Hello,
I have a problem with my domain controller (Windows Server 2019).
Before, I had a problem with synchronization between two domain controllers, WS2019=WS2012.
I removed the old domain controller (WS2012) and now I have only one.
When I tried to add a computer to the domain, I got this:
The domain controller and this computer are in the same network.
They can ping each other and DNS on the computer is set to the DC.
When I run dcdiag on the DC, almost all services pass.
On DFSREvent I got:
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
On SystemLog I have this:
An error event occurred. EventID: 0x0000272C
Time Generated: 06/13/2023 13:37:25
Event String:
DCOM was unable to communicate with the computer 172.0.0.1 using any of the configured protocols; requested by PID 820 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 06/13/2023 13:38:22
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID 820 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 06/13/2023 13:38:32
Event String:
DCOM was unable to communicate with the computer 172.0.0.1 using any of the configured protocols; requested by PID 21a0 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 06/13/2023 13:38:43
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 820 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
And
An error event occurred. EventID: 0x80000025
Time Generated: 06/13/2023 13:50:02
Event String:
The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.
An error event occurred. EventID: 0x40000004
Time Generated: 06/13/2023 13:59:57
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ad$. The target name used was cifs/AD. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (contoso.LOCAL) is different from the client domain (contoso.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
In Event Viewer I got this:
The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.
Ticket PAC constructed by: SRV-OLD
Client: CONTOSO.LOCAL\\a.smith
Ticket for: krbtgt
Where SRV-OLD is my old DC (WS2012), and it's not in the domain.
When I deleted SRV-OLD as DC I cleaned up all metadata.
Does anyone have some ideas on how to fix it?
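
dcdiag prints event identifiers in hex, so the SystemLog entries quoted in the post above do not match the IDs shown in Event Viewer at first glance. As an added example (not part of the original post), this Python code parses output in that format, keeps the low 16 bits of each identifier (the ID Event Viewer displays) and lists the hosts named in the DCOM errors; the sample text is constructed from the post's events and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the dcdiag SystemLog format, shortened from the post's events.
SAMPLE = """\
An error event occurred. EventID: 0x0000272C
Time Generated: 06/13/2023 13:37:25
Event String:
DCOM was unable to communicate with the computer 172.0.0.1 using any of the configured protocols.
An error event occurred. EventID: 0x0000272C
Time Generated: 06/13/2023 13:38:22
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols.
An error event occurred. EventID: 0x80000025
Time Generated: 06/13/2023 13:50:02
Event String:
The Key Distribution Center (KDC) encountered a ticket that did not contain
information about the account that requested the ticket.
An error event occurred. EventID: 0x40000004
Time Generated: 06/13/2023 13:59:57
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ad$.
"""

HEADER = re.compile(r"An? (?:error|warning) event occurred\.\s+EventID: (0x[0-9A-F]{8})", re.I)
DCOM_TARGET = re.compile(r"communicate with the computer (\S+) using")

def parse_events(text):
    """Split dcdiag SystemLog output into one dict per event."""
    events, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.search(line)
        if m:
            # Event Viewer shows only the low 16 bits of the identifier.
            current = {"raw": m.group(1), "event_id": int(m.group(1), 16) & 0xFFFF,
                       "time": None, "text": ""}
            events.append(current)
        elif current is None or line == "Event String:":
            continue
        elif line.startswith("Time Generated:"):
            current["time"] = line.split(":", 1)[1].strip()
        else:  # event strings may wrap over several lines
            current["text"] = (current["text"] + " " + line).strip()
    return events

def summarize(events):
    """Count events per Event Viewer ID and collect hosts named in DCOM errors."""
    counts = Counter(ev["event_id"] for ev in events)
    hits = (DCOM_TARGET.search(ev["text"]) for ev in events)
    return dict(counts), sorted({m.group(1) for m in hits if m})

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```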