• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389
  • Last Modified:

Domain wide DNS issues


We have recently upgraded our network and have been having constant problems since with DNS and replication.

We started with a 2003 DC running DHCP, DNS and all FSMO roles. We have built a VM 2008 DC, upgraded the forest schema and transferred all FSMO roles to this new 2008 DC. DNS has been setup and configured on this server as an AD Primary.

The 2003 DC is still online but not contactable as i have disabled the NIC until happy to dcpromo and decom from the domain.

This morning we had an issue with a VIP logging on and his profile not loading. The admin account would not show his profile on the local laptop at all in any root. Renaming his profile and logging on again only gave him a temp account. He has no roaming profile configured. We quickly realized that connection to the file server (where his user data is stored) was contactable by rdp, ping to ip and hostname but browsing to it did not show the shared folders.

Therefore i rebooted the main DC and all other servers there after.  I gave his laptop a static IP outside the DHCP scope and rebooted. This resolved the issue with the missing profile, but doesn't explain what happened in the first place. I believe this is something to with the DNS issues we are having but cant see what I'm missing.
  • 3
  • 2
1 Solution
Bruno PACIIT ConsultantCommented:

Did you give the GC (Global Catalog) function to your new 2008 DC ?
Clients need to contact a GC to authenticate in the domain. If you forgot to give the GC function to your new DC and shut down the old DC your users are not authenticated in the domain. They probably can opn their Windows desktop by the way of the credentials cache that exists in Windows but they can not reach any network ressource...

Does the problem appear for any user or only this one ?

Have a good day
ncomperAuthor Commented:
I have double checked the 2008 DC and it is a GC. The origional 2003 DC within Sites and Services is also still showing as a GC, would it be worth removing this role to aviod confusion?

Bruno PACIIT ConsultantCommented:
Hi again,

No need to remove the GC role. Let it like this on both DCs.

Check time synchronization with command "W32TM /MONITOR" on each DC and look at the offset.
DCs in an Active Directory domain must be time synchronized and offset must be less than 5 seconds. In normal situation, if time synchronization works well you should see an offset les than one second.
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

ncomperAuthor Commented:
For your Ref:

SBDC01 = New 2008 DC (active)
Schdc03 = Remote site DC (active)
Schsbs2003 = Old 2003 DC (NIC disabled)

Results posted below:

C:\Windows\system32>w32tm /monitor
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000m
    NTP: error ERROR_TIMEOUT - no response from server
    ICMP: 10ms delay
    NTP: -0.0104486s offset from SBDC01.Scheldebouw.loc
        RefID: SBDC01.Scheldebouw.local []
        Stratum: 2
SBDC01.Scheldebouw.local *** PDC ***[[fe80::5905:cd56:2
    ICMP: 0ms delay
    NTP: +0.0000000s offset from SBDC01.Scheldebouw.loc
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1

Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs acros
NTP implementations and may not be using IP addresses.
Bruno PACIIT ConsultantCommented:
Take a look at your RDP server and at the file server that hosts users profiles. Look at the DNS configuration on them to verify that these servers are able to interrogate a reachable DNS server.

Before you stop the old DC did you think about changing IP configuration on every server so that they can interrogate DNS service on the new DC ??

If DHCP is still on your old server and you disabled the NIC then you won't be able to contact a DHCP server at all...unless you set that up on the new 2008 server.
This would explain why a static IP address worked.

Is that the case?


Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now