Issues with registering SRV records, Domain/DNS not working properly

  • Question

  • 

    Having major issues at a school where I work, can anyone give me any pointers?

    DNS seems to be the culprit, as we lost our Apple magic triangle too.

    I recently demoted a domain controller that was running DHCP and all hell broke loose.

    Please help! Here's the DCDIAG:


    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = 80xxxxxx
       * Identified AD Forest. 
       Done gathering initial info.

    Doing initial required tests
       
       Testing server: Default-First-Site-Name\80xxxxxx
          Starting test: Connectivity
             The host
             4e4892a5-b03a-4e78-984d-8fa8a9670eb6._msdcs.mxxxxxxxxxxxxxxxxxxx could
             not be resolved to an IP address. Check the DNS server, DHCP, server
             name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... 80xxxxxx failed test Connectivity

    Doing primary tests
       
       Testing server: Default-First-Site-Name\80xxxxxx
          Skipping all tests, because server 80xxxxxx is not responding to
          directory service requests.
       
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       
       Running partition tests on : mentone-girls-sc
          Starting test: CheckSDRefDom
             ......................... mentone-girls-sc passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... mentone-girls-sc passed test
             CrossRefValidation
       
       Running enterprise tests on : mxxxxxxxxxxxxxxxxxxx
          Starting test: LocatorCheck
             ......................... mxxxxxxxxxxxxxxxxxxx passed test
             LocatorCheck
          Starting test: Intersite
             ......................... mxxxxxxxxxxxxxxxxxxx passed test Intersite


    • Edited by Luke Bayley Wednesday, April 25, 2018 8:42 AM
    Wednesday, April 25, 2018 8:08 AM

Answers

  • Hi,

    To anyone that is interested, this fixed my problem:

    According to your description, I understand that your Windows 2008 server keeps receiving Event ID: 5774.

    These events are typically logged with other events that may give clues to the problem. In general, these events indicate that the machine is unable to register its records with the DNS server it's configured to register with.

    Please check whether the following steps fix your issue.

    1. On the machine logging the above event, in its TCP/IP configuration, make sure it's not configured for the same DNS server for both Primary and Secondary.

    2. The following registry value is incorrect: "SiteCoverage" under:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
        This value typically should equal the domain name.

    3. Change the zone type from Active Directory integrated to "Standard Primary", then stop & start DNS. Then stop & start the Netlogon service on the child DC & verify that the records are registered. If so, then change the zone type back to Active Directory integrated and verify that the DC no longer records the Event log errors when the Netlogon service is stopped & started.

    4. Make sure the machine logging the above event is pointing to a DNS server that supports dynamic updates and is hosting a zone for the domain (i.e. make sure it's not pointing to the ISP's DNS server).

    5. Verify whether there is a CNAME (or other record) for the same hostname that was manually entered and is preventing a dynamic host registration. Remove the manual record.

    6. Parent / child domain. The above event was logged on the domain controllers in the child domain.
        Setup:
        On the parent DNS servers, there is a delegation down to the child DNS servers. The child DNS servers have forwarders up to the parent DNS servers.
        Cause and Fix:
        On the Security tab in the delegations, check if "Authenticated Users" is missing.
        Add "Authenticated Users" and enable Full Control.

    7. Domain Controller Generates a Netlogon Error Event ID 5774

        http://support.microsoft.com/?id=284963

    Best Regards,

    Wilson Jia


    • Marked as answer by Luke Bayley Friday, May 18, 2018 6:12 AM
    Monday, May 7, 2018 10:46 PM

All replies

  • Hi,

    Is it possible to have more information regarding the topology (Number of DCs/DNS) ?

    The first thing you can try is to check whether the record listed "4e4892a5-b03a-4e78-984d-8fa8a9670eb6._msdcs" exists on your DNS servers and whether you have a host record for the server.

    Best Regards,

    Wednesday, April 25, 2018 10:25 AM
  • Hi,

    Thank you for the reply.

    Details: 2 DNS servers running AD-integrated DNS.

    What zone should the 4e4892a5-b03a-4e78-984d-8fa8a9670eb6._msdcs server record be in? CNAME or A record?

    It's very strange indeed: lookups are working fine on domain machines and member servers, but I can't look up anything on the DNS servers.

    Directory services seem to be working as domain users can log in. 

    Wednesday, April 25, 2018 10:20 PM
  • Been digging around more and it looks like a faulty FSMO role:

    This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
     
    Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
     
    FSMO Role: CN=Partitions,CN=Configuration,DC=mxxxxxxxxxx,DC=wan 
     
    User Action: 
     
    1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
    2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
    3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
     
    The following operations may be impacted: 
    Schema: You will no longer be able to modify the schema for this forest. 
    Domain Naming: You will no longer be able to add or remove domains from this forest. 
    PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
    RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
    Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

    Wednesday, April 25, 2018 11:57 PM
  • Normally you should find the 4e4892a5-b03a-4e78-984d-8fa8a9670eb6 record in the zone _msdcs.mxxxxxxxxxx.wan.

    This record should be a CNAME to the FQDN of one domain controller. After that you should verify that you have an A record for this domain controller.

    OK, so you have an issue with the initial synchronization. How did you demote your domain controller?

    Best Regards,

    Thursday, April 26, 2018 6:32 AM
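    The reply above describes the chain dcdiag's Connectivity test walks (DSA GUID CNAME in _msdcs, then the DC's A record), and the accepted answer lists client-side checks (no duplicate DNS servers, a DNS server that hosts the zone, the Netlogon SiteCoverage value, recent Event ID 5774 entries). The script below is an added example written for this thread, not code from any poster or from Microsoft; it assumes it is run on the affected DC with administrative rights and RSAT (the ActiveDirectory and DnsClient modules) installed, and pulls the DSA GUID, forest and domain names from AD at run time rather than from this thread.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
# Added example for this thread (not the posters' code). Run on the DC itself.

function Get-DcDnsFacts {
    # Names and the DSA GUID (objectGUID of the NTDS Settings object) come from AD.
    $dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    [pscustomobject]@{
        HostName = [string]$dc.HostName
        Domain   = [string]$dc.Domain
        Forest   = [string](Get-ADForest).RootDomain
        DsaGuid  = $ntds.ObjectGUID.Guid
    }
}

function Test-DnsClientConfig {
    param([string]$Domain)
    $nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($nic in $nics) {
        $servers = $nic.ServerAddresses
        # Accepted answer, step 1: primary and secondary DNS must not be the same server.
        if (($servers | Select-Object -Unique).Count -ne $servers.Count) {
            Write-Warning "$($nic.InterfaceAlias): duplicate DNS server entries ($($servers -join ', '))"
        }
        # Step 4: each configured server should answer authoritatively for the domain;
        # an ISP resolver will not know an internal zone.
        foreach ($ip in $servers) {
            try {
                $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $ip -DnsOnly -ErrorAction Stop
                Write-Host "$($nic.InterfaceAlias): $ip answers SOA for $Domain (primary $($soa[0].PrimaryServer))"
            } catch {
                Write-Warning "$($nic.InterfaceAlias): $ip does not answer SOA for $Domain; check that it hosts the zone"
            }
        }
    }
}

function Get-SiteCoverage {
    # Step 2: report the Netlogon SiteCoverage value; absent means automatic site coverage.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key -Name SiteCoverage -ErrorAction SilentlyContinue
    if ($null -eq $p) { 'SiteCoverage: not set (automatic)' } else { "SiteCoverage: $($p.SiteCoverage -join ', ')" }
}

function Test-DcRegistration {
    param($Facts, [string]$DnsServer)
    $results   = [ordered]@{}
    $cnameName = "$($Facts.DsaGuid)._msdcs.$($Facts.Forest)"
    try {
        # The GUID CNAME must point at this DC's FQDN, and that FQDN must have an A record.
        $cname = Resolve-DnsName -Name $cnameName -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction Stop |
                 Where-Object Type -eq 'CNAME'
        $results.Cname          = $cname.NameHost
        $results.CnameMatchesDc = ($cname.NameHost -ieq $Facts.HostName)
        $a = Resolve-DnsName -Name $cname.NameHost -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
             Where-Object Type -eq 'A'
        $results.ARecord = $a.IPAddress -join ', '
    } catch {
        $results.Cname = "MISSING: $cnameName ($($_.Exception.Message))"
    }
    # SRV records Netlogon registers; this DC's FQDN should appear among the targets.
    foreach ($srv in "_ldap._tcp.dc._msdcs.$($Facts.Domain)", "_kerberos._tcp.$($Facts.Domain)") {
        try {
            $targets = (Resolve-DnsName -Name $srv -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                        Where-Object Type -eq 'SRV').NameTarget
            $results[$srv] = if ($targets -icontains $Facts.HostName) { 'registered' }
                             else { "this DC absent (targets: $($targets -join ', '))" }
        } catch {
            $results[$srv] = "no answer ($($_.Exception.Message))"
        }
    }
    [pscustomobject]$results
}

function Get-RecentNetlogonDnsErrors {
    # Event ID 5774: Netlogon could not register a DNS record (the event from the accepted answer).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5774 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$facts = Get-DcDnsFacts
"Checking $($facts.HostName) (DSA GUID $($facts.DsaGuid)) in forest $($facts.Forest)"
Test-DnsClientConfig -Domain $facts.Domain
Get-SiteCoverage
$firstDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses.Count -gt 0 } | Select-Object -First 1).ServerAddresses[0]
Test-DcRegistration -Facts $facts -DnsServer $firstDns | Format-List
Get-RecentNetlogonDnsErrors | Format-Table -AutoSize
# After correcting the client config or removing a stale manual record (step 5),
# force re-registration and re-check:  Restart-Service Netlogon; nltest /dsregdns
```

    Only the first configured DNS server is queried for the registration chain; point `-DnsServer` at each AD DNS server in turn when, as in this thread, two AD-integrated servers may hold different views of the zone.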
  • Hey guys, worked on this for a good 30 hours and could not get this going. Thank god for Veeam and regular backups. The domain is functioning again, but can't pass dcdiag tests at all... Replication seems to be working via NetBIOS name only.

    Lookups from clients are working OK.

    Our AD bound macs are now also working again. 

    I demoted the domain controller using the wizard, but also had to perform a metadata cleanup.



    Friday, April 27, 2018 8:53 AM