Re: Domain Controller Stops Processing All Login Requests Randomly



"Josh-UCDHSC" <noJCspam@xxxxxxxxxxxxx> wrote in message
news:OPzhDEZUFHA.2892@xxxxxxxxxxxxxxxxxxxxxxx
> Comments inserted below~
> Would you like to have a look at things? I could set up Remote
> Assistance...

I might, but unless you already have RA working then we are going to
have to ditz around with firewalls/NATs probably.

[I wrote the following lines last -- after interspersing comments all
the way down.]

Normally, I would say yes -- but I am running a little ragged right now.


I usually offer to let people call so if you think it will help go ahead.

But you seem pretty competent and if you have checked all of the DCDiag
(or equivalent) stuff, and are sure about checking the DNS then that is
all I would likely be doing.

You might chase down that missing role holder (unless it was just a
spurious RPC error.)

Or the "REPAIR" install. You should back up first, but I have never
hurt a machine doing that -- and have yet to fail to recover one either. Repair
install is the best kept secret in Windows these days.

[...more inline...]

> >> DNS Server Addresses, in order of use:
> >> 132.194.21.250
> >> 132.194.21.96
> >
> > Are these both holding the SAME exact zone (now)?
>
> Yes. They are both holding the same exact zone.

Good.

> > They both must do that.

> > Irrelevant, but usually unnecessary -- the key is to
> > get the FULL computer name correct in the System
> > control panel, then this setting is never needed with
> > ONE NIC, and seldom needed with multiple NICs.
>
> This is set correctly, other than waimea is in all capital letters in the
> System Control Panel.

Caps don't matter, DNS is not case sensitive and although NetBIOS
is TECHNICALLY case sensitive, the machines always UPPERCASE
their computer name, domain names and such.

> I took out the cudenver.edu to match the TCP/IP
> settings on the 2nd DC, which didn't have it. Network Load Balancing was
> checked on the 2nd DC so I unchecked it as it is not doing any network
> load balancing.

Load balancing only makes sense if you have at least two
servers in an NLB set.

> It was interesting, when I had the cudenver.edu suffix entered
> running "nslookup waimea" about every second it would return
> "waimea.cudenver.edu" in the server field and the next time
> "waimea.coe.cudenver.edu". It would switch back and forth between the
> two.
> When I took the cudenver.edu suffix out, "nslookup waimea" only lists
> "waimea.coe.cudenver.edu" in the server field.
>
> >
> >> "Register this connection's address in DNS" is checked
> >> "Use this connection's DNS suffix in DNS registration" is checked
> >
> > Same as previous.
> >
> >> > Are they all holding the Domain zone, or able to fully
> >> > resolve that zone?
> > Does the DNS server have the zone defined and have a
> > full copy of it (not some external partial copy of a zone
> > with the same name)?
>
> Yes both DCs have the same zone set.



> >> Domain Controller Diagnosis
> >>
> >> Performing initial setup:
> >> * Verifying that the local machine WAIMEA, is a DC.
> >> * Connecting to directory service on server WAIMEA.
> >> [WAIMEA] Directory Binding Error 1753:
> >> There are no more endpoints available from the endpoint mapper.
> >
> > This error is disturbing -- has someone been messing
> > with the registry in an attempt to alter the way that the
> > RPC server works?
>
> No, I think the problem is with the version of dcdiag used. To generate
> this data I used MPSRPT_DirSvc.EXE instead of dcdiag.
> Using "dcdiag" doesn't show the problems.

There is a later version of DCDiag at the MS site.

I always use it.

> > If not you may have a corrupted DC which would benefit
> > from a "REPAIR Install" (from the original CDROM.)
>
> I will consider this after the semester is over at the end of next week.
> Running a regular dcdiag doesn't show the endpoint mapper problem.

Oh.


> > How many IP addresses does this DC have? How many NICs?
>
> This server has 4 NICs. All but one are disabled.

Only active ones with working IPs count. So that is good.
Some people get weird problems with multiple NICs or multiple
IPs being active.


> Are there any more advanced tools than dcdiag and the like? Is it
> advisable to run windump on a Win2k3 DC?

I can usually solve most any AD/DNS problem with DCDiag.

You might look at ReplMon or RepAdmin though if you are having
replication problems.

Sometimes you have to use NTDSUtil to clean out "dead" servers,
i.e., DCs that have died or been uninstalled.

> >> PDC Name: \\WAIMEA.coe.cudenver.edu
> >
> > Has anyone ever SEIZED a role (PDC Emulator) in this domain?
>
> No, not to my knowledge.

I was CONSIDERING that maybe the role had been seized but the
other DCs hadn't replicated that info.

Or a role was seized but the original role holder was still brought
back online (never do the latter.)

> > Is this the only (current) DC? Has there ever been more?
>
> This is the only current DC besides the 2nd active DC. There hasn't been
> any other, other than a test domain with a different name (coe-test) which
> was running on a different machine and was shut down months ago.

Ok, then you likely don't have the "seize" issue. That makes for weird and
unpredictable problems that might fit your circumstances though.

> > For DNS check all of this:
> >
> >
> > DNS for AD
> > 1) Dynamic for the zone supporting AD
> > 2) All internal DNS clients NIC\IP properties must specify SOLELY
> > that internal, dynamic DNS server (set.)
> > 3) DCs and even DNS servers are DNS clients too -- see #2
> > 4) If you have more than one Domain, every DNS server must
> > be able to resolve ALL domains (either directly or
> > indirectly)
>
> Yep all of this checks out.
>
> Would you like to have a look at things? I could set up Remote Assistance,
> there could be something I am missing or don't understand. I could give
> you a call, my email is: josh.cady@xxxxxxxxxxxx if you want send me some
> contact info.
>
> >
> > netdiag /fix
> >
> > ...or maybe:
> >
> > dcdiag /fix
> >
> > (Win2003 can do this from Support tools):
> > nltest /dsregdns /server:DC-ServerNameGoesHere
> > http://support.microsoft.com/kb/q260371/
> >
> > Ensure that DNS zones/domains are fully replicated to all DNS
> > servers for that (internal) zone/domain.
> >
> > Also useful may be running DCDiag on each DC, sending the
> > output to a text file, and searching for FAIL, ERROR, WARN.
> >
> >
> >
>
>
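
The last suggestion quoted above (run DCDiag on each DC, send the output to a text file, and search for FAIL, ERROR, WARN), as an added example that is not part of the original thread. The report text is a constructed sample (only the binding error wording comes from the thread), and `triage` and the pattern names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of a saved dcdiag report; only the binding error
# text is taken from the thread, the test results are made up.
SAMPLE_REPORT = """\
Performing initial setup:
   * Connecting to directory service on server WAIMEA.
   [WAIMEA] Directory Binding Error 1753:
   There are no more endpoints available from the endpoint mapper.

Doing primary tests
   Testing server: Default-First-Site-Name\\WAIMEA
      Starting test: Connectivity
         ......................... WAIMEA passed test Connectivity
      Starting test: Replications
         [Replications Check,WAIMEA] A recent replication attempt failed:
         ......................... WAIMEA failed test Replications
      Starting test: Advertising
         Warning: WAIMEA is not advertising as a time server.
         ......................... WAIMEA failed test Advertising
"""

START = re.compile(r"Starting test: (\S+)")
VERDICT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
FLAG = re.compile(r"\b(fail\w*|error\w*|warn\w*)\b", re.IGNORECASE)


def triage(report):
    """Return (failed_tests, flagged_lines_by_test) for one dcdiag report."""
    failed, flagged, current = [], defaultdict(list), "setup"
    for raw in report.splitlines():
        line = raw.strip()
        if m := START.search(line):
            current = m.group(1)            # detail lines belong to this test
        elif m := VERDICT.search(line):
            if m.group(2) == "failed":
                failed.append((m.group(1), m.group(3)))
        elif FLAG.search(line):
            flagged[current].append(line)   # FAIL / ERROR / WARN detail
    return failed, dict(flagged)


if __name__ == "__main__":
    failed, flagged = triage(SAMPLE_REPORT)
    for server, test in failed:
        print(f"{server}: FAILED {test}")
    for test, lines in flagged.items():
        for line in lines:
            print(f"  [{test}] {line}")
```

Running the same function over the text file saved from each DC makes it easy to see which tests fail on one controller but pass on the other.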

