Question
Thursday, January 30, 2014 12:57 PM
Hi,
We have 2 domain controllers, both RWDCs. One of them has all of the operations masters; the other one has global catalog, DNS and DHCP failover enabled.
If both of them are online I can connect to the second DC's DNS, DHCP and AD via remote console, but once it is in an isolated network the second domain controller's AD just stops working: the DNS and DHCP consoles fail, but DNS and DHCP themselves still resolve addresses and answer DNS queries. With a PC in the same isolated network I get "network unidentified".
I think this is a simple problem, but I can't figure out what could be wrong; the AD data is replicating normally when they are both online.
All replies (15)
Friday, February 14, 2014 1:11 PM Answered | 1 vote
So I had a maintenance window and just wanted to see what would happen if I turn off the main DC. The strangest thing is that they worked, so I have no idea why it isn't working isolated, but everything besides that seems to be OK.
Friday, January 31, 2014 3:43 AM | 1 vote
It is best practice to make both of your DCs Global Catalog servers. In your case, you need to make them both DNS servers as well. For DHCP, it might be in your best interest to set up split zones.
Because you only have two DCs, you need to be careful about shutting them down. The FSMO roles need to always be available, so if you're going to power one off, you need to take the time to migrate the roles to the other server.
- If you have found my post to be helpful, or the answer, please mark them appropriately. Thank you.
Chris Ream
Friday, January 31, 2014 7:37 AM
Hi,
I agree with the above suggestion. If you have only one DNS server in the domain, you need to set that DNS server's IP address as the preferred DNS server in the TCP/IP properties on the DCs. You'd better make both DCs DNS servers and point to them as preferred DNS server and alternate DNS server.
In addition, the link below may be helpful:
Best practices for DNS settings on DC and domain members.
Best regards,
Susie
Monday, February 3, 2014 3:57 AM
Hi,
Any updates?
If you need further assistance, please feel free to let me know.
Best regards,
Susie
Tuesday, February 4, 2014 8:18 AM
Hi, so I tried to move the roles to the second server and still got the same results. I will try to add a third DC and see how it reacts.
Susie, Chris:
Both DCs are GC and DNS.
Tuesday, February 4, 2014 9:08 AM
Can you post the IPCONFIG /ALL:
Scenario 1: Both servers online
DC1
DC2
Client Machine
===========
Scenario 2:
IPCONFIG /ALL: (isolated network as what you said)
DC ipconfig on isolated network
Client Machine ipconfig on isolated network
Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Tuesday, February 4, 2014 4:01 PM
Primary, both online:
Windows IP Configuration
Host Name . . . . . . . . . . . . : S008
Primary Dns Suffix . . . . . . . : domain.eu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.eu
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-8E-04
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4c70:817e:c7e4:7e4f%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.1.1
DHCPv6 IAID . . . . . . . . . . . : 486544733
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-5E-EA-C8-00-15-5D-01-8E-04
DNS Servers . . . . . . . . . . . : 127.0.0.1
10.0.1.3
NetBIOS over Tcpip. . . . . . . . : Enabled
Secondary, both online:
Windows IP Configuration
Host Name . . . . . . . . . . . . : s009
Primary Dns Suffix . . . . . . . : domain.eu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.eu
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-FE-D1-76
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::415f:8e27:a507:7cbe%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.1.1
DHCPv6 IAID . . . . . . . . . . . : 301995357
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-5C-87-49-00-15-5D-FE-D1-76
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
10.0.1.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Secondary, isolated:
Windows IP Configuration
Host Name . . . . . . . . . . . . : s009
Primary Dns Suffix . . . . . . . : domain.eu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.eu
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-FE-D1-76
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::415f:8e27:a507:7cbe%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.1.1
DHCPv6 IAID . . . . . . . . . . . : 301995357
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-5C-87-49-00-15-5D-FE-D1-76
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
10.0.1.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Tuesday, February 4, 2014 7:49 PM | 1 vote
The best practice method, and what the BPA will show you if you've ever run it, is that the DC should point to another partner DC as the first entry, and the second entry to the loopback, or its own IP.
To remove the ::1 entry, which is the IPv6 entry, you can just set the IPv6 NIC DNS to get an IPv6 address automatically, whether using DHCP or not. This way it won't show up and the partner DC will show up as the first entry in the ipconfig /all.
Also, I agree with the previous suggestions that all the DCs should be a GC. There are certain scenarios with multiple sites and need to use GC Universal caching in one site, where you may not want this, but with a simple two DC environment, it would not apply.
I also wanted to address the original question as for if one DC/DNS is down, why doesn't it work? This is actually based on the client side resolver algorithm. Every machine has this service, whether it's a DC, client, member server, iPhone, Android, Linux, Mac, Unix.... etc. It's an industry standard on how it works. It's what queries DNS and how DNS query results are cached. So it may not necessarily be because of how the DCs are configured. Of course, ideally both DCs should be GCs.
If you want to read as to why and how ... read my blog on this below. This has been posted numerous times and has bewildered folks. I hope this explains it.
DNS, WINS, NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
Client side resolution process chart.
The DNS Client Side Resolver algorithm.
If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, February 5, 2014 1:18 AM
try changing to this:
Primary:
DNS Servers . . . . . . . . . . . : 10.0.1.2
10.0.1.3
Secondary:
DNS Servers . . . . . . . . . . . : 10.0.1.3
10.0.1.2
I guess it's not a good idea to put 127.0.0.1 or ::1, especially if the DC is also a DHCP server.
If you put 127.0.0.1 or ::1, and DHCP releases it to the client,
the client will have a DNS of 127.0.0.1, which basically points to the machine itself and not to the DC.
Just try the configuration above and see how it goes. Keep us posted.
Are root hints enabled, or do you use forwarders?
Are both DCs Global Catalogs?
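A script to check what the two posts above recommend, as an added example that is not code from this thread: it audits every DC's DNS client list (partner DC first, own address next, no 127.0.0.1 or static ::1), checks the SYSVOL and NETLOGON shares that a later reply found missing on a DC that would not run alone, and rewrites the list only when run with the hypothetical -Fix switch. It assumes RSAT's ActiveDirectory module and PowerShell remoting to the DCs.

```powershell
# Added example, not from the thread. Reports each DC's DNS client order against the
# recommended layout and (with -Fix, a hypothetical switch) applies it.
param([switch]$Fix)
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)        # HostName and IPv4Address per DC
$report = foreach ($dc in $dcs) {
    $self     = $dc.IPv4Address
    $partners = @($dcs | Where-Object { $_.IPv4Address -ne $self } | ForEach-Object IPv4Address)
    $desired  = $partners + $self                 # partners first, own address last

    # Static DNS client lists on the DC's adapters, collected per address family.
    $v4 = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } | ForEach-Object { $_.ServerAddresses } })
    $v6 = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv6 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } | ForEach-Object { $_.ServerAddresses } })

    $issues = @()
    if ($v4.Count -eq 0)                 { $issues += 'no static IPv4 DNS servers configured' }
    elseif ($partners -and $v4[0] -notin $partners) { $issues += "first entry '$($v4[0])' is not a partner DC" }
    if ($v4 -contains '127.0.0.1')       { $issues += 'IPv4 list contains 127.0.0.1' }
    if ($v4 -notcontains $self)          { $issues += "own address $self missing" }
    if ($v6 -contains '::1')             { $issues += 'IPv6 list contains static ::1' }
    # A DC whose SYSVOL/NETLOGON shares are missing cannot serve logons on its own.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path "\\$($dc.HostName)\$share")) { $issues += "$share share not reachable" }
    }

    if ($Fix -and $issues) {
        Invoke-Command -ComputerName $dc.HostName -ArgumentList (,$desired) -ScriptBlock {
            param($list)
            # Rewrite only adapters that carry a static IPv4 list; reset IPv6 to automatic so ::1 disappears.
            Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses.Count -gt 0 } |
                ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $list }
            Get-DnsClientServerAddress -AddressFamily IPv6 | Where-Object { $_.ServerAddresses -contains '::1' } |
                ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ResetServerAddresses }
        }
    }
    [pscustomobject]@{
        DC = $dc.HostName; Current = ($v4 -join ','); Desired = ($desired -join ','); Issues = ($issues -join '; ')
    }
}
$report | Format-Table -AutoSize
```

Run it once without -Fix, confirm the Issues column matches what you see in ipconfig /all on each DC, then run with -Fix during a maintenance window.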
Tuesday, February 11, 2014 3:40 PM
Back again after some more testing.
I changed the DNS to point to another controller, and the third entry is 127.0.0.1.
I added a third DC and upgraded the forest and domain level to 2012 R2:
s008 (the main one, which was upgraded from 2012, now 2012 R2 with all masters)
s009 (installed with 2012 R2 Core)
s028 (installed with 2012 R2 GUI)
The results: only s008 works alone; all of the other ones do not function if isolated, even if I move the masters to the server that I isolate, even if I assign the masters to s028 and isolate it together with s009. The AD console is not accessible, even from s028 itself (the service is running, double checked and even restarted after changing the operations masters).
This was not happening with 2012.
Wednesday, February 12, 2014 3:54 PM
I looked at the event logs and this is what came up when it's isolated:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
When I run nslookup it resolves the name:
C:\Users\LTVARMO01>nslookup pc
*** Default servers are not available
Server: UnKnown
Address: 127.0.0.1
Name: pc.domain.eu
Address: 10.0.1.192
Monday, February 17, 2014 3:02 AM
Hi,
Good to hear that, and thanks for sharing.
Have a good day!
Best regards,
Susie
Wednesday, February 19, 2014 4:04 PM
Good to hear! :-)
Ace Fekay
Thursday, January 18, 2018 6:45 AM
Really not an answer to the problem
Sam
Wednesday, July 10, 2019 11:51 PM
My scenario: new DC, so we have DC1 and now DC2. DC2 was unable to work solo without DC1. I noted the netlogon / sysvol shares were missing.
Tried everything including the Microsoft bulletin and nothing worked.
My new Domain Controller was unable to work solo. No DNS problems and no errors pointing to what was wrong.
What did the trick for me was creating a backup and then a system restore.
In order to do that, restart the server pressing F8 after the BIOS screen and from Advanced Boot Options select "Directory Services Repair Mode".
Using the password asked for when Active Directory was implemented, we can select the "System State" option.
On the next screen, check the box "perform an authoritative restore of active directory files".
Windows will recreate the shares and fix this bizarre situation.
Hope it helps someone in the same situation.