DC not servicing logon requests

[Guest]

I manage a multi-domain forest and have a DC in a remote location put there
specifically to provide local validation for another domain. However, all
validation requests are going over the WAN to DC's in other remote locations.
The DC in question shows up in a dc listing for the domain, and is in the
proper site in AD Sites and Services. We're also running BIND DNS and I've
verified proper setup by following KB247811. Could anyone shed some light on
what I might be missing? Your help is greatly appreciated.

 

[Paul Bergson]

Run diagnostics against your Active Directory domain.

If you don't have the tools installed, install them from your server install
disk.
d:\support\tools\setup.exe

Run dcdiag and netdiag in verbose mode on the DC in question.

If you download a gui script I wrote it should be simple to set and run. It
also has the option to run individual tests without having to learn all the
switch options. The script also automagically outputs the test details to a
text file and calls this text file up at the completion of the test. This
makes it much easier to read and save the details for future use and
analysis.

The script is at http://www.pbbergs.com click on downloads, download it and
save it to c:\program files\support tools\

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Kurt]

Is the subnet of the remote site defined? By defining a subnet, you've told
active directory that the preferred DC for the site is the DC with an IP
address in the same subnet. Then a query for a logon DC should always
resolve (preferred) to the local DC and fall back to a remote only if the
local is down.

....kurt

 

[Guest]

If you mean is it defined in the proper site in AD Sites and Services, yes.
Running netdiag and dcdiag in verbose mode did turn up one warning from each
utility saying the server wasn't properly defined in DNS (see below), but the
remained of the tests all passed. The problem is that the errors aren't at
all specific.

From dcdiag:
* Active Directory LDAP Services Check
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS

from netdiag:
Testing DNS
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server 'IP removed'. Please wait for 30 minutes for DNS server
replication.

Again, we are running BIND, not AD Integrated DNS. Since our network
doesn't allow dynamic registration, we're facing the challenge of having to
enter the proper records manually. It's my hunch that this is the issue
here. Is there a resource that defines the records needed from a AD
perspective in a BIND DNS setup?

Thanks

 

[Paul Bergson]

try doing a netdiag /fix

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.

If you mean is it defined in the proper site in AD Sites and Services,
yes.
Running netdiag and dcdiag in verbose mode did turn up one warning from
each
utility saying the server wasn't properly defined in DNS (see below), but
the
remained of the tests all passed. The problem is that the errors aren't
at
all specific.

From dcdiag:
* Active Directory LDAP Services Check
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly
registered
with DNS

from netdiag:
Testing DNS
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server 'IP removed'. Please wait for 30 minutes for DNS server
replication.

Again, we are running BIND, not AD Integrated DNS. Since our network
doesn't allow dynamic registration, we're facing the challenge of having
to
enter the proper records manually. It's my hunch that this is the issue
here. Is there a resource that defines the records needed from a AD
perspective in a BIND DNS setup?

Thanks

Is the subnet of the remote site defined? By defining a subnet, you've
told
active directory that the preferred DC for the site is the DC with an IP
address in the same subnet. Then a query for a logon DC should always
resolve (preferred) to the local DC and fall back to a remote only if the
local is down.

....kurt

 

[Guest]

All passed except the DNS portion. As referenced below, we're running BIND
DNS that doesn't allow dynamic updates. Here's what I get:
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry
ffccd3d8-8410-42e2-a2cd-f3396bb41615._ms
dcs.edlending.com. re-registeration on DNS server '10.91.200.9' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries
for th
is DC on DNS server '10.91.200.9'.
[FATAL] No DNS servers have the DNS records for this DC registered.

My question is what are the missing DNS entries it's trying to re-register?
If I knew, we could add them.

Thanks.

try doing a netdiag /fix

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.

If you mean is it defined in the proper site in AD Sites and Services,
yes.
Running netdiag and dcdiag in verbose mode did turn up one warning from
each
utility saying the server wasn't properly defined in DNS (see below), but
the
remained of the tests all passed. The problem is that the errors aren't
at
all specific.

From dcdiag:
* Active Directory LDAP Services Check
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly
registered
with DNS

from netdiag:
Testing DNS
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server 'IP removed'. Please wait for 30 minutes for DNS server
replication.

Again, we are running BIND, not AD Integrated DNS. Since our network
doesn't allow dynamic registration, we're facing the challenge of having
to
enter the proper records manually. It's my hunch that this is the issue
here. Is there a resource that defines the records needed from a AD
perspective in a BIND DNS setup?

Thanks

Is the subnet of the remote site defined? By defining a subnet, you've
told
active directory that the preferred DC for the site is the DC with an IP
address in the same subnet. Then a query for a logon DC should always
resolve (preferred) to the local DC and fall back to a remote only if the
local is down.

....kurt

I manage a multi-domain forest and have a DC in a remote location put
there
specifically to provide local validation for another domain. However,
all
validation requests are going over the WAN to DC's in other remote
locations.
The DC in question shows up in a dc listing for the domain, and is in
the
proper site in AD Sites and Services. We're also running BIND DNS and
I've
verified proper setup by following KB247811. Could anyone shed some
light
on
what I might be missing? Your help is greatly appreciated.

 

[Guest]

Where is your DC pointed to for its DNS? Make sure it is pointed to the
correct DNS server and make sure it is registered in DNS as well. Drop to a
command prompt and type ipconfig /registerdns to get the DC to register
itself.

Jermaine

All passed except the DNS portion. As referenced below, we're running BIND
DNS that doesn't allow dynamic updates. Here's what I get:
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry
ffccd3d8-8410-42e2-a2cd-f3396bb41615._ms
dcs.edlending.com. re-registeration on DNS server '10.91.200.9' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries
for th
is DC on DNS server '10.91.200.9'.
[FATAL] No DNS servers have the DNS records for this DC registered.

My question is what are the missing DNS entries it's trying to re-register?
If I knew, we could add them.

Thanks.

try doing a netdiag /fix

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.

If you mean is it defined in the proper site in AD Sites and Services,
yes.
Running netdiag and dcdiag in verbose mode did turn up one warning from
each
utility saying the server wasn't properly defined in DNS (see below), but
the
remained of the tests all passed. The problem is that the errors aren't
at
all specific.

From dcdiag:
* Active Directory LDAP Services Check
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly
registered
with DNS

from netdiag:
Testing DNS
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server 'IP removed'. Please wait for 30 minutes for DNS server
replication.

Again, we are running BIND, not AD Integrated DNS. Since our network
doesn't allow dynamic registration, we're facing the challenge of having
to
enter the proper records manually. It's my hunch that this is the issue
here. Is there a resource that defines the records needed from a AD
perspective in a BIND DNS setup?

Thanks

:

Is the subnet of the remote site defined? By defining a subnet, you've
told
active directory that the preferred DC for the site is the DC with an IP
address in the same subnet. Then a query for a logon DC should always
resolve (preferred) to the local DC and fall back to a remote only if the
local is down.

....kurt

I manage a multi-domain forest and have a DC in a remote location put
there
specifically to provide local validation for another domain. However,
all
validation requests are going over the WAN to DC's in other remote
locations.
The DC in question shows up in a dc listing for the domain, and is in
the
proper site in AD Sites and Services. We're also running BIND DNS and
I've
verified proper setup by following KB247811. Could anyone shed some
light
on
what I might be missing? Your help is greatly appreciated.