Solved

Unable to login to domain controller (DC=2008, Client=2003)

Posted on 2013-01-21
Last Modified: 2013-01-22
Good Day,
I am unable to login to my domain controller from a member (server 2003). DNS Services are currently running. Here is a log file from dcdiag test:dns

Domain Name: coop.tor
DC Name: TOR-DC01.coop.tor
2003 Box:  TOR-DB02.coop.tor


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\TOR-DC01
      Starting test: Connectivity
         ......................... TOR-DC01 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\TOR-DC01

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : coop
   
   Running enterprise tests on : coop.tor
      Starting test: DNS
         Test results for domain controllers:
           
            DC: TOR-DC01.coop.tor
            Domain: coop.tor

                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                 
               TEST: Delegations (Del)
                  Warning: DNS server: tor_dc01.coop.tor. IP: <Unavailable> Failure:Missing glue A record
               
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
               
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: coop.tor
               TOR-DC01                     PASS PASS PASS FAIL PASS FAIL n/a  
         
         ......................... coop.tor failed test DNS



Any and all help is always appreciated!
Question by:LFoArano
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38802474
The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003.

Update your root certificates on your 2003 server.

Windows Update Catalog

Look for “root update” or the KB article for the Root Certificate Program, “KB931125”.
 

Author Comment

by:LFoArano
ID: 38802488
Thank you, but the dcdiag above was from a 2008 DC.

Did you want me to try to update my root certs on my tor-db02 box (Server 2003)?
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38802505
Sorry. Yes, you should try to update root certs on your 2008 DC.

Here is what I am getting for those roots:

b.root-servers.net has address 192.228.79.201
l.root-servers.net has address 199.7.83.42
 

Author Comment

by:LFoArano
ID: 38802529
No luck, at least not all the way through.
Please review the new DCDiag /test:dns



Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\TOR-DC01
      Starting test: Connectivity
         ......................... TOR-DC01 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\TOR-DC01

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : coop
   
   Running enterprise tests on : coop.tor
      Starting test: DNS
         Test results for domain controllers:
           
            DC: TOR-DC01.coop.tor
            Domain: coop.tor

                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                 
               TEST: Delegations (Del)
                  Warning: DNS server: tor_dc01.coop.tor. IP: <Unavailable> Failure:Missing glue A record
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
               
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: coop.tor
               TOR-DC01                     PASS PASS PASS FAIL PASS PASS n/a  
         
         ......................... coop.tor failed test DNS
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38802662
Can you send the results of ipconfig /all from your 2008 DC?

It appears you have invalid DNS forwarders listed.

 

Author Comment

by:LFoArano
ID: 38803182
sure thing, here you go:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : TOR-DC01
   Primary Dns Suffix  . . . . . . . : coop.tor
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : coop.tor

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Citrix XenServer PV Ethernet Adapter
   Physical Address. . . . . . . . . : EA-3F-C3-15-49-8C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.200
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{874DE82C-F12D-43DA-A1BC-99707A704A7A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38803297
Ok, I think we are almost there.

What does ipconfig /all from the 2003 server contain?
 

Author Comment

by:LFoArano
ID: 38803350
Here we go:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TOR-DB02
   Primary Dns Suffix  . . . . . . . : coop.tor
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : coop.tor

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Citrix XenServer PV Ethernet Adapter
   Physical Address. . . . . . . . . : FA-45-32-3A-AB-36
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.241
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.200
 
LVL 13

Accepted Solution

by:
Ugo Mena earned 500 total points
ID: 38803500
OK. This should be it.

If your 2008 DC is the only DNS server on your network, then you will need to enable (with at least 1) DNS forwarder (use your ISP's DNS servers) within the Forwarders tab. Select allow DNS recursion (by unchecking the disable box) and Secure cache against pollution within the Advanced tab. Both are done from within the DNS Server Properties.

If you find that you already have a forwarder listed, then it is not responding correctly. The TEST: Forwarders/Root hints (Forw) results are showing that your server is set to use root servers when forwarders are not responding.

But your server's root hints are not up to date and it is failing to get to the correct b.root-servers.net and l.root-servers.net.

You should edit your root hints and update b.root-servers.net to address 192.228.79.201 and l.root-servers.net to address 199.7.83.42 too.

Your DNS server will have to perform all the queries whether recursive or iterative queries are being used, but when recursion is used, most of the name resolution requests are handled by your DNS server and are kept off of your network. This reduces the amount of traffic flowing across the network, thereby improving performance.
0
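The dcdiag findings this answer works from, extracted by a small parser; this is an added example, not part of the original posts. The sample lines are trimmed from the second dcdiag output posted in this thread, the expected addresses are the ones quoted in the answer above, and the `WARN` status token and all function names are assumptions.

```python
import re

# Constructed sample: lines trimmed from the second dcdiag /test:dns output in this thread.
SAMPLE = """\
   TEST: Forwarders/Root hints (Forw)
      Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
      Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
   TEST: Delegations (Del)
      Warning: DNS server: tor_dc01.coop.tor. IP: <Unavailable> Failure:Missing glue A record
                                Auth Basc Forw Del  Dyn  RReg Ext
   Domain: coop.tor
      TOR-DC01                  PASS PASS PASS FAIL PASS PASS n/a
"""

# Addresses quoted in the thread's answer (2013); check the current root zone before reuse.
EXPECTED_HINTS = {"b.root-servers.net": "192.228.79.201",
                  "l.root-servers.net": "199.7.83.42"}

HINT_RE = re.compile(r"invalid root hint server:\s*(\S+?)\.?\s*\(([\d.]+)\)")
COLS_RE = re.compile(r"^\s*Auth\s+Basc\s+Forw\s+Del\s+Dyn\s+RReg\s+Ext\s*$")
STATUS = {"PASS", "FAIL", "n/a", "WARN"}  # WARN is an assumption; the rest appear in the thread

def parse_dcdiag_dns(text):
    """Return ({rejected root hint host: configured IP}, {DC: {test column: result}})."""
    stale, matrix, columns = {}, {}, None
    for line in text.splitlines():
        m = HINT_RE.search(line)
        if m:
            stale[m.group(1)] = m.group(2)
        elif COLS_RE.match(line):
            columns = line.split()          # header row of the summary matrix
        elif columns:
            parts = line.split()            # a DC row is: name + one status per column
            if len(parts) == len(columns) + 1 and set(parts[1:]) <= STATUS:
                matrix[parts[0]] = dict(zip(columns, parts[1:]))
    return stale, matrix

def findings(text, expected=EXPECTED_HINTS):
    """List the items an operator should act on, including ones the matrix hides."""
    stale, matrix = parse_dcdiag_dns(text)
    out = []
    for host, addr in sorted(stale.items()):
        want = expected.get(host, "unknown")
        out.append(f"root hint {host}: configured {addr}, answer in thread gives {want}")
    for dc, row in matrix.items():
        out += [f"{dc}: {test} FAIL" for test, res in row.items() if res == "FAIL"]
        if stale and row.get("Forw") == "PASS":
            out.append(f"{dc}: Forw column is PASS but {len(stale)} root hints were rejected")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

The last finding is the reason to read the per-test error lines and not only the summary matrix: in the posted output the Forw column shows PASS while two root hints are reported invalid.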
 
LVL 4

Expert Comment

by:mgpremkumar
ID: 38804033
The issue description says:
I am unable to login to my domain controller from a member (server 2003)

Could you please elaborate?
Are you trying to RDP into the domain controller from the member server or are you trying to logon to the member server using the domain credentials?
What is the error message that you are seeing?
 

Author Closing Comment

by:LFoArano
ID: 38805394
Thank you kindly!!!! You, sir, were great!

Question has a verified solution.
