Active Directory - Problem adding Domain Controller or AD Connect Sync
Hi all,
I’m encountering a persistent and strange issue while trying to add a second Domain Controller (DC) or sync Azure AD Connect to an existing Active Directory domain.
Context
- The DC promotion completes successfully without errors.
- After reboot, unable to log in to the new DC.
- The following errors appear in the Event Viewer.
Event ID 1039
Internal event: Active Directory Domain Services could not process the following object.
Object:
CN=TSGateway\0ADEL:2d35c919-3d41-4d0a-b66b-319d0d4c10a4,CN=Deleted Objects,DC=XXX,DC=XXX
User Action:
Increase physical memory or virtual memory. If this error continues to occur, restart the local computer.
Error value: 8451
Internal ID: 1030348
This object doesn’t exist anymore in my Active Directory.
Event ID 1699
This directory service was unable to retrieve the changes requested for the following directory partition.
Partition:
DC=XXX,DC=XXX
Network address:
59b11b2b-e1c2-485b-bc78-0903a813fa11._msdcs.XXX.XXX
Error: 8451 The replication operation encountered a database error.
Troubleshooting already done:
- Searched Microsoft forums and TechNet.
- Performed NTDS database defragmentation.
- Ran integrity check (no corruption found).
- Ran semantic analysis via ntdsutil (no errors).
- Enabled NTDS diagnostic logging (level 5) in the registry.
Event ID 1481 (after diagnostics enabled)
Internal error: The operation on the object failed.
Error value:
2 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=DC1-2022,CN=Servers,CN=SIEGE,CN=Sites,CN=Configuration,DC=XXX,DC=XXX'
The same errors occur when attempting to install Azure AD Connect.
Has anyone experienced something similar or have any suggestions for further steps?
Thanks in advance!
shnool (SHNOOL) May 23, 2025, 12:03pm 2
Please start first with DNS. Nearly all active directory failures occur because DNS cannot properly locate srv records. Make sure the existing AD server DNS is functioning correctly and can be used to answer DNS queries and that the new server is at least using the existing DC server as its primary and loopback as its secondary.
Rerun the above tests and see where you stand.
I’d also look at DNS and see if there are any stale or incorrect entries for DCs, or srv records for the same domain.
macro974 (macro974) May 23, 2025, 12:51pm 3
Thanks a lot for the quick reply!
Here’s what I’ve verified so far:
- The existing DC’s DNS is working properly; I can resolve all standard records (A, SRV, etc.) from the new server.
- The new DC is configured to use the existing DC as its primary DNS and 127.0.0.1 as secondary, as recommended.
- I’ve cleared the DNS cache on both servers (ipconfig /flushdns) and forced registration (ipconfig /registerdns).
- I’ve checked the _msdcs.XXX.XXX zone — the SRV records for both DCs seem valid, and I didn’t spot any stale or duplicate entries.
Denis-Kelley (Denis Kelley) May 23, 2025, 2:00pm 4
You might want to post results from DCDiag and Repadmin
macro974 (macro974) May 23, 2025, 3:21pm 5
Here are the Dcdiag and Repadmin results.
Dcdiag
Directory Server Diagnostic
Running initial setup:
Attempting to locate associated server...
* Verifying that the local computer DC1-2022 is a directory server.
Associated server: DC1-2022
* Connecting to the directory service on server DC1-2022.
* AD Forest identified.
Collecting AD-specific global data
* Collecting site information.
Calling ldap_search_init_page...
The previous call succeeded
Iterating through the sites
Looking at base site object...
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page...
The previous call succeeded
Iterating through the list of servers
Getting information for the server DC1-2022
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all cross-references NCs.
* 1 domain controller found. Testing 1 of them.
Initial data collection complete.
Running initial tests
Server Test: SIEGE\DC1-2022
Test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
Connectivity test passed
Running primary tests
Test: Advertising
The DC DC1-2022 is advertising itself as a DC and having a DS.
The DC DC1-2022 is advertising as an LDAP server
The DC DC1-2022 is advertising as having a writeable directory
The DC DC1-2022 is advertising as a Key Distribution Center
The DC DC1-2022 is advertising as a time server
The DS DC1-2022 is advertising as a GC.
Advertising test passed
Test: FrsEvent
* File Replication Service event log test
Skipped because the server is using DFSR.
FrsEvent test passed
Test: DFSREvent
DFS Replication Event Log
DFSREvent test passed
Test: SysVolCheck
* SYSVOL readiness test for DFS Replication
SYSVOL is ready
SysVolCheck test passed
Test: KccEvent
* KCC Event log test
Error Event ID: 0xC00005C9
Internal error: The operation on the object failed.
Additional Data: Error 500002121
Warning Event ID: 0x80000495
Exception: e0010002
Parameter: 5
Error: 8451
Error Event ID: 0xC000040F
Object: CN=TSGatewayADEL:...
Action: Increase memory or restart local computer.
Error: 8451
Error Event ID: 0xC00006A3
Could not retrieve changes for partition DC=xxx,DC=xxx
Replication operation failed
Error: 8451
Error Event ID: 0xC00005C9
Error: NO_OBJECT
KccEvent test failed
Test: KnowsOfRoleHolders
All FSMO roles held by DC1-2022
Test passed
Test: MachineAccount
SPNs verified for DC1-2022
Test passed
Test: NCSecDesc
Security permissions verified for all NCs
Test passed
Test: NetLogons
Verified netlogon and sysvol shares
Test passed
Test: ObjectsReplicated
Objects are up-to-date on all servers
Test passed
Test: Replications
Replication and latency check
Latency data for retired Invocations ignored
Test passed
Test: RidManager
RID Master: DC1-2022
RID pool and allocation are valid
Test passed
Test: Services
All necessary services are running
Test passed
Test: SystemLog
No critical errors found in the last 60 minutes
Test passed
Test: VerifyReferences
ServerReference and related links are valid
Test passed
Partition Tests
All partitions (ForestDnsZones, DomainDnsZones, Schema, Configuration, xxx) passed CheckSDRefDom and CrossRefValidation
Enterprise Tests for xxx.xxx
LocatorCheck passed (GC, PDC, Time Server, KDC all point to DC1-2022)
Intersite: Site SIEGE ignored (outside scope)
Repadmin
SIEGE\DC1-2022
DSA Options: IS_GC
Site Options: (none)
DSA Guid Object: 8a7a56c3-f994-46a0-87e5-245ad676f84f
DSA Invocation ID: ba4ffce4-c54e-447a-b9a4-09fa0cb8a775
Replication summary start time: 2025-05-23 19:13:27
Starting data collection for the replication summary;
this operation may take some time:
....
Source DSA max difference # failures %% error
Destination DSA max difference # failures %% error
Thanks
Did you run dcdiag /e /v ?
Wondering if you have an old DC with meta data hanging around in there.
macro974 (macro974) May 24, 2025, 4:15am 7
The dcdiag command was run with the /e /v options, and the old domain controllers were removed through a metadata cleanup along with the deletion of old DNS entries.
The object is saying it’s in the deleted objects which would be the AD Recycle bin. See if you can find it and remove it via PowerShell.
macro974 (macro974) May 24, 2025, 4:44am 9
I tried, but unfortunately the object does not exist in CN=Deleted Objects,DC=xxx,DC=XXX.
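One way to run the lookup suggested above, as an added example that is not from anyone in the thread: it searches for both GUIDs quoted in the events by objectGUID (the key AD itself uses) rather than by the mangled "\0ADEL:" name, and assumes the ActiveDirectory RSAT module is installed on the machine it runs on.

```powershell
# Added example (not from the thread): look up the objects named in the
# Event 1039 / 1699 text by objectGUID, the key AD itself uses, rather than
# by the mangled "\0ADEL:" name. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$deletedObjGuid = [guid]'2d35c919-3d41-4d0a-b66b-319d0d4c10a4'  # Event 1039, "\0ADEL:" suffix
$sourceDsaGuid  = [guid]'59b11b2b-e1c2-485b-bc78-0903a813fa11'  # Event 1699, _msdcs name
$rootDse        = Get-ADRootDSE
$forestDns      = (Get-ADForest).RootDomain                     # e.g. XXX.XXX

function Find-ADObjectByGuid {
    param([guid]$Guid, [string]$SearchBase)
    # objectGUID has to be matched as escaped bytes in an LDAP filter.
    $escaped = -join ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
    # -IncludeDeletedObjects is essential: without it a tombstone or recycled
    # object is reported as "not found", which is not the same as "gone".
    Get-ADObject -LDAPFilter "(objectGUID=$escaped)" -SearchBase $SearchBase `
        -SearchScope Subtree -IncludeDeletedObjects `
        -Properties isDeleted, isRecycled, lastKnownParent, whenChanged
}

# 1. The TSGateway object from Event 1039: live, tombstoned, or recycled?
$obj = Find-ADObjectByGuid $deletedObjGuid $rootDse.defaultNamingContext
if (-not $obj) { "GUID $deletedObjGuid: no live, deleted, or recycled object in the domain NC." }
else { $obj | Format-List DistinguishedName, isDeleted, isRecycled, lastKnownParent, whenChanged }

# 2. The replication source behind Event 1699. The GUID in the _msdcs name is
#    the source DC's NTDS Settings objectGUID; repadmin printed DC1-2022's own
#    DSA GUID (8a7a56c3-...), so this GUID identifies some other DSA. Confirm
#    whether its NTDS Settings object still exists and whether its CNAME resolves.
$dsa = Find-ADObjectByGuid $sourceDsaGuid $rootDse.configurationNamingContext
if (-not $dsa) { "GUID $sourceDsaGuid: no NTDS Settings object (live or deleted) in the Configuration NC." }
else { "DSA GUID $sourceDsaGuid belongs to $($dsa.DistinguishedName) (isDeleted=$($dsa.isDeleted))" }

Resolve-DnsName -Name "$($sourceDsaGuid)._msdcs.$forestDns" -Type CNAME -ErrorAction SilentlyContinue |
    Select-Object Name, NameHost

# 3. For comparison, the most recent entries in the domain's Deleted Objects container.
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -SearchBase "CN=Deleted Objects,$($rootDse.defaultNamingContext)" `
    -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object Name, lastKnownParent, whenChanged -First 20
```

If step 2 returns a deleted NTDS Settings object or a CNAME that still resolves, that is the DSA the replication error refers to, which narrows the next check to that server's metadata and DNS records.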