Major DNS issue

Hello,

  I came into the office and rebooted one of our member servers and noticed that on reboot it said a service didn't start. When I started looking into the errors it pointed me back to our primary DC. When I go into DNS I don't see anything under the forward or reverse lookup zones. They are empty. Any and all help would be MUCH appreciated. Here are the results of running dcdiag /test:dns (LEWISDC1 is the server in question; this was run on this server)



Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site\LEWISDC1
      Starting test: Connectivity
         ......................... LEWISDC1 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site\LEWISDC1

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : LEWISCO
   
   Running enterprise tests on : LEWISCO.lcfhc.org
      Starting test: DNS
         Test results for domain controllers:
           
            DC: lewisdc1.LEWISCO.lcfhc.org
            Domain: LEWISCO.lcfhc.org

                 
               TEST: Basic (Basc)
                  Warning: adapter [00000002] Intel(R) PRO/1000 MT Network Connection has invalid DNS server: 192.168.0.11 (<name unavailable>)
                  Error: The A record for this DC was not found
                  Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 192.168.0.1 (<name unavailable>)
                  Error: Forwarders list has invalid forwarder: 205.152.132.235 (<name unavailable>)
                  Error: Forwarders list has invalid forwarder: 209.149.134.252 (<name unavailable>)
                 
               TEST: Records registration (RReg)
                  Network Adapter [00000002] Intel(R) PRO/1000 MT Network Connection:
                     Warning: Missing GC SRV record at DNS server 192.168.0.8 :
                     _ldap._tcp.gc._msdcs.LEWISCO.lcfhc.org
                     
                     Error: Missing A record at DNS server 192.168.0.11 :
                     lewisdc1.LEWISCO.lcfhc.org
                     
                     Error: Missing CNAME record at DNS server 192.168.0.11 :
                     5ae28650-1936-4f29-9d87-436c6a0f8b3a._msdcs.LEWISCO.lcfhc.org
                     
                     Error: Missing DC SRV record at DNS server 192.168.0.11 :
                     _ldap._tcp.dc._msdcs.LEWISCO.lcfhc.org
                     
                     Error: Missing GC SRV record at DNS server 192.168.0.11 :
                     _ldap._tcp.gc._msdcs.LEWISCO.lcfhc.org
                     
                     Error: Missing PDC SRV record at DNS server 192.168.0.11 :
                     _ldap._tcp.pdc._msdcs.LEWISCO.lcfhc.org
                     
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.0.1 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.0.1
               
            DNS server: 192.168.0.11 (<name unavailable>)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.LEWISCO.lcfhc.org. failed on the DNS server 192.168.0.11
               
            DNS server: 205.152.132.235 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 205.152.132.235
               
            DNS server: 209.149.134.252 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 209.149.134.252
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: LEWISCO.lcfhc.org
               lewisdc1                     PASS FAIL FAIL n/a  PASS FAIL n/a  
         
         ......................... LEWISCO.lcfhc.org failed test DNS

Here are the first 2 entries in the DNS event log when starting:

#1
Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4013
Date:            2/10/2008
Time:            12:16:22 PM
User:            N/A
Computer:      LEWISDC1
Description:
The DNS server was unable to open the Active Directory.  This DNS server is configured to use directory service information and can not operate without access to the directory.  The DNS server will wait for the directory to start.  If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    

#2
Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Date:            2/10/2008
Time:            12:16:22 PM
User:            N/A
Computer:      LEWISDC1
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    





PPLUSEEAsked:

GeyybeccaCommented:
Do you only have one DNS server on the network? If not, then try manually adding back the zones and see if they populate automatically.
GeyybeccaCommented:
Should have also said: point the problematic DC to one of your other DNS servers that have the Active Directory integrated zones.
PPLUSEEAuthor Commented:
Geyybecca,
 
I have 4 DNS servers on the network. I have tried recreating the zone and it failed...
I have also tried pointing it via the network connections back to one of the other DNS servers and no go..

I did just notice something in AD VERY weird... When I go to the Domain Controllers OU I see the server listed in there, but when I look at the Member Of tab, it shows it as a member of Domain Computers, NOT Domain Controllers... what's up with that????

GeyybeccaCommented:
Does this DC have any critical services running on it other than DC? Does it hold any of the FSMO roles? If not, blow it away, remove it from AD and recreate it by reinstalling Windows. Probably the quickest and cleanest way of resolving this issue.
TG TranIT guyCommented:
Is your security event log filled up?
Check out this KB:
http://support.microsoft.com/kb/316685
PPLUSEEAuthor Commented:
geyybecca,

  Definitely would rather not go that route... It has 3 FSMO roles:
PDC, RID & Infrastructure...

What I don't understand is I have not seen any errors from this server... and why would it now be showing as a member of Domain Computers and not Domain Controllers? And when I go into the Delegation tab it says "Do not Trust", which I am sure is the issue with not being able to read AD for DNS.

Surely there is a way to get this to be seen as a DC rather than just blowing it away. I just don't understand how this could have even happened... very weird.
kmotawehCommented:
You have to try to restore a backup with the right configuration; that's what backups were invented for.
PPLUSEEAuthor Commented:
tqtran,

 looked at that the very first thing... cleared it out, but it was already set to overwrite as needed.

 Again the thing to me that now is really strange is that I have a DC in the Domain Controllers OU that is showing it is only a member of the Domain computers... ???? This is the real issue, just don't know how to fix it, short of blowing it away and reinstalling, but I guess that fixes just about anything...

 
GeyybeccaCommented:
I would say if you do not have a backup then you really are in a difficult place and have no choice but to blow it away, seize the FSMO roles and reinstall.
PPLUSEEAuthor Commented:
Geyybecca,
 
  I do backups of all my servers every night, plus I do a separate system state backup every night as well on all my servers. I just didn't know if rebooting it into AD restore mode and restoring the system state would fix the issue... do you think that would take care of it?
kmotawehCommented:
for sure the backup will solve it
PPLUSEEAuthor Commented:
kmotaweh,

  I'm not sure right now if it would or not since I still don't understand exactly what could have happened that would move a DC into Domain Computers.... I just removed it as a member of Domain Computers and added it to Domain Controllers and also set the Delegation to Trust the computer for delegation.... rebooted and it looked like it was going to be ok because when I first checked it was still a member of Domain Controllers, but after about 5 minutes it removed it as a member of Domain Controllers and placed it in Domain Computers. The delegation is still set to trust.
 Another strange thing is the fact that when I go to the Domain Controllers OU and look at it, it is the only one that shows something under the User Logon Name section.. it shows HOST/lewisdc1.yadayda..
Just would really be interested in what possibly went haywire here..
PPLUSEEAuthor Commented:
Well after shelling out $515.00 to Microsoft last night the issue is fixed... They worked about 2 1/2 hours on it and I didn't even need to rebuild anything. They were able to use ADSI Edit to make some edits to the AD object of this server and then reset some of the Kerberos settings and all is well now..

Not sure on awarding any points on this since it seemed like the general consensus here was to blow the server away and rebuild/restore it. Which by the way, I did take the server down before I called MS and did an AD restore of the system state and that seemed to help a little, but it was still very messed up in thinking it was a Domain Computer instead of a Domain Controller. It also was holding 3 of the FSMO roles and I was unable to transfer them also.. I had tried that before the MS call as well. Overall I was really impressed with the expertise of the MS support engineer though, very good...

So with all that said if the Administrator wants to award points then I will let it be his call. Thanks anyway for the responses.
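The fix above was made by editing the DC's own AD object. As an added example (not code from the thread, from Microsoft support or from Experts Exchange), here is a Python check of the attributes behind the two symptoms the asker described, a DC showing up under Domain Computers and a delegation tab reading "Do not trust": primaryGroupID and the userAccountControl flag bits. The flag values and group IDs are Microsoft's documented ones; the sample objects and host names are constructed placeholders.

```python
# Added example (not from the thread): checks on a domain controller's AD
# computer object, the attributes ADSI Edit exposes.

# userAccountControl flag bits, Microsoft's documented values.
WORKSTATION_TRUST_ACCOUNT = 0x1000    # ordinary member server / workstation
SERVER_TRUST_ACCOUNT = 0x2000         # domain controller
TRUSTED_FOR_DELEGATION = 0x80000      # "Trust this computer for delegation"
EXPECTED_DC_UAC = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION  # 532480

# A DC is in Domain Controllers through primaryGroupID, not the group's member
# list, which is why adding it to the group by hand gets undone again.
PGID_DOMAIN_CONTROLLERS = 516


def check_dc_object(attrs):
    """Return findings for a computer object that should be a DC.
    attrs: dict of LDAP attribute name -> value, as an LDAP search returns it.
    An empty list means the object looks like a healthy domain controller."""
    findings = []
    uac = int(attrs.get("userAccountControl", 0))
    pgid = int(attrs.get("primaryGroupID", 0))
    spns = [s.lower() for s in attrs.get("servicePrincipalName", [])]
    if pgid != PGID_DOMAIN_CONTROLLERS:
        findings.append(f"primaryGroupID is {pgid}, expected 516 (Domain Controllers)")
    if not uac & SERVER_TRUST_ACCOUNT:
        findings.append("SERVER_TRUST_ACCOUNT (0x2000) missing: not flagged as a DC")
    if uac & WORKSTATION_TRUST_ACCOUNT:
        findings.append("WORKSTATION_TRUST_ACCOUNT (0x1000) set: flagged as a member server")
    if not uac & TRUSTED_FOR_DELEGATION:
        findings.append("TRUSTED_FOR_DELEGATION (0x80000) missing: delegation 'Do not trust'")
    if not any(s.startswith("ldap/") for s in spns):
        findings.append("no LDAP/ service principal name registered")
    return findings


# Constructed sample objects with placeholder host names.
HEALTHY_DC = {
    "primaryGroupID": 516,
    "userAccountControl": EXPECTED_DC_UAC,
    "servicePrincipalName": ["HOST/dc1.corp.example", "LDAP/dc1.corp.example"],
}
BROKEN_DC = {  # modelled on the thread: the object looks like a member server
    "primaryGroupID": 515,
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
    "servicePrincipalName": ["HOST/dc1.corp.example"],
}

if __name__ == "__main__":
    for name, obj in (("healthy", HEALTHY_DC), ("broken", BROKEN_DC)):
        print(name, check_dc_object(obj) or ["ok"])
```

Against a live domain the same checks can be run over the output of an LDAP search for `objectCategory=computer` objects under the Domain Controllers OU; a DC whose object fails them is exactly what the DNS service's "unable to open the Active Directory" events look like from the outside.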

PPLUSEEAuthor Commented:
Well I really don't feel that this question should be deleted.... the information that was provided by myself may help someone in the future. I had asked that the moderator award the points as he/she saw fit and that apparently did not happen. In all reality my response should be marked as the solution but since it is MY response I can not make that so. So I guess do with it as you choose but I just wanted to make it known I do not agree with the deletion on the item. Thank you!