| Author | Messages | |
BrianB
Posts:126
 | | 06/10/2010 6:11 PM |
| All:
I need some help. I have exhausted my logs trying to find a reason why a promotion of a new 2008 R2 server core server to a domain controller failed. Well, actually, it did not fail per se.
I went through the normal process to promote my 2008 R2 server in the existing 2003 R2 forest and all seemed OK. I was seeing replication of the AD partitions occurring and thought I would be done in quick time. After the first reboot I ran DCdiag and it failed enterprise tests stating that DNS was an issue. I checked DNS and saw that it registered its A record but not any SRV records. After several attempts to reboot, restart Net logon, re-register its IP, the SRV records would not get populated.
Some additional background might be helpful. This server was to replace a current 2003 R2 server in Production. It was brought up in the domain as a member server first. I uninstalled DNS from the old server (It was also a DNS server for the forest) and rebooted. Then demoted the server and gracefully disjoined the domain shutting it down completely at the end.
On the new server, I named it according to our DC standards but kept the old IP from the original server that I just shut down, joined the domain, then promoted it. At the time when I received the errors from DCDIAG, I looked at DNS and found that the old server NS records were still listed in DNS. We had to manually delete the NS record of the old on each DNS server in the forest. I installed DNS on the new server and it populated its NS record on itself but not on the other DNS servers. It seems like a replication problem but all was well with replication prior to the upgrade.
I am unsure why the new 2008 R2 DC would register its A record but not SRV records. Ns lookups from other DCs in the forest would not show the new DC address. Eventually we had to roll back by demotion but the demotion failed due to DNS issues. We had to forcefully remove AD from the server and perform a metadata cleanup. We re-promoted the old 2003 R2 server and there were no issues - DNS, replication, or otherwise.
I have re-scheduled a promotion for later next week and am rebuilding the server from scratch. There have been two other promotions in a different site to 2008 R2 server core that have occurred already without a problem. DCpromo logs on the new server do not indicate that there was a problem and actually show that the promotion was a success.
Does anyone have an answer to why the SRV records would not populate? This may be a symptom of a bigger problem or the cause of the problem, I am unsure. Again, we used the same IP address as the old server but used a different name and OS. Firewall should not have been an issue.
Brian Britt Vanderbilt University | Directory Services Specialist Nashville, TN 615-322-4676
| | | |
| Thomas Vuylsteke
Posts:207
 | | 06/10/2010 9:36 PM |
| A wild guess:
Official explanation and patch (for the 2003 DCs): http://support.microsoft.com/kb/939820
Clear explanation: http://blogs.technet.com/instan/archive/2009/07/30/problems-with-introducing-a-new-windows-server-2008-dc-into-a-windows-2003-forest.aspx
More specifically, perform the following test:
    repadmin /showmeta <DN of krbtgt account in the domain>

Sample output:

    repadmin /showmeta
    ------------------
    Loc.USN  Originating DC  Org.USN   Org.Time/Date        Ver     Attribute
    =======  ==============  ========  ===================  ======  ============
      11950  CONTOSO\DC1     10540508  2008-11-24 20:46:51  100002  description
      11950  CONTOSO\DC1     10540508  2008-11-24 20:46:51  100002  name
      11950  CONTOSO\DC1     10540508  2008-11-24 20:46:51  100002  unicodePwd
      11950  CONTOSO\DC1     10540508  2008-11-24 20:46:51  100002  ntPwdHistory

In this case, the unicodePwd attribute PVN is 100002, which is usually caused by an authoritative restore of the object... which triggers the issue if the object turns out to be the krbtgt account. If the latter is the case, you need the hotfix.
If not, perhaps more thinking on my part might be required.
Regards, Thomas
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Britt, Brian Sent: Thursday, 10 June 2010 19:09 To: activedir@mail.activedir.org Subject: [ActiveDir] Failed DC Promotion of 2008 R2 in 2003 forest Sensitivity: Confidential
| | | |
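The check suggested in the reply above can be run over saved `repadmin /showmeta` output for the krbtgt account. This is an added example, not part of the original thread; the function names and the 100000 threshold are assumptions (the thread only cites the value 100002), and the second sample is constructed.

```python
import re

# Assumption: a restore-sized jump means a version of 100000 or more,
# matching the 100002 value in the sample output quoted in the thread.
RESTORE_VERSION_THRESHOLD = 100000

# One data row: Loc.USN, originating DC, Org.USN, date and time, version, attribute.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dc>.+?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

def parse_showmeta(text):
    """Return one dict per attribute row; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["ver"] = int(row["ver"])
            rows.append(row)
    return rows

def restored_attributes(rows, threshold=RESTORE_VERSION_THRESHOLD):
    """Names of attributes whose version is at or above the threshold."""
    return [r["attr"] for r in rows if r["ver"] >= threshold]

def krbtgt_password_restored(text):
    """True when unicodePwd carries a restore-sized version number."""
    flagged = restored_attributes(parse_showmeta(text))
    return any(a.lower() == "unicodepwd" for a in flagged)

# Sample output as quoted in the thread.
THREAD_SAMPLE = r"""
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
  11950 CONTOSO\DC1 10540508 2008-11-24 20:46:51 100002 description
  11950 CONTOSO\DC1 10540508 2008-11-24 20:46:51 100002 name
  11950 CONTOSO\DC1 10540508 2008-11-24 20:46:51 100002 unicodePwd
  11950 CONTOSO\DC1 10540508 2008-11-24 20:46:51 100002 ntPwdHistory
"""

# Constructed sample: the same object with ordinary low version numbers.
CONSTRUCTED_CLEAN = r"""
  11950 CONTOSO\DC1 4102 2008-11-24 20:46:51 1 name
  11950 CONTOSO\DC1 4102 2008-11-24 20:46:51 2 unicodePwd
"""

if __name__ == "__main__":
    for label, text in (("thread", THREAD_SAMPLE), ("clean", CONSTRUCTED_CLEAN)):
        print(label, restored_attributes(parse_showmeta(text)), krbtgt_password_restored(text))
```
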