Solved

Domain does not exist or could not be contacted on DC after migration to W2012 R2 from SBS 2011

Posted on 2016-08-20
Last Modified: 2016-09-08
I migrated SBS 2011 to Windows 2012 R2 and all seemed to go well.  Removed Exchange and SharePoint from SBS, transferred all the roles to W2012, same with DHCP, etc.  Replication between the two was working fine.  I then went to dcpromo out the SBS server but it said it could not contact the domain.  I went ahead and forced the removal knowing I had backups (both are VMs and had their virtual files backed up on the host).

Right after the migration, I added several clients to the domain, no problem, so domain access was not a problem.  But now I have an orphaned server, 2012.  Much to my horror, I was unable to restore the .vhd file for SBS. It's there for over two weeks but none will restore.

So I tried restoring the 2012 file and could do that, but rebooting with the older disk gives me the exact same error.

I figured this was a DNS issue, and sure enough, msdcs.<domain> was not a zone.  When I created it, it got populated exactly as I think it should.  I compared it to DNS in another domain I have access to, and it is complete.

When I first tried NSLOOKUP, I got no results and it apparently seemed to use the IPv6 address ::1.  I unchecked that protocol on the network adapter (it was that way on my reference server), but still got no server found.  After adding the msdcs zone, NSLOOKUP seems to work:

C:\Users\<user>>nslookup
Default Server:  hd-dc.<domain>.com
Address:  192.168.10.15

> set type=all
> _ldap._tcp.dc._msdcs.<domain>.com
Server:  hd-dc.<domain>.com
Address:  192.168.10.15

_ldap._tcp.dc._msdcs.<domain>.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = hd-dc.<domain>.com
hd-dc.<domain>.com  internet address = 192.168.10.15
>


However, when I run dcdiag I get this at the end

Starting test: LocatorCheck
   Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
   A Global Catalog Server could not be located - All GC's are down.
   Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
   A Time Server could not be located.
   The server holding the PDC role is down.
   Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
   1355
   A Good Time Server could not be located.
   Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
   A KDC could not be located - All the KDCs are down.


I then ran ntdsutil to check on roles.  I could not connect to the domain but could connect to the server.  When I tried to seize a role, I got an error but it listed all five roles as belonging to that server.  Assume the error was because it already held the role.

I then tried to do a metadata cleanup but it won't run because it can't connect to the domain.  So I ran ADSI Edit and while I couldn't connect to the domain I connected to the server.  I found two instances where the old server was referenced and deleted them.

Finally I removed several roles from the server that weren't really deployed yet.  Lots of restarts of NETLOGON, Active Directory Services and reboots on the server.

Now when I run nslookup, it resolves properly BUT I get the following message:

Server:  hd-dc.<domain>.com
Address:  192.168.10.15

DNS request timed out
*** Request to hd-dc.<domain>.com timed-out


Completely stumped on where to go from here.  I am focused on DNS, is that correct?  If so, what else can I do?  If not, where else to look?
Question by:lmheimendinger

Expert Comment

by:bas2754
In the Event logs, what does it show for Active Directory and DNS?  It seems like your DNS is probably integrated into AD and that the DNS is either not coming up or it is not properly stored in AD.

First Off:

1.  Is your DNS server actually started? It appears so based on your post, but something to be sure of.

2.  Is your DNS server on the 2012 server set to the proper address for resolution (i.e - itself)?  Microsoft says NOT to use 127.0.0.1 but that may be something you try.  The server should be pointing to its internal IP for DNS and the DNS server should be set to listen on that IP.

3.  Assuming both of the above are correct, have you tried running the following series of commands?

-  dcdiag /fix
- netdiag /fix

* You may need to fix any additional errors that may show from the above commands, however if it isn't too great an issue, they should resolve the problem for you...

- ipconfig /flushdns
- ipconfig /registerdns
- net stop server
- net start server

* Run the commands in the order listed above


Now look through the event logs for Active Directory, DNS, etc and see if you find any clues about what is going on there.

You have done so much already that it is hard to determine what exactly went wrong.  I can say that you should not ever manually remove a server unless it is literally dead or unrecoverable.  It is much, much better to demote the server properly.  It seems like in the initial setup, the new server did not get all the roles properly migrated before the SBS server was forced out of AD.

Let me know what happens with the commands above.
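The three checks in the comment above (DNS service state, DNS client pointing at the DC itself, and whether the locator records DsGetDcName needs actually resolve) can be run in one go. The script below is an added example for this thread, not code from the thread or from Microsoft; it assumes it is run elevated on the remaining DC and that the computer's DNS suffix is the AD domain name (override with -Domain otherwise).

```powershell
# Added example: DC locator pre-check. Run as administrator on the DC itself.
param(
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain   # assumption: DNS suffix == AD domain
)

$result = [ordered]@{}

# 1. Are the services a DC needs to advertise actually running?
foreach ($svc in 'DNS', 'NTDS', 'Netlogon', 'kdc', 'W32Time') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $result["svc:$svc"] = if ($s) { $s.Status } else { 'missing' }
}

# 2. Does the DNS client point at an address this server actually owns?
#    The IPv6 list is reported too, because nslookup picking ::1 (as in the
#    question) usually means IPv6 has a DNS server entry the DNS service does not serve.
$ownIps = @(Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
            ForEach-Object { $_.IPAddress })
$dns4 = @(Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object { $_.ServerAddresses })
$dns6 = @(Get-DnsClientServerAddress -AddressFamily IPv6 | ForEach-Object { $_.ServerAddresses })
$result['dns.client.v4']    = $dns4 -join ','
$result['dns.client.v6']    = $dns6 -join ','
$result['dns.pointsToSelf'] = [bool]($dns4 | Where-Object { $ownIps -contains $_ })

# 3. Do the locator SRV records resolve against this DC's own DNS service?
#    These are what DsGetDcName looks up before it fails with error 1355:
#    dc = any DC, gc = global catalog, kdc = Kerberos, pdc = PDC emulator (time source).
$srv = [ordered]@{
    dc  = "_ldap._tcp.dc._msdcs.$Domain"
    gc  = "_ldap._tcp.gc._msdcs.$Domain"
    kdc = "_kerberos._tcp.dc._msdcs.$Domain"
    pdc = "_ldap._tcp.pdc._msdcs.$Domain"
}
foreach ($k in $srv.Keys) {
    try {
        $rec = Resolve-DnsName -Name $srv[$k] -Type SRV -Server $ownIps[0] -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $result["srv:$k"] = ($rec | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
    } catch {
        # A missing gc/kdc record here is exactly the "All GC's are down" / "All the
        # KDCs are down" pair that dcdiag's LocatorCheck reports.
        $result["srv:$k"] = "MISSING ($($_.Exception.Message))"
    }
}

[pscustomobject]$result | Format-List
```

If `srv:gc` or `srv:kdc` comes back MISSING while `srv:dc` resolves, the zone is only partly populated and `ipconfig /registerdns` plus a Netlogon restart (`nltest /dsregdns` does the same without the restart) is the next step; if `dns.pointsToSelf` is false, fix the NIC first, since registration goes to whatever server the client points at.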

Author Comment

by:lmheimendinger
1.  DNS is started on the server.  Been working in it a lot!  Service shows started as well.
2. IPv4 has DNS pointing to itself, have tried with and without 127.0.0.1.
3. dcdiag /fix generates the same list of errors that dcdiag alone does, listed in my original post.
4.  Did the ipconfig stuff, rebooted afterwards, but will stop and start server and see if that does anything.
5. I agree on dcpromo, but my plan was to see if I could just do the cleanup and if not, restore the server.  Well, that should reinforce not to make assumptions about backups.

I will mention several "almost" things.  I can modify windows security by adding or altering users, but instead of the location showing the domain, it simply shows the DC.  But all the users are there.

I can do NSLOOKUP from client machines that also resolves correctly when it first executes, then gets the time out. I can ping around the network using computer names or fully qualified ones and get resolved, so DNS must be working...

Expert Comment

by:bas2754
Did you make sure the 2012 server is set as a Global Catalog server? Seems like a silly thing to check but I've seen that issue once or twice where a DC was installed and one removed as you are describing but the new DC was never set up as a Global Catalog server.

Author Comment

by:lmheimendinger
I certainly did set it to be a global catalog, and through AD Sites I also unchecked global catalog for the now disappeared SBS server.  In DNS, there is a container gc which has ldap records pointing to the server.

However you may be onto something.  I ran dsmod to query the server -isgc and got back a blank reply.  I then tried the command to set it to gc and got back could not find the domain.  Any clues as what else to try?

Expert Comment

by:bas2754
I think at this point it all comes down to just how important it is to maintain the current active directory structure vs simply deleting the ad configuration and starting it all over from scratch.

If it is absolutely critical to keep the ad configuration on a server as it is or actually as it was, then it may become necessary to call Microsoft and see if there's anything they can do to try to recover this.

Sometimes we search for a fix to the broken piece vs just replacing it.   The replacement is a pain but may be faster in the event details than trying to fix what is broken.

Expert Comment

by:Learnctx
After restoring have you followed this advice from MS?

https://support.microsoft.com/en-us/kb/316790

What are the DNS settings for the DC? It should be pointing to its own IP as primary DNS (in a single DC scenario) otherwise another DC in the site with itself as secondary and 127.0.0.1 as tertiary.

Make sure that the time service is running. Have you set your new DC as the authoritative for the domain, and is it looking to a valid time server?

Run:
repadmin /options

It should say "Current Options: IS_GC" in the output if the server is a GC. Otherwise run:

repadmin /options +is_gc

Run the following to make sure that the time service info is updated and the DC tries to reregister all its relevant records:

W32tm /config /reliable:yes /update
dcdiag /fix
netdiag /fix

Expert Comment

by:saumik belel
* Go through DNS Manager, expand all the sections and just manually delete the records that correspond to the old Server.

* Remove the old domain controller entry from Active Directory Sites and Services.

*  If you are using DHCP remove the old DNS server entry.

* Run this command to check errors on your DNS server "dcdiag /test:dns".

* Run this command to check active directory errors "Dcdiag /q"

* Check time source on PDC server "w32tm /query /source". Make sure it is syncing time from external source.

Net Stop W32Time
W32tm /config /syncfromflags:manual /manualpeerlist:"pool.ntp.org"
W32tm /config /reliable:yes
Net Start W32Time
W32tm /config /update
W32tm /resync

* Kindly take a look at the below document, hope it helps.
How to remove data in Active Directory after an unsuccessful domain controller demotion.
https://support.microsoft.com/en-in/kb/216498
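The two comments above boil down to four post-cleanup checks: stale DNS records for the removed DC, the IS_GC flag, the time source, and (the one nobody has named yet, but which is what the Advertising test depends on) whether SYSVOL and NETLOGON are actually shared. The script below is an added example for this thread, not code from either commenter; it assumes the DnsServer module and the repadmin/w32tm tools that come with the roles, that it runs elevated on the surviving DC, and it takes the old DC's address from the author's later post (192.168.10.2) with a placeholder host name you should replace.

```powershell
# Added example: post-cleanup checks for the remaining DC. Run as administrator.
param(
    [string[]]$OldDc  = @('192.168.10.2', 'old-sbs'),               # 192.168.10.2 per the author; host name is a placeholder
    [string]  $Domain = (Get-CimInstance Win32_ComputerSystem).Domain # assumption: DNS suffix == AD domain
)

$issues = New-Object System.Collections.Generic.List[string]

# 1. DNS records that still name the dead DC. The _msdcs zone is searched as well,
#    because a CNAME/SRV there pointing at the old server sends clients nowhere.
$stale = foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue | ForEach-Object {
        $d   = $_.RecordData
        $hit = $false
        if ($d.IPv4Address) { $hit = $OldDc -contains $d.IPv4Address.ToString() }     # A records
        foreach ($target in @($d.DomainName, $d.HostNameAlias, $d.NameServer)) {     # SRV, CNAME, NS
            if ($target) { foreach ($o in $OldDc) { if ($target -like "$o*") { $hit = $true } } }
        }
        if ($hit) { [pscustomobject]@{ Zone = $zone; Record = $_ } }
    }
}
foreach ($s in $stale) {
    $issues.Add("stale DNS record in $($s.Zone): $($s.Record.HostName) ($($s.Record.RecordType))")
}

# 2. Global catalog flag, as repadmin reports it ("Current DSA Options: IS_GC").
$opts = (& repadmin.exe /options) -join ' '
if ($opts -notmatch '\bIS_GC\b') {
    $issues.Add('DC is not flagged as a global catalog; run: repadmin /options +IS_GC')
}

# 3. Time source. A lone DC still syncing from its own CMOS clock, or from the removed
#    DC, keeps failing the TIME_SERVER locator test.
$source = ((& w32tm.exe /query /source) -join ' ').Trim()
$badSource = ($source -match 'Local CMOS Clock|Free-running') -or
             [bool]($OldDc | Where-Object { $source -like "*$_*" })
if ($badSource) {
    $issues.Add("time source is '$source'; configure an external NTP peer and /reliable:yes")
}

# 4. Netlogon only advertises the DC once SYSVOL is shared, so a missing share explains
#    error 1355 even when every DNS record is perfect.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        $issues.Add("$share share is missing; the DC will not advertise until SYSVOL is shared")
    }
}

# Show what would be deleted; drop -WhatIf once the list has been reviewed.
foreach ($s in $stale) {
    Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $s.Record -Force -WhatIf
}
if ($issues.Count) { $issues } else { 'no issues found' }
```

The -WhatIf is deliberate: an A record for the zone apex (same-as-parent) exists once per DC address, and deleting the wrong one takes the surviving DC off the air too, so read the list before removing anything.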

Author Comment

by:lmheimendinger
I was finally able to run metadata cleanup which detected the lost DC and removed it.  But dcdiag /test:dns is still showing some traces of it.  Its IP address was 192.168.10.2 and the hd-dc DC is 192.168.10.15.  I think a big problem that the test showed is the missing IPv6 records for the server in DNS.  How the heck do I get that?  I enabled it on the NIC, did IPCONFIG /ALL and grabbed the result (sort of) but still got the same missing errors.

Here is the result of dcdiag /c

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HD-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\HD-DC
      Starting test: Connectivity
         ......................... HD-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\HD-DC
      Starting test: Advertising
         Fatal Error:DsGetDcName (HD-DC) call failed, error 1355
         The Locator could not find the server.
         ......................... HD-DC failed test Advertising
      Starting test: CheckSecurityError
         No KDC found for domain <DOMAIN>.com in site
         Default-First-Site-Name (1355, NULL)
         [HD-DC] Unable to contact a KDC for the destination domain in it's own
         site.  This means either there are no available KDC's for this domain
         in the site, *including* the destination DC itself, or we're having
         network or packet fragmentation issues connecting to it.  We'll check
         packet fragmentation connection to the destination DC, make
         recommendations, and continue.
          The KDC on HD-DC isn't responsive, please verify that it's running
         and advertising.
         No KDC found for domain <DOMAIN>.com in site (ALL SITES) (1355,
         NULL)
         [HD-DC] Unable to contact a KDC for the destination domain.  If no KDC
         for the destination domain is available, replication will be blocked!
         If there is some KDC for that domain available, check network
         connectivity issues or see possible packet fragmentation issues above.
         [HD-DC] No security related replication errors were found on this DC!
         To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... HD-DC passed test CheckSecurityError
      Starting test: CutoffServers
         ......................... HD-DC passed test CutoffServers
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... HD-DC failed test FrsEvent

Author Comment

by:lmheimendinger
The issue is fixed.

The first problem was that SYSVOL got corrupted by having both the policies and scripts folders go missing.  This was causing the NETLOGON and SYSVOL shares to disappear after a reboot even though they were manually created.  Making a registry change allowed them to be created and operate correctly.  The only downside is that the group policies will need to be created.

Once that was done, AD services became available again, and with some minor tweaks here and there, the domain is back in good shape once more.  I will post some particulars of the above later.

Accepted Solution

by:lmheimendinger
1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\ and take a backup via export.
2. There was a sysvol seeding key created which was pointing towards the old domain controller, which should not be there since the same had been cleaned up. We had the backup of the registry so we deleted the sysvol hardcoded key.
3. From the command line, net stop ntfrs.
4. Regedit to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets and in the sysvol replication GUID updated the value to D4.
5. Created the policies folder in the sysvol folder since the same was missing.
6. Using the command line utility initiated the command net start ntfrs.
7. Opened the event viewer and verified that we had the event ID 13516 registered, which showed that the netlogon and sysvol were now registered and the domain controller was now advertising itself as a domain controller.
8. From the command line utility initiated the command dcgpofix to restore the default domain policies and the default domain controller policies.
9. dcdiag /v to verify all required tests working.
10. Net stop dns, net stop netlogon, net start dns and net start netlogon.

That should fix it.
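The accepted solution is the FRS authoritative restore (BurFlags = D4) from Microsoft's KB 290762, with the extra step of deleting a leftover seeding entry. Scripted form below, as an added example and not the author's own steps verbatim: it keeps the registry export first, waits for event 13516 instead of eyeballing the log, and makes the dcgpofix step opt-in because it wipes whatever survives of the Default Domain and Default Domain Controllers policies. It assumes a single remaining DC whose SYSVOL is still FRS-replicated (the normal state after an SBS 2011 migration), that it runs elevated on that DC, and that the "SysVol Seeding" sub-key layout is as the author describes; the Policies/scripts path and the BurFlags location under Cumulative Replica Sets are from the KB.

```powershell
# Added example: FRS authoritative SYSVOL restore (D4) for a lone DC. Run as administrator.
[CmdletBinding()]
param(
    [string]$ReplicaSetGuid,      # optional: GUID under "Cumulative Replica Sets"; auto-picked if only one
    [switch]$RestoreDefaultGpos,  # runs dcgpofix; destroys any surviving edits to the two default GPOs
    [int]   $WaitSeconds = 600
)
$ErrorActionPreference = 'Stop'

$ntfrsKey = 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs'
$params   = "HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters"
$sysvol   = Join-Path $env:SystemRoot 'SYSVOL\domain'   # SYSVOL\sysvol\<domain> is a junction to this

# 1. Export the whole NtFrs key before touching anything (same as the author's step 1).
$backup = Join-Path $env:TEMP ("NtFrs-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $ntfrsKey $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# 2. A leftover seeding entry tells FRS to seed SYSVOL from a parent DC that no longer
#    exists, so the restore would wait on a ghost. Sub-key layout as described in the thread.
$seeding = "$params\SysVol Seeding"
if (Test-Path $seeding) {
    Get-ChildItem $seeding | ForEach-Object {
        $parent = (Get-ItemProperty $_.PSPath).'Replica Set Parent'
        Write-Host "Removing seeding entry '$($_.PSChildName)' (parent: $parent)"
        Remove-Item $_.PSPath -Recurse -Force
    }
}

# 3. Stop FRS, then mark the SYSVOL replica set authoritative: BurFlags = 0xD4 (D2 would be
#    "non-authoritative, pull from a partner", which is wrong when there is no partner left).
Stop-Service ntfrs -Force
$sets = "$params\Cumulative Replica Sets"
if (-not $ReplicaSetGuid) {
    $guids = @(Get-ChildItem $sets | ForEach-Object { $_.PSChildName })
    if ($guids.Count -ne 1) { throw "Expected one replica set under '$sets', found $($guids.Count); pass -ReplicaSetGuid" }
    $ReplicaSetGuid = $guids[0]
}
Set-ItemProperty -Path "$sets\$ReplicaSetGuid" -Name BurFlags -Value 0xD4 -Type DWord

# 4. Recreate the folders whose absence kept the shares from appearing after each reboot.
foreach ($dir in 'Policies', 'scripts') {
    New-Item -ItemType Directory -Path (Join-Path $sysvol $dir) -Force | Out-Null
}

# 5. Start FRS and wait for event 13516 (SYSVOL shared, DC advertising again).
$start = Get-Date
Start-Service ntfrs
$deadline = $start.AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 15
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $start } `
                       -ErrorAction SilentlyContinue
} until ($ev -or (Get-Date) -gt $deadline)
if (-not $ev) { throw "Event 13516 not logged within $WaitSeconds s; look for 13508/13568 in the File Replication Service log" }

# 6. With SYSVOL shared, Netlogon can advertise: bounce DNS and Netlogon so the locator
#    records re-register, optionally rebuild the default GPOs, then let dcdiag confirm.
Restart-Service DNS, Netlogon
if ($RestoreDefaultGpos) { & dcgpofix.exe /ignoreschema /target:Both }
& dcdiag.exe /test:Advertising /test:NetLogons /test:SysVolCheck
```

Two caveats for anyone reusing this outside a one-DC domain: D4 goes on exactly one DC and D2 on every other one, never D4 on several, and the restored copy becomes authoritative for all of them; and because SYSVOL on a 2012 R2 DC should not stay on FRS once things are healthy, the follow-up is the DFSR migration (`dfsrmig`), which the thread does not cover.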

Author Closing Comment

by:lmheimendinger
this worked very well