DNS SRV records

Discussion in 'DNS Server' started by Michael R. Mastro II, Dec 28, 2006.

  1. Ok here is my problem. My clients have lost connectivity with my domain
    controllers. When I try to join the clients to the domain, I am unable to.
    I get a message saying domain controllers could not be contacted. I ran
    netdiag on the DCs and found I had one problem where it was resolving the DNS
    to 127.0.0.1. I was able to easily fix this and netdiag has passed since
    then. I also ran successful dcdiag and nltest queries. I then restarted the
    netlogon service and the DNS service on the DCs. Afterwards I attempted to
    join a client to the domain. Still the same problem. I then ran nslookup
    queries on the A & SRV records. I had correct A records from the domain, and
    the SRV records showed up in _ldap._tcp.dc._msdcs.domainname.local. Now if
    all the records are correct, then how come the clients will not join to the
    domain? I have run ipconfig from the clients and flushed the DNS cache and
    reregistered it. I am at wit's end trying to get my clients to join.
     
    Michael R. Mastro II, Dec 28, 2006
    #1

  2. What DNS address is the workstation using?

    Is it mixed between the DC and the ISP's?

    Keep in mind, in an AD infrastructure all AD members must ONLY use the
    internal DNS server(s).

    --
    Ace
    Innovative IT Concepts, Inc (IITCI)
    Willow Grove, PA

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.
    It's easy:

    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only constant in life is change...
     
    Ace Fekay [MVP], Dec 28, 2006
    #2

  3. read inline.

    The workstation is getting the DNS servers from the DHCP. DHCP has it
    configured to look at both domain controllers for the DNS using 192.168.0.1
    and 192.168.0.2
    No just plain DC. The DCs use forwards to get ISP DNS and access the
    internet.
     
    Michael R. Mastro II, Dec 28, 2006
    #3
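Added example, not code from the thread or from any of its posters: an offline checker for the two DNS prerequisites the replies above turn on (post #2's rule that every domain member uses only the internal DNS servers, and post #1's problem of a DC whose DNS registration pointed at 127.0.0.1). The record names are the core subset of the SRV records Netlogon registers for a domain; the zone data, the addresses and all function names are constructed to mirror the thread's mastro.local setup and are assumptions, not anything the posters ran.

```python
"""
Offline check of the DNS prerequisites for an Active Directory domain join.
Rules encoded:
  1. every domain member uses only the internal DNS servers (the DCs here);
  2. the SRV records a client uses to locate a DC exist, and their targets
     resolve to the DCs' real addresses, never to 127.0.0.1.
The zone below is constructed (assumed) to look like the thread's mastro.local.
"""
import ipaddress

# Internal DNS servers / DCs as given in post #3
DC_ADDRESSES = {"192.168.0.1", "192.168.0.2"}


def required_dc_records(domain):
    """Core SRV names Netlogon registers and clients query to find a DC."""
    d = domain.rstrip(".")
    return [
        f"_ldap._tcp.dc._msdcs.{d}",       # LDAP on any DC
        f"_kerberos._tcp.dc._msdcs.{d}",   # KDC on any DC
        f"_ldap._tcp.pdc._msdcs.{d}",      # PDC emulator
        f"_ldap._tcp.gc._msdcs.{d}",       # global catalog
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",
        f"_kpasswd._tcp.{d}",
    ]


def build_sample_zone(domain="mastro.local", server1_ip="192.168.0.1"):
    """Constructed in-memory zone: {(name, rtype): [rdata, ...]}.
    SRV rdata is (priority, weight, port, target); A rdata is an address string.
    server1_ip="127.0.0.1" reproduces the mis-registration described in post #1."""
    hosts = {"server1": server1_ip, "server2": "192.168.0.2"}
    zone = {(f"{h}.{domain}", "A"): [ip] for h, ip in hosts.items()}
    zone[(domain, "A")] = list(hosts.values())   # the "(same as parent)" A records
    for name in required_dc_records(domain):
        port = (88 if "_kerberos" in name else 464 if "_kpasswd" in name
                else 3268 if ".gc." in name else 389)
        targets = ["server1"] if ".pdc." in name else ["server1", "server2"]
        zone[(name, "SRV")] = [(0, 100, port, f"{t}.{domain}") for t in targets]
    return zone


def check_join_prerequisites(domain, zone, client_dns_servers, dc_addresses):
    """Return a list of findings; an empty list means the DNS side looks right."""
    findings = []
    for server in client_dns_servers:          # rule 1: internal DNS only
        if server not in dc_addresses:
            findings.append(f"client uses non-internal DNS server {server}")
    for name in required_dc_records(domain):   # rule 2: SRV records and targets
        srv = zone.get((name, "SRV"), [])
        if not srv:
            findings.append(f"missing SRV record {name}")
            continue
        for _prio, _weight, _port, target in srv:
            addrs = zone.get((target, "A"), [])
            if not addrs:
                findings.append(f"{name}: target {target} has no A record")
            for addr in addrs:
                if ipaddress.ip_address(addr).is_loopback:
                    findings.append(f"{name}: {target} registered as loopback {addr}")
                elif addr not in dc_addresses:
                    findings.append(f"{name}: {target} -> {addr} is not a known DC")
    return findings


if __name__ == "__main__":
    good = build_sample_zone()
    print("healthy zone:", check_join_prerequisites(
        "mastro.local", good, ["192.168.0.1", "192.168.0.2"], DC_ADDRESSES))
    # A DC registered as 127.0.0.1 plus a client that also lists an outside resolver
    bad = build_sample_zone(server1_ip="127.0.0.1")
    for f in check_join_prerequisites(
            "mastro.local", bad, ["192.168.0.1", "203.0.113.53"], DC_ADDRESSES):
        print("FAIL:", f)
```

Against a live domain the same checks map onto `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` (and the other names in the list) run from the client that fails to join, plus `ipconfig /all` to confirm its DNS server list contains only the DCs.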
  4. Ok. Is the firewall turned on? If so, is File and Print services allowed? If
    not, it will be required. One of my customers had a similar problem just the
    other day. He was pulling his hair out trying to find out why. He had F&P
    services not allowed.

    Previously you said you ran nslookup to check for SRV records. Did you run
    this from the client or the DC?

    Ace
     
    Ace Fekay [MVP], Dec 30, 2006
    #4
  5. File and Print services are turned on. The firewall is ISA Server, but that
    server cannot connect to the domain controllers either. Though the domain
    controllers are somehow using the ISA machine to access the internet. Other
    than the ISA server, the domain controllers are the only machines on the
    network with access to the internet. It seems like some stuff is being
    accessed on the domain controllers, even though the client computers are not
    in the domain. I can access printers off the domain controller, but no
    network drives or files, or the internet. I can access the DHCP server and
    all tests on the DNS servers are good, but cannot join a domain. This is
    baffling. I am currently looking over 3 different netdiag logs to see any
    difference in them.
     
    Michael R. Mastro II, Dec 30, 2006
    #5
  6. Ok, this is now getting better, especially with ISA involved. Now I believe
    it depends on how you have your ISA clients setup, whether as secure NAT
    clients, or as ISA firewall clients, which will require additional config to
    allow traffic between them and the ISA server.

    At this point I would suggest posting this to the ISA newsgroup, which I have
    already cross-posted to:
    microsoft.public.isaserver

    Responses will come back to this group and the ISA group. So hang in there.

    Ace

    x-posted to microsoft.public.isa, microsoft.public.windows.server.dns
    no f/ups set.

     
    Ace Fekay [MVP], Jan 1, 2007
    #6
  7. Michael,
    This has to be investigated one step at a time,...this includes not blaming
    ISA immediately, which may waste a bunch of time looking where the problem
    isn't, which happens quite often. Here are the first things to do:

    1a. Disable the local Windows Firewall on everything.
    1b. Uninstall any third party host-based firewalls if installed.
    2. Make sure all machines use only the DCs for DNS and nothing else. The
    DCs should use themselves and each other.
    3. Don't pay any attention to whether you can access the Internet or
    not,...it is not relevant yet,...one step at a time....
    4. Remove "bad" machine accounts if they exist in AD.
    5. Try joining again.
    6. Report back

    I recommend that these things stay this way as "standard", even if they
    don't prove to be the problem.


    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed are my own (as annoying as they are), and not those of
    my employer or anyone else associated with me.
    -----------------------------------------------------
     
    Phillip Windell, Jan 1, 2007
    #7
  8. Install and run netdiag on your clients, install from the OS installation
    media in the support tools directory.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Jan 1, 2007
    #8
  9. Ok, the Windows Firewall is disabled. I never turn it on since everything is
    behind ISA. No third party firewalls. Ok, the clients use the DCs for DNS
    because that is all that is programmed in with DHCP. The DCs are using
    their own adapters and each other as the DNS servers. I removed the client
    accounts that are no longer connecting to the domain from AD. And they still
    do not join to the domain. Now here is the latest netdiag from the DNS test:

    DNS test...............Passed
    Interface {AC11C17C-8F95-4963-84FC-652951AEBDD3}
    DNS Domain:
    DNS Servers: 192.168.0.1 192.168.0.2
    IP Address: Expected registration with PDN (Primary
    DNS Domain Name):
    Hostname: server1.mastro.local.
    Authoritative zone: mastro.local.
    Primary DNS Server: server1.mastro.local
    192.168.0.1
    Authoritative NS: 192.168.0.2 192.168.0.1
    Check the DNS registration for DCs entries on DNS server '192.168.0.1'
    ****************************************************
    * CHECK NAME mastro.local. on DNS Server 192.168.0.1
    ****************************************************

    The record is different on DNS server '192.168.0.1'
    DNS server has more than one entries for this name, usually this means there
    are multiple DCs for this domain.
    Your DC entry is one of them on DNS server '192.168.0.1', no need to
    re-register.

    +---------------------------------------------------------------+
    The reocrd on your DC is:
    DNS NAME = mastro.local.
    DNS DATA =
    A 192.168.0.1

    The record on DNS server 192.168.0.1 is:
    DNS NAME = mastro.local.
    DNS DATA =
    A 192.168.0.2
    A 192.168.0.1
    +----------------------------------------------------------------+

    *************************************************************
    * CHECK NAME _ldap._tcp.mastro.local. on DNS Server 192.168.0.1
    *************************************************************

    The record is different on DNS server '192.168.0.1'
    DNS server has more than one entries for this name, usually this means there
    are multiple DCs for this domain.
    Your DC entry is one of them on DNS server '192.168.0.1', no need to
    re-register.

    +------------------------------------------------------------------+
    The record on your DC is:
    DNS NAME = _ladp._tcp.mastro.local.
    DNS DATA =
    SRV 0 100 389 server1.mastro.local

    The record on DNS server 192.168.0.1 is:
    DNS NAME = _ladp._tcp.mastro.local.
    DNS DATA =
    SRV 0 100 389 server1.mastro.local
    SRV 0 100 389 server2.mastro.local
    +---------------------------------------------------------------------+

    ********************************************************
    * CHECK NAME _ldap._tcp.pdc._msdcs.mastro.local. on DNS server 192.168.0.1
    ********************************************************

    The record is correct on DNS server '192.168.0.1'

    ********************************************************
    * CHECK NAME _ldap._tcp.gc._msdcs.mastro.local. on DNS server 192.168.0.1
    ********************************************************

    The record is correct on DNS server '192.168.0.1'

    ********************************************************
    * CHECK NAME gc._msdcs.mastro.local. on DNS server 192.168.0.1
    ********************************************************

    The record is correct on DNS server '192.168.0.1'


    *************************************************************
    * CHECK NAME _kerberos._tcp.dc._msdcs.mastro.local. on DNS Server 192.168.0.1
    *************************************************************

    The record is different on DNS server '192.168.0.1'
    DNS server has more than one entries for this name, usually this means there
    are multiple DCs for this domain.
    Your DC entry is one of them on DNS server '192.168.0.1', no need to
    re-register.

    +------------------------------------------------------------------+
    The record on your DC is:
    DNS NAME = _kerberos._tcp.dc._msdcs.mastro.local.
    DNS DATA =
    SRV 0 100 88 server1.mastro.local

    The record on DNS server 192.168.0.1 is:
    DNS NAME = _kerberos._tcp.dc._msdcs.mastro.local.
    DNS DATA =
    SRV 0 100 88 server1.mastro.local
    SRV 0 100 88 server2.mastro.local
    +---------------------------------------------------------------------+

    <snip>

    ** ** Check DC DNS NAME FINAL RESULT ** **
    PASS - All the DNS enteries for DC are registered on DNS server
    '192.168.0.1' and other DC also have some of the names registered.

    Check the DNS registration for DCs enteries on DNS server '192.168.0.2'

    <snip>

    results are the same as above.


    So if all the netdiag tests pass, and the nslookup tests pass from the
    clients, how come they can't join the domain?



     
    Michael R. Mastro II, Jan 1, 2007
    #9
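The netdiag output above reads as a failure at first glance ("The record is different on DNS server") even though the test passed. The following is an added example, not code from the thread or from netdiag's authors, that parses output shaped like the "CHECK NAME" sections posted above and applies the rule netdiag itself states: with several DCs, "different" is fine as long as every record this DC registers is among the entries the server holds; only when the DC's record is absent on the server does it need re-registering. The sample text is constructed; its first two sections follow the posted output, and the third is made up to show the failure case. All names are assumptions.

```python
import re

# Constructed sample shaped like the netdiag "Check DC DNS NAME" output in post #9.
# Section 3 is made up: the DC's record is NOT among the server's entries.
SAMPLE_NETDIAG = """\
****************************************************
* CHECK NAME _ldap._tcp.mastro.local. on DNS Server 192.168.0.1
****************************************************

The record is different on DNS server '192.168.0.1'
DNS server has more than one entries for this name, usually this means there
are multiple DCs for this domain.

+---------------------------------------------------------------+
The record on your DC is:
DNS NAME = _ldap._tcp.mastro.local.
DNS DATA =
SRV 0 100 389 server1.mastro.local

The record on DNS server 192.168.0.1 is:
DNS NAME = _ldap._tcp.mastro.local.
DNS DATA =
SRV 0 100 389 server1.mastro.local
SRV 0 100 389 server2.mastro.local
+---------------------------------------------------------------+

********************************************************
* CHECK NAME _ldap._tcp.pdc._msdcs.mastro.local. on DNS server 192.168.0.1
********************************************************

The record is correct on DNS server '192.168.0.1'

********************************************************
* CHECK NAME _kerberos._tcp.dc._msdcs.mastro.local. on DNS Server 192.168.0.1
********************************************************

The record is different on DNS server '192.168.0.1'

+---------------------------------------------------------------+
The record on your DC is:
DNS NAME = _kerberos._tcp.dc._msdcs.mastro.local.
DNS DATA =
SRV 0 100 88 server1.mastro.local

The record on DNS server 192.168.0.1 is:
DNS NAME = _kerberos._tcp.dc._msdcs.mastro.local.
DNS DATA =
SRV 0 100 88 server2.mastro.local
+---------------------------------------------------------------+
"""

HEADER = re.compile(r"^\* CHECK NAME (\S+) on DNS [Ss]erver (\S+)", re.M)
STATUS = re.compile(r"The record is (\w+) on DNS server")
# rdata blocks end at a blank line or at the +---- box border
DC_PART = re.compile(r"The record on your DC is:(.*?)(?:\n\s*\n|\+-)", re.S)
SERVER_PART = re.compile(r"The record on DNS server \S+ is:(.*?)(?:\n\s*\n|\+-)", re.S)


def _records(part):
    """Keep only the rdata lines (SRV ..., A ...), dropping the DNS NAME/DATA labels."""
    return [l.strip() for l in part.splitlines()
            if l.strip() and not l.strip().startswith("DNS ")]


def verdict(sec):
    if sec["status"] == "correct":
        return "ok"
    if sec["status"] == "different":
        # normal with several DCs, provided this DC's records are all present
        return "ok" if set(sec["dc"]) <= set(sec["on_server"]) else "re-register"
    return "investigate"   # any wording this parser does not recognise


def parse_netdiag(text):
    """Return one dict per CHECK NAME section, with a verdict attached."""
    pieces = HEADER.split(text)   # [preamble, name, server, body, name, server, body, ...]
    sections = []
    for i in range(1, len(pieces), 3):
        name, server, body = pieces[i], pieces[i + 1], pieces[i + 2]
        m = STATUS.search(body)
        sec = {"name": name, "server": server,
               "status": m.group(1) if m else "unknown", "dc": [], "on_server": []}
        dc, srv = DC_PART.search(body), SERVER_PART.search(body)
        if dc:
            sec["dc"] = _records(dc.group(1))
        if srv:
            sec["on_server"] = _records(srv.group(1))
        sec["verdict"] = verdict(sec)
        sections.append(sec)
    return sections


if __name__ == "__main__":
    for s in parse_netdiag(SAMPLE_NETDIAG):
        print(f"{s['verdict']:12} {s['status']:10} {s['name']}")
```

Feeding a real `netdiag /test:dns /v` capture to `parse_netdiag` gives the same per-name verdicts; in the thread's case every section comes back "ok", which is why the final result line reads PASS and why the join failure has to be looked for somewhere other than the SRV records.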
  10. Forgot to mention that I ran the nslookup test from the clients
     
    Michael R. Mastro II, Jan 2, 2007
    #10
  11. ISA needs to be a Domain Member. It needs to be one before the ISA Software
    is installed so that the System Policies are configured correctly during the
    installation of ISA.

    Debunking the Myth that the ISA Firewall Should Not be a Domain Member
    http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed are my own (as annoying as they are), and not those of
    my employer or anyone else associated with me.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Deployment Guidelines for ISA Server 2004 Enterprise Edition
    http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
    -----------------------------------------------------
     
    Phillip Windell, Jan 2, 2007
    #11
  12. Remove any proxy settings from the machines and uninstall the Firewall
    Client if it is installed.
    Try again.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed are my own (as annoying as they are), and not those of
    my employer or anyone else associated with me.
    -----------------------------------------------------
     
    Phillip Windell, Jan 2, 2007
    #12
  13. Because nslookup works to find your domain records, but not outside
    addresses (which I assume as well but you didn't mention), then I would
    think the firewall client is installed and/or the clients are not specifying
    the ISA server in IE properties. If nslookup is resolving outside addresses
    but cannot connect to them, then ISA is blocking that type of traffic and IE
    is not configured to use ISA.

    I hope the responses from the ISA folks helped out in resolving this for
    you. As James mentioned, please post back if you haven't resolved it.

    Ace
     
    Ace Fekay [MVP], Jan 3, 2007
    #13
  14. How about the DC? Uninstall everything off that too?

    Do you have an AV solution with a built-in firewall?

    Ace
     
    Ace Fekay [MVP], Jan 3, 2007
    #14
  15. That sounds like the older version of netdiag and/or the DNSAPI. Download
    the latest Support Tools version for XP:
    http://www.microsoft.com/downloads/...76-9BB9-4126-9761-BA8011FABF38&displaylang=en

    Ace
     
    Ace Fekay [MVP], Jan 3, 2007
    #15
  16. I was trying to determine if ISA is blocking it. However, since you can
    enumerate internal records and actually find the domain service records, as
    you've indicated where it shows you the ldap records, then connectivity
    apparently seems to be blocked by the DC. You say you can't even map a drive
    to the DC. Can you map a drive between two workstations?

    Ace
     
    Ace Fekay [MVP], Jan 3, 2007
    #16
  17. Then the problem is definitely not caused by ISA.


    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed are my own (as annoying as they are), and not those of
    my employer or anyone else associated with me.
    -----------------------------------------------------

     
    Phillip Windell, Jan 3, 2007
    #17
  18. So the problem is the DC refusing communications.

    See my other response below...
     
    Ace Fekay [MVP], Jan 4, 2007
    #18
  19. Interesting. Did we already ask if there are any Event log errors? This
    thread is running all over the place and is now getting difficult to look
    back thru it all. Can you post any Event log errors please, including their
    Source?

    Also, was by chance, Zone Alarm ever installed on the DC?

    Is there any communication errors between the DCs? You said you have two,
    correct? 192.168.0.1 and 192.168.0.2? If you go into Sites and Services,
    Site name, servers, double click on NTDS settings, on the right side you
    will see your replication connections. Rt click on them and select
    'replicate now'. Any errors?

    In DNS, under the mastro.local zone, is there a (same as parent) entry for
    the two DCs?

    Also do all the SRV records exist under the zone, as well as the
    _msdcs.mastro.local zone exists?

    Ever alter any registry entries or policies concerning LDAP or SMB signing?

    Is the DHCP client service (not the DHCP server service) turned off on any
    machine? Are any services disabled, maybe due to wanting to clean up any
    possible thought as 'unnecessary' services?

    Ace
     
    Ace Fekay [MVP], Jan 4, 2007
    #19
  20. Well things took a serious degradation today. What was a clean event log on
    the server is now packed with errors, between DNS events that cannot contact
    Active Directory, DFS replication failing, and application errors like I
    had on the client machines. Now what is tricky is that the NTDS has no
    errors or warnings. Plus the event viewer shows that the NTDS database is
    working. But going to any of the Active Directory plugins produces an "unable
    to find domain", and this from the servers, while earlier today I was able to
    access these with no problem. DHCP server is also unable to be found from
    the DHCP server. No services are turned off; it has just started down the
    path of death all of a sudden. So I am unable to replicate through the
    domain. I ran an ipconfig /release, /renew on a client machine after seeing
    DHCP not found, and was able to get an IP address from the DHCP server. So
    this is really beginning to become strange. Never had ZoneAlarm installed on
    any of these machines. Personally I don't like ZoneAlarm. The DNS records
    are as they should be, same as parent for both DCs, and SRV records in all
    spots of _msdcs.mastro.local. Here are the event logs from the clients from
    earlier. Now these are starting to show up on the servers:

    Application:
    Type: Error
    Source: Userenv
    Event ID: 1055
    User: S-1-5-21-964348623-4235773807-894329585-161
    Description:
    Windows cannot determine the computer name (access is denied, ). Group
    Policy aborted.

    Almost an hour later I get two more errors in application.
    Type: Error
    Source: Userenv
    Event ID: 1058
    User: NT Authority\System
    Description:
    Windows cannot access the file gpt.ini for GPO
    cn=(838427DD-7ADA-470D-8E1E-714C38231E5E),cn=policies,cn=system,DC=mastro,DC=local.
    The file must be present at the location
    <\\mastro.local\Sysvol\mastro.local\Policies\{838427DD-7ADA-470D-8E1E-714C38231E5E}\gpt.ini>.
    (The specific network name is no longer available. )Group Policy processing
    aborted.
    The second error stated group policy cannot be applied see above.

    I am beginning to wonder if I should uninstall Active Directory, DNS and
    DHCP, then reinstall DNS and DHCP, get them sorted out and working, then
    reinstall Active Directory?

     
    Michael R. Mastro II, Jan 4, 2007
    #20
