2012 R2 Domain Controller - Kerberos Auth and Trust Relationships

I had this question after viewing Netlogon service periodically going into Pause state on DC.

We're seeing several machines randomly losing trust with the domain, even a member server this morning. Started happening just today. Didn't perform any weird functions in recent days on the domain controllers or in DNS, but nonetheless...

The above article was not specifically about Windows 2012 R2, but all of my DC's are 2012R2.
I do have the following key in the registry on the PDC Emulator:
> Dsa Not Writeabe > Reg_Dword > (4)

Unable to currently gracefully transfer roles to the other DC. Other DC does NOT have the same reg value.

From this info, it seems like I should perform, in this order:
1) Forceful removal of DC1
2) Perform metadata cleanup using ntdsutil on DC2
3) Seize FSMO roles on DC2
4) DC Promo DC1 to bring it back up as a DC

Does that seem correct?
Chad VollerAsked:
Who is Participating?
Radhakrishnan RConnect With a Mentor Senior Technical LeadCommented:

You need to perform the following steps;

1) Seize the fsmo roles to the second server
2) Remove CA role (if it present) (take backup of CA before removing it).
3) Remove ad domain service roles (perform force removal)
4) Reboot the server
5) Perform metadata cleanup to remove broken entries of failed server
6) Clear out all the DNS entries from the console
7) Join back the server into domain
8) Install domain services role and promoted the server as DC
9) Transfer back all the FSMO roles
10) Install CA role and restore the certificates.

Good luck
Chad VollerAuthor Commented:
Thanks... backed up CA, removed it, now forcing removal of AD DS...

When you say clear out all DNS entries from console... you mean using the DNS mmc and deleting zones?
Not sure I follow you there.
Radhakrishnan RSenior Technical LeadCommented:

Even though you remove the DS role, still the DNS entries of the failed DC will be present in DNS zone's (you need to expand each zone and delete the corresponding entries). Yes, from DNS management console.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Chad VollerAuthor Commented:
After forcing removal and performing metadata cleanup, I am unable to rejoin the domain using the same hostname.
Can't find the machine in AD, but the join wizard says the machine already exists. OY
Chad VollerAuthor Commented:
Holy heck, this thing came back up and still had all the roles on it! After forcing removal and seeing successful results.
Radhakrishnan RSenior Technical LeadCommented:
Did you deleted all the DNS entries for this server before joining it to the domain?
Chad VollerAuthor Commented:
I did delete all DNS entries before joining. In fact, after expanding every zone, there were no entries in any of them.

I'm unable to restore the CA for the following reason:

"The common name of the restored CA certificate does not match... "
Radhakrishnan RSenior Technical LeadCommented:

I suspect something isn't right here. What's the output you get when you trigger netdom query fsmo from second server?

Did you renamed the first server just before when you weren't able to join domain?
Chad VollerAuthor Commented:
I get the expected output from that query. Since I transferred back some roles via the GUI with success:

Schema master dc02
domain naming master dc02
pdc dc01
rid master dc01
infra master dc02

Haven't transferred back the domain naming or schema master roles yet. Maybe I should.

I renamed before joining the domain, and then again after joining the domain.
Wasn't able to rejoin the domain under the original name, so I renamed to dc03.
Then joined as member server.
Then renamed to dc01, rebooted.
Then promoted to domain controller
Chad VollerAuthor Commented:
I don't have the same errors as before, and I do have replication between domain controllers... the trust relationship thing isn't spreading like wildfire, and seems to have cooled off for now. Had to reset another of the same computer accounts from earlier today and remove/readd to the domain (just a member workstation)... so I'm not sure what to think at this point.
Chad VollerAuthor Commented:
Thanks for the assist!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.