Solved

Domain Controller failing dcdiag dns test

Posted on 2010-09-01
Last Modified: 2012-05-10
I have two domain controllers which have been fine up until last week when I started to get 1030 and 1058 errors in my logs every 5 minutes on my server called appserv1.

I have slowly been working through KB's and links on EE and have found that I have a DNS issue.

I ran a dcdiag /test:netlogons and everything came back ok. But when I run a DCdiag /test:DNS I get a stack of errors with my DNS.

Testing server: Reigate\APPSERV1

DNS Tests are running and not hung. Please wait a few minutes...
 
   Running partition tests on : DomainDnsZones
 
   Running partition tests on : ForestDnsZones
 
   Running partition tests on : Schema
 
   Running partition tests on : Configuration
 
   Running partition tests on : letterpart
 
   Running enterprise tests on : letterpart.local
     Starting test: DNS
        Test results for domain controllers:
           
           DC: APPSERV1.letterpart.local
           Domain: letterpart.local

                 
              TEST: Basic (Basc)
                 Warning: adapter [00000007] Intel(R) PRO/1000 MT Server Adapter has invalid DNS server: 192.168.1.100 (<name unavailable>)
                 Warning: adapter [00000007] Intel(R) PRO/1000 MT Server Adapter has invalid DNS server: 192.168.1.210 (<name unavailable>)
                 Error: all DNS servers are invalid
             
            TEST: Records registration (RReg)
              Error: Record registrations cannot be found for all the network adapters
       
         Summary of test results for DNS servers used by the above domain controllers:

           DNS server: 192.168.1.100 (<name unavailable>)
              1 test failure on this DNS server
              This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.100
             
            DNS server: 192.168.1.210 (<name unavailable>)
              1 test failure on this DNS server
              This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.210
             
         Summary of DNS test results:
       
                                            Auth Basc Forw Del  Dyn  RReg Ext  
              ________________________________________________________________
           Domain: letterpart.local
              APPSERV1                     PASS FAIL PASS PASS PASS FAIL n/a  
       
         ......................... letterpart.local failed test DNS


I can't see anything wrong with my DNS and would appreciate some help and advice here please.

thanks
0
Comment
Question by:Letterpart
29 Comments
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33575727
Disable one of the network cards and run it again, dual nic DC's have these issues.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33575752
Sorry, that was a bit rushed. Disable one of the network cards and make sure the DNS configuration on the remaining NIC points to the DC for DNS, then run "ipconfig/flushdns" and then "net stop netlogon && net start netlogon"
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33575756
Additionally check on DNS server NICs binding (on which IP DNS server is listening)
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33575763
Did you make any environment IP changes?
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33575772
Thanks for your replies.

My server only has 1 LAN NIC installed, the other two NICs are on the SAN network.


It is only listening on 192.168.1.100
0
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 400 total points
ID: 33575781
Are the SAN NICs 192.168.1.100 & 192.168.1.210? If so, sort the bindings as iSiek suggested so they are not being used for anything other than the SAN traffic.
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 400 total points
ID: 33575810
Check in forward lookup zone if you have defined SOA and NS records for your DNS server(s). Additionally please try to restart netlogon service to re-register it into DNS zone

Type in command-line

net stop netlogon
net start netlogon
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33575830
My SAN NICS are 192.168.252.x and 192.168.253.x

I have run "ipconfig/flushdns" and then "net stop netlogon && net start netlogon" and still getting the same result from dcdiag /test:dns

I have a SOA record for appserv1 and NS records for Appserv1 and dc1 in the FLZ
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33575836
So what are the IP's 192.168.1.100 & 192.168.1.210 ?
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33575856
192.168.1.100 is the IP of Appserv1 which is a DC
192.168.1.210 is the IP of DC1 which is also a DC
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33575888
And these DCs are both configured to look at themselves and themselves only for DNS? When was the second DC added?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33575893
it looks like there is no DNS configured :/
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33575904
It's looking that way. Has DNS (the service) actually been installed? Does dcdiag run OK on the other DC?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33575910
run in command-line

nslookup

set domain=<your_fqdn>

<your_fqdn>

and check what IP addresses of DNSes were displayed
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33575966
The second DC (DC1) was added about 4 months ago and replaced appserv2 as we are migrating to VM's and I needed to separate some server functions.

dcdiag runs fine on DC1 and gave me:

letterpart.local passed test DNS

the nslookup run on appserv1 gave me:

name: letterpart.local
Addresses: 192.168.1.210, 192.168.1.163, 192.168.1.167, 192.168.1.168, 192.168.1.100, 192.168.253.102, 192.168.252.102

0
 
LVL 1

Author Comment

by:Letterpart
ID: 33575970
And DNS has been installed on Appserv1. This server has been our Domain controller for over 5 years now.
0
 
LVL 80

Assisted Solution

by:arnold
arnold earned 800 total points
ID: 33576057
Check whether the 192.168.1.0 reverse zone has the names associated with the IPs.
nslookup 192.168.1.100 and nslookup 192.168.1.210 returns no name.
This is likely an issue with DNS record scavenging that deleted the two records.
192.168.1.100 IN PTR appserv1.letterpart.local.
192.168.1.210 IN PTR dc1.letterpart.local.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33576060
OK, so check in the reverse lookup zone whether you have defined entries for your DNS servers (100 and 210)
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33576070
Arnold makes a good point about scavenging; check the settings and ensure it is set to something over 24 hours (default is 7 days).
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33576230
The RLZ has NS and PTR records for both 100 and 210 with the correct names associated.

Running an nslookup on 192.168.1.100 and 210 gives me the correct FQDN's for those IP's

Automatic Scavenging is set to off (which it says is the default (Windows Server 2003 R2))
0
 
LVL 80

Expert Comment

by:arnold
ID: 33578973
Reigate\APPSERV1
versus letterpart\appserver1?

did you change/alter the data you posted?
0
 
LVL 7

Assisted Solution

by:ms-pro
ms-pro earned 400 total points
ID: 33582858
Change the DNS server on those servers, 192.168.1.100 and 192.168.1.210.
Change it from 127.0.0.1 to the real IP address, e.g. 192.168.1.210, and on the 192.168.1.210
to 192.168.1.210
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33594941
Sorry for the delay in replying, my wife was ill yesterday so had to take the day off to look after 3 demanding children and spent it in front of the washing machine and sink. Thankfully I am back at work now.

@Arnold: The server is called APPSERV1 not appserver1 but I am confused as to why it is showing as Reigate\ as the server is in the Domain Controllers OU and not under Reigate.

@ms-pro: The DNS server details are already as follows:


Appserv1
Ethernet adapter Local Area Connection:
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
Physical Address. . . . . . . . . : 00-0E-0C-B5-2F-1C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.100 & 192.168.1.210

DC1
Ethernet adapter Local Area Connection:
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-08-78-DF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.210
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.210 & 192.168.1.100
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 33601629
1.Check the A  record for 192.168.1.210  and 192.168.1.100
2.Check the PTR record for 192.168.1.210  and 192.168.1.100
3.Check The event log!!
 
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33635027
I have attached the A and PTR records for both appserv1 (.100) and DC1 (.210)

There is nothing in the event logs regarding DNS.


A-Record.jpg
PTR-records.jpg
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33637867
DCDiag verbose output:

         Test results for domain controllers:
           
            DC: APPSERV1.letterpart.local
            Domain: letterpart.local

                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                   Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000007] Intel(R) PRO/1000 MT Server Adapter:
                     MAC address is 00:0E:0C:B5:2F:1C
                     IP address is static
                     IP address: 192.168.1.100
                     DNS servers:
                        Warning: 192.168.1.100 (<name unavailable>) [Invalid]
                        Warning: 192.168.1.210 (<name unavailable>) [Invalid]
                  Error: all DNS servers are invalid
                  The A record for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found (primary)
                  Root zone on this DC/DNS server was not found
                 
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     192.168.1.210 (<name unavailable>) [Invalid]
                     194.72.6.57 (<name unavailable>) [Valid]
                     194.73.82.242 (<name unavailable>) [Valid]
                 
               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server
                 
               TEST: Dynamic update (Dyn)
                  Dynamic update is enabled on the zone letterpart.local.
                  Test record _dcdiag_test_record added successfully in zone letterpart.local.
                  Test record _dcdiag_test_record deleted successfully in zone letterpart.local.
               
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.1.210 (<name unavailable>)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.210
               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
               Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
               
            DNS server: 192.168.1.100 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.100
               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
               Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
               
            DNS server: 194.72.6.57 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server.
               
            DNS server: 194.73.82.242 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server.
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: letterpart.local
               APPSERV1                     PASS FAIL PASS PASS PASS FAIL n/a  
         
         ......................... letterpart.local failed test DNS
0
 
LVL 1

Author Comment

by:Letterpart
ID: 33638151
And the results from dcdiag /test:dns /e


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Reigate\APPSERV1
      Starting test: Connectivity
         ......................... APPSERV1 passed test Connectivity
   
   Testing server: Nutfield\APPSERV3
      Starting test: Connectivity
         ......................... APPSERV3 passed test Connectivity
   
   Testing server: Reigate\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests
   
   Testing server: Reigate\APPSERV1
   
   Testing server: Nutfield\APPSERV3
   
   Testing server: Reigate\DC1

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : letterpart
   
   Running enterprise tests on : letterpart.local
      Starting test: DNS
         Test results for domain controllers:
           
            DC: appserv3.letterpart.local
            Domain: letterpart.local

                 
               TEST: Basic (Basc)
                  Warning: adapter [00000001] Broadcom NetXtreme Gigabit Ethernet has invalid DNS server: 192.168.1.100 (<name unavailable>)
                  Warning: adapter [00000001] Broadcom NetXtreme Gigabit Ethernet has invalid DNS server: 192.168.11.102 (<name unavailable>)
                  Error: all DNS servers are invalid
                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
               
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters
         
           
            DC: APPSERV1.letterpart.local
            Domain: letterpart.local

                 
               TEST: Basic (Basc)
                  Warning: adapter [00000007] Intel(R) PRO/1000 MT Server Adapter has invalid DNS server: 192.168.1.100 (<name unavailable>)
                  Warning: adapter [00000007] Intel(R) PRO/1000 MT Server Adapter has invalid DNS server: 192.168.1.210 (<name unavailable>)
                  Error: all DNS servers are invalid
                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 192.168.1.210 (<name unavailable>)
               
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters
         
           
            DC: DC1.letterpart.local
            Domain: letterpart.local

                 
               TEST: Basic (Basc)
                  Warning: adapter [00000001] VMware Accelerated AMD PCNet Adapter has invalid DNS server: 192.168.1.210 (<name unavailable>)
                  Warning: adapter [00000001] VMware Accelerated AMD PCNet Adapter has invalid DNS server: 192.168.1.100 (<name unavailable>)
                  Error: all DNS servers are invalid
                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 192.168.1.100 (<name unavailable>)
               
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.1.100 (<name unavailable>)
               4 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.100
               
            DNS server: 192.168.1.210 (<name unavailable>)
               3 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.210
               
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
               
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.168.11.102 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.11.102
               
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: letterpart.local
               appserv3                     PASS FAIL FAIL PASS PASS FAIL n/a  
               APPSERV1                     PASS FAIL PASS PASS PASS FAIL n/a  
               DC1                          PASS FAIL PASS PASS PASS FAIL n/a  
         
         ......................... letterpart.local failed test DNS
0
 
LVL 80

Assisted Solution

by:arnold
arnold earned 800 total points
ID: 33642644
You have NS record references to appserv2 and appserv3.

Check the zone records for your AD domain.
You should have a 127.0.0 zone defined locally so that the requests are not forwarded out.

You have a mix of reigate or nutfield references and those seem to refer to the site where they are.
AD sites and services.

Add a local 127.0.0 and add 1 PTR to localhost. letterpart.local and that should eliminate the 127.0.0.1 reverse name lookup.

You have also configured seemingly static IPs for the DC1 and appserv1 to delete when deemed as stale.
0
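Added example (not part of the original thread): a small parser for the "Summary of test results for DNS servers" block of dcdiag /test:dns, which separates servers marked invalid only because the loopback PTR probe (1.0.0.127.in-addr.arpa.) failed from servers failing some other query. The function names are hypothetical, the sample text is constructed in the format quoted above, and the 192.0.2.53 entry is a constructed line in the same message shape, there only to exercise the second branch.

```python
import ipaddress
import re

# Constructed sample in the format of the dcdiag summary quoted in the thread.
SAMPLE = """\
            DNS server: 192.168.1.100 (<name unavailable>)
               4 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.100

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4

            DNS server: 192.0.2.53 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. SOA record query for the letterpart.local. failed on the DNS server 192.0.2.53

            DNS server: 194.72.6.57 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server.
"""

SERVER_RE = re.compile(r"^\s*DNS server:\s+(\S+)\s+\((.*)\)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+) test failures? on this DNS server")
QUERY_RE = re.compile(r"(\w+) record query for the (\S+) failed on the DNS server")


def parse_dns_servers(text):
    """Return {ip: {name, failures, valid, failed_queries}} for each summary entry."""
    servers, current = {}, None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = {"name": m.group(2), "failures": 0,
                       "valid": None, "failed_queries": []}
            servers[m.group(1)] = current
            continue
        if current is None:
            continue  # text before the first "DNS server:" entry
        m = COUNT_RE.match(line)
        if m:
            current["failures"] = int(m.group(1))
        if "This is a valid DNS server" in line:
            current["valid"] = True
        elif "This is not a valid DNS server" in line:
            current["valid"] = False
        m = QUERY_RE.search(line)
        if m:
            current["failed_queries"].append((m.group(1), m.group(2)))
    return servers


def is_loopback_ptr(rtype, qname):
    """True when the failed probe is a reverse lookup of a 127.0.0.0/8 address."""
    labels = qname.rstrip(".").lower().split(".")
    if rtype != "PTR" or len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return False
    try:
        # Reverse names list the octets backwards: 1.0.0.127 -> 127.0.0.1
        return ipaddress.ip_address(".".join(reversed(labels[:4]))).is_loopback
    except ValueError:
        return False


def triage(servers):
    """Split invalid servers into (loopback-PTR-only failures, everything else)."""
    loopback_only, other = [], []
    for ip, info in servers.items():
        if info["valid"] is not False:
            continue  # valid, or validity line not seen
        queries = info["failed_queries"]
        if queries and all(is_loopback_ptr(t, q) for t, q in queries):
            loopback_only.append(ip)
        else:
            other.append(ip)
    return sorted(loopback_only), sorted(other)


if __name__ == "__main__":
    loopback_only, other = triage(parse_dns_servers(SAMPLE))
    print("Invalid only because of the loopback PTR probe:", loopback_only)
    print("Invalid for another reason, investigate first:", other)
```

Run over the full /e output in this thread, every server flagged invalid, including the root servers, falls into the first group, which matches the suggestion to host a local 127.0.0 reverse zone so the probe is answered locally.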
 
LVL 1

Author Closing Comment

by:Letterpart
ID: 34524261
Sorry, just noticed this outstanding question.

Not sure what the state of play is with the DC's. Everything appears to be working so will close the question down and award points.

Thanks for everyone's help and advice.
0
