Domain Controller not functioning properly.

Dear Experts,

I am having an issue logging on to the domain from domain servers. I couldn't log on to a domain member when my additional domain controller was powered off, even though the PDC (where the FSMO roles are currently running) is online. It came up with the error "logon servers not available". Even another additional domain controller that was recently created couldn't log on to itself. Once the earlier ADC was put back online, logon is possible. I noticed that only yesterday, when I tried to move the ADC virtual machine to another Hyper-V host.

One more previous action I would like to explain here: earlier the PDC was a bare-metal server; it was recently changed to a virtual server and all roles were transferred to the current PDC (currently virtual). The ADC was virtual before that and is still virtual.

What could be the issue? Why is the domain still pointed to the ADC when the PDC with all FSMO roles is online? Please help me to rectify it.

Thanks
Shamil
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Asked:
albatros99 Commented:
First run DCDIAG on the new domain controller to see if it's in a healthy state. This could be anything from replication not working to DNS issues.
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
OK. I will get back to you with the result.
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Here I am pasting the dcdiag result. Please have a look.



Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = dc01

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\DC01

      Starting test: Connectivity

         ......................... DC01 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\DC01

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\adcsvr.hgpt.my, when

         we were trying to reach DC01.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... DC01 failed test Advertising

      Starting test: FrsEvent

         ......................... DC01 passed test FrsEvent

      Starting test: DFSREvent

         ......................... DC01 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC01 passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC01 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC01 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\DC01\netlogon)

         [DC01] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... DC01 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC01 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC01 passed test Replications

      Starting test: RidManager

         ......................... DC01 passed test RidManager

      Starting test: Services

         ......................... DC01 passed test Services

      Starting test: SystemLog

         ......................... DC01 failed test SystemLog

      Starting test: VerifyReferences

         ......................... DC01 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : hgpt

      Starting test: CheckSDRefDom

         ......................... hgpt passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... hgpt passed test CrossRefValidation

   
   Running enterprise tests on : hgpt.my

      Starting test: LocatorCheck

         ......................... hgpt.my passed test LocatorCheck

      Starting test: Intersite

         ......................... hgpt.my passed test Intersite
dcdiag.txt
albatros99 Commented:
This DC is not sharing out SYSVOL and is not advertising as a DC. It is likely it will not be used by clients when trying to discover a domain controller. Hence, the reason why clients default to the other DC. Basically, you'll need to dig into the directory service event logs to find out why it's not working. Or, since it's not working anyway consider demoting / repromoting the DC role.
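
An added example, not part of the original thread: a PowerShell function that reduces dcdiag text output like the report above to its failed tests and the message lines printed before each result. The sample lines are copied from that report, and the name Get-DcDiagSummary is made up for this example.

```powershell
# Added example: Get-DcDiagSummary is a made-up name, not a built-in cmdlet.
function Get-DcDiagSummary {
    param([string[]]$Lines)
    $results = @(); $detail = @(); $pending = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($pending) {
            # dcdiag wrapped "passed test <name>": the test name is on this line
            $pending.Test = $line; $results += $pending; $pending = $null
            continue
        }
        if ($line -match '^Starting test:') { $detail = @(); continue }
        if ($line -match '^\.{5,}\s*(\S+) (passed|failed) test\s*(\S*)$') {
            $r = [pscustomobject]@{ Target = $Matches[1]; Test = $Matches[3]
                                    Result = $Matches[2]; Detail = $detail -join ' ' }
            if ($r.Test) { $results += $r } else { $pending = $r }
            $detail = @(); continue
        }
        $detail += $line   # warning/error text printed before the result line
    }
    $results
}

# Sample input: lines copied from the dcdiag report posted above.
$sample = @'
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\adcsvr.hgpt.my, when
         we were trying to reach DC01.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC01 failed test Advertising
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC01\netlogon)
         ......................... DC01 failed test NetLogons
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
'@ -split "`r?`n"

Get-DcDiagSummary -Lines $sample | Where-Object Result -eq 'failed' |
    Format-List Target, Test, Detail
```

For a saved report, pass `Get-Content dcdiag.txt` as `-Lines` instead of the sample.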
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
OK, I will try to repromote one of my additional domain controllers and will update you. But there are still 2 more additional DCs to rectify for the same issue.
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Dear Fellows,

Even after repromoting, I am receiving the same advertising error. What could be the issue? Any idea?

Sysvol not replicating, FRS failed, Netlogon failed. Please help me to troubleshoot.

I have attached the dcdiag output and the dcdiag /v output here as well.

dcdiagrepromote-v.txt
dcdiagrepromote.txt
Mahesh, Architect, Commented:
Run the command below on all domain controllers one by one:
netdom query fsmo

Check whether the output is similar on all DCs.

Also run the net share command on all DCs and verify that sysvol and netlogon are shared out; if not, you probably need to do an authoritative and non-authoritative restore of sysvol. Follow the article below:
https://support.microsoft.com/en-us/kb/290762 - if you have FRS service enabled on DCs
OR
http://www.experts-exchange.com/articles/17360/Active-Directory-DFSR-Sysvol-Authoritative-and-Non-Authoritative-Restore-Sequence.html - If you have DFSR Sysvol

In _msdcs.domain.com, ensure that CNAME records for all DCs are present and that they resolve to the proper host and IP.

You may check the article below to validate DC health:
http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28672020.html
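
An added example, not from the original answer: the three checks above gathered for every DC in one read-only pass. It assumes the ActiveDirectory RSAT module and Resolve-DnsName are available, asks each DC for its FSMO view with Get-ADDomain/Get-ADForest -Server instead of running netdom query fsmo on each one, and tests the share UNC paths instead of reading net share output.

```powershell
# Added example: read-only checks, run from a machine with RSAT installed.
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # FSMO role holders as this particular DC sees them
        $d = Get-ADDomain -Server $name -ErrorAction Stop
        $f = Get-ADForest -Server $name -ErrorAction Stop
        $fsmo = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster,
                  $f.SchemaMaster, $f.DomainNamingMaster) -join '; '
    } catch { $fsmo = "query failed: $($_.Exception.Message)" }

    # Each DC registers <NTDS Settings objectGUID>._msdcs.<forest root> as a CNAME
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $cname = Resolve-DnsName -Name "$($dsaGuid)._msdcs.$forestRoot" -Type CNAME `
                 -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'CNAME' | Select-Object -First 1
    $addr = if ($cname) {
        (Resolve-DnsName -Name $cname.NameHost -Type A -ErrorAction SilentlyContinue).IPAddress
    }

    [pscustomobject]@{
        DC          = $name
        SysvolShare = Test-Path "\\$name\SYSVOL"     # is the share reachable?
        Netlogon    = Test-Path "\\$name\NETLOGON"
        CnameTarget = $cname.NameHost                 # empty if the record is missing
        CnameIP     = $addr -join ','
        ExpectedIP  = $dc.IPv4Address
        FsmoView    = $fsmo
    }
}
$report | Format-List
if (@($report.FsmoView | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'The DCs do not agree on the FSMO role holders.'
}
```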

Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Dear Mahesh Bhai,

Thanks for your help. Please help me out of this trouble.

How do I check whether it is currently DFSR Sysvol or FRS Sysvol?

Both DCs are Windows Server 2012. I have attached a picture here for reference.

DFS Mgmt
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Dear Mahesh,

At step 9 I am having an issue: I didn't get event log ID 4602. I have attached the pics here for reference.
step9
eventresult
What should I do? Please advise me.

Shamil
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Also, I am receiving another DC (dc01) as offline.

dcoffiline
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
One more error I noticed on the DC (which is holding FSMO):

error
Mahesh, Architect, Commented:
You have got DFSR Sysvol.

Your problem is that DFSR Sysvol replication is stopped on the server where you got event ID 2213.

Is this DC the PDC?

You need to either enable replication of DFSR on this server
https://support.microsoft.com/en-us/kb/2846759 - Follow recovery steps in this article
Also create the registry entry mentioned in the article on all 2012 DCs

OR

You need to do a sysvol authoritative restore on the PDC followed by a non-authoritative restore on all other DCs.
You can follow my EE article posted earlier for that.
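
An added example, not from the original answer: a read-only query of each DC's DFS Replication event log for the two event IDs discussed in this thread, 2213 and 4602, with dfsrmig /getglobalstate shown first for the earlier FRS-or-DFSR question. It assumes the ActiveDirectory module and remote event log access to each DC.

```powershell
# Added example: reports only, changes nothing on the DCs.
Import-Module ActiveDirectory

# SYSVOL migration state for the domain; 'Eliminated' means SYSVOL uses DFSR.
dfsrmig /getglobalstate

$status = foreach ($dc in Get-ADDomainController -Filter *) {
    # Newest events come first; no match or an unreachable DC leaves $events empty.
    $events = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213, 4602 })
    $stopped = $events | Where-Object Id -eq 2213 | Select-Object -First 1
    $primary = $events | Where-Object Id -eq 4602 | Select-Object -First 1
    [pscustomobject]@{
        DC        = $dc.HostName
        Reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
        Last2213  = $stopped.TimeCreated
        Last4602  = $primary.TimeCreated
        # Only meaningful on the DC where the authoritative restore was run
        # (the PDC in this thread): has 4602 been logged since the last 2213?
        Has4602After2213 = [bool]$primary -and
            (-not $stopped -or $primary.TimeCreated -gt $stopped.TimeCreated)
    }
}
$status | Sort-Object DC | Format-Table -AutoSize
```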
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Event 2213 appeared on both servers. Adsiedit.msc only works on the PDC. On the ADC, when I tried adsiedit.msc, the DC status shows "unavailable".

I followed your article. But in step 9 I didn't get that event ID 4602.

Please advise me. Thank you.
Mahesh, Architect, Commented:
So you have tried authoritative restore on PDC?

Please try all steps on the PDC first.
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Up to step 9 I did. After that I noticed about the event 4602.

Anyway, let me try once more. Thank you.
Mahesh, Architect, Commented:
OK
As per the article, you need to do an authoritative restore on the PDC and a non-authoritative restore on the other ADCs;
steps 10 to 13 need to be followed on the ADCs.
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author Commented:
Bro,

Before I go on working based on the article, can you please check the dcdiag /v report of the PDC again, whether it's healthy or not?

Here in the file, the server name adcsvr is my current PDC (which has all FSMO roles).

Thank you.
pdc.txt
showrepl.txt