Hey everyone! I'm dealing with a tricky issue in a client's environment and could really use your insights. So here's the situation: the client originally had two Domain Controllers, named DC01 and DC02. They noticed a problem with DC01 and decided to remove it, leaving only DC02.
Now, when they attempted to add a new Domain Controller (let's call it DC03), the setup went smoothly. However, after rebooting DC03, nobody can log in with any domain user credentials on DC02. Here are the key points to consider:
- As long as DC02 isn't rebooted, I can join new machines to the domain and authenticate users.
- I've been testing with a cloned version of DC02 using Hyper-V, and I'm careful to import it while still running it in a saved state. Then I discard and re-import the VM after every failed reboot login attempt.
- Every time I reboot, the same problem persists: no domain user can log in.
I've tried a bunch of things, such as cleanups in Active Directory and DNS, checking that the NETLOGON and SYSVOL shares are accessible, and verifying that all services are running as they should. I've also run diagnostic tools like dcdiag and found no errors.
Despite spending over 20 hours troubleshooting, I haven't hit on a solution yet. If anyone has any ideas or suggestions, I'm all ears! Since I'm in a lab environment, I can try any destructive tests you might recommend. Thanks so much for your help!
5 Answers
Have you checked DC02 for the FSMO roles? Also, look into DFS-R replication logs for any issues. Cloning Domain Controllers can lead to serious problems, especially on the same network! Just a heads up on that. What kind of cloning process are you using?
When you say DC02 "failed to allow domain logins" after a reboot, are you trying to log in directly on DC02 or from a domain computer?
Since the login issue happens only after a reboot and you’re working with cloned DCs, it might be a case of USN rollback or inconsistencies from snapshots. It’s best to build a fresh DC, properly promote it, and avoid using saved state restores to sidestep these AD issues.
You really shouldn't be backing up and restoring Domain Controllers like this. It messes up how they operate. Try running a few diagnostic commands on your running DCs to look for errors: 'repadmin /replsummary SERVERNAME', 'repadmin /showrepl', and 'dcdiag /v /c /d /e /s:SERVERNAME >C:\somefilepath.log'. Also, did you change DHCP settings, or is DNS configured correctly?
The reboot issue sounds crucial. Often, that indicates problems with SYSVOL/DFS-R or secure channel issues, even if the diagnostics pass. The warnings you see during promotion are something to consider seriously! Also, when you import a running DC via Hyper-V, it can sometimes keep a bad state. Testing with a cold boot could help, along with checking DFS-R health and time sync.
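As an added example, not posted by any of the answerers above, here is a read-only PowerShell health sweep that collects in one pass the things the replies ask about: FSMO holders and stale DC objects, USN rollback markers, repadmin and dcdiag output, SYSVOL/NETLOGON and DFSR state, core services, the DC locator and time sync. The output directory C:\Temp\dc-health and the assumption that it is run elevated on DC02 (or another live DC) are mine; the commands are the standard Windows Server tools and the ActiveDirectory module that ships on every DC.

```powershell
# Added example, not from any answer in this thread: a read-only health sweep for a
# rebooted DC that gathers the signals the replies ask about. Run it elevated on DC02.
# Assumes the ActiveDirectory module (present on every DC) and that $OutDir is writable.
#Requires -RunAsAdministrator
param(
    [string]$DC     = $env:COMPUTERNAME,      # DC to inspect; defaults to the local machine
    [string]$OutDir = 'C:\Temp\dc-health'     # assumed location for the raw tool output
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
function Write-Section([string]$Title) { Write-Host "`n=== $Title ===" -ForegroundColor Cyan }

# 1. FSMO roles and DC inventory. After DC01 was removed, every role must sit on a DC that
#    still answers; a role holder that does not respond, or a DC object for DC01 still in
#    AD, means the removal / metadata cleanup was incomplete.
Write-Section 'FSMO roles and registered DCs'
$domain = Get-ADDomain
$forest = Get-ADForest
$roles  = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
[pscustomobject]$roles | Format-List
$registered = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$reachable  = @($registered | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })
$stale      = @($registered | Where-Object { $_ -notin $reachable })
if ($stale) { Write-Warning "DC objects that do not respond (metadata cleanup needed?): $($stale -join ', ')" }
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -notin $reachable) { Write-Warning "$($r.Key) is held by $($r.Value), which does not respond" }
}

# 2. USN rollback markers. A DC brought back from a snapshot or saved state can fall behind
#    what its partners have already received from it. When Windows notices, it logs
#    Directory Service event 2095 (2103 after an unsupported restore), sets 'Dsa Not Writable'
#    to 4, stops replication and pauses Net Logon, so the DC stops answering logons.
Write-Section 'USN rollback markers'
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.'Dsa Not Writable' -eq 4) { Write-Warning "NTDS is marked not writable: USN rollback detected on $DC" }
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap

# 3. Replication, dcdiag, SYSVOL and DFSR, as suggested in the replies (dcdiag is slow; its
#    full output is saved and only failed tests are surfaced).
Write-Section 'Replication (repadmin) and dcdiag'
repadmin /replsummary     | Tee-Object -FilePath "$OutDir\replsummary.txt"
repadmin /showrepl $DC    | Tee-Object -FilePath "$OutDir\showrepl.txt"
dcdiag /v /c /d /e /s:$DC | Out-File "$OutDir\dcdiag.log"
Select-String -Path "$OutDir\dcdiag.log" -Pattern 'failed test' | ForEach-Object { Write-Warning $_.Line.Trim() }

Write-Section 'SYSVOL / NETLOGON shares and DFSR state'
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Format-Table Name, Path -AutoSize
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
if ($netlogon.SysvolReady -ne 1) { Write-Warning 'SysvolReady is not 1: Netlogon has not published SYSVOL since this boot' }
# DfsrReplicatedFolderInfo.State: 0 Uninitialized, 1 Initialized, 2 Initial Sync,
# 3 Auto Recovery, 4 Normal, 5 In Error. Anything other than 4 for SYSVOL Share needs attention.
Get-CimInstance -Namespace root\MicrosoftDFS -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
    Select-Object ReplicatedFolderName, State | Format-Table -AutoSize

# 4. Core services, DC locator and clock. Kerberos tolerates 5 minutes of skew by default,
#    and a VM resumed from a saved state keeps the snapshot-time clock until W32Time corrects it.
Write-Section 'Services, DC locator and time'
Get-Service NTDS, KDC, Netlogon, DNS, DFSR, W32Time -ErrorAction SilentlyContinue | Format-Table Name, Status -AutoSize
nltest /dsgetdc:$($domain.DNSRoot) /force   # what a client's DC locator would get right now
w32tm /query /status                         # Source and Stratum; 'Local CMOS Clock' on the PDC is a red flag
```

Run it on DC02 right after a reboot and, for comparison, on DC03. A 'Dsa Not Writable' value of 4 or a 2095 event confirms the USN rollback the replies suspect; a SysvolReady of 0 or a DFSR state other than 4 points at the SYSVOL side instead; a role holder or DC object that no longer responds means the DC01 removal still needs metadata cleanup.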