This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 86%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hi, Can you help me figure out what is causing this error:
Add-Computer -Credential $Cred -Server "dc03.contoso.com" -DomainName numerix.com -Force
This operation is only allowed from the Primary Domain Controller of the domain
Or like this: DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "contoso.com":
The query was for the SRV record for _ldap._tcp.dc._msdcs.contoso.com when I try to add the device to the domain.
The fact is that there are three domain controllers. Network traffic is open between them and replication is successful. The host is on the same network as DC03, but the network between DC01, DC02 and Host is isolated.
All FQDN roles on DC01.
I don't understand why there is a dependency on the PDC if the computer is added to the domain or re-added. If I allow traffic to DC01, DC02 - no problem. I also tried resetting the secure channel between for DC03, but that didn't work. Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
You'll just need access to a writeable domain controller to do a domain join.
--please don't forget to upvote and Accept as answer if the reply is helpful--
DC03 - is no read-only controller. If I allow traffic to DC01, DC02 - no problem. I also tried resetting the secure channel between for DC03, but that didn't work.
Ok, I guess I'm not sure what problem you're trying to solve? domain join issue? or is it an orphaned DC issue?
I'm trying to add a regular computer (HOST01) to a domain. With the condition that the computer is on the same network as the DC03 domain controller and has direct access to this controller. But the same computer does not have access to DC01 (FSMO), DC02.
In theory, DC03 is enough to add a computer to the domain. However, I am getting errors. And as soon as I allow traffic from Computer (HOST01) to DC01 DC02, the addition is successful.
I don't understand why the computer (HOST01) I want to add , needs DC01 and DC02. Why can't he be added via DC03 which is completely open to him.
Even Ping contoso.com returns the IP address of DC03. Thank you for your participation!
Does this work or same result?
Add-Computer -DomainName domain.com -Credential domain\administrator
Yes The query was for the SRV record for _ldap._tcp.dc._msdcs.contoso.com
And if Add-Computer -Credential $Cred -Server "dc03.contoso.com" -DomainName numerix.com
This operation is only allowed from the Primary Domain Controller of the domain
Interesting fact: if i do Get-ADDomainController
on DC01, DC02 - the command returns information on DC01 for DC01 and also on DC02 - returns information about DC02.
But if I execute on DC03, information about DC01 (not DC03) is returned, I need to specifically target DC03 to get the information.
Same with nltest /DSGETDC:CONTOSO.COM
DC03 returns information about DC01
Yes, the same error:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "contoso.com":
And if Add-Computer -Credential $Cred -Server "dc03.contoso.com" -DomainName numerix.com -Force
This operation is only allowed from the Primary Domain Controller of the domain
Might check for incorrect DNS records, check the domain controller has checkbox for register this connection....... on connection properties and that it has own static ip address listed for DNS, then also do net stop netlogon, net stop DNS, ipconfig /flushdns, net start dns, net start netlogon, ipconfig /registerdns
Sorry: what do you mean? "check the domain controller has checkbox for register this connection....... on connection properties,"
Yes, enabled. But I don`t understend how can it fix the problem.
Another option may be to demote, reboot, promo it again.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Unfortunately, I can no longer deal with this issue. There is even a possibility that there was some old controller on the network with the same IP address as DC03. Which was forcibly removed from the domain. In general, unfortunately I can not yet check anything. Thanks for the help.
Ok, sounds good.