SSPI handshake failed with error code 0x80090311

Dave, just wanted to follow-up and let you know that I was able to resolve the SSPI handshake error along with the RPC errors from two of my domain controllers.

First, did some more digging and found that these RPC errors are common when trying to query a server remotely while running the dcdiag command, so the quick fix was to temporarily disable the firewall and dcdiag ran fine with all tests passing. The articles I found said to add inbound rules for RPC, there is like 3 of them if I really wanted to but that they were harmless, just makes the dcdiag not report the errors, so being that I don't use this much and only to troubleshoot specific errors like this, I decided to just re-enable the firewall and only disable it if I need to run the tests or simply ignore them.

For the domain controller issue that caused this error to begin with...I shutdown the domain controller to see if this would happen and it did, so it was very repeatable. I then started to investigate on the application and noticed that I was getting LDAP authentication errors. This lead me to find that the entry for this in DNS was an alias CNAME record that was pointing to that same domain controller.

I then changed the entry to point to the new domain controller and forced replication, etc. waiting for DNS to update and show things correctly on all domain controllers and was then able to sign into the application even after shutting down the old domain controller that I'll be removing.

Other applications from different servers that were generating the same error also continued to work, so no SSPI handshake failed errors happened after this fix.

Now, I can demote this 2008 R2 domain controller once and for all and thanks again for all your help with this