Remote Office Having Trust Relationship Issues Due to Tombstoned Domain Controller

Question

All Windows 10 computers in our remote location are having domain trust relationship issues. The computers are able to login after a reboot takes place, but the issue repeats after the computer goes to sleep.

There is a Domain Controller in the Remote site, Remote-AD-- however it seems like the machines are logging into the domain at the main site, Main-AD.

ISSUE

Remote server remote-ad does not seem to be functional. remote-ad is not accepting pc's that are domain joined, and doesnt seem to replicate properly
cannot connect windows 10 machines to the domain without specifying to use Main-ad as the server

CAUSES

(SUCCESS) - network. Network checked, routing seems to be working fine, pings and connectivity work between workstations and servers
(SUCCESS) DNS - DNS itself seems to be pulling the correct ip addresses for all Domain controllers
(ISSUES) Replication - Issues Identified with replication
- DC is tombstoned, need solution

SUMMARY

Reset-ComputerMachinePassword -Credential $c (doesn't work)
Rejoining computer to the domain (works temporarily)
uncheck IPV6 (didnt solve the problem)
ipconfig /release /renew
running: repadmin /showrepl Major issues shown syncing to the Remote-AD
- 60 days since the last contact date

Error Details

Error: Client Side, Remote Site

the trust relationship between this workstation and the primary domain failed

Error: Remote-AD

All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.

Site: CN=SLC,CN=Sites,CN=Configuration,DC=Domain,DC=com Directory partition: CN=Configuration,DC=Domain,DC=com Transport: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Domain,DC=com

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

1st question: Why are you running Server 2003? It's long out of support. 2nd question: Are the devices in the proper subnet/site? — Davidw, Nov 22 '19 at 23:17
Thank you. I completely agree with you, but it's what I'm stuck with. They are on the same subnet as the ```remote-AD```, but I only checked that via ```ipconfig /all``` do I need to check that via a different method? — confoundr, Nov 22 '19 at 23:19
`All Windows 10 computers in our remote location are having domain trust relationship issues.` - You didn't tell us what the issue actually is. What happens? What are the symptoms? Also, do you have Active Directory Sites and Services configured correctly with your sites and subnets? My guess is it isn't. — joeqwerty, Nov 22 '19 at 23:50
```Remote-AD``` and ```Main-AD``` are in different sites in Active Directory — confoundr, Nov 22 '19 at 23:50
@joeqwerty thankyou, I've added the error detail under additional details — confoundr, Nov 22 '19 at 23:56
Run Test-ComputerSecurechannel -repair in an elevated powershell window on the clients in question. — Davidw, Nov 23 '19 at 00:04
`Remote-AD and Main-AD are in different sites in Active Directory` - OK. Do you have your subnets configured and associated with the correct sites? — joeqwerty, Nov 23 '19 at 00:14
Yes, it looks like the client computer having the trust relationship issues and the ```remote-AD``` are on the ```192.168.3.0/24``` subnet, the ```Remote-AD``` is under the ```Remote-Site``` site, and the subnet ```192.168.3.0/24``` shows as having the ```Remote-Site``` assigned — confoundr, Nov 23 '19 at 00:21

score 0 · Accepted Answer · answered Jan 10 '20 at 17:32

0

We solved this by setting up a new DC at the remote site due to the Domain controller reaching the tombstoned date.

answered Jan 10 '20 at 17:32

confoundr

347
3
8
18