Many errors after DC migration

tarek H 181 Reputation points
2021-09-11T09:46:03.22+00:00

I created a new DC VM (2016), moved the roles, waited for the replication and changed the IP (flush DNS, register DNS and dcdiag /fix), but I am still getting errors in the dcdiag that I am not able to understand.
I want to demote the original DC (called server1).
IP or domain name presence is not important; this is an airgapped system.

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator.OTOJUSTE> dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = DC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC
Starting test: Connectivity
......................... DC passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC
Starting test: Advertising
......................... DC passed test Advertising
Starting test: FrsEvent
......................... DC passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... DC failed test DFSREvent
Starting test: SysVolCheck
......................... DC passed test SysVolCheck
Starting test: KccEvent
An error event occurred. EventID: 0xC0000827
Time Generated: 09/11/2021 08:32:55
Event String:
Active Directory Domain Services could not resolve the following DNS host name of the source domain controll
er to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from repli
cating between one or more domain controllers in the forest. Security groups, group policy, users and computers and thei
r passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon au
thentication and access to network resources.
A warning event occurred. EventID: 0x80000BE1
Time Generated: 09/11/2021 09:20:11
Event String:
The security of this directory server can be significantly enhanced by configuring the server to enforce va
lidation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are i
ssuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the securi
ty of this server.
A warning event occurred. EventID: 0x80000B47
Time Generated: 09/11/2021 09:20:11
Event String:
......................... DC failed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC passed test MachineAccount
Starting test: NCSecDesc
......................... DC passed test NCSecDesc
Starting test: NetLogons
......................... DC passed test NetLogons
Starting test: ObjectsReplicated
......................... DC passed test ObjectsReplicated
Starting test: Replications
[SERVER1] DsBindWithSpnEx() failed with error 5,
Access is denied..
[Replications Check,DC] A recent replication attempt failed:
From SERVER1 to DC
Naming Context: CN=Schema,CN=Configuration,DC=Otojuste,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2021-09-11 08:50:35.
The last success occurred at 2021-09-11 07:50:15.
1 failures have occurred since the last success.
The guid-based DNS name 6b1b8529-7380-49da-b4c2-8044e7ebbe2a._msdcs.Otojuste.local
is not registered on one or more DNS servers.
[Replications Check,DC] A recent replication attempt failed:
From SERVER1 to DC
Naming Context: CN=Configuration,DC=Otojuste,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2021-09-11 08:50:28.
The last success occurred at 2021-09-11 07:50:15.
1 failures have occurred since the last success.
The guid-based DNS name 6b1b8529-7380-49da-b4c2-8044e7ebbe2a._msdcs.Otojuste.local
is not registered on one or more DNS servers.
......................... DC failed test Replications
Starting test: RidManager
......................... DC passed test RidManager
Starting test: Services
......................... DC passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00002720
Time Generated: 09/11/2021 08:32:13
Event String:
The application-specific permission settings do not grant Local Activation permission for the COM Server app
lication with CLSID
A warning event occurred. EventID: 0x00001695
Time Generated: 09/11/2021 08:32:52
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'Otojuste.local.' fai
led. These records are used by other computers to locate this server as a domain controller (if the specified domain is
an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
A warning event occurred. EventID: 0x00001695
Time Generated: 09/11/2021 08:32:52
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.Otoju
ste.local.' failed. These records are used by other computers to locate this server as a domain controller (if the spec
ified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

A warning event occurred. EventID: 0x00001695
Time Generated: 09/11/2021 08:32:52
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.Otoju
ste.local.' failed. These records are used by other computers to locate this server as a domain controller (if the spec
ified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
An error event occurred. EventID: 0x40000004
Time Generated: 09/11/2021 08:32:58
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was OTOJU
STE\SERVER1$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur
when the target server principal name (SPN) is registered on an account other than the account the target service is usi
ng. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the t
arget service account password is different than what is configured on the Kerberos Key Distribution Center for that tar
get service. Ensure that the service on the server and the KDC are both configured to use the same password. If the serv
er name is not fully qualified, and the target domain (OTOJUSTE.LOCAL) is different from the client domain (OTOJUSTE.LOC
AL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to ident
ify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/11/2021 08:33:07
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was E3514
235-4B06-11D1-AB04-00C04FC2DCD2/6b1b8529-7380-49da-b4c2-8044e7ebbe2a/Otojuste.local@Otojuste.local. This indicates that
the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal n
ame (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is
only registered on the account used by the server. This error can also happen if the target service account password is
different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the servi
ce on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, an
d the target domain (OTOJUSTE.LOCAL) is different from the client domain (OTOJUSTE.LOCAL), check if there are identicall
y named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/11/2021 08:34:35
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was LDAP/
6b1b8529-7380-49da-b4c2-8044e7ebbe2a._msdcs.Otojuste.local. This indicates that the target server failed to decrypt the
ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account ot
her than the account the target service is using. Ensure that the target SPN is only registered on the account used by t
he server. This error can also happen if the target service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both co
nfigured to use the same password. If the server name is not fully qualified, and the target domain (OTOJUSTE.LOCAL) is
different from the client domain (OTOJUSTE.LOCAL), check if there are identically named server accounts in these two dom
ains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x0000272C
Time Generated: 09/11/2021 09:13:23
Event String:
DCOM was unable to communicate with the computer 1.1.1.1 using any of the configured protocols; requested by
PID 11b4 (C:\Windows\system32\dcdiag.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 09/11/2021 09:13:44
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by
PID 11b4 (C:\Windows\system32\dcdiag.exe).
An error event occurred. EventID: 0x40000004
Time Generated: 09/11/2021 09:34:41
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was LDAP/
6b1b8529-7380-49da-b4c2-8044e7ebbe2a._msdcs.Otojuste.local. This indicates that the target server failed to decrypt the
ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account ot
her than the account the target service is using. Ensure that the target SPN is only registered on the account used by t
he server. This error can also happen if the target service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both co
nfigured to use the same password. If the server name is not fully qualified, and the target domain (OTOJUSTE.LOCAL) is
different from the client domain (OTOJUSTE.LOCAL), check if there are identically named server accounts in these two dom
ains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x000003EE
Time Generated: 09/11/2021 00:01:37
Event String:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a d
omain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
......................... DC failed test SystemLog
Starting test: VerifyReferences
......................... DC passed test VerifyReferences

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : Otojuste
Starting test: CheckSDRefDom
......................... Otojuste passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Otojuste passed test CrossRefValidation

Running enterprise tests on : Otojuste.local
Starting test: LocatorCheck
......................... Otojuste.local passed test LocatorCheck
Starting test: Intersite
......................... Otojuste.local passed test Intersite
PS C:\Users\Administrator.OTOJUSTE>


Accepted answer
  1. tarek H 181 Reputation points
    2021-09-15T13:56:03.46+00:00

    We can close this thread; I did a metadata cleanup and the errors stopped.
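
The GUID in the dcdiag 8524 errors in the question (6b1b8529-7380-49da-b4c2-8044e7ebbe2a) is the objectGUID of a domain controller's NTDS Settings object, and the `_msdcs` CNAME built from it is what a replication partner resolves before it binds. An unregistered GUID name, together with the `DsBindWithSpnEx()` access-denied result and the `KRB_AP_ERR_MODIFIED` events naming SERVER1, is consistent with a DC whose directory metadata outlived the machine, which is what the accepted answer's metadata cleanup removes. The PowerShell below is an added example, not code from this thread or from Microsoft: it maps the GUIDs dcdiag complains about back to their NTDS Settings objects and reports whether the owner still exists and answers LDAP, which is the check to run before a metadata cleanup and again afterwards to confirm the object is gone. It assumes it is run on a DC as Domain Admin with the ActiveDirectory, DnsClient and NetTCPIP modules available; the dcdiag excerpt is constructed from the question's own output, and `Get-DcdiagGuidNames`, `Get-NtdsDsaInventory` and `Find-StaleDcFromDcdiag` are names chosen here.

```powershell
# Added example, not from the thread: map dcdiag's unregistered GUID-based
# names to NTDS Settings objects and decide whether each owner is a live DC.
# Assumes: run on a DC as Domain Admin with the ActiveDirectory, DnsClient
# and NetTCPIP modules available (Windows Server 2012 R2 or later).
Import-Module ActiveDirectory

# Constructed input: excerpt of the dcdiag output pasted in the question.
$DcdiagText = @'
[SERVER1] DsBindWithSpnEx() failed with error 5,
Access is denied..
The guid-based DNS name 6b1b8529-7380-49da-b4c2-8044e7ebbe2a._msdcs.Otojuste.local
is not registered on one or more DNS servers.
'@

function Get-DcdiagGuidNames {
    # Pull every "<guid>._msdcs.<forest>" that dcdiag reported as unregistered.
    param([string]$Text)
    $pattern = 'guid-based DNS name\s+([0-9a-fA-F-]{36})\._msdcs\.([\w.-]+)'
    [regex]::Matches($Text, $pattern) |
        ForEach-Object {
            [pscustomobject]@{ DsaGuid = $_.Groups[1].Value.ToLower(); Forest = $_.Groups[2].Value }
        } |
        Sort-Object DsaGuid -Unique
}

function Get-NtdsDsaInventory {
    # Every nTDSDSA object under CN=Sites is a DC the directory still believes in;
    # a demoted DC whose object is still here is what metadata cleanup removes.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNc" |
        ForEach-Object {
            # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
            $parts = $_.DistinguishedName -split ','
            [pscustomobject]@{
                DsaGuid = $_.ObjectGUID.ToString().ToLower()
                Server  = $parts[1] -replace '^CN=', ''
                Site    = $parts[3] -replace '^CN=', ''
                Dn      = $_.DistinguishedName
            }
        }
}

function Find-StaleDcFromDcdiag {
    # One row per GUID dcdiag complained about, with a verdict for the operator.
    param([string]$Text)
    $inventory = Get-NtdsDsaInventory
    foreach ($hit in Get-DcdiagGuidNames -Text $Text) {
        $dsa   = $inventory | Where-Object { $_.DsaGuid -eq $hit.DsaGuid }
        $cname = Resolve-DnsName -Name "$($hit.DsaGuid)._msdcs.$($hit.Forest)" -Type CNAME -ErrorAction SilentlyContinue
        $ldapUp = $false
        if ($dsa) {
            # A DC that still owns this GUID should answer LDAP on 389.
            $ldapUp = (Test-NetConnection -ComputerName $dsa.Server -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        $verdict = if (-not $dsa) { 'clean: no NTDS Settings object remains for this GUID' }
                   elseif (-not $ldapUp) { 'stale metadata: owner does not answer LDAP; remove it with ntdsutil metadata cleanup' }
                   else { 'owner is up: re-register its records (nltest /dsregdns on that DC) and re-check DNS' }
        [pscustomobject]@{
            DsaGuid     = $hit.DsaGuid
            Owner       = if ($dsa) { $dsa.Server } else { '(none)' }
            Site        = if ($dsa) { $dsa.Site } else { '' }
            CnameTarget = if ($cname) { $cname.NameHost } else { '(not registered)' }
            AnswersLdap = $ldapUp
            Verdict     = $verdict
        }
    }
}

Find-StaleDcFromDcdiag -Text $DcdiagText | Format-List
```

Run it once before cleanup to see the GUID resolved to the SERVER1 NTDS Settings object with `AnswersLdap` false, and once after cleanup, when the same GUID should report `clean` and a fresh `dcdiag /test:replications` should no longer list the 8524 error. The NTDS Settings lookup is done by GUID rather than by host name on purpose: the `_msdcs` CNAME and the Kerberos SPN in the events (`E3514235-...`/`6b1b8529-...`) both key on that GUID, so it is the identifier that survives renames and IP changes.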


5 additional answers

  1. tarek H 181 Reputation points
    2021-09-13T15:40:57.11+00:00

    Hello, there is only one DC; the last one was demoted on Saturday but the issue happened today!
    How do I check the subnet and site settings? What should I be looking for?

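
For the question about checking site and subnet settings, the PowerShell below is an added example, not code from this thread or from Microsoft. It lists every site with the subnets and domain controllers mapped to it, then checks each DC's IPv4 address against the defined subnets, because a DC (or client) whose address falls in no subnet is located without site affinity, and a site with no subnet or no DC is a common leftover after a migration. It assumes the ActiveDirectory module and an account that can read the configuration partition; `Test-IPv4InSubnet`, `Get-SiteTopologyReport` and `Get-DcSubnetMapping` are names chosen here, and the subnet check is IPv4-only.

```powershell
# Added example, not from the thread: report AD site/subnet configuration and
# flag DCs whose address falls in no defined subnet. Assumes the ActiveDirectory
# module and a domain account that can read the configuration partition.
Import-Module ActiveDirectory

function Test-IPv4InSubnet {
    # True when $Ip is inside the IPv4 CIDR block $Cidr (for example 10.20.0.0/16).
    param([string]$Ip, [string]$Cidr)
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or $Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { return $false }
    $net, $bits = $Cidr -split '/'
    $toInt64 = {
        param([string]$Address)
        $bytes = ([ipaddress]$Address).GetAddressBytes()
        [array]::Reverse($bytes)            # network byte order -> little-endian for BitConverter
        [int64][BitConverter]::ToUInt32($bytes, 0)
    }
    # Prefix mask as a 64-bit value so the shift never overflows; keep the low 32 bits.
    $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((& $toInt64 $Ip) -band $mask) -eq ((& $toInt64 $net) -band $mask)
}

function Get-SiteTopologyReport {
    # One row per site: the subnets mapped to it and the DCs that advertise in it.
    $subnets = Get-ADReplicationSubnet -Filter *
    $dcs     = Get-ADDomainController -Filter *
    foreach ($site in Get-ADReplicationSite -Filter *) {
        # Subnet objects carry the site as a DN; DC objects carry the site by name.
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $siteDcs     = @($dcs | Where-Object { $_.Site -eq $site.Name })
        [pscustomobject]@{
            Site    = $site.Name
            Subnets = if ($siteSubnets) { $siteSubnets.Name -join ', ' } else { '(none: clients cannot be placed in this site by address)' }
            DCs     = if ($siteDcs) { $siteDcs.HostName -join ', ' } else { '(no DC: clients here rely on automatic site coverage)' }
        }
    }
}

function Get-DcSubnetMapping {
    # For each DC: the defined subnet its IPv4 address falls in, or a warning when none matches.
    $subnets = @(Get-ADReplicationSubnet -Filter * | Where-Object { $_.Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' })
    foreach ($dc in Get-ADDomainController -Filter *) {
        $match = @($subnets | Where-Object { Test-IPv4InSubnet -Ip $dc.IPv4Address -Cidr $_.Name })
        [pscustomobject]@{
            DC             = $dc.HostName
            IPv4           = $dc.IPv4Address
            Site           = $dc.Site
            MatchingSubnet = if ($match) { $match.Name -join ', ' } else { '(none defined for this address)' }
        }
    }
}

Get-SiteTopologyReport | Format-Table -AutoSize
Get-DcSubnetMapping    | Format-Table -AutoSize
# Which site this machine itself resolves to, as the DC locator sees it.
Write-Host "Site this machine resolves to: $((nltest /dsgetsite 2>$null) -join ' ')"
```

After a DC's IP address is changed, as in this thread, the second table is the one to read: the new address must fall in a subnet mapped to the site the DC sits in, otherwise clients keep locating DCs through the generic `_tcp` records rather than the site-specific ones.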