question

kimsengvit-5577 asked DSPatrick commented

Client can't join primary domain controller but secondary domain controller is working normal?

Hi team,



I have two domain controllers, a primary and a secondary, on Windows Server 2016 Standard. Now I have an issue with my clients: any new client PC with Windows 10 can't join the primary domain controller, but my secondary domain controller is working fine. I noticed that yesterday I tried to install a WSUS server (but this server is on another host); after that, a new PC can't join, and clients configured with the primary domain controller as DNS also can't access websites, although pinging by IP works fine. I'm not 100% sure it's the WSUS server.

Any idea?
[screenshot attached]


windows-server-2016

DSPatrick answered kimsengvit-5577 commented

Please run:

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt

then put the unzipped text files up on OneDrive and share a link.


DSPatrick answered kimsengvit-5577 commented

I'd check that the domain controller and the problem member both have the static IP address of the DC listed for DNS and no others, such as the router or public DNS.

--please don't forget to upvote and Accept as answer if the reply is helpful--



Hi,

Yes, both servers have static IPs, and we have DHCP provided by the router.

And my problem is that clients can't join the primary domain controller, but it works fine with the secondary domain controller.

Best Regards,
Kimseng

DaisyZhou-MSFT answered kimsengvit-5577 commented

Hello @kimsengvit-5577,

Thank you for posting here.

Based on the description, I understand you want to join a WSUS server to the existing domain with two DCs (a primary domain controller and a secondary domain controller).

Please troubleshoot as below:

1. Before we make any change in an existing AD domain environment, we had better do the following:
    1-1. Check if the AD environment is healthy. Check that all DCs in this domain are working fine by running the command Dcdiag /v on each DC.
    1-2. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on the primary DC.
    1-3. Check if both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
    1-4. Check if we can update GPO by running the command gpupdate /force on each DC successfully.

2. Check if you set static IP addresses for both DCs.

For example:
102789-ns2.png


3. Check if the primary domain controller and the secondary domain controller are both DNS servers (I mean check if you installed and configured the DNS role on both DCs).

Or check if there is an NS record for both DCs in DNS Manager.

For example:
102842-ns1.png

4. Check if you set the correct preferred DNS server on the WSUS server (please double check here; not a single digit can be wrong).

For example:

102851-ns3.png


5. Check if you typed the correct domain name when joining the server to the domain.


If it does not work, please confirm:

1. Based on "Now i have some issue with my client any new client PC with windows 10 can't join primary domain controller but my secondary domain controller is working fine. ", did you mean that when you set the Preferred DNS server to the IP address of the primary domain controller on the WSUS server, you cannot join the WSUS server to the domain, but when you set the Preferred DNS server to the IP address of the secondary domain controller on the WSUS server, you can join the WSUS server to the domain? Is that right?

2. What did you mean by "also can't access to website"?



Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.



ns2.png (17.7 KiB)
ns1.png (25.9 KiB)
ns3.png (15.4 KiB)
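The checks in steps 1 to 5 above, together with the dcdiag/repadmin collection DSPatrick asked for earlier, as one added PowerShell script (example code, not from either poster). It assumes RSAT with the ActiveDirectory and DnsServer modules on the machine it runs from; the domain name and the second DC name are placeholders, and TT-DC01-2k16 is the DC named later in the thread.

```powershell
# Added example (not from the thread): DNS/AD health check for a two-DC domain.
# Placeholders to change for your environment: $Domain and the second DC name.
# Run from an elevated PowerShell on a domain member with RSAT installed.
$Domain = 'corp.example'                  # placeholder, not the poster's domain
$DCs    = @('TT-DC01-2k16', 'TT-DC02')    # TT-DC02 is a placeholder name

Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

foreach ($dc in $DCs) {
    Write-Host "=== $dc ==="
    # Steps 2/3: each DC's own DNS client must list only DC addresses,
    # never the router or a public resolver.
    Get-DnsClientServerAddress -CimSession $dc -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { "  DNS on {0}: {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ') }

    # Domain join relies on the DC locator SRV record; if the DNS server a client
    # points at cannot answer it, that client cannot join.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dc -ErrorAction SilentlyContinue
    $srvTargets = if ($srv) { ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ' } else { 'FAILED' }
    "  DC locator SRV via {0}: {1}" -f $dc, $srvTargets

    # "Can't access any website" via one DC's DNS points at broken forwarders or
    # recursion on that server, not at the domain itself.
    $fwd = Get-DnsServerForwarder -ComputerName $dc -ErrorAction SilentlyContinue
    $fwdList = if ($fwd.IPAddress) { $fwd.IPAddress -join ', ' } else { 'none (root hints only)' }
    "  Forwarders on {0}: {1}" -f $dc, $fwdList
    $ext = Resolve-DnsName -Name 'www.example.com' -Server $dc -ErrorAction SilentlyContinue
    "  External resolution via {0}: {1}" -f $dc, $(if ($ext) { 'OK' } else { 'FAILED' })

    # Step 1-3: SYSVOL and NETLOGON must be shared or Group Policy will not apply.
    $shares = Get-SmbShare -CimSession $dc -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    "  SYSVOL/NETLOGON shared on {0}: {1}" -f $dc, (($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON'))
}

# Steps 1-1/1-2 and the earlier request: replication summary and dcdiag, saved to files.
repadmin /replsum  | Out-File "$env:TEMP\replsum.txt"
repadmin /showrepl | Out-File "$env:TEMP\showrepl.txt"
dcdiag /v /c /d /e "/s:$($DCs[0])" | Out-File "$env:TEMP\dcdiag.log"
```

A DC whose locator SRV query fails or whose external resolution fails while the other DC's succeeds is the one to fix; replication errors in replsum.txt explain missing policy on the second DC.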

Hi, Daisy,

I have two domain controllers, a primary and a secondary.

My issue is that my clients can't join the domain through the primary domain controller, but it works fine with the secondary controller. The way I know that I can't join through the primary domain controller is that I set the DNS IP manually on my client to each domain controller.

Any idea?

Kimseng


Hi,

1. Based on "Now i have some issue with my client any new client PC with windows 10 can't join primary domain controller but my secondary domain controller is working fine."

Answer: WSUS can join the domain because I have set manual DNS to both my domain controllers. Like I told you above, I'm not sure whether the problem started after I installed WSUS or not, but now all my clients can't join the domain through the primary domain controller (by manual DNS), but when I set manual DNS to the secondary domain controller, all my clients can join as normal.

2. What did you mean "also can't access to website"?
Answer: All my clients that use the primary domain controller's DNS can't access any website, but the DNS of my secondary domain controller is working fine.

DSPatrick answered DaisyZhou-MSFT commented

On TT-DC01-2k16 I'd add the domain controller's own static IP address (10.10.101.101) to the DNS list, then do ipconfig /flushdns, ipconfig /registerdns, and restart the netlogon service.


There may be some replication problems between the domain controllers. You'll need to examine the event logs on both for more details.

I'd check that the required ports are flowing between the networks 172.21.11.1 and 10.10.101.1:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts
https://www.microsoft.com/en-us/download/details.aspx?id=24009


--please don't forget to upvote and Accept as answer if the reply is helpful--



Hi DSPatrick,

After I ran the commands

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt

my client PC could join the domain again without running ipconfig /flushdns, ipconfig /registerdns, or restarting the netlogon service. Do I still need to run these commands?

Other questions:

1/ I have another issue: sometimes my clients can't get policy rules from the server. Example: with the wallpaper from the server, some users get it and some users get a black screen. Could you guide me on how to check?

2/ I have a few VLANs joined to AD, but when users log on from a different VLAN they can't get any policy from the server either. Note: I have already checked the firewall.

Best Regards,


Hello @kimsengvit-5577,

I am so glad to receive your reply. I am very glad that the problem has been solved.

In order to avoid confusion between questions and answers, we suggest that it is best to post one question per post.

If you have any other questions, you are welcome to post them anytime. I suggest you open a new post and describe the problem in detail.

Thank you for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DSPatrick answered DSPatrick commented

Glad to hear it helps. There appear to be some replication problems between the domain controllers. You'll need to examine the event logs on both for more details. This is the reason the policy is not replicated. Depending on the errors found, you may need to perform a non-authoritative synchronization:
https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

--please don't forget to upvote and Accept as answer if the reply is helpful--



Hi DSPatrick,

Could you guide me through the steps to check and fix the issues in my questions below?

1/ I have another issue: sometimes my clients can't get policy rules from the server. Example: with the wallpaper from the server, some users get it and some users get a black screen. Could you guide me on how to check?

2/ I have a few VLANs joined to AD, but when users log on from a different VLAN they can't get any policy from the server either. Note: I have already checked the firewall.

Best Regards,


There appear to be some replication problems between the domain controllers. You'll need to examine the event logs on both for more details. This is the reason the policy is not replicated. Depending on the errors found, you may need to perform a non-authoritative synchronization:
https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo