Verify Active Directory synchronization before primary domain controller demotion
I just added a second domain controller to my domain and transferred the FSMO roles to it, as I plan to demote and retire the original DC. Once the new dc2 was added, I ran dcdiag to verify no errors and communication was established. I also waited several days (72hrs or more) to make sure synchronization completed. Everything looked good, so prior to demoting the original dc1, I powered it off. After about an hour I was unable to access AD from dc2. No objects or containers were visible, and users couldn’t access shares (on dc2) until dc1 was rebooted and communication reestablished with dc2. After scanning the event logs of dc1 I determined that DFS replication had stopped and both sysvol and netlogon folders were missing on dc2. After some research I was able to create both shares and restarted replication, which appears to have worked since both folders are now synchronized with dc1. My concern is how do I know if AD is now available on dc2? AD synch commands show no errors, but they did before. Short of powering off the server again, as I am remote, is there a way to disable AD on dc1 and see if I still have access to AD on dc2? Would an incomplete replication of sysvol cause user authentication issues? Any advice would be greatly appreciated.