Apr 25 2022 11:26 AM
We are a small single-domain company. We've had one WinSvr2012 domain controller for years. Recently we added 2 Server 2019 DCs with the objective of demoting and decommissioning the 2012 DC. The 3 DCs seem to play nice together and correctly replicate new users, groups and computers. However, when we shut down the 2012 DC, domain authentication is lost. Primary/secondary DCs are ancient history, so how can this be? We did disable/remove the DNS role on the 2012 DC, so only our 2019 DCs are DNS.
Apr 25 2022 11:35 AM
Apr 25 2022 11:42 AM
Apr 25 2022 11:48 AM
Apr 25 2022 12:01 PM
Apr 25 2022 12:08 PM - edited Apr 25 2022 12:11 PM
They should all be present on a running domain controller (they can be offline for a little while, but not too long), so it's best to move them to one or divide them across two domain controllers. (Nice article here about that: https://www.dtonias.com/transfer-fsmo-roles-domain-controller/) But is the 2012 DC just turned off, or did you demote it first? If it's not demoted, please turn it back on and move the FSMO roles from it to another DC/DCs. If it's demoted, then seize the roles using the article (the NTDSUTIL part).
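A PowerShell check to go with this advice, added here as an example and not taken from the thread or the linked article: it lists which DC holds each of the five FSMO roles, tests whether that holder still answers, and shows the transfer-versus-seize command for the case where the old holder is off. The target name DC2 and an installed ActiveDirectory RSAT module are assumptions.

```powershell
# Added example (not from the thread): report FSMO holders and their
# reachability, then show the transfer or seize command. Assumes the
# ActiveDirectory module is present and the session runs as a Domain Admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # An unreachable holder is exactly the situation in the question:
    # roles still assigned to a DC that has been powered off.
    $online = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
    [pscustomobject]@{ Role = $role; Holder = $holder; Reachable = $online }
}
$report | Format-Table -AutoSize

$TargetDc = 'DC2'   # placeholder: the 2019 DC that should take the roles
$offlineRoles = [string[]]($report | Where-Object { -not $_.Reachable } | Select-Object -ExpandProperty Role)

if ($offlineRoles) {
    # Holder is down, so a graceful transfer cannot complete: -Force seizes.
    # Only seize when the old holder will never rejoin the domain un-demoted;
    # if it does come back it has to be rebuilt, otherwise two DCs claim a role.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $offlineRoles -Force -WhatIf
} else {
    # All holders online: a normal transfer that the current holder agrees to.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole ([string[]]$roles.Keys) -WhatIf
}
# Remove -WhatIf to perform the move, then confirm the new holders with:
netdom query fsmo
```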
Apr 25 2022 12:11 PM
Apr 25 2022 12:15 PM
Apr 26 2022 10:40 AM
Thank you for the advice concerning the FSMO roles, Harm @Harm_Veenstra. I moved all roles to the new domain controllers. Can't figure out how to attach the DCDiag log files. DCDiag shows multiple test failures (all three DCs were running):
Apr 26 2022 10:53 AM
Apr 26 2022 11:59 AM
I'm sorry, Harm, by "ancient history" I meant that I thought that primary domain controllers no longer existed because there is no UI to configure PDCs. Our DC1 has been our PDC and only DC for the past 9 years.
System Log info from DC2 (now the PDC):
System log info from DC3:
Apr 26 2022 12:24 PM
Apr 28 2022 08:20 AM
I did restart the netlogon services from the command prompt and then executed ipconfig /registerdns. The only error is from DC3: "A Primary Domain Controller could not be located". DC2/DC3 have 127.0.0.1 as the primary DNS and each other as the secondary DNS. They both are patched to April '22. Both also reference DC1 as the GC name and time server, which shouldn't be the case I think. They should reference themselves as the GC name and time server, correct?
Apr 28 2022 10:18 AM
Apr 28 2022 11:06 AM
Apr 29 2022 12:53 AM
Apr 29 2022 04:47 AM
Apr 29 2022 05:30 AM
Apr 29 2022 05:53 AM
My new DCs now pass the Advertising test. They did not have SYSVOL shares. I followed the instructions at the link below to set a registry entry to generate the missing shares.
Apr 29 2022 05:58 AM