Based on your description it sounds like there is an issue with the replication between the primary and secondary domain controllers. When the primary domain controller is shut down, the secondary domain controller should be able to authenticate users.
To troubleshoot this issue, I would recommend checking the health of the domain controllers via Azure AD Connect Health.
If you have not already enabled Azure AD Connect Health, you can follow the steps in this article to connect Azure AD Connect Health to your on-premises infrastructure: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-alert-catalog
Once you have connected Azure AD Connect Health, you can check the health of your domain controllers by going to Azure AD Connect Health > Domain Controllers dashboard. If there are any issues, you should see them listed here.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
Then you can check the Replication status dashboard and drill in to see errors related to replication:
In addition, please ensure that the DNS server has the right IP address of itself populated for all zones and records via nslookup. https://techdirectarchive.com/2020/07/28/how-to-fix-nslookup-unknown-cannot-find-non-existent-domain/
Also, ensure that Windows Hello for Business has a trust established between the Active Directory and Azure AD. You need to establish trust by establishing a Hybrid Azure AD Joined trust. https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join
If there are no issues with your domain controllers, we can check the event logs on the secondary domain controller to see if there are any errors related to authentication.
You can also try to manually force replication between the primary and secondary domain controllers by following these steps:
- Open a command prompt on the secondary domain controller.
- Type "repadmin /syncall" and press Enter.
- Wait for the replication to complete.
If none of these steps resolve the issue, it might be necessary to transfer the FSMO roles to the secondary domain controller. You can follow the steps in this article to transfer the FSMO roles: https://support.microsoft.com/kb/255504
Other variables that can cause this issue are problems with network connectivity and GPO settings.
Let me know if this helps or if you need further assistance.
Additional resource: https://learn.microsoft.com/en-us/answers/questions/482526/cannot-login-to-domain-controller-because-domain-i
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
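As an added example (not part of the answer above), the following PowerShell script runs the checks the answer walks through in one pass on the secondary domain controller: replication failures and partner metadata, DNS self-resolution, FSMO role holders, and recent errors in the logs that carry replication, DNS and authentication faults. It assumes the RSAT ActiveDirectory module is installed, that it runs with domain admin rights, and that the DC names are placeholders you replace with your own.

```powershell
# Added diagnostic script, not from the original answer. Assumes the RSAT
# ActiveDirectory and DnsClient modules are available and that it runs as a
# domain admin on the secondary DC. Host names below are placeholders.
param(
    [string]$SecondaryDc = $env:COMPUTERNAME,   # the DC that should keep authenticating
    [string]$PrimaryDc   = 'DC01.corp.example'  # placeholder: the DC that gets shut down
)
Import-Module ActiveDirectory

# 1. Replication health as seen from the secondary DC: failures and last successful
#    sync per partner and partition (same data the Replication status dashboard shows).
Write-Host "== Replication failures reported by $SecondaryDc =="
Get-ADReplicationFailure -Target $SecondaryDc -Scope Server |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

Write-Host "== Replication partner metadata for $SecondaryDc =="
Get-ADReplicationPartnerMetadata -Target $SecondaryDc -Scope Server |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 2. DNS: the secondary DC must resolve its own A record and the domain's DC locator
#    SRV record using its own DNS service, otherwise clients cannot find it for logon.
$domain = (Get-ADDomain).DNSRoot
Write-Host "== DNS self-check against $SecondaryDc =="
Resolve-DnsName -Name $SecondaryDc -Type A -Server $SecondaryDc -ErrorAction Continue
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $SecondaryDc -ErrorAction Continue

# 3. FSMO role holders: shows whether every role sits on the DC that is being shut down
#    (relevant before deciding on the role transfer the answer mentions as a last step).
Write-Host "== FSMO role holders =="
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 4. Critical and error events from the last 24 hours on the secondary DC.
$since = (Get-Date).AddHours(-24)
foreach ($log in 'Directory Service', 'DNS Server', 'System') {
    Write-Host "== Errors in '$log' on $SecondaryDc since $since =="
    Get-WinEvent -ComputerName $SecondaryDc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since } |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Format-Table -Wrap -AutoSize
}

# 5. Only after reviewing the output above: force replication of all partitions from
#    this DC to its partners (the answer's repadmin step, with push and all-partition flags).
# repadmin /syncall $SecondaryDc /AdeP
```

Run it while the primary DC is still online, then again after it is shut down; the difference between the two outputs usually points at the partition, partner or DNS record that is failing.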