Discussion:
ADPREP error message 0x2095
BrianO
2010-01-03 21:00:24 UTC
Trying to prepare a mixed 2003/2008 domain with one DC with a second DC on a
2003 server. ADPREP fails with the Win32 error 0x2095, "a directory service
error has occurred". I have searched everywhere but cannot find any
reference to this error.
I would really appreciate help from someone that might have some idea what
the problem might be.
Thanks
Briano
Meinolf Weber [MVP-DS]
2010-01-03 21:15:07 UTC
Hello BrianO,

Please describe the DCs' OS versions in more detail; they are not really clear
from your description. 2 DCs with a 2003 and a 2008 DC?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
BrianO
2010-01-03 22:31:02 UTC
Thanks for looking at my problem. The present (and only) DC is a hyper-v
virtualized 2003 R2 64 bit, and the host it is running on, I want to promote
to a DC.

The host is a 2008 64 bit enterprise server. There are two other
stand-alone servers, one 2008 64 bit ent, and the second one, a 2003 R2 64
bit ent. There is one other virtualized 2008 64 bit std server. So, in
this particular domain, there are 5 active servers. 3 physical boxes and
two virtualized.

It is my ultimate aim to virtualize the 2003 stand-alone, and the other 2008
stand-alone is heavily utilized with a SQL database and not a good candidate
for a DC.

There are 2 DNS servers. The existing DC and the stand-alone 2003 R2. I
know it is not recommended to virtualize a DC but it has worked for us for
two years. All apps are web based. Other than the administrator, there are
no local logons.

Hopefully you can visualize the setup from my description. I can see it in
my sleep, but sometimes it is hard to describe to someone else.

Briano
Ace Fekay [MCT]
2010-01-03 22:47:59 UTC
Briano,

I don't see a problem in virtualizing all of your DCs, but I would make sure
they are on different hosts, so if the host goes down on one, it won't
affect the other.

As for the directory services error, can you post an unedited ipconfig /all
from both the current (virtual) DC and the one you intend to promote?

What is the relationship between the two current DNS servers? Does the
standalone host a secondary of the AD zones (_msdcs.domain.com and the
domain.com zones)? If not, can you elaborate, please?

Also, post any Event log errors and their respective Source names.

Thanks,
--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
BrianO
2010-01-04 00:56:43 UTC
IP Config /all Existing DC

Windows IP Configuration

Host Name . . . . . . . . . . . . : test
Primary Dns Suffix . . . . . . . : ERA-Server.ca
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ERA-Server.ca

Ethernet adapter WAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-00-01-01
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 192.168.10.1
192.168.20.31

Ethernet adapter LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-00-01-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.20.30
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.20.31

IP Config /all New DC

Windows IP Configuration

Host Name . . . . . . . . . . . . : vs1-ERA
Primary Dns Suffix . . . . . . . : ERA-Server.ca
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ERA-Server.ca

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN Virtual Network
Physical Address. . . . . . . . . : 00-30-48-33-52-B9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5493:5d5a:970f:ca72%15(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.10.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, December 27, 2009 3:14:56 AM
Lease Expires . . . . . . . . . . : Monday, January 04, 2010 3:15:04 PM
Default Gateway . . . . . . . . . : 192.168.10.1
DHCP Server . . . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 192.168.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : LAN Virtual Network
Physical Address. . . . . . . . . : 00-30-48-33-52-B8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::35e7:8de9:1548:e8b6%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.20.29(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.30
DNS Servers . . . . . . . . . . . : 192.168.20.31
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{F9DAE0C6-BD2D-4395-900C-B5C9B47B7C19}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{7E06F8D1-C7A7-4B6F-A629-1C9671F1E2C3}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes


As you described there is the primary DNS and the other DNS server is a copy
(secondary). The .20 network is the internal LAN, the .10 network is a
connection to a port forwarding router, then to the outside.

Thanks

Briano
Ace Fekay [MCT]
2010-01-04 01:47:42 UTC
Briano,

Thank you for posting the requested data.

I see the problem, rather two problems:

1. Your DCs are multihomed. Multihomed DCs are extremely problematic. This is
due to DNS records. It is highly recommended to never multihome a DC.

a. The .10 NIC is set to DHCP, another non-recommended config. A DC
requires static configs.

b. There are two default gateways on the new DC. Any machine should only
have one "default" gateway, otherwise it will cause networking routing
issues within itself. A "gateway" is the "doorway out to the world," so to
speak. There can only be one.

2. You are using your router as a DNS server. Even if you have DNS installed
on the machines, it will never use it because you didn't specify that in
their network config.

Resolution:

1. Disable the .10 NIC. I'm not entirely sure the requirement of the .10
subnet's role. Is it a DMZ? Or was it setup due to the type of router/modem
the ISP provided? If the latter, it may need to be configured in 'arp' mode.
Either way, if you need to keep the .10 subnet for whatever reason, install
a firewall connecting the two subnets, and use it as the default gateway for
all internal machines.

2. Point DNS to the current DC for DNS, 192.168.20.30. Let's not use the
secondary for now, rather just use the current DC. Reason is, if you use the
secondary, then promote the machine, it will delete the current conflicting
(secondary) zone, then await replication for the current AD integrated zone
to populate. During this delay, it can cause significant issues. This will
reduce the complexity to help straighten this out.

If you absolutely positively need to keep the DCs multihomed, there is a
procedure that will alter the DCs to properly function, however it requires
significant alteration to a DC's default functions, including registry
changes. Normally we recommend to not do this, and simply single-home the
DC.

The following is a link to the procedure, as well as a detailed explanation
of what a multihomed DC is, and its implications.

Multihomed DCs with DNS, RRAS, multiple IPs, and/or PPPoE adapters
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
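
Added example, not part of any post in this thread: a small Python check that parses saved "ipconfig /all" text and flags the conditions called out in the reply above (more than one addressed adapter, a DHCP-assigned address, more than one default gateway, and DNS servers other than the DC). The function names, the dc_dns parameter and the single-homed sample (including its gateway 192.168.20.1) are assumptions made for this example.

```python
import re

# Trimmed from the "New DC" ipconfig /all output posted in this thread.
SAMPLE_NEW_DC = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : vs1-ERA
   Primary Dns Suffix  . . . . . . . : ERA-Server.ca

Ethernet adapter Local Area Connection 5:

   Description . . . . . . . . . . . : WAN Virtual Network
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.102(Preferred)
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.1

Ethernet adapter Local Area Connection 4:

   Description . . . . . . . . . . . : LAN Virtual Network
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.20.29(Preferred)
   Default Gateway . . . . . . . . . : 192.168.20.30
   DNS Servers . . . . . . . . . . . : 192.168.20.31

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : No
"""

# Constructed sample: the same host single-homed with static settings.
# The gateway 192.168.20.1 is an assumed value, not taken from the thread.
SAMPLE_SINGLE_HOMED = """\
Ethernet adapter Local Area Connection 4:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.20.29(Preferred)
   Default Gateway . . . . . . . . . : 192.168.20.1
   DNS Servers . . . . . . . . . . . : 192.168.20.30
"""

HEADER = re.compile(r"^(\S.* adapter .+):\s*$")         # "Ethernet adapter LAN:"
KV = re.compile(r"^\s*([^:]+?)(?:\s*\.)+\s*:\s*(.*)$")  # "Key . . . . : value"


def parse_ipconfig(text):
    """Return a list of adapters: {'name': str, 'fields': {key: [values]}}."""
    adapters, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kv = KV.match(line)
        header = None if kv else HEADER.match(line)
        if header:
            current = {"name": header.group(1), "fields": {}}
            adapters.append(current)
            last_key = None
        elif current is None:
            continue  # global "Windows IP Configuration" section
        elif kv:
            last_key = kv.group(1).strip()
            value = kv.group(2).strip()
            current["fields"][last_key] = [value] if value else []
        elif last_key:
            # A bare value on its own line continues the previous key,
            # e.g. a second entry under "DNS Servers".
            current["fields"][last_key].append(line)
    return adapters


def addresses(adapter):
    """IPv4 addresses of an adapter (2003 prints 'IP Address', 2008 'IPv4 Address')."""
    fields = adapter["fields"]
    values = fields.get("IPv4 Address") or fields.get("IP Address") or []
    return [v.split("(")[0] for v in values]


def audit_dc(text, dc_dns):
    """Return {finding: details}. dc_dns is the set of AD DNS server IPs to allow."""
    findings = {}
    live = [a for a in parse_ipconfig(text) if addresses(a)]
    if len(live) > 1:
        findings["multihomed"] = [a["name"] for a in live]
    dhcp = [a["name"] for a in live if a["fields"].get("DHCP Enabled") == ["Yes"]]
    if dhcp:
        findings["dhcp-addressed"] = dhcp
    gateways = [gw for a in live for gw in a["fields"].get("Default Gateway", [])]
    if len(gateways) > 1:
        findings["multiple-default-gateways"] = gateways
    foreign = sorted({d for a in live for d in a["fields"].get("DNS Servers", [])
                      if d not in dc_dns})
    if foreign:
        findings["non-dc-dns"] = foreign
    return findings


if __name__ == "__main__":
    # 192.168.20.30 is the existing DC, the DNS server recommended in the reply.
    for name, detail in audit_dc(SAMPLE_NEW_DC, {"192.168.20.30"}).items():
        print(f"{name}: {detail}")
```
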
BrianO
2010-01-04 04:03:33 UTC
Hard to know where to start here. I am aware of multi-homed, or rather not
to do it. I did notice the dual gateways when I ran IP config. The
particular network connection we are talking about is not required. It was
put there by the Hyper-V install and should have been disabled long ago. It
was never configured (that's why the DHCP) and is now disabled. Can't be
all that bad, this particular installation has run for 2 years without an
apparent problem.

Yes, we need the .10 network (can be any private address). It is simply a
link between this server and a router. If the server makes a DNS request to
the .10 network it is routed (via routing table) to an outside internet DNS
server. If the outside does not answer then presumably it will try the
internal DNS server. Each of the servers, except for the Hyper-V host, have
similar links to similar port-forwarding routers, and carry web app traffic.
The WAN side of the routers have individual public IPs and connect to a T1
line through a managed switch.

So far, I am still looking for a solution to my initial problem. I have
tried a number of things but so far to no avail.

Thanks again for your interest.

Brian O.
Ace Fekay [MCT]
2010-01-04 04:17:41 UTC
Post by BrianO
Hard to know where to start here. I am aware of multi-homed, or rather
not to do it. I did notice the dual gateways when I ran IP config. The
particular network connection we are talking about is not required. It
was put there by the Hyper-V install and should have been disabled long
ago. It was never configured (that's why the DHCP) and is now disabled.
Can't be all that bad, this particular installation has run for 2 years
without an apparent problem.

Surprising that it ran for 2 years without issues, but then again, it was
the only DC.

Post by BrianO
Yes, we need the .10 network (can be any private address). It is simply a
link between this server and a router. If the server makes a DNS request
to the .10 network it is routed (via routing table) to an outside internet
DNS server.

Actually, DNS requests do not get "routed" per se in the sense of your
context, rather network traffic gets sent to its destination host, and if
the host is not on the same subnet, it sends it to the default gateway to
determine how to get it to the destination host.

Post by BrianO
If the outside does not answer then presumably it will try the internal
DNS server.

Actually all internal machines that are part of AD, including the DC itself,
clients and member servers, must only use the internal DC as their DNS
address. You would configure a Forwarder in the DNS server's properties (in
DNS console, right-click the servername, properties, Forwarders tab, type in
the ISP's DNS address(es).)

Post by BrianO
Each of the servers, except for the Hyper-V host, have similar links to
similar port-forwarding routers, and carry web app traffic. The WAN side
of the routers have individual public IPs and connect to a T1 line through
a managed switch.
So far, I am still looking for a solution to my initial problem. I have
tried a number of things but so far to no avail.

I provided a resolution. You need to disable multihoming, or make the
changes outlined in my blog on each DC that is multihomed to make it work.
The adprep process simply can't properly "find" domain resources due to DNS
entries from the additional interfaces. Also, if you try to delete the
entries, the netlogon service simply puts them back. If you feel this is not
correct or are reluctant to make the necessary changes for it to work (because
it worked well for many years), I can understand. Maybe someone else can
explain it in different terms.

Post by BrianO
Thanks again for your interest.
Brian O.

You are welcome.

Ace
Meinolf Weber [MVP-DS]
2010-01-04 09:33:48 UTC
Hello BrianO,

As already stated from Ace, you can be happy that the domain runs that long
time without any problem with a multihomed DC. And now the problems occur
exactly as expected with multihomed DCs. What you see are only some of them;
there will be more in the future, I am sure.

So kick out the multihoming of the existing machine, cleanup DNS zones from
the second entry, run ipconfig /flushdns and ipconfig /registerdns, then
restart the netlogon service on it.

On the new machine configure a fixed IP address instead of the DHCP, if the
server reboots or requests a new IP address after lease time expires you will
run into trouble as the new IP address also creates conflicts. Multihoming
is the same as above, remove it.

Best regards

Meinolf Weber
unknown
2010-01-03 22:50:29 UTC
Permalink
Hello BrianO,

So you use the 2008 64bit installation disk and run the adprep command from
it on the 2003 DC with /forestprep and /domainprep with an account of the
schema/domain/enterprise admins? Please post the adprep logfile here so we
can verify it.

Also keep in mind that you should move the FSMO roles to the Windows server
2008 host and also make it DNS and Global catalog server immediately after
promoting it. Personally I would NOT host a DC VM on the same physical machine.
If the host crashes also the VM is gone.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
Thanks for looking at my problem. The present (and only) DC is a
hyper-v virtualized 2003 R2 64 bit, and the host it is running on, I
want to promote to a DC.
The host is a 2008 64 bit enterprise server. There are two other
stand-alone servers, one 2008 64 bit ent, and the second one, a 2003
R2 64 bit ent. There is one other virtualized 2008 64 bit std server.
So, in this particular domain, there are 5 active servers. 3 physical
boxes and two virtualized.
It is my ultimate aim to virtualize the 2003 stand-alone, and the
other 2008 stand-alone is heavily utilized with a SQL database and not
a good candidate for a DC.
There are 2 DNS servers. The existing DC and the stand-alone 2003 R2.
I know it is not recommended to virtualize a DC but it has worked for
us for two years. All apps are web based. Other than the
administrator, there are no local logons.
Hopefully you can visualize the setup from my description. I can see
it in my sleep, but sometimes it is hard to describe to someone else.
Briano
Post by Meinolf Weber [MVP-DS]
Hello BrianO,
Please describe more detailed the DCs OS version, not really clear
from your description. 2 DCs with a 2003 and a 2008 DC?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
Trying to prepare a mixed 2003/2008 domain with one DC with a second DC on a
2003 server. ADPREP fails with the Win32 error 0x2095, "a directory service
error has occurred". I have searched everywhere but cannot find any
reference to this error.
I would really appreciate help from someone that might have some idea what
the problem might be.
Thanks
Brian
BrianO
2010-01-04 01:17:59 UTC
Permalink
That is correct. The Adprep files are dated 1/19/2008. They were actually
taken off the disk and a directory location established. These servers are
1U rack mount without DVD drives. Have not run /domainprep since
/forestprep has not completed. I have not been able to find the location of
the adprep logfiles. I thought it would be /system32/debug or
/system32/logfiles but not there. I have the logfiles directory but not a
debug directory.

I understand your concern about a VM of the DC but we back up each VHD file
every night and have an ISO of the host OS. We feel we could be back online
in less than 1/2 to 1 hour if we should have a catastrophic failure of the
host. With the release of MS R2 version of VMM we are experimenting with
moving around VHD files online. If I could only get this DC business fixed
I could free up another server.

Thanks again.

Brian O
Post by Meinolf Weber [MVP-DS]
Hello BrianO,
So you use the 2008 64bit installation disk and run the adprep command
from it on the 2003 DC with /forestprep and /domainprep with an account of
the schema/domain/enterprise admins? Please post the adprep logfile here
so we can verify it.
Also keep in mind that you should move the FSMO roles to the Windows
server 2008 host and also make it DNS and Global catalog server
immediately after promoting it. Personally I would NOT host a DC VM on the
same physical machine. If the host crashes also the VM is gone.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
Thanks for looking at my problem. The present (and only) DC is a
hyper-v virtualized 2003 R2 64 bit, and the host it is running on, I
want to promote to a DC.
The host is a 2008 64 bit enterprise server. There are two other
stand-alone servers, one 2008 64 bit ent, and the second one, a 2003
R2 64 bit ent. There is one other virtualized 2008 64 bit std server.
So, in this particular domain, there are 5 active servers. 3 physical
boxes and two virtualized.
It is my ultimate aim to virtualize the 2003 stand-alone, and the
other 2008 stand-alone is heavily utilized with a SQL database and not
a good candidate for a DC.
There are 2 DNS servers. The existing DC and the stand-alone 2003 R2.
I know it is not recommended to virtualize a DC but it has worked for
us for two years. All apps are web based. Other than the
administrator, there are no local logons.
Hopefully you can visualize the setup from my description. I can see
it in my sleep, but sometimes it is hard to describe to someone else.
Briano
Post by Meinolf Weber [MVP-DS]
Hello BrianO,
Please describe more detailed the DCs OS version, not really clear
from your description. 2 DCs with a 2003 and a 2008 DC?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
Trying to prepare a mixed 2003/2008 domain with one DC with a second DC on a
2003 server. ADPREP fails with the Win32 error 0x2095, "a directory service
error has occurred". I have searched everywhere but cannot find any
reference to this error.
I would really appreciate help from someone that might have some idea what
the problem might be.
Thanks
Briano
Ace Fekay [MCT]
2010-01-04 01:51:49 UTC
Permalink
Post by BrianO
That is correct. The Adprep files are dated 1/19/2008. They were
actually taken off the disk and a directory location established. These
servers are 1U rack mount without DVD drives. Have not run /domainprep
since /forestprep has not completed. I have not been able to find the
location of the adprep logfiles. I thought it would be /system32/debug or
/system32/logfiles but not there. I have the logfiles directory but not a
debug directory.
I understand your concern about a VM of the DC but we back up each VHD
file every night and have an ISO of the host OS. We feel we could be back
online in less than 1/2 to 1 hour if we should have a catastrophic failure
of the host. With the release of MS R2 version of VMM we are
experimenting with moving around VHD files online. If I could only get
this DC business fixed I could free up another server.
Thanks again.
Brian O
Hi Brian,

It's not advised to use imaging software to restore a DC, otherwise it will
introduce unrecoverable errors, such as a USN Rollback. It's highly
recommended to use normal backup procedures backing up the System State and
the C: drive. I know it takes longer, but believe me, you don't want a USN
Rollback to occur. Read the following to get an idea what this is.

How to detect and recover from a USN rollback in Windows Server 2003
Explains how to recover when a domain controller is incorrectly rolled back
by using an image-based installation of the operating system.
http://support.microsoft.com/kb/875495

How to detect and recover from a USN rollback in Windows 2000 Server
Explains how to detect and recover from a USN rollback that is caused when a
domain controller is incorrectly rolled back by using an image-based ...
http://support.microsoft.com/kb/885875

Ace
Meinolf Weber [MVP-DS]
2010-01-04 09:35:43 UTC
Permalink
Hello BrianO,

Snapshots or file copies from a VM, or an image from a physical machine,
are NOT supported AD aware backups as pointed out from Ace with the related
Microsoft documentation. So avoid this way of backup or you run into trouble
when using them.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
That is correct. The Adprep files are dated 1/19/2008. They were
actually taken off the disk and a directory location established.
These servers are 1U rack mount without DVD drives. Have not run
/domainprep since /forestprep has not completed. I have not been able
to find the location of the adprep logfiles. I thought it would be
/system32/debug or /system32/logfiles but not there. I have the
logfiles directory but not a debug directory.
I understand your concern about a VM of the DC but we back up each VHD
file every night and have an ISO of the host OS. We feel we could be
back online in less than 1/2 to 1 hour if we should have a
catastrophic failure of the host. With the release of MS R2 version
of VMM we are experimenting with moving around VHD files online. If I
could only get this DC business fixed I could free up another server.
Thanks again.
Brian O
Post by Meinolf Weber [MVP-DS]
Hello BrianO,
So you use the 2008 64bit installation disk and run the adprep
command from it on the 2003 DC with /forestprep and /domainprep with
an account of the schema/domain/enterprise admins? Please post the
adprep logfile here so we can verify it.
Also keep in mind that you should move the FSMO roles to the Windows
server 2008 host and also make it DNS and Global catalog server
immediately after promoting it. Personally I would NOT host a DC VM on
the same physical machine. If the host crashes also the VM is gone.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
Thanks for looking at my problem. The present (and only) DC is a
hyper-v virtualized 2003 R2 64 bit, and the host it is running on, I
want to promote to a DC.
The host is a 2008 64 bit enterprise server. There are two other
stand-alone servers, one 2008 64 bit ent, and the second one, a 2003
R2 64 bit ent. There is one other virtualized 2008 64 bit std
server. So, in this particular domain, there are 5 active servers.
3 physical boxes and two virtualized.
It is my ultimate aim to virtualize the 2003 stand-alone, and the
other 2008 stand-alone is heavily utilized with a SQL database and
not a good candidate for a DC.
There are 2 DNS servers. The existing DC and the stand-alone 2003
R2. I know it is not recommended to virtualize a DC but it has
worked for us for two years. All apps are web based. Other than
the administrator, there are no local logons.
Hopefully you can visualize the setup from my description. I can
see it in my sleep, but sometimes it is hard to describe to someone
else.
Briano
Post by Meinolf Weber [MVP-DS]
Hello BrianO,
Please describe more detailed the DCs OS version, not really clear
from your description. 2 DCs with a 2003 and a 2008 DC?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
Trying to prepare a mixed 2003/2008 domain with one DC with a second DC on a
2003 server. ADPREP fails with the Win32 error 0x2095, "a directory service
error has occurred". I have searched everywhere but cannot find any
reference to this error.
I would really appreciate help from someone that might have some idea what
the problem might be.
Thanks
Briano
BrianO
2010-01-06 22:44:52 UTC
Permalink
I had to brute force a fix. I brought in another computer and promoted it to
DC. Then I could demote the problem DC. I had to /forceremove, but that
was OK. I then promoted it and removed the temporary DC. I was then able
to update the schema. Where there is a will, there is a way.

Thanks everyone for your suggestions and help

Brian O.
Post by BrianO
Trying to prepare a mixed 2003/2008 domain with one DC with a second DC on
a 2003 server. ADPREP fails with the Win32 error 0x2095, "a directory
service error has occurred". I have searched everywhere but cannot find
any reference to this error.
I would really appreciate help from someone that might have some idea what
the problem might be.
Thanks
Briano
Meinolf Weber [MVP-DS]
2010-01-06 22:58:03 UTC
Permalink
Hello BrianO,

If you remove a DC with /forceremoval you have to clean up the AD database
from it according to:
http://support.microsoft.com/kb/555846/en-us

To be sure that no problems exist run dcdiag /v, netdiag /v and repadmin
/showrepl. They should all come up with NO error message and additionally the
event viewer shouldn't show any errors related to replication or DNS.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by BrianO
I had to brute force a fix. I brought in another computer and promoted
it to DC. Then I could demote the problem DC. I had to /forceremove,
but that was OK. I then promoted it and removed the temporary DC. I
was then able to update the schema. Where there is a will, there is a
way.
Thanks everyone for your suggestions and help
Brian O.
Post by BrianO
Trying to prepare a mixed 2003/2008 domain with one DC with a second DC on
a 2003 server. ADPREP fails with the Win32 error 0x2095, "a directory
service error has occurred". I have searched everywhere but cannot find
any reference to this error.
I would really appreciate help from someone that might have some idea what
the problem might be.
Thanks
Brian
Ace Fekay [MVP-DS, MCT]
2010-01-07 02:02:37 UTC
Permalink
Post by BrianO
I had to brute force a fix. I brought in another computer and promoted it to
DC. Then I could demote the problem DC. I had to /forceremove, but that
was OK. I then promoted it and removed the temporary DC. I was then able
to update the schema. Where there is a will, there is a way.
Thanks everyone for your suggestions and help
Brian O.
You are welcome. Good to hear you figured a way to resolve it.

I would also follow Meinolf's suggestions to ensure the AD database is clear
of the forced removed DC.

Ace
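
The verification pass Meinolf Weber describes above (dcdiag /v, repadmin /showrepl, and a look at the event logs for replication or DNS errors), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 2.0 or later on the DC; the function names, the 24-hour window and the use of repadmin's /csv switch are choices made for this example, and netdiag /v is left out.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 2.0+ session
# on a domain controller where dcdiag.exe and repadmin.exe are available.

function Get-DcdiagFailure {
    param([string[]]$Lines)
    # dcdiag ends each test with "<server> passed test <name>" or "... failed test <name>".
    foreach ($line in $Lines) {
        if ($line -match '(\S+)\s+failed test\s+(\S+)') {
            New-Object PSObject -Property @{ Server = $Matches[1]; Test = $Matches[2] }
        }
    }
}

function Get-ReplFailure {
    param([string[]]$CsvLines)
    # repadmin /showrepl /csv has one row per inbound replication link;
    # a non-zero "Number of Failures" means the link is currently failing.
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
}

function Get-RecentLogError {
    param([string[]]$LogNames, [datetime]$Since)
    # Error-level events only; a log that does not exist on this server is skipped.
    foreach ($log in $LogNames) {
        Get-EventLog -LogName $log -EntryType Error -After $Since -ErrorAction SilentlyContinue
    }
}

$dcdiagFailures = @(Get-DcdiagFailure -Lines (dcdiag /v))
$replFailures   = @(Get-ReplFailure -CsvLines (repadmin /showrepl /csv))
$eventErrors    = @(Get-RecentLogError -LogNames 'Directory Service', 'DNS Server' `
                        -Since (Get-Date).AddHours(-24))

Write-Host "dcdiag failed tests : $($dcdiagFailures.Count)"
$dcdiagFailures | Format-Table Server, Test -AutoSize
Write-Host "failing repl links  : $($replFailures.Count)"
$replFailures | Format-Table -AutoSize
Write-Host "event log errors    : $($eventErrors.Count)"
$eventErrors | Select-Object TimeGenerated, Source, EventID | Format-Table -AutoSize

# Non-zero exit code if any check found a problem, so the script can gate later steps.
if ($dcdiagFailures.Count + $replFailures.Count + $eventErrors.Count -gt 0) { exit 1 }
```

The dcdiag match relies on the English "failed test" summary lines, so on a localized server the pattern needs adjusting.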