Hello,
I am still new in the administration area and currently face an unsolvable problem. If there are any questions, please just ask and do not just write technical terms, because I'm not quite so fit.
About my problem:
Currently a Windows Server 2012 is used as DC for AD and is currently the only server that runs the AD (still to be changed). The clients are Windows 10 21H2 or 22H2.
From one day to the next the domain was no longer accessible to add new users or join computers the domain. I can see all old entries in users, but cannot add a new one.
LDAP is still working and can be used by the current clients and websites for authentication.
Extra information for the dcdiag command, in the past there were up to 3 DC which are either unreachable or disabled.
Here is a link to the dcdiag command: https://justpaste.it/5v5zk
The first guess was after some searching, the DNS is broken.
Here is the information:
- There is only one forward lookup domain for the AD
- DNS is running stable
- Dcdiag says that SOA Entry is missing, but it is there.
- The server has entered itself as DNS
- Only ipv4
Ping to own server pdm.sam.company.de works fine.
Translated with www.DeepL.com/Translator (free version)Nslookup to pdm.sam.company.de gives the ip address back from our webserver (extern hosted + extern dns) with the name pdm.sam.company.de.company.de that’s completely wrong.
But nslookup to pdm.sam.company.de. works fine without problems.
And the clients in your network can make nslookup to pdm.sam.company.de (without root) and works fine. Only the server itself has that problem.
The errors which I get if I want to add a new computer or user:
-> The specified domain either does not exist or could not be contacted.
-> Windows cannot verify that user name is unique because the following error occured while contacting the global catalog.
-> Windows cannot create the object <username> because: The directory service has exhausted the pool of relative identifiers.
And here some new errors from the event view:
- SRMSVC Event 12344,
-> File Server Resource Manager finished syncing claims from Active Directory and encountered errors during the sync (0x8007054b, The specified domain either does not exist or could not be contacted.).
- GroupPolicy Event 1054,
-> The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
- ActiveDirectory_DomainService Event 2092,
-> This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. Operations which require contacting a FSMO operation master will fail until this condition is corrected. FSMO Role: CN=RID Manager$,CN=System,DC=sam,DC=company,DC=de
And I also got sometimes the error message the global catalog is missing.
Most of the answers which I read in the last weeks, say the problem is the DNS but I tried many things, rebuild both zones: sam.company.de and _msdcs.sam.company.de, started and stopped netlogon, flushed and registereddns with ipconfig.
It would be really nice if someone had that problem or maybe knows there to search because I have no idea anymore and sorry for my English.
Jonas
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 85%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
