Issues with Domain Resolution After Seizing FSMO Roles

By
Aaron Garnes
-
0
1
Asked By TechWhiz2023 On

I'm having trouble with domain resolution after a recent hardware failure of one of our domain controllers. We had two domain controllers, but since the failed one couldn't be demoted or have its FSMO roles transferred, we seized the roles and cleaned up the metadata, including DNS records, to promote the second domain controller as the primary. However, it seems we're still experiencing issues, especially with DFS errors in the event log indicating it's still trying to contact the old DC. Our VPN servers are also confused, thinking the dead DC is still the main one.

I've tried directing their DNS settings to the new DC, but the results are inconsistent:

- For VPN server 1: it resolves the domain during nslookup but hits an unexpected private IP on ping, and the %logonserver% command returns the dead DC's name.
- For VPN server 2: it resolves correctly in nslookup and pings the new DC, yet still shows the dead DC in %logonserver%.

I've already tried various troubleshooting measures like flushdns, nbtstat reset, winsock reset, and registering DNS without success. Just to clarify, our first DC is on Windows Server 2016 (bare metal), and the second is on Windows Server 2022 (Hyper-V VM). I'm running out of ideas. Any suggestions?

3 Answers

Answered By FixItWizard On

It could be a sign of a broken sysvol or missing replication. I suggest doing an authoritative restore similar to FRS's "D4" process. It might help to reset the state of your sysvol. I know it can be tricky, but it sounds like a good way to guarantee that everything is pointing to the right locations.

Answered By SysAdminGuru99 On

It sounds like you're dealing with some lingering references to the old DC. Make sure that the DNS records and any related services like DHCP have been fully updated to remove the dead server. If the VPS is referencing incorrect names, you might need to check the DFS settings and update targets to remove any ties to the old DC. Have you looked into whether the failed server had any other roles that might still be causing this issue?

Answered By NetworkNinja88 On

You might want to consider doing an authoritative restore for DFS. I found this guide that explains how to perform authoritative synchronization, which might help clear up the lingering issues you’re seeing with your domain resolution. It outlines steps for fixing DFSR replication and might resolve your event log errors. Here's the link to check it out: https://www.rmtechteam.com/blog/dfs-replication-dfsr-fix/.

Related Questions

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.