Domain Controller Can't Authenticate against itself

Posted on 2012-04-04
Medium Priority
Last Modified: 2012-06-13
I have two Server 2003 Domain Controllers. One has all of the FSMO roles (DC1) and one is just a standalone Domain Controller (DC2) with no FSMO roles. I shut down the standalone Domain Controller (DC2). When I try to RDP into the DC with all of the FSMO roles (as confirmed with the netdom /query fsmo command) it gives me the following error:

"The system cannot log you on due to the following error:
The specified domain either does not exist or could not be contacted.

Please try again or consult your system administrator."

Another symptom: when trying to create a share on another box and look up Active Directory objects, it couldn't find them, only local computer users.

Looking through the event log there's nothing serious recently.

Thanks, Jonathan
Question by:RFVDB

LVL 10

Expert Comment

by:Prashant Girennavar
ID: 37805511
First you will have to check which domain controller a client system is contacting by default.

To determine a DC within the set of DCs in the client's AD site that could authenticate/service the client:


Also, do you have any sites and subnets configured in your environment? Explain.

Refer to the link below to understand the DC locator process performed by clients.

LVL 37

Expert Comment

by:Neil Russell
ID: 37805516
Is DC1 also a Global Catalog server? It MUST be a GC to authenticate logins.
LVL 21

Expert Comment

ID: 37805520
Are you even seeing the OM roles from DC2?

netdom query fsmo

Do you have DC1's ip address as a DNS entry?
LVL 26

Expert Comment

by:Leon Fester
ID: 37805929
Is that server functioning correctly?
For all you know the netlogon service is not running or something.

Access the server with the FSMO roles and then run a dcdiag. You'd probably have to switch on the other DC again.
Then run dcdiag /v to check for errors.

Preferably run it on both DC's.

Author Comment

ID: 37808006
Thanks for the rapid response. I checked the netlogon service and its running. Both servers are GCs.

The dcdiag did come up with a couple of errors. I did both commands on both servers. Please see attached.
LVL 26

Expert Comment

by:Leon Fester
ID: 37809819
Move FILESERVER to the Domain Controllers OU
Run IPCONFIG /registerdns
Run nltest /dsregdns
w32tm /config /update /syncfromflags:domhier /reliable:yes

Move COLO1 to the Domain Controllers OU

The Domain Controllers OU has specific GPOs and settings that relate to controlling permissions on this type of server.
Hence it is recommended to run DCs with no additional roles/applications.

Once you've moved the servers to the Domain Controllers OU, you'll need to run the following in a CMD prompt on both servers.
Note: you may need to restart the DC's. It won't automatically restart, just run the command and check the reply. Restart them if required.

If no restart is required then run "repadmin /syncall" on both DC's.

Wait 15 minutes then check the results of "repadmin /showrepl"
You don't want to see any failed replications.

If errors persist then re-run the dcdiags and post the results.

Alternatively, check the solution provided for re-initializing SYSVOL replication:

Author Comment

ID: 37931267
Hi dvt_localboy,

Thanks for the comprehensive answer. I just went on a long vacation as you answered and just came back. Will be reviewing this in the next couple of days and will then get back to you.

Best, Jonathan

Author Comment

ID: 37937534
Hi dvt_localboy,

The above handlings didn't fix the issue. So instead of messing around with it, since I was migrating this environment to VMware anyhow, I decided to upgrade and set up a 2008R2 domain controller. I upgraded Active Directory as needed to implement the 2008R2 DC, which succeeded, and set up a 2008R2 DC with DNS.

When running dcdiag on the new 2008 DC server, however, it came up with a couple of errors, even though it replicates successfully with Colo1.

DCDIAG: "   Testing server: BaxterSF\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\colo1.BaxterResearch.net, when we were trying to reach DC1.
         ......................... DC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems."

AND: "      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000018
            Time Generated: 05/05/2012   11:22:19
            Event String:
            Time Provider NtpClient: No valid response has been received from domain controller colo1.BaxterResearch.net after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable."

It's saying that there are Sysvol problems. Running "net share" shows that there's no "netlogon" or "sysvol" share on the new 2008R2 DC named DC1:

"Share name   Resource                        Remark

C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully."

Looking into the event viewer shows no errors relating to sysvol or netlogon not being available or shared - which seems very strange to me as from what I understand, these are needed for a DC to function?

Attached are the dcdiag and dcdiag /v for the current 2003 DC and the new 2008R2 DC.

I want to move away from the 2003 DCs but need to have functioning 2008R2 DCs before I can correctly migrate the FSMO roles and decommission the 2003 DCs. Thanks!

- Jonathan
LVL 26

Expert Comment

by:Leon Fester
ID: 37937636
I hate you for going on vacation! LOL j/king
Hope you had a good time and got lots of rest.

I get your idea about installing the new DC...but while there is still a problem with the old DC, it may not be able to finalize the initial replication.

N.B. Only after the initial replication has finished will the SYSVOL and NETLOGON shares be available.

You need to double check the configuration for colo1.
You can nltest /dsregdns to re-register all DNS entries for colo1.

You can verify the SRV records for all your DC's:

You can then manually create records if it wasn't successful using the nltest commands.

If colo1 is still giving issues, then maybe move all the FSMO roles to the other W2K3 DC and then demote colo1.

Do you know what other roles are installed on colo1? e.g. DNS, DHCP, WINS, etc?
Those will need to be moved before you demote colo1.
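Added here as an example (not code posted in the thread, and not Microsoft's): a read-only PowerShell health check that covers what the two replies above ask to be checked by hand. It resolves the DC locator SRV records that DsGetDcName depends on, parses "repadmin /showrepl * /csv" for links with failures, and confirms over WMI that each DC actually shares SYSVOL and NETLOGON. The domain and DC names are taken from the thread; the assumption of a single-domain forest (so the GC records live under the same DNS name) and the choice of which three SRV records to check are mine. It uses nslookup rather than Resolve-DnsName because the latter does not exist on 2008 R2.

```powershell
# Added example, not from the thread: read-only health check for the DC
# locator records, replication links and SYSVOL/NETLOGON shares.
# Assumptions: single-domain forest (so GC records sit under the same name),
# run from an elevated prompt on a domain member with repadmin.exe present.
$Domain = 'BaxterResearch.net'
$DCs    = @('colo1', 'fileserver', 'dc1')   # DC names as used in the thread

function Get-SrvTargets {
    # Return the lower-cased target hosts of an SRV record. nslookup is used
    # because Resolve-DnsName does not exist before Windows Server 2012.
    param([string]$Name)
    $out = & nslookup.exe -type=SRV $Name 2>$null
    foreach ($line in $out) {
        # nslookup prints one "svr hostname = host.example.net" line per target
        if ($line -match 'svr hostname\s*=\s*(\S+)') {
            $matches[1].TrimEnd('.').ToLower()
        }
    }
}

function Test-DcLocatorRecords {
    # The records DsGetDcName depends on; a DC missing from any of them will
    # not be handed out to clients (this is what "nltest /dsregdns" repairs).
    $records = @{
        'LDAP(dc)' = "_ldap._tcp.dc._msdcs.$Domain"
        'Kerberos' = "_kerberos._tcp.dc._msdcs.$Domain"
        'LDAP(gc)' = "_ldap._tcp.gc._msdcs.$Domain"
    }
    foreach ($r in $records.GetEnumerator()) {
        $targets = @(Get-SrvTargets $r.Value)
        foreach ($dc in $DCs) {
            $fqdn = ('{0}.{1}' -f $dc, $Domain).ToLower()
            New-Object PSObject -Property @{
                Record = $r.Key
                DC     = $fqdn
                Listed = ($targets -contains $fqdn)
            }
        }
    }
}

function Get-ReplFailures {
    # "repadmin /showrepl * /csv" emits one row per inbound link; any row with
    # a non-zero "Number of Failures" is a link that "/showrepl" would flag.
    & repadmin.exe /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { ($_.'Number of Failures' -as [int]) -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status'
}

function Test-SysvolShares {
    # Win32_Share over DCOM works against 2003 and 2008 R2 without WinRM.
    foreach ($c in $DCs) {
        $names = Get-WmiObject -Class Win32_Share -ComputerName $c -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            DC       = $c
            SYSVOL   = ($names -contains 'SYSVOL')
            NETLOGON = ($names -contains 'NETLOGON')
        }
    }
}

Test-DcLocatorRecords | Format-Table Record, DC, Listed -AutoSize
Get-ReplFailures      | Format-Table -AutoSize
Test-SysvolShares     | Format-Table DC, SYSVOL, NETLOGON -AutoSize
```

A DC that shows Listed = False for any record is the one to run "nltest /dsregdns" on; a DC that shows SYSVOL or NETLOGON = False is one FRS has not finished initialising, which is exactly the state described for fileserver and the new DC1 above.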

Author Comment

ID: 37958316
I ran nltest /dsregdns and checked the SRV records. All good. Still no go.

The problem with the 2nd W2K3 DC (fileserver) is that it also doesn't have the sysvol and netlogon shares, only colo1 does. Colo1 has all of the FSMO roles and a functioning sysvol and netlogon share. So I can't migrate to the 2nd W2K3 server.

All DCs have the DNS role. Colo1 also has RRAS set up for VPN access.


Accepted Solution

RFVDB earned 0 total points
ID: 38062959
I opened up a case with Microsoft and this fixed the problem of the netlogon and sysvol share not replicating to the other domain controllers:

1) Disable and stop the FRS service.
2) Back up WINDOWS\SYSVOL\sysvol\BaxterResearch.net\ (the folders within).
3) On the DC that does have the netlogon and sysvol shares, change HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags to D2.
4) On the other DCs that can't get the netlogon and sysvol shares replicated to them, change HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags to D4.
5) Enable and start the FRS service.
6) Wait a while, maybe 30 minutes or so, for replication to complete, then run "net share" and dcdiag on your other servers and you'll see the netlogon and sysvol shares show up and dcdiag without the same errors. The event log will show Event 13516 indicating correct FRS replication.
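The BurFlags procedure above, as an added PowerShell example that is not from the thread or from Microsoft's case notes, with the checks a practitioner wants around each step: stop FRS before touching the flag, copy SYSVOL aside first, set the DWORD through .NET (the key name contains "Backup/Restore", and the PowerShell registry provider treats "/" as a path separator, so HKLM:\ paths fail on it), then wait for event 13516 in the File Replication Service log and report whether the shares appeared. One caveat to check against Microsoft's KB 290762 before choosing which DC gets which value: that article documents D4 (0xD4) as the authoritative flag, set on the single DC whose copy of SYSVOL is to be treated as the source, and D2 (0xD2) as non-authoritative, set on every other DC so it re-sources SYSVOL from a partner. The backup location and the timeout are assumptions. This applies only while SYSVOL is replicated by FRS, as in this 2003-era domain; a domain that has migrated SYSVOL to DFSR does not use BurFlags.

```powershell
# Added example, not from the thread: FRS BurFlags restore with checks.
# Run elevated on each DC. Pass -Authoritative on ONE DC only (0xD4); run
# without it (0xD2) on every DC that must re-source SYSVOL from a partner.
function Invoke-FrsBurFlagsRestore {
    param(
        [switch]$Authoritative,
        [string]$BackupRoot = 'C:\SysvolBackup',   # assumption: where to copy SYSVOL first
        [int]$TimeoutMinutes = 30                   # assumption: how long to wait for 13516
    )
    if ($Authoritative) { $flag = 0xD4; $mode = 'D4 (authoritative)' }
    else                { $flag = 0xD2; $mode = 'D2 (non-authoritative)' }

    # SYSVOL\sysvol\<domain> is a junction onto SYSVOL\domain, so back up the
    # real directory rather than following the junction.
    $sysvol = Join-Path $env:SystemRoot 'SYSVOL\domain'

    # 1) Stop FRS and keep it from restarting until the flag is in place.
    Set-Service -Name NtFrs -StartupType Disabled
    Stop-Service -Name NtFrs -Force
    (Get-Service -Name NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

    # 2) Copy the current SYSVOL content aside. On the D2 side FRS will move
    #    its existing files into NtFrs_PreExisting___See_EventLog; a copy we
    #    control is cheaper than digging them out later.
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $sysvol -Destination $dest -Recurse -Force

    # 3) Set BurFlags. Use .NET: "Backup/Restore" contains a slash, which the
    #    PowerShell registry provider would read as a path separator.
    $keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
    if ($key -eq $null) { throw "Registry key not found: HKLM\$keyPath" }
    $key.SetValue('BurFlags', $flag, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()

    # 4) Start FRS again; remember when, so only new events count.
    $started = Get-Date
    Set-Service -Name NtFrs -StartupType Automatic
    Start-Service -Name NtFrs

    # 5) Event 13516 means FRS is no longer preventing this machine from
    #    acting as a DC, i.e. SYSVOL has been initialised and can be shared.
    $deadline = $started.AddMinutes($TimeoutMinutes)
    $ev = $null
    do {
        $ev = Get-WinEvent -FilterHashtable @{
                  LogName = 'File Replication Service'; Id = 13516; StartTime = $started
              } -ErrorAction SilentlyContinue
        if ($ev) { break }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    # 6) Report the same things the poster checked with "net share".
    $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        Mode       = $mode
        Backup     = $dest
        Event13516 = [bool]$ev
        SYSVOL     = ($shares -contains 'SYSVOL')
        NETLOGON   = ($shares -contains 'NETLOGON')
    }
}

# Usage: on the source DC
#   Invoke-FrsBurFlagsRestore -Authoritative
# on each of the others, after the source reports Event13516 = True
#   Invoke-FrsBurFlagsRestore
```

If Event13516 comes back False after the timeout, do not set the flag again; read the File Replication Service log for the 13508/13565 events FRS raises while it is still trying to locate a partner, and re-check the SRV records and replication links before retrying.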
LVL 26

Expert Comment

by:Leon Fester
ID: 38062988
Microsoft showed you how to do an authoritative restore.

Have a look at the link suggested by dvt_localboy, posted on 2012-04-05 at 07:43:10, ID: 37809819.
It discusses the same solution.


Author Closing Comment

ID: 38077933
I contacted Microsoft and had them assist me in implementing the correct solution which immediately fixed the problem.
