
I am migrating an Active Directory Domain from Server 2012 to Server 2016. Everything I've read says that simply setting up the 2016 server as a replica and then transferring FSMO roles to the new server should be it. I've found this not to be the case. I have verified that the FSMO roles have been transferred to Server 2016, but when I shut down the 2012 server, I am not able to connect to Active Directory from my 2016 server.

Perhaps it is something wrong with DNS? Some of my machines are resolving the 2012 server and some are resolving the 2016 server when I ping my domain. My 2016 server is even resolving to the 2012 server when I ping my domain. I've checked my SOA in DNS settings and that is pointing to the 2016 server.

I've tried to uninstall AD services from the 2012 server, but I get this: "No other domain controllers could be contacted, but other domain controller objects are in the directory. If you are certain that this is the last domain controller for the domain and want to proceed, confirm that this is the last domain controller in the domain."

Intrepid
  • What have you configured your clients and servers to use for a DNS server? They don't pick one automatically. – MDMarra Jun 20 '17 at 16:57
  • Make sure that all of the clients (including the new DC) use the new DC for DNS. As for both DC's answering when you ping the AD domain name, that's perfectly normal and expected. Until you DCPROMO the old DC they are both still DC's and will answer any queries as such. – joeqwerty Jun 20 '17 at 17:08
  • My primary DNS server is actually a bind server running on Ubuntu. I've always had it this way. It points to my DC for anything AD related. – Intrepid Jun 20 '17 at 17:40
  • Always having something a certain way is usually the worst possible reason for keeping something that way. If you want things to work right, you often have to set them up correctly. – Todd Wilcox Jun 20 '17 at 19:00

1 Answer


Yes, it's DNS. Change the IPv4 settings on your new 2016 DC to use itself as its DNS server, and make sure it has the DNS service installed, running, and properly configured. Also ensure that all the clients are using the 2016 server as their only DNS server. The only DNS server; do not use an external DNS server as a secondary. You would be smart to have a second DC for redundancy and disaster recovery, in which case that one could be a secondary DNS server for clients.

You also need to run the DCPromo process on the 2012 server to remove it as a DC from the domain, and possibly clean up your internal DNS zone to remove any lingering records pointing to it. If you're getting errors there, as you described, then you need to troubleshoot that. If you want more help here, provide more details, mostly the ipconfig results from both machines.

It has nothing to do with SOA records in your DNS zone.

mfinni
  • Thanks... This may work, but is not the ideal set up for me. We have always used bind running on Ubuntu as our primary DNS server. We point to our AD DNS server for anything AD related. It has always worked this way in the past. This is set up on Bind as follows: `directory IN NS ds2.directory.mycompany.com. ds2.directory.mycompany.com. IN A 10.10.0.60`. – Intrepid Jun 20 '17 at 17:45
  • Did you update BIND to account for the new DC? – joeqwerty Jun 20 '17 at 17:49
  • Yes. I replaced ds1 (server 2012) with ds2 (server 2016) for all records. – Intrepid Jun 20 '17 at 18:21
  • Not all, not if querying the domain's DNS name brings up the 2012 server's IP address. Although if you turned it back on, it might have re-added its own records, because you haven't demoted it yet. – mfinni Jun 20 '17 at 18:26
  • I'm afraid to demote it because it is telling me that it is the last domain controller in the domain and I would have to force remove it. I just tried to ping my domain again and this time it resolved to the new 2016 server... Odd. – Intrepid Jun 20 '17 at 18:47
  • @Intrepid There are a large number of DNS records that must be dynamically maintained for an Active Directory domain to function, so it's really not a good idea to use anything other than an AD-integrated DNS server to handle DNS queries for your Windows domain. You can have the BIND server as a forwarder or conditional forwarder for other records, or vice versa, but not using AD integrated DNS at all will cause headaches. Also, check whether the 2012 server says it's the last server in the domain or if it says "**if** this is the last server..." The former is a **big** problem. – Todd Wilcox Jun 20 '17 at 18:59
  • @Todd Wilcox I am still using Windows DNS for AD. My domain is actually a subdomain (eg. directory.company.com). I have an NS record in my bind config that will point to the Windows DNS server when querying for the subdomain directory.company.com. I really think this is a Windows DNS issue. I still have records for the 2012 server that keep reappearing in Windows DNS. I really want to demote this 2012 DC, but it is telling me it cannot contact my 2016 DC... Even though it can. – Intrepid Jun 21 '17 at 17:01
  • Is it necessary to have an RODC on the same Windows server level as the RWDC though? – Mick8695 Jan 20 '23 at 15:51
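The answer and the comments boil down to three things to verify on the new DC before demoting the old one: the DC's own DNS client settings, the FSMO role holders, and the `_msdcs` locator SRV records clients use to find a DC. The following script is an added example, not code from the original answer; it assumes the 2016 DC is named `ds2` and the AD domain is `directory.mycompany.com` as in the comments, and it is meant to be run in an elevated PowerShell session on the 2016 DC.

```powershell
# Added example (not from the original answer). Assumed values from the thread:
$Domain = 'directory.mycompany.com'   # AD DNS name of the (sub)domain
$NewDc  = 'ds2'                        # hostname of the Server 2016 DC
Import-Module ActiveDirectory

# 1. The DC must use an AD-integrated DNS server (itself or another DC), not BIND.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses
Write-Host "DNS servers configured on this host: $($dnsServers -join ', ')"
$dcAddrs = (Get-ADDomainController -Filter *).IPv4Address
$nonDc   = $dnsServers | Where-Object { $_ -notin $dcAddrs }
if ($nonDc) { Write-Warning "Non-DC DNS servers configured: $($nonDc -join ', ')" }

# 2. FSMO roles: all five should name the new DC.
$dom    = Get-ADDomain -Identity $Domain
$forest = Get-ADForest
$fsmo = [ordered]@{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $fsmo.GetEnumerator()) {
    $ok = $r.Value -like "$NewDc.*"
    '{0,-22} {1}  {2}' -f $r.Key, $r.Value, $(if ($ok) { 'OK' } else { 'NOT on new DC' })
}

# 3. The locator SRV record that clients use to find a DC must list the new DC.
#    Records for the 2012 DC here are the "lingering records" the answer refers to.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
$srv | Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize
if (-not ($srv.NameTarget -like "$NewDc.*")) {
    Write-Warning "No _msdcs SRV record for $NewDc; re-register with 'ipconfig /registerdns' and restart the Netlogon service on it."
}

# 4. Ask the DC locator which DC it actually picks right now (bypassing the cache).
nltest /dsgetdc:$Domain /force
```

If step 1 reports a BIND address, fix the NIC settings first and re-run: the later checks only mean something when the DC queries an AD-integrated zone.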