I just migrated a 2003 domain to 2012 R2. Things were working ok & then XP clients became AD stupid.
Steps I took:
Added a VM 2012 R2 DC to the domain. Server had DNS installed. Ran dcdiag & bpa and resolved any issues.
About a week later I moved all roles over to the VM DC.
Tore down one of the NT2003 DCs (not VM) and rebuit it as a 2012 R2 DC w/DNS. Ran dcdiag & bpa and resolved any issues. Had problems with DNS scavenging removing some static records. readded records & made sure the "Delete
record when it becomes stale" was unchecked on all static records (all fwd & rev zones).
Moved all roles from the VM DC to the hardware DC.
After a week I tore down the 2nd (& last) nt2003 DC (not VM) and rebuilt it as a 2012 R2 DC w/DNS. Ran dcdiag/bpa and fixed any issues. Also ran it on the other DCs.
Removed the VM 2012 R2 DC from the domain (demote, remove features, remove from domain, power off, delete VM).
Everything seems to be working fine. dcdiags look clean, event logs seem good.
Bump forest/domain to 2012 R2 native.
Then, a few days later, it goes bad. I (after hours) install all accumulated updates on both DCs. Reboot both.
Next AM a user calls. Her thin client cannot connect to the terminal services server. DNS has deleted its dns record, even though the delete when stale was unchecked. :| So I readd the static record and turn off scavenging.
Problem solved.
Next call s from a XP user (we have XP, Win 7, and thin clients). She cannot print. Printers show "cannot connect". Try various things to no avail. Check Win 7 boxes and they're working fine & printers are connected.
Note that the XP & Win7 boxes all pull their DHCP address from the same dhcp server/scope.
Review error logs and run dcdiag. There are several somewhat esoteric errors. After several hours or tail chasing I decide to take a more scorched earth tack. I demote the 2nd DC and remove AD & DNS from it. After demotion and role
removal I check AD and it still shows the DC. I remove the now just a server from the domain. Clean up DNS & AD removing all traces. This takes a while as I have to run variuos scripts (tahnk you google) to ensure AD is clean.
Run dcdiag and resolve issues. Even a detailed dcdiag comes out clean. Replication tests show the old server is now forgotten.
Check XP boxes and they still show printers as "cannot connect".
Remove a XP PC from the domain. Try to rejoin and I get a error. Rename it and still get the error. I can ping, nslookup, etc and they return the correct IP.
I've tried the simple change the join a domain in system properties. That gives a somewht non descript error. The network identification wizard seemed to find the domain but didn't work. As it was trying to find the PC in AD, I went ahead
and added it via AD users& Computer console. Run the wizard and it tells me it found the record in AD. It then says "a domain controller for the domain [ourdomain] could not be contacted." !? Yet the prior screen it told
me it had found the record for the PC on the DC.
nslookup for ourdomain.local as well as dcname.ourdomain.local resolve correctly. Tried chenging the PC to static - no change. Rename the old win 2012 R2 dc (now just a server outside the domain), reboot, and the try to rejoin the domain.
Works flawlessly.
BTW - We're running tcpip w/o netbios over tcpip.
So basically my XP boxes cannot use AD printers and cannot join the domain. IDK if they're picking up gp updates (I'll check in the AM), but I suspect they're not.
Short of buying a truckload of Win 7 licenses and reloading OSs, what can I do to fix this?
Details on the XP box error (fyi - I did a record to record comparison to a Win 2008 domain's SRV records and they look identical (except, fo course, the domain& server names)) :
The domain name [ourdomain] might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain [ourdomain]:
The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.[ourdomain]
Common causes of this error include the following:
- The DNS SRV record is not registered in DNS.
- One or more of the following zones do not include delegation to its child zone:
[ourdomain]
. (the root zone)
For information about correcting this problem, click Help.
dcdiag /test:dns results
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Domctl1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DOMCTL1
Starting test: Connectivity
......................... DOMCTL1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DOMCTL1
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... DOMCTL1 passed test DNS
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : [ourdomain]
Running enterprise tests on : [ourdomain].local
Starting test: DNS
Test results for domain controllers:
DC: Domctl1.[ourdomain].local
Domain: [ourdomain].local
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record in zone [ourdomain].local
Domctl1 PASS PASS PASS PASS WARN PASS n/a
......................... [ourdomain].local passed test DNS
