Authentication Failure

  • Question

  • Dear Professionals,

    We have a small Windows domain for file sharing, printing and browsing the 'net, with two 2012 servers. Now we have got much stronger hardware and wanted to migrate to it (all 3 servers are physical) and get rid of the two old ones.

    I installed the new server, added all the roles and features (ADDS, DNS, DHCP, File and Storage Services, Print Services); everything looked OK, and I promoted the new server to Domain Controller.

    Now the system works fine, but still - I don't know how or why - one of the old servers is the only one which can authenticate any user, because if I switch off both old servers we cannot log on.

    I tried DCDIAG and found out that there is something wrong with the NETLOGON share/service:

    "Unable to connect to the NETLOGON share! (\\NEWSRV\netlogon)
    [NEWSRV] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... NEWSRV failed test NetLogons"

    Also in the Server Manager Dashboard I can see that the DNS is red, so I went to DNS manager and found this entry in the log:

    "The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed."

    I think these two problems are connected.

    Any idea how I can fix this? Thank you in advance!

    Wednesday, January 22, 2020 11:51 AM

All replies

  • If using FRS you can follow along here.

    https://support.microsoft.com/en-us/help/257338/troubleshooting-missing-sysvol-and-netlogon-shares-on-windows-domain-c

    or DFSR follow this one.

    https://support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, January 22, 2020 1:53 PM
  • Dear Dave,

    We used to have DFS to utilize both old servers, but decided to remove it later (we did an HDD upgrade in one), so as of now DFS is not installed on any server. So I don't know which article to follow; I tried to follow the first one and got these:

    • REPADMIN /SHOWREPS %UPSTREAMCOMPUTER% found no problems either direction
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\SysVol\DomainName key does not exist on either DC
    • SYSVOL and NETLOGON shares exist on the old server, but neither of them exists on the new one
    • I can ping both of them by name, both can resolve the FQDN to an IP; in IPCONFIG I can see the same settings (of course the own IP is different, but subnet and gateway are the same)
    • DIR \\<computername>\admin$\ntfrs\jet comes back with an error message on both DCs: "The system cannot find the file specified."
      They have \Admin$, but neither of them has \ntfrs underneath
    • C:\Windows\system32>NTFRSUTL DS <MYOLDSERVERNAME>
      ERROR - Cannot bind w/authentication to computer, <MYOLDSERVERNAME>; 000006d9 (1753)
      ERROR - Cannot bind w/o authentication to computer, <MYOLDSERVERNAME>; 000006d9 (1753)
      ERROR - Cannot RPC to computer, <MYOLDSERVERNAME>; 000006d9 (1753)
    • C:\Windows\system32>NTFRSUTL DS <MYNEWSERVERNAME>
      ERROR - Cannot bind w/authentication to computer, <MYNEWSERVERNAME>; 000006ba (1722)
      ERROR - Cannot bind w/o authentication to computer, <MYNEWSERVERNAME>; 000006ba (1722)
      ERROR - Cannot RPC to computer, <MYNEWSERVERNAME>; 000006ba (1722)

    Well, I stopped here because I don't know where to go. Can you please look into it? Thank you in advance, regards,

    Victor

    Friday, January 24, 2020 3:43 PM
  • I was talking about the built-in SYSVOL Active Directory replication. It sounded like the new server was missing the SYSVOL / NETLOGON shares?

    Regards, Dave Patrick ....

    Friday, January 24, 2020 3:56 PM
  • Correct, that is my opinion, too. But how can I re-create those?
    Friday, January 24, 2020 10:04 PM
  • If Active Directory is using FRS you can follow along here.
    https://support.microsoft.com/en-us/help/257338/troubleshooting-missing-sysvol-and-netlogon-shares-on-windows-domain-c
    or DFSR follow this one.
    https://support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares


    Regards, Dave Patrick ....

    Friday, January 24, 2020 10:08 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Vicky


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 28, 2020 1:18 AM
  • Dear Vicky,

    Thank you for checking on me.

    Well, I am stuck. I started to follow the article suggested by Dave, but then I went over to article 2218556 (because the new domain controller is waiting to perform initial synchronization). I am not sure how to proceed. I started ADSIEDIT on the new server, but I have not found the mentioned key:

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

    So, I don't know what to do.

    And also on the old DC, ADSIEDIT is totally empty. Is this normal?

    Thank you again, regards,

    Victor

    Wednesday, January 29, 2020 8:56 AM
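Dave's two KB links hinge on knowing which engine replicates SYSVOL, and the checks Victor ran (the NTFRS registry key, \admin$\ntfrs\jet, NTFRSUTL) all probe FRS. Error 1753 from NTFRSUTL is EPT_S_NOT_REGISTERED ("There are no more endpoints available from the endpoint mapper"): the File Replication Service has not registered an RPC endpoint on the target, which is what you see when that service is not running, and is the normal state on a domain whose SYSVOL is replicated by DFSR. Instead of guessing, the script below, an added example that is not part of the thread, reads the answer from the directory: the DFSR SYSVOL subscription object that article 2218556 points at (and its FRS counterpart) lives under each DC's computer object, Netlogon's SysvolReady flag shows whether the engine has handed SYSVOL over to Netlogon, and the DFS Replication event log shows whether a DC is still waiting for initial replication (event 4614). It assumes the RSAT ActiveDirectory module, Domain Admin rights, and WinRM reachable on each DC; the cmdlets, object classes, registry path and event IDs are real, the report layout is my own.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on a domain member
# with the RSAT ActiveDirectory module, as a Domain Admin, with WinRM reachable on each DC.
# Read-only: it classifies each DC, it does not perform any of the KB restore steps.
Import-Module ActiveDirectory

# Domain-wide view: dfsrmig reports the FRS -> DFSR migration state.
# 'Start' = SYSVOL still on FRS, 'Eliminated' = SYSVOL on DFSR only.
$globalState = try { (& dfsrmig.exe /getglobalstate 2>&1) -join ' ' } catch { "dfsrmig unavailable: $_" }
Write-Host "dfsrmig: $globalState"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    $dcDN = $dc.ComputerObjectDN

    # Per-DC view: each engine publishes its SYSVOL subscription under the DC's computer object.
    #   DFSR: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,<dcDN>
    #   FRS : CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,<dcDN>
    # Searching by objectClass finds them wherever ADSI Edit would show them.
    $dfsrSub = Get-ADObject -LDAPFilter '(objectClass=msDFSR-Subscription)' -SearchBase $dcDN -ErrorAction SilentlyContinue
    $frsSub  = Get-ADObject -LDAPFilter '(objectClass=nTFRSSubscriber)'     -SearchBase $dcDN -ErrorAction SilentlyContinue
    $engine  = if ($dfsrSub) { 'DFSR' } elseif ($frsSub) { 'FRS' } else { 'none found' }

    # Netlogon creates the NETLOGON share only after the replication engine sets SysvolReady = 1.
    $sysvolReady = Invoke-Command -ComputerName $name -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
            -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
    }

    # Latest DFSR SYSVOL initialization event: 4614 = initialized but waiting for initial
    # replication (the state KB 2218556 covers); 4604 / 4602 / 4612 = SYSVOL initialized and shared.
    $lastEvent = Get-WinEvent -ComputerName $name -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4604, 4614, 4602, 4612 }
    $lastEventText = if ($lastEvent) { "$($lastEvent.Id) at $($lastEvent.TimeCreated)" } else { 'none' }

    [pscustomobject]@{
        DC            = $name
        SysvolEngine  = $engine
        SysvolReady   = $sysvolReady
        LastDfsrEvent = $lastEventText
        SYSVOL        = Test-Path "\\$name\SYSVOL"    # the shares dcdiag's NetLogons test expects
        NETLOGON      = Test-Path "\\$name\NETLOGON"
    }
}

$report | Format-Table -AutoSize
```

A DC reporting SysvolEngine DFSR, SysvolReady 0, last event 4614 and neither share has never completed initial SYSVOL replication from a partner; that is the state in which Netlogon withholds NETLOGON and the DNS server keeps logging that it is waiting for AD DS initial synchronization. A DC with the shares present, an FRS subscription and no DFSR events is still on FRS, and the first article applies. The authoritative and non-authoritative restore steps in either article should only be run once the engine is known, since they are different procedures for each.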
  • The simplest solution may be to demote, reboot, promote it again.

    Regards, Dave Patrick ....

    Wednesday, January 29, 2020 1:30 PM
  • Dear Dave, I just did what you recommended: demoted the new server and rebooted.

    Just to make sure this would be a new "instance", I removed it from the domain and renamed it as well.

    Now after the reboot I cannot attach it to the domain, because it says there is no domain controller available responsible for that domain.

    From any other workstation we can log on - and not just with cached credentials.

    Do you have any idea what to do? I am about to rebuild the whole domain from the beginning...

    Maybe I can somehow export users/groups and import to the new domain?

    Thank you,

    Norbert

    Wednesday, January 29, 2020 2:24 PM
  • Seems a little drastic but please run;
    • Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt

      then put the unzipped text files up on OneDrive and share a link.

    Regards, Dave Patrick ....

    Wednesday, January 29, 2020 2:27 PM