Server 2012R2: Problems Adding Additional Domain Controller

So I have a new environment that I'm setting up with two different data center locations: one in Seattle, and one in LA. In Seattle, I currently have DC1 (primary domain controller) and around 15 servers, and in LA, I have around 5 servers in the domain. None of the servers in the domain are having issues, and all have their time set properly. DC1 gets its time from the NTP Pool while the domain members get their time from DC1.

For the last day, I've been trying to add a secondary domain controller for redundancy: DC2. However, every time that I try to add it (and I've done this 5 times, provisioning a fresh Win2012R2 server each time, and also deleting the old server from Active Directory and its DNS records from the DNS zones), the promotion to a domain controller stalls and sticks at the "Creating the NTDS settings object ..." stage. I've let it sit for as long as 6 hours, and it never budges.

Looking in the Event Logs, the only errors/warnings are:

NtpClient was unable to set a domain peer to use as a time source because of failure in establishing a trust relationship between this computer and the 'corp.XXXXXXXXXXX.XXX' domain in order to securely synchronize time. NtpClient will try again in 30 minutes and double the reattempt interval thereafter. The error was: The interface is unknown. (0x800706B5)

  • Running a dcdiag picks up no issues, and if I do a dcdiag /s:dc1 from DC2, it comes back clean with no connection issues.
  • I've verified that Computer Browser, IP Helper, Netlogin, and so on are all running.
  • Firewall is disabled on both servers.
  • Verified before starting that the time is correct, down to the second, for both servers.
  • Made sure the local admin password and domain admin password are different.
  • Am using a separate domain administrator account as credentials to join DC2 to the domain (same one that has worked on all the other servers).
  • Have tried joining DC2 to the domain FIRST, and then promoting it, and doing a promotion without it joined to the domain ... same results.

Anyone got any thoughts?

0
asked 30 August 2016 at 17:40
1 answer

Every DC is a time server; but it will not become one if it cannot synchronize its time with the other DCs. Focus on the NTP problem. If you are using VMs, make sure you have disabled time synchronization between the VM and the host. Check the Windows Time service settings: w32tm /query /configuration.
0
answered 5 December 2019 at 09:35
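One way to carry out the checks the answer recommends, as an added example that is not part of the original answer: a PowerShell script to run in an elevated prompt on the server being promoted (DC2 in the question). It assumes the existing domain controller is reachable as `dc1` (a placeholder name) and that the server may be a Hyper-V guest; the registry paths and `w32tm` switches are the standard Windows Time ones.

```powershell
# Added diagnostic script, not from the original answer. Run elevated on the
# server being promoted. Assumptions: the existing DC is reachable as "dc1"
# (placeholder) and the machine may be a Hyper-V guest; adjust $ExistingDc.

$ExistingDc = 'dc1'   # placeholder: the DC this server should take its time from

# 1. Full Windows Time configuration (the command the answer refers to).
w32tm /query /configuration

# 2. Summarise the two settings that decide where this server gets its time.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
"Type      : $($params.Type)"       # NT5DS = follow the domain hierarchy (expected for a member/DC)
"NtpServer : $($params.NtpServer)"  # only consulted when Type is NTP or AllSync

if ($params.Type -ne 'NT5DS') {
    Write-Warning "Type is '$($params.Type)'; a domain member that should follow the domain hierarchy normally uses NT5DS."
}

# 3. Host-to-guest time sync on Hyper-V guests (the VM/host sync the answer says to turn off).
#    When this provider is enabled it competes with the domain hierarchy as a time source.
$vmicPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
if (Test-Path $vmicPath) {
    $vmic = Get-ItemProperty -Path $vmicPath
    if ($vmic.Enabled -eq 1) {
        Write-Warning 'VMICTimeProvider is enabled: this guest takes time from the Hyper-V host.'
        Write-Warning 'On the host, disable "Time Synchronization" for this VM (Disable-VMIntegrationService), then restart w32time here.'
    }
}

# 4. Current source and sync status. A healthy member reports the existing DC,
#    not "Local CMOS Clock" or "Free-running System Clock".
w32tm /query /source
w32tm /query /status

# 5. Measure this server's offset from the existing DC. Kerberos tolerates a
#    5-minute skew by default, but the offset should be well under a second.
w32tm /stripchart /computer:$ExistingDc /samples:3 /dataonly

# 6. Remediation if the source is wrong: re-point at the domain hierarchy and
#    force a resync (left commented so the script stays read-only by default).
# w32tm /config /syncfromflags:domhier /update
# Restart-Service w32time
# w32tm /resync /rediscover
```

Run it before retrying the promotion: the interesting lines are the `Type` value, whether `VMICTimeProvider` is enabled, and the `/stripchart` offsets against the existing DC. Once `/query /source` names the existing DC and the offsets are small, the time-related blocker the answer describes is out of the way.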
