AD Issue ... Windows 10 or the Domain?



  • I think I might be having some trouble with my domain.

    The other day I rebooted one of my DCs, and it took a while for me to be able to log in. I kept saying that it could not find a domain controller.

    Today, I tried joining a clean install Windows 10 machine to the domain, and am getting a

    "DNS name does not exist" error
    The query was for the SRV record for _ldap._tcp.dc._msdcs.BANDR

    No issue logging in or anything, so I tok another WIn10 machine off the domain and tried to add it back in, and got the same error message.

    I have the original DC that we've had forever on the network. I added a second DC a while back, the does AD and DNS.

    Thoughts on where to start?



  • What is your domain functional level?



  • Still on "Server 2003"

    I know, I know ... working as fast as I can to get all this upgraded.

    Literally almost to the point of being able to upgrade to 2016, but had a few road bumps, and now this road bump.



  • I'd check your AD health, there is very likely an issue that needs to be addressed.

    Being server 2003 though, I personally wouldn't touch it.



  • LOL, yeah I don't really have a choice.



  • DCDIAG results...

    Domain Controller Diagnosis
    
    Performing initial setup:
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: Default-First-Site-Name\DC04
          Starting test: Connectivity
             ......................... DC04 passed test Connectivity
    
    Doing primary tests
    
       Testing server: Default-First-Site-Name\DC04
          Starting test: Replications
             ......................... DC04 passed test Replications
          Starting test: NCSecDesc
             ......................... DC04 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC04 passed test NetLogons
          Starting test: Advertising
             ......................... DC04 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... DC04 passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... DC04 passed test RidManager
          Starting test: MachineAccount
             ......................... DC04 passed test MachineAccount
          Starting test: Services
             ......................... DC04 passed test Services
          Starting test: ObjectsReplicated
             ......................... DC04 passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... DC04 passed test frssysvol
          Starting test: frsevent
             ......................... DC04 passed test frsevent
          Starting test: kccevent
             ......................... DC04 passed test kccevent
          Starting test: systemlog
             ......................... DC04 passed test systemlog
          Starting test: VerifyReferences
             ......................... DC04 passed test VerifyReferences
    
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
    
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
    
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
    
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
    
       Running partition tests on : brra
          Starting test: CrossRefValidation
             ......................... brra passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... brra passed test CheckSDRefDom
    
       Running enterprise tests on : brra.com
          Starting test: Intersite
             ......................... brra.com passed test Intersite
          Starting test: FsmoCheck
             ......................... brra.com passed test FsmoCheck
    
    


  • I think I have found the culprit.

    When I added the most recent DC, I demoted another one, named ORCA.(I am a JAWS fan, what can I say?)

    In DCDIAG DNS testing, that server is still listed, and as an error. I looked through the AD DNS and noticed it is still in there in multiple places.

    Is it safe/proper to delete all orphaned entries/mentions of that?

    From DCDIAG:

                DNS server: 10.0.2.1 (orca.domain.com.)
                   2 test failures on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.2.1
                   [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                   Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1
                   [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.) - Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1]
    


  • @brrabill said in AD Issue ... Windows 10 or the Domain?:

    I think I have found the culprit.

    When I added the most recent DC, I demoted another one, named ORCA.(I am a JAWS fan, what can I say?)

    In DCDIAG DNS testing, that server is still listed, and as an error. I looked through the AD DNS and noticed it is still in there in multiple places.

    Is it safe/proper to delete all orphaned entries/mentions of that?

    From DCDIAG:

                DNS server: 10.0.2.1 (orca.domain.com.)
                   2 test failures on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.2.1
                   [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                   Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1
                   [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.) - Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1]
    

    yes, it is okay to removed them. I have been cleaning AD DNS for a long time and this always happens. Yesterday I did the same for a domain that had this issue for months.



  • @brrabill said in AD Issue ... Windows 10 or the Domain?:

    Still on "Server 2003"

    I know, I know ... working as fast as I can to get all this upgraded.

    Literally almost to the point of being able to upgrade to 2016, but had a few road bumps, and now this road bump.

    That doesn't affect functionality on the domain also. I would just make sure there is no other Server 2003 as a DC and upgrade to the lowest DC OS you have.



  • When you run dcdiag /dns ... do you get errors with the root servers, such as this?

    DNS server: 198.41.0.4 (a.root-servers.net.)
    2 test failures on this DNS server
    This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
    [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]



  • @brrabill said in AD Issue ... Windows 10 or the Domain?:

    When you run dcdiag /dns ... do you get errors with the root servers, such as this?

    DNS server: 198.41.0.4 (a.root-servers.net.)
    2 test failures on this DNS server
    This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
    [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

    No, I don't



  • I had it on all the root hint servers, and also the forwarders.

      The A record for this DC was found
      The SOA record for the Active Directory zone was found
      The Active Directory zone on this DC/DNS server was found
      Root zone on this DC/DNS server was not found
    
      TEST: Forwarders/Root hints (Forw)
               Recursion is enabled
               Root hint Information:
                  Name: a.root-servers.net. IP: 198.41.0.4 [Invalid]
                  Name: b.root-servers.net. IP: 192.228.79.201 [Invalid]
                  Name: b.root-servers.net. IP: 199.9.14.201 [Invalid]
                  Name: c.root-servers.net. IP: 192.33.4.12 [Invalid]
                  Name: d.root-servers.net. IP: 199.7.91.13 [Invalid]
                  Name: e.root-servers.net. IP: 192.203.230.10 [Invalid]
                  Name: f.root-servers.net. IP: 192.5.5.241 [Invalid]
                  Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
                  Name: h.root-servers.net. IP: 198.97.190.53 [Invalid]
                  Name: i.root-servers.net. IP: 192.36.148.17 [Invalid]
                  Name: j.root-servers.net. IP: 192.58.128.30 [Invalid]
                  Name: k.root-servers.net. IP: 193.0.14.129 [Invalid]
                  Name: l.root-servers.net. IP: 199.7.83.42 [Invalid]
                  Name: m.root-servers.net. IP: 202.12.27.33 [Invalid]
    


  • Well, except for "G" ... WTH?



  • BTW:

    Turns out the issue was a 1803 thing.

    Maybe it is just my environment, but have never had to enable SMB1 before.

    Though I did have a couple errors in DNS that I also fixed while I was in there.

    And of course the errors above that I posted. Though everything is working perfectly.



  • @brrabill said in AD Issue ... Windows 10 or the Domain?:

    BTW:

    Turns out the issue was a 1803 thing.

    Maybe it is just my environment, but have never had to enable SMB1 before.

    Though I did have a couple errors in DNS that I also fixed while I was in there.

    And of course the errors above that I posted. Though everything is working perfectly.

    SMBv1 Is recently just disabled on all new windows systems



  • @jaredbusch said in AD Issue ... Windows 10 or the Domain?:

    @brrabill said in AD Issue ... Windows 10 or the Domain?:

    BTW:

    Turns out the issue was a 1803 thing.

    Maybe it is just my environment, but have never had to enable SMB1 before.

    Though I did have a couple errors in DNS that I also fixed while I was in there.

    And of course the errors above that I posted. Though everything is working perfectly.

    SMBv1 Is recently just disabled on all new windows systems

    Probably why this is the first time I have seen it.

    And assuming any upgrades would just keep it.



  • BTW: those DNS errors were caused by using an older version of DCDIAG, apparently.

    Installed newest version and it works like a charm.



  • @jaredbusch I've heard this before, but has anyone actually checked to see if it is disabled.

    On 2016 that we just recently deployed it is active by default when configuring it as a file server.

    0_1525874957911_RDCMan_2018-05-09_10-08-24.png



  • I had to go into the Features section of the 1803 client (fresh install) and enable it.



  • It also warned that the share (when trying to connect to the domain) was insecure and SMB1.



  • @dustinb3403 said in AD Issue ... Windows 10 or the Domain?:

    @jaredbusch I've heard this before, but has anyone actually checked to see if it is disabled.

    On 2016 that we just recently deployed it is active by default when configuring it as a file server.

    0_1525874957911_RDCMan_2018-05-09_10-08-24.png

    It is disabled by default on RS3 of Server 2016 onwards.



  • @brrabill said in AD Issue ... Windows 10 or the Domain?:

    I had to go into the Features section of the 1803 client (fresh install) and enable it.

    Yeah, makes sense since Server 2003 still uses SMBv1.



  • I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously question IT and business leadership for making this decision.

    EOL was over 4 years ago!!!!!! seroiously WTF is your company doing? and like @JaredBusch said at least dont use it for DCs?



  • @irj said in AD Issue ... Windows 10 or the Domain?:

    I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

    I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.



  • @dbeato said in AD Issue ... Windows 10 or the Domain?:

    @irj said in AD Issue ... Windows 10 or the Domain?:

    I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

    I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

    I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.



  • @irj said in AD Issue ... Windows 10 or the Domain?:

    @dbeato said in AD Issue ... Windows 10 or the Domain?:

    @irj said in AD Issue ... Windows 10 or the Domain?:

    I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

    I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

    I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.

    I understand that Server 2003 should be gone and I don’t have it in any of my networks or costumers. But I knkw plenty of government and organizations that have not fully replaced server 2003 for various reasons. All that with IT Department telling them to upgrade... and yeah you can question leadership.



  • @irj said in AD Issue ... Windows 10 or the Domain?:

    @dbeato said in AD Issue ... Windows 10 or the Domain?:

    @irj said in AD Issue ... Windows 10 or the Domain?:

    I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

    I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

    I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.

    Even then, I'd say anything that depends on MS support is reckless. MS Support doesn't qualify as "support" by any normal standard.



  • @dbeato said in AD Issue ... Windows 10 or the Domain?:

    @irj said in AD Issue ... Windows 10 or the Domain?:

    @dbeato said in AD Issue ... Windows 10 or the Domain?:

    @irj said in AD Issue ... Windows 10 or the Domain?:

    I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

    I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.

    I disagree. The only way it makes any sense to run a product that is 4 years EOL as your DC is if you are paying for support for Microsoft. Anything else is reckless.

    I understand that Server 2003 should be gone and I don’t have it in any of my networks or costumers. But I knkw plenty of government and organizations that have not fully replaced server 2003 for various reasons. All that with IT Department telling them to upgrade... and yeah you can question leadership.

    But they ARE reckless and unprofessional. Just because reckless people do bad things doesn't make it any better. Its' not questioning the leadership, it's outright bad leadership.



  • Yeah the IT guy at this place is a real jackhole, let me tell you...



  • What's keeping the company from at least migrating the domain controllers? That's actually one of the easier services to migrate.

    I've sometimes seen 2003 with legacy applications that management does not want to change for whatever reason. Just not with DCs.


Log in to reply