Hi, hoping you can help as I am not sure how to proceed.
I have set up my first VM in a remote site connected via a LAN-to-LAN VPN through a couple of DrayTeks.
Everything seemed to go well during dcpromo, but now I am getting various errors; the main one is a broken delegation.
I have noticed this seems to have happened on 2 other servers in remote sites; the other 3 are still working fine.
Here are the dcdiag /test:dns results:
>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = server 2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: site\server 2
Starting test: Connectivity
......................... server 2 passed test Connectivity
Doing primary tests
Testing server: site\server 2
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... server 2 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : mydomain
Running enterprise tests on : mydomain.local
Starting test: DNS
Test results for domain controllers:
DC: server 2.mydomain.local
Domain: mydomain.local
TEST: Delegations (Del)
Error: DNS server: server 1.mydomain.local.
IP:192.168.100.1
[Broken delegated domain _msdcs.mydomain.local.]
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 192.168.100.1 (server 1.mydomain.local.)
1 test failure on this DNS server
Summary of DNS test results:
                                 Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: mydomain.local
   server 2                      PASS PASS PASS FAIL PASS PASS n/a
......................... mydomain.local failed test DNS
C:\Users\Administrator.mydomain>
Server 2 can ping both IP and computer name.
Server 1 can ping both IP and computer name.
ipconfig from server 2:
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-64-2D-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.21.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.21.254
DNS Servers . . . . . . . . . . . : 192.168.100.1
192.168.21.2
NetBIOS over Tcpip. . . . . . . . : Enabled
I noticed all this after I had run the best practices analyzer on server 2 and it came back with various stuff:
server 2 Error DNS: The DNS server 192.168.100.1 on Ethernet must resolve Global Catalog resource records for the domain controller Configuration
server 2 Error DNS: The DNS server 192.168.100.1 on the Ethernet must resolve PDC resource records for the domain controller Configuration
server 2 Error DNS: The DNS server 192.168.100.1 on Ethernet must resolve names in the primary DNS domain zone Configuration
server 2 Error DNS: The DNS server 192.168.100.1 on Ethernet must resolve names in the forest root domain name zone Configuration
server 2 Error DNS: The DNS server 192.168.100.1 on Ethernet must resolve LDAP resource records for the domain controller Configuration
server 2 Error DNS: The DNS server 192.168.100.1 on Ethernet must resolve Kerberos resource records for the domain controller Configuration
server 2 Error DNS: The DNS server 192.168.100.1 on Ethernet must resolve the name of this computer Configuration
The only thing that has happened out of the norm was our ISP changed the public IP and username/password on our DSL connection, so the VPN went down for a couple of days, probably a day after I ran dcpromo.
Not sure if this would have any bearing on this.
I have been through the DNS records and the records seem to be there, but I am probably missing something.
The DNS settings on the NIC of the DCs are wrong…
The IP of the other DC should be primary and 127.0.0.1 as secondary.
Is that a space in the computer name? “server 1”? Horrible practice… Or have you changed the data above?
Have you configured AD sites and subnets according to the geographic network topology?
Have you checked for AD replication errors after the VPN link came back up?
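As an added example (not part of the thread and not written by either participant), the script below runs the checks raised so far from the affected DC's side in one pass: the DNS client order on each NIC (other DC first, loopback second), the NS records that make up the _msdcs delegation as answered by each DNS server, the SRV records the Best Practices Analyzer listed, and the NS records the local DNS server actually stores for the delegation. It assumes Windows Server 2012 or later (DnsClient and DnsServer modules), the domain name mydomain.local and the other DC at 192.168.100.1 as given in the thread, and that it is run in an elevated PowerShell session on server 2.

```powershell
# Added diagnostic script; assumes domain and addresses from the thread.
$Domain   = 'mydomain.local'   # assumption: forest root domain from the dcdiag output
$OtherDc  = '192.168.100.1'    # assumption: server 1, the DNS server dcdiag flagged
$Loopback = '127.0.0.1'

# 1. DNS client order on each IPv4 adapter: other DC first, loopback second.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $ok = ($_.ServerAddresses[0] -eq $OtherDc) -and ($_.ServerAddresses -contains $Loopback)
        "{0,-20} DNS order: {1}  [{2}]" -f $_.InterfaceAlias,
            ($_.ServerAddresses -join ', '), $(if ($ok) { 'OK' } else { 'CHECK' })
    }

# 2. The _msdcs delegation as each DNS server answers it. "Broken delegated domain"
#    means the NS records under the parent zone point at a name that does not
#    resolve or does not answer; compare the two answers for stale or missing hosts.
foreach ($srv in $OtherDc, $Loopback) {
    "--- NS for _msdcs.$Domain as answered by $srv"
    try {
        Resolve-DnsName -Name "_msdcs.$Domain" -Type NS -Server $srv -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'NS' } |
            ForEach-Object { "    {0} -> {1}" -f $_.Name, $_.NameHost }
    } catch { "    FAILED: $($_.Exception.Message)" }
}

# 3. The SRV records the Best Practices Analyzer said the other DC must resolve.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain"       # LDAP resource records for the DC
    "_kerberos._tcp.dc._msdcs.$Domain"   # Kerberos resource records
    "_ldap._tcp.gc._msdcs.$Domain"       # Global Catalog resource records
    "_ldap._tcp.pdc._msdcs.$Domain"      # PDC resource records
)
foreach ($name in $srvNames) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -Server $OtherDc -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        $targets = ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        "OK   {0}: {1}" -f $name, $targets
    } catch { "FAIL {0}: {1}" -f $name, $_.Exception.Message }
}

# 4. On the local DNS server: the NS records stored for the delegation in the
#    parent zone. Each NameServer here should be a live DC with a valid A record.
if (Get-Command Get-DnsServerResourceRecord -ErrorAction SilentlyContinue) {
    Get-DnsServerResourceRecord -ZoneName $Domain -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue |
        ForEach-Object { "stored delegation NS: {0}" -f $_.RecordData.NameServer }
}
```

A delegation entry that names a DC which no longer exists, or whose glue A record is missing, is the usual reason dcdiag reports the _msdcs delegation as broken even though resolution between the two DCs works; the same sub-test can be run on its own with dcdiag /test:DNS /DnsDelegation.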
I changed the data to make it easier to read; there is no space in the computer name.
Yes, sites and subnets are set up correctly.
Replication tests passed.
If you do an NSLOOKUP from Server 2 to Server 1, does it resolve correctly?
Yes, both IP and computer name from server 2 > server 1 resolve correctly, and both resolve correctly from server 1 > server 2.
Do you have any references to old DCs in your DNS anywhere?
No, I have not had to remove any DCs, and I have asked around the company and no one remembers any DCs/servers going down here.
I have had a look in case something was there but can't see anything.
GPOs working
DNS seems to be updating
Tried disabling firewalls