Jake Pratt
Primary 2008 DC Naming information cannot be located

I am having an occasional problem with my main domain controller.  As far as domain controllers go, we have 3 servers in the picture:

1. Primary DC, GC, DNS server, running 2008 (the one having problems).
2. Backup DC, GC, DNS server, running 2008.  Also has other file server roles.
3. Exchange 2007 server, running 2008.

This seems to happen about once every couple weeks.  Right now, I am having the problem.  My primary DC starts acting weird.  I can't access AD users and computers, I can't import users into Exchange, but I do have access to AD users and computers through RSAT.  When I have this problem, rebooting the server usually fixes the problem, but only for a couple weeks.

Problem Details:
While trying to access Active Directory users and computers from the DC, I get this error message:
"Naming information cannot be located for the following reason: The server is not operational.
If you are trying to connect to a Domain Controller running Windows 2000, verify that Windows 2000 Server SP3 or later is installed on the DC, or use the Windows 2000 administration tools.  For more information about connecting to DCs running Windows 2000, see Help and Support."


In my system event log, I have a lot of these events:
1054 - "The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly."

We used to have a 2000 DC in the picture, but it had SP4 on it from the get go.  And it has been completely removed from the schema for months.  Does anyone have any ideas what the issue could be?  This also happens to our other 2008 domain controller on a regular basis.  It seems like it's one DC on one week.  And rebooting the problem server temporarily fixes the issue.

When one server is like this, here are the things that don't really work:
You cannot add a computer to the domain
You cannot create a new user on that DC
You cannot import an AD user into a new Exchange mailbox
A user cannot change their own password.  It must be set by me, manually on RSAT, once on each DC

Any help from you Microsoft gurus would be greatly appreciated.
mass2612

Hi,

I would start by running DCDIAG on all your domain controllers and see what it reports? Do you have any logs in the event logs at the time and just before you have to reboot your DC?

With DCDIAG, also run the DNS tests, since many, many AD problems are a result of problems with DNS.

http://technet.microsoft.com/en-us/library/cc731968(WS.10).aspx

Sigurdur Haraldsson

Run "netdom /query fsmo" in cmd as admin. This will give you a list of which servers hold which FSMO roles.
My guess is that the 2000 DC you had was holding the roles and that they were not transferred when you removed it. See http://www.petri.co.il/seizing_fsmo_roles.htm on how to seize the roles back to a working DC.
Make sure all DCs are only pointing to other functioning DCs in their TCP/IP properties; there should be no external DNS servers in the TCP/IP properties either.

Run metadata cleanup to make sure that there are no lingering objects for dead DCs.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Post dcdiag
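
An added example, not part of the original thread: the reply above asks that every DC list only domain controllers as its DNS servers. This Python script parses saved `ipconfig /all` text and reports DNS entries that are not in a supplied DC list. The sample text, the function names and the two documentation addresses are constructed for illustration, and treating loopback as the local DC is an assumption.

```python
import ipaddress
import re

# Constructed ipconfig /all excerpt; the last two DNS entries are documentation addresses.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 10.1.2.6
                                       10.1.2.10
                                       2001:db8::53
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
"""

# A field line ends its dot leader with ". :"; IPv6 continuation lines never do.
FIELD = re.compile(r"^\s+(\S.*?)[ .]*\. :\s?(.*)$")

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it, in order."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False
            adapters[current] = []
        elif (m := FIELD.match(line)):
            in_dns = m.group(1) == "DNS Servers"
            if in_dns and current and m.group(2).strip():
                adapters[current].append(m.group(2).strip())
        elif in_dns and current and line.strip():
            adapters[current].append(line.strip())  # wrapped extra server
    return adapters

def audit(text, dc_addresses):
    """Return (adapter, position, address) for DNS entries that are not a listed DC."""
    allowed = {ipaddress.ip_address(a) for a in dc_addresses}
    findings = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        for pos, raw in enumerate(servers, 1):
            ip = ipaddress.ip_address(raw.split("%")[0])  # drop IPv6 scope id
            if not ip.is_loopback and ip not in allowed:  # loopback = this DC
                findings.append((adapter, pos, raw))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, ["10.1.2.6", "10.1.2.10"]))
```

Run it over the output collected from each DC and pass the addresses of the domain controllers as the second argument; an empty list means every configured resolver is a DC or loopback.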
Jake Pratt

ASKER

Thanks for all your replies!  I haven't got to your solution yet, dariusg.  But in response to mass2612 and sighar...

Just to better understand our environment:  Our 2 DC's are "wiggum" (primary) and "yoda" (backup).  Their local IP addresses are as follows:
wiggum:  10.1.2.6
yoda:       10.1.2.10

I ran dcdiag, and everything passed.
I ran dcdiag /test:DNS, and I came up with a bunch of "missing AAAA record" errors.  I followed the steps in this article: https://www.experts-exchange.com/questions/24420880/The-AAAA-record-for-this-DC-was-not-found.html to disable IPv6 and flush and re-register the DNS.  After doing that, I still get the errors.

When I run it on wiggum (primary), here are the results (I have replaced my domain name with #domain#):
TEST: Basic (Basc)
   Warning: The AAAA record for this DC was not found

Warning:
Missing AAAA record at DNS server 10.1.2.6:
wiggum.#domain#.com

Warning:
Missing AAAA record at DNS server 10.1.2.6:
gc._msdcs.#domain#.com

Warning:
Missing AAAA record at DNS server 10.1.2.10:
wiggum.#domain#.com

Warning:
Missing AAAA record at DNS server 10.1.2.10:
gc._msdcs.#domain#.com

Warning:
Missing AAAA record at DNS server 10.1.2.6:
wiggum.#domain#.com

Warning:
Missing AAAA record at DNS server 10.1.2.6:
gc._msdcs.#domain#.com

And when I run it on Yoda, these are the results:

TEST: Basic (Basc)
   Warning: The AAAA record for this DC was not found
Warning:
Missing AAAA record at DNS server 10.1.2.10:
yoda..com

Warning:
Missing AAAA record at DNS server 10.1.2.10:
gc._msdcs..com

Warning:
Missing AAAA record at DNS server 10.1.2.6:
yoda..com

Warning:
Missing AAAA record at DNS server 10.1.2.6:
gc._msdcs..com

Warning:
Missing AAAA record at DNS server 10.1.2.10:
yoda..com

Warning:
Missing AAAA record at DNS server 10.1.2.10:
gc._msdcs..com

It's interesting how when I run it on wiggum, it associates "wiggum" with both 10.1.2.6 and 10.1.2.10.  And when I run it on yoda, it associates "yoda" with both 10.1.2.6 and 10.1.2.10.  Anyway, I don't know if that's a problem or not.

I also ran the netdom /QUERY FSMO command on both servers.  And on both servers, these were the results (it appears wiggum has all roles necessary):
Schema master                      wiggum.#domain#.com
Domain naming master        wiggum.#domain#.com
PDC                                           wiggum.#domain#.com
RID pool manager                  wiggum.#domain#.com
Infrastructure master              wiggum.#domain#.com

I will continue on, trying dariusg's suggestion.  But if this information provides any more insight, I would love some more ideas.  Thanks!

Sorry, in the last post, instead of typing #domain# on the second set of results, I made them look like HTML tags, and it created all those closing tags at the bottom.  You still get the idea.

To dariusg, I ran the ntdsutil and followed the instructions in the link you sent, but the only two servers listed when I run "list servers in site" are wiggum and yoda.  There is no record of my old 2000 DC in there.

I should also mention that I rebooted my server last night, so while I am doing all this testing, both servers are working correctly.  I don't know if I need to wait until one of my servers stops working to try these tests again.

To disable IPv6 you need to disable it in the registry.

http://support.microsoft.com/kb/929852

Thank you.  That actually is the method I used to disable IPv6: in the registry.  After adding the new key to both DC's, and running the following commands on both DC's: ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix, I still received the missing AAAA record references.

Post ipconfig /all

Here is my ipconfig /all (domain name changed)

Windows IP Configuration

   Host Name . . . . . . . . . . . . : wiggum
   Primary Dns Suffix  . . . . . . . : #domain#.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : #domain#.com

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . : 00-1E-C9-B5-1C-C1
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : 00-1E-C9-B5-1C-BF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.2.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.2.1
   DNS Servers . . . . . . . . . . . : 10.1.2.6
                                       10.1.2.10
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{8CFD5E21-CA72-443D-9235-BCCE476B7
A50}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{CE3B85C0-D59F-48DB-8D1B-43D40749E
A36}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Disable all NICs except for one.

Ok, I only have 2 NICs, I just disable the second one that is disconnected.

Sorry, I meant to say that I just disabled it.

Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix

As stated in previous comment, I have already run all those commands, after disabling IPv6.  After running those commands I still get the AAAA record errors.  For your sake I just ran them again, and tried again... same errors.

No, those commands were for disabling the second NIC.

IPv6 is not fully disabled if you are getting the AAAA record errors.

Ok, well regardless of what the purpose was, I have done those commands several times.  I disabled IPv6 in the registry, ran those commands, disabled the second NIC, ran those commands again.  I am still getting the AAAA record errors.  But I'm not convinced that IPv6 is the root of the problem.  It may just be something I stumbled upon while troubleshooting the bigger issue.  Thanks for your responses!

What did you stumble on?

Is your LDAP port open? Do you have any IP port filtering going on? This sounds a bit like your problem even though it's for Win2000: http://support.microsoft.com/kb/323542

I possibly stumbled upon the IPv6 AAAA record issue.  I don't know if the IPv6 stuff is actually what is causing my DC's to crap out.

Thanks.  I just double checked, and LDAP is allowed through.  We actually have at least 3 other programs that connect to my DC's via LDAP.

Those look like good leads.  Thanks. I don't have a ton of time today, but I'll look into them both on Monday.  Thanks again.

ASKER CERTIFIED SOLUTION
Jake Pratt
This solution is only available to members.