Solved

Netlogon errors after adding new domain controllers

Posted on 2009-04-13
Last Modified: 2012-05-06
Last week I added 2 new domain controllers, both Server 2008, to a network that had a single 2003 domain controller.  Both new 2008 servers are global catalog servers.  The 2003 one is still a domain controller but no longer a GC.  A few days ago I started noticing errors on the client machines in the System log.

Netlogon 3224:
Changing machine account password for account xp-computer$ failed with the following error:
There are currently no logon servers available to service the logon request.

Netlogon 5719:
No Domain Controller is available for domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request. .
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

I ran DCDIAG on both of the new domain controllers and it only reported errors from the System log for printers from an RDP session and another xpcomputer$ machine account that failed to authenticate.

On one of the XP client machines I disjoined it and rejoined it to the domain and it works fine but I can't do that with all of them.

Thanks for the help!
Question by:bigbigpig
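Added example (not part of the original question): a small PowerShell script that pulls the two Netlogon events quoted above (3224, machine password change failed; 5719, no domain controller available) from one or more clients' System logs and summarises them per machine and event ID, so you can see how many workstations are affected and when the failures began. It assumes the event source is named NETLOGON and that remote event-log reading over RPC is allowed; Get-EventLog is used rather than Get-WinEvent so it also works against the XP-era clients in the thread.

```powershell
# Added example, not from the thread. Summarise Netlogon 3224/5719 errors per client.
# Assumptions: event source 'NETLOGON'; remote event-log access permitted.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # clients to inspect
    [int]$Days = 7                                    # look-back window
)

$wanted = 3224, 5719                                  # the two event IDs from the question
$since  = (Get-Date).AddDays(-$Days)

foreach ($c in $ComputerName) {
    try {
        $events = @(Get-EventLog -ComputerName $c -LogName System -Source NETLOGON -After $since -ErrorAction Stop |
                    Where-Object { $wanted -contains $_.EventID })
    } catch {
        Write-Warning "$c : could not read the System log ($($_.Exception.Message))"
        continue
    }

    if ($events.Count -eq 0) {
        "$c : no Netlogon 3224/5719 events since $since"
        continue
    }

    # One summary row per event ID: count, first/last occurrence, first line of the newest message
    $events | Group-Object EventID | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeGenerated)
        [pscustomobject]@{
            Computer = $c
            EventID  = [int]$_.Name
            Count    = $_.Count
            First    = $sorted[0].TimeGenerated
            Last     = $sorted[-1].TimeGenerated
            Detail   = ($sorted[-1].Message -split "`r?`n")[0]   # e.g. which account or domain failed
        }
    }
}
```

Run it as `.\Get-NetlogonErrors.ps1 -ComputerName xp-computer,xp-computer2 -Days 7` from a management workstation. A burst of 5719 events across many clients starting on the same day points at DC discovery (DNS SRV records) rather than at individual machine accounts, which is where the rest of the thread ends up.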
21 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24130516
It looks like a DNS problem to me.  Did you do anything with DNS?  Are the new servers the DNS servers and are the workstations or DHCP set up to point to them?  Which box is handing out DHCP (assuming you're not using static IPs for your workstations)?
 
LVL 10

Author Comment

by:bigbigpig
ID: 24130636
DNS was replicated to the 2 new servers but nothing else changed.  The workstations are all DHCP and the DHCP server is one of the 2 new 2008 boxes.  The scope options are set to give out the 2 new domain controllers addresses as DNS servers.  Are there diagnostic utilities that I can run on the XP machines to find the problem?
 
LVL 27

Accepted Solution

by:
bluntTony earned 125 total points
ID: 24130752
You could use nslookup to test that DNS resolution is working by using it to target a specific DNS server, e.g.
nslookup <machine name to resolve> <DNS server name>
Check firstly that standard Host A queries are working, then do an RR lookup to check that it's returning SRV records, e.g.
nslookup
set q=srv
<SRV record> <DNS server to target>
e.g. _ldap._tcp.<SITE NAME>._sites.dc._msdcs.domain.local mydnsserver.domain.local
The fact that disjoining and rejoining an affected machine works seems to say that it might not necessarily be a DNS issue. Can users log in OK on the affected machines?
 
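Added example (not from this answer or the thread): the same SRV check done from PowerShell, extended to the three DC locator records that dcdiag's record-registration test looks for (dc, gc and pdc under _msdcs), and confirming that every host the SRV records point at also has an A record on the DNS server being tested. It uses Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later); the domain and server names are placeholders taken from the thread.

```powershell
# Added example, not from the thread. Query the DC locator SRV records against one DNS
# server and check that each SRV target has an A record there.
param(
    [string]$DomainDns = 'domain.local',              # placeholder domain from the thread
    [string]$DnsServer = 'srv2008dc1.domain.local'    # the DNS server to test
)

$srvNames = @(
    "_ldap._tcp.dc._msdcs.$DomainDns",     # every domain controller
    "_ldap._tcp.gc._msdcs.$DomainDns",     # global catalog servers
    "_ldap._tcp.pdc._msdcs.$DomainDns"     # PDC emulator
)

foreach ($name in $srvNames) {
    try {
        # -DnsOnly skips the local cache, LLMNR and NetBIOS so only the named server answers
        $srv = @(Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    } catch {
        Write-Warning "$name : no SRV records returned by $DnsServer ($($_.Exception.Message))"
        continue
    }

    if ($srv.Count -eq 0) {
        Write-Warning "$name : query succeeded but contained no SRV records"
        continue
    }

    foreach ($r in $srv) {
        # Each SRV target must resolve to an address on the same server, or clients cannot reach it
        $a = @(Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })
        $status = if ($a.Count -gt 0) { $a.IPAddress -join ',' } else { 'MISSING A RECORD' }
        '{0,-40} {1,-28} port {2,-5} -> {3}' -f $name, $r.NameTarget, $r.Port, $status
    }
}
```

Run it once per DNS server (`-DnsServer srv2008dc2.domain.local`, then the 2003 box) and compare: with three DCs in the domain each list should name all three hosts on the dc record, the two 2008 servers on the gc record, and exactly one host on the pdc record. A server that returns the records while dcdiag reports them missing for its own registration, as happens later in this thread, is a sign that the records were never (re)registered by that DC even though they replicated in from another one.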
LVL 10

Author Comment

by:bigbigpig
ID: 24130893
The nslookups resolve OK.

Here's the output from the SRV lookup. Machine and domain names were changed to generic ones.

> _ldap._tcp.dc._msdcs.domain.local srv2008dc1.domain.local
Server:  srv2008dc1.domain.local
Address:  192.168.100.57

_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc1.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2003.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc2.domain.local
srv2008dc1.domain.local     internet address = 192.168.100.57
srv2003.domain.local      internet address = 192.168.100.2
srv2008dc2.domain.local internet address = 192.168.100.52
 
LVL 10

Author Comment

by:bigbigpig
ID: 24130906
The users can log in OK but as far as I know they're using cached credentials.
 
LVL 15

Expert Comment

by:zelron22
ID: 24130978
Try to see if you can connect to the servers from a workstation on port 389.
Make sure that SYSVOL is shared on both the DCs and that the permissions are appropriate.

Any antivirus/firewall/antispyware software on the servers that could be the problem?  Try disabling all of it and test.  You may need to reconfigure it if it's the problem.

 
LVL 10

Author Comment

by:bigbigpig
ID: 24131068
Something else I noticed... I can't resolve the NetBIOS name of the domain.  If my domain name is DOMAIN.LOCAL nothing will resolve to DOMAIN.
 
LVL 27

Expert Comment

by:bluntTony
ID: 24131080
Looks like DNS is functioning OK as nslookup is returning all three DCs' ldap records OK (also assuming that the IP addresses are correct).
You can test connection to a particular port by using telnet. e.g.
telnet <DC NAME> 389
If you get a blank console screen, then the port is opened. If it says the connection was refused, then you're not getting through. Like zelron says - disable Windows Firewall on the DC firstly if you can't get through.
Let us know how you get on...
 
LVL 21

Expert Comment

by:snusgubben
ID: 24131212
Run: dcdiag /v /e /c

and you'll most likely see the cause.


SG
 
LVL 10

Author Comment

by:bigbigpig
ID: 24131621
telnet on 389 works fine.

On the dcdiag /v /e /c results the only errors I get are for AAAA records not being found and DFS Replication errors.

Here's an event from the DFS Replication log:
The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
 
Additional Information:
Error: 160 (One or more arguments are not correct.)
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24131782
Disable IPv6 then run a dcdiag /fix. Also, make sure the DFS service is running and not disabled. Post an ipconfig /all for the 2008 servers.
 
LVL 10

Author Comment

by:bigbigpig
ID: 24131860
IPv6 was already deselected as a protocol for the network adapter on both of the 2008 servers.

Here's the ipconfig /all output:

C:\Users\Administrator.JTE>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv2008dc1.domain.local
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-23-7D-EC-15-DC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.100.52
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{65E9EDED-2A45-4E4A-BC12-48C5542DF085}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 125 total points
ID: 24131872
You should also run "ipconfig /registerdns" on both 2008 DCs so the correct IPv4 A-record is registered in the DNS (after IPv6 is disabled on both 2008 DCs like dariusq said).


SG
 
LVL 21

Expert Comment

by:snusgubben
ID: 24131887
You should not use the loopback as preferred DNS. Use the IP to itself (192.168.100.57 in this case).


SG
 
LVL 10

Author Comment

by:bigbigpig
ID: 24131888
Another test... ran dcdiag /s:srv2008dc1.domain.local /c from a Windows XP machine.  I get these DNS errors:

Starting test: DNS
         Test results for domain controllers:
           
            DC: srv2008dc1.domain.local
            Domain: domain.local

                 
               TEST: Records registration (RReg)
                  Network Adapter [00000006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client):
                     Error: Missing A record at DNS server 192.168.100.57 :
                     srv2008dc1.domain.local
                     
                     Error: Missing CNAME record at DNS server 192.168.100.57 :
                     bd73a40b-2a78-44f5-a704-0b58b2028a36._msdcs.domain.local
                     
                     Error: Missing DC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.dc._msdcs.domain.local
                     
                     Error: Missing GC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.gc._msdcs.domain.local
                     
                     Error: Missing PDC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.pdc._msdcs.domain.local
                     
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: domain.local
               srv2008dc1                  PASS PASS PASS PASS PASS FAIL n/a  
         
         ......................... domain.local failed test DNS
 
LVL 15

Assisted Solution

by:zelron22
zelron22 earned 125 total points
ID: 24132193
DNS servers should only point to themselves for DNS and use the actual IP instead of the loopback.

Do the 2008 DCs have multiple NICs?  DCs / DNS servers should only have one IP; any unused NICs should be disabled.
 
LVL 21

Expert Comment

by:snusgubben
ID: 24132251
You didn't respond if you ran the commands posted previously and if you changed the preferred DNS...

Run these on both 2008 DCs from a cmd prompt (after you have set them to point to themselves as preferred DNS):

ipconfig /flushdns
ipconfig /registerdns

then restart the "netlogon" service.


SG

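Added example, not from this post or the thread: a PowerShell script that checks a DC's own DNS client settings against the advice given in this post and in zelron22's (no 127.0.0.1 as a DNS server, the DC's own IPv4 address listed first, a single active NIC) and, when run with -Fix, corrects the server list and then performs the flush, re-register, Netlogon restart and dcdiag /fix steps. It assumes the NetAdapter and DnsClient modules (Windows Server 2012 or later) and an elevated prompt on the DC; the 2008 servers in the thread would need the equivalent netsh/ipconfig commands instead.

```powershell
# Added example, not from the thread. Audit (and optionally fix) a DC's DNS client settings,
# then re-register its records and restart Netlogon. Run elevated on the DC itself.
param([switch]$Fix)

$adapters = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
if ($adapters.Count -ne 1) {
    Write-Warning ("Expected one active NIC on a DC, found {0}: {1}" -f $adapters.Count, ($adapters.Name -join ', '))
}

foreach ($nic in $adapters) {
    # First non-link-local IPv4 address on the adapter: the address clients and DNS should see
    $ownIp = @(Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
               Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
               Select-Object -ExpandProperty IPAddress)[0]
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)

    "{0}: IPv4 {1}, DNS servers {2}" -f $nic.Name, $ownIp, ($dns -join ', ')

    $problems = @()
    if ($dns -contains '127.0.0.1') { $problems += 'loopback address is listed as a DNS server' }
    if ($dns.Count -eq 0 -or $dns[0] -ne $ownIp) { $problems += "preferred DNS is not this DC's own address $ownIp" }
    $problems | ForEach-Object { Write-Warning "$($nic.Name): $_" }

    if ($Fix -and $problems.Count -gt 0) {
        # Own address first, then whichever other DCs were already listed, loopback dropped
        $fixed = @($ownIp) + @($dns | Where-Object { $_ -ne '127.0.0.1' -and $_ -ne $ownIp })
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $fixed
        "$($nic.Name): DNS servers set to $($fixed -join ', ')"
    }
}

if ($Fix) {
    Clear-DnsClientCache                   # equivalent of ipconfig /flushdns
    Register-DnsClient                     # equivalent of ipconfig /registerdns (host A/PTR records)
    Restart-Service -Name Netlogon         # Netlogon re-registers the _msdcs SRV records on start
    & dcdiag.exe /fix                      # dcdiag's DNS fix pass, as suggested in the thread
}
```

Run it without -Fix first on each 2008 DC and read the warnings; the ipconfig /all posted above would produce the loopback warning for srv2008dc1. Give the zone time to replicate to the other DNS servers before re-running the SRV checks from a client.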
 
LVL 10

Author Comment

by:bigbigpig
ID: 24132710
I'll be able to run these commands in a couple of hours.

I did run the ipconfig /flushdns command a little while ago on each of them.  After that the dcdiag from the Windows XP machine passed the DNS test.  After I run these commands and restart netlogon tonight I'll get to see if it worked when the users boot their machines and logon in the morning.
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 125 total points
ID: 24134029
Make sure the DC is pointing to itself, then run ipconfig /registerdns and dcdiag /fix.
 
LVL 27

Expert Comment

by:bluntTony
ID: 24135776
Seems strange that the last DCDIAG test failed, as the nslookup earlier returned a record which DCDIAG is now saying is missing, on the same DNS server.
Let us know how you get on after re-registering all the SRV records for the DCs (and allow for zone replication).
 
LVL 10

Author Comment

by:bigbigpig
ID: 24138267
So far there have been no errors on the client machines - looks like it's all fixed!  It appears to have been a DNS issue and was resolved by these commands.
ipconfig /flushdns
ipconfig /registerdns
dcdiag /fix
restart netlogon