MarlinTechSupport asked:

DNS issue on AD domain

Hello, I have an Active Directory set up that is extremely simple... or so I thought. The AD serves approximately 60 or so workstations and 8 or so member servers.

There is only one DC, the DC is running DNS.  

Every so often I get errors on workstations that won't process GPOs because, well:

>Group Policy Infrastructure failed due to the error listed below.
>
>The specified domain either does not exist or could not be contacted.
>
>Note: Due to the GP Core failure, none of the other Group Policy components processed their policy.
>Consequently, status information for the other components is not available

When I sit at my DC/DNS server and run dcdiag everything comes up green.  

When I run netdiag /q I get DNS failure:  
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.10.51'. Please wait for 30 minutes for DNS server replication.

When I run a netdiag /fix I get:
[FIX] re-register DC DNS entry 'mydomainname.com.' on the DNS server '192.168.10.51' succeed.
FIX PASS - netdiag re-registered missing DNS entries for this DC successfully on server '192.168.10.51'.
[FATAL] No DNS servers have the DNS records for this DC registered.

I wonder what I am missing. It says it fixed them, but then it is still broken?

I have to assume that the errors I get on workstations and servers such as:

-Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

or

-Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

I don't get these errors on every workstation/server on my domain; in fact most have no issues at all. There is also nothing common amongst the devices getting these issues: some are servers, some are workstations, some are on one subnet, some are on another, different OSes, different hardware.

I am at a loss and do not know enough about DNS to fix this on my own.  

Also on my DNS MMC I get DNS errors such as this:

Source:DNS Event ID 3000 - The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.

Source:DNS Event ID 4015 - The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Source:DNS  Event ID 4004 - The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

I get 4004 errors for each zone it cannot load.


Can anyone assist?
exx1976 replied:

Firstly, WHY do you have only one DC? With 8 member servers, you're OBVIOUSLY not short on hardware. Mark my words, you'll regret that one day if you don't do something about it.

Ok, now on to your problem. Please post the output of an ipconfig /all

-exx
MarlinTechSupport (asker) replied:

I agree, we had two DCs. I will be assigning a second DC soon, but there are issues that need to be worked out first. I am told by the powers that be not to run DCPROMO on another server until I figure a lot of this out. It should be noted that before I decommissioned the second DC (back when there were two) I transferred all FSMO roles, made it the GC server and demoted it to a member server, then took it off the domain. The decommissioned server was the primary DC at the time, but DNS was always not quite right even then.

ipconfig /all output:
Host Name: tmc-itadmin-2
primary dns suffix: themarlinco.com
node type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: NO
DNS Suffix search list: themarlinco.com

Ethernet adapter network bridge

connection specific DNS suffix: No Value
Description: MAC Bridge Miniport
Physical Address: My Mac Address for bridge
DHCP Enabled: No
IP Address: 192.168.10.51
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.10.1
DNS Servers: 192.168.10.51
             192.168.10.50
             68.87.71.226
             68.87.73.242
Primary WINS Server: 192.168.10.51
Secondary WINS Server: 192.168.10.50
exx1976 replied:

Your problem (or at least part of it) is right there.

Remove ALL the entries for DNS servers except 192.168.10.51. This assumes that 192.168.10.50 used to be the old DC that was taken offline. The two public IPs that are in there should NEVER be listed on your servers (as configured DNS servers, anyway). Bad bad bad!!!

If you want to use your ISP's DNS to do lookups, then configure it as a forwarder in your DNS server, NEVER in the DNS settings on the NIC. Why? Because your server will try to register all its AD records (as well as do lookups) with those DNS servers. Since those records obviously don't exist there, bad things...


So remove all that stuff, and then run a dcdiag /test:dns and post the results.

HTH,
exx
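The check and fix exx1976 describes, as an added example that is not code from the original thread. It audits every adapter's IPv4 DNS client list on the DC, flags anything outside RFC 1918 space, and (when $Apply is set) points the NIC at the DC alone, moves the public resolvers into the DNS Server forwarder list, re-registers the DC's records and runs dcdiag /test:dns. Assumptions: it runs elevated on the DC itself, on Windows Server 2012 or later (the DnsClient and DnsServer modules; the thread's netdiag tool no longer ships on those versions), and $DcIp is the DC's own address taken from the ipconfig /all posted above.

```powershell
# Added example (not from the original thread). Audit, then optionally fix,
# a DC's NIC DNS client list so it points only at internal DNS, and move
# any ISP resolvers to the DNS Server forwarder list.
# Assumes: elevated session on the DC, Windows Server 2012+ (DnsClient and
# DnsServer modules available), $DcIp = this DC's address from the thread.

$DcIp  = '192.168.10.51'
$Apply = $false          # set to $true to actually change the configuration

# RFC 1918 check: a DC's NIC should only ever list internal DNS servers.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. Audit: list every IPv4 DNS server configured on every adapter.
$publicServers = @()
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($nic in $nics) {
    foreach ($srv in $nic.ServerAddresses) {
        if (Test-PrivateIPv4 $srv) {
            $verdict = if ($srv -eq $DcIp) { 'OK (this DC)' }
                       else { 'internal; confirm it is a running DNS server' }
        } else {
            $verdict = 'PUBLIC - must not be on a DC NIC'
            $publicServers += $srv
        }
        '{0,-28} {1,-16} {2}' -f $nic.InterfaceAlias, $srv, $verdict
    }
}

# 2. Show the current forwarders so the before/after is visible.
'Current forwarders: ' + ((Get-DnsServerForwarder).IPAddress -join ', ')

if (-not $Apply) { 'Audit only; set $Apply = $true to fix.'; return }

# 3. Fix: every adapter resolves through this DC only. Do not list the
#    offline backup (192.168.10.50 in the thread) until its DNS service is
#    running again.
foreach ($nic in $nics) {
    Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $DcIp
}

# 4. The ISP resolvers belong in the DNS Server's forwarder list instead:
#    the DC forwards Internet lookups there but never tries to register its
#    AD records with them. Set-DnsServerForwarder replaces the whole list.
if ($publicServers.Count -gt 0) {
    Set-DnsServerForwarder -IPAddress $publicServers -PassThru
}

# 5. Re-register the DC's A record (DNS client) and its SRV locator records
#    (Netlogon), then verify with the modern equivalent of netdiag's DNS test.
Register-DnsClient
nltest /dsregdns
dcdiag /test:dns /v
```

Run it once with $Apply left at $false to see the verdict per adapter and the existing forwarders; only the public entries are collected for forwarding, so a stale internal secondary such as the offline backup is reported but has to be judged by hand. If the server already has forwarders you want to keep, use Add-DnsServerForwarder instead of Set-DnsServerForwarder, which overwrites the list. When the second DC comes back with DNS running, add it as the second entry in -ServerAddresses rather than leaving the DC with a single resolver.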
MarlinTechSupport (asker) replied:

10.50 is the backup DNS server actually. The backup DNS server does not have the DNS service running right now for a few reasons.

I do not know where the public addresses came from. I'll have the network engineer look into that and report what happens after the changes are made.

I have inherited this system, learning as I go along, and really don't know where/why a lot of things are the way they are. My only saving grace is that the design is relatively small.

Thanks.
exx1976 replied:

So, let me get this straight. You have a backup DNS server, but no backup AD controller?!?

Wooooooooow...

Either way, if it's not running, remove it. You can put it back later if and when it gets running again. For now, we need to fix the DNS issues you are having. Also remove those two 68.x.x.x addresses. Then please post the output from dcdiag /test:dns so that we can proceed.


-exx
MarlinTechSupport (asker) replied:

lol I know, like I said, at one time we had 2 DCs and 2 DNS servers.

I don't know the reasons for being told to stick with one DC and 1 DNS for now.

Either way, I removed the 68.x's and the backup DNS that is not running right now.

Per interface results:

    Adapter : Network Bridge (Network Bridge) 2

        Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{DFFBFCD1-301D-47AF-9D91-C7354E3BD94E}
    1 NetBt transport currently configured.


DNS test . . . . . . . . . . . . . : Failed
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.10.51'. Please wait for 30 minutes for DNS server replication.
    [FATAL] No DNS servers have the DNS records for this DC registered.


The command completed successfully
I am extremely confused...

How can my DC have trouble registering itself with the DNS server it's running!?
ASKER CERTIFIED SOLUTION (posted by MarlinTechSupport; members-only, text not available)