villageengineer


missing _ldap DNS entry related to _msdcs.xxx.local in zone event 4010

I am getting error 4010 The DNS server was unable to create a resource record for  fdc394f4-e3d4-4bdc-abfd-bd1f34f91056._msdcs.xxx.local. in zone xxx.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

I have traced this to what I believe is a missing _ldap SRV record somewhere in DNS. As per MS article http://support.microsoft.com/kb/816587 I performed the test.

The output of the test is:

C:\Users\administrator.xxx>nslookup
Default Server:  dc-02.xxx.local
Address:  192.168.10.11

> set type=all
> _ldap._tcp._dc.xxx.local
Server:  dc-02.xxx.local
Address:  192.168.10.11

*** dc-02.xxx.local can't find _ldap._tcp._dc.xxx.local: Non-existent domain
>

My question is where is this entry located and how do I correct it?

Environment is Server 2008 R2 and Windows 7
villageengineer

ASKER

update:

I get the same results (dc-name.xxx.local can't find _ldap._tcp._dc.xxx.local: Non-existent domain) when the nslookup test is run from all domain controllers and workstations.
From each of your domain controllers, try running the following command
dcdiag /fix


What version of Server are you using (2003, 2008, standard, enterprise etc) ...
Environment is Server 2008 R2 and Windows 7
Also, for what it's worth, dcdiag can perform the DNS tests for you.

See the full dcdiag documentation at: http://technet.microsoft.com/en-us/library/cc731968(v=ws.10).aspx
C:\Users\administrator.xxxx>dcdiag
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server....Home Server = DC-02
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site\DC-02
      Starting test: Connectivity
         ......................... DC-02 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site\DC-02
      Starting test: Advertising
         ......................... DC-02 passed test Advertising
      Starting test: FrsEvent
         ......................... DC-02 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC-02 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-02 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-02 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-02 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-02 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=xxxx,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=xxxx,DC=local
         ......................... DC-02 failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-02 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-02 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC-02 passed test Replications
      Starting test: RidManager
         ......................... DC-02 passed test RidManager
      Starting test: Services
         ......................... DC-02 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000079
            Time Generated: 07/16/2012   09:27:05
            Event String:
            The firewall exception to allow Internet Storage Name Server (iSNS)
client functionality is not enabled. iSNS client functionality is not available.
         An error event occurred.  EventID: 0x00000067
            Time Generated: 07/16/2012   09:27:58
            Event String:
            Timeout waiting for iSCSI persistently bound volumes. If there are a
ny services or applications that use information stored on these volumes then th
ey may not start or may report errors.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 07/16/2012   09:27:59
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         An error event occurred.  EventID: 0xC0001B70
            Time Generated: 07/16/2012   09:28:25
            Event String:
            The File Server Resource Manager service terminated with service-spe
cific error %%-2147200234.
         A warning event occurred.  EventID: 0x800003EA
            Time Generated: 07/16/2012   09:30:26
            Event String:
            HP WBEM data was captured and compressed as a raw data format.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 07/16/2012   09:30:40
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/DC-02.V
FP.local; WSMAN/DC-02.
         A warning event occurred.  EventID: 0x80000434
            Time Generated: 07/16/2012   09:41:10
            Event String:
            The reason supplied by user xxxx\Administrator for the last unexpecte
d shutdown of this computer is: Other (Unplanned)
         An error event occurred.  EventID: 0x00000456
            Time Generated: 07/16/2012   09:43:47
            Event String:
            An error occurred during processing of ntprint.inf. The file might b
e corrupted. Run Setup again to reinstall the file.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 07/16/2012   09:43:50
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
         ......................... DC-02 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-02 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidation
   Running partition tests on : xxxx
      Starting test: CheckSDRefDom
         ......................... xxxx passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... xxxx passed test CrossRefValidation
   Running enterprise tests on : xxxx.local
      Starting test: LocatorCheck
         ......................... xxxx.local passed test LocatorCheck
      Starting test: Intersite
         ......................... xxxx.local passed test Intersite
C:\Users\administrator.xxxx
controller is not a RODC
Go to each of your DC's, and restart the NetLogon service.  Then check DNS again.
With regard to your nslookup, once you type in nslookup, I think the next line should be:

_ldap._tcp.dc._msdcs.DOMAIN.LOCAL

In your original question, you typed:

_ldap._tcp.dc.DOMAIN.LOCAL

I just tested this on my servers and the one you typed gave me the exact same errors but when I added _msdcs , I got the correct results ...
Also, no "_" before "dc"
Do not manually create the entries, this risks having incorrect ACLs.  Please restart netlogon on all DCs first and see if that works.
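An added diagnostic (not posted in this thread) that runs the corrected lookups above as a script: it checks that the `_ldap._tcp.dc._msdcs.<domain>` SRV record lists every DC, and that each DC's `<DSA GUID>._msdcs.<forest root>` CNAME (the record type named in events 4010 and 2087) resolves to that DC. It reads the DC list and GUIDs from the NTDS Settings objects and uses nslookup so it runs on Server 2008 R2 / Windows 7 without RSAT; the nslookup output strings it parses and the assumption that it runs as a domain user on a domain-joined machine are mine.

```powershell
# Added example, not from the thread. Assumed: run on a domain-joined machine;
# Windows nslookup output format ("svr hostname =", "canonical name =").
$domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$forestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
$configNc   = [string]([adsi]'LDAP://RootDSE').configurationNamingContext

# Every DC has an NTDS Settings object (class nTDSDSA). Its objectGUID is the GUID that
# names the <guid>._msdcs.<forest root> CNAME replication partners resolve (events 4010/2087).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://CN=Sites,$configNc"
$searcher.Filter = '(objectClass=nTDSDSA)'
$dcs = foreach ($result in $searcher.FindAll()) {
    $ntds   = $result.GetDirectoryEntry()
    $server = $ntds.psbase.Parent          # the server object carries dNSHostName
    New-Object PSObject -Property @{
        Host    = [string]$server.dNSHostName
        DsaGuid = $ntds.psbase.Guid        # objectGUID as System.Guid
    }
}

function Get-SrvTargets([string]$name) {
    # one "svr hostname = <fqdn>" line per SRV target; "can't find" errors go to stderr
    nslookup -type=SRV $name 2>&1 | Select-String 'svr hostname\s*=\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.') }
}
function Get-CnameTarget([string]$name) {
    nslookup -type=CNAME $name 2>&1 | Select-String 'canonical name\s*=\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.') } | Select-Object -First 1
}

# Check 1: the corrected name from the thread (dc._msdcs, no "_" before dc) lists every DC.
$srvTargets = @(Get-SrvTargets "_ldap._tcp.dc._msdcs.$domain")
# Check 2: each DC's DSA GUID CNAME resolves back to that DC's host name.
foreach ($dc in $dcs | Sort-Object Host) {
    $inSrv   = $srvTargets -contains $dc.Host
    $cname   = Get-CnameTarget "$($dc.DsaGuid)._msdcs.$forestRoot"
    $cnameOk = ($cname -eq $dc.Host)
    $status  = if ($inSrv -and $cnameOk) { 'OK' } else { 'MISSING' }
    '{0,-8} {1,-28} SRV={2,-5} CNAME {3} -> {4}' -f $status, $dc.Host, $inSrv, $dc.DsaGuid, $cname
}
```

When a DC reports MISSING, the advice above applies: restart Netlogon on that DC so it re-registers its records rather than creating them by hand, then run the check again.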
You're right, I should not have entered set type=all before _ldap._tcp.dc._msdcs

So I still have to figure out why I'm getting event error 4010

The DNS server was unable to create a resource record for  fdc394f4-e3d4-4bdc-abfd-bd1f34f91056._msdcs.xxx.local. in zone xxx.local.
The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
SOLUTION
Enigo
Do I need to do this for all DC's?
Are all the DC's getting the error?
Yes, all DC's are getting the same error.

The fix above did not resolve the issue, even after a reboot.
Update: I have found a corresponding error; now I have (I think) a cause and effect

Event ID 2087 - Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 DC-01
Failing DNS host name:
 54fdf1f3-cf2f-44fe-8758-83d6d1be4095._msdcs.xxxx.local

and

Event ID 4010 - The DNS server was unable to create a resource record for  fdc394f4-e3d4-4bdc-abfd-bd1f34f91056._msdcs.xxxx.local. in zone xxxx.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
Are your DC's also DNS servers?  Are the NICs pointing to the internal DNS servers? Do you have reverse lookup zones?
Yes, the DC's are DNS servers

Yes, the NIC's point to their own IP address for primary DNS, and the secondary IP address is the opposite internal DNS server. We found that pointing the NIC to its own IP address vs. the loopback address works better.

Yes, there are reverse lookup zones for all internal networks and loopback appear to be working well. We manually created these networks except for three entries that appeared on their own:

0.in-addr.arpa
127.in-addr.arpa
255.in-addr.arpa
DNS zone screen shot attached
ASKER CERTIFIED SOLUTION
The steps above corrected the issue with event id 4010 and 2087; however, after performing the steps, all DNS zone transfer information was reset to defaults for both forward and reverse entries.
Settings had to be entered and re-entered multiple times before they "stuck". This occurred on all DNS servers.

Restart DNS services, double-check entries, and also restart DNS servers and double-check entries after following the steps above.