I have a domain separated into four sites. In one of my remote sites, I have promoted a new DC and will be decommissioning the existing DC in a few weeks. I didn't receive any errors when I did the dcpromo but I had to delay rebooting the server after the promotion for a few days.
After the reboot, it appears there are some serious problems on this new DC:
- The directory service log is full of events 1864 ("This directory server has not recently received replication information from a number of directory servers."), 2089 ("This directory partition has not been backed up since at least the following number of days."), and 2093 ("The remote server which is the owner of a FSMO role is not responding. This server has not replicated with the FSMO role owner recently.").
- The system log contains many events 1006 ("The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description."). Info from the details tab is as follows: SupportInfo1 1; SupportInfo2 5012; ProcessingMode 0; ProcessingTimeInMilliseconds 2184; ErrorCode 49; ErrorDescription Invalid Credentials; DCName (blank).
- As well as error 4 ("The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server kelethdc01$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/2ee10a9d-dcf0-4940-b2e5-25044f90869c/[email protected]. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.").
- And error 5782 ("Dynamic registration or deregistration of one or more DNS records failed with the following error: TCP/IP network protocol not installed.").
Can anyone suggest what might have happened here, and how to correct?
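The Kerberos event 4 quoted in the question names two possible causes: the replication SPN is registered on an account other than the target DC's, or the target DC's machine account password differs from what the KDC holds. The script below is an added example for checking both, not code from this thread or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) and nltest.exe are available, that the caller can read directory objects, and uses 'kelethdc01' (the target DC in the event) and 'domain.com' (a placeholder, since the post's domain is anonymized) as inputs; the function names are my own.

```powershell
# Added example, not code from the original thread: check the two causes that
# Kerberos event 4 names for a KRB_AP_ERR_MODIFIED on the DRS replication SPN.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) and nltest.exe are
# present and the caller can read directory objects. 'kelethdc01' is the target
# DC named in the event; 'domain.com' is a placeholder for the real DNS domain.
Import-Module ActiveDirectory

# Well-known class GUID that starts every DRS replication SPN:
#   E3514235-4B06-11D1-AB04-00C04FC2DCD2/<objectGUID of NTDS Settings>/<domain DNS name>
$DrsSpnPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

function Test-DcReplicationSpn {
    param([Parameter(Mandatory)] [string] $DcName)

    $dc = Get-ADDomainController -Identity $DcName

    # Cause 1 in the event text: the SPN must be registered on, and only on, the
    # account the service uses. For DRS that is the DC's own computer account,
    # and the middle part is the objectGUID of its NTDS Settings object.
    $ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN
    $expected = "$DrsSpnPrefix/$($ntds.ObjectGUID)/$($dc.Domain)"
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName

    # Any other object holding the same SPN makes the KDC build the service
    # ticket with that object's key, which the real DC then cannot decrypt.
    $holders    = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$expected)")
    $duplicates = @($holders | Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName })

    [pscustomobject]@{
        DomainController     = $dc.HostName
        ExpectedSpn          = $expected
        RegisteredOnOwnAcct  = [bool]($computer.servicePrincipalName -contains $expected)
        OtherAccountsWithSpn = @($duplicates | Select-Object -ExpandProperty DistinguishedName)
    }
}

function Test-DcSecureChannel {
    param([Parameter(Mandatory)] [string] $DomainName)

    # Cause 2 in the event text: this machine's account password no longer
    # matches what the KDC holds. nltest verifies the secure channel with a DC
    # of the domain and prints NERR_Success when the password is in sync.
    # Run this on the DC that is logging the error.
    $output = & nltest.exe "/sc_verify:$DomainName" 2>&1 | ForEach-Object { "$_" }
    $ok = ($LASTEXITCODE -eq 0) -and [bool]($output -match 'Trust Verification Status = 0 0x0 NERR_Success')

    [pscustomobject]@{
        Domain          = $DomainName
        SecureChannelOk = $ok
        Detail          = ($output -join [Environment]::NewLine)
    }
}

# Example run with the placeholders from the event text.
Test-DcReplicationSpn -DcName 'kelethdc01' | Format-List
Test-DcSecureChannel  -DomainName 'domain.com' | Format-List
```

Run the first function from any machine with the AD module against the DC named in the event, and the second on the new DC itself. If the SPN is on the right account with no duplicates but the secure channel check fails, the password case applies; Microsoft's documented procedure for that is to reset the DC's machine account password with netdom resetpwd against another DC (with the KDC service stopped first), which avoids a demotion, though the demote-and-repromote suggested in the thread also resets it.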
I have not seen this before, but my initial thoughts would be that because Kerberos tickets are time based, the delay between dcpromo and reboot could have caused the issue. Have you tried de-promoting the new server and doing a new dcpromo and reboot?
Regarding "This directory partition has not been backed up since at least the following number of days.": when a system state backup is performed and Active Directory is backed up, it updates an attribute on the partition(s).
You can confirm if/when the backups are performed by using the following command:
It is possible to suppress the updating of the attribute. If this message is only being displayed for the schema partition, it may have turned it off.
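The command the answer refers to does not appear on the page. The attribute a system state backup updates is dSASignature on each partition, and repadmin /showbackup prints that timestamp per partition. The script below is an added example (not code from this thread) that parses that output and flags partitions older than the threshold behind event 2089 (the NTDS "Backup Latency Threshold (days)" value, 90 by default). The sample output is constructed for offline use and assumes the "TimeStamp=YYYY-MM-DD HH:MM.SS" layout repadmin prints; the function names are my own.

```powershell
# Added example, not code from the original thread. A system state backup stamps
# each directory partition's dSASignature attribute; "repadmin /showbackup" prints
# that stamp per partition. This parses the output and flags partitions older than
# the threshold event 2089 uses (the NTDS "Backup Latency Threshold (days)" value,
# 90 by default). The sample output is constructed for offline use and assumes the
# "TimeStamp=YYYY-MM-DD HH:MM.SS" layout repadmin prints; function names are mine.

$SampleShowBackup = @'
Repadmin: running command /showbackup against full DC localhost
DC=ForestDnsZones,DC=domain,DC=com
    dSASignature        1> { V1: dwFlags=0x0 TimeStamp=2012-03-01 02:15.10, 1 commit(s) }
DC=DomainDnsZones,DC=domain,DC=com
    dSASignature        1> { V1: dwFlags=0x0 TimeStamp=2012-03-01 02:15.10, 1 commit(s) }
CN=Schema,CN=Configuration,DC=domain,DC=com
    dSASignature        1> { V1: dwFlags=0x0 TimeStamp=2011-09-14 02:14.55, 1 commit(s) }
CN=Configuration,DC=domain,DC=com
    dSASignature        1> { V1: dwFlags=0x0 TimeStamp=2012-03-01 02:15.10, 1 commit(s) }
DC=domain,DC=com
    dSASignature        1> { V1: dwFlags=0x0 TimeStamp=2012-03-01 02:15.10, 1 commit(s) }
'@

function ConvertFrom-ShowBackup {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [datetime] $Now = (Get-Date),
        [int] $ThresholdDays = 90
    )
    $partitions = @()
    $current = $null
    foreach ($line in $Lines) {
        # A partition DN starts in column 0; its dSASignature line is indented.
        if ($line -match '^(?<dn>(?:CN|DC)=.+?)\s*$') {
            if ($current) { $partitions += $current }
            $current = @{ Partition = $Matches.dn; LastBackup = $null }
        }
        elseif ($current -and $line -match 'TimeStamp=(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}\.\d{2})') {
            $current.LastBackup = [datetime]::ParseExact(
                $Matches.ts, 'yyyy-MM-dd HH:mm.ss', [cultureinfo]::InvariantCulture)
        }
    }
    if ($current) { $partitions += $current }

    foreach ($p in $partitions) {
        # A partition with no timestamp at all has never been backed up.
        $age = if ($p.LastBackup) { [int][math]::Floor(($Now - $p.LastBackup).TotalDays) } else { $null }
        [pscustomobject]@{
            Partition     = $p.Partition
            LastBackup    = $p.LastBackup
            AgeDays       = $age
            OverThreshold = ($null -eq $age) -or ($age -ge $ThresholdDays)
        }
    }
}

function Get-DcPartitionBackupAge {
    # Live version: run repadmin against a DC (default: the local one).
    param([string] $DcName = 'localhost', [int] $ThresholdDays = 90)
    $lines = & repadmin.exe /showbackup $DcName 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-ShowBackup -Lines $lines -ThresholdDays $ThresholdDays
}

# Offline run against the constructed sample, evaluated as of 2012-04-15: only the
# schema partition (214 days) exceeds 90 days; the other four are at 44 days.
ConvertFrom-ShowBackup -Lines ($SampleShowBackup -split '\r?\n') -Now ([datetime]'2012-04-15') |
    Format-Table -AutoSize
```

The constructed sample deliberately reproduces the case the answer mentions, a stale stamp on the schema partition only, so the parser's OverThreshold column shows what event 2089 would report. On a real DC, call Get-DcPartitionBackupAge instead of the sample; a partition that comes back with no LastBackup has never had its dSASignature written.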