Solved

Netlogon errors after adding new domain controllers

Posted on 2009-04-13
Last Modified: 2012-05-06
Last week I added 2 new domain controllers, both Server 2008, to a network that had a single 2003 domain controller.  Both new 2008 servers are global catalog servers.  The 2003 one is still a domain controller but no longer a GC.  A few days ago I started noticing errors on the client machines in the System log.

Netlogon 3224:
Changing machine account password for account xp-computer$ failed with the following error:
There are currently no logon servers available to service the logon request.

Netlogon 5719:
No Domain Controller is available for domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request. .
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

I ran DCDIAG on both of the new domain controllers and it only reported errors from the System log for printers from an RDP session and another xpcomputer$ machine account that failed to authenticate.

On one of the XP client machines I disjoined it and rejoined it to the domain and it works fine but I can't do that with all of them.

Thanks for the help!
Question by: bigbigpig

Expert Comment by: zelron22
It looks like a DNS problem to me.  Did you do anything with DNS?  Are the new servers the DNS servers and are the workstations or DHCP set up to point to them?  Which box is handing out DHCP (assuming you're not using static IPs for your workstations)?
Author Comment by: bigbigpig
DNS was replicated to the 2 new servers but nothing else changed.  The workstations are all DHCP and the DHCP server is one of the 2 new 2008 boxes.  The scope options are set to give out the 2 new domain controllers addresses as DNS servers.  Are there diagnostic utilities that I can run on the XP machines to find the problem?
Accepted Solution by: bluntTony (earned 125 total points)
You could use nslookup to test that DNS resolution is working by using it to target a specific DNS server, e.g.
nslookup <machine name to resolve> <DNS server name>
Check that firstly standard Host A queries are working, then do an RR lookup to check that it's returning SRV records, e.g.
nslookup
set q=srv
<SRV record> <DNS server to target>
e.g. _ldap._tcp.<SITE NAME>._sites.dc._msdcs.domain.local mydnsserver.domain.local
The fact that disjoining and rejoining an affected machine fixes it seems to say that it might not necessarily be a DNS issue. Can users log in OK on the affected machines?
Author Comment by: bigbigpig
The nslookups resolve OK.

Here's the output from the SRV lookup.  Machine and domain names were changed to generic.

> _ldap._tcp.dc._msdcs.domain.local srv2008dc1.domain.local
Server:  srv2008dc1.domain.local
Address:  192.168.100.57

_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc1.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2003.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc2.domain.local
srv2008dc1.domain.local     internet address = 192.168.100.57
srv2003.domain.local      internet address = 192.168.100.2
srv2008dc2.domain.local internet address = 192.168.100.52
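As an added example (not a script from the poster or any of the experts), here is a small Python checker that parses the Windows nslookup "set q=srv" output exactly as posted above and reports the DC locator problems a practitioner would want to catch: a DC missing from the SRV set, a stale target that should no longer be advertised (for instance a server that is no longer a GC still appearing under _ldap._tcp.gc._msdcs), a port other than 389, and an SRV target for which no A record came back. The sample transcript is copied from the post above; the function names and the expected DC sets are assumptions.

```python
import re

# Sample transcript copied from the SRV lookup posted above (names already genericised).
NSLOOKUP_SRV_OUTPUT = """\
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc1.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2003.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc2.domain.local
srv2008dc1.domain.local     internet address = 192.168.100.57
srv2003.domain.local      internet address = 192.168.100.2
srv2008dc2.domain.local internet address = 192.168.100.52
"""

def parse_srv_output(text):
    """Split Windows nslookup 'set q=srv' output into SRV records and the A records it appends."""
    srv, addresses, current = [], {}, None
    for line in text.splitlines():
        if "SRV service location" in line:
            current = {"name": line.split()[0]}   # e.g. _ldap._tcp.dc._msdcs.domain.local
            srv.append(current)
        elif current and (m := re.match(r"\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)", line)):
            current[m.group(1)] = m.group(2)
        elif m := re.match(r"(\S+)\s+internet address = (\S+)", line):
            addresses[m.group(1)] = m.group(2)   # additional-section A record for an SRV target
    return srv, addresses

def check_dc_locator(text, expected_dcs, port="389"):
    """Return a list of problems; an empty list means every expected DC is advertised correctly."""
    srv, addresses = parse_srv_output(text)
    targets = {r["svr hostname"] for r in srv}
    problems = [f"missing SRV for {dc}" for dc in sorted(expected_dcs - targets)]
    problems += [f"stale SRV target {dc}" for dc in sorted(targets - expected_dcs)]
    for r in srv:
        if r.get("port") != port:
            problems.append(f"{r['svr hostname']} advertises port {r.get('port')}, expected {port}")
        if r["svr hostname"] not in addresses:
            problems.append(f"no A record returned for {r['svr hostname']}")
    return problems
```

Run the same check against the _ldap._tcp.gc._msdcs and _ldap._tcp.pdc._msdcs lookups with the set of servers that should hold each role (here only the two 2008 servers are GCs), since those are the records a client needs before it can find a logon server.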
Author Comment by: bigbigpig
The users can log in OK but as far as I know they're using cached credentials.
Expert Comment by: zelron22
Try to see if you can connect to the servers from a workstation on port 389.
Make sure that SYSVOL is shared on both the DCs and that the permissions are appropriate.

Any antivirus/firewall/antispyware software on the servers that could be the problem?  Try disabling all of it and test.  You may need to reconfigure it if it's the problem.

Author Comment by: bigbigpig
Something else I noticed... I can't resolve the NetBIOS name of the domain.  If my domain name is DOMAIN.LOCAL nothing will resolve to DOMAIN.
Expert Comment by: bluntTony
Looks like DNS is functioning OK as nslookup is returning all three DCs' ldap records OK (also assuming that the IP addresses are correct).
You can test connection to a particular port by using telnet. e.g.
telnet <DC NAME> 389
If you get a blank console screen, then the port is opened. If it says the connection was refused, then you're not getting through. Like zelron says - disable Windows Firewall on the DC firstly if you can't get through.
Let us know how you get on...
Expert Comment by: snusgubben
Run: dcdiag /v /e /c

and you'll most likely see the cause.


SG
Author Comment by: bigbigpig
telnet on 389 works fine.

On the dcdiag /v /e /c results the only errors I get are for AAAA records not being found and DFS Replication errors.

Here's an event from the DFS Replication log:
The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
 
Additional Information:
Error: 160 (One or more arguments are not correct.)
Expert Comment by: Darius Ghassem
Disable IPv6 then run a dcdiag /fix. Also, make sure DFS service is running and not disabled. Post a ipconfig /all for the 2008 servers.
Author Comment by: bigbigpig
IPv6 was already deselected as a protocol for the network adapter on both of the 2008 servers.

Here's the ipconfig /all output:

C:\Users\Administrator.JTE>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv2008dc1.domain.local
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : 00-23-7D-EC-15-DC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.100.52
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{65E9EDED-2A45-4E4A-BC12-48C5542DF
085}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Assisted Solution by: snusgubben (earned 125 total points)
You should also run "ipconfig /registerdns" on both 2008 DCs so the correct IPv4 A-record is registered in the DNS (after IPv6 is disabled on both 2008 DCs like dariusq said).


SG
Expert Comment by: snusgubben
You should not use the loopback as preferred DNS. Use the IP to itself (192.168.100.57 in this case).


SG
Author Comment by: bigbigpig
Another test... ran dcdiag /s:srv2008dc1.domain.local /c from a Windows XP machine.  I get these DNS errors:

Starting test: DNS
         Test results for domain controllers:
           
            DC: srv2008dc1.domain.local
            Domain: domain.local

                 
               TEST: Records registration (RReg)
                  Network Adapter [00000006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client):
                     Error: Missing A record at DNS server 192.168.100.57 :
                     srv2008dc1.domain.local
                     
                     Error: Missing CNAME record at DNS server 192.168.100.57 :
                     bd73a40b-2a78-44f5-a704-0b58b2028a36._msdcs.domain.local
                     
                     Error: Missing DC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.dc._msdcs.domain.local
                     
                     Error: Missing GC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.gc._msdcs.domain.local
                     
                     Error: Missing PDC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.pdc._msdcs.domain.local
                     
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: domain.local
               srv2008dc1                  PASS PASS PASS PASS PASS FAIL n/a  
         
         ......................... domain.local failed test DNS
Assisted Solution by: zelron22 (earned 125 total points)
DNS servers should only point to themselves for DNS and use the actual IP instead of the loopback.

Do the 2008 DCs have multiple NICs?  DCs / DNS servers should only have one IP, and any unused NICs should be disabled.
Expert Comment by: snusgubben
You didn't respond if you ran the commands posted previously and if you changed the preferred DNS...

Run these on both 2008 DCs from a cmd prompt (after you have set them to point to themselves as preferred DNS):

ipconfig /flushdns
ipconfig /registerdns

then restart the "netlogon" service.


SG

Author Comment by: bigbigpig
I'll be able to run these commands in a couple of hours.

I did run the ipconfig /flushdns command a little while ago on each of them.  After that the dcdiag from the Windows XP machine passed the DNS test.  After I run these commands and restart netlogon tonight I'll get to see if it worked when the users boot their machines and logon in the morning.
Assisted Solution by: Darius Ghassem (earned 125 total points)
Make sure the DC is pointing to itself, then run ipconfig /registerdns and dcdiag /fix.
Expert Comment by: bluntTony
Seems strange that the last DCDIAG test failed, as the nslookup earlier returned a record which DCDIAG is now saying is missing, on the same DNS server.
Let us know how you get on after re-registering all the SRV records for the DCs (and allow for zone replication).
Author Comment by: bigbigpig
So far there have been no errors on the client machines - looks like it's all fixed!  It appears to have been a DNS issue and was resolved by these commands.
ipconfig /flushdns
ipconfig /registerdns
dcdiag /fix
restart netlogon