Remote Site Unable to Resolve Names - GP Replication not working either

Hey all.

I have a remote site (single forest) where users are unable to resolve the names of shares in the main office.
Going through the event log, I found Event ID 4 and Event ID 1058. For Event ID 4 I followed the MS KB article without luck, so I am not sure which event ID I should be fixing first. My sense is to get the Kerberos issue going first. Thoughts?

Thanks, and feel free to ask for any information that you might need.
Sandeshdubey (Senior Server Engineer) commented:
If the server is tombstoned, you need to forcefully demote the DC, followed by metadata cleanup, and then promote the server back as a DC.

You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is an FSMO role holder, then you need to seize the FSMO roles on another DC.

Once done, you can promote the server back as an ADC. Also configure the authoritative time server role on the PDC Emulator role holder.

Reference links:
Forceful removal of DC:
Metadata cleanup:
Seize FSMO role:
Authoritative time server:
Configuring the time service on the PDC Emulator FSMO role holder
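The whole sequence from the answer above (forced removal, FSMO seizure, metadata cleanup, DNS leftovers, authoritative time, re-promotion) as one added PowerShell walkthrough. This is example code written for this page, not the answerer's or Microsoft's script, and the names are assumptions: faulty DC "DC2" in site "RemoteSite", healthy DC "DC1", domain corp.example.com, and pool.ntp.org as the external time peers.

```powershell
# Added example, not from the original answer. Assumed names: faulty (tombstoned) DC "DC2" in
# site "RemoteSite", healthy DC "DC1", domain corp.example.com, NTP peers from pool.ntp.org.
# Run in an elevated PowerShell as a member of Domain Admins (Enterprise Admins and Schema
# Admins are also needed to seize the two forest-wide roles).
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'
$FaultyDc  = 'DC2'
$HealthyDc = 'DC1'
$SiteName  = 'RemoteSite'

# --- Step 1, on the faulty DC: forced demotion. The DC cannot replicate its own removal,
#     so its objects stay behind in AD and DNS; steps 2 and 3 clean those up.
#     Windows Server 2008 / 2008 R2:   dcpromo /forceremoval
#     Windows Server 2012 and later:
#       Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword (Read-Host -AsSecureString) -Force

# --- Step 2, on the healthy DC: seize whatever FSMO roles DC2 held. Done before the metadata
#     cleanup so the role-owner attributes never point at a deleted object. Seizing is only
#     acceptable because DC2 is never brought back online with its old identity.
$dom = Get-ADDomain -Server $HealthyDc
$for = Get-ADForest -Server $HealthyDc
$roleOwners = @{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster         = $for.SchemaMaster
    DomainNamingMaster   = $for.DomainNamingMaster
}
$toSeize = $roleOwners.GetEnumerator() |
           Where-Object { $_.Value -like "$FaultyDc.*" } |
           ForEach-Object { $_.Key }
if ($toSeize) {
    # -Force turns a graceful transfer into a seizure when the current owner is unreachable
    Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# --- Step 3, on the healthy DC: metadata cleanup. "remove selected server" deletes the NTDS
#     Settings and server objects and, on Windows Server 2008 and later, the computer account,
#     connection objects and FRS/DFSR member objects as well.
$configNC  = (Get-ADRootDSE -Server $HealthyDc).configurationNamingContext
$serverObj = Get-ADObject -Server $HealthyDc -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter "(&(objectClass=server)(cn=$FaultyDc))"
if (-not $serverObj) { throw "No server object for $FaultyDc under CN=Sites; nothing to clean up" }
ntdsutil "metadata cleanup" "remove selected server $($serverObj.DistinguishedName)" quit quit

# Leftover DNS records (host A, NS, SRV, the GUID CNAME in _msdcs) keep clients trying the
# dead DC. List them first with -WhatIf; drop the -WhatIf once the list looks right.
foreach ($zone in $Domain, "_msdcs.$Domain") {
    Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -ieq $FaultyDc -or
                       $_.RecordData.NameServer    -like "$FaultyDc.*" -or
                       $_.RecordData.DomainName    -like "$FaultyDc.*" -or
                       $_.RecordData.HostNameAlias -like "$FaultyDc.*" } |
        Remove-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $zone -Force -WhatIf
}

# --- Step 4, on the PDC Emulator (DC1 if the role was seized): make it the authoritative
#     time source. Every other DC and every client follows the domain hierarchy from here, and
#     Kerberos tolerates only 5 minutes of clock skew by default.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover
w32tm /query /status

# --- Step 5, on the former DC2 after a reboot and a fresh domain join: promote it again.
#   Install-ADDSDomainController -DomainName $Domain -SiteName $SiteName -InstallDns `
#       -Credential (Get-Credential "$Domain\Administrator") `
#       -SafeModeAdministratorPassword (Read-Host -AsSecureString)
```

The FSMO seizure is placed ahead of the metadata cleanup deliberately: once the server object is gone, the role-owner attributes would reference a deleted object, and nothing in the cleanup itself moves the roles for you.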
Will Szymkowski (Senior Solution Architect) commented:
Looks to me like there is some sort of DNS/AD replication issue at your site. Can you ping the DNS/DC servers from the remote site to the main site by name?

If you cannot, you need to correct this first. Check the DNS settings on the client and ensure that they are correct. Does this remote site have its own site in AD Sites and Services?

Check your DCs that hold the FSMO roles and run the following commands:

repadmin /replsum
dcdiag /Test:DNS

Also check the event logs on the DCs to ensure that all events are clean.
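An added example (not part of the answer above) that runs the two commands it recommends and then goes one step further: it compares every DC's last successful inbound replication with the forest tombstone lifetime, which is the condition that turns a "replication has been failing for a while" into a tombstoned DC that cannot be recovered by waiting, and it lists which subnets are attached to which site. The only assumptions are that the ActiveDirectory RSAT module is installed and the account can read replication metadata from each DC; DC names are discovered, not hard-coded.

```powershell
# Added example, not from the answer above. Assumes the ActiveDirectory RSAT module and rights
# to read replication metadata from every DC; DC names are discovered, not assumed.
Import-Module ActiveDirectory

# The two commands from the answer. Both are read-only and safe to run on any DC.
repadmin /replsum          # per DC: largest replication delta and failed/total attempts
dcdiag /test:dns /v        # per DC: DNS registration, forwarders, delegations, dynamic updates

# Replication that has failed for longer than the tombstone lifetime (TSL) cannot simply be
# restarted: the partner no longer knows which deletions it missed (lingering objects).
# This flags any partner past that threshold, which a /replsum fail count alone does not show.
function Get-StaleReplicationPartner {
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $tsl = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }   # attribute absent on forests created before 2003 SP1: 60 days
    $cutoff = (Get-Date).AddDays(-$tsl)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                        -PartitionFilter * -ErrorAction Stop
        } catch {
            # an unreachable DC is itself a finding, not something to skip silently
            [pscustomobject]@{ Server = $dc.HostName; Partner = '-'; Partition = '-'
                               LastSuccess = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }
        foreach ($m in $meta) {
            # Partner is a DN of the form CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,...
            $partnerName = ($m.Partner -split ',')[1] -replace '^CN='
            $status = if ($m.LastReplicationSuccess -lt $cutoff) { "PAST TSL ($tsl days)" }
                      elseif ($m.LastReplicationResult -ne 0)    { "FAILING (error $($m.LastReplicationResult))" }
                      else                                        { 'OK' }
            [pscustomobject]@{ Server = $dc.HostName; Partner = $partnerName; Partition = $m.Partition
                               LastSuccess = $m.LastReplicationSuccess; Status = $status }
        }
    }
}
Get-StaleReplicationPartner | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# "Does this remote site have its own site?" A subnet that is not attached to a site sends
# its clients to any DC in the domain, usually one at the far end of the WAN link.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name,
        @{ n = 'Site'; e = { if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '(none)' } } } |
    Sort-Object Site | Format-Table -AutoSize
```

Anything reported as PAST TSL is exactly the case where demotion and metadata cleanup, rather than fixing the link, becomes the answer; a partner that only shows FAILING is usually still recoverable by fixing DNS or connectivity.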
Let's start from scratch here:

I'm going to assume you're dealing with 2 networks (questions below):

-Main office/site
-A remote site

The users from the remote site cannot get to resources at the main site. Let's narrow this down a bit. First we need to troubleshoot connectivity and DNS name resolution:

1)  Does the remote site have a DNS server for all the clients at the remote site, or does it rely on a DNS server that is at the main site?
2)  Can you ping the DNS server by IP address?
3)  What are the results of an NSLOOKUP to the server hosting the resources you're trying to access?
4)  Can you ping the server hosting the resources via IP address? If not, can you ping any endpoints at the main site from the remote site?
5)  If you can ping the server, can you access the shares via IP address instead of name?
6)  Does the remote site have its own domain controller at the remote site, or does it depend on DC(s) at the main site?
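The six questions above turned into a script that a client at the remote site can run and paste back. This is an added example, not code from the commenter; the domain corp.example.com, the file server fs01.corp.example.com and the share name Data are assumptions, and the DnsClient/NetTCPIP cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the comment above: the six questions as one script run on a client
# at the remote site. Assumed names: domain corp.example.com, file server fs01.corp.example.com
# with a share called Data. Needs Windows 8 / Server 2012 or later for the DnsClient and
# NetTCPIP cmdlets.
function Test-RemoteSiteAccess {
    param(
        [string]$Domain     = 'corp.example.com',
        [string]$FileServer = 'fs01.corp.example.com',
        [string]$Share      = 'Data'
    )
    $r = [ordered]@{}

    # Q1: which DNS servers is the client configured with? Anything other than an internal
    #     DC/DNS server (an ISP resolver, the router) cannot answer for the AD zone.
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
    $r.DnsServers = $dns -join ', '

    # Q2: are those DNS servers reachable by IP, and is something answering on port 53?
    $r.DnsPing  = [bool]$dns -and
                  (($dns | ForEach-Object { Test-Connection $_ -Count 1 -Quiet }) -notcontains $false)
    $r.DnsTcp53 = [bool]$dns -and
                  (($dns | ForEach-Object {
                      (Test-NetConnection $_ -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
                  }) -notcontains $false)

    # Q3: what does NSLOOKUP return for the server, and for the DC locator records that
    #     domain logon and Group Policy depend on? -DnsOnly bypasses the local cache and hosts file.
    $a   = Resolve-DnsName $FileServer -Type A -DnsOnly -ErrorAction SilentlyContinue
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue
    $ip  = ($a | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
    $r.ServerResolvesTo = if ($ip) { $ip } else { '(no answer)' }
    $r.DcSrvRecords     = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '

    # Q4: IP reachability to the server, and to SMB in particular: ICMP can be open across the
    #     WAN while TCP 445 is filtered, which looks like "DNS is broken" from the user's side.
    if ($ip) {
        $r.ServerPing   = Test-Connection $ip -Count 2 -Quiet
        $r.ServerSmb445 = (Test-NetConnection $ip -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
        # Q5: share by IP versus by name. By IP, SMB falls back to NTLM; by name it uses
        #     Kerberos. "IP works, name fails" therefore points at Kerberos/SPN/secure-channel
        #     trouble rather than at routing or DNS.
        $r.ShareByIP = Test-Path "\\$ip\$Share"
    }
    $r.ShareByName = Test-Path "\\$FileServer\$Share"

    # Q6: which DC did this client actually bind to, and which site does it think it is in?
    #     A logon server at the main site, on a client that should have a local DC, means the
    #     remote site or its subnet is missing in AD Sites and Services.
    $r.LogonServer = $env:LOGONSERVER
    $r.ClientSite  = (nltest /dsgetsite 2>$null | Select-Object -First 1)

    [pscustomobject]$r
}

Test-RemoteSiteAccess | Format-List
```

Read the output top to bottom: the first failing row is the layer to fix, and a run where everything succeeds except ShareByName is the Kerberos case the original poster was leaning towards.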

Sandeshdubey (Senior Server Engineer) commented:
Please provide us with more information about the environment: how many DCs do you have?
Does the remote site have DCs too?

I would recommend checking the health of the DCs first; the error you posted is related to a broken secure channel. If there is no DC in the remote site, you can try rejoining the machine to the domain.

If there is a DC, then try opening the UNC path to access the SYSVOL share, e.g. \\Dcname. If you are getting "target principal name incorrect" or "access denied", then the secure channel is broken.

Refer to the link below if the secure channel of the DC is broken:

Ensure correct DNS settings on clients and DCs as in this:

Please post the dcdiag /q and repadmin /replsum output too.
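The secure-channel check from the answer above, as an added PowerShell example that is not the answerer's own script: it opens SYSVOL by name, pulls the Kerberos event 4 and Group Policy event 1058 entries from the original question out of the System log, verifies the channel with nltest, and repairs it in the way appropriate to the machine (a member versus a DC, which must not use the same repair). The names rdc1.corp.example.com (remote-site DC), dc1.corp.example.com (healthy main-site DC) and corp.example.com are assumptions.

```powershell
# Added example, not from the answer above. Assumed names: remote-site DC rdc1.corp.example.com,
# healthy main-site DC dc1.corp.example.com, domain corp.example.com. Run elevated on the
# machine whose channel you suspect; the repair steps need Domain Admin credentials.
$Domain   = 'corp.example.com'
$RemoteDc = "rdc1.$Domain"
$MainDc   = "dc1.$Domain"

# 1. The test the answer describes: open the DC's SYSVOL share by name. Name-based access uses
#    Kerberos, so a stale machine-account password or wrong SPN surfaces as
#    "The target principal name is incorrect" (KRB_AP_ERR_MODIFIED) or "Access is denied".
try   { $null = Get-ChildItem "\\$RemoteDc\SYSVOL" -ErrorAction Stop; "SYSVOL on $RemoteDc by name: OK" }
catch { "SYSVOL on $RemoteDc by name: $($_.Exception.Message)" }

# The same failure as written to the System log: Kerberos event 4 (the ticket the client
# presented could not be decrypted by the target) and, downstream of it, Group Policy event
# 1058 (gpt.ini in SYSVOL unreadable).
foreach ($q in @{ ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 },
               @{ ProviderName = 'Microsoft-Windows-GroupPolicy';       Id = 1058 }) {
    $q.LogName   = 'System'
    $q.StartTime = (Get-Date).AddDays(-1)
    Get-WinEvent -FilterHashtable $q -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 2. Query and verify the secure channel. /sc_query shows which DC the channel is bound to;
#    /sc_verify additionally re-authenticates over it.
nltest /sc_query:$Domain
nltest /sc_verify:$Domain

# 3. Repair, which differs between a member (client or server) and a DC.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole   # 1/3 = member, 4/5 = DC
if (-not (Test-ComputerSecureChannel)) {
    if ($role -lt 4) {
        # Member: -Repair resets the machine-account password on both sides, the in-place
        # equivalent of the "rejoin the machine to the domain" the answer suggests.
        Test-ComputerSecureChannel -Repair -Server $MainDc -Credential (Get-Credential "$Domain\Administrator")
    } else {
        # DC: its machine-account password is replicated, so reset it with netdom against a
        # healthy DC rather than with -Repair. Stop the KDC first and purge cached tickets so
        # this DC stops issuing tickets under the old key, then restart the KDC.
        Stop-Service kdc
        klist purge
        netdom resetpwd /server:$MainDc /userd:"$Domain\Administrator" /passwordd:*
        Start-Service kdc
    }
}
```

Run the SYSVOL test and the event query before any repair, and again afterwards: the event 4 entries should stop appearing once the channel is healthy, and 1058 clears on the next Group Policy refresh (gpupdate /force).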
IDMA (Author) commented:
Thank you all for the input. I ended up reaching out to MS support since the number of errors was too great and time is $$$...
Anyway, it was determined that 2 of the DCs had gone into a tombstone state, and the best solution from MS was to demote and re-promote each DC again.

I am actually working on this today and will post the outcome later.
IDMA (Author) commented:
Had to reach out to Microsoft Support