AD and DNS server roles not playing nicely in Server 2008

Discussion in 'Networking & Security' started by RavinDJ, Feb 9, 2011.

  1. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    I'm about to pull my hair out :(

    C:\Users\Administrator>dcdiag /fix

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    Home Server = dc
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\DC
    Starting test: Connectivity
    The host 661bcd5c-ba25-4e96-81b3-64c2db98a63b._msdcs.cwmg.local could
    not be resolved to an IP address. Check the DNS server, DHCP, server
    name, etc.
    Got error while checking LDAP and RPC connectivity. Please check your
    firewall settings.
    ......................... DC failed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\DC
    Skipping all tests, because server DC is not responding to directory
    service requests.


    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation

    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation

    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : cwmg
    Starting test: CheckSDRefDom
    ......................... cwmg passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... cwmg passed test CrossRefValidation

    Running enterprise tests on : cwmg.local
    Starting test: LocatorCheck
    ......................... cwmg.local passed test LocatorCheck
    Starting test: Intersite
    ......................... cwmg.local passed test Intersite

    C:\Users\Administrator>

    I also get an error when I click on the DNS ROLE in SERVER MANAGEMENT:

    The server DC cannot be contacted.
    The error was: Access was denied.
    Would you like to add it anyway?

    When I click YES, it'll add it, but with a RED X.
Then, when I go to the server, it says: To configure the DNS server, on the Action menu, click CONFIGURE A DNS SERVER. However, that option is GRAYED OUT :( :( :(

    Event ID 4000 states:
    The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
     
    Last edited: Feb 9, 2011
  2. mmtom

    mmtom Limp Gawd

    Messages:
    319
    Joined:
    Jan 9, 2003
    How many DCs?
     
  3. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    Just 1... the main one, running at 192.168.10.10 which is the AD DC and DNS server
     
  4. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    I'm on the phone with Microsoft support... $259 per incident... better get fixed :)

    On a sidenote... this made me soooooooooooo stressed out today... I was about to pull my hair out and I think I killed my health a little bit today... I hate this stress :( :(
     
  5. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    To make sure this issue is somehow prevented in the future...

    How do I add another either DC or DNS server or BOTH to my network?
     
  6. XOR != OR

    XOR != OR [H]ardForum Junkie

    Messages:
    11,566
    Joined:
    Jun 17, 2003
  7. C7J0yc3

    C7J0yc3 [H]ard|Gawd

    Messages:
    1,353
    Joined:
    Dec 27, 2009
    Some pointers on how to get MS cases comped in the future.

    1: "I don't know what happened, but after I did a round of updates, this thing is broken now." If you start with that, and they can't prove that you screwed it up, case is free.

2: "Nothing has changed, it crapped out, this is business critical, and over 100 users are affected." Not only do you get dropped in the express line, but they usually don't ask for your credit card info till afterwards.

    Also just know that usually if MS goes through and finds that they broke it, or if a reformat / restore is the only way to fix it, they will refund your money.
     
  8. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    IP CONFIG shows:

    IP 192.168.10.10
    Subnet 255.255.255.0
    GW 192.168.10.100

    DNS 192.168.10.10

    NSLOOKUP:

    C:\Users\Lukas>nslookup dc.cwmg.local
    Server: UnKnown
    Address: 192.168.10.10

    *** UnKnown can't find dc.cwmg.local: Non-existent domain
     
  9. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002

    Thanks for the info... let's hope I don't need it :)
     
  10. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    Once MS started hacking around:

    Event ID 407
    DNS Server could not bind a UDP socket to 192.168.10.10

    Event ID 408
DNS Server could not open socket for address 192.168.10.10. Verify that this is a valid IP address for the server computer.

    Event ID 404
DNS Server could not bind a TCP socket to address 192.168.10.10. An IP Address of 0.0.0.0 can indicate a valid "ANY ADDRESS" configuration in which all configured IP addresses on the computer are available for use.
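The checks in posts 1, 8 and 10 (the dcdiag Connectivity failure on the `<DSA GUID>._msdcs` CNAME, the nslookup "Non-existent domain", and events 404/407/408/4000) are all symptoms of the same loop on a lone DC: the AD-integrated zone cannot load until NTDS is up, and the DC cannot be found until that zone answers. The "Access was denied" from the DNS console fits the same picture, since without DNS the snap-in cannot get a Kerberos ticket to the DC. The script below is an added example, not something from the thread or from Microsoft support; it is a read-only triage pass that repeats those checks in one run so you can see which leg failed first. It is written in Windows PowerShell 2.0 syntax for Server 2008 R2 (Resolve-DnsName and Get-NetTCPConnection are 2012+). Domain, DC name, IP and DSA GUID are taken from the dcdiag output above; nothing else is assumed.

```powershell
# Added example, not from the thread: read-only triage of the checks the posts
# above did one at a time. Windows PowerShell 2.0 syntax for Server 2008 R2.
# Domain, DC IP and the DSA GUID come from the dcdiag output quoted above.

$Domain  = 'cwmg.local'
$DcIp    = '192.168.10.10'
$DsaGuid = '661bcd5c-ba25-4e96-81b3-64c2db98a63b'

function Test-Name([string]$Name) {
    # Same path nslookup took: the OS resolver, i.e. this box's own DNS client
    # settings, which on a lone DC should point at itself.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        "OK   $Name -> $($ips -join ', ')"
    } catch {
        "FAIL $Name : $($_.Exception.Message)"
    }
}

'--- 1. Records dcdiag Connectivity needs (all registered by Netlogon, not by hand)'
Test-Name "dc.$Domain"
Test-Name "$DsaGuid._msdcs.$Domain"                          # CNAME -> dc.cwmg.local; dcdiag failed here
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DcIp 2>&1  # how clients locate a DC at all

'--- 2. Services a DC needs; DNS cannot load an AD-integrated zone until NTDS is up'
Get-Service NTDS, DNS, Netlogon, Kdc, W32Time | Format-Table Name, Status -AutoSize

'--- 3. Events 404/407/408: is something else bound to port 53, and does the DNS'
'---    service expect to listen on an address this box actually has?'
netstat -ano -p udp | Select-String ':53\s'
netstat -ano -p tcp | Select-String ':53\s'
$dnsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -ErrorAction SilentlyContinue
if ($dnsParams.ListenAddresses) { "Configured listen addresses: $($dnsParams.ListenAddresses -join ', ')" }
else                            { 'Configured listen addresses: (all interfaces)' }
ipconfig | Select-String 'IPv4 Address'
netsh interface ipv4 show dnsservers                           # the DC's own DNS client list

'--- 4. DNS Server events quoted in the thread (4013 = waiting for AD DS), oldest first'
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 404, 407, 408, 4000, 4013 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } -AutoSize -Wrap
```

Read section 3 against section 1: if the configured listen address is not one ipconfig shows, or another process already holds port 53, the 404/407/408 events explain the 4000 and the CNAME failure follows from them. If the DNS client list in section 3 does not point at the DC itself (or 127.0.0.1), Netlogon has nowhere to register the records section 1 is looking for.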
     
  11. XOR != OR

    XOR != OR [H]ardForum Junkie

Ya, that was where I was going next. Your DNS server is fooked in some way. Uninstall/reinstall it, then try reregistering your DNS entries.
     
  12. da sponge

    da sponge [H]ard|Gawd

    Messages:
    1,133
    Joined:
    Aug 23, 2001
    Rebooting *should* do that. Netlogon registers everything on service start.
     
  13. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    Still down.... now with a 2nd Microsoft rep :(

    Soooo many hours already spent/wasted on this.

    And, I just know the THREE questions for me tomorrow will be...
    (1) What happened?
    (2) Why did it happen?
    (3) Who made this happen?

    I don't think that even MS has a clue WTF is wrong... or, at least the techs that I'm on the phone with don't know.

    And my DNS is fooked? So how do I reinstall it? I don't mind doing that, since it's not a lot... do I just remove the ROLE and add it again?
     
  14. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    Still with MS techs on the line... I'm seriously doubting their skill level :(
     
  15. randomlychosen

    randomlychosen n00b

    Messages:
    54
    Joined:
    Mar 26, 2010
    Definitely agree with the above posters, it's a DNS issue.
     
  16. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    F*CK THIS!!! They don't know anything....

    What do I need to do to make sure reimaging goes somewhat smoothly?

    What do I need to backup so that when I reinstall Server 2008 R2 Std. 64bit tomorrow, I can have as little downtime as possible.

    AND... WTF could've caused this? If I don't find out, blame's on me :( :( :(
     
  17. XOR != OR

    XOR != OR [H]ardForum Junkie

    It's frustrating, no doubts. However, the root cause is that your DNS server isn't up and running. Get that up and running I'm fairly confident that everything else will just work.

    As far as how to avoid this in the future; we don't have enough data to tell you that. Obviously something happened to your DNS service on that machine, so once you figure out what and how to fix it you'll know what to avoid in the future. Keep in mind, of course, that presumably you'll have a DNS server up and running before you bring up other servers on your network. So the likelihood of this issue reoccurring is minimal.
     
  18. C7J0yc3

    C7J0yc3 [H]ard|Gawd


Ohhh yes we do. You have one AD server. This was an accident waiting to happen. Let's say that the fix is to completely reimage the machine, and when you do so you weren't aware that your backups were not forming correctly (even though saying the backup was successful) and thus are unusable when you go to restore from them. In fact, let's say they are so mangled because VSS or some other variable screwed up that you can't even fresh install and then import the NTDS components; now you are stuck without a DC and have weeks of rebuild in front of you.

    Moral of the story, and the forward action plan is this.

    First step: Reinstall the DNS Role. If this doesn't solve your issue, don't waste more time, just restore from your backup.

Step 2: Restore from backup, no more than a week old. After that the server will tombstone itself and be useless to you.

Step 3: After restoring AD from backup, it will not "just work." There are some steps you need to do. Keep your MS case open, and have them walk you through the finishing steps.

    Step 4. Build a 2nd DC. That way in the future if one goes down, you have all the time in the world to troubleshoot the broken one and everyone just runs off the second.

Step 5: Create some sort of monthly proactive maintenance regimen. Ours is Windows Updates, CCleaner, sfc /scannow, and defrag. Also once a month we verify our backups by taking our weekly full of each machine, converting it to a VHD, and creating a VM out of it to ensure it works properly (we use Acronis so this makes life easy). That way when the unforeseen does happen we know we can rely on our backups.

It's a sh**ty situation dude, and trust me I have been there, more than once, just work through it, and also remember that if you are not satisfied that Microsoft fixed the issue, let 'em know. They don't take offense because at the end of the day they want your money. Multiple times I have closed cases out of frustration, and when I get the callback for the survey tell the person how dissatisfied I was with the quality of the agent, and 99 times out of 100 the case becomes free, or the case is reopened, reviewed by Microsoft, and given to someone who is usually very skilled so that the end result is a positive review by the client. MS farms their support out to call centers, we all know this, and those call centers have very strict CSAT metrics (I have a friend who works as an SME on Microsoft's internal desk). If they don't meet that metric they get fined by MS, and the fine isn't small, so they will bend over backwards to get your case resolved just so you will say good things about them.
</gre_replace>
<gr_insert after="330" cat="add_content" lang="powershell" orig="Its a">
Steps 4 and 5 above, and RavinDJ's question in post 5 about adding a second DC, as an added example that is not part of the thread or of the Microsoft case. On Server 2008 R2 a DC is promoted with dcpromo and an answer file (Install-ADDSDomainController only arrived in 2012), so the first function writes that file and runs it. The second function, run afterwards on each DC, points every DC's DNS client at the other DC first and itself second, so neither box depends on its own DNS service to find a domain controller. The last function takes the system state backup Windows Server Backup can restore AD from and reads the forest's actual tombstoneLifetime, which is the real bound on how old such a backup may be. Assumed, not from the thread: the second DC's name dc2 and IP 192.168.10.11, the adapter name, the backup volume E:, and that the new server is already a member of cwmg.local. PowerShell 2.0 syntax throughout.

```powershell
# Added example, not from the thread. Run New-ReplicaDc on the new member
# server (assumed dc2 / 192.168.10.11), then after its reboot run
# Set-DcDnsClient and Test-DcHealth on EACH DC, and Backup-SystemState on a
# schedule. Windows PowerShell 2.0 syntax for Server 2008 R2.

$Domain   = 'cwmg.local'
$FirstDc  = '192.168.10.10'
$SecondDc = '192.168.10.11'              # assumption
$Nic      = 'Local Area Connection'      # assumption; list with: netsh interface ipv4 show interfaces

function New-ReplicaDc {
    # Step 4: promote a replica DC that is also a DNS server and a global catalog.
    $dsrm = Read-Host 'DSRM (Directory Services Restore Mode) password for the new DC'
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$Domain
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$Domain
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=Yes
"@ | Set-Content -Path C:\dcpromo-replica.txt -Encoding ASCII
    dcpromo /unattend:C:\dcpromo-replica.txt   # Password=* makes dcpromo prompt for the domain admin password
    # The answer file holds the DSRM password in clear text: delete it after the promotion.
}

function Set-DcDnsClient {
    # Run on each DC after the reboot: other DC first, itself second.
    $me = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          ForEach-Object { $_.IPAddressToString } | Select-Object -First 1
    $other = if ($me -eq $FirstDc) { $SecondDc } else { $FirstDc }
    netsh interface ipv4 set dnsservers name="$Nic" source=static address=$other validate=no
    netsh interface ipv4 add dnsservers name="$Nic" address=$me index=2 validate=no
    ipconfig /registerdns
    nltest /dsregdns                           # re-register the SRV and CNAME records Netlogon owns
}

function Test-DcHealth {
    # Do not trust the second DC until both replicate, advertise and answer DNS.
    repadmin /replsummary
    dcdiag /test:Replications /test:Advertising /test:DNS /q
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"   # should now list both DCs
}

function Backup-SystemState([string]$Target = 'E:') {
    # Step 5: the backup AD can actually be restored from, plus the forest's own
    # limit on how old it may be. Needs the Windows Server Backup feature;
    # $Target must not be the system volume.
    wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $tsl = [int]$ds.Properties['tombstoneLifetime'].Value
    if ($tsl -eq 0) { $tsl = 60 }              # attribute absent = pre-2003 SP1 default of 60 days
    "tombstoneLifetime is $tsl days: never restore a system state backup older than that"
}

# On the new server:        New-ReplicaDc          (reboots when done)
# Then on each DC:          Set-DcDnsClient; Test-DcHealth
# Then on a schedule:       Backup-SystemState 'E:'
```

Two things worth knowing before relying on this: the tombstone lifetime printed at the end is the value this forest really uses (180 days for forests created on 2003 SP1 or later, 60 if the attribute was never set), and a system state backup is only as good as the last time it was restored somewhere, which is exactly what step 5's monthly VHD-boot test is for.
</gr_insert>
<gr_replace lines="335-338" cat="remove_boilerplate" orig="Messages:">
     
  19. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    Thanks for the input guys... going to do the reformat/reinstall of Server 2008 R2 Std x64 later tonight. Wish me luck!!!

    It appears I don't have a working backup for the DNS zone... which basically means my active directory is fooked, right? We have about 12 to 14 users, so I'm hoping it's not going to be too bad to start from scratch. Or am I f*cked and just don't know it yet?

    Is there anything I can do on the individual user's workstations???
     
  20. C7J0yc3

    C7J0yc3 [H]ard|Gawd

    Good Luck! :)

    Depends on what you do have in your backup. Take a look at this, and you will know quickly if you have what you need to restore your AD.

    http://technet.microsoft.com/en-us/library/bb727048.aspx

Your next two weeks are going to be hell. Each PC will need to be joined to the new PC, and the old AD accounts will need to be migrated to the new AD accounts. If you have in-house Exchange you can manually re-associate the mailboxes, which is good, and if your mail is hosted, even better.
     
  21. RavinDJ

    RavinDJ 2[H]4U

    Messages:
    3,922
    Joined:
    Apr 9, 2002
    The good news is that we don't use Exchange... email is hosted by a webhost (POP3 boxes).

    All we need AD for is for authentication to the domain and servers.

    Would it make sense to name the new domain the same (mydomain.local) or something new (pick-a-new-name.local)?
     
  22. defuseme2k

    defuseme2k [H]ard|Gawd

    Messages:
    1,077
    Joined:
    Oct 7, 2004
    egads, need a few VM DCs just for redundancy in the future :(.

If you had a bunch of stuff joined to the domain, I would not use the same domain name going forward if it is going to be new. That might wig out those clients. I always use .lcl rather than typing out local; it's just cleaner to the .### look of things IMHO.
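The "start from scratch" path from posts 19 to 22, as an added example that is not from the thread: once a new forest exists, the work is recreating the dozen or so users and rejoining every workstation. The script assumes the new forest has already been created with dcpromo (new domain, not a replica), that it is called cwmg2.local in line with the advice to pick a new name, that the Active Directory PowerShell module is present (RSAT on 2008 R2), and that the user list is a constructed stand-in for the real one. Whatever the new domain is called, each workstation's old machine account trust is dead, so the join function drops the box to a workgroup and reboots before joining. PowerShell 2.0 syntax.

```powershell
# Added example, not from the thread. Part 1 runs on the new DC; Join-NewDomain
# runs on each workstation, elevated. Domain name cwmg2.local, the OU, and the
# user list are assumptions / constructed sample data.

Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web            # for Membership.GeneratePassword

$NewDomain = 'cwmg2.local'                   # assumption: a new name, per the advice above
$DomainDn  = 'DC=cwmg2,DC=local'
$UsersOu   = "OU=Staff,$DomainDn"

# Constructed sample; in practice: $users = Import-Csv .\users.csv
$users = @"
SamAccountName,GivenName,Surname,Group
lukas,Lukas,Example,Staff
jdoe,Jane,Doe,Staff
"@ | ConvertFrom-Csv

try   { Get-ADOrganizationalUnit $UsersOu | Out-Null }
catch { New-ADOrganizationalUnit -Name Staff -Path $DomainDn }

$issued = foreach ($u in $users) {
    $initial = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    New-ADUser -Name "$($u.GivenName) $($u.Surname)" `
               -SamAccountName $u.SamAccountName `
               -UserPrincipalName "$($u.SamAccountName)@$NewDomain" `
               -GivenName $u.GivenName -Surname $u.Surname `
               -Path $UsersOu `
               -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
               -ChangePasswordAtLogon $true -Enabled $true
    $groupName = $u.Group                    # AD filters only take plain variables, not $u.Group
    if (-not (Get-ADGroup -Filter { Name -eq $groupName })) {
        New-ADGroup -Name $groupName -GroupScope Global -Path $UsersOu
    }
    Add-ADGroupMember -Identity $groupName -Members $u.SamAccountName
    New-Object PSObject -Property @{ User = $u.SamAccountName; InitialPassword = $initial }
}
# Hand these out out-of-band; ChangePasswordAtLogon forces a reset at first logon.
$issued | Format-Table User, InitialPassword -AutoSize

function Join-NewDomain {
    # Run on a workstation, elevated, twice: first call leaves the dead domain for
    # a workgroup and reboots; second call (after reboot) joins the new domain.
    # PowerShell 2.0's Add-Computer has no -Restart, hence Restart-Computer.
    param([string]$Domain = 'cwmg2.local')
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Add-Computer -WorkgroupName WORKGROUP -Force
    } else {
        Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator")
    }
    Restart-Computer -Force
}
```

A user who logs on to the rejoined workstation gets a new SID and therefore a fresh profile; the old profile is still on disk under C:\Users\<name>, and copying it across (or running USMT) is a separate step the script above does not do.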
     
  23. XOR != OR

    XOR != OR [H]ardForum Junkie

    Certainly, I was speaking more specifically. RavinDJ's been on here enough to know what good practice is.