quincyprentice
asked on
Active Directory 2003 to 2012 Migration
My environment consists of two Windows Server 2003 DCs and I am looking to migrate to a Windows Server 2012 AD.
I started by adding a Windows Server 2012 DC, however, I have seen some errors in the following:
- In the system log on the 2012 DC I have seen a few 5722, 5723 and 5895 errors.
- Periodically there are very high logon times when logging on to the 2012 DC.
- The BPA on the 2012 DC indicates that the zone _msdcs is not available even though I see it in the DNS management console.
ASKER
I ran the DCDIAG command as suggested and everything passed except the System Log. Please see output below.
Starting test: SystemLog
An error event occurred. EventID: 0xC0001B63
Time Generated: 10/19/2015 23:18:31
Event String:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
An error event occurred. EventID: 0xC0001B63
Time Generated: 10/19/2015 23:19:01
Event String:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.
An error event occurred. EventID: 0xC0001B58
Time Generated: 10/19/2015 23:19:01
Event String:
The Smart Card Device Enumeration Service service failed to start due to the following error:
......................... NIA-DC-04 failed test SystemLog
Check event log system/security log settings to increase its size as well as whether it should delete old records as needed versus having to wait 7 days. In your case when there were many events, the log could have gotten filled up, and could not add more because of the prior reference limit.
ASKER
Thanks. I cleared the system event log and re-ran DCDIAG and it passed all of the tests without any issues. However, the log did not appear to be full. It was set to 2MB and overwrite once it maxed out.
ASKER
Any suggestions on the _msdcs issue in the DNS BPA scan? I reran the scan after the DCDIAG passed and I still get the error about the _msdcs zone being unavailable.
Look at the local DNS server to see what is going on.
There is a DNS prep one had to run.
I think if memory serves, during the dcpromo a warning pops up dealing with that issue.
The following link includes steps needed to transition from your current addomain.suffix structure to the split where _msdcs.addomain.suffix is separate/delegated from the addomain.suffix.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/175b2a01-1c3f-4c9e-a295-490cbcceb41e/active-directory-integrated-dns-zone-error-in-dns-bpa?forum=winserverDS
ASKER
Thanks Arnold. So let's get this straight:
My domain's current naming structure is:
xxx.yyy.com
There is no _msdcs.xxx.yyy.com zone, however, it does exist as a subfolder inside the xxx.yyy.com.
So that means that I need to create the _msdcs.xxx.yyy.com zone?
The other parts are a bit unclear. Once I have created the _msdcs.xxx.yyy.com zone should I delete the existing subfolder inside xxx.yyy.com? And subsequently should I be recreating a delegation for the _msdcs inside of xxx.yyy.com?
Additionally, do I need to have a delegation for the xxx zone inside of yyy.com zone that I also have on my DNS server?
You should not delete the inner _msdcs.
The subsequent updates will populate the _msdcs.
I think the discussion in the link covered the transition.
Is your setup that xxx.yyy.com is a child domain of yyy.com?
Delegation often is only needed when yyy.com exists as its own domain on a different set of DNS servers than the ones that xxx.yyy.com is on.
ASKER
Ok.
The _msdcs zone has been populated. I reran the BPA and now I get an error saying that -
Error DNS: The DNS server <A.B.C.D> on the Ethernet must resolve PDC resource records for the domain controller.
To answer the question about the domains.
corp.contoso.com - Active Directory Domain
In DNS there is also a zone contoso.com (This allows me to redirect services like www, mail to their internal addresses.)
Inside the contoso.com zone there is a subfolder for corp that just has two host records (2 of the DC's in the domain. I'm not sure why the third isn't there). Previously, I think that this zone was delegated.
Example contoso.com an AD integrated zone to be available on all DCs DNS? Either way add the NS record delegating Corp to all DCs. In this zone, you have to cleanup when a previously delegated DNS server is no longer available, this zone will not be auto managed.
Or you would need to add it to each.......
I suspect the lookup for nslookup -q=srv _ldap._tcp._msdcs.corp.contoso.com (do not have the full name to lookup)
NTDS might not have yet registered the DCs all over the _msdcs. You have DC, sites,.......... That using the nslookup -q=srv is the query to locate a DC, if you have sites, a DC query is site based to get the closest DC to the system needing ........
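As an added check (not posted by anyone in this thread), a PowerShell script that resolves the _msdcs DC locator SRV records the DNS BPA and nslookup -q=srv depend on (including the site-specific and PDC records), confirms whether _msdcs is a separate zone on the local DNS server, and lists which DCs hold the global catalog. It assumes it runs on a 2012 DC with the ActiveDirectory and DnsServer RSAT modules available; every name is read from AD rather than hard-coded.

```powershell
# Added example, not from the thread: check the DC locator records under _msdcs,
# the _msdcs zone itself, and GC placement. Assumes RSAT AD/DNS modules on a DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain    = Get-ADDomain
$forest    = Get-ADForest
$dnsServer = $env:COMPUTERNAME                     # query the local DC's DNS, as the BPA does
$thisDc    = Get-ADDomainController -Identity $env:COMPUTERNAME
$site      = $thisDc.Site

# Locator records clients use to find a DC; 'pdc' is the one the BPA flagged,
# and the _sites entry is what a site-aware DC query resolves first.
$queries = @(
    "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_ldap._tcp.pdc._msdcs.$($domain.DNSRoot)",
    "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_ldap._tcp.$site._sites.dc._msdcs.$($domain.DNSRoot)",
    "_ldap._tcp.gc._msdcs.$($forest.RootDomain)"
)

foreach ($q in $queries) {
    try {
        $srv = Resolve-DnsName -Name $q -Type SRV -Server $dnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        Write-Host ("OK      {0} -> {1}" -f $q, $targets)
    } catch {
        # NXDOMAIN here means the record was never registered or the zone is not served locally
        Write-Warning ("MISSING {0}: {1}" -f $q, $_.Exception.Message)
    }
}

# Is _msdcs.<domain> a zone of its own on this server, or still only a folder inside the domain zone?
$msdcsZone = Get-DnsServerZone -Name "_msdcs.$($domain.DNSRoot)" -ErrorAction SilentlyContinue
if ($msdcsZone) {
    Write-Host ("_msdcs zone present: type {0}, AD-integrated {1}" -f $msdcsZone.ZoneType, $msdcsZone.IsDsIntegrated)
} else {
    Write-Warning "_msdcs.$($domain.DNSRoot) is not a separate zone on $dnsServer"
}

# Each DC should show IsGlobalCatalog = True; the PDC emulator appears under OperationMasterRoles.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
```

A MISSING line for a record that should exist is the condition the thread resolved by forcing re-registration on the PDC; a missing _msdcs zone matches the BPA warning the asker started with.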
ASKER
Think I got it resolved.
I ran netdiag /fix on the DC with the PDC role and it was able to re-register the missing DNS records. The BPA scan now runs without any errors.
Thanks again for your assistance.
Once that is resolved, make sure using Sites and Services (NTDS Settings) that this and the other servers are global catalog (GC) servers as well.