2 controller nodes in an AD cluster (Windows Server 2012): one gives a trust relationship error when trying to log in.

gvaudein (New Member, joined Jan 3, 2020)
Hi,

Who can help me put controller3 back into the trust, or help me allow controller4 to take control of the entire AD?

Issue:

We have two servers in an Active Directory cluster with no GUI. Everything is done with PowerShell.

One is called Controller3 and the other one Controller4.

Controller3 (10.1.0.64) has the WSUS services running.

Controller4 (10.1.0.61) has the shared folders.

Controller3 gives an error message when trying to log in: "The security database on the server does not have a computer account for this workstation trust relationship."

And some users cannot get access to their shared folders (which are on Controller4).

But everyone can still log in on their devices.

Utilman.exe is non-existent, so I cannot reset the local admin password using a Windows Server ISO as the Microsoft process explains.

The only way I've managed to reset the local admin password was with chntpw and NT Password Edit v0.7.

However, I can log in if I force the server to boot into recovery mode (boot the server, shut it down halfway through, then reboot: it gets to recovery mode). But on the main login page, I cannot log in.



Now, to get access with PowerShell:

I've been kicked out of logging in to controller3 from my PC, but my colleague can log in with:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.1.0.64'
$cred = Get-Credential
Enter-PSSession -ComputerName 10.1.0.64 -Credential $cred

[10.1.0.64]: PS C:\Users\xx.xx\Documents> Test-ComputerSecureChannel
Cannot verify the secure channel for the local computer. Operation failed with the following exception: The specified domain either does not exist or could not be contacted.

+ CategoryInfo : OperationStopped: (bipcontroller3:String) [Test-ComputerSecureChannel],InvalidOperationException
+ FullyQualifiedErrorId : FailToTestSecureChannel,Microsoft.PowerShell.Commands.TestComputerSecureChannelCommand

I tried to find out what domain the host was part of:

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-addomain
Attempting to perform the InitializeDefaultDrives operation on the 'ActiveDirectory' provider failed.
Server instance not found on the given port.
+ CategoryInfo : InvalidArgument: (NTSERVDOM:ADDomain) [Get-ADDomain], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADDomain


Running the same command on my colleague desktop PC, I see a slightly different error:

PS C:\Users\XX.XX> get-addomain
get-addomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or
it does not have the Active Directory Web Services running.
At line:1 char:1
+ get-addomain
+ ~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (NTSERVDOM:ADDomain) [Get-ADDomain], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADDomain

I checked if Active Directory was running:

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-service "ntds"
Status Name DisplayName
------ ---- -----------
Running ntds Active Directory Domain Services

I checked the dependent services:

[10.1.0.64]: PS C:\Users\xx.xx\Documents> Get-Service -Name ntds -dependent | foreach {$_.name}
NtFrs
Kdc
IsmServ
DNS

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-service "DNS"
Status Name DisplayName
----- ---- -----------
Running DNS DNS Server

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-service ntfrs
Status Name DisplayName
------ ---- -----------
Running ntfrs File Replication Service

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-service kdc
Status Name DisplayName
------ ---- -----------
Running kdc Kerberos Key Distribution Center

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-service ismserv
Status Name DisplayName
------ ---- -----------
Running ismserv Intersite Messaging

But....

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-addomain -server 127.0.0.1

Server instance not found on the given port.
+ CategoryInfo : InvalidArgument: (:) [Get-ADDomain], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADDomain

[10.1.0.64]: PS C:\Users\xx.xx\Documents> get-nettcpconnection -state listen

LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- --------------
:: 49914 :: 0 Listen
:: 49266 :: 0 Listen
:: 49257 :: 0 Listen
:: 49223 :: 0 Listen
:: 49177 :: 0 Listen
:: 49171 :: 0 Listen
:: 49158 :: 0 Listen
:: 49157 :: 0 Listen
:: 49155 :: 0 Listen
:: 49154 :: 0 Listen
:: 49153 :: 0 Listen
:: 49152 :: 0 Listen
:: 47001 :: 0 Listen
:: 9389 :: 0 Listen
:: 8531 :: 0 Listen
:: 8530 :: 0 Listen
:: 8172 :: 0 Listen
:: 5985 :: 0 Listen
:: 3389 :: 0 Listen
:: 3269 :: 0 Listen
:: 3268 :: 0 Listen
:: 636 :: 0 Listen
:: 593 :: 0 Listen
:: 464 :: 0 Listen
:: 445 :: 0 Listen
:: 443 :: 0 Listen
:: 389 :: 0 Listen
:: 135 :: 0 Listen
:: 88 :: 0 Listen
:: 80 :: 0 Listen
fe80::f5b5:de57:5fa9:ec7e%12 53 :: 0 Listen
::1 53 :: 0 Listen
0.0.0.0 49914 0.0.0.0 0 Listen
0.0.0.0 49266 0.0.0.0 0 Listen
0.0.0.0 49257 0.0.0.0 0 Listen
0.0.0.0 49223 0.0.0.0 0 Listen
127.0.0.1 49210 0.0.0.0 0 Listen
127.0.0.1 49203 0.0.0.0 0 Listen
127.0.0.1 49202 0.0.0.0 0 Listen
0.0.0.0 49177 0.0.0.0 0 Listen
0.0.0.0 49171 0.0.0.0 0 Listen
0.0.0.0 49158 0.0.0.0 0 Listen
0.0.0.0 49157 0.0.0.0 0 Listen
0.0.0.0 49155 0.0.0.0 0 Listen
0.0.0.0 49154 0.0.0.0 0 Listen
0.0.0.0 49153 0.0.0.0 0 Listen
0.0.0.0 49152 0.0.0.0 0 Listen
10.1.0.64 22122 0.0.0.0 0 Listen
0.0.0.0 9389 0.0.0.0 0 Listen
0.0.0.0 8194 0.0.0.0 0 Listen
0.0.0.0 8193 0.0.0.0 0 Listen
0.0.0.0 8192 0.0.0.0 0 Listen
0.0.0.0 3389 0.0.0.0 0 Listen
0.0.0.0 3269 0.0.0.0 0 Listen
0.0.0.0 3268 0.0.0.0 0 Listen
0.0.0.0 636 0.0.0.0 0 Listen
0.0.0.0 593 0.0.0.0 0 Listen
0.0.0.0 389 0.0.0.0 0 Listen
10.1.0.64 139 0.0.0.0 0 Listen
0.0.0.0 135 0.0.0.0 0 Listen
127.0.0.1 53 0.0.0.0 0 Listen
10.1.0.64 53 0.0.0.0 0 Listen
0.0.0.0 42 0.0.0.0 0 Listen

From my local machine:

PS C:\Users\xx.xx> ftp
ftp> open controller3 9389
Unknown host controller3.
ftp> open controller3 9389
Connected to controller3.
Aborting any active data connections...
Connection closed by remote host.

Controller3 is holding all the FSMO roles. All the services are up and running (and I can complete a 3-way handshake with them), but pointing any protocol-aware client at them results in failure,
usually with a misleading error message, e.g. host does not exist, service unavailable. "Access denied" is also common.
It would appear that everything else considers controller3 "tombstoned", but the roles are not migrating.

There are various diagnostics listed on devops #4418.

Isolating bipcontroller3 from the network (by unplugging its network cable) should have caused the FSMO roles to failover onto bipcontroller4. It did not.

Thanks for your help.
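The checks in the post (service state, listening ports, secure channel, Get-ADDomain against ADWS, FSMO ownership) collected into one triage script, as an added example that is not the poster's own code. It assumes the names from the post (this host is controller3 at 10.1.0.64, the peer DC controller4 is 10.1.0.61, the NetBIOS domain is NTSERVDOM) and is meant to be pasted into the Enter-PSSession on the affected DC. One point worth knowing about that session: connecting by IP address through TrustedHosts authenticates with NTLM rather than Kerberos, which is why the remote session still works on a DC whose Kerberos and directory services no longer answer. The TCP probe uses System.Net.Sockets.TcpClient directly because Test-NetConnection is not available on Server 2012 before R2.

```powershell
# Added example (not the poster's script): triage for a DC that listens on every AD port
# but cannot serve any of them. Run inside the Enter-PSSession on the affected DC.
# Assumptions from the post: this host is controller3 / 10.1.0.64, the peer DC is
# controller4 / 10.1.0.61, and the NetBIOS domain is NTSERVDOM.
param(
    [string]$PeerDc = '10.1.0.61',
    [string]$Domain = 'NTSERVDOM'
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-TcpPort {
    # Plain TCP connect with a timeout. Test-NetConnection is not on Server 2012 (pre-R2),
    # so use the .NET socket directly.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. NTDS and everything that depends on it must be Running. A Running state alone proves
#    little, which is why the remaining checks talk to the services over the wire.
$names = @('ntds') + (Get-Service -Name ntds -DependentServices | ForEach-Object Name)
Get-Service -Name $names | Select-Object Status, Name, DisplayName | Format-Table -AutoSize

# 2. Ports an AD client needs. "bound" comes from the listener table, "accepts" from an
#    actual connect. Bound + accepts + immediate disconnect (the ftp test on 9389 in the
#    post) means the listener is up but the service behind it is refusing work.
$adPorts = [ordered]@{
    'DNS' = 53; 'Kerberos' = 88; 'RPC endpoint mapper' = 135; 'LDAP' = 389
    'SMB' = 445; 'Kpasswd' = 464; 'LDAPS' = 636; 'Global Catalog' = 3268; 'ADWS' = 9389
}
$listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort
foreach ($p in $adPorts.GetEnumerator()) {
    $bound   = $listening -contains $p.Value
    $accepts = Test-TcpPort -ComputerName '127.0.0.1' -Port $p.Value
    '{0,-20} {1,5}  bound={2,-5} accepts={3}' -f $p.Key, $p.Value, $bound, $accepts
}

# 3. Secure channel and DC locator. On a DC, Test-ComputerSecureChannel validates this
#    machine's account against another DC, so "domain could not be contacted" points at
#    DNS/locator or replication rather than at a stale local machine password.
try {
    Test-ComputerSecureChannel -Verbose -ErrorAction Stop
} catch {
    Write-Warning "Secure channel: $($_.Exception.Message)"
}
nltest "/dsgetdc:$Domain" /force
nltest "/sc_query:$Domain"

# 4. ADWS (port 9389, what Get-ADDomain uses) versus raw LDAP on the same host. If LDAP
#    RootDSE answers but ADWS does not, the problem is the web service, not the directory;
#    if RootDSE reports isSynchronized=False the DC has not finished its initial sync.
try {
    Get-ADDomain -Server 'localhost' |
        Select-Object DNSRoot, PDCEmulator, RIDMaster, InfrastructureMaster
} catch {
    Write-Warning "ADWS/Get-ADDomain: $($_.Exception.Message)"
}
try {
    $root = [ADSI]'LDAP://localhost/RootDSE'
    $nc   = $root.Get('defaultNamingContext')
    $sync = $root.Get('isSynchronized')
    'LDAP RootDSE: defaultNamingContext={0} isSynchronized={1}' -f $nc, $sync
} catch {
    Write-Warning "LDAP RootDSE: $($_.Exception.Message)"
}

# 5. Role ownership as the peer sees it, plus replication and the standard DC tests.
netdom query fsmo
Get-ADDomainController -Filter * -Server $PeerDc |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles
repadmin /replsummary
dcdiag /test:Advertising /test:Services /test:Replications /q
```

Step 4 is the one that separates the two failure modes the post cannot tell apart: "Server instance not found on the given port" comes from the ADWS client, and a DC whose LDAP RootDSE still answers has a broken web service, whereas a DC whose RootDSE also fails (or reports isSynchronized=False) has a directory that is not serving, which is what the Kerberos and trust errors on the clients would suggest.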
Also, to be clear, FSMO roles don't fail over. If you need to, you can seize the roles on the second server, but I'd only do that if the primary is permanently down.
 
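The transfer-then-seize procedure the reply describes, as an added example that is not the replier's code. It assumes controller3 is the current holder of all five roles and controller4 is the surviving DC (both names taken from the post), and it changes nothing unless the -Seize switch is given. The reply's condition is enforced in code: the script refuses to seize while the current holder still answers AD queries, because a seized holder that later comes back online produces two DCs that each believe they own the roles (and, for the RID master, two DCs handing out overlapping RID pools).

```powershell
# Added example (not from the thread): inventory FSMO role holders and, only when the
# current holder is confirmed unreachable, seize them onto the surviving DC.
# Assumptions from the post: controller3 holds the roles, controller4 is the survivor.
param(
    [string]$Survivor = 'controller4',   # assumption: the DC that will take the roles
    [string]$Holder   = 'controller3',   # assumption: the DC that currently holds them
    [switch]$Seize                       # nothing is changed unless this is given
)

Import-Module ActiveDirectory -ErrorAction Stop

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Read role ownership from a specific DC so the answer does not depend on the broken one.
    param([string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Show-FsmoHolders {
    param([string]$Server)
    'Role holders as seen by {0}:' -f $Server
    (Get-FsmoHolders -Server $Server).GetEnumerator() |
        ForEach-Object { '  {0,-20} {1}' -f $_.Key, $_.Value }
}

Show-FsmoHolders -Server $Survivor

if ($Seize) {
    # The reply's condition: only seize when the primary is really down. Ask the holder
    # itself; if it still answers AD queries, a normal transfer (or isolating it) is the
    # correct move, not a seize.
    $holderUp = try {
        $null = Get-ADDomainController -Identity $Holder -Server $Holder -ErrorAction Stop
        $true
    } catch {
        $false
    }
    if ($holderUp) {
        throw "$Holder still answers AD queries; transfer instead of seizing, or isolate it first."
    }

    # Transfer first: it asks the current holder and is safe to repeat. Without -Force the
    # cmdlet fails when the holder cannot be reached, which is exactly the case we expect here.
    try {
        Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -OperationMasterRole $roles `
            -Server $Survivor -Confirm:$false -ErrorAction Stop
        'Graceful transfer succeeded.'
    } catch {
        Write-Warning "Transfer failed ($($_.Exception.Message)); seizing."
        # -Force is the seize: ownership is rewritten in the survivor's copy of the directory
        # without the holder's consent. The old holder must never rejoin un-rebuilt.
        Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -OperationMasterRole $roles `
            -Server $Survivor -Force -Confirm:$false -ErrorAction Stop
    }

    Show-FsmoHolders -Server $Survivor
    # After a seize, remove the dead DC from the directory (ntdsutil "metadata cleanup")
    # so the surviving DC stops trying to replicate with it and clients stop being referred to it.
}
```

Run it once without -Seize to see what controller4 believes about role ownership; if Get-ADForest and Get-ADDomain against controller4 already fail, controller4's own ADWS is not serving either and seizing will not help until that is fixed.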