Question asked by YousufShahzad-2083

Domain Controllers Replication issue

Hello

We have been facing the issue below for a long time:

We have two Windows Server 2012 DCs. Both DCs stopped replicating a long time ago; it has been more than 3 years.

I installed/promoted another DC and followed all the steps to replicate with the 1st one, but when I create a user in any of the DCs, I need to refresh, and then I can see the change. The two DCs do not replicate automatically. I did not demote the second, faulty DC.

The second issue is when I shut down the first domain, our employees cannot access shared folders and the internet.

All our roles are in our first DC.

Schema Master
Domain Naming Master
PDC
RID Pool Manager
Infrastructure Master

What could be the possible solution? Please provide one as soon as possible, because we do not have any redundant DC; our first DC is on a virtual machine, and that server is having some problems and can go down at any time.

Regards

Tags: windows-active-directory, windows-server-2012

Answer by GaryReynolds

Hi @YousufShahzad-2083

If you don't force replication, do the objects replicate eventually?
Are the DCs in separate AD sites?
If you run repadmin /replsummary from DC1 do you get any errors reported against the new DC?

The second issue is likely to be related to the clients having only the first DC as their primary DNS entry and not being able to resolve names once the first DC is switched off. Now that you have a second DC, it would be best to add the IP address of the new DC as a secondary DNS entry for clients.

Gary.
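The checks Gary asks for, as an added PowerShell example (not code from the thread); run it in an elevated prompt on DC1 or the new DC with the RSAT ActiveDirectory module. The domain name, the DC names and the 60-day default tombstone lifetime are assumptions, not values from the post. Besides the repadmin summary it also works out whether the faulty DC is past the tombstone lifetime, which decides whether it can ever be repaired or must be cleaned out of the directory.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on DC1 (or the new DC) with the
# RSAT ActiveDirectory module. Names below are assumptions; change them to match your environment.
Import-Module ActiveDirectory

$domain = 'company.local'   # assumption: the domain name shown later in the thread
$newDc  = 'DC3'             # assumption: the newly promoted DC
$badDc  = 'FAULTYDC2'       # assumption: the DC that has not replicated for 3+ years

# 1. FSMO role holders and DC inventory (the question says all five roles sit on DC1).
$d = Get-ADDomain -Identity $domain
$f = Get-ADForest
[pscustomobject]@{
    SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
    PDCEmulator  = $d.PDCEmulator;  RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster
} | Format-List
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site, IsGlobalCatalog | Format-Table -AutoSize

# 2. Inbound replication of the new DC, per naming context. LastReplicationResult 0 with a recent
#    LastReplicationSuccess means replication works; ADUC simply does not redraw until you press F5.
Get-ADReplicationPartnerMetadata -Target $newDc -Partition * |
    Select-Object Partition, @{n='Partner';e={ ($_.Partner -split ',')[1] -replace '^CN=' }},
                  LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 3. Failures recorded anywhere in the forest. Error 1722 (RPC server unavailable) against the faulty DC
#    is expected; anything against the new DC is not.
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, @{n='Partner';e={ ($_.Partner -split ',')[1] -replace '^CN=' }},
                  FirstFailureTime, FailureCount, LastError | Format-Table -AutoSize

# 4. Is the faulty DC past the forest's tombstone lifetime? If so it can never replicate again and has
#    to be removed with metadata cleanup instead of being repaired.
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime
$tsl   = if ($dsCfg.tombstoneLifetime) { $dsCfg.tombstoneLifetime } else { 60 }   # 60 days is the default when the attribute is unset
$last  = Get-ADReplicationPartnerMetadata -Target $d.PDCEmulator -Partition * |
         Where-Object Partner -like "*CN=$badDc,*" |
         Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1
if ($last) {
    $ageDays = [int]((Get-Date) - $last.LastReplicationSuccess).TotalDays
    $verdict = if ($ageDays -gt $tsl) { 'TOMBSTONED: remove it with metadata cleanup' } else { 'still within lifetime' }
    "Last successful replication from {0}: {1} days ago (tombstone lifetime {2} days) -> {3}" -f $badDc, $ageDays, $tsl, $verdict
} else {
    "No replication metadata for $badDc on the PDC emulator"
}

# 5. The same summary the thread uses, for comparison
repadmin /replsummary
```

A DC that has been out of replication for years is almost always beyond the tombstone lifetime; the directory will refuse to replicate with it (to avoid reviving lingering objects), so step 4 tells you up front whether cleanup rather than repair is the only option.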


Hi GaryReynolds

If I do not refresh, the objects do not replicate.

No, the DCs are on the same AD site.

If I run repadmin /replsummary from DC1, I find no error for the new 2nd domain, but I find the error for the faulty one: "Error (1722) The RPC server is unavailable".

Can you please let me know how to include the IP of the new domain in DHCP or any other places? Yes, you are right, I cannot see its IP in the domain. In our DHCP console, I can see the IPs of DC1 and the faulty DC:

Time Server: IP of DC1, IP of FaultyDC2
Name Servers: IP of DC1, IP of FaultyDC2
DNS Servers: IP of DC1, IP of FaultyDC2
DNS Domain Name: domain name
NTP Server: IP of DC1, IP of FaultyDC2

Please assist.

Thanks



Answer by GaryReynolds

What command are you using to refresh the objects between the domain controllers?

To add the new DC IP address you will need to edit your existing scopes and add the new DC IP address and remove the old one from each of the DHCP options. I believe you are not seeing the new DC's IP address in the console because you haven't installed the DHCP role on the new DC, but you don't need to do that unless you want to set up HA/redundancy for the DHCP service.

You will need to remove the old DC once you have resolved these issues, as it is not doing any good and will probably cause more issues in the long run.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

Gary.
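Scope-option editing as Gary describes it, as an added PowerShell example (not code from the thread) for the DhcpServer module on the DHCP server. The server name and the two IP addresses are assumptions. The script walks the server-level options and every scope, so no scope is missed, and only touches the four options the thread shows.

```powershell
# Added example, not from the thread. Run as a DHCP administrator on DC1, which hosts the DHCP role.
# It swaps the faulty DC's address for the new DC's address in the options the thread lists
# (4 Time Server, 5 Name Servers, 6 DNS Servers, 42 NTP Servers), at server level and in every scope.
Import-Module DhcpServer

$dhcpServer = 'DC1'            # assumption: the DHCP server
$oldDcIp    = '192.168.1.11'   # assumption: address of the faulty DC
$newDcIp    = '192.168.1.12'   # assumption: address of the newly promoted DC
$optionIds  = 4, 5, 6, 42

function Update-DcOptionValue {
    param([string]$Server, [int]$OptionId, [string]$ScopeId)   # empty $ScopeId = server-level option
    $where = @{ ComputerName = $Server; OptionId = $OptionId }
    if ($ScopeId) { $where.ScopeId = $ScopeId }
    $opt = Get-DhcpServerv4OptionValue @where -ErrorAction SilentlyContinue
    if (-not $opt) { return }                                   # option not configured at this level
    $old = @($opt.Value)
    $new = @($old | Where-Object { $_ -ne $oldDcIp })           # drop the faulty DC
    if ($new -notcontains $newDcIp) { $new += $newDcIp }        # append the new DC; DC1 stays first/primary
    if (($new -join ',') -eq ($old -join ',')) { return }       # nothing to change here
    Set-DhcpServerv4OptionValue @where -Value $new
    '{0,-15} option {1,-3} {2} -> {3}' -f $(if ($ScopeId) { $ScopeId } else { '(server)' }), $OptionId, ($old -join ','), ($new -join ',')
}

# server-level options first, then every scope
foreach ($id in $optionIds) { Update-DcOptionValue -Server $dhcpServer -OptionId $id }
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $dhcpServer) {
    foreach ($id in $optionIds) {
        Update-DcOptionValue -Server $dhcpServer -OptionId $id -ScopeId $scope.ScopeId
    }
}

# What clients will now be offered as DNS servers. A client picks this up on its next lease renewal,
# or immediately after:  ipconfig /release ; ipconfig /renew ; ipconfig /all
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $dhcpServer) {
    $dns = Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    '{0,-15} DNS servers offered: {1}' -f $scope.ScopeId, ($dns.Value -join ', ')
}
```

Removing the faulty DC's address at the same time matters: a client whose first DNS server never answers waits for the timeout before trying the next one, which is one reason things feel slow even when the second address is correct.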



Hi Gary

Actually, when I create an object, suppose a user, in DC1 and go to the new DC and click on the refresh button (and vice versa), then they replicate with each other; otherwise there is no replication.

I do not use any command to refresh.

Yes, I do not see the new DC's IP address in the DHCP console on DC1, and that's why I am asking you how to add it, and in how many places in DHCP.

Please guide/assist me because I am new in this field and do not have much experience.

Moreover, we have only one DC in working condition and do not have redundancy, hence can't take much risk, you can understand my situation.

May I know what the link is for and on which DC I should perform all these tasks given in the link?

Regards

Yousuf



Hi Yousuf,

It sounds like your AD replication is working OK between DC1 and the new DC. ADUC doesn't dynamically update the display when a new object is created on another DC; you have to press the refresh button to reload the list.

This article provides some details on how to change the DHCP scope options: https://www.dtonias.com/configure-dhcp-server-scope-options/

The links provided by @DSPatrick explain how to remove the old faulty DC and clean up your AD.

Gary.


Hi Gary

You did not mention why ADUC does not dynamically update and what the solution is, please?

I will go through the link.

Regards

Yousuf


Answer by DSPatrick

If the second server has tombstoned, the only solution is to seize roles (if necessary) to another healthy one
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

remove it from the network and perform cleanup.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

and rebuild the failed one from scratch.

Make sure the DHCP server hands out only healthy / operational domain controllers for DNS.



--please don't forget to upvote and Accept as answer if the reply is helpful--
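Role transfer and metadata cleanup as DSPatrick outlines it, as an added PowerShell example (not code from the thread or the linked articles). Run it in an elevated prompt on the new, healthy DC as a member of Enterprise Admins and Schema Admins, after a system state backup. DC names, the site name and the domain name are assumptions. Because DC1 is still online, the roles are transferred rather than seized; -Force (seize) is only for a holder that will never come back, and a seized-from DC must never be reconnected.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the new, healthy DC.
# All names are assumptions; take a system state backup of DC1 before moving roles.
Import-Module ActiveDirectory

$domain = 'company.local'
$newDc  = 'DC3'                        # assumption: newly promoted, replicating DC
$badDc  = 'FAULTYDC2'                  # assumption: DC that has not replicated for 3+ years
$site   = 'Default-First-Site-Name'    # assumption: the single AD site from the thread

# 1. Move all five FSMO roles off the failing DC1 VM onto the new DC. Without -Force this is a clean
#    transfer (DC1 is online and agrees). Add -Force only to *seize* from a holder that is gone for good.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false
netdom query fsmo

# 2. Metadata cleanup of the faulty DC. It is years past the tombstone lifetime, so it cannot be demoted;
#    power it off and unplug it first so its stale copy of the directory can never come back online.
$cfg      = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$badDc,CN=Servers,CN=$site,CN=Sites,$cfg"
$server   = Get-ADObject -LDAPFilter "(cn=$badDc)" -SearchBase "CN=Servers,CN=$site,CN=Sites,$cfg" -SearchScope OneLevel
if ($server) {
    # removes the NTDS Settings object and every replication link that points at it (prompts once)
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# the computer account in the Domain Controllers OU, if it is still there afterwards
$dcOu = "OU=Domain Controllers,$((Get-ADDomain -Identity $domain).DistinguishedName)"
Get-ADComputer -Filter "Name -eq '$badDc'" -SearchBase $dcOu | Remove-ADObject -Recursive -Confirm:$false

# 3. DNS still names the faulty DC. Remove its NS records from the domain zone and _msdcs, then the
#    SRV/CNAME locator records, so resolvers and the DC locator stop handing it out.
Import-Module DnsServer
$badFqdn = "$badDc.$domain."
foreach ($zone in $domain, "_msdcs.$domain") {
    Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.NameServer -eq $badFqdn } |
        Remove-DnsServerResourceRecord -ZoneName $zone -Force
}
$stale = Get-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -ErrorAction SilentlyContinue |
    Where-Object { ($_.RecordData.HostNameAlias, $_.RecordData.DomainName) -like "*$badDc*" }
$stale | Select-Object HostName, RecordType, @{n='Target';e={ "$($_.RecordData.HostNameAlias)$($_.RecordData.DomainName)" }}
$stale | Remove-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -Force

# 4. Confirm: no DC list entry, no replication partner, no failures left that mention the old DC.
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site, IsGlobalCatalog, OperationMasterRoles
repadmin /replsummary
```

Moving the roles to a DC that is not the failing VM is the point of step 1: with all five roles on DC1, losing that VM also loses the PDC emulator (password changes, time, GPO edits) and the RID master (new accounts), and seizing afterwards is riskier than transferring now.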








Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--




Hi DSPatrick

As per Gary, both DCs are replicating manually but not automatically. So that is some kind of relaxation for me, that at least they are replicating.

Now another issue: when I check DHCP on DC1, the entry for the 2nd DC was missing in the following:

Time server
Name servers
DNS servers
NTP servers

Then, I added/included the IP of the 2nd DC.

Now, the issue is that if I check "Network Connection Details" in Network and Sharing Center, our PCs do not receive the IP address of the 2nd DC under "IPv4 DNS Servers".
Rather, they get the IP addresses of the 1st DC and the faulty DC, and because of this, when I shut down the 1st DC nobody can access shared folders.

Any solution for this, please?

Regards


Hi Yousuf,

Make sure that you have updated all the scope options in all the scopes on the DHCP server, and make sure that you remove the old faulty DC as well.

On the workstation, use IPConfig /all from the command prompt to make sure you are seeing all the IP addresses that are assigned by DHCP.

Also you might need to renew the ip address on the network card to pick up the changes, this can be done by typing IPConfig /renew

Gary.

Answer by DSPatrick

"both the DCs are replicating manually but not automatically"

Not sure what is meant here?


"added/included the IP of the 2nd DC. Now, the issue is if I check "Network Connection Details" from Network and Sharing Center, our PCs do not achieve the IP address"

May need to do ipconfig /release, ipconfig /renew

--please don't forget to upvote and Accept as answer if the reply is helpful--












Hi Patrick

It means I added the IP of the 2nd DC in the DHCP scope.

Yes, after ipconfig /renew the clients picked up the changes, and now the clients can access the internet and the shared folders, but it is working slowly.

But, after shutting down the 1st DC, when I try to log in with an old user on my laptop that has never logged in there previously, it gives the error below:

"We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again.
If you previously signed in on this device with another credential, you can sign in with that credential."

Regards

Yousuf


Hi Yousuf,

This error happens if the workstation is not able to find a domain controller on the network to authenticate the user credentials against.

Can I assume that when DC1 is switched on you are able to log on from the laptop, and you only get this error after DC1 has been switched off?

There are a couple of things to check:

  1. Ensure that the laptop has an IP address and has logged on once before switching off DC1

  2. Check that the IP address details have been updated and the new DC IP address is included in the DNS server list

Are you seeing this problem with just one machine or all machines when DC1 is switched off? If you want to try to troubleshoot the issue, it would be helpful to have a machine logged on.

Gary.
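Client-side checks for the two points above, as an added PowerShell example (not code from the thread), run in an elevated prompt on a domain-joined Windows 10 workstation while DC1 is off. The domain and DC names are assumptions. It shows what the workstation received from DHCP, whether DNS advertises the new DC as a domain controller, which DC the locator actually picks, and whether the ports a logon needs are reachable.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a domain-joined workstation
# while DC1 is switched off. Domain and DC names are assumptions.
$domain = 'company.local'
$newDc  = 'DC3'          # assumption: the newly promoted DC

# 1. DNS servers the NIC actually received from DHCP; the new DC's address must be in this list,
#    and the faulty DC's address should not be (a dead first entry delays every lookup).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses | Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. Does the DC-locator SRV record name the new DC? If not, the new DC has not registered itself
#    in DNS, and no client will find it even when its address is in the DNS list.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
} catch {
    Write-Warning "SRV lookup failed: $($_.Exception.Message). The DNS servers above cannot resolve the domain."
    $srv = @()
}
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
if (-not ($srv | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$newDc.*" })) {
    Write-Warning "No SRV record for $newDc. On $newDc run: nltest /dsregdns  and  ipconfig /registerdns, then retest."
}

# 3. Which DC does the locator choose right now? /force bypasses the cached answer.
nltest /dsgetdc:$domain /force

# 4. Can the workstation reach the new DC on the ports a domain logon needs?
foreach ($port in 53, 88, 135, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $newDc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-5} {1}' -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 5. Is the machine's secure channel still good, and which DC is it talking to?
Test-ComputerSecureChannel -Verbose
nltest /sc_query:$domain
```

"Unidentified network" after a reboot is what the Network Location Awareness service shows when it cannot reach a DC for the domain, so the SRV and port checks in steps 2 and 4 are the ones to look at first.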






Hi Gary

Yes, when the DC1 is switched on I am able to logon and only get this error after DC1 is switched off.


Let me tell you some points here that will clarify many things:


  1. This logon problem is not only with one machine; it is with all the machines.

  2. When I log on with an old user with DC1 switched on, the user can log on. This is usual and OK.

  3. When I try to log on with that old user with DC1 switched off, the user can still log on, but it shows "unidentified network", and cannot access shared folders.

  4. If I manually add the IP address, subnet mask, default gateway and DNS server in the IPv4 NIC settings, it shows me "Network 2" in active networks rather than showing our domain "company.local".


[image: network-connection.png]



And then if I try to access shared folders, an "Enter Network Password" window pops up, and when I enter my Administrator ID and password, it allows access to the shared folders.


Usually, when a user is logged on with his user ID on his PC with DC1 and DC2 switched on, he can access both the internet and shared folders, and if at that moment I switch off DC1, there is no issue: the user can still access both the internet and the shared folders. But if the user restarts the PC, then the problem arises, and the problem is "Unidentified Network".



Regards






Answer by DSPatrick

"We can't sign you in with this credential because your domain isn't available."

Sounds like DC2 is somehow broken. dcdiag may be useful. You could also try moving the roles off, demoting it, rebooting, and promoting it again.

--please don't forget to upvote and Accept as answer if the reply is helpful--







Answer by GaryReynolds

Hi Yousuf,

If you have restarted DFS or the Active Directory Domain Services, then you can ignore these warnings.

However, if you haven't, I would suggest that you review the event log for the DFS services and see if there are any errors being reported:

[image: dfs-eventlog.png]



Gary.



Hi Gary

Please check my comments below

I did not restart DFS.

Below are event logs from DC2

[attached images: dfs-1.png, dfs-2.png, dfs-3.png, dfs-4.png, dfs-5.png, dfs-6.png]



I also checked the DNS entry and found "Special Permissions" missing on the new DC, but it is present on the faulty DC.

Maybe if I add the permission, replication will start working, or maybe the group policy issue will get resolved.


[image: dns-entry.png]


[image: dns-properties.png]


Regards


Yousuf



Hi Yousuf,

I can't see all the pictures, but here is an article to resolve your DFSR issue: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/dfsr-event-id-2213

If you could re-post the other DNS pictures, I'll have a look.

Gary.
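If the DFS Replication log shows event 2213 (replication on a volume paused after a dirty shutdown), the fix in the linked article is to call the ResumeReplication WMI method on that volume. As an added PowerShell example (not code from the thread or the article), run in an elevated prompt on the affected DC and assuming SYSVOL is replicated by DFSR rather than FRS; until SYSVOL replicates, group policy on the new DC is stale, which is a security problem as well as an availability one:

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC whose "DFS Replication"
# event log reports 2213. Assumes SYSVOL uses DFSR (not FRS).
$log = 'DFS Replication'

# 1. Recent DFSR events that matter here: 2213 (volume paused, needs ResumeReplication),
#    4012 (member offline longer than MaxOfflineTimeInDays), 5002/5008 (connection failures),
#    4604 (SYSVOL initialised and shared).
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2213, 4012, 5002, 5008, 4604 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message.Split("`n")[0] }} | Format-Table -AutoSize

# 2. Resume every paused volume. This is the CIM form of the command the 2213 event text gives:
#    wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="<GUID>" call ResumeReplication
Get-CimInstance -Namespace root\MicrosoftDFS -ClassName DfsrVolumeConfig | ForEach-Object {
    $r = Invoke-CimMethod -InputObject $_ -MethodName ResumeReplication
    '{0} {1} -> ReturnValue {2}' -f $_.VolumePath, $_.VolumeGuid, $r.ReturnValue   # 0 = success
}

# 3. State of each replicated folder afterwards (0 Uninitialized, 2 Initial Sync, 4 Normal, 5 In Error).
Get-CimInstance -Namespace root\MicrosoftDFS -ClassName DfsrReplicatedFolderInfo |
    Select-Object ReplicatedFolderName, State, LastErrorCode, LastErrorMessageId | Format-Table -AutoSize
dfsrdiag ReplicationState

# 4. SYSVOL and NETLOGON must be shared on this DC, or clients that pick it cannot apply group policy.
net share | findstr /i "SYSVOL NETLOGON"
```

Event 2213 only pauses replication; it is not itself the cause of a years-old replication gap, so if step 3 still shows a folder in Initial Sync or In Error after resuming, the remaining problem is on the AD replication side and the DFSR partner list will need cleaning up together with the faulty DC's metadata.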


Hi Gary

I have shared all the images again.

Please have a look at them and advise me.

Regards

Yousuf
