0

Windows 2016 Server environment with 3 DCs, single domain. All DCs are also GCs. Server 1 holds all 5 FSMO roles.

Now I want to export the VM of server 1 and put onto a different environment on a separate virtual host server, network completely separated from the actual domain. Shutdown VM, export, then re-import on the other host.

The VM works. Can ping it from a PC connected to the new separate network.

What I would expect is that AD should work just as usual, with this DC now being a lonely DC. Of course replications won't work, but since that server is a GC and holds all FSMO roles, it should have all it needs, right?

However, what happens is following:

  • Cannot connect to Active Directory, not even locally from server 1
  • dcdiag passes connectivity test but fails advertising test with error 1355 (the locator cannot find the server).
  • another error in dcdiag is unable to connect to NetLogon share.
  • nslookup query for _ldap._tcp.dc._msdcs.domain.com yields the proper reply, just as it did in the original domain network. This is supposed to be the query to locate a DC, so why does it not find it although DNS can locate it?
  • On the DC itself, in the new domain environment, the sysvol folder no longer contains "Policy" and "Scripts" folder, but instead there is a folder called something like "Ntfrs_Previous_SeeEventLog".

I am at a loss to understand why this happens.

Is that expected to happen, or did I do something wrong? What could it be?

nepdev2
  • 11
  • 2

1 Answers1

0

Microsoft explicitly says to not do what you're doing (1). "replication won't work" will definitely (eventually) lead to "my AD broke". A DC with badly-broken replication will indeed stop acting like a DC, stop servicing logins, etc.

They even left you a breadcrumb that you found! Ntfrs_Previous_SeeEventLog - That's NT File Replication Service. It broke (expected), the DC removed its shares (expected), thus breaking logins, and left you a message to look up the event logs. Go do that.

If you insist on going down this path, you'll need to fix replication, cleanup this machine's view of AD now that you've cut it off from other DCs, and then you might have a working isolated test domain.

Update per your comment - yes, of course you can have a domain with a single DC. But you took a (copy of) a DC that was NOT solo, and cut it off from the replication partners that it knows about, so it thinks it's broken. You have to fix it. End of story.

(1) - There used to be a TechNet KB article stating this. Microsoft memory-holed a lot of that, so I don't have an easy source. It was about unsupported scenarios for AD migrations during corporate splits and divestitures; a "please don't do this" scenario was simply partitioning the network and then cleaning up each half's AD. Obviously, on paper there's no reason it shouldn't work, but if you miss something or do it wrong or cleanup the wrong stuff, you've made a HELL of a headache and MS didn't want to support it.

mfinni
  • 36,144
  • 4
  • 53
  • 86
  • Can you provide info where Microsoft says so? Obviously I can have a domain with a single DC so replication is not required. What seems not supported then is "downgrading" a DC without demoting all other DCs first (which is not what I want to do) – nepdev2 Jun 12 '23 at 17:29
  • But isn't that exactly what replication with a 2nd DC is supposed to handle? Imagine domain with 2 DCs - disastrous outage - after recovery only 1 DC comes back up - exactly same situation as I have, so the single DC will not function? But that situation is exactly why one would have 2 DCs - so that one can fail, and in any way imaginable. - So does this then mean minimum nbr of DCs is 2? So one should really always have 3 so one can fail, leaving 2? This would be a disastrously stupid setup - I cannot believe this to be true. – nepdev2 Jun 12 '23 at 21:56
  • No, loss of a single DC in a 2-DC environment will not immediately cause the domain to die, you're correct. The design is not disastrously stupid. It usually takes a while. So perhaps you took too long to recreate the isolated environment. Maybe there was some weirdness with the time service during the isolation/recreation. Regardless, Windows already told you the problem - NTFRS had a hiccup so the DC protected itself. Figure out the problem, fix it, and keep going. – mfinni Jun 12 '23 at 22:35