Notes on the issues that appear when a domain controller has been offline long enough to fall out of sync with the other domain controllers. The same issues commonly occur when a domain controller has to be restored from a backup, particularly with Veeam, which restores the machine block-for-block to a point in time. Here are the symptoms:
- Clients cannot connect to shared drives or printers, get either authentication errors or simply cannot see the shares
- Dcdiag fails its primary tests: the DC cannot communicate with other domain controllers and/or cannot reach its own shares.
- Repadmin /showrepl shows errors
- Attempts to replicate from a running DC using AD Sites and Services (Default-First-Site-Name – Servers – server – NTDS Settings – Replicate configuration from the selected DC) fail.
- Event Viewer shows warnings and errors for Security-Kerberos, NtFrs, ActiveDirectory_DomainService, NETLOGON and other AD-related systems
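The checks behind these symptoms can be run from one elevated PowerShell session on the suspect DC. The script below is an added example, not part of the original notes; it assumes the DC still replicates SYSVOL with FRS (hence the "File Replication Service" log), and DC02 is a placeholder for a known-good replication partner.

```powershell
# Added example (not from the original notes): triage a DC suspected of being out of sync.
# Run in an elevated PowerShell on the suspect DC. $PartnerDC is a placeholder name.
$PartnerDC = 'DC02'   # placeholder: a domain controller known to be healthy

# 1. Secure channel: does this machine's account still authenticate to the domain?
#    Returns False when the machine account password has drifted from what AD holds.
Test-ComputerSecureChannel -Verbose

# 2. Replication status as seen from this DC (matches the "repadmin /showrepl shows errors" symptom).
repadmin /showrepl

# 3. The core dcdiag tests that fail in this scenario.
dcdiag /test:Connectivity /test:Advertising /test:Replications /test:SysVolCheck /test:NetLogons

# 4. Can this DC reach its own SYSVOL/NETLOGON shares and the partner's?
$shares = @("\\$env:COMPUTERNAME\SYSVOL", "\\$env:COMPUTERNAME\NETLOGON", "\\$PartnerDC\SYSVOL")
foreach ($share in $shares) {
    [pscustomobject]@{ Share = $share; Reachable = (Test-Path -Path $share) }
}

# 5. Errors and warnings from the AD-related event sources named in the symptoms, last 24 hours.
Get-WinEvent -FilterHashtable @{
    LogName   = @('System', 'Directory Service', 'File Replication Service')
    Level     = @(2, 3)                  # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Kerberos|NtFrs|ActiveDirectory_DomainService|NETLOGON' } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-Table -AutoSize -Wrap
```

A False from Test-ComputerSecureChannel together with Security-Kerberos errors points at the machine account (step 1 of the fix below); NtFrs errors and a failing SysVolCheck point at SYSVOL replication (the BurFlags steps).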
The Kerberos errors are caused by the domain controller's machine account no longer being able to authenticate (its secure channel password has fallen out of sync with the domain); the replication and FRS errors are caused by SYSVOL and NETLOGON replication breaking between domain controllers. The following steps fixed everything:
- “netdom resetpwd /s:server /ud:administrator /pd:*” to fix secure channel/Kerberos issues and reset the machine account
- On working domain controller, copy SYSVOL and NETLOGON folders to safe location in case things go wrong
- “net stop ntfrs” to stop FRS service
- Set BurFlags to “d2” per this document to force a non-authoritative restore: https://support.microsoft.com/en-us/kb/840674
- “net start ntfrs” to start FRS service
- Test by creating a folder in \\SERVER\SYSVOL\domain\Policies and checking that it replicates to the other domain controller
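The same six steps scripted end to end, as an added example rather than the original procedure. It is meant to be run in an elevated PowerShell on the out-of-sync DC; DC02 is a placeholder for the healthy partner, the backup directory is an assumed location, and the BurFlags value is written with reg.exe because the key name contains a forward slash ("Backup/Restore") that the PowerShell registry provider treats as a path separator. As with the steps above, this applies to a SYSVOL replicated by FRS (the NtFrs service), not one already migrated to DFSR.

```powershell
# Added example (not from the original notes): the recovery steps in order.
# Run in an elevated PowerShell on the out-of-sync DC. Names and paths are placeholders.
$BrokenDC  = $env:COMPUTERNAME
$GoodDC    = 'DC02'                                              # placeholder: healthy partner
$BackupDir = "C:\SysvolBackup-$(Get-Date -Format yyyyMMdd-HHmm)" # assumed safe location

# Step 1: reset the machine account password and re-establish the secure channel via the healthy DC.
# /pd:* prompts for the password instead of leaving it in the command history.
# KB 288167 (linked below) additionally stops the Kerberos Key Distribution Center service on this
# DC before this step and restarts the server afterwards.
netdom resetpwd /s:$GoodDC /ud:administrator /pd:*

# Step 2: keep a copy of SYSVOL and NETLOGON from the working DC before touching FRS.
New-Item -ItemType Directory -Path $BackupDir | Out-Null
robocopy "\\$GoodDC\SYSVOL"   "$BackupDir\SYSVOL"   /E /COPYALL /R:1 /W:1 /LOG:"$BackupDir\sysvol.log"
robocopy "\\$GoodDC\NETLOGON" "$BackupDir\NETLOGON" /E /COPYALL /R:1 /W:1 /LOG:"$BackupDir\netlogon.log"

# Step 3: stop FRS on the broken DC.
Stop-Service -Name NtFrs -Force

# Step 4: BurFlags = 0xD2 (210 decimal) = non-authoritative restore, per KB 840674.
# Set it ONLY on the out-of-sync DC; it will re-pull SYSVOL from a partner when FRS starts.
# (0xD4 would be an authoritative restore and is not what this scenario needs.)
$BurKey = 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
reg add "$BurKey" /v BurFlags /t REG_DWORD /d 210 /f
reg query "$BurKey" /v BurFlags        # confirm 0xd2 before restarting the service

# Step 5: start FRS. It clears BurFlags to 0 itself once the restore begins; event 13565 in the
# File Replication Service log marks the start of the re-sync and 13516 marks its completion.
Start-Service -Name NtFrs

# Step 6: test by creating a marker folder under Policies on the working DC and waiting for it
# to appear on the repaired DC. USERDNSDOMAIN is assumed to match the SYSVOL\<domain> folder name.
$Rel = "$env:USERDNSDOMAIN\Policies\_replication-test-$(Get-Date -Format HHmmss)"
$Src = "\\$GoodDC\SYSVOL\$Rel"
$Dst = "\\$BrokenDC\SYSVOL\$Rel"
New-Item -ItemType Directory -Path $Src | Out-Null
Start-Sleep -Seconds 60
$replicated = Test-Path -Path $Dst
"Marker folder replicated to ${BrokenDC}: $replicated"
if ($replicated) { Remove-Item -Path $Src -Force }   # clean up the marker once it has replicated
```

If the marker does not appear, check the File Replication Service log before repeating the BurFlags step; a second D2 on the same DC is harmless, but D4 on the wrong DC would overwrite the good copy of SYSVOL.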
Other related articles:
Target Principal Name incorrect: https://support.microsoft.com/en-us/kb/288167
Force replication manually: https://technet.microsoft.com/en-us/library/cc816836(v=ws.10).aspx