Solved

Can not connect to domain

Posted on 2010-11-08
Last Modified: 2012-06-27
Running standard server 2003 sp2 with exchange 2007.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "MYDOMAIN.local":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN.local

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.1.2 (example of local ip address of server could be at)
ISP DNS1
ISP DNS2

- One or more of the following zones do not include delegation to its child zone:

MYDOMAIN.local
local
. (the root zone)
---------------------------------------------------------

I had a problem with nslookup and then I created a reverse lookup with a PTR record and fixed that problem, but I'm not sure what I'm missing to get this join-domain issue fixed.

I noticed in DNS > MYSERVERNAME > forward lookup zones > MYDOMAIN.local > under this is normally a grey folder _msdcs but I do not see this folder like I do on other servers.
Question by:easyworks
21 Comments
 
LVL 1

Expert Comment

by:ziaic1
ID: 34088738
You should only use internal DNS on your DCs and on the other servers... Your DNS should have forwarders for external DNS.
0
 
LVL 4

Expert Comment

by:pmarquardt
ID: 34089780
If the _msdcs folder is missing, you can attempt to have directory services rebuild the folder by simply adding the zone _msdcs which will create the folder, then restart the netlogon service.
Update me on your progress.
0
 
LVL 1

Author Comment

by:easyworks
ID: 34092644
That is probably what I'll have to do, because it will recreate the folder I need, but the folder that I'm missing isn't a zone. It is located under the MyDomain.local which has "_msdcs, _sites, _tcp, _udp, DomainDnsZones, and ForestDnsZones" and is a grey looking folder...
0
 
LVL 5

Expert Comment

by:9660kel
ID: 34093808
That sounds like the DNS isn't AD integrated, check your DNS settings on the new server for that.

The other point I'm thinking might be trouble is a PTR record instead of a CNAME record for the server.

For what it's worth.
0
 
LVL 4

Expert Comment

by:pmarquardt
ID: 34097651
Have you stopped and started the netlogon service? See if that will repopulate the AD zone for you in DNS. If not, let me know, there are some other things we can do to try and get this fixed. Possibly the fastest fix for this issue is to determine you have DNS resolution to another AD controller, and then demote and repromote the AD controller with the problem. This would require demoting the server, deleting the server account from AD Users and Computers, and also Sites and Services. Then reboot and promote the server as a DC.
0
 
LVL 1

Author Comment

by:easyworks
ID: 34101413
pmarquardt - Yes, I have restarted the "net logon" service still no dice on connecting to the domain.

9660kel - If it is a PTR record problem how would I go about figuring this out?

pmarquardt - So I should delete the folder _msdcs.mydomain.local first and recreate it?
0
 
LVL 5

Expert Comment

by:9660kel
ID: 34103852
Add a new record for the DC in DNS, but add a CNAME record instead of a PTR record.

I noticed you show that outside dns servers are being distributed on your internal network, that could be part of the problem.

When you look in DNS, does it show SOA record, and if so, does it point to your domain controller?
0
 
LVL 4

Expert Comment

by:pmarquardt
ID: 34103984
If the folder exists there is no reason to delete it. Run DCdiag on the system and show us the output. Verify you have a record in mydomain.local for the DC in question. If you do not have a record for the DC, add a record. Also verify you have DNS records for all of the DCs in your environment.
0
 
LVL 5

Expert Comment

by:9660kel
ID: 34104186
To clarify my last question, do you have the root DC set as SOA for DNS (not ISP)?

Another question, is the new DC in the same AD site as the root DC, or is it in a different site? Is the new DC listed in AD sites and services?
0
 
LVL 5

Accepted Solution

by:
9660kel earned 167 total points
ID: 34104340
The more I think about it, the more I think you should remove the local DNS entries for the ISP DNS servers, and only point to the root domain for DNS. I'm assuming this machine has a static IP address and not DHCP.

After you make that change, from a command window, run: ipconfig /flushdns and try again.
0
 
LVL 1

Author Comment

by:easyworks
ID: 34105165
Sorry, can not test any of this until after hours, but I really appreciate all the help I'm getting from everyone.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 333 total points
ID: 34109387
There are a couple problems with your DNS server.

For one, NOWHERE on the domain should you have your ISP's DNS servers configured as a preferred or alternate DNS server. So, on Every fixed IP computer, you need to make sure the preferred and alternate DNS servers point to Your internal servers, not the ISP. The only place you configure outside servers is as DNS forwarders.
---------------------------------------------------
The second part of your problem is the DNS delegation records have expired. I ran into this as well.

It looks exactly like this:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

In your case, you can delete the MSDCS file folders on the servers and recreate them by going to the command prompt and typing:

DCdiag /flushdns
Net Stop Netlogon
Net Start Netlogon
and
DCdiag /fix:DNS

Explanation:
The greyed out MSDCS folder was created by the first DC on the forest, by default. It contains a pointer record to that MSDCS file folder that is its own forward lookup zone. That ...MSDCS... Forward lookup zone IS your PDCe's SRV records. Since the pointer record (called a delegation record) has expired, you no longer have a pointer to your SRV records.

SRV records point the clients to the Authentication server for authentication. They also show what servers replicate between each other.

WARNING:
For that reason, we will have to fix DNS, then check your replication set. You may be in Journal wrap. This means replications between your servers may have ceased. If the inability to replicate goes on too long, you may end up with a tombstoned server. So after fixing your DNS related issues, we have some testing to do!!!
0
 
LVL 1

Author Comment

by:easyworks
ID: 34111536
ChiefIT
DCdiag /flushdns, did you mean ipconfig /flushdns?
and DCdiag /fix:DNS, just DCdiag /fix?
Because when I follow those steps in order it does not delete anything.

My ISP: if you were looking in the Local Area Connection > properties of TCP/IP > the preferred DNS is just pointing to the server.
Under the DHCP scope for DNS servers there is the server's IP > followed by the ISP DNS1 + 2. If I do not put the ISP DNS there then where should I put it so the workstations can get to the internet?

9660kel - I'm not sure about the SOA record, I will have to look into it deeper.
The DC and AD are on the same computer.

pmarquardt - everything passed
0
 
LVL 5

Expert Comment

by:9660kel
ID: 34113730
Don't worry about the SOA, you have other stuff to do in DNS.

Remove the DHCP settings for the external DNS, and add forwarding entries in DNS for external name resolution.

Here's a how to link:
http://technet.microsoft.com/en-us/library/cc773370(WS.10).aspx

0
 
LVL 4

Expert Comment

by:pmarquardt
ID: 34113734
You should be adding the ISP DNS IP addresses to the forwarders tab of DNS on the DC. Then clients connect to the DC for DNS and it forwards externally for Internet access on recursive queries.
I'm sure ChiefIT meant ipconfig /flushdns
0
 
LVL 4

Expert Comment

by:pmarquardt
ID: 34113758
9660kel is exactly correct about DHCP. I forgot to add that in my comment. You have to remove the DNS entry from the DHCP scope, and make sure the DC DNS IP address is listed in the DHCP scope.
0
 
LVL 5

Expert Comment

by:9660kel
ID: 34113986
http://technet.microsoft.com/en-us/library/cc779380(WS.10).aspx

Here's a link to the main DNS area at Technet, It has lots of good info on DNS configuration.

BTW, ChiefIT has some very valid points, if this has been like this for a while, (over 60 days) you will need to clean up the replication and journals after you fix the DNS problem.

Always put the external DNS entries into DNS as forwarders, do not use DHCP, as the external DNS servers will not know the location of local resources, and when the DNS server says to the workstation or server that the resource does not exist, the client will believe them, and cache the not-available entry. The problem is that the computer will no longer connect to that location, and won't even try to find it through an alternate server after that.
0
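The failure in the question (NXDOMAIN for `_ldap._tcp.dc._msdcs.MYDOMAIN.local`), the accepted advice to keep ISP resolvers out of client and DHCP settings, and the negative-caching behaviour 9660kel describes in the post just above can all be seen in one small model. The script below is an added example written for this page, not code from the thread, from Experts Exchange or from Microsoft: it models a DC's DNS server, a public recursive resolver, and a Windows-style stub resolver with a negative cache, then replays three cases. Every address, zone, record and name in it is constructed for the example (192.168.1.2 stands for the DC, 198.51.100.x for ISP resolvers), and the SRV names are built from the pattern quoted in the question plus the standard Kerberos and PDC-emulator locator records.

```python
"""Constructed model of the DC-locator lookup discussed in this thread (added
example, not code from the thread or from Microsoft). Addresses, zones and
names are made up: 192.168.1.2 stands for the DC, 198.51.100.x for the ISP."""
from __future__ import annotations
import ipaddress

NXDOMAIN = "NXDOMAIN"   # RCODE 3: the 0x232B "DNS name does not exist" in the question
SERVFAIL = "SERVFAIL"   # server could not resolve and has nowhere to forward
TIMEOUT = "TIMEOUT"     # no response at all


def dc_locator_srv_names(domain: str) -> list[str]:
    """SRV owner names a Windows client queries to find a DC. The first is the
    one quoted in the question; the other two are the standard Kerberos and
    PDC-emulator locator records under the same _msdcs subdomain."""
    d = domain.lower().rstrip(".")
    return [f"_ldap._tcp.dc._msdcs.{d}",
            f"_kerberos._tcp.dc._msdcs.{d}",
            f"_ldap._tcp.pdc._msdcs.{d}"]


class DnsServer:
    """zones maps a zone name to {owner name: answer}. A name under a hosted
    zone with no record gets an authoritative NXDOMAIN; a name outside every
    hosted zone is sent to the forwarders. Zone "." models a public recursive
    resolver that knows the Internet namespace, where .local does not exist."""

    def __init__(self, ip, zones, forwarders=(), online=True):
        self.ip, self.zones = ip, zones
        self.forwarders, self.online = list(forwarders), online

    def query(self, name: str) -> str:
        if not self.online:
            return TIMEOUT
        for zone, records in self.zones.items():
            if zone == "." or name == zone or name.endswith("." + zone):
                return records.get(name, NXDOMAIN)
        for fwd in self.forwarders:
            reply = fwd.query(name)
            if reply != TIMEOUT:
                return reply
        return SERVFAIL


class DnsClient:
    """Windows-style stub resolver: asks the preferred server and moves to the
    alternate only when the preferred one does not respond; any definitive
    answer, NXDOMAIN included, is cached (the negative caching described above)."""

    def __init__(self, servers):
        self.servers, self.cache = list(servers), {}

    def resolve(self, name: str) -> str:
        if name in self.cache:
            return self.cache[name]
        for server in self.servers:
            reply = server.query(name)
            if reply == TIMEOUT:
                continue
            if reply != SERVFAIL:
                self.cache[name] = reply
            return reply
        return TIMEOUT


def external_resolvers(resolver_ips, internal_nets):
    """Resolver addresses (from a NIC or a DHCP scope option) that lie outside
    every internal network. These belong on the DNS server's Forwarders tab,
    not in client settings."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return [ip for ip in resolver_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def demo() -> dict:
    domain = "mydomain.local"
    srv = dc_locator_srv_names(domain)[0]
    isp = DnsServer("198.51.100.1", {".": {"www.example.com": "203.0.113.10"}})
    dc = DnsServer("192.168.1.2",
                   {domain: {srv: "0 100 389 dc1.mydomain.local."}},
                   forwarders=[isp])
    # Case 1 (the question): the _msdcs records are gone from the zone, so even
    # the DC answers NXDOMAIN and the domain join fails.
    broken_dc = DnsServer("192.168.1.2", {domain: {}}, forwarders=[isp])
    case1 = DnsClient([broken_dc]).resolve(srv)
    # Case 2 (the thread's warning): ISP listed as alternate resolver. One
    # unanswered query to the DC lets the ISP's NXDOMAIN into the cache, and the
    # client keeps failing even after the DC is reachable again.
    dc.online = False
    client = DnsClient([dc, isp])
    first = client.resolve(srv)
    dc.online = True
    case2 = client.resolve(srv)
    # Case 3 (accepted solution): only the DC on the client, ISP as forwarder.
    good = DnsClient([dc])
    case3 = (good.resolve(srv), good.resolve("www.example.com"))
    # Audit of a DHCP scope like the question's: DC first, then two ISP servers.
    offenders = external_resolvers(["192.168.1.2", "198.51.100.1", "198.51.100.2"],
                                   ["192.168.0.0/16"])
    return {"case1": case1, "case2": (first, case2), "case3": case3,
            "offenders": offenders}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it with `python dc_locator_model.py` (any file name works). Case 2 is the one to notice: the ISP's answer is a correct NXDOMAIN for the public namespace, and the stub resolver has no reason to retry elsewhere, so the only robust fix is the one the thread converges on: internal resolvers only on clients and in the DHCP scope, with the ISP addresses configured as forwarders on the DC.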
 
LVL 5

Expert Comment

by:9660kel
ID: 34114186
A correction to my second post, I said CNAME record, I meant A record, but neither are applicable. Sorry for the red herring.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 333 total points
ID: 34117275
Step 1)
Ok, you have to manually right click and delete all MSDCS file folders on ALL DCs.  

After you have deleted them all:
Step 2) Then, go to the command prompt and type all of these command lines in order:

IPconfig /flushdns
Net Stop Netlogon
Net Start Netlogon
Dcdiag /fix|DNS
Netdiag /fix

Now, let's look at what errors remain:
Step 3) Report any errors on your DCdiag reports by going to the command prompt and typing:
Dcdiag /v
and
DCdiag /test:DNS

NOTE: On the DCdiag commands, I can't remember which one is a pipe and which is a colon. So, if they don't work, use the other:
Example: If DCdiag /fix:DNS doesn't work, use Dcdiag /fix|DNS
0
 
LVL 1

Author Comment

by:easyworks
ID: 34120035
9660kel and pmarquardt I'll jump on that right away as soon as I'm given time to work on it again.

ChiefIT - Appreciate the step1 step2, because this isn't my area of expertise.
0
 
LVL 1

Author Comment

by:easyworks
ID: 34122546
After removing the ISP from the DHCP scope for DNS and removing the _msdcs and recreating it, everything is working now and I am able to connect up workstations.

Thank you all again for being patient with me and helping me through this I really appreciate it.
0
