Solved

W2k3 DNS servers unavailable, they report "Access is denied. You do not have permission to access this dns server."

Posted on 2005-03-08
Last Modified: 2012-05-05
2 of our three DNS servers appear to be working correctly - although one of them (the operations master) not at all. All three servers do not allow any access to themselves through the management console offering the above error.

The DNS that is not working logs event id:113

The DNS server could not signal the service "NAT". The error was 1168. There may be interoperability problems between the DNS service and this service.

Question by:MentalSolutions
16 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13487799
can you explain more about your network setup?  do you have windows server performing NAT at all via RRAS??  Are all DCs at the same location?  Can they ping each other etc?

0
 

Author Comment

by:MentalSolutions
ID: 13487948
No we are not running RRAS at all

we have a sonicwall 3060 which has two internet connections primary is a T1 line and the backup leg is an ADSL 2mb. Internet connectivity is working perfectly although on the operations master - no DNS lookups were working until we added dns servers to the nic (we added the other two dns servers from the domain).

The domain is spread over 2 main sites - with a 2mb leased line in between - each site is naturally on a different subnet. There are 2 DC's on each site.

the main problem is we cant access any of the DNS servers whatsoever.

 
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13488130
Ok, now I'm more confused:

"no DNS lookups were working until we added dns servers to the nic": of course DNS lookups don't work if you don't have the computer pointed to a DNS server.

"the main problem is we cant access any of the DNS servers whatsoever.": this contradicts the above statement.

In one place you say DNS lookups work when you have the NIC pointed to a DNS server (as expected), and then you say that you can't access any DNS servers at all. Which is it?

All of your DNS servers should be pointed to themselves for DNS name resolution.
All of your clients should be pointed to the LOCAL DNS server for DNS name resolution.
0
 

Author Comment

by:MentalSolutions
ID: 13488354
"no DNS lookups were working until we added dns servers to the nic"   of course DNS lookups don't work if you don't have the computer pointed to a DNS server.

The point is this machine *IS* a DNS server - so when working it doesn't actually need to point at DNS - it uses itself. This machine has been happily working for 12 months in this fashion and 2 days ago it stopped working. The only way for us then to resolve DNS was to point it at one of our other DNS servers.


"the main problem is we cant access any of the DNS servers whatsoever. " 
I can see how this statement can seem ambiguous - what I meant is that the management side of the DNS servers is accessible - although on two of the servers the actual DNS lookups are working.


All of your DNS servers should be pointed to themselves for DNS name resolution.
All of your clients should be pointed to the LOCAL DNS server for DNS name resolution.
*they are*
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13488493
"so when working it doesn't actually need to point at DNS - it uses itself." Not true: if you don't have any DNS servers listed for the NIC then it doesn't look anywhere for DNS name resolution. Like I said, it should be pointed to itself.

I would check the DNS error log for errors and try to resolve these errors.
OR
I would remove DNS from the problem server and then reinstall it.
0
 

Author Comment

by:MentalSolutions
ID: 13488876
"so when working it doesn't actually need to point at DNS - it uses itself." Not true: if you don't have any DNS servers listed for the NIC then it doesn't look anywhere for DNS name resolution. Like I said, it should be pointed to itself.

If you don't have any DNS servers listed - a message comes up and says

Warning - you dont have any DNS servers listed. The local IP address will be configured as the primary DNS as DNS server is installed on this machine.

So even though no DNS servers are listed it does indeed use itself

"OR
I would remove DNS from the problem server and then reinstall it."

I was thinking this is what I would do - it's just that there seems to be something wrong with all of them - in terms of not being able to access the management side. I will try removing and re-installing and see if that cures it
0
 

Author Comment

by:MentalSolutions
ID: 13488914
The dns zone is only a secondary zone internal - would i be able to remove all the dns servers on the domain and then re-install again from scratch ?
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13489454
are any of them active directory integrated zones?  they should all be AD integrated if they are physically on domain controllers.

Since all of these are on DCs,,, just remove the secondary zone and make them all AD integrated.
0
 

Author Comment

by:MentalSolutions
ID: 13489576
OK so I removed the DNS from all 3 servers and then re-installed on the operations master - unfortunately the installation could not complete due to the Access Denied 05 error
0
 

Author Comment

by:MentalSolutions
ID: 13489801
they are all supposed to be AD integrated zones -

sorry if some of my answers are misleading - i appreciate your assistance very much
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13489865
what about the other 2?  were you able to create an AD integrated DNS zone on those?

Did you uninstall and reinstall DNS on the operations master? NOT just remove the zone and recreate it: you need to uninstall the DNS service, reboot, then reinstall the DNS service on this server since the DNS service isn't working properly. You do this from Add/Remove Programs > Windows Components.

FYI, I never said to remove DNS from all 3 servers. I said if they have a secondary zone, then remove the secondary zone and then create an AD integrated zone.

0
 

Author Comment

by:MentalSolutions
ID: 13490011
I know you didn't say to remove DNS from all 3 servers

unfortunately I did (although I didn't reboot in between)

I'm afraid that now I have a big mess

When I re-install the DNS it says "access denied" halfway through the installation - again the DNS appears to be installed but I have not told it if it is AD integrated, primary or secondary. The DNS MMC snap-in still simply says access denied. The zone contains no unique information - I would like to just re-install from scratch and let it pick up its settings again automatically. I just don't know how

0
 

Author Comment

by:MentalSolutions
ID: 13490020
I have about 200 users who will be arriving at work in 10 hours and at this rate won't be able to log in - I'm starting to panic
0
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 1500 total points
ID: 13490185
Active Directory REQUIRES DNS, bottom line. Which account are you logged in with when you attempt to install/configure DNS? Is the account a member of the DNS admin group? When you say you get the access denied error, do you get this on all 3 of your DCs or just the one that holds the operations master role?

Just to make sure I understand correctly, you have 3 domain controllers, all of which used to have DNS on them, but you have now removed DNS from all 3, right?

You said earlier that you have 2 sites with 2 DCs at each site; wouldn't that mean you have 4 domain controllers though? Does this 4th one have DNS installed?
0
 

Author Comment

by:MentalSolutions
ID: 13490346
4th controller does not have dns installed

problem has been seriously improved

the access denied problem has been resolved - the security settings were screwed on the MicrosoftDNS object
I had to go into ADU&C
then on the View menu, click Advanced Features, expand the System folder and found the MicrosoftDNS object with no owner

now when I click on the MMC DNS snap-in it allows me to access the DNS server and I can re-create my zone

thank god

I appreciate your tireless efforts to help and have given you the points on your last answer

many thanks mikeleebrla

now if only I knew the best way to create the zone for this setup!
0
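
A read-only way to check the condition described in the comment above (owner and permissions on the MicrosoftDNS object under System), as an added example that is not part of the original thread. It assumes a management host with the RSAT ActiveDirectory PowerShell module; `Get-DnsContainerSecurity` is a hypothetical helper name, and counting ACEs for `DnsAdmins` is an assumption taken from the earlier question about DNS admin group membership.

```powershell
# Added example: read-only check of owner and ACL on the MicrosoftDNS container.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Get-DnsContainerSecurity {
    param(
        # Defaults to the current domain; pass a DN to check another domain.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $dn  = "CN=MicrosoftDNS,CN=System,$DomainDN"
    $acl = Get-Acl -Path "AD:\$dn"

    # GetOwner returns $null when the security descriptor carries no owner.
    $ownerSid  = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    $ownerName = $null
    if ($ownerSid) {
        try {
            $ownerName = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $ownerName = $null   # SID no longer maps to an existing account
        }
    }

    # Explicit (non-inherited) ACEs are the ones set directly on this object.
    $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
    $dnsAdmins = @($explicit | Where-Object { $_.IdentityReference.Value -like '*\DnsAdmins' })

    [pscustomobject]@{
        Container     = $dn
        OwnerSid      = if ($ownerSid)  { $ownerSid.Value } else { '<none>' }
        OwnerName     = if ($ownerName) { $ownerName }      else { '<unresolved>' }
        OwnerOk       = [bool]$ownerName
        DnsAdminsAces = $dnsAdmins.Count
        ExplicitAces  = $explicit |
            Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
    }
}

$result = Get-DnsContainerSecurity
$result | Format-List Container, OwnerSid, OwnerName, OwnerOk, DnsAdminsAces
$result.ExplicitAces | Format-Table -AutoSize
```

`OwnerOk` reporting `False` corresponds to the "no owner" state found in ADU&C; the script changes nothing in the directory.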
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13490572
It's easy, just create them all as AD integrated since they are all on DCs anyway
0
