
We have one domain and two domain controllers (on Windows Server 2008 Enterprise).

For about a week we have had enormous problems: some users can't log in to Windows (domain could not be contacted). Sometimes a restart of Windows helps, but mostly it doesn't.

As administrator, I can't log in to DC0; on DC1 I can. The other administrator, for example, can log in to both DCs.

I attached the dcdiag /test:dns output for both DCs. DC0:

 Directory Server Diagnosis

 Performing initial setup:
    Trying to find home server...
    Home Server = DC0
    * Identified AD Forest.
    Done gathering initial info.

 Doing initial required tests

    Testing server: Default-First-Site-Name\DC0
       Starting test: Connectivity
          ......................... DC0 passed test Connectivity

 Doing primary tests

    Testing server: Default-First-Site-Name\DC0
       Starting test: DNS
          DNS Tests are running and not hung. Please wait a few minutes...
          ......................... DC0 passed test DNS

    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : our_domain

    Running enterprise tests on : our_domain.si
       Starting test: DNS
          Test results for domain controllers:

             DC: DC0.our_domain.si
             Domain: our_domain.si

                TEST: Records registration (RReg)
                   Network Adapter [00000006] Intel(R) PRO/1000 MT Network Connection:
                      Warning:
                      Missing AAAA record at DNS server 193.77.60.214:
                      gc._msdcs.our_domain.si

                Warning: Record Registrations not found in some network adapters

                DC0                          PASS PASS PASS PASS PASS WARN n/a
          ......................... our_domain.si passed test DNS

DC1:

 Directory Server Diagnosis

 Performing initial setup:
    Trying to find home server...
    Home Server = DC1
    * Identified AD Forest.
    Done gathering initial info.

 Doing initial required tests

    Testing server: Default-First-Site-Name\DC1
       Starting test: Connectivity
          ......................... DC1 passed test Connectivity

 Doing primary tests

    Testing server: Default-First-Site-Name\DC1
       Starting test: DNS
          DNS Tests are running and not hung. Please wait a few minutes...
          ......................... DC1 passed test DNS

    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : our_domain

    Running enterprise tests on : our_domain.si
       Starting test: DNS
          Test results for domain controllers:

             DC: DC1.our_domain.si
             Domain: our_domain.si

                TEST: Dynamic update (Dyn)
                   Warning: Failed to add the test record _dcdiag_test_record in zone our_domain.si

                TEST: Records registration (RReg)
                   Network Adapter [00000006] Intel(R) PRO/1000 MT Network Connection:
                      Warning:
                      Missing AAAA record at DNS server 193.77.60.213:
                      DC1.our_domain.si

                      Warning:
                      Missing AAAA record at DNS server 193.77.60.213:
                      gc._msdcs.our_domain.si

                      Warning:
                      Missing AAAA record at DNS server 193.77.60.214:
                      DC1.our_domain.si

                      Warning:
                      Missing AAAA record at DNS server 193.77.60.214:
                      gc._msdcs.our_domain.si

                Warning: Record Registrations not found in some network adapters

                DC1                          PASS PASS PASS PASS WARN WARN n/a
          ......................... our_domain.si passed test DNS

Here are the IPs for DC0 and DC1 - they are all right (why are there so many?): [screenshots of the DNS records for DC0 and DC1, not reproduced here]

Here is 'ipconfig /all' on DC0: [screenshot, not reproduced here]

user1452932
  • As a start, please check the following on DC0: run services.msc and verify that all services whose name starts with "Active Directory" are started and set to automatic. Try to browse to \\dc0 and verify that the SYSVOL and NETLOGON shares are visible. These checks don't necessarily relate to your errors, other than it's mentioned that the sysvol folder may not be available; however they are good initial checks. – Alex Berry Oct 17 '12 at 08:25
  • Service 'Active Directory Domain Services' is started and set to automatic (only this service starts with Active Directory). – user1452932 Oct 17 '12 at 08:45
  • and the sysvol and netlogon shares? – Alex Berry Oct 17 '12 at 08:46
  • When browsing dc0 both shares are visible (also scheduled tasks). – user1452932 Oct 17 '12 at 08:50
  • Please run "dcdiag /test:dns" on both servers and post output here, also verify that the A records for each server are correct on both servers in DNS. – Alex Berry Oct 17 '12 at 09:37
  • Also you'll need to repost your original DCDIAG, possibly via pastebin, as it appears to have been cut short. – Alex Berry Oct 17 '12 at 09:42
  • What does that mean: 'verify that the A records for each server are correct on both servers in DNS' ? – user1452932 Oct 17 '12 at 09:59
  • Open up the DNS console on each server from the start menu, expand "Forward lookup Zones", locate "our_domain.si" and expand, locate the entries for "DC0" and "DC1" within this view and verify that the IP addresses are correct on both, if not then correct them. If you are unsure about A records and DNS I seriously advise you hire a consultant to assist you in this as it sounds like you do not have the basic knowledge required to safely resolve this issue... – Alex Berry Oct 17 '12 at 10:09
  • I've added what You've requested (look in question). Any problems detected from it? – user1452932 Oct 17 '12 at 11:40
  • Well, firstly the second address 193.77.60.213 is a public address, so if dc0 is directly attached to the internet it's pretty poor design; if this is in fact an internal IP then it's going to cause you routing problems as it's meant to be a private IP. Run ipconfig /all on dc0 and verify it has both IP addresses; if not then delete the 193 or 172 address from both DNS servers. – Alex Berry Oct 17 '12 at 11:54
  • Just seen dc1 is on the 193 range... are these publicly accessible? If so, are they at least firewalled properly? – Alex Berry Oct 17 '12 at 11:56
  • I've added 'ipconfig /all' on DC0 to my question... – user1452932 Oct 17 '12 at 12:03
  • OK, can you try to ping 172.16.1.213 from DC2? and when you ping DC2.our_domain.si from DC2 what does it resolve to? – Alex Berry Oct 17 '12 at 12:06
  • First ping on dc1: ping 172.16.1.213 request timed out, second ping on dc1: ping dc1.our_domain OK. – user1452932 Oct 17 '12 at 12:08
  • Is there a reason for having that 172.x.x.x IP address? or the 193 IP address range, for that matter? – Alex Berry Oct 17 '12 at 12:16
  • Yes, at the moment we use both 172. and 193., but in future we MUST go on 172., surely. – user1452932 Oct 17 '12 at 12:22
  • Yes, you should really be using 172, however connectivity between the two servers seems to work correctly so for now you can rule this out as the cause. I would also recommend disabling ipv6 unless you need it. – Alex Berry Oct 17 '12 at 12:27
  • To diagnose further please provide the full output of dcdiag on dc0, the original was cut off before the end. Try pastebin here: http://pastebin.com/ – Alex Berry Oct 17 '12 at 12:31
  • You mean: dcdiag /e /f:dc0.txt – user1452932 Oct 17 '12 at 12:39
  • Sure, either way, just paste it ALL somewhere I can see it. – Alex Berry Oct 17 '12 at 12:44
  • DC1: http://pastebin.com/deUh8Jne – user1452932 Oct 17 '12 at 12:48
  • DC0: http://pastebin.com/ZNHPsgeX – user1452932 Oct 17 '12 at 12:53
  • 2
    Sorry guys, but this is way past "too many" comments. User: It seems you're in over your head on this one, it might be time to get a local consultant. Alex: if you want to continue the discussion & diagnosis please do so in [Chat]. – Chris S Oct 17 '12 at 12:58

3 Answers

There are a couple of glaring problems here:

  1. Your Domain Controller that you've screenshotted is multi-homed. This is a problem. There is usually not a good reason to do this and there are special considerations to take in regards to DNS registration, etc. Have you followed these? I'm assuming not. Really consider redesigning your network to not multihome your DCs.

  2. Your DCs are using themselves first for DNS resolution. This can lead to a replication island like you're experiencing. They should use each other first and themselves (127.0.0.1) second.

  3. That 193 address that you've provided is a publicly routable IP. There is absolutely no reason that a Domain Controller should be Internet accessible. This in and of itself isn't going to break what you're seeing, but it's a huge security issue that you should fix asap.

MDMarra

Ok, so as the comment conversation looked to be going on forever, I will instead post what I believe the problem is:

Although it looks initially like an issue with DC0, it is actually an issue with replication between the two controllers and, as such, the problematic controller is DC1.

The easiest option open to you will be to shutdown DC1 and build a 3rd domain controller, DC2, then change secondary DNS settings on all servers and DHCP scopes to point to this server.

So long as you then have a stable domain I would suggest deleting DC1 from the domain and leaving it at that, any changes you have made on DC1 since it has last replicated will be lost, this includes users' password changes and new user accounts, so it will require some cleanup on your part, but if you can't fix the replication issue yourself (which, no offence meant, I don't believe you're capable of) this is the easiest way to resolve your problems.

If, on the other hand, you add DC2 with DC1 offline and are still having issues, I advise you seek assistance from a local Microsoft Professional.

Alex Berry
  • We put DC1 offline (power off), but I still can't log in to DC0. When I open DNS on DC0, I get this error: The server DC0 could not be contacted. The error was: the server is unavailable. Would you like it to add it anyway. – user1452932 Oct 18 '12 at 06:03
  • When I run nslookup in DC0, I get: 'Default server: unknown. ...' – user1452932 Oct 18 '12 at 06:26
  • OK, I can log in on DC0 (remote control) by typing its IP; if I type DC0, it doesn't work. I used 'ipconfig /registerdns' and with nslookup I get: 'Default server: unknown. Address: correct IP'. – user1452932 Oct 18 '12 at 07:24
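Before retiring a DC on the assumption that it is the one out of sync, it is worth measuring the replication state rather than inferring it. The script below is an added example, not part of Alex Berry's answer: it runs repadmin /showrepl with CSV output (the tool ships with Server 2008 DCs), parses the rows, and lists every inbound replication link that has recorded failures or has not succeeded within a threshold. The $StaleHours threshold and the column handling are assumptions about repadmin's CSV layout, which prefixes its header row with showrepl_COLUMNS and data rows with showrepl_INFO.

```powershell
# Added example, not part of the answer above: quantify the replication problem before deciding
# to demote or rebuild DC1. Runs 'repadmin /showrepl * /csv', parses the CSV, and reports every
# inbound replication link with failures or without a recent success. $StaleHours is an assumption.
param([int]$StaleHours = 24)

$raw = repadmin /showrepl * /csv
# Header rows start with showrepl_COLUMNS, data rows with showrepl_INFO; anything else
# (for example a bind error for an unreachable DC) is kept separately so it is not lost.
$noise = @($raw | Where-Object { $_ -notlike 'showrepl_*' -and $_.Trim() -ne '' })
$rows  = @($raw | Where-Object { $_ -like 'showrepl_*' } | ConvertFrom-Csv)

$now = Get-Date
$problems = @()
foreach ($r in $rows) {
    $failures = 0
    [void][int]::TryParse($r.'Number of Failures', [ref]$failures)
    $lastOk = [DateTime]::MinValue
    # Last Success Time is a timestamp when replication has ever worked; otherwise it is not parseable
    $parsed = [DateTime]::TryParse($r.'Last Success Time', [ref]$lastOk)
    $age = if ($parsed) { ($now - $lastOk).TotalHours } else { [double]::PositiveInfinity }

    if ($failures -gt 0 -or $age -gt $StaleHours) {
        $problems += New-Object PSObject -Property @{
            Destination       = $r.'Destination DSA'
            Source            = $r.'Source DSA'
            Partition         = $r.'Naming Context'
            Failures          = $failures
            HoursSinceSuccess = if ($parsed) { [math]::Round($age, 1) } else { 'never' }
            LastStatus        = $r.'Last Failure Status'
        }
    }
}

$noise | ForEach-Object { "repadmin: $_" }
if ($problems.Count -eq 0) {
    "All $($rows.Count) replication links healthy within $StaleHours h."
} else {
    $problems | Format-Table Destination, Source, Partition, Failures, HoursSinceSuccess, LastStatus -AutoSize
    # A failing link with Destination DC0 and Source DC1 means changes made on DC1 (password
    # changes, new accounts) have not reached DC0; those are what is lost if DC1 is just switched off.
}
```

Read the output per direction: a failing link whose Source is DC1 tells you which partitions hold changes that only DC1 has, which is the cleanup the answer warns about. If DC1 is then removed without being demoted cleanly, its metadata still has to be removed from the directory (on Server 2008, deleting the DC's computer object from the Domain Controllers OU triggers that cleanup), otherwise the remaining DC keeps trying to replicate with a partner that no longer exists.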

(This is only a partial answer to one of your side questions...)

For some reason your DCs have 6to4 addresses. If you're sure you aren't using 6to4 (you probably aren't) then you should probably disable it.

netsh interface ipv6 6to4 set state disabled
netsh interface teredo set state disabled
Michael Hampton