
Users cannot sign in with domain credentials.

Noyon Chandra Das 336 Reputation points
Apr 22, 2023, 2:56 PM

We have one primary domain controller and one secondary domain controller. The FSMO roles are held by the primary domain controller. When we create a new user on the primary domain controller, the user is also replicated to the secondary domain controller. But the issue is that when we shut down the primary domain controller, we cannot log in to a user's computer with the user's domain credentials. The errors below are shown.

Microsoft Entra

1 answer

  1. Marilee Turscak-MSFT 37,056 Reputation points Microsoft Employee
    Apr 25, 2023, 8:48 PM

    @Noyon Chandra Das ,

    Based on your description it sounds like there is an issue with the replication between the primary and secondary domain controllers. When the primary domain controller is shut down, the secondary domain controller should be able to authenticate users.

    To troubleshoot this issue, I would recommend checking the health of the domain controllers via Azure AD Connect Health.

    If you have not already enabled Azure AD Connect Health, you can follow the steps in this article to connect Azure AD Connect Health to your on-premises infrastructure: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-alert-catalog

    Once you have connected Azure AD Connect Health, you can check the health of your domain controllers by going to Azure AD Connect Health > Domain Controllers dashboard. If there are any issues, you should see them listed here.


    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

    Then you can check the Replication status dashboard and drill in to see errors related to replication:


    In addition, please ensure that the DNS server has the right IP address of itself populated for all zones and records via nslookup. https://techdirectarchive.com/2020/07/28/how-to-fix-nslookup-unknown-cannot-find-non-existent-domain/

    Also, ensure that Windows Hello for Business has a trust established between the Active Directory and Azure AD. You need to establish trust by establishing a Hybrid Azure AD Joined trust. https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join

    If there are no issues with your domain controllers, we can check the event logs on the secondary domain controller to see if there are any errors related to authentication.

    You can also try to manually force replication between the primary and secondary domain controllers by following these steps:

    1. Open a command prompt on the secondary domain controller.
    2. Type "repadmin /syncall" and press Enter.
    3. Wait for the replication to complete.

    If none of these steps resolve the issue, it might be necessary to transfer the FSMO roles to the secondary domain controller. You can follow the steps in this article to transfer the FSMO roles: https://support.microsoft.com/kb/255504

    Other variables that can cause this issue are problems with network connectivity and GPO settings.

    Let me know if this helps or if you need further assistance.

    Additional resource: https://learn.microsoft.com/en-us/answers/questions/482526/cannot-login-to-domain-controller-because-domain-i

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

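As an added example (not part of the question or of the answer above), the following PowerShell script runs the checks the answer describes from an admin workstation or the secondary DC: FSMO placement, replication partner state, the DNS SRV records clients use to find a DC, the client's own DNS server list, and recent Netlogon/KDC errors on the secondary DC. The domain name corp.example.com and the DC name DC02 are assumed placeholders, and the RSAT ActiveDirectory module must be installed.

```powershell
# Added troubleshooting script; names below are assumptions, replace with your own.
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'   # assumed domain name
$SecondaryDC = 'DC02'               # assumed name of the secondary DC

# 1. Which DC holds the FSMO roles, and which DCs exist in the domain?
Get-ADDomain -Identity $Domain |
    Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomainController -Filter * -Server $Domain |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles

# 2. Replication state of the secondary DC (same data as repadmin /showrepl).
#    A non-zero LastReplicationResult or growing failure count is the problem.
Get-ADReplicationPartnerMetadata -Target $SecondaryDC -PartnerType Both |
    Select-Object Server, Partner, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target $SecondaryDC

# 3. DNS: once the primary DC is off, clients locate a DC through these SRV
#    records, so the secondary DC must be listed here.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# 4. The client itself must have a DNS server that is still up; a machine
#    whose only DNS server is the primary DC cannot find DC02 after shutdown.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 5. In a multi-domain forest a logon needs a reachable Global Catalog,
#    so check whether the secondary DC holds that role.
(Get-ADDomainController -Identity $SecondaryDC).IsGlobalCatalog

# 6. Netlogon and KDC warnings/errors on the secondary DC from the last day.
Get-WinEvent -ComputerName $SecondaryDC -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON', 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Level        = 1, 2, 3
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 20
```

Run it with the primary DC still online first to get a baseline, then again after shutting it down; the step that changes from healthy to failing points at the cause.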
