Forum Discussion

Steinkirchner's avatar
Steinkirchner
Copper Contributor
Apr 25, 2022

Domain authentication issue

We are a small single-domain company.  We've had one WinSvr2012 domain controller for years.  Recently we added 2 Server 2019 DCs with the objective of demoting and decommissioning the 2012 DC.  The ...
Active Directory
Harm_Veenstra's avatar
Harm_Veenstra
MVP
Apr 25, 2022

They should all be present on a running domain controller (They can be offline for a little while, but not too long) , so it's best to move them to one or divide them across two domain controllers. (Nice article here about that https://www.dtonias.com/transfer-fsmo-roles-domain-controller/) But the 2012 DC is just turned off or did you demote it first? If it's not demoted, please turn it back on and move the FSMO roles from it to another DC/DC's. If it's demoted, then seize the roles using the article (The NTDSUTIL part)

Steinkirchner's avatar
Steinkirchner
Copper Contributor
Apr 25, 2022
The 2012 DC is running, and I'm afraid to demote it because it doesn't find the other two DCs during the demoting process. I'll move the FSMO roles tomorrow morning.
  • Harm_Veenstra's avatar
    Harm_Veenstra
    MVP
    Apr 25, 2022
    "The 3 DCs seem to play nice together and correctly replicate new users, groups and computers".. And still there is an issue, it's problably DNS related. Check the settings on all three dc's and see if they are correct. Hopefully you can move the roles so that those are safe, it that fails you can always transfer using NTDSUTIL. But one DC not finding two DC's is not a good sign. Could you run a dcdiag /v on all three and check the output for errors that might indicate the issue?
    • Steinkirchner's avatar
      Steinkirchner
      Copper Contributor
      Apr 26, 2022

      Thank you for the advice concerning the FSMO roles, Harm http://@Harm_Veenstra.  I moved all roles to the new domain controllers.  Can't figure out how to attach the DCDiag log files.  DCDiag shows multiple test failures (all three DCs were running):

       

      • Both new DCs (DC2/DC3) fail the DFSREvent test the error "DFS Replication service failed to communicate with partner partner DC1" where DC1 is the original 2012 domain controller.
      • Both new DCs (DC2/DC3) fail the Advertising test with the error "SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE"
      • Both new DCs fail the NetLogons test with the error "An net use or LsaPolicy operation failed with error 67, The network name cannot be found"
      • DC3 fails (not DC2 tho) the LocatorCheck test:  "A Primary Domain Controller could not be located" and "The server holding the PDC role is down" (DC2 is the PDC now) 
      • Original DC1 fails the DFSREvent test:  "The DFS Replication service stopped replication on volume C:"
      • DC1 fails the SystemLog test:  "(KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket"
      • DC1 fails the LocatorCheck test:  "A Primary Domain Controller could not be located" and "The server holding the PDC role is down"
      • Harm_Veenstra's avatar
        Harm_Veenstra
        MVP
        Apr 26, 2022
        You said 'Primary/secondary DCs are ancient history', what did you mean by that? That all machines point to it and no changes in that for a long time?

        Could you do this on the new DC's?

        Net stop netlogon
        Net start netlogon
        Ipconfig /registerdns

        And check system log for errors