DCFSVM1, DCFSVM2 and DCFS3 are all DCs, File Servers (running DFSR) and DNS Servers running Windows Server 2012 R2.
DCFSVM1 (192.168.1.105) & DCFSVM2 (192.168.1.106) are unable to access 'Active Directory Users and Computers' unless DCFS3 (192.168.1.107) is turned on.
The following error appears on DCFSVM1 and DCFSVM2 if DCFS3 is off:
Each DC has the other 2 DCs' IP addresses in its TCP/IPv4 DNS settings, with 127.0.0.1 as the last entry.
DFSR is running fine on all 3 servers (files are syncing correctly).
DCFSVM1 and DCFSVM2 have been formatted and reinstalled a couple of times since they were installed, whereas DCFS3 has remained in the same state since it was installed.
I checked DNS Manager and there were 2 entries for FS1 and FS2 (old PCs), which I deleted.
There was an entry in DNS Manager of FS1.dl37.com pointing to 192.168.1.105 which I changed to DCFSVM1.dl37.com (I don't remember where this was).
But the errors are still there. These changes did not correct the problem.
These are some events in Server Manager of DCFSVM1:
--------------------------------------------------
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=dl37,DC=com
User Action:
- Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
- This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
- In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
---------------------------------------------------------------------------
Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source domain controller:
DCFSVM1
Failing DNS host name:
b42d45ad-310e-43c3-9f5a-c721acbcaa4a._msdcs.dl37.com
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
- If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
- Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
- Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
dcdiag /test:dns
- Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
dcdiag /test:dns
- For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449
Additional Data
Error value:
11001 No such host is known.
---------------------------------------------
The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DCFSVM2.dl37.com. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 07A577BE-C0A6-4A93-BEA4-A071CB272007
Replication Group Name: Domain System Volume
Replication Group ID: E16AFD99-F259-4077-AAE1-3DC783107755
Member ID: 6435E54E-D49A-49AA-8340-9BD33240A8AE
Read-Only: 0
-------------------------------------------------------------
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
-------------------------------------------------------
1 event in Server Manager of DCFS3:
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 2421 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group.
Additional Information:
Error: 9061 (The replicated folder has been offline for too long.)
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 07A577BE-C0A6-4A93-BEA4-A071CB272007
Replication Group Name: Domain System Volume
Replication Group ID: E5365EDF-05D4-4E8C-9B80-4170893FB51
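
A per-server check of the DSA GUID CNAME named in the DNS resolution event above, as an added example that is not part of the original post. `Test-DsaCname` is a hypothetical helper; the FQDN `DCFSVM1.dl37.com` for the source DC is an assumption based on the post, and the other values are copied from it.

```powershell
# Values copied from the post and the quoted event; change them for another domain.
$DnsServers   = '192.168.1.105', '192.168.1.106', '192.168.1.107'
$DsaCname     = 'b42d45ad-310e-43c3-9f5a-c721acbcaa4a._msdcs.dl37.com'
$ExpectedHost = 'DCFSVM1.dl37.com'   # assumed FQDN of the source DC named in the event
$ExpectedIp   = '192.168.1.105'

# Hypothetical helper: asks one DNS server for the DSA GUID CNAME and its A record.
function Test-DsaCname {
    param(
        [string]$Server,
        [string]$Cname,
        [string]$ExpectedHost,
        [string]$ExpectedIp
    )
    $row = [ordered]@{ DnsServer = $Server; CnameTarget = $null; Address = $null; Status = 'OK' }
    try {
        # Query this one DNS server over DNS only (no LLMNR/NetBIOS fallback).
        $rec = Resolve-DnsName -Name $Cname -Type CNAME -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $rec) {
            $row.Status = 'No CNAME record for the DSA GUID'
            return [pscustomobject]$row
        }
        $row.CnameTarget = $rec.NameHost.TrimEnd('.')
        if ($row.CnameTarget -ne $ExpectedHost) {
            $row.Status = 'CNAME points at a different host'
            return [pscustomobject]$row
        }
        # The CNAME is right; now confirm the host record behind it on the same server.
        $addr = Resolve-DnsName -Name $row.CnameTarget -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
        $row.Address = ($addr.IPAddress -join ',')
        if ($addr.IPAddress -notcontains $ExpectedIp) {
            $row.Status = 'A record does not match the expected IP'
        }
    }
    catch {
        # Covers "DNS name does not exist" (error 11001 in the event) and an unreachable server.
        $row.Status = "Lookup failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$DnsServers | ForEach-Object {
    Test-DsaCname -Server $_ -Cname $DsaCname -ExpectedHost $ExpectedHost -ExpectedIp $ExpectedIp
} | Format-Table -AutoSize
```

Running it once with DCFS3 on and once with it off shows which DNS servers actually hold the record that replication depends on.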