Hello: After the "typical" domain lost connectivity error between two domain controllers in different sites (with I dont know if lingering objects), after trying an autorithy restore (D4 in the main site and D2 in the secondary), and after trying to migrate fsmo roles and create a new domain controller to recover all, i have a difficult situation now, problems with clients that cannot access to network resources from sometimes ip, sometimes name: DC01 (main site, we will love to do this the main one again, the right database): DNS problems, nslookup is not working and DFSR -1202 errors are in the event viewer (and 13562 NTFRS errors). You cann add the dns console only from DC03. Can resolve DC02 from ping but not DC03. you cannot edit GPOs (error the system cannot find the path), and it is displayed an error that cannot find one GPO (cannot say which one, one of the tops). Errors 1865, 1311 and 1566 in the directory service event viewer. DC02 (secondary site): DNS ok. Cannot access some GPos, event viewer 1058 and 4. Event viewer errors 1925 and 1645, about DC01 not to be recognise as an account (SPN). Cannot access the gpos too. DC03: new DC in the main site. DNS ok, but you cannot access ibchdc00 from here. Cannot access the gpos too. We stuck in the middle of fsmo migration, so at this moment DC02 see a different fsmo role assingment than the other 2. We tried again with ntdsutil the migration, it was not displayed error, but still the same: From DC01: all roles are in DC03 From DC02: Master of schema, Domain Names and PDC, are in DC03. RID and infraestructure are in DC02. From DC03: all roles are in DC03 From the site and services you can replicate from DC01 to DC02, but not to DC03. From DC02 to DC03 yes, but not from DC03 to DC01 or DC02. From DC03 you cannot replicate to anyone. I can show you dcdiag, thanks at all. SP

Well, I think the problem with the network adapter its most an outcome of the resolution and dns problem, that is my big point. I checked all of the dns servers configured in the clients and domain controllers and are ok. I think its more the file replication issue, the ports used for that are not up, but the service yes (and we have reboot it, even the complete server)

ports used for that are not up then you'll want to resolve this problem as first step. --please don't forget to Accept as answer if the reply is helpful--

ok, i had been recovering the environment. At this point i have DC01 fully recovered (and with domain profile network working) and DC02 fully recovered (and with domain profile network working). The main thing is that there is no replication, not working, if I execute port query Domain and Trust scan: From DC01 to DC02 : (I put only some of then, the others are ok) TCP port 42 (nameserver service): NOT LISTENING TCP port 88 (kerberos service): LISTENING UDP port 88 (kerberos service): LISTENING or FILTERED Starting portqry.exe -n 172.16.1.211 -e 137 -p UDP ... portqry.exe -n 172.16.1.211 -e 137 -p UDP exits with return code 0x80000003. UDP port 138 (netbios-dgm service): LISTENING or FILTERED TCP port 139 (netbios-ssn service): LISTENING From DC02 to DC01 : (I put only some of then, the others are ok) TCP port 42 (nameserver service): NOT LISTENING UDP port 88 (kerberos service): LISTENING or FILTERED Starting portqry.exe -n 172.16.2.105 -e 137 -p UDP ... portqry.exe -n 172.16.2.105 -e 137 -p UDP exits with return code 0x80000003. UDP port 138 (netbios-dgm service): LISTENING or FILTERED TCP port 139 (netbios-ssn service): LISTENING In Sites and services of active directory : From DC01: Site01-DC01: there is automatic generation conexion and its ok if I tested it. Site02-DC02: there is no automatic generation conection, If i create it, it didnt work. From DC02: Site01-DC01: there is automatic generation conexion but if I tested it, it fails. Site02-DC02: there is no automatic generation conection, If i create it, it didnt work. I can access from 2 DCs to resource domain shares, and there are sysvol, netlogon and domain, scripts etc folders... The clients are all without trusted relationship with the domain, if you readded to it , it is recover in that way, but there is still no access to network shares, not netbios or dns name, not by ip. thanks

ok, i had been recovering the environment Are you restoring from backups? What is meant?

I had to restore DC01 from backup, leaving alone that domain controller (the DC02 was always offline). Then I applied D4 procedure to DC01 and delete all the metada of DC02. Then I depromoted forcelly DC02 (always offline, without network link) and when DC02 was out of the domain again (workgroup), i connected again to the network and join the domain and promoted again as domain controller.

Active Directory problems, replication. Help!

JSP 1

Hello:

After the "typical" domain lost connectivity error between two domain controllers in different sites (with I dont know if lingering objects), after trying an autorithy restore (D4 in the main site and D2 in the secondary), and after trying to migrate fsmo roles and create a new domain controller to recover all, i have a difficult situation now, problems with clients that cannot access to network resources from sometimes ip, sometimes name:

DC01 (main site, we will love to do this the main one again, the right database): DNS problems, nslookup is not working and DFSR -1202 errors are in the event viewer (and 13562 NTFRS errors). You cann add the dns console only from DC03. Can resolve DC02 from ping but not DC03. you cannot edit GPOs (error the system cannot find the path), and it is displayed an error that cannot find one GPO (cannot say which one, one of the tops). Errors 1865, 1311 and 1566 in the directory service event viewer.
DC02 (secondary site): DNS ok. Cannot access some GPos, event viewer 1058 and 4. Event viewer errors 1925 and 1645, about DC01 not to be recognise as an account (SPN). Cannot access the gpos too.
DC03: new DC in the main site. DNS ok, but you cannot access ibchdc00 from here. Cannot access the gpos too.

We stuck in the middle of fsmo migration, so at this moment DC02 see a different fsmo role assingment than the other 2. We tried again with ntdsutil the migration, it was not displayed error, but still the same:

From DC01: all roles are in DC03
From DC02: Master of schema, Domain Names and PDC, are in DC03. RID and infraestructure are in DC02.
From DC03: all roles are in DC03

From the site and services you can replicate from DC01 to DC02, but not to DC03. From DC02 to DC03 yes, but not from DC03 to DC01 or DC02. From DC03 you cannot replicate to anyone.

I can show you dcdiag,

thanks at all.
SP

Hannah Xiong 6,276 Reputation points

2020-08-11T02:38:45.57+00:00

Hello,

Thank you so much for posting here.

May I know the current situation of our issue? Hope the provided information is helpful to you.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong
JSP 1 Reputation point

2020-08-11T06:42:56.763+00:00
Hello!

We opened a Microsoft support ticket, the action plan is:

Deploy a new domain controller in site 2, from DC01 in site 1.

Elevate domain functional level from 2003 to at least 2008 (or 2012).

Change replication to DFSR.

We are now with this, i will let you know thanks to all
Hannah Xiong 6,276 Reputation points

2020-08-12T01:48:27.683+00:00

Hello,

You are welcome. Thank you so much for your feedback.

Thank you for sharing the action plan here. It will be very beneficial for other community members who have similar questions. Hope our issue will be resolved soon. Thanks again.

Best regards,
Hannah Xiong

14 answers

JSP 1 Reputation point

2020-08-08T15:29:28.26+00:00

Well, I think the problem with the network adapter its most an outcome of the resolution and dns problem, that is my big point. I checked all of the dns servers configured in the clients and domain controllers and are ok.

I think its more the file replication issue, the ports used for that are not up, but the service yes (and we have reboot it, even the complete server)
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Anonymous

2020-08-08T15:32:39.29+00:00

ports used for that are not up

then you'll want to resolve this problem as first step.

--please don't forget to Accept as answer if the reply is helpful--
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
JSP 1 Reputation point

2020-08-09T12:46:54.703+00:00

ok, i had been recovering the environment. At this point i have DC01 fully recovered (and with domain profile network working) and DC02 fully recovered (and with domain profile network working). The main thing is that there is no replication, not working, if I execute port query Domain and Trust scan:

From DC01 to DC02: (I put only some of then, the others are ok)
TCP port 42 (nameserver service): NOT LISTENING
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
Starting portqry.exe -n 172.16.1.211 -e 137 -p UDP ...
portqry.exe -n 172.16.1.211 -e 137 -p UDP exits with return code 0x80000003.
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING

From DC02 to DC01: (I put only some of then, the others are ok)

TCP port 42 (nameserver service): NOT LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
Starting portqry.exe -n 172.16.2.105 -e 137 -p UDP ...
portqry.exe -n 172.16.2.105 -e 137 -p UDP exits with return code 0x80000003.
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING

In Sites and services of active directory:
From DC01:
Site01-DC01: there is automatic generation conexion and its ok if I tested it.
Site02-DC02: there is no automatic generation conection, If i create it, it didnt work.

From DC02:
Site01-DC01: there is automatic generation conexion but if I tested it, it fails.
Site02-DC02: there is no automatic generation conection, If i create it, it didnt work.

I can access from 2 DCs to resource domain shares, and there are sysvol, netlogon and domain, scripts etc folders...

The clients are all without trusted relationship with the domain, if you readded to it , it is recover in that way, but there is still no access to network shares, not netbios or dns name, not by ip.

thanks
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Anonymous

2020-08-09T12:51:21.77+00:00

ok, i had been recovering the environment

Are you restoring from backups? What is meant?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
JSP 1 Reputation point

2020-08-09T14:33:26.357+00:00

I had to restore DC01 from backup, leaving alone that domain controller (the DC02 was always offline). Then I applied D4 procedure to DC01 and delete all the metada of DC02. Then I depromoted forcelly DC02 (always offline, without network link) and when DC02 was out of the domain again (workgroup), i connected again to the network and join the domain and promoted again as domain controller.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Active Directory problems, replication. Help!

14 answers

Your answer