nigenl

DNS Not responding

Hi all, need a little help ASAP please. I have two DCs which I'd call DC1 and DC2 in a single domain forest. Both are Windows Server 2003 SP2 DCs. Both are also DNS Servers and DC1 holds the FSMO roles. I'm not using DHCP at the moment but intend to in the weeks to come.
I recently noticed an error on DC1 and ran dcdiag, which returned an error looking like this (stripped out specific IP and FQDN info):

Although the Guid DNS name IP address 208.82.240.224 could not be pinged, the servername resolved to the IP address and could be pinged
-----Failed Connectivity Test
DC Diag on DC2 is clean without errors or any failure messages

So I ran ipconfig /flushdns, then dnscmd /clearcache, then I started and stopped netlogon.
I also ran netdiag. This seemed to look OK except that the DC List test failed, though the DC discovery test passed and the trust relationship test was skipped! Also, running a test from the Monitoring tab of the DNS property dialog (from the DNS MMC interface) passed both the simple and recursive tests for DC2, but from DC1 only the simple test passed and the recursive test failed.
DC2 passed all tests for netdiag and dcdiag. So I changed the NIC setting on DC2 to point to itself as primary DNS.
When I run nslookup from DC1 or DC2, I get an initial prompt:
" Can't find server name for address 192.168.0.x: Non-existent domain"
But when I query names within or outside my domain from DC1, I only get names resolved for names within the domain, but I get names resolved for both domain and non-domain names from DC2.

After doing all these, I ran dcdiag again on DC1 and got this message:

Doing initial required tests

   Testing server: Site\SvrName
      Starting test: Connectivity
         Server SvrName resolved to this IP address 208.82.240.224,
         but the address couldn't be reached(pinged), so check the network.
         The error returned was: A non-recoverable error occurred during a database lookup.
         ......................... ENLAPAPA1 failed test Connectivity
This IP 208.82.240.224 that keeps being listed is not even on my network!

I'm at a loss, anyone with an idea what to do?

NB: Replication also succeeds, but fails now and then; it still seems to be happening.
Got the following errors in the DNS Server event log on DC1 and DC2:

Err ID:4015
Description: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Err ID: 4004
Description: The DNS server was unable to complete directory service enumeration of zone domain.com.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

Err ID:4004
Description: The DNS server was unable to complete directory service enumeration of zone 0.168.192.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.


Err ID: 4004
Description: The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
Nagendra Pratap Singh

What is your DNS ip?
nigenl

ASKER

DC1 192.168.0.1, DC2 192.168.0.3

ASKER

Additional Info: I ran dnslint /ad /s localhost /v
It returned without errors on both DC1 and DC2. Both gave identical results as follows:

dnslint /ad /s localhost /v

Root of Active Directory Forest:

    enl.com

Active Directory Forest Replication GUIDs Found:

DC: ENLAPAPA1
GUID: 2b040ee6-abb3-479c-868c-9c6de3c8485d

DC: ENLAPAPA3
GUID: f044d671-847c-4179-a99c-ca9ed32c808b


Total GUIDs found: 2

--------------------------------------------------------------------------------

Results from querying the locally configured DNS server(s):




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 2b040ee6-abb3-479c-868c-9c6de3c8485d._msdcs.enl.com
Alias: enlapapa1.enl.com
Glue: 192.168.0.1

CNAME: f044d671-847c-4179-a99c-ca9ed32c808b._msdcs.enl.com
Alias: enlapapa3.enl.com
Glue: 192.168.0.3


Total number of CNAME records found by local system: 2

Total number of CNAME records local system could not find: 0

Total number of glue (A) records local system could not find: 0

NOTE: Mine is not the same as the Internet enl.com domain name!

Ping each server by name from the other DC?
Could be FW?
Or even something like file sharing being disabled (Browsing UNC will test that)

Try simple tests like browsing using UNC paths:
\\DC1\
\\DC1.mydomain.local

Any kind of name resolution issue, or network issue can make AD fail.
Have you verified that you don't have an A record for DC1 that is pointing to 208.82.240.224?
Also verify that both servers are pointing to each other and themselves for DNS under NIC properties.
Next check that recursion isn't disabled for the server (in DNS Managment, server properties, Advanced tab).
Do you have forwarders configured for specific domains?
Do you have Group Policy configuring any DNS settings?

ASKER

Thanks guys for your replies. My apologies for the late response, but I've had to go home for the night. For starters, my servers are not always-on servers. They are turned off at the end of the business day. So, the last error when running dcdiag from DC1 yesterday was:

Doing initial required tests

   Testing server: Site\SvrName
      Starting test: Connectivity
         Server SvrName resolved to this IP address 208.82.240.224,
         but the address couldn't be reached(pinged), so check the network.
         The error returned was: A non-recoverable error occurred during a database lookup.

However, this morning, on turning on the DC1 machine, the previous dcdiag error had returned, i.e.:


   Testing server: Site\SvrName
      Starting test: Connectivity
         Although the Guid DNS name
         (2b040ee6-abb3-479c-868c-9c6de3c8485d._msdcs.enl.com) resolved to the
         IP address (208.82.240.224), which could not be pinged, the server
         name (enlapapa1.enl.com) resolved to the IP address (192.168.0.1) and
         could be pinged.  Check that the IP address is registered correctly
         with the DNS server.
         ......................... SvrName failed test Connectivity

@ping: FQDN responded OK on DC1 and DC2. UNC access also worked fine for the NetBIOS name and FQDN. What is FW please?

@footech, I've checked and double-checked the A record. No, that IP doesn't appear anywhere.  Even if there were A records, then the same problem should be affecting DC2, but DC2 doesn't have any of these errors. Both servers point at each other and themselves in NIC settings. DC1 has preferred DNS pointing at itself and alternate at DC2. DC2 has preferred DNS pointing at itself and alternate at DC1. Recursion is not disabled on either DC1 or DC2.
The only forwarder configured is for the Internet (i.e. my ISP's DNS IP). DC2 uses these and resolves well, but DC1 only seems to resolve local network names.
No, there are no group policies used to configure DNS settings. But just in case, I'll double-check the GPO and get back to you shortly.
I had gone through all the posts quickly, not sure if you have mentioned it or not, but have you checked the NIC properties of the culprit DC to see if it has any primary or secondary DNS configured as 208.82.240.224?

Also, have you checked if any record is present in the forward or reverse lookup zone for IP 208.82.240.224?

It's a public IP, so make sure you have not given it at any place other than forwarders, if it's a DNS server.

ASKER

@sarang_tinguria, yes I've checked all that and didn't find any record for this IP. I've investigated the public IP too. It belongs to a company my company has no association with.

I'm at a dead end; short of transferring the FSMO roles to DC2 and taking down DC1 to re-promote it, I'm short on ideas.
Will appreciate any suggestions. Thanks

ASKER

More baffling results: I transferred all FSMO roles to DC2, made DC2 the GC, then demoted DC1 as a domain controller, restarted, and when it came back online, uninstalled DNS from DC1. Restarted again. Now I've promoted DC1 back (yet to install DNS). Unfortunately, after promoting DC1 back to a domain controller, I get the exact same error! Anyone got an idea what is happening here?
SOLUTION
footech

ASKER

Hi footech, the SOA and NS records are good. DC1 not recognizing that it is authoritative for enl.com does sound like a possibility, so I did an A record lookup online for the Internet domain name enl.com. And you were right, it was the rogue IP 208.82.240.224. Problem is, what could possibly be causing this problem?!
I'd attempt the authoritative restore from DC2 to DC1. Hoping that works.
I'd keep you updated.
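The dcdiag Connectivity output quoted earlier in the thread contains enough to spot this kind of namespace collision automatically. The following is an added example, not code from the thread or from any of its participants: it parses both forms of the Connectivity message shown above and flags a DC whose _msdcs GUID CNAME or host name resolves to an address outside the internal ranges, or whose GUID alias and A record disagree. It assumes RFC 1918 space is "internal" unless you pass your own network list, and the sample text is constructed from the thread's own output with the server name placeholder kept.

```python
"""Check a dcdiag Connectivity result for an AD DNS namespace collision.

Added example, not the thread author's code.  A DC whose own _msdcs name
resolves to a public address is answering from a forwarder (or the public
owner of the same domain name) instead of from its own AD-integrated zone.
"""
import ipaddress
import re

# Constructed sample text, shaped after the dcdiag output quoted in the thread.
SAMPLE_GUID_FORM = """\
   Testing server: Site\\SvrName
      Starting test: Connectivity
         Although the Guid DNS name
         (2b040ee6-abb3-479c-868c-9c6de3c8485d._msdcs.enl.com) resolved to the
         IP address (208.82.240.224), which could not be pinged, the server
         name (enlapapa1.enl.com) resolved to the IP address (192.168.0.1) and
         could be pinged.  Check that the IP address is registered correctly
         with the DNS server.
         ......................... SvrName failed test Connectivity
"""

SAMPLE_SERVER_FORM = """\
   Testing server: Site\\SvrName
      Starting test: Connectivity
         Server SvrName resolved to this IP address 208.82.240.224,
         but the address couldn't be reached(pinged), so check the network.
         The error returned was: A non-recoverable error occurred during a datab
ase lookup.
         ......................... SvrName failed test Connectivity
"""

# Constructed healthy output for comparison.
SAMPLE_HEALTHY = """\
   Testing server: Site\\SvrName
      Starting test: Connectivity
         ......................... SvrName passed test Connectivity
"""

_GUID_RE = re.compile(
    r"Guid DNS name \(([0-9a-f-]{36}\._msdcs\.[^)]+)\) resolved to the "
    r"IP address \(([\d.]+)\)",
    re.IGNORECASE,
)
_HOST_RE = re.compile(
    r"server name \(([^)]+)\) resolved to the IP address \(([\d.]+)\)",
    re.IGNORECASE,
)
_SERVER_RE = re.compile(r"Server (\S+) resolved to this IP address ([\d.]+),")


def parse_connectivity(text):
    """Extract the names and addresses dcdiag reports in its Connectivity test.

    Returns a dict with keys guid_name, guid_ip, host_name, host_ip; a key is
    None when that form of message is absent from the output.
    """
    flat = " ".join(text.split())  # undo dcdiag's 80-column line wrapping
    result = {"guid_name": None, "guid_ip": None, "host_name": None, "host_ip": None}
    m = _GUID_RE.search(flat)
    if m:
        result["guid_name"], result["guid_ip"] = m.group(1), m.group(2)
    m = _HOST_RE.search(flat) or _SERVER_RE.search(flat)
    if m:
        result["host_name"], result["host_ip"] = m.group(1), m.group(2)
    return result


def is_internal(ip, internal_nets=None):
    """True when ip lies in the organisation's internal ranges.

    With internal_nets=None this falls back to ipaddress' is_private test
    (RFC 1918, loopback, link-local), an assumption of this example.
    """
    addr = ipaddress.ip_address(ip)
    if internal_nets is None:
        return addr.is_private
    return any(addr in ipaddress.ip_network(n) for n in internal_nets)


def diagnose(text, internal_nets=None):
    """Return a list of findings; empty when the Connectivity output looks sane."""
    info = parse_connectivity(text)
    findings = []
    for label, name, ip in (("GUID CNAME", info["guid_name"], info["guid_ip"]),
                            ("server name", info["host_name"], info["host_ip"])):
        if ip and not is_internal(ip, internal_nets):
            findings.append(
                f"{label} {name} resolved to {ip}, outside the internal ranges: "
                "the answer most likely came from a forwarder or the public zone, "
                "so this DNS server is not answering authoritatively for the domain")
    if info["guid_ip"] and info["host_ip"] and info["guid_ip"] != info["host_ip"]:
        findings.append(
            f"GUID CNAME points at {info['guid_ip']} but the host record is "
            f"{info['host_ip']}: the _msdcs alias and the A record disagree")
    return findings


if __name__ == "__main__":
    for label, sample in (("guid form", SAMPLE_GUID_FORM),
                          ("server form", SAMPLE_SERVER_FORM),
                          ("healthy", SAMPLE_HEALTHY)):
        print(label, "->", diagnose(sample) or ["no findings"])
```

Run it against the saved output of `dcdiag /test:Connectivity` from each DC; a finding on one DC but not the other, as in this thread, points at that DC's own resolver path rather than at the zone data, since both servers load the same AD-integrated zone.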

ASKER

Guys, nothing seems to work. Outside of completely reinstalling that server, I'm out of ideas right now!
ASKER CERTIFIED SOLUTION
Thanks, though I don't know that I deserve any points for it.  :)  I almost can't believe I'm saying this, but it's rare that I run Windows Firewall (or any other) on a 2003 server.  Guess it was always too much of a pain.  2008 is different though.

Glad you figured it out.

ASKER

Well, since no one could have known everything that was locally installed on my machine, no one could have guessed the solution. But thanks everyone for pitching in. Especially footech, your contribution guided my thoughts in the right direction and made locating the problem a little faster.