Windows 2008 DC not accessible

DavidRS4
We had two DCs in the domain.  One died.  It did not have any FSMO roles.  Now none of the member servers can contact the primary DC for any DC requests.  Can not get lists of users, nltest /query fails - can not find domain.

However I can browse to dcserver/sysvol and dcserver/netlogon fine and the nltests work fine from the DC.  I can ping as well.

from member servers:

nltest /sc_query:domain.local (with domain name)

flags: 0
trusted dc name
trusted dc connection status status = 1311 0x51f ERROR_NO_LOGON_SERVERS

Any ideas what I should be looking at?  Can not seem to figure out why the member servers can not access the dc..

Commented:
Do you have DNS server (service) on the still active Domain Controller?

What DNS server is setup in TCP/IP in the active server and the PC's.  You should have all DNS going to the active server.

In the Active server is the DNS zone for your domain (internal domain) there and does it have records in it?
Andrew OakeleyConsultant

Commented:
I think chakko is spot on the money here - check all your DNS setup.

You may also like to follow these instructions to ensure the old DC is properly removed from AD http://www.petri.co.il/delete_failed_dcs_from_ad.htm 

Author

Commented:
The active domain controller (dc1) does have dns.  I have checked and I can ping dc1 from any system and it resolves fine.  I can browse to \\dc1\sysvol from any system.

I checked and the SRV records are listed correctly in the dns.

All systems have the dns from dc1.

The dc2 died but I can still get it running for short periods of time(15-20 min - hardware issue).  I did not want to fully pull it out of the domain until I resolve why the member servers can not check with the dc1.

I appreciate any insight.

Andrew OakeleyConsultant

Commented:
from dc1 please do a dcdiag and post restults back here.
Please post results as an attached file NOT in the body of the post
from command prompt

#> dcdiag /v > dcdiag.txt

post dcdiag.txt here.

Author

Commented:
File is attached.  I did do a replace from actual company name to say "company"

Thank you.
dcdiag.txt
Andrew OakeleyConsultant

Commented:
On the bright side it looks like this DC has a valid copy of AD... so that's good?

this is an interesting error......
  * The System Event log test
         An Error Event occurred.  EventID: 0xC00010DF
            Time Generated: 05/21/2011   22:37:06
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see...

Has the server got multiple active NICs? (i.e. multi homed)

I am still leaning towards a dns issue. Can you please post

#> DCDIAG /TEST:DNS > dcdiag_dns.txt

Author

Commented:
Yes, that is why I am having trouble.  It's fine on the DC but no one else can see it correctly.  It does have 2 active NICs.  It is a Hyper-V server - the .2 is used for the DC1 and the hypers go through .3.

I think it is a DNS issue of some type as well - but not sure how to fix :)

File attached.


dcdiag-dns.txt

Author

Commented:
Also - IPv6 is disabled on both NICs.  Noticed some IPv6 errors.

Commented:
I saw this several times:

The guid-based DNS name            aa68f3cb-3e9b-4981-a9d7-75cf9a679bd1._msdcs.company.local            is not registered on one or more DNS servers.

Can you do a ipconfig /registerdns on the DC1

See if that makes any difference.
Also, in the DNS records (DC1) do you see any obvious incorrect records related to DC1

Commented:
I've seen problems with disabling ip6.  Any reason to have it disabled?   you can try to enable on the LAN interface.

Author

Commented:
I did the ipconfig and still get the same ERROR_NO_LOGON_SERVERS on the member server.  But the member server can still ping company1.company.local fine.

I looked at all the dns records and didn't see anything that seemed to be wrong for dc1.. also took out all the records for dc2.

Commented:
try this:

nltest /dsgetdc: < DomainName > 

what is the result.  If looks good, then try from a PC
Consultant
Commented:
Did you disable ipv6 properly (as per http://support.microsoft.com/kb/929852) or did you just untick it?
- if you just unticked it it may pay to turn it back on again

Rather than using PING to test DNS resolution, what happens when you do

#> nslookup DC1

The reason for not using ping for DNS testing is that it will also broadcast to find the server, thus you can get a ping back for a server even when DNS is incorrectly configured.

Author

Commented:
nslookup dc1 was trying to find a server at .1 which was the old server.  I went through the dns and find 2 places that still had a .1 and removed them.

Now the nslookup dc1 resolves fine but nltest /query still shows no logon servers.  

The nltest /dsgetdc:company.local shows error_no_such_domain on the member server.  It works fine on the dc1.

Commented:
when was the last time you restarted DC1?

you might try to stop and start the NETLOGON service.  That should register records into DNS.

Can also try this (from eventid.net)

Value 1722 (Error code 1722) = "The RPC Server is unavailable" - Usually occurs when DNS servers are not configured properly. There is connectivity but not at the service level. One note here, usually it may appear that DNS is set properly but one has to double-check all the aspects of DNS registration/resolution as the problem may not be that obvious. See also M261007 - It says that this behavior can occur if the address for the configured preferred DNS server on the client is invalid or unreachable.
From a newsgroup post: "Do the following to ensure that the SRV records for the AD servers are in DNS properly: (from the DOS prompt)

nslookup
server DC1
set type=srv
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM
Server:  dnsserver.yourdomain.com     <<should return your info>>
Address:  192.168.100.2   <<should return your IP>>

you should see something like this:

_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1.YOURDOMAIN.COM
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server2.YOURDOMAIN.COM
server1.YOURDOMAIN.COM       internet address = 1.1.1.2
server2.YOURDOMAIN.COM       internet address = 1.1.1.1

If you don't then you definitely have a DNS problem.
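The nslookup sequence above, and Andrew's point about ping falling back to broadcast, as an added PowerShell example (not part of this thread, and not code from any of the posters). It assumes a Windows 8 / Server 2012 or newer machine with the DnsClient module, so Resolve-DnsName is available; the domain name, DC FQDN and addresses are placeholders standing in for the thread's "company.local", DC1 at the .2 address and the dead DC at .1. It goes one step further than the post: it resolves every SRV target to an A record and flags any that still point at an address no live DC has, and it checks that the DC's own host record carries only the intended address, which is the multi-homed problem raised later in the thread.

```powershell
# Added example, not from the thread. Requires the DnsClient module
# (Windows 8 / Server 2012 or later). All names and addresses are placeholders.

function Test-DcSrvRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Domain,         # e.g. company.local
        [Parameter(Mandatory)] [string]   $DnsServer,      # the surviving DC's DNS address
        [Parameter(Mandatory)] [string[]] $LiveDcAddress   # addresses a valid DC may have
    )

    # Records a member needs to locate a DC and a GC. The _msdcs entries are
    # forest-wide; the plain _tcp entries are what nltest /dsgetdc uses.
    # Single-domain forest assumed, so _gc._tcp lives under the same name.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain",
        "_gc._tcp.$Domain"
    )

    foreach ($name in $names) {
        # -DnsOnly disables the NetBIOS/LLMNR fallback that lets ping "work"
        # while DNS itself is wrong, the same reason the thread avoids ping.
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Address = $null
                               Status = "MISSING: $($_.Exception.Message)" }
            continue
        }
        foreach ($r in $srv) {
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            if (-not $a) {
                $addr   = $null
                $status = 'STALE: target has no A record'
            } else {
                $addr   = $a.IPAddress -join ','
                $bad    = $a.IPAddress | Where-Object { $_ -notin $LiveDcAddress }
                $status = if ($bad) { "STALE: points at $($bad -join ',')" } else { 'OK' }
            }
            [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port; Address = $addr; Status = $status }
        }
    }
}

# A DC with two NICs on one subnet registers both addresses unless "Register
# this connection's addresses in DNS" is turned off on the second adapter;
# members then use whichever A record they get first.
function Test-DcHostRecord {
    param(
        [Parameter(Mandatory)] [string] $DcFqdn,           # e.g. dc1.company.local
        [Parameter(Mandatory)] [string] $DnsServer,
        [Parameter(Mandatory)] [string] $ExpectedAddress   # the one address members should use
    )
    $a = Resolve-DnsName -Name $DcFqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{
        Host      = $DcFqdn
        Addresses = $a.IPAddress -join ','
        Status    = if (@($a).Count -eq 1 -and $a.IPAddress -eq $ExpectedAddress) { 'OK' }
                    else { 'CHECK: multi-homed or wrong address registered' }
    }
}

# Usage with placeholder values; run from a member server, pointing at the live DC.
Test-DcSrvRecords -Domain 'company.local' -DnsServer '192.168.100.2' -LiveDcAddress '192.168.100.2' |
    Format-Table -AutoSize
Test-DcHostRecord -DcFqdn 'dc1.company.local' -DnsServer '192.168.100.2' -ExpectedAddress '192.168.100.2'
```

Any row marked STALE is a record that Netlogon on the dead DC registered and nobody removed; those are exactly the .1 entries the author later finds by hand. A row marked MISSING for the _msdcs names means the surviving DC is not advertising, which is what Netlogon restart plus nltest /dsregdns repairs.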

Commented:
is DC1 a global catalog server?

Author

Commented:
Thank you! Between the two of you I was able to track down the problem, resolve it and get everything working!
Andrew OakeleyConsultant

Commented:
From the dcdiag
> The DS company1 is advertising as a GC.

Are the two NICS on the same subnet? if so disable one and make sure DNS entries only point to the remaining active NIC.

Author

Commented:
Thank you both. I restarted the NETLOGON service (I had restarted the full dc1 earlier today but guess I had to do it after the DNS issue was fixed).  I then had to do a nltest /sc_reset:company.local and then everything started working (resolving requests to the server for security for users, etc...).

Andrew OakeleyConsultant

Commented:
> Thank you! Between the two of you I was able to track down the problem, resolve it and get everything working!

So what was the eventual "thing" that fixed it?

Author

Commented:
Nic issue - the two nics are on the same subnet but I can not disable one.  The .2 is used for the company1 server which is a Hyper-V server.  All the traffic for the virtual servers goes over .3.

Author

Commented:
Eventual "thing" -

Remove all entries in DNS that listed company2 server or .1 address.

Restart DNS.

Restart NETLOGON service.

Run nltest /sc_reset:company.local on member servers.

Everything works!
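The author's four-step fix, as an added PowerShell example (not from the thread, and not anyone's posted code). It assumes it runs as a domain admin on the surviving DC, that DNS is still hosted there, and that the DnsServer module is present (Server 2012 or later, or RSAT; the original 2008 box would need dnscmd instead). The dead DC's name and address are placeholders for the thread's "company2" and the .1 address. Unlike the manual pass through the DNS console, it matches records by what they point at, because the SRV, NS and GUID CNAME entries a DC leaves behind carry the domain's name, not the DC's, and only their target gives them away. Run it with -WhatIf first to see what would be deleted.

```powershell
# Added example, not from the thread. Placeholders throughout; -WhatIf is honoured.

function Remove-DeadDcDnsRecords {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Domain,          # company.local
        [Parameter(Mandatory)] [string] $DeadDcName,      # company2 (short host name)
        [Parameter(Mandatory)] [string] $DeadDcAddress    # 192.168.100.1
    )
    $deadFqdn = "$DeadDcName.$Domain".ToLower()
    # Zones where a DC registers itself: the domain zone and _msdcs. Reverse
    # zones are left alone here; clean those by hand if you keep them.
    $zones = @($Domain, "_msdcs.$Domain") |
             Where-Object { Get-DnsServerZone -Name $_ -ErrorAction SilentlyContinue }
    $removed = @()
    foreach ($zone in $zones) {
        foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone) {
            $d = $rec.RecordData
            # Decide per record type on the target, not the record name.
            $hit = switch ($rec.RecordType) {
                'A'     { "$($d.IPv4Address)" -eq $DeadDcAddress }
                'SRV'   { $d.DomainName.TrimEnd('.').ToLower()    -eq $deadFqdn }
                'NS'    { $d.NameServer.TrimEnd('.').ToLower()    -eq $deadFqdn }
                'CNAME' { $d.HostNameAlias.TrimEnd('.').ToLower() -eq $deadFqdn }  # the <GUID>._msdcs alias
                default { $false }
            }
            $label = "$zone : $($rec.HostName) $($rec.RecordType)"
            if ($hit -and $PSCmdlet.ShouldProcess($label, 'Remove')) {
                Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $rec -Force
                $removed += $label
            }
        }
    }
    $removed
}

function Reset-DcAdvertising {
    param([Parameter(Mandatory)] [string] $Domain)
    # DNS first, so Netlogon re-registers its SRV records into the cleaned zone.
    Restart-Service -Name DNS -Force
    Restart-Service -Name Netlogon -Force
    & nltest /dsregdns | Out-Null                 # re-register this DC's records now
    & nltest "/dsgetdc:$Domain" /force            # bypass the locator cache; should name this DC
    if ($LASTEXITCODE -ne 0) { throw "DC locator still failing (nltest exit $LASTEXITCODE)" }
}

# Run on each member server after the DC side is done.
function Reset-MemberSecureChannel {
    param([Parameter(Mandatory)] [string] $Domain)
    & nltest "/sc_reset:$Domain"                  # pick a new DC for the secure channel
    if (-not (Test-ComputerSecureChannel)) {
        throw "secure channel to $Domain still broken after sc_reset"
    }
}

# Usage with placeholder values, on the surviving DC:
Remove-DeadDcDnsRecords -Domain 'company.local' -DeadDcName 'company2' -DeadDcAddress '192.168.100.1' -WhatIf
# Remove-DeadDcDnsRecords -Domain 'company.local' -DeadDcName 'company2' -DeadDcAddress '192.168.100.1'
# Reset-DcAdvertising -Domain 'company.local'
# Then on each member: Reset-MemberSecureChannel -Domain 'company.local'
```

This only removes the DNS side of the dead DC. The AD object and NTDS settings it left behind still need metadata cleanup, which is what the petri.co.il article linked earlier in the thread covers; until that is done, replication and KCC errors about the missing partner will keep appearing in dcdiag.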
