Troubleshooting common errors when adding a new domain controller to an existing domain

Background:
I want to join a new Windows Server 2012 R2 / Windows Server 2016 server (call it C) to my existing lab domain as an additional domain controller. The domain currently contains only one DC (Windows Server 2012), call it server B. After the new domain controller joined, Group Policy did not replicate to it, and the SYSVOL and NETLOGON shares were not created.

Root cause:
There was a previous domain controller (Windows Server 2008, call it A) that was not removed from the domain properly. As a result, DFSR has been stuck in an error state ever since. Below are the event errors found and their resolutions:
  1. Problem - No SYSVOL and NETLOGON
    1. Create the folders below if they are not present:
      1. c:\windows\system32\SYSVOL\sysvol\domain.name\Policies
      2. c:\windows\system32\SYSVOL\sysvol\domain.name\scripts
    2. Copy the policy files manually:
      1. C:\Windows\SYSVOL\domain\Policies>robocopy \\Old_dc\sysvol\homenet.com\policies . *.* /s /sec
    3. Follow Microsoft KB947022 to trigger the NETLOGON service to recreate the SYSVOL and NETLOGON shares.
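A PowerShell check for this problem, added here as an example (it is not part of the original post): it verifies the SYSVOL folder tree and the two shares on the new DC, and only with -ToggleSysvolReady performs the registry toggle that KB947022 describes as I read it (set the NETLOGON SysvolReady value to 0, then back to 1, so NETLOGON republishes the shares). The default SYSVOL location under %SystemRoot%\SYSVOL, the $DomainName default and the -SysvolRoot override are assumptions; pass -SysvolRoot if your SYSVOL lives elsewhere.

```powershell
# Added example, not from the original post. Checks the SYSVOL tree and the
# SYSVOL/NETLOGON shares on a new DC; -ToggleSysvolReady applies the KB947022
# registry toggle (SysvolReady 0 -> 1 under NETLOGON) as understood by the author
# of this example.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainName = $env:USERDNSDOMAIN,                      # assumption: run as a domain user
    [string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL\sysvol'),  # assumption: default location
    [switch]$ToggleSysvolReady
)

$domainRoot = Join-Path $SysvolRoot $DomainName
$problems   = New-Object System.Collections.Generic.List[string]

# 1. Folder tree that Group Policy objects and logon scripts live in.
foreach ($sub in 'Policies', 'scripts') {
    $path = Join-Path $domainRoot $sub
    if (Test-Path -LiteralPath $path -PathType Container) {
        Write-Host "OK      folder  $path"
    } else {
        $problems.Add("missing folder $path")
    }
}

# 2. Shares published by NETLOGON: SYSVOL must map to the sysvol root and
#    NETLOGON to the domain's scripts folder.
$expected = @{ 'SYSVOL' = $SysvolRoot; 'NETLOGON' = (Join-Path $domainRoot 'scripts') }
$shares   = @{}
Get-SmbShare -ErrorAction SilentlyContinue | ForEach-Object { $shares[$_.Name] = $_.Path }
foreach ($name in $expected.Keys) {
    if (-not $shares.ContainsKey($name)) {
        $problems.Add("share $name is not published")
    } elseif ($shares[$name].TrimEnd('\') -ne $expected[$name].TrimEnd('\')) {
        $problems.Add("share $name points at '$($shares[$name])', expected '$($expected[$name])'")
    } else {
        Write-Host "OK      share   $name -> $($shares[$name])"
    }
}

# 3. NETLOGON only publishes the shares once SysvolReady is 1. Report the flag,
#    and only when asked (and confirmed) toggle it 0 -> 1 to force republishing.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ready = (Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
Write-Host "SysvolReady = $ready"
if ($ToggleSysvolReady -and $PSCmdlet.ShouldProcess($key, 'Set SysvolReady to 0, then 1')) {
    Set-ItemProperty -Path $key -Name SysvolReady -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name SysvolReady -Value 1 -Type DWord
    Write-Host 'SysvolReady toggled; re-run this script to confirm the shares appear.'
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'SYSVOL and NETLOGON look healthy.'
}
```

Run it once before the robocopy step to see exactly what is missing, and again afterwards; the toggle is only attempted with -ToggleSysvolReady and honours -WhatIf.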

  2. Problem - DCx is not advertising as a time server
    1. When I run dcdiag /q or dcdiag /test:advertising, the server is reported as not advertising as a time server.
    2. Run the commands below:
      1. On PDC run: w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
      2. On additional DC, run: w32tm /config /syncfromflags:domhier /update
      3. net stop w32time
        net start w32time
      4. w32tm /config /update
      5. w32tm /resync
      6. dcdiag /q /s:yourDCname
        The time-server advertising error should now be gone.
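The same procedure in one script, added as an example that is not part of the original post: it works out whether the local DC holds the PDC emulator role, applies the matching w32tm configuration from the steps above, restarts the service, and then re-runs the advertising test. Assumptions: the ActiveDirectory RSAT module is present, the script runs elevated on the DC itself, and pool.ntp.org is the external source (as in the post); nothing is changed without confirmation unless you pass -Confirm:$false.

```powershell
# Added example, not from the original post. Applies the w32tm settings to the
# role this DC actually holds (PDC emulator syncs externally, other DCs follow
# the domain hierarchy), then re-checks dcdiag /test:advertising.
[CmdletBinding(SupportsShouldProcess)]
param([string]$NtpPeers = 'pool.ntp.org')   # assumption: external source from the post

Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$self  = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName
$isPdc = $pdc -ieq $self
$role  = if ($isPdc) { 'PDC emulator' } else { 'additional DC' }
Write-Host "This DC: $self   PDC emulator: $pdc   -> configuring as $role"

# Argument list for w32tm, chosen by role (mirrors steps 2.1 and 2.2 above).
$configArgs = if ($isPdc) {
    @('/config', "/manualpeerlist:$NtpPeers", '/syncfromflags:manual', '/reliable:yes', '/update')
} else {
    @('/config', '/syncfromflags:domhier', '/update')
}

if ($PSCmdlet.ShouldProcess($self, "w32tm $($configArgs -join ' ')")) {
    & w32tm.exe $configArgs
    Restart-Service -Name w32time          # steps 2.3: net stop / net start w32time
    & w32tm.exe /config /update            # step 2.4
    & w32tm.exe /resync                    # step 2.5
}

# Verification (step 2.6): the source should be the NTP peer on the PDC and a
# domain DC elsewhere, and dcdiag should no longer warn about time advertising.
Write-Host "Time source now: $(& w32tm.exe /query /source)"
$adv = & dcdiag.exe /test:advertising "/s:$self" 2>&1
if ($adv -match 'not advertising as a time server') {
    Write-Warning 'Still not advertising as a time server; check for replication or DFSR errors before repeating.'
} else {
    Write-Host 'dcdiag advertising test: time server role is advertised.'
}
```

Use -WhatIf first to see which w32tm command would run for this DC; a DC that is not the PDC emulator but has been configured with /reliable:yes is a common reason the warning persists.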

  3. Problem - Event 10149 - Windows Remote Management (WinRM) failed to create SPN
    1. Add NETWORK SERVICE with the "Validated write to service principal name" permission in ADSI Edit.
    2. Detailed steps: see http://www.projectleadership.net/blogs_details.php?id=3154
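A PowerShell check for this permission, added as an example that is not part of the original post or the referenced article: it lists every ACE on the DC's computer object that carries the "Validated write to service principal name" right, reports whether NETWORK SERVICE holds it, and only with -Grant (after confirmation) adds the ACE that the ADSI Edit step above creates by hand. Assumptions: the ActiveDirectory RSAT module is available, and the GUID f3a64788-5306-11d1-a9c5-0000f80367c1 is the schema's Validated-SPN right (the standard value in every AD forest).

```powershell
# Added example, not from the original post. Shows who holds the Validated-SPN
# write on this DC's computer object and, with -Grant, adds it for NETWORK SERVICE.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Grant
)

Import-Module ActiveDirectory
$validatedSpn = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated-SPN validated write
$dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# Validated writes show up as ActiveDirectoryRights 'Self' with the right's GUID
# in ObjectType. List every ACE carrying this one, explicit or inherited.
$holders = $acl.Access | Where-Object {
    $_.ObjectType -eq $validatedSpn -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Self)
}
$holders | Select-Object IdentityReference, AccessControlType, IsInherited | Format-Table -AutoSize

$networkService = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)
$already = $holders | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $networkService }
      catch { $false })
}

if ($already) {
    Write-Host "NETWORK SERVICE already has the validated SPN write on $dn"
} elseif ($Grant -and $PSCmdlet.ShouldProcess($dn, 'Grant Validated-SPN write to NETWORK SERVICE')) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $networkService,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $validatedSpn)
    $acl.AddAccessRule($ace) | Out-Null
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Host 'Granted. Restart the WinRM service and check whether event 10149 recurs.'
} else {
    Write-Warning "NETWORK SERVICE lacks the validated SPN write on $dn (re-run with -Grant to add it)."
}
```

Run it without -Grant first: if the listing already shows NT AUTHORITY\NETWORK SERVICE with Allow, the 10149 event has another cause and adding a second ACE will not help.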

  4. Problem - New domain controller joined the domain, but the SYSVOL and NETLOGON shares were not created
    1. Ran DCDIAG to diagnose and found many issues.
    2. Root cause: the original DC has a DFSR issue:
      1. Event ID: 4012 - The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for x days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60).
    3. Explanation:
      1. Following KB2958414, I found that because I lost my previous DC without removing it from the domain properly, file replication between the old DC and the current DC broke, resulting in the 4012 event. Consequently SYSVOL is no longer synchronised to the new DC either.
    4. Fix:
      1. Install the DFSR Management Tools to check the replication status of "Domain System Volume".
        PowerShell: Install-WindowsFeature RSAT-DFS-Mgmt-Con

        (You must install the DFSR management tools to get the command-line tool dfsrdiag.)
      2. Follow KB2218556:
        1. On the original DC, perform an authoritative synchronization.
        2. On the new DC (which has no SYSVOL), perform a non-authoritative synchronization.
      3. If everything succeeds:
        1. On the original DC (authoritative), you should see event ID 4602.
        2. On the new DC (non-authoritative), you should see event ID 4604.
        3. Run net share on the new DC to check that the SYSVOL share has been recreated automatically.
      4. Check for any obsolete server or invalid entry that can be deleted via ADSI Edit (adsiedit.msc) under:
        CN=,
        CN=Topology,
        CN=Domain System Volume,
        CN=DFSR-GlobalSettings,
        CN=System,
        DC=mydomain,DC=com

  5. Problem - Cannot tick the "Domain Name System (DNS) server" option during dcpromo when adding a new domain controller to an existing domain:

    1. Review C:\Windows\debug\dcpromoui.log
    2. On all current DCs, check the NIC DNS settings for any invalid DNS server IP.
    3. Check with dcdiag /c /v:
      Summary of DNS test results:
                Auth Basc Forw Del  Dyn  RReg Ext
      _____________________________________________
      Domain: homenet.com
      DC5       PASS PASS PASS PASS PASS PASS n/a

      1. Check that you get PASS in every column.
      2. Check whether you have any DFS Replication (DFSR) issues, e.g. Event 9061, Event 4012.
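Steps 2 and 3 above across every DC at once, as an added PowerShell example that is not part of the original post: it pulls the DNS client addresses from each DC's NICs and flags any that is not a known DC, then parses the "Summary of DNS test results" table from dcdiag and reports every row that is not all PASS (or n/a). Assumptions: the ActiveDirectory RSAT module, WinRM access to every DC, and the table layout shown above.

```powershell
# Added example, not from the original post. Checks DC NIC DNS settings and
# the dcdiag DNS summary for anything other than PASS / n/a.
Import-Module ActiveDirectory
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$dcIps = Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address

# 1. Every DNS server address on a DC's NIC should be a DC (or 127.0.0.1 on
#    the DC itself); a decommissioned DC's address here breaks dcpromo's DNS check.
foreach ($dc in $dcs) {
    $servers = Invoke-Command -ComputerName $dc -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            ForEach-Object { $_.ServerAddresses }
    }
    foreach ($ip in $servers) {
        if ($ip -in $dcIps -or $ip -eq '127.0.0.1') {
            Write-Host "$dc  OK       DNS client -> $ip"
        } else {
            Write-Warning "$dc  SUSPECT  DNS client -> $ip (not a current DC)"
        }
    }
}

# 2. dcdiag DNS summary: each DC row reads 'NAME PASS PASS ...'. Anything but
#    PASS or n/a in a column needs attention before retrying dcpromo.
$out     = & dcdiag.exe /test:dns /v 2>&1 | Out-String
$summary = ($out -split 'Summary of DNS test results:')[-1] -split "`r?`n"
foreach ($line in $summary) {
    if ($line -match '^\s*(\S+)\s+((?:(?:PASS|FAIL|WARN|n/a)\s*)+)$') {
        $name = $Matches[1]
        $cols = ($Matches[2] -split '\s+') | Where-Object { $_ }
        $bad  = $cols | Where-Object { $_ -notin 'PASS', 'n/a' }
        if ($bad) {
            Write-Warning "$name : $($cols -join ' ')"
        } else {
            Write-Host "$name : all PASS"
        }
    }
}
```

The column order in the summary is Auth Basc Forw Del Dyn RReg Ext, as in the sample output above, so a WARN or FAIL in the second or third position points at basic resolution or forwarders rather than at the zone itself.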

  6. Problem - Event 9061 - The replicated folder has been offline for too long / Event 4012 DFS Replication Stopped

    Possible Cause:
    A DC was removed from the network without being properly removed from AD DS.

    Solution:
    1. Open ADSI Edit
    2. Remove the entry for any stale DC under OU=Domain Controllers,DC=<domain>
    3. Open CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<DC hostname>,OU=Domain Controllers,DC=<domain>
    4. Right-click SYSVOL Subscription and select Properties
    5. For all DCs, set msDFSR-Enabled=FALSE
    6. For the DC to be made authoritative, set msDFSR-options=1
    7. Restart DFSR or restart the server
    8. Review whether there are any new DFSR error events
    9. Open CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<DC hostname>,OU=Domain Controllers,DC=<domain>
    10. On the DC set as authoritative:
      1. set msDFSR-Enabled=TRUE
      2. run command: DFSRDIAG POLLAD
    11. For the other DCs:
      1. set msDFSR-Enabled=TRUE on each other DC
      2. run command on each other DC: DFSRDIAG POLLAD
    12. Reference: https://www.nomizo.fr/2013/08/windows-server-2012-issues-with-active_16.html
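The ADSI Edit procedure above (Problem 6) together with the event checks from Problem 4, as an added PowerShell example that is not part of the original post or the referenced article: it scripts steps 5 to 11 with Set-ADObject, waits for event 4602 on the authoritative DC and 4604 on each other DC, and, for step 4 of Problem 4, lists the msDFSR-Member entries under CN=Topology that no longer correspond to a live DC so they can be reviewed before deletion. Assumptions: the ActiveDirectory RSAT module and dfsrdiag.exe (RSAT-DFS-Mgmt-Con) on the machine running it, WinRM and remote event-log access to every DC, and the DN layout shown above; steps 1 to 4 (removing the stale DC object) stay manual, and nothing is changed without confirmation.

```powershell
# Added example, not from the original post. Scripts the SYSVOL authoritative
# restore (steps 5-11 above) and lists stale DFSR topology members.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$AuthoritativeDC,   # short name of the DC with the good SYSVOL copy
    [int]$TimeoutMinutes = 15
)
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
$others   = $dcs | Where-Object { $_ -ine $AuthoritativeDC }

function Get-SysvolSubscriptionDN([string]$Dc) {
    # Same object the post opens in ADSI Edit at steps 3 and 9.
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$Dc,OU=Domain Controllers,$domainDN"
}

function Wait-DfsrEvent([string]$Dc, [int]$Id, [datetime]$Since) {
    # Poll the DFS Replication log on $Dc until event $Id appears or we time out.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $Dc -MaxEvents 1 -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since }
        if ($ev) { Write-Host "$Dc : event $Id seen"; return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning "$Dc : event $Id not seen within $TimeoutMinutes minutes"
    return $false
}

function Get-StaleDfsrTopologyMembers {
    # Problem 4 step 4: topology members whose msDFSR-ComputerReference is not a current DC.
    $topology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"
    Get-ADObject -SearchBase $topology -SearchScope OneLevel -Filter 'objectClass -eq "msDFSR-Member"' `
                 -Properties 'msDFSR-ComputerReference' |
        Where-Object {
            $ref = $_.'msDFSR-ComputerReference'
            -not $ref -or (($ref -replace '^CN=([^,]+),.*$', '$1') -notin $dcs)
        }
}

$start = Get-Date
if (-not $PSCmdlet.ShouldProcess("SYSVOL on $($dcs -join ', ')", "authoritative restore from $AuthoritativeDC")) { return }

# Steps 5-6: disable the subscription everywhere, mark the authoritative copy.
foreach ($dc in $dcs) {
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{ 'msDFSR-Enabled' = $false }
}
Set-ADObject -Identity (Get-SysvolSubscriptionDN $AuthoritativeDC) -Replace @{ 'msDFSR-Options' = 1 }

# Step 7: restart DFSR on every DC so it picks up the disabled state.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock { Restart-Service -Name DFSR }
}

# Step 10: re-enable the authoritative DC first and wait for 4602.
Set-ADObject -Identity (Get-SysvolSubscriptionDN $AuthoritativeDC) -Replace @{ 'msDFSR-Enabled' = $true }
& dfsrdiag.exe pollad "/member:$AuthoritativeDC" | Out-Null
if (-not (Wait-DfsrEvent $AuthoritativeDC 4602 $start)) { return }

# Step 11: then the remaining DCs, each of which should log 4604 (Problem 4, 3.2).
foreach ($dc in $others) {
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{ 'msDFSR-Enabled' = $true }
    & dfsrdiag.exe pollad "/member:$dc" | Out-Null
    Wait-DfsrEvent $dc 4604 $start | Out-Null
}

# Problem 4 step 4: report, but do not delete, topology entries for vanished DCs.
$stale = Get-StaleDfsrTopologyMembers
if ($stale) {
    Write-Warning 'Stale DFSR topology members (review before deleting in ADSI Edit):'
    $stale | Select-Object DistinguishedName
}
```

Run with -WhatIf first; the restore only starts after ShouldProcess confirms, and the final listing is read-only so the stale CN=Topology entries can be cross-checked against the DC list before anything is removed.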
