A-CAST
Sep 14, 2021, Brass Contributor
SSPI handshake failed with error code 0x80090311
The full error I'm getting: SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurit...
- Sep 14, 2021
- ACEPDC7 is DHCP assigned which is a no-no for a domain controller. After assigning a static address I'd do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service.
- ACEPDC4 is DHCP assigned which is a no-no for a domain controller. After assigning a static address I'd do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service.
- ACEPDC5 -> ACEPDC4 5012 errors
https://social.technet.microsoft.com/wiki/contents/articles/1205.dfsr-event-5012-dfs-replication.aspx
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770728(v=ws.11)
- ACEPDC6 event logs cannot be queried because of RPC, so I'd check the logs for possible errors
- ACEPDC7 event logs cannot be queried because of RPC, so I'd check the logs for possible errors
- ACEPDC4 has replication problems. I'd check the event logs for error details (may be related to DHCP assignment)

(please don't forget to mark helpful replies)
Dave Patrick
Sep 14, 2021, MVP
The two prerequisites to introducing the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older SYSVOL FRS replication needs to have been migrated to DFSR.
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405
I'd suggest removing the new 2019, make sure prerequisites have been met, then use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add Active Directory Domain Services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer PDC emulator role (optional), use dcdiag / repadmin tools to again verify health; when all is good you can move on to the next one.
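The gate described in the reply above (both prerequisites met, then dcdiag / repadmin clean before any promotion or demotion), written out as an added PowerShell example that is not part of the original thread. It assumes a domain-joined admin host with RSAT installed (ActiveDirectory module, dcdiag, repadmin, dfsrmig) and that a finished SYSVOL migration reports the global state 'Eliminated'; the `$findings` list is a name chosen for this example.

```powershell
# Added example, not from the thread. Run as a domain admin on a host with RSAT.
Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[string]]::new()

# Prerequisite 1: domain functional level must be 2008 or higher.
$mode = "$((Get-ADDomain).DomainMode)"
if ($mode -in 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') {
    $findings.Add("Domain functional level is $mode; needs 2008 or higher.")
}

# Prerequisite 2: SYSVOL must replicate over DFSR, not FRS.
# Assumption: a completed migration reports the global state 'Eliminated'.
$dfsrState = (dfsrmig /getglobalstate) -join "`n"
if ($dfsrState -notmatch 'Eliminated') {
    $findings.Add("SYSVOL FRS-to-DFSR migration not complete:`n$dfsrState")
}

# Health 1: every replication link on every DC, parsed from repadmin's CSV.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($link in $links) {
    if ($link.showrepl_COLUMNS -ne 'showrepl_INFO') {
        # Rows that are not INFO mean repadmin could not query that DC.
        $findings.Add("repadmin query failed: " + ($link.PSObject.Properties.Value -join ' '))
        continue
    }
    if ([int]$link.'Number of Failures' -gt 0) {
        $findings.Add(("{0} <- {1} [{2}]: {3} failures, last status {4}" -f
            $link.'Destination DSA', $link.'Source DSA', $link.'Naming Context',
            $link.'Number of Failures', $link.'Last Failure Status'))
    }
}

# Health 2: dcdiag across the enterprise; /q prints only failures.
$dcdiagErrors = dcdiag /e /q
if ($dcdiagErrors) {
    $findings.Add("dcdiag reported errors:`n" + ($dcdiagErrors -join "`n"))
}

# Verdict: proceed only when nothing was flagged.
if ($findings.Count -eq 0) {
    Write-Output 'Prerequisites met and replication healthy.'
} else {
    Write-Warning "$($findings.Count) issue(s) to correct before promoting or demoting a DC:"
    $findings
}
```

Running it once before promoting the new DC and again before demoting the old one matches the two verification points in the reply.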
A-CAST
Sep 14, 2021, Brass Contributor
Dave, thanks for the reply.
I'm going to look into the FRS replication migration to DFSR to see if that's been done or not, but in regards to removing our 2019 DC. The issue with that is we already have a new 2019 DC in a remote office...that's a physical server in a different state and I don't have the option to demote it, downgrade OS license (rebuild server), then promote it to a lesser OS version.
The new 2019 DC that I just put into another site, the one that's to replace the 2008 R2 that's part of the same site...that one I can remove as you described and redo but based on the reasoning behind your initial response I don't think it's going to matter based on what I said regarding the other 2019 DC that's been running for a while now at another site.
I've used dcdiag /repadmin tools before but lately I've been using the AD Replication Tool from Microsoft which did not show any errors prior to me starting this project. If dcdiag gives me different info then sure I'll do both not a problem but my main focus is knowing how to test that the replacement 2019 DC is working for this site in regards to this error before I demote the 2008 R2 DC?
- A-CAST, Sep 14, 2021, Brass Contributor
One more thing...all DCs are GC enabled, but only one DC has all the FSMO roles. So, we have our HQ site, Remote Office site, and AWS site. Only physical DC is located in Remote Office, the other two are virtual DCs. The one located at our office is the 2012 R2 DC with all the FSMO roles, so my plan was to keep domain functional level at 2012 R2 until I'm ready to replace this one in the future. For now, I just needed to replace the DC on AWS due to it being EOL (2008 R2).
- Dave Patrick, Sep 14, 2021, MVP
2012 R2 DFL is fine and whether physical or virtual really doesn't matter.
- A-CAST, Sep 14, 2021, Brass Contributor
After looking at the links you provided, I remembered I did use this same site for my FRS to DFSR migration and it completed successfully. I had to do this prior to adding my first 2019 DC.
- Dave Patrick, Sep 14, 2021, MVP
If the prerequisites have not been met then there is no choice but to remove the 2019 domain controllers. Perform cleanup if needed.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564
Then check health is 100% and if so you can start again.