Channel: Directory Services forum

SYSVOL, NETLOGON share problem


Hi All,

I faced an AD problem yesterday, and I have no experience with this kind of problem, so I need some advice. We have a customer with multiple sites. They moved their HQ to another city two months ago while still working at the previous site, so we built another infrastructure at the new site. Previously they had a single site with one server running 2012 (non-R2) Foundation in a single-domain environment. Then we installed a Linux-based firewall at the new HQ and at the old site, connected the sites by IPSec, and installed the new DC (Win 2016 Standard) at the new HQ by joining it to the domain and promoting it as a DC in the existing infrastructure. AD was fine: we installed 3-4 more Win Servers in the new site, joined them to the domain, and everything was fine for the past 2 months.

Now they're migrating to a new site at the old HQ, so it is time to move the FSMO roles to the new HQ and demote the old DC; as only a few PCs will remain in the previous city, they'll work fine through IPSec and there is no need for a new DC there. First of all, I moved the FSMO roles 2 days before and configured DHCP and the DNS resolver on the Linux FW to forward DNS queries to the HQ DC. Before the FSMO move I had checked AD replication and run the dcdiag diagnostics, and there wasn't any problem with the new DC. At the end of this project I just stopped the DNS and DHCP services to be sure that everything works through IPSec. I planned to demote the DC the next evening if everything was fine on the test day.

But users complained that DNS was not working as expected. After a few hours of investigation I found that there's a problem with Active Directory. I tried a server restart and then got a lot of errors in the event logs. I tried dcdiag again and found these problems:

(Netlogons) Unable to connect to the NETLOGON share! An net use or LsaPolicy operation failed with error 67

(DFSREvent) There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

(Advertising) Warning: DsGetDcName returned information for \\SERVER..., when we were trying to reach SRV.... IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

The NETLOGON and SYSVOL shares are missing. All other tests were successful.

I googled a lot and found the D2/D4 DFSR solution. It is unclear to me which to choose, the authoritative or the non-authoritative restore, and on which DC I have to run the guide. In case of a failure, what will be lost, i.e. which files do I have to back up manually in addition to the normal backup? I moved the FSMO roles back to the old DC as its dcdiag was fine, so could it be a better solution to demote the new DC and install the role again? What could cause this problem, given that dcdiag was fine before the FSMO move?

Any advice or idea is appreciated!

