AD Fun after user enforced shutdown

Jools PB 96 Reputation points
2020-07-29T18:15:21.4+00:00

Hi All,

I've got a problem with a server at a charity I volunteer at, where it appears one of the DCs at one of their remote sites was shut down on the button.

The following day, the server involved started complaining about a target account being incorrect when a user was trying to access a share. I went through the logs and found the credentials that the servers use to communicate were skewed. The cure, it turned out, was "netdom resetpwd" run on the server from a remote DC. All of a sudden, DNS pops up and things seem to be working again.

Following morning, I get a call from one of the other offices complaining that they can't access shares on the server in their building. So, log in, same error. Go to the first server that broke (Server 2016), run netdom reset and it fails with:

The machine account password for the local machine could not be reset.

The target account name is incorrect.

The command failed to complete successfully.

So, go to another DC - same, another - same, finally, last DC in the organisation succeeds, and all the errors in the log on the 2nd server disappear and DNS comes back up.

So, try to access the shares on the second server from the others in the organisation and get the same error about target accounts. Go to the server that succeeded in the netdom password reset and that one opens all the shares on the second server. So, somewhere along the line, AD seems to have got out of sync.

I've tried syncing, and on all the servers it returns sync completed with no errors, but they don't seem to be getting along. There are no errors logged in Event Viewer, which seems odd, and aside from the share access, everything appears to be fine.

Could someone please point me in the best direction for getting these boxes talking to each other again. There are three DCs which work fine (share-wise) together but won't talk to the other two, and the other two work fine with each other but won't talk to the other three.

If you want log or dcdiag outputs, please let me know the parameters and I'll post the result.

Thanks,

Jools


Accepted answer
  1. Jools PB 96 Reputation points
    2020-07-31T16:06:11.683+00:00

    I appear to have had a bit of a result (hopefully).

    Having begun picking through the logs to sort out individual errors, the one that was bugging me was the target name error. Hunting it down, I came across a TechNet article on Server 2003 that used the IP of the server in the netdom resetpwd command instead of the computer name. Waited for the building to empty and ran the command on one of the remote servers and bingo, password successfully reset.

    So, I now only have an SChannel problem to sort and it looks like it may be a fix.

    So, once again, thanks for your help. You kept me going when I was just running round in circles getting frustrated. Top marks for you.

    Best of luck to you,

    Jools


11 additional answers

  1. Jools PB 96 Reputation points
    2020-07-29T23:13:04.477+00:00

    Thanks. I'll try without the https://

    1drv.ms/u/s!AitQ-yNrk-M6cE3GxcHsYCu5UVw?e=jcqOpk


  2. Jools PB 96 Reputation points
    2020-07-29T23:13:31.66+00:00

    Well, that worked. Just add https:// to the line above


  3. Jools PB 96 Reputation points
    2020-07-30T08:47:01.66+00:00

    2nd run results below. Thanks again for your help, it's much appreciated.

    Site is also still objecting to URLs, so I've left the prefix off again.

    1drv.ms/u/s!AitQ-yNrk-M6edFP3-y6MKxLkCg?e=lzEBkU


  4. Dave Patrick 426.4K Reputation points MVP
    2020-07-30T13:04:08.517+00:00

    On BROGDALE I'd add its own static IP address (192.168.2.2) to the DNS servers listed
    On mackenney I'd add its own static IP address (192.168.5.2) to the DNS servers listed
    On chris-ellis I'd add its own static IP address (192.168.4.2) to the DNS servers listed

    There are still problems with DNS registration; after fixing the above I'd do ipconfig /flushdns, ipconfig /registerdns, and restart the Netlogon service on all. Also check DNS for any incorrect registrations for these domain controllers and remove them.

    Check the event logs for error details on each;
    also refer to this one for further troubleshooting of the 1908 errors
    https://support.microsoft.com/en-us/help/2712026/troubleshooting-ad-replication-error-1908-could-not-find-the-domain-co

    https://support.microsoft.com/en-us/help/305476/initial-synchronization-requirements-for-windows-2000-server-and-windo

    I'd check these ports are flowing between sites.
    https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
    https://www.microsoft.com/en-us/download/details.aspx?id=24009

    --please don't forget to Accept as answer if the reply is helpful--

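The per-DC steps in the answer above (list the DC's own static IP as a DNS server, flush and re-register, restart Netlogon, then look for stale registrations) as one PowerShell script. This is an added example, not code from the thread or from Microsoft; the adapter name and the assumption that the DNS zone name equals the AD domain's DNS name are placeholders to adjust, and it only reports mismatched A records rather than deleting them.

```powershell
# Added example: run elevated on each domain controller.
# Assumptions: the static IPv4 address sits on the adapter named below, and the
# AD-integrated zone carrying the DC records has the same name as the domain.
$Adapter = 'Ethernet'                      # assumed adapter alias
$Domain  = (Get-ADDomain).DNSRoot          # ActiveDirectory module (present on a DC)
$OwnIp   = (Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
            Where-Object PrefixOrigin -eq 'Manual').IPAddress

# 1. The DC must list its own static address among its DNS servers.
$Dns = Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4
if ($Dns.ServerAddresses -notcontains $OwnIp) {
    Write-Host "Adding $OwnIp to the DNS server list on $Adapter"
    Set-DnsClientServerAddress -InterfaceAlias $Adapter `
        -ServerAddresses (@($OwnIp) + $Dns.ServerAddresses)
}

# 2. Equivalent of ipconfig /flushdns, ipconfig /registerdns and a Netlogon
#    restart, so the host and SRV records are rewritten from this DC's view.
Clear-DnsClientCache
Register-DnsClient
Restart-Service -Name Netlogon

# 3. Report (do not delete) A records for this DC whose address is not the
#    static one; these are the "incorrect registrations" to review by hand.
$Stale = Get-DnsServerResourceRecord -ZoneName $Domain -Name $env:COMPUTERNAME -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $OwnIp }
if ($Stale) {
    Write-Host "Records for $env:COMPUTERNAME in $Domain not matching $OwnIp :"
    $Stale | Format-Table HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
} else {
    Write-Host "All A records for $env:COMPUTERNAME in $Domain point at $OwnIp"
}
```

Review the reported records before removing any; a second address can be legitimate on a multi-homed DC, which is itself a configuration worth questioning.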