Domain controller

Dear All,

We have an issue with one of our domain controllers, let's name it "DC_A". This domain controller is a Windows Server 2008 R2 and is the operations master of our domain. Problems we get are the following:

- The DNS on the server does not work. When we try to open the DNS Manager it gives the following error: "Access was denied. Would you like to add it anyway?". Answering yes displays the DNS Manager with a red X on the domain controller.
- If you open "Operations Master" from Active Directory Users and Computers management console from another domain controller, the operations master field displays "ERROR" for RID, PDC and Infrastructure. This field should show DC_A as the operations master. If you check this from DC_A it correctly shows itself as the operations master.
- All systems that have DC_A as their primary DNS cannot authenticate to Active Directory and fail to log in.

The server started giving these errors without any change to its configuration from our side. What could be the problem causing these issues and how can we troubleshoot?

Thank you.

Manojkumar Rane commented:
Check event viewer on FSMO role holder.
Check DNS setting on NIC card.
Run command NETDOM QUERY DC & NETDOM QUERY FSMO. (provide the output)
Run dcdiag /q (Provide the output)
Guy Lidbetter commented:
In all honesty I'd seize the roles, transfer any DHCP\DNS etc. roles over to another DC, then dcpromo the DC out, wait for replication and promote it back in.

You can dig, scratch and do as you will but diagnosing a failed DC like this, unless it is your ONLY DC and you have no option, is a waste of time. It could be AD corruption, system failure, etc...

If you want to diagnose...
First run dcdiag on DC_A. Evaluate and check for errors, resolve as necessary.
Check that "Netdom query /d:domain FSMO" lists your server.
Download DNSLINT and run a replication check from one of your other DCs to DC_A.
Perform Semantic database analysis with fixup (

Once you've done all that, we can try a few more things.

Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:

Since your DNS is not working, if you try to open Active Directory Users & Computers you receive an error, "Naming Information could not be found", and the AD console will fail to open. To resolve this issue check that the DNS Service is started from Services.msc. When you open the DNS management console on DC_A, right click > All Tasks and start or restart the service. Once the service is started, see if you're able to open Active Directory Users & Computers. You can also check whether Active Directory Domain Services is started and, if not, try starting it. From the command prompt issue the following command and see if all the services are started when you execute it.

net start ntds
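Pulling the checks from Manojkumar's, Guy's and Manikandan's replies into a single triage script, as an added example that is not code posted in the thread; it assumes an elevated PowerShell session on the suspect DC and that `DC_A` is the server name (a placeholder you would replace):

```powershell
# Added example, not from the thread: first-pass triage of a suspect DC.
# Run in an elevated PowerShell session on the DC itself. $DcName is an assumed placeholder.
$DcName = 'DC_A'

# 1. Core services. The thread's fix turned out to be a manual restart of NTDS,
#    so a service that reports Running but is unresponsive is still worth a restart.
Get-Service -Name NTDS, DNS, Netlogon, Kdc, W32Time -ErrorAction SilentlyContinue |
    Select-Object Name, Status | Format-Table -AutoSize

# 2. NIC DNS settings. A DC should point at itself and/or a partner DC, not an ISP resolver,
#    and a second IP-enabled adapter is a common cause of odd registration problems.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder | Format-List

# 3. FSMO role holders as this DC sees them; the other DCs showed ERROR for these.
& netdom query fsmo 2>&1

# 4. dcdiag in quiet mode prints only failures, so no output is a pass.
$dcdiag = & dcdiag /s:$DcName /q 2>&1
if (-not $dcdiag) { 'dcdiag /q: no failures reported' } else { $dcdiag }

# 5. Inbound replication status for this DC; a failed last attempt needs attention.
& repadmin /showrepl $DcName 2>&1 | Select-String -Pattern 'Last attempt|failed|error'

# 6. Errors and warnings from the last 24 hours in the AD-related logs.
$since = (Get-Date).AddHours(-24)
foreach ($log in 'Directory Service', 'DNS Server', 'System') {
    Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -match 'NTDS|DNS|Netlogon|KDC|Kerberos' } |
        Select-Object TimeGenerated, Source, EventID,
            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(100, $_.Message.Length)) } } |
        Format-Table -AutoSize -Wrap
}
```

Read the output top to bottom: a stopped or hung service, an external resolver on the NIC, or an ERROR line from netdom each point at a different fix, and the event log section usually explains which one applies.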


Thomas Grassi (Systems Administrator) commented:
First thing would be to change your DHCP scope to point to the secondary DNS server so that while you are resolving this issue the computers can log on.

Check this

Also run dcdiag and netdiag, and try running them as administrator.
Guy Lidbetter commented:
Actually... "net start ntds" isn't a bad place to start.... checking the services are running is a basic thing!
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:

If this works fine then you don't need to seize or transfer the FSMO roles. Once Active Directory is up, verify by running the following command and see if the FSMO roles are intact:

netdom query fsmo

Chris H (Infrastructure Manager) commented:
Is there a user account running the DNS Server service in services.msc on the problem child domain?
Can you access the DNS interface remotely from another system?

The issue might be related to the account/profile..

Was any restore performed on this DC system or an issue arose and the system was restored from a backup image?  I believe an AD restore would lead to an event?

When you say from your side, who else has access/control over the server?

At this point the remedy is to update the DHCP server to exclude this server's IP as a name server reference in the scope options.
Then you have to decide how to proceed. One way is, after removing/transferring files if any, to have another system assert that it is the RID, Schema, FSMO, etc. master.
You might have to seize the roles using ntdsutil.
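The DHCP-side mitigation that Thomas and Chris both describe, as an added example that is not code from the thread: it removes DC_A's address from the DNS Servers option (006) of every scope that sets it. It uses the DhcpServer PowerShell module (Windows Server 2012 or RSAT, not native to 2008 R2, where `netsh dhcp` does the same job); the server name and all addresses are assumed placeholders.

```powershell
# Added example, not from the thread. Requires the DhcpServer module and rights on the DHCP server.
# All names and addresses below are assumed placeholders.
$DhcpServer = 'dhcp01.example.local'
$BadDns     = '10.0.0.10'   # DC_A, the failed resolver (assumed)
$GoodDns    = '10.0.0.11'   # a healthy DC to fall back to (assumed)

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    # Option 6 = DNS Servers. A scope without its own value inherits the server-level option.
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId `
                                       -OptionId 6 -ErrorAction SilentlyContinue
    if (-not $opt) { continue }

    $current = @($opt.Value)
    if ($current -notcontains $BadDns) { continue }   # this scope never pointed at DC_A

    # Keep the order of the remaining servers; clients try them in that order.
    $new = @($current | Where-Object { $_ -ne $BadDns })
    if ($new.Count -eq 0) { $new = @($GoodDns) }      # never hand clients an empty resolver list

    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -DnsServer $new
    '{0}: {1} -> {2}' -f $scope.ScopeId, ($current -join ', '), ($new -join ', ')
}

# The server-level option is checked the same way, without -ScopeId.
$srv = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
if ($srv -and (@($srv.Value) -contains $BadDns)) {
    $new = @(@($srv.Value) | Where-Object { $_ -ne $BadDns })
    if ($new.Count -eq 0) { $new = @($GoodDns) }
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -DnsServer $new
    'server-level: {0} -> {1}' -f (@($srv.Value) -join ', '), ($new -join ', ')
}
```

Clients only pick up the new list when their lease renews, so an `ipconfig /renew` on affected workstations gets them logging on again sooner; reverse the change once DC_A is healthy.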
Chris H (Infrastructure Manager) commented:
Check your hosts file on the Domain Controller, also. Make sure it only has one NIC and that the DNS server is set correctly as mentioned by Manojkumar above.
AJKBOC (Author) commented:
Dear All,

Thank you very much for your suggestions. We have removed DC_A from the DHCP scope as a temporary measure. We ran "net start ntds" and it said that the services were already started. We stopped the service and restarted it, and after that the problem was resolved. The strange thing about this is that we had already restarted the server several times yesterday but the problem was still there. After manually restarting NTDS the problem was resolved.

Thank you All.
Guy Lidbetter commented:
Hi There,

Very happy you got this resolved.

Keep well!