New Domain Controller is not advertising as a domain controller

  • Question

  • Hi,

    I promoted a Windows 2012 R2 RODC via PowerShell script. The server did not reboot after replication or advertise as a Domain Controller, although I can see EventID 29223 "This server is now a Domain Controller."

    I did not find any useful information in the logs in the debug folder, and "Active Directory Domain Services was shut down successfully." on EventID 1004

    Any idea to resolve the issue? 

    Thanks


    Friday, September 16, 2016 9:36 AM

Answers

  • Why can't you run it on the other DC's??

    I have had the exact same issue, and although we were DAs in the same domain, the other DC's were controlled by other organizations and people.  So one domain, many organizations.  The problem is that AD is designed for all the DC's to talk to each other, and if the other organizations had firewalls or something up, that would block parts of the promotion process.  This is where portqry comes in.  For us, it was the PDC being hosted at a different site.  But there are 5 roles, and the new DC may need to talk to all the role holders, AND the member DC in order to initiate replication.  This caused unending problems until finally management allowed complete access between all DC's on all ports, but any new DC's had to be added to the list.  So I would triple check your DNS and your ports.  The replication partner will be pulled from DNS DOMAIN.COM and there is a list of IP's there, and you can't choose which one.

    One final note.  you CAN manipulate the process a little, by forcing the initial DC by either making a manual entry in the lmhosts file or a command.  The command to tell it which DC to talk to is here, but I am not sure how it will react to DCPROMO process, the lmhosts may give better results.

    But here are the commands in case it helps:

    • nltest /dsgetdc:domain.local                          (who is the current DC)
    • nltest /Server:client0 /SC_RESET:domain.local\dc1     (repoint the client)


    BlankMonkey

    • Proposed as answer by Alvwan Tuesday, October 4, 2016 1:08 AM
    • Marked as answer by Alvwan Monday, October 10, 2016 3:09 AM
    Wednesday, September 28, 2016 5:02 PM
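The checks the accepted answer describes, as an added PowerShell example that is not from the thread: it reports the local NTDS service state, runs the dcdiag Advertising test, and probes the static AD ports on every DC that DNS hands out for the domain (the same list the locator and nltest /dsgetdc draw from). `$Domain` is a placeholder; the RPC dynamic port range that PortQry's AD template also covers is not probed here.

```powershell
# Added example, not from the thread. Run on the newly promoted DC as a domain
# admin. Assumes the DnsClient and NetTCPIP modules shipped with 2012 R2.
param([string]$Domain = 'domain.local')   # placeholder domain name

# 1. Local directory service: EventID 1004 in the thread shows it had stopped.
$ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
'NTDS service state: {0}' -f $(if ($ntds) { $ntds.Status } else { 'not installed' })

# 2. Does the DC locator consider this host a DC? This is the test that a DC
#    that never announced itself after promotion fails.
dcdiag /test:Advertising /s:$env:COMPUTERNAME |
    Select-String -Pattern 'Advertising|passed|failed'

# 3. DCs that DNS returns for the domain (the candidate replication partners)
#    and the fixed ports the promotion/replication path needs to reach on them.
$ports = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
    445 = 'SMB'; 464 = 'Kerberos password'; 636 = 'LDAPS'; 3268 = 'GC'; 3269 = 'GC SSL'
}
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

foreach ($dc in $dcs) {
    foreach ($p in $ports.Keys) {
        # Quiet mode returns $true/$false only; warnings for closed ports are muted.
        $open = Test-NetConnection -ComputerName $dc -Port $p `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-30} {1,5} {2,-20} {3}' -f $dc, $p, $ports[$p],
            $(if ($open) { 'open' } else { 'BLOCKED' })
    }
}
```

A DC listed by DNS with any row marked BLOCKED is a partner the promotion may pick and then fail against, which matches the symptom the answer describes.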

All replies

  • Hi,

    Could you please post result of below mentioned command?

    • nltest /dclist:domain_name.com
    • netdom query dc
    • netdom query fsmo
    • net share
    • dcdiag /q
    • repadmin /options *.*
    • "ipconfig /all" of all domain controllers

    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.


    Friday, September 16, 2016 10:02 AM
  • The ADDS service on the server is already shut down and cannot be started.

    nltest /dclist:domain_name.com
    RODC.xxx.com [RODC] [DS] Site: sitename


    netdom query fsmo
    the result is correct

    net share
    Share name   Resource                        Remark

    ---------------------------------------------------------------------
    C$           C:\                             Default share
    IPC$                                         Remote IPC
    ADMIN$       C:\Windows                      Remote Admin
    The command completed successfully.

    dcdiag /q
       ***Error: RODC is not a Directory Server.  Must specify
       /s:<Directory Server> or  /n:<Naming Context> or nothing to use the local
       machine.
       ERROR: Could not find home server.

    I cannot post the other results, which look good and are very long.

    Friday, September 16, 2016 10:29 AM
  • Hi,

    Have you rebooted RODC and let the replication cycle complete?

    It seems to me a communication problem with the RWDC. Could you please verify if the network ports are already open? You may refer to this article



    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Friday, September 16, 2016 2:43 PM
  • Hi,

    Have you rebooted RODC and let the replication cycle complete?

    It seems to me a communication problem with the RWDC. Could you please verify if the network ports are already open? You may refer to this article



    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    I have had this issue for a while. If I reboot this RODC, I won't be able to do anything on the server and will get an access denied error on every application.

    Network ports on the source DC are definitely open, and I can successfully promote another RODC via GUI.

    Friday, September 16, 2016 2:57 PM
  • I have often had network problems where I thought ports were open and were not.  A useful tool I found is PortQRY on Microsoft's site. There is a drop down menu that has AD as an automatic option, and will validate all your network connections.

    https://www.microsoft.com/en-us/download/details.aspx?id=24009


    BlankMonkey

    Friday, September 16, 2016 3:01 PM
  • Any word on this?

    BlankMonkey

    Monday, September 19, 2016 2:38 PM
  • I have often had network problems where I thought ports were open and were not.  A useful tool I found is PortQRY on Microsoft's site. There is a drop down menu that has AD as an automatic option, and will validate all your network connections.

    https://www.microsoft.com/en-us/download/details.aspx?id=24009


    BlankMonkey

    I ran the tool and did not find any firewall port issue.

    And another RODC promotion had the same issue last night.

    Tuesday, September 20, 2016 8:17 AM
  • Hi,

    First you need to make sure at least one writable domain controller running Windows Server 2012 R2 for the same domain as the RODC. This provides the RODC with a replication partner.

    And temporarily disable Windows Firewall and antivirus program to check the result.

    Besides, make sure that the PDC Emulator is hosted on a Windows Server 2012 R2-based DC. Grant all of the Replicating Directory Changes permissions (along with List contents and Read all properties) to the Enterprise Read-only Domain Controllers group on CN=Schema,CN=Configuration,DC=<domain>,DC=com (you can make this change via ADSIEdit.msc).

    You might want to also verify that the same permissions are granted to other partitions (Configuration, domain naming context, application partitions)

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    • Edited by Alvwan Thursday, September 22, 2016 2:49 AM
    Thursday, September 22, 2016 2:48 AM
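A way to verify the permissions the reply above asks for, as an added PowerShell example that is not from the thread: it walks every naming context the DC holds (schema, configuration, domain, application partitions) and reports whether the Enterprise Read-only Domain Controllers group has the three Replicating Directory Changes extended rights plus List contents and Read all properties. It assumes the ActiveDirectory module; the rightsGuid values are the schema's well-known controlAccessRight GUIDs, not invented ones.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT-AD-PowerShell) and read access to the partition security descriptors.
Import-Module ActiveDirectory

# rightsGuid of each replication extended right as defined in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$Group   = 'Enterprise Read-only Domain Controllers'
$Wanted  = @($ReplRights.Values) + 'List contents', 'Read all properties'

foreach ($nc in (Get-ADRootDSE).namingContexts) {
    # Allow ACEs on the partition head that name the ERODC group.
    $aces = (Get-Acl -Path "AD:\$nc").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -like "*\$Group" }
    $found = @{}
    foreach ($ace in $aces) {
        $guid = $ace.ObjectType.ToString().ToLower()
        if ($ReplRights.ContainsKey($guid)) { $found[$ReplRights[$guid]] = $true }
        # GenericAll/GenericRead would also satisfy these; this checks the
        # explicit rights the ADSIEdit procedure grants.
        if ($ace.ActiveDirectoryRights -match 'ListChildren|GenericAll|GenericRead') {
            $found['List contents'] = $true
        }
        # ReadProperty with an empty ObjectType means "all properties".
        if ($ace.ActiveDirectoryRights -match 'ReadProperty|GenericAll|GenericRead' -and
            $ace.ObjectType -eq [guid]::Empty) {
            $found['Read all properties'] = $true
        }
    }
    "`n$nc"
    foreach ($name in $Wanted) {
        '  {0,-48} {1}' -f $name, $(if ($found[$name]) { 'granted' } else { 'MISSING' })
    }
}
```

Any MISSING row on the schema or configuration partition is exactly the condition the reply says to correct in ADSIEdit before retrying the promotion.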
  • Hi,

    First you need to make sure at least one writable domain controller running Windows Server 2012 R2 for the same domain as the RODC. This provides the RODC with a replication partner.

    And temporarily disable Windows Firewall and antivirus program to check the result.

    Besides, make sure that the PDC Emulator is hosted on a Windows Server 2012 R2-based DC. Grant all of the Replicating Directory Changes permissions (along with List contents and Read all properties) to the Enterprise Read-only Domain Controllers group on CN=Schema,CN=Configuration,DC=<domain>,DC=com (you can make this change via ADSIEdit.msc).

    You might want to also verify that the same permissions are granted to other partitions (Configuration, domain naming context, application partitions)

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    I have more than one writable Windows 2012 R2 DC, and the PDC Emulator is on Windows 2012 R2.

    Friday, September 23, 2016 10:50 AM
  • You mentioned the portqry came back clean.  Did you run it on all the servers in question, including the PDC role holder?

    BlankMonkey

    Friday, September 23, 2016 5:54 PM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 27, 2016 2:34 AM
  • You mentioned the portqry came back clean.  Did you run it on all the servers in question, including the PDC role holder?

    BlankMonkey

    I cannot run portqry on all the DCs, but there is no issue on the PDC role server.

    I can successfully promote the DC or RODC via GUI, but I always get this issue when I promote the RODC via PowerShell script.

    Tuesday, September 27, 2016 3:03 PM
  • Hi,

    Maybe you could try to remove the failed RODC and reinstall it:

    RODC Removal and Reinstallation

    https://technet.microsoft.com/en-us/library/cc835490(v=ws.10).aspx

    Remove corrupted RODC from AD

    https://social.technet.microsoft.com/Forums/office/en-US/e7e846c0-c3d7-4799-97ab-f649040b496c/remove-corrupted-rodc-from-ad?forum=winserverDS

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 28, 2016 10:55 AM