NIC Teaming on Server 2016 delays network availability on Domain Controllers causing problems with Active Directory

  • Question

  • I have a physical server (IBM HS22) with 2 NICs.  I freshly installed Windows Server 2016 with AD Directory Services, DNS, DFS, and DHCP server roles.  It's up-to-date with Windows Updates.

    The two NICs are teamed using lbfoadmin as switch independent, dynamic, and no standby.

    Problem

    When the server reboots, many unexpected event log entries are recorded.  All the errors are related to networking problems, or lack of networking.

    Examples: DNS server could not bind to IP address, ADWS cannot service directory, DFS Root xxx failed during initialization, ntpclient cannot find peer, Intersite Messaging failed, etc.

    I receive 20-40 errors on each boot.

    Notes

    • If I break the team and just use one NIC (it doesn't matter which one), these errors do not occur
    • If the team contains only one NIC, and I disable the other NIC, the problem still exists
    • Changing other team settings such as standby adapter and type doesn't help
    • This problem does not appear on similar hardware using 2012 R2
    • Side note:  The services seem to auto-recover because all the server roles seem to be working

    I suspect the teaming layer is adding a delay to networking availability and is causing the services to fail because the network is not ready.

    I really want the NICs teamed for fault-tolerance.  Any ideas on how I can fix/workaround this problem?

    • Edited by Tony MCP Friday, January 5, 2018 10:03 AM typo
    Friday, January 5, 2018 9:58 AM

All replies

  • I created a VM with 2 NICs and was able to replicate the problem there too.  It doesn't appear to be hardware related.

    -Tony

    Friday, January 5, 2018 9:38 PM
  • Hi Tony,

    Sorry for the delayed response.

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 18, 2018 7:24 AM
    Moderator
  • I faced the same issue, even running on different hardware with an HP ProLiant DL360 G8. It was actually configured with LACP; however, in the end I managed to partially solve the issue by changing the network device (Cisco switch) port to PortFast.

    But even after configuring PortFast, I had to break the LACP and go back to switch independent, and still the Intersite Messaging service didn't start automatically. The DNS service is fine.


    Best Regards,

    Thursday, January 25, 2018 6:47 AM
  • I faced the same issue ... but still the Intersite Messaging service didn't start automatically ...

    Yes, I have the same problem on my DCs with LBFO teams.

    Also, during boot, I get this error in the system log on any domain-joined system with a LBFO team:

    NETLOGON - 5719:

    This computer was not able to set up a secure session with a domain controller in domain mydomain due to the following: There are currently no logon servers available to service the logon request.

    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.


    -Tony

    Thursday, February 1, 2018 3:32 AM
  • I really want the NICs teamed for fault-tolerance.  Any ideas on how I can fix/workaround this problem?

    A better option may be to stand up two domain controllers. This would provide the fault tolerance, high availability plus the bonus of disaster mitigation.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Thursday, February 1, 2018 3:56 AM
  • I really want the NICs teamed for fault-tolerance.  Any ideas on how I can fix/workaround this problem?

    A better option may be to stand up two domain controllers. This would provide the fault tolerance, high availability plus the bonus of disaster mitigation.

    You are right.  We have multiple DCs (of course), but the LBFO problem is not isolated to domain controllers.  It affects all systems that use LBFO regardless of hardware.  This problem is really noticeable on domain controllers, though.

    -Tony

    Thursday, February 1, 2018 4:14 AM
  • Hi Tony,

    I am sorry that this issue still hasn't been resolved.

    If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    http://support.microsoft.com/contactus/?ln=en-au

    Best Regards,

    Candy





    Thursday, February 8, 2018 9:46 AM
    Moderator
  • What happened to this?

    Hi Tony,

    Sorry for the delayed response.

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy

    Did you give up the research?

    -Tony

    Thursday, February 8, 2018 10:27 PM
  • Hi,

    I have searched for a long time but I couldn't find any related information about it in Microsoft official documents.

    So I would suggest you open a case with Microsoft where more investigation can be done.

    Best Regards,

    Candy



    Friday, February 9, 2018 5:05 AM
    Moderator
  • Has anyone found an answer for this?  We have dozens of Windows Server 2016 physicals and VMs that have this issue.  It takes approximately 33 seconds between when the first member NIC comes online and the second member NIC comes online.  This delay in forming the NIC team causes the startup services that depend on the domain to fail.

    Microsoft customer service has been unable to help.

    Howard

    Monday, April 9, 2018 10:47 PM
  • I seem to have the same issue on some member servers running Microsoft clustering. Upon reboot, TCP/IP comes up fine but SMB and NTP time out. There's also a delay with RDP. These servers have a two NIC team. If I disable NIC1 everything works fine. If I disable NIC2 I can reproduce the issue.

    -SluggoMagoo-

    Thursday, August 9, 2018 5:42 PM
  • Did you ever figure this out? I have the same issue with Windows 2016 servers with the same NIC teaming settings. Very frustrating as services with domain accounts will not authenticate and start, unless we log in after the fact and then start them. We do not want to configure these as automatic (delayed) start. This works completely fine with Windows 2012 R2 servers using the same domain, hardware, network infrastructure.
    Saturday, November 17, 2018 2:59 PM
  • No solution to this problem.  We have opened cases with Microsoft and asked around on several community forums but no traction. Setting these services to Automatic (Delayed) is the only way we have found to reliably start services that run using domain accounts.


    Howard

    Sunday, November 18, 2018 5:37 PM
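
The Automatic (Delayed) workaround described in the post above, as an added PowerShell example that is not part of the thread or any poster's own script. It lists auto-start services that log on with a domain account and, when run with `-Apply`, switches them to delayed start; the `-Apply` switch and the account filter are this example's own assumptions, and the filter expects English built-in account names.

```powershell
# Added example, not from the thread. Finds auto-start services that log on with a
# domain account and, with -Apply, sets them to Automatic (Delayed Start).
[CmdletBinding()]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Accounts that log on without contacting a domain controller: built-in and
# virtual accounts, plus local accounts written as .\name or COMPUTERNAME\name.
# Assumption: English account names (localized systems need a different pattern).
$localPattern = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\|{0}\\)' -f [regex]::Escape($env:COMPUTERNAME)

$services = Get-CimInstance -ClassName Win32_Service -Filter "StartMode = 'Auto'" |
    Where-Object { $_.StartName -and $_.StartName -notmatch $localPattern }

$report = foreach ($svc in $services) {
    # Delayed start is the DelayedAutostart DWORD under the service's registry key.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DelayedAutostart
    $action = 'none (already delayed)'

    if ($value -ne 1) {
        $action = 'would set delayed-auto'
        if ($Apply) {
            # sc.exe needs "start=" and its value as separate arguments.
            & sc.exe config $svc.Name start= delayed-auto | Out-Null
            $action = if ($LASTEXITCODE -eq 0) { 'set delayed-auto' } else { "sc.exe failed ($LASTEXITCODE)" }
        }
    }

    [pscustomobject]@{
        Service = $svc.Name
        Account = $svc.StartName
        Action  = $action
    }
}

$report | Sort-Object Service | Format-Table -AutoSize
```

Changing the start type requires an elevated session; run it without `-Apply` first to review which services would be changed.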
  • Hello, same problem here with a fresh DC on hardware and NIC Teaming with 2 Intel 10 GB network cards. Please let me know what the solution of the Microsoft support case is!

    • Edited by SKapitzke Friday, November 23, 2018 11:19 AM
    Friday, November 23, 2018 11:06 AM
  • Hi Tony,

    We have a case open with Microsoft regarding this exact same issue for the last month.  

    It's been escalated four times, due a call with them again tomorrow!

    Long story short is services reliant on domain or network fail as they start several seconds before the team is created and bound.  

    I am hoping this will get a hot fix as we currently have over a thousand 2016 servers with this issue.

    Ben

    Tuesday, January 22, 2019 9:52 PM
  • Ben,

    Any progress on this?  I've played with making certain key network services dependent on what I believe is the service for NIC teaming, but no luck.  I suspect it doesn't matter what service dependencies I put in because as soon as the mslbfoprovider service starts, even if the team isn't 'up', other services will kick off.


    • Edited by Loc750 Monday, February 11, 2019 8:08 PM
    Monday, February 11, 2019 7:28 PM
  • I am also seeing this issue with Server 2016 and NIC teaming.  

    No issues when not using a NIC team.

    Thursday, February 14, 2019 3:48 PM
  • Don't go for NIC teaming on a DC. Not recommended. It creates a lot of issues in the AD infra.

    NIC teaming is supported only for member servers and not for DCs.

    Tuesday, February 19, 2019 9:00 AM
  • NIC teaming is supported only for member servers and not for DCs.

    Can you provide a source for this?

    -Tony

    Friday, February 22, 2019 9:19 PM
  • Can you provide a source for this?


    -Tony

    Here's one.

    https://blogs.technet.microsoft.com/askds/2011/01/21/friday-mail-sack-the-gangs-all-here-edition/

    Regards, Dave Patrick ....

    Friday, February 22, 2019 9:28 PM
  • Can you provide a source for this?


    Here's one.

    https://blogs.technet.microsoft.com/askds/2011/01/21/friday-mail-sack-the-gangs-all-here-edition/

    Thank you for the quick response!  I reviewed that Q&A article, but it was published 18 months before Server 2012 was released.  So, the advice is meant to apply to Server 2008R2.

    "Q: Is NIC teaming recommended on domain controllers?"

    "A: … MS does not make a NIC teaming solution, so you are at the mercy of 3rd party vendor software and if there are any issues, we cannot help other than to break the team..."

    Clearly, their answer doesn't apply to version 2012 and newer.

    The official documentation for LBFO doesn't mention domain controllers at all.  Windows Server 2012 NIC Teaming (LBFO) Deployment and Management

    Do you have any other sources that indicate NIC teams are not supported on domain controllers?

    Reminder: The problem described in this post does not affect 2012 or 2012 R2.  It is new to 2016.


    -Tony

    Friday, February 22, 2019 11:10 PM
  • Another source might be here with product support.

    https://support.microsoft.com/en-us/gp/contactus81?forceorigin=esmc&audience=commercial&wa=wsignin1.0

    Regards, Dave Patrick ....


    Friday, February 22, 2019 11:21 PM
  • I ran into this issue while setting up Server 2019 Essentials today on a DC.
    Saturday, June 29, 2019 5:49 PM