Steinkirchner
Apr 25, 2022 | Copper Contributor
Domain authentication issue
We are a small single-domain company. We've had one WinSvr2012 domain controller for years. Recently we added 2 Server 2019 DCs with the objective of demoting and decommissioning the 2012 DC. The ...
Apr 25, 2022
Ok, my question was: what DNS servers do your clients get assigned from your DHCP server? If you run an "ipconfig /all" on a client which can't authenticate to the domain, what are the primary and secondary DNS servers, 192.168.0.99 and 192.168.0.102 or? These options are set in your DHCP, perhaps not changed?
Other than that, if you run "netdom query FSMO", are all the FSMO roles present on one or both of the new DCs?
Steinkirchner
Apr 25, 2022 | Copper Contributor
.99 and .102 are also DNS. IPconfig /all correctly shows them as DNS on our domain clients. I'm not sure how many FSMO roles should be present. Until now, I was only aware of "domain naming master".
Schema master: 2012 DC
domain naming master: 2019 DC (I changed this)
PDC: 2012 DC
RID pool manager: 2012 DC
Infrastructure master: 2012 DC
Thank you very much, Harm, for taking an interest in my AD problem.
- Apr 25, 2022
They should all be present on a running domain controller (they can be offline for a little while, but not too long), so it's best to move them to one or divide them across two domain controllers. (Nice article here about that: https://www.dtonias.com/transfer-fsmo-roles-domain-controller/) But the 2012 DC is just turned off or did you demote it first? If it's not demoted, please turn it back on and move the FSMO roles from it to another DC/DCs. If it's demoted, then seize the roles using the article (the NTDSUTIL part).
- Steinkirchner | Apr 25, 2022 | Copper Contributor: The 2012 DC is running, and I'm afraid to demote it because it doesn't find the other two DCs during the demoting process. I'll move the FSMO roles tomorrow morning.
- Apr 25, 2022: "The 3 DCs seem to play nice together and correctly replicate new users, groups and computers".. And still there is an issue, it's probably DNS related. Check the settings on all three DCs and see if they are correct. Hopefully you can move the roles so that those are safe; if that fails you can always transfer using NTDSUTIL. But one DC not finding two DCs is not a good sign. Could you run a dcdiag /v on all three and check the output for errors that might indicate the issue?
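The role check and graceful transfer discussed in this thread can also be done with the ActiveDirectory PowerShell module; the following is an added example, not something posted by the thread's participants. `OLD-DC-PLACEHOLDER` and `NEW-DC-PLACEHOLDER` are placeholder host names, and the account is assumed to be in Schema Admins and Enterprise Admins, which the two forest-wide roles require.

```powershell
# Added example: list all five FSMO role holders, then gracefully transfer
# any role still held by the DC that is about to be demoted.
Import-Module ActiveDirectory

$OldDC = 'OLD-DC-PLACEHOLDER'   # placeholder: short host name of the 2012 DC
$NewDC = 'NEW-DC-PLACEHOLDER'   # placeholder: short host name of a 2019 DC

function Get-FsmoHolders {
    # Two roles are forest-wide, three are per domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
$before.GetEnumerator() | Format-Table Name, Value -AutoSize

# Holders are reported as FQDNs; compare on the host part only.
$toMove = @($before.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -ieq $OldDC } |
    ForEach-Object { $_.Key })

if ($toMove.Count -eq 0) {
    Write-Output "No FSMO roles remain on $OldDC."
} else {
    # Without -Force this is a transfer, not a seizure, so the current
    # holder must be online and reachable. -Confirm prompts before the move.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
        -OperationMasterRole $toMove -Confirm

    # Re-query and report anything that did not move.
    $after = Get-FsmoHolders
    $left = @($after.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $OldDC })
    if ($left.Count -gt 0) {
        Write-Warning "Still on ${OldDC}: $($left.Name -join ', ')"
    }
}
```

If the transfer fails because the DCs cannot locate each other, that points back to the DNS and `dcdiag /v` checks suggested above rather than to seizing the roles.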