Solved

Unable to login to domain controller (DC=2008, Client=2003)

Posted on 2013-01-21
11
480 Views
Last Modified: 2013-01-22
Good Day,
I am unable to login to my domain controller from a member (server 2003). DNS Services are currently running. Here is a log file from dcdiag test:dns

Domain Name: coop.tor
DC Name: TOR-DC01.coop.tor
2003 Box:  TOR-DB02.coop.tor


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\TOR-DC01
      Starting test: Connectivity
         ......................... TOR-DC01 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\TOR-DC01

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : coop
   
   Running enterprise tests on : coop.tor
      Starting test: DNS
         Test results for domain controllers:
           
            DC: TOR-DC01.coop.tor
            Domain: coop.tor

                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                 
               TEST: Delegations (Del)
                  Warning: DNS server: tor_dc01.coop.tor. IP: <Unavailable> Failure:Missing glue A record
               
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
               
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: coop.tor
               TOR-DC01                     PASS PASS PASS FAIL PASS FAIL n/a  
         
         ......................... coop.tor failed test DNS



Any and all help is always appreciated!
0
Comment
Question by:LFoArano
  • 5
  • 5
11 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38802474
The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003.

Update your root certificates on your 2003 server.

Windows Update Catalog

look for “root update” or the KB article for the Root Certificate Program, “KB931125”.
0
 

Author Comment

by:LFoArano
ID: 38802488
Thank you, but the dcdiag above was from a 2008 DC

Did you want me to try to update my root certs on my tor-db02 box (Server 2003)
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38802505
Sorry. Yes, you should try to update root certs on your 2008 DC

here is what I am getting for those roots

b.root-servers.net has address 192.228.79.201
l.root-servers.net has address 199.7.83.42
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:LFoArano
ID: 38802529
No luck, at least not all the way through.
Please review the new DCDiag /test:dns



Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\TOR-DC01
      Starting test: Connectivity
         ......................... TOR-DC01 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\TOR-DC01

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : coop
   
   Running enterprise tests on : coop.tor
      Starting test: DNS
         Test results for domain controllers:
           
            DC: TOR-DC01.coop.tor
            Domain: coop.tor

                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                 
               TEST: Delegations (Del)
                  Warning: DNS server: tor_dc01.coop.tor. IP: <Unavailable> Failure:Missing glue A record
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
               
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: coop.tor
               TOR-DC01                     PASS PASS PASS FAIL PASS PASS n/a  
         
         ......................... coop.tor failed test DNS
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38802662
can you send the results of ipconfig /all from your 2008 DC?

Appears like you have invalid DNS forwarders listed
0
 

Author Comment

by:LFoArano
ID: 38803182
sure thing, here you go:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : TOR-DC01
   Primary Dns Suffix  . . . . . . . : coop.tor
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : coop.tor

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Citrix XenServer PV Ethernet Adapter
   Physical Address. . . . . . . . . : EA-3F-C3-15-49-8C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.200
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{874DE82C-F12D-43DA-A1BC-99707A704A7A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38803297
Ok, I think we are almost there.

What does ipconfig /all from the 2003 server contain?
0
 

Author Comment

by:LFoArano
ID: 38803350
Here we go:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TOR-DB02
   Primary Dns Suffix  . . . . . . . : coop.tor
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : coop.tor

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Citrix XenServer PV Ethernet Adapter
   Physical Address. . . . . . . . . : FA-45-32-3A-AB-36
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.241
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.200
0
 
LVL 13

Accepted Solution

by:
Ugo Mena earned 500 total points
ID: 38803500
OK. This should be it

If your 2008 DC is the only DNS server on your network, then you will need to enable (with at least 1) DNS forwarder (use your ISPs DNS servers) within Forwarders tab. Select allow DNS recursion (by unchecking disable box) and Secure cache against pollution within the Advanced tab. Both are done from within the DNS Server Properties.

If you find that you already have a forwarder listed, then it is not responding correctly. The TEST: Forwarders/Root hints (Forw) results are showing that your server is set to use root servers when forwarders are not responding.

But your server's root hints are not up to date and it is failing to get to the correct b.root-servers.net and l.root-servers.net

You should edit your root hints and update b.root-servers.net to address 192.228.79.201 and  l.root-servers.net to address 199.7.83.42 too.

Your DNS server will have to perform all the queries whether recursive or iterative queries are being used, but when recursion is used, most of the name resolution requests are handled by your DNS server and are kept off of your network. This reduces the amount of traffic flowing across the network, thereby improving performance.
0
 
LVL 4

Expert Comment

by:mgpremkumar
ID: 38804033
The issue description says:
I am unable to login to my domain controller from a member (server 2003)

Could you please elaborate?
Are you trying to RDP into the domain controller from the member server or are you trying to logon to the member server using the domain credentials?
What is the error message that you are seeing?
0
 

Author Closing Comment

by:LFoArano
ID: 38805394
Thank you kindly!!!! You, sir, were great!
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many admins will agree: WSUS is is a nice invention but using it on the client side when updating a newly installed computer is still time consuming as you have to do several reboots and furthermore, the procedure of installing updates, rebooting an…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

822 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question