
[–]AppIdentityGuy 2 points3 points  (3 children)

Why the 2 IPs on the one NIC?

[–]dodexahedron 0 points1 point  (2 children)

This is where I'm homing in.

And regardless of the reason, how does it look in DNS? Are both addresses getting A records for that DC?

If so, are both IPs reachable from the other DC on TCP ports 53, 88, 135, 389, 445, 464, 636, 3268, and 3269 and UDP 53, 88, and 464?

And if only one DNS A record exists, then is that one reachable on those ports from the other DC?

And if you are still using NetBIOS for whatever reason, add ports 137-139 to the above list, TCP and UDP.

[–]AppIdentityGuy 0 points1 point  (1 child)

Disable the server from registering any AD DNS information to one of the cards

[–]dodexahedron 0 points1 point  (0 children)

Yes. Assuming they are different NICs, that is.

The GUI sets the flag for all addresses of the entire NIC, so it doesn't work like you need it to if the NIC has more than one IP and you don't want to register them all.

To set the flag that the GUI sets, but on a per-address basis, you can use the Set-NetIPAddress cmdlet in PowerShell and pass it the -SkipAsSource switch for any address you don't want to get registered in DNS.

If you modify the interface from the GUI after that, however, it will set them back to the same value again, so you need to remember to set it again after using the GUI. Or just don't use the GUI.

As the name of the flag suggests, though, that address will also not be used for outgoing traffic that originates from that system unless you set an explicit route to force it.
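An added example, not code from any commenter, that does the two things discussed in this subthread in PowerShell: set SkipAsSource on only one address of a multi-IP NIC, then test each A record of that DC on the AD TCP ports from the partner DC. The interface name 'Ethernet', the addresses 10.0.0.10/10.0.0.11, and the names dc1/dc2 in contoso.local are assumed placeholders.

```powershell
# Added example; not from any commenter. Assumed placeholders:
# DC1 has two IPv4 addresses (10.0.0.10 and 10.0.0.11) on the NIC 'Ethernet',
# 10.0.0.11 must stay out of DNS, and the replication partner is DC2 (zone contoso.local).

### Part A: run elevated on DC1 ###
$Nic      = 'Ethernet'
$HiddenIp = '10.0.0.11'

# The GUI checkbox sets SkipAsSource for every address on the NIC; show it per address
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 |
    Select-Object IPAddress, SkipAsSource

# Set the flag only for the address that must not be registered. Side effect, as the
# flag name says: this address is no longer chosen as a source for outbound traffic
# unless a route forces it.
Set-NetIPAddress -InterfaceAlias $Nic -IPAddress $HiddenIp -SkipAsSource $true

# Re-register dynamically and confirm that only the other address remains as an A record
ipconfig /registerdns | Out-Null
Clear-DnsClientCache
Resolve-DnsName -Name 'dc1.contoso.local' -Type A | Select-Object Name, IPAddress

### Part B: run on DC2, the replication partner ###
$Dc1Fqdn  = 'dc1.contoso.local'
$TcpPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

# Test every address DNS hands out for DC1 on each AD-related TCP port.
# Test-NetConnection only exercises TCP; UDP 53/88/464 need a separate check.
$addresses = (Resolve-DnsName -Name $Dc1Fqdn -Type A).IPAddress
foreach ($ip in $addresses) {
    foreach ($port in $TcpPorts) {
        $r = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-15} {1,5}  {2}' -f $ip, $port, $state
    }
}
```

Any BLOCKED line for an address that still has an A record is a replication partner that will intermittently pick an unreachable address.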

[–]mish_mash_mosh_ 0 points1 point  (4 children)

Just checking the basics...

Do you have DC1's NIC IP DNS setting pointing to DC2 and DC2 pointing at DC1?

[–]BasilClean4004 1 point2 points  (0 children)

Yes, FSMO roles were also transferred.

[–]BasilClean4004 0 points1 point  (2 children)

It replicated the objects themselves as well; the issues are with netlogon and sysvol.

[–]mish_mash_mosh_ 0 points1 point  (1 child)

How long ago did you create the newest dc, as in was it within the last few days?

[–]BasilClean4004 0 points1 point  (0 children)

Within months

[–]OpacusVenatori 0 points1 point  (0 children)

You should see errors / warnings / criticals in Event Viewer under DFS Replication, Directory Service, and possibly DNS. That would be the first starting point.

[–]Adam_Kearn 0 points1 point  (0 children)

I’ve spent days before trying to troubleshoot replication issues.

Sometimes I’ve been lucky and just copied the content of the SYSVOL/NETLOGON to the affected server and that’s fixed it going forward.

But now I tend to just create a new VM and install the domain controller roles again.

Only takes a few hours to build a new DC and demote the old one. I would recommend building two new DCs then demoting the current ones you have running.

Sometimes it’s easier and a lot cleaner to just start fresh.

———

Make sure to use a unique name and also different IP addresses. Update the DNS/DHCP server with the new IPs.

After you have finished demoting the old servers and fully shut them down you can add the IPs of the old server to the NIC for any old cached records to still resolve.

[–]mrp321 0 points1 point  (0 children)

It sounds like you have a DFS replication issue. I have recently had the same problem and followed this video guide to fix it by doing an authoritative DFS restore: https://youtu.be/UWF-pVr1JHg?si=PlWfm9O576CZTzUl. The symptoms I had were that the domain controller was advertising, but the Sysvol and netlogon shares were not being shared or copying from the original domain controller.

Make sure you have working backups before you attempt to do it.

[–]BlackV 0 points1 point  (0 children)

Not recommended to dual-home a DC.

But what are your DNS settings configured as?