DC doesn't know its own domain (cont)

dan

Source: Userenv
Event Id: 1000

Windows cannot obtain the domain controller name for your
computer network. Return value (2146)

I just noticed that about two minutes before I get the
error mentioned above, I get a system log warning....

Source: W32time
Event ID: 63

The time service cannot provide secure (signed) time to
client 192.x.x.x because the attempt to validate its
computer account failed.

Not sure if this is causing the problem or is a result of
the problem. Any help would be appreciated.
 
Kevin D. Goodknecht Sr. [MVP]

dan said:
Source: Userenv
Event Id: 1000

Windows cannot obtain the domain controller name for your
computer network. Return value (2146)

I just noticed that about two minutes before I get the
error mentioned above, I get a system log warning....

Source: W32time
Event ID: 63

The time service cannot provide secure (signed) time to
client 192.x.x.x because the attempt to validate its
computer account failed.

Not sure if this is causing the problem or is a result of
the problem. Any help would be appreciated.

Post the ipconfig /all from your DC.
 
dan

-----Original Message-----
Post the ipconfig /all from your DC.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : PNEB-OA
Primary DNS Suffix . . . . . . . : mic.corp.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mic.corp.org
                                    corp.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
Physical Address. . . . . . . . . : 00-B0-D0-AA-2E-09
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 192.168.10.2
                                    192.168.9.2
 
Kevin D. Goodknecht Sr. [MVP]

dan said:
Host Name . . . . . . . . . . . . : PNEB-OA
Primary DNS Suffix . . . . . . . : mic.corp.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mic.corp.org
                                    corp.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
Physical Address. . . . . . . . . : 00-B0-D0-AA-2E-09
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 192.168.10.2
                                    192.168.9.2

What is the DNS server at 192.168.9.2?
Both of these DNS servers must have a zone for the AD domain.

Also, is this a child of corp.org?
If it isn't, you should consider modifying the DNS suffix search list by
unchecking "Append parent suffixes of the Primary DNS suffix".

Source: Userenv
Event Id: 1000

Windows cannot obtain the domain controller name for your
computer network. Return value (2146)

http://www.eventid.net/display.asp?eventid=1000&eventno=1441&source=Userenv&phase=1



For this:
Source: W32time
Event ID: 63

The time service cannot provide secure (signed) time to
client 192.x.x.x because the attempt to validate its
computer account failed.
http://www.eventid.net/display.asp?eventid=63&eventno=792&source=w32time&phase=1
 
dan

192.168.9.2 is a DNS server at another site. Same
domain. And yes, it is a child domain of corp.org.
 
Ace Fekay [MVP]

dan said:
192.168.9.2 is a DNS server at another site. Same
domain. And yes, it is a child domain of corp.org.


Does 192.168.9.2 have a copy of the mic.corp.org zone, and are updates
allowed?

This part is important: Can you tell us if the SRV records exist under the
mic.corp.org zone?


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Mark Renoden [MSFT]

Somehow I'm missing bits of this thread.

What do we know? :)

--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 
Ace Fekay [MVP]

Mark Renoden said:
Somehow I'm missing bits of this thread.

What do we know? :)




Hi Mark,

Sometimes the newsreaders do that!!

So far we got just the ipconfig /all. I didn't snip anything out of the
thread in this post so you can see it. I pasted the ipconfig /all below.
Apparently he started this new thread and may have not been able to find the
original thread. Hard to say. So far, it's either a mis-delegation with
incorrect forwarders, or if it is delegated, then pointing to the wrong DNS
that has the incorrect zone content, or firewall issue or a search suffix
issue. Don't have enough to go on concerning his topology yet other than the
ipconfig /all.

Here's his ipconfig /all. We're wondering what the 192.168.9.2 DNS is since
it's on another subnet, hence my thought about a firewall issue, delegation,
or lack of.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : PNEB-OA
Primary DNS Suffix . . . . . . . : mic.corp.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mic.corp.org
                                    corp.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
Physical Address. . . . . . . . . : 00-B0-D0-AA-2E-09
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 192.168.10.2
                                    192.168.9.2

Ace
 
Mark Renoden [MSFT]

Hi

Yeah the fact that a reboot allows it to come good certainly fits with the
DC trying to use the preferred server again and succeeding. Best guess
running with the DNS theme is:

1. DC stops using itself for DNS because of some failure. DNS logs might
lend a hand here.

2. DC fails over to the alternate DNS which doesn't have a valid zone or
zone data. If it is a DNS issue, we must be getting a response back from
192.168.9.2, just not a response that allows things to work. If 192.168.9.2
was unresponsive due to firewall/lack of existence etc, the DC should fail
back to itself for requests.

What happens if 192.168.9.2 is removed as an alternate? Must ensure that
DNS on the DC is healthy - logs.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 
Ace Fekay [MVP]

Mark Renoden said:
Hi

Yeah the fact that a reboot allows it to come good certainly fits
with the DC trying to use the preferred server again and succeeding.
Best guess running with the DNS theme is:

1. DC stops using itself for DNS because of some failure. DNS logs
might lend a hand here.

2. DC fails over to the alternate DNS which doesn't have a valid zone
or zone data. If it is a DNS issue, we must be getting a response
back from 192.168.9.2, just not a response that allows things to
work. If 192.168.9.2 was unresponsive due to firewall/lack of
existence etc, the DC should fail back to itself for requests.

What happens if 192.168.9.2 is removed as an alternate? Must ensure
that DNS on the DC is healthy - logs.

Kind regards

I hope we hear back from Dan with his responses. It would be good to know
more topology and config info and what's in the logs.

Ace
 
dan

192.168.9.2 has an Active Directory integrated zone of
mic.corp.org that allows transfers to 192.168.10.2 and
vice versa. The SRV record does exist.
Sadly enough, I don't have DNS logging enabled. I shall
turn that on.
In TCP/IP properties, should I have just the server's
address for DNS or have both servers? Right now I have
both addresses for both servers.
 
Mark Renoden [MSFT]

Hi Dan

I was more referring to DNS specific event logs rather than debug logging.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

dan said:
192.168.9.2 has an Active Directory integrated zone of
mic.corp.org that allows transfers to 192.168.10.2 and
vice versa. The SRV record does exist.
Sadly enough, I don't have DNS logging enabled. I shall
turn that on.
In TCP/IP properties, should I have just the server's
address for DNS or have both servers? Right now I have
both addresses for both servers.
 
Ace Fekay [MVP]

dan said:
192.168.9.2 has an Active Directory integrated zone of
mic.corp.org that allows transfers to 192.168.10.2 and
vice versa. The SRV record does exist.
Sadly enough, I don't have DNS logging enabled. I shall
turn that on.
In TCP/IP properties, should I have just the server's
address for DNS or have both servers? Right now I have
both addresses for both servers.

Thank you. The lack of SRV records is what is causing the whole thing. But
that is just a symptom of a greater problem because those records normally
get created automatically during the dynamic update process. Back to your
config. Your zone name is and spelled exactly as mic.corp.org. on your DNS
server, 192.168.9.2.

Does the zone have updates allowed?

I would immediately remove the 192.168.10.2 if that is truly a secondary
zone, because when updates are sent to that, it will read the MNAME in the
zone record and send it there, which in your case is actually 192.168.9.2
(the master), so it will be looping.


Ace
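
An added example, not part of any post in this thread: one way to test the two points raised above (whether the alternate DNS server answers but with different zone data, and which server the zone's SOA names as MNAME) is to ask each server directly for the AD locator SRV records and compare. It assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Server 2012 or later), so it would be run from a newer admin machine than the Windows 2000 DC shown here; the domain and addresses are the ones from the posted ipconfig /all.

```powershell
# Added example. Domain and server addresses are taken from the thread's
# ipconfig /all output; replace them with your own.
$Domain     = 'mic.corp.org'
$DnsServers = '192.168.10.2', '192.168.9.2'

# AD locator records that a DC registers through dynamic update.
$SrvNames = "_ldap._tcp.dc._msdcs.$Domain",
            "_kerberos._tcp.dc._msdcs.$Domain",
            "_ldap._tcp.$Domain"

$results = foreach ($server in $DnsServers) {
    # The SOA shows which server the zone names as primary (MNAME) and its serial.
    $soa = $null
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    } catch { }  # MName/Serial stay empty if the SOA query fails

    foreach ($name in $SrvNames) {
        $status = 'OK'; $targets = @()
        try {
            $targets = @(Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                         Where-Object { $_.Type -eq 'SRV' } |
                         ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port })
            if ($targets.Count -eq 0) { $status = 'Answered, but no SRV data' }
        } catch {
            # A timeout means the server is unreachable; a name error means it
            # answered but does not hold the record.
            $status = $_.Exception.Message
        }
        [pscustomobject]@{
            Server  = $server
            Query   = $name
            Status  = $status
            Targets = ($targets | Sort-Object) -join ', '
            MName   = $soa.PrimaryServer
            Serial  = $soa.SerialNumber
        }
    }
}
$results | Format-Table -AutoSize -Wrap

# Warn when a query failed on any server or the servers returned different targets.
foreach ($group in ($results | Group-Object Query)) {
    $failed   = @($group.Group | Where-Object { $_.Status -ne 'OK' }).Count
    $distinct = @($group.Group.Targets | Sort-Object -Unique).Count
    if ($failed -gt 0 -or $distinct -gt 1) { Write-Warning "Check $($group.Name): servers failed or disagree" }
}
```

Differing serials or MNAME values between the two rows for the same query show that the servers are not serving the same copy of the zone.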
 