Domain wide DNS issues

Posted on 2011-04-21
Last Modified: 2012-08-14

We have recently upgraded our network and have been having constant problems since with DNS and replication.

We started with a 2003 DC running DHCP, DNS and all FSMO roles. We have built a VM 2008 DC, upgraded the forest schema and transferred all FSMO roles to this new 2008 DC. DNS has been setup and configured on this server as an AD Primary.

The 2003 DC is still online but not contactable as i have disabled the NIC until happy to dcpromo and decom from the domain.

This morning we had an issue with a VIP logging on and his profile not loading. The admin account would not show his profile on the local laptop at all in any root. Renaming his profile and logging on again only gave him a temp account. He has no roaming profile configured. We quickly realized that connection to the file server (where his user data is stored) was contactable by rdp, ping to ip and hostname but browsing to it did not show the shared folders.

Therefore i rebooted the main DC and all other servers there after.  I gave his laptop a static IP outside the DHCP scope and rebooted. This resolved the issue with the missing profile, but doesn't explain what happened in the first place. I believe this is something to with the DNS issues we are having but cant see what I'm missing.
Question by:ncomper
    LVL 16

    Expert Comment


    Did you give the GC (Global Catalog) function to your new 2008 DC ?
    Clients need to contact a GC to authenticate in the domain. If you forgot to give the GC function to your new DC and shut down the old DC your users are not authenticated in the domain. They probably can opn their Windows desktop by the way of the credentials cache that exists in Windows but they can not reach any network ressource...

    Does the problem appear for any user or only this one ?

    Have a good day
    LVL 5

    Author Comment

    I have double checked the 2008 DC and it is a GC. The origional 2003 DC within Sites and Services is also still showing as a GC, would it be worth removing this role to aviod confusion?

    LVL 16

    Expert Comment

    Hi again,

    No need to remove the GC role. Let it like this on both DCs.

    Check time synchronization with command "W32TM /MONITOR" on each DC and look at the offset.
    DCs in an Active Directory domain must be time synchronized and offset must be less than 5 seconds. In normal situation, if time synchronization works well you should see an offset les than one second.
    LVL 5

    Author Comment

    For your Ref:

    SBDC01 = New 2008 DC (active)
    Schdc03 = Remote site DC (active)
    Schsbs2003 = Old 2003 DC (NIC disabled)

    Results posted below:

    C:\Windows\system32>w32tm /monitor
        ICMP: error IP_REQ_TIMED_OUT - no response in 1000m
        NTP: error ERROR_TIMEOUT - no response from server
        ICMP: 10ms delay
        NTP: -0.0104486s offset from SBDC01.Scheldebouw.loc
            RefID: SBDC01.Scheldebouw.local []
            Stratum: 2
    SBDC01.Scheldebouw.local *** PDC ***[[fe80::5905:cd56:2
        ICMP: 0ms delay
        NTP: +0.0000000s offset from SBDC01.Scheldebouw.loc
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1

    Reverse name resolution is best effort. It may not be
    correct since RefID field in time packets differs acros
    NTP implementations and may not be using IP addresses.
    LVL 16

    Accepted Solution

    Take a look at your RDP server and at the file server that hosts users profiles. Look at the DNS configuration on them to verify that these servers are able to interrogate a reachable DNS server.

    Before you stop the old DC did you think about changing IP configuration on every server so that they can interrogate DNS service on the new DC ??

    LVL 8

    Expert Comment

    If DHCP is still on your old server and you disabled the NIC then you won't be able to contact a DHCP server at all...unless you set that up on the new 2008 server.
    This would explain why a static IP address worked.

    Is that the case?


    Featured Post

    Maximize Your Threat Intelligence Reporting

    Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

    Join & Write a Comment

    Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now