
Some users can't log in to an ADFS 2022 server but can on 2012

Mika01450 0 Reputation points
2025-10-14T12:13:56.25+00:00

Hi,

Since I migrated a secondary domain controller from 2012 R2 to 2022, users can no longer log in. It works fine if they log in to the primary 2012 server. Perhaps there's a setting to change in the ADFS authentication. On a workstation, when I ping domain.local, if I get the primary controller in return, everything works; however, if it's the secondary controller, it doesn't.

Thank you in advance for your help.


1 answer

  1. Joseph Tran 3,995 Reputation points Independent Advisor
    2025-10-14T14:58:15.33+00:00

    Hi there,

    It sounds to me like your new 2022 domain controller isn't handling logins correctly: clients only authenticate when they hit the old 2012 DC. That usually means a replication, DNS, or time-sync issue, not ADFS itself.

    So you should check these steps first:

    • Time sync – Make sure both DCs and the clients use the same NTP source. Run w32tm /resync.
    • SYSVOL/NETLOGON – On the 2022 DC, run dcdiag /test:sysvolcheck /test:netlogons. If it fails, fix DFSR replication.
    • DNS – Ensure both DCs register the proper SRV records. Run:
      nslookup
      set type=SRV
      _kerberos._tcp.dc._msdcs.domain.local

      => Both DCs should appear.
    • Trust check – On the 2022 DC, run nltest /sc_verify:domain.local. If it fails, rejoin or re-establish the trust.
    • ADFS – Restart the ADFS service after fixing replication/DNS. Also verify the SPNs with setspn -L <adfs_service_account>.

    => If users can log in only when DNS resolves to the 2012 DC, it's almost always one of the first three issues.

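The checks in the answer above, rolled into one PowerShell script as an added example (this is not code from the original post or from either participant). It runs the time-sync, SYSVOL/NETLOGON, DNS SRV, secure-channel and SPN checks against every DC and prints PASS/FAIL per check. It assumes the domain is domain.local (taken from the question), that it runs elevated on a domain-joined machine with the RSAT ActiveDirectory module and the built-in w32tm, dcdiag, repadmin, nltest and setspn tools, and that svc_adfs is a hypothetical placeholder for the real AD FS service account name.

```powershell
# Added example, not from the original post: automates the five checks from the
# answer and reports PASS/FAIL per DC. Assumptions: domain.local (from the
# question), RSAT ActiveDirectory module present, run elevated on a domain
# member; 'svc_adfs' is a hypothetical placeholder for the AD FS service account.
param(
    [string]$Domain             = 'domain.local',   # assumed, taken from the question
    [string]$AdfsServiceAccount = 'svc_adfs'        # hypothetical placeholder name
)

Import-Module ActiveDirectory -ErrorAction Stop

function Report([bool]$Ok, [string]$Check, [string]$Detail) {
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1,-11} {2}" -f $tag, $Check, $Detail)
}

# Enumerate every DC (FQDNs) so the new 2022 DC is checked alongside the 2012 one.
$dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
Write-Host "Domain controllers: $($dcs -join ', ')`n"

# 1. Time sync: each DC must report a real time source. 'Local CMOS Clock' or
#    'Free-running System Clock' means it will drift past the 5-minute Kerberos skew.
foreach ($dc in $dcs) {
    $source = (w32tm /query /status /computer:$dc 2>&1 | Select-String '^Source:') -join ''
    Report ($source -ne '' -and $source -notmatch 'Local CMOS Clock|Free-running') 'Time' "$dc $source"
}

# 2. SYSVOL/NETLOGON shares and DFSR state on each DC. dcdiag prints
#    '<DC> failed test NetLogons' when the share is missing or the initial sync
#    has not completed.
foreach ($dc in $dcs) {
    $out    = dcdiag /s:$dc /test:SysVolCheck /test:NetLogons 2>&1
    $failed = @($out | Select-String 'failed test')
    $detail = if ($failed) { ($failed -join '; ') } else { 'SysVolCheck, NetLogons passed' }
    Report ($failed.Count -eq 0) 'SYSVOL' "$dc $detail"
}
# Replication health across all DCs: the 'Fails' column must be 0 for every partner.
repadmin /replsummary

# 3. DNS: the Kerberos and LDAP SRV records under _msdcs must list every DC.
#    A DC absent here never registered with DNS (check its Netlogon service and
#    that the zone accepts secure dynamic updates).
foreach ($rec in "_kerberos._tcp.dc._msdcs.$Domain", "_ldap._tcp.dc._msdcs.$Domain") {
    $targets = Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'SRV' } |
               ForEach-Object { $_.NameTarget.TrimEnd('.') }
    $missing = @($dcs | Where-Object { $targets -notcontains $_ })
    $detail  = if ($missing) { "$rec missing: $($missing -join ', ')" } else { "$rec lists all DCs" }
    Report ($missing.Count -eq 0) 'DNS' $detail
}

# 4. Secure channel from this machine to the domain (the 'trust check' step).
#    The 'Trusted DC Name' line shows which DC actually answered.
$nlLines = nltest /sc_verify:$Domain 2>&1
$nl      = $nlLines -join "`n"
Report ($nl -match 'NERR_Success' -and $nl -notmatch 'ERROR_') 'SecureChan' (($nlLines | Select-String 'Trusted DC Name') -join '')

# 5. AD FS SPNs: the federation service name must be registered as host/<fqdn>
#    (http/<fqdn> on older setups) on the service account, and on nothing else.
$spns   = @(setspn -L $AdfsServiceAccount 2>&1 | Select-String '^\s+(host|http)/')
$detail = if ($spns) { ($spns | ForEach-Object { $_.ToString().Trim() }) -join ', ' } else { 'no host/ or http/ SPN registered' }
Report ($spns.Count -gt 0) 'ADFS SPN' "${AdfsServiceAccount}: $detail"
# Duplicate SPNs anywhere in the forest break Kerberos for AD FS; this must print nothing.
setspn -X

# Remediation once a failing check is fixed, as the answer suggests:
#   w32tm /resync /rediscover      on each DC and on affected clients
#   Restart-Service adfssrv        on the AD FS server (service name on 2012 R2 and later)
```

Run it from the 2022 DC itself as well as from a workstation that resolves domain.local to the 2022 DC; a check that passes from the 2012 DC but fails from the 2022 DC points directly at the component the answer suspects (time, SYSVOL/replication or DNS registration) rather than at AD FS.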
