Problem changing PDC

Hello,

I have an environment with 3 DCs from which I want to remove 1 DC. I managed to transfer all roles, but whenever I disconnect the DC I want to remove I lose access to AD and authentication starts to fail. If I use the netdom query fsmo command, the roles appear on the correct DCs, but if I run the nltest /dsgetdc:mydomain.local command, it points to the DC I want to remove, and likewise if I run the command Get-ADDomainController -domainname edoc.local -Discover -Service PrimaryDC I start getting errors if the PDC role is not on the DC I want to remove. I don't see any problems with the DNS server.

It seems that the reference to the PDC is always pointing to the DC I want to remove.

Best regards,
Sérgio Raposo
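As an added example, not part of the original post, the PowerShell script below compares the three answers to "which DC is the PDC?" that the post mixes together: the FSMO role holders recorded in the directory (what netdom query fsmo reports), the _ldap._tcp.pdc._msdcs SRV record in DNS, and what the DC locator returns, both from the calling machine and from each DC's own Netlogon service (the nltest /dsgetdc view). It assumes the ActiveDirectory and DnsClient modules are installed, that it is run from a domain member with RSAT, and it uses the thread's domain name edoc.local as the default for the -Domain parameter.

```powershell
# Added example, not from the thread. Compares the three answers to
# "which DC is the PDC?" that can disagree while roles are being moved.
# Assumes: ActiveDirectory + DnsClient modules, run on a domain member
# with RSAT, domain name edoc.local as in the thread (override with -Domain).
param(
    [string]$Domain = 'edoc.local'
)

Import-Module ActiveDirectory

$ad     = Get-ADDomain -Identity $Domain
$forest = Get-ADForest -Identity $ad.Forest

# 1. Role holders as stored in the directory (what 'netdom query fsmo' reports)
$roles = [ordered]@{
    PDCEmulator          = $ad.PDCEmulator
    RIDMaster            = $ad.RIDMaster
    InfrastructureMaster = $ad.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
"== FSMO role holders recorded in AD =="
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# 2. The PDC locator record in DNS; a stale record here keeps sending
#    clients to the old server after the role has been transferred.
"`n== DNS SRV record _ldap._tcp.pdc._msdcs.$Domain =="
$srv = Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { Write-Warning 'no PDC SRV record found in DNS' }
$srv | Select-Object NameTarget, Port, Priority, Weight
foreach ($r in $srv) {
    if ($r.NameTarget.TrimEnd('.') -ne $roles.PDCEmulator.TrimEnd('.')) {
        Write-Warning "SRV record points at $($r.NameTarget) but AD records $($roles.PDCEmulator) as PDC emulator"
    }
}

# 3. What the DC locator returns when asked for the PDC (the call that
#    failed with error 1355 in the thread once the role had moved)
"`n== DC locator: Get-ADDomainController -Discover -Service PrimaryDC =="
try {
    $pdc = Get-ADDomainController -DomainName $Domain -Discover -Service PrimaryDC -ErrorAction Stop
    $pdc | Select-Object HostName, IPv4Address, Site
} catch {
    Write-Warning "PDC discovery failed: $($_.Exception.Message)"
}

# 4. Each DC's own Netlogon answer (equivalent to running
#    'nltest /dsgetdc:<domain> /pdc' on that DC). Different answers per DC
#    point at advertising or DNS registration problems rather than at FSMO.
"`n== nltest /dsgetdc per DC =="
foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
    $out  = nltest "/server:$dc" "/dsgetdc:$Domain" /pdc 2>&1
    $line = $out | Where-Object { "$_" -match '^\s*DC:' } | Select-Object -First 1
    $answer = if ($line) { "$line".Trim() } else { 'no answer: ' + (("$($out | Select-Object -First 1)") -replace '\s+', ' ') }
    '{0,-30} {1}' -f $dc, $answer
}
```

When the four views disagree, the mismatch tells you which layer is stale: AD right but DNS wrong means the SRV record was not re-registered (restarting Netlogon on the new role holder re-registers it); AD and DNS right but the locator still failing means the new holder is not advertising, which is the DFSR/SYSVOL problem this thread eventually found.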

Might check the results of:

netdom query fsmo

@Dave Patrick I already did that and the roles are on the DCs to which I moved them, and it seems that everything is all right. But every time I query the domain (ping -a <domain>) the IP that I receive is from the DC that I want to remove, while netdom query fsmo shows the PDC is the new server. Another thing is that when the roles are on the new servers, if I shut down the DC I want to remove I lose the Active Directory. To regain access I have to start the old DC. I have transferred the role without problems, I have seized the role, but nothing worked.


if I shut down the DC I want to remove I lose the Active Directory.

How are you verifying this? Might also check that the DHCP server hands out the addresses of healthy domain controllers.

Hello,

I don't have DHCP on the DCs. All the VMs are in Azure, they have fixed IPs and the DNS servers are configured in the network configuration. To identify which DC has the PDC I run Get-ADDomainController -domainname edoc.local -Discover -Service PrimaryDC and nltest /dsgetdc:edoc.local. When the role is hosted by the DC that I want to remove, it works fine. When I change the PDC role to another DC I start to get this error:
Get-ADDomainController : The specified domain either does not exist or could not be contacted
At line:1 char:1
+ Get-ADDomainController -domainname edoc.local -Discover -Service Prim ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-ADDomainController], ADException
+ FullyQualifiedErrorId : GetADDomainController:BeginProcessingOverride:DiscoverDC:1355,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController

Please run:

Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log (run on PDC emulator)
repadmin /showrepl >C:\repl.txt (run on **any** domain controller)
ipconfig /all > C:\%computername%.txt (run on **EVERY** domain controller)
ipconfig /all > C:\problemworkstation.txt (run on problem pc)


Also check the domain controller System and Replication (DFS or FRS) event logs for errors since last boot. Post the ***Event Source*** and ***Event IDs*** of any found. (no evtx files)

Then put `unzipped` text files up on OneDrive and share a link.

Hello,

The link for the files is this ... https://1drv.ms/f/s!Al6qCMQjnWZQmecAnI0kfOnzFkzCyA?e=2ONRru

On the server to which I moved the PDC role I found this:
The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner EDOCCOM2.EDOC.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 616342C9-9107-4C87-8FF3-BF1985A17368
Replication Group Name: Domain System Volume
Replication Group ID: F0046DA5-64B8-4D21-A281-C92A21BE55E6
Member ID: 0E0F2930-7056-4D44-8EB5-5C07488B6DFC
Read-Only: 0

The DFS Replication service encountered an error communicating with partner EDOCCOM2 for replication group Domain System Volume.

Partner DNS address: EDOCCOM2.EDOC.local

Optional data if available:
Partner WINS Address: EDOCCOM2
Partner IP Address: 10.0.0.8

The service will retry the connection periodically.

Additional Information:
Error: 1753 (There are no more endpoints available from the endpoint mapper.)
Connection ID: F0046DA5-64B8-4D21-A281-C92A21BE55E6
Replication Group ID: C2195BA6-6C4B-4F2E-AF1B-4E5D43C57DD3

The DFS Replication service is stopping communication with partner EDOCCOM2 for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Additional Information:
Error: 9033 (The request was cancelled by a shutdown)
Connection ID: F0046DA5-64B8-4D21-A281-C92A21BE55E6
Replication Group ID: C2195BA6-6C4B-4F2E-AF1B-4E5D43C57DD3

Please do not zip the files.   

Hello,

I unzipped the file.

Domain controllers should never have DHCP-assigned IP addresses. Also, it appears there may be a rogue IPv6 DHCP server on the network (router?), which could be problematic.

Check the DFS Replication event logs on EDOCCOM2 for details, as there seem to be errors. (the Event Source and Event IDs of any found)

Warning: DsGetDcName returned information for \\EDOCCOM2.EDOC.local, when we were trying to reach EDOCAD

Warning: DsGetDcName returned information for \\EDOCCOM2.EDOC.local, when we were trying to reach EDOCAD2.

Could be related to DHCP addressing.

Are the sysvol / netlogon shares visible on all? 

10.0.0.10 (EDOCCOM4) [Invalid (unreachable)] renamed? Or an old one?

The domain controller System and DFS Replication event logs should also guide you. 

Hello,

Only on the server that I want to disconnect can I see the SYSVOL and NETLOGON shares. The others have the SYSVOL folder, but it isn't shared.

The error that I found on EDOCCOM2 is the following:

The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)

With the event source DFSR and event id 1202

EDOCDOM4 was a DC that was demoted.
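As an added example that is not part of the thread, the PowerShell script below checks on every DC the things the replies above ask for: whether SYSVOL and NETLOGON are actually shared, whether the DC passes the dcdiag advertising test, the state DFSR itself reports for the SYSVOL replicated folder (the "initial synchronization state" from the event quoted earlier), and recent DFSR events. It assumes the ActiveDirectory module, WinRM/CIM and event-log RPC access to each DC, and the thread's domain name edoc.local. The event IDs it filters on (1202, 2213, 4604, 4614, 5002, 5008) are standard DFSR IDs from my own knowledge; the thread itself only names 1202 and quotes the message text of the others.

```powershell
# Added example, not from the thread. Per-DC health check for the symptoms
# discussed above: SYSVOL/NETLOGON not shared, DC not advertising, DFSR
# SYSVOL stuck in initial sync. Assumes ActiveDirectory module, CIM/WinRM
# reachable on every DC, and domain edoc.local as in the thread.
param(
    [string]$Domain = 'edoc.local',
    [int]$Hours = 24
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# DFSR event IDs worth reading for SYSVOL (standard DFSR IDs; the thread
# names 1202 and quotes the text of 4614, 5002 and 5008)
$dfsrIds = 1202, 2213, 4604, 4614, 5002, 5008

# DfsrReplicatedFolderInfo.State values from the root\MicrosoftDFS WMI provider
$folderState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                  3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

function Test-DcSysvolHealth {
    param([string]$Name)
    $result = [ordered]@{ DC = $Name }

    # 1. Shares as a client sees them (same check as 'net view \\<dc>')
    $shares = @()
    try { $shares = (Get-SmbShare -CimSession $Name -ErrorAction Stop).Name }
    catch { Write-Warning "$Name`: cannot enumerate shares: $($_.Exception.Message)" }
    $result.SYSVOL   = $(if ($shares -contains 'SYSVOL')   { 'shared' } else { 'NOT SHARED' })
    $result.NETLOGON = $(if ($shares -contains 'NETLOGON') { 'shared' } else { 'NOT SHARED' })

    # 2. Is Netlogon advertising this DC at all? (dcdiag advertising test)
    $adv = dcdiag /test:advertising "/s:$Name" 2>&1 | Where-Object { "$_" -match 'test Advertising' }
    $result.Advertising = $(if ("$adv" -match 'passed') { 'passed' } elseif ($adv) { 'FAILED' } else { 'unknown' })

    # 3. DFSR's own view of the SYSVOL replicated folder; a DC whose folder
    #    sits in 'Initial Sync' will not share SYSVOL or advertise.
    try {
        $rf = Get-CimInstance -ComputerName $Name -Namespace 'root\MicrosoftDFS' `
                  -ClassName DfsrReplicatedFolderInfo -ErrorAction Stop |
              Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' }
        $result.DfsrState = $(if ($rf) { $folderState[[int]$rf.State] } else { 'no SYSVOL folder in DFSR' })
    } catch { $result.DfsrState = "query failed: $($_.Exception.Message)" }

    # 4. Recent DFSR events, first line of each message only
    try {
        $ev = Get-WinEvent -ComputerName $Name -ErrorAction Stop -FilterHashtable @{
                  LogName = 'DFS Replication'; Id = $dfsrIds; StartTime = $since }
        $result.Events = @($ev | Sort-Object TimeCreated | ForEach-Object {
            '{0:u} id {1} {2}' -f $_.TimeCreated, $_.Id, (("$($_.Message)" -split "`r?`n")[0]) })
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no events"
        $result.Events = $(if ($_.Exception.Message -match 'No events') { @() }
                           else { @("query failed: $($_.Exception.Message)") })
    }
    [pscustomobject]$result
}

$report = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    Test-DcSysvolHealth -Name $dc.HostName
}
$report | Format-Table DC, SYSVOL, NETLOGON, Advertising, DfsrState -AutoSize
foreach ($r in $report) {
    "`n== DFSR events on $($r.DC) (last $Hours h) =="
    if ($r.Events.Count) { $r.Events } else { 'none' }
}
```

Read the table row by row: a DC showing NOT SHARED, FAILED and Initial Sync is exactly the situation described above, a DC that holds the PDC role on paper but cannot serve it because Netlogon will not advertise until DFSR finishes the first SYSVOL sync. That is why shutting down the old DC, the only one still sharing SYSVOL, took the domain down even though netdom query fsmo looked right.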

Ok, I think I finally get it now. Sounds like the single domain controller may not have been in a healthy state and then three more were added, which is complicating the situation. If it were me, I'd probably get rid of the additional ones and work to bring health on the one to 100%, then try again. It may be that some or all do not get the domain network profile, which blocks the required ports.

Hello Dave,

It was a problem with DFRS. I resolved it by correcting the problem, and then I could move the PDC and every server started to reply to the correct DC.

Thanks for your help and support.

Best regards,
Sérgio Raposo