1

Hello, Bit stressed at the moment, our main DC will not open DNS.

At our primary school we have 2 2008r2 DC’s. DC1 which has this error also has all the roles, SQL, DHCP, printers and user files.

When I try to open DNS on DC1 it says 'The server is unavailable.

Not sure if this was the correct course of action but as a precaution I have pointed DC1’s network adapeter / ip4 / prefered DNS server at DC2 and pointed it at itself for the second DNS server (basically switched them round), I have also pointed all the clients computers at DC2 for DNS using DHCP.

When I look in the logs on DC1 for any DNS errors there none.

When I check the DNS service it says it has started.

None of our servers have the firewall enabled.

Dynamic zones are set to secure and DNS is AD integrated

The DNS entries on the working server DC2 all look good, although I am new to DNS.

Odd thing I did notice is both server think they are on a public connection. I restarted the network location service and they corrected themselves and display as being connected to a Domain network now.

This server has been up for almost 5 years and we were just about to order a replacement.

I have no idea where to start on this and really hope someone on SpiceWorks can come to my rescue.

@Microsoft

11 Spice ups
2

"Not sure if this was the correct course of action but as a precaution I have pointed DC1’s network adapeter / ip4 / prefered DNS server at DC2 and pointed it at itself for the second DNS server (basically switched them round), I have also pointed all the clients computers at DC2 for DNS using DHCP. "

That’s how it should be. DC1 should have DC2 as its primary DNS and then itself as secondary. DC2 should have DC1 as its primary DNS and itself as secondary.

What does dcdiag /v show?

Have you confirmed that AD is replicating properly? MS makes a graphical tool to show this if you don’t like reading cmd line output. (Which apparently is being replaced, but is still available here: https://www.microsoft.com/en-us/download/details.aspx?id=30005 )

1 Spice up
3

yeah the public connection is the issue…

try the hints here

for force it back to work/domain network

4

Are you actually having a problem where stuff isn’t working then ?

You could try opening a cmd line and use nslookup to see if bits are resolving.

5

That’s how it should be. DC1 should have DC2 as its primary DNS and then itself as secondary. DC2 should have DC1 as its primary DNS and itself as secondar

Even though DC1 might have DNS issues should I point to it as preferred DNS server from DC2?

I will download the GUI tool you have linked and post back.

This is the output from dcdiag on DC1

Directory Server Diagnosis

Performing initial setup:

Trying to find home server…

  • Verifying that the local machine School-srv01, is a Directory Server.

Home Server = School-srv01

  • Connecting to directory service on server School-srv01.

  • Identified AD Forest.

Collecting AD specific global data

  • Collecting site info.

Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),…

The previous call succeeded

Iterating through the sites

Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

Getting ISTG and options for the site

  • Identifying all servers.

Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),…

The previous call succeeded…

The previous call succeeded

Iterating through the list of servers

Getting information for the server CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

objectGuid obtained

InvocationID obtained

dnsHostname obtained

site info obtained

All the info for the server collected

Getting information for the server CN=NTDS Settings,CN=VM-2008R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

objectGuid obtained

InvocationID obtained

dnsHostname obtained

site info obtained

All the info for the server collected

  • Identifying all NC cross-refs.

  • Found 2 DC(s). Testing 1 of them.

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SCHOOL-SRV01

Starting test: Connectivity

  • Active Directory LDAP Services Check

Determining IP4 connectivity

  • Active Directory RPC Services Check

… SCHOOL-SRV01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SCHOOL-SRV01

Starting test: Advertising

The DC SCHOOL-SRV01 is advertising itself as a DC and having a DS.

The DC SCHOOL-SRV01 is advertising as an LDAP server

The DC SCHOOL-SRV01 is advertising as having a writeable directory

The DC SCHOOL-SRV01 is advertising as a Key Distribution Center

The DC SCHOOL-SRV01 is advertising as a time server

The DS SCHOOL-SRV01 is advertising as a GC.

… SCHOOL-SRV01 passed test Advertising

Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

  • The File Replication Service Event log test

Skip the test because the server is running DFSR.

… SCHOOL-SRV01 passed test FrsEvent

Starting test: DFSREvent

The DFS Replication Event Log.

… SCHOOL-SRV01 passed test DFSREvent

Starting test: SysVolCheck

  • The File Replication Service SYSVOL ready test

File Replication Service’s SYSVOL is ready

… SCHOOL-SRV01 passed test SysVolCheck

Starting test: KccEvent

  • The KCC Event log test

Found no KCC errors in “Directory Service” Event log in the last 15 minutes.

… SCHOOL-SRV01 passed test KccEvent

Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

Role Domain Owner = CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

Role PDC Owner = CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

Role Rid Owner = CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

Role Infrastructure Update Owner = CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

… SCHOOL-SRV01 passed test

KnowsOfRoleHolders

Starting test: MachineAccount

Checking machine account for DC SCHOOL-SRV01 on DC SCHOOL-SRV01.

  • SPN found :LDAP/School-srv01.SCHOOL.LAN/SCHOOL.LAN

  • SPN found :LDAP/School-srv01.SCHOOL.LAN

  • SPN found :LDAP/SCHOOL-SRV01

  • SPN found :LDAP/School-srv01.SCHOOL.LAN/SCHOOL

  • SPN found :LDAP/d0b7784e-bb95-4ba9-b23b-d0c22cea8833._msdcs.SCHOOL.LAN

  • SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/d0b7784e-bb95-4ba9-b23b-d0c22cea8833/SCHOOL.LAN

  • SPN found :HOST/School-srv01.SCHOOL.LAN/SCHOOL.LAN

  • SPN found :HOST/School-srv01.SCHOOL.LAN

  • SPN found :HOST/SCHOOL-SRV01

  • SPN found :HOST/School-srv01.SCHOOL.LAN/SCHOOL

  • SPN found :GC/School-srv01.SCHOOL.LAN/SCHOOL.LAN

… SCHOOL-SRV01 passed test MachineAccount

Starting test: NCSecDesc

  • Security Permissions check for all NC’s on DC SCHOOL-SRV01.

  • Security Permissions Check for

DC=ForestDnsZones,DC=SCHOOL,DC=LAN

(NDNC,Version 3)

  • Security Permissions Check for

DC=DomainDnsZones,DC=SCHOOL,DC=LAN

(NDNC,Version 3)

  • Security Permissions Check for

CN=Schema,CN=Configuration,DC=SCHOOL,DC=LAN

(Schema,Version 3)

  • Security Permissions Check for

CN=Configuration,DC=SCHOOL,DC=LAN

(Configuration,Version 3)

  • Security Permissions Check for

DC=SCHOOL,DC=LAN

(Domain,Version 3)

… SCHOOL-SRV01 passed test NCSecDesc

Starting test: NetLogons

  • Network Logons Privileges Check

Verified share \SCHOOL-SRV01\netlogon

Verified share \SCHOOL-SRV01\sysvol

… SCHOOL-SRV01 passed test NetLogons

Starting test: ObjectsReplicated

SCHOOL-SRV01 is in domain DC=SCHOOL,DC=LAN

Checking for CN=SCHOOL-SRV01,OU=Domain Controllers,DC=SCHOOL,DC=LAN in domain DC=SCHOOL,DC=LAN on 1 servers

Object is up-to-date on all servers.

Checking for CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN in domain CN=Configuration,DC=SCHOOL,DC=LAN on 1 servers

Object is up-to-date on all servers.

… SCHOOL-SRV01 passed test ObjectsReplicated

Test omitted by user request: OutboundSecureChannels

Starting test: Replications

  • Replications Check

  • Replication Latency Check

DC=ForestDnsZones,DC=SCHOOL,DC=LAN

Latency information for 2 entries in the vector were ignored.

2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).

DC=DomainDnsZones,DC=SCHOOL,DC=LAN

Latency information for 2 entries in the vector were ignored.

2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).

CN=Schema,CN=Configuration,DC=SCHOOL,DC=LAN

Latency information for 2 entries in the vector were ignored.

2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).

CN=Configuration,DC=SCHOOL,DC=LAN

Latency information for 2 entries in the vector were ignored.

2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).

DC=SCHOOL,DC=LAN

Latency information for 2 entries in the vector were ignored.

2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).

… SCHOOL-SRV01 passed test Replications

Starting test: RidManager

  • Available RID Pool for the Domain is 3611 to 1073741823

  • School-srv01.SCHOOL.LAN is the RID Master

  • DsBind with RID Master was successful

  • rIDAllocationPool is 2611 to 3110

  • rIDPreviousAllocationPool is 2611 to 3110

  • rIDNextRID: 2701

… SCHOOL-SRV01 passed test RidManager

Starting test: Services

  • Checking Service: EventSystem

  • Checking Service: RpcSs

  • Checking Service: NTDS

  • Checking Service: DnsCache

  • Checking Service: DFSR

  • Checking Service: IsmServ

  • Checking Service: kdc

  • Checking Service: SamSs

  • Checking Service: LanmanServer

  • Checking Service: LanmanWorkstation

  • Checking Service: w32time

  • Checking Service: NETLOGON

… SCHOOL-SRV01 passed test Services

Starting test: SystemLog

  • The System Event log test

An error event occurred. EventID: 0x00000457

Time Generated: 03/03/2016 08:52:58

Event String:

Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

An error event occurred. EventID: 0x00000457

Time Generated: 03/03/2016 08:53:02

Event String:

Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

An error event occurred. EventID: 0x00000457

Time Generated: 03/03/2016 08:53:02

Event String:

Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

… SCHOOL-SRV01 failed test SystemLog

Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)

CN=SCHOOL-SRV01,OU=Domain Controllers,DC=SCHOOL,DC=LAN and

backlink on

CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

are correct.

The system object reference (serverReferenceBL)

CN=SCHOOL-SRV01,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=SCHOOL,DC=LAN

and backlink on

CN=NTDS Settings,CN=SCHOOL-SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SCHOOL,DC=LAN

are correct.

The system object reference (msDFSR-ComputerReferenceBL)

CN=SCHOOL-SRV01,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=SCHOOL,DC=LAN

and backlink on

CN=SCHOOL-SRV01,OU=Domain Controllers,DC=SCHOOL,DC=LAN are

correct.

… SCHOOL-SRV01 passed test VerifyReferences

Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

… ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

… ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

… DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

… DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

… Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

… Schema passed test CrossRefValidation

Running partition tests on : Configuration

Starting test: CheckSDRefDom

… Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

… Configuration passed test CrossRefValidation

Running partition tests on : SCHOOL

Starting test: CheckSDRefDom

… SCHOOL passed test CheckSDRefDom

Starting test: CrossRefValidation

… SCHOOL passed test CrossRefValidation

Running enterprise tests on : SCHOOL.LAN

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \School-srv01.SCHOOL.LAN

Locator Flags: 0xe00033fd

PDC Name: \School-srv01.SCHOOL.LAN

Locator Flags: 0xe00033fd

Time Server Name: \School-srv01.SCHOOL.LAN

Locator Flags: 0xe00033fd

Preferred Time Server Name: \School-srv01.SCHOOL.LAN

Locator Flags: 0xe00033fd

KDC Name: \School-srv01.SCHOOL.LAN

Locator Flags: 0xe00033fd

… SCHOOL.LAN passed test LocatorCheck

Starting test: Intersite

Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.

… SCHOOL.LAN passed test Intersite

6

Are you actually having a problem where stuff isn’t working then ?

I cant access the DNS GUI on DC1. When I try to open DNS console on DC1 it says 'The server is unavailable.

7

Have you confirmed that AD is replicating properly? MS makes a graphical tool to show this if you don’t like reading cmd line output. (Which apparently is being replaced, but is still available here: https://www.microsoft.com/en-us/download/details.aspx?id=30005 )

When I run the tool it says this is no longer supported and directs me to a new version. The new version requires an online workspace to be created and AD to be linked to the online workspace. Could you advice how I would use the cmd version? Not really sure I want to start linking our DC to an online space.

BTW thanks for all the help so far

8

The test looks good that you ran, you may just need to add the server back to the dns manager

9

I think the question meant… is DNS really not working, or just the GUI?

1 Spice up
10

You should open up nslookup also and see if it errors out on you try putting some machine names in see if it responds.

11

When I try to add the server to DNS manager it says the same error ‘The server is unavailable.’

12

yes but what does an nslookup using that server do?

13

it may also be worth flushing the dns cache in case it has got stale, at cmd type ipconfig /flushdns

14

I think the question meant… is DNS really not working, or just the GUI?
Clients all seem to be fine, nobody has raised any issues.

When I run NSLOOKUP in cmd I get the folowing

Default Server: UnKnown
Address: ::1

Is this because I have IP6 enabled? Should I disable IP6?

15

in your ip address config do you have dc1 set as the primary dns server using its actual ip address and not 127.0.0.1 ?

1 Spice up
16

you could also try ‘dnscmd ipaddress’ from command prompt

17

They are the actual IP addresses and not loop back

DC1 was listed as primary but I have just made it secondary. If you read the second post they said -

DC1 should have DC2 as its primary DNS and then itself as secondary. DC2 should have DC1 as its primary DNS and itself as secondary.

18

I have tried ipconfig /flushdns

you could also try ‘dnscmd ipaddress’ from command prompt
Which switches would you recommend I use?

19

try a /info to see if it will return any info

20

Just run this - dcdiag /test:dns (I will run dnscmd ipaddress /info next)

and get the following error -

Directory Server Diagnosis

Performing initial setup:

Trying to find home server…

Home Server = School-srv01

  • Identified AD Forest.

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SCHOOL-SRV01

Starting test: Connectivity

… SCHOOL-SRV01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SCHOOL-SRV01

Starting test: DNS

DNS Tests are running and not hung. Please wait a few minutes…

SCHOOL-SRV01 failed test DNS

Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : SCHOOL

Running enterprise tests on : SCHOOL.LAN

Starting test: DNS

Test results for domain controllers:

DC: School-srv01.SCHOOL.LAN

Domain: SCHOOL.LAN

TEST: Basic (Basc)

Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)

School-srv01 PASS WARN n/a n/a n/a n/a n/a

… SCHOOL.LAN passed test DNS