Brand new AD with 2 DCs, broken

Anonymous
2023-09-05T20:55:04+00:00

Hi, I've recently set up a brand-new AD with 2 DCs (both were GCs, and serving DNS). Everything was fine until yesterday. It seems that both domain controllers have lost their secure channel and I am unable to log in to the DCs with my Domain Admin account, nor the local admin account. I am able to get in via DSRM. DNS, KDC, ADDS will not start. I've attempted to reset the secure channel by using netdom, and it says it cannot be reset. It seems that my domain has 'dropped'??

Performing dcdiag /v gives me the following: ***Error: inf-pv5-dc1hq is not a directory server.

ADWS event viewer shows ID 1202: This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it.

Directory Service event viewer shows ID 2092: This server is the owner of the following FSMO role, but does not consider it valid.

netdom query fsmo returns: the specified domain either does not exist or could not be contacted.

Not able to open ADSIedit either, same message that the domain doesn't exist.

Any help is appreciated.

This is around the time I noticed the issues.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2023-09-06T02:25:54+00:00

    Hello Samir Budhdeo,

    Thank you for posting in Microsoft Community forum.

    Based on the description above, I understand you have newly set up a domain with two Domain Controllers (both DCs are GC servers and DNS servers).

    To better understand your question, please confirm the information below so that we can help you better.

    1. Based on "everything was fine until yesterday", may I know what changes you made before the issue occurred?

    For example:
    Configuring any GPO related to logon methods on the Domain Controllers, or other settings.

    2. Based on the description "I am unable to login to the DCs with my Domain Admin account", what error message did you receive when you signed in to both DCs with the domain Administrator account?

    3. Did you run dcdiag /v and netdom query fsmo in DSRM mode?

    4. What error message did you see about the broken secure channel?

    5. Did you reset the secure channel in DSRM mode?

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

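The answer above asks for dcdiag, netdom query fsmo and the secure-channel error while the DC is in DSRM. The script below is an added example (not part of the original thread and not Microsoft's own guidance beyond the documented commands it calls): a first-pass triage run elevated on the affected DC that reads only local state, so every step also works in DSRM. It assumes the default Windows event log names; the partner DC name and the account used with netdom are placeholders.

```powershell
# Added example, not part of the original thread: first-pass triage for a DC that reports
# "not a directory server" and cannot reach its own domain. Run elevated on the DC; every step
# reads local state only, so it also works in DSRM. Assumptions: default event log names, and the
# partner DC / account names below are placeholders.

$partnerDc = 'inf-pv5-dc2hq'   # assumed name of the other DC; replace with the real one

# 1. Services named in the symptoms. StartType reveals a service that a policy has set to Disabled.
Get-Service -Name NTDS, Kdc, DNS, Netlogon, ADWS, DFSR, W32Time -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2. The events quoted in the post, plus Netlogon's own secure-channel failures in the System log.
$queries = @(
    @{ LogName = 'Directory Service';             Id = 2092 }                        # FSMO role not considered valid
    @{ LogName = 'Active Directory Web Services'; Id = 1202 }                        # ADWS cannot service the instance
    @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719, 5722, 5805 }  # secure channel / session setup
)
foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}

# 3. Clock: Kerberos rejects requests when clocks differ by more than 5 minutes (default policy).
w32tm /query /status 2>&1 | Select-String 'Source|Last Successful|Stratum'

# 4. What this machine itself believes about its DC role (registry written at promotion, no LDAP needed).
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue |
    Select-Object 'Machine DN Name', 'Root Domain', 'DSA Database file' | Format-List

# 5. The checks the answer asks for. They only succeed once NTDS is running; keep the output either way.
$report = Join-Path $env:TEMP ('dc-triage-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date))
dcdiag /v         2>&1 | Out-File -FilePath $report
netdom query fsmo 2>&1 | Out-File -FilePath $report -Append
"Verbose dcdiag / netdom output saved to $report"

# 6. Resetting this DC's machine-account password against the partner (Microsoft KB 325850 procedure):
#    stop the KDC first, run netdom against the OTHER DC, then start the KDC again. Shown rather than
#    run, because netdom prompts for the password and the partner must be reachable on the network.
@"
Stop-Service Kdc -Force
netdom resetpwd /s:$partnerDc /ud:<domain>\Administrator /pd:*
Start-Service Kdc
"@
```

Step 6 is the reset the original poster reports as failing; it has to be run on the DC whose password is being reset, pointed at a DC that is still healthy, which is why the partner's name is a parameter here.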
  2. Anonymous
    2023-09-06T03:32:28+00:00

    Hello Daisy, thanks for your reply.

    Yes, I did implement a NIST controlled GPO to the domain controllers.

    When attempting to log in to the DCs, it just says: your username or password is incorrect.

    Yes, dcdiag was run; see the images in my original post, they are attached.

    Regarding the broken secure channel, I don't recall which event ID I saw it in.

    I was not able to reset the secure channel; it failed. Here's the image.

  3. Anonymous
    2023-09-07T01:09:02+00:00

    Hello Samir Budhdeo,

    Thank you for your confirmation.

    1. What are the detailed group policy settings in "the NIST controlled GPO to the domain controllers"?

    2. Did you link the GPO to the Domain Controllers OU?

    3. Did you reset the secure channel password on the non-PDC or on the PDC? You can try resetting the secure channel password on the non-PDC.

    4. Also, what error message did you receive when you signed in to both DCs with the domain Administrator account?

    Best Regards,
    Daisy Zhou

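The answer above asks what the hardening GPO actually sets and whether it is linked to the Domain Controllers OU. While the DC cannot contact its domain, neither the GroupPolicy module nor gpresult can answer that, but two things on the DC's own disk can: the machine security template (GptTmpl.inf) of every GPO in SYSVOL, and the policy last applied to the machine, which secedit can export without LDAP. The script below is an added example, not code from the thread or from Microsoft; it assumes SYSVOL sits at the default location and that the templates carry the UTF-16 byte-order mark Windows writes, so .NET's BOM detection reads them correctly. It reports the logon rights and the Netlogon/Kerberos/LSA registry values each template sets (the OU link itself can only be confirmed from the directory once NTDS is back).

```powershell
# Added example, not from the original thread: what each GPO's security template in SYSVOL sets, and
# what is effectively applied to this DC, read from local files only (works in DSRM).
# Assumptions: default SYSVOL path; templates have a BOM so File.ReadAllLines picks the encoding.

# Parse a security-template (.inf) file into an ordered @{ Section = @{ Key = Value } }.
function Read-SecurityTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $result  = [ordered]@{}
    $section = $null
    foreach ($raw in [System.IO.File]::ReadAllLines($Path)) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }            # blank or comment
        if ($line -match '^\[(.+)\]$') {                                   # [Section]
            $section = $Matches[1]
            $result[$section] = [ordered]@{}
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {          # Key = Value
            $result[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

# Rights are stored as '*SID' tokens; translate the well-known ones, keep the rest as SIDs
# (domain SIDs cannot be resolved while the DC has no working secure channel).
function Resolve-Principal {
    param([string]$Token)
    $t = $Token.Trim()
    if (-not $t.StartsWith('*')) { return $t }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $t.Substring(1)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $t }
}

$rightsOfInterest = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
                    'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
                    'SeNetworkLogonRight', 'SeDenyNetworkLogonRight', 'SeEnableDelegationPrivilege'

$templates = @()
# 1) every GPO's machine security template held in SYSVOL (identified by the GPO GUID folder)
$policies = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'
$templates += Get-ChildItem -LiteralPath $policies -Recurse -Filter GptTmpl.inf -ErrorAction SilentlyContinue
# 2) the policy actually in force on this machine, exported by secedit (no domain contact required)
$export = Join-Path $env:TEMP 'effective-policy.inf'
secedit /export /cfg $export /areas USER_RIGHTS SECURITYPOLICY | Out-Null
if (Test-Path $export) { $templates += Get-Item $export }

foreach ($file in $templates) {
    $t    = Read-SecurityTemplate -Path $file.FullName
    $name = if ($file.FullName -match '\{[0-9A-F-]{36}\}') { "GPO $($Matches[0])" } else { 'effective policy (secedit export)' }
    "`n=== $name  ($($file.FullName))"

    $rights = $t['Privilege Rights']
    if ($rights) {
        foreach ($r in $rightsOfInterest) {
            if (-not $rights.Contains($r)) { continue }                     # right not touched by this template
            $who = ($rights[$r] -split ',' | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ }) -join ', '
            '{0,-36} {1}' -f $r, $(if ($who) { $who } else { '<nobody>' })  # an empty value strips the right from everyone
        }
    }
    $reg = $t['Registry Values']
    if ($reg) {
        $reg.GetEnumerator() | Where-Object { $_.Key -match 'Netlogon|Kerberos|Lsa\\' } |
            ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }
    }
}
```

A template that lists only a few principals for SeInteractiveLogonRight, or any principal at all for SeDenyInteractiveLogonRight / SeDenyNetworkLogonRight, is the first thing to compare against the accounts that now fail to sign in; the secedit export at the end of the output shows which of the SYSVOL templates actually won on this machine.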