We ended up with a situation where a workstation lost trust with the domain.
When looking into what was happening on the two Domain Controllers (DCs) on the domain it took a while to figure out just where the problem was.
The first error was 1127, failing to write to a hard disk. So, we dug into both VMs’ setups to make sure they were okay. After moving both the VMs and their CSV owner to new nodes the problem was still there.
- RepAdmin /ShowReps
- Last attempt @ 2020-03-27 11:49:03 failed, result 8524 (0x214c): The DSA operation is unable to proceed because of a DNS lookup failure.
We ran:
- RepAdmin /ReplSum
- RepAdmin /ShowReps
- Active Directory Replication Error 8524: The DSA operation is unable to proceed because of a DNS lookup failure.
We then ran:
- DCDiag /TEST:DNS
- Error 0x6ba “The RPC server is unavailable”
When scrolling up through the above results we saw:
TEST: Delegations (Del)
Error: DNS server: HV01.DOMAIN.Local. IP:192.168.22.68
[Broken delegated domain _msdcs.DOMAIN.Local.]
Sure enough, when we looked in DNS at the _msdcs stub zone on the new DC (DC01), the NS record on both DNS servers pointed at the wrong server name.
As it turns out, we fat-fingered the NS record for the DNS _msdcs stub zone, given that we had just set up the DC on HV01! 🙁
We shut down the newly stood up DC, updated the NS records to DC01 and DC02, fired up DC01, and sure enough the records showed up correct.
Once we managed to get everything corrected we were able to reset the computer’s account password, and then we were good to go!
$cred = Get-Credential # (enter your domain admin credentials)
Reset-ComputerMachinePassword -Credential $cred -Server NAME # Change NAME to a domain controller
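The check we wish we had run first, as an added example that is not part of the original post: it compares the NS records at the apex of the _msdcs zone on every DC against the actual list of domain controllers, confirms each NS name resolves (the root cause of error 8524 above), and then runs the same replication checks. It assumes the RSAT ActiveDirectory and DnsServer modules, a domain admin session, and that `_msdcs.DOMAIN.Local` is replaced with your own zone name.

```powershell
# Added example, not the post's own script.
# Assumes RSAT modules and a domain admin session on a domain-joined box.
Import-Module ActiveDirectory
Import-Module DnsServer

$zone = "_msdcs.DOMAIN.Local"   # replace with your forest's _msdcs zone

# Authoritative list of DCs from AD, lower-cased FQDNs for comparison
$dcs = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

foreach ($dc in $dcs) {
    # Apex (HostName '@') NS records as each DC's DNS service sees them;
    # NameServer values carry a trailing dot, so strip it before comparing
    $ns = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone -RRType NS -ErrorAction Stop |
          Where-Object { $_.HostName -eq '@' } |
          ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLower() }

    # A typo'd NS name shows up here as a name that matches no real DC
    $bad = $ns | Where-Object { $dcs -notcontains $_ }
    if ($bad) {
        Write-Warning "$dc : NS record(s) in $zone not matching any DC: $($bad -join ', ')"
    } else {
        Write-Host "$dc : NS records OK ($($ns -join ', '))"
    }

    # Even a correctly spelled NS name is useless if it does not resolve
    foreach ($name in $ns) {
        try {
            $null = Resolve-DnsName -Name $name -Type A -Server $dc -ErrorAction Stop
        } catch {
            Write-Warning "$dc : NS target $name does not resolve (expect 8524 until fixed)"
        }
    }
}

# Same replication and DNS health checks the post walks through
repadmin /replsum
repadmin /showreps
dcdiag /test:dns
```

Re-run the script after correcting the NS records and restarting the affected DC; the warnings should be gone before you reset the workstation's machine account password.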
Further Reading:
- Active Directory Replication Error 1127: While accessing the hard disk, a disk operation failed even after retries
- Active Directory Replication Error 8524: The DSA operation is unable to proceed because of a DNS lookup failure
Philip Elder
Microsoft High Availability MVP
MPECS Inc.
www.s2d.rocks !