Install Server 2008 DC alongside 2012 DC


9 replies to this topic

#1 aroshlakshan

aroshlakshan

  • Members
  • 7 posts

Posted 10 January 2015 - 11:55 PM

I have a test environment going on and it has a Server 2012 DC (name it 'A') installed. The forest functional level is Windows2012Forest. As a test, I want to install a Server 2008 DC alongside this 'A' server, replicate all data from the 'A' server to the Server 2008 DC and decommission the 'A' server. And then I want to migrate from the Server 2008 DC to a new Server 2012 DC. Is this possible? If it is, please let me know the approach to this project. If anyone can provide the outlined steps to achieve this, I'd really appreciate it.




#2 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,092 posts
  • Gender:Male
  • Location:Ohio

Posted 11 January 2015 - 12:43 AM

You will need to lower the domain functional level to 2008 R2 or 2008 BEFORE adding the new server; then you can proceed with the migration. Lowering the domain functional level can only be done via PowerShell.

Edited by Sneakycyber, 11 January 2015 - 12:43 AM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#3 aroshlakshan

aroshlakshan
  • Topic Starter

  • Members
  • 7 posts

Posted 12 January 2015 - 12:00 AM

I have installed the new DC and tried the Active Directory Replication Status Tool to find out the status of the replication. But it has failed due to the error "8524 The DSA operation is unable to proceed because of a DNS lookup failure". Then I tried dcdiag /test:dns and it says it failed the DNS test. Below is the result I got from the test. If possible, let me know how I can get rid of the issue.

PS C:\Users\aroshlw> dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = TECHEN-DC2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\TECHEN-DC2
      Starting test: Connectivity
         ......................... TECHEN-DC2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\TECHEN-DC2

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... TECHEN-DC2 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : techencounters

   Running enterprise tests on : techencounters.local
      Starting test: DNS
         Test results for domain controllers:

            DC: TECHEN-DC2.techencounters.local
            Domain: techencounters.local


               TEST: Basic (Basc)
                  Warning: adapter [00000007] Intel(R) PRO/1000 MT Network Connection has invalid DNS server:
                  192.168.1.1 (<name unavailable>)

               TEST: Forwarders/Root hints (Forw)
                  Error: All forwarders in the forwarder list are invalid.

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone techencounters.local

               TEST: Records registration (RReg)
                  Network Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
                     Warning:
                     Missing CNAME record at DNS server 192.168.1.1:
                     526aa5fa-56f9-4bf1-8d17-aca5be387591._msdcs.techencounters.local

                     Warning:
                     Missing A record at DNS server 192.168.1.1:
                     TECHEN-DC2.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _ldap._tcp.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _ldap._tcp.a45a43ce-465e-4a3e-b330-b1ad9cbbf68e.domains._msdcs.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _kerberos._tcp.dc._msdcs.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _ldap._tcp.dc._msdcs.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _kerberos._tcp.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _kerberos._udp.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _kpasswd._tcp.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _ldap._tcp.Default-First-Site-Name._sites.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _kerberos._tcp.Default-First-Site-Name._sites.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _ldap._tcp.gc._msdcs.techencounters.local

                     Warning:
                     Missing A record at DNS server 192.168.1.1:
                     gc._msdcs.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _gc._tcp.Default-First-Site-Name._sites.techencounters.local

                     Error:
                     Missing SRV record at DNS server 192.168.1.1:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.techencounters.local

               Error: Record registrations cannot be found for all the network adapters

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.1.1 (<name unavailable>)
               2 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.techencounters.local. failed on the DNS server 192.168.1.1

            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235
            DNS server: 2001:500:2f::f (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
            DNS server: 2001:500:3::42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42
            DNS server: 2001:500:84::b (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b
            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
            DNS server: 2001:7fd::1 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
            DNS server: 2001:7fe::53 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
            DNS server: 2001:dc3::35 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: techencounters.local
               TECHEN-DC2                   PASS WARN FAIL PASS WARN FAIL n/a

         ......................... techencounters.local failed test DNS


#4 x64

x64

  • Members
  • 352 posts
  • Gender:Male
  • Location:London UK

Posted 12 January 2015 - 02:52 PM

I'm assuming 192.168.1.1 is your internet router. This should not be a DNS client entry on any domain connected system, and certainly not on a DC.


As for DNS client entries on the DCs... With two DCs you probably want to set the primary DNS client address to the other DC, and set a secondary DNS client of 127.0.0.1 (i.e. itself).

 

Your Internet router, or (probably better) a DNS resolver at your ISP should be set as the forwarder on both of the DNS services on the DCs.

 

Member servers and workstations should have both DCs as their DNS client entries.

 

x64

 

(Edit: oh, and after changing the DNS client entries, do an "ipconfig /registerdns" from an elevated command prompt to write the DC IP addresses and domain service locator records into your local DNS zone.)


Edited by x64, 12 January 2015 - 02:56 PM.


#5 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts

Posted 12 January 2015 - 06:44 PM

Simply put, a gateway IP is not a DNS server. The server should be pointing at itself for DNS, and for it to resolve internet names of which it has no knowledge you need to configure the conditional forwarders. These are usually the ISP's DNS server IPs or other internet-based DNS servers.



#6 x64

x64

  • Members
  • 352 posts
  • Gender:Male
  • Location:London UK

Posted 13 January 2015 - 02:09 AM

..."The server should be pointing at itself for dns"...

Where you have more than one DC that are "well connected" (effectively LAN speed connectivity between them) then best practice is to use another well connected DC as the Primary DNS client entry, and itself as the secondary IP DNS client entry. Doing otherwise may cause boot issues/delays or in some cases form separate islands of the same AD.

 

..."you need to configure the conditional forwarders"...

You mean "Forwarders" (not conditional forwarders). The DNS Server service on the DC will receive a request from a domain client; if it is for a zone held locally (normally the AD domain) then it just answers it. If it is for another domain on the internet (ANY other domain on the internet) it has to forward that request to a more knowledgeable DNS server. As I said above, a resolver at the local ISP is best.

 

A CONDITIONAL forwarder is used to deal with specific external domains (i.e. not answering the request locally, nor relying on the ISP forwarder) by routing requests to another specified DNS server which is knowledgeable for the other domain. An example of why you may need to do this is connecting two separate company networks together. The administrator for the network "company1.local" might set up a conditional forwarder for "company2.local" referring queries to one or more DNS servers in the company2.local network.

 

x64
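The DNS layout x64 recommends in posts #4 and #6 (other DC first as DNS client, itself second, no router address, a plain forwarder to the ISP resolver, a conditional forwarder only for a specific partner domain, then ipconfig /registerdns), as an added example that is not code from the thread. It uses netsh, dnscmd and ipconfig because those exist on both Server 2008 R2 and Server 2012; the DC IPs and zone name are the thread's, while the adapter name, ISP resolver and company2.local server are assumed placeholders.

```powershell
# Added example, not code from the thread: applies x64's DNS advice from posts #4 and #6
# on one DC. Run in an elevated PowerShell on each DC (swap $OtherDc when running on DC1).
# netsh, dnscmd and ipconfig are used instead of the DnsClient/DnsServer cmdlets because
# they also exist on Server 2008 R2. DC IPs and the zone name come from the thread; the
# adapter name, ISP resolver and partner-domain values are assumed placeholders.

$Adapter     = "Local Area Connection"   # assumption: adapter name as shown in ncpa.cpl
$OtherDc     = "192.168.1.4"             # DC1, the other well-connected DC (script runs on DC2)
$IspResolver = "203.0.113.53"            # placeholder: the ISP's resolver (RFC 5737 doc range)
$PartnerZone = "company2.local"          # x64's conditional-forwarder example domain
$PartnerDns  = "198.51.100.10"           # placeholder: a DNS server authoritative for $PartnerZone
$Zone        = "techencounters.local"

# 1. DNS client entries: the other DC first, itself (127.0.0.1) second.
#    source=static replaces the whole list, so the router (192.168.1.1) disappears.
netsh interface ipv4 set dnsservers "name=$Adapter" source=static address=$OtherDc validate=no
netsh interface ipv4 add dnsservers "name=$Adapter" address=127.0.0.1 index=2 validate=no

# 2. DNS Server service: a plain forwarder for everything not held in a local zone.
#    /ResetForwarders replaces the forwarder list with the addresses given.
dnscmd /ResetForwarders $IspResolver

# 3. A conditional forwarder for the one external domain only, as x64 describes.
dnscmd /ZoneAdd $PartnerZone /Forwarder $PartnerDns

# 4. Write this DC's A record and Netlogon's SRV locator records into the AD zone.
ipconfig /registerdns
Restart-Service Netlogon        # Netlogon re-registers the _ldap/_kerberos SRV records on start
Start-Sleep -Seconds 15

# 5. Verify against the other DC's copy of the zone: the record dcdiag flagged as
#    missing should now return this DC under "svr hostname".
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone" $OtherDc
dnscmd /EnumZones               # the conditional forwarder zone is listed with type Forwarder
```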



#7 aroshlakshan

aroshlakshan
  • Topic Starter

  • Members
  • 7 posts

Posted 13 January 2015 - 02:12 AM

I changed the IP and ran the test again. This time around it was successful. But I have another issue. I'm trying to turn off the 1st DC (Server 2012) and authenticate user accounts on a computer from the 2nd DC (Server 2008 R2). But it does not seem to be working. It can't authenticate the user from that computer even though I changed the DNS on that computer. Any ideas?



#8 x64

x64

  • Members
  • 352 posts
  • Gender:Male
  • Location:London UK

Posted 13 January 2015 - 01:40 PM

So many possibilities...

 

Time synchronisation (are all of the clocks in sync);

Workstation IP configuration (has it got an IP, are both DCs listed as the DNS client settings on the workstation);

Did you do an ipconfig /registerdns on both DCs when they were both up?

Any errors in the event logs that show AD related issues? (since you sorted out the DNS settings that is!)

 

You could also try temporarily disabling the Windows Firewall on the DCs (assuming your network is behind a firewall or NAT router of course!)

 

x64



#9 aroshlakshan

aroshlakshan
  • Topic Starter

  • Members
  • 7 posts

Posted 16 January 2015 - 12:36 AM

Hi, I encountered another problem. After I thought the replication was complete between my 2 DCs, I added another computer to my domain. Please refer to the setup below.

 

DC1

  • IP - 192.168.1.4
  • Windows Server 2012
  • DNS : 127.0.0.1, 192.168.1.11

 

DC2

  • IP - 192.168.1.11
  • Windows Server 2008 R2
  • DNS : 192.168.1.4, 127.0.0.1

Workstation Computer

  • Windows XP
  • IP - 192.168.1.32
  • DNS : 192.168.1.11

Because I want to test the new DC (DC2), I shut down DC1 and tried to log in to the workstation computer, but it says the domain is not available. But when I turn on DC1 and try to log in, it logs me in fine even though the DNS I set on the workstation computer is only the DC2 IP. That means the workstation computer user account is always authenticated by DC1 even though the request goes through DC2. I'm not sure what is going on here. Any ideas?
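The checks x64 lists in post #8 (time sync, DNS client entries, registered locator records, event log errors, firewall state), plus a look at whether DC2 alone can answer the locator queries behind the post #9 logon failure, as an added read-only example that is not code from the thread. Domain name, DC IPs and the TECHEN-DC2 hostname are the thread's; it assumes it is run in an elevated PowerShell on DC2 while both DCs are up.

```powershell
# Added example, not code from the thread: runs the checks from post #8 and shows what a
# client that uses only DC2 for DNS would be told about the domain (post #9). Read-only;
# run in an elevated PowerShell on DC2 (TECHEN-DC2) while both DCs are still up.

$Domain  = "techencounters.local"
$Dc1     = "192.168.1.4"
$Dc2     = "192.168.1.11"
$Dc2Name = "TECHEN-DC2"

# 1. Time: Kerberos rejects tickets when clocks differ by more than 5 minutes (default skew).
w32tm /monitor /computers:$Dc1,$Dc2

# 2. DNS client entries on this DC: other DC first, 127.0.0.1 second, no router address.
ipconfig /all | Select-String "DNS Servers" -Context 0,1

# 3. Locator records: each DC's copy of the zone must hold SRV records for BOTH DCs,
#    otherwise a client whose only DNS server is DC2 cannot find a DC once DC1 is off.
$records = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain"
foreach ($dns in $Dc1, $Dc2) {
    foreach ($rec in $records) {
        "== $rec as seen by DNS server $dns"
        nslookup -type=SRV $rec $dns | Select-String "svr hostname"
    }
}

# 4. Is DC2 a global catalog? _gc._tcp above is registered only by GCs; repadmin prints
#    IS_GC in "Current DC Options" for a GC, and nltest shows which GC the locator picks.
repadmin /options $Dc2Name
nltest /dsgetdc:$Domain /gc /force

# 5. Replication state and Error-level events from AD, DNS and System in the last day.
repadmin /replsummary
$filter = @{ LogName = "Directory Service", "DNS Server", "System"; Level = 2
             StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -MaxEvents 30 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, ProviderName, Id, Message -AutoSize -Wrap

# 6. Firewall state per profile (x64 suggests a temporary disable; see the state first).
netsh advfirewall show allprofiles state
```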



#10 aroshlakshan

aroshlakshan
  • Topic Starter

  • Members
  • 7 posts

Posted 17 January 2015 - 10:58 AM

Anyone?


