Hi,
I have a weird issue and am unsure where the problem is.
The scenario is I have 3 servers, Server A, Server B, and Server C, which I'm trying to join to the domain and promote as a DC. The replication DC for Server C is Server B.
Server A - dc-gcc-addc-prm.home.lab / 192.168.30.151
Server B - dc-eur-addc-snd.home.lab / 192.168.30.152
Server C - dc-eur-addc.home.lab / 192.168.30.153
The script on Server C configures the network address and timezone, then reboots, then runs the script below.
# $cred, $password, $domainName and $serverSite are set earlier in the same script (not shown here)
$sourceDC = "dc-eur-addc-snd.home.lab"
Import-Module ADDSDeployment
# Splatted parameter set for the promotion of Server C, replicating from Server B
$ADDSParams = @{
    NoGlobalCatalog               = $false
    CreateDnsDelegation           = $false
    Credential                    = $cred
    SafeModeAdministratorPassword = $password
    CriticalReplicationOnly       = $false
    DatabasePath                  = "C:\Windows\NTDS"
    DomainName                    = $domainName
    InstallDns                    = $true
    LogPath                       = "C:\Windows\NTDS"
    NoRebootOnCompletion          = $true
    SiteName                      = $serverSite
    ReplicationSourceDC           = $sourceDC
    SysvolPath                    = "C:\Windows\SYSVOL"
    Confirm                       = $false
    Force                         = $true
}
Install-ADDSDomainController @ADDSParams -ErrorAction Stop
Then I see the below error.
The operation failed because:
A domain controller could not be contacted for the domain home.lab that contained an account for this computer. Make the computer a member of a workgroup then rejoin the domain before retrying the promotion.
"Access is denied."
You must restart this computer to complete the operation.
NotSpecified: (:) [Install-ADDSDomainController], DCPromoExecutionException
134: Install-ADDSDomainController @ADDSParams -ErrorAction Stop
When the above error appears, the workgroup shown is the DOMAIN I'm trying to join, which I have to change back to WORKGROUP, then restart.
All this while the server can ping the domain (home.lab) and Server B, and interestingly, when I restart the server, it joins the domain without issues and promotes Server C without issues.
PS C:\Users\Administrator> ping home.lab
Pinging home.lab [192.168.30.152] with 32 bytes of data:
Reply from 192.168.30.152: bytes=32 time<1ms TTL=128
Reply from 192.168.30.152: bytes=32 time<1ms TTL=128
Reply from 192.168.30.152: bytes=32 time<1ms TTL=128
Reply from 192.168.30.152: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.30.152:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
PS C:\Users\Administrator> nslookup dc-eur-addc-snd.home.lab
Server: dc-eur-addc-snd.home.lab
Address: 192.168.30.152
Name: dc-eur-addc-snd.home.lab
Address: 192.168.30.152
PS C:\Users\Administrator> nslookup 192.168.30.152
Server: dc-eur-addc-snd.home.lab
Address: 192.168.30.152
Name: dc-eur-addc-snd.home.lab
Address: 192.168.30.152
PS C:\Users\Administrator> nslookup dc-eur-addc.home.lab
Server: dc-eur-addc-snd.home.lab
Address: 192.168.30.152
Name: dc-eur-addc.home.lab
Address: 192.168.30.153
PS C:\Users\Administrator> nslookup 192.168.30.153
Server: dc-eur-addc-snd.home.lab
Address: 192.168.30.152
Name: dc-eur-addc.home.lab
Address: 192.168.30.153
The point here is Server C tries to join the Domain after a restart but then fails and asks to rejoin again after a restart.
Below is dcdiag from Server A.
PS C:\Users\Administrator> dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-gcc-addc-prm
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: DC_GCC\DC-GCC-ADDC-PRM
Starting test: Connectivity
......................... DC-GCC-ADDC-PRM passed test Connectivity
Doing primary tests
Testing server: DC_GCC\DC-GCC-ADDC-PRM
Starting test: Advertising
......................... DC-GCC-ADDC-PRM passed test Advertising
Starting test: FrsEvent
......................... DC-GCC-ADDC-PRM passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... DC-GCC-ADDC-PRM failed test DFSREvent
Starting test: SysVolCheck
......................... DC-GCC-ADDC-PRM passed test SysVolCheck
Starting test: KccEvent
......................... DC-GCC-ADDC-PRM passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-GCC-ADDC-PRM passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-GCC-ADDC-PRM passed test MachineAccount
Starting test: NCSecDesc
......................... DC-GCC-ADDC-PRM passed test NCSecDesc
Starting test: NetLogons
......................... DC-GCC-ADDC-PRM passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-GCC-ADDC-PRM passed test ObjectsReplicated
Starting test: Replications
......................... DC-GCC-ADDC-PRM passed test Replications
Starting test: RidManager
......................... DC-GCC-ADDC-PRM passed test RidManager
Starting test: Services
......................... DC-GCC-ADDC-PRM passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x0000002F
Time Generated: 03/23/2024 13:25:13
Event String:
Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.30.1,0x8 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
A warning event occurred. EventID: 0x00001796
Time Generated: 03/23/2024 13:30:13
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
......................... DC-GCC-ADDC-PRM passed test SystemLog
Starting test: VerifyReferences
......................... DC-GCC-ADDC-PRM passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : home
Starting test: CheckSDRefDom
......................... home passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... home passed test CrossRefValidation
Running enterprise tests on : home.lab
Starting test: LocatorCheck
......................... home.lab passed test LocatorCheck
Starting test: Intersite
......................... home.lab passed test Intersite
Below is dcdiag from Server B.
PS C:\Users\Administrator.home> dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-eur-addc-snd
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: DC_GCC\DC-EUR-ADDC-SND
Starting test: Connectivity
......................... DC-EUR-ADDC-SND passed test Connectivity
Doing primary tests
Testing server: DC_GCC\DC-EUR-ADDC-SND
Starting test: Advertising
......................... DC-EUR-ADDC-SND passed test Advertising
Starting test: FrsEvent
......................... DC-EUR-ADDC-SND passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... DC-EUR-ADDC-SND failed test DFSREvent
Starting test: SysVolCheck
......................... DC-EUR-ADDC-SND passed test SysVolCheck
Starting test: KccEvent
......................... DC-EUR-ADDC-SND passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-EUR-ADDC-SND passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-EUR-ADDC-SND passed test MachineAccount
Starting test: NCSecDesc
......................... DC-EUR-ADDC-SND passed test NCSecDesc
Starting test: NetLogons
......................... DC-EUR-ADDC-SND passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-EUR-ADDC-SND passed test ObjectsReplicated
Starting test: Replications
......................... DC-EUR-ADDC-SND passed test Replications
Starting test: RidManager
......................... DC-EUR-ADDC-SND passed test RidManager
Starting test: Services
......................... DC-EUR-ADDC-SND passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/23/2024 13:28:12
Event String: The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x00002720
Time Generated: 03/23/2024 13:28:25
Event String:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/23/2024 13:28:32
Event String:
Name resolution for the name v10.events.data.microsoft.com timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/23/2024 13:30:25
Event String:
Name resolution for the name wdcpalt.microsoft.com timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/23/2024 13:30:44
Event String:
Name resolution for the name _ldap._tcp.dc._msdcs.home.lab. timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/23/2024 13:31:06
Event String:
Name resolution for the name v10.events.data.microsoft.com timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x00000086
Time Generated: 03/23/2024 13:31:16
Event String:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
An error event occurred. EventID: 0x0000410B
Time Generated: 03/23/2024 13:31:22
Event String:
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is
A warning event occurred. EventID: 0x0000A00A
Time Generated: 03/23/2024 13:31:22
Event String: The Security System has detected a downgrade attempt when contacting the 3-part SPN
A warning event occurred. EventID: 0x00000086
Time Generated: 03/23/2024 13:31:28
Event String:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
A warning event occurred. EventID: 0x00002720
Time Generated: 03/23/2024 13:32:31
Event String:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/23/2024 13:32:37
Event String:
Name resolution for the name settings-win.data.microsoft.com timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x0000040B
Time Generated: 03/23/2024 13:33:38
Event String:
The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.
An error event occurred. EventID: 0x0000040C
Time Generated: 03/23/2024 13:33:38
Event String:
The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.
A warning event occurred. EventID: 0x00000420
Time Generated: 03/23/2024 13:33:38
Event String:
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
A warning event occurred. EventID: 0x00002724
Time Generated: 03/23/2024 13:33:42
Event String:
This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/23/2024 13:34:00
Event String: The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/23/2024 13:34:40
Event String:
Name resolution for the name v10.events.data.microsoft.com timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x0000040B
Time Generated: 03/23/2024 13:34:41
Event String:
The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.
An error event occurred. EventID: 0x0000040C
Time Generated: 03/23/2024 13:34:41
Event String:
The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.
A warning event occurred. EventID: 0x00002724
Time Generated: 03/23/2024 13:34:45
Event String:
This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
An error event occurred. EventID: 0x00000423
Time Generated: 03/23/2024 13:34:45
Event String: The DHCP service failed to see a directory server for authorization.
An error event occurred. EventID: 0x00000423
Time Generated: 03/23/2024 13:34:45
Event String: The DHCP service failed to see a directory server for authorization.
A warning event occurred. EventID: 0x00000086
Time Generated: 03/23/2024 13:34:50
Event String:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
A warning event occurred. EventID: 0x00002720
Time Generated: 03/23/2024 13:35:00
Event String:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
A warning event occurred. EventID: 0x00000086
Time Generated: 03/23/2024 13:35:02
Event String:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
A warning event occurred. EventID: 0x0000002F
Time Generated: 03/23/2024 13:38:34
Event String:
Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.30.1,0x8 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
......................... DC-EUR-ADDC-SND failed test SystemLog
Starting test: VerifyReferences
......................... DC-EUR-ADDC-SND passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : home
Starting test: CheckSDRefDom
......................... home passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... home passed test CrossRefValidation
Running enterprise tests on : home.lab
Starting test: LocatorCheck
......................... home.lab passed test LocatorCheck
Starting test: Intersite
......................... home.lab passed test Intersite
Anything I'm missing?
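An added pre-flight check (my own code, not from the post) to run on Server C right before Install-ADDSDomainController: it confirms the DC locator SRV record resolves from the host's configured DNS servers (Server B's log shows a timeout on exactly that name), that the replication source answers on the ports promotion needs, that the machine account's secure channel is valid and which DC Netlogon actually picked, and the clock offset against the source DC. The domain and host names come from the post; the port list and the parsing of nltest and w32tm output are my assumptions.

```powershell
# Added example, not the poster's script. Run on Server C (elevated) before promotion.
param(
    [string]$DomainName          = 'home.lab',                   # from the post
    [string]$ReplicationSourceDC = 'dc-eur-addc-snd.home.lab'    # Server B, from the post
)

$results = [ordered]@{}

# 1. The DC locator record must resolve from the DNS servers this host is configured with.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
$results['SrvRecordResolves'] = ($null -ne $srv -and @($srv).Count -gt 0)
$results['SrvTargets']        = @($srv | Where-Object NameTarget | ForEach-Object NameTarget) -join ','

# 2. The replication source must be reachable on the ports promotion uses (assumed list).
foreach ($port in 53, 88, 135, 389, 445) {
    $tnc = Test-NetConnection -ComputerName $ReplicationSourceDC -Port $port -WarningAction SilentlyContinue
    $results["Tcp$port"] = $tnc.TcpTestSucceeded
}

# 3. If already domain-joined, the machine account's secure channel must be valid against
#    the source DC, and the DC Netlogon locates must be one that already has this account.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['PartOfDomain'] = $cs.PartOfDomain
if ($cs.PartOfDomain) {
    $results['SecureChannelOK'] = Test-ComputerSecureChannel -Server $ReplicationSourceDC -ErrorAction SilentlyContinue
    $dcLine = nltest /dsgetdc:$DomainName 2>$null | Select-String -Pattern 'DC:\s+(\S+)' | Select-Object -First 1
    $results['LocatedDC'] = if ($dcLine) { $dcLine.Matches[0].Groups[1].Value } else { $null }
}

# 4. Kerberos rejects skew above 5 minutes by default; both DCs in the post log NTP failures.
$results['TimeSource'] = (w32tm /query /source 2>$null)
$sample = w32tm /stripchart /computer:$ReplicationSourceDC /samples:1 /dataonly 2>$null |
          Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -First 1
$results['OffsetSeconds'] = if ($sample) { [double]$sample.Matches[0].Groups[1].Value } else { $null }

# Anything False, empty or an offset beyond +/-300 s is worth fixing before promoting.
[pscustomobject]$results
```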