Introducing Server 2008R2 DC's

    Hi folks,

    Looking for some helpful assistance on an AD issue that we are experiencing.

    We have a rather simple one forest one domain AD structure with 2 DC's at our HQ and 3 DC's in 3 other sites, all sites specified in AD with the correct subnet.

    These DC's are Windows Server 2003 Standard and our forest/domain level is 2003.

    I have introduced 5 Server 2008R2 DC's into AD...again 2 at our HQ and 3 at the other sites.

    I've actually retired the DC's that were Server 2003 at my other sites, so at these sites there are just Server 2008 R2 DC's.

    At my HQ is still the two Server 2003 DC's and now two Server 2008R2 DC's.

    I want to retire the Server 2003 ones, but one of them had all the FSMO roles, so I have successfully transferred them over. My new Server 2008 DC's at my HQ are GC's; the old Server 2003 DC's were GC's but are now not.

    Before I introduced my first Server 2008R2 DC I did all the forest/domain prep to make it Version 47.

    All my Windows 7 clients are fine. They log in fine, resolve fine and process their login scripts fine. When I powered off the old Server 2003 DC's and logged in as users using Windows 7 they did not have any issues.

    My XP users though...oh my goodness...nothing worked...they simply could not find a domain...took ages to log in...no login scripts ran etc.

    My XP users are on the same DHCP scope as my Windows 7 users and thus they can actually resolve the DNS name of ALL DC's yet when I enabled logging and looked at an XP NETLOGON.TXT I see entries like this:

    06/15 11:01:55 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC1.mydomain.com (none): 0x5b4
    06/15 11:02:04 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC3.mydomain.com (none): 0x5b4
    06/15 11:02:10 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC3.mydomain.com (none): 0x5b4
    06/15 11:02:19 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC2.mydomain.com (none): 0x5b4
    06/15 11:02:25 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC2.mydomain.com (none): 0x5b4
    06/15 11:02:34 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC1.mydomain.com (none): 0x5b4
    06/15 11:02:40 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC4.mydomain.com (none): 0x5b4
    06/15 11:02:49 [CRITICAL] NetpDcHandlePingResponse: spp-group.int.: Failed DNS resolution for MYDC4.mydomain.com (none): 0x5b4

    I'm confused...with all my 2003 DC's powered off my XP clients can resolve anything because their DNS settings are pointing to the Server 2008 DC's which are up but if I try and do anything domain related the XP client acts like there is no domain.

    If I take an XP client out of the domain I cannot add it back in nor can I set permissions on a folder since it cannot see a domain.

    Yet every tool we use to find any AD errors report none.

    DCDIAG, NETDIAG, DNSLINT, REPADMIN show no errors whatsoever...all replication is fine, all DNS is fine etc.

    I'm at a loss as to why these XP clients are relying on the old 2003 DC's when there are plenty of the new Server 2008R2 DC's up and running.

    All my IP settings are correct on each DC...everything is as it should be, as I have pored over all settings twice, yet XP machines have a horrendous time when I power off the 2003 DC's (simulating that they are demoted).

    Any ideas?

  • #2
    Re: Introducing Server 2008R2 DC's

    Well after a weekend of pulling my hair out I think I've found the issue.

    IPv6 is disabled on all my new DC's, but only by unchecking the IPv6 options on their NIC's.

    The procedure to disable IPv6 on a Server 2008R2 DC is instead to add a registry setting at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents=0xffffffff

    The symptoms are that LDAP queries will get through on TCP 389 but not UDP 389.

    Using Port Query I can see LDAP queries on my Server 2003 DC's respond fine on both TCP and UDP port 389 but the Server 2008R2 DC's fail to respond on UDP port 389, which XP users are using!

    I've made the change in the registry and will reboot tonight.
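    The "LDAP ping" that the XP DC locator sends (the request behind the NetpDcHandlePingResponse lines in the first post) and that PortQry uses for its UDP 389 probe is a small CLDAP search, so you can reproduce the per-DC check from the follow-up without PortQry. The script below is an added example, not code from this thread: it builds the [MS-ADTS] LDAP ping (filter `(&(DnsDomain=<domain>)(NtVer=…))`, attribute `Netlogon`), sends it to UDP 389 on each DC you name, and decodes the NETLOGON_SAM_LOGON_RESPONSE_EX reply far enough to show the DC's hostname, site and flags (GC, PDC, KDC...). A DC that accepts TCP 389 but never answers this datagram matches the symptom described above. The domain `mydomain.com`, the host `MYDC1` and the embedded reply are constructed placeholders, not captures from the poster's environment.

```python
"""CLDAP "LDAP ping" over UDP 389 (added example; standard library only)."""
import socket
import struct

# ---- minimal BER encoding --------------------------------------------------
def ber_len(n):
    """Definite-form BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def octet(v):                      # OCTET STRING (LDAPString / AttributeValue)
    return tlv(0x04, v if isinstance(v, bytes) else v.encode())

def integer(n, tag=0x02):          # INTEGER, or ENUMERATED with tag=0x0A
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def ldap_ping_request(domain, msg_id=1):
    """LDAPMessage{searchRequest} with filter (&(DnsDomain=<domain>)(NtVer=V5|V5EX))."""
    ntver = struct.pack("<I", 0x06)                       # NETLOGON_NT_VERSION_5 | _5EX
    eq = lambda a, v: tlv(0xA3, octet(a) + octet(v))      # equalityMatch [3]
    flt = tlv(0xA0, eq("DnsDomain", domain) + eq("NtVer", ntver))   # and [0]
    search = tlv(0x63,                                    # [APPLICATION 3] SearchRequest
                 octet("") + integer(0, 0x0A) + integer(0, 0x0A)    # base "", baseObject, neverDeref
                 + integer(0) + integer(0) + b"\x01\x01\x00"        # sizeLimit, timeLimit, typesOnly
                 + flt + tlv(0x30, octet("Netlogon")))              # attributes: Netlogon
    return tlv(0x30, integer(msg_id) + search)

# ---- minimal BER decoding --------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos (definite lengths only)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def netlogon_attr(datagram):
    """Pull the Netlogon attribute value out of a CLDAP searchResEntry, or None."""
    pos = 0
    while pos < len(datagram):
        _, msg, pos = read_tlv(datagram, pos)        # one LDAPMessage per iteration
        _, _, p = read_tlv(msg, 0)                   # messageID
        op, body, _ = read_tlv(msg, p)
        if op != 0x64:                               # skip searchResDone (0x65) etc.
            continue
        _, _, p = read_tlv(body, 0)                  # objectName
        _, attrs, _ = read_tlv(body, p)
        q = 0
        while q < len(attrs):
            _, attr, q = read_tlv(attrs, q)
            _, name, r = read_tlv(attr, 0)
            _, vals, _ = read_tlv(attr, r)
            if name == b"Netlogon":
                return read_tlv(vals, 0)[1]
    return None

def decode_name(blob, pos):
    """RFC 1035 style compressed name (pointers are offsets into the Netlogon blob)."""
    labels, jumped, nxt = [], False, None
    while True:
        n = blob[pos]
        if n & 0xC0 == 0xC0:                         # 2-byte pointer
            if not jumped:
                nxt = pos + 2
            pos, jumped = ((n & 0x3F) << 8) | blob[pos + 1], True
            continue
        pos += 1
        if n == 0:
            break
        labels.append(blob[pos:pos + n].decode())
        pos += n
    return ".".join(labels), (nxt if jumped else pos)

DC_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
            0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE"}

def parse_netlogon(blob):
    """Decode the leading fields of NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 23)."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != 23:
        raise ValueError("unexpected opcode %d" % opcode)
    pos, fields = 8 + 16, {}                         # skip Opcode/Sbz/Flags and DomainGuid
    for key in ("forest", "domain", "dc_host", "nb_domain", "nb_dc", "user", "dc_site", "client_site"):
        fields[key], pos = decode_name(blob, pos)
    fields["flags"] = [v for k, v in DC_FLAGS.items() if flags & k]
    return fields

def ldap_ping(dc, domain, timeout=2.0):
    """Send the ping to <dc>:389/udp; None means no CLDAP answer within the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(ldap_ping_request(domain), (dc, 389))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    attr = netlogon_attr(data)
    return parse_netlogon(attr) if attr else None

def sample_response():
    """Constructed CLDAP reply (not a real capture) so the decoder can run offline."""
    enc = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    nl = struct.pack("<HHI", 23, 0, 0x3FD) + b"\x00" * 16       # PDC|GC|LDAP|DS|KDC|... set
    nl += enc("mydomain.com") + b"\xC0\x18"                      # forest, domain -> pointer to offset 24
    nl += b"\x05MYDC1\xC0\x18" + enc("MYDOMAIN") + enc("MYDC1") + b"\x00" + enc("HQ") + enc("HQ")
    entry = tlv(0x64, octet("") + tlv(0x30, tlv(0x30, octet("Netlogon") + tlv(0x31, octet(nl)))))
    done = tlv(0x65, integer(0, 0x0A) + octet("") + octet(""))
    return tlv(0x30, integer(1) + entry) + tlv(0x30, integer(1) + done)

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "mydomain.com"   # placeholder domain
    for dc in sys.argv[2:]:
        print(dc, ldap_ping(dc, domain) or "no CLDAP answer on UDP 389")
    print("offline sample:", parse_netlogon(netlogon_attr(sample_response())))
```

    Run it as `python ldap_ping.py mydomain.com MYDC1.mydomain.com MYDC2.mydomain.com` from a client that can reach the DCs; a DC that prints "no CLDAP answer on UDP 389" while `portqry -e 389 -p tcp` succeeds is showing exactly the asymmetry the follow-up found. The flags list is also a quick way to confirm that the new DCs advertise GC and KDC before the old ones are demoted.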
