How do I fix broken DC registration?

I'm having a weird problem where it appears that I can't find any DCs in my domain using certain tools.  I'm trying to understand the problem and fix it, but haven't gotten very far with it.

Here's what I'm seeing:

C:\Documents and Settings\user>nltest /dclist:domain
Get list of DCs in domain 'domain' from '\\SERVER1'.
The command completed successfully

So no DCs shown there.

Here's another:

C:\Program Files\Resource Kit>gpotool /verbose
Domain: DOMAIN.internetdomain.com
Validating DCs...
Error: DC list is empty

I get this though:

C:\Program Files\Resource Kit>nltest /DCNAME:domain
PDC for Domain domain is \\SERVER1
The command completed successfully

So it finds the PDC but doesn't find any DCs.

Also, I get the following:

C:\Program Files\Resource Kit>nslookup
*** Can't find server name for address 192.168.2.45: Non-existent domain
*** Can't find server name for address 192.168.2.31: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.2.45

Any ideas how I can fix this problem?  I'm currently on a Windows 2000 Server, and I'm hoping to sort this stuff out before I migrate to a new Windows 2003 Server.

Thanks,

Tom
tommaxwell Asked:

Toni Uranjek (Consultant/Trainer) Commented:
Hi!

"Non-existent domain" error means that there are no reverse lookup zones configured on your DNS server. Reverse lookup zones can be easily configured, but you should know that this error is not related to the other errors.

Does IP address 192.168.2.45 belong to your internal DNS?

Run dcdiag and post the result here.

Toni
tommaxwell (Author) Commented:
Here you go, minus any anonymity editing:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Sausalito\W2KSERVER1
      Starting test: Connectivity
         ......................... W2KSERVER1 passed test Connectivity

Doing primary tests
   
   Testing server: Sausalito\W2KSERVER1
      Starting test: Replications
         ......................... W2KSERVER1 passed test Replications
      Starting test: NCSecDesc
         ......................... W2KSERVER1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... W2KSERVER1 passed test NetLogons
      Starting test: Advertising
         ......................... W2KSERVER1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... W2KSERVER1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... W2KSERVER1 passed test RidManager
      Starting test: MachineAccount
         * W2KSERVER1 is not a server trust account
         * W2KSERVER1 is not trusted for account delegation
         ......................... W2KSERVER1 failed test MachineAccount
      Starting test: Services
         ......................... W2KSERVER1 passed test Services
      Starting test: ObjectsReplicated
         ......................... W2KSERVER1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... W2KSERVER1 passed test frssysvol
      Starting test: kccevent
         ......................... W2KSERVER1 passed test kccevent
      Starting test: systemlog
         ......................... W2KSERVER1 passed test systemlog
   
   Running enterprise tests on : MBEA2K.mathsolutions.com
      Starting test: Intersite
         ......................... MBEA2K.mathsolutions.com passed test Intersite
      Starting test: FsmoCheck
         ......................... MBEA2K.mathsolutions.com passed test FsmoCheck
tommaxwell (Author) Commented:
192.168.2.45 is in my internal DNS. I've set up reverse DNS to see if that had any bearing on this, and it doesn't appear to make a difference.
Toni Uranjek (Consultant/Trainer) Commented:
"dcdiag" report looks fine to me.

You need to add PTR records for your DNS servers in the reverse lookup zone to see the difference in nslookup.

Do you experience any other problems on your network apart from errors in nltest and gpotool?
tommaxwell (Author) Commented:
OK - so here may be a point of confusion for me...  This is probably pretty basic stuff, but here goes..

We've got our Windows domain here - it's MBEA2K.  We also have an Internet domain - mathsolutions.com.

So we have two forward lookup zones:

Name      Type      Status
mathsolutions.com      Standard Primary
mbea2k.mathsolutions.com      Active Directory-integrated

The AD integrated zone is managed more or less automagically.  The reason for the standard primary zone is to advertise the NAT address of servers for users inside the LAN.  I'm not sure if that should cause any problems.

I have set up reverse dns: 192.168.2.in-addr.arpa

Within that is w2kserver1.mbea2k.mathsolutions.com. - type NS

Any ideas?
Toni Uranjek (Consultant/Trainer) Commented:
Forward lookup zones are configured correctly if mbea2k.mathsolutions.com contains a zone named _msdcs. This is where SRV records should be.

You are still missing the PTR record in the reverse lookup zone. It should be very easy to create these records: right-click the zone and add a new record.
tommaxwell (Author) Commented:
I added the PTR records, and here's my reverses:

Name      Type      Data
(same as parent folder)      SOA      [3], w2kserver1.mbea2k.mathsolutions.com., admin.mbea2k.mathsolutions.com.
31      PTR      edutrax.mathsolutions.com
31      PTR      edutrax.mbea2k.mathsolutions.com
45      PTR      w2kserver1.mathsolutions.com.
45      PTR      w2kserver1.mbea2k.mathsolutions.com.
(same as parent folder)      NS      w2kserver1.mbea2k.mathsolutions.com.

I'm not finding any differences.  I still can't list any of the DCs in the MBEA2K domain using nltest or gpotool.

-Tom
Toni Uranjek (Consultant/Trainer) Commented:
My apologies, I was either half asleep or I'm blind. Of course there is an error in your dcdiag test:

 Starting test: MachineAccount
         * W2KSERVER1 is not a server trust account
         * W2KSERVER1 is not trusted for account delegation
         ......................... W2KSERVER1 failed test MachineAccount

Run the following command on your DC: "dcdiag /FixMachineAccount". Then run dcdiag again. Any change?
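
A failed test is easy to overlook among the passes in a dcdiag report, as happened earlier in this thread. The following is an added example, not part of the original thread and not Microsoft tooling: it extracts the failed tests with their detail lines and maps the two MachineAccount messages to the userAccountControl bits they refer to. The function names and the message-to-flag table are assumptions of this example; the sample is an excerpt of the report posted above.

```python
import re

# userAccountControl bits a domain controller's computer account normally carries.
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000

# Assumed mapping from the dcdiag detail text seen in this thread to the flag.
DETAIL_TO_FLAG = {
    "is not a server trust account": SERVER_TRUST_ACCOUNT,
    "is not trusted for account delegation": TRUSTED_FOR_DELEGATION,
}

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test (\S+)")

def failed_tests(report):
    """Return {test name: [detail lines]} for every test dcdiag marked failed."""
    failures, details = {}, []
    for line in report.splitlines():
        if START.match(line):
            details = []                      # new test: forget earlier details
        elif (m := RESULT.match(line)):
            if m.group(2) == "failed":
                failures[m.group(3)] = details
            details = []
        elif line.strip().startswith("*"):
            details.append(line.strip().lstrip("* "))
    return failures

def missing_uac_flags(details):
    """OR together the flags named as missing in MachineAccount detail lines."""
    mask = 0
    for detail in details:
        for text, flag in DETAIL_TO_FLAG.items():
            if detail.endswith(text):
                mask |= flag
    return mask

# Excerpt of the dcdiag report posted earlier in the thread.
SAMPLE = """\
      Starting test: Advertising
         ......................... W2KSERVER1 passed test Advertising
      Starting test: MachineAccount
         * W2KSERVER1 is not a server trust account
         * W2KSERVER1 is not trusted for account delegation
         ......................... W2KSERVER1 failed test MachineAccount
      Starting test: Services
         ......................... W2KSERVER1 passed test Services
"""

if __name__ == "__main__":
    for test, details in failed_tests(SAMPLE).items():
        print(test, details, hex(missing_uac_flags(details)))
```
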