This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
When I stop Netlogon and KDC service in a DC, I receive "operational errors trying to retrieve replication information" with error code 8341.
This does not happen in my other environment when I stop these 2 services.
Hello,
Would you mind telling us the current situation? Please let us know if you would like further assistance. Thanks.
Best regards,
Hannah Xiong
What is the reason for stopping services? Error 8341 is a generic error A directory service error has occurred
--please don't forget to Accept as answer if the reply is helpful--
I am stopping them to check which client machine has dependencies to that particular DC. So that i can demote that DC at last without client failures.
Hi,
When I stop Netlogon and KDC service in a DC, I receive "operational errors trying to retrieve replication information" with error code 8341.
When you stop these services used for authentication by user users and member machines, the DC will be unable to contact its KDC and netlogon to authenticate and perform the replication process.
This does not happen in my other environment when I stop these 2 services.
This behavior depend of active directory topology, if the DC is able to contact the KDC of another Dc when it's KDC is stopped , it will be able to authenticate and perform the AD replication.
For your information it's not recommended to keep Netlogon and KDC service stopped, they should be started automatically.
Please don't forget to mark this reply as answer if it help you to fix your issue
We are in the process of demoting legacy DCs but first we want clear all the dependencies from clients to these DCs. To know that we are stopping these services.
Is there a way to know which DCs using this DCs KDC and how to redirect them to another DC.
Thanks
Is there a way to know which DCs using this DCs KDC and how to redirect them to another DC.
I'd check that clients no longer have the old domain controllers listed for DNS. To know for sure you could setup a wireshark (or similar) trace.
--please don't forget to Accept as answer if the reply is helpful--
Thanks @Thameur-BOURBITA
When you stop these services used for authentication by user users and member machines, the DC will be unable to contact its KDC and netlogon to authenticate and perform the replication process.
Cant the DCs look for another DC for authentication? Is there a way to know which DCs using this DCs KDC and how to redirect them to another DC.
Hi,
You can launch the following command to display on which domain controller the secure channel currently is connected:
nltest /sc_query:DomainName
please Don't forget to mark this reply as answer if it help you to fix your issue
I am stopping them to check which client machine has dependencies
Simplest solution is to update the DHCP server to hand out the new domain controller for DNS
--please don't forget to Accept as answer if the reply is helpful--
Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
Hi,
Stopping theses services is not enough to check dependency before demote this legacy domain controller, because if you don't delete the DC DNS records , client will still trying to contact it. Because a client will send DNS request to get the list of DCs and closest DC. So the best way to check dependency is stop this DC and remove all it's DNS records.
Check Ip configuration for all members servers that there is no client still send a DNS request to this DC and if there is any application or script still configured to contact this DCs
Please don't forget to mark this reply as answer if it help you to fix your issue
The DNs server is separate and we have done that part. Just to be extra carefull.
I assume that, If the DC is hardcoded in the client someway, since the netlogon and KDC is stopped it will fail to process the request of client instead of going to another DC and we will know that this client is failing and there is the issue.
So that is the plan but getting replication issue in the main environment while not in the lab is confusing.
Cant the DCs look for another DC for authentication? Is there a way to know which DCs using this DCs KDC and how to redirect them to another DC.
The search order depends on how you list them on the client connection properties.
--please don't forget to Accept as answer if the reply is helpful--
Just an update..
Looking for any GPOs. Because if I am testing it in another environment its working, disabling netlogon not causing any error in replication but in the main environment it is giving me replication error.
Hi,
Thanks for your updates.
If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business