OK... this is a bit of a weird & long one.
Customer called us because they were having some domain issues. None of the 3 DCs were publishing NetLogon; only one has SYSVOL. Small domain for a non-profit.
What I understand has happened is they had a Hyper-V cluster with the DCs as VMs on that cluster. (not good) Had an issue, had to break the cluster to get the VMs to boot again. Caused all types of AD issues. Somewhere along the line it looks like they did a non-authoritative restore to recover SYSVOL. (that was 4 months ago)
No Ntfrs was working. Reporting DNS error. Extensive troubleshooting... nada
FSMO roles split up between two servers, but none considered valid
Long story short:
Seized roles on one server with the published sysvol
demoted other servers
did an authoritative restore. (BurFlags D4)
had to force NetLogon with KB947022
re-promoted servers.
AD/NtFrs is working & replicating
When troubleshooting I noticed that an nslookup of the LDAP record returned a Non-authoritative answer from outside the domain.
nslookup
Set type=all
_ldap._tcp.dc._msdcs.acmeinc.org
Server: domaincontroller.acmeinc.org
Address: 10.10.0.14
Non-authoritative answer:
_ldap._tcp.dc._msdcs.acmeinc.org.acmeinc.org internet address = 151.x.x.80
Everything in DNS appears correct. Had several co-workers look at it too... it has all the correct LDAP/Kerberos/SRV records & all DCs are present.
DCDIAG DNS returns no errors.
No forwarders are set. Just root hints. Disable root hints & it times out
FSMO roles are all good
The IP address returned is for their WWW location
Interesting that the lookup appends the domain twice: _ldap._tcp.dc._msdcs.acmeinc.org.acmeinc.org
Trying to run an AD promo returns: A delegation for this DNS Server cannot be created because no authoritative parent zone can be found.
No hosts file entries.
Any idea where I should look or solutions?
Cheers - James
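A check worth running next, added here as an example and not part of James's post: it queries the SRV name as an absolute name (trailing dot, so the client cannot append a suffix) against each DC, shows which SOA answers for acmeinc.org, and probes a constructed nonexistent name to see whether a wildcard record is answering in place of a real one. Only acmeinc.org and 10.10.0.14 come from the post; the remaining DC addresses and the probe name are assumptions.

```powershell
# Added diagnostic example, not from the original post. Assumes the Windows
# DnsClient module (Resolve-DnsName). Fill in the other DC IPs (assumed below).
$Domain  = 'acmeinc.org'
$SrvName = "_ldap._tcp.dc._msdcs.$Domain."   # trailing dot: absolute name, no suffix appended
$Servers = @('10.10.0.14')                    # 10.10.0.14 is from the post; add the other DCs here
# Constructed name that must not exist; if it resolves, a wildcard record is answering.
$Probe   = "wildcard-probe-$(Get-Random).$Domain."

foreach ($dns in $Servers) {
    Write-Host "=== DNS server $dns ==="

    # Who claims authority for the zone from this server's point of view?
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $dns -DnsOnly -NoHostsFile -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' }
        Write-Host "SOA primary: $($soa.PrimaryServer)  serial: $($soa.SerialNumber)"
    } catch {
        Write-Host "SOA lookup failed: $($_.Exception.Message)"
    }

    # The DC locator record, queried as an absolute name so no suffix can be added.
    try {
        $srv = Resolve-DnsName -Name $SrvName -Type SRV -Server $dns -DnsOnly -NoHostsFile -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if ($srv) {
            $srv | Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize | Out-String | Write-Host
        } else {
            Write-Host "No SRV records returned for $SrvName"
        }
    } catch {
        Write-Host "SRV lookup failed: $($_.Exception.Message)"
    }

    # A nonexistent name should be NXDOMAIN; an answer means a wildcard is matching.
    try {
        $w = Resolve-DnsName -Name $Probe -Type A -Server $dns -DnsOnly -NoHostsFile -ErrorAction Stop
        Write-Host "WARNING: $Probe resolved to $($w.IPAddress -join ', ') (wildcard record present)"
    } catch {
        Write-Host "Probe $Probe did not resolve (no wildcard), as expected"
    }
}
```

If the probe resolves to the same address as the WWW site, the double-suffixed name in the post was matched by a wildcard after the first lookup failed, which points back at why the exact SRV name is not being answered by that server.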