
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 204
  • Last Modified:

domain issue 2008

OK, I've got a complicated one. I had an engineer onsite at a customer. They had a current Novell environment that ran DNS, then a 2008 domain running DNS as a secondary. Each computer had MS as the primary DNS and Novell as the secondary DNS. Everything was working fine. An engineer came in and installed a new 2008 server and Exchange 2007 on that box; I believe he made it a global catalog. He started having issues and tried to dcpromo to remove it and it would not work, so he force-removed it from the domain. Now users are having random issues. I will first start with a health check and look through event logs, and other ideas/places to start. Thanks guys.
Asked: zenworksb
1 Solution
 
Darius GhassemCommented:
Do a metadata cleanup to remove the failed DC.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Make sure that when he dcpromos, he removes IPv6.

zenworksbAuthor Commented:
Do you think this might be why they are having issues?

Darius GhassemCommented:
Yes, if you force-remove a DC then you need to do a metadata cleanup. IPv6 has been causing issues with networks since they don't support IPv6.
zenworksbAuthor Commented:
Do I run this from the removed DC or the main DC that is still up?

Darius GhassemCommented:
The DC that is still running.
zenworksbAuthor Commented:
I just found out that the engineer that was onsite used this exact article?

Darius GhassemCommented:
What are the random issues they are having?
zenworksbAuthor Commented:
I will get a list and post.

Darius GhassemCommented:
Make sure you don't have any DNS records in DNS for the failed DC. Also, make sure that none of the clients are pointing to it for DNS. You can also run a netdiag to see if you have any errors.
zenworksbAuthor Commented:
This is what I get from dcdiag. Can you see anything?

DCDiag - DNS on 11/12/2008 12:33:07 PM

Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server domain-dc01.domain.local.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DOMAIN-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAIN-DC01
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host a1732d1f-fb48-4dc1-8607-a31989bb08a2._msdcs.domain.local could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         ......................... DOMAIN-DC01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAIN-DC01
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Test omitted by user request: RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         See DNS test in enterprise tests section for results
         ......................... DOMAIN-DC01 passed test DNS

   Running partition tests on : ForestDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : DomainDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Schema
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Configuration
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : domain
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: DNS
         Test results for domain controllers:

            DC: domain-dc01.domain.local
            Domain: domain.local

               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Microsoft® Windows Server® 2008 Standard (Service Pack level: 1.0) is supported
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000006] Broadcom NetXtreme Gigabit Ethernet:
                     MAC address is 00:18:71:E9:81:36
                     IP Address is static
                     IP address: 10.6.6.115
                     DNS servers:
                        Warning: 127.0.0.1 (DOMAIN-DC01) [Invalid]
                     Warning: adapter [00000006] Broadcom NetXtreme Gigabit Ethernet has invalid DNS server: 127.0.0.1 (DOMAIN-DC01)
                  Error: all DNS servers are invalid
                  No host records (A or AAAA) were found for this DC
                  The SOA record for the Active Directory zone was not found
                  Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
                  Root zone on this DC/DNS server was not found

               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     10.6.6.144 () [Invalid (unreachable)]
                     Error: Forwarders list has invalid forwarder: 10.6.6.144 ()
                     10.6.6.175 () [Valid]

               TEST: Dynamic update (Dyn)
                  Warning: Failed to add the test record _dcdiag_test_record in zone domain.local
                  [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]
                  Test record _dcdiag_test_record deleted successfully in zone domain.local

               TEST: Records registration (RReg)
                  Error: Record registrations cannot be found for all the network adapters

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 10.6.6.115 (DOMAIN-DC01)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.domain.local. failed on the DNS server 10.6.6.115
               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

            DNS server: 10.6.6.144 ()
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.6.6.144
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

            DNS server: 10.6.6.175 ()
               All tests passed on this DNS server

         Summary of DNS test results:

                                          Auth Basc Forw Del  Dyn  RReg Ext
            Domain: domain.local
               domain-dc01                PASS FAIL FAIL n/a  WARN FAIL n/a

         ......................... domain.local failed test DNS

      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite

Darius GhassemCommented:
Is this from the failed 2008 DC or is this from a functioning 2008 DC?
zenworksbAuthor Commented:
Functioning.

Darius GhassemCommented:
Is this a 2008 machine? You need to remove the 127.0.0.1 DNS address from the TCP/IP properties, then put the actual DNS server IP address in the DNS settings. Disable IPv6. Do a netdiag /fix on this system.

zenworksbAuthor Commented:
Will do the following and post back.

zenworksbAuthor Commented:
I changed the 127 address to the server address, then made sure IPv6 was unchecked, and it was. I used a different tool for netdiag; I do not have the system tools on this server. I will download, install and do netdiag /fix and post back.

zenworksbAuthor Commented:
It says netdiag is not supported in 2008 Server, so what do you think?

Darius GhassemCommented:
Sorry, dcdiag /fix.

zenworksbAuthor Commented:
Cool man, ran that. Did you want me to post anything from that?

Darius GhassemCommented:
Are you getting any errors in the Event Log? Do a netdiag then post results. When you do the dcdiag /fix did you see any errors?
zenworksbAuthor Commented:
C:\Users\acarollo>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = domain-dc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAIN-DC01
      Starting test: Connectivity
         The host a1732d1f-fb48-4dc1-8607-a31989bb08a2._msdcs.domain.local could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         ......................... DOMAIN-DC01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAIN-DC01
      Skipping all tests, because server DOMAIN-DC01 is not responding to
      directory service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         ......................... domain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite

C:\Users\

zenworksbAuthor Commented:

C:\Users\acarollo>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = domain-dc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAIN-DC01
      Starting test: Connectivity
         The host a1732d1f-fb48-4dc1-8607-a31989bb08a2._msdcs.domain.local could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         ......................... DOMAIN-DC01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAIN-DC01
      Skipping all tests, because server DOMAIN-DC01 is not responding to
      directory service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         ......................... domain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite
Darius GhassemCommented:
Does the DC only have its own IP address listed for DNS? Does it have two NICs? Everything seems better but you still have this one error. Can you go into DNS, expand the zone, take a screenshot and post it?

zenworksbAuthor Commented:
The DC only has its own IP address for DNS.
In the DNS I only see a couple of entries and they are all valid. I still have not looked in the event logs; I will do that next.

Darius GhassemCommented:
Do you have these folders under the DNS zone?

msdcs
sites
tcp
udp
zenworksbAuthor Commented:
I will check in 10 minutes. I got a call from the client and he brought up that he cannot add domain groups to local groups, meaning he goes to Computer Management and the Administrators group and browses to add domain groups, and he does not see the domain. I asked him to ping the domain and he cannot. I will check the above and also check the event log. Man, Darius, you are the man, thank you.

zenworksbAuthor Commented:
You want me to look in the DNS Manager, right?

Darius GhassemCommented:
Yes.
zenworksbAuthor Commented:
OK, will do. Give me about 15 min, I have to pick up my kid from school. Thanks man.

zenworksbAuthor Commented:
I see msdcs and under that sites, but where are tcp and udp?

zenworksbAuthor Commented:
In the GC of DNS I found an entry for the bad DC that is offline, so I removed that as well. I just found out that we can ping the server by name but not by FQDN.

Darius GhassemCommented:
When you go into the msdcs folder, do you see a CNAME record? Then when you dig deeper into the folder structure, do you see an SRV record?

Darius GhassemCommented:
Check to make sure you have an A record for the DC. Where are you pinging it from? Does the computer you are pinging it from have only the DC's IP address listed for DNS?
zenworksbAuthor Commented:
Let me try that now; I will post back.

zenworksbAuthor Commented:
I am waiting to get into the machine on the domain to try and ping. I do see the msdcs, and I see an alias (CNAME) record, and deeper in the structure I see the SRV records; there are two of them, for ldap and kerberos.

zenworksbAuthor Commented:
I am on a computer that is on the domain. It did have the Novell as a secondary; I removed that and just added the DC as the DNS server, then flushed DNS and did registerdns, and I can still ping the DC by name but not by FQDN, and cannot ping the domain either. I also tried what they were doing, adding a domain group to a local group, and it does not see the domain as something that can be added.

Darius GhassemCommented:
Do you see this record in DNS: a1732d1f-fb48-4dc1-8607-a31989bb08a2?

zenworksbAuthor Commented:
Should I restart DNS on the server?

zenworksbAuthor Commented:
Let me look.

zenworksbAuthor Commented:
Yes, that is the alias (CNAME).

Darius GhassemCommented:
When you open it up does it point to a FQDN for the server? Then check to make sure the server has an A record.
zenworksbAuthor Commented:
Yes, it points to the FQDN of the server when I click browse. Where would the A record be? I went where the other A records are and I do not see this server having one.

zenworksbAuthor Commented:
When I click browse it does show the server?

zenworksbAuthor Commented:
Should I create an A record?

zenworksbAuthor Commented:
Oh no, did I lose you?

zenworksbAuthor Commented:
I created an A record and an associated PTR record for the server name and the IP address. I will ping and let you know if that did it. Do I need to restart DNS?

zenworksbAuthor Commented:
I am removing the A record I created; I do not think that is needed, and will wait to hear from you.

zenworksbAuthor Commented:
I tried adding the domain to the DNS suffix; still cannot ping the domain?

zenworksbAuthor Commented:
I am standing by, thanks man.

Darius GhassemCommented:
Hey sorry about that but I had something happen last night and had to run. Is everything fixed?
