Domain authentication issue

We are a small single-domain company.  We've had one WinSvr2012 domain controller for years.  Recently we added 2 Server 2019 DCs with the objective of demoting and decommissioning the 2012 DC.  The 3 DCs seem to play nice together and correctly replicate new users, groups and computers.  However, when we shut down the 2012 DC, domain authentication is lost.  Primary/secondary DCs are ancient history so how can this be?  We did disable/remove the DNS role on the 2012 DC, so only our 2019 DCs are DNS.

26 Replies
What IPs do you use in your DHCP configuration for your clients? The IPs that point to your two new DCs?
Our DHCP is 192.168.0.98. 2012 DC is 192.168.0.100. 2019/new DCs are 192.168.0.99 and .102.
Ok, my question was.. What DNS servers do your clients get assigned from your DHCP server? If you run an "ipconfig /all" on a client which can't authenticate to the domain.. What is the primary and secondary DNS server, 192.168.0.99 and 192.168.0.102 or? These options are set in your DHCP, perhaps not changed?

Other than that, if you run "netdom query FSMO" Are all the FSMO roles present on one or both of the new DCs?
.99 and .102 are also DNS. IPconfig /all correctly shows them as DNS on our domain clients. I'm not sure how many FSMO roles should be present. Until now, I was only aware of "domain naming master".
Schema master: 2012 DC
domain naming master: 2019 DC (I changed this)
PDC: 2012 DC
RID pool manager: 2012 DC
Infrastructure master: 2012 DC

Thank you very much, Harm, for taking an interest in my AD problem.

They should all be present on a running domain controller (They can be offline for a little while, but not too long), so it's best to move them to one or divide them across two domain controllers. (Nice article here about that https://www.dtonias.com/transfer-fsmo-roles-domain-controller/) But the 2012 DC is just turned off or did you demote it first? If it's not demoted, please turn it back on and move the FSMO roles from it to another DC/DCs. If it's demoted, then seize the roles using the article (The NTDSUTIL part)
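
An added example (not code from the thread or the linked article) for the step above: it tabulates the five FSMO role holders as every DC sees them, which is the same information "netdom query fsmo" gives per DC, and then transfers the roles while the old holder is still online. It assumes the RSAT ActiveDirectory module and a Domain Admins/Enterprise Admins account; the `$target` hostname is a placeholder, not a name from the thread.

```powershell
# Added example, not from the thread: compare FSMO role holders as each DC sees
# them, then transfer the roles to a new DC while the old holder is still online.
# Assumes the RSAT ActiveDirectory module and Domain/Enterprise Admins rights.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Ask every DC for its own replica's view of the role owners. After a transfer
# the rows should agree once replication has converged.
$views = foreach ($dc in $dcs) {
    $d = Get-ADDomain -Server $dc
    $f = Get-ADForest -Server $dc
    [pscustomobject]@{
        QueriedDC            = $dc
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
$views | Format-Table -AutoSize

# Graceful transfer; the current holder must be reachable for this to succeed.
# $target is a placeholder: the hostname of the DC that should own the roles.
$target = 'DC2'
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Only when the old holder is permanently gone: -Force seizes instead of
# transferring (the PowerShell equivalent of the NTDSUTIL "seize" steps).
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator -Force
```

Run the first half again after the transfer; a DC whose row still names the 2012 DC as PDC emulator has not received the change, which points at the same replication or DNS problem the rest of the thread is chasing.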

The 2012 DC is running, and I'm afraid to demote it because it doesn't find the other two DCs during the demoting process. I'll move the FSMO roles tomorrow morning.
"The 3 DCs seem to play nice together and correctly replicate new users, groups and computers".. And still there is an issue, it's probably DNS related. Check the settings on all three DCs and see if they are correct. Hopefully you can move the roles so that those are safe, if that fails you can always transfer using NTDSUTIL. But one DC not finding two DCs is not a good sign. Could you run a dcdiag /v on all three and check the output for errors that might indicate the issue?

Thank you for the advice concerning the FSMO roles, Harm @Harm_Veenstra.  I moved all roles to the new domain controllers.  Can't figure out how to attach the DCDiag log files.  DCDiag shows multiple test failures (all three DCs were running):

  • Both new DCs (DC2/DC3) fail the DFSREvent test with the error "DFS Replication service failed to communicate with partner partner DC1" where DC1 is the original 2012 domain controller.
  • Both new DCs (DC2/DC3) fail the Advertising test with the error "SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE"
  • Both new DCs fail the NetLogons test with the error "An net use or LsaPolicy operation failed with error 67, The network name cannot be found"
  • DC3 fails (not DC2 though) the LocatorCheck test:  "A Primary Domain Controller could not be located" and "The server holding the PDC role is down" (DC2 is the PDC now)
  • Original DC1 fails the DFSREvent test:  "The DFS Replication service stopped replication on volume C:"
  • DC1 fails the SystemLog test:  "(KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket"
  • DC1 fails the LocatorCheck test:  "A Primary Domain Controller could not be located" and "The server holding the PDC role is down"
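
An added example (not code posted in the thread) for the dcdiag /v request above and the log files the asker could not attach: it runs dcdiag against every DC from one admin workstation, writes each verbose report to its own file, and summarises which tests failed on which DC by matching the "failed test <Name>" lines dcdiag prints. It assumes the RSAT ActiveDirectory module and dcdiag.exe on the machine it runs from.

```powershell
# Added example, not from the thread: collect dcdiag /v from every DC, one report
# file per DC, and summarise the failed tests. Assumes RSAT (ActiveDirectory
# module and dcdiag.exe) on the workstation running it.
Import-Module ActiveDirectory

$outDir = Join-Path $env:TEMP ("dcdiag-" + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$summary = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $log = Join-Path $outDir "$dc.txt"
    # /s: targets a DC by name, /v is verbose, /f: writes the full report to a file
    dcdiag /s:$dc /v /f:$log | Out-Null

    # dcdiag ends each failed test with a line like
    # "......................... DC2 failed test NetLogons"
    $failed = Select-String -Path $log -Pattern 'failed test (\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        DC          = $dc
        FailedTests = ($failed -join ', ')
        Report      = $log
    }
}

$summary | Format-Table -AutoSize
Write-Host "Full reports are under $outDir; those are the files to attach or paste from."
```

The summary table is what to compare across the three DCs; the per-DC files hold the verbose detail (the Advertising, NetLogons and LocatorCheck sections quoted later in this thread are taken from exactly that output).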
You said 'Primary/secondary DCs are ancient history', what did you mean by that? That all machines point to it and no changes in that for a long time?

Could you do this on the new DC's?

Net stop netlogon
Net start netlogon
Ipconfig /registerdns

And check system log for errors
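
An added example (not code from the thread) that does the three steps above on a new DC and then checks the result: it restarts Netlogon, re-registers the DC's DNS records, asks the DC locator for the PDC (the lookup behind "The primary Domain Controller for this domain could not be located"), confirms the PDC SRV record resolves, and lists recent System log errors and warnings from Netlogon, the KDC, the DNS client and DFSR. It is meant to be run in an elevated PowerShell on the DC itself and uses the DNS domain from the environment.

```powershell
# Added example, not from the thread: restart Netlogon, re-register DNS, then
# verify PDC location and pull the related System log entries. Run elevated on
# the DC being checked.
Restart-Service -Name Netlogon
ipconfig /registerdns | Out-Null
# Give Netlogon time to (re)write its SRV records and log any failures
Start-Sleep -Seconds 30

$domain = $env:USERDNSDOMAIN

# Same locator call a client makes; it should name the DC that now holds PDC emulator
nltest /dsgetdc:$domain /pdc

# The SRV record the locator relies on; it must point at the new PDC, not the old one
Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$domain" -Type SRV

# Errors/warnings (levels 1-3) in the last hour from the providers involved
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'NETLOGON|Kerberos-Key-Distribution-Center|DNS Client Events|DFSR' } |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -Wrap -AutoSize
```

If nltest or the SRV lookup still returns the old DC after this, the problem is in DNS (stale or missing records on the new DNS servers), not in Netlogon on the new DCs.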

@Harm_Veenstra 

I'm sorry, Harm, by "ancient history" I meant that I thought that primary domain controllers no longer existed because there is no UI to configure PDCs.  Our DC1 has been our PDC and only DC for the past 9 years.

System Log info from DC2 (now the PDC):

  • (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket.
  • The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (FORTECHDC1) that did not contain a PAC attributes field.

System log info from DC3:

  • Netlogon source: The primary Domain Controller for this domain could not be located.
You did restart the netlogon service from a command prompt and did the ipconfig /registerdns? No errors in the eventlog about that? Both DCs have their own ip as primary dns and the other DC as the secondary? Are the new DCs patched (Windows Update) to last month? The KDC error is also something that could be coming from patches from last November

@Harm_Veenstra 

I did restart the netlogon services from the command prompt and then executed ipconfig /registerdns.  The only error is from DC3: "A Primary Domain Controller could not be located".  DC2/DC3 have 127.0.0.1 as the primary DNS and each other as the secondary DNS.  They both are patched to April '22.  Both also reference DC1 as the GC name and time server, which shouldn't be the case I think.  They should reference themselves as the GC name and time server, correct? 

Timeserver should be configured to a domain controller which syncs its time to the internet or a hardware NTP. Are there time differences on the domain controllers?

Could you post a screenshot of the GC reference?
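
An added example (not code from the thread) covering the DNS, global catalog and time questions in the last few posts: from one admin workstation it lists every DC with its GC flag and FSMO roles, asks the locator which GC it would hand out, and then on each DC reads the DNS servers the DC itself uses and its time source and sync status, finishing with the clock offsets of all DCs. It assumes the RSAT ActiveDirectory module and WinRM access to each DC.

```powershell
# Added example, not from the thread: audit DNS client settings, GC status and
# time source on every DC. Assumes the ActiveDirectory module and WinRM access.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# Which global catalog the locator returns right now (compare with the dcdiag "GC Name")
nltest /dsgetdc:$env:USERDNSDOMAIN /gc

foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        "== $env:COMPUTERNAME =="
        # DNS servers this DC uses, per adapter that has any configured
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object InterfaceAlias, ServerAddresses
        # Time source and last successful sync; only the PDC emulator should
        # point outside the domain, every other DC should follow the domain hierarchy
        w32tm /query /source
        w32tm /query /status
    }
}

# Clock offset of each DC relative to the PDC emulator, in one view
w32tm /monitor
```

A DC that lists only its own loopback address as DNS, or whose time source is still the decommissioned DC, shows up immediately in this output, which is faster than reading the same facts out of three dcdiag reports.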
No time differences between the DCs.

The GC reference is shown in the DCdiag output:
Starting test: LocatorCheck
GC Name: \\DC1.<domain>
Ok, but DC1 is still there.. You did move all the FSMO roles, all domain controllers do see this change? If you run "netdom query fsmo" on all DCs individually, they do see the same output?
Yes, DC1 is still online. All 3 of the DCs show the same output from netdom query fsmo.
I think the next issue to resolve is the advertising test failure. From DCdiag output:

Starting test: Advertising
Warning: DsGetDcName returned information for \\DC1.<domain>, when we were trying to reach DC2.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DC2 failed test Advertising

My new DCs now pass the Advertising test.  They did not have SYSVOL shares.  I followed the instructions at the link below to set a registry entry to generate the missing shares.

https://social.technet.microsoft.com/Forums/en-US/3d76a999-cfdc-4eff-b2ab-2fb697e8d7ee/2016-sysvol-a...

The next step is to resolve the failed test NetLogons. From DCDiag output:

Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\DC2\netlogon)
[DC2] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... DC2 failed test NetLogons