Trying to improve domain integrity
We are trying to pinpoint some DNS / AD issues going on in one of our domain networks. We run a SQL application and have users getting kicked out of the program due to SQL authentication errors multiple times every day. Errors vary but the most common one I am seeing has to do with the domain being "untrusted". Running DCDiag I get the following output:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Server
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER
Starting test: Connectivity
The host 7b75d73e-c8a4-4fe5-ae3f-3c8a6884ad31._msdcs.boggscontracting.com could not be resolved to an IP
address. Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... SERVER failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER
Skipping all tests, because server SERVER is not responding to directory service requests.
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : boggscontracting
Starting test: CheckSDRefDom
......................... boggscontracting passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... boggscontracting passed test CrossRefValidation
Running enterprise tests on : boggscontracting.com
Starting test: LocatorCheck
......................... boggscontracting.com passed test LocatorCheck
Starting test: Intersite
......................... boggscontracting.com passed test Intersite
We have done tons of needed cleanup work in the DNS Server but still get the output above. I am trying to verify my SRV records at the DC and noticed another problem: I am missing a subfolder underneath my domain zone.
I am curious as to how I can recreate the _msdcs subfolder that resides beneath the domain name in the Forward lookup zones in DNS.
This domain controller has been promoted from a 03 -> 08 -> now 2012 DC
-----------------------------
Also, if you have any leads or experience with SQL and can shed light on these hard-to-troubleshoot Untrusted Domain / SSPI Handshake errors, please let me know.
You should not recreate a _msdcs subfolder under your domain zone, as you already have a _msdcs zone. With that config you should have a delegation for _msdcs in your domain zone (but really if all DC/DNS have the _msdcs zone and you're running just the single AD domain then the delegation is actually redundant).
_msdcs as a subfolder of your domain zone is a valid config, but since Server 2003 new domains get this created as a separate zone (replicated to all DNS in the forest) with a delegation.
The _msdcs zone should be auto-populated with the correct records by the Netlogon service. Check for the "7b75d73e-c8a4-4fe5-ae3f-3c8a6884ad31" record (some people just see a GUID and assume it's the same; don't do that). Tell us what is in that zone.
Screenshot appears fine.
Can you provide the output of running the following on the server?
ipconfig /all
nslookup 7b75d73e-c8a4-4fe5-ae3f-3c8a6884ad31._msdcs.boggscontracting.com
The "server.boggscontracting.com" record should also be automatically registered in your domain zone.
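The GUID check asked for in the answers above, as an added PowerShell example that is not part of the original thread: it compares the GUID dcdiag tried to resolve against the DC's DSA GUID in AD and against the CNAME records actually present in the _msdcs zone, character for character. Test-DsaGuidRecord is a hypothetical helper name; it assumes it is run on the DC itself, that the DC hosts the _msdcs zone as a separate zone, and that the ActiveDirectory and DnsServer modules are installed.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example. Test-DsaGuidRecord is a hypothetical helper name; the GUID and
# domain in the call at the bottom are the ones quoted in the thread.
function Test-DsaGuidRecord {
    param(
        [Parameter(Mandatory)] [string] $ExpectedGuid,  # GUID dcdiag failed to resolve
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $DnsServer = 'localhost'               # assumption: run on the DC/DNS server
    )
    $zone = "_msdcs.$DomainName"
    $guidPattern = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

    # DSA GUID according to the directory: objectGUID of this DC's NTDS Settings object.
    $dsaGuid = $null
    try {
        $dc = Get-ADDomainController -Identity $env:COMPUTERNAME -Server localhost -ErrorAction Stop
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server localhost -ErrorAction Stop).ObjectGUID.ToString()
    } catch {
        Write-Warning "Could not read the DSA GUID from AD: $($_.Exception.Message)"
    }

    # GUID-named CNAME records that actually exist in the _msdcs zone.
    $cnames = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType CName -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -match $guidPattern })
    $match = $cnames | Where-Object { $_.HostName -eq $ExpectedGuid }   # full-string compare

    # The lookup dcdiag performs: <GUID>._msdcs.<domain> must return a CNAME from this DNS server.
    $answer = Resolve-DnsName -Name "$ExpectedGuid.$zone" -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' }

    [pscustomobject]@{
        ExpectedGuid     = $ExpectedGuid
        DsaGuidInAD      = $dsaGuid
        GuidMatchesAD    = ($null -ne $dsaGuid -and $dsaGuid -eq $ExpectedGuid)
        GuidRecordsFound = $cnames.HostName -join ', '
        ExactRecordFound = [bool]$match
        PointsTo         = $match.RecordData.HostNameAlias
        Resolves         = [bool]$answer
    }
}

Test-DsaGuidRecord -ExpectedGuid '7b75d73e-c8a4-4fe5-ae3f-3c8a6884ad31' -DomainName 'boggscontracting.com'
```

If ExactRecordFound is false, Netlogon re-registers its locator records when the service is restarted or when `nltest /dsregdns` is run.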





