I just discovered that Active Directory and DNS are no longer working on our PDC. Those appear to be working fine on our other domain controller, though. Should I transfer roles over and promote the other DC, or is there a way to repair AD & DNS without doing that? There appear to be no hardware issues on the current PDC, so I’m not sure what has transpired to cause the AD & DNS failure. Just a “1-2-3” list in order of how I should proceed would be very helpful right now, from any of you that have been in my place. We have a dozen other major projects going on right now; when it rains, it pours! Thanks.


How is it not working? Replication issue?

You need to sort that out first, because even demoting this one will leave bad DNS entries behind.

Verify DNS is set properly on both DCs and run DCDIAG on both and work the errors. You can seize the roles to the functional DC and do a metadata cleanup, but that may still leave you with problems. It’s better to fix the issue if possible.

First of all, remove PDC from your nomenclature, all DCs are equal hierarchically. What happens is that whatever changes are made on one DC, those get replicated to all other DCs. So here’s the issue, where were those changes made? You’re going to have to examine which DC has the most current AD changes, and that can be tough to do. What you typically would do is use the burflags in the registry, and set the offending server to a non-authoritative restore state, then restart the netlogon service.

Force all the roles from another server, since if you try to transfer from the messed up server it will never replicate out.

Make sure your other DCs are GCs first; if they’re 2012/2016 that shouldn’t be an issue, but just make sure anyway, or at least that one other GC exists, or no one will be able to log in. Find that in AD Sites and Services -> NTDS Settings.

Once you restart the netlogon service, replication should start happening within about 15 minutes, just be patient, you’ll see two event log entries once it has successfully finished.

If you’ve got more than one DC on your network, no reason to even try to fix it. You could just blow away that DC and spin up a fresh one as well, just make sure that the FSMO roles are forcibly moved first and that there is another GC in your domain.
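The checks the two posts above describe (which DC holds each FSMO role, whether another Global Catalog exists, and the current FRS BurFlags value) can be done read-only before anything is seized or rebuilt. The following is an added PowerShell example, not code from the thread; it assumes the ActiveDirectory RSAT module on a domain-joined admin session, and the DC name is a placeholder.

```powershell
# Added example (not from the thread). Read-only readiness check before seizing FSMO
# roles or removing a DC. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

$brokenDc = 'BROKEN-DC.example.local'   # placeholder: the DC whose AD/DNS is failing

$domain = Get-ADDomain
$forest = Get-ADForest

# Current FSMO role holders. A role only needs to be seized if the holder is the broken DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

$roles.GetEnumerator() | Where-Object { $_.Value -ieq $brokenDc } | ForEach-Object {
    Write-Warning ('Role {0} is held by the failing DC; it must be seized from a healthy DC.' -f $_.Key)
}

# Every DC with its Global Catalog flag (what AD Sites and Services -> NTDS Settings shows).
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, Site, OperatingSystem
$dcs | Format-Table -AutoSize

# At least one healthy GC must remain, or logons will fail once the broken DC is gone.
$healthyGcs = $dcs | Where-Object { $_.IsGlobalCatalog -and $_.HostName -ine $brokenDc }
if (-not $healthyGcs) {
    Write-Warning "No other Global Catalog exists; enable GC on a healthy DC before touching $brokenDc."
}

# FRS BurFlags on the local server (only meaningful when SYSVOL still uses FRS, not DFSR).
# D2 = non-authoritative restore, D4 = authoritative. reg.exe is used because the key
# name contains a forward slash.
$burKey = 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burOut = & reg.exe query $burKey /v BurFlags 2>$null
if ($LASTEXITCODE -eq 0) {
    $burOut | Where-Object { $_ -match 'BurFlags' }
} else {
    'NtFrs BurFlags key not present; SYSVOL is probably DFSR-replicated and BurFlags does not apply.'
}
```

Run it from a working DC. Nothing here changes state; it only tells you whether a seize is needed at all and whether the domain can survive losing the broken DC.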

Run DCDiag on PDC and post the result. Remember, the first thing to fix Windows issues is to reboot the system.

As already mentioned: PDC is no longer a thing. This is terminology from the time (NT4) you had one writable DC and the rest were Read Only (BDC).

A good start to trying to fix issues like this is to run DCDIAG /v /q /e (preferably on one of the DCs that is working) and then DCDIAG /v /q on the one that is no longer working as intended. The /e will go and try to contact all DCs it can to diagnose the domain health, but if you have replication issues with one, chances are dcdiag won’t be able to reach out either.

Then run repadmin /showrepl and repadmin /replsummary to check for replication issues.

Also: check DNS settings. You want your DCs to point to another DC first and then to themselves (to prevent islanding issues, a bit like this one seems to be).
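The three steps in the post above (dcdiag from a healthy DC and from the broken one, the two repadmin reports, and the DNS client order on every DC) can be collected in one pass. This is an added PowerShell example, not something from the thread; it assumes the ActiveDirectory RSAT module, WinRM access to each DC, dcdiag.exe and repadmin.exe on the path, and placeholder server names.

```powershell
# Added example (not from the thread). Collects dcdiag/repadmin output and checks that every
# DC's first DNS server is another DC rather than itself. Server names are placeholders.
Import-Module ActiveDirectory

$healthyDc = 'DC1.example.local'   # placeholder: a DC that still works
$brokenDc  = 'DC2.example.local'   # placeholder: the DC with AD/DNS failures
$report    = "C:\Temp\dc-health-$(Get-Date -Format 'yyyyMMdd-HHmm').txt"
New-Item -ItemType Directory -Path (Split-Path $report) -Force | Out-Null

# Forest-wide health from the working DC (/e contacts every DC), then the failing DC alone.
"=== dcdiag /v /q /e from $healthyDc ===" | Out-File $report -Append
& dcdiag.exe /v /q /e "/s:$healthyDc"     | Out-File $report -Append
"=== dcdiag /v /q on $brokenDc ==="        | Out-File $report -Append
& dcdiag.exe /v /q "/s:$brokenDc"         | Out-File $report -Append

# Replication state: per-partner detail for the broken DC, then the summary with failure counts.
"=== repadmin /showrepl $brokenDc ==="     | Out-File $report -Append
& repadmin.exe /showrepl $brokenDc        | Out-File $report -Append
"=== repadmin /replsummary ==="            | Out-File $report -Append
& repadmin.exe /replsummary               | Out-File $report -Append

# DNS client order on each DC, gathered over WinRM.
$dcs = Get-ADDomainController -Filter *
$dnsOrder = Invoke-Command -ComputerName $dcs.HostName -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses
}
$dnsOrder |
    Format-Table PSComputerName, InterfaceAlias,
        @{ n = 'Servers'; e = { $_.ServerAddresses -join ', ' } } -AutoSize

# Flag the islanding condition: a DC whose first DNS server is itself (own IP or loopback).
foreach ($entry in $dnsOrder) {
    $selfIp = ($dcs | Where-Object { $_.HostName -ieq $entry.PSComputerName }).IPv4Address
    $first  = $entry.ServerAddresses[0]
    if ($first -eq '127.0.0.1' -or $first -eq $selfIp) {
        Write-Warning "$($entry.PSComputerName) ($($entry.InterfaceAlias)) points to itself first ($first); put another DC first and itself last."
    }
}

"Report written to $report"
```

Read the report from the bottom up: repadmin /replsummary shows at a glance which DC and which direction is failing, and the dcdiag sections then give the test that explains why.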

I said PDC, because I wanted it to be run on the role holder PDC.

Thanks everyone for all the helpful suggestions. It appears that the DC was having some replication issues, which were resolved with a server reboot. Ran repadmin /replsummary and there are no failures.

Running dcdiag /test:DNS shows no issues on the formerly problematic DC, but same test failed on our other DNS server (also a DC). Everything passed except the Forwarders/Root hints. Will be looking further into that issue today.

I checked; both servers’ DNS settings pointed to the other first, and to themselves (127.0.0.1) in the secondary field.
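The remaining failure in the update above is the Forwarders/Root hints part of dcdiag /test:DNS. The following is an added PowerShell example, not from the thread, for checking what that test looks at: it lists the server's forwarders and root hints, confirms each one actually answers a query, and reruns just the forwarder sub-test. It assumes the DnsServer and DnsClient RSAT modules, WinRM/RPC access to the DNS server, and placeholder names for the server and the probe hostname.

```powershell
# Added example (not from the thread). Checks forwarders and root hints on a DC that failed
# the Forwarders/Root hints part of dcdiag /test:DNS. Server and probe names are placeholders.
$dnsServer = 'DC2.example.local'   # placeholder: the DC/DNS server that failed the test
$probeName = 'www.example.com'     # placeholder: any public name the forwarders should resolve

# Forwarders configured on the server and whether each one answers a recursive query.
$fwd = Get-DnsServerForwarder -ComputerName $dnsServer
'Forwarders on {0}: {1}  (UseRootHint={2}, Timeout={3}s)' -f $dnsServer,
    (($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '), $fwd.UseRootHint, $fwd.Timeout

foreach ($ip in $fwd.IPAddress) {
    try {
        $null = Resolve-DnsName -Name $probeName -Type A -Server $ip.IPAddressToString -DnsOnly -ErrorAction Stop
        "  forwarder $ip : OK"
    } catch {
        Write-Warning "  forwarder $ip : no answer ($($_.Exception.Message))"
    }
}
if (-not $fwd.IPAddress) { 'No forwarders configured; resolution depends entirely on root hints.' }

# Root hints: the list must be populated and the servers reachable from the DC.
$hints = @(Get-DnsServerRootHint -ComputerName $dnsServer)
"Root hints on ${dnsServer}: $($hints.Count)"
if ($hints.Count -eq 0) {
    Write-Warning 'No root hints present; dcdiag reports this as a failure.'
}
foreach ($h in $hints | Select-Object -First 3) {
    $name = $h.NameServer.RecordData.NameServer
    $addr = ($h.IPAddress | Where-Object { $_.RecordType -eq 'A' } | Select-Object -First 1).RecordData.IPv4Address
    if (-not $addr) { "  $name : no A record in the hint"; continue }
    try {
        $null = Resolve-DnsName -Name '.' -Type NS -Server $addr.IPAddressToString -DnsOnly -ErrorAction Stop
        "  root hint $name ($addr) : reachable"
    } catch {
        Write-Warning "  root hint $name ($addr) : unreachable (outbound UDP/TCP 53 blocked?)"
    }
}

# Re-run only the forwarder sub-test of dcdiag against that server.
& dcdiag.exe /test:DNS /DnsForwarders /v "/s:$dnsServer"
```

If every forwarder answers but the root-hint probes fail, the DC cannot reach the internet on port 53 and the test will keep flagging root hints even though day-to-day resolution works through the forwarders; if the forwarders themselves time out, fix or replace them before anything else.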