2nd PDC does not replicate any more

Hi
I have one PDC, Server 2008 R2 (D2R03Q02), holding all FSMO roles, and a second PDC, Server 2012 R2 (PowerT130), which has not been replicating for more than a month.

On PDC1 the command repadmin /showrepl shows no errors.
On PDC2 the command repadmin /showrepl contains several errors.

netdom query fsmo shows all roles on PDC D2R03Q02.

Connectivity: I can ping both servers

If I try to transfer the FSMO roles to the second PDC PowerT130 I get the error "The current Operations master is offline. The role cannot be transferred."
But the PDC D2R03Q02 is up and running and I can ping it from the second PDC.

Dcdiag shows many errors and warnings on both PDCs.

Errors related to LDAP, for example,

or warnings like:

Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355

Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.

I attached the complete Dcdiag report dcdia.txt.


The DNSLint output looks good:

DNSLint Report

System Date: Fri Jul 20 23:42:26 2018

Command run:

dnslint /ad 192.168.1.6 /s 192.168.1.7 /v

 Root of Active Directory Forest:

    Ecole.Schulz.Local
Active Directory Forest Replication GUIDs Found:
 
DC: D2R03Q02
GUID: 1a3677e0-7a77-413b-b70d-f0ede03ff7af

DC: POWERT130
GUID: 3b114b99-edb5-4ed2-af3d-1bcd88514c8b


Total GUIDs found: 2


The following 3 DNS servers were checked for records related to AD forest replication:

DNS server: User Specified DNS Server
IP Address: 192.168.1.7
 UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
 Authoritative name server: d2r03q02.Ecole.Schulz.Local
Hostmaster: hostmaster.Ecole.Schulz.Local
Zone serial number: 58474
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
 d2r03q02.ecole.schulz.local 192.168.1.7
 powert130.ecole.schulz.local 192.168.1.6




Alias (CNAME) and glue (A) records for forest GUIDs from server:
 CNAME: 1a3677e0-7a77-413b-b70d-f0ede03ff7af._msdcs.Ecole.Schulz.Local
Alias: d2r03q02.Ecole.Schulz.Local
Glue: 10.132.74.7

CNAME: 3b114b99-edb5-4ed2-af3d-1bcd88514c8b._msdcs.Ecole.Schulz.Local
Alias: powert130.Ecole.Schulz.Local
Glue: 192.168.1.6


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0




DNS server: d2r03q02.ecole.schulz.local
IP Address: 192.168.1.7
 UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
 Authoritative name server: d2r03q02.Ecole.Schulz.Local
Hostmaster: hostmaster.Ecole.Schulz.Local
Zone serial number: 58474
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
 powert130.ecole.schulz.local 192.168.1.6
 d2r03q02.ecole.schulz.local 192.168.1.7




Alias (CNAME) and glue (A) records for forest GUIDs from server:
 CNAME: 1a3677e0-7a77-413b-b70d-f0ede03ff7af._msdcs.Ecole.Schulz.Local
Alias: d2r03q02.Ecole.Schulz.Local
Glue: 10.132.74.7

CNAME: 3b114b99-edb5-4ed2-af3d-1bcd88514c8b._msdcs.Ecole.Schulz.Local
Alias: powert130.Ecole.Schulz.Local
Glue: 192.168.1.6


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0




DNS server: powert130.ecole.schulz.local
IP Address: 192.168.1.6
 UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
 Authoritative name server: powert130.Ecole.Schulz.Local
Hostmaster: hostmaster.Ecole.Schulz.Local
Zone serial number: 58491
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
 d2r03q02.ecole.schulz.local 192.168.1.7
 d2r03q02.ecole.schulz.local 32.2.178.174
 powert130.ecole.schulz.local 192.168.1.6
 powert130.ecole.schulz.local 42.2.18.30




Alias (CNAME) and glue (A) records for forest GUIDs from server:
 CNAME: 1a3677e0-7a77-413b-b70d-f0ede03ff7af._msdcs.Ecole.Schulz.Local
Alias: d2r03q02.Ecole.Schulz.Local
Glue: 10.132.74.7

CNAME: 3b114b99-edb5-4ed2-af3d-1bcd88514c8b._msdcs.Ecole.Schulz.Local
Alias: powert130.Ecole.Schulz.Local
Glue: 192.168.1.6


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0




Notes:
Zone serial numbers were not identical on every DNS server


Could anybody give me a hint what to do?

Thanks a lot for your help

Enzo
dcdia.txt
Enzo Matafora, IT Coordinator, asked:
Lee W, MVP, Technology and Business Process Advisor, commented:
Are SysVol and Netlogon shared on both DCs? What's the status of repadmin /showrepl? If it's been LESS than 60 days since they last communicated, you can resurrect the broken system. If it's been more than that, you have to demote it and repromote it if you want it to be a DC (though you'll have to go through a metadata cleanup before repromoting, and you'll likely have to use /forceremoval on the one with the issues).
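The three things this reply asks the poster to establish (are SYSVOL and NETLOGON shared, what does repadmin /showrepl say, and is the outage inside the tombstone lifetime) can be gathered in one pass. The following is an added example, not Lee W's script; it runs on a DC with the ActiveDirectory module from Windows Server 2012 or later (Get-ADReplicationPartnerMetadata is not in the 2008 R2 module) and reads the real tombstone lifetime from the configuration partition instead of assuming 60 days.

```powershell
# Added example: health snapshot for the checks asked for above.
Import-Module ActiveDirectory

# 1. SYSVOL and NETLOGON must both be shared on a healthy DC.
$shares = Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }
foreach ($name in 'SYSVOL', 'NETLOGON') {
    "{0,-9} shared: {1}" -f $name, ($shares.Name -contains $name)
}

# 2. Tombstone lifetime from the Directory Service object. An absent attribute
#    means the legacy default of 60 days (forests created on 2003 SP1+ get 180).
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$ds    = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties tombstoneLifetime
$tsl   = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# 3. Inbound replication per partner and partition (the same data repadmin /showrepl prints),
#    with the age of the last success compared against the tombstone lifetime.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition * |
    ForEach-Object {
        $ageDays = [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays
        $verdict = if ($ageDays -ge $tsl) {
            'beyond tombstone lifetime: demote (/forceremoval), metadata cleanup, repromote'
        } elseif ($_.LastReplicationResult -ne 0) {
            "failing (result $($_.LastReplicationResult)) but within lifetime: fix and resume"
        } else {
            'ok'
        }
        [pscustomobject]@{
            Partition   = $_.Partition
            # Partner is the partner's NTDS Settings DN; the second RDN is the server name.
            Partner     = (($_.Partner -split ',')[1]) -replace '^CN=', ''
            LastSuccess = $_.LastReplicationSuccess
            AgeDays     = $ageDays
            Verdict     = $verdict
        }
    } | Format-Table -AutoSize
```

The verdict column is the decision point in this thread: a partner past the tombstone lifetime cannot safely be brought back by fixing connectivity, because objects deleted on the healthy DC in the meantime may have been garbage-collected and would be reintroduced as lingering objects.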
Enzo Matafora, IT Coordinator (Author) commented:
Hi Lee,
thanks a lot for your answer.
Netlogon and SYSVOL are shared.
Actually the last successful replication was on May 23rd,
so it's 59 days ago (!)
repadmin /showrepl on the 2nd PDC (Server 2012) tells me that and shows errors.
repadmin /showrepl on PDC1 (Server 2008 R2) is OK, all successful.
I can log on to both PDCs,
but from the second PDC I cannot access the shared folders on PDC1.
What do you mean by resurrect?
Thanks for your help
Enzo
Enzo Matafora, IT Coordinator (Author) commented:
Hi Lee,
Attached are two screenshots of the dcdiag errors I see on both servers.
I don't know if this can help.

Thanks again
dcdiag_errors_PDC1-master-role-holde.png
dcdiag_errors_PDC2.png
Peter Hutchison, Senior Network Systems Specialist, commented:
Note, after 60 days, tombstoning occurs and it may not be possible to restart replication. You will have to decommission the 2nd DC and create a new 2nd DC by dcpromoting it, to ensure replication works again.
Enzo Matafora, IT Coordinator (Author) commented:
Hi Peter,
Thanks for replying. Yes, in fact I had to do a forceful demotion, and I am cleaning the metadata on PDC1 before promoting it again as a DC.
Have a nice day

Enzo
Member_8145579 commented:
Thank you very much for your reply.
Enzo Matafora, IT Coordinator (Author) commented:
Hi all,
After having demoted my DC, done my metadata cleanup on DC1, and uninstalled and reinstalled AD DS on the demoted DC, I tried to promote it again as a DC, but it is not able to contact the AD domain controller.

I can ping it using the IP address, but if I ping it using the name of the computer I get an answer showing me an old IP address that DC1 had before we changed the router and LAN configuration. I have this issue only on the second DC, which I would like to join to the domain and promote as a DC again. Note I had to demote it forcefully.

Thanks for any hints

EM
Lee W, MVP, Technology and Business Process Advisor, commented:
Did you run a DCDIAG to see what further problems you may have on that "good" DC?
Enzo Matafora, IT Coordinator (Author) commented:
Hi Lee,
Yes I did, and all tests passed except the systemlog test, where there are some warnings and errors concerning missing drivers for printers and one controller error on a HD drive.

The only problem I encounter now is when I try to promote the demoted DC: it can't find the Active Directory controller. I can ping both servers when I ping the IP address, but when I try to ping the name of the current DC it won't work. I think this must be a network card adapter issue; I'll tell you tomorrow if I can fix it.
Fortunately the school where I work as freelance admin is closed for the summer holidays. My objective is to join the second domain server (Srv 2012) again, and transfer all master roles from the old Server 2008 to the new one, while waiting for the replacement of the old Svr 2008.

Thanks again for your help

Regards

Enzo
DrDave242, Senior Support Engineer, commented:
I can ping it using the IP address, but if I ping it using the name of the computer I get an answer showing me an old IP address that DC1 had before we changed the router and LAN configuration.

It sounds like you've got some stale records in DNS.

Launch the DNS Manager console on DC1 and look in the domain forward lookup zone for the host (A) record with DC1's name. If you find one with an incorrect address, delete that record. Other places in DNS to look for that old address include the DomainDnsZones and ForestDnsZones folders in the domain forward lookup zone, and the gc folder inside the _msdcs.domain forward lookup zone. If you find records in any of these locations with addresses that are no longer held by any DCs in your domain, delete those records.

Once you're done deleting records, run ipconfig /flushdns and ipconfig /registerdns on DC1. Then, for good measure, restart its Netlogon service, though this isn't strictly necessary.

To help purge stale records from DNS in the future, you may want to consider enabling aging and scavenging. I highly recommend reading this article closely before doing so, though.
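The record hunt described above (DC1's own A record, the zone root, the DomainDnsZones and ForestDnsZones nodes, and gc inside _msdcs) can be done in one query per zone. This is an added example, not DrDave242's own procedure; it runs on the DNS server (DC1) with the DnsServer module, uses the zone name and the two current DC addresses from this thread as its constructed inputs, and reports candidates without deleting anything until the `$Delete` switch is flipped.

```powershell
# Added example: list (and optionally remove) DC-related A records whose address
# no longer belongs to any current DC, then re-register this DC's own records.
Import-Module DnsServer
$Domain   = 'ecole.schulz.local'
$Zones    = @($Domain, "_msdcs.$Domain")        # _msdcs is its own zone in this forest
$ValidDcs = @('192.168.1.7', '192.168.1.6')      # current DC addresses (from the thread)
$DcNames  = @('d2r03q02', 'powert130')           # DC host names (from the thread)
$Nodes    = @('@', 'DomainDnsZones', 'ForestDnsZones', 'gc', 'gc._msdcs') + $DcNames
$Delete   = $false                               # set to $true only after reviewing the report

$stale = foreach ($zone in $Zones) {
    # Without -Node the cmdlet returns every record in the zone, sub-nodes included;
    # HostName is '@' for the zone root and e.g. 'DomainDnsZones' or 'gc' for sub-nodes.
    Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
        Where-Object {
            $_.HostName -in $Nodes -and
            $_.RecordData.IPv4Address.IPAddressToString -notin $ValidDcs
        } |
        ForEach-Object {
            [pscustomobject]@{
                Zone   = $zone
                Host   = $_.HostName
                IP     = $_.RecordData.IPv4Address.IPAddressToString
                Record = $_
            }
        }
}

if (-not $stale) {
    'No stale DC-related A records found.'
    return
}
'Stale DC-related A records:'
$stale | Format-Table Zone, Host, IP -AutoSize

if ($Delete) {
    foreach ($s in $stale) {
        Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $s.Record -Force
    }
    # Same follow-up as in the reply above: flush, re-register, and restart Netlogon
    # so the DC locator records are rewritten with the current address.
    Clear-DnsClientCache
    Register-DnsClient
    Restart-Service Netlogon
}
```

Restricting the filter to the locator nodes and the DC names matters: the domain zone also holds A records for every workstation, and none of those should be touched by a DC cleanup.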
Enzo Matafora, IT Coordinator (Author) commented:
Hi, thanks again. I did this, checked all records as you told me, did what you said, but still I cannot promote it or simply join the domain.
I get the following errors, see attached errors.docx file.

I can ping the name of DC1 from other clients and it resolves correctly with the correct IP address. I only encounter the ping issue from the demoted server.

Strangely, one of the 2 network cards identifies the domain,
and I can even see the server on the network from DC2 (see attached file network cards),
but cannot access it; it says the path cannot be found.

Sorry to bother you with this, but I think the solution should not be far.

Thanks

Enzo
errors.rtf
network-cards.rtf
DrDave242, Senior Support Engineer, commented:
Can you disable all NICs on that server except the one that can see the domain, then make sure that NIC is configured to use only DC1 for DNS? After doing so, run ipconfig /flushdns to clear everything out of the resolver cache, then try joining the domain again.

Also, the NIC configuration appears to indicate that this server is a Hyper-V host. If that's true, it should only be a Hyper-V host and shouldn't run any other roles, for both technical and licensing reasons. If you need another DC, I highly recommend creating a VM for that purpose rather than promoting the host.
Enzo Matafora, IT Coordinator (Author) commented:
OK, I did this also, but I still cannot join the domain.
If I put a static IP it doesn't identify the domain any more; if I put it on DHCP it identifies it again, but I still get the old DC1 IP when I ping the name, and it times out.
If I try to join the domain I get "Domain cannot be contacted".
DC1 works properly; I can access it from any other client and ping it correctly, so I guess the issue must be on the demoted DC2.

ipconfig /all on DC2 shows that it has an IP address from the scope of the DHCP on DC1 and the DNS suffix of the domain (see attached file).
I really don't get it.

I installed the Hyper-V role just for training purposes at the beginning; I don't use it and can remove it.
ipconfig-DC2.rtf
DrDave242, Senior Support Engineer, commented:
What is 192.168.1.7? Is that DC1?

If so, what output do you get when you type nslookup ecole.schulz.local 192.168.1.7 on DC2?
Enzo Matafora, IT Coordinator (Author) commented:
Hi
I get the following output, see attached file.
Enzo Matafora, IT Coordinator (Author) commented:
Sorry, clicked on the wrong button.
Here is the file.
nslookup-from-second-server.png
Enzo Matafora, IT Coordinator (Author) commented:
And thanks for reading my questions.
Enzo Matafora, IT Coordinator (Author) commented:
Hi everybody
I think it was my fault: I found one more record of the old DC in the DNS. Now I can get access to the shares on DC1, so I think I'm getting closer to the solution, but here it's late now, so I will go on tomorrow with a clearer head.

Thanks a lot for all your comments and help; it was really helpful.

I'll tell you tomorrow if I can finally promote this server :)

Best regards

Enzo
Enzo Matafora, IT Coordinator (Author) commented:
Hi guys, sorry to bother you again, but I still cannot promote.
When I start the promote process it finds the domain and then I get the error "An active Domain Controller for the domain could not be found" (see attached file).
I attach also the ipconfig of DC2.
I can see DC1 on the network from the server that won't promote; it asks me for credentials but I cannot access it (last night I could access the shares). (See attached file network and shares.)

I am going nuts

Thanks for your help

Regards
Enzo
promote-fail.rtf
ipconfig.rtf
network-and-shares.rtf
Enzo Matafora, IT Coordinator (Author) commented:
And I still get the old IP address of DC1 when I ping the name or FQDN of DC1 from the demoted Server 2012.
Enzo Matafora, IT Coordinator (Author) commented:
Hi guys, so now I can ping the DC server name and it resolves OK; also if I ping the domain ecole.schulz.local it resolves,
but I still cannot join the domain. I guess I came one step further.

Thanks for your help
DrDave242, Senior Support Engineer, commented:
Is it still giving the same error when you try to join the domain, or does it say something else now?
Enzo Matafora, IT Coordinator (Author) commented:
Hi DrDave242,

Now if I ping the server name D2R03Q02 or the domain ecole.schulz.local it resolves OK.
If I ping the FQDN of the server D2R03Q02.ecole.schulz.local it times out and I see the old IP address of DC1.

If I try to join the server to the domain through Computer/Domain Changes I get the message "The network path was not found".
If I try to promote the Server 2012 to a DC with Server Manager it gets stuck with the error "An active domain controller for the domain ecole.schulz.local could not be contacted".

Yesterday I uninstalled and reinstalled the second NIC; I will do the same with the first NIC to see if it helps.


Thanks
Enzo
Enzo Matafora, IT Coordinator (Author) commented:
After having uninstalled and reinstalled NIC 1,
I cannot ping the server name anymore and again get the old IP address :(

So I'm not getting any further...
Peter Hutchison, Senior Network Systems Specialist, commented:
Open regedit on the server and check TCP/IP and IP address settings here:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Enzo Matafora, IT Coordinator (Author) commented:
Hi Peter,
Thanks, I checked the registry on DC1 and there are two records still containing old IP addresses. Can I simply delete them? I am not a registry specialist, so I prefer to ask.

Thanks for your help
Regards
Enzo
Peter Hutchison, Senior Network Systems Specialist, commented:
Yes, just edit the values and remove the old IP addresses and any gateway/router addresses as well.

If you have configured static addresses and then delete the network adapters, the static entries are not removed as well. So, before removing adapters, change the settings from static to dhcp and then remove the network adapter.
Enzo Matafora, IT Coordinator (Author) commented:
Hi Peter,
thanks for your precious help, but just to be on the safe side, as I really don't master registry issues and I have now only one DC running:

I enclose two screenshots from the registry of the running DC where I see old IP addresses and gateways.

What can I delete or modify?
Thanks for your answer

Enzo
registry1.png
registry2.png
DrDave242, Senior Support Engineer, commented:
If I ping the FQDN of the server D2R03Q02.ecole.schulz.local it times out and I see the old IP address of DC1.

Can you run nslookup d2r03q02.ecole.schulz.local from a command prompt on DC2 and post the output?

Also, please run net share from a command prompt on D2R03Q02 and confirm that the SYSVOL and NETLOGON shares are listed in the output.
Enzo Matafora, IT Coordinator (Author) commented:
Hi DrDave

Here enclosed are the two outputs; they seem OK to me.

Thanks for your help
netshare-dc1.png
nslookup-dc1.png
DrDave242, Senior Support Engineer, commented:
Why did nslookup return two addresses for D2R03Q02? What is 178.174.7.238?
Enzo Matafora, IT Coordinator (Author) commented:
This is a public IP address I use for RDP.
DrDave242, Senior Support Engineer, commented:
That may not be a good idea for a few reasons. There have long been issues with multihomed domain controllers. There's a very old KB article that talks about this, although I'm not certain it's still applicable. I've researched this a bit and found a number of discussion threads saying that multihomed DCs are still problematic, though.

It's also not a good idea from a security perspective to have a DC directly connected to the Internet. Since that NIC has a public IP, I'm assuming it's not behind a router. Since you're using it for RDP, you most likely have TCP port 3389 open. That's a very common attack vector, and even if you've changed the RDP listening port, it's still quite risky to have the DC exposed like that.

Security concerns aside, you don't want that DC registering its public IP address in the internal DNS, or you'll have internal machines trying to connect to it on that address intermittently because of the way round robin works. To prevent this, go to the TCP/IPv4 properties of that NIC, select Advanced, and then select the DNS tab. Uncheck the box labeled Register this connection's addresses in DNS. Run ipconfig /flushdns and ipconfig /registerdns, then check DNS again to see if that address is still there.
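The "Register this connection's addresses in DNS" checkbox, the flush/register step, and the follow-up check can all be scripted so that the public-facing NIC is found by its address rather than by guessing which adapter it is. This is an added example, not DrDave242's own steps; it runs on the multihomed DC (D2R03Q02 in this thread) and uses the thread's domain name, treating any non-RFC 1918 address on a DC NIC as public.

```powershell
# Added example: stop a DC's public-facing NIC from registering in internal DNS,
# then verify what the internal DNS still returns for this host.
$Domain = 'ecole.schulz.local'

# RFC 1918 test; anything else on a DC adapter is treated as a public address here.
function Test-PrivateIPv4 ([string]$ip) {
    $o = $ip.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. For every adapter holding a public address, do what unticking
#    "Register this connection's addresses in DNS" does in the TCP/IPv4 advanced DNS tab.
#    Only manually assigned and DHCP addresses are considered (this skips loopback and APIPA).
Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Manual, Dhcp |
    Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) } |
    ForEach-Object {
        "Disabling DNS registration on '$($_.InterfaceAlias)' ($($_.IPAddress))"
        Set-DnsClient -InterfaceIndex $_.InterfaceIndex -RegisterThisConnectionsAddress $false
    }

# 2. Flush the resolver cache and re-register the adapters that are still allowed to register.
Clear-DnsClientCache
Register-DnsClient

# 3. Verify against the DNS server itself (-DnsOnly bypasses the hosts file and the cache).
#    Re-registration adds current records but does not remove a previously registered
#    public address, so anything flagged here still has to be deleted on the DNS server.
Resolve-DnsName -Name "$env:COMPUTERNAME.$Domain" -Type A -DnsOnly |
    Where-Object Type -eq 'A' |
    ForEach-Object {
        $flag = if (Test-PrivateIPv4 $_.IPAddress) { '' } else { '   <-- public address still published; remove it on the DNS server' }
        "$($_.Name) -> $($_.IPAddress)$flag"
    }
```

The last step is the one that explains the author's later observation that the address was "still there" after the flush and register: dynamic registration only adds or refreshes records for the adapters that are allowed to register; it never deletes the record the public NIC left behind.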
Enzo Matafora, IT Coordinator (Author) commented:
Hi DrDave,
Yes, I understand your concerns, but I need to have remote access to the server, as my main work is in another location and I have to access it remotely; but I agree with your security concerns.

I just did what you told me and unchecked "Register this connection's addresses in DNS"; after the DNS flush and register, the address is still there.

My main concern at the moment is to add a second DC to assure replication and to transfer the master roles to the newer Svr 2012 (which I had to demote forcefully because it was not replicating any more). We are going to receive soon another Windows Server 2016 to replace the actual DC1 (Svr 2008 R2).
Thanks for your help
Enzo Matafora, IT Coordinator (Author) commented:
I cleaned the registry of DC1 of old IPs and did all the stuff listed in the different posts above, but when I try to ping the DC from the demoted server it resolves correctly when I ping the IP of DC1, but when I ping the server name it still shows an old IP and times out.
Enzo Matafora, IT Coordinator (Author) commented:
If I ping DC1 from any other client in the domain it resolves correctly. I can even access DC1 from my personal notebook via Wi-Fi connection and ping the IP, the server name or the FQDN and it all resolves correctly, so I assume the problem must be on the demoted server.
Enzo Matafora, IT Coordinator (Author) commented:
Hi guys,
I got a step further: now I can ping the IP and the server name from my demoted Server 2012. I can connect to the shares on DC1 \\D2R03Q02.

But I still cannot join the domain.

If I ping the FQDN I still get this old 10.132.74.7 IP address, which was the old static IP of DC1, which is now 192.168.1.7.

I think I'll wait for the arrival of the new server and see if I have the same problems to join or promote to DC.

Thanks a lot anyway for your help
DrDave242, Senior Support Engineer, commented:
If I ping the FQDN I still get this old 10.132.74.7 IP address, which was the old static IP of DC1, which is now 192.168.1.7.

What's the exact FQDN you're pinging when you get that result?
Enzo Matafora, IT Coordinator (Author) commented:
D2R03Q02.ecole.schulz.local
DrDave242, Senior Support Engineer, commented:
Since nslookup doesn't return that address, it's coming from somewhere besides DNS. Since other machines don't resolve the name to that address, check the hosts file on the demoted server. Maybe it's in there.
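The reasoning in this reply (nslookup talks to the DNS server only, while ping goes through the full Windows resolver, so a disagreement between the two points away from DNS) can be made visible in one script. This is an added example, not part of DrDave242's answer; it runs on the machine giving the wrong answer (the demoted server) and uses DC1's FQDN from this thread as its constructed input.

```powershell
# Added example: compare the full resolver path with a DNS-only lookup and
# scan the hosts file for overriding entries.
$Fqdn  = 'd2r03q02.ecole.schulz.local'
$Hosts = "$env:SystemRoot\System32\drivers\etc\hosts"

# Full Windows resolver: hosts file, then cache, then DNS (what ping uses).
$fromResolver = [System.Net.Dns]::GetHostAddresses($Fqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

# DNS server only: -DnsOnly skips the hosts file and the cache (what nslookup sees).
$fromDns = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A' |
    ForEach-Object { $_.IPAddress }

"Resolver (hosts/cache/DNS): $($fromResolver -join ', ')"
"DNS server only          : $($fromDns -join ', ')"
if ($fromResolver -and $fromDns -and (Compare-Object $fromResolver $fromDns)) {
    'Mismatch: the answer is not coming from DNS. Check the hosts file below and ipconfig /displaydns.'
}

# Any non-comment hosts line whose name fields include the FQDN or the short name.
$short = $Fqdn.Split('.')[0]
$hostsHits = Get-Content $Hosts | Where-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return $false }
    $names = ($line -split '\s+') | Select-Object -Skip 1     # first field is the address
    ($names -contains $Fqdn) -or ($names -contains $short)    # -contains is case-insensitive
}

if ($hostsHits) {
    "hosts file entries overriding DNS for $Fqdn (remove them and let DNS answer):"
    $hostsHits
} else {
    "No hosts file entry for $Fqdn."
}
```

A hosts entry for a DC is worth treating as a finding in its own right, not just a nuisance: it silently pins the machine to an address nobody manages in DNS, which is why the symptom here survived every DNS-side cleanup in the thread.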

Enzo Matafora, IT Coordinator (Author) commented:
Yes, I think it must still be on this ex-DC2 server which I had to demote forcefully. I'll check, thanks for the hint.
Enzo Matafora, IT Coordinator (Author) commented:
Yes, there it was, in the hosts file. I removed it; I'll reboot and see what happens.
Enzo Matafora, IT Coordinator (Author) commented:
Or should I write the new IP in the hosts file?
DrDave242, Senior Support Engineer, commented:
Nope, just remove it and let DNS handle resolution of that name.
Enzo Matafora, IT Coordinator (Author) commented:
OK
Enzo Matafora, IT Coordinator (Author) commented:
I can ping and log on to the shares of DC1 from the server, but when I try to join the domain
I get the attached error.

And if I try to promote it from Server Manager it doesn't find an Active Directory controller.
errror-when-trying-to-join-domain.png
DrDave242, Senior Support Engineer, commented:
Check DNS for the SRV record mentioned in that error. Let me know if it's there.
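A domain join or promotion locates a DC through SRV records under _msdcs, so the check suggested here is best done for the whole set of locator records rather than one, and for each record's target as well. This is an added example, not DrDave242's own check; it runs on the machine that fails to join, uses the thread's domain name, and lists the standard locator records rather than the specific one named in the author's attached error, which this page does not reproduce.

```powershell
# Added example: query the DC locator SRV records from the failing client and
# confirm each target resolves to an address.
$Domain   = 'ecole.schulz.local'
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",       # any DC for the domain (the record a join looks up first)
    "_kerberos._tcp.dc._msdcs.$Domain",   # KDC on a DC
    "_ldap._tcp.pdc._msdcs.$Domain",      # PDC emulator
    "_ldap._tcp.gc._msdcs.$Domain",       # global catalog
    "_ldap._tcp.$Domain"                  # plain LDAP locator at the domain root
)

foreach ($name in $SrvNames) {
    # -DnsOnly asks the configured DNS server directly, bypassing hosts file and cache.
    $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    if (-not $srv) {
        "MISSING  $name  (no SRV record; on the DC run 'nltest /dsregdns' or restart Netlogon to re-register)"
        continue
    }
    foreach ($r in $srv) {
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A'
        $addr = if ($a) { ($a | ForEach-Object { $_.IPAddress }) -join ', ' } else { 'NO A RECORD for target' }
        "FOUND    $name  -> $($r.NameTarget):$($r.Port)  [$addr]"
    }
}

# Final check: ask the locator itself which DC it picks for the domain.
nltest /dsgetdc:$Domain /force
```

A target whose A record points at an address the DC no longer holds is exactly the stale-record condition dealt with earlier in this thread; the SRV record being present is not enough if its target resolves to the wrong place.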
Enzo Matafora, IT Coordinator (Author) commented:
Hi guys, I guess it was the different inputs of the different contributors which helped solve my problem, but especially the remarks from DrDave242 about the hosts file and the NIC adapter reinstall, and the remarks about cleaning up some registry keys, were essential.

Thanks a lot guys
Enzo Matafora, IT Coordinator (Author) commented:
Hi guys, the server promoted as DC and is now replicating correctly.
Thanks a lot for your help, I really appreciate it. Excellent forum.

So now I can relax for the weekend :)

Best regards from Geneva, Switzerland
Enzo Matafora, IT Coordinator (Author) commented:
Thanks a lot for your help.
DrDave242, Senior Support Engineer, commented:
You're welcome! I'm glad it's working now!