I'm currently facing an issue while trying to promote a new Domain Controller in our AWS environment as part of a disaster recovery test. We have two existing Server 2016 Domain Controllers in a colo facility, and we're connected to AWS via a VPN tunnel. There's a twist—our DNS setup relies on dnsmasq running on Linux rather than AD-integrated DNS. All our Domain Controllers are on Server 2016 with a Schema version of 88, and this setup worked without a hitch a month ago.
Now, every time I try to promote the new Server 2016 DC, it fails at schema replication, throwing an error 123 (ERROR_INVALID_NAME). This error suggests there's something off with DNS naming or RPC binding. I've checked and fixed several things: blocked dynamic RPC ports, stale NTDS settings, and outdated DCs in the replication topology have all been addressed. I also verified DNS records and ensured that firewalls are disabled across DCs.
A key finding is that both source DCs received a cumulative update (KB5078938) shortly before the promotion failures began, so I'm currently uninstalling that patch to see if it resolves the issue. I would love to hear if anyone else has encountered this specific patch breaking DC promotions, especially in isolated or non-standard DNS setups, or if there are any known issues with the April 2026 cumulative update affecting schema replication. If removing the patch doesn't solve the problem, I would appreciate any insights on other potential causes of this persistent error 123 during schema replication, given I'm confident that DNS resolves correctly and existing DCs are replicating well.
5 Answers
Your DNS setup appears to be causing some issues. Since you’re using dnsmasq on Linux without AD-integrated DNS, it could be leading to the ERROR_INVALID_NAME. Ideally, you should have your Domain Controllers managing their own DNS or setting up proper forwarding—this could help with the promotion process.
Error 123 during schema replication typically suggests there's something subtle going on with DNS naming or RPC binding, even if everything seems fine. Given that you experienced these issues right after the cumulative update, rolling it back is definitely a smart first step before diving deeper into troubleshooting.
The lack of AD-integrated DNS is indeed a problem. I'd recommend creating manual DNS entries for the new DC in your current setup. Having DCs run their own DNS is crucial for the promotion process to succeed.
I noticed you are forcing the RPC port to a single one. Remember that Domain Controllers often need multiple ports open for various services like LSA, Netlogon, and DFSR. Did you verify that all necessary ports are opened? There's a Microsoft article that provides info on configuring RPC traffic—might be worth checking out.
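Since two of the answers above come down to "prove the static records exist" and "prove the ports are reachable", here is a pre-promotion check that does both from the server you are about to promote. This is an added example, not code from anyone in this thread. It assumes a forest root of corp.example, a source DC dc1.corp.example, the dnsmasq resolver at 10.0.0.53, and a placeholder DSA GUID; take the real GUID from the "DSA object GUID" line of `repadmin /showrepl` on the source DC.

```powershell
# Added example (not from the original thread): pre-promotion DNS and port
# check to run on the candidate DC. Assumed values: forest root corp.example,
# source DC dc1.corp.example, dnsmasq at 10.0.0.53. The DSA GUID below is a
# placeholder; read the real one from "repadmin /showrepl" on the source DC.
param(
    [string]$Domain        = 'corp.example',
    [string]$SourceDc      = 'dc1.corp.example',
    [string]$DnsServer     = '10.0.0.53',
    [string]$SourceDsaGuid = '00000000-0000-0000-0000-000000000000'
)

$failures = New-Object System.Collections.Generic.List[string]

# SRV records the DC locator (and therefore dcpromo) queries. With dnsmasq
# instead of AD-integrated DNS nothing registers these; each must be a
# static srv-host= entry.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kpasswd._tcp.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
              Where-Object { $_.QueryType -eq 'SRV' }
        if (-not $rr) { $failures.Add("no SRV answer for $name"); continue }
        foreach ($r in $rr) {
            # An SRV target without an A record is a name the client
            # cannot bind to, which is exactly the class of failure
            # ERROR_INVALID_NAME points at.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -ErrorAction SilentlyContinue
            if (-not $a) { $failures.Add("SRV $name -> $($r.NameTarget) has no A record") }
        }
    } catch {
        $failures.Add("lookup failed for $name : $($_.Exception.Message)")
    }
}

# Replication partners are located by the DSA GUID CNAME under _msdcs,
# not by host name, so a missing CNAME breaks replication even when the
# source DC's A record is fine.
$cname = "$SourceDsaGuid._msdcs.$Domain"
$c = Resolve-DnsName -Name $cname -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue
if (-not $c) { $failures.Add("missing CNAME $cname -> $SourceDc") }

# Ports promotion needs on the source DC. 135 only reaches the endpoint
# mapper; the dynamic port it hands back (or the single port you pinned
# in the registry) must be reachable too, so add that port to this list.
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
            445 = 'SMB/Netlogon'; 464 = 'kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $SourceDc -Port $p -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { $failures.Add("$($ports[$p]) tcp/$p not reachable on $SourceDc") }
}

# Finally ask the DC locator itself, bypassing its cache.
$out = nltest /dsgetdc:$Domain /force 2>&1
if (($out | Out-String) -notmatch 'completed successfully') {
    $failures.Add("nltest /dsgetdc:$Domain /force failed: $(($out | Out-String).Trim())")
}

if ($failures.Count -eq 0) {
    'All pre-promotion DNS and port checks passed.'
} else {
    $failures | ForEach-Object { "FAIL: $_" }
}
```

On the dnsmasq side the records this script looks for map to `srv-host=` lines (for example `srv-host=_ldap._tcp.dc._msdcs.corp.example,dc1.corp.example,389`), a `cname=<dsa-guid>._msdcs.corp.example,dc1.corp.example` line per source DC, and `host-record=` lines for the A records; those directive names are real dnsmasq syntax, the hostnames and GUID are the assumptions above. Run the script before the promotion and again after each change to the dnsmasq config so you know whether a fix actually changed what the candidate DC sees.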
Honestly, it's high time you considered migrating to a newer OS version. Server 2016 is showing its age, and newer versions come with significant improvements and bug fixes that could help prevent issues like this.
