Mark Minasi's Tech Forum
#1 Wes (Senior Member, Posts: 206)
Hi guys,

Well, 2016 hit GA today, so I can finally talk about it, lol.

I finished up upgrading my last DC to 2016 this morning and the domain promptly broke into a thousand pieces.  Sort of.

Auth stopped working right - member servers were flipping over to the public firewall profile instead of domain, etc etc.

Dug into it with a couple of guys from the MS side and we discovered that netlogon was set for manual startup instead of automatic on all 4 DCs.  It appears that the upgrade process is not setting it back to automatic once the upgrade completes - oops!

I'm sure they'll get this fixed asap in an update, but something to take note of if you do a non-update or offline upgrade in the meantime.
#2 wobble_wobble (Associate Troublemaker Apprentice, Posts: 808)
Wes
I have to ask what was the driver to upgrade on the day of release?

I'm assuming that bragging rights is not the prime reason.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
#3 Wes (Senior Member, Posts: 206)
Always bragging rights! Lol

We are part of the testing brigade, so we actually upgraded many servers a while ago. Today was just the day that this last DC was upgraded, as it was the day KMS keys were released, and that happens to be our KMS server.
#4 jsclmedave (Administrator, Posts: 445)
Quote:
Originally Posted by Wes
Always bragging rights! Lol. We are part of the testing brigade, so we actually upgraded many servers a while ago. Today was just the day that this last DC was upgraded, as it was the day KMS keys were released, and that happens to be our KMS server.

Sorry for the confusion... Upgrade? You mean instead of a clean install you upgraded a 2012 R2 to 2016? If so, WHY??

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
#5 Wes (Senior Member, Posts: 206)
Never used to do upgrades, but since 2012 we do them quite frequently on DCs and file servers, especially when they are CA servers. Been rock solid until this lovely bug. Time advertising also appears to be broken; working on that now.
#6 jsclmedave (Administrator, Posts: 445)
Quote:
Originally Posted by Wes
Never used to do upgrades, but since 2012 we do them quite frequently on DCs and file servers, especially when they are CA servers. Been rock solid until this lovely bug. Time advertising also appears to be broken; working on that now.

Interesting...

DCs I would normally spin up new, but the others make sense.

#7 Wes (Senior Member, Posts: 206)
Can you guys do me a quick favor and check this location on your DCs:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]

Can you tell me if type is NTP or NT5DS?

Thanks!

#8 wobble_wobble (Associate Troublemaker Apprentice, Posts: 808)
NTP on 2008 - On a 2008 DC
NT5DS on a 2012R2 domain member.

No access to a 2012 DC tonight.

NT5DS on a 2012R2 DC.


#9 DM-AVAL (New Friend (or an Old Friend who Built a New Account), Posts: 69)
It should be NT5DS on member servers and domain controllers that have not been configured to sync with an external time source (normally, everything except the PDCe).

It is NTP on the PDCe *if* the domain controller holding this role has been configured to sync with an external time source.

With a command like this:

w32tm /config /manualpeerlist:"time.nist.gov",0x8 /syncfromflags:manual

And only then.

#10 Wes (Senior Member, Posts: 206)
Appears that there is another confirmed bug with the upgrade changing the NTPserver to disabled/0.  Have to manually set it back to enabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]

"Enabled" = 1

#11 wobble_wobble (Associate Troublemaker Apprentice, Posts: 808)
You mentioned this was the last DC to be upgraded. Did issues arise since that upgrade or on a general AD health check?
Was this targeted issues you or MS were looking for or an AD check using a RAP scan?

#12 Wes (Senior Member, Posts: 206)
The other 3 DCs had all been upgraded and had netlogon set to manual, but we didn't notice it because the 4th was still happily running 2012 R2. Only when that one was upgraded did everything start falling apart, and immediately... Within 10-15 minutes of me starting the upgrade, folks started being unable to get to file server resources, and member servers were switching over to the public firewall profile instead of the domain one, etc...

Ironically, I used to monitor netlogon via PRTG but took that out a while back; I think we were short on sensors at the time.

Once netlogon is set to automatic and NTPserver is set to enabled everything is good to go.
#13 Wes (Senior Member, Posts: 206)
So looks like this is not limited just to DCs.  File servers and WDS servers that I've upgraded also have netlogon set to manual, so it looks to be a general bug in the upgrade logic.
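An added PowerShell audit (my example, not code from any poster in this thread) that checks the three settings the posts above identify after an in-place upgrade to 2016: the Netlogon start type, the W32Time Type value, and the NtpServer provider's Enabled value. It assumes an elevated session on the server being checked and uses Win32_ComputerSystem.DomainRole to tell a PDCe (5) from other DCs (4); the function name and output shape are my own.

```powershell
# Added example, not from the thread: audit the post-upgrade settings discussed above.
function Test-PostUpgradeConfig {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix applies the remediation instead of only reporting

    $params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $ntpServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
    $findings  = @()

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC (the PDC emulator holder)
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    # 1. Netlogon must start automatically; the upgrade left it on Manual (posts #1 and #13)
    $netlogon = Get-CimInstance -ClassName Win32_Service -Filter "Name='Netlogon'"
    if ($netlogon.StartMode -ne 'Auto') {
        $findings += "Netlogon StartMode is '$($netlogon.StartMode)', expected 'Auto'"
        if ($Fix) {
            Set-Service -Name Netlogon -StartupType Automatic
            Start-Service -Name Netlogon
        }
    }

    # 2. W32Time Type: NT5DS everywhere except a PDCe that syncs from an external source (post #9)
    $type = (Get-ItemProperty -Path $params -Name Type).Type
    if ($role -ne 5 -and $type -ne 'NT5DS') {
        $findings += "W32Time Type is '$type' on a non-PDCe host, expected 'NT5DS'"
    }

    # 3. On a DC the NtpServer provider must be enabled or the DC stops serving time (post #10)
    if ($isDc) {
        $enabled = (Get-ItemProperty -Path $ntpServer -Name Enabled).Enabled
        if ($enabled -ne 1) {
            $findings += "NtpServer Enabled is $enabled, expected 1"
            if ($Fix) {
                Set-ItemProperty -Path $ntpServer -Name Enabled -Value 1 -Type DWord
                Restart-Service -Name w32time
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        IsDC         = $isDc
        W32TimeType  = $type
        Findings     = $findings   # empty means nothing to do on this host
    }
}
```

Run `Test-PostUpgradeConfig` without -Fix first and review the Findings list; the same call with -Fix sets Netlogon back to Automatic and re-enables the NtpServer provider, restarting w32time so the change takes effect.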
#14 Wes (Senior Member, Posts: 206)
https://support.microsoft.com/en-us/kb/3201247
#15 jsclmedave (Administrator, Posts: 445)
Thanks for the heads up Wes!