DNS Issue on MS Server 2008 DC

funstuie (n00b, joined Sep 26, 2006, 58 messages)
Hi All,

I have just started a new role as sole IT in a small company. The guy I replaced was not really into documentation so I am having to do a lot of digging to sort out small issues.

Anyway, the infrastructure consists of a Server 2008 DC which also serves DNS and is used as a file and print server. It's working fine for the most part but a lot of the users are taking a long time to logon in the mornings, which seems to be getting worse. There have been a couple of users for whom renaming their local profile seems to have temporarily solved the problem.

But today it's getting worse. I just built a new Windows PC and added it to the domain, but when I tried to logon to the network it took about 15 minutes for the network selection box to drop down.

So I have done some digging on the DC (company info changed):

Code:
C:\Windows\System32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : blablabla
   Primary Dns Suffix  . . . . . . . : asabove.co.uk
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : asabove.co.uk
                                       co.uk

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-10-18-3D-5C-66
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ac:db54:3b5b:9d9b%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.253.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.253.1
   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.253.13
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

ipconfig on local machines:

Code:
Windows IP Configuration

        Host Name . . . . . . . . . . . . : blablabla
        Primary Dns Suffix  . . . . . . . : asabove.co.uk
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : asabove.co.uk
                                            asabove.co.uk
                                            co.uk

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :asabove.co.uk
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : 00-1D-09-2F-73-5F
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.253.117
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.253.1
        DHCP Server . . . . . . . . . . . : 192.168.253.7
        DNS Servers . . . . . . . . . . . : 192.168.253.7
        Primary WINS Server . . . . . . . : 192.168.253.7
        Lease Obtained. . . . . . . . . . : 10 October 2009 15:11:25
        Lease Expires . . . . . . . . . . : 18 October 2009 15:11:25

Ethernet adapter Local Area Connection 3:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        Physical Address. . . . . . . . . : 00-FF-A6-31-02-42

So on the local machines the DNS server is pointing to the DC, but on the DC the DNS server is pointing to a server that doesn't exist (192.253.168.13) as far as I can tell. Could this be causing the issues?

Where would the DNS on the DC usually point? I am going a bit mad on this one, I just can't work out the answer.

I have this batch script which I would normally run on 2k3 DC's:

Code:
rem Restart Netlogon and DNS so the DC re-registers its own service records
net stop netlogon
net stop dns
net start dns
net start netlogon
rem Clear the local resolver cache and re-register this host's DNS records
ipconfig /flushdns
ipconfig /registerdns
rem Purge and reload the NetBIOS name cache, then release and refresh WINS registrations
nbtstat -R
nbtstat -RR
pause

But I don't think this will make any difference on this server as the rogue DNS server is manually entered on the DC.

Any ideas? Sorry if these are pretty stupid questions but I am having a dumb day when it comes to my knowledge of Server 2008.
 
What was the .13 server?
The second DNS server of this new server is localhost, 127.0.0.1, but I'd have that as primary DNS server, and if there are no additional DCs on this network, no secondary DNS is warranted.

So on your primary DC,
IP 192.168.1.7
SNM 255.255.255.0
GTWY 192.168.1.1
DNS 192.168.1.7

Under DNS forwarding, you'd want either your ISP's 2 DNS servers, or better yet, use OpenDNS, 208.67.222.222 and 208.67.220.220
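A check for the DC DNS settings discussed above, as an added Python example (not code from the thread): it parses `ipconfig /all` output and flags any DNS server entry that is neither one of the server's own addresses nor loopback. The sample text is constructed to mirror the DC output in the first post.

```python
"""Flag DNS server entries on a DC that do not point back at the DC itself.
Added example, not from the thread. Input is the text of `ipconfig /all`;
the sample below is constructed to mirror the DC output in the first post.
"""
import re

LOOPBACK = {"127.0.0.1", "::1"}
FIELD_RE = re.compile(r"^\s*(.*?)[ .]*:\s*(.*)$")   # "   Key . . . : value"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")          # value-only continuation line

# Constructed sample: DC lists loopback, a dead server, then loopback again.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Link-local IPv6 Address . . . . . : fe80::1%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.253.7(Preferred)
   Default Gateway . . . . . . . . . : 192.168.253.1
   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.253.13
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_ipconfig(text):
    """Return (own_ip_addresses, dns_servers) from ipconfig /all output."""
    own, dns, in_dns = [], [], False
    for line in text.splitlines():
        cont = CONT_RE.match(line)
        if in_dns and cont:               # extra DNS servers continue on their own lines
            dns.append(cont.group(1))
            continue
        in_dns = False
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m.group(1).strip().lower()
        value = m.group(2).strip().split("(")[0]    # drop "(Preferred)"
        if key in ("ipv4 address", "ip address"):   # Server 2008 and XP spellings
            own.append(value)
        elif key == "dns servers":
            in_dns = True
            if value:
                dns.append(value)
    return own, dns

def check_dc_dns(text):
    """Return findings; an empty list means the DC only resolves through itself."""
    own, dns = parse_ipconfig(text)
    if not dns:
        return ["no DNS servers configured"]
    findings = []
    if dns[0] not in own:
        findings.append(f"first DNS server is {dns[0]}; the thread's advice is the DC's own address first")
    for server in dns:
        if server not in own and server not in LOOPBACK:
            findings.append(f"{server} is not this DC: confirm it is a live DC/DNS server or remove it")
    return findings
```

Run it against a saved `ipconfig /all > ipconfig.txt` by passing the file contents to `check_dc_dns`.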
 
Thanks I had figured the same thing. I have removed the odd server which I have since discovered was an old terminal services server which was retired a long time ago.
 
It's working fine for the most part but a lot of the users are taking a long time to logon in the mornings which seems to be getting worse.

A sure sign that the DC doesn't know to look at itself for DNS.

The DC needs to actually have its own IP address as the DNS server. You don't absolutely need forwarders, if this machine also serves up internet DNS names as well - the server will look to the root servers, but OpenDNS is a mighty nice way to go.
 
If you aren't actually using IPv6 on the 2008 server, it wouldn't hurt to disable that on the 2008 server. The ::1 is the IPv6 equivalent of 127.0.0.1, so the server was already configured to look at itself first for DNS, but your clients don't have IPv6 enabled.

The dead IP definitely should go.

Unless you are doing something with IPv6 tunneling through your IPv4 Internet connection, having IPv6 enabled is extraneous on the server side. If you are actually using it, you may want to make sure it is lower in the binding order compared to IPv4 on your NIC bindings.

And another +1 to using OpenDNS servers for your forwarders.
 
Yeah, I second that .13 DNS setting has to do with your issue. Also, since the previous guy had an invalid setting in there in the first place, I'd check the actual zones in the DNS server to make sure everything there is setup correctly.
 
I have amended the DNS settings so they should now be OK, but it's still acting weird.

For example, I built a new PC (with XP) and added it to the domain; when I go to log it in for the first time it takes about 5/10 minutes to allow me to change the domain on the login screen.

Roaming profiles are a complete mess, some users have gigabytes of data in their profiles (one guy had 22 GB!!). I have asked users to delete everything from their desktop, move all work data from My Documents to the network shares and get rid of any non-work files.

I will need to look into putting their "My Documents" on the network somewhere. It's a bit of a mess.
 
I am still having some issues with DNS and logon times on the network. Changing the DNS seemed to work but it's slowing down again.

I did some research and the old DC was also the default DNS, WINS, DHCP, TS server. It was on a different IP to the current server. Anyway today while tearing my head out over various issues I just pinged the old server for no other reason than I could.

I got a reply but this server no longer exists and as far as I can tell nothing else has picked up the IP (servers have all had IP settings manually configured and the server IP range is reserved). I can't connect to it and when I run psloggedon.exe it can't connect to the registry. Can anyone explain how this server is still responding to ping commands on name and ip?

Also I checked in the Domain Controller section in ADUAC on the main DC and the old server is also listed in there:



Is there any reason not to delete the two dead servers from that list?
 
Update: as I typed the above I just worked out where the IP of the old DC has been reused. It's now the Avaya IP Office control box.

I don't know why pinging the old DC server name would return an IP and reply.
 
You probably need to clean up the DNS records for anything regarding the DC name and the old IP address.
 
Yep, sounds like you need to do a bit of cleaning up.

First thing you want to do is clean up the remnants of those old DCs; you'll need to do that from ntdsutil.

Then I'd recommend setting a scavenge on your DNS to clean up stale records.

Next you need a bit of info on how DNS works for Active Directory. When the user logs in it looks up the DNS server for servers related to AD Authentication (LDAP, KDC, Kerberos, GC), it then tries to authenticate to the server/servers listed under these records. If your DCs haven't properly been removed then it's quite possible that there are still entries in these fields for those failed DCs.

What is the event viewer saying to all of this? I'd be surprised if it wasn't throwing up errors.

Also, do a check on DCDIAG (you need to add switches here but I can't remember them) and let us know what errors you see. I expect quite a few.
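An added Python example (not code from the thread) of the lookup described above: it reads the SRV locator records a client queries at logon from Windows `nslookup -type=SRV` output and probes each advertised DC with a TCP connect, so a DC that was switched off but never removed (like the old one in this thread) shows up as stale. The domain and host names in the embedded sample are constructed placeholders.

```python
"""Find AD locator (SRV) records that still advertise a DC which no longer answers.
Added example, not from the thread: parses Windows `nslookup -type=SRV` output
("svr hostname = ...") and reports hosts that fail a short TCP connect as stale.
Domain and host names in the sample are constructed placeholders."""
import re
import socket
import subprocess

# Locator names a client queries at logon (LDAP, KDC, GC); {d} is the AD domain.
LOCATOR_NAMES = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
                 "_gc._tcp.{d}", "_kpasswd._tcp.{d}")
PORT_RE = re.compile(r"port\s*=\s*(\d+)", re.I)
HOST_RE = re.compile(r"svr hostname\s*=\s*(\S+)", re.I)

# Constructed answer: one live DC plus a decommissioned DC still registered.
SAMPLE_NSLOOKUP = """\
_ldap._tcp.dc._msdcs.example.local      SRV service location:
          priority       = 0
          port           = 389
          svr hostname   = dcfp03.example.local
_ldap._tcp.dc._msdcs.example.local      SRV service location:
          priority       = 0
          port           = 389
          svr hostname   = svce01.example.local
"""

def parse_srv(output):
    """Return [(host, port)] from Windows nslookup SRV output."""
    records, port = [], None
    for line in output.splitlines():
        m = PORT_RE.search(line)
        if m:
            port = int(m.group(1))
        m = HOST_RE.search(line)
        if m and port is not None:
            records.append((m.group(1).rstrip("."), port))
    return records

def query_srv(name):
    # Ask the configured resolver for one locator name via nslookup.
    out = subprocess.run(["nslookup", "-type=SRV", name],
                         capture_output=True, text=True).stdout
    return parse_srv(out)

def tcp_probe(host, port, timeout=3.0):
    # True if something accepts a TCP connection on host:port within the timeout.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def find_stale(domain, lookup=query_srv, probe=tcp_probe):
    """Return [(srv_name, host, port)] for each advertised DC that does not answer."""
    stale = []
    for pattern in LOCATOR_NAMES:
        name = pattern.format(d=domain)
        for host, port in lookup(name):
            if not probe(host, port):
                stale.append((name, host, port))
    return stale
```

Call `find_stale("your.ad.domain")` on a domain member; anything it returns is a record to examine before and after the metadata cleanup.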
 
This is a mess. I have set up and managed DCs before but I have never really had to deal with this level of issues. There is no documentation so I am having to work out everything in the dark.

I really should have paid attention when I did my MCSE ;)

Anyway I ran DCDIAG /v (as it was one of the few switches I could remember).

Here are the highlights (highlights=errors). I have starred out names as they reference the company. Not that it matters much but probably best not to publish the company info all over the net.

Code:
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine ******DCFP03, is a Directory Server. 
   Home Server = ******DCFP03

   * Connecting to directory service on server ******DCFP03.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=******,DC=co,DC=uk,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=******,DC=co,DC=uk
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=******,DC=co,DC=uk,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=******SVCE01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=******,DC=co,DC=uk 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=******DCFP03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=******,DC=co,DC=uk 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 2 DC(s). Testing 1 of them.

In the above ******SVCE01 is the old domain controller (server 2000). It doesn't exist anymore.

******DCFP03 is the current DC (server 2008).

Code:
Doing primary tests

   
   Testing server: Default-First-Site-Name\******DCFP03

      Starting test: Advertising

         The DC ******DCFP03 is advertising itself as a DC and having a DS.
         The DC ******DCFP03 is advertising as an LDAP server
         The DC ******DCFP03 is advertising as having a writeable directory
         The DC ******DCFP03 is advertising as a Key Distribution Center
         The DC ******DCFP03 is advertising as a time server
         The DS ******DCFP03 is advertising as a GC.
         ......................... ******DCFP03 passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         An Warning Event occurred.  EventID: 0x800034FA

            Time Generated: 11/24/2009   22:38:41

            EvtFormatMessage failed, error 15100 Win32 Error 15100.
            (Event String (event log = File Replication Service) could not be

            retrieved, error 0x3afc)

         An Error Event occurred.  EventID: 0xC0003500

            Time Generated: 11/24/2009   22:43:41

            EvtFormatMessage failed, error 15100 Win32 Error 15100.
            (Event String (event log = File Replication Service) could not be

            retrieved, error 0x3afc)

         ......................... ******DCFP03 failed test FrsEvent

Code:
Starting test: DFSREvent

         The DFS Replication Event Log. 
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         An Error Event occurred.  EventID: 0xC00004B2

            Time Generated: 11/24/2009   22:36:13

            EvtFormatMessage failed, error 15100 Win32 Error 15100.
            (Event String (event log = DFS Replication) could not be retrieved,

            error 0x3afc)

         ......................... ******DCFP03 failed test DFSREvent

And finally for now

Code:
Starting test: Replications 
         * Replications Check
         [Replications Check,******DCFP03] A recent replication attempt failed: 
            From ******SVCE01 to ******DCFP03 
            Naming Context: CN=Schema,CN=Configuration,DC=******,DC=co,DC=uk 
            The replication generated an error (1722): 
            Win32 Error 1722 
            The failure occurred at 2009-11-25 08:50:43. 
            The last success occurred at 2009-03-04 15:54:08. 
            6396 failures have occurred since the last success. 
            [******SVCE01] DsBindWithSpnEx() failed with error 1722, 
            Win32 Error 1722.
            Printing RPC Extended Error Info: 
            Error Record 1, ProcessID is 4372
             (DcDiag)
            
               System Time is: 11/25/2009 9:48:17:176 
               Generating component is 2 (RPC runtime)
               
               Status is 1722 The RPC server is unavailable. 
               
               Detection location is 501 
               NumberOfParameters is 4 
               Unicode string: ncacn_ip_tcp 
               Unicode string: 
               cfdd79a5-ee9c-4ed5-bcc9-3c9943107b5e._msdcs.******.co.uk 
               Long val: -481213899 
               Long val: 1722 
            Error Record 2, ProcessID is 4372
             (DcDiag)
            
               System Time is: 11/25/2009 9:48:17:176 
               Generating component is 8 (winsock)
               
               Status is 1722 The RPC server is unavailable. 
               
               Detection location is 1442 
               NumberOfParameters is 1 
               Unicode string: 
               cfdd79a5-ee9c-4ed5-bcc9-3c9943107b5e._msdcs.******.co.uk 
            Error Record 3, ProcessID is 4372
             (DcDiag)
            
               System Time is: 11/25/2009 9:48:17:176 
               Generating component is 8 (winsock)
               
               Status is 1237 
               The operation could not be completed. A retry should be performed. 
               
               Detection location is 313 
            Error Record 4, ProcessID is 4372
             (DcDiag)
            
               System Time is: 11/25/2009 9:48:17:176 
               Generating component is 8 (winsock)
               
               Status is 10060 
               A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
               
               Detection location is 311 
               NumberOfParameters is 3 
               Long val: 135 
               Pointer val: 0 
               Pointer val: 0 
            Error Record 5, ProcessID is 4372
             (DcDiag)
            
               System Time is: 11/25/2009 9:48:17:176 
               Generating component is 8 (winsock)
               
               Status is 10060 
               A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
               
               Detection location is 318 
            The source remains down. Please check the machine. 
         [Replications Check,******DCFP03] A recent replication attempt failed: 
            From ******SVCE01 to ******DCFP03 
            Naming Context: CN=Configuration,DC=******,DC=co,DC=uk 
            The replication generated an error (1722): 
            Win32 Error 1722 
            The failure occurred at 2009-11-25 08:50:22. 
            The last success occurred at 2009-03-04 16:26:22. 
            6396 failures have occurred since the last success. 
            The source remains down. Please check the machine. 
         [Replications Check,******DCFP03] A recent replication attempt failed: 
            From ******SVCE01 to ******DCFP03 
            Naming Context: DC=******,DC=co,DC=uk 
            The replication generated an error (1722): 
            Win32 Error 1722 
            The failure occurred at 2009-11-25 08:50:01. 
            The last success occurred at 2009-03-04 16:27:07. 
            6396 failures have occurred since the last success. 
            The source remains down. Please check the machine. 
         ......................... ******DCFP03 failed test Replications

The most alarming part of the above section is

A recent replication attempt failed:

From ******SVCE01 to ******DCFP03

I am going to play really stupid here and ask how do I rectify this problem?
 
In DNS Manager the old DC is listed all over the place. I am very wary of just deleting these entries. What is the correct procedure?
 
I suspected someone had just switched off the old DCs and not removed them properly so all the metadata for the DCs is still in AD. DCDIAG tests basic AD connectivity to all the DCs listed in AD.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

The above link details how to remove the failed/deleted DCs using NTDSUTIL. It does work okay, I've used it before to remove a corrupted DC.
 
Thanks for that. I will have a go at removing it tomorrow evening (it's a quiet day tomorrow and Friday).

Just out of interest. What's the worst that could happen if I remove this entry?
 