DC not working, netdom resetpwd not fixing it

    Question

  • We have a two domain setup that failed last week.

    The trust went down, and both domains went crazy.

    We have managed to get the domains up, mostly, and the trust back between them, but one DC just won't be happy about it.

    I have tried using the netdom resetpwd a bunch of times (it worked fine for getting other DCs in line) but it won't happen here.

    Does anyone have an idea on what I can do?

    I have a suspicion that DNS is involved in the problem, but I can't seem to find the cause.

    Oh, I have opened everything between the DC and the PDC in the firewall, and disabled firewalls on both machines, so I don't think that's the problem.

    Thanks in advance for any suggestions.

    Monday, December 19, 2016 7:30 PM

All replies

  • Hello,

    What does the eventlog/dcdiag/repadmin say? And did you try different domain controllers when using netdom to reset password?

    /\


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Monday, December 19, 2016 10:20 PM
  • Hi Jesper

    Sorry for the lack of information in the original post, I wrote that quite late my time, after 12 hours of trying to fix this.

    We have three sites, USA, Europe and Asia, with two domains.

    In the USA, one DC for domain A and one for domain B; in Europe, two DCs of each (including the FSMO role holders); and in Asia there is only one DC, for domain A.

    When everything went down, we first spent a lot of time trying to get the trust back up between the PDCs.
    And that seems to be working, at least in the Europe site. All four DCs there seem to be replicating, but there are some errors here and there, mostly related to DNS, but they are working and can authenticate between the domains and such.

    The DC in Asia, however, won't do anything.

    On to your questions:

    Asia DC, Event Viewer keeps saying event id 4 (The Kerberos client received a KRB_AP_ERR_MODIFIED). I've seen that one before and resolved it with a reset of the machine passwords, but not now.

    I am also seeing a bunch of event id 1925 (The attempt to establish a replication link for the following writable directory partition failed) and 1311 (The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.)

    DCDIAG fails to bind ldap to the PDC (error 8341), and RDC to PDC as well. Also, I'm getting a lot of replication errors ("The target principal name is incorrect").

    repadmin is also talking a lot about "The target principal name is incorrect" and "Access denied".

    I've been googling all of these errors, but everything always seems to end up with either "remove from domain and rejoin" or "netdom resetpwd".

    As for netdom resetpwd, are you suggesting running the command from the Asia DC that's bothersome to another DC, or on another DC against the Asia DC?

    Tuesday, December 20, 2016 8:04 AM
  • Ok,

    Thanks for the info. I don't quite follow though, so it might be a stupid question: is it a single forest with two domains, or is it 2x single-forest/single-domain? :)

    Don't know if it's possible to put up a single drawing?

    When using netdom, you have to do it from the dc having issues, pointing to a healthy server. I assume you also disable/stop the kdc service when using netdom..?

    /\


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Tuesday, December 20, 2016 6:16 PM
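
The procedure described in the reply above (run netdom on the DC that has the problem, point it at a healthy DC, keep the KDC service stopped), written out as an added example that is not part of the original thread. `$HealthyDC` and `$AdminAccount` are placeholders, and the two-phase script layout is an assumption made here because a restart sits in the middle of the procedure.

```powershell
# Added example, not from the thread. Run elevated ON THE BROKEN DC.
# Phase 'Reset' before the restart, phase 'Verify' after it.
param(
    [Parameter(Mandatory)][ValidateSet('Reset', 'Verify')][string]$Phase,
    [string]$HealthyDC    = 'healthy-dc.example.test',  # placeholder: a working DC in the same domain
    [string]$AdminAccount = 'EXAMPLE\admin'             # placeholder: domain admin account
)

if ($Phase -eq 'Reset') {
    # Stop the local KDC and keep it from starting at boot, so this DC has to
    # get its Kerberos tickets from another DC instead of issuing its own
    # with the stale machine account password.
    Stop-Service -Name kdc -Force
    Set-Service  -Name kdc -StartupType Disabled

    # Drop cached tickets of the local system logon session (0x3e7).
    klist.exe -li 0x3e7 purge

    # Reset this DC's machine account password against the healthy DC.
    # /passwordd:* prompts for the password instead of taking it on the command line.
    netdom.exe resetpwd /server:$HealthyDC /userd:$AdminAccount /passwordd:*
    if ($LASTEXITCODE -ne 0) {
        # Put the KDC back the way it was before giving up.
        Set-Service   -Name kdc -StartupType Automatic
        Start-Service -Name kdc
        throw "netdom resetpwd failed with exit code $LASTEXITCODE; check name resolution and connectivity to $HealthyDC"
    }

    # Restart with the KDC still disabled so the new password is used at boot.
    Restart-Computer -Force
}
else {
    # After the restart: bring the KDC back and check replication.
    Set-Service   -Name kdc -StartupType Automatic
    Start-Service -Name kdc

    repadmin.exe /showrepl          # per-partner replication status
    repadmin.exe /replsummary       # failures summarised per DC
    dcdiag.exe /test:replications   # same check from dcdiag's side
}
```

If "The target principal name is incorrect" still shows up in the `Verify` output, the results of `repadmin /showrepl` name the partner the failure is against.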
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 26, 2016 7:44 AM
    Moderator