We help IT Professionals succeed at work.

Domain wide DNS issues

ncomper
ncomper asked
on
Medium Priority
411 Views
Last Modified: 2012-08-14
All,

We have recently upgraded our network and have been having constant problems since with DNS and replication.

We started with a 2003 DC running DHCP, DNS and all FSMO roles. We have built a VM 2008 DC, upgraded the forest schema and transferred all FSMO roles to this new 2008 DC. DNS has been setup and configured on this server as an AD Primary.

The 2003 DC is still online but not contactable as i have disabled the NIC until happy to dcpromo and decom from the domain.

This morning we had an issue with a VIP logging on and his profile not loading. The admin account would not show his profile on the local laptop at all in any root. Renaming his profile and logging on again only gave him a temp account. He has no roaming profile configured. We quickly realized that connection to the file server (where his user data is stored) was contactable by rdp, ping to ip and hostname but browsing to it did not show the shared folders.

Therefore i rebooted the main DC and all other servers there after.  I gave his laptop a static IP outside the DHCP scope and rebooted. This resolved the issue with the missing profile, but doesn't explain what happened in the first place. I believe this is something to with the DNS issues we are having but cant see what I'm missing.
Comment
Watch Question

Bruno PACIIT Consultant
CERTIFIED EXPERT

Commented:
Hi,


Did you give the GC (Global Catalog) function to your new 2008 DC ?
Clients need to contact a GC to authenticate in the domain. If you forgot to give the GC function to your new DC and shut down the old DC your users are not authenticated in the domain. They probably can opn their Windows desktop by the way of the credentials cache that exists in Windows but they can not reach any network ressource...

Does the problem appear for any user or only this one ?


Have a good day

Author

Commented:
I have double checked the 2008 DC and it is a GC. The origional 2003 DC within Sites and Services is also still showing as a GC, would it be worth removing this role to aviod confusion?

Thanks
Bruno PACIIT Consultant
CERTIFIED EXPERT

Commented:
Hi again,


No need to remove the GC role. Let it like this on both DCs.

Check time synchronization with command "W32TM /MONITOR" on each DC and look at the offset.
DCs in an Active Directory domain must be time synchronized and offset must be less than 5 seconds. In normal situation, if time synchronization works well you should see an offset les than one second.

Author

Commented:
For your Ref:

SBDC01 = New 2008 DC (active)
Schdc03 = Remote site DC (active)
Schsbs2003 = Old 2003 DC (NIC disabled)

Results posted below:

C:\Windows\system32>w32tm /monitor
schsbs2003.Scheldebouw.local[10.0.0.1:123]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000m
    NTP: error ERROR_TIMEOUT - no response from server
schdc03.Scheldebouw.local[10.30.0.2:123]:
    ICMP: 10ms delay
    NTP: -0.0104486s offset from SBDC01.Scheldebouw.loc
        RefID: SBDC01.Scheldebouw.local [10.0.0.211]
        Stratum: 2
SBDC01.Scheldebouw.local *** PDC ***[[fe80::5905:cd56:2
    ICMP: 0ms delay
    NTP: +0.0000000s offset from SBDC01.Scheldebouw.loc
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs acros
NTP implementations and may not be using IP addresses.
IT Consultant
CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Commented:
If DHCP is still on your old server and you disabled the NIC then you won't be able to contact a DHCP server at all...unless you set that up on the new 2008 server.
This would explain why a static IP address worked.

Is that the case?

Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.