I have recently removed my HPe Server from my domain to workgroup now trying to rejoin my domain but it’s giving me the following error:

Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain domainname.co.uk:

The error was: “This operation returned because the timeout period expired.”
(error code 0x000005B4 ERROR_TIMEOUT)

The query was for the SRV record for _ldap._tcp.dc._msdcs.domainname.co.uk

The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:

10.xx.xx.x

Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

Few things to consider:

  • My DNS is installed on my primary domain controller (dc-01) and DNS is a primary zone here. I have a secondary domain controller (dc02) with DNS but it’s set up as a secondary zone.

  • I use Hyper-V to host these domain controllers.

  • I used to use my laptop to run these DCs via Hyper-V and moved over to my HPe server about a month ago. The dc-01 had a DNS primary zone configured and so did dc02. When I realised dc02 had a primary DNS zone I erased it and configured it as a secondary DNS zone. I took the necessary measures when it came to removing/demoting the DCs from my laptop by: removing the static IP address from the network adapters (changing from static to dynamic), removing the virtual adapters (Hyper-V), removing all the roles it had (incl. DNS Manager), then finally demoting the servers from domain controller. All was done whilst the VMs on my HPe server were offline so there were no conflicts (the VMs on my laptop and HPe server have never been online at the same time). Lastly I wiped the OS for both so there was nothing left.

  • My HPe server was joined to the domain when I was running the DCs on my laptop, so after the migration I left the domain, rejoined, and it seemed to be working well. Only recently (about a week now) I am having a constant (trust relationship) error each time I RDP in to the machine. I believe this is happening because I changed the IP address of one of the NICs to an old static IP address so I can keep my static IP addresses numbered in order. I can get past the trust relationship issue by re-entering my domain admin credentials; however, I was dealing with another issue where my file server (or any other server, for that matter) is not able to find any of my domain users/groups when it comes to adding them to an access control list for a folder (I was using the local C: folder as an example). It keeps coming up with the error "An object (User, Group, or Built-in security principal) with the following name cannot be found: “name”. Check the selected object types and locations for accuracy and ensure that you have typed the object name correctly, or remove this object from the selection." This was the error I was initially trying to resolve, so I went to ping the name of my domain from the server as part of another troubleshooting article and the response was this: “Ping request could not find host domain.co.uk. Please check the name and try again.” So I went to my DC and ran the command dcdiag /test:DNS /v which came back with the result:

DNS servers:

                   Warning:
                   10.xx.xx.x (DC-01) [Invalid]
                   Warning: adapter [00000019] Microsoft Hyper-V Network Adapter has invalid DNS server:
                   10.xx.xx.x (DC-01)
             Error: all DNS servers are invalid
             The A host record(s) for this DC was found
             The SOA record for the Active Directory zone was found
             Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
             [Error details: 5 (Type: Win32 - Description: Access is denied.)]
    Summary of test results for DNS servers used by the above domain controllers:
       DNS server: xx.xx.xx.x (DC-01)
          1 test failure on this DNS server
          Name resolution is not functional. _ldap._tcp.domainname.co.uk. failed on the DNS server 10.xx.xx.x
          [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
    Summary of DNS test results:
                                       Auth Basc Forw Del  Dyn  RReg Ext
       _________________________________________________________________
       Domain: domainname.co.uk
          DC-01                        PASS FAIL n/a  n/a  n/a  n/a  n/a

Steps I’ve taken:

I’ve gone into my DNS Manager > Forward Lookup Zones > _msdcs.“domainname”.co.uk > dc > _tcp > and can see the _ldap SRV record with the correct details. Went ahead and deleted that, then re-created it.

  • Restarted DNS Server services
  • Flushed dns on hpe server
  • Tried to rejoin but same error

I then revisited DNS Manager > Forward Lookup zones > “domainname.co.uk” > and deleted the Host (A) record for my DC-01 and re-added with the same settings which included ticking the checkbox for PTR.

  • Restarted DNS Server services
  • Flushed dns on hpe server
  • Tried to rejoin but same error

Went into my Reverse Lookup Zones > 10.xx.xx.in-addr.arpa > selected my dc-01 PTR > deleted and re-added.

  • Restarted DNS Server services
  • Flushed dns on hpe server
  • Tried to rejoin but same error

I did have trouble joining this HPe server in the past (after the migration) but with a different error. I did some research and added the Alias (CNAME) records for each folder within DNS Manager > Forward Lookup Zones > _msdcs.domainname.co.uk, and that seemed to resolve that issue, so just FYI there is an Alias (CNAME) record there.

I was doing a lot of research with Copilot and various websites but I still can’t seem to get this HPe server to rejoin. Maybe if I can get this working it would also fix my issue with the file server not being able to see my users/groups? Also to add: I’m able to see users/groups when it comes to adding permissions within my DC-01; it’s just the other servers (DHCP servers, file server) that are not allowing me to.

Also to add: firewalls have been switched off temporarily for both the HPe server and dc-01. The HPe server is able to ping my dc-01 IP address and receive all 4 replies. The HPe server also has a static IP address and subnet, gateway and DNS (pointing to my dc-01 IP) all set up correctly. As I mentioned earlier, it was previously joined and all was working well, but now it can’t rejoin.

3 Spice ups
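The join failure above is the client failing to get an answer for the `_ldap._tcp.dc._msdcs` SRV record from its configured DNS server. The following PowerShell script is an added diagnostic example (not code from any post in this thread) that reproduces that lookup against each configured DNS server separately, then checks that every SRV target has an A record and accepts LDAP on the advertised port. It assumes the domain name `domainname.co.uk` from the post; the DNS servers are read from the local adapters.

```powershell
# Added diagnostic example, not from the thread. Run on the machine that
# cannot join (the HPe host). $Domain is assumed from the post; adjust it.
$Domain = 'domainname.co.uk'
$srv    = "_ldap._tcp.dc._msdcs.$Domain"

# Every IPv4 DNS server configured on any adapter, de-duplicated.
$DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses } |
              Select-Object -ExpandProperty ServerAddresses -Unique

foreach ($server in $DnsServers) {
    Write-Host "== DNS server $server =="

    # 1. Does this server answer authoritatively for the zone at all?
    #    -DnsOnly bypasses the client cache and the hosts file.
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' }
        Write-Host "  SOA primary server: $($soa.PrimaryServer)"
    } catch {
        Write-Host "  No SOA answer: $($_.Exception.Message)"
        continue
    }

    # 2. The exact record the domain-join client queries (the one that timed out).
    try {
        $recs = Resolve-DnsName -Name $srv -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Host "  SRV lookup for $srv failed: $($_.Exception.Message)"
        continue
    }
    if (-not $recs) { Write-Host "  SRV lookup returned no SRV records"; continue }

    # 3. Each SRV target must resolve to an A record and accept LDAP (port from SRV).
    foreach ($r in $recs) {
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $server -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($a) {
            $tcp = Test-NetConnection -ComputerName $a.IPAddress -Port $r.Port -WarningAction SilentlyContinue
            $ldapOk = $tcp.TcpTestSucceeded
            $ip = $a.IPAddress
        } else {
            $ldapOk = $false
            $ip = '<no A record>'
        }
        Write-Host ("  SRV -> {0}:{1}  A={2}  LDAP reachable={3}" -f $r.NameTarget, $r.Port, $ip, $ldapOk)
    }
}
```

A server that answers the SOA query but fails or times out on the SRV query is the pattern in the dcdiag output above; a server that fails the SOA query is simply not reachable or not serving the zone.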

The server you removed, why? Was it a DC?

What is it using for DNS?

Why is DC02 a secondary zone?

Based on it being on your laptop previously, this is a lab - right? I’m worried if it’s not.

DCs should never be DHCP, but if you demoted everything, you tore down your domain, am I reading this right?

Please output the value of ‘ipconfig all’ on both your DCs and the host.

This all sounds like a DNS issue.

If your DCs/DNS are both virtual and both on this host, it may be wise not to put the host in the domain at all. If your DNS doesn’t start or AD doesn’t, you may not get in.

2 Spice ups

Thanks for responding.

It was a DC yes however this was removed after I confirmed that the DC was working well on the HPe server. I removed it because I obviously no longer needed it on my laptop but this removal was not done until 2 weeks of monitoring.

DC02 is a secondary zone because of the articles I’ve read online - apparently there should only be 1 primary zone the rest can be secondary. Having 2 primary zones can cause issues.

A little story re: DHCP/DC. So as I was starting off this “home-lab” I was only able to run 2-3 VMs due to lack of compute. Therefore DHCP, DNS, RRAS & AADConnect were configured on the single DC-01. Now that I’ve purchased a HPe server I was able to have more breathing space and created a VM for each, plus a failover VM for those servers. PS, I demoted the server once I confirmed all was working well on the HPe server (the HPe server is hosting VMs via Hyper-V).

I’ve also been told by the senior infra guys at work that the host should be on the domain and it should not be a stand-alone/vanilla.

Anyways, carried out a few more checks this morning and managed to “fix” it.

I did isolate the DC02 yesterday for troubleshooting but I’ve launched it again this morning as I was following a troubleshooting guide. So now with the DC02 online, I went back in to my DC-01 and navigated to DNS Manager > Forward Lookup Zones > _msdcs.domainname.co.uk folder > Name Servers tab and found that the dc02 FQDN needs to be on here. Went ahead and added that, restarted DNS Server services, dnsflush on the HPe server and still no luck. However, when I run the dcdiag it now passes all checks. Read a bit more and it suggested using dc02 as the alternate DNS server within the network adapter of my HPe device. So I went ahead and did that and it worked. I also pinged dc-01.domainname.co.uk and finally received responses (I wasn’t receiving this earlier, but ping to the IP address works).

Now I’m guessing the HPe Server is relying on the alternate DNS server? Seems like I don’t have to do this for all the other VMs’ adapters as they are able to ping/receive successfully to dc-01.domainname.co.uk. I haven’t tried spinning up a new VM to see if that joins to my domain yet, so that could be a good test. Let me know your thoughts. Thanks.

1 Spice up

How can you remove it, did you have 4 DCs at one point and remove the 2 on the laptop or did you mimic them on the server and take them away on the laptop?

Or did you build a same named domain on the server with different IPs then later change things?

Can you link any of the articles referencing the second zone? It may be my understanding of what you’re describing, or what you’re describing, that isn’t clear.

When you have DCs outside of the host this would make sense, but in your case your DCs are on the host. If your DCs are not up and running, you may not get in to the host, nor will your client devices get DNS or DHCP; you may end up in a chicken-and-egg situation.

As for what DNS things are relying on, without sharing your ipconfig it’s hard to know and we have to assume you have it setup correctly (noting, we do not know your skill level).

1 Spice up

DNS is the foundation for how Active Directory is able to locate directory objects and services.

Active Directory Domain Controllers with the DNS role automatically replicate everything they need to function with their peers (multi-master replication). Don’t mess with DNS, you can literally break everything.

From a Domain Controller, and elevated command prompt. What is the output of dcdiag.exe /test:DNS /v?

A properly (best practices) configured Domain Controller uses another Domain Controller as its “primary” DNS server (usually from the same AD site), and itself as secondary (or lower).

There is no concept of a “Primary” Domain Controller - they are all equal peers (except for RODC). There is a legacy “PDC” FSMO role, but that’s really just a way to locate certain specific domain services.

While your senior admin is correct that joining a Hyper-V host to the domain is a best practice - he appears to have omitted giving you the equally necessary guidance about virtual Domain Controller placement: Domain membership is recommended for servers running Hyper-V | Microsoft Learn

Try not to introduce single-points of failure - whether a production network or a home-lab - unless necessary. It’s totally fine for a home-lab setup, but you should also use that to understand the implications and restrictions of doing so - and why you wouldn’t in a production network.

2 Spice ups
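The DNS-client ordering rule described above (peer DC first, self later) is easy to audit across a domain. The script below is an added example, not code from this thread or from Microsoft; it assumes the ActiveDirectory RSAT module and CIM/WinRM access to each DC, and flags each DC whose resolver list breaks the rule.

```powershell
# Added audit example, not from the thread. Run elevated on a DC with the
# ActiveDirectory module; needs CIM/WinRM access to every DC (assumption).
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)

# Map DC IPv4 -> hostname so non-DC resolvers can be spotted.
$dcByIp = @{}
foreach ($dc in $dcs) { if ($dc.IPv4Address) { $dcByIp[$dc.IPv4Address] = $dc.HostName } }

foreach ($dc in $dcs) {
    $self = @($dc.IPv4Address, '127.0.0.1', '::1')
    try {
        $addrs = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 -ErrorAction Stop |
                   Where-Object { $_.ServerAddresses } |
                   Select-Object -ExpandProperty ServerAddresses -Unique)
    } catch {
        "{0,-30} UNREACHABLE: {1}" -f $dc.HostName, $_.Exception.Message
        continue
    }

    $findings = @()
    if ($addrs.Count -eq 0) {
        $findings += 'no DNS servers configured'
    } else {
        # Rule 1: first resolver should be a peer DC, not this DC itself.
        if ($addrs[0] -in $self) { $findings += 'lists itself first (peer DC should be first)' }
        # Rule 2: the DC should still list itself somewhere as a fallback.
        if (-not ($addrs | Where-Object { $_ -in $self })) { $findings += 'does not list itself at all' }
        # Rule 3: with more than one DC, at least one peer must be listed.
        if ($dcs.Count -gt 1 -and -not ($addrs | Where-Object { $_ -notin $self })) {
            $findings += 'no peer DC listed (single point of failure)'
        }
        # Rule 4: every resolver should be a DC (AD-integrated DNS), not an outside server.
        foreach ($a in $addrs) {
            if (($a -notin $self) -and -not $dcByIp.ContainsKey($a)) { $findings += "lists non-DC resolver $a" }
        }
    }

    $state = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    "{0,-30} DNS order: {1,-32} {2}" -f $dc.HostName, ($addrs -join ', '), $state
}
```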

I did have 4 DCs at one point, however, I made sure that they were not powered on simultaneously. Once I felt comfortable with the DCs on my server, I then erased them from my laptop.

Negative.

tbh I got the info from copilot, I’ve just done another search on copilot and now they’re saying that having more than 1 primary zone is more beneficial, cuts out the need for a secondary zone. I may alter this now..

I understand and this was exactly one of my concerns. But I got advised that’s why we have a built-in admin account for those situations.

Windows IP Configuration

Host Name . . . . . . . . . . . . : DC-01
Primary Dns Suffix . . . . . . . : domainname.co.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . :
domainname.co.uk

Ethernet adapter Ethernet 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #7
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : xxxx::xxxx:xxxx:xxxx:xxxxx(Preferred)
IPv4 Address. . . . . . . . . . . : 10.xx.xx.x(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.xx.xx.x
DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
DHCPv6 Client DUID. . . . . . . . : xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx
DNS Servers . . . . . . . . . . . : 10.xx.xx.x
10.xx.xx.x
NetBIOS over Tcpip. . . . . . . . : Enabled

Here you can see I have 2 DNS Servers and they are correct.

Everything seems to be excellent so far. I had 2 other issues which got fixed after resolving this one. The first issue was what I initially posted:

And the second issue was a bit of a strange one. My DHCP Manager kept deauthorizing itself every 48 hours, even whilst I had it running as I was working. There was other troubleshooting I did in the background but it didn’t resolve it. I have been monitoring since my last post and it is now day number 6 with no issues!

Here are the results:

Summary of DNS test results:

                                        Auth Basc Forw Del  Dyn  RReg Ext
        _________________________________________________________________
        Domain: domainname.co.uk
           DC-01                        PASS PASS PASS PASS WARN PASS n/a

     ......................... domainname.co.uk passed test DNS
  Test omitted by user request: LocatorCheck
  Test omitted by user request: Intersite

The warning is this, any info about this would help:

TEST: Dynamic update (Dyn)
Warning: Failed to add the test record dcdiag-test-record in zone domainname.co.uk
[Error details: 9004 (Type: Win32 - Description: DNS request not supported by name server.)]
Test record dcdiag-test-record deleted successfully in zone domainname.co.uk

So have 2 Domain Controllers with a “Primary” DNS Server? I read about it and will go ahead with this.

Certainly. I am treating the home-lab “almost” the same as a production network (if I can keep up with costs!).

I’ll have to take your word for it. DNS is fundamental to AD, if it’s wrong, we have no idea.

All I can see is 10.x.x.x which, if this is a lab and at home, is not recommended. You should consider using the 192.168 range in case you ever need to use VPN or you’re on a VPN from another device - you won’t see these machines while connected, or worse, you won’t be able to connect to work devices on that range.

Still unclear if you built new ones, like-for-like, and migrated, or if all 4 were one domain and you later decommissioned two. You said you erased them, but no mention of removing them correctly.

Good luck, but I think I will back out.

All clients and servers need a primary DNS; what you are being advised is the order, which isn’t visible in your above output when only 10.xx.xx.xx is visible. So we can’t assist you if information is missing.

Active Directory DNS Refresher - Windows - Spiceworks Community

I understand where you’re coming from but I wanted this to be a very production-like setup, therefore going with the private address. At some point I will configure my VPN with that range and possibly purchase a public IP address to allow VPN connection from anywhere. I’ve got my firewall configured to work as my NAT so I’ve got internet access for all my devices under my LAN. Before the firewall I had my NAT server doing this job.

2 were on one domain > exported from (Laptop) Hyper-V > Imported to (HP Server) Hyper-V. I mentioned this and how I removed them on my initial post.

All clients and servers do have a primary DNS. I got confused when I had copilot tell me a secondary DNS needs to be configured.

Thanks anyway guys

Production-like setups can operate on the 192.168 range as well; you don’t have to go that exact with a lab. Part of running a lab is to understand things, but in a slightly different way. If you had to do this for production in another company and mimicked another company’s setup, including IP ranges, server names etc, it would get confusing. If any of these companies ever merged, it would be a very difficult merge as they overlap.

You don’t need to purchase a public IP; you will already have one via your ISP. It doesn’t have to be static, there are ways around this.

So you migrated them, this isn’t how it sounded, hence why I kept asking for clarification.

I get the setup being like a business setup, but your goal here is to configure things the same way. It doesn’t need to be so deep and use the same IP address scheme; you’ll learn more by replicating the setup (technically), but not the same physically.

If it helps, consider your home lab a small business, set up things ‘like’ your business, but as if it’s for a new client, learn as you do this, including new IP structures, routes etc.

There’s certainly no need to spend real dollars on a lab environment. Frankly, it’s not even desirable.

In production you might have an HA firewall pair going to two ISPs for no single points of failure connecting to the Internet. You likely won’t in a home-lab. The only thing to understand is that it’s a lab and an HA firewall pair (and dual ISP) isn’t worth it. If we’re talking about a production environment, where unexpected downtime is prohibitively expensive, then redundant firewalls and ISPs become very desirable. iSCSI on 1Gig ethernet? Why not? We’re not trying to break IOPS records in the lab, we’re testing that connecting a host to external storage works in concept.

So, like I said, it’s totally fine - the lab is to understand the base concepts, and understand what and why you would do things differently in a production environment.

1 Spice up