I don’t usually write “this is how you configure this” type blog posts, but for this particular problem I’ll make an exception. This post details how I resolved an issue with a Windows Server 2012 domain controller not authenticating users.
Up until I purchased a VM backup solution I was manually and occasionally taking backups of the VMs in the lab. On one such occasion, while the primary domain controller was shut down, I could not authenticate with domain credentials against the other domain controller, which was still online.
It took a fair amount of Google-Fu to troubleshoot and resolve the issue, so here is my gift to you: the steps I took to resolve it, in one consolidated place.
Assuming you’re experiencing the same issue, check the domain controller which is online and expected to authenticate users for the existence of two shares. A domain controller only advertises itself for logons once SYSVOL has finished replicating and these shares exist, so a DC whose SYSVOL replication has silently stalled stops serving logons, and the failure only becomes visible when the healthy DC goes away:
- NETLOGON
- SYSVOL
In my case they were missing:
PS C:\Windows\system32> net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
CDP          C:\inetpub\wwwroot\crl
CertEnroll   C:\Windows\system32\CertSrv\CertEnroll
                                             Active Directory Certificate Se...
The command completed successfully.
If NETLOGON and SYSVOL are absent, bring the primary domain controller back online and check the Windows event logs (the DFS Replication log) for this message:

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Additional Information:
Volume: C:
GUID: [SOME GUID VALUE]

Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="[SOME GUID VALUE]" call ResumeReplication

For more information, see http://support.microsoft.com/kb/2663685.
The first thing I needed to do was turn automatic recovery back on. On Windows Server 2012 the default behaviour is for DFSR to stop replicating when its JET database was not shut down cleanly (a snapshot restore or a hard power-off of the VM will do it) and wait for an administrator to resume it; setting StopReplicationOnAutoRecovery to 0 lets the service recover the database itself next time:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters" -Name "StopReplicationOnAutoRecovery" -Value 0
Then resume replication for the volume, taking the GUID from the event log message. The double quotes around the GUID are what wmic expects; the outer single quotes are there because this is run from PowerShell and stop it from stripping the inner ones (from cmd.exe, use the form shown in the event message):
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid='"[INSERT_GUID_HERE]"' call ResumeReplication
Watch the event logs carefully for event ID 4012 messages:
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 64 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
If you see this message, run the following command, making sure the MaxOfflineTimeInDays value is greater than the number of days stated in the event log message. Note that this is a machine-wide setting: the 60-day default exists so that a DC that has been offline for a long time does not re-introduce stale SYSVOL content (old Group Policy and logon scripts) into the domain, so once the folders are replicating normally again it is worth putting it back to 60.
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=65
Now be patient and keep watching the event logs for any further messages. Alternatively, rerun net share and check that the SYSVOL and NETLOGON shares have appeared:
PS C:\Windows\system32> net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
CDP          C:\inetpub\wwwroot\crl
CertEnroll   C:\Windows\system32\CertSrv\CertEnroll
                                             Active Directory Certificate Se...
NETLOGON     C:\Windows\SYSVOL\sysvol\corp.netassured.co.uk\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.
Also, to verify that Netlogon is working, run:
dcdiag /test:netlogons
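The steps above can be rolled into one read-only health check. The script below is an added example, not code from the original post: run it in an elevated PowerShell prompt on the domain controller that is supposed to be serving logons and it reports the two shares, whether DFSR has logged the two events quoted above (event ID 2213 is the DFS Replication ID for the "not shut down cleanly" message and 4012 for the MaxOfflineTimeInDays one), the current values of the two knobs changed above, the per-folder DFSR state and the dcdiag result. The seven-day look-back window and the hostname-free output format are my choices.

```powershell
# Added example (not from the original post): read-only check for the
# SYSVOL / DFSR symptoms described above. Run elevated on the DC that
# should be authenticating users. Changes nothing.

$dfsrLog = 'DFS Replication'
$report  = [ordered]@{}

# 1. The two logon shares. Netlogon only advertises this DC once SYSVOL is
#    shared, so either one missing means no domain logons from this server.
$shareNames = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $report[$name] = if ($shareNames -contains $name) { 'present' } else { 'MISSING' }
}

# 2. Has DFSR stopped after a dirty JET shutdown (2213) or because the
#    server was offline longer than MaxOfflineTimeInDays (4012)?
#    Seven-day window is an assumption; widen it for a monthly check.
$since = (Get-Date).AddDays(-7)
foreach ($id in 2213, 4012) {
    $event = Get-WinEvent -FilterHashtable @{ LogName = $dfsrLog; Id = $id; StartTime = $since } `
                          -ErrorAction SilentlyContinue | Select-Object -First 1
    $report["Event$id"] = if ($event) { "seen at $($event.TimeCreated)" } else { 'none in last 7 days' }
}

# 3. The two settings changed during the fix. StopReplicationOnAutoRecovery
#    is absent by default on 2012, which behaves as 1 (stop and wait).
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters' -ErrorAction SilentlyContinue
$report['StopReplicationOnAutoRecovery'] =
    if ($null -ne $params.StopReplicationOnAutoRecovery) { $params.StopReplicationOnAutoRecovery }
    else { 'not set (defaults to 1: stop replication)' }

$machineCfg = Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrMachineConfig -ErrorAction SilentlyContinue
$report['MaxOfflineTimeInDays'] = if ($machineCfg) { $machineCfg.MaxOfflineTimeInDays } else { 'unavailable' }

# 4. Per replicated folder state. DFSR codes: 0 Uninitialized, 1 Initialized,
#    2 Initial Sync, 3 Auto Recovery, 4 Normal, 5 In Error.
$stateNames = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }
Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
    ForEach-Object {
        $stateName = if ($stateNames.ContainsKey([int]$_.State)) { $stateNames[[int]$_.State] } else { "state $($_.State)" }
        $report["Folder:$($_.ReplicatedFolderName)"] = $stateName
    }

# 5. Does dcdiag agree? netlogons is the test from the post; sysvolcheck
#    confirms the SYSVOL share is being served.
$dcdiagOutput = & dcdiag.exe /test:netlogons /test:sysvolcheck 2>&1
$report['dcdiag'] = if ($dcdiagOutput -match 'failed test') { 'FAILED - review dcdiag output' } else { 'passed' }

[pscustomobject]$report | Format-List
```

Anything other than "present", "Normal" and "passed" in the output is the point at which to go back to the event log and the ResumeReplication / MaxOfflineTimeInDays steps above; the script deliberately does not apply them, because the event text itself says to back up the replicated folders first.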
Summary
I’ve now added the above checks to my monthly patching and updates process. I guess it wouldn’t be too much of a task to automate the checks and that’s firmly on my radar when time becomes available.