Netlogon errors after adding new domain controllers

Last week I added 2 new domain controllers, both Server 2008, to a network that had a single 2003 domain controller.  Both new 2008 servers are global catalog servers.  The 2003 one is still a domain controller but no longer a GC.  A few days ago I started noticing errors on the client machines in the System log.

Netlogon 3224:
Changing machine account password for account xp-computer$ failed with the following error:
There are currently no logon servers available to service the logon request.

Netlogon 5719:
No Domain Controller is available for domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request. .
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

I ran DCDIAG on both of the new domain controllers and it only reported errors from the System log for printers from an RDP session and another xpcomputer$ machine account that failed to authenticate.

I disjoined one of the XP client machines and rejoined it to the domain and it works fine, but I can't do that with all of them.

Thanks for the help!
bigbigpigAsked:
bluntTonyConnect With a Mentor Commented:
You could use nslookup to test that DNS resolution is working by using it to target a specific DNS server, e.g.
nslookup <machine name to resolve> <DNS server name>
Check firstly that standard Host A queries are working, then do an RR lookup to check that it's returning SRV records, e.g.
nslookup
set q=srv
<SRV record> <DNS server to target>
e.g. _ldap._tcp.<SITE NAME>._sites.dc._msdcs.domain.local mydnsserver.domain.local
The fact that disjoining and rejoining an affected machine works seems to say that it might not necessarily be a DNS issue. Can users log in OK on the affected machines?
 
0
 
zelron22Commented:
It looks like a DNS problem to me.  Did you do anything with DNS?  Are the new servers the DNS servers and are the workstations or DHCP set up to point to them?  Which box is handing out DHCP (assuming you're not using static IPs for your workstations)?
0
 
bigbigpigAuthor Commented:
DNS was replicated to the 2 new servers but nothing else changed.  The workstations are all DHCP and the DHCP server is one of the 2 new 2008 boxes.  The scope options are set to give out the 2 new domain controllers addresses as DNS servers.  Are there diagnostic utilities that I can run on the XP machines to find the problem?
0
 
bigbigpigAuthor Commented:
The nslookups resolve OK.

Here's the output from the SRV lookup.  Machine and domain names were changed to generic.

> _ldap._tcp.dc._msdcs.domain.local srv2008dc1.domain.local
Server:  srv2008dc1.domain.local
Address:  192.168.100.57

_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc1.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2003.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc2.domain.local
srv2008dc1.domain.local     internet address = 192.168.100.57
srv2003.domain.local      internet address = 192.168.100.2
srv2008dc2.domain.local internet address = 192.168.100.52
0
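As an added example (not from the thread or any of its participants), here is a small Python checker that parses nslookup "set q=srv" output of the kind bluntTony's procedure produces and bigbigpig posted above, and reports the conditions that would explain the Netlogon 5719 "no logon servers available" errors: no SRV records at all, an unexpected port, an SRV target with no A record in the answer, or a DC that should be advertising the service but is absent from the answer. The sample text is the output posted above with its generic names; the expected_targets parameter is my own addition for spotting a DC whose SRV record never made it into the zone.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "set q=srv" output posted in the thread, with the same
# generic names (domain.local, srv2008dc1 / srv2003 / srv2008dc2).
NSLOOKUP_SRV_OUTPUT = """\
> _ldap._tcp.dc._msdcs.domain.local srv2008dc1.domain.local
Server:  srv2008dc1.domain.local
Address:  192.168.100.57

_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc1.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2003.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc2.domain.local
srv2008dc1.domain.local     internet address = 192.168.100.57
srv2003.domain.local      internet address = 192.168.100.2
srv2008dc2.domain.local internet address = 192.168.100.52
"""


@dataclass
class SrvRecord:
    name: str       # the SRV owner name that was queried
    priority: int
    weight: int
    port: int
    target: str     # "svr hostname": the DC offering the service


SRV_HEADER = re.compile(r"^(\S+)\s+SRV service location:$")
SRV_FIELD = re.compile(r"^(priority|weight|port|svr hostname)\s*=\s*(\S+)$")
GLUE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)$")


def parse_nslookup_srv(text):
    """Parse nslookup SRV output into (records, glue).

    glue maps each SRV target host to the IPv4 address nslookup printed for it
    in the trailing 'internet address' lines."""
    records, glue = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SRV_HEADER.match(line)
        if m:
            current = {"name": m.group(1)}
            continue
        m = SRV_FIELD.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value
            if key == "svr hostname":   # last field of one record block
                records.append(SrvRecord(current["name"], int(current["priority"]),
                                         int(current["weight"]), int(current["port"]), value))
                current = None
            continue
        m = GLUE.match(line)
        if m:
            glue[m.group(1)] = m.group(2)
    return records, glue


def check_dc_locator_records(text, expected_targets=(), expected_port=389):
    """Return the problems that would explain 'no logon servers available'.

    expected_targets (my own addition): DCs that should advertise this service;
    one missing from the answer has not registered its SRV record on the
    queried DNS server."""
    records, glue = parse_nslookup_srv(text)
    problems = []
    if not records:
        problems.append("no SRV records returned; clients cannot locate a DC via DNS")
    for r in records:
        if r.port != expected_port:
            problems.append(f"{r.target}: SRV port {r.port}, expected {expected_port}")
        if r.target not in glue:
            problems.append(f"{r.target}: no A record for the SRV target, clients cannot reach it")
    advertised = {r.target for r in records}
    for host in expected_targets:
        if host not in advertised:
            problems.append(f"{host}: expected DC is not advertised in the SRV answer")
    return problems


if __name__ == "__main__":
    dcs = ("srv2008dc1.domain.local", "srv2003.domain.local", "srv2008dc2.domain.local")
    for line in check_dc_locator_records(NSLOOKUP_SRV_OUTPUT, dcs) or ["all DC locator records look healthy"]:
        print(line)
```

Pipe the output of a real "nslookup" session into this instead of the embedded sample to compare what each DNS server in the environment answers; differences between servers point at a record that registered on one but has not replicated to the other.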
 
bigbigpigAuthor Commented:
The users can log in OK but as far as I know they're using cached credentials.
0
 
zelron22Commented:
Try to see if you can connect to the servers from a workstation on port 389.
Make sure that SYSVOL is shared on both the DCs and that the permissions are appropriate.

Any antivirus/firewall/antispyware software on the servers that could be the problem?  Try disabling all of it and test.  You may need to reconfigure it if it's the problem.

0
 
bigbigpigAuthor Commented:
Something else I noticed... I can't resolve the NetBIOS name of the domain.  If my domain name is DOMAIN.LOCAL nothing will resolve to DOMAIN.
0
 
bluntTonyCommented:
Looks like DNS is functioning OK as nslookup is returning all three DCs' ldap records OK (also assuming that the IP addresses are correct).
You can test connection to a particular port by using telnet. e.g.
telnet <DC NAME> 389
If you get a blank console screen, then the port is opened. If it says the connection was refused, then you're not getting through. Like zelron says - disable Windows Firewall on the DC firstly if you can't get through.
Let us know how you get on...
0
 
snusgubbenCommented:
Run: dcdiag /v /e /c

and you'll most likely see the cause.


SG
0
 
bigbigpigAuthor Commented:
telnet on 389 works fine.

On the dcdiag /v /e /c results the only errors I get are for AAAA records not being found and DFS Replication errors.

Here's an event from the DFS Replication log:
The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
 
Additional Information:
Error: 160 (One or more arguments are not correct.)
0
 
Darius GhassemCommented:
Disable IPv6 then run a dcdiag /fix. Also, make sure the DFS service is running and not disabled. Post an ipconfig /all for the 2008 servers.
0
 
bigbigpigAuthor Commented:
IPv6 was already deselected as a protocol for the network adapter on both of the 2008 servers.

Here's the ipconfig /all output:

C:\Users\Administrator.JTE>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv2008dc1.domain.local
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-23-7D-EC-15-DC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.100.52
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{65E9EDED-2A45-4E4A-BC12-48C5542DF085}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
0
 
snusgubbenConnect With a Mentor Commented:
You should also run "ipconfig /registerdns" on both 2008 DCs so the correct IPv4 A-record is registered in the DNS (after IPv6 is disabled on both 2008 DCs like dariusq said).


SG
0
 
snusgubbenCommented:
You should not use the loopback as preferred DNS. Use the IP of the server itself (192.168.100.57 in this case).


SG
0
 
bigbigpigAuthor Commented:
Another test... ran dcdiag /s:srv2008dc1.domain.local /c from a Windows XP machine.  I get these DNS errors:

Starting test: DNS
         Test results for domain controllers:
           
            DC: srv2008dc1.domain.local
            Domain: domain.local

                 
               TEST: Records registration (RReg)
                  Network Adapter [00000006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client):
                     Error: Missing A record at DNS server 192.168.100.57 :
                     srv2008dc1.domain.local
                     
                     Error: Missing CNAME record at DNS server 192.168.100.57 :
                     bd73a40b-2a78-44f5-a704-0b58b2028a36._msdcs.domain.local
                     
                     Error: Missing DC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.dc._msdcs.domain.local
                     
                     Error: Missing GC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.gc._msdcs.domain.local
                     
                     Error: Missing PDC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.pdc._msdcs.domain.local
                     
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: domain.local
               srv2008dc1                  PASS PASS PASS PASS PASS FAIL n/a  
         
         ......................... domain.local failed test DNS
0
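Added example, not from the thread: a Python parser for the dcdiag DNS test output above that pulls out each "Missing ... record" error and the summary table, and groups the missing records by the re-registration step that recreates them. The grouping rule is mine: the DC's own A record is registered by the DHCP Client service, which is what ipconfig /registerdns triggers, while the CNAME and SRV locator records under _msdcs are Netlogon's, so a Netlogon restart or dcdiag /fix recreates them. The sample text is the dcdiag output posted above.

```python
import re
from collections import defaultdict

# Copied from the thread: the DNS section of "dcdiag /s:srv2008dc1.domain.local /c"
# run from the XP client, trimmed to the lines the parser needs.
DCDIAG_DNS_OUTPUT = """\
Starting test: DNS
         Test results for domain controllers:

            DC: srv2008dc1.domain.local
            Domain: domain.local

               TEST: Records registration (RReg)
                  Network Adapter [00000006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client):
                     Error: Missing A record at DNS server 192.168.100.57 :
                     srv2008dc1.domain.local

                     Error: Missing CNAME record at DNS server 192.168.100.57 :
                     bd73a40b-2a78-44f5-a704-0b58b2028a36._msdcs.domain.local

                     Error: Missing DC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.dc._msdcs.domain.local

                     Error: Missing GC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.gc._msdcs.domain.local

                     Error: Missing PDC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.pdc._msdcs.domain.local

               Error: Record registrations cannot be found for all the network adapters

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: domain.local
               srv2008dc1                  PASS PASS PASS PASS PASS FAIL n/a

         ......................... domain.local failed test DNS
"""

MISSING = re.compile(r"Error: Missing (?P<kind>.+?) record at DNS server (?P<server>\S+)\s*:\s*$")


def parse_missing_records(text):
    """Return (kind, dns_server, record_name) for every 'Missing ... record' error.
    dcdiag prints the record name on the line after the error line."""
    lines = text.splitlines()
    found = []
    for i, raw in enumerate(lines):
        m = MISSING.search(raw)
        if m and i + 1 < len(lines):
            found.append((m.group("kind"), m.group("server"), lines[i + 1].strip()))
    return found


def parse_summary(text):
    """Turn the per-DC summary table into {dc: {column: 'PASS'|'FAIL'|'n/a'}}."""
    columns, results = None, {}
    for raw in text.splitlines():
        tokens = raw.split()
        if "Auth" in tokens and "RReg" in tokens:          # header row
            columns = tokens
        elif columns and len(tokens) == len(columns) + 1 and tokens[1] in ("PASS", "FAIL", "n/a"):
            results[tokens[0]] = dict(zip(columns, tokens[1:]))
    return results


def remediation_plan(missing):
    """Group missing records by the step that re-registers them (my own rule):
    the host A record belongs to the DHCP Client service (ipconfig /registerdns);
    everything under _msdcs (GUID CNAME, SRV) is written by Netlogon."""
    plan = defaultdict(list)
    for kind, _server, name in missing:
        step = "ipconfig /registerdns" if kind == "A" else "restart Netlogon / dcdiag /fix"
        plan[step].append(name)
    return dict(plan)


if __name__ == "__main__":
    for step, names in remediation_plan(parse_missing_records(DCDIAG_DNS_OUTPUT)).items():
        print(step)
        for n in names:
            print("   ", n)
    print(parse_summary(DCDIAG_DNS_OUTPUT))
```

Running it over the output of several DCs at once (dcdiag /e) gives a per-DC list, which is useful because a record missing on only one DNS server indicates a replication problem rather than a registration one.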
 
zelron22Connect With a Mentor Commented:
DNS servers should only point to themselves for DNS and use the actual IP instead of the loopback.

Do the 2008 DCs have multiple NICs?  DCs / DNS servers should only have one IP; any unused NICs should be disabled.
0
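Added example, not from the thread: a Python audit of the ipconfig /all output posted earlier against the two points snusgubben and zelron22 make, namely that a DC/DNS server should list its own real IPv4 address rather than 127.0.0.1 as preferred DNS, and that it should be single-homed. The parser and the audit rules are mine; the sample is bigbigpig's output with the prompt dropped and the wrapped lines rejoined.

```python
import re

# Copied from the thread: the ipconfig /all bigbigpig posted for srv2008dc1.
IPCONFIG_ALL = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv2008dc1.domain.local
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-23-7D-EC-15-DC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.100.52
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{65E9EDED-2A45-4E4A-BC12-48C5542DF085}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
"""

ADAPTER = re.compile(r"^(\S.*) adapter (.+):$")
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s*(?P<val>.*)$")
# deeply indented line with no key: an extra value of the previous list field
# (second DNS server, second gateway, ...)
CONTINUATION = re.compile(r"^\s{20,}(\S.*)$")


def parse_ipconfig_all(text):
    """Return a list of adapters as {'name': ..., 'fields': {key: [values]}};
    the leading 'Windows IP Configuration' section is stored as '(global)'."""
    adapters = [{"name": "(global)", "fields": {}}]
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ADAPTER.match(raw)
        if m:
            adapters.append({"name": m.group(2), "fields": {}})
            last_key = None
            continue
        m = CONTINUATION.match(raw)
        if m and last_key:
            adapters[-1]["fields"][last_key].append(m.group(1))
            continue
        m = FIELD.match(raw)
        if m:
            last_key = m.group("key").strip()
            adapters[-1]["fields"][last_key] = [m.group("val")] if m.group("val") else []
    return adapters


def ipv4_of(adapter):
    vals = adapter["fields"].get("IPv4 Address", [])
    return vals[0].split("(")[0] if vals else None    # drop "(Preferred)"


def audit_dc_client_settings(text):
    """Findings against the thread's advice: preferred DNS must be the server's
    own IPv4 address (not loopback) and a DC should hold exactly one IPv4 address."""
    adapters = [a for a in parse_ipconfig_all(text) if ipv4_of(a)]
    findings = []
    if len(adapters) > 1:
        findings.append(f"multi-homed: {len(adapters)} adapters hold an IPv4 address; disable unused NICs")
    for a in adapters:
        ip = ipv4_of(a)
        dns = a["fields"].get("DNS Servers", [])
        if dns and dns[0].startswith("127."):
            findings.append(f"{a['name']}: preferred DNS is loopback {dns[0]}; use {ip} instead")
        if ip not in dns:
            findings.append(f"{a['name']}: own address {ip} is not in the DNS server list {dns}")
    return findings


if __name__ == "__main__":
    for f in audit_dc_client_settings(IPCONFIG_ALL) or ["no findings"]:
        print(f)
```

Against the posted output this reports the loopback preferred DNS and the absence of 192.168.100.57 from the DNS list; once 127.0.0.1 is replaced by the server's own address the audit is clean.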
 
snusgubbenCommented:
You didn't respond if you ran the commands posted previously and if you changed the preferred DNS...

Run these on both 2008 DCs from a cmd prompt (after you have set them to point to themselves as preferred DNS):

ipconfig /flushdns
ipconfig /registerdns

then restart the "netlogon" service.


SG

0
 
bigbigpigAuthor Commented:
I'll be able to run these commands in a couple of hours.

I did run the ipconfig /flushdns command a little while ago on each of them.  After that the dcdiag from the Windows XP machine passed the DNS test.  After I run these commands and restart netlogon tonight I'll get to see if it worked when the users boot their machines and logon in the morning.
0
 
Darius GhassemConnect With a Mentor Commented:
Make sure the DC is pointing to itself then run ipconfig /registerdns and dcdiag /fix.
0
 
bluntTonyCommented:
Seems strange that the last DCDIAG test failed, as the nslookup earlier returned a record which DCDIAG is now saying is missing, on the same DNS server.
Let us know how you get on after re-registering all the SRV records for the DCs (and allow for zone replication)
0
 
bigbigpigAuthor Commented:
So far there have been no errors on the client machines - looks like it's all fixed!  It appears to have been a DNS issue and was resolved by these commands.
ipconfig /flushdns
ipconfig /registerdns
dcdiag /fix
restart netlogon
0