2012 R2 Domain Controller - Kerberos Auth and Trust Relationships

I had this question after viewing Netlogon service periodically going into Pause state on DC.

We're seeing several machines randomly losing trust with the domain, even a member server this morning. Started happening just today. Didn't perform any weird functions in recent days on the domain controllers or in DNS, but nonetheless...

The above article was not specifically about Windows 2012 R2, but all of my DC's are 2012R2.
I do have the following key in the registry on the PDC Emulator:
> Dsa Not Writeabe > Reg_Dword > (4)

Unable to currently gracefully transfer roles to the other DC. Other DC does NOT have the same reg value.

From this info, it seems like I should perform, in this order:
1) Forceful removal of DC1
2) Perform metadata cleanup using ntdsutil on DC2
3) Seize FSMO roles on DC2
4) DC Promo DC1 to bring it back up as a DC

Does that seem correct?
Chad VollerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Radhakrishnan RSenior Technical LeadCommented:

You need to perform the following steps;

1) Seize the fsmo roles to the second server
2) Remove CA role (if it present) (take backup of CA before removing it).
3) Remove ad domain service roles (perform force removal)
4) Reboot the server
5) Perform metadata cleanup to remove broken entries of failed server
6) Clear out all the DNS entries from the console
7) Join back the server into domain
8) Install domain services role and promoted the server as DC
9) Transfer back all the FSMO roles
10) Install CA role and restore the certificates.

Good luck

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Chad VollerAuthor Commented:
Thanks... backed up CA, removed it, now forcing removal of AD DS...

When you say clear out all DNS entries from console... you mean using the DNS mmc and deleting zones?
Not sure I follow you there.
Radhakrishnan RSenior Technical LeadCommented:

Even though you remove the DS role, still the DNS entries of the failed DC will be present in DNS zone's (you need to expand each zone and delete the corresponding entries). Yes, from DNS management console.
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

Chad VollerAuthor Commented:
After forcing removal and performing metadata cleanup, I am unable to rejoin the domain using the same hostname.
Can't find the machine in AD, but the join wizard says the machine already exists. OY
Chad VollerAuthor Commented:
Holy heck, this thing came back up and still had all the roles on it! After forcing removal and seeing successful results.
Radhakrishnan RSenior Technical LeadCommented:
Did you deleted all the DNS entries for this server before joining it to the domain?
Chad VollerAuthor Commented:
I did delete all DNS entries before joining. In fact, after expanding every zone, there were no entries in any of them.

I'm unable to restore the CA for the following reason:

"The common name of the restored CA certificate does not match... "
Radhakrishnan RSenior Technical LeadCommented:

I suspect something isn't right here. What's the output you get when you trigger netdom query fsmo from second server?

Did you renamed the first server just before when you weren't able to join domain?
Chad VollerAuthor Commented:
I get the expected output from that query. Since I transferred back some roles via the GUI with success:

Schema master dc02
domain naming master dc02
pdc dc01
rid master dc01
infra master dc02

Haven't transferred back the domain naming or schema master roles yet. Maybe I should.

I renamed before joining the domain, and then again after joining the domain.
Wasn't able to rejoin the domain under the original name, so I renamed to dc03.
Then joined as member server.
Then renamed to dc01, rebooted.
Then promoted to domain controller
Chad VollerAuthor Commented:
I don't have the same errors as before, and I do have replication between domain controllers... the trust relationship thing isn't spreading like wildfire, and seems to have cooled off for now. Had to reset another of the same computer accounts from earlier today and remove/readd to the domain (just a member workstation)... so I'm not sure what to think at this point.
Chad VollerAuthor Commented:
Thanks for the assist!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.