Interpreting netlogon errors

  • Question

  • I've gone through a whole range of scenarios/fixes for this problem, but I can't seem to fully pinpoint the cause. So I'm hoping someone here might have some insight.

    Problem:

    Clients (Windows 7, both physical and VDI) are able to log on, but aren't getting policies between 10 and 30% of the time.

    DCs are 2003 and 2008 R2. (Two or three in each site, three sites).

    What I've done:

    - Gone over DNS setup and verified that everything is correct. No old entries, no missing entries (that I can see).

    - Run dcdiag, which gives the A-OK; not a single error.

    - Tried setting policies to wait for network on startup, even the dial-up wait policy.

    - Enabled netlogon logging for both DCs and clients (VDI)

    - Verified that total queries received/sec and sent/sec are in line in perfmon on the main DC (2008 R2, holding all FSMO roles)

    What I see:

    - Netlogon on clients gives a whole bunch of these:

    [CRITICAL] NetpDcGetNameIp: (Primary DC): No data returned from DnsQuery.

    [MISC] NetpDcGetName: NetpDcGetNameIp returned 1355
    [CRITICAL] NetpDcGetName: (Primary DC): IP and Netbios are both done.
    [MISC] DsGetDcName function returns 1355: Dom:(Primary DC).domain.local Acct:(null) Flags: LDAPONLY RET_DNS 
    [SITE] DsrGetSiteName: Returning site name '(Primary site)' from local cache.
    [MISC] DsGetDcName function called: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS 
    [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
    [MISC] NetpDcGetName: domain.local using cached information
    [MISC] DsGetDcName function returns 0: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS 

    Particularly "using cached information" is repeated. So I'm interpreting this as it using a whole lot of cached info due to not getting anything from DNS.

    - Netlogon on DC holds a zillion of these:

    [MAILSLOT] (domain): Ping response 'Sam Logon Response Ex' (null) to \\(file server) Site: (Primary site) on UDP LDAP
    [MAILSLOT] Received ping from (file server).domain.local. (null) on UDP LDAP

    These:

    [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1

    And these:

    [MAILSLOT] Received ping from (Primary DC) (secondary dc).domain.local (null) on <Local>
    [CRITICAL] Ping from (Primary DC) for domain (secondary dc).domain.local (null) for (null) on <Local> is invalid since we don't host the named domain.
    [CRITICAL] NetpDcGetNameIp: (secondary dc).domain.local: No data returned from DnsQuery.

    [MISC] (Domain): DsGetDcName function returns 1355: Dom:(Primary DC) Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS 

    This is very obvious in the VDI environment, as profiles aren't roaming and users aren't getting their desktops and files.

    Beyond it being a possible performance problem (this is all virtual/VMWare based), I'm stumped at this point.


    Tuesday, November 20, 2012 9:28 AM
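As an added example (not code from the question or from any reply in the thread), a small Python triage script that tallies the locator events quoted above from a netlogon.log: DsGetDcName return codes per requested name, DnsQuery lookups that returned no data, names answered from the locator cache, and the DC-side "invalid since we don't host the named domain" pings. The sample log is constructed from the quoted lines with pdc01 as a placeholder host; the optional process-id field that later Windows builds put after the timestamp is tolerated but assumed, not taken from the page.

```python
import re
from collections import Counter

# Win32 codes DsGetDcName commonly reports in netlogon.log (names from winerror.h)
WIN32_ERRORS = {0: "ERROR_SUCCESS", 1311: "ERROR_NO_LOGON_SERVERS",
                1355: "ERROR_NO_SUCH_DOMAIN", 1722: "RPC_S_SERVER_UNAVAILABLE"}

LINE_RE = re.compile(
    r"^(?:(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d)\s+)?"  # optional "MM/DD HH:MM:SS"
    r"(?:\[\d+\]\s+)?"                           # optional [pid] on newer builds (assumed)
    r"\[(?P<cat>[A-Z]+)\]\s+(?P<msg>.*)$")
# What each counter keys on: (domain asked for, code) for returns, otherwise the
# captured name (DNS name that returned no data, cached domain, or ping sender).
PATTERNS = (
    ("returns", re.compile(r"DsGetDcName function returns (\d+): Dom:(\S+)")),
    ("dns_failures", re.compile(r"NetpDcGetNameIp: (.+?): No data returned from DnsQuery")),
    ("cache_hits", re.compile(r"NetpDcGetName: (\S+) using cached information")),
    ("invalid_pings", re.compile(r"Ping from (\S+) .*is invalid since we don't host the named domain")),
)


def describe_code(code):
    """Map a DsGetDcName return code to its winerror.h name."""
    return WIN32_ERRORS.get(code, "UNKNOWN_%d" % code)


def parse_line(line):
    """Split one netlogon.log line into (category, message); None if not a log line."""
    m = LINE_RE.match(line.strip())
    return (m.group("cat"), m.group("msg")) if m else None


def summarize(lines):
    """Count the DC-locator events that matter when DsGetDcName is failing."""
    s = {key: Counter() for key, _ in PATTERNS}
    s["critical"] = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        cat, msg = parsed
        if cat == "CRITICAL":
            s["critical"] += 1
        for key, rx in PATTERNS:
            m = rx.search(msg)
            if m:
                s[key][(m.group(2), int(m.group(1))) if key == "returns" else m.group(1)] += 1
                break
    return s


def findings(summary):
    """Turn the counters into the one-line statements you would paste into a ticket."""
    out = []
    for (dom, code), n in sorted(summary["returns"].items()):
        if code != 0:
            out.append("DsGetDcName(%s) failed %d time(s): %d %s" % (dom, n, code, describe_code(code)))
    for name, n in summary["dns_failures"].items():
        out.append("DnsQuery returned no data for %s %d time(s)" % (name, n))
    for dom, n in summary["cache_hits"].items():
        # A cache hit means the locator answered without asking DNS, so the
        # "returns 0" logged right after it says nothing about DNS health.
        out.append("%s answered from the locator cache %d time(s)" % (dom, n))
    for sender, n in summary["invalid_pings"].items():
        out.append("DC rejected %d LDAP ping(s) from %s for a domain it does not host" % (n, sender))
    return out


# Constructed sample in netlogon.log format, modelled on the lines quoted in the
# question; pdc01 is a placeholder, not the poster's host name.
SAMPLE_LOG = """\
11/20 09:01:02 [CRITICAL] NetpDcGetNameIp: pdc01.domain.local: No data returned from DnsQuery.
11/20 09:01:02 [MISC] NetpDcGetName: NetpDcGetNameIp returned 1355
11/20 09:01:02 [MISC] DsGetDcName function returns 1355: Dom:pdc01.domain.local Acct:(null) Flags: LDAPONLY RET_DNS
11/20 09:01:02 [MISC] DsGetDcName function called: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS
11/20 09:01:02 [MISC] NetpDcGetName: domain.local using cached information
11/20 09:01:02 [MISC] DsGetDcName function returns 0: Dom:domain.local Acct:(null) Flags: LDAPONLY RET_DNS
11/21 19:19:25 [MAILSLOT] Received ping from pdc01 (null) (null) on <Local>
11/21 19:19:25 [CRITICAL] Ping from pdc01 for domain (null) pdc01 for (null) on <Local> is invalid since we don't host the named domain
"""

if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against a real %SystemRoot%\debug\netlogon.log by passing the file's lines to summarize(); the counters separate a one-off lookup miss from a client that is living off its locator cache.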

Answers

  • [CRITICAL] NetpDcGetNameIp: (Primary DC): No data returned from DnsQuery.

    The above indicates a resolution issue.

    Is the 2008 R2 DNS server the first DNS in the NIC entries? Are the 2008 R2 DCs SP1?

    Have you installed the hotfixes?

    DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2 - Post Windows 2008 R2 SP1 HOTFIX available.
    Article ID: 2616776 - Last Review: October 12, 2011. APPLIES TO: Windows 2008 R2 Datacenter, Windows 2008 R2 Ent, Windows 2008 R2 Std
    Requires a restart.
    http://support.microsoft.com/kb/2616776

    DNS queries for external domains are not resolved when you use Conditional Forwarding in Windows Server 2008 - Post Windows 2008 SP2 Hotfix available
    Requires a restart.
    http://support.microsoft.com/kb/2625735/

    DNS server stops responding to DNS queries from client computers in Windows Server 2003, in Windows Server 2008 or in Windows Server 2008 R2 - Post Service Pack Hotfix available.
    "This issue occurs because the DNS Server service enters an infinite loop when the DNS Server service generates a DNS response. The infinite loop occurs if the DNS Server service encounters an offset that points to the previous location that the DNS Server service was checking."
    Does not require a restart.
    http://support.microsoft.com/kb/2655960

    Windows Server 2008 and Windows Server 2008 R2 DNS Servers may fail to resolve queries for some top-level domains
    http://support.microsoft.com/kb/968372

    DNS Server service does not resolve some external DNS names after it works for a while in Windows Server 2008 R2
    Hotfix release - (released 4/15/2011)
    http://support.microsoft.com/kb/2508835

    .

    Is IPv6 disabled? That may cause it, too.

    .

    Run DNSLINT to make sure all NS and SOA records are correct, since those records are used in the DNS registration process, among other things.

    Description of the DNSLint utility
    http://support.microsoft.com/kb/321045?wa=wsignin1.0

    .

    Errors in both DC's event logs? Check all Event logs including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.

    .

    Lastly, are all machines time synched with the forest root PDC?


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, November 21, 2012 5:26 AM
  • It's suggested to make all DCs GCs.

    Are any of the DCs multihomed?

    The DNS console screenshot doesn't tell us much other than you have three sites and there is a .local zone and the _msdcs zone; at least that part is good.

    Let's check for duplicate zones - at least eliminate this as a possible cause:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones 
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    .

    If unable to share configuration data in the public forum due to security concerns, which I very well understand, then if I may suggest, you can contact Microsoft CSS:
    http://support.microsoft.com/contactus/

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, November 21, 2012 5:49 PM
  • None of the DCs are multihomed, and no conflicting/duplicate dns zones. This is getting more and more head-scratching.

    Could you help me identify what this means?

    11/21 19:19:25 [MAILSLOT] Received ping from (PDC) (null) (null) on <Local>

    11/21 19:19:25 [CRITICAL] Ping from (PDC) for domain (null) (PDC) for (null) on <Local> is invalid since we don't host the named domain

    It seems to me like it's trying to find itself, but is unable to, or do the (null) entries indicate that it's trying netbios, which is misinterpreted?

    Also, decommissioned the oldest 2003 DC, and made the remaining one GC as well. No difference.

    These codes are usually reserved for Microsoft Support for diagnosis, but they are listed in this link:

    6.3.3.2 Domain Controller Response to an LDAP Ping
    http://msdn.microsoft.com/en-us/library/cc223813(v=prot.20).aspx

    .

    However, simply looking at it, it is saying the DC is not responding to an LDAP ping, which is not good.

    .

    And if you're getting the following message on the 2008 R2 server, which reading through your posts happens to be the PDC Emulator, then my take on it is that this server is not responding, and as Sean is implying, maybe it lost its secure channel, but to add, I think the DC is no longer participating in AD communications.

    Could it be a DNS lookup issue? From your previous posts, yes.
    What could have caused it? Good question. Things such as antivirus software not properly configured with AD exclusions, lack of the DNS hotfixes installed, Windows firewall, some sort of policy (such as IPsec) or security settings changes (GPO?) applied to the machine could be causing it.

    At this point, it's safe to say you'll probably have to forcibly remove this DC from the environment, run a metadata cleanup and remove other references, seize the FSMOs to the 2003 DC, then rebuild it. This time, just in case it was a factor, remove any antivirus, disable the Windows firewall, etc., making it just a plain-Jane machine with nothing else on it, then promote it.

    This will help clean it up:

    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, cleanup DNS (Nameserver tab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.)
    Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    .

    As for the DNS hotfixes:

    DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2 - Post Windows 2008 R2 SP1 HOTFIX available.
    Article ID: 2616776 - Last Review: October 12, 2011, APPLIES TO •Windows 2008 R2 Datacenter •Windows 2008 R2 Ent •Windows 2008 R2 Std
    Requires a restart.
    http://support.microsoft.com/kb/2616776

    DNS queries for external domains are not resolved when you use Conditional Forwarding in Windows Server 2008 - Post Windows 2008 SP2 Hotfix available
    Requires a restart.
    http://support.microsoft.com/kb/2625735/

    DNS server stops responding to DNS queries from client computers in in Windows Server 2003, in Windows Server 2008 or in Windows Server 2008 R2 - Post Service Pack Hotfix available.
    Does not require a restart.
    http://support.microsoft.com/kb/2655960

    DNS Server service does not resolve some external DNS names after it works for a while in Windows Server 2008 R2
    Hotfix release - (released 4/15/2011)
    http://support.microsoft.com/kb/2508835

    Windows Server 2008 and Windows Server 2008 R2 DNS Servers may fail to resolve queries for some top-level domains
    http://support.microsoft.com/kb/968372


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, November 23, 2012 5:35 PM

All replies

  • I don't have a specific answer to this issue, but a couple of things to ponder.

    How did you build your clients?  Have these been cloned?  If so did you sysprep them to roll their sid value?  What about the time, are they getting the correct time?  Many client errors can be related to improperly configured DNS on the dns server.  You need to ensure that the clients only point to AD DNS servers and the dns servers forward to your ISP for external DNS resolution.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, November 20, 2012 1:07 PM
    Moderator
    Clients have been deployed from a sysprepped image via SCCM 2012. VDI machines are handled by XenDesktop in a similar manner.

    Can't see anything wrong on the DNS side either. No errors are logged and no special settings have been set. So I'm slightly baffled.

    Tuesday, November 20, 2012 1:27 PM
    I don't have much else. I have been working the forums for 9 years and haven't seen this before.  I would look at the network for anything, but it sounds like you are already doing that.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, November 20, 2012 1:29 PM
    Moderator
    Based on what you are putting up I would say it is a network issue: ports 389, 3268 or 53 are not opened as they should be. Below is a link that should help you and/or your network admins configure the ports and protocols needed to get this working. Also keep in mind that if a DHCP server is in play then you may want to try either having the DHCP server register the records for the devices or the devices themselves, based on what troubleshooting method you want to use. You may also want to use tools like ldp.exe to see if you can pull information from the DCs to the workstations. On the DC side do a DCDIAG in verbose mode to see if any errors come up on the DC, net share to see if the sysvol is shared out, nslookup for DNS resolution, etc.

    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
    Tuesday, November 20, 2012 2:57 PM
    Since you are facing an issue with policies, which policies are not flowing? Can you elaborate on the same? Also check the event log on the client PC; if policies are not applied you may get evidence to troubleshoot further. Post the same if any, and the policy name which is not applied.

    See this too: UserEnv Debugging Line by Line
    http://blogs.msdn.com/b/richpec/archive/2009/07/20/userenv-debugging-line-by-line.aspx

    Also set correct DNS settings on the DC and client as below.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Also, there is a dedicated forum for GP which will be helpful.
    Here is the GP forum link: http://social.technet.microsoft.com/Forums/en/winserverGP/threads

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, November 20, 2012 10:57 PM
  • Hello,

    Do you have VLANs?

    If yes, turn off Spanning Tree Protocol (STP) and test again.

    Regards

    Wednesday, November 21, 2012 12:13 AM
  • Thanks for the replies guys!

    I also agree that this smells of resolution issues.

    The domain consists of both 2003 and 2008 R2 DCs. Primary DC (holding all FSMO roles) is 2008 R2.
    Dcdiag gives me all pass, no problems.
    2003 servers are not Global Catalogs, just the 2008 R2s. I'm not sure why (not my setup).

    But, on the primary DC, I enabled LDAP logging, just to check. And I see that I'm getting a few of these:

    Internal event: The directory service has disconnected the LDAP connection from the following network address due to a time-out. 
     
    Network address:
    172.16.16.118:49173

    And these:

    Internal event: The LDAP server returned an error. 
     
    Additional Data 
    Error value:
    0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=domain.local,CN=MicrosoftDNS,CN=System,DC=domain,DC=local'

    For which I see a hotfix on 2003:
    http://support.microsoft.com/?id=934407

    But I'm not sure where this is coming from. Could try it on the 2003 server though.

    Also, see screenshot of the DNS tree:
    https://dl.dropbox.com/u/9964023/DNS.JPG

    Ran DNSLint, no problems there either. Double-checked all bindings, and made sure 127.0.0.1 is the secondary DNS entry on all DCs, primary pointing to other DCs.
    Wednesday, November 21, 2012 8:44 AM
  • None of the DCs are multihomed, and no conflicting/duplicate dns zones. This is getting more and more head-scratching.

    Could you help me identify what this means?

    11/21 19:19:25 [MAILSLOT] Received ping from (PDC) (null) (null) on <Local>

    11/21 19:19:25 [CRITICAL] Ping from (PDC) for domain (null) (PDC) for (null) on <Local> is invalid since we don't host the named domain

    It seems to me like it's trying to find itself, but is unable to, or do the (null) entries indicate that it's trying netbios, which is misinterpreted?

    Also, decommissioned the oldest 2003 DC, and made the remaining one GC as well. No difference.
    • Edited by st.kristobal Wednesday, November 21, 2012 6:26 PM
    Wednesday, November 21, 2012 6:25 PM
    On the DC did you run the NLTEST command? Did you get valid domain trust information back? What about the NETDOM command? Did you use this on the DC? Running the NLTEST command will tell you if your DC or DCs' machine password is valid and, if it is not, lets you reset it. NETDOM helps to query the trust it has within the domain. Also, since you have 2003 servers in play, make sure that domainFunctionality: 2=(WIN2003) and forestFunctionality: 2=(WIN2003). The DomainControllerFunctionality will either be 2=(WIN2003) or 4=(WIN2008R2) depending on the DC you look up; you can use ldp.exe to get this information.

    http://technet.microsoft.com/en-us/library/cc737599(v=WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc731935(v=WS.10).aspx

    Wednesday, November 21, 2012 7:45 PM
  • Forgot to mention that; I did do a NLTEST (SC_QUERY) on the PDC, and it gives me:

    I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    So that's not good, and also indicative of a resolution error.

    If I run it against the other DC in the main site; I get:

    Flags: 30 HAS_IP  HAS_TIMESERV

    Trusted DC Name \\(PDC)

    Trusted DC Connection Status Status = 0 0x0 NERR_Success

    I could try a /sc_verify, but I don't know the implications of doing that when query gives me an error message.

    Is this looking like a fudged PDC?

    Wednesday, November 21, 2012 9:08 PM
    Looks like the DC lost its secure channel within the domain. Run NLTEST /SC_Reset:<Domain Name> and see if that helps.  Running the SC_Reset switch helps rebuild the netlogon secure channel information.

    http://technet.microsoft.com/en-us/library/cc731935(v=WS.10).aspx


    Wednesday, November 21, 2012 9:30 PM
  • Getting the same "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN" on both SC_VERIFY and SC_RESET :(
    Wednesday, November 21, 2012 9:56 PM
    This is only happening on the 2008 R2 servers, right? Before making the Windows 2008 R2 a DC in your domain did you run ADPREP.exe with the domain and forest prep switches?

    http://technet.microsoft.com/en-us/library/cc731728(v=ws.10).aspx
    Wednesday, November 21, 2012 11:24 PM
    Are your forest and domain levels 2003?

    Did you run the "SET" command from the command prompt? What was the information it gave you back?

    Is IPSEC  in the equation?

    Is this only with 2008R2? Or both 2008R2 and 2003 OS?

    Wednesday, November 21, 2012 11:31 PM
  • Well, matter of definition; it happens on both 2003 and 2008R2 servers; since it's regardless of what logonserver I get; but the 1355 message I only get on the 2008 R2 PDC. Forest and domain is 2003, yes, and no ipsec.

    Schema is up to date as well.

    Biggest problem right now is that I can 100% pinpoint it to one source. I'm not sure how many of these messages are 'normal' and should be overlooked. And if it was consistent, I'd at least have a source; but it seems pretty random at this point.

    Thursday, November 22, 2012 4:25 PM
    Since you have 2003 servers in your environment your domain functionality and forest functionality must be 2003; if this is not the case you have a problem. If you are positive that the one you believe is the problem is causing all this, I would say demote it and un-join it from your domain, clean up the remaining AD objects left behind from it, if needed rebuild it, promote and go from there. Did you run ADPREP before introducing the 2008 R2's into your environment?

    Use the links below to get further insight to the issue.

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/59f76f88-fbb1-4cae-8742-7eb78356a751

    http://www.petri.co.il/forums/showthread.php?t=50949

    http://technet.microsoft.com/en-us/library/cc816779(v=ws.10).aspx

    http://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx

    http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/21797808-62f3-402a-aef3-845207f5025f
    Thursday, November 22, 2012 5:16 PM