Hi,
I just recently started a new job, and the first project I got was to fix a DC problem they have had for quite some time.
The environment is a pretty simple one where they have 3 DCs, one old with 2008 R2 (that was the primary one), and two newer with 2012 R2.
While doing some investigation into why it had issues, I noticed that the DNS was missing some records. I also noticed that the dcdiag said that the GC was nowhere to be found. After further research I got a tip that a restart of the NETLOGON service could get the AD to locate the GC again. After the service restart, none of the users in the environment were able to log in again.
The workaround was to give all the users Domain Admin access (which you don't have to be Einstein to figure out is not a good idea).
So as long as no one knows what powers they are sitting on right now, I think we are all OK, but I really need to fix this somehow and I was hoping that there could be some kind of super brain here to help out.
Here is the dcdiag:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DC1, is a Directory Server.
Home Server = DC1
* Connecting to directory service on server DC1
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DC1\0ACNF:9fd3679b-a169-45b1-b038-2767c9514e7a,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 3 of them.
Done gathering initial info.
Doing initial required tests
Testing server:
Default-First-Site-Name\DC1\0ACNF:9fd3679b-a169-45b1-b038-2767c9514e7a
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
.........................
DC1\0ACNF:9fd3679b-a169-45b1-b038-2767c9514e7a passed test
Connectivity
Testing server: Default-First-Site-Name\DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC2 passed test Connectivity
Testing server: Default-First-Site-Name\DC3
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC3 passed test Connectivity
Doing primary tests
Testing server:
Default-First-Site-Name\DC1\0ACNF:9fd3679b-a169-45b1-b038-2767c9514e7a
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Testing server: Default-First-Site-Name\DC2
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Testing server: Default-First-Site-Name\DC3
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
Starting test: DNS
DNS Tests are running and not hung. Please wait a few
minutes...
Starting test: DNS
See DNS test in enterprise tests section for results
.........................
DC1\0ACNF:9fd3679b-a169-45b1-b038-2767c9514e7a
failed test DNS
See DNS test in enterprise tests section for results
......................... DC3 passed test DNS
See DNS test in enterprise tests section for results
......................... DC2 passed test DNS
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : domain
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : domain.local
Starting test: DNS
Test results for domain controllers:
DC: DC1.domain.local
Domain: domain.local
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
[Error details: 53 (Type: Win32 - Description: The network path was not found.) - Add connection failed]
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2008 R2 Enterprise (Service Pack level: 1.0)
is supported.
Error: Open Service Control Manager failed
[Error details: 1707 (Type: Win32 - Description: The network address is invalid.) - Could not open Service Control Manager]
No host records (A or AAAA) were found for this DC
DC: DC2.domain.local
Domain: domain.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard Evaluation (Service Pack level: 0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Microsoft Hyper-V Network Adapter:
MAC address is 00:15:5D:0A:16:0D
IP Address is static
IP address: 192.168.10.27, fe80::f50b:f416:4087:56ab
DNS servers:
192.168.10.27 (DC2) [Valid]
192.168.100.101 (DC3) [Valid]
192.168.10.22 (DC1) [Valid]
127.0.0.1 (DC2) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
8.8.4.4 (<name unavailable>) [Valid]
8.8.8.8 (<name unavailable>) [Valid]
TEST: Delegations (Del)
No delegations were found in this zone on this DNS server
TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone domain.local
Test record dcdiag-test-record deleted successfully in zone domain.local
TEST: Records registration (RReg)
Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
Matching CNAME record found at DNS server 192.168.10.27:
989c1f57-f236-4e97-91fe-80f9607d0025._msdcs.domain.local
Matching A record found at DNS server 192.168.10.27:
DC2.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.pdc._msdcs.domain.local
Matching CNAME record found at DNS server 192.168.100.101:
989c1f57-f236-4e97-91fe-80f9607d0025._msdcs.domain.local
Matching A record found at DNS server 192.168.100.101:
DC2.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.pdc._msdcs.domain.local
Matching CNAME record found at DNS server 192.168.10.22:
989c1f57-f236-4e97-91fe-80f9607d0025._msdcs.domain.local
Matching A record found at DNS server 192.168.10.22:
DC2.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.pdc._msdcs.domain.local
Matching CNAME record found at DNS server 192.168.10.27:
989c1f57-f236-4e97-91fe-80f9607d0025._msdcs.domain.local
Matching A record found at DNS server 192.168.10.27:
DC2.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.pdc._msdcs.domain.local
DC: DC3.domain.local
Domain: domain.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard Evaluation (Service Pack level: 0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Microsoft Hyper-V Network Adapter:
MAC address is 00:15:5D:64:EC:16
IP Address is static
IP address: 192.168.100.101
DNS servers:
192.168.10.27 (DC2) [Valid]
192.168.100.101 (DC3) [Valid]
192.168.10.22 (DC1) [Valid]
127.0.0.1 (DC3) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
8.8.4.4 (<name unavailable>) [Valid]
8.8.8.8 (<name unavailable>) [Valid]
TEST: Delegations (Del)
No delegations were found in this zone on this DNS server
TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone domain.local
Test record dcdiag-test-record deleted successfully in zone domain.local
TEST: Records registration (RReg)
Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
Matching CNAME record found at DNS server 192.168.10.27:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.10.27:
DC3.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching CNAME record found at DNS server 192.168.100.101:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.100.101:
DC3.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching CNAME record found at DNS server 192.168.10.22:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.10.22:
DC3.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching CNAME record found at DNS server 192.168.100.101:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.100.101:
DC3.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 192.168.10.22 (DC1)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS server: 192.168.10.27 (DC2)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS server: 192.168.100.101 (DC3)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS server: 8.8.4.4 (<name unavailable>)
All tests passed on this DNS server
DNS server: 8.8.8.8 (<name unavailable>)
All tests passed on this DNS server
Summary of DNS test results:
            Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: domain.local
    DC1     FAIL FAIL n/a  n/a  n/a  n/a  n/a
    DC2     PASS PASS PASS PASS PASS PASS n/a
    DC3     PASS PASS PASS PASS PASS PASS n/a
......................... domain.local failed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
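
A triage sketch for the dcdiag output posted above, added here as an example and not part of the original post. It pulls out the conflict-mangled server name (the \0ACNF:<GUID> suffix Active Directory appends to an object renamed after a replication name collision), the per-DC DNS test errors, and the summary matrix. The function names are made up for this example, and the sample text is a trimmed copy of lines from the post.

```python
import re

# Constructed sample: lines copied (trimmed) from the dcdiag output in the post.
SAMPLE = r"""
Getting information for the server CN=NTDS Settings,CN=DC1\0ACNF:9fd3679b-a169-45b1-b038-2767c9514e7a,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
DC: DC1.domain.local
Domain: domain.local
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
[Error details: 53 (Type: Win32 - Description: The network path was not found.) - Add connection failed]
TEST: Basic (Basc)
Error: Open Service Control Manager failed
[Error details: 1707 (Type: Win32 - Description: The network address is invalid.) - Could not open Service Control Manager]
No host records (A or AAAA) were found for this DC
DC: DC2.domain.local
Domain: domain.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: domain.local
DC1 FAIL FAIL n/a n/a n/a n/a n/a
DC2 PASS PASS PASS PASS PASS PASS n/a
DC3 PASS PASS PASS PASS PASS PASS n/a
"""

CNF_RE = re.compile(r"CN=([^,\\]+)\\0ACNF:([0-9a-fA-F-]{36})")
DC_RE = re.compile(r"^DC:\s+(\S+)$")
TEST_RE = re.compile(r"^TEST:.*\((\w+)\)$")
DETAIL_RE = re.compile(r"^\[Error details: (\d+) ")
COLS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
CELL_VALUES = {"PASS", "FAIL", "WARN", "n/a"}


def find_conflict_objects(text):
    """Return {name: guid} for every conflict-mangled RDN (name\\0ACNF:guid)."""
    return dict(CNF_RE.findall(text))


def parse_dc_errors(text):
    """Map each 'DC: <fqdn>' section to a list of (test, message, win32_code)."""
    results, dc, test = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = DC_RE.match(line)
        if m:
            dc, test = m.group(1), None
            results[dc] = []
            continue
        if line.startswith("Summary of"):
            dc = None  # per-DC sections are over; summaries follow
        if dc is None:
            continue
        m = TEST_RE.match(line)
        if m:
            test = m.group(1)
        elif line.startswith("Error:"):
            results[dc].append([test, line[6:].strip(), None])
        elif line.startswith("No host records"):
            results[dc].append([test, line, None])
        elif (m := DETAIL_RE.match(line)) and results[dc]:
            results[dc][-1][2] = int(m.group(1))  # code belongs to last error
    return {k: [tuple(e) for e in v] for k, v in results.items()}


def parse_dns_summary(text):
    """Parse the 'Summary of DNS test results' matrix into {dc: {col: result}}."""
    lines = [raw.strip() for raw in text.splitlines()]
    if "Summary of DNS test results:" not in lines:
        return {}
    table = {}
    for line in lines[lines.index("Summary of DNS test results:") + 1:]:
        parts = line.split()
        # A data row is a DC name followed by one cell per column.
        if len(parts) == len(COLS) + 1 and set(parts[1:]) <= CELL_VALUES:
            table[parts[0]] = dict(zip(COLS, parts[1:]))
    return table


def triage(text):
    """Combine the three views into findings a responder can act on."""
    findings = []
    for name, guid in find_conflict_objects(text).items():
        findings.append(f"conflict object: server '{name}' is name-mangled (CNF:{guid})")
    for dc, errs in parse_dc_errors(text).items():
        for test, msg, code in errs:
            suffix = f" (Win32 {code})" if code is not None else ""
            findings.append(f"{dc} [{test}]: {msg}{suffix}")
    for dc, row in parse_dns_summary(text).items():
        failed = [c for c, r in row.items() if r == "FAIL"]
        if failed:
            findings.append(f"{dc}: DNS summary FAIL in {', '.join(failed)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
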
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.pdc._msdcs.domain.local
Matching CNAME record found at DNS server 192.168.100.101:
989c1f57-f236-4e97-91fe-80f9607d0025._msdcs.domain.local
Matching A record found at DNS server 192.168.100.101:
DC2.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.pdc._msdcs.domain.local
Matching CNAME record found at DNS server 192.168.10.22:
989c1f57-f236-4e97-91fe-80f9607d0025._msdcs.domain.local
Matching A record found at DNS server 192.168.10.22:
DC2.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.pdc._msdcs.domain.local
Matching CNAME record found at DNS server 192.168.10.27:
989c1f57-f236-4e97-91fe-80f9607d0025._msdcs.domain.local
Matching A record found at DNS server 192.168.10.27:
DC2.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.pdc._msdcs.domain.local
DC: DC3.domain.local
Domain: domain.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard Evaluation (Service Pack level: 0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Microsoft Hyper-V Network Adapter:
MAC address is 00:15:5D:64:EC:16
IP Address is static
IP address: 192.168.100.101
DNS servers:
192.168.10.27 (DC2) [Valid]
192.168.100.101 (DC3) [Valid]
192.168.10.22 (DC1) [Valid]
127.0.0.1 (DC3) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
8.8.4.4 (<name unavailable>) [Valid]
8.8.8.8 (<name unavailable>) [Valid]
TEST: Delegations (Del)
No delegations were found in this zone on this DNS server
TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone domain.local
Test record dcdiag-test-record deleted successfully in zone domain.local
TEST: Records registration (RReg)
Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
Matching CNAME record found at DNS server 192.168.10.27:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.10.27:
DC3.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.27:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching CNAME record found at DNS server 192.168.100.101:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.100.101:
DC3.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching CNAME record found at DNS server 192.168.10.22:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.10.22:
DC3.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.10.22:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Matching CNAME record found at DNS server 192.168.100.101:
a8ce0cce-2210-49b0-82d1-7ac31faeb2a6._msdcs.domain.local
Matching A record found at DNS server 192.168.100.101:
DC3.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.27ff7a33-1526-4a65-b8d2-2eb80e7567bc.domains._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._udp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kpasswd._tcp.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
Matching SRV record found at DNS server 192.168.100.101:
_kerberos._tcp.Default-First-Site-Name._sites.domain.local
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 192.168.10.22 (DC1)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS server: 192.168.10.27 (DC2)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS server: 192.168.100.101 (DC3)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS server: 8.8.4.4 (<name unavailable>)
All tests passed on this DNS server
DNS server: 8.8.8.8 (<name unavailable>)
All tests passed on this DNS server
Summary of DNS test results:
         Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: domain.local
    DC1  FAIL FAIL n/a  n/a  n/a  n/a  n/a
    DC2  PASS PASS PASS PASS PASS PASS n/a
    DC3  PASS PASS PASS PASS PASS PASS n/a
......................... domain.local failed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite