kassant7MemberMar 22, 2015 at 10:53 pm #165083
I have been a long time reader, first time poster.
Long story short, we renamed the domain because we can no longer get ssl certs with servers named .local. I hope you have your thinking hats on….
Before we jumped off the cliff we tested in a lab, followed all the steps and we thought everything was fine (and it was) until we made changes to a few group policies.
We had 3 DC’s dc1,2&3. We first noticed that gpupdate /force wouldnt work on workstations. The user configs wouldnt apply. The error was: Windows could not determine if the user and the computer accounts are in the same forest.
We figured easy fix, disjoin/rejoin domain. That didnt work. Then we disjoined (changed the computer name) then rejoined, that didnt work either. We created a new user (one that didn’t exist before the rename) and they got the same error! FYI, The computer and user is in the same OU.
gpresult shows that the group policy is being applied from a server that was decommissioned years ago. We deleted the registry keys for GP history and that didnt help. (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistory)
After messing that that for a few days we decided to dig deeper and noticed the event logs were reporting that dc2 couldn’t create a secure channel to dc1 or 2 and vice versa. After messing with that for a few days we decided to demote dc1 and 2 so we could focus on fixing 1 dc.
First we transferred the fsmo roles to dc3 (it was dc2). netdom query showed dc3 was the new role holder on all 3 dc’s. Demotion went smooth and we updated the dhcp server to only hand out dc3 as the dns server.
Now dc3 is the only dc running dns & GC. We left dhcp on dc1&2 since it was running failover dhcp.
After much fighting, nltest /sc_verify:ad.all.com ran from dc1&2 now show nerr_sucess to dc3.
The same test from dc3 fails. No logon servers! 1311 0x51F
I tried to reset the channel by running nltest /sc_reset:ad.all.com, same error. No logon servers.
I ran set logonserver from dc3 and it says logonserver=\dc3. Server reboots and restarts of netlogon doesn’t fix anything. running set logonserver from dc1&2 both return: logonserver=\dc3
All 3 servers are 2012. dc1 is 2012r2. I am running out of things to try.
To recap i have 1 problem that lead to finding another problem:
Group policy updates are not being applied to user policies. Computer policies work fine. I think the issue is gp is being applied from a non existing server. I cant figure out how to fix that.
The second issue is schannel broken from the only DC.
metadata cleanup shows no traces of old DC. DNS is clean of old DC as well.
What have I missed?
You must be logged in to reply to this topic.