Domain Controller Can't Authenticate against itself

Posted on 2012-04-04
Last Modified: 2012-06-13
I have two Server 2003 Domain Controllers. One has all of the FSMO roles (DC1) and one is just a standalone Domain Controller (DC2) with no FSMO roles. I shut down the standalone Domain Controller (DC2). When I try to RDP into the DC with all of the FSMO roles (as confirmed with the netdom /query fsmo command) it gives me the following error:

"The system cannot log you on due to the following error:
The specified domain either does not exist or could not be contacted.

Please try again or consult your system administrator."

Another symptom: when trying to create a share on another box and looking up Active Directory objects, it couldn't find them, only local computer users.

Looking through the event log there's nothing serious recently.

Thanks, Jonathan
Question by:RFVDB

Expert Comment

ID: 37805501
LVL 10

Expert Comment

by:Prashant Girennavar
ID: 37805511
First you will have to check which domain controller a client system is contacting by default.

To determine a DC within the set of DCs in the client's AD site that could authenticate/service the client:


Also, do you have any sites and subnets configured in your environment? Explain.

Refer to the link below to understand the DC locator process performed by clients.


LVL 37

Expert Comment

by:Neil Russell
ID: 37805516
Is DC1 also a Global Catalog server? It MUST be a GC to authenticate logins.

LVL 21

Expert Comment

ID: 37805520
Are you even seeing the OM roles from DC2?

netdom query fsmo

Do you have DC1's ip address as a DNS entry?
LVL 26

Expert Comment

by:Leon Fester
ID: 37805929
Is that server functioning correctly?
For all you know the netlogon service is not running or something.

Access the server with the FSMO roles and then run a dcdiag. You'd probably have to switch on the other DC again.
Then run dcdiag /v to check for errors.

Preferably run it on both DCs.

Author Comment

ID: 37808006
Thanks for the rapid response. I checked the netlogon service and it's running. Both servers are GCs.

The dcdiag did come up with a couple of errors. I did both commands on both servers. Please see attached.
LVL 26

Expert Comment

by:Leon Fester
ID: 37809819
Move FILESERVER to the Domain Controllers OU
Run IPCONFIG /registerdns
Run nltest /dsregdns
w32tm /config /update /syncfromflags:domhier /reliable:yes

Move COLO1 to the Domain Controllers OU

The Domain Controllers OU has specific GPOs and settings related to controlling permissions on this type of server.
Hence it is recommended to run DCs with no additional roles/applications.

Once you've moved the servers to the Domain Controllers OU, you'll need to run the following in a CMD prompt on both servers.
Note: you may need to restart the DC's. It won't automatically restart, just run the command and check the reply. Restart them if required.

If no restart is required then run "repadmin /syncall" on both DC's.

Wait 15 minutes then check the results of "repadmin /showrepl"
You don't want to see any failed replications.

If errors persist then re-run the dcdiags and post the results.

Alternatively, check the solution provided for re-initializing SYSVOL replication:
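The re-registration and replication check described in the comment above, written out as a script. This is an added example, not code posted by dvt_localboy or anyone else in the thread. It assumes an elevated PowerShell prompt on each DC in turn, a repadmin that supports /csv (Windows Server 2008 or later; the 2003 Support Tools version does not), and that the wait time and the reliable-time-source switch are adjusted to your environment.

```powershell
# Added example (not from the thread): re-register the local DC's DNS records,
# point it at the domain time hierarchy, force a sync and then check that
# repadmin reports no failed replication links.
# Assumptions: run elevated on a DC; repadmin supports /csv (2008+).

param(
    [int]$WaitMinutes = 15,      # the comment above suggests waiting 15 minutes
    [switch]$MarkReliable        # /reliable:yes as in the comment; normally only the PDC emulator needs it
)

function Invoke-DcReregistration {
    param([switch]$MarkReliable)
    # 1) refresh this host's A/PTR records in DNS
    ipconfig /registerdns | Out-Null
    # 2) re-register the DC locator (SRV) records from Netlogon
    nltest /dsregdns | Out-Null
    # 3) sync time from the domain hierarchy, optionally advertising as reliable
    $timeArgs = @('/config', '/update', '/syncfromflags:domhier')
    if ($MarkReliable) { $timeArgs += '/reliable:yes' }
    w32tm @timeArgs | Out-Null
    w32tm /resync /nowait | Out-Null   # apply the new time configuration now
}

function Get-ReplicationFailures {
    # repadmin /showrepl /csv emits one row per inbound replication link of this DC
    $rows = repadmin /showrepl /csv | ConvertFrom-Csv
    $bad = @()
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        if ($failures -gt 0 -or $row.'Last Failure Status' -ne '0') {
            $bad += ('{0} <- {1} ({2}): last status {3}, {4} consecutive failures' -f
                     $row.'Destination DSA', $row.'Source DSA', $row.'Naming Context',
                     $row.'Last Failure Status', $failures)
        }
    }
    return $bad
}

Invoke-DcReregistration -MarkReliable:$MarkReliable

# The comment above uses plain "repadmin /syncall"; /A /e covers every naming
# context and every site so nothing is skipped.
repadmin /syncall /A /e | Out-Null

"Waiting $WaitMinutes minutes for replication to settle..."
Start-Sleep -Seconds ($WaitMinutes * 60)

$failed = Get-ReplicationFailures
if ($failed.Count -eq 0) {
    'repadmin /showrepl reports no failed replication links on this DC.'
} else {
    'Failed replication links:'
    $failed
    'Re-run dcdiag /v on both DCs and post the output.'
}
```

Run it once on each DC; the final check only covers the links into the DC it runs on, which is why the comment asks for the results from both servers.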

Author Comment

ID: 37931267
Hi dvt_localboy,

Thanks for the comprehensive answer. I just went on a long vacation as you answered and just came back. Will be reviewing this in the next couple of days and will then get back to you.

Best, Jonathan

Author Comment

ID: 37937534
Hi dvt_localboy,

The above handlings didn't fix the issue, so instead of messing around with it, since I was migrating this environment to VMware anyhow, I decided to upgrade and set up a 2008R2 domain controller. I upgraded Active Directory as needed to implement the 2008R2 DC, which succeeded, and set up a 2008R2 DC with DNS.

When running dcdiag on the new 2008 DC server, however, it came up with a couple of errors, even though it will replicate successfully with Colo1.

DCDIAG: "   Testing server: BaxterSF\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\, when we were trying to reach DC1.
         ......................... DC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems."

AND: "      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000018
            Time Generated: 05/05/2012   11:22:19
            Event String:
            Time Provider NtpClient: No valid response has been received from domain controller after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable."

It's saying that there are Sysvol problems. Running "net share" shows that there's no "netlogon" or "sysvol" share on the new 2008R2 DC named DC1:

"Share name   Resource                        Remark

C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully."

Looking into the event viewer shows no errors relating to sysvol or netlogon not being available or shared - which seems very strange to me as from what I understand, these are needed for a DC to function?

Attached are the dcdiag and dcdiag /v output for the current 2003 DC and the new 2008R2 DC.

I want to move away from the 2003 DCs but need to have functioning 2008R2 DCs before I can correctly migrate the FSMO roles and decommission the 2003 DCs. Thanks!

- Jonathan
LVL 26

Expert Comment

by:Leon Fester
ID: 37937636
I hate you for going on vacation! LOL j/king
Hope you had a good time and got lots of rest.

I get your idea about installing the new DC...but while there is still a problem with the old DC, it may not be able to finalize the initial replication.

N.B. Only after the initial replication has finished will the SYSVOL and NETLOGON shares be available.

You need to double check the configuration for colo1.
You can run nltest /dsregdns to re-register all DNS entries for colo1.

You can verify the SRV records for all your DCs:

You can then manually create records if it wasn't successful using the nltest commands.

If colo1 is still giving issues, then maybe move all the FSMO roles to the other W2K3 DC and then demote colo1.

Do you know what other roles are installed on colo1? e.g. DNS, DHCP, WINS, etc?
Those will need to be moved before you demote colo1.
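The two checks asked for in this thread, which DC the locator actually hands a client (Prashant Girennavar's first question) and whether every DC has its SRV records registered (the verification step in the comment above), combined into one script. This is an added example, not code from any participant. It uses nltest and nslookup rather than the newer Resolve-DnsName so it also runs on 2003/2008R2; the domain name is a placeholder and the DC list is taken from the hostnames mentioned in the thread.

```powershell
# Added example (not from the thread): show what the DC locator returns for
# this client and confirm every expected DC is in the _ldap/_kerberos SRV records.
# Assumptions: nltest.exe present (Support Tools on 2003, built in on 2008R2+);
# $Domain replaced with your AD DNS name.

param(
    [string]$Domain = 'example.local',                          # placeholder domain
    [string[]]$ExpectedDcs = @('colo1', 'fileserver', 'dc1')    # hostnames from the thread
)

function Get-LocatedDc {
    param([string]$Domain)
    # nltest /dsgetdc runs the same locator a client uses; /force bypasses the cache
    $out = nltest "/dsgetdc:$Domain" /force 2>&1
    $result = @{ Dc = $null; Site = $null; Flags = @() }
    foreach ($line in $out) {
        if     ($line -match '^\s*DC:\s+\\\\(\S+)')          { $result.Dc    = $Matches[1] }
        elseif ($line -match '^\s*Dc Site Name:\s+(\S+)')    { $result.Site  = $Matches[1] }
        elseif ($line -match '^\s*Flags:\s+(.+)$')           { $result.Flags = $Matches[1].Trim() -split '\s+' }
    }
    return $result
}

function Get-SrvTargets {
    param([string]$Name)
    # parse the "svr hostname = ..." lines from nslookup's SRV output
    $out = nslookup -type=SRV $Name 2>&1
    $targets = @()
    foreach ($line in $out) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $targets += $Matches[1].ToLower().TrimEnd('.') }
    }
    return $targets | Sort-Object -Unique
}

function Test-DcRegistration {
    param([string]$Domain, [string[]]$ExpectedDcs)
    # both records live under the _msdcs subtree and must list every DC
    $records = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
    $missing = @()
    foreach ($rec in $records) {
        $targets = Get-SrvTargets -Name $rec
        foreach ($dc in $ExpectedDcs) {
            $fqdn = ($dc + '.' + $Domain).ToLower()
            if (-not ($targets -contains $fqdn)) { $missing += "$fqdn is missing from $rec" }
        }
    }
    return $missing
}

$loc = Get-LocatedDc -Domain $Domain
"Locator picked:     $($loc.Dc) in site $($loc.Site)"
"Advertises as GC:   $($loc.Flags -contains 'GC')"       # a DC must be a GC to log users on
"Advertises as KDC:  $($loc.Flags -contains 'KDC')"
"Advertises time:    $($loc.Flags -contains 'TIMESERV')" # relevant to the NtpClient warning later in the thread

$missing = Test-DcRegistration -Domain $Domain -ExpectedDcs $ExpectedDcs
if ($missing.Count -eq 0) {
    'All expected DCs have their _ldap and _kerberos SRV records.'
} else {
    $missing | ForEach-Object { "MISSING: $_" }
    'Run "nltest /dsregdns" on the DC that is missing, then re-check.'
}
```

If the locator returns an empty DC name or a DC without the GC flag, that matches the RDP error in the original question: the client cannot find a DC able to service the logon.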

Author Comment

ID: 37958316
I ran nltest /dsregdns and checked the SRV records. All good. Still no go.

The problem with the 2nd W2K3 DC (fileserver) is that it also doesn't have the sysvol and netlogon shares, only colo1 does. Colo1 has all of the FSMO roles and a functioning sysvol and netlogon share. So I can't migrate to the 2nd W2K3 server.

All DCs have the DNS roles. Colo1 also has the RRAS for VPN access setup.


Accepted Solution

RFVDB earned 0 total points
ID: 38062959
I opened up a case with Microsoft and this fixed the problem of the netlogon and sysvol share not replicating to the other domain controllers:

1) Disable and stop FRS service.
2) Backup of WINDOWS\SYSVOL\sysvol\\ (folders within)
3) Change the following on the DC that does have the netlogon and sysvol share: hklm\system\currentcontrolset\services\ntfrs\parameters\backup/restore\process at startup\BurFlags - Change to D2
4) Change the following on the other DCs that can't get the netlogon and sysvol share replicated to them: hklm\system\currentcontrolset\services\ntfrs\parameters\backup/restore\process at startup\BurFlags - Change to D4
5) Enable and start FRS service.
6) Wait for a while, maybe 30 mins or so for correct replication and run net share and dcdiag on your other servers and you'll see the netlogon and sysvol share show up and dcdiag without the same errors. Event log will show Event 13516 showing correct FRS replication.
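The BurFlags procedure from the accepted solution as a script to run on each DC with the role chosen for that DC. This is an added example, not the script Microsoft supplied or anything posted in the thread. It uses the flag meaning Microsoft documents for FRS (KB 290762): D4 is the authoritative flag and goes on the single DC whose SYSVOL is the good copy, D2 is non-authoritative and goes on every DC that must re-pull SYSVOL; steps 3 and 4 above list them the other way around, so confirm the mapping against that KB before running this. The backup folder and timeout are placeholders, and the script refuses the authoritative role on a DC that is not currently sharing SYSVOL and NETLOGON, since such a DC cannot be the reference copy.

```powershell
# Added example (not from the thread): reset FRS SYSVOL replication via BurFlags.
# Run elevated on one DC at a time. D4 (authoritative) on exactly one DC, the
# one with the good SYSVOL; D2 (non-authoritative) on all others.
# Assumptions: NtFrs service present (2003/2008R2 DC using FRS, not DFSR);
# $BackupRoot and $TimeoutMinutes are placeholders.

param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Authoritative', 'NonAuthoritative')]
    [string]$Role,
    [string]$BackupRoot = 'C:\SysvolBackup',   # placeholder backup location
    [int]$TimeoutMinutes = 30                   # the solution says roughly 30 minutes
)

function Test-SysvolShared {
    # true when both NETLOGON and SYSVOL appear in the first column of `net share`
    $names = net share | ForEach-Object { ($_ -split '\s+')[0] }
    return (($names -contains 'NETLOGON') -and ($names -contains 'SYSVOL'))
}

function Set-BurFlags([int]$Value) {
    # The .NET registry API is used because the key name contains a forward
    # slash ("Backup/Restore"), which the PowerShell registry provider treats
    # as a path separator.
    $path = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
    if (-not $key) { throw "BurFlags key not found: is FRS installed on this DC?" }
    $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

if ($Role -eq 'Authoritative' -and -not (Test-SysvolShared)) {
    throw 'This DC is not sharing SYSVOL/NETLOGON, so it cannot be the authoritative copy; use -Role NonAuthoritative here.'
}

# 1) disable and stop FRS so it cannot restart mid-change
Set-Service -Name NtFrs -StartupType Disabled
Stop-Service -Name NtFrs -Force

# 2) back up the SYSVOL tree before changing anything
$sysvol = Join-Path $env:SystemRoot 'SYSVOL\sysvol'
$dest   = Join-Path $BackupRoot ('sysvol-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -Path $sysvol -Destination $dest -Recurse -Force
"SYSVOL copied to $dest"

# 3)/4) set BurFlags according to this DC's role
$flag = @{ Authoritative = 0xD4; NonAuthoritative = 0xD2 }[$Role]
Set-BurFlags $flag
'BurFlags set to 0x{0:X} ({1})' -f $flag, $Role

# 5) re-enable and start FRS; it reads BurFlags on startup and clears it
Set-Service -Name NtFrs -StartupType Automatic
Start-Service -Name NtFrs
$started = Get-Date

# 6) wait for event 13516 (FRS finished initialising SYSVOL) and for the shares
$deadline = $started.AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 60
    $done = Get-EventLog -LogName 'File Replication Service' -After $started -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 13516 }
} until ($done -or (Get-Date) -gt $deadline)

if ($done -and (Test-SysvolShared)) {
    'Event 13516 logged and SYSVOL/NETLOGON are shared; run dcdiag to confirm.'
} else {
    'Timed out or shares still missing; check the File Replication Service event log for the blocking error.'
}
```

Run the authoritative DC first and wait for its 13516 before starting the non-authoritative ones, so the others have a finished copy to pull from.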
LVL 26

Expert Comment

by:Leon Fester
ID: 38062988
Microsoft showed you how to do an authoritative restore.

Have a look at the link suggested by dvt_localboy (posted on 2012-04-05 at 07:43:10, ID: 37809819).
It discusses the same solution...

Author Closing Comment

ID: 38077933
I contacted Microsoft and had them assist me in implementing the correct solution which immediately fixed the problem.
