Domain Controller.


We have an Active Directory Domain Controller installed on Windows Server 2008 R2 in our office with the domain name jbboda.local, where hostname JBBDC-1 is the primary domain controller and hostname JBBDC-2 is the backup domain controller. A few days ago our primary DC, JBBDC-1, went down due to hardware failure. To restore the domain services we seized the FSMO roles and tried to do a metadata cleanup through the command prompt, but we did not find the broken JBBDC-1 in the list. To clear the metadata we deleted JBBDC-1 from the Active Directory Users and Computers > Domain Controllers list, from Active Directory Sites and Services, and the DNS entries related to JBBDC-1, using the GUI.

To verify that the FSMO role seizure completed successfully, we used nltest /dclist:jbboda.local and netdom query fsmo.

Output: nltest /dclist:jbboda.local
Get list of DCs in domain 'jbboda.local' from '\\JBBDC-2.jbboda.local'.
    JBBDC-2.jbboda.local [PDC]  [DS] Site: Site1
The command completed successfully

Output: netdom query fsmo
Schema master                  JBBDC-2.jbboda.local
Domain naming master            JBBDC-2.jbboda.local
PDC                        JBBDC-2.jbboda.local
RID pool manager            JBBDC-2.jbboda.local
Infrastructure master            JBBDC-2.jbboda.local
The command completed successfully.

We logged in as the local administrator, changed the primary DNS IP, and ran ipconfig /flushDNS on all client systems.

After completing the above process we tried to log in with domain users, but users are still unable to log in to the domain, as it takes a very long time (around 15 to 20 minutes) at Applying Windows Settings and Applying Group Policy.

When we assign the DC1 IP to the new PDC as an alias IP, domain users are able to log in properly, but sometimes some policies do not get applied and we need to run gpupdate /force to apply them.

Can anyone help us resolve the above issue?

Ronak Sheth
System Administrator
Silcom Solutions Pvt. Ltd.

Will Szymkowski (Senior Solution Architect) commented:
If you had to manually seize the roles to a backup DC then what you probably should check is your SRV records in DNS. These will not get cleaned up automatically if the DC was not removed gracefully.

Do the following...
- open DNS Manager
- Expand Forward Lookup Zone, Expand _msdcs.domain.local
- Expand all of the folders dc, domains, gc, and pdc
- Make sure that there are no service records that are still pointing to the failed DC
- If you do see SRV records that are pointing to the failed DC, you can simply delete them.
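A scripted version of that check, added here as an example and not part of Will's answer: it walks the _msdcs tree (and the domain zone, for the case where _msdcs is only a subdomain) and reports every SRV, CNAME, NS and A record that still names the failed DC, which goes a little beyond the SRV records alone. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); the DC and zone names are this thread's, and the script file name is invented.

```powershell
# Added example, not from the thread: find DNS records that still name a DC
# that was removed unclean. Requires the DnsServer module (Server 2012+ / RSAT);
# save as Find-StaleDcRecords.ps1 and run on or against the DNS server.
param(
    [string]$DnsServer  = 'JBBDC-2',
    [string]$DomainZone = 'jbboda.local',
    [string]$FailedDc   = 'JBBDC-1'
)
Import-Module DnsServer

# _msdcs is normally its own zone, but may also live as a subdomain of the domain zone.
$zones      = @("_msdcs.$DomainZone", $DomainZone)
$failedFqdn = "$FailedDc.$DomainZone".ToLower()
$stale      = @()

foreach ($zone in $zones) {
    foreach ($type in 'Srv', 'Cname', 'Ns', 'A') {
        try {
            $records = Get-DnsServerResourceRecord -ComputerName $DnsServer `
                -ZoneName $zone -RRType $type -ErrorAction Stop
        } catch { continue }   # zone or record type absent on this server
        foreach ($r in $records) {
            # The field that names the DC differs per record type.
            $target = switch ($type) {
                'Srv'   { $r.RecordData.DomainName }
                'Cname' { $r.RecordData.HostNameAlias }     # GUID CNAME under _msdcs
                'Ns'    { $r.RecordData.NameServer }
                'A'     { $r.RecordData.IPv4Address.IPAddressToString }
            }
            $targetMatches = "$target".ToLower().TrimEnd('.') -eq $failedFqdn
            $ownerMatches  = $r.HostName -eq $FailedDc          # the DC's own A record
            if ($targetMatches -or $ownerMatches) {
                $stale += [pscustomobject]@{
                    Zone = $zone; Name = $r.HostName; Type = $type; Target = $target
                }
            }
        }
    }
}

if ($stale.Count -eq 0) {
    "No records in $($zones -join ', ') reference $failedFqdn."
} else {
    $stale | Format-Table -AutoSize
    # Verify each entry, then delete it with Remove-DnsServerResourceRecord (-ZoneName, -RRType, -Name).
}
```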

Sandeshdubey (Senior Server Engineer) commented:
To start with, can you post the dcdiag /q output of the current DC? Check the event log too for any errors and warnings. Check the SYSVOL folder content: the policy and script folders should be present.

Ensure that the client DNS settings point to the online DC and that no public IP address is configured as a DNS server.
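An added example (not part of Sandesh's comment) that runs the client-side part of this advice on a workstation: it flags DNS server entries that are public addresses or are not a live DC, and confirms the SYSVOL Policies and scripts folders are reachable. The DC address list is a constructed placeholder to be replaced with JBBDC-2's address, and WMI is used so it also runs under PowerShell 2.0 on Windows 7 / Server 2008 R2.

```powershell
# Added example, not from the thread: audit a client's DNS server list against
# the live DCs and confirm the SYSVOL folders Group Policy needs are reachable.
# Uses WMI so it runs under PowerShell 2.0 on Windows 7 / Server 2008 R2.
param(
    [string[]]$DcAddresses = @('192.0.2.10'),   # placeholder; put JBBDC-2's real IP here
    [string]$Domain = 'jbboda.local'
)

function Test-PrivateIPv4([string]$Ip) {
    # True for RFC 1918 addresses; anything else is treated as a public/ISP resolver.
    $b = $Ip.Split('.') | ForEach-Object { [int]$_ }
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

$problems = @()
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    if ($servers.Count -eq 0) {
        $problems += "$($nic.Description): no DNS servers configured"
        continue
    }
    foreach ($s in $servers) {
        if ($s -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # skip IPv6 entries
        # The first entry answers the SRV lookups a logon depends on, so it matters most.
        $role = if ($s -eq $servers[0]) { 'primary' } else { 'secondary' }
        if (-not (Test-PrivateIPv4 $s)) {
            $problems += "$($nic.Description): $role DNS $s is a public address"
        } elseif ($DcAddresses -notcontains $s) {
            $problems += "$($nic.Description): $role DNS $s is not a live DC (stale entry?)"
        }
    }
}

# Group Policy processing reads policies and logon scripts from SYSVOL.
foreach ($sub in 'Policies', 'scripts') {
    $path = "\\$Domain\SYSVOL\$Domain\$sub"
    if (-not (Test-Path $path)) { $problems += "SYSVOL path missing or unreachable: $path" }
}

if ($problems.Count -eq 0) { "DNS settings and SYSVOL look correct on $env:COMPUTERNAME" }
else { $problems }
```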
silcom (Author) commented:

I have cross-verified that there are no SRV records in the DNS server; also, please find the dcdiag logs attached.

Still, some policies are not getting applied to some computers.

Ronak Sheth
Sandeshdubey (Senior Server Engineer) commented:
The dcdiag output indicates that the health of the DC is good, but in the system log there are errors reported which need to be fixed. One thing to look at is this error: "A duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data."

It seems that the DC IP address is assigned to some other workstation/server. This will cause name resolution issues, etc.
silcom (Author) commented:

How do I identify which is the duplicate name in the network? As per the dcdiag logs, I have executed the command nbtstat -n and the output is as below:

Local Area Connection:
Node IpAddress: [] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    JBBDC-2        <00>  UNIQUE      Registered
    JBBODA         <00>  GROUP       Registered
    JBBODA         <1C>  GROUP       Registered
    JBBDC-2        <20>  UNIQUE      Registered
    JBBODA         <1B>  UNIQUE      Registered
    JBBODA         <1E>  GROUP       Registered
    JBBODA         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

I have also verified the event log; it states the same: "A duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state." with Event ID 4319.
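An added example (not from the thread) that follows the event text above: it parses nbtstat -n into objects, reports any name whose status is Conflict rather than Registered, and lists recent NetBT 4319 events so their times can be correlated with other logs. The function names are invented for this example; it runs under PowerShell 2.0 on Server 2008 R2.

```powershell
# Added example, not from the thread: parse "nbtstat -n" into objects, report any
# name in the Conflict state, and list recent NetBT 4319 events for correlation.
function Get-NbtLocalNames {
    param([string[]]$Lines)
    # Rows look like "JBBDC-2  <00>  UNIQUE  Registered"; the browser row has no
    # space before <01>, so the name capture is lazy. Header lines do not match.
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)') {
            New-Object PSObject -Property @{
                Name = $matches[1]; Suffix = $matches[2].ToUpper()
                Type = $matches[3]; Status = $matches[4]
            }
        }
    }
}

function Get-NbtConflicts {
    param([string[]]$Lines)
    Get-NbtLocalNames $Lines | Where-Object { $_.Status -eq 'Conflict' }
}

$raw       = nbtstat -n
$names     = @(Get-NbtLocalNames $raw)
$conflicts = @(Get-NbtConflicts $raw)

"Names registered on ${env:COMPUTERNAME}: " +
    (($names | ForEach-Object { "$($_.Name)<$($_.Suffix)>" }) -join ', ')
if ($conflicts.Count -gt 0) {
    "Names in CONFLICT (another host on the network claims them):"
    $conflicts | Format-Table Name, Suffix, Type, Status -AutoSize
} else {
    "No name is in conflict right now; check the events below for when duplicates were reported."
}

# Event 4319 says the sender's IP is in the event's binary data; listing the events
# by time lets that report be matched against DHCP leases or switch logs.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NetBT'; Id = 4319 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```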