Domain Controllers Replication issue

Yousuf Shahzad 26

Hello

We have been facing the below issue for a long:

We have two Windows Server 2012 DCs. Both the DCs stopped replicating for a long time and the time exceeds more than 3 years.

I installed/promoted another DC and followed all the steps to replicate with the 1st one but when I create a user in any of the DCs, I need to refresh, and then I can see the change. Both the DCs do not replicate automatically. I did not demote the second faulty DC.

The second issue is when I shut down the first domain, our employees cannot access shared folders and the internet.

All our roles are in our first DC.

Schema Master
Domain Name Master
PDC
RID Pool Manager
Infrastructure Master

What could be the possible solution? Please provide me as soon as possible because we do not have any redundant DC and our first DC is on a virtual machine and that server is creating some problem and can go down anytime.

Regards

6 answers

Gary Reynolds 9,391 Reputation points

2021-10-11T10:59:51.903+00:00

Hi @Yousuf Shahzad

If you don't force replication, do the objects replicate evenually?
Are the DCs in separate AD sites?
If you run repadmin /replsummary from DC1 do you get any errors reported against the new DC?

The second issues is likely to be related to the client having only the first DC as the primary DNS entry and not being able to resolve names once the first DC is switched off. Now you have a second DC, it would best to add the IP address of the new DC as a secondary DNS entry for clients.

Gary.
Please sign in to rate this answer.
Yousuf Shahzad 26 Reputation points

2021-10-11T11:31:55.683+00:00

Hi GaryRennolds

If I do not refresh the objects do not replicate.

No DCs are on the same AD site.

If I run repadmin /replsummary from DC1, I found no error for the new 2nd domain, but found the error for the faulty one "Error (1722) The RPC server is unavailable".

Can you please let me know how to include the IP of the new domain in DHCP or any other places. Yes, you are right, I cannot see its IP in the domain. in our DHCP console, I can see the IPs of DC1 and the faulty DC

Time Server IP of DC1, IP of FaultyDC2
Name Servers IP of DC1, IP of FaultyDC2
DNS Servers IP of DC1, IP of FaultyDC2
DNS Domain Name domain name
NTP Server IP of DC1, IP of FaultyDC2

Please assist.

Thanks
Sign in to comment
Gary Reynolds 9,391 Reputation points

2021-10-11T11:46:47.8+00:00

What command are you using to refresh the objects between the domain controllers?

To add the new DC IP address you will need to edit your existing scopes are add the new DC IP address and remove the old one from each of the DHCP options. I believe you are not seeing the new DC's IP address the console as you haven't installed the DHCP roll on the new DC, but you don't need to do that unless you want to setup HA\redundancy for the DHCP service.

You will need to remove the old DC once you have resolved thse issues, as it not doing any good and will probably cause more issues in the long run.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

Gary.
Please sign in to rate this answer.
Yousuf Shahzad 26 Reputation points

2021-10-11T12:09:30.367+00:00

Hi Gary

Actually, when I create an object; suppose a user in DC1 and go to the new DC and click on the refresh button and vice versa then they replicate each other, otherwise no replicatioin.

I do not use any command to refresh.

Yes, I do not see the new DC's IP address in the DHCP console in DC1, and that's I am asking you how to and how many places in DHCP?

Please guide/assist me because I am new in this field and do not have much experience.

Moreover, we have only one DC in working condition and do not have redundancy, hence can't take much risk, you can understand my situation.

May I know what the link is for and on which DC I should perform all these tasks given in the link?

Regards

Yousuf

Gary Reynolds 9,391 Reputation points

2021-10-11T12:49:44.7+00:00

Hi Yousuf,

It sounds like your AD replication is working ok between DC1 and the new DC, ADUC doesn't dynamically update the display when a new object is created on another DC, you have press refresh button to reload the list.

This article provide some details on how to change the dhcp scope option https://www.dtonias.com/configure-dhcp-server-scope-options/#:~:text=In%20the%20DHCP%20console%2C%20expand,in%20the%20Data%20entry%20box.

The links provided by @Dave Patrick explain how to remove the old fault DC and cleanup your AD.

Gary.

Yousuf Shahzad 26 Reputation points

2021-10-11T13:56:55.08+00:00

Hi Gary

You did not mention why ADUC does not dynamically update and what's the solution, please?

I will go through the link.

Regards

Yousuf

Gary Reynolds 9,391 Reputation points

2021-10-11T20:05:35.353+00:00

Hi Yousuf,

There is no problem to solve, that is how ADUC works, this doesn't mean that AD replication is not working, you are just refreshing what ADUC is displaying.

Gary.
Sign in to comment
Dave Patrick 426K Reputation points MVP

2021-10-11T12:20:27.14+00:00

If the second server has tombstoned the only solution is to size roles (if necessary) to another healthy one
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

remove from network and perform clean up.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

and rebuild the failed one from scratch.

Make sure the DHCP server hands out only healthy / operational domain controllers for DNS.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.
Dave Patrick 426K Reputation points MVP

2021-10-12T13:59:19.13+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--

Yousuf Shahzad 26 Reputation points

2021-10-13T07:29:19.767+00:00

Hi DSPatrick

As per Gary, both the DCs are replicating manually but not automatically. So some kind of relaxation for me that at least they are replicating.

Now another issue, when I check DHCP in DC1, the entry of 2nd DC in the following was missing

Time server
Name servers
DNS servers
NTP servers

Then, I added/included the IP of the 2nd DC.

Now, the issue is if I check "Network Connection Details" from Network and Sharing Center, our PCs do not achieve the IP address of 2nd DC in "IPV4 DNS Servers".
Rather it is getting the IP address of 1st DC and the faulty DC, and because of this when I shut down 1st DC nobody can access shared folders.

Any solution for this please????

Regards

Gary Reynolds 9,391 Reputation points

2021-10-13T07:46:53.647+00:00

Hi Yousuf,

Make sure that you have updated all the scope options in all the scopes on the DHCP server, and make sure that you remove the old faulty DC as well.

On the workstation, use IPConfig /all from the command prompt to make sure you are seeing all the IP addresses that are assigned by DHCP.

Also you might need to renew the ip address on the network card to pick up the changes, this can be done by typing IPConfig /renew

Gary.

Yousuf Shahzad 26 Reputation points

2021-10-13T08:11:46.91+00:00

Hi Gary

Great!!

I have done this and now I can see the result.

If I do not remove the entry of IP of old faulty DC from those places (Time servers, Name servers, ...........), will it create any problem in the future?

Also, should I demote the old faulty DC permanently from our system?

Regards

Yousuf

Gary Reynolds 9,391 Reputation points

2021-10-13T08:23:58.06+00:00

Hi Yousuf,

It's not good practice to leave the old IP addresses in place as it could cause usual, unknown behaviour, performance issues or delays for the workstations. You should remove the old entries, the sooner the better.

You should demote the old DC, but you might still need to complete a meta data cleanup as described in the links shared by DSPatrick. If you are happy with the AD and client access at the moment and you are not seeing any major issues, maybe give yourself a week to let everything settle and then remove the old DC from the AD.

Gary.

Yousuf Shahzad 26 Reputation points

2021-10-13T08:39:31.16+00:00

Hi Gary

Noted

I will check client access with the current setting and then will get back to you.

The main issue is if I shut down the 1st DC, the clients cannot access the shared folders, and hopefully this time they can access them. Let's see.

Regards

Yousuf

Gary Reynolds 9,391 Reputation points

2021-10-13T09:41:27.793+00:00

I'm assuming that the shared folders are on a different server and not on DC1?

If they are on a different server, and as long as DNS is installed on the new DC and the clients have the new DC entry in their DNS IPconfig they should still be able to access the shared folders when DC1 is switched off.

Gary.

Yousuf Shahzad 26 Reputation points

2021-10-14T06:16:05.677+00:00

Hi Gary

Yes, the shared folders are on a different server.

Now they can access the shared folders.

Now one more issue arose which I have mentioned in Patrick's reply.

Regards

Yousuf
Sign in to comment
Dave Patrick 426K Reputation points MVP

2021-10-13T13:12:39.547+00:00

both the DCs are replicating manually but not automatically

Not sure what is meant here?

added/included the IP of the 2nd DC. Now, the issue is if I check "Network Connection Details" from Network and Sharing Center, our PCs do not achieve the IP address

May need to do ipconfig /release, ipconfig /renew

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.
Yousuf Shahzad 26 Reputation points

2021-10-14T06:11:18.85+00:00

Hi Patrick

It means I added Ip of 2nd DC in DHCP scope.

Yes, after ipconfig / renew the clients picked the changes, and now the clients can access the internet and the shared folders but working slow.

But, after shutting down the 1st DC when I try to log in with an old user on my laptop that has never been logged in previously, it gives the below error:

We can't sign you with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again.
If you previously signed in on this device with another credential you can sign in with that credential.

Regards

Yousuf

Gary Reynolds 9,391 Reputation points

2021-10-14T06:39:06.39+00:00

hi Yousuf,

This error happen if the workstation is not able to find a domain controller on the network to authenticate the user credentials against.

Can I assume that when the DC1 is switched on you are able logon from the laptop and you only get this error after DC1 has been switched off?

There are couple of things to check:

Ensure that the laptop has an ip address and logged on once before switching off DC1

Check the ip address details have been updated and the new DC IP address is included in the DNS server list

Are you seeing this problem with just one machine or all machines when the DC1 is switched off? If you want to try troubleshoot the issue it would be helpful to have a machine logged on.

Gary.

Yousuf Shahzad 26 Reputation points

2021-10-14T10:09:36.693+00:00

Hi Gary

Yes, when the DC1 is switched on I am able to logon and only get this error after DC1 is switched off.

Let me tell you some points here that will clarify so many things:

This logon problem is not only with one machine, with all the machines.

When I logon with an old user with DC1 switched on, the user can logon. This is usual and OK.

When I try to logon with that old user with DC1 switched off. even the user can logon but shows "unidentified network", but cannot access shared folders.

If I manually add IP address, subnet mask, default gateway, DNS server in IPv4 NIC, it shows me "Network 2" in active networks rather than showing our domain "company.local",

and then if I try to access shared folders, it pops up "Enter Network Password" window, and when I enter my Administrator ID & Password, it allows shared folders access.

Usually, when a user is logged on with his user ID on his PC with DC1 & DC2 switched on, they can access both internet and shared folders and that moment if I switch off DC1, then no issue the user can access both internet and the shared folders, but if the user restart the PC then the problem arises and the problem is "Unidentified Network".

Regards

Gary Reynolds 9,391 Reputation points

2021-10-14T11:16:37.44+00:00

hi Yousuf,

The issue is likely that when you switch off DC1, this also includes the DHCP server. So when you connect the laptop, the machine is not getting an IP address, and hence the Unidentified Network error. You can confirm this be running the ipconfig /renew command and see if you get an IP address. Also you could test it again with the laptop switched on and connected to the network before DC1 is switched, that way the laptop will have an IP address.

If this is the case you can configure DHCP on your two DCs in a number of different fail-over configurations to remove this single server dependencies.

You can find the details here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn338976(v=ws.11)

Gary.

Yousuf Shahzad 26 Reputation points

2021-10-14T11:39:03.647+00:00

Also, I have found in RSoP for both the DCs

In DC2

Computer Configuration
Software Settings
Windows Settings
Administrative Templates (Missing)

In DC1

Administrative Templates (Not missing)

!

The link you shared says "Page not found".

Regards

Gary Reynolds 9,391 Reputation points

2021-10-14T11:58:10.507+00:00

Here is the link again dn338978(v=ws.11)

I can't see the second screenshot.

Gary Reynolds 9,391 Reputation points

2021-10-14T12:13:48.433+00:00

This might help https://learn.microsoft.com/en-US/troubleshoot/windows-client/group-policy/create-and-manage-central-store

Yousuf Shahzad 26 Reputation points

2021-10-14T13:30:49.223+00:00

Hi Gary

DC1

DC2

Gary Reynolds 9,391 Reputation points

2021-10-15T22:28:56.737+00:00

Hi Yousuf,

Just checking if there is any update on this one?

Gary.

Yousuf Shahzad 26 Reputation points

2021-10-17T06:55:51.147+00:00

Hi Gary

Please check below DFS REplication Health Report which I run on DC2.

Regards

Yousuf
Sign in to comment
Dave Patrick 426K Reputation points MVP

2021-10-14T13:01:31.657+00:00

We can't sign you with this credential because your domain isn't available.

Sounds like DC2 is somehow broken. dcdiag may be useful. You could also try move roles off, demote, reboot, promo it again.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.

0 comments No comments
Sign in to comment