8

I have a test domain that I recently configured. All of a sudden, no users can log in except those with cached credentials. The domain includes two domain controllers that are both global catalogs that replicate to each other.

After investigating the issue, I discovered that all of the _msdcs domain records are completely gone on both of the DNS servers. This makes it impossible to locate a domain controller because SRV records such as _ldap and _kerberos are unresolvable.

I'm not quite sure how this happened... is this something that clearing the DNS cache or DNS scavenging would cause?

At this point I need to restore the records somehow. I looked at the settings of another domain, and it looks like they can be recreated manually... but I noticed that some of the DNS records appear to have SID names in them... and I have no idea what identifier would need to be used to recreate them.

Is there a better process that one can use for getting out of a situation like this?

Super1337

3 Answers

12

1. Restart the Netlogon service on one of the Domain Controllers

OR

2. Run DCDiag /fix

OR

3. Manually create the records from the netlogon.dns file from one of the Domain Controllers

joeqwerty
  • If you can't login to any of the domain controllers to accomplish any of these items, restarting the domain controller will also (in effect) accomplish #1 above. When the netlogon service starts it'll attempt to register all the _ SRV records it needs. – Cory Plastek Jan 22 '15 at 02:43
  • DCDiag /fix and restarting netlogon did not work for me... I was able to find the netlogon.dns file and recreate all of the dns records. It was pretty painful... took me about 30 minutes to manually create and test them but it ultimately seems to have fixed the problem. Thanks for your thoughts – Super1337 Jan 21 '15 at 03:21
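The three options in the accepted answer, worked through in order of how invasive they are, as an added PowerShell example (this is not code from the answer or from the commenters). It first checks which DC locator SRV records actually fail to resolve, then restarts Netlogon and forces re-registration with `nltest /dsregdns`, and only with `-FromNetlogonDns` does it parse `netlogon.dns` and recreate each SRV, CNAME and A record with the DnsServer module cmdlets (available on a DC that holds the DNS role). The domain name `corp.example` and the DNS server name `DC01` are assumed placeholders, and the sample `netlogon.dns` line in the comment is constructed. Run it elevated on one of the domain controllers.

```powershell
# Added example, not code from the Server Fault answers. Walks the three options
# in the accepted answer from least to most invasive. Run elevated on a DC.
# Assumed values (not from the page): the domain name and the DNS server name.
param(
    [string]$Domain    = 'corp.example',   # assumed test domain name
    [string]$DnsServer = 'DC01',           # assumed DC that also hosts DNS
    [switch]$FromNetlogonDns               # option 3: recreate from netlogon.dns
)

# Records the DC locator depends on. Without the two under _msdcs, Kerberos logon
# fails for everyone who has no cached credentials, which matches the symptom.
$required = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

function Get-MissingSrvRecords {
    foreach ($name in $required) {
        $r = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
        if (-not $r) { $name }
    }
}

$missing = @(Get-MissingSrvRecords)
if ($missing.Count -eq 0) { Write-Host 'All DC locator SRV records resolve; nothing to do.'; return }
Write-Warning ('Missing: ' + ($missing -join ', '))

if (-not $FromNetlogonDns) {
    # Option 1: Netlogon re-registers its records when it starts; nltest /dsregdns
    # forces the same registration without waiting for the next refresh.
    Restart-Service -Name Netlogon
    nltest /dsregdns | Out-Null
    Start-Sleep -Seconds 20
    $still = @(Get-MissingSrvRecords)
    if ($still.Count -eq 0) { Write-Host 'Re-registration succeeded.'; return }
    Write-Warning ('Still missing after re-registration: ' + ($still -join ', ') +
        '. Check that the zone accepts (secure) dynamic updates, or rerun with -FromNetlogonDns.')
    return
}

# Option 3: netlogon.dns lists every record this DC would register, in zone file
# syntax, including the DSA GUID CNAMEs under _msdcs that nobody can type from
# memory. Each line looks like this (constructed sample):
#   _ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc01.corp.example.
$file  = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'
$zones = @(Get-DnsServerZone -ComputerName $DnsServer |
           Where-Object { -not $_.IsReverseLookupZone } |
           Select-Object -ExpandProperty ZoneName)

# Pick the longest hosted zone that is a suffix of the owner name, so a separate
# _msdcs.<domain> zone wins over the parent zone when both exist on this server.
function Split-OwnerName([string]$fqdn) {
    $zone = $zones | Where-Object { $fqdn -eq $_ -or $fqdn.EndsWith(".$_") } |
            Sort-Object { $_.Length } -Descending | Select-Object -First 1
    if (-not $zone) { return $null }
    $rel = if ($fqdn -eq $zone) { '@' } else { $fqdn.Substring(0, $fqdn.Length - $zone.Length - 1) }
    [pscustomobject]@{ Zone = $zone; Name = $rel }
}

foreach ($line in Get-Content $file) {
    $f = -split $line.Trim()
    if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }
    $owner = Split-OwnerName ($f[0].TrimEnd('.'))
    if (-not $owner) { Write-Warning "No hosted zone for $($f[0]); skipping"; continue }
    $common = @{
        ZoneName = $owner.Zone; Name = $owner.Name
        TimeToLive = [TimeSpan]::FromSeconds([int]$f[1])
        ComputerName = $DnsServer; ErrorAction = 'Stop'
    }
    try {
        switch ($f[3]) {
            'SRV'   { Add-DnsServerResourceRecord @common -Srv -Priority ([int]$f[4]) -Weight ([int]$f[5]) `
                          -Port ([int]$f[6]) -DomainName $f[7].TrimEnd('.') }
            'CNAME' { Add-DnsServerResourceRecord @common -CName -HostNameAlias $f[4].TrimEnd('.') }
            'A'     { Add-DnsServerResourceRecord @common -A -IPv4Address $f[4] }
            default { Write-Warning "Unhandled record type $($f[3]) for $($f[0])" }
        }
        Write-Host "Created $($f[3]) $($f[0])"
    } catch {
        # A 'resource exists' error means the record already came back (for
        # example by replication from the other DC); anything else is reported.
        Write-Warning "$($f[0]): $($_.Exception.Message)"
    }
}
```

The ordering matters from an operational standpoint: the first two options only ask Netlogon to write what it would write anyway, so they cannot make the zone worse, while option 3 writes records by hand and is worth a `-WhatIf` on `Add-DnsServerResourceRecord` first if you are unsure which zone a name belongs to. If re-registration keeps failing, the usual reason is that the zone does not accept dynamic updates from the DC at all, which is what the third answer on this page ran into.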
3

It's unusual for DNS records to be deleted (unless a person deleted them). Usually they are dnsTombstoned, so the records may still appear if using another tool like ADSIEdit even if not visible in DNS Manager or nslookup.

There are edge cases where scavenging can cause this (and a lot of other problems if scavenging is not configured properly).

http://blogs.technet.com/b/askpfeplat/archive/2012/07/09/the-case-of-the-missing-srv-records.aspx

http://blogs.technet.com/b/ad/archive/2008/08/08/a-complicated-scenario-regarding-dns-and-the-dc-locator-srvs.aspx

Greg Askew
1

I did restart NetLogon service and run dcdiag /fix but there was no luck. After 3-4 hours of searching and reading, I decided to uninstall Active Directory Services and install it again but the installation failed too!

Then I decided to add DNS records manually according to this and this, so I deleted the domain's zone and added it again, and when adding the zone I noticed Allow only secure dynamic updates, and I remembered from somewhere that this setting should be enabled, so I checked this check box and then restarted the netlogon service and tadaaa !! It added all the records. I also ran dcdiag /fix and then dcdiag. All the tests were passed except one (SystemLog I think) which I ignored. After that I could join other PCs to the domain. This may be the case for others. Just needed to enable secure dynamic updates on my domain's zone.

Hope this prevents others from going through all the trouble that I went through.

Ashkan
  • oh yea. wham bam thank you man! I had a zone setup long before converting the server to DC - all i had to do is delete the old zone and add it back. Boom.. everything added back in. Thanks! (i think before it was not setup for AD and adding it after DC it had the AD option you mentioned for secure updates)- And now i can connect to my domain! Thanks! – Piotr Kula Jun 01 '18 at 10:31
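The situation Ashkan's answer and Piotr's comment describe, a zone created before the DC promotion that is file-backed and therefore offers no secure dynamic update option, can be checked and corrected without deleting and re-adding the zone. The following is an added PowerShell example, not code from either of them: it reads the zone settings with `Get-DnsServerZone`, converts a non AD-integrated zone with `ConvertTo-DnsServerPrimaryZone`, sets `DynamicUpdate` to `Secure` with `Set-DnsServerPrimaryZone`, and then restarts Netlogon so it can register again. The domain name `corp.example` is an assumed placeholder; the `_msdcs.corp.example` zone is handled only if it exists as a separate zone on the server. Run it elevated on the DC that hosts DNS.

```powershell
# Added example, not code from the answer or comment above. Fixes the zone
# settings that stop Netlogon from registering, without deleting the zone.
# Assumed value (not from the page): the domain name.
param(
    [string]$Domain = 'corp.example'   # assumed test domain name
)

# Both the domain zone and a separately hosted _msdcs zone (if any) must accept
# updates, because the DC locator records live under _msdcs.
$zoneNames = @($Domain, "_msdcs.$Domain") |
    Where-Object { Get-DnsServerZone -Name $_ -ErrorAction SilentlyContinue }

foreach ($name in $zoneNames) {
    $zone = Get-DnsServerZone -Name $name
    Write-Host ('Zone {0}: DsIntegrated={1} DynamicUpdate={2}' -f
        $zone.ZoneName, $zone.IsDsIntegrated, $zone.DynamicUpdate)

    # Secure dynamic update is only offered for AD-integrated zones, which is why
    # a zone created before promotion shows no such option. Convert it first.
    if (-not $zone.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $name -ReplicationScope Domain -Force
        Write-Host "Converted $name to an AD-integrated zone."
        $zone = Get-DnsServerZone -Name $name
    }

    # 'None' blocks Netlogon from registering anything; 'NonsecureAndSecure' lets
    # any host on the network overwrite the DC records. 'Secure' is the one to keep.
    if ($zone.DynamicUpdate -ne 'Secure') {
        Set-DnsServerPrimaryZone -Name $name -DynamicUpdate Secure
        Write-Host "Set dynamic updates on $name to Secure."
    }
}

# Netlogon re-registers its SRV records on start.
Restart-Service -Name Netlogon
Start-Sleep -Seconds 20

# Verify the record the DC locator asks for first.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) { Write-Host "OK: _ldap._tcp.dc._msdcs.$Domain -> $($srv.NameTarget -join ', ')" }
else      { Write-Warning 'Still unresolved; run dcdiag /test:dns on the DC for details.' }
```

Keeping the zone AD-integrated with `Secure` updates is what makes the fix stick: the DC authenticates its own updates with Kerberos, and ordinary hosts cannot overwrite the _msdcs records that every logon depends on.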