Hello: After the "typical" domain lost connectivity error between two domain controllers in different sites (with I dont know if lingering objects), after trying an autorithy restore (D4 in the main site and D2 in the secondary), and after trying to migrate fsmo roles and create a new domain controller to recover all, i have a difficult situation now, problems with clients that cannot access to network resources from sometimes ip, sometimes name: DC01 (main site, we will love to do this the main one again, the right database): DNS problems, nslookup is not working and DFSR -1202 errors are in the event viewer (and 13562 NTFRS errors). You cann add the dns console only from DC03. Can resolve DC02 from ping but not DC03. you cannot edit GPOs (error the system cannot find the path), and it is displayed an error that cannot find one GPO (cannot say which one, one of the tops). Errors 1865, 1311 and 1566 in the directory service event viewer. DC02 (secondary site): DNS ok. Cannot access some GPos, event viewer 1058 and 4. Event viewer errors 1925 and 1645, about DC01 not to be recognise as an account (SPN). Cannot access the gpos too. DC03: new DC in the main site. DNS ok, but you cannot access ibchdc00 from here. Cannot access the gpos too. We stuck in the middle of fsmo migration, so at this moment DC02 see a different fsmo role assingment than the other 2. We tried again with ntdsutil the migration, it was not displayed error, but still the same: From DC01: all roles are in DC03 From DC02: Master of schema, Domain Names and PDC, are in DC03. RID and infraestructure are in DC02. From DC03: all roles are in DC03 From the site and services you can replicate from DC01 to DC02, but not to DC03. From DC02 to DC03 yes, but not from DC03 to DC01 or DC02. From DC03 you cannot replicate to anyone. I can show you dcdiag, thanks at all. SP

Hi, When you perform a medata cleanup and force the DC demotion , if the demoted DC hold a FSMO role you have to seize the role to another DC. then if you want to promote again as domain controller it's recommended to rebuild from scratch as mentioned by David before the Domain controller promotion.

Hello: Update: Finally we did the mentioned plan: ->Remove completely (with metadacleanup etc..) the old DC02 in site 2. ->Elevate domain functional level from 2003 to at least 2008. ->Change replication to DFSR. ->Deploy a new domain controller in site 2, from DC01 in site 1. This new domain controler DC2 is a RODC, without DNS. We have a copy of the main DNS in another server (not domain controller). All about replication is ok from active directory replication status tool and from dcdiag and repl, etc. commands, but we have the "known" issue of having the old SRV records in DNS (from the "old removed completely" DC02) and even repeat SRV records from the DC01 both in capital records, and only the current one in low records. DC01 (the DNS server) is Windows 2012R2. We have check all about a good configuration in network interfaces, restarting, etc, but if you delete manually that SRV records, they are recreated inmediately automatically so its not possible to delete it. We also check this: https://support.microsoft.com/en-gb/help/4496901/windows-dns-registers-duplicate-srv-records-for-a-dc But is for 2016/2019 server versions, not 2012 R2. Anyone with this issue? thanks at all.

*** I mean capital and low letters.

The last thing I have tried, but without success: https://social.technet.microsoft.com/Forums/sqlserver/en-US/44d57abb-9544-4758-81e6-147a3de8cc66/cannot-delete-old-srv-records-of-demoted-dcs-in-dns?forum=winserverDS

Active Directory problems, replication. Help!

JSP 1

Hello:

After the "typical" domain lost connectivity error between two domain controllers in different sites (with I dont know if lingering objects), after trying an autorithy restore (D4 in the main site and D2 in the secondary), and after trying to migrate fsmo roles and create a new domain controller to recover all, i have a difficult situation now, problems with clients that cannot access to network resources from sometimes ip, sometimes name:

DC01 (main site, we will love to do this the main one again, the right database): DNS problems, nslookup is not working and DFSR -1202 errors are in the event viewer (and 13562 NTFRS errors). You cann add the dns console only from DC03. Can resolve DC02 from ping but not DC03. you cannot edit GPOs (error the system cannot find the path), and it is displayed an error that cannot find one GPO (cannot say which one, one of the tops). Errors 1865, 1311 and 1566 in the directory service event viewer.
DC02 (secondary site): DNS ok. Cannot access some GPos, event viewer 1058 and 4. Event viewer errors 1925 and 1645, about DC01 not to be recognise as an account (SPN). Cannot access the gpos too.
DC03: new DC in the main site. DNS ok, but you cannot access ibchdc00 from here. Cannot access the gpos too.

We stuck in the middle of fsmo migration, so at this moment DC02 see a different fsmo role assingment than the other 2. We tried again with ntdsutil the migration, it was not displayed error, but still the same:

From DC01: all roles are in DC03
From DC02: Master of schema, Domain Names and PDC, are in DC03. RID and infraestructure are in DC02.
From DC03: all roles are in DC03

From the site and services you can replicate from DC01 to DC02, but not to DC03. From DC02 to DC03 yes, but not from DC03 to DC01 or DC02. From DC03 you cannot replicate to anyone.

I can show you dcdiag,

thanks at all.
SP

Hannah Xiong 6,276 Reputation points

2020-08-11T02:38:45.57+00:00

Hello,

Thank you so much for posting here.

May I know the current situation of our issue? Hope the provided information is helpful to you.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong
JSP 1 Reputation point

2020-08-11T06:42:56.763+00:00
Hello!

We opened a Microsoft support ticket, the action plan is:

Deploy a new domain controller in site 2, from DC01 in site 1.

Elevate domain functional level from 2003 to at least 2008 (or 2012).

Change replication to DFSR.

We are now with this, i will let you know thanks to all
Hannah Xiong 6,276 Reputation points

2020-08-12T01:48:27.683+00:00

Hello,

You are welcome. Thank you so much for your feedback.

Thank you for sharing the action plan here. It will be very beneficial for other community members who have similar questions. Hope our issue will be resolved soon. Thanks again.

Best regards,
Hannah Xiong

14 answers

Thameur-BOURBITA 33,006 Reputation points

2020-08-09T15:59:22.45+00:00

Hi,

When you perform a medata cleanup and force the DC demotion , if the demoted DC hold a FSMO role you have to seize the role to another DC. then if you want to promote again as domain controller it's recommended to rebuild from scratch as mentioned by David before the Domain controller promotion.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
JSP 1 Reputation point

2020-09-09T11:19:10.35+00:00

Hello:

Update:

Finally we did the mentioned plan:

->Remove completely (with metadacleanup etc..) the old DC02 in site 2.
->Elevate domain functional level from 2003 to at least 2008.
->Change replication to DFSR.
->Deploy a new domain controller in site 2, from DC01 in site 1. This new domain controler DC2 is a RODC, without DNS. We have a copy of the main DNS in another server (not domain controller).

All about replication is ok from active directory replication status tool and from dcdiag and repl, etc. commands, but we have the "known" issue of having the old SRV records in DNS (from the "old removed completely" DC02) and even repeat SRV records from the DC01 both in capital records, and only the current one in low records. DC01 (the DNS server) is Windows 2012R2. We have check all about a good configuration in network interfaces, restarting, etc, but if you delete manually that SRV records, they are recreated inmediately automatically so its not possible to delete it.

We also check this: https://support.microsoft.com/en-gb/help/4496901/windows-dns-registers-duplicate-srv-records-for-a-dc But is for 2016/2019 server versions, not 2012 R2.

Anyone with this issue?

thanks at all.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
JSP 1 Reputation point

2020-09-09T11:20:00.57+00:00

*** I mean capital and low letters.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
JSP 1 Reputation point

2020-09-11T08:05:21.913+00:00

The last thing I have tried, but without success: https://social.technet.microsoft.com/Forums/sqlserver/en-US/44d57abb-9544-4758-81e6-147a3de8cc66/cannot-delete-old-srv-records-of-demoted-dcs-in-dns?forum=winserverDS
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Active Directory problems, replication. Help!

14 answers

Your answer