One domain controller does not see the other.

I have 2 domain controllers, DC0 and DC1.

DC0 shows only itself  in Active Directory. Also DC0 shows that it is has the RID, PDC and Infrastructure roles in AD.

DC0 is getting the error...  

Event ID: 22
The time provider NtpServer encountered an error while digitally signing the  NTP response for peer 192.168.1.12:123.  NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: The specified user does not exist. (0x80070525)



DC1 shows both domain controllers in AD. DC1 also thinks it has the Infrastructure role.

DC1 is getting the error....
Event ID:
Time Provider NtpClient: The response received from domain controller dc0l has a bad signature. The response may have been tampered with and will be ignored.


I have a user that I can not join to the domain. I forget the exact error at the moment but was something to do with "allocating a relative identifier".

What would be the best plan of action to fix the problem. If I demoted DC1 and re promoted it again would that fix the issues? Would I loose any data in AD or loose my permissions on the shared folders on DC1?
If I demote DC1 will I be able to promote it back to a domain controller, even though I have a computer I can't join.


Any suggestions to help me on my way would help.
BiofilmincAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bhanukir7Commented:
Hi,

are both the DCs at the same location or at different locations. Is the subnet the same. Are there any network related issues or any firewalls between the DCs

bhanu
0
AmericomCommented:
There is no problem demote and promote a DC.
Before you do that, you may want to verify the DNS is configured probably. As long as there's no firewall in between these two DCs, the first thing you need to check is DNS.
Assuming you are using Windows DNS and Active Directory Integrated Zone(ADIZ), you want to have DNS services installed on both DCs. Make sure you have Name Server(NS) shows both DCs in the DNS. Make sure both Host records appears DNS forward zone. Make sure the Reverse Zone also configured. If you don't see one DC, just install DNS on the missing DC and configure it the same way as the other DC. If they are configured properly, then both DNS will replicate any record you create in one DNS to the other DNS. But the host and Name Server record must present first. If not, you can manually register it with IPCONFIG or simply restart the NetLogon Services on your DCs.
0
BiofilmincAuthor Commented:
I have the windows firewall disabled on both. Both are in same server room on 192.168.1.x network.

I can connect to DC1 from DC0 using \\dc1

and I can connect to DC0 from DC1 using \\dc0
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

BiofilmincAuthor Commented:
Both domain controllers have DNS but appear to be configured differently, or at least have different data.
dc0.JPG
dc1.JPG
0
AmericomCommented:
Actually they look the same, at lest on the high level. My guess is if your domain name is Bioxxx.local then they both look the same. If you click on this zone, they the content of this zone should be the same from both DC0 and DC1 if it's actually the same and working. What's bothers me is the _msdcs.Bioxxx.local zone which should not be in parallel of Bioxxx.local as it already contain _msdcs under it. You may want to double check on the _msdcs.Bioxxx.local and see how is it configured, I'm hoping it is just manually created or replicated from somewhere. What is needed to be equal is the content of the forward zone Bioxxx.local and everything underneath. Make sure you have both Nameserver and host record there of your DC0 and DC1. You can verify if the replication is working both simply create a dumy host record in Dc0 and see if DC1 will get it replcated.
0
BiofilmincAuthor Commented:
I've been sick and had to put this problem on hold. I will do what Americom says shortly.
0
BiofilmincAuthor Commented:
If I create a record in either server it is not replicated.  And DC1 has 71 records under biofilminc.local and DC0 has 70.
0
BiofilmincAuthor Commented:
I had to reformat them
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.