3

I'm opening a new site (physical and logical) in my international Windows domain.

The site is connected to the main office by a VPN over a slow connection (I'm using pfsense as my main router and ClearOS as my VPN manager, which is the same setup I use at all my sites). I can't do anything about improving the connection at the moment.

I've just setup two brand new physical machines, each running an instance of a brand-new clean install of Windows Server 2012 R2 (with all updates) on top of VMware ESXi 6 (again, this is the same at all my sites, except some are running ESXi 5.5 and some are running 6).

When I try to promote the servers to Domain Controller, I am getting the following error:

The wizard cannot gain access to the list of domains in the forest.

Clicking on Show more gives me the following details:

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The error is: The RPC server is unavailable.

Following the recommendations here https://technet.microsoft.com/en-us/library/cc526682.aspx, I have tried issuing the commands ipconfig /registerdns and ipconfig /flushdns and then trying the promotion again, to no effect.

Some additional "symptoms" of my slow connection:

  1. The above error takes about 5 to 10 minutes to appear after attempting the initial step of the promotion process (in another question I posted that the process was hanging, but I simply wasn't waiting long enough).
  2. I successfully joined both servers to the Domain, but one took about 5 minutes to join and the other took about 10 minutes to join.
  3. After joining the Domain, I had to reboot and then I logged in as a Domain Admin user. Logging in took about 10 minutes on one machine and 20 minutes on the other machine.
  4. All that said, I can ping the remote DC in the main office continuously (over the VPN, using the local IP) with no problem. Average ping is around 250ms. The ping is not the problem, it is the bandwidth over the local DSL connection which is about 5mbit down and 750kb up, but shared amongst the entire office of about 10 users.

Here are some additional errors from my event viewer:

DFSR Event 1202: (On one machine only)

The DFS Replication service failed to contact a domain controller to access configuration information. The service will try again during the next configuration polling cycle. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Group Policy Preprocessing Event 1006: (On both machines)

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the Details tab for error code and description.

Can anyone give me any troubleshooting clues on how to figure out why I can't successfully promote these servers to DCs? I've used almost this identical setup in a dozen different branches around the world with no problems, so I'm thinking this must be something unique to the local connection...

Daniel
  • It may be your incredibly slow connection, other than that make sure you have full access to the other domain controllers and no firewalls are blocking required ports. From experience, the "The wizard cannot gain access to the list of domains in the forest." means the server can't contact one of the FSMO role holders - although the GUI failed, cmd commands seemed to function properly for me so I could work around that error – person Jul 19 '16 at 19:02
  • Go with `netdiag /fix`. Can you see any DNS record update on any DC after joining the domain? – DisplayName Jul 19 '16 at 23:22
  • anything interesting in dcpromo log files (usually in %windir%\debug)? – natxo asenjo Jul 21 '16 at 11:34
  • The fact that you joined domain successfully over this link eliminates the possibility of bad network configuration, that would have spoiled RPC connection. The fact that the latency is that high and resulting bandwidth is very low introduces a very high chance of failure in promotion, as any connection would be subject to timeout, resulting in a failure after a long wait. – Grigory Sergeev Jul 21 '16 at 12:02
  • Yes, in fact I just left the domain and then rejoined it for test purposes. No problems other than very slow. I am now trying `dcdiag /test:DNS /v /e /s:mainDCserver` and it is hanging at the very beginning of the test `Performing Initial Setup: * Connecting to directory service on server mainDCserver`. It's been stuck on that step for more than an hour, on both machines. Are there any other tests I can do to get a more detailed picture of what is wrong with the connection? – Daniel Jul 21 '16 at 19:57
  • dcpromo log says: `[INFO] Searching for domain controller for the domain mydomain.com` followed by `[ERROR] Failed to find a DC for the domain mydomain.com : 5` followed by `[ERROR] Failed to get domain controller for account NEWSERVER$ (5)` followed by `[INFO] A domain controller could not be contacted for the domain mydomain.com that contained an account for this computer. Make the computer a member of a workgroup and then rejoin the domain before retrying the promotion.` I actually just did that... I also checked and NEWSERVER exists under `Computers` on my main DC. – Daniel Jul 21 '16 at 20:14
  • hello, anyone?? – Daniel Jul 25 '16 at 14:02
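The wizard's first steps are a DNS SRV lookup for a domain controller and then an RPC call to it, so the failures above (RPC unavailable, LDAP bind failing in Event 1006, dcdiag hanging on "Connecting to directory service") can be narrowed down from the new server before retrying the promotion. The following check script is an added example, not code from the question or its comments; it assumes the domain is mydomain.com and the main-office DC is reachable as mainDCserver.mydomain.com, and it only reads state.

```powershell
# Added diagnostic (not from the question or answers). Assumes the new server has
# already joined mydomain.com and mainDCserver is the DC on the far side of the VPN.
param(
    [string]$Domain = "mydomain.com",
    [string]$Dc     = "mainDCserver.mydomain.com"   # assumed FQDN of the main-office DC
)

# 1. DC locator: the promotion wizard asks DNS for the DC SRV records before it
#    makes any RPC call. No records here means the client's DNS server is not an
#    AD-integrated DNS server (or the zone is not replicated to it).
Write-Host "== SRV lookup for domain controllers of $Domain =="
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "No _ldap._tcp.dc._msdcs SRV records returned" }
else { $srv | Where-Object Type -eq 'SRV' | Format-Table NameTarget, Port, Priority, Weight -AutoSize }

# 2. TCP ports the promotion needs. 135 is only the first hop: the endpoint mapper
#    then hands out a dynamic port in 49152-65535, and a VPN firewall that allows
#    135 but not that range produces exactly "The RPC server is unavailable".
$ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
            445='SMB (SYSVOL)'; 464='Kerberos pw change'; 636='LDAPS'; 3268='Global Catalog' }
$results = foreach ($p in ($ports.Keys | Sort-Object)) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $t  = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
    $sw.Stop()
    # ConnectMs shows the handshake cost on a ~250 ms link; a hang here is a drop, not latency
    [pscustomobject]@{ Port = $p; Service = $ports[$p]; Open = $t.TcpTestSucceeded; ConnectMs = $sw.ElapsedMilliseconds }
}
$results | Format-Table -AutoSize

# 3. What the DC locator itself returns (the same call the wizard makes).
Write-Host "== DC locator result (nltest) =="
nltest /dsgetdc:$Domain /force

# 4. Clock skew above 5 minutes breaks Kerberos, and with it the LDAP bind in Event 1006.
Write-Host "== Clock offset against $Dc =="
w32tm /stripchart /computer:$Dc /samples:3 /dataonly
```

Run it in an elevated PowerShell on the branch server; a port that shows Open=False, or a nltest result naming no DC, points at the VPN/firewall path rather than at the promotion wizard.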

1 Answer

3

You may have better luck promoting to DC from media, as described in this MS TechNet article. Basically, you will move all necessary data in one go with a packed file, instead of establishing all those connections over your high-latency connection. After promotion there will be a need for regular replication, which will be retried continuously and, hopefully, some will succeed.

On source DC:

ntdsutil
activate instance ntds
ifm
create sysvol full c:\path-to.file

Copy file to new server and use it with Install from Media option in promotion wizard.

Grigory Sergeev
  • Before I try this, I want to verify that there is not some other problem with my connection or configuration... – Daniel Jul 21 '16 at 20:19
  • If I can't promote the server to DC, then I am probably going to have similar problems replicating the AD, which renders the DC useless. Actually, I got one of the servers to promote successfully over the existing connection (after many tries), but since then it has been continuous replication failures... so.... – Daniel Aug 29 '16 at 21:01
  • Then the ultimate answer to your question is: eliminate your network issues before promoting DC. – Grigory Sergeev Aug 30 '16 at 08:02
  • Ya, but I wish I could figure out exactly what the network issues are. Despite the slow connection, we have a pretty solid VPN, we handle IP telephony over the same connection, etc. I mean, I can even remote desktop to the Server (over the VPN) and manage it with only a moderate amount of lag. I feel like it should be able to support promotion and replication, even if it is slow. – Daniel Aug 31 '16 at 00:23