We are upgrading our single 2003 domain controller (DC1) to two 2012 R2 controllers (DC2 in Sevenoaks and DC3 in Manchester (different site in Sites and Services for Manchester)). DCpromo (the wizard anyway) went through without a hitch on both new servers. I went to demote DC1 and it suggested there were no valid DCs on the domain and that it would be a mighty bad idea.
On closer inspection I noticed that DC2 and DC3 had no SYSVOL or NETLOGON shares.
Running a DCDiag on DC2 showed the following error:
Starting test: Advertising
Warning: DsGetDcName returned information for \\mfb-dc1.mortgages4business.local, when we were trying to reach
MFB-DC2.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... MFB-DC2 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
repadmin /showrepl shows no errors on DC2. So I'm thinking DNS, you can find the ipconfig for DC2 here, and the ipconfig for DC1 here - everything points to DC1, the 2003 box, which is what I want for replication purposes until SYSVOL etc are created successfully.
On DC2 there are no directory services errors at all, on DC1 things are a little more unhappy - every 15 minutes there is a batch of 12 errors and warnings created.
Four of these (1865 warnings): "The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site." Four 1311 errors (more of the same). Four 1566 errors: "All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable. Site: CN=Manchester..."
If I run DCDiag on DC1, I get some replication errors - these relate to DC3 though (the server on the other network).
[Replications Check,MFB-DC1] A recent replication attempt failed:
From MFB-DC3 to MFB-DC1
Naming Context: DC=DomainDnsZones,DC=mortgages4business,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2015-03-14 00:45:12.
The last success occurred at 2015-03-13 22:00:11.
1 failures have occurred since the last success.
[Replications Check,MFB-DC1] A recent replication attempt failed:
From MFB-DC3 to MFB-DC1
Naming Context: CN=Schema,CN=Configuration,DC=mortgages4business,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2015-03-14 00:45:15.
The last success occurred at 2015-03-13 21:45:09.
1 failures have occurred since the last success.
The guid-based DNS name 4b35c4ab-6da8-40c5-8a74-4f8ee6e12954._msdcs.mortgages4business.local
is not registered on one or more DNS servers.
All servers can ping each other and DNS looks good. All three servers have _msdcs.mortgages4business.local registered.
Edit: In DC3's logs, under file replication logs, I find: The File Replication Service is having trouble enabling replication from mfb-dc1.mortgages4business.local to MFB-DC3 for c:\windows\sysvol\domain using the DNS name mfb-dc1.mortgages4business.local. FRS will keep retrying. So perhaps my DNS theory isn't far wrong - mad thing is I can ping mfb-dc1...
What am I missing? Is this something to do with the other site? It can't replicate to DC3 so it gives up and doesn't replicate to the local DC2?
I can't add a comment, due to reputation, but I'm a 10+ year AD guy, so please allow me a little grace on the answer.
Firstly, there are no replication errors, because the DC isn't advertising itself.
I presume all DCs are also DNS servers. If not, make it so. You will want two DNS servers in the domain after the 2k3 box is decomm'ed.
DC01 is pointing to itself for DNS, while that was fine with one DC, now it's not. citation: https://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
Change the DNS client IP settings of DC01 to be:
Change the DNS client IP settings of DC02 to be:
Change the DNS client IP settings of DC03 to be:
So 01 and 03 should point to 02, 02 should point to 01. Leave IPv6 (the ::1) enabled on the 2012 servers, AD DS isn't supported with it disabled.
This line suggested this was the issue, that and known best practices:
Run DCdiag /fix on all three servers; it might be netdiag /fix on the 2003. This will re/register all SRV records for the DCs. That should resolve your DNS issues. Give it 5 minutes, then run from an elevated cmd line:
This will sync the domain. Give it a couple of hours and see what's going on with more dcdiags. If that doesn't work I would think about firewalls. Where is DC01, Sevenoaks or Manchester? Are all ports open? https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx But I wouldn't worry that it's the issue at this stage.
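As an added example (not part of the answer or the original post), the following PowerShell checks each DC for the three conditions the answer is working through: whether the DC lists itself first as its DNS server, whether SYSVOL and NETLOGON are shared, and whether the DC's GUID-based CNAME exists in _msdcs (the record the 8524 error in the question complains about). It assumes the RSAT ActiveDirectory and DnsClient modules on a 2012 R2 box and WinRM access to the other DCs.

```powershell
# Added example, not from the original thread. Run from an elevated
# PowerShell session on a 2012 R2 DC with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    $name = $dc.HostName
    Write-Host "=== $name (site: $($dc.Site), IP: $($dc.IPv4Address)) ==="

    # 1. DNS client order. With more than one DC, a DC should point at a
    #    partner first (the answer's point about DC01 pointing to itself).
    $dnsServers = Invoke-Command -ComputerName $name -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    if ($dnsServers -and $dnsServers[0] -eq $dc.IPv4Address) {
        Write-Warning "$name lists ITSELF as primary DNS: $($dnsServers -join ', ')"
    } else {
        Write-Host "DNS client order: $($dnsServers -join ', ')"
    }

    # 2. SYSVOL / NETLOGON shares. Without them the DC will fail the
    #    dcdiag Advertising test, exactly as DC2 did in the question.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (Test-Path "\\$name\$share") { Write-Host "$share share present" }
        else { Write-Warning "$share share MISSING on $name" }
    }

    # 3. GUID-based CNAME in _msdcs. The GUID is the objectGUID of the DC's
    #    NTDS Settings object; each DNS server should resolve it.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $cname   = "$dsaGuid._msdcs.$domain"
    foreach ($dnsHost in $dcs.HostName) {
        $rec = Resolve-DnsName -Name $cname -Type CNAME -Server $dnsHost `
               -ErrorAction SilentlyContinue
        if ($rec) { Write-Host "$cname resolves via $dnsHost" }
        else      { Write-Warning "$cname NOT registered on DNS server $dnsHost" }
    }

    # 4. The dcdiag tests from the question, run remotely against this DC.
    dcdiag /s:$name /test:Advertising /test:FrsEvent
}
```

If step 3 reports a missing CNAME on some server, the answer's dcdiag /fix (or restarting the Netlogon service on the affected DC) re-registers it; rerun the script afterwards to confirm before demoting DC1.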