DNS bad key in NETLOGON 5774. Help!

Fer

Hi all

Currently I have 2 DCs in a subdomain, both Global Catalog and DNS servers,
hosting a forward lookup zone (AD integrated) subdomain.domain.corp
delegated from the parent domain and allowing dynamic updates. Both DNS
clients point to themselves. No replication problems, automatic or forced.
Now the problem: when I run dcpromo on a new server (NEWDC) everything goes
OK, but then, when I reboot NEWDC, error events appear (NETLOGON 5774),
replication fails (automatic and forced), and KCC warning ID 1265 and error
1311 appear on both domain controllers. Running dcdiag on NEWDC fails the
connectivity test. Reports below. Any suggestions?
Thanks in advance.



Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 16/07/2004
Time: 12:17:36
User: N/A
Computer: NEWDC
Description:
Registration of the DNS record 'd02956dd-e532-46b8-a174-
5b5f50759a48._msdcs.dominio.corp. 600 IN CNAME
newdc.subdominio.dominio.corp.' failed with the following
error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 16/07/2004
Time: 12:17:36
User: N/A
Computer: NEWDC
Description:
Registration of the DNS record '_ldap._tcp.54668727-5f5d-
4ba7-8484-fe86a2659159.domains._msdcs.dominio.corp. 600
IN SRV 0 100 389 newdc.subdominio.dominio.corp.' failed
with the following error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>dcdiag /test:connectivity /s:newdc


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Site-SITIO\NEWDC
Starting test: Connectivity
d02956dd-e532-46b8-a174-5b5f50759a48._msdcs.dominio.corp's server GUID
DNS name could not be resolved to an IP address. Check the DNS server,
DHCP, server name, etc.
Although the Guid DNS name
(d02956dd-e532-46b8-a174-5b5f50759a48._msdcs.dominio.corp) couldn't
be resolved, the server name (newdc.subdominio.dominio.corp) resolved
to the IP address (x.x.x.253) and was pingable.
Check that the IP address is registered correctly with the DNS server.
......................... NEWDC failed test Connectivity

Doing primary tests

Testing server: Site-SITIO\NEWDC

Running enterprise tests on : dominio.corp


Kevin D. Goodknecht Sr. [MVP]

Fer said:
Hi all

Currently I have 2 DCs in a subdomain, both Global
Catalog and DNS servers, hosting a forward lookup zone
(AD integrated) subdomain.domain.corp delegated from the
parent domain and allowing dynamic updates. Both DNS
clients point to themselves. No replication problems,
automatic or forced. Now the problem: when I run dcpromo
on a new server (NEWDC) everything goes OK, but then,
when I reboot NEWDC, error events appear (NETLOGON 5774),
replication fails (automatic and forced), and KCC warning
ID 1265 and error 1311 appear on both domain controllers.
Running dcdiag on NEWDC fails the connectivity test.
Reports below. Any suggestions?
Thanks in advance.

Is the newdc pointing to the first DC as the preferred DNS then itself as
alternate?
 

Fer


Is the newdc pointing to the first DC as the preferred DNS then itself
as alternate?

Kevin

Yes, it points to the PDC. There is no DNS server service running on
NEWDC. As alternate it points to the other DC.

Thanks for reply.
 

Kevin D. Goodknecht Sr. [MVP]

Fer said:
Yes, it points to the PDC. There is no DNS server service
running on NEWDC. As alternate it points to the other DC.

Ok so this is a third DC in the child domain?

Did you run netdiag /fix?
Can you post the results from netdiag /test:dns /v
And ipconfig /all
 

Fer

Ok so this is a third DC in the child domain?

Did you run netdiag /fix?
Can you post the results from netdiag /test:dns /v
And ipconfig /all

Yes, this is the third DC in the site; there are two more DCs in other
sites in the same subdomain with the same problem, all of them
promoted to DC later than the two conflicting DCs, which are the only
ones that work OK.

netdiag /fix was run on all DCs but did not fix the problem.

Now I cannot post any test results because I won't have access to the
DCs until Monday, but netdiag /test:dns failed too.

As soon as I have the results, they will be posted. I have used
static IP configuration.

Thanks.
 

Kevin D. Goodknecht Sr. [MVP]

Fer said:
Yes, this is the third DC in the site; there are two more
DCs in other sites in the same subdomain with the same
problem, all of them promoted to DC later than the two
conflicting DCs, which are the only ones that work OK.

netdiag /fix was run on all DCs but did not fix the
problem.

Now I cannot post any test results because I won't have
access to the DCs until Monday, but netdiag /test:dns
failed too.

As soon as I have the results, they will be posted. I
have used static IP configuration.

I have spent quite a bit of time researching this, and have come to the
conclusion that I'm missing something somewhere. I think the key to
resolving this is to find the "Bad key" noted in the error.
I'm not sure what this "Bad key" is, but is this the entire event? Are there
any other events listed in the log?
Is the DHCP client service running?
Is the zone using "Secure updates only"?
If so, if you set dynamic updates to "Yes" and restart the netlogon service,
is it able to register the records?
 

Ace Fekay [MVP]

Kevin D. Goodknecht Sr. said:
I have spent quite a bit of time researching this, and have come to
the conclusion that I'm missing something somewhere. I think the key
to resolving this is to find the "Bad key" noted in the error.
I'm not sure what this "Bad key" is, but is this the entire event? Are
there any other events listed in the log?
Is the DHCP client service running?
Is the zone using "Secure updates only"?
If so, if you set dynamic updates to "Yes" and restart the netlogon
service, is it able to register the records?

I've seen this come up after upgrading service packs. I've fixed it by
saving a copy of the zone, reinstalling DNS and re-creating the zone and
using my original zone files. Not sure why it occurs, and I don't see it
occurring all the time, but just once in a while.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 

Fer

Kevin D. Goodknecht Sr. [MVP] <[email protected]> asked for help
and I offered my suggestions below:
I've seen this come up after upgrading service packs. I've fixed it by
saving a copy of the zone, reinstalling DNS and re-creating the zone
and using my original zone files. Not sure why it occurs, and I don't
see it occurring all the time, but just once in a while.

Thanks for reply.

Servers were installed from a Windows 2000 CD with SP4 integrated, but if
it looks like a similar failure, the same process should be successful.
Please, could you tell me in more detail how you fixed it? What tools did
you use? I am working with delegated subzones (subdomain.domain.corp);
must the root domain admin delegate it again? Which DC must I choose to
do it on? And, most important, is it a safe procedure?

Could it be a Kerberos Authentication Protocol or KDC failure?
 

Fer

I have spent quite a bit of time researching this, and have come to
the conclusion that I'm missing something somewhere. I think the key
to resolving this is to find the "Bad key" noted in the error.
I'm not sure what this "Bad key" is, but is this the entire event? Are
there any other events listed in the log?

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1134
Date: 21/07/2004
Time: 14:32:31
User: N/A
Computer: NEWDC
Description:
The ntdsConnection object CN="dc001
CNF:22978f36-0632-4f26-9a17-5605feb7f215",CN=NTDS
Settings,CN=NEWDC,CN=Servers,CN=Site-
SITE,CN=Sites,CN=Configuration,DC=domain,DC=corp is configured for the
same source server as CN=dc001,CN=NTDS
Settings,CN=NEWDC,CN=Servers,CN=Site-
SITE,CN=Sites,CN=Configuration,DC=domain,DC=corp and will be ignored.
Please use the Active Directory Sites and Services tool to modify or
delete one of these objects.

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13562
Date: 27/07/2004
Time: 16:01:12
User: N/A
Computer: NEWDC
Description:
Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
NEWDC.subdomain.domain.corp for FRS replica set configuration
information.

The nTDSConnection object cn=dc001,cn=ntds
settings,cn=NEWDC,cn=servers,cn=site-
SITE,cn=sites,cn=configuration,dc=domain,dc=corp is conflicting with cn=
244c63b9-9043-4318-94ae-20d27ce6267d,cn=ntds
settings,cn=NEWDC,cn=servers,cn=site-
SITE,cn=sites,cn=configuration,dc=domain,dc=corp. Using cn=dc001,cn=ntds
settings,cn=NEWDC,cn=servers,cn=site-
SITE,cn=sites,cn=configuration,dc=domain,dc=corp



Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 11
Date: 26/07/2004
Time: 18:49:02
User: N/A
Computer: NEWDC
Description:
The NTP server \\dc002.subdomain.domain.corp didn't respond
Data:
0000: 46 27 00 00 F'..

Is the DHCP client service running? No

Is the zone using "Secure updates only"?

No, dynamic updates.

If so, if you set dynamic updates to "Yes" and restart the netlogon
service, is it able to register the records?

Even after restarting the server, no.
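Kevin asked what the "bad key" is. The four Data bytes in each event are a little-endian Win32 error code, so `39 23 00 00` is 0x2339 = 9017, DNS_ERROR_RCODE_BADKEY in winerror.h (the DNS server answered the dynamic update with TSIG extended RCODE 17, BADKEY, from RFC 2845), and `46 27 00 00` in the w32time event is 10054, WSAECONNRESET. The following Python script is an added example, not from the thread: it decodes those bytes and pulls the record name out of a 5774 description; the embedded event text is copied from the first post and the code table is hand-built.

```python
import re

# Win32 error codes seen in this thread's event Data fields (winerror.h values).
# BADKEY is TSIG extended RCODE 17 (RFC 2845): the server rejected the signing key.
KNOWN_CODES = {
    9017: ("DNS_ERROR_RCODE_BADKEY", "DNS RCODE 17 BADKEY: update signing key rejected"),
    10054: ("WSAECONNRESET", "connection reset by peer"),
}

# 'Data:' followed by the first four hex bytes of the 0000: dump line.
DATA_RE = re.compile(r"^Data:\s*0000:\s*((?:[0-9A-Fa-f]{2}\s*){4})", re.M)
RECORD_RE = re.compile(r"Registration of the DNS record '(.*?)' failed", re.S)

def decode_data_code(event_text):
    """Return the little-endian 32-bit error code from the Data field, or None."""
    m = DATA_RE.search(event_text)
    if not m:
        return None
    return int.from_bytes(bytes.fromhex(re.sub(r"\s", "", m.group(1))), "little")

def parse_netlogon_5774(event_text):
    """Extract the record a NETLOGON 5774 event failed to register.
    Names wrapped across lines in the paste (after a hyphen) are rejoined."""
    m = RECORD_RE.search(event_text)
    if not m:
        return None
    rr = re.sub(r"-\s+", "-", " ".join(m.group(1).split()))
    name, ttl, rclass, rtype, *rdata = rr.split()
    return {"name": name, "ttl": int(ttl), "class": rclass, "type": rtype,
            "rdata": " ".join(rdata)}

def describe_event(event_text):
    """Decoded code, its winerror.h name, and the DNS record (None unless 5774)."""
    code = decode_data_code(event_text)
    name, meaning = KNOWN_CODES.get(code, ("UNKNOWN", "not in KNOWN_CODES"))
    return {"code": code, "name": name, "meaning": meaning,
            "record": parse_netlogon_5774(event_text)}

# One of the 5774 events copied from the first post, line wrapping kept as pasted.
NETLOGON_5774_SRV = """Description:
Registration of the DNS record '_ldap._tcp.54668727-5f5d-
4ba7-8484-fe86a2659159.domains._msdcs.dominio.corp. 600
IN SRV 0 100 389 newdc.subdominio.dominio.corp.' failed
with the following error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..
"""

print(describe_event(NETLOGON_5774_SRV))
```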
 

Ace Fekay [MVP]

The DHCP Client service MUST BE RUNNING. There is no way around this;
otherwise DNS resolution and registration will not work. Enable it and see
what happens. This service is tied into the DNS APIs for functionality
whether the machine is set with a static IP or DHCP. Required service.
Please enable it and test it.

Ace
 

Fer

The DHCP Client service MUST BE RUNNING. There is no way around this;
otherwise DNS resolution and registration will not work. Enable it and see
what happens. This service is tied into the DNS APIs for functionality
whether the machine is set with a static IP or DHCP. Required service.
Please enable it and test it.

Ace

Sorry, I was trying to say that there was no DHCP server running, that all
IP addresses were static. But I have never checked whether it was enabled;
I think it must be enabled by default. I'll check it.

Thanks.
 

Ace Fekay [MVP]

Fer said:
Sorry, I was trying to say that there was no DHCP server running,
that all IP addresses were static. But I have never checked whether
it was enabled; I think it must be enabled by default. I'll check it.

Thanks.

Ok, no prob. Just go into the Services console and see if it's started, then
test to see if replication will work and if the errors disappear.

--
Regards,
Ace

 

Ace Fekay [MVP]

Fer said:
Thanks for reply.

Servers were installed from a Windows 2000 CD with SP4 integrated, but
if it looks like a similar failure, the same process should be
successful. Please, could you tell me in more detail how you fixed
it? What tools did you use? I am working with delegated subzones
(subdomain.domain.corp); must the root domain admin delegate it
again? Which DC must I choose to do it on? And, most important, is it
a safe procedure?

Could it be a Kerberos Authentication Protocol or KDC failure?

Well, what I did was change the zone on one of the DC/DNS servers to a
Primary zone.
Then I saved a copy of the domainname.dns file from the system32\dns folder.
Then I removed DNS from this machine from Add/Remove - Windows components.
Then I went to the other machine and deleted the zone.
Then went back to the first machine and reinstalled DNS.
Then I recreated the zone, and made it AD Integrated.
Then I went back to the other machine and created the zone and made it AD
Integrated.
Errors were gone.

--
Regards,
Ace

 

Fer

Ace Fekay [MVP] said:

Ok, no prob. Just go into the Services console and see if it's started,
then test to see if replication will work and if the errors disappear.


The DHCP client service is started, as I supposed. I must try another
solution.

Thanks.
 

Fer

Well, what I did was change the zone on one of the DC/DNS servers to
a Primary zone.
Then I saved a copy of the domainname.dns file from the system32\dns
folder. Then I removed DNS from this machine from Add/Remove - Windows
components. Then I went to the other machine and deleted the zone.
Then went back to the first machine and reinstalled DNS.
Then I recreated the zone, and made it AD Integrated.
Then I went back to the other machine and created the zone and made it
AD Integrated.
Errors were gone.

Ok, I'll try this procedure, but I have doubts about deleting a subzone
whose management is delegated from the root domain zone. What do you think
about it? Must the enterprise administrator delegate it again?

Thanks.
 

Ace Fekay [MVP]

Fer said:
Ok, I'll try this procedure, but I have doubts about deleting a
subzone whose management is delegated from the root domain zone.
What do you think about it? Must the enterprise administrator
delegate it again?

Thanks.

It's really no harm since you're recreating the zone. If you had a
delegation, yes, it needs to be recreated, but it's only a couple of steps.
Let us know how you make out.



--
Regards,
Ace
