Unable to contact domain after transferring FSMO roles 2012R2 > 2016

  • Question

  • Situation: I transferred FSMO roles from 2012R2 to 2016, everything checked out, and the network was fine for a few days. I demoted the former DC and the issues came. 

    Summary: nltest gives errors that no such domain or cannot be contacted. 

    dcdiag:

     Running enterprise tests on : us.domain.com
        Starting test: LocatorCheck
           Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
           A Global Catalog Server could not be located - All GC's are down.
           Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
           A Time Server could not be located.
           The server holding the PDC role is down.
           Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 13
           A Good Time Server could not be located.
           Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
           A KDC could not be located - All the KDCs are down.
           ......................... us.domain.com failed test LocatorCheck

    nslookup

    > _ldap._tcp.dc._msdcs.us
    Server:  localhost
    Address:  127.0.0.1
    _ldap._tcp.dc._msdcs.us.domain.com    SRV service location
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc1.us.domain.com
    dc1.us.domain.com     internet address = 10.24.16.10
    >

    Netdom query failed: the specified domain doesn't exist, or cannot be contacted.

    repadmin /replsum

    Source DSA          largest delta    fails/total %%   error
     OLDDC           01d.00h:46m:20s   10 /  10  100  (5) Access is denied.
     DC1               01d.00h:31m:17s    5 /   5  100  (5) Access is denied.

    Destination DSA     largest delta    fails/total %%   error
     DC1               01d.00h:34m:42s    5 /   5  100  (2148074274) The target principal name is incorrect.
     DC3               01d.00h:46m:21s   10 /  10  100  (5) Access is denied.

    Experienced the following operational errors trying to retrieve replication information:
            8341 - olddc.us.domain.com
            1326 - dc2.us.domain.com
              58 - 24ccb0b8-dab4-4730-acff-1ee490af6fc5._msdcs.us.domain.com

    • Edited by _C.J Saturday, October 20, 2018 6:47 PM
    Saturday, October 20, 2018 6:39 PM

Answers

  • You Sir, are a wonderful person. Thanks for helping me unravel my brain. I wish I could hug you. 

    I cleaned every other dc out of active directory using adsi edit, also took a detour to re-enable the mdfsr attribute as I wanted it to be recognized as the new authoritative server for our DFS shares.

    After a reboot, I instantly noticed my network connection was recognized and switched to domain network. 

    DCDiag tests passed, nslookup still resolved; AD Users/computers now successfully opened, AD sites & services, check; AD domains & trusts, check;

    Now some minor work to sweep through the network and rebuild or rejoin the RODCs I kicked out and I'm back in business. Thanks to you I can still salvage what's left of my weekend.

    • Marked as answer by _C.J Sunday, October 21, 2018 2:44 AM
    Saturday, October 20, 2018 11:56 PM

All replies

  • I'd check that the domain controller has its own address listed for DNS and no others such as a router or public DNS.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, October 20, 2018 7:05 PM
  • This was confirmed, but the issue persisted.
    • Edited by _C.J Saturday, October 20, 2018 7:52 PM replacing 1 word answer
    Saturday, October 20, 2018 7:45 PM
  • No help here. If you need further assistance then please run;

    • Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log
      (please replace DCName with your domain controller's netbios name)
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt
      then put files up on OneDrive and share a link.

    Regards, Dave Patrick ....
    Saturday, October 20, 2018 7:48 PM
  • https://1drv.ms/f/s!Ai6NNgd2yWSugYhobm2QzargxAyQAA

    Unfortunately the former DC was demoted already, so I didn't grab a file from it.

    Saturday, October 20, 2018 9:54 PM
  • no more endpoints available from the endpoint mapper

    I'd reboot it as first step (clean up from port exhaustion)

    then I'd do clean up (a total of 5 DCs still show up)
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816907(v=ws.10)#bkmk_graphical
    then after clean up maybe reboot again and seize roles again. It appears you already did but roles could not be validated because of the confusion of the missing DCs
    https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control

    Regards, Dave Patrick ....
    Saturday, October 20, 2018 10:16 PM
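    As an added illustration of the two checks suggested above (the DC's DNS client pointing only at itself, and which DCs still registered in AD actually answer, so stale entries can be picked out before metadata cleanup and role seizure), here is example PowerShell that is not from this thread. It assumes the RSAT ActiveDirectory and DnsClient modules and is run on the remaining DC.

```powershell
# Added example, not from the thread: audit a DC's own DNS client settings,
# the SRV record dcdiag's LocatorCheck needs, and the LDAP reachability of
# every DC object still in AD, with FSMO holders shown alongside.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot          # e.g. us.domain.com

# 1. The DC should list only itself (or another DC) as DNS server, never a
#    router or a public resolver.
$self = @('127.0.0.1', '::1') + (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object IPAddress -notlike '169.254*').IPAddress
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $verdict = if ($srv -in $self) { 'self (OK)' }
                       else { 'NOT this DC - confirm it is a working DC' }
            "{0,-14} DNS server {1,-15} {2}" -f $_.InterfaceAlias, $srv, $verdict
        }
    }

# 2. The SRV record the locator relies on; a failure here means error 1355.
Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$domain" -ErrorAction Stop |
    Where-Object QueryType -eq 'SRV' |
    Select-Object Name, NameTarget, Port

# 3. Every DC still registered in AD, probed on LDAP/389. Entries that never
#    answer (demoted or gone) are the candidates for metadata cleanup; role
#    holders that are down explain "PDC role is down" and "All KDCs are down".
$forest = Get-ADForest
$dom    = Get-ADDomain
$fsmo = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
Get-ADDomainController -Filter * | ForEach-Object {
    $alive = Test-NetConnection -ComputerName $_.HostName -Port 389 `
                 -InformationLevel Quiet -WarningAction SilentlyContinue
    $roles = ($fsmo.GetEnumerator() | Where-Object Value -eq $_.HostName).Name -join ','
    [pscustomobject]@{
        DC      = $_.HostName
        Site    = $_.Site
        LDAP389 = $(if ($alive) { 'up' } else { 'DOWN - stale? metadata cleanup' })
        FSMO    = $roles
    }
} | Format-Table -AutoSize
```

    Any DC listed as DOWN that you know was demoted or destroyed is what the metadata cleanup step removes; roles shown against such a host are the ones to seize on the surviving DC.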
  • Good news! You're welcome.

    (please don't forget to mark any helpful replies as answer)

    Regards, Dave Patrick ....
    Sunday, October 21, 2018 12:09 AM
  • Please also mark my replies as answer.

    Regards, Dave Patrick ....
    Sunday, October 21, 2018 3:16 AM
  • Hi,


    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.


    Best Regards,

    Julie 
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 6, 2018 1:39 AM