Re: Domain Controller Stops Processing All Login Requests Randomly
- From: "Josh-UCDHSC" <noJCspam@xxxxxxxxxxxxx>
- Date: Thu, 5 May 2005 10:40:11 -0600
Comments inserted below~
Would you like to have a look at things? I could set up Remote Assistance...
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:%23geDaGTUFHA.2172@xxxxxxxxxxxxxxxxxxxxxxx
> "Josh-UCDHSC" <noJCspam@xxxxxxxxxxxxx> wrote in message
> news:OrFy1EQUFHA.3584@xxxxxxxxxxxxxxxxxxxxxxx
>> Many thanks; Comments inserted below, also -
>> Microsoft thinks they have fixed it again. They created a global catalog on
>> the 2nd domain controller. They also changed the DNS dynamic update
>> settings on the DC from "secure" to "non secure and secure". I questioned
>> this but they said it was needed for both DCs to work as global catalogs.
>
> For small forests and single domain forests it
> is usual to make ALL DC into GCs.
>
>> Also, the 2nd domain controller's A record appeared to have been pointing to
>> the wrong location, it was replying to pings from the first DC as
>> halcyon.cudenver.edu instead of halcyon.coe.cudenver.edu.
>
> Replies to pings don't happen by name;
> seeing that would be based on reverse
> records or some such.
>
>> The server stopped responding today. The forward lookup zone on waimea
>> wasn't present in the DNS after the reboot. MS Support recreated it.
>> This was the first time I've seen this happen.
>
> Gone entirely?
>
> Someone deleted it. They don't just disappear.
>
>> Clients are running Windows XP Professional With SP2. Firewall is turned on.
>
> Generally irrelevant EXCEPT that the machines
> with the firewall cannot be "servers" by default;
> you must enable services/port they wish to share,
> and that is not an issue for you here.
>
>> Full computer name: WAIMEA.coe.cudenver.edu
>> Domain: coe.cudenver.edu
>>
>> DNS Server Addresses, in order of use:
>> 132.194.21.250
>> 132.194.21.96
>
> Are these both holding the SAME exact zone (now)?
Yes. They are both holding the same exact zone.
>
> They both must do that.
>
>> "append primary and connection specific DNS suffixes" is selected
>
> Irrelevant to the type of problems you are
> having; this is a user convenience setting.
>
>> DNS suffix for this connection: cudenver.edu
>
> Irrelevant, but usually unnecessary -- the key is to
> get the FULL computer name correct in the System
> control panel, then this setting is never needed with
> ONE NIC, and seldom needed with multiple NICs.
This is set correctly, other than waimea is in all capital letters in the
System Control Panel. I took out the cudenver.edu to match the TCP/IP
settings on the 2nd DC, which didn't have it. Network Load Balancing was
checked on the 2nd DC so I unchecked it as it is not doing any network load
balancing. It was interesting, when I had the cudenver.edu suffix entered
running "nslookup waimea" about every second it would return
"waimea.cudenver.edu" in the server field and the next time
"waimea.coe.cudenver.edu". It would switch back and forth between the two.
When I took the cudenver.edu suffix out, "nslookup waimea" only lists
"waimea.coe.cudenver.edu" in the server field.
>
>> "Register this connection's address in DNS" is checked
>> "Use this connection's DNS suffix in DNS registration" is checked
>
> Same as previous.
>
>> > Are they all holding the Domain zone, or able to fully
>> > resolve that zone?
>>
>> Not sure what you mean by "holding the Domain zone" the DCs resolve nslookups
>> for computers in the domain as computername.coe.cudenver.edu for nslookups
>> outside the
>
> Does the DNS server have the zone defined and have a
> full copy of it (not some external partial copy of a zone
> with the same name)?
Yes both DCs have the same zone set.
>
>> >> If I
>> >> restart the DNS service without rebooting it doesn't help. Could this in
>> >> any way be Active Directory related?
>> >
>> > Well, yes, but in the sense that almost all AD replication
>> > OR authentication (logon) problems are really DNS problems.
>> >
>> > Practically all of those DNS problems are due to
>> > misconfiguration. And a high percentage of those
>> > are caused by trying to configure "two sets" of DNS
>> > servers on the client NICs (DCs are DNS clients too.)
>>
>> WAIMEA_DCDIAG.TXT Output below:
>>
>>
>> Domain Controller Diagnosis
>>
>> Performing initial setup:
>> * Verifying that the local machine WAIMEA, is a DC.
>> * Connecting to directory service on server WAIMEA.
>> [WAIMEA] Directory Binding Error 1753:
>> There are no more endpoints available from the endpoint mapper.
>
> This error is disturbing -- has someone been messing
> with the registry in an attempt to alter the way that the
> RPC server works?
No, I think the problem is with the version of dcdiag used. To generate
this data I used MPSRPT_DirSvc.EXE instead of dcdiag.
Using "dcdiag" doesn't show the problems.
>
> If not you may have a corrupted DC which would benefit
> from a "REPAIR Install" (from the original CDROM.)
I will consider this after the semester is over at the end of next week.
Running a regular dcdiag doesn't show the endpoint mapper problem.
>
>> Doing initial required tests
>>
>> Testing server: Default-First-Site-Name\WAIMEA
>> Starting test: Connectivity
>> Error Record 1, ProcessID is 1908 (DcDiag)
>> System Time is: 5/4/2005 20:54:21:884
>> Generating component is 2 (RPC runtime)
>> Status is 1753: There are no more endpoints available from the endpoint mapper.
>
> Ditto.
>
>> Error Record 2, ProcessID is 1908 (DcDiag)
>> System Time is: 5/4/2005 20:54:21:884
>> Generating component is 2 (RPC runtime)
>> Status is 1722: The RPC server is unavailable.
>
> Something wrong with the RPC Server?
>
>> Error Record 3, ProcessID is 1908 (DcDiag)
>> System Time is: 5/4/2005 20:54:21:884
>> Generating component is 8 (winsock)
>> Status is 1722: The RPC server is unavailable.
>>
>> Error Record 4, ProcessID is 1908 (DcDiag)
>> Generating component is 8 (winsock)
>> Status is 10048: Only one usage of each socket address
>> (protocol/network address/port) is normally permitted.
>
> How many IP addresses does this DC have? How many NICs?
This server has 4 NICs. All but one are disabled.
>
>> Doing primary tests
>>
>> Testing server: Default-First-Site-Name\WAIMEA
>> Skipping all tests, because server WAIMEA is
>> not responding to directory service requests
>
> Likely a DNS or RPC server problem still...
Are there any more advanced tools than dcdiag and the like? Is it advisable
to run windump on a Win2k3 DC?
>
>
>> Starting test: FsmoCheck
>> GC Name: \\WAIMEA.coe.cudenver.edu
>> Locator Flags: 0xe00001fd
>> Warning: Couldn't verify this server as a PDC using
>> DsListRoles()
>> PDC Name: \\WAIMEA.coe.cudenver.edu
>
> Has anyone ever SEIZED a role (PDC Emulator) in this domain?
No, not to my knowledge.
>
> Is this the only (current) DC? Has there ever been more?
This is the only current DC besides the 2nd active DC. There hasn't been
any other other than a test domain with a different name (coe-test) which
was running on a different machine and was shut down months ago.
>
> For DNS check all of this:
>
>
> DNS for AD
> 1) Dynamic for the zone supporting AD
> 2) All internal DNS clients NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
> 3) DCs and even DNS servers are DNS clients too -- see #2
> 4) If you have more than one Domain, every DNS server must
> be able to resolve ALL domains (either directly or indirectly)
Yep all of this checks out.
Would you like to have a look at things? I could set up Remote Assistance,
there could be something I am missing or don't understand. I could give you
a call, my email is: josh.cady@xxxxxxxxxxxx if you want to send me some contact
info.
>
> netdiag /fix
>
> ...or maybe:
>
> dcdiag /fix
>
> (Win2003 can do this from Support tools):
> nltest /dsregdns /server:DC-ServerNameGoesHere
> http://support.microsoft.com/kb/q260371/
>
> Ensure that DNS zones/domains are fully replicated to all DNS
> servers for that (internal) zone/domain.
>
> Also useful may be running DCDiag on each DC, sending the
> output to a text file, and searching for FAIL, ERROR, WARN.
>
>
>
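The suggestion quoted at the end of this message (save DCDiag output to a text file and search it for FAIL, ERROR, WARN), as an added example that is not part of the original post: a parser for the "Error Record" blocks shown above that re-joins wrapped status lines and tallies status codes per generating component. The function names are this example's own, and the sample is trimmed from the output quoted in the thread.

```python
import re
from collections import Counter

# Trimmed excerpt of the dcdiag output quoted in the post, wraps as posted.
SAMPLE = """\
Error Record 1, ProcessID is 1908 (DcDiag)
System Time is: 5/4/2005 20:54:21:884
Generating component is 2 (RPC runtime)
Status is 1753: There are no more endpoints available from
the
endpoint mapper.
Error Record 3, ProcessID is 1908 (DcDiag)
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.
Error Record 4, ProcessID is 1908 (DcDiag)
Generating component is 8 (winsock)
Status is 10048: Only one usage of each socket address
(protocol/network address/port) is normally permitted.
Warning: Couldn't verify this server as a PDC using
"""

REC = re.compile(r"Error Record (\d+), ProcessID is (\d+)")
COMP = re.compile(r"Generating component is (\d+) \((.+?)\)")
STAT = re.compile(r"Status is (\d+): (.*)")
BOUNDARY = re.compile(r"Doing |Testing server|Starting test|Skipping|Warning|\.")
KEYWORDS = re.compile(r"\b(FAIL\w*|ERROR\w*|WARN\w*)\b", re.I)

def parse_dcdiag(text):
    """Return (error records, other lines mentioning FAIL/ERROR/WARN)."""
    records, flagged, open_status = [], [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        rec, comp, stat = REC.match(line), COMP.match(line), STAT.match(line)
        if open_status and not (rec or comp or stat or BOUNDARY.match(line)):
            records[-1]["text"] += " " + line  # re-join a wrapped status message
            continue
        open_status = False
        if rec:
            records.append({"record": int(rec[1]), "component": None, "status": None, "text": ""})
        elif comp and records:
            records[-1]["component"] = comp[2]
        elif stat and records:
            records[-1].update(status=int(stat[1]), text=stat[2])
            open_status = True
        elif KEYWORDS.search(line):
            flagged.append(line)
    return records, flagged

def summarize(records):  # count records per (status code, generating component)
    return Counter((r["status"], r["component"]) for r in records)
```

Run against one saved file per DC, the per-component tally makes it easy to see whether the same RPC or winsock status codes recur on both controllers.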