question

Josiahbrainard-8986
0 Votes
Josiahbrainard-8986 asked, DaisyZhou-MSFT commented

Can't add new Domain Controller

Hello all and thanks in advance for any help. (Sorry if I don't format something properly, first time posting here.)

I am trying to migrate a client's domain from a server running 2008 R2 to a server running 2019.
Their domain is ad.clientdomain.com according to the 2008 DC.


The first issue happens when I try to add the new 2019 server to the domain. I go to add the domain, type in ad.clientdomain.com, and I get the error below.


 Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
 The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "ad.clientdomain.com":
 The error was: "DNS name does not exist."
 (error code 0x0000232B RCODE_NAME_ERROR)
 The query was for the SRV record for _ldap._tcp.dc._msdcs.ad.clientdomain.com
 Common causes of this error include the following:
 - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:
 192.168.254.2
 - One or more of the following zones do not include delegation to its child zone:
 ad.clientdomain.com
 clientdomain.com
 com
 . (the root zone)

I can get around this by changing the domain name that I am trying to join from ad.clientdomain.com to clientdomain. But after it joins I get this error:

 Changing the primary domain DNS name of this computer to "" failed. The name will remain "ad.clientdomain.com".

 The specified domain either does not exist or could not be contacted.

After it reboots and I try to promote it to a DC, it says it cannot contact the domain controller.

I have the old DC set as the DNS server on the new server.



Let me know if more info is needed.
Thanks again for any help!

-Josiah





Tags: windows-active-directory, windows-dhcp-dns

Hello @Josiahbrainard-8986,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

0 Votes 0 ·

Hello @Josiahbrainard-8986,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

0 Votes 0 ·

@DaisyZhou-MSFT
This is still the same, just as broken as when I started. Not sure what to try at this point. It seems like the current DC is broken, but it also still works enough to let computers join the domain and log in.

0 Votes 0 ·
DSPatrick (replying to Josiahbrainard-8986):

Did you follow my suggestion? What errors are present in the event logs since last boot?




0 Votes 0 ·
EricXiao-2896 (replying to Josiahbrainard-8986):

All firewalls off? Anti-virus firewall as well?

0 Votes 0 ·

I know the Windows firewall is off. Microsoft Security Essentials is running; should I turn that off too?

0 Votes 0 ·
DaisyZhou-MSFT
0 Votes
DaisyZhou-MSFT answered, DaisyZhou-MSFT edited

Hello @Josiahbrainard-8986,

Thank you for posting here.

Please confirm the following information at your convenience:
1. How many domains do you have in your AD domain?
2. How many DCs are in each domain, if you have multiple domains?
3. What are the operating systems of all DCs?
4. Are all DCs in your domain also DNS servers?

As I understand:
The minimum requirement to add a Windows Server 2019 Domain Controller is the Windows Server 2008 functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.

5. What is the forest/domain functional level? It should be at least the Windows Server 2008 functional level.
6. What is the SYSVOL replication engine, FRS or DFSR? It should be DFSR.

Check the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.


For your request to add a Server 2019 to the existing domain, we can set the IP address of an active DC/DNS server as its preferred DNS.

Then try to join this Server 2019 to the domain and provide a domain credential.

After adding the Server 2019 to the domain, check the information below before we promote Server 2019 as a DC.

Before we make any change in the existing AD domain environment, we had better do the following:
1. Check if the AD environment is healthy. Check that all DCs in this domain are working fine by running Dcdiag /v. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
   The forest/domain functional level should be at least the Windows Server 2008 functional level.
2. SYSVOL replication should be DFSR.
3. Back up all domain controllers.
4. Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
5. Check that gpupdate /force runs successfully on each DC.

Based on the description "after it reboots and i try to promote it to a DC it says it cannot contact to domain controller", which DC do you specify when you select the replication partner?

[screenshot attachment: any.png]


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
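The pre-promotion checklist above (functional level, DFSR migration state, SYSVOL/NETLOGON shares, and the DC locator SRV record the join wizard in the question could not find) can be run as one script. The following is an added example, not code from the thread or from Microsoft; it assumes it is run in an elevated PowerShell session on the existing 2008 R2 DC, and it takes the DC address 192.168.254.2 and the domain name ad.clientdomain.com from the question as adjustable defaults. It avoids the DnsClient cmdlets so that it also works on PowerShell 2.0.

```powershell
# Added example (not from the thread or from Microsoft): pre-promotion readiness
# checks for the scenario above. Run in an elevated PowerShell session on the
# existing 2008 R2 DC. Assumptions: the DC's address is 192.168.254.2 and the
# domain is ad.clientdomain.com (both taken from the question; adjust as needed).
param(
    [string]$DomainName = 'ad.clientdomain.com',
    [string]$DnsServer  = '192.168.254.2'
)

$results = @()
function Add-Result([string]$Check, [string]$Value, [bool]$Passed) {
    $script:results += New-Object PSObject -Property @{
        Check = $Check; Value = $Value; Passed = $Passed
    }
}

# 1. Functional level: a 2019 DC needs at least the Windows Server 2008 domain mode.
#    In the .NET DomainMode enum Windows2008Domain is 4, so >= 4 passes.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Add-Result 'Domain functional level' $domain.DomainMode.ToString() ([int]$domain.DomainMode -ge 4)

# 2. SYSVOL replication engine. LocalState is a DWORD value under the
#    "Migrating Sysvols" key; 3 (ELIMINATED) means DFSR, anything else means FRS.
$migKey = 'HKLM:\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'
$state  = (Get-ItemProperty -Path $migKey -Name LocalState -ErrorAction SilentlyContinue).LocalState
if ($state -eq $null) { $stateText = 'value missing (FRS)' } else { $stateText = "LocalState=$state" }
Add-Result 'SYSVOL replicated by DFSR' $stateText ($state -eq 3)

# 3. SYSVOL and NETLOGON must be shared on every DC (the "net share" check).
#    "net share" prints one line per share starting with the share name.
$shares = net share 2>$null
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $present = [bool]($shares | Where-Object { $_ -match "^$name\s" })
    if ($present) { $txt = 'shared' } else { $txt = 'not shared' }
    Add-Result "$name share" $txt $present
}

# 4. The DC locator SRV record the join wizard could not find, asked of the DC's
#    own DNS service. nslookup prints "svr hostname = <dc fqdn>" for each answer.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
$srvOut  = nslookup -type=SRV $srvName $DnsServer 2>&1
$srvOk   = [bool]($srvOut | Where-Object { $_ -match 'svr hostname' })
if ($srvOk) { $txt = 'registered' } else { $txt = 'missing' }
Add-Result "SRV $srvName" $txt $srvOk

$results | Format-Table Check, Passed, Value -AutoSize
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed; fix these before promoting the 2019 server."
}
```

A failed SRV check with a passing share check is the pattern in this thread: the DC is up and serving logons, but its DNS zone lacks the _msdcs locator records, so a new machine cannot find it by domain name.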




Josiahbrainard-8986
0 Votes
Josiahbrainard-8986 answered

Hello and thank you for the reply.

  1. Only 1 domain.

  2. Only 1 DC on the 1 domain.

  3. Windows Server 2008 R2.

  4. Yes?

  5. Domain functional level is 2008.

  6. Looks like that registry subkey exists but is set to 0, so I guess I am using FRS.

I will be trying to follow the steps you gave me this afternoon and will post results.

Thank you.


Josiahbrainard-8986
0 Votes
Josiahbrainard-8986 answered, DaisyZhou-MSFT commented

I ran DCDIAG /v and got this in the output:

 Doing initial required tests
    
    Testing server: Default-First-Site-Name\CLIENTSERVER
       Starting test: Connectivity
          * Active Directory LDAP Services Check
          The host 2e660063-3e0a-4ba7-9737-726faa6cd755._msdcs.ad.clientdomain.com
          could not be resolved to an IP address. Check the DNS server, DHCP,
          server name, etc.
          Got error while checking LDAP and RPC connectivity. Please check your
          firewall settings.
          ......................... CLIENTRSERVER failed test Connectivity

Hello @Josiahbrainard-8986,

It seems there is an issue with the only DC.

We should ensure this DC works fine.

Then migrate FRS to DFSR.

At last, promote Server 2019 to a 2019 DC.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

0 Votes 0 ·
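The dcdiag Connectivity test above fails because the record <NTDS Settings objectGUID>._msdcs.<forest root> does not resolve; that record is a CNAME Netlogon registers for the DC, pointing at its host name. The following added example (not from the thread) reproduces that one lookup by hand so the GUID can be compared with what is actually in the _msdcs zone. It assumes it runs elevated on the 2008 R2 DC and that the DC is its own DNS server (the thread confirms both), and it uses ADSI and nslookup so it works on PowerShell 2.0.

```powershell
# Added example (not from the thread): reproduce the dcdiag Connectivity lookup.
# dcdiag resolves <NTDS Settings objectGUID>._msdcs.<forest root>, a CNAME that
# Netlogon registers and that points at the DC's own A record.
# Assumptions: run elevated on the 2008 R2 DC, which is also its own DNS server.
$rootDse   = [ADSI]'LDAP://RootDSE'
$ntdsDn    = "$($rootDse.dsServiceName)"              # CN=NTDS Settings,CN=<DC>,...
$ntds      = [ADSI]"LDAP://$ntdsDn"
$guidBytes = [byte[]]$ntds.psbase.Properties['objectGUID'].Value
$dsaGuid   = New-Object System.Guid -ArgumentList (,$guidBytes)
$forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
$cname     = "$dsaGuid._msdcs.$forest"

Write-Host "Expected DC locator CNAME: $cname"

# Ask the DC's own DNS service for it. A healthy DC answers with
# "<cname> canonical name = <dc fqdn>" followed by the address record.
$answer = nslookup -type=CNAME $cname 127.0.0.1 2>&1
if ($answer -match 'canonical name') {
    Write-Host 'CNAME present: the Connectivity failure is not a missing locator record.'
    $answer
} else {
    Write-Warning "CNAME $cname is missing from DNS."
    Write-Warning 'Confirm the _msdcs zone exists on this DNS server and that Netlogon'
    Write-Warning 'registers into it (Netlogon events 5774/5781 in the System log report failures).'
}
```

Comparing the printed GUID with the CNAME entries visible in the DNS console tells the two cases apart: no _msdcs records at all (Netlogon never registered, typically a DNS client configuration problem on the DC) versus records for a different GUID (stale entries from an earlier promotion of the same server).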
DSPatrick
0 Votes
DSPatrick answered

I'd check that the domain controller has its own static IP address listed for DNS and no others such as the router or public DNS. Then do ipconfig /flushdns, ipconfig /registerdns, restart the Netlogon service, then check results.

--please don't forget to Accept as answer if the reply is helpful--
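The check and the re-registration steps in the answer above, as one script. This is an added example, not DSPatrick's own script; it assumes it runs elevated on the DC and that the logged-on account is a domain account (so $env:USERDNSDOMAIN holds the domain name). It uses WMI rather than the DnsClient module so it also works on 2008 R2 with PowerShell 2.0, and it refuses to re-register while a router or public DNS address is still listed, because Netlogon would otherwise try to register the locator records with a server that does not host the zone.

```powershell
# Added example (not DSPatrick's own script): verify that the DC's NIC lists only
# its own static address (or loopback) as DNS server, then repeat the
# flush / register / Netlogon restart. Assumptions: run elevated on the DC with a
# domain account; WMI is used so it also works on 2008 R2 with PowerShell 2.0.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')

# Every address bound to this host, plus loopback, is an acceptable DNS server entry.
$localIPs = @('127.0.0.1', '::1')
foreach ($nic in $nics) { $localIPs += @($nic.IPAddress) }

$problems = @()
foreach ($nic in $nics) {
    if ($nic.DHCPEnabled) {
        $problems += "$($nic.Description): address comes from DHCP, not static"
    }
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        if ($dns -and ($localIPs -notcontains $dns)) {
            $problems += "$($nic.Description): DNS server $dns is not this DC"
        }
    }
}

if ($problems.Count -gt 0) {
    Write-Warning 'Fix the NIC configuration before re-registering:'
    foreach ($p in $problems) { Write-Warning "  $p" }
    return
}

Write-Host 'DNS client settings point only at this DC; re-registering records.'
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null      # queues an A/PTR refresh with the DNS client
Restart-Service Netlogon -Force       # Netlogon rewrites the _msdcs SRV/CNAME records
Start-Sleep -Seconds 15               # give the DNS server a moment to accept them

# Then check results: the DC locator SRV record should now come back from this host.
$srv = "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN"
nslookup -type=SRV $srv 127.0.0.1
```

If the final nslookup still returns no "svr hostname" line after the restart, the problem is on the DNS server side (zone missing, dynamic updates disabled, or the zone not accepting updates from this DC) rather than in the client settings, which is where the event log suggestion later in the thread comes in.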







Josiahbrainard-8986
0 Votes
Josiahbrainard-8986 answered

Just checked; the domain controller does have itself listed as the only DNS server.

Ran ipconfig /flushdns, ipconfig /registerdns, restarted the Netlogon service, then re-ran dcdiag /v and got the same results.


DSPatrick
0 Votes
DSPatrick answered

Please run:

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt


Then put the unzipped text files up on OneDrive and share a link.




Josiahbrainard-8986
0 Votes
Josiahbrainard-8986 answered

DSPatrick
0 Votes
DSPatrick answered

What's the history here? That one is not operational in any respect.



Josiahbrainard-8986
0 Votes
Josiahbrainard-8986 answered

Not really sure. I know this is and has always been the only DC here, and it works at least a little bit; I am able to join the new server to the domain and log in with a domain user.

Not sure what history would be helpful here.


DSPatrick
0 Votes
DSPatrick answered

Skipping all tests, because server clientserver is not responding to directory service requests.

Seems badly broken right now. Might check the event logs for more clues.
