Domain Controller Can't Authenticate against itself

I have two Server 2003 Domain Controllers. One has all of the FSMO roles (DC1) and one is just a standalone Domain Controller (DC2) with no FSMO roles. I shut down the standalone Domain Controller (DC2). When I try to RDP into the DC with all of the FSMO roles (as confirmed with the netdom /query fsmo command) it gives me the following error:

"The system cannot log you on due to the following error:
The specified domain either does not exist or could not be contacted.

Please try again or consult your system administrator."

Another symptom is in trying to create a share on another box and in trying to find active directory objects, it couldn't find them, only local computer users.

Looking through the event log there's nothing serious recently.

Thanks, Jonathan
Prashant Girennavar commented:
First you will have to check which domain controller a client system is contacting by default.

To determine a DC within the set of DCs in the client's AD site that could authenticate/service the client:


Also, do you have any sites and subnets configured in your environment? Explain.

Refer to the link below to understand the DC locator process performed by clients.


Neil Russell (Technical Development Lead) commented:
Is DC1 also a Global Catalog server? It MUST be a GC to authenticate logins.
Are you even seeing the OM roles from DC2?

netdom query fsmo

Do you have DC1's IP address as a DNS entry?
Leon Fester (Senior Solutions Architect) commented:
Is that server functioning correctly?
For all you know the netlogon service is not running or something.

Access the server with the FSMO roles and then run a dcdiag. You'd probably have to switch on the other DC again.
Then run dcdiag /v to check for errors.

Preferably run it on both DCs.
RFVDB (Author) commented:
Thanks for the rapid response. I checked the netlogon service and it's running. Both servers are GCs.

The dcdiag did come up with a couple of errors. I did both commands on both servers. Please see attached.
Leon Fester (Senior Solutions Architect) commented:
Move FILESERVER to the Domain Controllers OU
Run IPCONFIG /registerdns
Run nltest /dsregdns
w32tm /config /update /syncfromflags:domhier /reliable:yes

Move COLO1 to the Domain Controllers OU

The Domain Controllers OU has specific GPOs and settings that relate to controlling permissions on these types of servers.
Hence it is recommended to run DCs with no additional roles/applications.

Once you've moved the servers to the Domain Controllers OU, you'll need to run the following in a CMD prompt on both servers.
Note: you may need to restart the DCs. They won't automatically restart; just run the command and check the reply. Restart them if required.

If no restart is required then run "repadmin /syncall" on both DCs.

Wait 15 minutes then check the results of "repadmin /showrepl"
You don't want to see any failed replications.

If errors persist then re-run the dcdiags and post the results.

Alternatively, check the solution provided for re-initializing SYSVOL replication:
RFVDB (Author) commented:
Hi dvt_localboy,

Thanks for the comprehensive answer. I just went on a long vacation as you answered and just came back. Will be reviewing this in the next couple of days and will then get back to you.

Best, Jonathan
RFVDB (Author) commented:
Hi dvt_localboy,

The above handlings didn't fix the issue. So instead of messing around with it, since I was migrating this environment to VMware anyhow, I decided to upgrade and set up a 2008R2 domain controller. I upgraded Active Directory as needed to implement the 2008R2 DC, which it did successfully, and set up a 2008R2 DC with DNS.

When running dcdiag on the new 2008 DC server however it came up with a couple of errors, even if it will replicate successfully with Colo1.

DCDIAG: "   Testing server: BaxterSF\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\, when we were trying to reach DC1.
         ......................... DC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems."

AND: "      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000018
            Time Generated: 05/05/2012   11:22:19
            Event String:
            Time Provider NtpClient: No valid response has been received from domain controller after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable."

It's saying that there are Sysvol problems. Running "net share" shows that there's no "netlogon" or "sysvol" share on the new 2008R2 DC named DC1:

"Share name   Resource                        Remark

C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully."

Looking into the event viewer shows no errors relating to sysvol or netlogon not being available or shared, which seems very strange to me as, from what I understand, these are needed for a DC to function?

Attached are the dcdiag and dcdiag /v for the current 2003 DC and the new 2008R2 DC.

I want to move away from the 2003 DCs but need to have functioning 2008R2 DCs before I can correctly migrate the FSMO roles and decommission the 2003 DCs. Thanks!

- Jonathan
Leon Fester (Senior Solutions Architect) commented:
I hate you for going on vacation! LOL j/king
Hope you had a good time and got lots of rest.

I get your idea about installing the new DC...but while there is still a problem with the old DC, it may not be able to finalize the initial replication.

N.B. Only after the initial replication has finished will the SYSVOL and NETLOGON shares be available.

You need to double check the configuration for colo1.
You can run nltest /dsregdns to re-register all DNS entries for colo1.

You can verify the SRV records for all your DCs:

You can then manually create records if it wasn't successful using the nltest commands.

If colo1 is still giving issues, then maybe move all the FSMO roles to the other W2K3 DC and then demote colo1.

Do you know what other roles are installed on colo1? e.g. DNS, DHCP, WINS, etc?
Those will need to be moved before you demote colo1.
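
The SRV check described above, as an added example that is not from the thread: it queries the records the DC locator process looks up under _msdcs.<domain> and reports which DCs are missing from each. The domain and DC names are assumptions for this example.

```powershell
# Added example, not from the thread: checks that every DC still has the SRV records
# the DC locator process queries under _msdcs.<domain>. Domain and DC names are
# assumptions for this example; adjust them to your environment.
$domain = 'corp.example.com'
$dcs    = 'colo1', 'fileserver', 'dc1'

$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",      # domain controllers (LDAP)
    "_kerberos._tcp.dc._msdcs.$domain",  # KDCs
    "_ldap._tcp.gc._msdcs.$domain"       # global catalogs (forest root domain)
)

function Get-SrvTargets([string]$name) {
    # nslookup is available on 2003 and 2008 R2; parse the "svr hostname = <fqdn>" lines
    $out = & nslookup -type=SRV $name 2>&1
    foreach ($line in $out) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $matches[1].TrimEnd('.').ToLower() }
    }
}

foreach ($srv in $srvNames) {
    $targets = @(Get-SrvTargets $srv)
    foreach ($dc in $dcs) {
        $fqdn = "$dc.$domain".ToLower()
        if ($targets -contains $fqdn) { "OK       $dc -> $srv" }
        else { "MISSING  $dc -> $srv  (re-register with 'nltest /dsregdns' on $dc, then recheck)" }
    }
}
```

A DC that shows MISSING for _ldap._tcp.dc._msdcs will not be found by clients at logon even if it answers LDAP directly.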
RFVDB (Author) commented:
I ran nltest /dsregdns and checked the SRV records. All good. Still no go.

The problem with the 2nd W2K3 DC (fileserver) is that it also doesn't have the sysvol and netlogon shares, only colo1 does. Colo1 has all of the FSMO roles and a functioning sysvol and netlogon share. So I can't migrate to the 2nd W2K3 server.

All DCs have the DNS roles. Colo1 also has the RRAS for VPN access setup.

RFVDB (Author) commented:
I opened up a case with Microsoft and this fixed the problem of the netlogon and sysvol share not replicating to the other domain controllers:

1) Disable and stop FRS service.
2) Backup of WINDOWS\SYSVOL\sysvol\\ (folders within)
3) Change the following on the DC that does have the netlogon and sysvol share: hklm\system\currentcontrolset\services\ntfrs\parameters\backup/restore\process at startup\BurFlags - Change to D2
4) Change the following on the other DCs that can't get the netlogon and sysvol share replicated to them: hklm\system\currentcontrolset\services\ntfrs\parameters\backup/restore\process at startup\BurFlags - Change to D4
5) Enable and start FRS service.
6) Wait for a while, maybe 30 mins or so, for correct replication and run net share and dcdiag on your other servers and you'll see the netlogon and sysvol share show up and dcdiag without the same errors. The event log will show Event 13516 showing correct FRS replication.
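
The BurFlags procedure above, as an added example that is not from the thread or from Microsoft's case notes: one script run on each DC with the same stop, back up, set flag, start, verify sequence, assigning the values by their documented meaning (0xD4 marks the DC whose SYSVOL is treated as authoritative, 0xD2 the DCs that re-pull it). The script structure and parameter names are assumptions for this example.

```powershell
# Added example, not from the thread or from Microsoft's KB: sets the FRS BurFlags
# value for a SYSVOL restore using the documented meaning of the values
# (0xD4 = authoritative copy, 0xD2 = non-authoritative member that re-pulls SYSVOL).
# Run once on each DC; the DC whose SYSVOL is known-good gets -Authoritative.
# Script structure and parameter names are assumptions for this example.
param(
    [switch]$Authoritative,
    [string]$BackupDir = "C:\SysvolBackup_$(Get-Date -Format yyyyMMdd_HHmm)"
)

$burKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burFlag = if ($Authoritative) { 0xD4 } else { 0xD2 }

# 1) Stop and disable FRS so the flag is only read at the controlled restart below
Stop-Service -Name NtFrs -Force
Set-Service  -Name NtFrs -StartupType Disabled

# 2) Keep a copy of the local SYSVOL tree before FRS replaces or re-pulls it
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Copy-Item -Path "$env:SystemRoot\SYSVOL\sysvol" -Destination $BackupDir -Recurse -Force

# 3) Write BurFlags (REG_DWORD) for this DC's role in the restore
if (-not (Test-Path $burKey)) { New-Item -Path $burKey -Force | Out-Null }
Set-ItemProperty -Path $burKey -Name BurFlags -Value $burFlag -Type DWord
Write-Host ("BurFlags = 0x{0:X} on {1}" -f $burFlag, $env:COMPUTERNAME)

# 4) Re-enable and start FRS; D2 members rebuild SYSVOL from a replication partner
Set-Service   -Name NtFrs -StartupType Automatic
Start-Service -Name NtFrs

# 5) Verify: SYSVOL and NETLOGON shared, and FRS event 13516 logged (poll up to 30 min)
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $shares = @(Get-WmiObject Win32_Share | Where-Object { 'SYSVOL','NETLOGON' -contains $_.Name })
    $ready  = @(Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddHours(-1) |
               Where-Object { $_.EventID -eq 13516 })
} until (($shares.Count -eq 2 -and $ready.Count -gt 0) -or ((Get-Date) -gt $deadline))

if ($shares.Count -eq 2 -and $ready.Count -gt 0) {
    "SYSVOL and NETLOGON are shared; FRS 13516 logged. Re-run dcdiag /test:FrsEvent to confirm."
} else {
    "Timed out: shares or event 13516 still missing; inspect the File Replication Service log."
}
```

Run the authoritative DC first and let it log 13516 before starting FRS on the D2 members, so they have a partner to pull from.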

Leon Fester (Senior Solutions Architect) commented:
Microsoft showed you how to do an authoritative restore.

Have a look at the link suggested by dvt_localboy (posted on 2012-04-05 at 07:43:10, ID: 37809819).
It discusses the same solution...
RFVDB (Author) commented:
I contacted Microsoft and had them assist me in implementing the correct solution which immediately fixed the problem.