This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 78%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi,
I had a major issue with one of my domain controllers where it could not be gracefully demoted and had to be restored from backup. I know this is a no no but there was no other option at the time. Unfortunately I went back too far, 1 month to be precise, and since then my domain has had some big replication issues. I have been using dcdiag to try and diagnose the issues and I am receiving this error when I attempt to replicate to any of the other DCs from my FSMO master:
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
[Error details: 1326 (Type: Win32 - Description: The user name or password is incorrect.) - Add connection failed]
TEST: Basic (Basc)
Error: No LDAP connectivity
Error: No WMI connectivity
[Error details: 0x80070005 (Type: HRESULT - Facility: Win32, Description: Access is denied.) - Connection to WMI server failed]
No host records (A or AAAA) were found for this DC
I do see host records for all of the DCs in ADS&S so I don't understand that error message. At first I believed that this had to do with KDC/Kerberos more than anything because the secure channel between my failed DC & the rest of the domain was broken. Trying to fix the secure channel has been a headache, not really sure where to go from here.
I did find this article useful and I think it pertains to me: https://support.microsoft.com/en-us/help/2002013/active-directory-replication-error-5-access-is-denied
These are the resources/guides that I have tried using:
Any leads would be appreciated as I'm really trying everything to repair this. Once I figure out one error, it leads to another, and so on... Thank you
Also, I did try posting this in TechNet and it keeps redirecting me to here... please let me know if this is incorrect.
Please run;
then put unzipped text files up on OneDrive and share a link.
Trying to get this for you. The healthy DCs are failing their Advertising, KCC, DFSRevent, and Systemlog tests
This is what I was getting at, simply transferring the FSMO roles is not going to fix the underlying issues with this. If the old FSMO master FSMOOld can't replicate properly to begin with how is it going to replicate anything to FSMONew? The entire domain is now having this issue.
Ok, sounds like you have successfully seized roles
https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control
then perform cleanup.
https://video2.skills-academy.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
after cleanup put up the files I requested.
then put unzipped text files up on OneDrive and share a link.
I seized the roles successfully yes. I am really worried about performing metadata cleanup, it is basically deleting the entire DC from the domain. I kept the FSMOOld as a DC, we CAN gracefully demote this server to be a member server. Should I try that first I really do not want to just delete it out of AD. Right now it's just supporting AD DS, DNS and File services however it does carry a lot of certificate information as well.
Please put up the files I requested.
then put unzipped text files up on OneDrive and share a link.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello Alex,
Thank you so much for your reply.
May I know the current situation of our issue? Hope our issue could be resolved soon.
According to the screenshot of the AD replication, FSMOOld DC is UnHealthyDC1? Have we got any other error messages when checking the AD replication? From the provided screenshot of replication, the replication seems to work properly for other healthy DCs. But as per the UnhealthyDC1, may I know more information about this DC, such as dcdiag, repadmin /showrepl?
Besides, we also mentioned that the healthy DCs failed some tests, such as Advertising, KCC, DFSRevent and Systemlog. All the healthy DCs have these error messages? More information will be needed to judge these error messages.
As Dave mentioned, we could help to collect the requested files. Thanks so much for your time and support.
Best regards,
Hannah Xiong