DNS problems in logs after domain rename

Posted on 2007-07-26
Last Modified: 2011-09-20
Two W2003SP2 DCs, DC1 and DC2, having just renamed their domain from mydomain to mydomain.lan (single label to dotted name).  Everything went well, no error messages.  Clients log on to the new domain name flawlessly.

However, there is a DNS problem.  DC1 takes minutes to start, freezes at 'Preparing network connections'.  The event logs display various errors / warnings which are copied below.  I believe that many of the problems are related.  I need specific information on where to go in the consoles and what to check for to resolve this situation, therefore I set the points to 500.

Thanks a lot if there are some DNS / AD wizards out there ;-)

best regards

Geir

Excerpt from event logs after last reboot.  DC2 (the secondary DC) logs first:

!!!!  Warning or Error events since last boot from DC2

application log:

event ID warning 53258 computer dc2
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1128
No Callstack, CmdLine: C:\WINDOWS\system32\msdtc.exe


dns server log:

event ID warning 4010 computer dc2
The DNS server was unable to create a resource record for  1ffcb6ba-c6bf-4037-95bc-2614d7ea9a61._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

event ID warning 4010 computer dc2
The DNS server was unable to create a resource record for  477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

!!!!  Warning or Error events since last boot from DC1

application log:

event ID error 1005 computer DC1
The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.

****************************
system log:

event ID warning 1101 computer DC1
The SNMP Service is ignoring extension agent key SOFTWARE\Microsoft\DhcpMibAgent\CurrentVersion because it is missing or misconfigured.

event id warning 40960 computer DC1
The Security System detected an authentication error for the server ldap/DC1.mydomain.LAN.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
same event id:
The Security System detected an authentication error for the server LDAP/DC1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

****************************
directory service log:

event ID warning 2088

Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 Alternate server name:
 DC2
Failing DNS host name:
 1ffcb6ba-c6bf-4037-95bc-2614d7ea9a61._msdcs.mydomain.LAN
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 Registry Path:  HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
Additional Data,
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

***********************************
dns log:

event ID error 4010 computer DC1
The DNS server was unable to create a resource record for  1ffcb6ba-c6bf-4037-95bc-2614d7ea9a61._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error
event ID error 4010
The DNS server was unable to create a resource record for  477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.lan. in zone mydomain.LAN. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

event ID error 6702 computer DC1
DNS server has updated its own host (A) records.  In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
 
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

*******************************************
file replication service log

event ID warning 13508 computer DC1
The File Replication Service is having trouble enabling replication from DC2 to DC1 for c:\windows\sysvol\domain using the DNS name DC2.mydomain.LAN. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 [1] FRS can not correctly resolve the DNS name DC2.mydomain.LAN from this computer.
 [2] FRS is not running on DC2.mydomain.LAN.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

event ID warning 13509 computer DC1
The File Replication Service has enabled replication from DC2 to DC1 for c:\windows\sysvol\domain after repeated retries.

Question by: geir056

LVL 71

Expert Comment

by:Chris Dent
ID: 19573655

Start with the basics...

Can you verify that a Forward Lookup Zone for mydomain.lan exists in the DNS console?

If it does, check that it's set to AD Integrated (as that's ideal), and that Dynamic Updates is enabled and set to Secure Only.

If you find the zone is there, and does appear to be set correctly but you still suffer from Registration errors you might want to consider recreating it. Normally that's simply a case of deleting it, waiting 15 minutes then making it again. Once done you should restart the NetLogon Service and run "ipconfig /registerdns" so the Service Records and Host Records get added back in.

Chris
 
LVL 16

Expert Comment

by:gurutc
ID: 19573672
Hi,

Included on the Server install cd is a set of tools that is a subset of the resource kit.  Browse on the CD and install those.  Then set your DNS server properties temporarily to allow all updates, open a command prompt, and type NETDIAG /FIX and press Enter.  This will reconstruct the DNS and LDAP service locations in the DNS structure for your AD services.

Good Luck,

- gurutc
 

Author Comment

by:geir056
ID: 19573843
gurutc

I'll try your solution first.  How / where do I set the DNS to allow all updates?

Also when I went into the DNS server's properties, security tab, I noticed that the preceding domain name for all users listed was the former 'mydomain' and not the new and dotted 'mydomain.lan'.  Should I expect to see the domain suffix '.lan' included in this list or would the suffix be stripped here?

Awaiting your comment I'll proceed with netdiag.

regards

Geir
LVL 71

Expert Comment

by:Chris Dent
ID: 19573888

The Access Control List you see under Security will typically have the NetBIOS Name for the Domain when referring to an Account. So, no, you wouldn't expect that to update with the DNS Domain Name.

The permission to update a DNS Zone is under the General tab for the zone.

Chris
 
LVL 16

Expert Comment

by:gurutc
ID: 19573936
Hi,

Go to the Forward Lookup Zone and highlight the zone name, right click on it, and choose Properties.  Under General, Dynamic update, set it for secure and unsecure and apply.  Then Netdiag will be able to update the domain with all the correct pointer info.  As far as the extension goes, when the zone is updated the extension may/should be included, but I'm not sure...

- gurutc
 

Author Comment

by:geir056
ID: 19574172
OK, opened all zones for nonsecure and secure updates for all zones.

Here is netdiag /fix output:

Per interface results:

    Adapter : Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : moses
        IP Address . . . . . . . . : 172.22.100.10
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 172.22.100.1
        Dns Servers. . . . . . . . : 172.22.100.10, 172.22.100.1

        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Passed
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:

Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{ED56E8D7-319A-40E1-8619-F23FDE408591}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.    [FATAL] No DNS servers have the DNS records for this DC registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{ED56E8D7-319A-40E1-8619-F23FDE408591}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{ED56E8D7-319A-40E1-8619-F23FDE408591}
    The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

Here is the NETLOGON.DNS file contents:

mydomain. 600 IN A 172.22.100.10
gc._msdcs.mydomain. 600 IN A 172.22.100.10
mydomain.LAN. 600 IN A 172.22.100.10
gc._msdcs.mydomain.LAN. 600 IN A 172.22.100.10
TAPI3Directory.mydomain.LAN. 600 IN A 172.22.100.10
ForestDnsZones.mydomain.LAN. 600 IN A 172.22.100.10
DomainDnsZones.mydomain.LAN. 600 IN A 172.22.100.10
_ldap._tcp.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.pdc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.pdc._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.gc._msdcs.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.gc._msdcs.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.gc._msdcs.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.gc._msdcs.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_ldap._tcp.93a285bc-f6b1-4c4c-bf62-1b647a3ea7d2.domains._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.93a285bc-f6b1-4c4c-bf62-1b647a3ea7d2.domains._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.LAN. 600 IN CNAME DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain. 600 IN CNAME DC1.mydomain.LAN.
_ldap._tcp.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.dc._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.dc._msdcs.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_gc._tcp.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_gc._tcp.Default-First-Site._sites.mydomain.LAN. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_gc._tcp.Default-First-Site._sites.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
_kerberos._tcp.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.dc._msdcs.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.dc._msdcs.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.dc._msdcs.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.Default-First-Site._sites.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._udp.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._udp.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kpasswd._tcp.mydomain.LAN. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_kpasswd._tcp.mydomain. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_kpasswd._udp.mydomain.LAN. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_kpasswd._udp.mydomain. 600 IN SRV 0 100 464 DC1.mydomain.LAN.
_ldap._tcp.TAPI3Directory.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.TAPI3Directory.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.ForestDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.ForestDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.DomainDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.Default-First-Site._sites.DomainDnsZones.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
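The NETLOGON.DNS listing above still carries a second copy of every record under the old single-label name (`mydomain.`, `_ldap._tcp.mydomain.`, and so on), which is exactly what netdiag's "contains invalid DNS entries" complaint points at. The following is an added example, not code from the thread or from Microsoft: a small parser for that file format that separates the records belonging to the new zone from the leftovers of the old name, and summarises which SRV services the DC is trying to register. `SAMPLE` is a subset copied from the listing in the post; the zone name passed in and all function names are the example's own assumptions.

```python
"""Parse a NETLOGON.DNS export and flag records outside the expected AD zone.

Added example (not from the thread). SAMPLE is an excerpt of the NETLOGON.DNS
contents posted above; the zone name and helper names are assumptions.
"""
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")

# Constructed subset of the NETLOGON.DNS listing from the post. The ';' line
# is a comment exactly as the file writes it.
SAMPLE = """\
mydomain. 600 IN A 172.22.100.10
mydomain.LAN. 600 IN A 172.22.100.10
gc._msdcs.mydomain. 600 IN A 172.22.100.10
_ldap._tcp.mydomain.LAN. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_ldap._tcp.mydomain. 600 IN SRV 0 100 389 DC1.mydomain.LAN.
_kerberos._tcp.mydomain.LAN. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
_kerberos._tcp.mydomain. 600 IN SRV 0 100 88 DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain.LAN. 600 IN CNAME DC1.mydomain.LAN.
477e0653-8f6b-4265-ba75-b053508230da._msdcs.mydomain. 600 IN CNAME DC1.mydomain.LAN.
; _gc._tcp.mydomain. 600 IN SRV 0 100 3268 DC1.mydomain.LAN.
"""


def parse_netlogon_dns(text):
    """Return one Record per active line; lines starting with ';' are comments."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Every record is "<owner> <ttl> IN <type> <rdata...>"
        if len(fields) < 4 or fields[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        owner, ttl, _cls, rtype, *rdata = fields
        records.append(Record(owner, int(ttl), rtype.upper(), tuple(rdata)))
    return records


def in_zone(owner, zone):
    """True if owner is the zone apex or a name beneath it (case-insensitive)."""
    o = owner.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)


def stale_records(records, zone):
    """Records whose owner lies outside the zone. After a domain rename these
    are the registrations for the old name that no zone can accept."""
    return [r for r in records if not in_zone(r.owner, zone)]


def registered_services(records, zone):
    """Set of (service, protocol) label pairs the DC registers as SRV in the zone."""
    found = set()
    for r in records:
        if r.rtype == "SRV" and in_zone(r.owner, zone):
            labels = r.owner.split(".")
            found.add((labels[0], labels[1]))
    return found


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE)
    print(f"{len(recs)} records parsed")
    for r in stale_records(recs, "mydomain.lan"):
        print("outside zone:", r.owner, r.rtype, " ".join(r.rdata))
    print("SRV services in zone:", sorted(registered_services(recs, "mydomain.lan")))
```

Run against the full file from the post, `stale_records` lists every `...mydomain.` owner, which is the set of registrations the DC keeps failing on; once the old names stop appearing there, the 4010 and netdiag DNS failures should stop with them.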
 

Author Comment

by:geir056
ID: 19587531
I'll be on vacation for one week.  Will repost status in 9 days.

regards

Tor
 
LVL 71

Accepted Solution

by: Chris Dent (earned 1500 total points)
ID: 19587593

I suspect you may find that this one is part of the problem:

Default Gateway. . . . . . : 172.22.100.1
Dns Servers. . . . . . . . : 172.22.100.10, 172.22.100.1

Is 172.22.100.1 a router? If so, it shouldn't be listed in the DNS section unless it can answer all requests about your internal domain.

Generally routers can't cope with that so shouldn't be included or referenced in TCP/IP configuration. Doing so causes many failures, including some of the above as the DC or clients try to query the router for records it simply doesn't have.

Chris
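The accepted answer's point is a configuration check that is easy to automate: every address in a DC's resolver list must be a DNS server that can answer for the AD zone, and the default gateway almost never is. As an added example (not code from the thread), here is a small check that reads the `Default Gateway` and `Dns Servers` lines out of netdiag-style output and reports which resolver entries do not belong. `NETDIAG_EXCERPT` is copied from the output in the post; the set `AD_DNS_SERVERS` (only DC1's address) and the function names are the example's assumptions.

```python
"""Flag resolver entries on a DC that are not AD DNS servers.

Added example (not from the thread). NETDIAG_EXCERPT is copied from the
netdiag output posted above; AD_DNS_SERVERS is an assumption for illustration.
"""
import re

# Two lines from the "Per interface results" section of the posted netdiag run.
NETDIAG_EXCERPT = """\
        Default Gateway. . . . . . : 172.22.100.1
        Dns Servers. . . . . . . . : 172.22.100.10, 172.22.100.1
"""

# Assumption: only DC1 (172.22.100.10) hosts the AD-integrated zone.
AD_DNS_SERVERS = {"172.22.100.10"}


def parse_netdiag_field(text, label):
    """Return the comma-separated values after a 'Label. . . . : value' line."""
    # netdiag pads labels with ". . ." up to the colon; allow any run of dots/spaces.
    pattern = re.compile(r"^\s*" + re.escape(label) + r"[\s.]*:\s*(.*)$", re.M)
    match = pattern.search(text)
    if not match:
        return []
    return [v.strip() for v in match.group(1).split(",") if v.strip()]


def check_resolvers(text, ad_dns_servers):
    """Compare the interface's DNS server list with the known AD DNS servers.

    Returns the parsed list, the offending entries with a reason, and the
    list as it should look once the non-AD addresses are removed.
    """
    dns_servers = parse_netdiag_field(text, "Dns Servers")
    gateways = set(parse_netdiag_field(text, "Default Gateway"))
    problems = []
    for ip in dns_servers:
        if ip in ad_dns_servers:
            continue
        reason = "is the default gateway" if ip in gateways else "is not an AD DNS server"
        problems.append((ip, reason))
    corrected = [ip for ip in dns_servers if ip in ad_dns_servers]
    return {"dns_servers": dns_servers, "problems": problems, "corrected": corrected}


if __name__ == "__main__":
    result = check_resolvers(NETDIAG_EXCERPT, AD_DNS_SERVERS)
    print("configured:", result["dns_servers"])
    for ip, reason in result["problems"]:
        print(f"remove {ip}: {reason}")
    print("recommended:", result["corrected"])
```

For the posted configuration the check reports `172.22.100.1` as a resolver that is the default gateway, and the corrected list contains only `172.22.100.10`. In a two-DC domain the corrected list would normally also carry the peer DC's address, so `AD_DNS_SERVERS` should hold every DC that runs the AD-integrated zone.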
