Trust relationship between workstation primary domain failed after moving dc/gc to 2019 from 2012

Sunith 81 Reputation points
2023-02-11T07:37:01.3166667+00:00

Domain Name: ka.dn.com

All users can login using "ka\username"

Moved DC from Windows 2012 to 2019 | Demoted the 2012 to become a secondary DNS | Moved all FSMO roles to new DC

Checked all settings from the client side and everything points to the new server, DHCP, DNS etc.

After restarting the client, we get the message "the trust relationship is broken..."

How can we correct this?

When adding a device to the domain, we could use the domain "KA" with the admin account "KA\Administrator";

however, after moving the DC we get "target account name is incorrect"

and we need to enter the FQDN "ka.dn.com\Administrator".

How can we correct this?


20 answers

  1. Dave Patrick 426.4K Reputation points MVP
    2023-02-11T14:33:55.2+00:00

    Please run:

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log (run on PDC emulator)
    repadmin /showrepl >C:\repl.txt (run on any domain controller)
    ipconfig /all > C:\%computername%.txt (run on EVERY domain controller)
    ipconfig /all > C:\problemworkstation.txt (run on problem pc)

    Also check the domain controller System and Replication (DFS or FRS) event logs for errors since last boot. Post the Event Source and Event IDs of any found. (no evtx files)

    Then put the unzipped text files up on OneDrive and share a link.

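    As an added example (not from the original thread and not Dave's own script), the collection above done in one pass from a management host: dcdiag on the PDC emulator, repadmin, ipconfig on every DC and on the problem workstation, and the Critical/Error events since each DC's last boot from the System, Directory Service and SYSVOL replication logs, summarised as Event Source / Event ID / count, which is the form the reply asks for instead of .evtx files. It assumes Domain Admin rights, the RSAT ActiveDirectory module, WinRM reachable on the DCs, and the hypothetical names C:\ADdiag and PROBLEMPC. Note that the cmd.exe variable %computername% in the dcdiag line does not expand in PowerShell; $env:COMPUTERNAME is used instead.

```powershell
# Added example, not part of the original thread. Collects the diagnostics
# requested above from all DCs plus the problem workstation.
# Assumptions: Domain Admin, RSAT ActiveDirectory module, WinRM reachable.
# C:\ADdiag and PROBLEMPC are hypothetical names; change them to suit.
Import-Module ActiveDirectory

$OutDir      = 'C:\ADdiag'
$Workstation = 'PROBLEMPC'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                      # FQDN of the PDC emulator
$dcs    = (Get-ADDomainController -Filter *).HostName

# dcdiag /v /c /d /e on the PDC emulator. %computername% is a cmd.exe
# variable and does not expand in PowerShell, hence $env:COMPUTERNAME.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    dcdiag /v /c /d /e /s:$env:COMPUTERNAME
} | Out-File -FilePath (Join-Path $OutDir 'dcdiag.log') -Encoding utf8

# repadmin /showrepl can run on any DC; the PDC emulator is as good as any.
Invoke-Command -ComputerName $pdc -ScriptBlock { repadmin /showrepl } |
    Out-File -FilePath (Join-Path $OutDir 'repl.txt') -Encoding utf8

# ipconfig /all from the problem workstation.
Invoke-Command -ComputerName $Workstation -ScriptBlock { ipconfig /all } |
    Out-File -FilePath (Join-Path $OutDir 'problemworkstation.txt') -Encoding utf8

foreach ($dc in $dcs) {
    $short = ($dc -split '\.')[0]

    # ipconfig /all from EVERY domain controller.
    Invoke-Command -ComputerName $dc -ScriptBlock { ipconfig /all } |
        Out-File -FilePath (Join-Path $OutDir "$short.ipconfig.txt") -Encoding utf8

    # Critical (1) and Error (2) events since last boot from the logs that
    # matter on a DC: System, Directory Service, and the SYSVOL replication
    # engine log (DFS Replication on DFSR domains, File Replication Service
    # on FRS domains). A log that does not exist on a DC is simply skipped.
    $events = Invoke-Command -ComputerName $dc -ScriptBlock {
        $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
        foreach ($log in 'System', 'Directory Service', 'DFS Replication', 'File Replication Service') {
            Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $boot } `
                         -ErrorAction SilentlyContinue
        }
    }

    # Summarise as Source / Event ID / count rather than shipping .evtx files.
    $events |
        Group-Object -Property ProviderName, Id |
        ForEach-Object {
            [pscustomobject]@{
                Source  = $_.Group[0].ProviderName
                EventID = $_.Group[0].Id
                Count   = $_.Count
                Last    = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
            }
        } |
        Sort-Object Count -Descending |
        Format-Table -AutoSize |
        Out-File -FilePath (Join-Path $OutDir "$short.events.txt") -Encoding utf8
}

"Diagnostics written to $OutDir; upload the .txt and .log files from there."
```

    The event summary is the part worth reading first: a DC that has been cut off from its replication partners or from DNS usually announces it there (Netlogon, NTDS Replication, DFSR or NtFrs sources) long before dcdiag is run.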

  2. Sunith 81 Reputation points
    2023-02-12T04:15:30.08+00:00

  3. Sunith 81 Reputation points
    2023-02-12T12:58:07.4933333+00:00

    Ran the dcdiag /test:dns /DnsRecordRegistration

    Please see below:

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = RLBDC01
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\RLBDC01
          Starting test: Connectivity
             An error that is usually temporary occurred during DNS host lookup.
             Please try again later.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... RLBDC01 failed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\RLBDC01
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... RLBDC01 passed test DNS

       Running partition tests on : DomainDnsZones
       Running partition tests on : ForestDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : ae

       Running enterprise tests on : ae.rlb.com
          Starting test: DNS
             Test results for domain controllers:

                DC: RLBDC01.ae.rlb.com
                Domain: ae.rlb.com

                   TEST: Basic (Basc)
                      Error: No LDAP connectivity
                      No host records (A or AAAA) were found for this DC

                   TEST: Records registration (RReg)
                      Network Adapter
                      [00000005] Microsoft Network Adapter Multiplexor Driver:
                         Warning:
                         Missing CNAME record at DNS server 192.168.36.23:
                         1432f1b1-0975-4697-9198-f7369fbfda51._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.405d4522-e371-440f-a718-f5c7246129ec.domains._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _kerberos._tcp.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.gc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.pdc._msdcs.ae.rlb.com

                         Warning:
                         Missing CNAME record at DNS server 192.168.36.23:
                         1432f1b1-0975-4697-9198-f7369fbfda51._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.405d4522-e371-440f-a718-f5c7246129ec.domains._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _kerberos._tcp.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.gc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ae.rlb.com

                         Error:
                         Missing SRV record at DNS server 192.168.36.23:
                         _ldap._tcp.pdc._msdcs.ae.rlb.com

                   Error: Record registrations cannot be found for all the network
                   adapters

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: ae.rlb.com
                   RLBDC01                      PASS FAIL n/a  n/a  n/a  FAIL n/a

             ......................... ae.rlb.com failed test DNS

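    The records dcdiag lists as missing above are the DC locator set that Netlogon registers: clients find a KDC and an LDAP server for the domain through the _kerberos and _ldap SRV records under _msdcs, and the GUID CNAME is how replication partners find the DC by its DSA GUID. Until those exist on the DNS server the clients use, DNS-based DC location fails. As an added example (not from the original thread and not the poster's script), the following PowerShell check rebuilds the same expected record set from the directory itself, queries the DNS server named in the output for each one, reports what is missing or points at another host, and can re-register them. It assumes it runs on the DC in question (RLBDC01 in the output) as a Domain Admin with the RSAT ActiveDirectory and DnsClient modules; the 192.168.36.23 address is taken from the posted output and the $Fix variable is a hypothetical switch.

```powershell
# Added example, not part of the original thread. Verifies the DC locator
# records dcdiag reported missing on 192.168.36.23 and optionally re-registers
# them. Assumptions: run on the DC itself as a Domain Admin; RSAT ActiveDirectory
# and DnsClient modules present. $DnsServer comes from the posted dcdiag output.
Import-Module ActiveDirectory

$DnsServer = '192.168.36.23'
$Fix       = $false             # set to $true to re-register after the check

$dc      = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain  = Get-ADDomain
$forest  = Get-ADForest
$dnsRoot = $domain.DNSRoot      # domain records live under _msdcs.<domain>
$frRoot  = $forest.RootDomain   # gc, domain-GUID and DSA-GUID records live under _msdcs.<forest root>
$site    = $dc.Site
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID  # the CNAME name
$domGuid = $domain.ObjectGUID

# The set Netlogon registers and dcdiag /DnsRecordRegistration walks.
$expected = @(
    @{ Type = 'A';     Name = $dc.HostName }
    @{ Type = 'CNAME'; Name = "$dsaGuid._msdcs.$frRoot" }
    @{ Type = 'SRV';   Name = "_ldap._tcp.$domGuid.domains._msdcs.$frRoot" }
    @{ Type = 'SRV';   Name = "_kerberos._tcp.dc._msdcs.$dnsRoot" }
    @{ Type = 'SRV';   Name = "_ldap._tcp.dc._msdcs.$dnsRoot" }
    @{ Type = 'SRV';   Name = "_kerberos._tcp.$site._sites.dc._msdcs.$dnsRoot" }
    @{ Type = 'SRV';   Name = "_ldap._tcp.$site._sites.dc._msdcs.$dnsRoot" }
    @{ Type = 'SRV';   Name = "_ldap._tcp.gc._msdcs.$frRoot" }
    @{ Type = 'SRV';   Name = "_ldap._tcp.$site._sites.gc._msdcs.$frRoot" }
    @{ Type = 'SRV';   Name = "_ldap._tcp.pdc._msdcs.$dnsRoot" }
)

$problems = foreach ($r in $expected) {
    try {
        # -DnsOnly bypasses the local cache, hosts file and LLMNR so the
        # answer reflects what that DNS server actually holds.
        $ans = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $DnsServer -DnsOnly -ErrorAction Stop
        $ok = switch ($r.Type) {
            'A'     { $ans.IPAddress  -contains $dc.IPv4Address }   # A must carry this DC's address
            'CNAME' { $ans.NameHost   -contains $dc.HostName }      # CNAME must alias this DC
            'SRV'   { $ans.NameTarget -contains $dc.HostName }      # SRV set must include this DC
        }
        if (-not $ok) { "$($r.Type) $($r.Name): present but does not point at $($dc.HostName)" }
    } catch {
        "$($r.Type) $($r.Name): MISSING on $DnsServer"
    }
}

if (-not $problems) { "All locator records for $($dc.HostName) are present on $DnsServer"; return }
$problems

# Netlogon registers only into the DNS servers this DC's own NIC points at, so a
# DC still pointing at a decommissioned server never gets its records created.
"DNS servers configured on this DC:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

if ($Fix) {
    ipconfig /registerdns | Out-Null   # host (A/AAAA) records
    nltest /dsregdns     | Out-Null    # the SRV/CNAME locator set
    Restart-Service -Name Netlogon     # forces a full re-registration pass
    Start-Sleep -Seconds 15
    nltest /dsgetdc:$dnsRoot /force    # the locator must now return this DC
}
```

    If a record is still missing after re-registration, check that the zone on that DNS server allows dynamic updates and that the DC is allowed to write to it; the full list Netlogon attempts is in %SystemRoot%\System32\config\netlogon.dns on the DC and can be diffed against the zone.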

  4. Dave Patrick 426.4K Reputation points MVP
    2023-02-12T13:58:00.55+00:00

    All tests seem to have failed. I'd check the system event logs on all domain controllers for clues.

    Some logs I saw indicate that tombstone life has been exceeded which means that one will need to be removed from active directory and rebuilt.

    Clean up Active Directory Domain Controller server metadata

    Step-By-Step: Manually Removing A Domain Controller Server

    Also confirm that older FRS was migrated to DFSR as this is required.

    The two prerequisites to introducing the first 2019 or 2022 domain controller are that the domain functional level needs to be 2008 or higher and the older SYSVOL FRS replication needs to have been migrated to DFSR.

    I'd use the dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it, also making it a GC (recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), use dcdiag / repadmin tools to again verify health, and when all is good you can decommission / demote the old one.

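    As an added example (not from the original thread and not Dave's own script), a PowerShell report that checks the prerequisites and warning signs named in the reply above before anything else is changed: domain functional level, SYSVOL FRS-to-DFSR migration state, tombstone lifetime against the last successful replication with each partner, and server objects under Sites and Services that still carry an NTDS Settings object but no longer answer LDAP, which are the candidates for the metadata cleanup the linked articles describe. It assumes it runs on the remaining DC as a Domain Admin with the RSAT ActiveDirectory module, and it only reports; nothing is deleted.

```powershell
# Added example, not part of the original thread. Reports the prerequisites and
# warning signs from the reply above. Assumptions: run on the remaining DC as a
# Domain Admin with the RSAT ActiveDirectory module. Read-only; deletes nothing.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Domain functional level must be Windows Server 2008 or higher.
$dfl = $domain.DomainMode
$ok  = [int]$dfl -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
"[{0}] Domain functional level: {1}" -f $(if ($ok) { 'OK' } else { 'FAIL' }), $dfl

# 2. SYSVOL must already replicate with DFSR. dfsrmig reports 'Eliminated'
#    once the FRS -> DFSR migration has completed.
$mig = ((dfsrmig /getglobalstate 2>&1) -join ' ').Trim()
$ok  = $mig -match 'Eliminated'
"[{0}] SYSVOL migration: {1}" -f $(if ($ok) { 'OK' } else { 'FAIL' }), $mig

# 3. Tombstone lifetime vs. replication. A partner that has not replicated for
#    longer than tombstoneLifetime must be removed and rebuilt, not repaired.
$dsDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl  = (Get-ADObject -Identity $dsDN -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute unset means the old default of 60 days
"Tombstone lifetime: $tsl days"
$partners = @(Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition * `
              -PartnerType Both -ErrorAction SilentlyContinue)
if (-not $partners) { "No replication partners found: this DC is currently alone." }
foreach ($p in $partners) {
    $age = (Get-Date) - $p.LastReplicationSuccess
    $tag = if ($age.TotalDays -gt $tsl)            { 'FAIL' }
           elseif ($p.LastReplicationResult -ne 0) { 'WARN' }
           else                                    { 'OK' }
    "[{0}] {1} <- {2}: last success {3:N0} days ago, last result {4}" -f `
        $tag, $p.Partition, $p.Partner, $age.TotalDays, $p.LastReplicationResult
}

# 4. Server objects under Sites that still have NTDS Settings but do not answer
#    LDAP are leftovers of DCs that were not demoted cleanly. Those are what the
#    metadata-cleanup steps remove (ntdsutil, or deleting the NTDS Settings
#    object in AD Sites and Services). A server object with no NTDS Settings is
#    just the empty shell a clean demotion leaves behind.
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' -Properties dNSHostName |
    ForEach-Object {
        $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                             -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
        if (-not $ntds) {
            "[OK]   $($_.Name): server object only, no NTDS Settings (cleanly demoted)"
            return   # next server object
        }
        $alive = $_.dNSHostName -and (Test-NetConnection -ComputerName $_.dNSHostName -Port 389 `
                                          -InformationLevel Quiet -WarningAction SilentlyContinue)
        if ($alive) { "[OK]   $($_.Name): live DC" }
        else        { "[FAIL] $($_.Name): NTDS Settings present but LDAP unreachable; metadata cleanup candidate: $($ntds.DistinguishedName)" }
    }
```

    A FAIL in section 3 or 4 is the case the reply describes: the stale DC must be removed from the directory (metadata cleanup) and, if it is to come back, rebuilt and promoted afresh rather than simply powered on again, since a DC past tombstone lifetime would reintroduce objects the rest of the directory has already deleted.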

  5. Sunith 81 Reputation points
    2023-02-12T15:03:22.99+00:00

    Thanks Dave

    The old DCs are demoted and offline. At this point in time we only have 1 DC.

    Or else I may need to promote and activate the offline DCs.

    Is there a way to correct this without the old dc? What would be best to do?
