Replication errors after replacing Win2012 Domain Controllers with Win2022 with the same names and IPs

Ax Plains 0 Reputation points
2023-11-09T17:57:12.8933333+00:00

Hi all

I have replaced 2 DCs (Win2012 R2) in a root domain with 2 Win2022 newer ones by demoting them: obviously one at a time, adding a new server in its place with the same name and same IP address after checking that every trace of the old one had disappeared from AD and DNS.

There is also a child domain (2 DCs Win2012 also) which I want to replace the same way.

All four DCs are Global Catalogs, and all are DNS servers (AD integrated).

At the end of the upgrade of the root, replication works, DNS objects are replicated in all servers, but BPA Scan reports these errors on both child domain DCs only:

  • DNS: The DNS server 10.x.x.x on Ethernet must resolve names in the primary DNS domain zone
  • DNS: The DNS server 127.0.0.1 on Ethernet must resolve names in the primary DNS domain zone

(The 10.x.x.x being the other domain controller as primary DNS server).

Also, in the event log there are replication errors with the root domain DCs:

  • Event IDs 1926: "The attempt to establish a replication link to a read-only directory partition with the following parameters failed. Error value: 5 Access is denied."

This does not occur on the new root domain DCs, they seem to replicate with the child domain just fine.

For some reason, the "old" child domain DCs don't recognize themselves as DNS servers, even if everything works through the AD forest. Everything resolves, nslookup works both ways etc.

I tried to add a third DC (Win 2022) to the child domain (still Win 2012) but the process showed:
"DNS cannot be installed on this domain controller because this domain does not host DNS."

Does anyone have an idea of how to solve this?

Thank you very much in advance!


3 answers

  1. Dave Patrick 417.4K Reputation points MVP
    2023-11-09T18:26:45.6233333+00:00

    Please run:

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log (run on PDC emulator)
    repadmin /showrepl >C:\repl.txt (run on any domain controller)
    ipconfig /all > C:\%computername%.txt (run on EVERY domain controller)

    Also check the domain controller System and Replication (DFS or FRS) event logs for errors since last boot. Post the Event Source and Event IDs of any found. (no evtx files)

    Then put the unzipped text files up on OneDrive and share a link.


  2. Dave Patrick 417.4K Reputation points MVP
    2023-11-10T15:19:55.3933333+00:00

    no more endpoints available from the endpoint mapper

    I usually see this one when some process (replication in this case) that uses dynamic ports does not complete or close cleanly and at next call gets next higher available port until we eventually run out.

    netstat -aon

    should show this result, and a reboot should release the ports at least temporarily. I'd check that all involved got the Domain network firewall profile and that the required ports are flowing between networks.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts#windows-server-2008-and-later-versions

    Also, each domain controller at a minimum should have its own static IP address listed for DNS primary and loopback as secondary, so a small correction there.

    --please don't forget to close up the thread here by marking answer if the reply is helpful--
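
    A PowerShell check for the two points in this answer, added here as an example that is not part of the thread: it verifies the DNS client order on a DC (own static IP first, 127.0.0.1 second) and counts dynamic TCP ports held per process, the condition behind "no more endpoints available from the endpoint mapper". It assumes a single manually configured IPv4 interface named Ethernet (as in the BPA message) and the default dynamic port range 49152-65535.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on each domain controller.
# Assumptions: one static IPv4 interface called 'Ethernet'; default dynamic port range
# (confirm with: netsh int ipv4 show dynamicport tcp).

function Test-DcDnsClientOrder {
    param([string]$InterfaceAlias = 'Ethernet')
    # The DC's own statically assigned IPv4 address on the interface.
    $ownIp = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
              Where-Object { $_.PrefixOrigin -eq 'Manual' } | Select-Object -First 1).IPAddress
    # DNS client servers in the order the resolver uses them.
    $dns = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    # Expected: own IP as primary, loopback present as secondary.
    $ok = ($dns.Count -ge 2) -and ($dns[0] -eq $ownIp) -and ($dns[1] -eq '127.0.0.1')
    [pscustomobject]@{
        Interface = $InterfaceAlias
        OwnIPv4   = $ownIp
        DnsOrder  = ($dns -join ', ')
        Expected  = "$ownIp, 127.0.0.1"
        Compliant = $ok
    }
}

function Get-DynamicPortUsage {
    # Counts TCP endpoints whose local port falls in the dynamic range, grouped by owning
    # process. A process holding thousands of them is what exhausts the RPC endpoint mapper.
    param([int]$Start = 49152, [int]$End = 65535, [int]$WarnAt = 5000)
    $total = $End - $Start + 1
    Get-NetTCPConnection |
        Where-Object { $_.LocalPort -ge $Start -and $_.LocalPort -le $End } |
        Group-Object OwningProcess | Sort-Object Count -Descending | ForEach-Object {
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID        = [int]$_.Name
                Process    = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Ports      = $_.Count
                PctOfRange = [math]::Round(100 * $_.Count / $total, 1)
                Warn       = ($_.Count -ge $WarnAt)
            }
        }
}

Test-DcDnsClientOrder | Format-List
Get-DynamicPortUsage | Format-Table -AutoSize
```

    A non-compliant DNS order or a process flagged with Warn = True is the thing to correct before re-running dcdiag and repadmin.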


  3. Dave Patrick 417.4K Reputation points MVP
    2023-11-11T14:05:49.6533333+00:00