AJKBOC


Domain controller

Dear All,

We have an issue with one of our domain controllers, let's name it "DC_A". This domain controller is a Windows Server 2008 R2 and is the operations master of our domain. Problems we get are the following:

- The DNS on the server does not work. When we try to open the DNS Manager it gives the following error: "Access was denied. Would you like to add it anyway?". Answering yes displays the DNS Manager with a red X on the domain controller.
- If you open "Operations Master" from Active Directory Users and Computers management console from another domain controller, the operations master field displays "ERROR" for RID, PDC and Infrastructure. This field should show DC_A as the operations master. If you check this from DC_A it correctly shows itself as the operations master.
- All systems that have DC_A as their primary DNS cannot authenticate to Active Directory and fail to log in.

The server started giving these errors without any change to its configuration from our side. What could be the problem causing these issues and how can we troubleshoot?

Thank you.
Manojkumar Rane

Check event viewer on FSMO role holder.
Check DNS setting on NIC card.
Run command NETDOM QUERY DC & NETDOM QUERY FSMO. (provide the output)
Run dcdiag /q (Provide the output)
Guy Lidbetter
First thing would be to change your DHCP scope to point to the secondary DNS server so while you are resolving this issue the computers can log on.

Check this

Also run dcdiag and netdiag, try running them as administrator.
Actually... "net start ntds" isn't a bad place to start.... checking the services are running is a basic thing!

If this works fine then you don't need to seize or transfer the FSMO Roles. Once Active-Directory is up verify by running the following command and see if FSMO roles are intact

netdom query fsmo

Chris H
Is there a user account running the DNS server service in services.msc on the problem child domain?
Can you access the DNS interface remotely from another system?

The issue might be related to the account/profile.

Was any restore performed on this DC system or an issue arose and the system was restored from a backup image? I believe an AD restore would lead to an event?

When you say from your side, who else has access/control over the server?

At this point the remedy is to update the DHCP server to exclude this server's IP as a name server reference in the scope options.
Then you have to decide how to proceed. One way is, after removing/transferring files if any, have another system assert that it is the RID, Schema, FSMO, etc. master.
You might have to seize the roles using ntdsutil.
Check your hosts file on the Domain Controller, also. Make sure it only has one NIC and that the DNS server is set correctly as mentioned by Manojkumar above.
AJKBOC


Dear All,

Thank you very much for your suggestions. We have removed DC_A from the DHCP scope as a temporary measure. We ran "net start ntds" and it said that the services were already started. We stopped the service and restarted it and after that the problem was resolved. The strange thing about this is that we had already restarted the server several times yesterday but the problem was still there. After manually restarting ntds the problem was resolved.

Thank you All.
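
The checks suggested in this thread, gathered into one read-only triage script. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell 2.0 or later prompt on the affected domain controller and uses the standard Windows service names NTDS, DNS, Kdc, Netlogon and IsmServ.

```powershell
# Added example: read-only triage for a DC whose DNS and FSMO lookups fail.
# Nothing here stops, starts or reconfigures a service.

# Core services a domain controller needs for directory, DNS and logon.
# Assumption: standard Windows service names; adjust if DNS is hosted elsewhere.
$names = 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'IsmServ'

$report = foreach ($name in $names) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        New-Object PSObject -Property @{
            Service   = $svc.Name
            Status    = $svc.Status
            # Services this one needs before it can start
            DependsOn = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
        }
    } else {
        New-Object PSObject -Property @{
            Service = $name; Status = 'NotInstalled'; DependsOn = ''
        }
    }
}
$report | Format-Table Service, Status, DependsOn -AutoSize

# Services that are taken down when NTDS is stopped, with their current state.
# These are the ones to re-check after NTDS has been stopped and started by hand.
$ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
if ($ntds) { $ntds.DependentServices | Format-Table Name, Status -AutoSize }

# A service can report "Running" while the DC still does not answer correctly,
# so follow the status check with the functional checks named in the thread.
'--- netdom query fsmo ---'
netdom query fsmo

'--- netdom query dc ---'
netdom query dc

# dcdiag /q prints only errors, so empty output means every test passed.
'--- dcdiag /q ---'
$dcdiag = dcdiag /q 2>&1
if ($dcdiag) { $dcdiag } else { 'No errors reported.' }
```

Run it on the affected DC and again on a healthy one; differences in the service table or in the FSMO owners each DC reports show where the two disagree.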
Hi There,

Very happy you got this resolved.

Keep well!