Certificate error on all clients

Mahyar S 1 Reputation point
2021-06-30T06:46:01.617+00:00

Hi

We have a domain controller that is about 12 years old. The OS itself has been upgraded regularly (now it is Windows Server 2019), but over these years a lot of settings have been changed or a couple of services were connected to Active Directory and then disconnected, so a lot of junk has been left over and many services do not work as properly as they used to.
Therefore, we need a way to clean up our domain controller.
Recently we seized our primary DC and installed a fresh OS, but when making it primary again, it took back all that crap from our additional DC, so we are back to where we were.

The reason I ask is that recently an annoying problem occurred: any Windows PC that joins our domain gets an SSL cert error, even for google.com.
I created a policy at the top of the tree, imported an updated version of the certificates from Microsoft and enforced that policy, but the problem still exists.

PS: dcdiag.exe shows everything passing.

Thank you in advance.


7 answers

  1. Hannah Xiong 6,276 Reputation points
    2021-07-01T03:27:25.98+00:00

    Hi @Mahyar S ,

    Thanks a lot for posting here.

    Before and after we make any change to our AD environment, please kindly make sure that all domain controllers work well and the replication status among the domain controllers is okay without any error.

    To check about this, we could run the below commands:

    dcdiag /v /e>c:\temp\dcdiag.txt
    repadmin /replsummary /bydst /bysrc >C:\temp\replsummary.txt
    repadmin /showrepl * /csv >C:\temp\repall.csv

    As for the certificate error, if possible, would you please share a screenshot of this error, so we can better understand the issue? Besides, may I know whether it is an SSL self-signed certificate?

    Looking forward to hearing from you. Thanks.

    Best regards,
    Hannah Xiong


  2. Hannah Xiong 6,276 Reputation points
    2021-07-05T02:55:08.617+00:00

    Hi @Mahyar S ,

    Thank you so much for your kindly reply.

    Due to security considerations, it is suggested not to post any logs here. As for confidential information, it is suggested to blur it.

    I have checked that there is nothing wrong with the AD replication. From the dcdiag report, there seems to be something wrong with SYSVOL replication. Would you please kindly run the below commands to check for more information?

    Net share

    dfsrmig.exe /getglobalstate

    wmic /namespace:\\root\microsoftdfs path DfsrReplicatedFolderInfo get ReplicationGroupName,ReplicatedFolderName,State

    As for the SSL certificate issue, it is showing that "This certificate cannot be verified up to a trusted certificate authority". I have found this documentation and hope it would be of some help.

    https://techcommunity.microsoft.com/t5/iis-support-blog/you-get-a-security-alert-when-you-try-to-access-an-ssl-enabled/ba-p/348093#:~:text=You%20get%20%22%20This%20certificate%20cannot%20be%20verified,and%20users%20accessing%20the%20web%20site%20over%20Internet.

    Best regards,
    Hannah Xiong
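
    The checks from the two answers above, as an added example that is not part of the thread and not code from Hannah or Microsoft: it runs the same repadmin, dfsrmig, DFSR WMI and share checks from an elevated PowerShell session on a domain controller and summarizes the results instead of writing them to text files. It assumes the AD DS tools are installed and that SYSVOL is replicated by DFSR; the column names used for repadmin's CSV output are the ones repadmin itself emits.

```powershell
# Added example, not code from the thread: summarize DC replication health from an
# elevated PowerShell session on a domain controller. Assumes the AD DS tools
# (repadmin, dcdiag, dfsrmig) are present and SYSVOL uses DFSR.

# 1. AD replication: parse repadmin's CSV output and keep only partner links that
#    report failures. 'Number of Failures' and 'Last Failure Status' are columns
#    that repadmin /showrepl /csv emits.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    Write-Warning "AD replication: $($failed.Count) failing link(s)"
    $failed |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time' |
        Format-Table -AutoSize
} else {
    'AD replication: no failing links reported by repadmin.'
}

# 2. SYSVOL replication engine: the global migration state should read 'Eliminated'
#    once DFSR is the only engine in use.
dfsrmig.exe /getglobalstate

# 3. DFSR replicated-folder state, decoded into words. Only 4 (Normal) is healthy;
#    2 (Initial Sync) on the SYSVOL folder means this DC has not finished its
#    initial synchronization.
$dfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                3 = 'Auto Recovery';  4 = 'Normal';      5 = 'In Error' }
Get-CimInstance -Namespace 'root\microsoftdfs' -ClassName DfsrReplicatedFolderInfo |
    Select-Object ReplicationGroupName, ReplicatedFolderName,
                  @{ n = 'State'; e = { $dfsrState[[int]$_.State] } } |
    Format-Table -AutoSize

# 4. The two shares every DC must publish ('Net share' in the answer above shows the
#    same thing). Both missing usually means SYSVOL never finished initial sync here.
Get-SmbShare | Where-Object Name -in 'SYSVOL', 'NETLOGON' |
    Select-Object Name, Path

# 5. The targeted dcdiag tests for the same area (quieter than /v /e).
dcdiag /test:SysVolCheck /test:Advertising
```

    Run it on each DC, not just the PDC emulator: a link that fails in one direction only shows up in the CSV of the destination DC, and the DFSR state is per server.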


  3. Mahyar S 1 Reputation point
    2021-07-19T04:31:51.497+00:00

    Hi
    I checked the SYSVOL replication and it was OK.
    About the certificate problem: now none of the domain clients get a certificate error because of the policy, but the SSL sites became slow and don't work right!
    I thought maybe the problem was our internet provider or our firewall config, but no: if a client uses our network without joining our domain everything works perfectly, but if a joined client wants to work with the internet it works badly! I even tested a joined client out of our network with a different internet connection, but it still works badly!

    Thank you for your time.


  4. Hannah Xiong 6,276 Reputation points
    2021-07-19T09:34:36.477+00:00

    Hi @Mahyar S ,

    Thank you so much for your kindly reply.

    As mentioned, the certificate error has been resolved because of the policy, but now our SSL sites became slow and do not work right.

    Based on my understanding, we access the SSL site google.com via https. If so, it will verify the validity of the certificate. May I know whether we could successfully access the site finally? Or is there any error message we would see?

    To figure out this issue, I would suggest capturing a network trace and maybe CAPI2 logging for further analysis. For security reasons, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    https://support.serviceshub.microsoft.com/supportforbusiness

    Thanks a lot and have a nice day.

    Best regards,
    Hannah Xiong

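
    The chain verification and CAPI2 logging that the answer above recommends, as an added example that is not part of the thread and not code from Hannah or Microsoft: run from a domain-joined client, it fetches the site's TLS certificate, builds the chain with the same CryptoAPI machinery the browser uses, prints the status of every link, and reports whether the root the chain ends at is in the machine Root store, the AuthRoot (auto-updated third-party) store, or was pushed by Group Policy. It then enables the CAPI2 operational log and lists recent chain-building errors. It assumes Windows PowerShell 5.1 or later, an elevated session for the wevtutil step, outbound HTTPS, and a host name passed as the constructed `-Target` parameter; the registry paths are the standard locations for policy-distributed roots and the root auto-update setting.

```powershell
# Added example, not code from the thread: inspect a site's certificate chain from a
# domain-joined client and read the CAPI2 log. Run as: .\Test-TlsChain.ps1 -Target www.google.com
param([string]$Target = 'www.google.com')   # constructed default, not from the thread

function Get-RemoteLeafCertificate {
    param([string]$HostName)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        # Accept whatever the server presents here; the chain is inspected separately below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Online revocation checking: a RevocationStatusUnknown / OfflineRevocation flag on
    # an element points at blocked CRL/OCSP fetches, which also slows every handshake.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($Leaf)

    # One line per link, leaf first, with the per-element status flags.
    foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        '{0,-24} {1}' -f $status, $el.Certificate.Subject
    }

    # Where does the top of the chain live on this client?
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        ChainBuilds   = $ok
        TopOfChain    = $root.Subject
        InMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
        InAuthRoot    = Test-Path "Cert:\LocalMachine\AuthRoot\$($root.Thumbprint)"
        PushedByGpo   = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($root.Thumbprint)"
    }
}

# Roots missing from the store are normally fetched on demand from Windows Update,
# unless policy sets DisableRootAutoUpdate to 1. A chain ending in an unknown root on
# every joined client (but not on unjoined ones) is a reason to look at this value.
$autoRoot = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction SilentlyContinue
"Root auto-update disabled by policy: $([bool]$autoRoot.DisableRootAutoUpdate)"

# CAPI2 logging (needs an elevated session): enable the operational log, build the
# chain to generate events, then read back critical/error entries.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
$leaf = Get-RemoteLeafCertificate -HostName $Target
Test-CertificateChain -Leaf $leaf
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Level -le 2 |
    Select-Object TimeCreated, Id, Message
```

    Comparing the output from a joined client with that from an unjoined machine on the same network isolates what the domain policy changed: if `ChainBuilds` is true on both but only the joined client is slow, look at the revocation flags and the CAPI2 events for CRL/OCSP retrieval failures; if the joined client's chain ends at a root that is neither in `Root` nor `AuthRoot` and auto-update is disabled by policy, the imported certificate list, not the site, is the problem.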

  5. Mahyar S 1 Reputation point
    2021-07-20T04:20:22.927+00:00

    Hi @Hannah Xiong
    The certificate error is gone, but when you want to use a site with SSL, the website gets stuck on loading, or maybe some part of that website loads and not all of it.
    Anyway thank you so much for your help

