Forum Discussion

Steinkirchner's avatar
Steinkirchner
Copper Contributor
Apr 25, 2022

Domain authentication issue

We are a small single-domain company.  We've had one WinSvr2012 domain controller for years.  Recently we added 2 Server 2019 DCs with the objective of demoting and decommissioning the 2012 DC.  The ...
Active Directory
Steinkirchner's avatar
Steinkirchner
Copper Contributor
Apr 28, 2022

Harm_Veenstra 

I did restart the netlogon services from the command prompt and then executed ipconfig /registerdns.  The only error is from DC3: "A Primary Domain Controller could not be located".  DC2/DC3 have 127.0.0.1 as the primary DNS and each other as the secondary DNS.  They both are patched to April '22.  Both also reference DC1 as the GC name and time server, which shouldn't be the case I think.  They should reference themselves as the GC name and time server, correct? 

Harm_Veenstra's avatar
Harm_Veenstra
MVP
Apr 28, 2022
Timeserver should he configured to a domain controller which syncs it time to the internet or a hardware ntp. Are there time differences on the domain controllers?

Could you post a screenshot of the GC reference?
  • Harm_Veenstra's avatar
    Harm_Veenstra
    MVP
    Apr 29, 2022
    Ok, no SYSVOL is something that will prevent a DC from advertising itself.. Hope this will get things running!
  • Steinkirchner's avatar
    Steinkirchner
    Copper Contributor
    Apr 29, 2022
    The next step is to resolve the failed test NetLogons. From DCDiag output:

    Starting test: NetLogons

    * Network Logons Privileges Check
    Unable to connect to the NETLOGON share! (\\DC2\netlogon)

    [DC2] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..

    ......................... DC2 failed test NetLogons
  • Steinkirchner's avatar
    Steinkirchner
    Copper Contributor
    Apr 29, 2022

    My new DCs now pass the Advertising test.  They did not have SYSVOL shares.  I followed the instructions at the link below to set a registry entry to generate the missing shares.

     

    https://social.technet.microsoft.com/Forums/en-US/3d76a999-cfdc-4eff-b2ab-2fb697e8d7ee/2016-sysvol-and-netlogon-shares-missing-from-new-domain-controllers-added-to-2012-and-below?forum=ws2016

     

  • Steinkirchner's avatar
    Steinkirchner
    Copper Contributor
    Apr 29, 2022
    I think the next issue to resolve is the advertising test failure. From DCdiag output:

    Starting test: Advertising

    Warning: DsGetDcName returned information for \\DC1.<domain>, when we were trying to reach

    DC2.

    SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

    ......................... DC2 failed test Advertising
  • Steinkirchner's avatar
    Steinkirchner
    Copper Contributor
    Apr 29, 2022
    Yes, DC1 is still online. All 3 of the DCs show the same output from netdom query fsmo.
  • Harm_Veenstra's avatar
    Harm_Veenstra
    MVP
    Apr 29, 2022
    Ok, but DC1 is still there.. You did move all the FSMO roles, all domain controllers do see this change? If you run "netdom query fsmo" on all DC's indivually, they do see the same output?
  • Steinkirchner's avatar
    Steinkirchner
    Copper Contributor
    Apr 28, 2022
    No time differences between the DCs.

    The GC reference is shown in the DCdiag output:
    Starting test: LocatorCheck
    GC Name: \\DC1.<domain>

Resources