Forum Discussion

Brass Contributor

Sep 14, 2021

Solved

SSPI handshake failed with error code 0x80090311

The full error I'm getting: SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurit...

Active Directory

Windows Server

Dave Patrick
Sep 14, 2021
- ACEPDC7 is DHCP assigned which is a no-no for a domain controller. After assigning a static address I'd do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service.

- ACEPDC4 is DHCP assigned which is a no-no for a domain controller. After assigning a static address I'd do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service.

- ACEPDC5 -> ACEPDC4 5012 errors
https://social.technet.microsoft.com/wiki/contents/articles/1205.dfsr-event-5012-dfs-replication.aspx
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770728(v=ws.11)

- ACEPDC6 event logs cannot be queried because of RPC, so I'd check the logs for possible errors

- ACEPDC7 event logs cannot be queried because of RPC, so I'd check the logs for possible errors

- ACEPDC4 has replication problems. I'd check the event logs for error details (may be related to DHCP assignment)

(please don't forget to mark helpful replies)

A-CAST

Brass Contributor

Sep 14, 2021

Dave, thanks for the reply.

I'm going to look into the FRS replication migration to DFSR to see if that's been done or not, but in regards to removing our 2019 DC. The issue with that is we already have a new 2019 DC in a remote office...that's a physical server in a different state and I don't have the option to demote it, downgrade OS license (rebuild server), then promote it to a lesser OS version.

The new 2019 DC that I just put into another site, the one that's to replace the 2008 R2 that's part of the same site...that one I can remove as you described and redo but based on the reasoning behind your initial response I don't think it's going to matter based on what I said regarding the other 2019 DC that's been running for a while now at another site.

I've used dcdiag /repadmin tools before but lately I've been using the AD Replication Tool from Microsoft which did not show any errors prior to me starting this project. If dcdiag gives me different info then sure I'll do both not a problem but my main focus is knowing how to test that the replacement 2019 DC is working for this site in regards to this error before I demote the 2008 R2 DC?

A-CAST

Brass Contributor

Sep 14, 2021

One more thing...all DC's are GC enabled, but only one DC has all the FSMO roles. So, we have our HQ site, Remote Office site, and AWS site. Only physical DC is located in Remote Office, the other two are virtual DC's. The one located at our office is the 2012 R2 DC with all the FSMO roles, so my plan was to keep domain functional level at 2012 R2 until I'm ready to replace this one in the future. For now, I just needed to replace the DC on AWS due to it being EOL (2008 R2).

Dave Patrick
MVP
Sep 14, 2021
2012 R2 DFL is fine and whether physical or virtual really doesn't matter.
- A-CAST
  Brass Contributor
  Sep 14, 2021
  After looking at the links you provided, I remembered I did use this same site for my FRS to DFRS migration and it completed successfully. I had to do this prior to adding my first 2019 DC.
  - Dave Patrick
    MVP
    Sep 14, 2021
    Three right? Please run;
    
    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\dc3.txt
    
    then put unzipped text files up on OneDrive and share a link.