Mark Minasi's Tech Forum
techgrunt

Still Checking the Forum Out
Registered:
Posts: 4
Reply with quote  #1 
Hi Everyone,

Struggling with an issue at present following migration of vm guests including a dc to a new 2016 hyper-v host.

All went well, and on final checks, found that our physical dc/file/dns server had entered journal wrap error prior to the hyper-v migration. Did the burflags D2 registry repair and rebooted the physical dc - event log reporting that FRS failed to replicate between the two dc as it couldn't find the virtual dc.
Digging deeper, the nic on the physical dc had switched its network profile to private, and have not been able to get it back to domain profile. Physical dc is Win 2016 std, vm dc is 2012 R2 std. Have checked nic settings and all is as it should be with correct dns suffix set in nic properties. DNS set initially to point to vm dc then to itself, however changing it to point to itself first makes no difference. Have restarted the NLA service multiple times and rebooted the server multiple times attempting to get nic to switch back to domain profile. Have also transferred FSMO roles to vm dc and is the only server now that has the domain profile set to its nic. The hyper-v host virtual adapter and management nic are also now set to private profile. This has gotten me stumped. Any suggestions appreciated.
0
wkasdo

Administrator
Registered:
Posts: 235
Reply with quote  #2 
> the nic on the physical dc had switched its network profile to private

This typically happens when FRS has a problem, which in turn leads to NETLOGON having problems.

The fact that the firewall is in private mode should not stop FRS from working.

Depending on how you did the VM migration it may have ended in a D2 state itself, which leaves both DCs in a broken state. So my recommendation would be:
- verify that normal AD repl is working (repadmin /replsum). If not --> fix this first.
- pick one DC that has the most complete SYSVOL data. Call this the master.
- stop/disable FRS on both.
- Put the master in D4
- Put the other in D2
- start FRS on the master
- start FRS on the other.

When things are stable again, migrate SYSVOL from FRS to DFSR asap. There are good reasons that FRS has been deprecated.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0
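The D4/D2 sequence from the reply above, as an added PowerShell example (not part of wkasdo's post). The two DC names are parameters the operator supplies; the script stops FRS but does not disable it, and waiting for FRS event 13516 on the master before starting the other DC is an assumption about how to pace the last two steps.

```powershell
# Added example. Run from an elevated session with PowerShell remoting to both DCs.
param(
    [Parameter(Mandatory)][string]$Master,  # DC with the most complete SYSVOL (gets D4)
    [Parameter(Mandatory)][string]$Other    # DC that re-syncs from the master (gets D2)
)

$setBurFlags = {
    param([int]$Value)
    # The key name contains "/" ("Backup/Restore"), which the PowerShell registry
    # provider treats as a path separator, so go through the .NET registry API.
    $path = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
    if (-not $key) { throw "BurFlags key not found on $env:COMPUTERNAME" }
    try     { $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

# 1. Review AD replication first; the operator decides whether it is healthy.
repadmin /replsummary
if ((Read-Host 'AD replication healthy and master choice confirmed? (yes/no)') -ne 'yes') {
    return
}

# 2. Stop FRS on both DCs before touching BurFlags.
Invoke-Command -ComputerName $Master, $Other -ScriptBlock { Stop-Service NtFrs -Force }

# 3. D4 = authoritative on the master, D2 = non-authoritative on the other.
Invoke-Command -ComputerName $Master -ScriptBlock $setBurFlags -ArgumentList 0xD4
Invoke-Command -ComputerName $Other  -ScriptBlock $setBurFlags -ArgumentList 0xD2

# 4. Start the master and wait until it reports SYSVOL as shared again.
Invoke-Command -ComputerName $Master -ScriptBlock {
    $since = Get-Date
    Start-Service NtFrs
    # Event 13516 in the FRS log: the service no longer blocks the DC role.
    $filter = @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $since }
    while (-not (Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue)) {
        Start-Sleep -Seconds 15
    }
}

# 5. Only then start FRS on the other DC so it pulls SYSVOL from the master.
Invoke-Command -ComputerName $Other -ScriptBlock { Start-Service NtFrs }
```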
techgrunt

Still Checking the Forum Out
Registered:
Posts: 4
Reply with quote  #3 
Thanks for the reply wkasdo.

The vm dc was exported from our old hyper-v host running win 2012 R2 and imported into the new hyper-v. Firewall is disabled for domain via group policy.

Will be on site tomorrow and carry out your plan of action. Your comment regarding FRS problem > nic profile problem and netlogon problems is helpful. I assumed it was the other way around and was attempting to fix it from that point of view and not getting anywhere.

Here's hoping... [thumb]
0
wkasdo


Administrator
Registered:
Posts: 235
Reply with quote  #4 
> The vm dc was exported from our old hyper-v host running win 2012 R2 and imported into the new hyper-v

Yes, that would cause the VM to need a D2. So it really looks like you had two DCs in D2 at the same time, which cannot work.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0
techgrunt

Still Checking the Forum Out
Registered:
Posts: 4
Reply with quote  #5 
From past research, I was under the assumption that DCs hosted on win 2008 hyper-v hosts had to be restored from bare metal backup to new hosts, however vm dcs on 2012 hosts could be exported. This is the first dc that I have migrated from a 2012 hyper-v host. Need to find definitive answers for this from MS for future migrations.
0
jsclmedave

Administrator
Registered:
Posts: 460
Reply with quote  #6 
Quote:
Originally Posted by wkasdo
> the nic on the physical dc had switched its network profile to private

This typically happens when FRS has a problem, which in turn leads to NETLOGON having problems.

The fact that the firewall is in private mode should not stop FRS from working.

Depending on how you did the VM migration it may have ended in a D2 state itself, which leaves both DCs in a broken state. So my recommendation would be:
- verify that normal AD repl is working (repadmin /replsum). If not --> fix this first.
- pick one DC that has the most complete SYSVOL data. Call this the master.
- stop/disable FRS on both.
- Put the master in D4
- Put the other in D2
- start FRS on the master
- start FRS on the other.

When things are stable again, migrate SYSVOL from FRS to DFSR asap. There are good reasons that FRS has been deprecated.



D2 & D4 ..?  What is that?


__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
0
cj_berlin


Senior Member
Registered:
Posts: 282
Reply with quote  #7 
Quote:
Originally Posted by jsclmedave

D2 & D4 ..?  What is that?


Burflags.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
jsclmedave

Administrator
Registered:
Posts: 460
Reply with quote  #8 
Quote:
Originally Posted by cj_berlin


Burflags.


Thank You CJ !!

Those things I'm never supposed to mess with   : )

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
0
techgrunt

Still Checking the Forum Out
Registered:
Posts: 4
Reply with quote  #9 
An update, was not able to repair AD replication, must have broken it further attempting the original recovery.

So turned off physical DC and vm dc on new hyper-v host. Fired up vm dc on old hyper-v host which was pre-export.

Seized FSMO roles and deleted physical dc computer account and metadata cleanup of that dc.

Disconnected physical dc from network > logged in and force demoted it off domain. Plugged into network > joined domain and promoted to dc.

All seems to be working well, when I am back next week, will follow through with migration of sysvol to DFSR.

Thanks again wkasdo for your help, cheers.
0