Windows Server DC broke AD DS ldap

Daviid · 2024-05-31T12:08:58.607Z

Someone else set it up like that and I’ve only ever worked with linux.

192.168.1.9

Windows IP Configuration

   Host Name . . . . . . . . . . . . : MYORG-AD01
   Primary Dns Suffix  . . . . . . . : MYORGANIZATION.COM
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MYORGANIZATION.COM

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
   Physical Address. . . . . . . . . : A0-36-BC-C8-1A-49
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : A0-36-BC-C8-1A-4A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #3
   Physical Address. . . . . . . . . : A0-36-BC-C8-1A-4B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #4
   Physical Address. . . . . . . . . : A0-36-BC-C8-1A-4C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.8(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-7C-AB-BF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::98f0:d53a:49a2:12d4%39(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.26.176.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 654316893
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-6C-11-4E-A0-36-BC-C8-1A-49
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

192.168.1.20

Configuración IP de Windows

   Nombre de host. . . . . . . . . : MYORG-OTHER
   Sufijo DNS principal  . . . . . : MYORGANIZATION.COM
   Tipo de nodo. . . . . . . . . . : híbrido
   Enrutamiento IP habilitado. . . : no
   Proxy WINS habilitado . . . . . : no
   Lista de búsqueda de sufijos DNS: MYORGANIZATION.COM

Adaptador de Ethernet LAN:

   Estado de los medios. . . . . . . . . . . : medios desconectados
   Sufijo DNS específico para la conexión. . :
   Descripción . . . . . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
   Dirección física. . . . . . . . . . . . . : 34-97-F6-5C-67-B1
   DHCP habilitado . . . . . . . . . . . . . : sí
   Configuración automática habilitada . . . : sí

Adaptador de Ethernet WAN:

   Sufijo DNS específico para la conexión. . :
   Descripción . . . . . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #2
   Dirección física. . . . . . . . . . . . . : 34-97-F6-5C-67-B2
   DHCP habilitado . . . . . . . . . . . . . : no
   Configuración automática habilitada . . . : sí
   Dirección IPv4. . . . . . . . . . . . . . : 192.168.1.20(Preferido)
   Máscara de subred . . . . . . . . . . . . : 255.255.255.0
   Puerta de enlace predeterminada . . . . . : 192.168.1.1
   Servidores DNS. . . . . . . . . . . . . . : 192.168.1.20
                                       127.0.0.1
   NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado

Adaptador de túnel isatap.{70D1EF34-40D9-454B-97F3-BF6DC6D5F7B6}:

   Estado de los medios. . . . . . . . . . . : medios desconectados
   Sufijo DNS específico para la conexión. . :
   Descripción . . . . . . . . . . . . . . . : Microsoft ISATAP Adapter
   Dirección física. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP habilitado . . . . . . . . . . . . . : no
   Configuración automática habilitada . . . : sí

Adaptador de túnel Teredo Tunneling Pseudo-Interface:

   Estado de los medios. . . . . . . . . . . : medios desconectados
   Sufijo DNS específico para la conexión. . :
   Descripción . . . . . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Dirección física. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP habilitado . . . . . . . . . . . . . : no
   Configuración automática habilitada . . . : sí

Adaptador de túnel isatap.{0523CB30-091E-4E3B-9B9E-7754D1308C8F}:

   Estado de los medios. . . . . . . . . . . : medios desconectados
   Sufijo DNS específico para la conexión. . :
   Descripción . . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Dirección física. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP habilitado . . . . . . . . . . . . . : no
   Configuración automática habilitada . . . : sí

Rod-IT · 2024-05-31T12:33:10.033Z

Daviid:

Someone else set it up like that and I’ve only ever worked with linux.

That’s fine, thank you for clarifying - I posted my reply for information and others who follow this topic.

Your first machine has two IP for some reason and is configure to only use itself as DNS, so it will never replicate.

The second server only uses itself as DNS too, so neither of these machines will ever replicate with each other.

I’m not sure from your post if you want/need them to or prefer them to be completely segregated.

If they do need to replicate domain usernames, passwords, policies etc. Then they should be configured to use each other as the primary DNS and 127.0.0.1 as their secondary.

Daviid · 2024-05-31T12:38:12.069Z

For now I think it’s best to keep them segregated.

The 2 IPs on 192.168.1.9 are intentional, there’s IIS running and I need to also run Apache, so I added a second IP to the same NIC to avoid port conflicts.

Rod-IT · 2024-05-31T13:06:30.477Z

Noted re the IPs, but adding Apache to a DC is only making matters worse.

Daviid · 2024-05-31T13:09:44.364Z

What do you suggest?
We only have those 2 servers and a QNAP NAS.

I’m pretty sure 192.168.1.9 was bought to move (Websites, Databases, other apps) off the NAS and keep it as storage only.

Rod-IT · 2024-05-31T13:39:16.252Z

It’s a fair bit of work now, but I would install Hyper-V directly on the hardware, then virtualize these servers.

With each STD license you can run 2 Windows VMs (server OS only).

1 DC, 1 file server/webs server
If you need a separate system for external people, 2 move VMs (1 more OS license)

erkind39 · 2024-06-01T05:41:17.285Z

Multiple NICs on a Domain Controller is never recommended.

adrian_ych · 2024-06-01T06:18:10.283Z

Daviid:

I have a server 192.168.1.9 with Windows Server 2022 and a server 192.168.1.20 with Windows Server 2016 they both have the following roles:

AD CS (1.9)
AD DS (1.9 and 1.20)
DHCP (1.9)
DNS (1.9 and 1.20)
File and Storage Services (1.9 and 1.20)
Hyper-V (1.9)
IIS (1.9 and 1.20)

As far as I can tell 1.9 gets replicated onto 1.20 (I’ve been told however that these 2 servers should be separate 1.9 is for employees to use and 1.20 is for an external company to work on, so very likely that this replication wouldn’t even be happening.)

Right after installing DHCP and restarting things started to break.

apps which used ldap as ldap://192.168.1.9:389 stopped working and for some reason I had to start using 192.168.1.20

I get the error “Server is non functional” or just a crash whenever I try to do anything that might use Active Directory

If I try to open DNS I get “Access was denied would you like to add it anyway?”

Help, I don’t even know where to start.

On 192.168.1.9

PS C:\Users\daviid> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MYORG-AD01
   Ldap search capability attribute search failed on server MYORG-AD01, return value = 52

On 192.168.1.20 (Sorry it’s in spanish)

PS C:\Users\daviid> dcdiag

Diagnóstico del servidor de directorio

Realizando instalación inicial:
   Intentando encontrar el servidor principal...
   Servidor principal = MYORG-OTHER
   * Se identificó el bosque de AD.
   Recopilación de información inicial finalizada.

Realizando pruebas requeridas iniciales

   Probando servidor: Default-First-Site-Name\MYORG-OTHER
      Iniciando prueba: Connectivity
         El host bb2ad125-79e5-4d8a-975a-c9e62e1827a7._msdcs.MYORGANIZATION.COM no se pudo resolver en una dirección IP. Compruebe el servidor DNS, el DHCP, el nombre de servidor, etc.
         Error al comprobar la conectividad de LDAP y RPC. Compruebe la configuración del firewall.
         ......................... MYORG-OTHER no superó la prueba Connectivity

Realizando pruebas principales

   Probando servidor: Default-First-Site-Name\MYORG-OTHER
      Omitiendo todas las pruebas porque el servidor MYORG-OTHER no responde a las solicitudes de servicio de directorio.


   Ejecutando pruebas de partición en: ForestDnsZones
      Iniciando prueba: CheckSDRefDom
         ......................... ForestDnsZones superó la prueba CheckSDRefDom
      Iniciando prueba: CrossRefValidation
         ......................... ForestDnsZones superó la prueba CrossRefValidation

   Ejecutando pruebas de partición en: DomainDnsZones
      Iniciando prueba: CheckSDRefDom
         ......................... DomainDnsZones superó la prueba CheckSDRefDom
      Iniciando prueba: CrossRefValidation
         ......................... DomainDnsZones superó la prueba CrossRefValidation

   Ejecutando pruebas de partición en: Schema
      Iniciando prueba: CheckSDRefDom
         ......................... Schema superó la prueba CheckSDRefDom
      Iniciando prueba: CrossRefValidation
         ......................... Schema superó la prueba CrossRefValidation

   Ejecutando pruebas de partición en: Configuration
      Iniciando prueba: CheckSDRefDom
         ......................... Configuration superó la prueba CheckSDRefDom
      Iniciando prueba: CrossRefValidation
         ......................... Configuration superó la prueba CrossRefValidation

   Ejecutando pruebas de partición en: MYORGANIZATION
      Iniciando prueba: CheckSDRefDom
         ......................... MYORGANIZATION superó la prueba CheckSDRefDom
      Iniciando prueba: CrossRefValidation
         ......................... MYORGANIZATION superó la prueba CrossRefValidation

   Ejecutando pruebas de empresa en: MYORGANIZATION.COM
      Iniciando prueba: LocatorCheck
         ......................... MYORGANIZATION.COM superó la prueba LocatorCheck
      Iniciando prueba: Intersite
         ......................... MYORGANIZATION.COM superó la prueba Intersite

I would recommend that you speak to the person who set this up, the people who design this and whoever told you whatever ?

DCs should be by themselves (only probably DNS & DHCP on DCs)
NEVER run IIS or web servers on DCs
NEVER allow users and vendors to use DCs directly unless to manage Domain Users, Domain machines or manage the DCs
Have file servers on their on machine (VMs or NAS etc).
DCs should never have more than 1 IP, if there are 2 NICs, team them so only 1 IP exist.
limit the number of users as Domain Admins who can RDP into DCs.

Daviid · 2024-06-03T06:52:43.849Z

Well now I know what not to do and I’ll let my boss know.

This 1.9 server is a Xeon 128 GB RAM and 8 TB of HDD for a heavy MySQL and MongoDB use.

I’ll let them know to move the DC and AD stuff to a separate machine, right now I need to fix this and leave it as it was before so I can setup backups and stuff because I assume they won’t want downtime so I’ll need to set up the new machine in parallel with 1.9 (DC1)

FSMO Roles BTW:

PS C:\Windows\system32> Get-ADForest myorganization.com | fl GlobalCatalogs
GlobalCatalogs : {DC1.MYORGANIZATION.COM, DC2.MYORGANIZATION.COM}



PS C:\Windows\system32> netdom query fsmo
Maestro de esquema          DC1.MYORGANIZATION.COM
Maestro nomencl. dominios   DC1.MYORGANIZATION.COM
PDC                         DC1.MYORGANIZATION.COM
Administrador de grupos RID DC1.MYORGANIZATION.COM
Maestro de infraestructura  DC1.MYORGANIZATION.COM
El comando se completó correctamente.

These commands only work on DC2 1.20

on DC1 1.9 I get

PS C:\Users\daviid> Get-ADForest myorganization.com | fl GlobalCatalogs
Get-ADForest: Server instance not found on the given port.
PS C:\Users\daviid> netdom query fsmo
The specified server cannot perform the requested operation.

The command failed to complete successfully.

Rod-IT · 2024-06-03T09:28:23.195Z

IS DC1 still a DC?

Does it point to DC2 as it’s primary DNS?

Daviid · 2024-06-03T09:30:22.294Z

Rod-IT:

IS DC1 still a DC?

I would assume so, how can I check?

Rod-IT:

Does it point to DC2 as it’s primary DNS?

It points to it’s own IP as primary, loopback as secondary and DC2 as tertiary. Same with DC2 pointing at DC1 as tertiary.

Edit:
Test-ComputerSecureChannel -Verbose fails on DC1 but works on DC2

GetADDomainController

PS C:\Windows\system32> Get-ADDomainController -Identity DC2


ComputerObjectDN           : CN=DC2,OU=Domain Controllers,DC=MYORGANIZATION,DC=COM
DefaultPartition           : DC=MYORGANIZATION,DC=COM
Domain                     : MYORGANIZATION.COM
Enabled                    : True
Forest                     : MYORGANIZATION.COM
HostName                   : DC2.MYORGANIZATION.COM
InvocationId               : 9d4d6c31-64fd-45f3-8e9d-6bdb1d640082
IPv4Address                : 169.254.60.149
IPv6Address                : ::1
IsGlobalCatalog            : True
IsReadOnly                 : True
LdapPort                   : 389
Name                       : DC2
NTDSSettingsObjectDN       : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYORGANIZATION,DC=COM
OperatingSystem            : Windows Server 2016 Standard
OperatingSystemHotfix      :
OperatingSystemServicePack :
OperatingSystemVersion     : 10.0 (14393)
OperationMasterRoles       : {}
Partitions                 : {DC=ForestDnsZones,DC=MYORGANIZATION,DC=COM, DC=DomainDnsZones,DC=MYORGANIZATION,DC=COM, CN=Schema,CN=Configuration,DC=MYORGANIZATION,DC=COM, CN=Configuration,DC=MYORGANIZATION,DC=COM...}
ServerObjectDN             : CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYORGANIZATION,DC=COM
ServerObjectGuid           : 4cdc684b-e43c-4431-8423-acf4ca58b941
Site                       : Default-First-Site-Name
SslPort                    : 636



PS C:\Windows\system32> Get-ADDomainController -Identity DC1


ComputerObjectDN           : CN=DC1,OU=Domain Controllers,DC=MYORGANIZATION,DC=COM
DefaultPartition           : DC=MYORGANIZATION,DC=COM
Domain                     : MYORGANIZATION.COM
Enabled                    : True
Forest                     : MYORGANIZATION.COM
HostName                   : DC1.MYORGANIZATION.COM
InvocationId               : feb76bdd-6ac3-4219-bd64-35ff0c22debd
IPv4Address                : 192.168.1.9
IPv6Address                :
IsGlobalCatalog            : True
IsReadOnly                 : False
LdapPort                   : 389
Name                       : DC1
NTDSSettingsObjectDN       : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYORGANIZATION,DC=COM
OperatingSystem            : Windows Server 2022 Standard
OperatingSystemHotfix      :
OperatingSystemServicePack :
OperatingSystemVersion     : 10.0 (20348)
OperationMasterRoles       : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}
Partitions                 : {DC=ForestDnsZones,DC=MYORGANIZATION,DC=COM, DC=DomainDnsZones,DC=MYORGANIZATION,DC=COM, CN=Schema,CN=Configuration,DC=MYORGANIZATION,DC=COM, CN=Configuration,DC=MYORGANIZATION,DC=COM...}
ServerObjectDN             : CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYORGANIZATION,DC=COM
ServerObjectGuid           : 7208a0a7-dc1b-4fa4-b40d-02310bbdddde
Site                       : Default-First-Site-Name
SslPort                    : 636

Rod-IT · 2024-06-03T11:42:50.474Z

Daviid:

It points to it’s own IP as primary, loopback as secondary and DC2 as tertiary. Same with DC2 pointing at DC1 as tertiary.

This is wrong.

Each DC should point to another DC first and loopback second.

Your current setup is likely why you have issues.

DC1 should point to DC2 then 127.0.0.1
DC2 should point to DC1 then 127.0.0.1

Please have a read here Active Directory DNS Refresher - Windows - Spiceworks Community

Daviid · 2024-06-03T11:56:02.201Z

Honestly I’ve seen both and tried both. (I’m not sure if there’s a way to separate DC1 and DC2 and make it act as if only DC1 existed, which I believe is primary DNS to itself and secondary to loopback)

Still not working, or maybe that was the initial problem and I messed it up even more trying to fix it. I don´t know.

Right now it’s like DC1 does nothing. Anything I try to do with it is “Server not operational” Error 52 or error 81/82 on LDAP, access denied on DNS Server…

Rod-IT · 2024-06-03T13:01:11.380Z

Daviid:

Honestly I’ve seen both and tried both. (I’m not sure if there’s a way to separate DC1 and DC2 and make it act as if only DC1 existed, which I believe is primary DNS to itself and secondary to loopback)

You just posted earlier

Daviid:

It points to it’s own IP as primary, loopback as secondary and DC2 as tertiary

It MUST point to another DC first, pointing to itself means it only knows about itself, similarly, DC2 only knows about itself, they are not related or talking to each other.

Which DC has the fsmo roles?

Daviid · 2024-06-03T13:08:33.595Z

Right now they point to each other. But I’ve tried every combination.

On DC1 192.168.1.9 GC

PS C:\Users\daviid> netdom query fsmo
The specified server cannot perform the requested operation.

The command failed to complete successfully.

On DC2 192.168.1.20 GC RODC

PS C:\Windows\system32> netdom query fsmo
Maestro de esquema          DC1.MYORGANIZATION.COM
Maestro nomencl. dominios   DC1.MYORGANIZATION.COM
PDC                         DC1.MYORGANIZATION.COM
Administrador de grupos RID DC1.MYORGANIZATION.COM
Maestro de infraestructura  DC1.MYORGANIZATION.COM
El comando se completó correctamente.

Could it be that DC2 shows ‘DC1.MYORGANIZATION.COM’ because that’s how it was when the last replica was made but DC1 AD DS is just completely broken?

Rod-IT · 2024-06-03T13:18:56.414Z

DC1 is your fsmo role holder, but dc1 doesn’t know this.

How long has this been the case?

The DCs are not replicating, you have websites on the DCs along with a bunch of other unnecessary services, you have users (in this case, they will be domain admins) logging on externally. While you may not have put this together, it’s a mess.

I would get someone in to separate it all out and get the business back to a healthy state, I’m not sure how helpful a forum can be given the situation you find yourself in.

I could sit here and reply giving your small bits of advice and still get nowhere, I wouldn’t want for things to get worse, especially if you’re not familiar with this.

My advice is to contract someone to unpick this for you.

Rod-IT · 2024-06-03T13:19:39.945Z

Daviid:

Could it be that DC2 shows ‘DC1.MYORGANIZATION.COM’ because that’s how it was when the last replica was made but DC1 AD DS is just completely broken?

fsmo roles are not replicated, they are static and only move if manually done.

Daviid · 2024-06-03T13:22:48.612Z

I’ll let the boss know, I agree that it’d be best to start from scratch and separate things, whether by making VMs on the 1.9 server or even by using a regular computer as DC (I don´t think there will ever be more than 20 users so the bare minimum so the DC runs it’s ok)

Rod-IT · 2024-06-03T13:25:49.632Z

Consider the future too, will systems be on site?

If not, consider AzureAD.

eaglesfan87 · 2024-06-03T14:40:59.329Z

DC2 shows its a read only domain controller. Maybe change it to a standard DC, fix your DNS settings , and then seize the FISMO roles on DC02 to see if things start working better.