Need help with Netdom cmd and fixing replication issues on two DCs
Hello,
I am having replication issues between (our only) two domain controllers (both MS Server 2012 R2). I suspect the replication issues were caused by a lack of communication between them for an elongated period (issues with ARP on one server - now resolved).
Both DCs can communicate with each other - I can successfully ping the DNS names of each other.
I tried doing an authoritative restore (using this method - https://docs.microsoft.com/en-US/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization) but ran into problems when trying to force replicate (step 4) from the DC with the initial problems (DC2) - this DC is the non-authoritative one. I got an "RPC Server unavailable" error message, with further details indicating this is probably down to a DNS lookup issue.
When I run a dcdiag /test:DNS on DC2 I get failures:
----------------------------------------------------------------
[xxxxxx-DC01] LDAP bind failed with error 8341,
A directory service error has occurred.
Got error while checking if the DC is using FRS or DFSR. Error:
A directory service error has occurred. The VerifyReferences, FrsEvent and
DfsrEvent tests might fail because of this error.
----------------------------------------------------------------
DC: xxxxx-DC01.domain.net
Domain: domain.net
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
[Error details: 1396 (Type: Win32 - Description: The target account name is incorrect.) - Add connection failed]
TEST: Basic (Basc)
Error: No LDAP connectivity
Error: No WMI connectivity
[Error details: 0x800706ba (Type: HRESULT - Facility: Win32, Description: The RPC server is unavailable.) - Connection to WMI server failed]
No host records (A or AAAA) were found for this DC
----------------------------------------------------------------
When I try to go into DNS on DC2 I get an Access Denied error. In event viewer I can see lots of 4000 and 4007 errors.
I have Googled this and everything points to running the following command:
netdom resetpwd /server:<PDC.domain.com> /userd:<Domain\domain_admin> /passwordd:*
However I am a little worried about running this command - I need some help.
Does this need to be run on DC2? Do I specify DC1.domain.net in the first bracket (it is the primary DC with all the roles)? Or do I leave it as PDC.domain.net? Also, can I specify the domain admin account I am currently logged in as on DC2?
ASKER
I'm a little reluctant to demote this DC as it is the only DC in another site, in which we cannot afford any downtime.
I also suspect that demoting might not work because of the underlying DNS issues with it (?) - although I could be wrong.
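A worked PowerShell run-through of the secure-channel reset the question is asking about, added here as an editorial example; it is not code from the asker, from the thread, or from Microsoft. It assumes the names used in the question: DC01.domain.net is the healthy DC holding the FSMO roles, DC02 is the DC whose dcdiag output shows errors 8341 and 1396, and the Domain Admin account is a placeholder. It is meant to be run in an elevated PowerShell session on DC02, and it stops short of the reboot so nothing happens without the operator choosing it.

```powershell
# Added example, not from the original post. Placeholders: DC01 = healthy
# FSMO-role holder, DC02 = DC with the broken secure channel, domain.net.
# Run on DC02 (the DC whose computer-account password is being reset).

$Domain       = 'domain.net'
$GoodDC       = 'DC01.domain.net'          # netdom /server target: a WORKING DC, never DC02 itself
$ThisDC       = $env:COMPUTERNAME          # DC02, where this runs
$AdminAccount = "$Domain\adminuser"        # placeholder: any Domain Admin, the logged-on one is fine

# 1. Name resolution first. dcdiag said "No host records (A or AAAA) were found
#    for this DC". Query DC01's DNS directly: DC02's own DNS server cannot load
#    its AD-integrated zones (that is what DNS Server events 4000/4007 report)
#    because the LDAP bind to AD is failing, so asking DC02 proves nothing.
foreach ($name in @($GoodDC, "$ThisDC.$Domain")) {
    try {
        $rec = Resolve-DnsName -Name $name -Type A -Server $GoodDC -ErrorAction Stop
        '{0} -> {1}' -f $name, (($rec | Where-Object Type -eq 'A').IPAddress -join ', ')
    } catch {
        "DNS lookup of $name via $GoodDC FAILED: $($_.Exception.Message)"
    }
}

# 2. Confirm the diagnosis before touching anything. 1396 ("target account name
#    is incorrect") on the Authentication test and 8341 on the LDAP bind mean
#    DC02 can no longer authenticate to DC01 with its own computer account, i.e.
#    the secure channel is broken; "RPC server is unavailable" is the symptom,
#    not the cause. Both of these only report, they do not change anything.
nltest /sc_verify:$Domain
Test-ComputerSecureChannel -Server $GoodDC -Verbose   # $false = broken

# 3. The reset, following the documented netdom procedure for a domain
#    controller (Reset-ComputerMachinePassword / -Repair are for members;
#    on a DC use netdom). Stop the local KDC so DC02 stops issuing tickets
#    with the stale key, purge cached tickets, then reset AGAINST the healthy DC.
Stop-Service -Name kdc
Set-Service  -Name kdc -StartupType Manual
klist purge

# /server     = DC01, the DC the new password is written to (not DC02)
# /userd      = the Domain Admin account; /passwordd:* prompts for its password
#               so it never lands in the command history
netdom resetpwd /server:$GoodDC /userd:$AdminAccount /passwordd:*

# 4. Reboot DC02 so every service re-authenticates with the new key.
#    Left commented on purpose; run it yourself once step 3 reports success.
# Restart-Computer -Force

# --- after the reboot, back on DC02 ---
# Set-Service   -Name kdc -StartupType Automatic
# Start-Service -Name kdc
# dcdiag /test:Advertising /test:DNS /s:$ThisDC   # LDAP bind and A-record checks should now pass
# repadmin /showrepl $ThisDC                       # inbound replication partners
# repadmin /replsummary                            # no "largest delta" growing, no errors
```

The answers the script encodes to the three questions in the post: netdom resetpwd is run on DC02, the machine whose account password is out of sync; /server: names a healthy DC (DC01.domain.net here, not the literal PDC.domain.net placeholder and not DC02); and the account for /userd: can be the Domain Admin you are already logged on with. Run step 2 before step 3: if nltest and Test-ComputerSecureChannel both come back healthy, the problem is somewhere else and a password reset will not help.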