Windows 10: Build new DC in new forest and SRV entries are missing from AD DNS

Discussion in 'Windows 10 Software and Apps' started by Soh Thiam Seng, May 8, 2025 at 1:57 PM.

  1. Build new DC in new forest and SRV entries are missing from AD DNS


    I was building a DC for a UAT environment. Standalone forest and domain. Single DC with GC. When trying to join a workstation, I got an error that a DC cannot be contacted. I checked the DNS entries and saw that the _msdcs records are all missing. I rebuilt the DC again and, after rebuilding, checked the entries in DNS. The records are still missing. Would appreciate any suggestions on how to troubleshoot the issue. Note: this is a single DC and there are no other DCs. Would any hardening impact the DNS entries? The OS is Windows 2022 Standard Desktop and it is a VM using a hardening image.

    Soh Thiam Seng, May 8, 2025 at 1:57 PM
    #1
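The checks below are an added example, not part of the thread or of any Microsoft tooling beyond the cmdlets and commands named in the comments. They assume you run them in an elevated PowerShell session on the new DC itself; the domain name is read from AD, so there are no other values to fill in. The script confirms which DC Locator SRV records are absent and then looks at the three things that most often stop a DC from registering them (DNS client pointing elsewhere, a zone that refuses dynamic updates, and the Netlogon registry values that hardening baselines sometimes set) before asking Netlogon to re-register.

```powershell
# Added example, not from the thread: verify the DC Locator SRV records a
# single DC/GC should have registered; if they are missing, check the usual
# causes before re-registering. Run elevated on the DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = (Get-ADDomain).DNSRoot      # read from AD, e.g. uat.example.local
$dc     = $env:COMPUTERNAME

# Records a workstation needs during a domain join: DC, KDC and GC locators.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_gc._tcp.$domain"
)

$missing = foreach ($name in $srvNames) {
    $rec = Resolve-DnsName -Name $name -Type SRV -Server $dc -ErrorAction SilentlyContinue
    if ($rec) { Write-Host "present  $name -> $($rec.NameTarget)" } else { $name }
}

if (-not $missing) { Write-Host 'All locator records present.'; return }
Write-Warning "Missing: $($missing -join ', ')"

# 1. The DC must point its own DNS client at itself (or another DC), not at an
#    external resolver, or the dynamic update is sent to the wrong server.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses | Format-Table InterfaceAlias, ServerAddresses

# 2. The domain zone (and a delegated _msdcs zone, if one exists) must allow
#    dynamic updates; 'Secure' is the expected value for an AD-integrated zone.
Get-DnsServerZone | Where-Object { $_.ZoneName -in $domain, "_msdcs.$domain" } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# 3. Hardening baselines sometimes switch off Netlogon's own registration.
#    UseDynamicDns should be absent or 1; DnsAvoidRegisterRecords should be
#    absent or empty.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $nl | Select-Object UseDynamicDns, DnsAvoidRegisterRecords

# 4. netlogon.dns is the list Netlogon tried to register; compare it with DNS.
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" |
    Select-String '_msdcs' | Select-Object -First 5

# 5. Re-register and re-test; dcdiag checks the registration end to end.
nltest /dsregdns
Restart-Service Netlogon
dcdiag /test:DNS /DnsRecordRegistration /v
```

If step 3 shows a value set by the hardening image, the fix belongs in the baseline (or a GPO exception for DCs) rather than in the registry by hand, otherwise the next policy refresh removes the records again.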
  2. changari Win User

    Raising the windows domain and forest issues?


    Hi,

    I run a domain that was all 2003 R2 servers. I recently upgraded all my domain controllers to Windows 2012 R2.
    That went off without any problems. Our trust relationships had no issues either.

    My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
    These are the features for raising the levels to 2008:

    • Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
    • Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
    • Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
    • Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

    Forest Level Windows Server 2008

    • Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.


    My next step is to raise the domain and forest to 2008 R2, then 2012, and finally 2012 R2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

    The step involving 2008 R2 seems to be relatively a non-issue, but the couple of new features seem very nice.

    Domain Level Windows Server 2008 R2

    • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

    Forest Level Windows Server 2008 R2

    • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:


    • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
    • All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

    Here are my big concerns for the next raising of domain and forest to 2012.

    Forest Level Windows Server 2012:

    • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
    • All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

    Domain Level Windows Server 2012 R2: <=====
    Need to investigate more and why this post

    • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:


    • Authenticate with NTLM authentication <==============(what issues may arise)
    • Use DES or RC4 cipher suites in Kerberos pre-authentication
    • Be delegated with unconstrained or constrained delegation
    • Renew user tickets (TGTs) beyond the initial 4-hour lifetime


    Will this affect my Exchange Anywhere users with remote access authenticating either clear of NTLM???
    And what would/may not work properly on day 1 when I raise the domain and forest to 2012? I can't really find anyone who can answer a straight question.

    Has anyone gone through this? What problems did you have, if any, or if a lot???

    Any thoughts and suggestions will be much appreciated.

    Thanks


    - - - Updated - - -

    One more point... I am not sure if I posted this to the correct forum. So if I was wrong and it should be in a different one,
    PLEASE LET ME KNOW.
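The question above is really "which accounts will the 2012 R2 Protected Users protections break?", and that can be answered from the Security log before the level is raised. The script below is an added example, not part of the thread; it assumes it runs on a DC with the ActiveDirectory module and reads only event IDs 4624 (logon, where NTLM shows as the authentication package) and 4768 (Kerberos TGT request, where TicketEncryptionType 0x1/0x3 means DES and 0x17 means RC4). The Protected Users group only exists once the PDC emulator runs Windows Server 2012 R2 or later, so the script checks for it first.

```powershell
# Added example, not from the thread: list current functional levels, then find
# Protected Users members that still logged on with NTLM or requested DES/RC4
# Kerberos tickets in the last 7 days. Run on a DC as an administrator.
Import-Module ActiveDirectory

"Domain functional level : $((Get-ADDomain).DomainMode)"
"Forest functional level : $((Get-ADForest).ForestMode)"

$grp = Get-ADGroup -Filter "Name -eq 'Protected Users'" -ErrorAction SilentlyContinue
if (-not $grp) { Write-Warning "'Protected Users' does not exist yet; nothing to inventory."; return }

$protected = Get-ADGroupMember -Identity $grp -Recursive |
    Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName

function Get-EventData($Event) {
    # Flatten the <Data Name="..."> elements of the event XML into a hashtable.
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($i in $x.Event.EventData.Data) { $d[$i.Name] = $i.'#text' }
    $d
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $d = Get-EventData $e
    if ($protected -notcontains $d.TargetUserName) { continue }
    if ($e.Id -eq 4624 -and $d.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d.TargetUserName
                           Issue = 'NTLM logon'; LogonType = $d.LogonType; Source = $d.IpAddress }
    } elseif ($e.Id -eq 4768 -and $d.TicketEncryptionType -in '0x1', '0x3', '0x17') {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d.TargetUserName
                           Issue = "Weak Kerberos etype $($d.TicketEncryptionType)"; LogonType = ''; Source = $d.IpAddress }
    }
}
$findings | Sort-Object Time | Format-Table -AutoSize
```

Anything this lists is an account whose logons will start failing after the level is raised, so it can be fixed (client configuration, or moving the account out of Protected Users) ahead of time rather than on day 1. Run it against every DC, since each DC only logs the logons it handled.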
     
  3. Migrating services from old 2012 R2 Domain Controller to new 2022 servers (AD-DNS/CA/DHCP/Print Management)

    Currently our old DC also (incorrectly) has DHCP, CA, and Print Services/management.

    So not only do most static machines already have a DNS entry that points to the old DC server, but I have this mess of services that need to go elsewhere.

    It's my understanding, from going from 08 to 12 way back when, that I just need to move the (5?) AD roles to the new member server? I thought I read something about FRS SYSVOL issues as well?

    Beyond this, once they are on the new 2019 server, I guess I just run the domain and forest upgrades to 2022 level after the fact?

    Is there some way to avoid changing the DNS IP of the new DC? How messy is it to transfer roles from the old, shut down the old, then change the new one's IP address back to what the old one had? This way no static hardware or VMs need their DNS entry changed?

    Final question is that another server also does AD sync with Office 365; I assume that's tied directly to AD and not to the name of the old DC specifically? (I can't find the setting to show otherwise.)

    Is it also best to have a second DC server? If so, which roles do I assign/split? In the past I had some issues with splitting this up.

    Any thoughts on all of this? As of now I have a new DC called, for this example, VSDC21 and a new server called VSServices21 (for CA/DHCP, print).

    Thank you in advance :)
     
    DylanWallace-, May 8, 2025 at 1:59 PM
    #3
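The pre-flight checks that answer the role-transfer and SYSVOL questions above, as an added example that is not part of the thread. It assumes a Domain Admin session on a DC with the ActiveDirectory and DnsServer modules; `VSDC21` is the new DC name the post uses, and `192.0.2.10` is a constructed placeholder for the old DC's address. The transfer step is left as `-WhatIf` so the script reports what it would do; remove that switch to perform the move.

```powershell
# Added example, not from the thread: checks to run before moving FSMO roles off
# an old 2012 R2 DC onto a new 2019/2022 DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$forest = Get-ADForest
$newDc  = 'VSDC21'          # name used in the post
$oldIp  = '192.0.2.10'      # constructed placeholder for the old DC's IP

# 1. Where the five FSMO roles live today.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. SYSVOL replication engine. A Windows Server 2019/2022 DC cannot use FRS,
#    so the FRS-to-DFSR migration must already be at global state 3
#    ('Eliminated') before the new DC can host SYSVOL.
dfsrmig /getglobalstate

# 3. A records in the domain zone that still resolve to the old DC's IP: these
#    are the names that break if the address is neither re-used nor updated.
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $oldIp } |
    Format-Table HostName, Timestamp

# 4. Which DCs exist and which advertise as Global Catalog.
Get-ADDomainController -Filter * | Format-Table HostName, IsGlobalCatalog, OperatingSystem

# 5. Replication from the new DC must be clean before any role moves.
repadmin /showrepl $newDc

# 6. Transfer (never seize while the old DC is healthy) all five roles.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -WhatIf
```

Step 3 is the honest answer to "how messy is the IP swap": if the list is short, updating those records is less risky than swapping addresses; if it is long, re-using the old address after the old DC is demoted avoids touching every static host.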
  4. Hub-Site Win User

    root forest -Trust

    Hi all,

    Hope someone can shed some light on this issue. In our environment we have a Windows Server 2003 DC on domain (A) and a 2012 R2 DC on domain (B). These two are not in the same forest root.

    We set up a one-way trust (Type: forest trust, transitive) = Domain B (2012 R2 DC) trusts Domain A (2003 DC) =

    - Direction of trust: Outgoing

    - Transitivity of trust: forest transitive

    - Validated successfully.

    - Name suffix routing set up for the Domain.local B forest.

    - Authentication: forest-wide authentication

    Validated = passed (no problem here).

    Adding users to a domain B group = failed; the error stated "Some of the object names cannot be shown in their user-friendly name form. This can happen if the object is from an external domain and that domain is not available to translate the object name."

    This happened after selecting some users from domain A, which means I was able to browse domain A's AD.

    If we tried a two-way trust then everything seemed OK; we were able to successfully add some users. So no issue on two-way trust.

    If the two-way trust is fine, does that rule out DNS, right?

    Thank you very much in advance.
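A way to test each piece of the one-way trust separately, as an added example that is not part of the thread. It assumes it runs on a domain B DC that also hosts DNS, as a domain B administrator; `domaina.local` and `DOMAINA\someuser` are constructed placeholders for the trusted forest and one of its accounts. The last step performs exactly the operation the "object names cannot be shown" error reports as failing: translating a name from domain A into a SID and back.

```powershell
# Added example, not from the thread: verify a one-way outgoing forest trust
# from domain B toward domain A, piece by piece.
Import-Module ActiveDirectory
Import-Module DnsServer

$trusted = 'domaina.local'        # placeholder: forest root of domain A
$probe   = 'DOMAINA\someuser'     # placeholder: an account that lives in domain A

# 1. The trust as domain B sees it. For "B trusts A" expect Direction = Outbound
#    and ForestTransitive = True.
Get-ADTrust -Filter * | Where-Object Target -eq $trusted |
    Format-List Name, Direction, ForestTransitive, TrustType, SIDFilteringForestAware, SelectiveAuthentication

# 2. Name resolution toward A: a conditional forwarder or stub zone on B's DNS,
#    and A's DC locator record answered through it.
Get-DnsServerZone | Where-Object { $_.ZoneType -in 'Forwarder', 'Stub' } |
    Format-Table ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$trusted" -Type SRV

# 3. The trust's secure channel and the trust object itself.
nltest /sc_verify:$trusted
netdom trust $env:USERDNSDOMAIN /d:$trusted /verify

# 4. Name -> SID -> name translation across the trust. This is what the group
#    membership dialog does when it shows the "user-friendly name form" error.
try {
    $sid  = ([System.Security.Principal.NTAccount]$probe).Translate([System.Security.Principal.SecurityIdentifier])
    $back = $sid.Translate([System.Security.Principal.NTAccount])
    "Translation OK: $probe -> $($sid.Value) -> $($back.Value)"
} catch {
    Write-Warning "Translation failed: $($_.Exception.Message)"
}
```

If steps 2 and 3 pass but step 4 fails only with the one-way trust, the problem is in the lookup path (which side can authenticate to which) rather than in DNS, which is the distinction the question above is asking about.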
     