Server 2008 R2 blocked when accessing server 2019 or trying to join the domain

Patrick van Lier 1 Reputation point
2020-11-17T16:39:28.733+00:00

In short:

Member server 2008 R2 can ping the Server 2019 Std DC and do nslookups, but when trying to access \\dc01 or joining the domain, the whole member server is blocked, even ping.

Long story:

I had a client with an SBS2011 domain. Let's say the virtual domain controller was called DC01 (the 'sbsserver', so it was Server 2008 R2). There was a physical member server WEB01 which hosts an internal website.

DC01 was replaced by a Server 2019 Standard server "DC02" by adding it to the domain, replicating, migrating to DFSR and cutting off the old DC as it didn't demote nicely. After cleaning up all old DNS records, replication, ADUC, and checking for metadata using ntdsutil, the old server was officially 'exit'.

Because of a lot of external software, configuration, licensing, etc. the client demanded that the new server be renamed to the old server name, including changing to the old IP address. I said I heard that was a bad idea, never reuse old DC names, but the client was convinced the benefits outweighed the possible problems. So we did.

New setup:

Server 2019 Std as DC (GC) with name "DC01" at the old IP address. A member server called MGT01, also Server 2019 Std, and the physical server WEB01 with Server 2008 R2. DNS fully checked and updated with the correct name and IP. So far so good, everything was working except for some SMB1 clients; we had to "temporarily" reinstall SMB1 support.

Now the problem:

We use Veeam to back up both the virtual DC01 and the physical WEB01. The backup gave errors and mentioned errors with authentication and domain stuff. Naturally I suspected DNS problems. Some logs said the domain rd dc could not be found.

As the DNS on WEB01 was pointing at DC01 and other servers could access DNS and DC01 without problems, I thought it might have something to do with security and Kerberos, as DC01 was replaced but WEB01 hadn't rebooted since. I tried to reboot WEB01, tried to reset the computer account of WEB01, unjoined the domain and could join again?!

The strange part:

I reboot WEB01, I can ping DC01 from WEB01 and WEB01 from DC01. As soon as I try to join the domain or access \\dc01, the ping stops from both sides. Same for MGT01. I can ping MGT01 from WEB01 and WEB01 from MGT01, but as soon as I try to access \\mgt01 the ping stops. It seems WEB01 is completely blocked as I cannot access DNS on DC01 anymore either. That explains why the domain join is failing.

All servers have MS firewall disabled (for testing), AV is installed but not a version with firewall.

I tried to delete all DNS records for WEB01, clearing ARP tables, rebooting... nothing helped... until... I gave WEB01 another IP.

Ping successful, access to \\dc01 with domain account credentials no problem, domain join no problem. Hurray! Except all clients have software pointing at the old IP of WEB01. I tried changing WEB01 back to the old IP after joining the domain while using another IP, but the problems came back. So it seems the problem is tied to that specific IP. Not sure how Windows is blocking an IP with the firewall disabled. WEB01 will be decommissioned soon but I want to know the source of the problem, as the IP might get reused in a while and the problems might be back...

I'm out of ideas.... anyone?

  • edit:

I think the blockage is temporary, as I went away from the keyboard and when I came back ping was working again. I don't think I rebooted in between.


9 answers

  1. Anonymous
    2020-11-17T16:45:56.537+00:00

    trying to join the domain

    Please run;

    Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\problemmember.txt

    then put unzipped text files up on OneDrive and share a link.

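Alongside the dcdiag/repadmin/ipconfig collection requested above, the script below (an added example, not part of this thread) records from a Server 2019 box such as MGT01 the facts the thread keeps circling: whether the problem IP answers from a single MAC (duplicate-IP check), whether the renamed DC01 resolves to its reused address and has its SRV records, which DC the locator hands out, which DC ports are reachable, and whether this box's secure channel is healthy. The domain name, DC name and the 192.0.2.115 address are placeholders for the thread's real values.

```powershell
# Added diagnostic example; assumes PowerShell 5.1 on Server 2019 run as administrator.
param(
    [string]$Domain   = 'domain.local',   # placeholder for the real domain
    [string]$DcName   = 'dc01',           # the DC that reused the old name and IP
    [string]$MemberIp = '192.0.2.115'     # placeholder for the blocked member IP (.115)
)

$report = [ordered]@{}

# 1. Duplicate-IP check: after a ping the neighbour cache should hold exactly one MAC
#    for the member IP; two different MACs means another host claims the address.
$null = Test-Connection -ComputerName $MemberIp -Count 1 -Quiet -ErrorAction SilentlyContinue
$neigh = Get-NetNeighbor -IPAddress $MemberIp -ErrorAction SilentlyContinue |
         Where-Object State -ne 'Unreachable'
$macs = @($neigh.LinkLayerAddress | Sort-Object -Unique)
$report['MemberMacs']         = $macs -join ','
$report['MemberHasSingleMac'] = ($macs.Count -eq 1)

# 2. DNS: the renamed DC must resolve to the reused address and own the domain SRV records.
$a   = Resolve-DnsName -Name "$DcName.$Domain" -Type A -ErrorAction SilentlyContinue
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$report['DcAddresses'] = ($a.IPAddress -join ',')
$report['SrvTargets']  = (($srv.NameTarget | Sort-Object -Unique) -join ',')

# 3. DC locator: which DC does this box actually get for the domain right now?
$report['DsGetDc'] = ((nltest /dsgetdc:$Domain 2>&1 | Select-String 'DC:|Address:') -join ' ')

# 4. Ports a domain join or \\dc01 access depends on: DNS, Kerberos, RPC, LDAP, SMB.
foreach ($p in 53, 88, 135, 389, 445) {
    $t = Test-NetConnection -ComputerName "$DcName.$Domain" -Port $p -WarningAction SilentlyContinue
    $report["Tcp$p"] = $t.TcpTestSucceeded
}

# 5. Secure channel of this box to the domain (the thread resets WEB01's computer account).
$report['SecureChannel'] = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

[pscustomobject]$report | Format-List
```

Run it twice, once while the member is reachable and once right after the \\dc01 access that triggers the block, and diff the two outputs; a second MAC or a changed DC address points at the network, while a failed secure channel or missing SRV target points at the directory.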

  2. Patrick van Lier 1 Reputation point
    2020-11-17T19:25:01.817+00:00

    https://1drv.ms/u/s!Ar1UMDq5qGJQgTqC_nc3gtelue_7?e=ZP3jIO

    Because of privacy I did a search and replace:
    I replaced dc name with dc
    I replaced domain name with domain or domain.local where applicable
    I replaced member name with member

    member now has ip .117, problem ip is .115


  3. Anonymous
    2020-11-17T19:30:15.25+00:00

    Multi-homing a domain controller will always cause no end of grief for Active Directory domain DNS. I'd remove the RRAS role and install the RRAS role on a member server. Since this one was a show stopper I did not look at the other files. After corrections, if problems persist, then put up a new set of files to look at.

    --please don't forget to Accept as answer if the reply is helpful--


  4. Patrick van Lier 1 Reputation point
    2020-11-17T20:06:16.113+00:00

    Hi DSPatrick, thanks for your prompt reply.

    We have dozens of small companies that only have 1 server and have the RRAS role installed on the DC, including Server 2019. I do understand your opinion about problems with multi-homing, but I haven't had this problem at any server in my 20 years of server management, including equal servers that are live today. And also it won't explain why the problem is work-around-able by using another IP. I have no option to change the RRAS at the moment, so please keep up your efforts in helping me.

    Note: I already disabled IPv6 at the DC as that might have been a problem, but it didn't help. That's logical, as another IPv4 address at the member fixes the problem. I have a feeling it might have something to do with secure negotiation with the DC from the old IP or such... But again, removing from and adding back to the domain should have solved that, and also the IP change should not fix that. I can't get my head around the fact that only that IP is blocked. I already checked for duplicate IP addresses, but no go.


  5. Anonymous
    2020-11-17T20:25:45.117+00:00

    Regardless, it is a bad practice and causes unexpected results, which you are now experiencing. A better option for a single server deployment is to install the Hyper-V role on the host, then stand up two virtual machine guests: one for Active Directory Domain Services and the other one for applications, etc.

    --please don't forget to Accept as answer if the reply is helpful--
