Wednesday, July 23, 2008 11:58 PMHi all,
I have recently set up a very simple (single DC) Windows Server 2008 Active Directory domain. In an attempt to avoid DNS naming headaches, the domain was given the existing DNS name under our control (call it contoso.com). I set up the existing BIND DNS servers (the primary called dns1.contoso.com) to allow dynamic updates to the new child zones _tcp, _udp, _sites, and _msdcs, and added an A record for the domain controller (call it dc.contoso.com). This was done loosely following guidance provided here: http://www.usg.edu/oiit/re/re02/proceedings/bind_dns.pdf .
I subsequently noticed a few oddities. For instance, the DC pauses at "Applying Computer Settings..." for over a minute when the server is first coming up. Looking in the logs, I see among others these Administrative Events (in ascending chronological order):
Event ID: 40960
The Security System detected an authentication error for the server DNS/dns1.contoso.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Event ID: 40960
The Security System detected an authentication error for the server LDAP/Localhost. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
Event ID: 40960
The Security System detected an authentication error for the server DNS/DC.contoso.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Event ID: 40960
The Security System detected an authentication error for the server DNS/DC. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Event ID: 1202
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Error: 160 (One or more arguments are not correct.)
Event ID: 6006
The winlogon notification subscriber <GPClient> took 87 second(s) to handle the notification event (CreateSession).
First, are any of these errors/warnings problematic? Second, are any related to the fact that the DNS name contoso.com resolves to our department's web server, and not dc.contoso.com's IP (and that's nonnegotiable). I know that contoso.com is used by non-SRV-aware DNS lookups, but in a Windows 2000/XP/Vista/2008 environment are any such DNS lookups made? (If so, are any important?) DCDiag is happy except for the system log check and warning about the error in the DFSR log. I should also note that in Windows explorer, \\contoso.com\sysvol is browsable from both server and client, but just \\contoso.com\ is not (I think the latter should show me the server's shares...).
What I'm trying to get at is whether or not I need to pull my AD domain into a separate DNS subdomain (e.g., ad.contoso.com)... is that what everyone else does? If so, what is the standard subdomain name (ad.parentdomain.com?)?
Thanks so much!
- Edited by Scott222 Thursday, July 24, 2008 12:02 AM Clarification
Monday, July 28, 2008 9:42 AMModerator
I would like to confirm whether the events only occur after the server has been rebooted or happen at a regular interval. Is the BIND server joined the domain?
Generally speaking, you do not need to pull the AD domain into a separate DNS subdomain if the BIND server that hosts the zone contoso.com is under your control. For your reference, here is an article about how to deploy BIND to support Active Directory:
Configuring Berkeley Internet Name Domain (BIND) to Support Active Directory
Additionally, I suggest checking the following:
1. Verify the following service is correctly configured:
RPC Locator service: Stopped, Manual
DHCP Client server: Started, Automatic
2. Make sure that the DNS server support secure dynamic update.
3. Verify the DNS server is properly configured:
1) Open Command Prompt, type nslookup, and then press Enter.
2) Type set type=all, and then press Enter.
3) Type _ldap._tcp.dc._msdcs.contoso.com, and then press Enter to check the result.
4. Verify the necessary SPNs are registered, based on the information in the event description.
Saturday, August 02, 2008 12:02 AM
Thanks so much for your response. (Sorry, I missed the thread reply notification.) I've gone through and checked everything you suggested.
First, those events do occur only on rebooting; I've seen no recurrence outside of that event. DFSR, for instance, consistently reports success in setting itself up 5 minutes after boot.
The RPC Locator and DHCP Client services are configured as you suggest.
The DNS server isn't configured for truly secured dynamic update; it just uses IP address restrictions. This is obviously a security risk, but a limited one in my environment, and only the AD _zones are allowed to update dynamically. Besides that, it does seem properly configured. An nslookup on the _ldap._tcp.dc._msdcs.contoso.com looks fine, and yields:
Default Server: dns1.contoso.com
> set type=all
_ldap._tcp.dc._msdcs.contoso.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC.contoso.com
_tcp.contoso.com nameserver = dns1.contoso.com
DC.contoso.com internet address = 192.168.0.20
dns1.contoso.com internet address = 192.168.0.95
As for the SPNs, I'm not sure how to check that they're registered, or even which to check! I'm not very familiar with them... I think you're right, though, about the errors possibly being a Kerberos configuration issue. (That sounds dumb, but it didn't really occur to me. : )
I think I really have two (probably separate) issues here:
1. Is it required that the DNS A record contoso.com point to DC.contoso.com? Because in my caase, it doesn't and can't. The documentation I've read (including among other things the link you provided) has either not mentioned this record at all or said that it's for legacy applications that don't support SRV records... so I'm thinking the answer is "probably not".
2. What's breaking on start-up that these Kerberos errors crop up on reboot? I think that's why the GPClient is hanging... because it can't authenticate to get to the SYSVOL share, but I don't know why. (Initially I thought it couldn't get to SYSVOL because it was trying \\contoso.com\SYSVOL, and as mentioned above, contoso.com is registered in DNS to our web server. But, after I logon it can get to sysvol using that path, so I don't think that's the issue.)
Any more thoughts or pointers on this? Is it even something I need to worry about? Thanks again, I really appreciate it!