Cannot ping DC, but DNS service on the box is working for all workstations

  • Question

  • A buddy of mine has a standalone 2003 Server acting as a DC, DNS, and file storage system.

    He is having drive space issues on the OS drive and one of his employees took it upon themselves to try and fix the issues......hahaha

    First they compressed the C:\ drive, then went to MSCONFIG and disabled all non-Microsoft services (although I found several essential MS services that were disabled), and defragged the HD.

    When this was done, they no longer could access the server.

    Here is the weird part. DNS is still working. I can ping from a workstation, all the PCs on the network by name and IP, but can’t ping the DC.

    If I turn off DNS on the DC, I cannot ping any workstations.

    From the DC, I can ping all the workstations on the network and access their shares.

    Authentication to the Domain from the workstations is not working obviously.

    NSLOOKUP cannot resolve the domain name or server name.

    I had a few errors from DNS on reboots that it could not establish a connection to the Active Directory, but this cleared itself up after restarting DNS a few times.

    I am assuming it might be an issue with the AD components taking longer to fully come up when DNS loads??

    I get no other errors on the system when it boots.

     

    Before I go all “scorched earth” on the system, has anyone seen this type of problem? With very few error messages to work with, finding a solution has been tedious.

     

     

    Friday, November 18, 2011 3:35 PM

Answers

  • You have entered the gateway IP address as the alternate DNS setting on the DC; remove it. Restart the Netlogon and DNS services.
    Run ipconfig /flushdns and ipconfig /registerdns.

    Enable NetBIOS over TCP setting.

    Check that the TCP/IP NetBIOS Helper, Computer Browser, Server and Workstation services are started.

    If the server is an SBS server, check that the subnet in which the client cannot ping the server is added to the firewall exception group policy.

    Have a look at this also: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/71e3a74d-accf-4b17-848e-03c5997cf767/

    Check on the DC that Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks are enabled in the NIC settings.

    Check the firewall settings in case ping responses to the DC are disabled.

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

     

    Saturday, November 19, 2011 8:18 AM
  • Here is the weird part. DNS is still working. I can ping from a workstation, all the PCs on the network by name and IP, but can’t ping the DC.

    That means that:

    • The workstations are not allowed to send ICMP requests to the server
    • or the server is not allowed to send ICMP replies to the workstations

    If you are trying to ping the DC by its DNS name then this may be a DNS resolution problem.

    If I turn off DNS on the DC, I cannot ping any workstations.

    That is because you are trying to ping them using their DNS / NetBIOS names and the DNS / NetBIOS name resolution was not made.

    Here is the IPCONFIG /ALL results:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : server1

     Primary Dns Suffix  . . . . . . . : XXXXXDOM.local

       Node Type . . . . . . . . . . . . : Unknown

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : Yes

       DNS Suffix Search List. . . . . . : XXXXXDOM.local

     

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :

       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet

       Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX

       DHCP Enabled. . . . . . . . . . . : No

       IP Address. . . . . . . . . . . . : 192.168.0.40

       Subnet Mask . . . . . . . . . . . : 255.255.255.0

       Default Gateway . . . . . . . . . : 192.168.0.1

       DNS Servers . . . . . . . . . . . : 192.168.0.40

                                                       192.168.0.1

    Please make the DC point to 192.168.0.40 as primary DNS server and 127.0.0.1 as secondary one. For public DNS resolution, add your ISP DNS servers as forwarders.

    Also, make sure that your domain zones exist (domain.com and _msdcs.domain.com). Once done, run ipconfig /registerdns and restart netlogon on the DC.

    For client computers, make them point to the DC as primary DNS server.

    Also, please disable all security software and firewalls and check again.

    I made sure all the services were restarted.

    When I try to open the Firewall control panel, I get a message saying:

    "Windows firewall cannot run because another program or service is running
    that might use the network address translation component" (Ipnat.sys)

    Looked all over for any app (virus software) or service that could be running and blocking traffic.

    We do not have a backup of the OS partition (correcting that when we get this fixed)

    Please proceed as follows:

    • Run msconfig and disable all startup items except Microsoft ones. Also, disable all non-Microsoft services
    • Uninstall all unused programs

    Once done, reboot the server and try again to start the faulty service.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Saturday, November 19, 2011 9:31 AM
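As an added example (not from this thread, and not a Microsoft tool), a small Python checker that parses the `ipconfig /all` excerpt quoted above and applies the DNS-client rules given in these two answers: the DC's primary DNS must be its own address, the only other acceptable entry is 127.0.0.1, and the default gateway must never appear in the list. The sample dump is constructed from the anonymised output in the thread; the function and label names are my own.

```python
import re

# Constructed sample: the anonymised `ipconfig /all` excerpt posted in the thread.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.0.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.40
                                       192.168.0.1
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# ipconfig labels -> field names; "IPv4 Address" covers newer Windows versions
LABELS = {"ip address": "ip", "ipv4 address": "ip",
          "default gateway": "gateway", "dns servers": "dns"}

def parse_ipconfig(text):
    """Collect IP, gateway and DNS server addresses; an indented line without
    a colon is a continuation of the previous field (e.g. a second DNS server)."""
    fields = {"ip": [], "gateway": [], "dns": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" in line:
            label, _, value = line.partition(":")
            label = label.replace(".", "").strip().lower()
            current = next((f for lab, f in LABELS.items() if label.startswith(lab)), None)
        else:
            value = line
        if current and value:
            fields[current].extend(IPV4.findall(value))
    return fields

def dns_client_findings(fields):
    """Apply the thread's rules for a DC: primary DNS is its own IP, any other
    entry is 127.0.0.1, and the default gateway is never a DNS server."""
    dns, own = fields["dns"], set(fields["ip"])
    if not dns:
        return ["no DNS servers configured"]
    findings = []
    if dns[0] not in own:
        findings.append(f"primary DNS {dns[0]} is not the DC's own address")
    for srv in dns:
        if srv in fields["gateway"]:
            findings.append(f"default gateway {srv} is listed as a DNS server")
        elif srv not in own and srv != "127.0.0.1":
            findings.append(f"{srv} is neither the DC itself nor 127.0.0.1")
    return findings
```

On the thread's dump the checker reports exactly the misconfiguration the first answer identified: the gateway 192.168.0.1 sitting in the DC's DNS server list.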

All replies

  • Hi,

    We need the "ipconfig /all" and "dcdiag /q" results of the DC. As per your description it's the only DC in the network, correct?

    Also ensure the below IP configuration on DC and clients/member servers:
    -->> Multihoming domain controllers is not recommended; it always results in multiple problems.
    ------------------------------------
    1. Domain Controllers should not be multi-homed
    2. Being a VPN Server and even simply running RRAS makes it multi-homed.
    3. DNS even just all by itself, is better on a single homed machine.
    4. Domain Controllers with the PDC Role are automatically Domain Master Browser. Master Browsers should not be multi-homed

    272294 - Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

    191611 - Symptoms of Multihomed Browsers
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    -->> IP configuration on domain controller:
    ------------------------------------------
    1. Each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers as secondary DNS in the TCP/IP properties.
    2. Each DC has just one IP address and one network adapter is enabled (disable unused NICs).
    3. If multiple NICs (enabled and disabled) are present on the server, make sure the active NIC is on top in the NIC binding order.
    4. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.

    -->> IP configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set a public DNS server in the TCP/IP settings of the workstations.

    Once you are done with above, run "ipconfig /flushdns & ipconfig /registerdns", restart DNS server and NETLOGON service on each DC.


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Friday, November 18, 2011 5:31 PM
  • Thanks for the info. I went through all the info you sent and tested. I still cannot ping the IP or DNS name.

     

    Here is the IPCONFIG /ALL results:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : server1

     Primary Dns Suffix  . . . . . . . : XXXXXDOM.local

       Node Type . . . . . . . . . . . . : Unknown

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : Yes

       DNS Suffix Search List. . . . . . : XXXXXDOM.local

     

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :

       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet

       Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX

       DHCP Enabled. . . . . . . . . . . : No

       IP Address. . . . . . . . . . . . : 192.168.0.40

       Subnet Mask . . . . . . . . . . . : 255.255.255.0

       Default Gateway . . . . . . . . . : 192.168.0.1

       DNS Servers . . . . . . . . . . . : 192.168.0.40

                                                       192.168.0.1

     

    DCDIAG /Q results:

             An Error Event occured.  EventID: 0xC004006F

                Time Generated: 11/18/2011   13:42:28

                Event String: RSM could not load media in drive Drive 0 of

             An Error Event occured.  EventID: 0xC004006F

                Time Generated: 11/18/2011   13:42:30

                Event String: RSM could not load media in drive Drive 0 of         ......................... SERVER1 failed test systemlog

     

    Friday, November 18, 2011 8:08 PM
  • Hi,

    As you said, several essential MS services were disabled. Did you start those services? I also recommend you start the other services, as some dependencies may cause this issue.

    Also open DNS console and confirm the all zones are present.

    Open Event Viewer and check the DNS Server logs. Are you getting any errors?

    One serious thing is you are unable to ping by IP address. Check the firewall setting on DC.

    Do you have a system state backup?


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Friday, November 18, 2011 8:22 PM
  • I made sure all the services were restarted.

    When I try to open the Firewall control panel, I get a message saying:

    "Windows firewall cannot run because another program or service is running
    that might use the network address translation component" (Ipnat.sys)

    Looked all over for any app (virus software) or service that could be running and blocking traffic.

    We do not have a backup of the OS partition (correcting that when we get this fixed)

     

     

    Friday, November 18, 2011 8:53 PM