Performance issue - How to maintain a trust relationship between the primary and backup DC that are Windows Server 2019?

Anonymous
2023-12-05T15:41:02+00:00

We did an in-place upgrade from Windows Server 2012 R2 to Windows Server 2019 a few months ago, and we've noticed that our Active Directory isn't working properly. We have a primary and a backup domain controller, both on Windows Server 2019. We seem to have a trust relationship between both DCs and a permissions issue on the primary.

Question 1) Do we need to raise the domain functional level to Windows Server 2016? If yes, what's the impact?
Question 2) How do we maintain the trust relationship between both servers?
Question 3) Why are the permissions not as they used to be, and how do we know what has changed after the upgrade?

We've also noticed that after changing a few things on the domain, everybody is locked out and can't log into the domain for a few hours. Is it a known issue on Windows Server 2019?

Windows for business Windows Server Directory services Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2023-12-06T02:25:36+00:00

    Hi Rama Massamba,

    Thank you for reaching out to Microsoft customer support. I'll be happy to assist you with your questions.

    1. Raising the domain functional level to Windows Server 2016 is not necessary to maintain a trust relationship between the primary and backup DCs. However, it is recommended to raise the domain functional level to take advantage of new features and improvements in Windows Server 2016. The impact of raising the domain functional level depends on the features and applications that are being used in your environment. Before raising the domain functional level, it is recommended to test the compatibility of your applications and services with Windows Server 2016.
    2. To maintain a trust relationship between the primary and backup DCs, you need to ensure that both DCs are properly configured and synchronized. You can use the Active Directory Domains and Trusts console to manage trust relationships between domains. You can also use the Repadmin tool to check the replication status between DCs and troubleshoot any issues.
    3. After upgrading from Windows Server 2012 R2 to Windows Server 2019, there may be changes in the default permissions and settings. It is recommended to review the changes and adjust the permissions and settings accordingly. You can use the Group Policy Management Console to manage group policies and settings. To determine what has changed after the upgrade, you can compare the settings and permissions before and after the upgrade using tools such as the Security Configuration Wizard or the Security Compliance Manager.

    Regarding the issue of users being locked out after making changes to the domain, this is not a known issue in Windows Server 2019. It is possible that the changes made have caused a disruption in the domain services. It is recommended to review the event logs and use tools such as the Active Directory Replication Status Tool to troubleshoot the issue.

    I hope this information helps. Let me know if you have any further questions or concerns.

    Best regards,

    Qiuyang

    1 person found this answer helpful.
  2. Anonymous
    2023-12-07T11:09:53+00:00

    Hi Qiuyang,

    Thank you for the above information.

    1. How do we test it? Will that be virtual, or do we need to have another physical server? Replicating our current infrastructure on Windows Server 2016 will take us weeks.
    2. Both DCs replicate but the backup DC is a bit slow to update. How do we maintain a trust relationship between computers and primary DC?

    Kind regards,

  3. Anonymous
    2023-12-08T03:02:32+00:00

    Hi Rama Massamba,

    I'm glad to assist you with your questions.

    1. To test Active Directory replication, you can use the Active Directory Replication Status Tool (ADREPLSTATUS) which is a free tool provided by Microsoft. This tool can help you identify replication errors and latency issues. You can install it on any computer that has network connectivity to your domain controllers. You don't need to have another physical server to test it.
    2. To maintain a trust relationship between computers and the primary DC, you need to ensure that both DCs are replicating properly. If the backup DC is slow to update, you may need to troubleshoot the replication issue. You can use the ADREPLSTATUS tool to identify any replication errors. Once you have resolved the replication issue, you can verify that the trust relationship is working by testing authentication and access to resources.

    I hope this helps. Let me know if you have any further questions.

    Best regards,

    Qiuyang

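The checks the answers above describe (functional level, replication status between the DCs, computer trust, and lockout events in the logs), collected into one read-only PowerShell pass. This is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) and rights to read the Security log on the PDC emulator, and the 60-minute staleness threshold and 24-hour look-back are illustrative values.

```powershell
# Added example: read-only AD health checks. Thresholds below are assumptions.
Import-Module ActiveDirectory

$maxAge   = New-TimeSpan -Minutes 60      # assumed "stale replication" threshold
$lookBack = (Get-Date).AddHours(-24)      # assumed lockout look-back window

# 1. Current functional levels and which DC holds the PDC emulator role
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain mode: {0}  Forest mode: {1}  PDC emulator: {2}" -f `
    $domain.DomainMode, $forest.ForestMode, $domain.PDCEmulator

# 2. Inbound replication links for every DC; flag failures and stale links
$links = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server
}
$links |
    Select-Object Server, Partition, LastReplicationSuccess,
        LastReplicationResult, ConsecutiveReplicationFailures,
        @{ Name = 'Stale'; Expression = {
            -not $_.LastReplicationSuccess -or
            ((Get-Date) - $_.LastReplicationSuccess) -gt $maxAge } } |
    Sort-Object Stale -Descending |
    Format-Table -AutoSize

# Recorded replication failures per DC, and the repadmin summary as a cross-check
Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADReplicationFailure -Target $_.HostName }
repadmin /replsummary

# 3. Computer trust (secure channel): only meaningful on a member machine.
#    Win32_ComputerSystem.DomainRole: 1 = member workstation, 3 = member server.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -in 1, 3) {
    "Secure channel to domain OK: $(Test-ComputerSecureChannel)"
}

# 4. Accounts locked out right now, and lockout events (ID 4740) on the PDC emulator
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
Get-WinEvent -ComputerName $domain.PDCEmulator -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $lookBack } |
    Select-Object TimeCreated,
        @{ Name = 'Account';        Expression = { $_.Properties[0].Value } },
        @{ Name = 'CallerComputer'; Expression = { $_.Properties[1].Value } }
```

A non-zero `LastReplicationResult` or a growing `ConsecutiveReplicationFailures` on either DC points at replication rather than at the functional level; many 4740 events from the same caller computer point at a single source of bad credentials.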