Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Domain Controller upgrade failure - help needed to sort out the mess

Posted on 2016-07-17
4
Medium Priority
?
94 Views
Last Modified: 2016-07-20
We have 3 x DC's on site.  We are in the process of upgrading them all to 2012r2.

Yesterday I began with first one, a 2008r2 machine ("DC3") which I was doing an in-place upgrade to 2012r2 (yeah, I know that this was a mistake now).

This server does NOT have any FSMO roles.

Everything seemed to go fine with the in-place upgrade until I installed the 250+ Windows updates.  When I rebooted the server just hang on the loading screen.  I tried everything to get it going, but I had no luck.  After trying to fix boot records etc the machine was even trying to boot into its old 2008r2 OS.  Not good.

In the end I had to admit defeat and rebuild the machine from scratch.  I gave it the same name and IP address.

However, as I was not able to cleanly demote this DC I had to perform a metadata cleanup.

Once I had completed the metadata cleanup, I added the rebuilt DC to the domain and promoted it via the GUI.  I had a couple of snags regarding the GUI hanging on "Creating the NTDS settings object", but I was able to resolve it by following this fix:  

https://andernetwork.wordpress.com/2013/04/02/active-directory-2012-installation-stalls-at-the-creating-the-ntds-settings-object/ 

(in particular the comment by fulloutpullin)

So, everything appeared to complete OK, but I have some problems....

1.) If I look in AD sites and Services, the new DC is there but the NTDS settings are empty.
2.) If I open DNS on one of the other two DC's and try to add DC3 it fails.
3.) I cannot ping or RDP to DC3 (the firewall is off)

I need help to know what to do next!  

Should I attempt to fix the problem?
Should I demote DC3 again (hoping it does it cleanly), rebuild the server from scratch and start again with a different name and IP?
0
Comment
Question by:fieldj
  • 2
4 Comments
 

Author Comment

by:fieldj
ID: 41716328
I have been doing some research and wonder if I problem might be caused by the fact that I set the DNS settings on the NIC on DC3 as follows BEFORE configuring DNS...

Preferred  DNS Server XXX.XX.4.21 (this is DC3's own IP)
Second: XXX.XX.4.26 (DC1)
Third: XXX.XX.4.33 (DC2)
Fourth: 127.0.0.1

I am wondering if I have created a DNS 'island'?  (although the blogs etc I have read seem to suggest this is only an issue with Server 2003 and earlier).
0
 
LVL 20

Accepted Solution

by:
Mal Osborne earned 2000 total points
ID: 41716352
If this were me, I would rebuild the box from bare metal in a heartbeat. Patch it fully prior to making it a DC.

Although upgrading a DC is technically supported, I would advise strongly against it.  This path rarely fails, and is usually way easier and cleaner than upgrading.
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 41719896
It wouldn't hurt to change the DNS settings so that it only uses the other two DCs for DNS until all of the issues are ironed out.

3.) I cannot ping or RDP to DC3 (the firewall is off)

The firewall service isn't stopped, is it? That causes all kinds of network-related issues in my experience.
0
 

Author Comment

by:fieldj
ID: 41720255
HI all,

Just to confirm I had to rip this up and start from the beginning again - with a different name for the DC.

Doe to the problems I had during setup, I also couldnt cleanly demote it so had to do a metacleanup again.

I think the DNS settings were certainly causing complications.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits …
This is an article on how to answer questions, earn points and become an expert.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question