DNS problems in logs after domain rename

Two W2003SP2 DCs, DC1 and DC2, have just renamed their domain from mydomain to mydomain.lan (single label to dotted name).  Everything went well, no error messages.  Clients log on to the new domain name flawlessly.

However, there is a DNS problem.  DC1 takes minutes to start and freezes at 'Preparing network connections'.  The event logs display various errors / warnings, which are copied below.  I believe that many of the problems are related.  I need specific information on where to go in the consoles and what to check for to resolve this situation, therefore I set the points to 500.

Thanks a lot if there are some DNS / AD wizards out there ;-)

best regards

Geir

Excerpt from event logs after last reboot.  DC2 (the secondary DC) logs first:

!!!!  Warning or Error events since last boot from DC2

application log:

event ID warning 53258 computer dc2
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1128
No Callstack, CmdLine: C:\WINDOWS\system32\msdtc.exe


dns server log:

event ID warning 4010 computer dc2
The DNS server was unable to create a resource record for  1ffcb6ba-c6bf-4037-95bc-2614d7ea9a61._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

event ID warning 4010 computer dc2
The DNS server was unable to create a resource record for  477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

!!!!  Warning or Error events since last boot from DC1

application log:

event ID error 1005 computer DC1
The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.

****************************
system log:

event ID warning 1101 computer DC1
The SNMP Service is ignoring extension agent key SOFTWARE\Microsoft\DhcpMibAgent\CurrentVersion because it is missing or misconfigured.

event id warning 40960 computer DC1
The Security System detected an authentication error for the server ldap/DC1.mydomain.LAN.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
same event id:
The Security System detected an authentication error for the server LDAP/DC1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

****************************
directory service log:

event ID warning 2088

Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 Alternate server name:
 DC2
Failing DNS host name:
 1ffcb6ba-c6bf-4037-95bc-2614d7ea9a61._msdcs.mydomain.LAN
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 Registry Path:  HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
Additional Data,
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

***********************************
dns log:

event ID error 4010 computer DC1
The DNS server was unable to create a resource record for  1ffcb6ba-c6bf-4037-95bc-2614d7ea9a61._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error
event ID error 4010
The DNS server was unable to create a resource record for  477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

event ID error 6702 computer DC1
DNS server has updated its own host (A) records.  In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
 
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

*******************************************
file replication service log

event ID warning 13508 computer DC1
The File Replication Service is having trouble enabling replication from DC2 to DC1 for c:\windows\sysvol\domain using the DNS name DC2.mydomain.LAN. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 [1] FRS can not correctly resolve the DNS name DC2.mydomain.LAN from this computer.
 [2] FRS is not running on DC2.mydomain.LAN.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

event ID warning 13509 computer DC1
The File Replication Service has enabled replication from DC2 to DC1 for c:\windows\sysvol\domain after repeated retries.

Asked by geir056

Chris Dent (PowerShell Developer) commented:

I suspect you may find that this one is part of the problem:

Default Gateway. . . . . . : 172.22.100.1
Dns Servers. . . . . . . . : 172.22.100.10, 172.22.100.1

Is 172.22.100.1 a router? If so, it shouldn't be listed in the DNS section unless it can answer all requests about your internal domain.

Generally routers can't cope with that so shouldn't be included or referenced in TCP/IP configuration. Doing so causes many failures, including some of the above as the DC or clients try to query the router for records it simply doesn't have.

Chris
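The point Chris makes about the router listed as a second DNS server can be checked mechanically. The following Python script is an added example, not code from the thread or from Microsoft: it parses the "Key . . . : value" lines of a netdiag per-interface block (a constructed sample shaped like the one posted later in the thread) and flags every configured resolver that is the default gateway or is not in a caller-supplied set of domain controller addresses. The DC address set and the sample block are assumptions.

```python
"""Flag DNS resolvers in a netdiag per-interface block that are not domain controllers.

Added example, not code from the thread or from Microsoft. It parses the
'Key . . . : value' lines netdiag prints per adapter and reports any
configured DNS server that is the default gateway or is not a known DC.
"""
import re

# Constructed sample, shaped like the per-interface section in the thread.
SAMPLE_NETDIAG = """\
    Adapter : Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : moses
        IP Address . . . . . . . . : 172.22.100.10
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 172.22.100.1
        Dns Servers. . . . . . . . : 172.22.100.10, 172.22.100.1
"""

# "Host Name. . . . : moses" -> key "Host Name", value "moses"
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*?)\s*$")


def parse_interface_block(text):
    """Return the key/value settings of one adapter block, keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(2)
    return settings


def find_bad_resolvers(settings, dc_addresses):
    """List (resolver, reason) pairs for DNS servers that cannot answer AD queries.

    dc_addresses: IP addresses of the DNS-hosting domain controllers
    (assumption: in an AD-integrated setup these are the only valid resolvers).
    """
    gateway = settings.get("default gateway", "")
    resolvers = [s.strip() for s in settings.get("dns servers", "").split(",") if s.strip()]
    known_dcs = set(dc_addresses)
    findings = []
    for resolver in resolvers:
        if resolver == gateway:
            findings.append((resolver, "is the default gateway; a router does not hold the AD zone"))
        elif resolver not in known_dcs:
            findings.append((resolver, "is not a known domain controller"))
    return findings


if __name__ == "__main__":
    block = parse_interface_block(SAMPLE_NETDIAG)
    for resolver, reason in find_bad_resolvers(block, {"172.22.100.10"}):
        print(f"{resolver} {reason}")
```

Run against the sample, the script reports 172.22.100.1 because it is the default gateway; a resolver that is neither the gateway nor a known DC is reported with the second reason.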
Chris Dent (PowerShell Developer) commented:

Start with the basics...

Can you verify that a Forward Lookup Zone for mydomain.lan exists in the DNS console?

If it does, check that it's set to AD Integrated (as that's ideal), and that Dynamic Updates is enabled and set to Secure Only.

If you find the zone is there, and does appear to be set correctly but you still suffer from Registration errors you might want to consider recreating it. Normally that's simply a case of deleting it, waiting 15 minutes then making it again. Once done you should restart the NetLogon Service and run "ipconfig /registerdns" so the Service Records and Host Records get added back in.

Chris
gurutc commented:
Hi,

Included on the Server install cd is a set of tools that is a subset of the resource kit.  Browse on the CD and install those.  Then set your DNS server properties temporarily to allow all updates, open a command prompt, and type NETDIAG /FIX and press Enter.  This will reconstruct the DNS and LDAP service locations in the DNS structure for your AD services.

Good Luck,

- gurutc
geir056 (Author) commented:
gurutc

I'll try your solution first.  How / where do I set the DNS to allow all updates?

Also, when I went into the DNS server's properties, security tab, I noticed that the preceding domain name for all users listed was the former 'mydomain' and not the new and dotted 'mydomain.lan'.  Should I expect to see the domain suffix '.lan' included in this list, or would the suffix be stripped here?

Awaiting your comment I'll proceed with netdiag.

regards

Geir
Chris Dent (PowerShell Developer) commented:

The Access Control List you see under Security will typically have the NetBIOS Name for the Domain when referring to an Account. So, no, you wouldn't expect that to update with the DNS Domain Name.

The permission to update a DNS Zone is under the General tab for the zone.

Chris
gurutc commented:
Hi,

Go to the Forward Lookup Zone, highlight the zone name, right-click on it, and choose Properties.  Under General, Dynamic update, set it to secure and unsecure and apply.  Then Netdiag will be able to update the domain with all the correct pointer info.  As far as the extension goes, when the zone is updated the extension may/should be included, but I'm not sure...

- gurutc
geir056 (Author) commented:
OK, opened all zones for nonsecure and secure updates for all zones.

Here is netdiag /fix's output:

Per interface results:

    Adapter : Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : moses
        IP Address . . . . . . . . : 172.22.100.10
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 172.22.100.1
        Dns Servers. . . . . . . . : 172.22.100.10, 172.22.100.1

        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Passed
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:

Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{ED56E8D7-319A-40E1-8619-F23FDE408591}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.
       [FATAL] No DNS servers have the DNS records for this DC registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{ED56E8D7-319A-40E1-8619-F23FDE408591}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{ED56E8D7-319A-40E1-8619-F23FDE408591}
    The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

Here is the NETLOGON.DNS file contents:

mydomain. 600 IN A 172.22.100.10
gc._msdcs.mydomain. 600 IN A 172.22.100.10
mydomain.LAN. 600 IN A 172.22.100.10
gc._msdcs.mydomain.LAN. 600 IN A 172.22.100.10
TAPI3Directory.mydomain.LAN. 600 IN A 172.22.100.10
ForestDnsZones.mydomain.LAN. 600 IN A 172.22.100.10
DomainDnsZones.mydomain.LAN. 600 IN A 172.22.100.10
_ldap._tcp.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.pdc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.pdc._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.gc._msdcs.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.gc._msdcs.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.gc._msdcs.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.gc._msdcs.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.93a285bc-f6b1-4c4c-bf62-1b647a3ea7d2.domains._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.93a285bc-f6b1-4c4c-bf62-1b647a3ea7d2.domains._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.LAN. 600 IN CNAME DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain. 600 IN CNAME DC1.mydomain.LAN.
_ldap._tcp.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.dc._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.dc._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_gc._tcp.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_gc._tcp.Default-First-Site._sites.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_gc._tcp.Default-First-Site._sites.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_kerberos._tcp.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.dc._msdcs.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.dc._msdcs.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._udp.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._udp.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kpasswd._tcp.mydomain.LAN. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_kpasswd._tcp.mydomain. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_kpasswd._udp.mydomain.LAN. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_kpasswd._udp.mydomain. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_ldap._tcp.TAPI3Directory.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.TAPI3Directory.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.ForestDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.ForestDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.DomainDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.DomainDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
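The netdiag run above reports that \config\netlogon.dns contains invalid entries, and the file as posted carries most records twice: once under the old single-label name and once under mydomain.LAN. The following Python script is an added example, not code from the thread, from Microsoft or from any poster. It parses the zone-file style lines Net Logon writes to that file (a constructed subset of the posted file is embedded as sample input) and reports owner names that lie outside the DNS domain the DC should now register in, DC locator SRV records missing for that domain, SRV targets outside the domain, and the GUID CNAME records under _msdcs, which are the names quoted by the 4010 and 2088 events. The required-record list, the domain name passed to the audit and the sample file are assumptions.

```python
"""Audit a NETLOGON.DNS file after a domain rename.

Added example, not code from the thread, from Microsoft or from any poster.
Net Logon writes the records it wants registered as zone-file style lines:
    <owner> <ttl> IN <type> <rdata...>
The audit reports owner names outside the current DNS domain, missing DC
locator SRV records, SRV targets outside the domain, and the DSA GUID
CNAME records under _msdcs (the names quoted by events 4010 and 2088).
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the file posted in the thread, keeping the
# same mix of old single-label and new dotted owner names.
SAMPLE_NETLOGON_DNS = """\
mydomain. 600 IN A 172.22.100.10
mydomain.LAN. 600 IN A 172.22.100.10
gc._msdcs.mydomain.LAN. 600 IN A 172.22.100.10
_ldap._tcp.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.pdc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_gc._tcp.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_kerberos._tcp.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.dc._msdcs.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kpasswd._tcp.mydomain.LAN. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.LAN. 600 IN CNAME DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain. 600 IN CNAME DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
"""

# Assumption: the minimal set of locator records a practitioner checks first;
# the full list a DC registers is longer (see the posted file).
REQUIRED_SRV_PREFIXES = (
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs",
    "_gc._tcp",
    "_kpasswd._tcp",
)

# <dsa-guid>._msdcs.<domain>: the CNAME replication partners resolve to find a DC.
GUID_RE = re.compile(r"^([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\._msdcs\.(.+)$")


@dataclass(frozen=True)
class Record:
    owner: str      # lower case, trailing dot removed
    ttl: int
    rtype: str      # A, SRV, CNAME, ...
    rdata: tuple    # remaining fields as written


def norm(name):
    """Lower-case a DNS name and drop the trailing dot the file writes on FQDNs."""
    return name.lower().rstrip(".")


def parse_netlogon_dns(text):
    """Parse the file; blank lines and ';' comments (disabled records) are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unrecognised netlogon.dns line: {raw!r}")
        owner, ttl, _cls, rtype, *rdata = fields
        records.append(Record(norm(owner), int(ttl), rtype.upper(), tuple(rdata)))
    return records


def in_domain(name, domain):
    """True if name is the domain apex or lies beneath it."""
    return name == domain or name.endswith("." + domain)


def audit(records, dns_domain):
    """Compare the parsed records with the DNS domain the DC should register in."""
    domain = norm(dns_domain)
    stale = sorted(r.owner for r in records if not in_domain(r.owner, domain))
    srv = [r for r in records if r.rtype == "SRV" and in_domain(r.owner, domain)]
    present = {r.owner for r in srv}
    missing = [f"{p}.{domain}" for p in REQUIRED_SRV_PREFIXES
               if f"{p}.{domain}" not in present]
    # SRV rdata is "<priority> <weight> <port> <target>"
    foreign_targets = sorted(r.owner for r in srv
                             if not in_domain(norm(r.rdata[3]), domain))
    dsa_cnames = {}
    for r in records:
        if r.rtype == "CNAME":
            m = GUID_RE.match(r.owner)
            if m and m.group(2) == domain:
                dsa_cnames[m.group(1)] = norm(r.rdata[0])
    return {"stale": stale, "missing": missing,
            "foreign_targets": foreign_targets, "dsa_cnames": dsa_cnames}


if __name__ == "__main__":
    report = audit(parse_netlogon_dns(SAMPLE_NETLOGON_DNS), "mydomain.lan")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against the sample, the stale list holds the four single-label records, nothing required is missing, and the GUID CNAME maps 477e0653-8f6b-4265-ba75-b053508230da to dc1.mydomain.lan. Comparing that GUID with the one in the 4010 events on each DC tells you which DC's CNAME the DNS server is refusing to create.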
geir056 (Author) commented:
I'll be on vacation for one week.  Will repost status in 9 days.

regards

Tor