Solved: Can not connect to domain

Posted on 2010-11-08. Last Modified: 2012-06-27
Running Standard Server 2003 SP2 with Exchange 2007.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "MYDOMAIN.local":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN.local

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.1.2 (example of local ip address of server could be at)
ISP DNS1
ISP DNS2

- One or more of the following zones do not include delegation to its child zone:

MYDOMAIN.local
local
. (the root zone)
---------------------------------------------------------

I had a problem with nslookup and then I created a reverse lookup zone with a PTR record and fixed that problem, but I'm not sure what I'm missing to get this domain join issue fixed.

I noticed in DNS > MYSERVERNAME > forward lookup zones > MYDOMAIN.local > under this is normally a grey folder _msdcs but I do not see this folder like I do on other servers.
Question by:easyworks

21 Comments

Expert Comment by:ziaic1 (LVL 1, ID: 34088738)
You should only use internal DNS on your DCs and on the other servers... Your DNS should have forwarders for external DNS.

Expert Comment by:pmarquardt (LVL 4, ID: 34089780)
If the _msdcs folder is missing, you can attempt to have directory services rebuild the folder by simply adding the zone _msdcs which will create the folder, then restart the netlogon service.
Update me on your progress.

Author Comment by:easyworks (LVL 1, ID: 34092644)
That is probably what I'll have to do, because it will recreate the folder I need, but the folder that I'm missing isn't a zone. It is located under the MyDomain.local which has "_msdcs, _sites, _tcp, _udp, DomainDnsZones, and ForestDnsZones" and is a grey looking folder...

Expert Comment by:9660kel (LVL 5, ID: 34093808)
That sounds like the DNS isn't AD integrated, check your DNS settings on the new server for that.

The other point I'm thinking might be trouble is a PTR record instead of a CNAME record for the server.

For what it's worth.

Expert Comment by:pmarquardt (LVL 4, ID: 34097651)
Have you stopped and started the Netlogon service? See if that will repopulate the AD zone for you in DNS. If not, let me know, there are some other things we can do to try and get this fixed. Possibly the fastest fix for this issue is to determine you have DNS resolution to another AD controller, and then demote and repromote the AD controller with the problem. This would require demoting the server, deleting the server account from AD Users and Computers, and also Sites and Services. Then reboot and promote the server as a DC.

Author Comment by:easyworks (LVL 1, ID: 34101413)
pmarquardt - Yes, I have restarted the "Net Logon" service, still no dice on connecting to the domain.

9660kel - If it is a PTR record problem how would I go about figuring this out?

pmarquardt - So I should delete the folder _msdcs.mydomain.local first and recreate it?

Expert Comment by:9660kel (LVL 5, ID: 34103852)
Add a new record for the DC in DNS, but add a CNAME record instead of a PTR record.

I noticed you show that outside DNS servers are being distributed on your internal network; that could be part of the problem.

When you look in DNS, does it show SOA record, and if so, does it point to your domain controller?

Expert Comment by:pmarquardt (LVL 4, ID: 34103984)
If the folder exists there is no reason to delete it. Run DCdiag on the system and show us the output. Verify you have a record in mydomain.local for the DC in question. If you do not have a record for the DC, add a record. Also verify you have DNS records for all of the DCs in your environment.

Expert Comment by:9660kel (LVL 5, ID: 34104186)
To clarify my last question, do you have the root DC set as SOA for DNS (not ISP)?

Another question, is the new DC in the same AD site as the root DC, or is it in a different site? Is the new DC listed in AD sites and services?

Accepted Solution by:9660kel (LVL 5, earned 167 total points, ID: 34104340)
The more I think about it, the more I think you should remove the local DNS entries for the ISP DNS servers, and only point to the root domain for DNS. I'm assuming this machine has a static IP address and not DHCP.

After you make that change, from a command window, run: ipconfig /flushdns and try again.

Author Comment by:easyworks (LVL 1, ID: 34105165)
Sorry, can not test any of this until after hours, but I really appreciate all the help I'm getting from everyone.

Assisted Solution by:ChiefIT (LVL 38, earned 333 total points, ID: 34109387)
There are a couple problems with your DNS server.

For one, NOWHERE on the domain should you have your ISP's DNS servers configured as a preferred or alternate DNS server. So, on every fixed IP computer, you need to make sure the preferred and alternate DNS servers point to your internal servers, not the ISP. The only place you configure outside servers is as DNS forwarders.
---------------------------------------------------
The second part of your problem is the DNS delegation records have expired. I ran into this as well.

It looks exactly like this:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

In your case, you can delete the MSDCS file folders on the servers and recreate them by going to the command prompt and typing:

DCdiag /flushdns
Net Stop Netlogon
Net Start Netlogon
and
DCdiag /fix:DNS

Explanation:
The greyed out MSDCS folder was created by the first DC in the forest. By default, it contains a pointer record to that MSDCS file folder, which is its own forward lookup zone. That ...MSDCS... forward lookup zone IS your PDCe's SRV records. Since the pointer record (called a delegation record) has expired, you no longer have a pointer to your SRV records.

SRV records point the clients to the Authentication server for authentication. They also show what servers replicate between each other.

WARNING:
For that reason, we will have to fix DNS, then check your replication set. You may be in journal wrap. This means replication between your servers may have ceased. If the inability to replicate goes on too long, you may end up with a tombstoned server. So after fixing your DNS related issues, we have some testing to do!!!

Author Comment by:easyworks (LVL 1, ID: 34111536)
ChiefIT
DCdiag /flushdns - did you mean ipconfig /flushdns?
And DCdiag /fix:DNS - just DCdiag /fix?
Because when I follow those steps in order it does not delete anything.

My ISP - if you were looking in Local Area Connection > Properties of TCP/IP > the preferred DNS is just pointing to the server.
Under the DHCP scope for DNS servers there is the server's IP > followed by the ISP DNS1 + 2. If I do not put the ISP DNS there, then where should I put it so the workstations can get to the internet?

9660kel - I'm not sure about the SOA record, I will have to look into it deeper.
The DC and AD are on the same computer.

pmarquardt - everything passed.

Expert Comment by:9660kel (LVL 5, ID: 34113730)
Don't worry about the SOA, you have other stuff to do in DNS.

Remove the DHCP settings for the external DNS, and add forwarding entries in DNS for external name resolution.

Here's a how to link:
http://technet.microsoft.com/en-us/library/cc773370(WS.10).aspx

Expert Comment by:pmarquardt (LVL 4, ID: 34113734)
You should be adding the ISP DNS IP addresses to the forwarders tab of DNS on the DC. Then clients connect to the DC for DNS and it forwards externally for Internet access on recursive queries.
I'm sure ChiefIT meant ipconfig /flushdns

Expert Comment by:pmarquardt (LVL 4, ID: 34113758)
9660kel is exactly correct about DHCP. I forgot to add that in my comment. You have to remove the DNS entry from the DHCP scope, and make sure the DC DNS IP address is listed in the DHCP scope.

Expert Comment by:9660kel (LVL 5, ID: 34113986)
http://technet.microsoft.com/en-us/library/cc779380(WS.10).aspx

Here's a link to the main DNS area at TechNet. It has lots of good info on DNS configuration.

BTW, ChiefIT has some very valid points, if this has been like this for a while, (over 60 days) you will need to clean up the replication and journals after you fix the DNS problem.

Always put the external DNS entries into DNS as forwarders, do not use DHCP, as the external DNS servers will not know the location of local resources, and when the DNS server tells the workstation or server that the resource does not exist, the client will believe them and cache the not-available entry. The problem is that the computer will no longer connect to that location, and won't even try to find it through an alternate server after that.

Expert Comment by:9660kel (LVL 5, ID: 34114186)
A correction to my second post, I said CNAME record, I meant A record, but neither are applicable. Sorry for the red herring.

Assisted Solution by:ChiefIT (LVL 38, earned 333 total points, ID: 34117275)
Step 1)
OK, you have to manually right click and delete all MSDCS file folders on ALL DCs.

After you have deleted them all:
Step 2) Then, go to the command prompt and type all of these command lines in order:

IPconfig /flushdns
Net Stop Netlogon
Net Start Netlogon
Dcdiag /fix|DNS
Netdiag /fix

Now, let's look at what errors remain:
Step 3) Report any errors on your DCdiag reports by going to the command prompt and typing:
Dcdiag /v
and
DCdiag /test:DNS

NOTE: On the DCdiag commands, I can't remember which one is a pipe and which is a colon. So, if they don't work, use the other:
Example: If DCdiag /fix:DNS doesn't work, use Dcdiag /fix|DNS
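A check script for the conditions discussed in this thread, added here as an example and not posted by anyone in the discussion: it flags adapter DNS servers that are not DCs, queries the SRV records (including the `_ldap._tcp.dc._msdcs` name from the original error) against each internal server, and lists the DC's forwarders. It assumes a Windows host with the DnsClient module (Windows 8 / Server 2012 or later, not the Server 2003 box in the question); `$Domain` and `$InternalDns` are placeholders to fill in for your environment.

```powershell
# Added example, not from the thread: check the DNS prerequisites the
# experts describe. Needs the DnsClient module (Windows 8 / Server 2012+);
# $Domain and $InternalDns are placeholders for your environment.
$Domain      = 'MYDOMAIN.local'      # domain named in the 0x232B error
$InternalDns = @('192.168.1.2')      # IPs of your DCs (placeholder)

# 1) Clients must use ONLY internal DNS servers; ISP servers belong in the
#    DC's Forwarders tab, never in the adapter settings or DHCP option 006.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses } |
              Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($ip in $configured) {
    if ($InternalDns -notcontains $ip) {
        Write-Warning "Adapter DNS server $ip is not a DC; move it to Forwarders on the DC."
    }
}

# 2) SRV records that Netlogon registers and that a domain join depends on.
#    _ldap._tcp.dc._msdcs is the one named in the error; the PDC and
#    Kerberos records fail the same way when the _msdcs delegation is gone.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)
foreach ($server in $InternalDns) {
    foreach ($name in $srvNames) {
        try {
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            foreach ($a in $answers) {
                '{0,-15} {1,-45} -> {2}:{3}' -f $server, $name, $a.NameTarget, $a.Port
            }
        } catch {
            # "DNS name does not exist" here means the _msdcs zone or its
            # delegation is missing, or Netlogon has not re-registered yet.
            Write-Warning "$server cannot resolve $name : $($_.Exception.Message)"
        }
    }
}

# 3) On a DC with the DnsServer module, external resolution must come from
#    forwarders; an empty list means clients were relying on ISP servers.
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    if ($fwd.Count -eq 0) { Write-Warning 'No forwarders configured; add the ISP DNS servers here.' }
    else                  { "Forwarders: $($fwd -join ', ')" }
}
```

Run it before and after the Netlogon restart: the SRV section should go from warnings to one line per DC for each of the three names once the _msdcs records are re-registered.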

Author Comment by:easyworks (LVL 1, ID: 34120035)
9660kel and pmarquardt I'll jump on that right away as soon as I'm given time to work on it again.

ChiefIT - Appreciate the step 1, step 2, because this isn't my area of expertise.

Author Comment by:easyworks (LVL 1, ID: 34122546)
After removing the ISP from the DHCP scope for DNS and removing the _msdcs and recreating it, everything is working now and I am able to connect up workstations.

Thank you all again for being patient with me and helping me through this I really appreciate it.