Second Domain Controller in Forest DNS Issue

Last Modified: 2012-05-11
We are having an issue with DNS in our Forest. The way it is set up now is that we have one domain (01.local) and a second domain (02.local) with a trust between the two. They are on two different subnets (20.3) and (21.3).

The 01.local DC can validate the trust from both sides but the 02.local DC can only validate itself and gets an error message when opening the properties of the 01.local domain.

Also the primary 01.local DC can run DCDIAG /test:dns fine, whereas the 02.local DC gets the following:

 
C:\>dcdiag.exe /test:DNS

Directory Server Diagnosis

Performing initial setup:
  Trying to find home server...
  Home Server = FSA1DC01
  * Identified AD Forest.
  Done gathering initial info.

Doing initial required tests

  Testing server: Default-First-Site-Name\FSA1DC01
     Starting test: Connectivity
        ......................... FSA1DC01 passed test Connectivity

Doing primary tests

  Testing server: Default-First-Site-Name\FSA1DC01

     Starting test: DNS

        DNS Tests are running and not hung. Please wait a few minutes...
        ......................... FSA1DC01 passed test DNS

  Running partition tests on : DomainDnsZones

  Running partition tests on : a1

  Running partition tests on : ForestDnsZones

  Running partition tests on : Schema

  Running partition tests on : Configuration

  Running enterprise tests on : setadc.local
     Starting test: DNS
        Test results for domain controllers:

           DC: FSA1DC01.a1.local
           Domain: a1.local


              TEST: Basic (Basc)
                 Warning: adapter
                 [00000007] Intel(R) PRO/1000 MT Network Connection has
                 invalid DNS server: 127.0.0.1 (FSA1DC01)
                 Error: all DNS servers are invalid

           TEST: Records registration (RReg)
              Error: Record registrations cannot be found for all the network
              adapters

        Summary of test results for DNS servers used by the above domain
        controllers:

           DNS server: 192.168.201.3 (FSA1DC01)
              1 test failure on this DNS server
              Name resolution is not functional. _ldap._tcp.setadc.local. failed on the DNS server 192.168.201.3

        Summary of DNS test results:

                                           Auth Basc Forw Del  Dyn  RReg Ext
           _________________________________________________________________
           Domain: a1.local
              FSA1DC01                     PASS FAIL PASS PASS PASS FAIL n/a

        ......................... setadc.local failed test DNS

C:\>



The issue we are having is that we want the top level domain 01.local to be able to see all of the other domains in the forest.

Can you run PortqryUI and check if any ports are blocked on the firewall. Run it from 02.local DC.

Author

Commented:
Here is what PortqryUI returned

Just so you know, these are two virtual machines on separate VLANs without a physical firewall between them.

 
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 135 -p TCP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

Total endpoints found: 53

 

==== End of RPC Endpoint Mapper query response ====
portqry.exe -n 127.0.0.1 -e 135 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 389 -p BOTH ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 04/20/2011 15:31:29 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=setadc,DC=local
dsServiceName: CN=NTDS Settings,CN=FSA1DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=setadc,DC=local
namingContexts: CN=Configuration,DC=setadc,DC=local
defaultNamingContext: DC=a1,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=setadc,DC=local
configurationNamingContext: CN=Configuration,DC=setadc,DC=local
rootDomainNamingContext: DC=setadc,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 33594
supportedSASLMechanisms: GSSAPI
dnsHostName: FSA1DC01.a1.local
ldapServiceName: setadc.local:fsa1dc01$@A1.LOCAL
serverName: CN=FSA1DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=setadc,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4


======== End of LDAP query response ========

UDP port 389 (unknown service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 389 -p BOTH exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 636 -p TCP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 636 (ldaps service): LISTENING
portqry.exe -n 127.0.0.1 -e 636 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 3268 -p TCP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 3268 (msft-gc service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 04/20/2011 15:31:29 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=setadc,DC=local
dsServiceName: CN=NTDS Settings,CN=FSA1DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=setadc,DC=local
namingContexts: CN=Configuration,DC=setadc,DC=local
defaultNamingContext: DC=a1,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=setadc,DC=local
configurationNamingContext: CN=Configuration,DC=setadc,DC=local
rootDomainNamingContext: DC=setadc,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 33594
supportedSASLMechanisms: GSSAPI
dnsHostName: FSA1DC01.a1.local
ldapServiceName: setadc.local:fsa1dc01$@A1.LOCAL
serverName: CN=FSA1DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=setadc,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4


======== End of LDAP query response ========
portqry.exe -n 127.0.0.1 -e 3268 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 3269 -p TCP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 3269 (msft-gc-ssl service): LISTENING
portqry.exe -n 127.0.0.1 -e 3269 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 53 -p BOTH ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING
portqry.exe -n 127.0.0.1 -e 53 -p BOTH exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 88 -p BOTH ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 88 (kerberos service): LISTENING

UDP port 88 (kerberos service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 88 -p BOTH exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 445 -p TCP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n 127.0.0.1 -e 445 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 137 -p UDP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

UDP port 137 (netbios-ns service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 137 -p UDP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 138 -p UDP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

UDP port 138 (netbios-dgm service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 138 -p UDP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 139 -p TCP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 139 (netbios-ssn service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 139 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n 127.0.0.1 -e 42 -p TCP ...


Querying target system called:

 127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to FSA1DC01.a1.local

querying...

TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 42 -p TCP exits with return code 0x00000001.


Most Valuable Expert 2011

Commented:
Subnets are completely irrelevant and can be left out of the conversation.

VMs, and virtualization in general, are most likely irrelevant and can be left out of the conversation.

If they are in the same Forest then they would already be aware of each other and would already trust each other.  If that is failing then you need to view the problem from that perspective.

If they are not in the same Forest then you start out configuring the DNS in each Domain as if that is the only Domain that exists.  Then before setting up the trust choose one of the two methods:

1. Zone Transfers.  Set up Zone Transfers so that each Domain's DNS has a copy of the Zone from the opposite Domain's DNS.

2. Conditional Forwarders.  Set up Conditional Forwarders on each Domain's DNS so that each knows which DNS to forward to when querying anything in the opposite Domain.

My favorite is Zone Transfers,...they seem the more "solid" solution to me,...but either method should work.
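The two methods above, written out as an added example (not from the thread) using the DnsServer PowerShell module on the 01.local DNS server; the DC addresses 192.168.20.3 (01.local) and 192.168.21.3 (02.local) are assumed, and the mirror-image run on the 02.local side swaps the names and addresses.

```powershell
# Added example, not code from the thread. Run on the 01.local DNS server.
# Assumed: DnsServer module (Windows Server 2012 or later),
#          01.local DNS = 192.168.20.3, 02.local DNS = 192.168.21.3.
Import-Module DnsServer

$localZone  = '01.local'      # AD-integrated zone this server is authoritative for
$remoteZone = '02.local'      # zone held by the other domain's DNS
$localDns   = '192.168.20.3'  # assumed address of this server
$remoteDns  = '192.168.21.3'  # assumed address of the 02.local DNS server

# --- Method 1: zone transfers ------------------------------------------------
# Let only the other domain's DNS server pull our AD-integrated zone, and notify
# it on changes. Never set TransferAnyServer: that hands the whole zone (every
# host and service record) to anyone who can reach TCP/53.
Set-DnsServerPrimaryZone -Name $localZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $remoteDns `
    -Notify NotifyServers -NotifyServers $remoteDns

# Hold a read-only standard secondary copy of the other domain's zone, spelled
# exactly like the AD-integrated zone on the other side.
if (-not (Get-DnsServerZone -Name $remoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $remoteZone -ZoneFile "$remoteZone.dns" `
        -MasterServers $remoteDns
}

# --- Method 2: conditional forwarder (instead of, not alongside, method 1) ---
# A forwarder and a zone with the same name cannot coexist on one server.
# Add-DnsServerConditionalForwarderZone -Name $remoteZone `
#     -MasterServers $remoteDns -ReplicationScope Forest

# Verify: the other domain's LDAP locator record must now resolve from here.
Resolve-DnsName -Name "_ldap._tcp.$remoteZone" -Type SRV -Server $localDns
```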

Author

Commented:
Should both the DNS in 01.local and 02.local have a zone for each domain? It seems we are having some conflict internally as to what each domain's DNS should contain, as far as records.
Most Valuable Expert 2011

Commented:
Each DC will have the one main Zone that is the AD Integrated Zone for that particular Domain.
Then it will have a second Standard Non-AD Integrated Zone that matches the spelling of the AD Zone in the opposite Domain.   Repeat the same theory on both Domains' DNS.

Create the Zone Transfers to copy the data from the AD Zones on one side to the empty Standard Zone on the opposite domain.    Then rinse & repeat the theory on the opposite Domain.

It is pretty straightforward and logical,..just think it through.

Author

Commented:
Ok, that's how we currently have it, with zone transfers being used. Do you have any clue as to why dcdiag is failing like it is in the initial post?
Most Valuable Expert 2011

Commented:
Make sure that all the DCs only have one network adapter.  Remove any additional adapters if possible,..if not removable then disable them at the hardware level.  Do not disable them until their TCP/IP specs are set to Automatic and allowed to take effect.

In the Binding Order (properties of Net Places-->Advanced-->Advanced Settings) make sure the Network Adapter in use is at the top of the Binding order above any other adapters that may show in the list.

Never configure RRAS on a DC,..ever.
RRAS as far as I know is not removable/uninstallable,...but it needs to be left in a deactivated unconfigured state.

Remove any DNS Records in either the Forward or the Reverse Zone that may have crept in there from some other previous adapter.

On each DC,...in the Properties of each AD Integrated Zone,...go to the Name Servers tab and remove or correct any bad entries there.

That is all I can think of right now.

Author

Commented:
For the nameservers should both DCs be listed on each DC?
Most Valuable Expert 2011

Commented:
Everyone has a different answer when it comes to DNS settings on Domain Controllers. The best performance overall is to have the DC point to itself as primary with the full IP, not loopback, then any other secondary DCs. You don't want a DC to rely on another DC to boot, because who knows if the other DC is down as well. If the DC that you are rebooting is starting, then you know that the DNS server will work when it boots. You shouldn't see any time difference when booting if your DC is configured properly.

That is a debate that is never going to end.  Even people at MS can't agree.
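The checklist a few comments up (one adapter, no loopback in the DNS list, clean Name Servers tab) and the "point to its own real IP first" advice just above, folded into one added diagnostic script that is not from the thread. It reproduces the two dcdiag complaints in the question (an "invalid DNS server: 127.0.0.1" entry and an _ldap._tcp SRV record that does not resolve); it assumes Windows Server 2012 or later with the NetTCPIP, DnsClient and DnsServer modules, and reads the domain and forest names from the DC it runs on.

```powershell
# Added diagnostic, not code from the thread. Run elevated on each DC.
# Assumed: Windows Server 2012+ (NetTCPIP, DnsClient and DnsServer modules).
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
$myIPs  = (Get-NetIPAddress -AddressFamily IPv4 |
           Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress

# 1. A DC should have exactly one active adapter (binding order only matters otherwise).
$adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($adapters.Count -ne 1) {
    Write-Warning "$($adapters.Count) active adapters; a DC should have exactly one."
}

# 2. Per-adapter DNS client list: no loopback, own real IP first, then other DCs.
$servers = @()
foreach ($a in $adapters) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
    Write-Host "$($a.Name): DNS servers = $($dns -join ', ')"
    if (-not $dns) { Write-Warning "  no DNS servers configured"; continue }
    if ($dns -contains '127.0.0.1') {
        Write-Warning "  loopback listed; dcdiag reports this as 'invalid DNS server: 127.0.0.1'"
    }
    if ($dns[0] -notin $myIPs) {
        Write-Warning "  first entry is not this DC's own address ($($myIPs -join ', '))"
    }
    $servers += $dns | Where-Object { $_ -ne '127.0.0.1' }
}

# 3. Every configured server must answer the locator records DC discovery relies on
#    (the same lookup dcdiag's Basic/RReg tests failed on in the question).
$names = @("_ldap._tcp.$domain", "_ldap._tcp.dc._msdcs.$domain", "_ldap._tcp.gc._msdcs.$forest")
foreach ($server in ($servers | Select-Object -Unique)) {
    foreach ($n in $names) {
        try {
            $r = Resolve-DnsName -Name $n -Type SRV -Server $server -ErrorAction Stop
            $targets = ($r | Where-Object Type -eq 'SRV').NameTarget -join ', '
            Write-Host "  $server answers $n -> $targets"
        } catch {
            Write-Warning "  $server cannot resolve $n ($($_.Exception.Message))"
        }
    }
}

# 4. Name Servers tab of the AD-integrated zone: every NS must still resolve.
Get-DnsServerResourceRecord -ZoneName $domain -RRType NS -Name '@' |
    ForEach-Object { $_.RecordData.NameServer } |
    ForEach-Object {
        if (-not (Resolve-DnsName -Name $_ -ErrorAction SilentlyContinue)) {
            Write-Warning "stale NS entry in $domain zone: $_"
        }
    }
```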
Most Valuable Expert 2011

Commented:
BTW - MS even puts the loopback address in there by default when a DC is created or also if you close the TCP/IP Specs dialog without filling in a DNS IP,...so even the behavior they designed into the thing disagrees with them.
CERTIFIED EXPERT
Top Expert 2012

Commented:
That is the truth. LOL!

CERTIFIED EXPERT
Top Expert 2012

Commented:
Yeah, I have spoken about that; the answer I have received is that it's better half way broke than fully broken. If the system is running in a single domain environment then at least it will function. Should work for multiple DCs as well even though errors appear.
Qlemo "Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.