Channel: Directory Services forum

Unable to contact domain after transferring fsmo roles 2012R2 > 2016


Situation: I transferred the FSMO roles from 2012 R2 to 2016; everything checked out, and the network was fine for a few days. I demoted the former DC and the issues came.

Summary: nltest gives errors that no such domain or cannot be contacted. 

dcdiag:

 Running enterprise tests on : us.domain.com
    Starting test: LocatorCheck
       Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
       A Global Catalog Server could not be located - All GC's are down.
       Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
       A Time Server could not be located.
       The server holding the PDC role is down.
       Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 13
       A Good Time Server could not be located.
       Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
       A KDC could not be located - All the KDCs are down.
       ......................... us.domain.com failed test LocatorCheck

nslookup

> _ldap._tcp.dc._msdcs.us
Server:  localhost
Address:  127.0.0.1
_ldap._tcp.dc._msdcs.us.domain.com    SRV service location
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.us.domain.com
dc1.us.domain.com     internet address = 10.24.16.10
>

Netdom query failed: the specified domain doesn't exist, or cannot be contacted.

repadmin /replsummary


Source DSA          largest delta    fails/total %%   error
 OLDDC           01d.00h:46m:20s   10 /  10  100  (5) Access is denied.
 DC1               01d.00h:31m:17s    5 /   5  100  (5) Access is denied.

Destination DSA     largest delta    fails/total %%   error
 DC1               01d.00h:34m:42s    5 /   5  100  (2148074274) The target principal name is incorrect.
 DC3               01d.00h:46m:21s   10 /  10  100  (5) Access is denied.

Experienced the following operational errors trying to retrieve replication information:
        8341 - olddc.us.domain.com
        1326 - dc2.us.domain.com
          58 - 24ccb0b8-dab4-4730-acff-1ee490af6fc5._msdcs.us.domain.com
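The dcdiag LocatorCheck failures (error 1355, "no GC / no KDC / no time server") all come from DcGetDcName, which depends on the SRV records in DNS and on the directory still listing only live DCs. The following is an added example, not part of the original post, of the checks a practitioner runs from a surviving DC after a demotion. It assumes the ActiveDirectory module and uses 'us.domain.com' from the post; the forest root is discovered at run time.

```powershell
# Added example (not from the post): locator-health checks to run from a surviving DC after a
# demotion. Assumes the ActiveDirectory module; 'us.domain.com' is the domain name from the post.
Import-Module ActiveDirectory

$domain = 'us.domain.com'
$forest = (Get-ADForest -Server $domain).RootDomain

# 1. Which DCs does the directory still list, which are GCs, and who holds each FSMO role?
Get-ADDomainController -Filter * -Server $domain |
    Select-Object HostName, Site, IsGlobalCatalog, @{n='Roles'; e={ $_.OperationMasterRoles -join ',' }}

# 2. Leftover NTDS Settings objects: a demoted DC that still appears here keeps being chosen as a
#    replication partner and keeps failing with "Access is denied" / "target principal name" errors.
$configNC = (Get-ADRootDSE -Server $domain).configurationNamingContext
Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $configNC -Server $domain |
    Select-Object -ExpandProperty DistinguishedName

# 3. The SRV records the locator (DcGetDcName) depends on, and the hosts they point at.
$records = @("_ldap._tcp.dc._msdcs.$domain",
             "_kerberos._tcp.dc._msdcs.$domain",
             "_ldap._tcp.pdc._msdcs.$domain",
             "_gc._tcp.$forest")
foreach ($name in $records) {
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "SRV lookup failed for ${name}: $($_.Exception.Message)"
    }
}

# 4. Replication state and the secure channel / locator from this DC's own point of view.
repadmin /replsummary
nltest /sc_verify:$domain
nltest /dsgetdc:$domain /gc /force
```

Compare the host names returned in step 3 with the DC list from step 1: a record that still points at the demoted DC, or a DC in step 1 that is no longer reachable, explains the locator failures directly.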


How to get report of applied Group Policy


Dear Folks,


I have deployed a Group Policy on one OU. Now I want to generate a report of that policy and have evidence that this policy is applied to all nested OUs. I have an OU named ABC; inside ABC there are OU A and OU B. I have created the policy and applied it to ABC, and now I have to show my management that this policy is applied to ABC as well as to OU A and OU B.

Yogesh 
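As an added example (not part of the post above), the script below produces the two kinds of evidence usually asked for: the GPO links effective on ABC and every OU beneath it (flagging any nested OU where the policy is missing, disabled or blocked), and an RSoP report from a real client in a nested OU. It assumes the GroupPolicy and ActiveDirectory modules; the OU distinguished name, GPO name and computer name are placeholders.

```powershell
# Added example (not from the post). Placeholders: $parentOU, $gpoName, $computer.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$parentOU = 'OU=ABC,DC=example,DC=com'   # assumption: DN of the ABC OU
$gpoName  = 'ABC Baseline Policy'        # assumption: display name of the GPO
$computer = 'PC-IN-OU-A'                 # assumption: a computer located in OU A

# 1. ABC plus every nested OU.
$ous = @(Get-ADOrganizationalUnit -Identity $parentOU) +
       @(Get-ADOrganizationalUnit -Filter * -SearchBase $parentOU -SearchScope Subtree |
           Where-Object { $_.DistinguishedName -ne $parentOU })

# 2. Effective (linked + inherited) GPO links per OU, as Group Policy itself resolves them.
$linkReport = foreach ($ou in $ous) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            GPO       = $link.DisplayName
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
            LinkedAt  = $link.Target
            Inherited = ($link.Target -ne $ou.DistinguishedName)
            Blocked   = $inh.GpoInheritanceBlocked
        }
    }
}
$linkReport | Format-Table -AutoSize

# 3. Any OU under ABC where the policy is NOT effective (inheritance blocked, link disabled,
#    or link removed) shows up here; an empty result is the evidence management wants.
$ous | Where-Object {
    $dn = $_.DistinguishedName
    -not ($linkReport | Where-Object { $_.OU -eq $dn -and $_.GPO -eq $gpoName -and $_.Enabled })
} | Select-Object -ExpandProperty DistinguishedName

# 4. Proof from a client: what actually applied on a machine in OU A.
Get-GPResultantSetOfPolicy -ReportType Html -Computer $computer -Path "C:\Temp\rsop-$computer.html"

# 5. The settings of the GPO itself, for the same report pack.
Get-GPOReport -Name $gpoName -ReportType Html -Path "C:\Temp\gpo-$gpoName.html"
```

Step 3 is the part ADUC cannot show at a glance: it walks the subtree and tests each OU for an enabled link to the named GPO, so a "Block Inheritance" set on OU B by someone else is caught rather than assumed away.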

Windows cannot create object because: The directory service unable to allocate a relative object


Dear All,

I am facing a problem regarding my AD servers. I have 3 domain controllers.

1- DC (primary) 

2- ADC

3-VDC

Schema master               DC.noc.pil.com.pk
Domain naming master        DC.noc.pil.com.pk
PDC                         ADC-KHI.noc.pil.com.pk
RID pool manager            DC.noc.pil.com.pk
Infrastructure master       ADC-KHI.noc.pil.com.pk

My primary server's (DC) hard disk became faulty and the server is completely down. Now, when I try to create a new user on my other domain controller, it gives me the error in the subject.

My question is: is there any way that I can update my ADC to Schema, RID and Domain Naming master (as my DC is completely down and there is no chance of bringing it up)?
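When the role holder is gone for good, the roles are seized rather than transferred. The block below is an added example, not from the post, of doing that with the ActiveDirectory module for the three roles the post lists, verifying the result, and then removing the dead DC's metadata so the remaining DCs stop trying to replicate from it. It uses the server names from the post; the site name in the ntdsutil line is a placeholder.

```powershell
# Added example (not from the post): seize SchemaMaster, DomainNamingMaster and RIDMaster from a
# dead DC onto a surviving DC, verify, then clean up the dead DC's metadata.
# The dead DC must never be powered on again once its roles have been seized.
Import-Module ActiveDirectory

$survivor = 'ADC-KHI'   # DC taking over the roles (from the post)
$deadDc   = 'DC'        # DC that is permanently down (from the post)
$siteName = '<SiteName>' # placeholder: site that held the dead DC's server object

# 1. Record the current holders before changing anything.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Seize: -Force skips the transfer attempt that would otherwise wait on the unreachable holder.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, RIDMaster -Force -Confirm:$false

# 3. Verify the new holders and that the RID master can hand out pools again
#    (the "unable to allocate a relative identifier" error is the RID pool being exhausted
#    with no reachable RID master to refill it).
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object RIDMaster
dcdiag /test:RidManager /v

# 4. Metadata cleanup for the dead DC. Its NTDS Settings object should disappear afterwards.
$configNC = (Get-ADRootDSE).configurationNamingContext
ntdsutil "metadata cleanup" "remove selected server CN=$deadDc,CN=Servers,CN=$siteName,CN=Sites,$configNC" quit quit
Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $configNC |
    Where-Object { $_.DistinguishedName -like "*CN=$deadDc,CN=Servers,*" }
```

Run step 1 and step 3 from the surviving DC itself so the answers come from its own copy of the directory, not from a cached locator result that may still name the dead server.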

Connect to domain


Hello y'all,

I've installed a brand new, fresh copy of Windows Server 2016 Standard on a virtual machine (VMware, if it matters), installed Active Directory, promoted it to a domain controller and created a new user (not changing anything apart from choosing a user name and a password). Then I tried to connect to the domain using the hosting computer (the one on which I run the virtual machine) and I keep receiving the same error, "can't join this domain, contact your IT admin" (Windows 10), and I really have no clue where to start investigating the reasons for it. Have I missed some essential steps creating the domain/user? I would be thankful for any hint on where to start.

Kind Regards,
Bar

Domain Controller shows Public Network


Dear Support, 

Could it have any impact on a Domain Controller when the network of the Domain Controller is "Public network"?
How could the network be changed from "Public" to "Domain" if it has an impact on the DC?

Thanks!

Best Regards, 
Daniel
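The practical impact of a DC's interface sitting in the Public profile is that Windows Firewall evaluates inbound traffic against the Public rule set instead of the Domain one. As an added example (not part of the post), the following shows the profile each interface is in, the firewall defaults per profile and which AD DS rules are scoped to which profile, and then makes NLA re-evaluate. It assumes Server 2012 or later, where the NetConnection and NetSecurity modules exist.

```powershell
# Added example (not from the post). Assumes Server 2012+; run in a maintenance window,
# because restarting NlaSvc briefly disturbs network-location detection.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity, IPv6Connectivity

# Why the category matters: inbound rules are applied per active profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Enabled True |
    Select-Object DisplayName, Direction, Profile |
    Sort-Object Profile, DisplayName

# NLA classifies the interface at startup; on a DC it can run before AD DS has finished starting
# and then settle on Public. Restarting the service makes it re-detect the domain.
Restart-Service -Name NlaSvc -Force
Start-Sleep -Seconds 10
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
```

If the category is still not DomainAuthenticated after the restart, the usual next checks are the DC's own DNS client settings (it should resolve its domain through itself or another DC) and whether the DNS service was up when NLA ran.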

Active Directory Upgrade 2003 to 2016

Hi all,

I was recently hired to upgrade an Active Directory infrastructure based on Windows Server 2003 R2. Is it possible to go directly to 2016? The client is also concerned with their Windows XP machines, still more than 30% of installed workstations. What are the risks?

Thanks in advance.

Windows server 2012 DC Promo fails The directory service on XYZDC has not finished initializing.


No FSMO Role on this DC,

The server was being promoted; after the reboot I could log in but could not open anything from system32 ("Access Denied"). After a while this error fixed itself, but now the DNS service is not starting:

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed." (Event ID 4013)

Any idea will be much appreciated.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/11/2018 4:23:46 PM
Event ID:      1557
Task Category: Replication
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      XYZDC11.com.au
Description:
This directory server has not completed a full synchronization of the following directory partition. This directory server will not available to clients until this task is completed.
 
Directory partition:
DC=com.au
 
An attempt to complete a full synchronization of this directory partition will be tried again later.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="16384">1557</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-06T05:23:46.304087400Z" />
    <EventRecordID>529</EventRecordID>
    <Correlation />
    <Execution ProcessID="492" ThreadID="1460" />
    <Channel>Directory Service</Channel>
    <Computer>XYZDC11.com.au</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>DC=Com,DC=au</Data>
  </EventData>
</Event>

Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag /kcc
Invalid Syntax: Invalid option /kcc. Use dcdiag.exe /h for help.
PS C:\Windows\system32> repadmin /kcc

Repadmin: running command /kcc against full DC localhost
XYZDC
Current Site Options: (none)
Consistency check on localhost successful.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = XYZDCDC11
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   * Identified AD Forest.
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   Done gathering initial info.

Doing initial required tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Connectivity
         The directory service on XYZDCDC11 has not finished initializing.
          In order for the directory service to consider itself synchronized, it must attempt an initial
         synchronization with at least one replica of this server's writeable domain.  It must also obtain Rid
         information from the Rid FSMO holder.
          The directory service has not signalled the event which lets other services know that it is ready to accept
         requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not
         consider this system as an eligible domain controller.
         ......................... XYZDCDC11 passed test Connectivity

Doing primary tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Advertising
         Warning: the directory service on XYZDCDC11 has not completed initial synchronization.
         Other services will be delayed.
         Verify that the server can replicate.
         Warning: DsGetDcName returned information for\\XYZDCDC02.domain.com, when we were trying to reach XYZDCDC11.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... XYZDCDC11 failed test Advertising
      Starting test: FrsEvent
         ......................... XYZDCDC11 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... XYZDCDC11 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... XYZDCDC11 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 11/06/2018   16:27:18
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the followin
g directory service has consistently failed.
         ......................... XYZDCDC11 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... XYZDCDC11 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... XYZDCDC11 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... XYZDCDC11 passed test NCSecDesc
      Starting test: NetLogons
         ......................... XYZDCDC11 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... XYZDCDC11 passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from GOULBDC01 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 0 percent complete.
         [Replications Check,XYZDCDC11] A recent replication attempt failed:
            From XYZDCDC02 to XYZDCDC11
            Naming Context:
            The replication generated an error (8461):
            The replication operation was preempted.
            The failure occurred at 2018-11-06 16:31:21.
            The last success occurred at (never).
            1 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from XYZDCDC02 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 87 percent complete.
         ......................... XYZDCDC11 failed test Replications
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=XYZDCDC11,OU=Domain Controllers,
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... XYZDCDC11 failed test RidManager
      Starting test: Services
         ......................... XYZDCDC11 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 11/06/2018   15:38:55
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and t
his server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 11/06/2018   16:22:27
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you s
hould use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000416
            Time Generated: 11/06/2018   16:22:28
            Event String:
            The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain domain.com, has dete
rmined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons f
or this:
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 11/06/2018   16:22:48
            Event String:
            The request for a new account-identifier pool failed. The operation will be retried until the request succee
ds. The error is
         ......................... XYZDCDC11 failed test SystemLog
      Starting test: VerifyReferences
         ......................... XYZDCDC11 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : dec
      Starting test: CheckSDRefDom
         ......................... dec passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... dec passed test CrossRefValidation

   Running enterprise tests on : domain.com
      Starting test: LocatorCheck
         ......................... domain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.com passed test Intersite
PS C:\Windows\system32>
PS C:\Windows\system32> repadmin
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:<retries>][:<delay>]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:<cmd>    Displays the list of possible arguments <args>, appropriate
            syntaxes and examples for the specified command <cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported <cmd> commands (use /?<cmd> for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp


Note: Most commands take their parameters in the order of "Destination or
      Target DSA_LIST", then a "Source DSA_NAME" if required, and finally the
      NC or Object DN if required.

        <DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
        string. For Active Directory Domain Services, this is simply a network
        label (such as a DNS, NetBios, or IP address) of a Domain Controller.
        For Active Directory Lightweight Directory Services, this must be a
        network label of the AD LDS server followed by a colon and the LDAP
        port of the AD LDS instance
            Examples (AD DS):  dc-01
                               dc-01.microsoft.com
            Examples (AD LDS): ad-am-01:2000
                               ad-am-01.microsoft.com:2000

      <Naming Context> is the Distinguished Name of the root of the NC
            Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with International or
      Unicode characters will only display correctly if appropriate fonts and
      language support are loaded.
PS C:\Windows\system32> repadmin


NSW DECC

Alternate UPN login with domain trust


Greetings all.

We are currently in the process of an AD migration. Let's say that:

1. DomainA is our current source domain

2. DomainB is our target domain

We currently have a two way, external, non-transitive trust between both domains. We also have DNS forwarders setup in DomainA, pointing to DNS servers in DomainB land. We have done some basic testing with ADMT, and are currently able to migrate accounts with SID history from DomainA into DomainB successfully. 

Now DomainB users have a default UPN of user@domainB.something.net, but also have an alternate UPN which can be assigned which is user@domainB.com

What we would like to do, is migrate our users from DomainA into DomainB with SID history (We have this working so far), and then give them a UPN of user@domainB.com (which we tested after migrating with ADMT, we can set UPN as that)

Now what we need is for our users to sit down at a machine still bound to DomainA and have the ability to log in with an account that has been ADMT-migrated, using the UPN user@DomainB.com.

We have tested, and can log in on a machine bound to DomainA as an ADMT-migrated user using only user@DomainB.something.net.

So it's allowing us to log in to what our trusted domain is, user@DomainB.something.net, but it's not recognizing user@DomainB.com?

We bound a VM to DomainB.something.net, and can then log on OK with that ADMT-migrated account as user@DomainB.com.

So the alternate UPN of user@DomainB.com is only working on machines that are also bound to DomainB.something.net.

It's obviously something to do with the trust and how the UPNs are working, but I haven't figured it out yet.

Any help would be minty.

Cheers.
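Before changing anything on the trust, it helps to have the facts in one place: what kind of trust exists as seen from each side, which alternative UPN suffixes each forest has registered, and whether a DomainA workstation can locate a DC for the suffix on the migrated account at all. The following is an added example, not from the post; it assumes the ActiveDirectory module on an admin host in DomainA, and the DomainA name and the user name are placeholders.

```powershell
# Added example (not from the post). Placeholders: $domainA, 'migrated.user'.
Import-Module ActiveDirectory

$domainA = 'domainA.local'           # assumption: placeholder for the source domain
$domainB = 'domainB.something.net'   # from the post

# 1. Trust properties from each side. An external trust reports ForestTransitive = False;
#    only a forest trust carries name-suffix routing for alternative UPN suffixes.
foreach ($d in $domainA, $domainB) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object @{n='QueriedFrom'; e={ $d }}, Name, Direction, TrustType, ForestTransitive, IntraForest
}

# 2. Alternative UPN suffixes each forest knows about.
foreach ($d in $domainA, $domainB) {
    $f = Get-ADForest -Server $d
    [pscustomobject]@{ Forest = $f.Name; UPNSuffixes = ($f.UPNSuffixes -join ', ') }
}

# 3. The UPN actually set on the migrated account, and whether a DomainA-joined machine can
#    locate a DC for that suffix (the locator lookup that Winlogon's UPN logon depends on).
$user   = Get-ADUser -Identity 'migrated.user' -Server $domainB
$suffix = ($user.UserPrincipalName -split '@')[1]
"Account UPN suffix: $suffix"
nltest /dsgetdc:$suffix
nltest /dsgetdc:$domainB
```

If step 3 locates a DC for DomainB.something.net but fails for DomainB.com from the DomainA machine, the workstation has no route from that suffix to the trusted domain, which matches the symptom described in the post.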

 


Multi-Site Replication and Site Targeting


Hi All, 

This should be quite a simple one to answer hopefully. 

We have two physical datacenter sites, Site A and Site B. We are using a stretched VXLAN across both sites, so where we would previously have set up AD sites to represent each physical site and control replication, we can't do that here.

In terms of AD, it all appears on the same network regardless of physical location globally. Does anyone have any ideas on how we could manage excess east / west traffic in this situation? I'm currently considering DNS weightings but there may be a better way. 

Thanks in advance !

M

One Policy Overriding the other same type of policy


I am using Server 2012 R2. I have configured a policy on a user OU for blocking certain application say 'firefox'. Tested it, it was working fine. Then requirement came for blocking another application say 'chrome'. I created another similar policy to block 'chrome' and applied on the same OU. But when I see resultant set of policy, earlier blocked application was removed and only 'chrome' was present in the list of blocked applications. I was also able to run 'firefox' while I had blocked it using previous policy.

Kindly help me with the correct configuration of the policy. I am using 'Don't run specified Windows applications' settings. Does configuring multiple policies with same type of settings create problems?
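'Don't run specified Windows applications' is a registry-based Administrative Template setting: each GPO writes its list as numbered values (1, 2, 3, ...) under the same DisallowRun key, and registry-based settings are not merged across GPOs, so the GPO processed last overwrites the list the earlier one wrote. The block below, an added example not from the post, shows on a client what actually landed in the registry and, on the admin side, the link order that decides which GPO wins. The OU distinguished name is a placeholder.

```powershell
# Added example (not from the post). Placeholder: $ou.

# 1. On the affected client, as the affected user: the list that actually applied.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $key) {
    $item = Get-Item $key
    foreach ($valueName in $item.Property) {
        [pscustomobject]@{
            ValueName = $valueName
            Blocked   = (Get-ItemProperty -Path $key -Name $valueName).$valueName
        }
    }
} else {
    'DisallowRun list not present for this user'
}

# 2. On an admin host: link order on the OU. Order 1 has the highest precedence, i.e. it is
#    applied last and overwrites identical value names written by lower-precedence GPOs.
Import-Module GroupPolicy
$ou = 'OU=Users,DC=example,DC=com'   # assumption: placeholder DN of the user OU
(Get-GPInheritance -Target $ou).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Seeing only chrome.exe under the key while two GPOs are linked is the overwrite in action; keeping one GPO that carries the complete list avoids depending on link order.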

High availability Azure AD connect


Hi,

I'm looking to deploy Azure AD Connect in our hybrid environment.

We have applications hosted in the cloud, so we need to ensure the availability of Azure AD Connect.

Do you have any idea?

Domain controller upgrade to Windows 2016


Hi

I have some questions about DC migration from windows 2008 R2 to Windows 2016, I hope you can answer me as usual.

Should we migrate to windows 2012 before Windows 2016?

User rights to download

The users in my domain only have User rights. However, some of our users need rights to be able to download files from the Internet and open them. They cannot do that with User rights; they get prompted for an admin login every time. What group can I add them to that will still restrict them from doing anything malicious but yet allow them to download and execute files?

Support analyst

Backed Up Server 2012r2 Domain Controller VM - Keeps loading on Please Wait after network setup (IP address/Subnet Mask/DNS)


Hi IT Experts,

I need help. Here's the background:

Half-yearly I boot up a backup image of a Server 2012 R2 Domain Controller (with DNS, DHCP, Print Server, File Server, Folder Redirection) to test whether it is working perfectly. If you need to know, I am using ShadowProtect to back up incrementally every day, and when I restore the image, the RPO will be the night before. As usual, I boot up the virtual server with the network disabled. No problem logging in.

After enabling the network, configuring the IP address, subnet mask, gateway and DNS (127.0.0.1), and rebooting the server, it keeps loading on "Please Wait". I have waited for 1 hour, but it remains the same. So I turned it off and disabled the network. When I turned it on again, I was able to log in again.

Can anyone guide me on what I can do to resolve this?

Thanks in advance.

LAPS - Extended Rights


We are looking to implement LAPS in our environment. However, during testing we noticed, when using PowerShell to check for extended right holders on an OU: Find-AdmPwdExtendedRights -identity:"OU=Test,DC=Test,DC=COM" | format-table extendedRightHolders

that the extended right holders displayed include users/groups which are not present on the same OU via ADSIEDIT. For example, if I:

1. Launch ADSIEDIT

2. Right click on TEST OU

3. Go to properties

4. Go to security 

5. Go to Advanced

I don't see the users/groups listed which PowerShell listed. We want to make sure only Domain Admins have access to view the LAPS password. Any idea what I'm missing? Could it be that the users/groups are present in child objects under the TEST OU?
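The security tab in ADSI Edit shows the ACL of the one OU selected, while Find-AdmPwdExtendedRights walks the OU and every OU beneath it and reports each one separately, so an ACE defined on a child OU appears in its output and not on the parent's security tab. The script below is an added example (not from the post or the LAPS project) that reproduces that subtree walk with Get-Acl on the AD: drive, listing every Allow ACE that grants "All extended rights" or is scoped to the ms-Mcs-AdmPwd attribute, together with the OU it is defined on. It assumes the ActiveDirectory module and the OU DN from the post.

```powershell
# Added example (not from the post): who holds extended rights (i.e. can read ms-Mcs-AdmPwd)
# on the OU and on each OU below it, and where each ACE is actually defined.
Import-Module ActiveDirectory

$root = 'OU=Test,DC=Test,DC=COM'
$allExtendedRights = [guid]'00000000-0000-0000-0000-000000000000'

# Schema GUID of ms-Mcs-AdmPwd, so ACEs limited to that single attribute are caught too.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$admPwdAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = if ($admPwdAttr) { New-Object Guid -ArgumentList (,[byte[]]$admPwdAttr.schemaIDGUID) } else { $null }

# The OU itself plus the whole subtree, reported per OU like the LAPS cmdlet does.
$ous = @(Get-ADOrganizationalUnit -Identity $root) +
       @(Get-ADOrganizationalUnit -Filter * -SearchBase $root -SearchScope Subtree |
           Where-Object { $_.DistinguishedName -ne $root })

$report = foreach ($ou in $ous) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        $rights         = $ace.ActiveDirectoryRights.ToString()
        $scopedToAll    = $ace.ObjectType -eq $allExtendedRights
        $scopedToAdmPwd = $admPwdGuid -and ($ace.ObjectType -eq $admPwdGuid)
        if ($ace.AccessControlType -eq 'Allow' -and
            $rights -match 'ExtendedRight|GenericAll' -and
            ($scopedToAll -or $scopedToAdmPwd)) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Holder    = $ace.IdentityReference.Value
                Rights    = $rights
                Scope     = if ($scopedToAdmPwd) { 'ms-Mcs-AdmPwd only' } else { 'All extended rights' }
                Inherited = $ace.IsInherited
            }
        }
    }
}
$report | Sort-Object OU, Holder | Format-Table -AutoSize
```

Inherited = False on a child OU is the case the post describes: the ACE lives on that child and is invisible on the parent's security tab. Any holder that is not the intended admin group is reviewed on the OU where the ACE is defined, not on TEST.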


Activation Infrastructure


Currently we use KMS to activate our Win 7, Server 2012 R2 and lower, and Office 2013 Pro Plus x86.

We are now going to introduce Windows Server 2016, the O365 client and Windows 10 in our environment.

Looking at the need for activation, what is recommended for these products?

I checked and there is something called ADBA available as well; is that a better option than updating our KMS?

Can both methods co-exist, and how does a new client determine the activation source, KMS or ADBA?

What would we do for the non-domain-joined machines (use MAK)?

Please suggest.
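An inventory of what is already in place answers the "which source will a client use" question concretely: KMS hosts advertise a _vlmcs SRV record, ADBA activation objects live in the Configuration partition (so every domain in the forest sees them), and a client records which method activated it. The following is an added example, not from the post; it assumes the ActiveDirectory module on an admin host and a domain-joined client for the last part. The ADBA container path and object class are the ones the Volume Activation Services role creates in the schema and are taken here as an assumption to verify against your forest.

```powershell
# Added example (not from the post). Assumptions: ADBA container/class names as noted above.
Import-Module ActiveDirectory

# 1. KMS hosts that clients can discover through DNS.
$dnsRoot = (Get-ADDomain).DNSRoot
Resolve-DnsName -Name "_vlmcs._tcp.$dnsRoot" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port

# 2. ADBA activation objects in the Configuration partition.
$configNC      = (Get-ADRootDSE).configurationNamingContext
$adbaContainer = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$configNC"
try {
    $null = Get-ADObject -Identity $adbaContainer -ErrorAction Stop
    Get-ADObject -SearchBase $adbaContainer -LDAPFilter '(objectClass=msSPP-ActivationObject)' -Properties displayName |
        Select-Object Name, displayName
} catch {
    'No ADBA activation objects found: Active Directory-Based Activation is not deployed in this forest'
}

# 3. On a client: which method actually activated each licensed product. An ADBA-activated
#    product carries an ADActivationObjectName; a KMS-activated one names the KMS host it used.
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Select-Object Name, LicenseStatus, ADActivationObjectName,
                  KeyManagementServiceMachine, DiscoveredKeyManagementServiceMachineName
```

LicenseStatus 1 means licensed; a product that shows neither an activation object nor a KMS machine has not activated against either infrastructure and is where the MAK question for non-domain-joined machines comes in.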


Cannot open advanced audit policy configuration


Hi Microsoft Team,

I am facing an issue with advanced audit policy configuration: I cannot create an advanced audit policy to audit object access and account management. Can anyone help me?

Erroneous Results from Get-ADUser

The below AD query gives me thousands of results, including four named: 7-Jan, 7-Mar, 1-Apr, 8-May.

Get-ADUser -Filter * -SearchBase "OU=Departments,DC=dom,DC=for" | Select-Object samaccountname | export-csv -Path c:\users\me\desktop\wtf.csv -NoTypeInformation
However, when I use PowerShell to ask AD to show me users with the samaccountname of any from the above list I get nothing:

Get-ADUser -Filter * -SearchBase "OU=Departments,DC=dom,DC=for" | Select-Object samaccountname | Where-Object {$_.samaccountname -eq "7-Jan"}

Does anyone have any idea or explanation for this?
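Two things are worth separating here: whether AD really holds accounts named 7-Jan and friends, and whether the CSV holds such values at all when read as text rather than in a spreadsheet (a spreadsheet opened on a name such as 1-7 displays it as a date without changing the file). As an added example not from the post, the block below does both against the OU and file path from the post; the date-display explanation is an assumption to be confirmed by the second step.

```powershell
# Added example (not from the post). Uses the OU and CSV path from the post.
Import-Module ActiveDirectory

$base  = 'OU=Departments,DC=dom,DC=for'
$csv   = 'C:\users\me\desktop\wtf.csv'
$names = '7-Jan', '7-Mar', '1-Apr', '8-May'

# 1. Server-side exact match per name; no client-side Where-Object involved.
foreach ($n in $names) {
    $hit = Get-ADUser -LDAPFilter "(sAMAccountName=$n)" -SearchBase $base
    '{0,-8} -> {1}' -f $n, $(if ($hit) { $hit.DistinguishedName } else { 'no such account' })
}

# 2. The raw file: does it literally contain those strings, or digit-separator-digit values
#    that a spreadsheet would render as dates?
Select-String -Path $csv -Pattern ($names -join '|')            | Select-Object LineNumber, Line
Select-String -Path $csv -Pattern '^"?\d{1,2}[-/]\d{1,2}"?$'     | Select-Object LineNumber, Line

# 3. Straight from AD: accounts whose name is only digits and a separator, i.e. the ones
#    that would be misread on display.
Get-ADUser -Filter * -SearchBase $base |
    Where-Object { $_.SamAccountName -match '^\d{1,2}[-/]\d{1,2}$' } |
    Select-Object SamAccountName, DistinguishedName
```

If step 1 returns nothing, step 2's first search is empty and its second search finds entries such as 1-7, the accounts are real but their names are not what the spreadsheet showed; step 3 then lists them directly.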

Renaming a domain controller did not create new computer account in AD but kept old one


I have been having issues ranging from the netlogon service not starting to the Time service not starting, which through a few hours of research finally led me to an issue.

Bear with me as I describe what I did and then what happened.

I have 2 DCs which have been running fine for some time:

  • NEXUS (Server 2008)
  • NEXUS-NEW (SERVER 2012)

I wanted to upgrade NEXUS (Server 2008) to Server 2012 and call it the same computer name and ip address eventually

Here are the steps I took

  1. I created a new 2012 DC, called it NEXUS-UPGRADE
  2. Made sure all FSMO roles were in control of NEXUS-NEW, which they already were
  3. Promoted NEXUS-UPGRADE to a DC, confirmed it was working...everything checked out.
  4. Went to NEXUS (Server 2008) did a dcpromo and demoted it to a regular server...everything checked out.
  5. Renamed NEXUS (Server 2008) to NEXUS-OG
  6. Changed the IP address of NEXUS-OG to a different one
  7. Shut down NEXUS-OG
  8. Went to NEXUS-UPGRADE and renamed it to NEXUS and changed the ip address to the original ip
  9. Rebooted server

At this point everything seemed fine.

The next day I started having time sync issues with computers on the network as well as DNS issues. I went to DNS and saw that there were some forward and reverse entries with the new server's original name, NEXUS-UPGRADE, so I changed them all to NEXUS.

Still having issues

Ran dcdiag /v and was seeing that it was having replication issues and still looking for the name NEXUS-UPGRADE.

Went to regedit and searched for NEXUS-UPGRADE entries and fixed them all to NEXUS

Still having issues

Finally I went to Active Directory and saw that the domain controller accounts listed were NEXUS-NEW and NEXUS-UPGRADE

NEXUS is missing!!

So basically what happened was that when I changed the new server's computer name back to NEXUS, that change did not happen in AD. It still has its original name of NEXUS.

My idea is to change the new server from NEXUS to something else then go back and change it to NEXUS again. I tried using netdom and computer properties but they error out.

Problem is when I try and change it I get an error that the original computer account does not exist which it doesn't and I cannot change the name.

How can I get AD to create a computer account for my new AD (NEXUS)?

I hope this makes sense

Child Domain Error : Event ID 2974


Hi 

We have recently installed a domain; the FQDN of the child domain is "PDC.PDC.ABC.com" and we tried to install the ADC for the child domain. We found that our ADC is not able to contact PDC.PDC.ABC.com and the SYSVOL folder is empty.

So I suspect that the name of the child domain, "PDC", might be the issue; please guide me.

We found the below error :

Event ID 2974:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=TERMSRV/PDC
CN=PDC,OU=XXX Computers,DC=ABC,DC=com  Winerror: 8647
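Event 2974 names the exact conflict: the value TERMSRV/PDC is already registered on CN=PDC,OU=XXX Computers,DC=ABC,DC=com, a computer in the parent domain, and the new child-domain DC (also named PDC) tries to register the same SPN, which must be unique across the forest. The block below is an added example, not from the post, that looks up every object in the forest holding a given SPN through the global catalog and then runs the built-in forest-wide duplicate scan. It assumes the ActiveDirectory module and uses ABC.com from the post as the forest root.

```powershell
# Added example (not from the post): find the objects competing for one SPN, forest-wide.
Import-Module ActiveDirectory

$forestRoot = 'ABC.com'       # forest root from the post
$spn        = 'TERMSRV/PDC'   # value from event 2974

# A global catalog query (port 3268) covers every domain in the forest, which is the scope
# of the uniqueness check the event message refers to.
Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
    -Server "${forestRoot}:3268" -SearchBase '' -SearchScope Subtree `
    -Properties servicePrincipalName, objectClass |
    Select-Object DistinguishedName, objectClass,
                  @{n='SPNs'; e={ $_.servicePrincipalName -join '; ' }}

# Built-in forest-wide scan for any duplicate SPN, not just this one.
setspn -X -F
```

Two hits for TERMSRV/PDC, one in DC=ABC,DC=com and one in the child domain, is the duplicate the event describes; renaming whichever machine should not carry that name (or removing its stale computer object) clears it, and setspn -X -F afterwards should report no duplicates.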
