AD and DNS server roles not playing nicely in Server 2008

RavinDJ (Supreme [H]ardness, joined Apr 9, 2002, 4,444 messages)
I'm about to pull my hair out :(

C:\Users\Administrator>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = dc
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC
Starting test: Connectivity
The host 661bcd5c-ba25-4e96-81b3-64c2db98a63b._msdcs.cwmg.local could
not be resolved to an IP address. Check the DNS server, DHCP, server
name, etc.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... DC failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC
Skipping all tests, because server DC is not responding to directory
service requests.


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : cwmg
Starting test: CheckSDRefDom
......................... cwmg passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... cwmg passed test CrossRefValidation

Running enterprise tests on : cwmg.local
Starting test: LocatorCheck
......................... cwmg.local passed test LocatorCheck
Starting test: Intersite
......................... cwmg.local passed test Intersite

C:\Users\Administrator>

I also get an error when I click on the DNS ROLE in SERVER MANAGEMENT:

The server DC cannot be contacted.
The error was: Access was denied.
Would you like to add it anyway?

When I click YES, it'll add it, but with a RED X.
Then, when I go to the server, it says: To configure the DNS server, on the Action menu, click CONFIGURE A DNS SERVER. However, that option is GRAYED OUT :( :( :(

Event ID 4000 states:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
 
I'm on the phone with Microsoft support... $259 per incident... better get fixed :)

On a sidenote... this made me soooooooooooo stressed out today... I was about to pull my hair out and I think I killed my health a little bit today... I hate this stress :( :(
 
To make sure this issue is somehow prevented in the future...

How do I add another either DC or DNS server or BOTH to my network?
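One way to add a second DC that also runs DNS for cwmg.local, as an added example that is not from this thread or from Microsoft: an unattended dcpromo run from an elevated PowerShell on the new Server 2008 R2 box. It assumes the new server's DNS client already points only at the existing DC (192.168.10.10, the address from this thread), that the account used is a Domain Admin, and that the file path and the DSRM password placeholder are yours to change.

```powershell
# Added example: promote a second 2008 R2 server to a replica DC + DNS server so
# the domain no longer depends on one box. Run elevated on the NEW server.

$existingDc = "192.168.10.10"          # the current (only) DC, from the thread
$domainName = "cwmg.local"
$answerFile = "C:\Windows\Temp\replica-dc.txt"   # assumed path

# Pre-flight: a replica promotion finds the domain through the _ldap SRV records
# under _msdcs, the same zone dcdiag could not resolve in this thread. Windows
# nslookup prints "svr hostname = ..." for every SRV answer it receives.
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainName" $existingDc 2>&1
if (-not ($srv -match "svr hostname")) {
    throw "No _ldap._tcp.dc._msdcs SRV record on $existingDc; repair DNS on the existing DC first."
}

# dcpromo answer file: the [DCInstall] keys documented for Windows Server 2008 R2.
# Password=* makes dcpromo prompt for the domain credential at run time, but the
# DSRM password (SafeModeAdminPassword) must be written into the file, which is
# why the file is removed immediately after dcpromo returns.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$domainName
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$domainName
UserName=$domainName\administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=CHANGE_ME_DSRM_PASSWORD
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

& dcpromo /unattend:$answerFile
Remove-Item $answerFile -Force   # never leave the DSRM password on disk

# Check C:\Windows\debug\dcpromo.log for the outcome before rebooting. After the
# reboot, point this DC's DNS client at the existing DC first and itself second,
# and give every workstation both DNS servers, so losing one DC no longer takes
# name resolution (and with it domain logon) down.
Restart-Computer -Force
```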
 
Some pointers on how to get MS cases comped in the future.

1: "I don't know what happened, but after I did a round of updates, this thing is broken now." If you start with that, and they can't prove that you screwed it up, case is free.

2: "Nothing has changed, it crapped out, this is business critical, and over 100 users are affected." Not only do you get dropped in the express line, but they usually don't ask for your credit card info till afterwards.

Also just know that usually if MS goes through and finds that they broke it, or if a reformat / restore is the only way to fix it, they will refund your money.
 
IP CONFIG shows:

IP 192.168.10.10
Subnet 255.255.255.0
GW 192.168.10.100

DNS 192.168.10.10

NSLOOKUP:

C:\Users\Lukas>nslookup dc.cwmg.local
Server: UnKnown
Address: 192.168.10.10

*** UnKnown can't find dc.cwmg.local: Non-existent domain
 
Some pointers on how to get MS cases comped in the future.

1: "I don't know what happened, but after I did a round of updates, this thing is broken now." If you start with that, and they can't prove that you screwed it up, case is free.

2: "Nothing has changed, it crapped out, this is business critical, and over 100 users are affected." Not only do you get dropped in the express line, but they usually don't ask for your credit card info till afterwards.

Also just know that usually if MS goes through and finds that they broke it, or if a reformat / restore is the only way to fix it, they will refund your money.


Thanks for the info... let's hope I don't need it :)
 
Once MS started hacking around:

Event ID 407
DNS Server could not bind a UDP socket to 192.168.10.10

Event ID 408
DNS Server could not open socket for address 192.168.10.10. Verify that this is a valid IP address for the server computer.

Event ID 404
DNS Server could not bind a TCP socket to address 192.168.10.10. An IP Address of 0.0.0.0 can indicate a valid "ANY ADDRESS" configuration in which all configured IP addresses on the computer are available for use.
 
Once MS started hacking around:

Event ID 407
DNS Server could not bind a UDP socket to 192.168.10.10

Event ID 408
DNS Server could not open socket for address 192.168.10.10. Verify that this is a valid IP address for the server computer.

Event ID 404
DNS Server could not bind a TCP socket to address 192.168.10.10. An IP Address of 0.0.0.0 can indicate a valid "ANY ADDRESS" configuration in which all configured IP addresses on the computer are available for use.

Ya, that was where I was going next. Your DNS server is fooked in some way. Uninstall/reinstall it, then try reregistering your DNS entries.
 
Ya, that was where I was going next. Your DNS server is fooked in some way. Uninstall/reinstall it, then try reregistering your DNS entries.

Rebooting *should* do that. Netlogon registers everything on service start.
 
Still down.... now with a 2nd Microsoft rep :(

Soooo many hours already spent/wasted on this.

And, I just know the THREE questions for me tomorrow will be...
(1) What happened?
(2) Why did it happen?
(3) Who made this happen?

I don't think that even MS has a clue WTF is wrong... or, at least the techs that I'm on the phone with don't know.

And my DNS is fooked? So how do I reinstall it? I don't mind doing that, since it's not a lot... do I just remove the ROLE and add it again?
 
Still with MS techs on the line... I'm seriously doubting their skill level :(
 
F*CK THIS!!! They don't know anything....

What do I need to do to make sure reimaging goes somewhat smoothly?

What do I need to backup so that when I reinstall Server 2008 R2 Std. 64bit tomorrow, I can have as little downtime as possible.

AND... WTF could've caused this? If I don't find out, blame's on me :( :( :(
 
It's frustrating, no doubts. However, the root cause is that your DNS server isn't up and running. Get that up and running I'm fairly confident that everything else will just work.

As far as how to avoid this in the future; we don't have enough data to tell you that. Obviously something happened to your DNS service on that machine, so once you figure out what and how to fix it you'll know what to avoid in the future. Keep in mind, of course, that presumably you'll have a DNS server up and running before you bring up other servers on your network. So the likelihood of this issue reoccurring is minimal.
 
As far as how to avoid this in the future; we don't have enough data to tell you that.


Ohhh yes we do. You have one AD server. This was an accident waiting to happen. Let's say that the fix is to completely reimage the machine, and when you do so you weren't aware that your backups were not forming correctly (even though saying the backup was successful) and thus are unusable when you go to restore from them. In fact let's say they are so mangled because VSS or some other variable screwed up that you can't even fresh install, and then import the NTDS components, now you are stuck without a DC and have weeks of rebuild in front of you.

Moral of the story, and the forward action plan is this.

First step: Reinstall the DNS Role. If this doesn't solve your issue, don't waste more time, just restore from your backup.

Step 2: Restore from backup, no more than a week old. After that the server will tombstone itself and be useless to you.

Step 3: After restoring AD from backup, it will not "Just work." There are some steps you need to do. Keep your MS case open, and have them walk you through the finishing steps.

Step 4. Build a 2nd DC. That way in the future if one goes down, you have all the time in the world to troubleshoot the broken one and everyone just runs off the second.

Step 5: Create some sort of monthly proactive maintenance regimen. Ours is Windows Updates, CCleaner, sfc /scannow, and defrag. Also once a month we verify our backups by taking our weekly full of each machine, convert it to a VHD, and create a VM out of it to ensure it works properly (we use Acronis so this makes life easy). That way when the unforeseen does happen we know we can rely on our backups.

It's a sh**ty situation dude, and trust me I have been there, more than once, just work through it, and also remember that if you are not satisfied that Microsoft fixed the issue, let em know. They don't take offense because at the end of the day they want your money. Multiple times I have closed cases out of frustration, and when I get the callback for the survey tell the person how dissatisfied I was with the quality of the agent, and 99 times out of 100 the case becomes free, or the case is reopened, reviewed by Microsoft, and given to someone who is usually very skilled so that the end result is a positive review by the client. MS farms their support out to call centers, we all know this, and those call centers have very strict CSAT metrics (I have a friend who works as a SME on Microsoft's internal desk). If they don't meet that metric they get fined by MS, and the fine isn't small, so they will bend over backwards to get your case resolved just so you will say good things about them.
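A check that belongs in the monthly maintenance list above, as an added example that is not from anyone in this thread: run from the DC itself (as a Domain Admin, scheduled daily), it verifies the exact records dcdiag's Connectivity test needs (the DSA GUID CNAME under _msdcs and the _ldap SRV record), that the DNS Server service is up, and whether the DNS Server event IDs seen in this thread (4000, 404, 407, 408) have appeared in the last day. The function name and the one-day window are my choices.

```powershell
# Added example: daily DC DNS health check for Server 2008 R2 (PowerShell 2.0,
# ADSI and built-in tools only). Returns a list of failures; empty means healthy.

function Test-DcDnsHealth {
    $failures = @()
    $root   = [ADSI]"LDAP://RootDSE"
    # "DC=cwmg,DC=local" -> "cwmg.local"
    $domain = ([string]$root.defaultNamingContext) -replace "DC=", "" -replace ",", "."

    # The objectGUID of this DC's NTDS Settings object is the label of the
    # <guid>._msdcs.<domain> CNAME that dcdiag reported as unresolvable.
    $ntds  = [ADSI]("LDAP://" + [string]$root.dsServiceName)
    $cname = "{0}._msdcs.{1}" -f $ntds.Guid, $domain
    try   { [void][System.Net.Dns]::GetHostAddresses($cname) }
    catch { $failures += "CNAME $cname does not resolve (dcdiag Connectivity will fail)" }

    # Domain locator record; Windows nslookup prints "svr hostname = ..." per SRV answer.
    $srvName = "_ldap._tcp.dc._msdcs.$domain"
    $srv = & nslookup -type=SRV $srvName 127.0.0.1 2>&1
    if (-not ($srv -match "svr hostname")) { $failures += "No SRV record for $srvName on the local DNS server" }

    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne "Running") { $failures += "DNS Server service is not running" }

    # 4000 = DNS could not open Active Directory; 404/407/408 = could not bind a
    # TCP/UDP socket to the server's address (all from this thread).
    $since = (Get-Date).AddDays(-1)
    $bad = Get-WinEvent -FilterHashtable @{ LogName = "DNS Server"; Id = 4000, 404, 407, 408; StartTime = $since } `
           -ErrorAction SilentlyContinue
    foreach ($e in $bad) {
        $failures += ("DNS event {0} at {1}: {2}" -f $e.Id, $e.TimeCreated, $e.Message.Split("`n")[0])
    }
    return $failures
}

$result = @(Test-DcDnsHealth)
if ($result.Count -eq 0) {
    "DC DNS health OK"
} else {
    $result | ForEach-Object { "FAIL: $_" }
    exit 1   # non-zero so a scheduled task or monitoring agent can alert on it
}
```

With a second DC in place, run it on both: a failure on one box is then a ticket, not an outage.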
 
Thanks for the input guys... going to do the reformat/reinstall of Server 2008 R2 Std x64 later tonight. Wish me luck!!!

It appears I don't have a working backup for the DNS zone... which basically means my active directory is fooked, right? We have about 12 to 14 users, so I'm hoping it's not going to be too bad to start from scratch. Or am I f*cked and just don't know it yet?

Is there anything I can do on the individual user's workstations???
 
Thanks for the input guys... going to do the reformat/reinstall of Server 2008 R2 Std x64 later tonight. Wish me luck!!!

Good Luck! :)

It appears I don't have a working backup for the DNS zone... which basically means my active directory is fooked, right? We have about 12 to 14 users, so I'm hoping it's not going to be too bad to start from scratch. Or am I f*cked and just don't know it yet?

Depends on what you do have in your backup. Take a look at this, and you will know quickly if you have what you need to restore your AD.

http://technet.microsoft.com/en-us/library/bb727048.aspx

Is there anything I can do on the individual user's workstations???

Your next two weeks are going to be hell. Each PC will need to be joined to the new PC, and the old AD accounts will need to be migrated to the AD new accounts. If you have in house exchange you can manually re-associate the mailboxes which is good, and if your mail is hosted, even better.
 
The good news is that we don't use Exchange... email is hosted by a webhost (POP3 boxes).

All we need AD for is for authentication to the domain and servers.

Would it make sense to name the new domain the same (mydomain.local) or something new (pick-a-new-name.local)?
 
egads, need a few VM DCs just for redundancy in the future :(.

If you had a bunch of stuff joined to the domain, I would not use the same domain name going forward if it is going to be new. That might wig out those clients. I always use .lcl rather than typing out local, it's just cleaner to the .### look of things IMHO.
 
Ohhh yes we do. You have one AD server. This was an accident waiting to happen. Let's say that the fix is to completely reimage the machine, and when you do so you weren't aware that your backups were not forming correctly (even though saying the backup was successful) and thus are unusable when you go to restore from them. In fact let's say they are so mangled because VSS or some other variable screwed up that you can't even fresh install, and then import the NTDS components, now you are stuck without a DC and have weeks of rebuild in front of you.

Moral of the story, and the forward action plan is this.

Certainly, I was speaking more specifically. RavinDJ's been on here enough to know what good practice is.
 