Solved

DNS error. Troubleshooting DNS resolution

Posted on 2015-02-16
Last Modified: 2015-03-16
Hello,
We have AD-integrated DNS and just introduced new 2012 DCs into the environment. I see this error in the DNS event log on the new 2012 DC. Please advise:
Question by:creative555
16 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40612745
Which error? Forgot the upload I think?
0
 

Author Comment

by:creative555
ID: 40612746
DNSerrro.jpg
0
 
LVL 76

Expert Comment

by:arnold
ID: 40612749
While adding the event, text is preferred to an image.
What AD domain/forest are you running: 2008, 2003?

Did you install all the required roles on the new server including DNS??
0
 

Author Comment

by:creative555
ID: 40612750
Here you go. What should we do? How to troubleshoot it?
0
 
LVL 76

Expert Comment

by:arnold
ID: 40612754
On your functional DC, check the DNS server and the domain zone properties. What do you have set there dealing with access to the zone: all DNS on domain controllers in the forest/domain, or the pre-2000?
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40612765
Also, run DCDIAG for more in-depth analysis, could be replication going on...
0
 

Author Comment

by:creative555
ID: 40612782
ToaLLDCs.jpg
0
 

Author Comment

by:creative555
ID: 40612783
Do you want dcdiag without any switches? I ran dcdiag with the /v switch; here is the log.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40612788
Do you still have a 2000 DC? If DNS on a DC in the forest or domain.

It seems you have a 2003 DC? You need to add ntfrs/sysvol roles to the 2012 DC so they can replicate data.
0
 

Author Comment

by:creative555
ID: 40612805
I am getting this same error 4015 on all new 2012 DCs/DNS that we introduced. On 2003 DNS we are getting these errors:

DNSexistingerror.jpg
error4010.jpg
0
 

Author Comment

by:creative555
ID: 40612807
ntfrs/sysvol roles?? Never heard of such roles. Could you please be more specific? Would this resolve DNS issues? Yes, you are correct, we have a 2003 DC and we are bringing in a new 2012 DC.

On all 2012 DCs/DNS we are getting this error 4015
0
 

Author Comment

by:creative555
ID: 40612827
All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 79 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: NYC\2012DC01

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... 2012DC01 passed test Connectivity



Doing primary tests

   
   Testing server: NYC\2012DC01

      Starting test: Advertising

         The DC 2012DC01 is advertising itself as a DC and having a DS.
         The DC 2012DC01 is advertising as an LDAP server
         The DC 2012DC01 is advertising as having a writeable directory
         The DC 2012DC01 is advertising as a Key Distribution Center
         The DC 2012DC01 is advertising as a time server
         The DS 2012DC01 is advertising as a GC.
         ......................... 2012DC01 passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         ......................... 2012DC01 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         Skip the test because the server is running FRS.

         ......................... 2012DC01 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... 2012DC01 passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... 2012DC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=NAPDCMDMCT001PV,CN=Servers,CN=PDC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=NAPDCMDMCT001PV,CN=Servers,CN=PDC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=2003DC01,CN=Servers,CN=PDC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=2003DC01,CN=Servers,CN=PDC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=2003DC01,CN=Servers,CN=PDC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com
         ......................... 2012DC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC 2012DC01 on DC 2012DC01.
         * SPN found :LDAP/2012DC01.corp.domain.com/corp.domain.com
         * SPN found :LDAP/2012DC01.corp.domain.com
         * SPN found :LDAP/2012DC01
         * SPN found :LDAP/2012DC01.corp.domain.com/CORP
         * SPN found :LDAP/0e3fa761-5216-4730-bb69-88a9529069db._msdcs.frd.domain.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/0e3fa761-5216-4730-bb69-88a9529069db/corp.domain.com
         * SPN found :HOST/2012DC01.corp.domain.com/corp.domain.com
         * SPN found :HOST/2012DC01.corp.domain.com
         * SPN found :HOST/2012DC01
         * SPN found :HOST/2012DC01.corp.domain.com/CORP
         * SPN found :GC/2012DC01.corp.domain.com/frd.domain.com
         ......................... 2012DC01 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC 2012DC01.
         * Security Permissions Check for

           DC=DomainDnsZones,DC=corp,DC=domain,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=ForestDnsZones,DC=frd,DC=domain,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=corp,DC=domain,DC=com
            (Domain,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=frd,DC=domain,DC=com
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=frd,DC=domain,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=frd,DC=domain,DC=com
            (Domain,Version 3)
         ......................... 2012DC01 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\2012DC01\netlogon
         Verified share \\2012DC01\sysvol
         ......................... 2012DC01 passed test NetLogons

      Starting test: ObjectsReplicated

         2012DC01 is in domain DC=corp,DC=domain,DC=com
         Checking for CN=2012DC01,OU=Domain Controllers,DC=corp,DC=domain,DC=com in domain DC=corp,DC=domain,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=2012DC01,CN=Servers,CN=NYC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com in domain CN=Configuration,DC=frd,DC=domain,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... 2012DC01 passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=frd,DC=domain,DC=com
               Latency information for 46 entries in the vector were ignored.
                  46 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=frd,DC=domain,DC=com
               Latency information for 72 entries in the vector were ignored.
                  72 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=frd,DC=domain,DC=com
               Latency information for 72 entries in the vector were ignored.
                  72 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=frd,DC=domain,DC=com
               Latency information for 67 entries in the vector were ignored.
                  4 were retired Invocations.  63 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=corp,DC=domain,DC=com
               Latency information for 44 entries in the vector were ignored.
                  44 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=corp,DC=domain,DC=com
               Latency information for 67 entries in the vector were ignored.
                  67 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... 2012DC01 passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 1619104 to 1073741823
         * 2003DC01.corp.domain.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1616104 to 1616603
         * rIDPreviousAllocationPool is 1616104 to 1616603
         * rIDNextRID: 1616104
         ......................... 2012DC01 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... 2012DC01 passed test Services

      Starting test: SystemLog

         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... 2012DC01 passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=2012DC01,OU=Domain Controllers,DC=corp,DC=domain,DC=com and

         backlink on

         CN=2012DC01,CN=Servers,CN=NYC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com

         are correct.
         The system object reference (serverReferenceBL)

         CN=2012DC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=corp,DC=domain,DC=com

         and backlink on

         CN=NTDS Settings,CN=2012DC01,CN=Servers,CN=NYC,CN=Sites,CN=Configuration,DC=frd,DC=domain,DC=com

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=2012DC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=corp,DC=domain,DC=com

         and backlink on

         CN=2012DC01,OU=Domain Controllers,DC=corp,DC=domain,DC=com are

         correct.
         ......................... 2012DC01 passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : corp

      Starting test: CheckSDRefDom

         ......................... corp passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... corp passed test CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running enterprise tests on : frd.domain.com

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\2012DC01.corp.domain.com

         Locator Flags: 0xe000f1fc
         PDC Name: \\2003DC01.corp.domain.com
         Locator Flags: 0xe0000179
         Time Server Name: \\2012DC01.corp.domain.com
         Locator Flags: 0xe000f1fc
         Preferred Time Server Name: \\2012DC01.corp.domain.com
         Locator Flags: 0xe000f1fc
         KDC Name: \\2012DC01.corp.domain.com
         Locator Flags: 0xe000f1fc
         ......................... frd.domain.com passed test LocatorCheck

      Starting test: Intersite

         Skipping site MEX, this site is outside the scope provided by the

         
         command line arguments provided.
         Skipping site NYC, this site is outside the scope provided by the

         command line arguments provided.
         ......................... frd.domain.com passed test Intersite
0
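Added example, not part of the original thread: a small Python parser that summarizes pasted dcdiag verbose output into passed, failed and omitted tests, including results whose test name wrapped onto a later line. The sample is an excerpt of the log above with one constructed "failed" line added (an assumption, to exercise that branch); on it, the summary shows that the DNS test was omitted from this run, so the log carries no result for the DNS error being asked about.

```python
import re

# Excerpt of the dcdiag /v log above. The final "failed" line is constructed
# for this example; the original log contains no failures.
SAMPLE = """\
      Starting test: Connectivity
         ......................... 2012DC01 passed test Connectivity
      Test omitted by user request: CheckSecurityError
      Starting test: FrsEvent
         ......................... 2012DC01 passed test FrsEvent
      Test omitted by user request: DNS
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test

         CrossRefValidation
   Running enterprise tests on : frd.domain.com
      Test omitted by user request: DNS
         ......................... frd.domain.com failed test LocatorCheck
"""

RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?\s*$")
OMITTED = re.compile(r"Test omitted by user request:\s*(\S+)")

def summarize(text):
    """Return passed/failed as sets of (target, test), omitted as test names."""
    out = {"passed": set(), "failed": set(), "omitted": set()}
    pending = None  # (target, status) whose test name wrapped to a later line
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if pending:
            out[pending[1]].add((pending[0], line))
            pending = None
        elif (m := RESULT.search(line)):
            target, status, test = m.groups()
            if test:
                out[status].add((target, test))
            else:
                pending = (target, status)
        elif (m := OMITTED.search(line)):
            out["omitted"].add(m.group(1))
    return out

def dns_was_tested(summary):
    """True only if a DNS test actually produced a pass/fail result."""
    return any(t == "DNS" for _, t in summary["passed"] | summary["failed"])

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(sorted(s["failed"]), sorted(s["omitted"]), dns_was_tested(s))
```

The DNS test has to be requested explicitly (for example `dcdiag /test:DNS`) before dcdiag reports on it.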
 
LVL 76

Expert Comment

by:arnold
ID: 40612863
2003 to 2012: ntfrs is needed, look under the fileserver DFS roles, there should be additional features that need to be added.
Does the 2012 show sysvol in net share?

There are a few that need to be added if not so already.
0
 

Author Comment

by:creative555
ID: 40613040
NTfrsId13516.jpg
0
 

Author Comment

by:creative555
ID: 40613058
What am I looking for under the 2012 Sysvol folder? I see the policy folder has some policy folders there.

SysVol-Volume.jpg
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 40613178
Under the fileserver role, look through role services and add the Windows Server 2003 File Services. This is the way it is referenced under 2008; I think it should still be included/referenced under 2012 as well.

This should resolve your issue.
0
