Error in Active Directory
Hello. I tested my Active Directory with the dcdiag command and it shows several errors. Please tell me how I can fix them.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = SERVER-AC2012
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER-AC2012
Starting test: Connectivity
......................... SERVER-AC2012 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER-AC2012
Starting test: Advertising
Warning: SERVER-AC2012 is not advertising as a time server.
......................... SERVER-AC2012 failed test Advertising
Starting test: FrsEvent
......................... SERVER-AC2012 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... SERVER-AC2012 failed test DFSREvent
Starting test: SysVolCheck
......................... SERVER-AC2012 passed test SysVolCheck
Starting test: KccEvent
......................... SERVER-AC2012 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SERVER-AC2012 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SERVER-AC2012 passed test MachineAccount
Starting test: NCSecDesc
......................... SERVER-AC2012 passed test NCSecDesc
Starting test: NetLogons
......................... SERVER-AC2012 passed test NetLogons
Starting test: ObjectsReplicated
......................... SERVER-AC2012 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=ForestDnsZones,DC=khayam,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2022-08-07 19:18:02.
The last success occurred at 2020-06-11 08:19:29.
19062 failures have occurred since the last success.
[SERVER2016DC2] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
[SERVER2019DC2] DsBindWithSpnEx() failed with error 1398,
There is a time and/or date difference between the client and server..
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=DomainDnsZones,DC=khayam,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2022-08-07 19:18:02.
The last success occurred at 2020-06-11 08:19:29.
19062 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: CN=Schema,CN=Configuration,DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-07 19:18:02.
The last success occurred at 2020-06-11 08:19:29.
19061 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: CN=Configuration,DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-07 19:18:02.
The last success occurred at 2020-06-11 08:19:29.
19062 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-07 19:18:02.
The last success occurred at 2020-06-11 08:31:02.
19059 failures have occurred since the last success.
......................... SERVER-AC2012 failed test Replications
Starting test: RidManager
......................... SERVER-AC2012 passed test RidManager
Starting test: Services
Invalid service startup type: NETLOGON on SERVER-AC2012, current value DEMAND_START, expected value
AUTO_START
......................... SERVER-AC2012 failed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x40000004
Time Generated: 08/07/2022 19:01:44
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was KHAYAM\SERVER2016DC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 08/07/2022 19:18:02
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/c54ec21c-e264-4cb0-a5ca-4f370c223d22/khayam.local@khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
A warning event occurred. EventID: 0x80000025
Time Generated: 08/07/2022 19:36:45
Event String:
The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.
A warning event occurred. EventID: 0x80000023
Time Generated: 08/07/2022 19:36:45
Event String:
The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (SERVER2019DC2) that did not contain a PAC attributes field. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.
An error event occurred. EventID: 0x40000004
Time Generated: 08/07/2022 19:41:46
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was LDAP/c54ec21c-e264-4cb0-a5ca-4f370c223d22._msdcs.khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000005
Time Generated: 08/07/2022 19:41:46
Event String:
The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server server2019dc2$. This indicates that the ticket presented to that server is not yet valid (due to a discrepancy between ticket and server time. Contact your system administrator to make sure the client and server times are synchronized, and that the time for the Key Distribution Center Service (KDC) in realm KHAYAM.LOCAL is synchronized with the KDC in the client realm.
......................... SERVER-AC2012 failed test SystemLog
Starting test: VerifyReferences
......................... SERVER-AC2012 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : khayam
Starting test: CheckSDRefDom
......................... khayam passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... khayam passed test CrossRefValidation
Running enterprise tests on : khayam.local
Starting test: LocatorCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... khayam.local failed test LocatorCheck
Starting test: Intersite
......................... khayam.local passed test Intersite
5 answers
The log shows several points that need attention:
1- The number of DCs is two servers (server2016dc2, server2019dc2)
2- The DNS IP address of the DCs is 8.8.8.8, which must 100% be changed to the IP ADDRESS of the DC itself or (a DC with DNS+INTEGRATED ZONE DOMAIN)
3- Finally, after correcting the DNS server, the (AD DS service) or the server must be restarted
4- Check replication between the servers (repadmin)
5- If there is only one DC, reset the DC's computer account with the NETDOM command. Use the FQDN in the command.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... SERVER2016DC2 failed test Connectivity
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... SERVER2019DC2 failed test Connectivity
Warning: DsGetDcName returned information for \\server2019dc2.khayam.local, when we were trying to reach
SERVER-AC2012.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... SERVER-AC2012 failed test Advertising
[SERVER-AC2012] LDAP bind failed with error 8341. A directory service error has occurred.
Unable to verify the machine account (CN=SERVER-AC2012,OU=Domain Controllers,DC=khayam,DC=local) for
SERVER-AC2012 on SERVER2019DC2.
[SERVER-AC2012] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... SERVER-AC2012 failed test DFSREvent
** Did not run Outbound Secure Channels test because /testdomain: was not entered
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=ForestDnsZones,DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-08 22:32:17.
The last success occurred at 2020-06-11 08:19:29.
19092 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=DomainDnsZones,DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-08 22:32:17.
The last success occurred at 2020-06-11 08:19:29.
19092 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: CN=Schema,CN=Configuration,DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-08 22:32:17.
The last success occurred at 2020-06-11 08:19:29.
19091 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: CN=Configuration,DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-08 22:32:17.
The last success occurred at 2020-06-11 08:19:29.
19092 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-08 22:32:17.
The last success occurred at 2020-06-11 08:31:02.
19089 failures have occurred since the last success.
......................... SERVER-AC2012 failed test Replications
Invalid service startup type: NETLOGON on SERVER-AC2012, current value DEMAND_START, expected value
AUTO_START
NETLOGON Service is stopped on [SERVER-AC2012]
......................... SERVER-AC2012 failed test Services
An error event occurred. EventID: 0xC00038D4
Time Generated: 08/08/2022 22:02:53
Event String:
The DFS Namespace service could not initialize the trusted domain information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0x40000005
Time Generated: 08/08/2022 22:03:59
Event String:
The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server server2019dc2$. This indicates that the ticket presented to that server is not yet valid (due to a discrepancy between ticket and server time. Contact your system administrator to make sure the client and server times are synchronized, and that the time for the Key Distribution Center Service (KDC) in realm KHAYAM.LOCAL is synchronized with the KDC in the client realm.
An error event occurred. EventID: 0x40000004
Time Generated: 08/08/2022 22:16:55
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/c54ec21c-e264-4cb0-a5ca-4f370c223d22/khayam.local@khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 08/08/2022 22:22:30
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was KHAYAM\SERVER2016DC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 08/08/2022 22:30:50
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was ldap/server2016dc2.khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 08/08/2022 22:30:50
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was LDAP/c54ec21c-e264-4cb0-a5ca-4f370c223d22._msdcs.khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 08/08/2022 22:30:52
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was cifs/SERVER2016DC2. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 08/08/2022 22:30:52
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was RPCSS/server2016dc2.khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x0000272C
Time Generated: 08/08/2022 22:30:52
Event String:
DCOM was unable to communicate with the computer server2016dc2.khayam.local using any of the configured protocols; requested by PID 26c4 (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 08/08/2022 22:30:52
Event String:
DCOM was unable to communicate with the computer server2019dc2.khayam.local using any of the configured protocols; requested by PID 26c4 (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 08/08/2022 22:31:14
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 26c4 (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 08/08/2022 22:32:17
Event String:
DCOM was unable to communicate with the computer server2019dc2.khayam.local using any of the configured protocols; requested by PID 17cc (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 08/08/2022 22:32:17
Event String:
DCOM was unable to communicate with the computer server2016dc2.khayam.local using any of the configured protocols; requested by PID 17cc (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
......................... SERVER-AC2012 failed test SystemLog
......................... SERVER2019DC2 failed test DNS
......................... SERVER2016DC2 failed test DNS
Invalid service startup type: NETLOGON on SERVER-AC2012, current value DEMAND_START, expected value AUTO_START
NETLOGON Service is stopped on [SERVER-AC2012]
Test results for domain controllers:
DC: SERVER-AC2012.khayam.local
Domain: khayam.local
TEST: Basic (Basc)
Error: NETLOGON service is not running
TEST: Records registration (RReg)
Error: Record registrations cannot be found for all the network adapters
DC: server2016dc2.khayam.local
Domain: khayam.local
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Error: No LDAP connectivity
Error: No WMI connectivity
No host records (A or AAAA) were found for this DC
DC: server2019dc2.khayam.local
Domain: khayam.local
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Error: No LDAP connectivity
Error: No WMI connectivity
No host records (A or AAAA) were found for this DC
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: khayam.local
SERVER-AC2012 PASS FAIL PASS PASS PASS FAIL n/a
server2016dc2 FAIL FAIL n/a n/a n/a n/a n/a
server2019dc2 FAIL FAIL n/a n/a n/a n/a n/a
......................... khayam.local failed test DNS
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... khayam.local failed test LocatorCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... khayam.local failed test FsmoCheck
Hello, please send the output of the command below and tell us how many domain controllers you have in your domain and what their operating systems are.
DCDIAG /c /v /e /q
The command above shows only the errors, runs its tests on all DCs, and gives a clean output. Please send the output in code format (Paragraph -> Blocks -> Code) so that it is easier to read. Thank you.
The DCDIAG output shows that you have (had) several domain controllers, but you say that you have a single domain controller. This can mean (and the DCDIAG output also attests to this) that those domain controllers were taken out of service, but not in the proper way. What you need to do is remove the leftover metadata of the other domain controllers from the domain controller on which you ran DCDIAG. See the link below:
https://servergurunow.wordpress.com/2017/08/08/metadata-cleanup-of-a-domain-controller-2
I suggest that you also delete the objects related to the old DCs from the ADSI Edit console.
P.S.: I asked you to send the DCDIAG output in code format (Paragraph -> Blocks -> Code), but you did not do this.
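The triage the answers above do by eye (which tests failed, which replication partners the output still names, and how long ago each last replicated) can be scripted. The following is an added example, not part of the original thread: the sample is a constructed excerpt in the shape of the posted dcdiag output, and the function names and the 180-day staleness threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a shortened dcdiag run shaped like the output in this thread.
SAMPLE = """\
Home Server = SERVER-AC2012
......................... SERVER-AC2012 failed test Advertising
Starting test: Replications
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=ForestDnsZones,DC=khayam,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2022-08-07 19:18:02.
The last success occurred at 2020-06-11 08:19:29.
19062 failures have occurred since the last success.
[Replications Check,SERVER-AC2012] A recent replication attempt failed:
From SERVER2016DC2 to SERVER-AC2012
Naming Context: DC=khayam,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-07 19:18:02.
The last success occurred at 2020-06-11 08:31:02.
19059 failures have occurred since the last success.
......................... SERVER-AC2012 failed test Replications
......................... SERVER-AC2012 passed test RidManager
"""

HOME_RE = re.compile(r"Home Server = (\S+)")
RESULT_RE = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)")
FROM_RE = re.compile(r"^From (\S+) to (\S+)")
NC_RE = re.compile(r"^Naming Context: (.+)")
ERR_RE = re.compile(r"^The replication generated an error \((-?\d+)\):")
WHEN_RE = re.compile(r"^The (failure|last success) occurred at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.")

def parse_dcdiag(text):
    """Return the home server, the failed tests and one dict per replication failure."""
    home, failed, repl, cur = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOME_RE.search(line):
            home = m.group(1)
        elif m := RESULT_RE.match(line):
            if m.group(2) == "failed":
                failed.append((m.group(1), m.group(3)))
            cur = None                      # a result line closes any open failure block
        elif "A recent replication attempt failed" in line:
            cur = {}
            repl.append(cur)
        elif cur is not None:
            if m := FROM_RE.match(line):
                cur["source"], cur["dest"] = m.groups()
            elif m := NC_RE.match(line):
                cur["nc"] = m.group(1)
            elif m := ERR_RE.match(line):
                cur["error"], cur["message"] = int(m.group(1)), None
            elif m := WHEN_RE.match(line):
                key = "failed_at" if m.group(1) == "failure" else "last_ok"
                cur[key] = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            elif cur.get("message", "") is None:
                cur["message"] = line       # the text line right after the error code
    return {"home": home, "failed_tests": failed, "replication": repl}

def summarize(report, stale_after_days=180):
    """Group replication failures by source DC. stale_after_days is an assumed
    threshold (180 days is a common tombstone lifetime; check your forest's value)."""
    out = defaultdict(lambda: {"errors": {}, "contexts": [], "max_gap_days": 0})
    for r in report["replication"]:
        s = out[r.get("source", "unknown")]
        if "error" in r:
            s["errors"][r["error"]] = r.get("message")
        s["contexts"].append(r.get("nc"))
        if "failed_at" in r and "last_ok" in r:   # tolerate truncated blocks
            gap = (r["failed_at"] - r["last_ok"]).days
            s["max_gap_days"] = max(s["max_gap_days"], gap)
    for s in out.values():
        s["stale"] = s["max_gap_days"] > stale_after_days
    return dict(out)

def partners_other_than_home(report):
    """Source DCs named in failures that are not the server dcdiag ran on."""
    return sorted({r["source"] for r in report["replication"]
                   if r.get("source") and r["source"] != report["home"]})

if __name__ == "__main__":
    rep = parse_dcdiag(SAMPLE)
    print("failed tests:", rep["failed_tests"])
    for dc, info in summarize(rep).items():
        print(dc, sorted(info["errors"]), info["max_gap_days"], "days", "STALE" if info["stale"] else "")
```

A partner flagged as stale that no longer exists is a candidate for the metadata cleanup described in the answer above; one that still exists needs its DNS, time and secure channel checked first.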
The operating system is server2019.
It has only one domain controller.