On our DCs the BPA comes up with the error in the subject.
From what I understand this is because this is an old domain and meanwhile you store the _msdcs.domain.com zone directly under "Forward Lookup Zones" and not only at the "zone name" as we old folks learned. I get why and now want to fix this.
It would be great if someone could double check the way I consider to do this:
- I delete the _msdcs.domain.com folder under domain.com
- I add a new primary zone "_msdcs.domain.com" directly under the Forward Lookup Zones
- This zone will be available for all DCs in the forest and I will allow only secure updates
- Now I would restart Netlogon & DNSServer service
- Delete local cache: ipconfig /flushdns
- Log into all other DCs, restart DNS & Netlogon Service and delete Cache.
Is this how it is done? Do I have to prepare anything else? Do I have to delete the DNS entries of the DCs?
Edit: And another question: What happens when I restart DNS & Netlogon Service. How much impact is this for the user?
Additional question: my _msdcs folder contains some entries of the same DC in upper AND in lower case. Is there an explanation why this happens? The timestamps are different for these entries.
Once again I would love to benefit from your knowledge.
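The steps listed in the post, written out as PowerShell against the DnsServer module. This is an added example, not code from the post or from ITProTV; it assumes it is run elevated on a Windows Server 2012 or later DC, that `domain.com` is the forest root named in the post, and the zone and record names it prints are whatever that DC actually holds. The inspect step is read-only and is the part worth running first; the destructive steps are in their own function so nothing is removed until you call it.

```powershell
# Added example (not from the forum post). Assumes the DnsServer module (Windows Server 2012+)
# and an elevated session on a DC. 'domain.com' is taken from the post; everything else is a placeholder.
Import-Module DnsServer

$domain = 'domain.com'
$msdcs  = "_msdcs.$domain"

function Test-MsdcsZoneLayout {
    # Read-only: is _msdcs a standalone zone, or only a record folder under the parent zone?
    $zone = Get-DnsServerZone -Name $msdcs -ErrorAction SilentlyContinue
    if ($zone) {
        "Standalone zone exists: ReplicationScope={0} DynamicUpdate={1}" -f $zone.ReplicationScope, $zone.DynamicUpdate
    } else {
        "No standalone $msdcs zone. Records still living under ${domain}:"
        Get-DnsServerResourceRecord -ZoneName $domain |
            Where-Object { $_.HostName -match '(^|\.)_msdcs$' } |
            Select-Object HostName, RecordType, Timestamp |
            Format-Table -AutoSize
    }
}

function Repair-MsdcsZone {
    # Destructive: remove the old "_msdcs" folder records from the parent zone,
    # then create the forest-replicated, secure-update-only zone the BPA expects.
    Get-DnsServerResourceRecord -ZoneName $domain |
        Where-Object { $_.HostName -match '(^|\.)_msdcs$' } |
        ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $domain -InputObject $_ -Force }

    Add-DnsServerPrimaryZone -Name $msdcs -ReplicationScope Forest -DynamicUpdate Secure

    # Same as the post's restart + "ipconfig /flushdns", plus a forced re-registration of this DC's SRV records.
    Restart-Service -Name Netlogon
    Restart-Service -Name DNS
    Clear-DnsClientCache
    nltest /dsregdns
}

function Test-MsdcsZoneContent {
    # Verify the new zone is being populated: the GC and DC locator SRV records should reappear.
    $srv = Get-DnsServerResourceRecord -ZoneName $msdcs -RRType Srv -ErrorAction SilentlyContinue
    "SRV records in ${msdcs}: {0}" -f @($srv).Count
    @($srv) | Select-Object HostName, @{n='Target';e={$_.RecordData.DomainName}} | Format-Table -AutoSize
    dcdiag /test:dns /v
}

Test-MsdcsZoneLayout
# Repair-MsdcsZone      # uncomment once the layout above confirms the old folder-style zone
# Test-MsdcsZoneContent # run on each DC after its Netlogon/DNS restart
```

`Test-MsdcsZoneLayout` also prints the `Timestamp` of each record, which is the column to compare when the same DC shows up more than once in the folder. Because the zone is created with `-ReplicationScope Forest` it is stored in the forest DNS partition and reaches the other DCs through AD replication; on those DCs only the restart and cache flush from the post are needed, and `Test-MsdcsZoneContent` confirms their SRV records were re-registered.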
I inherited an old 2008R2 DC with a CA and NPS running on it which serves as a RADIUS server for a firewall/ wifi management. All NPS settings are a bit messy as there are old, unused settings in it as well and on top no one knows the private key passphrase for the CA.
This is my last 2008R2 DC and I want to get rid of it and use the opportunity to clean up the mess.
My plan is to build up a new server whose only purpose shall be to be a NPS/ RADIUS server as I like to have my DCs clean of any other services. That server will be a domain member.
The NPS part is actually straightforward for me and I watched your 2012 videos about it which look like they transfer pretty well to 2016. But one question bugs me..
At "Policies - Connection Request Policies - Use Windows authentication for all users - Properties - Settings - Authentication" it says "Authenticate requests on this server".. Does this mean, that all authentication requests are only checked against the local user information or, as it is a domain member server, requests are checked against the domain user database? Or does this mean there always has to be a NPS on a domain controller? I am a bit confused by this…
In addition I have a question about the CA stuff.
I plan to build a new, local CA on the new server. So when users authenticate against the NPS they do need the cert of that NPS server, right? That is the cert I have to deploy so that no one gets an error message?!
Does anyone have experience with the Win32 Long Paths GPO?
Is there anything to be aware of? Does this work instantly for all attached storage?
And a general question. If I add a GPO to an OU which includes Win2016 and Win2012 servers, will the 2012 server just ignore this GPO? Or should I better add a new GPO just for the 2016 servers?
a) current DCs are running 2008R2, we have two. ntds.dit is 38MB, so we are some bits and bytes away from 100GB. So I will let the new DC run the adprep. This is a bit of the spooky part for me. Is there any chance of messing up my existing AD or is this so rock solid that everything should run fine?
b) will do this. Thanks.
c) I already set up all the subnets according to our network. This should be fine.
Once again thanks for your advice, very appreciated!
Hi @Mike-Rodrick ,
happy new year!
Thanks a ton for the help so far. Let me summarise what I understood and if you could correct me if I got something completely wrong let me know:
Scenario assumes a running VPN between branch & HQ.
At the HQ:
- NO adprep is needed anymore, as I will add a 2012 Server which does this automatically
- Rename the default-first-site-name and the defaultipsitelink to something meaningful
- Create the second site for branch office.
- Create subnet object and associate them with their appropriate sites.
At the branch:
- Bring the 2012R2 Server into the new location
- Give it a static IP.
- Join the Domain
- Install Domain Role
- Promote Server to Domain Controller
- Keep DNS & GC boxes ticked.
- Choose Branch Office Site!
- Finish Promotion
- Install DHCP Role & Configure
This should be pretty much it, right?
Now the good and the bad part about ITProTV. You learn a lot more, but also some more questions pop up. :-)
a: Would it be better to do the adprep beforehand? Even if the new DC would do it? Especially because in the beginning the VPN won’t be the fastest? And if yes, is adprep in any form interruptive for the existing Domain? Or could I do this during working hours?
b: Would you recommend IFM for the new DC? Or should the internet connection be enough. 350 User / 400 Machines
Once again, thanks
Edit: One more question: By default there is no subnet linked to the first site. I now will add my second site and add a subnet to it. Do I have to add subnets to the first site? Or can I leave it without specific subnets and assume it is every net besides the configured net for the second site? (I hope you understand what I want to say.. I am a non-native speaker. :-) )
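The HQ preparation and branch promotion steps from the summary above, together with the pre-flight check that the earlier adprep question (the 2008R2 reply) asks for, as one added PowerShell example. It is not code from the thread or from ITProTV; it assumes the ActiveDirectory module (RSAT) on the HQ side, Enterprise Admin rights for the schema and site changes, `domain.com` from the thread as the domain, and placeholder site names `HQ` / `Branch` and subnets `10.1.0.0/24` / `10.2.0.0/24` that must be replaced with the real ones.

```powershell
# Added example (not from the forum thread). Domain 'domain.com' is from the thread;
# site names, subnets and credentials below are placeholders.
Import-Module ActiveDirectory

$domain = 'domain.com'
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

function Test-AdPreflight {
    # Run on an HQ DC before promoting anything: replication must be clean and the
    # current schema/functional levels should be known. Schema objectVersion reference:
    # 47 = 2008 R2, 56 = 2012, 69 = 2012 R2, 87 = 2016.
    repadmin /replsummary
    $schemaVer = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
    "Schema objectVersion: $schemaVer"
    Get-ADForest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster
    Get-ADDomain | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
}

function Initialize-HqSites {
    # Rename the defaults, create the branch site, link it, and associate subnets with sites.
    Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$cfgNC" -NewName 'HQ'
    Rename-ADObject -Identity "CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,$cfgNC" -NewName 'HQ-Branch'

    New-ADReplicationSite -Name 'Branch'
    Set-ADReplicationSiteLink -Identity 'HQ-Branch' -SitesIncluded @{Add='Branch'}

    # Both sites get their subnet; clients pick a DC by matching their IP against these.
    New-ADReplicationSubnet -Name '10.1.0.0/24' -Site 'HQ'
    New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'Branch'
}

function Install-BranchDc {
    param([string]$IfmPath)   # optional: folder produced by ntdsutil IFM on an existing DC
    # Run on the branch server after it has a static IP and is joined to the domain.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

    $params = @{
        DomainName        = $domain
        SiteName          = 'Branch'      # the "Choose Branch Office Site" step
        InstallDns        = $true         # DNS box ticked
        NoGlobalCatalog   = $false        # GC box ticked
        Credential        = (Get-Credential "$domain\Administrator")
    }
    if ($IfmPath) { $params.InstallationMediaPath = $IfmPath }
    # Prompts for the DSRM password and reboots when done.
    Install-ADDSDomainController @params
}

function Test-BranchDc {
    # After the reboot: confirm the DC landed in the right site, is a GC, and replicates.
    Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, IPv4Address
    repadmin /showrepl
}

# HQ side:
# Test-AdPreflight
# Initialize-HqSites
# Branch side (optionally pass -IfmPath 'C:\IFM'):
# Install-BranchDc
# Test-BranchDc
```

The IFM media for the `-IfmPath` option is created on an existing DC with `ntdsutil`, using `activate instance ntds`, then `ifm`, then `create sysvol full C:\IFM`; the promotion then reads the directory from that folder instead of pulling the full copy over the VPN. `Test-AdPreflight` only reads; the first function that changes anything is `Initialize-HqSites`, and `Install-ADDSDomainController` runs its own prerequisite check and stops before promoting if the domain is not ready for a 2012 R2 DC.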
@mike-rodrick Hi, thanks for the answer. I would love to clarify some steps.
I did not set up the new DC yet, as the Subnet in the HQ is different and from all I have learned so far I remember that changing the IP of a DC is a massive pain. Did this change?
If not, I will set up the new DC in the branch office and connect via the VPN. This should work, right? And don't I have to create a new subnet? And are site links needed?
I guess I should watch the videos... I just do not want to see all of it, just the bit I need. :-)