info...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

netdom query fsmo
netdom query dc

Run these commands from both DC's (if they are both still in the environment).


Steve Bantz (IT Manager, Author) commented:
If I run a dcdiag on the 2012R2DC it passes everything.  I am seeing an event 769 in Event Viewer on the 2012DC that has me a bit confused.  File attached. DNS event 769
Steve Bantz (IT Manager, Author) commented:
Will, the 2003R2 server is still a domain controller, I just have it turned off to see what is happening.  I didn't try all of the repl commands because there is nothing to replicate with right at the moment since I have the 2003 server powered off.  netdom query fsmo showed the new 2012 DC as the holder of all 5 roles.  Netdom query dc shows the 2003 server and the 2012 server as available domain controllers.
In DHCP, did you change the DNS server IP address that DHCP hands out?  Also check any static IP settings for DNS, i.e. managed switches, printers, router.  On the Windows 7 machines, check that IPv6 on the NIC is enabled; that could cause the trust issue.  Check DNS on the 12 server and make sure it wasn't using the 03 server as forwarder.  I know you have to install DHCP and DNS on the 2012, but I'm assuming those features were added after the server was promoted to a DC and that you configured them for either load sharing or failover.
Will Szymkowski (Senior Solution Architect) commented:
Active Directory highly depends on DNS. Under the folder for your internal domain there are several SRV records; these are queried at random based on the site you are in. If both of these machines are in the same site it will create conflicts, because clients will still reference the 2003 DC since there are SRV records associated with this 2003 domain controller.

A lot of users think powering off a server (Exchange, DC, etc.) will be a good test to see if anything breaks, and yes, in fact, as you can see, it causes many issues. SRV records are very important in regards to clients finding where they can get services from.

If you have IPs that are present that are not pingable (like your 2003 DC), there is a timeout period before it will actually query the next IP in the list. Because you only have 2 DC's in your environment, the users have a higher probability of hitting the 2003 DC. Whereas if you have 3 or 4 DC's in the same site, your clients will not experience as many issues because there are more DC's online, but they will still experience the odd timeout when it tries to query for services that are not available.

But you are probably wondering: if I only have the clients pointing to the 2012 DC for DNS, why would they reference SRV records for another DC? When you point to the DC for DNS, it serves the lookup requests, but it still has the same SRV entries with the 2003 DC IP associated to them, which is when you get delays and timeouts.
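An added example (not part of the thread or anyone's posted code) that shows the behaviour Will describes: it pulls the DC locator SRV records for the domain and tests whether each advertised target actually answers on its port, so a powered-off DC that is still registered in DNS stands out. It assumes a domain-joined Windows host with the DnsClient and NetTCPIP modules (Windows 8.1/2012 R2 or later); `$Domain` defaults to the current domain and is the only input.

```powershell
# Added example: list DC locator SRV records and flag targets that do not answer.
# Assumption: run on a domain-joined host with Resolve-DnsName and Test-NetConnection
# available. A DC that is merely powered off keeps its SRV records, so clients that
# pick it at random wait for a timeout before falling back to the next DC.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

# The locator records clients query when they look for a DC in this domain.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

$Report = foreach ($Name in $SrvNames) {
    # Keep only the SRV answers; the additional section also carries A records.
    $Records = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($Rec in $Records) {
        # Probe the advertised port on the advertised target (LDAP 389 / Kerberos 88).
        $Up = Test-NetConnection -ComputerName $Rec.NameTarget -Port $Rec.Port `
            -WarningAction SilentlyContinue -InformationLevel Quiet
        [pscustomobject]@{
            SrvRecord = $Name
            Target    = $Rec.NameTarget
            Port      = $Rec.Port
            Priority  = $Rec.Priority
            Weight    = $Rec.Weight
            Reachable = [bool]$Up
        }
    }
}

$Report | Sort-Object SrvRecord, Target | Format-Table -AutoSize

# Any target listed here is still advertised to clients but not serving them.
$Stale = $Report | Where-Object { -not $_.Reachable } |
    Select-Object -ExpandProperty Target -Unique
if ($Stale) {
    Write-Warning "Advertised DC targets that do not answer (clients time out on these first):"
    $Stale | ForEach-Object { Write-Warning "  $_" }
    Write-Warning "Demote the DC cleanly, or run metadata cleanup, so these records are removed."
}
else {
    Write-Host "All advertised DC SRV targets are reachable."
}
```

Run it on a client after demoting (or cleanly removing) the old DC to confirm its records are gone; if the host has only one DC and the records still list a second one, DNS scavenging or metadata cleanup is the place to look.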


Steve Bantz (IT Manager, Author) commented:
Will, thanks for the great explanation and that makes perfect sense.  I did demote the 2003 DC and things seem to be going well.  It hadn't occurred to me until you pointed it out that clients will continue to look for the powered off DC by chance by looking for the SRV records.  Now that the 2003 DC has written itself out of AD, things seem fine.
Will Szymkowski (Senior Solution Architect) commented:
Excellent! Glad it's resolved.
