Infinity Solutions asked:
Trying to improve domain integrity

We are trying to pinpoint some DNS / AD issues going on in one of our domain networks. We run a SQL application and have users getting kicked out of the program due to SQL authentication errors multiple times every day. Errors vary, but the most common one I am seeing has to do with the domain being "untrusted". Running DCDiag I get the following output:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER
      Starting test: Connectivity
         The host 7b75d73e-c8a4-4fe5-ae3f-3c8a6884ad31._msdcs.boggscontracting.com could not be resolved to an IP
         address. Check the DNS server, DHCP, server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... SERVER failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER
      Skipping all tests, because server SERVER is not responding to directory service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : boggscontracting
      Starting test: CheckSDRefDom
         ......................... boggscontracting passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... boggscontracting passed test CrossRefValidation

   Running enterprise tests on : boggscontracting.com
      Starting test: LocatorCheck
         ......................... boggscontracting.com passed test LocatorCheck
      Starting test: Intersite
         ......................... boggscontracting.com passed test Intersite


We have done tons of needed clean up work in the DNS Server but still get the output above. I am trying to verify my SRV records at the DC and noticed another problem, I am missing a subfolder underneath my domain zone.

I am curious as to how I can recreate the _msdcs subfolder that resides beneath the domain name in the Forward lookup zones in DNS. (screenshot attached)
This domain controller has been promoted from a 03 -> 08 -> now 2012 DC

-----------------------------

Also, if you have any leads or experience with SQL and can shed light on these hard-to-troubleshoot Untrusted Domain / SSPI Handshake errors, please let me know.

Tags: Windows Server 2012, DHCP, Active Directory, DNS

footech replied:

You should not recreate a _msdcs subfolder under your domain zone, as you already have _msdcs zone.  With that config you should have a delegation for _msdcs in your domain zone (but really if all DC/DNS have the _msdcs zone and you're running just the single AD domain then the delegation is actually redundant).

_msdcs as a subfolder of your domain zone is a valid config, but since Server 2003 new domains get this created as a separate zone (replicated to all DNS in the forest) with a delegation.

The _msdcs zone should be auto-populated with the correct records by the Netlogon service.  Check for the "7b75d73e-c8a4-4fe5-ae3f-3c8a6884ad31" record (some people just see a GUID and assume it's the same, don't do that).  Tell us what is in that zone.
Infinity Solutions (asker) replied:

Here are the records. I have confirmed that the SOA and NS name server properties are accurate, with only the one domain controller listed with the appropriate NIC binding. (screenshot attached)
footech replied:

Screenshot appears fine.
Can you provide the output of running the following on the server?
   ipconfig /all
   nslookup 7b75d73e-c8a4-4fe5-ae3f-3c8a6884ad31._msdcs.boggscontracting.com


The "server.boggscontracting.com" record should also be automatically registered in your domain zone.
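The following is an added example, not code from footech or anyone in this thread, that automates the checks in both of footech's replies: it finds the NTDS Settings objectGUID that the _msdcs CNAME must carry (so you are not comparing against a random GUID), reports whether _msdcs is a separate zone with a delegation or a subfolder of the domain zone, and then asks every resolver configured on the DC's NICs (what ipconfig /all lists) for the GUID CNAME, the server's A record and the core locator SRV records. It assumes it is run in an elevated PowerShell on the Server 2012 DC with the ActiveDirectory and DnsServer RSAT modules installed; the function name Test-DcLocatorRecords and the -ReRegister switch are this example's own.

```powershell
# Added example (not from the thread): verify the DC locator records in _msdcs.
# Assumes Server 2012+ DC with the ActiveDirectory and DnsServer modules (RSAT).
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-DcLocatorRecords {
    param([switch]$ReRegister)   # -ReRegister asks Netlogon/DNS client to re-create missing records

    $domain = (Get-ADDomain).DNSRoot                                 # e.g. boggscontracting.com
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME    # this DC

    # The record under _msdcs is named after the objectGUID of the DC's NTDS
    # Settings object, not the computer object's GUID; fetch the right one.
    $dsaGuid   = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.Guid
    $guidCname = "$dsaGuid._msdcs.$domain"
    "Expected DSA CNAME: $guidCname"

    # 1. Zone layout: separate _msdcs zone (default since Server 2003) or a
    #    subfolder of the domain zone (older but still valid layout)?
    $msdcsZone = Get-DnsServerZone -Name "_msdcs.$domain" -ErrorAction SilentlyContinue
    if ($msdcsZone) {
        "_msdcs is a separate zone: type {0}, replication scope {1}" -f $msdcsZone.ZoneType, $msdcsZone.ReplicationScope
        $deleg = Get-DnsServerResourceRecord -ZoneName $domain -Name "_msdcs" -RRType NS -ErrorAction SilentlyContinue
        "Delegation (NS) for _msdcs inside ${domain}: $([bool]$deleg)"
    } else {
        "No separate _msdcs zone; records must live under ${domain}\_msdcs"
    }

    # 2. Records Netlogon should have registered, queried against each resolver
    #    the DC's NICs are configured with (the same list ipconfig /all prints).
    $names = @(
        @{ Name = $guidCname;                         Type = 'CNAME' },
        @{ Name = $dc.HostName;                       Type = 'A'     },   # server.<domain>
        @{ Name = "_ldap._tcp.dc._msdcs.$domain";     Type = 'SRV'   },
        @{ Name = "_kerberos._tcp.dc._msdcs.$domain"; Type = 'SRV'   },
        @{ Name = "_ldap._tcp.$domain";               Type = 'SRV'   }
    )
    $resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses } |
                 ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
    $missing = 0
    foreach ($server in $resolvers) {
        foreach ($q in $names) {
            try {
                # -DnsOnly skips the local cache and LLMNR/NetBIOS so the answer
                # really comes from that resolver.
                $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $server -DnsOnly -ErrorAction Stop
                "[OK]      $server  $($q.Type) $($q.Name)  ($(@($r).Count) answer(s))"
            } catch {
                $missing++
                "[MISSING] $server  $($q.Type) $($q.Name): $($_.Exception.Message)"
            }
        }
    }

    # 3. Optional repair: have Netlogon re-register every DC record and the DNS
    #    client re-register the host A record, then re-run this function once
    #    AD-integrated replication has caught up.
    if ($ReRegister -and $missing -gt 0) {
        nltest /dsregdns | Out-Null
        ipconfig /registerdns | Out-Null
        Restart-Service Netlogon
        "Re-registration requested; re-run Test-DcLocatorRecords after replication."
    }
    return $missing    # number of (resolver, record) pairs that failed
}

Test-DcLocatorRecords
```

A non-zero result against the DC's own address means the zone itself lacks the record and re-registration (the -ReRegister switch, or nltest /dsregdns by hand) is the next step; a failure only against a secondary resolver points at a stale or non-replicating DNS server in the NIC configuration instead, which is the ipconfig /all detail footech asked to see.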