Orangeflava-5186 asked DSPatrick commented

Authentication and Binding issues with Primary Domain Controller after Crash

We have a domain with two Domain Controllers on Windows Server 2016, AFWDC1 and AFWDC2. DC1 is primary and crashed last weekend during a power outage. We ran Microsoft recovery and were able to get it back up, but now it has lost its trust/binding/authentication privileges, time has been off, applications cannot authenticate to it to verify new users as before, etc.

Can ping and get to DC1 via console but cannot remote desktop to it.
When trying via host name it does not connect. When trying via IP it fails and says, "an attempt was made to logon but the network logon service was not started"
Have checked and the netlogon service is started.

IP is correct and DNS is our DC ips and 127.0.0.1


Ran a dcdiag on DC1 and here are the results:
Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = AFWDC01
[AFWDC01] Directory Binding Error -2146893022:
The target principal name is incorrect.
This may limit some of the tests that can be performed.
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: FortWorth\AFWDC01
Starting test: Connectivity
[AFWDC01] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... AFWDC01 failed test Connectivity

Doing primary tests

Testing server: FortWorth\AFWDC01
Skipping all tests, because server AFWDC01 is not responding to directory service requests.


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : gdc
Starting test: CheckSDRefDom
......................... gdc passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... gdc passed test CrossRefValidation

Running enterprise tests on : gdc.com
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
A KDC could not be located - All the KDCs are down.
......................... gdc.com failed test LocatorCheck
Starting test: Intersite
......................... gdc.com passed test Intersite

Any ideas? Have not come across this before, so more explaining can help. Thanks for any help/input! Let me know if you need more info.

windows-server windows-active-directory

DSPatrick answered DSPatrick edited

Restore / recovery isn't recommended in a multi-domain controller environment. The simplest / safest solution is to power it off, seize roles to a healthy one (if needed)
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

then perform cleanup.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

and rebuild the failed one.

I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new one, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health.


--please don't forget to upvote and Accept as answer if the reply is helpful--
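The answer above lists the order of operations (verify the survivor, seize roles, clean up metadata, verify again) but not the commands. The following is an added example, not code from the thread or from the linked Microsoft articles, that scripts that path from the surviving DC. Every name in it is an assumption taken from the dcdiag output in the question (failed DC AFWDC01, surviving DC AFWDC02, domain gdc.com); the crashed DC is assumed to be powered off and to stay off, since a seized role holder that comes back online produces duplicate PDC emulator and RID-pool conflicts.

```powershell
# Added example (not the thread's or Microsoft's code): seize-and-clean-up from the
# SURVIVING DC. Assumed names from the question's dcdiag output: AFWDC01 (crashed,
# powered off), AFWDC02 (healthy), domain gdc.com. Run elevated with RSAT AD tools.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$FailedDc  = 'AFWDC01'   # assumption: the crashed DC, now powered off for good
$HealthyDc = 'AFWDC02'   # assumption: the DC that takes over the roles

# 1. Health of the survivor first. /q prints only failures, so silence is the goal
#    before any role operation. Time matters because Kerberos tolerates 5 min of skew.
dcdiag /s:$HealthyDc /q
repadmin /replsummary $HealthyDc
w32tm /query /status

# 2. Inventory the five FSMO roles and pick out those stranded on the dead DC.
$forest = Get-ADForest -Server $HealthyDc
$domain = Get-ADDomain -Server $HealthyDc
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Format-Table Key, Value -AutoSize
$stranded = @($roles.GetEnumerator() |
    Where-Object { $_.Value -like "$FailedDc*" } |
    ForEach-Object { $_.Key })

# 3. Seize only what is stranded. -Force attempts a transfer first and seizes when
#    the current holder cannot be contacted, which is the situation here.
if ($stranded.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc `
        -OperationMasterRole $stranded -Force -Confirm:$false
}

# 4. Metadata cleanup. Find the dead DC's server object under CN=Sites in the
#    configuration partition and remove it with ntdsutil (one-line form of the
#    interactive steps in the linked cleanup article; ntdsutil still prompts you to
#    confirm). This removes its NTDS Settings object too, so the KCC stops building
#    replication links to a partner that no longer exists.
$configNc  = (Get-ADRootDSE -Server $HealthyDc).configurationNamingContext
$serverObj = Get-ADObject -Server $HealthyDc -SearchBase $configNc `
    -Filter "objectClass -eq 'server' -and Name -eq '$FailedDc'"
if ($serverObj) {
    ntdsutil "metadata cleanup" "remove selected server $($serverObj.DistinguishedName)" quit quit
}

# 5. Verify. The dead DC must be gone from the DC list, and no SRV record should
#    still advertise it as LDAP/KDC; stale records send clients to a DC that no
#    longer answers, and the locator then reports the DC as "could not be located".
Get-ADDomainController -Filter * -Server $HealthyDc |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -Server $HealthyDc |
    Where-Object { $_.NameTarget -like "$FailedDc*" }
dcdiag /s:$HealthyDc /q
repadmin /replsummary $HealthyDc
```

Step 2 prints the role table before anything is changed, so the operator can see which roles the seize will actually touch; a healthy DC that already holds a role is left alone. The SRV check in step 5 is the part most often skipped: the survivor can be perfectly healthy while DNS still hands out the dead DC's name to clients.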

Orangeflava-5186 answered DSPatrick commented

So there is no way to "resync" the existing one so it can work like it did a week ago without having to set up a new machine and migrate everything?


You can try move roles off, demote, reboot, and promo it again.

--please don't forget to upvote and Accept as answer if the reply is helpful--



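The comment above is the in-place alternative to a rebuild: move roles off, demote, reboot, promote again. The following is an added example, not code from the thread, that scripts it as two phases run on the crashed DC with a reboot between them; it also covers the case a practitioner most often hits, a graceful demotion that fails because the damaged directory can no longer replicate, by falling back to a forced removal. All names are assumptions taken from the dcdiag output in the question (this DC AFWDC01, healthy partner AFWDC02, domain gdc.com, site FortWorth), and the script file name Rebuild-Dc.ps1 is hypothetical.

```powershell
# Added example (not the thread's code): demote, reboot, re-promote, run ON the
# crashed DC. Assumed names from the question's dcdiag output: AFWDC01 (this DC),
# AFWDC02 (healthy), gdc.com, site FortWorth. Hypothetical usage:
#   .\Rebuild-Dc.ps1 -Phase Demote    # then reboot
#   .\Rebuild-Dc.ps1 -Phase Promote   # after the reboot, as a member server
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][ValidateSet('Demote', 'Promote')][string]$Phase
)
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$ThisDc    = 'AFWDC01'
$HealthyDc = 'AFWDC02'
$Domain    = 'gdc.com'
$Site      = 'FortWorth'
$cred      = Get-Credential -Message 'Domain Admins account'
$dsrmPwd   = Read-Host -AsSecureString -Prompt 'DSRM / local Administrator password'

switch ($Phase) {
    'Demote' {
        # 1. Move any FSMO role this DC still holds to the healthy partner. Without
        #    -Force this is a transfer and needs a working secure channel; if it fails,
        #    seize from AFWDC02 instead (Move-ADDirectoryServerOperationMasterRole -Force).
        $held = @((Get-ADDomainController -Identity $ThisDc -Server $HealthyDc).OperationMasterRoles)
        if ($held.Count -gt 0) {
            Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc `
                -OperationMasterRole $held -Confirm:$false
        }

        # 2. Demote. A graceful demotion replicates pending changes out and removes this
        #    DC's own metadata. If the directory can no longer replicate, it fails; the
        #    fallback -ForceRemoval strips AD DS locally and leaves the metadata cleanup
        #    to be done on AFWDC02 (ntdsutil "metadata cleanup") before re-promotion.
        $result = Uninstall-ADDSDomainController -Credential $cred `
            -LocalAdministratorPassword $dsrmPwd -DemoteOperationMasterRole `
            -NoRebootOnCompletion -Force
        if ($result.Status -ne 'Success') {
            Write-Warning "Graceful demotion failed: $($result.Message)"
            Write-Warning "Forcing removal; clean up $ThisDc metadata on $HealthyDc before -Phase Promote."
            Uninstall-ADDSDomainController -LocalAdministratorPassword $dsrmPwd `
                -ForceRemoval -DemoteOperationMasterRole -NoRebootOnCompletion -Force
        }
        Write-Host 'Reboot now, then run this script again with -Phase Promote.'
    }
    'Promote' {
        # 3. After the reboot this is a plain member server. Its DNS client must point at
        #    the healthy DC, not at itself, or the promotion cannot locate the domain.
        Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
        Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

        # 4. Re-promote as DNS server and GC (the default), pulling the initial replica from
        #    the healthy DC so the database is a fresh copy rather than the repaired one.
        Install-ADDSDomainController -DomainName $Domain -Credential $cred `
            -SafeModeAdministratorPassword $dsrmPwd -InstallDns `
            -ReplicationSourceDC "$HealthyDc.$Domain" -SiteName $Site `
            -NoRebootOnCompletion -Force
        Write-Host 'Reboot, then verify with: repadmin /showrepl ; dcdiag /q ; w32tm /resync'
    }
}
```

The two-phase layout exists because a demotion ends in a reboot that the script cannot survive; the Promote phase starts from the state the reboot leaves behind. Passwords are read interactively rather than stored in the script, and the DSRM password is the one you will need if the rebuilt DC ever has to be booted into Directory Services Restore Mode again.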

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--




We are still investigating. Here is a write up we did of what was initially done and some error messages we got:

We had a power outage at our facility and the Hyper-V server that housed our primary domain controller (Windows Server 2016) was cold booted. When power was restored and the server was brought back online it was not booting and was getting the stop code 0xc00002e2.
Per a Microsoft support article, we performed a directory services repair using command: esentutl /p "c:\windows\ntds\ntds.dit"

The server then could boot but was not syncing with our other domain controllers and we are now having binding issues, time issues, DNS issues, new AD accounts are not registering/syncing properly, etc.
