Please don't post the first google search results you find, we're looking for a little more personal of a diagnosis and answer.
The scope of this question is aimed at being able to add an additional domain controller to our existing domain.
This is a single domain in a single forest. We have two domain controllers (GC) that seem to be functional for the most part but some things seem haunted. The domain is at "Server 2008" functional level. One domain controller is server 2008, the other is server 2008 R2.
When trying to dcpromo a member server up to a DC, it asks for credentials over and over with "The operation failed because a domain controller could not be contacted for the domain domain.com that contained an account for this computer. make the computer a member of a workgroup then rejoin the domain before retrying the promotion - access is denied". Behind the scenes, the debug log shows "Failed to find a DC for domain domain.com"
Note that it doesn't necessarily matter WHICH server we try to dcpromo up, ALL of them have the same issue as above... we have disjoined/renamed/rejoined
one of them several times with no change.
I have attached a text document with ipconfig /all from each server, dcdiag's from each, repadmin's from each, the dcpromo debug log, and netdom query fsmo.
Some other weird symptoms that may or may not be related:
- a newly created VM server fully a domain member refuses to get any group policies applied
- sometimes users who remote desktop to server.domain.com get error messages locally about the server not containing a workstation entry for their local machine (which it shouldnt), other times it just says "the logon attempt failed". BUT if they remote desktop to the public ip address, it works. these workstations are NOT on the local network of the servers, they are across the internet coming in public.
- one GPO repeatedly fails as 'invalid entry', while it worked fine for years
- every 15 minutes or so, many kerberos errors in the system event logs, regarding preauth failure