AD/DNS Server losing secure channel


Hi guys,

We have a single DC environment (Windows Server 2019) which keeps losing its secure channel with itself. We get DNS errors 4000 and 4007.

We run the following command, and reboot:

netdom resetpwd /server:AD.IPP.ADDR /userd:Domain\domain_admin /passwordd:*

The issue resolves itself, however it re-appears after any further reboots.

This was originally in a dual DC environment, and the other has recently been removed; unsure if this is related.

Appreciate any advice.
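
Added example (not part of the original post or of any reply in this thread): a PowerShell check that separates a genuine machine-account password mismatch from the more common cause of this pattern after a second DC has been decommissioned, namely the surviving DC being unable to locate itself at boot. A password that netdom resetpwd really fixed would stay fixed across reboots; a channel that breaks on every reboot points at DNS client settings, locator (NS/SRV) records or AD metadata that still name the removed DC. The script assumes it runs in an elevated PowerShell session on the DC itself with the ActiveDirectory, DnsClient, NetTCPIP and DnsServer modules available; the zone layout it probes, the 24-hour event window and the expectation that every record resolves to this host are assumptions for a single-DC domain, not values taken from the thread.

```powershell
# Added example, not code from the original thread. Assumes (hypothetically)
# an elevated session on the lone DC with the AD, DNS client/server and
# NetTCPIP modules present; findings are collected, not acted on.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$domain   = (Get-ADDomain).DNSRoot
$thisDc   = $env:COMPUTERNAME
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is the secure channel to a DC of our own domain up right now?
#    In a single-DC domain the trusted DC must be this machine.
$sc   = nltest /sc_query:$domain 2>&1
$scOk = [bool]($sc -match 'NERR_Success')
if (-not $scOk) {
    $findings.Add("Secure channel broken: $($sc -join ' | ')")
} else {
    $trusted = ($sc | Select-String 'Trusted DC Name').Line
    if ($trusted -notmatch [regex]::Escape($thisDc)) {
        $findings.Add("Secure channel points at a DC other than this one: $trusted")
    }
}

# 2. DNS client settings: a lone DC must resolve its own zone at boot, so every
#    configured server should be this host (or loopback). Anything else, typically
#    the removed DC's address, breaks the DC locator before Netlogon is ready.
$myIps = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses.Count -gt 0 } |
  ForEach-Object {
    $bad = $_.ServerAddresses | Where-Object { $_ -notin $myIps -and $_ -ne '127.0.0.1' }
    if ($bad) { $findings.Add("$($_.InterfaceAlias): DNS servers $($bad -join ', ') are not this DC") }
  }

# 3. Stale references to the removed DC: server objects under Sites, DC computer
#    accounts (primaryGroupID 516), and NS / DC-locator SRV records in DNS.
$config  = (Get-ADRootDSE).configurationNamingContext
$servers = Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$config"
foreach ($s in ($servers | Where-Object { $_.Name -ne $thisDc })) {
    $findings.Add("Stale server object in Sites: $($s.DistinguishedName)")
}
foreach ($c in (Get-ADComputer -Filter 'PrimaryGroupID -eq 516' | Where-Object { $_.Name -ne $thisDc })) {
    $findings.Add("Stale DC computer account: $($c.DistinguishedName)")
}
$ns = Get-DnsServerResourceRecord -ZoneName $domain -RRType NS -ErrorAction SilentlyContinue
foreach ($r in $ns) {
    $nsHost = $r.RecordData.NameServer.TrimEnd('.')
    if ($nsHost -notlike "$thisDc.*") { $findings.Add("NS record points at $nsHost") }
}
# _msdcs is usually its own zone; fall back to the in-domain layout if it is not.
$srvZone = "_msdcs.$domain"; $srvName = '_ldap._tcp.dc'
if (-not (Get-DnsServerZone -Name $srvZone -ErrorAction SilentlyContinue)) {
    $srvZone = $domain; $srvName = '_ldap._tcp.dc._msdcs'
}
$srv = Get-DnsServerResourceRecord -ZoneName $srvZone -Name $srvName -RRType Srv -ErrorAction SilentlyContinue
foreach ($r in $srv) {
    $target = $r.RecordData.DomainName.TrimEnd('.')
    if ($target -notlike "$thisDc.*") { $findings.Add("SRV $srvName in $srvZone points at $target") }
}

# 4. The events behind the symptoms: DNS Server 4000/4007 and DFSR 1202
#    (dcdiag shows 1202 as 0xC00004B2). Assumed window: the last 24 hours.
$since = (Get-Date).AddDays(-1)
$evts  = @(Get-WinEvent -FilterHashtable @{LogName='DNS Server'; Id=4000,4007; StartTime=$since} -ErrorAction SilentlyContinue) +
         @(Get-WinEvent -FilterHashtable @{LogName='DFS Replication'; Id=1202; StartTime=$since} -ErrorAction SilentlyContinue)
$evts | Group-Object Id | ForEach-Object { $findings.Add("$($_.Count) x event $($_.Name) in the last 24h") }

if ($findings.Count -eq 0) { 'No boot-time locator or DNS problems found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

If the script reports stale server objects, DC accounts or records for the removed DC, remove them (ntdsutil metadata cleanup for the directory side, deleting the leftover records on the DNS side), point every NIC at this DC's own address, and reboot once; if the secure channel then survives a further reboot, the machine password was never the problem and netdom resetpwd can be retired. Note also that the "Access is denied" failures in the Services, Replications and NetLogons tests of a dcdiag /v run are what dcdiag reports from a non-elevated prompt; rerun it elevated, and add /test:DNS, which the posted run omitted, to get the DNS side of the 4000/4007 errors checked as well.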

You don't have any other issues, the other DC was removed correctly? What does a "dcdiag.exe /v" show?

@Harm_Veenstra Please see below output from dcdiag /v. I believe the DC was removed correctly, but I can't be sure.

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
* Verifying that the local machine AD-SERVER, is a Directory Server.
Home Server = AD-SERVER
* Connecting to directory service on server AD-SERVER.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\AD-SERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... AD-SERVER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\AD-SERVER
Starting test: Advertising
The DC AD-SERVER is advertising itself as a DC and having a DS.
The DC AD-SERVER is advertising as an LDAP server
The DC AD-SERVER is advertising as having a writeable directory
The DC AD-SERVER is advertising as a Key Distribution Center
The DC AD-SERVER is advertising as a time server
The DS AD-SERVER is advertising as a GC.
......................... AD-SERVER passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... AD-SERVER passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:08:53
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:13:53
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:26:06
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:15:02
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:20:03
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:30:04
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:35:05
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:53:07
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:58:08
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
......................... AD-SERVER failed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... AD-SERVER passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... AD-SERVER passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Domain Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role PDC Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Rid Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
......................... AD-SERVER passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC AD-SERVER on DC AD-SERVER.
* SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name.com
* SPN found :LDAP/AD-SERVER.our-domain-name.com
* SPN found :LDAP/AD-SERVER
* SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name
* SPN found :LDAP/ae2dfa24-4f30-4909-a5e3-079f70b6b83e._msdcs.our-domain-name.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae2dfa24-4f30-4909-a5e3-079f70b6b83e/our-domain-name.com
* SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name.com
* SPN found :HOST/AD-SERVER.our-domain-name.com
* SPN found :HOST/AD-SERVER
* SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name
* SPN found :GC/AD-SERVER.our-domain-name.com/our-domain-name.com
......................... AD-SERVER passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC AD-SERVER.
* Security Permissions Check for
DC=ForestDnsZones,DC=our-domain-name,DC=com
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=our-domain-name,DC=com
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=our-domain-name,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=our-domain-name,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=our-domain-name,DC=com
(Domain,Version 3)
......................... AD-SERVER passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\AD-SERVER\netlogon
Verified share \\AD-SERVER\sysvol
[AD-SERVER] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... AD-SERVER failed test NetLogons
Starting test: ObjectsReplicated
AD-SERVER is in domain DC=our-domain-name,DC=com
Checking for CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com in domain DC=our-domain-name,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com in domain CN=Configuration,DC=our-domain-name,DC=com on 1 servers
Object is up-to-date on all servers.
......................... AD-SERVER passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
[Replications Check,AD-SERVER] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
"Replication access was denied."
......................... AD-SERVER failed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 12602 to 1073741823
* AD-SERVER.our-domain-name.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1602 to 2101
* rIDPreviousAllocationPool is 1602 to 2101
* rIDNextRID: 1666
......................... AD-SERVER passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on AD-SERVER, error 0x5 "Access is denied."
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... AD-SERVER failed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... AD-SERVER passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com and
backlink on CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com are
correct.
The system object reference (serverReferenceBL)
CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and
backlink on
CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and
backlink on CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com are correct.
......................... AD-SERVER passed test VerifyReferences
Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS
Test omitted by user request: DNS

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : our-domain-name
Starting test: CheckSDRefDom
......................... our-domain-name passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... our-domain-name passed test CrossRefValidation

Running enterprise tests on : our-domain-name.com
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
PDC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
Time Server Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
Preferred Time Server Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
KDC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
......................... our-domain-name.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
provided.
......................... our-domain-name.com passed test Intersite

Could you run it in an Administrator Command prompt? There are errors like "Could not open NTDS Service on AD-SERVER, error 0x5 "Access is denied."" which indicate you're not running the dcdiag command as an admin/in an elevated prompt.
Perhaps this is something you could try?

https://glennopedia.com/2016/02/25/how-to-reset-secure-channel-on-a-domain-controller/

You receive an access denied error when accessing the DNS management console on the problem domain controller.
You run nltest /sc_query:domain.local and receive access denied.
You run nltest /sc_verify:domain.local and receive access denied.
Here is how you reset secure channel on a domain controller:

Open an administrative command line
Run the following commands*:
net stop kdc
klist purge
netdom resetpwd /server:<DCName> /userD:<domain\username> /passwordD:*
net start kdc
net stop DNS & net start DNS
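An added example, not code from this thread or from the linked post: a PowerShell health check that verifies the DC's own secure channel with nltest and looks for the events this thread is about (DNS Server 4000/4007 and Netlogon 5775, the 0x0000168F in the dcdiag SystemLog output) before, and again after, the reset sequence quoted above, which it performs only when -Repair is given. It assumes the DNS Server role runs on the same host (single-DC setup as here) and that -AdminAccount is a domain\user you supply.

```powershell
#Requires -RunAsAdministrator
# Added example (not the thread's or the linked post's code). Run from an
# elevated PowerShell on the DC itself. Assumptions: DNS Server role is local;
# $DomainFqdn defaults to the machine's own domain; -AdminAccount is yours.
[CmdletBinding()]
param(
    [string]$DomainFqdn = (Get-CimInstance Win32_ComputerSystem).Domain,
    [int]$HoursBack = 24,
    [switch]$Repair,          # opt in to the reset sequence quoted in the thread
    [string]$AdminAccount     # domain\user for netdom; only used with -Repair
)

function Get-SecureChannelState {
    param([string]$Domain)
    # nltest /sc_query reports which DC the channel is bound to and the last
    # status; exit code 0 plus NERR_Success means the channel is usable.
    $text = (& nltest.exe "/sc_query:$Domain" 2>&1 | Out-String)
    $dc = if ($text -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Domain    = $Domain
        Healthy   = ($LASTEXITCODE -eq 0 -and $text -match 'NERR_Success')
        TrustedDc = $dc
        Raw       = $text.Trim()
    }
}

function Get-SecureChannelEvents {
    param([int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    # DNS Server 4000/4007: the DNS service cannot reach AD / load its
    # AD-integrated zones (the errors reported in the opening post).
    # Netlogon 5775 is the 0x0000168F in the dcdiag output above (dynamic
    # deletion of the DC's SRV record rejected, "DNS bad key"); 5774 is the
    # registration counterpart of the same failure.
    $filters = @(
        @{ LogName = 'DNS Server'; Id = 4000, 4007; StartTime = $since }
        @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774, 5775; StartTime = $since }
    )
    foreach ($f in $filters) {
        # -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName,
                @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Invoke-SecureChannelReset {
    param([string]$Account)
    if (-not $Account) { throw 'Supply -AdminAccount domain\user when using -Repair.' }
    # Same order as the procedure quoted in the thread: stop the KDC so no
    # tickets are issued against the old machine password, drop cached
    # tickets, reset the password, bring the KDC back, then restart DNS so the
    # AD-integrated zones are reloaded under the new secure channel.
    Stop-Service kdc -Force
    & klist.exe purge | Out-Null
    & netdom.exe resetpwd "/server:$env:COMPUTERNAME" "/userD:$Account" '/passwordD:*'
    $rc = $LASTEXITCODE
    Start-Service kdc
    Restart-Service DNS
    if ($rc -ne 0) { throw "netdom resetpwd failed with exit code $rc" }
}

$before = Get-SecureChannelState -Domain $DomainFqdn
$before | Format-List Domain, Healthy, TrustedDc
$events = @(Get-SecureChannelEvents -Hours $HoursBack)
"{0} related event(s) in the last {1} h" -f $events.Count, $HoursBack
$events | Sort-Object TimeCreated | Format-Table -AutoSize

if ($Repair) {
    if ($before.Healthy -and $events.Count -eq 0) {
        Write-Warning 'Secure channel is healthy and no related events were found; nothing to reset.'
        return
    }
    Invoke-SecureChannelReset -Account $AdminAccount
    # Verify rather than assume: in the thread, netdom alone did not survive a
    # reboot, while the full stop-kdc / purge / reset / restart sequence did.
    Get-SecureChannelState -Domain $DomainFqdn | Format-List Domain, Healthy, TrustedDc
}
```

Run it without -Repair first and after each reboot; a channel that is healthy immediately after the reset but unhealthy on the next run is the recurrence pattern described in the opening post.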

@Harm_Veenstra 

Hi Harm, I just tried this procedure and restarted a few times and it seems to be okay now. I will try another restart in the morning, however it looks promising.

Here is the elevated output requested:

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
* Verifying that the local machine AD-SERVER, is a Directory Server.
Home Server = AD-SERVER
* Connecting to directory service on server AD-SERVER.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\AD-SERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... AD-SERVER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\AD-SERVER
Starting test: Advertising
The DC AD-SERVER is advertising itself as a DC and having a DS.
The DC AD-SERVER is advertising as an LDAP server
The DC AD-SERVER is advertising as having a writeable directory
The DC AD-SERVER is advertising as a Key Distribution Center
The DC AD-SERVER is advertising as a time server
The DS AD-SERVER is advertising as a GC.
......................... AD-SERVER passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... AD-SERVER passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:08:53
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:13:53
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:26:06
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:15:02
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:20:03
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:30:04
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:35:05
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:53:07
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:58:08
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:
Error: 160 (One or more arguments are not correct.)
......................... AD-SERVER failed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... AD-SERVER passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
A warning event occurred. EventID: 0x80000603
Time Generated: 03/02/2022 20:45:04
Event String: Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.

Hard disk:
c:

Data might be lost during system failures.
A warning event occurred. EventID: 0x80000BEB
Time Generated: 03/02/2022 20:45:05
Event String:
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked.

This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

For more information, please see https://go.microsoft.com/fwlink/?linkid=2174032.
A warning event occurred. EventID: 0x80000BEE
Time Generated: 03/02/2022 20:45:05
Event String:
The directory has been configured to allow implicit owner privileges when initially setting or modifying the nTSecurityDescriptor attribute during LDAP add and modify operations. Warning events will be logged, but no requests will be blocked.

This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

For more information, please see https://go.microsoft.com/fwlink/?linkid=2174032.
A warning event occurred. EventID: 0x80000B46
Time Generated: 03/02/2022 20:45:16
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
A warning event occurred. EventID: 0x80000BE1
Time Generated: 03/02/2022 20:45:16
Event String:
The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server.

For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.
A warning event occurred. EventID: 0x80000603
Time Generated: 03/02/2022 20:46:54
Event String: Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.

Hard disk:
c:

Data might be lost during system failures.
A warning event occurred. EventID: 0x80000BEB
Time Generated: 03/02/2022 20:46:55
Event String:
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked.

This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

For more information, please see https://go.microsoft.com/fwlink/?linkid=2174032.
A warning event occurred. EventID: 0x80000BEE
Time Generated: 03/02/2022 20:46:55
Event String:
The directory has been configured to allow implicit owner privileges when initially setting or modifying the nTSecurityDescriptor attribute during LDAP add and modify operations. Warning events will be logged, but no requests will be blocked.

This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

For more information, please see https://go.microsoft.com/fwlink/?linkid=2174032.
A warning event occurred. EventID: 0x80000B46
Time Generated: 03/02/2022 20:47:06
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
A warning event occurred. EventID: 0x80000BE1
Time Generated: 03/02/2022 20:47:06
Event String:
The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server.

For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.
A warning event occurred. EventID: 0x80000603
Time Generated: 03/02/2022 20:48:42
Event String: Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.

Hard disk:
c:

Data might be lost during system failures.
A warning event occurred. EventID: 0x80000BEB
Time Generated: 03/02/2022 20:48:43
Event String:
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked.

This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

For more information, please see https://go.microsoft.com/fwlink/?linkid=2174032.
A warning event occurred. EventID: 0x80000BEE
Time Generated: 03/02/2022 20:48:43
Event String:
The directory has been configured to allow implicit owner privileges when initially setting or modifying the nTSecurityDescriptor attribute during LDAP add and modify operations. Warning events will be logged, but no requests will be blocked.

This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

For more information, please see https://go.microsoft.com/fwlink/?linkid=2174032.
A warning event occurred. EventID: 0x80000B46
Time Generated: 03/02/2022 20:48:54
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
A warning event occurred. EventID: 0x80000BE1
Time Generated: 03/02/2022 20:48:54
Event String:
The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server.

For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... AD-SERVER passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Domain Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role PDC Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Rid Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
......................... AD-SERVER passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC AD-SERVER on DC AD-SERVER.
* SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name.com
* SPN found :LDAP/AD-SERVER.our-domain-name.com
* SPN found :LDAP/AD-SERVER
* SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name
* SPN found :LDAP/ae2dfa24-4f30-4909-a5e3-079f70b6b83e._msdcs.our-domain-name.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae2dfa24-4f30-4909-a5e3-079f70b6b83e/our-domain-name.com
* SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name.com
* SPN found :HOST/AD-SERVER.our-domain-name.com
* SPN found :HOST/AD-SERVER
* SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name
* SPN found :GC/AD-SERVER.our-domain-name.com/our-domain-name.com
......................... AD-SERVER passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC AD-SERVER.
* Security Permissions Check for
DC=ForestDnsZones,DC=our-domain-name,DC=com
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=our-domain-name,DC=com
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=our-domain-name,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=our-domain-name,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=our-domain-name,DC=com
(Domain,Version 3)
......................... AD-SERVER passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\AD-SERVER\netlogon
Verified share \\AD-SERVER\sysvol
......................... AD-SERVER passed test NetLogons
Starting test: ObjectsReplicated
AD-SERVER is in domain DC=our-domain-name,DC=com
Checking for CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com in domain DC=our-domain-name,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com in domain CN=Configuration,DC=our-domain-name,DC=com on 1 servers
Object is up-to-date on all servers.
......................... AD-SERVER passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=our-domain-name,DC=com
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=our-domain-name,DC=com
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=our-domain-name,DC=com
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=our-domain-name,DC=com
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=our-domain-name,DC=com
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... AD-SERVER passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 12602 to 1073741823
* AD-SERVER.our-domain-name.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1602 to 2101
* rIDPreviousAllocationPool is 1602 to 2101
* rIDNextRID: 1666
......................... AD-SERVER passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... AD-SERVER passed test Services
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2022 20:41:00
Event String:
The dynamic deletion of the DNS record '_kerberos._tcp.dc._msdcs.our-domain-name.com. 600 IN SRV 0 100 88 AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: 172.18.140.123
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2022 20:41:00
Event String:
The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.our-domain-name.com. 600 IN SRV 0 100 88 AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: 172.18.140.123
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2022 20:41:00
Event String:
The dynamic deletion of the DNS record '_kerberos._tcp.our-domain-name.com. 600 IN SRV 0 100 88 AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: 172.18.140.123
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2022 20:41:00
Event String:
The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.our-domain-name.com. 600 IN SRV 0 100 88 AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: 172.18.140.123
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2022 20:41:00
Event String:
The dynamic deletion of the DNS record '_kerberos._udp.our-domain-name.com. 600 IN SRV 0 100 88 AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: 172.18.140.123
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2022 20:41:00
Event String:
The dynamic deletion of the DNS record '_kpasswd._tcp.our-domain-name.com. 600 IN SRV 0 100 464 AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: 172.18.140.123
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2022 20:41:00
Event String:
The dynamic deletion of the DNS record '_kpasswd._udp.our-domain-name.com. 600 IN SRV 0 100 464 AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: 172.18.140.123
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.
A warning event occurred. EventID: 0x00001695
Time Generated: 03/02/2022 20:42:08
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'our-domain-name.com.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.
A warning event occurred. EventID: 0x00001695
Time Generated: 03/02/2022 20:42:08
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.our-domain-name.com.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.
A warning event occurred. EventID: 0x00001695
Time Generated: 03/02/2022 20:42:08
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.our-domain-name.com.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/02/2022 20:44:55
Event String:
The WinRM service is not listening for WS-Management requests.

User Action
If you did not intentionally stop the service, use the following command to see the WinRM configuration:

winrm enumerate winrm/config/listener
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:45:04
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:45:04
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:45:04
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2022 20:45:06
Event String: Name resolution for the name wpad timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2022 20:45:10
Event String: Name resolution for the name wpad timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x00072793
Time Generated: 03/02/2022 20:45:17
Event String:
The IP Range 127.0.0.1 is invalid and it will be ignored.

Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," as delimiter.
Example IPv4 ranges: 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
Example IPv6 ranges: 3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562

User Action
Correct the IP filter 127.0.0.1 using the syntax described above.
A warning event occurred. EventID: 0x000727AA
Time Generated: 03/02/2022 20:45:29
Event String:
The WinRM service failed to create the following SPNs: WSMAN/AD-SERVER.our-domain-name.com; WSMAN/AD-SERVER.

Additional Data
The error received was 1355: %%1355.

User Action
The SPNs can be created by an administrator using setspn.exe utility.
A warning event occurred. EventID: 0x00002724
Time Generated: 03/02/2022 20:45:33
Event String: This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
An error event occurred. EventID: 0x0000168E
Time Generated: 03/02/2022 20:45:46
Event String:
The dynamic registration of the DNS record 'ae2dfa24-4f30-4909-a5e3-079f70b6b83e._msdcs.our-domain-name.com. 600 IN CNAME AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: ::
Returned Response Code (RCODE): 0
Returned Status Code: 0

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: Bad DNS packet.
An error event occurred. EventID: 0x00000416
Time Generated: 03/02/2022 20:45:46
Event String:
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain our-domain-name.com, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this:
This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information).

This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

Some unexpected network error occurred.
A warning event occurred. EventID: 0x00001796
Time Generated: 03/02/2022 20:46:26
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check:

Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?

Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
An error event occurred. EventID: 0x0000271A
Time Generated: 03/02/2022 20:46:42
Event String: The server {A463FCB9-6B1C-4E0D-A80B-A2CA7999E25D} did not register with DCOM within the required timeout.
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/02/2022 20:46:45
Event String:
The WinRM service is not listening for WS-Management requests.

User Action
If you did not intentionally stop the service, use the following command to see the WinRM configuration:

winrm enumerate winrm/config/listener
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:46:54
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:46:54
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:46:54
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2022 20:46:56
Event String: Name resolution for the name _ldap._tcp.dc._msdcs.our-domain-name.com. timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2022 20:46:57
Event String: Name resolution for the name _ldap._tcp.dc._msdcs.our-domain-name.com. timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x00072793
Time Generated: 03/02/2022 20:47:07
Event String:
The IP Range 127.0.0.1 is invalid and it will be ignored.

Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," as delimiter.
Example IPv4 ranges: 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
Example IPv6 ranges: 3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562

User Action
Correct the IP filter 127.0.0.1 using the syntax described above.
A warning event occurred. EventID: 0x000727AA
Time Generated: 03/02/2022 20:47:19
Event String:
The WinRM service failed to create the following SPNs: WSMAN/AD-SERVER.our-domain-name.com; WSMAN/AD-SERVER.

Additional Data
The error received was 1355: %%1355.

User Action
The SPNs can be created by an administrator using setspn.exe utility.
A warning event occurred. EventID: 0x00002724
Time Generated: 03/02/2022 20:47:35
Event String: This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
An error event occurred. EventID: 0x00000416
Time Generated: 03/02/2022 20:47:36
Event String:
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain our-domain-name.com, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this:
This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information).

This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

Some unexpected network error occurred.
A warning event occurred. EventID: 0x00001796
Time Generated: 03/02/2022 20:48:07
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check:

Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?

Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/02/2022 20:48:33
Event String:
The WinRM service is not listening for WS-Management requests.

User Action
If you did not intentionally stop the service, use the following command to see the WinRM configuration:

winrm enumerate winrm/config/listener
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:48:42
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:48:42
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/02/2022 20:48:42
Event String: The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2022 20:48:44
Event String: Name resolution for the name wpad timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2022 20:48:47
Event String: Name resolution for the name wpad timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x00072793
Time Generated: 03/02/2022 20:48:55
Event String:
The IP Range 127.0.0.1 is invalid and it will be ignored.

Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," as delimiter.
Example IPv4 ranges: 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
Example IPv6 ranges: 3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562

User Action
Correct the IP filter 127.0.0.1 using the syntax described above.
A warning event occurred. EventID: 0x000727AA
Time Generated: 03/02/2022 20:49:07
Event String:
The WinRM service failed to create the following SPNs: WSMAN/AD-SERVER.our-domain-name.com; WSMAN/AD-SERVER.

Additional Data
The error received was 1355: %%1355.

User Action
The SPNs can be created by an administrator using setspn.exe utility.
A warning event occurred. EventID: 0x00002724
Time Generated: 03/02/2022 20:49:11
Event String: This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
An error event occurred. EventID: 0x0000168E
Time Generated: 03/02/2022 20:49:24
Event String:
The dynamic registration of the DNS record 'ae2dfa24-4f30-4909-a5e3-079f70b6b83e._msdcs.our-domain-name.com. 600 IN CNAME AD-SERVER.our-domain-name.com.' failed on the following DNS server:

DNS server IP address: ::
Returned Response Code (RCODE): 0
Returned Status Code: 0

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: Bad DNS packet.
An error event occurred. EventID: 0x00000416
Time Generated: 03/02/2022 20:49:24
Event String:
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain our-domain-name.com, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this:
This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information).

This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

Some unexpected network error occurred.
A warning event occurred. EventID: 0x00001796
Time Generated: 03/02/2022 20:51:09
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check:

Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?

Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
......................... AD-SERVER failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com and backlink on CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com are correct.
The system object reference (serverReferenceBL) CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and backlink on CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com are correct.
The system object reference (msDFSR-ComputerReferenceBL) CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and backlink on CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com are correct.
......................... AD-SERVER passed test VerifyReferences
Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS
Test omitted by user request: DNS

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : our-domain-name
Starting test: CheckSDRefDom
......................... our-domain-name passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... our-domain-name passed test CrossRefValidation

Running enterprise tests on : our-domain-name.com
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f3fd
PDC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f3fd
Time Server Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f3fd
Preferred Time Server Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f3fd
KDC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f3fd
......................... our-domain-name.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... our-domain-name.com passed test Intersite

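Added triage script for the dcdiag output above; this is not from the original thread or from any Microsoft tool, and it assumes it is run in an elevated PowerShell session on the DC itself (the DNS Server module is present because the DC also runs DNS). The domain name is a placeholder taken from the posted output. The checks are read-only: nothing here resets a password or edits DNS. The point worth checking is that every NETLOGON failure in the log is the same refusal: RCODE 5 is REFUSED and status 9017 is DNS_ERROR_RCODE_BADKEY, which a DNS server returns when the GSS-TSIG (Kerberos) authentication of a secure dynamic update fails. Secure-only zones require the DC to authenticate before it can register or delete its own SRV records, so a machine account whose password no longer matches AD cannot update DNS, and the script ties those three observations (secure channel, event pattern, zone update mode) together.

```powershell
# Added example (not from the thread): read-only triage for a DC whose NETLOGON
# DNS registrations fail with RCODE 5 / status 9017 ("DNS bad key").
# Assumption: run elevated on the DC; $Domain is a placeholder from the posted output.

$Domain = 'our-domain-name.com'

# 1. Secure channel to the domain: the symptom the thread is about. Returns $false
#    when the machine account password held locally no longer matches AD.
$scOk = Test-ComputerSecureChannel -Verbose
"Secure channel OK: $scOk"

# 2. Which DNS servers does the DC's own resolver use? A sole DC/DNS server should
#    point at its own LAN address (127.0.0.1 at most as a secondary).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 3. Pull the NETLOGON events dcdiag listed: 5774 (0x168E) registration failed,
#    5775 (0x168F) deletion failed, 5781 (0x1695) registration/deletion failed for
#    a domain. Group by ID, status and RCODE: one uniform BADKEY/REFUSED pattern
#    points at authentication, a mix points at resolver or zone configuration.
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774, 5775, 5781 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            # The event body carries the codes as text; parse them from the message.
            Status = if ($_.Message -match 'Returned Status Code:\s+(\d+)') { $Matches[1] } else { '' }
            RCode  = if ($_.Message -match 'RCODE\):\s+(\d+)') { $Matches[1] } else { '' }
        }
    } | Group-Object Id, Status, RCode | Select-Object Count, Name

# 4. Does the DC locator record resolve from every configured DNS server? The
#    posted log shows _ldap._tcp.dc._msdcs timing out, which breaks DC discovery.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique
foreach ($server in $servers) {
    try {
        $r = Resolve-DnsName -Name $srv -Type SRV -Server $server -DnsOnly -ErrorAction Stop
        $targets = $r | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
        "$server answers $srv -> $($targets -join ', ')"
    } catch {
        "$server FAILED for $srv : $($_.Exception.Message)"
    }
}

# 5. Zone update mode on the local DNS server. 'Secure' means every dynamic update
#    must be authenticated with GSS-TSIG, which is exactly what a broken secure
#    channel prevents; the zone must also be AD-integrated for that mode.
Get-DnsServerZone -Name $Domain |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# 6. After the cause is fixed, force re-registration (the action the 5781 event
#    recommends) and re-verify the secure channel, then re-run steps 3 and 4.
# nltest /dsregdns
# nltest /sc_verify:$Domain
```

If step 1 reports a healthy channel but step 3 still shows 9017 on a fresh boot, compare the time stamps of the failures with the NETLOGON and DNS Server service start times in the System log: a DC that tries to register before its own DNS service is answering will fail the first attempt and retry later, which looks different from the persistent refusal in the thread.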
Did you manage to solve the problem?