3rd Server Not Joining Domain When Connecting to Secondary DC 1st Time ?!

touqeeranjum 80 Reputation points
2024-03-23T06:29:51.6066667+00:00

Hi,

I have a weird issue and am unsure where the problem is.

The scenario is I have 3 servers, Server A, Server B, and Server C, the last of which I'm trying to join to the domain and promote as a DC. The replication DC for Server C is Server B.

Server A - dc-gcc-addc-prm.home.lab / 192.168.30.151

Server B - dc-eur-addc-snd.home.lab / 192.168.30.152

Server C - dc-eur-addc.home.lab / 192.168.30.153

The script on Server C configures the network address and timezone, then reboots, then runs the script below.

$sourceDC = "dc-eur-addc-snd.home.lab"
Import-Module ADDSDeployment

# $cred, $password, $domainName and $serverSite are set earlier in the script (not shown here)
$ADDSParams = @{
    NoGlobalCatalog               = $false
    CreateDnsDelegation           = $false
    Credential                    = $cred
    SafeModeAdministratorPassword = $password
    CriticalReplicationOnly       = $false
    DatabasePath                  = "C:\Windows\NTDS"
    DomainName                    = $domainName
    InstallDns                    = $true
    LogPath                       = "C:\Windows\NTDS"
    NoRebootOnCompletion          = $true
    SiteName                      = $serverSite
    ReplicationSourceDC           = $sourceDC   # Server B
    SysvolPath                    = "C:\Windows\SYSVOL"
    Confirm                       = $false
    Force                         = $true
}

Install-ADDSDomainController @ADDSParams -ErrorAction Stop

Then I see the below error.

The operation failed because: A domain controller could not be contacted for the domain home.lab that contained an account for this computer. Make the computer a member of a workgroup then rejoin the domain before retrying the promotion. "Access is denied." You must restart this computer to complete the operation. NotSpecified: (:) [Install-ADDSDomainController], DCPromoExecutionException 134: Install-ADDSDomainController @ADDSParams -ErrorAction Stop

When the above error appears, the WORKGROUP is the DOMAIN I'm trying to join, which I have to change back to WORKGROUP, then restart.


All this while the server can ping the Domain (home.lab), Server B, and interestingly when I restart the server it joins the domain without issues and promotes Server C without issues.

PS C:\Users\Administrator> ping home.lab
Pinging home.lab [192.168.30.152] with 32 bytes of data:
Reply from 192.168.30.152: bytes=32 time<1ms TTL=128
Reply from 192.168.30.152: bytes=32 time<1ms TTL=128
Reply from 192.168.30.152: bytes=32 time<1ms TTL=128
Reply from 192.168.30.152: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.30.152:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

PS C:\Users\Administrator> nslookup dc-eur-addc-snd.home.lab
Server:  dc-eur-addc-snd.home.lab
Address:  192.168.30.152
Name:    dc-eur-addc-snd.home.lab
Address:  192.168.30.152

PS C:\Users\Administrator> nslookup 192.168.30.152
Server:  dc-eur-addc-snd.home.lab
Address:  192.168.30.152
Name:    dc-eur-addc-snd.home.lab
Address:  192.168.30.152

PS C:\Users\Administrator> nslookup dc-eur-addc.home.lab
Server:  dc-eur-addc-snd.home.lab
Address:  192.168.30.152
Name:    dc-eur-addc.home.lab
Address:  192.168.30.153

PS C:\Users\Administrator> nslookup 192.168.30.153
Server:  dc-eur-addc-snd.home.lab
Address:  192.168.30.152
Name:    dc-eur-addc.home.lab
Address:  192.168.30.153

The point here is Server C tries to join the Domain after a restart but then fails and asks to rejoin again after a restart.

Below is dcdiag from Server A:

PS C:\Users\Administrator> dcdiag
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = dc-gcc-addc-prm
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: DC_GCC\DC-GCC-ADDC-PRM
      Starting test: Connectivity
         ......................... DC-GCC-ADDC-PRM passed test Connectivity
Doing primary tests
   Testing server: DC_GCC\DC-GCC-ADDC-PRM
      Starting test: Advertising
         ......................... DC-GCC-ADDC-PRM passed test Advertising
      Starting test: FrsEvent
         ......................... DC-GCC-ADDC-PRM passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DC-GCC-ADDC-PRM failed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-GCC-ADDC-PRM passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-GCC-ADDC-PRM passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-GCC-ADDC-PRM passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-GCC-ADDC-PRM passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC-GCC-ADDC-PRM passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-GCC-ADDC-PRM passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-GCC-ADDC-PRM passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC-GCC-ADDC-PRM passed test Replications
      Starting test: RidManager
         ......................... DC-GCC-ADDC-PRM passed test RidManager
      Starting test: Services
         ......................... DC-GCC-ADDC-PRM passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x0000002F
            Time Generated: 03/23/2024   13:25:13
            Event String:
            Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.30.1,0x8 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 03/23/2024   13:30:13
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         ......................... DC-GCC-ADDC-PRM passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-GCC-ADDC-PRM passed test VerifyReferences
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   Running partition tests on : home
      Starting test: CheckSDRefDom
         ......................... home passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... home passed test CrossRefValidation
   Running enterprise tests on : home.lab
      Starting test: LocatorCheck
         ......................... home.lab passed test LocatorCheck
      Starting test: Intersite
         ......................... home.lab passed test Intersite

Below is dcdiag from Server B:

PS C:\Users\Administrator.home> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dc-eur-addc-snd
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: DC_GCC\DC-EUR-ADDC-SND
      Starting test: Connectivity
         ......................... DC-EUR-ADDC-SND passed test Connectivity

Doing primary tests

   Testing server: DC_GCC\DC-EUR-ADDC-SND
      Starting test: Advertising
         ......................... DC-EUR-ADDC-SND passed test Advertising
      Starting test: FrsEvent
         ......................... DC-EUR-ADDC-SND passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DC-EUR-ADDC-SND failed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-EUR-ADDC-SND passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-EUR-ADDC-SND passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-EUR-ADDC-SND passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-EUR-ADDC-SND passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC-EUR-ADDC-SND passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-EUR-ADDC-SND passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-EUR-ADDC-SND passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC-EUR-ADDC-SND passed test Replications
      Starting test: RidManager
         ......................... DC-EUR-ADDC-SND passed test RidManager
      Starting test: Services
         ......................... DC-EUR-ADDC-SND passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 03/23/2024   13:28:12
            Event String: The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x00002720
            Time Generated: 03/23/2024   13:28:25
            Event String:
            The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/23/2024   13:28:32
            Event String:
            Name resolution for the name v10.events.data.microsoft.com timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/23/2024   13:30:25
            Event String:
            Name resolution for the name wdcpalt.microsoft.com timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/23/2024   13:30:44
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.home.lab. timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/23/2024   13:31:06
            Event String:
            Name resolution for the name v10.events.data.microsoft.com timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/23/2024   13:31:16
            Event String:
            NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 03/23/2024   13:31:22
            Event String:
            The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is
         A warning event occurred.  EventID: 0x0000A00A
            Time Generated: 03/23/2024   13:31:22
            Event String: The Security System has detected a downgrade attempt when contacting the 3-part SPN
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/23/2024   13:31:28
            Event String:
            NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
         A warning event occurred.  EventID: 0x00002720
            Time Generated: 03/23/2024   13:32:31
            Event String:
            The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/23/2024   13:32:37
            Event String:
            Name resolution for the name settings-win.data.microsoft.com timed out after none of the configured DNS servers responded.
         An error event occurred.  EventID: 0x0000040B
            Time Generated: 03/23/2024   13:33:38
            Event String:
            The DHCP service was unable to create or lookup the DHCP Users local group on this computer.  The error code is in the data.
         An error event occurred.  EventID: 0x0000040C
            Time Generated: 03/23/2024   13:33:38
            Event String:
            The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer.  The error code is in the data.
         A warning event occurred.  EventID: 0x00000420
            Time Generated: 03/23/2024   13:33:38
            Event String:
            The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 03/23/2024   13:33:42
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 03/23/2024   13:34:00
            Event String: The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/23/2024   13:34:40
            Event String:
            Name resolution for the name v10.events.data.microsoft.com timed out after none of the configured DNS servers responded.
         An error event occurred.  EventID: 0x0000040B
            Time Generated: 03/23/2024   13:34:41
            Event String:
            The DHCP service was unable to create or lookup the DHCP Users local group on this computer.  The error code is in the data.
         An error event occurred.  EventID: 0x0000040C
            Time Generated: 03/23/2024   13:34:41
            Event String:
            The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer.  The error code is in the data.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 03/23/2024   13:34:45
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000423
            Time Generated: 03/23/2024   13:34:45
            Event String: The DHCP service failed to see a directory server for authorization.
         An error event occurred.  EventID: 0x00000423
            Time Generated: 03/23/2024   13:34:45
            Event String: The DHCP service failed to see a directory server for authorization.
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/23/2024   13:34:50
            Event String:
            NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
         A warning event occurred.  EventID: 0x00002720
            Time Generated: 03/23/2024   13:35:00
            Event String:
            The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/23/2024   13:35:02
            Event String:
            NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server. (0x80072AFA)
         A warning event occurred.  EventID: 0x0000002F
            Time Generated: 03/23/2024   13:38:34
            Event String:
            Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.30.1,0x8 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
         ......................... DC-EUR-ADDC-SND failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-EUR-ADDC-SND passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : home
      Starting test: CheckSDRefDom
         ......................... home passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... home passed test CrossRefValidation

   Running enterprise tests on : home.lab
      Starting test: LocatorCheck
         ......................... home.lab passed test LocatorCheck
      Starting test: Intersite
         ......................... home.lab passed test Intersite

Anything I'm missing?


Accepted answer
  1. Thameur-BOURBITA 32,586 Reputation points
    2024-03-23T10:19:08.3866667+00:00

    Hi @touqeeranjum

    Did you check whether the network flows required for the join are open between Server C and the domain controllers?

    You can use this tool:

    PortQryUI - User Interface for the PortQry Command Line Port Scanner

    For the computer domain join, I think you can create a computer account object before the join and/or join the computer using a PowerShell command, specifying the name of the domain controller to be contacted in your PowerShell script:

    Add-Computer -DomainName Domain01 -Server 

    Start-Sleep -Seconds 120 # wait for AD replication

    Please don't forget to accept the helpful answer.
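
One way to act on both suggestions in this answer (check the ports Server C needs to reach the DC, and make sure the computer account is already on the DC that will be contacted before promoting), as an added PowerShell pre-flight that is not part of the question or of this answer; it assumes `$cred` already holds domain credentials, uses the host names from the question, and the `Domain\DCname` form passed to `-Server` is an assumption:

```powershell
# Added pre-flight for Server C (example code, not from the question or the answer).
# Assumes $cred already holds domain credentials; names are from the question.
$domainName = "home.lab"
$sourceDC   = "dc-eur-addc-snd.home.lab"

# TCP ports a domain join and DC promotion need on the target DC. RPC dynamic
# ports (49152-65535) are not covered here; PortQry can enumerate those.
$requiredPorts = [ordered]@{
    53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP"
    445 = "SMB"; 464 = "Kerberos kpasswd"; 636 = "LDAPS"; 3268 = "GC"; 3269 = "GC/SSL"
}

function Test-DcPorts {
    param([string]$Dc, [System.Collections.IDictionary]$Ports)
    $blocked = @()
    foreach ($port in $Ports.Keys) {
        $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) { $blocked += "$port/$($Ports[$port])" }
    }
    return $blocked
}

function Test-DcSrvRecords {
    # The dcdiag output in the question shows _ldap._tcp.dc._msdcs lookups timing
    # out on Server B; the DC locator on Server C needs these records answered.
    param([string]$Domain, [string]$DnsServer)
    $missing = @()
    foreach ($n in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
        try { $null = Resolve-DnsName -Name $n -Type SRV -Server $DnsServer -ErrorAction Stop }
        catch { $missing += $n }
    }
    return $missing
}

function Test-ComputerAccountOnDc {
    # Is this host's account already visible on the DC we will promote against?
    # If not, promotion races AD replication of a freshly created account.
    param([string]$Dc, [string]$Domain, [pscredential]$Cred)
    $base = "LDAP://$Dc/DC=" + ($Domain -replace '\.', ',DC=')
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $base, $Cred.UserName, $Cred.GetNetworkCredential().Password
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    return [bool]$searcher.FindOne()
}

$blocked = Test-DcPorts -Dc $sourceDC -Ports $requiredPorts
if ($blocked) { throw "$sourceDC unreachable on: $($blocked -join ', ')" }
$missing = Test-DcSrvRecords -Domain $domainName -DnsServer $sourceDC
if ($missing) { throw "SRV records missing on $($sourceDC): $($missing -join ', ')" }

if ((Get-CimInstance Win32_ComputerSystem).Domain -ne $domainName) {
    # Not a member yet: join through the DC that will be the replication source and
    # reboot before promoting. -Server takes Domain\DCname (assumed FQDN domain works).
    Add-Computer -DomainName $domainName -Server "$domainName\dc-eur-addc-snd" -Credential $cred -Restart -Force
    return
}
if (-not (Test-ComputerAccountOnDc -Dc $sourceDC -Domain $domainName -Cred $cred)) {
    throw "Account for $env:COMPUTERNAME not yet on $sourceDC; wait for replication, then retry"
}
# Joined and the account is confirmed on $sourceDC: now run the Install-ADDSDomainController
# splat from the question, with ReplicationSourceDC = $sourceDC.
```

Run it once before the join (it joins and reboots) and once after the reboot (it verifies the account on Server B and then hands over to the promotion script).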


1 additional answer

  1. touqeeranjum 80 Reputation points
    2024-03-23T15:56:33.65+00:00

    @Rich Matheisen

    This is a set up running in VMware Workstation, all 3 servers are in the same network, not sure what is going on.

    When resolving, DNS works fine.
