bigbigpig
Netlogon errors after adding new domain controllers

Last week I added 2 new domain controllers, both Server 2008, to a network that had a single 2003 domain controller.  Both new 2008 servers are global catalog servers.  The 2003 one is still a domain controller but no longer a GC.  A few days ago I started noticing errors on the client machines in the System log.

Netlogon 3224:
Changing machine account password for account xp-computer$ failed with the following error:
There are currently no logon servers available to service the logon request.

Netlogon 5719:
No Domain Controller is available for domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request. .
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

I ran DCDIAG on both of the new domain controllers and it only reported errors from the System log for printers from an RDP session and another xpcomputer$ machine account that failed to authenticate.

On one of the XP client machines I disjoined it and rejoined it to the domain and it works fine but I can't do that with all of them.

Thanks for the help!
zelron22

It looks like a DNS problem to me.  Did you do anything with DNS?  Are the new servers the DNS servers and are the workstations or DHCP set up to point to them?  Which box is handing out DHCP (assuming you're not using static IPs for your workstations)?
bigbigpig (ASKER)
DNS was replicated to the 2 new servers but nothing else changed.  The workstations are all DHCP and the DHCP server is one of the 2 new 2008 boxes.  The scope options are set to give out the 2 new domain controllers addresses as DNS servers.  Are there diagnostic utilities that I can run on the XP machines to find the problem?
ASKER CERTIFIED SOLUTION
bluntTony
This solution is only available to members.
The nslookups resolve OK.

Here's the output from the SRV lookup.  Machine and domain names were changed to generic.

> _ldap._tcp.dc._msdcs.domain.local srv2008dc1.domain.local
Server:  srv2008dc1.domain.local
Address:  192.168.100.57

_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc1.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2003.domain.local
_ldap._tcp.dc._msdcs.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv2008dc2.domain.local
srv2008dc1.domain.local     internet address = 192.168.100.57
srv2003.domain.local      internet address = 192.168.100.2
srv2008dc2.domain.local internet address = 192.168.100.52
The users can log in OK but as far as I know they're using cached credentials.
Try to see if you can connect to the servers from a workstation on port 389.
Make sure that SYSVOL is shared on both the DCs and that the permissions are appropriate.

Any antivirus/firewall/antispyware software on the servers that could be the problem?  Try disabling all of it and test.  You may need to reconfigure it if it's the problem.

Something else I noticed... I can't resolve the NetBIOS name of the domain.  If my domain name is DOMAIN.LOCAL nothing will resolve to DOMAIN.
Looks like DNS is functioning OK as nslookup is returning all three DCs' ldap records OK (also assuming that the IP addresses are correct).
You can test connection to a particular port by using telnet. e.g.
telnet <DC NAME> 389
If you get a blank console screen, then the port is opened. If it says the connection was refused, then you're not getting through. Like zelron says - disable Windows Firewall on the DC firstly if you can't get through.
Let us know how you get on...
Run: dcdiag /v /e /c

and you'll most likely see the cause.


SG
telnet on 389 works fine.

On the dcdiag /v /e /c results the only errors I get are for AAAA records not being found and DFS Replication errors.

Here's an event from the DFS Replication log:
The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
 
Additional Information:
Error: 160 (One or more arguments are not correct.)
Darius Ghassem
Disable IPv6 then run a dcdiag /fix. Also, make sure DFS service is running and not disabled. Post a ipconfig /all for the 2008 servers.
IPv6 was already deselected as a protocol for the network adapter on both of the 2008 servers.

Here's the ipconfig /all output:

C:\Users\Administrator.JTE>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv2008dc1.domain.local
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : 00-23-7D-EC-15-DC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.100.52
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{65E9EDED-2A45-4E4A-BC12-48C5542DF
085}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
SOLUTION
This solution is only available to members.
You should not use the loopback as preferred DNS. Use the IP to itself (192.168.100.57 in this case).


SG
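As an added example (not from any poster in this thread), the following PowerShell script automates the checks discussed above: the DC-locator SRV lookups done by hand with nslookup, the A record each SRV target needs (the dcdiag RReg test), the port 389 reachability test done with telnet, and SG's point about a DC using 127.0.0.1 as its preferred DNS server. It assumes the domain and DC names used in the thread and a Windows host with the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later; the XP and 2008 machines in the thread predate these cmdlets).

```powershell
# Added example: verify DC-locator DNS records and LDAP reachability.
# Assumed domain name from the thread; override with -Domain.
param(
    [string]$Domain = 'domain.local'
)

# The SRV records a client's DC locator depends on (same names dcdiag's RReg test reports).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain"
)

foreach ($name in $srvNames) {
    # Resolve-DnsName also returns the additional-section A records, so keep only the SRV rows.
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "Missing SRV record: $name"
        continue
    }
    foreach ($rec in $srv) {
        # Every SRV target must itself have an A record, or clients cannot reach the DC it names.
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) {
            Write-Warning "$name -> $($rec.NameTarget): no A record"
            continue
        }
        # Equivalent of 'telnet <DC NAME> 389' from a workstation.
        $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
        $state = if ($tcp.TcpTestSucceeded) { 'open' } else { 'CLOSED' }
        "{0,-40} {1,-28} {2,-16} port {3} {4}" -f $name, $rec.NameTarget, $a[0].IPAddress, $rec.Port, $state
    }
}

# When run on a DC: the preferred DNS server should be the DC's own address, not the loopback.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -and $_.ServerAddresses[0] -eq '127.0.0.1' } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias): preferred DNS is 127.0.0.1; use this host's own IP" }
```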
Another test... ran dcdiag /s:srv2008dc1.domain.local /c from a Windows XP machine.  I get these DNS errors:

Starting test: DNS
         Test results for domain controllers:
           
            DC: srv2008dc1.domain.local
            Domain: domain.local

                 
               TEST: Records registration (RReg)
                  Network Adapter [00000006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client):
                     Error: Missing A record at DNS server 192.168.100.57 :
                     srv2008dc1.domain.local
                     
                     Error: Missing CNAME record at DNS server 192.168.100.57 :
                     bd73a40b-2a78-44f5-a704-0b58b2028a36._msdcs.domain.local
                     
                     Error: Missing DC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.dc._msdcs.domain.local
                     
                     Error: Missing GC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.gc._msdcs.domain.local
                     
                     Error: Missing PDC SRV record at DNS server 192.168.100.57 :
                     _ldap._tcp.pdc._msdcs.domain.local
                     
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: domain.local
               srv2008dc1                  PASS PASS PASS PASS PASS FAIL n/a  
         
         ......................... domain.local failed test DNS
SOLUTION
This solution is only available to members.
You didn't respond if you ran the commands posted previously and if you changed the preferred DNS...

Run these on both 2008 DCs from a cmd prompt (after you have set them to point to themselves as preferred DNS):

ipconfig /flushdns
ipconfig /registerdns

then restart the "netlogon" service.


SG

I'll be able to run these commands in a couple of hours.

I did run the ipconfig /flushdns command a little while ago on each of them.  After that the dcdiag from the Windows XP machine passed the DNS test.  After I run these commands and restart netlogon tonight I'll get to see if it worked when the users boot their machines and logon in the morning.
SOLUTION
This solution is only available to members.
Seems strange that the last DCDIAG test failed, as the nslookup earlier returned a record which DCDIAG is now saying is missing, on the same DNS server.
Let us know how you get on after re-registering all the SRV records for the DCs (and allow for zone replication).
So far there have been no errors on the client machines - looks like it's all fixed!  It appears to have been a DNS issue and was resolved by these commands.
ipconfig /flushdns
ipconfig /registerdns
dcdiag /fix
restart netlogon