Missing DNS zones in AD-integrated DNS

I am looking at my DNS and I don't see any _msdcs, _tcp, _ldap, etc. zones.
I see domain.com and child.domain.com and domain.dmz zones.

Not even a gray folder outside of the domain.com.

The forest has a combination of Windows 2003 and Windows 2008.
There are hundreds of DCs all across North America and each site has its own subnet.

As I mentioned, there is also a child domain.

Notice that there are errors across DCs that report as such:


The dynamic registration of the DNS record '_ldap._tcp.Default._sites.gc._msdcs.domain.com. 600 IN SRV 100 100 3268 DCC02.domain.com.' failed on the following DNS server:



DNS server IP address: 172.16.110.10    (this is the primary DC)

Returned Response Code (RCODE): 5

Returned Status Code: 9016


DC forwarders go to 192.168.110.10, which also has a zone called domain.dmz.



For computers and users to locate this domain controller, this record must be registered in DNS.




Also getting:

The dynamic registration of the DNS record '_kerberos._tcp.somesite._sites.child.domain.com 600 IN SRV 0 100 88 DC03.child.domain.com.' failed on the following DNS server:



DNS server IP address: ::

Returned Response Code (RCODE): 0

Returned Status Code: 10048
 

dcdiag /test:dns shows:
            DNS server: x.x.x.x (anotherDC.domain.com.)
               1 test failure on this DNS server
               Delegation is broken for the domain domain.com.domain.com. on the DNS server x.x.x.x
               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

What's weird is that it says domain.com twice: domain.com.domain.com.


[Broken delegated domain domain.com.domain.com.]

      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x80000495
            Time Generated: 08/27/2013   14:24:00
            (Event String could not be retrieved)
         ......................... otherDC failed test kccevent

         An Error Event occured.  EventID: 0xC000001B
            Time Generated: 08/27/2013   14:22:28
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000001A
            Time Generated: 08/27/2013   14:25:20
            (Event String could not be retrieved)
Indyrb asked:

unknown_routine commented:
This problem may occur if the zone is either Active Directory-integrated or standard primary.

To fix it, try turning on the DNS dynamic update protocol on the affected network adapter:

A. On the desktop, right-click My Network Places, and then click Properties. Right-click the internal network adapter, and then click Properties.
B. Click TCP/IP, and then click Properties.
C. Click the Advanced button.
D. Click the DNS tab, and then select the "Register this connection's addresses in DNS" check box at the bottom of the tab.
E. Click OK until the Network Properties dialog box is closed.
F. Click Start, click Run, type cmd, and then press ENTER.
G. At a command prompt, stop and restart the Netlogon service and initiate the registration of the network adapter in DNS. To do this, use the following command-line statements:
   net stop netlogon
   net start netlogon
   ipconfig /registerdns
0
Indyrb (Author) commented:
I already have "Register this connection's addresses in DNS" checked.

It also has a DNS suffix for this connection: "domain.com".

"Use this connection's DNS suffix in DNS registration" is UNCHECKED.

Completed the rest: net stop/start netlogon and ipconfig /registerdns.
0
footech commented:
If the _msdcs zone doesn't exist, and there isn't a delegation for it under the yourdomain.com zone, when the Netlogon service is restarted _msdcs will be recreated as a subdomain of yourdomain.com.  The other option is to create the zone manually (replicate to all DNS servers in the forest), and when the Netlogon service is restarted on each DC, each will register its records in the zone.  Create the delegation for _msdcs as needed.

For your broken delegation, it sounds like there is one for yourdomain.com under the yourdomain.com zone.  If so, delete it.
0
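An added example (not footech's code or anything posted in this thread) that checks one DNS server for the two conditions footech describes: whether _msdcs exists as its own zone or only as a subdomain of the domain zone, and whether the domain zone carries NS records at a node named after itself, which is the "domain.com.domain.com" delegation dcdiag reports as broken. It wraps dnscmd.exe, the tool available on 2003/2008 DNS servers; the server name is a placeholder and the output-column layout it parses is an assumption about dnscmd's text format.

```powershell
# Added example, not from any participant in this thread. Assumes dnscmd.exe is on the
# PATH and the caller has DNS administrator rights on $DnsServer (placeholder name).
param(
    [string]$DnsServer = "dc01.domain.com",
    [string]$Domain    = "domain.com"
)

function Get-DnsZoneNames {
    # Parses the zone table printed by 'dnscmd /EnumZones'. Assumed column layout
    # (name, type, storage, properties) as printed by the 2003/2008 dnscmd.
    param([string]$Server)
    $lines = dnscmd $Server /EnumZones
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /EnumZones failed against $Server" }
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S+)\s+(Primary|Secondary|Stub|Forwarder|Cache)\s') {
            $matches[1]
        }
    }
}

function Test-DnsNodeHasNs {
    # True when the node inside the zone carries NS records. dnscmd treats a node name
    # without a trailing dot as relative to the zone, so node "domain.com" in zone
    # "domain.com" is the bogus domain.com.domain.com delegation point.
    param([string]$Server, [string]$Zone, [string]$Node)
    $out = dnscmd $Server /EnumRecords $Zone $Node /Type NS 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }    # node absent or no such records
    return [bool]($out | Where-Object { $_ -match '\sNS\s' })
}

$zones     = Get-DnsZoneNames -Server $DnsServer
$msdcsZone = "_msdcs.$Domain"
$msdcsDelegated = Test-DnsNodeHasNs -Server $DnsServer -Zone $Domain -Node '_msdcs'

if ($zones -contains $msdcsZone) {
    Write-Host "$msdcsZone is hosted as a separate zone on $DnsServer."
    if (-not $msdcsDelegated) {
        Write-Warning ("No _msdcs delegation inside $Domain. Needed only if some server " +
                       "hosting $Domain does not also host $msdcsZone.")
    }
} elseif ($msdcsDelegated) {
    Write-Host "_msdcs is delegated from $Domain; the $msdcsZone zone lives on another server."
} else {
    Write-Host "_msdcs exists only as a subdomain of $Domain (or not at all); Netlogon registers under $Domain."
}

# The condition behind dcdiag's "Delegation is broken for the domain domain.com.domain.com."
if (Test-DnsNodeHasNs -Server $DnsServer -Zone $Domain -Node $Domain) {
    Write-Warning ("Zone $Domain has NS records at node '$Domain' (= $Domain.$Domain). " +
                   "That is the broken delegation dcdiag reports; remove that node.")
}
```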
unknown_routine commented:
Then you have to remove DNS and reinstall it.

To remove DNS, follow these steps:

1. Right-click My Network Places, and then click Properties.
2. In the Network and Dial-Up Connections window, on the Advanced menu, click Optional Networking Components.
3. In the Windows Optional Networking Components Wizard, select Networking Services, and then click Details.
4. In the Networking Services window, clear the Domain Name System (DNS) check box, click OK, and then click Next. This removes DNS.

Before you reinstall DNS, delete the following files:
• Cache.dns, which is located in %systemroot%\Winnt\System32\DNS
• Netlogon.dns, which is located in %systemroot%\Winnt\System32\Config
• Netlogon.dnb, which is located in %systemroot%\Winnt\System32\Config

To reinstall DNS, follow these steps:
1. Right-click My Network Places, and then click Properties.
2. In the Network and Dial-Up Connections window, on the Advanced menu, click Optional Networking Components.
3. In the Windows Optional Networking Components Wizard, select the Networking Services check box, and then click Details.
4. In the Networking Services dialog box, select the Domain Name System (DNS) check box, click OK, and then click Next.
5. Insert the operating system installation disc when you are prompted, click OK, and DNS is reinstalled.
6. Restart the computer.
0
Indyrb (Author) commented:
From which server? The one that is referenced in the Netlogon event ID, or the primary DNS?

The dynamic registration of the DNS record '_ldap._tcp.HQ._sites.ForestDnsZones.domain.com. 600 IN SRV 100 100 389 DC02.domain.com.' failed on the following DNS server:  

DNS server IP address: 172.16.110.10
Returned Response Code (RCODE): 5
Returned Status Code: 9016  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS signature failed to verify.
0
Sandeshdubey (Senior Server Engineer) commented:
Ensure the DNS settings are as below.

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
0
Indyrb (Author) commented:
I am kinda confused and need a little bit more insight.

On the root domain:
There is a domain.com DNS forward lookup zone (AD integrated).
Then a child.domain.com DNS forward lookup zone, but this is a stub zone.

Then on child.domain.com:
The child.domain.com zone is AD integrated,
and domain.com is a stub zone.

Is this the right way to do it? And do I even need to be concerned with the missing _msdcs, _sites, _tcp, etc.?

They don't exist in any of the DNS zones,
neither domain.com nor child.domain.com.
0
Sandeshdubey (Senior Server Engineer) commented:
Can you post a screenshot of the root domain DNS and the child domain DNS to get a clear view?
0
Indyrb (Author) commented:
Okay, this is weird... on the PDC emulator, I have the domain.com zone, but not the _msdcs, _sites, _tcp, _tls, etc.

However, when I go to a secondary DC, poof, there are the _msdcs zones.

And then on a third DC, it doesn't have zone transfer, but the other two do.

The one giving the error "The dynamic registration of the DNS record '_kerberos._tcp" is on the PDC emulator without the _kerberos._tcp.<site> zone, even though it exists on another DC.

So what are the next steps,

and the third DC doesn't have zone transfer; is that an issue?
0
footech commented:
The way I see it there are two possibilities.
Either the information we have is incomplete or there is a problem with replication between the DCs.  A screenshot as mentioned by Sandeshdubey would help for the first.  For the second, look at event logs, run repadmin, dcdiag, etc.

Zone transfer settings are only needed when you have secondary zones.  If all your DNS servers are DCs and you're running AD-integrated zones, then there is no need for the zone transfer settings.
0
Indyrb (Author) commented:
Like I mentioned, I have hundreds of remote/branch domain controllers.

I found a global group named Hub_dcs with all the datacenter DCs in it.

Then there is a group policy named branchofficedc assigned to all domain controllers except the datacenter DCs. Also there are hundreds of sites; it looks like each site has a site link with itself and the datacenter.

Questions: is the GPO listed below right for a Windows 2003 and Windows 2008 AD DS domain with DNS?
Also, should remote AD DNS servers point to themselves or to the datacenter primary DNS, with large numbers of DCs?

Also, on the DNS forward zone domain.local, what would happen if domain controllers were given full rights/permissions on the zone to create records? Would that negate the GPO on remote DCs?

Also, what are the best-practice settings for this GPO?

Still getting weird issues; will provide dcdiag, etc. Takes forever to run with dcdiag /c /e /v /fix /q >dcdiag.log

Thanks for your help in advance.
I really do appreciate it : )

Also, time keeps slipping on some DCs.


GPO:

Computer Configuration (Enabled)
  Policies
    Administrative Templates (policy definitions (ADMX files) retrieved from the local machine)

      System/Net Logon
        Contact PDC on logon failure           Enabled
        Log File Debug Output Level            Enabled    Level: 536936447
        Netlogon share compatibility           Disabled
        Scavenge Interval                      Enabled    Seconds: 900
        Sysvol share compatibility             Disabled

      System/Net Logon/DC Locator DNS Records
        Automated Site Coverage by the DC Locator DNS SRV Records   Disabled
        DC Locator DNS records not registered by the DCs            Enabled
          Mnemonics: LdapIpAddress Ldap DcByGuid Kdc Dc Rfc1510Kdc Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd Gc GcIpAddress GenericGc
        Dynamic Registration of the DC Locator DNS Records          Enabled
        Force Rediscovery Interval                                  Enabled    Seconds: 5400
        Priority Set in the DC Locator DNS SRV Records              Enabled    Priority: 100
        Refresh Interval of the DC Locator DNS Records              Enabled    Seconds: 1900
        Sites Covered by the GC Locator DNS SRV Records             Disabled
        TTL Set in the DC Locator DNS Records                       Enabled    Seconds: 600

      Windows Components/AutoPlay Policies
        Turn off Autoplay                      Enabled    Turn off Autoplay on: All drives

  Preferences
    Windows Settings
      Registry
        Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NTDS/Diagnostics
          Common options (identical for the collection and for every item in it):
            Stop processing items on this extension if an error occurs on this item: No
            Remove this item when it is no longer applied: No
            Apply once and do not reapply: No
          Registry items (all with Action Update, Hive left blank in the report,
          Key path SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, Value type REG_DWORD):
            Value name                          Value data
            24 DS Schema                        0x0 (0)
            23 DS RPC Server                    0x1 (1)
            22 DS RPC Client                    0x1 (1)
            21 Linked-Value Replication         0x0 (0)
            20 Group Caching                    0x0 (0)
            19 Inter-site Messaging             0x0 (0)
            18 Global Catalog                   0x0 (0)
            17 Setup                            0x0 (0)
            16 LDAP Interface Events            0x0 (0)
            15 Field Engineering                0x0 (0)
            14 Backup                           0x0 (0)
            13 Name Resolution                  0x1 (1)
            12 Service Control                  0x0 (0)
            11 Initialization/Termination       0x0 (0)
            10 Performance Counters             0x0 (0)
            9 Internal Processing               0x0 (0)
            8 Directory Access                  0x1 (1)
            7 Internal Configuration            0x0 (0)
            6 Garbage Collection                0x0 (0)
            5 Replication Events                0x1 (1)
            4 MAPI Interface Events             0x0 (0)
            3 ExDS Interface Events             0x0 (0)
            2 Security Events                   0x1 (1)
            1 Knowledge Consistency Checker     0x0 (0)

        Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NtFrs/Parameters
          Common options: same as above (No / No / No)
          Registry item: Staging Space Limit in KB
            Action      Replace
            Hive        HKEY_LOCAL_MACHINE
            Key path    SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
            Value name  Staging Space Limit in KB
            Value type  REG_DWORD
            Value data  0xFFFFFFF (268435455)

0
Indyrb (Author) commented:
Also, does the
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"DsTombstoneInterval"=dword:0013c680

need to be set on all domain controllers, Windows 2003 and Windows 2008?
0
Indyrb (Author) commented:
What does this mean: "AtSite"?

• On all branch office domain controllers, add all entries that do not have "AtSite" as part of the mnemonic to the value of the registry key, except the DsaCname.

Looked at regedit on a remote DC and I didn't see the record...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
0
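An added example, not from any participant in this thread, for checking where the DnsAvoidRegisterRecords setting actually sits on a branch DC and whether it matches the mnemonic list in the GPO posted above. A Netlogon setting delivered by Group Policy is written under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters rather than under Services\Netlogon\Parameters, so the script reads both paths; the DC name is a placeholder, and remote registry access (Remote Registry service plus administrative rights) is assumed. The "AtSite" mnemonics the quoted KB text refers to are the site-specific records under _sites.<SiteName>, which are left registered so clients in the branch still locate their local DC.

```powershell
# Added example, not from any participant in this thread. Reads DnsAvoidRegisterRecords
# from the policy key and the service key of a DC and diffs it against the GPO list.
param([string]$Dc = "branchdc01.domain.com")   # placeholder DC name

# Mnemonics copied from the GPO listing posted in this thread.
$GpoMnemonics = ('LdapIpAddress Ldap DcByGuid Kdc Dc Rfc1510Kdc Rfc1510UdpKdc ' +
                 'Rfc1510Kpwd Rfc1510UdpKpwd Gc GcIpAddress GenericGc') -split '\s+'

function Get-RemoteNetlogonAvoidList {
    # Returns the mnemonic list stored at HKLM\<SubKey>\DnsAvoidRegisterRecords on
    # $Computer, or $null when the key or value is absent. Handles both storage forms:
    # REG_MULTI_SZ (one mnemonic per element) and REG_SZ (space-separated string).
    param([string]$Computer, [string]$SubKey)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }
        try {
            $raw = $key.GetValue('DnsAvoidRegisterRecords')
            if ($raw -eq $null) { return $null }
            if ($raw -is [string]) { return @($raw -split '\s+' | Where-Object { $_ }) }
            return [string[]]$raw
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

$paths = @{
    'Policy key (GPO-managed)' = 'SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    'Service key (local)'      = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
}

foreach ($label in $paths.Keys) {
    $list = Get-RemoteNetlogonAvoidList -Computer $Dc -SubKey $paths[$label]
    if ($list -eq $null) {
        Write-Host "$label : DnsAvoidRegisterRecords not present"
        continue
    }
    Write-Host "$label : $($list -join ' ')"
    # Anything the GPO names but the DC lacks means the policy has not applied (or was
    # overridden); anything extra means a local edit beyond the GPO.
    $missing = $GpoMnemonics | Where-Object { $list -notcontains $_ }
    $extra   = $list         | Where-Object { $GpoMnemonics -notcontains $_ }
    if ($missing) { Write-Warning "$label : GPO mnemonics not applied: $($missing -join ' ')" }
    if ($extra)   { Write-Warning "$label : mnemonics beyond the GPO list: $($extra -join ' ')" }
    # Any AtSite mnemonic in the list would stop the DC registering its own site records.
    $atSite = $list | Where-Object { $_ -match 'AtSite$' }
    if ($atSite) { Write-Warning "$label : site-specific records suppressed: $($atSite -join ' ')" }
}
```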
Indyrb (Author) commented:
In addition to the above (multiple questions):

Are you supposed to specify a preferred bridgehead server in Sites and Services?
Is there only one per forest/domain? Will this be the datacenter PDC/DC?
All other remote DCs are hub/spoke with site links.
0
Indyrb (Author) commented:
Errors from repadmin, dcdiag, etc.

Also, on the primary DNS site, should we run
dnscmd <ServerName> /Config <ZoneName> /AllowNSRecordsAutoCreation <IpAddresses>
and exclude remote branches from creating an NS record?

repadmin /failcache on a remote AD/DNS server,
on all sites... tons of them:


        190 consecutive failures since 2013-09-03 16:37:13.
        Last error: 1722 (0x6ba):
            The RPC server is unavailable.

Naming Context: DC=site,DC=domain,DC=local

Source: site-new-york\dc0105

******* WARNING: KCC could not add this REPLICA LINK due to error.

******* 87 CONSECUTIVE FAILURES since 2013-09-04 17:13:24

Last error: 1722 (0x6ba):

            The RPC server is unavailable.

REPLICATION-RECEIVED LATENCY WARNING
         Some-DC002:  Current time is 2013-09-05 16:09:34.

Event String: All domain controllers in the following site that

An Warning Event occured.  EventID: 0x8000061E

            Time Generated: 09/05/2013   15:56:14
            Event String: All domain controllers in the following site that

         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/05/2013   15:56:14
            Event String: The Knowledge Consistency Checker (KCC) has

         An Warning Event occured.  EventID: 0x80000749

         Source DC anotherdc1 has possible security error (1722).  Diagnosing...
               No KDC found for domain domain.local in site Sanfran-site (1355, NULL)

Unable to contact a KDC for the source domain in it's own site.  This means either there are no available KDC's for this domain in the site, *including* the source DC itself, or we're having network or packet fragmentation issues connecting to it.  We'll check packet fragmentation connection to the source DC, make recommendations, and continue.
                Warning:  The maximum non-fragmentable UDP transfer unit is 1448.
               This isn't a sufficient size for successful KDC operation unless all DC's in the enterprise are Windows Server 2003 or better.
               Solution:  Either configure the network to allow non-fragmented UDP packets of at least 1472 bytes, or install Server 2003 on all DC's in the enterprise and configure the KDC kerberos packet size to 1440.

 Unable to verify the machine account
LDAP search failed with error 58,


[WARNING] Failed to query SPN registration on DC

DC59             (unknown)        9 /  10   90  (1722) The RPC server is unavailable.
DC408             (unknown)        8 /  18   44  (1256) The remote system is not available.

Experienced the following operational errors trying to retrieve replication information:
58 - DC58.child.domain.local

Error: DNS server: DC401. IP:192.168.10.11

                  [Broken delegated domain domain.local.domain.local]

The dynamic registration of the DNS record '_ldap._tcp.Site-Michigan._sites.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 MainDC.domain.local.' failed on the following DNS server:  


         An Error Event occurred.  EventID: 0x000016AD

            Time Generated: 09/05/2013   16:14:57


failed because the security database does not contain a trust account Some-Member-Server$' referenced by the specified computer.

The session setup from the computer Some-Member-Server failed to authenticate. The following error occurred:
An Error Event occurred.  EventID: 0x0000168E


Happens on almost all DCs, from Windows 2008.
0
Indyrb (Author) commented:
Zone query result:

Zone info:
      ptr                   = 00000000002ED3C0
      zone name             = domain.local
      zone type             = 1
      shutdown              = 0
      paused                = 0
      update                = 2
      DS integrated         = 1
      read only zone        = 0
      in DS loading queue   = 0
      currently DS loading  = 0
      data file             = (null)
      using WINS            = 0
      using Nbstat          = 0
      aging                 = 1
        refresh interval    = 168
        no refresh          = 168
        scavenge available  = 3617161
      Zone Masters       NULL IP Array.
      Zone Secondaries       NULL IP Array.
      secure secs           = 1
      directory partition   = AD-Legacy     flags 00000012
      zone DN               = DC=domain.local,cn=MicrosoftDNS,cn=System,DC=domain,DC=local
Command completed successfully.
0
Indyrb (Author) commented:
On a Windows 2003 remote branch DC:
linkspeed /s domain.local


Evaluating the performance using MultiNetGetConnectionPerformance:
System                              : domain.local
Flag                                :
Link Speed ( in Mbps )              : 3533
Delay ( in milliseconds )           : 0
Data Packet Size                    : Unknown.

Evaluating the performance using PING routine:
ERROR : The network path was not found.

Evaluating the performance using QOS:
ERROR: The network location cannot be reached. For information about network troubleshooting, see Windows Help.
0
Indyrb (Author) commented:
Evaluating the performance using MultiNetGetConnectionPerformance:
System                              : MainDC.domain.local
Flag                                : WNCON_DYNAMIC
Link Speed ( in Mbps )              : 256
Delay ( in milliseconds )           : 550
Data Packet Size                    : Unknown.

Evaluating the performance using PING routine:
System                              : MainDC.domain.local
Link Speed ( in Mbps )              : 31
Delay ( in milliseconds )           : 3
Threshold value                     : TRUE

Evaluating the performance using QOS:
System                              : MainDC.domain.local
Flag                                : MEDIUM
Link Speed ( in Mbps )[incoming]    : 953
Link Speed ( in Mbps )[outgoing]    : 953
0
Sandeshdubey (Senior Server Engineer) commented:
The error "The RPC server is unavailable" that you are getting relates to a port being blocked, a network connectivity issue, or a DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Troubleshooting "RPC server is unavailable" error, reported in failing AD replication scenario.
http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

Also, it seems like black hole router issues:
http://support.microsoft.com/kb/314825
http://support.microsoft.com/kb/159211
0

Indyrb (Author) commented:
Would you get this error if, in Sites and Services, certain sites had a server but no NTDS Settings...

I do see another server in the site, and I'm not sure if the server without settings has been decommissioned or demoted/retired.

I will ping.

But quick question: I have hundreds of sites; is there a script that will report which site has a server in it without the NTDS Settings?
0
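An added example, not from any participant in this thread, answering the request above: it walks every server object under CN=Sites in the Configuration partition and reports the ones with no NTDS Settings child, which is what a DC removed without metadata cleanup leaves behind. It uses ADSI and DirectorySearcher so it runs from a domain-joined 2003/2008-era host with PowerShell 2.0 and no Active Directory module; read access to the Configuration naming context is the only requirement assumed.

```powershell
# Added example, not from any participant in this thread. Lists server objects in
# Sites and Services that lack an NTDS Settings object.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = [string]$rootDse.configurationNamingContext
$sitesRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,$configNc")

$searcher = New-Object System.DirectoryServices.DirectorySearcher($sitesRoot)
$searcher.Filter      = '(objectClass=server)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000   # paged search: hundreds of sites exceed the default 1000-entry result limit
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('dNSHostName')

function Get-RdnValue {
    # Returns the value of the RDN at position $Index in a DN, e.g. index 2 of
    # "CN=DC01,CN=Servers,CN=Chicago,CN=Sites,..." is "Chicago". Assumes no escaped
    # commas inside server or site names, the normal case for AD site names.
    param([string]$Dn, [int]$Index)
    ($Dn -split ',')[$Index] -replace '^CN=', ''
}

$report = foreach ($result in $searcher.FindAll()) {
    # Server DN shape: CN=<server>,CN=Servers,CN=<site>,CN=Sites,<configNC>
    $serverDn = [string]($result.Properties['distinguishedname'] | Select-Object -First 1)
    $dnsName  = [string]($result.Properties['dnshostname']       | Select-Object -First 1)
    New-Object PSObject -Property @{
        Site            = Get-RdnValue $serverDn 2
        Server          = Get-RdnValue $serverDn 0
        DnsHostName     = $dnsName
        # A live DC always has CN=NTDS Settings directly under its server object.
        HasNtdsSettings = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$serverDn")
    }
}

$orphans = @($report | Where-Object { -not $_.HasNtdsSettings } | Sort-Object Site)
$orphans | Format-Table Site, Server, DnsHostName -AutoSize
Write-Host ("{0} server objects checked, {1} without NTDS Settings" -f @($report).Count, $orphans.Count)
```

A server object listed here is not necessarily safe to delete: confirm against the other DC in that site and the decommissioning records before running metadata cleanup.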
Indyrb (Author) commented:
Awarding points, still researching the issue. Thanks for your help, EE Experts.
0