Server 2008 r2, IP Changed, now DNS access denied and more...

    Question

  • So we had to change the server IP.

    Now when I try to open the DNS I get: Access was denied.

    DNS server is working partly, resolving external IPs, have internet access, BUT doesn't resolve its own name.

    1 PC lost trust relationship so I try to add it but get user name and password errors.

    Event Log Errors:

    NETLOGON 5781 

    DNS 4000

    Active Directory Web Services 1202

    Directory Service 1126 & 1655

    Windows IP Configuration
       Host Name . . . . . . . . . . . . : SERVER
       Primary Dns Suffix  . . . . . . . : DOMAIN.LOCAL
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : DOMAIN.LOCAL
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-19-B9-FE-A5-62
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::9865:fb46:acfc:9205%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.10.50(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::c2ea:e4ff:fe25:8990%11
                                           192.168.10.1
       DNS Servers . . . . . . . . . . . : fe80::9865:fb46:acfc:9205%11
                                           192.168.10.50
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{129E4CA8-941A-4D78-939C-6DC4D5D4D17B}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tuesday, May 15, 2018 2:35 AM

All replies

  • No access to DNS, can't change DNS IP in properties...


    Asi

    Tuesday, May 15, 2018 2:42 AM
  • Hi,

    Thanks for your question.

    Based on my experience, this error "Access denied" might also be due to permission issues, MMC corruption or corruption of the dll files. Make sure the account you are using is a member of the domain admin or enterprise administrator group or DNS admin group.

    Please try the following link to see if it could be of help.

    Troubleshooting DNS servers

    http://technet.microsoft.com/en-us/library/cc787724%28v=ws.10%29.aspx

    On the other hand, you could try below steps,

    1 Please type the command "net stop netlogon" & "net start netlogon" & "ipconfig /registerdns" on the DNS server to re-register AD records.

    2 Restart the DNS server and run dcdiag /test:dns to see if it works.

    Furthermore, here are articles about these events troubleshooting.

    DNS event 4000 & 4015.
    http://social.technet.microsoft.com/wiki/contents/articles/2063.dns-stops-working-on-windows-server-2008-dns-event-id-4000-4015-and-userenv-event-id-1053-1054-dsforum2wiki.aspx

    Event ID 1202 - SceCli on Domain Controllers

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/aa407f63-3b4f-41b2-ae2d-7904bc44a8ee/event-id-1202-scecli-on-domain-controllers?forum=winserverDS

    Netlogon eventid 5781

    https://social.technet.microsoft.com/Forums/windows/en-US/1a79f8ec-6aa6-4313-8b20-c43a90f711fa/netlogon-eventid-5781?forum=winserverNIS

    Getting event errors in active directory 1126 and 1655 - Can't contact GC

    https://community.spiceworks.com/topic/850262-getting-event-errors-in-active-directory-1126-and-1655-can-t-contact-gc

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope this helps. I look forward to hearing your good news. If you have any questions, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, May 16, 2018 4:07 AM
  • Hi,

    How are things going on? Was your issue resolved?

    If you would like further assistance, please feel free to feed back.

    Have a nice day!

    Best regards,

    Michael



    Thursday, May 17, 2018 8:39 AM
  • Hi,

    Thank you for checking. Still the same; we actually ordered a new box, going to Server 2016.

    I would love to try to resolve the issue.

    DCDIAG result.. 

    C:\Users\Administrator>dcdiag /test:dns

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = SERVER
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\SERVER
          Starting test: Connectivity
             The host edf3d145-e2a5-484a-8a50-08a40fde627f._msdcs.DOMAIN.LOCAL
             could not be resolved to an IP address. Check the DNS server, DHCP,
             server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... SERVER failed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\SERVER

          Starting test: DNS

             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... SERVER failed test DNS

       Running partition tests on : ForestDnsZones

       Running partition tests on : DomainDnsZones

       Running partition tests on : Schema

       Running partition tests on : Configuration

       Running partition tests on : DOMAIN

       Running enterprise tests on : DOMAIN.LOCAL
          Starting test: DNS
             Test results for domain controllers:

                DC: SERVER.DOMAIN.LOCAL
                Domain: DOMAIN.LOCAL


                   TEST: Basic (Basc)
                      Error: No LDAP connectivity
                      Warning: adapter
                      [00000007] Broadcom NetXtreme Gigabit Ethernet has invalid
                      DNS server: 192.168.10.50 (SERVER)
                      Error: all DNS servers are invalid
                      No host records (A or AAAA) were found for this DC
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS
                      server is running)

             Summary of test results for DNS servers used by the above domain
             controllers:

                DNS server: 192.168.10.50 (SERVER)
                   1 test failure on this DNS server
                   Name resolution is not functional. _ldap._tcp.DOMAIN.LOCAL.
                   failed on the DNS server 192.168.10.50

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: DOMAIN.LOCAL
                   SERVER                       PASS FAIL n/a  n/a  n/a  n/a  n/a

             ......................... DOMAIN.LOCAL failed test DNS



    Asi

    Thursday, May 17, 2018 7:45 PM
  • Got

    The following active directory domain services error occurred: An internal error occurred.

    When I try to add DnsAdmin.


    Asi


    • Edited by Asi_av Thursday, May 17, 2018 7:54 PM
    Thursday, May 17, 2018 7:53 PM
  • Hi,

    Thanks for your update.

    I see that SERVER failed test Connectivity..SERVER failed test DNS..DOMAIN.LOCAL failed test DNS.

    It seems that your Active Directory Integrated DNS zone is corrupted.

    Any change before this issue?

    Run the command DCDIAG /FIX on the server to see if it could be resolved.

    If the issue persists, I suggest you restore the ADI-DNS zone from the backup file (.dns); please refer to the following article:

    https://social.technet.microsoft.com/wiki/contents/articles/24227.backup-restore-adi-dns-zone.aspx

    After the restore is accomplished, we'll run the following again:

    1 Please type the command "net stop netlogon" & "net start netlogon" & "ipconfig /registerdns" on the DNS server to re-register AD records.

    2 Restart the DNS server and run dcdiag /test:dns to see if it works.

    Please remember we'll need to take a full system backup of the server before proceeding with this restore, in case any unexpected disaster happens.

    Best regards,

    Michael




    Friday, May 18, 2018 12:47 PM
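
Reading the dcdiag verdicts the way the reply above does, as an added example (not part of the thread and not a Microsoft tool): a small Python parser that pulls the failed tests, the unresolved DC names and the DNS summary matrix out of dcdiag text. The sample is abridged from the output posted in this thread; the function and field names are this example's own.

```python
import re

# Constructed sample, abridged from the two dcdiag outputs posted in this thread.
SAMPLE = """\
      Starting test: Connectivity
         The host edf3d145-e2a5-484a-8a50-08a40fde627f._msdcs.DOMAIN.LOCAL
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         ......................... SERVER failed test Connectivity
      Starting test: DNS
         ......................... SERVER failed test DNS
         ......................... ForestDnsZones passed test
         CrossRefValidation
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: DOMAIN.LOCAL
               SERVER                       PASS FAIL n/a  n/a  n/a  n/a  n/a
         ......................... DOMAIN.LOCAL failed test DNS
"""

RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
UNRESOLVED = re.compile(r"The host\s+(\S+)\s+could not be resolved")
COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
CELLS = {"PASS", "FAIL", "WARN", "n/a"}

def parse_dcdiag(text):
    """Summarise dcdiag output: verdict lines, unresolved names, DNS matrix."""
    report = {"failed": [], "passed": [], "unresolved": [], "dns_matrix": {}}
    # \s+ also matches newlines, so verdicts wrapped by the console still parse.
    for subject, verdict, test in RESULT.findall(text):
        report[verdict].append((subject, test))
    report["unresolved"] = UNRESOLVED.findall(text)
    in_matrix = False
    for line in text.splitlines():
        tokens = line.split()
        if tokens == COLUMNS:          # header row of the DNS summary table
            in_matrix = True
        elif in_matrix and len(tokens) == 8 and set(tokens[1:]) <= CELLS:
            report["dns_matrix"][tokens[0]] = dict(zip(COLUMNS, tokens[1:]))
    return report

if __name__ == "__main__":
    r = parse_dcdiag(SAMPLE)
    for subject, test in r["failed"]:
        print("FAILED", subject, test)
    for host in r["unresolved"]:
        print("UNRESOLVED", host)
```
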
  • C:\Users\Administrator>DCDIAG /FIX

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = SERVER
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\SERVER
          Starting test: Connectivity
             The host edf3d145-e2a5-484a-8a50-08a40fde627f._msdcs.DOMAIN.LOCAL
             could not be resolved to an IP address. Check the DNS server, DHCP,
             server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... SERVER failed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\SERVER
          Skipping all tests, because server SERVER is not responding to directory
          service requests.


       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : DOMAIN
          Starting test: CheckSDRefDom
             ......................... DOMAIN passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DOMAIN passed test CrossRefValidation

       Running enterprise tests on : DOMAIN.LOCAL
          Starting test: LocatorCheck
             ......................... DOMAIN.LOCAL passed test LocatorCheck
          Starting test: Intersite
             ......................... DOMAIN.LOCAL passed test Intersite


    Asi


    • Edited by Asi_av Saturday, May 19, 2018 1:44 AM
    Friday, May 18, 2018 1:25 PM
  • I tried to back up:

    Backup ADI Zone using DNSCMD. Here is the command.

    DnsCmd got-003/ZoneExport msft.org msft.org.bak 

     

    Got this error:

    Command failed:  RPC_S_SERVER_UNAVAILABLE     1722    0x6BA


    Asi

    Friday, May 18, 2018 1:39 PM
  • Hi,

    Sorry for my delay.

    It signifies that the RPC service was unavailable. Please check the two things on our DC.

    1. Type services.msc on RUN.exe to check that the RPC service and its dependencies are running (started), and change the startup type to Automatic as in the following figure.

    2. Please check Windows Firewall and Anti-virus software on the DC. We'll need to make sure that AD services such as RPC, LDAP are allowed in the settings of Windows Firewall or Anti-virus software as below.

    For testing purposes, we had best turn off the firewall temporarily.

    Hope this helps. I look forward to hearing your good news. Highly appreciate your effort and time.

    Best regards,

    Michael



    Wednesday, May 23, 2018 7:58 AM