CrossPost: Domain authentication broken when primary domain controller working alone

AveryFreeman

ESXi + ( ILLUMOS / ZFS ) = HAPPY
Mar 17, 2017
165
19
18
39
Near Seattle
averyfreeman.com
Hi

This is a cross-post -- it crosses two different platforms

I was having issues logging into my file server using a Windows desktop over a 2012 R2 IDMU domain. Not sure which platform is having the issue, but I think it's the Windows desktop, so I was hoping some Windows people could look at this thread and help me if you have any ideas. It's really perplexing:


Edit: This was the weirdest thing. I had one domain controller powered off - the secondary one. Now that it's on authentication is working properly.

What could be responsible for the primary domain controller not properly authenticating users and only working when the second is powered on? I also could not join some platforms to the domain (e.g. the OmniOS file server mentioned in the thread)

j_h_o

Active Member
Apr 21, 2015
496
114
43
California, US
There's not really a concept of a primary/backup domain controller any longer.

1. Which of your DCs hold which FSMO roles?

(Powershell)
Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}


2. What DNS servers do you have specified on the clients/server that are attempting to authenticate? Are they able to resolve the (running) domain controller?

AveryFreeman
There's not really a concept of a primary/backup domain controller any longer.

1. Which of your DCs hold which FSMO roles?

(Powershell)
Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}
Looks like the DC I was referring to as the primary:

Code:
Name     Domain        Forest        OperationMasterRoles
----     ------        ------        --------------------
2012DC01 webtool.space webtool.space {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}
2. What DNS servers do you have specified on the clients/server that are attempting to authenticate? Are they able to resolve the (running) domain controller?
DNS is set to the two DCs, e.g.

Code:
search webtool.space
domain webtool.space
nameserver 192.168.1.2
nameserver 192.168.1.3

Thanks for the response. Any idea why connecting to AD would be impossible without the DC that's not showing any FSMO roles?
 

j_h_o
Sorry, I had to deal with kids halfway through responding and only posted half my message...

3. Which are Global catalogs?

Powershell:
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs

4. Any replication delays/queues between DCs?

You had mentioned you were adding/removing devices from the domain?

dcdiag
repadmin /replsummary
repadmin /showrepl
repadmin /queue

5. Any time sync issues between all the machines?

6. With one of the DCs off, are you able to ping/resolve the domain (ipconfig /flushdns, then ping webtool.space)?
When you attempt to access the file server, can you check Event Viewer for any authentication errors (paste here)?
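The six checks j_h_o lists across the two replies above (FSMO roles, client DNS, global catalogs, replication, time sync, DC locator and event log) can be run as one triage script. The following is an added example, not code from either poster or from Microsoft; it assumes a domain-joined Windows host with the RSAT ActiveDirectory and DnsClient modules, an account that can read AD and the local System log, and uses the domain name and DNS server addresses posted in the thread as defaults. The point it demonstrates is that holding every FSMO role says nothing about whether a DC can serve logons: clients locate a DC through SRV records in the _msdcs zone of whichever DNS server they ask first, and a logon may also need a global catalog, so a DC that is "primary" only in the FSMO sense can still be unusable on its own if the SRV records or the GC live on the other box.

```powershell
# Added example: AD logon-path triage for "one DC only works when the other is on".
# Assumptions (not from the thread): RSAT modules present, run as a domain user who
# can read AD and the local System log. Defaults below are the values posted above.
param(
    [string]$Domain       = 'webtool.space',
    [string[]]$DnsServers = @('192.168.1.2', '192.168.1.3')
)

Import-Module ActiveDirectory

# 1. FSMO role holders, plus whether each DC is a global catalog (check 3 in one table).
Write-Host "== Domain controllers, FSMO roles and GC status =="
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 3. Global catalogs as the forest sees them. A logon may need a GC for universal group
#    expansion; if only the powered-off DC is a GC, that alone can explain the symptom.
Write-Host "== Global catalogs =="
(Get-ADForest).GlobalCatalogs

# 2/6. DC locator: ask EACH configured DNS server separately for the locator SRV records.
#      A server that answers A queries for the domain but returns no SRV records
#      (e.g. the _msdcs zone never replicated to it) cannot hand clients a logon DC.
Write-Host "== DC locator SRV records, per DNS server =="
$locatorRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($server in $DnsServers) {
    foreach ($rec in $locatorRecords) {
        try {
            $answers = Resolve-DnsName -Name $rec -Type SRV -Server $server -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            if (-not $answers) { "{0,-14} {1,-42} -> NO SRV ANSWERS" -f $server, $rec }
            foreach ($a in $answers) {
                "{0,-14} {1,-42} -> {2}:{3}" -f $server, $rec, $a.NameTarget, $a.Port
            }
        } catch {
            "{0,-14} {1,-42} -> FAILED: {2}" -f $server, $rec, $_.Exception.Message
        }
    }
}

# 4. Replication state between the DCs (native tools; output is shown verbatim).
Write-Host "== Replication summary and errors =="
repadmin /replsummary
repadmin /showrepl /errorsonly

# 5. Clock skew against every DC. Kerberos rejects tickets outside the allowed skew
#    (5 minutes by default), which shows up as logon failures, not as time errors.
Write-Host "== Time offset from each DC =="
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    w32tm /stripchart /computer:$dc /samples:1 /dataonly
}

# 6. What this host logged when it tried to find a DC or get a ticket in the last day:
#    NETLOGON (no DC found), Kerberos (KDC/skew errors), Time-Service (sync failures).
Write-Host "== Recent locator / Kerberos / time warnings and errors on this host =="
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = @('NETLOGON', 'Microsoft-Windows-Security-Kerberos', 'Microsoft-Windows-Time-Service')
    Level        = 1, 2, 3        # critical, error, warning
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it once with both DCs up and once with the secondary powered off, and diff the SRV section: if 192.168.1.2 returns no locator records, or every NameTarget points at the secondary DC, the client side of the thread's problem is DNS, not the FSMO roles. If the GC list names only the secondary, the logon path depends on that box regardless of what the primary holds. The repadmin and w32tm calls are the same native tools j_h_o names; they are included so all six checks land in one transcript you can paste back into the thread.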