Additional Domain Controller doesn't work when Primary Domain Controller is down

  • Question

  •  Hello Everyone.

    My primary Domain Controller is Windows Server 2003 and the following roles are installed on it:

    • Active Directory and Domain Services
    • DNS
    • DHCP

    Recently we have bought a new server and I have installed Windows Server 2008 R2 with the following roles:

    • Active Directory and Domain Services
    • DNS
    • DHCP

    For testing I have shut down the Primary Domain Controller and wanted to see whether the Additional Domain Controller can take over the complete role of the Primary, but it fails with the following errors.

    Active Directory Domain Services Errors and Warnings

    Log Name:      Directory Service
    Event ID:      2087
    Task Category: DS RPC Client
    Level:         Error
    User:          ANONYMOUS LOGON

    Description:
    Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 


    Log Name:      Directory Service
    Event ID:      1308
    Task Category: Knowledge Consistency Checker
    Level:         Warning
    User:          ANONYMOUS LOGON

    Description:
    The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed. 

    DNS:

    Log Name:      DNS Server
    Source:        Microsoft-Windows-DNS-Server-Service
    Event ID:      4013
    Level:         Warning
    Keywords:      Classic

    Description:
    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

    DHCP

    Log Name:      System
    Source:        Microsoft-Windows-DHCP-Server
    Event ID:      1059
    Level:         Error

    Description:
    The DHCP service failed to see a directory server for authorization.

    Can you please guide me on how to fix this issue?

    Thanks in Advance


    Monday, March 9, 2015 4:29 AM

All replies

  • Hello

    Haven't you got replication or other AD-related error messages when both DCs are online?

    Check your DNS settings on the new DC.
    Try pinging your domain name and restart the DNS service.

    Because the FSMO roles stay on the old server, the warning is normal.


    Sorry for my English.

    Monday, March 9, 2015 9:19 PM
  • One of the error messages is indicating that the new DC is not yet ready. It seems SYSVOL synchronization is not yet complete. On the new DC, if you run net share from a command prompt, do you see SYSVOL shared?

    Once initial sync is done, also make sure the new DC is pointing to itself for DNS.

    Also run DCDiag /test:advertising and post the results.

    Thanks


    Isaac Oben MCITP:EA, MCSE, MCC

    Monday, March 9, 2015 9:42 PM
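The checks suggested in this answer (net share for SYSVOL, dcdiag /test:advertising, the DC's DNS client order) together with the event IDs quoted in the question, gathered into one read-only script. This is an added example and not code from the thread; it assumes it is run in an elevated PowerShell on the new 2008 R2 DC and uses only built-in tools and PowerShell 2.0 cmdlets.

```powershell
# Added example (not from the thread): read-only health check for an additional DC
# that has not finished initial synchronization. Run elevated on the new DC.
$report = @{}

# 1. Is SYSVOL shared? Until initial sync completes the share is missing and the
#    DC does not advertise itself, which is what 'net share' shows in the thread.
$sysvol = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
$report['SysvolShared'] = [bool]$sysvol

# 2. Same check the thread runs by hand: dcdiag /test:advertising.
$adv = & dcdiag.exe /test:advertising 2>&1 | Out-String
$report['Advertising'] = 'FAILED'
if ($adv -match 'passed test Advertising') { $report['Advertising'] = 'passed' }

# 3. DNS client order. The thread's advice: point the new DC at the old DC for
#    primary DNS until sync completes, then at itself.
$dns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
       ForEach-Object { $_.DNSServerSearchOrder }
$report['DnsServers'] = ($dns -join ', ')

# 4. Can the DC locator SRV records for the domain be resolved? If not, replication
#    partners cannot be found (event 2087 in the question).
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Out-String
$targets = [regex]::Matches($srv, 'svr hostname\s*=\s*(\S+)') |
           ForEach-Object { $_.Groups[1].Value }
$report['DcSrvRecords'] = 'none resolved'
if ($targets) { $report['DcSrvRecords'] = ($targets -join ', ') }

# 5. The event IDs quoted in the thread, from the last 24 hours, counted by ID.
$since = (Get-Date).AddDays(-1)
$filters = @(
    @{ LogName = 'Directory Service'; Id = 1308, 2087, 2088, 2886; StartTime = $since },
    @{ LogName = 'DNS Server'; Id = 4013; StartTime = $since },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DHCP-Server'; Id = 1059; StartTime = $since }
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$counts = $events | Group-Object Id | ForEach-Object { "$($_.Name) x$($_.Count)" }
$report['RecentEvents'] = 'none'
if ($counts) { $report['RecentEvents'] = ($counts -join ', ') }

$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

A DC whose SYSVOL is not shared and whose advertising test fails, while 1308/2087 keep recurring, is still stuck in initial sync; the script only reports, it changes nothing.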
  • Dear Sneff,

    When both servers are on I get the same warnings and errors on the Additional Domain Controller.

    In Active Directory I get warnings (Event IDs 1308, 2088 and 2886).

    In DNS I get a warning (Event ID 4013).

    In DHCP I get an error (Event ID 1059).

    Tuesday, March 10, 2015 5:14 AM
  • Dear Issac, 

    Here are the screenshots for net share and DCDiag /test:advertising.

    I have taken these screenshots when both servers were on.

    Tuesday, March 10, 2015 5:50 AM
  • Hello, based on the dcdiag and net share data, the new DC has not finished synchronization with the current DC, so it is not yet fully functional as a domain controller. Make sure the DC is still pointing to the old DC for primary DNS. Are they both in the Active Site/subnet? How long ago did you promote the new server as a Domain Controller?

    Isaac Oben MCITP:EA, MCSE, MCC

    Tuesday, March 10, 2015 6:27 AM
  • Hello,

    Now both the ADC and PDC are pointing to the old DC for primary DNS.

    It has been almost 10 days.

    When both servers are running everything works fine; for example, if I add or remove any users on the ADC or PDC I can see the changes on both servers.

    Tuesday, March 10, 2015 6:44 AM
  • Hello

    Log in to the new server, start Server Manager --> Roles --> Active Directory Domain Services --> run the Best Practices Analyzer, check the errors and resolve them.


    Sorry for my English.

    Tuesday, March 10, 2015 7:18 AM
  • Hello Snef,

    I have run the Best Practices Analyzer and got 25 noncompliant errors and warnings.

    Tuesday, March 10, 2015 7:24 AM
  • Hello

    Let's go and resolve the errors: double-click each error, read and check it, and change settings if needed.


    Sorry for my English.

    Tuesday, March 10, 2015 7:26 AM
  • Hello,

    The errors are normally like the ones below.

    Tuesday, March 10, 2015 7:57 AM
  • Hello,

    Try running DCDiag /fix, and if that doesn't solve the issue, then I will advise you to demote and re-promote the server as a DC. 10+ days is a lot of days for a DC not to be able to complete synchronization with its partner.

    Just one quick question: can you ping the new DC from the old and vice versa?


    Isaac Oben MCITP:EA, MCSE, MCC

    Tuesday, March 10, 2015 2:58 PM
  • Hello,

    I have run DCDiag /fix and again I receive the same result; nothing is solved.

    I can ping new DC from the old server and vice versa.

    Sunday, March 15, 2015 5:15 AM
    • Proposed as answer by Alex Lv Wednesday, March 25, 2015 7:10 AM
    • Marked as answer by Alex Lv Wednesday, April 29, 2015 6:55 AM