domain controller- automatic private address

lockmac

Senior member
Dec 5, 2004
603
0
0
Hi guys. Need your help please.

We have a distributed network with each site having a Domain Controller. We were having performance issues, and apparently (according to another IT guy here), pinging the domain name (let's say restore.local), it was receiving responses from all over the joint (other branches), so for a quick fix we have hardcoded the hosts files.

So for example, we have a server in Adelaide called "adelaide". When we are on the server, if we ping our domain name "restore.local", we get a reply from Sydney.

Before, we were getting a reply from a private address (169.xxx.xxx.xxx), and when we would ping that address, we wouldn't get a reply.

Any ideas why? This is causing speed issues as when we access a share (DFS) that should be on our Adelaide server, it is accessing the Sydney server.

Our hosts and lmhosts files are clean.

Any help appreciated. Thanks
 

MoMeanMugs

Golden Member
Apr 29, 2001
1,663
2
81
Do the domain controllers have multiple NICs in them? Are they also DNS servers? If so, go into Administrative Tools and open DNS. Right-click on the domain controller and select Properties. I think on the first tab, there is an option to select which IPs the DC responds to DNS queries on. Make sure to set it to only the IP it's supposed to be using. I hope that makes sense. I can't tell you what exactly it says because I'm not in front of a DC, but you should be able to figure it out.
 

MoMeanMugs

Golden Member
Apr 29, 2001
1,663
2
81
Also might want to make sure the DC is in the reverse lookup zone. It's not there by default.
 

lockmac

Senior member
Dec 5, 2004
603
0
0
Hi there. Thanks for the reply - yeah, one of our servers had TeamViewer VPN installed, so that's fine.

Still, the problem is this: say we are in Adelaide, if we ping the domain name, we are getting replies from Sydney and other places, but not always from the closest DC - why would this be? Cheers
 

yinan

Golden Member
Jan 12, 2007
1,801
2
71
If I am not mistaken, doesn't Microsoft DNS use round robin load balancing for requests? As far as logon requests and the like, having those respond from the closest DC should be taken care of by correctly setting up your AD sites.
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Look at how your sites are set up. This is most likely the problem. It does not sound like a DNS issue, but either sites are not set up or incorrectly configured.
 

lockmac

Senior member
Dec 5, 2004
603
0
0
Thanks for the replies guys. What settings am I looking for exactly?

I'm at the Melbourne branch and if I nslookup our domain name, it shows all the addresses but the Adelaide address, so obviously it's not working as a domain controller properly...

The Adelaide site does appear in Sites and Services and seems to be set up just like the others..

Edit: On our main server, under DNS, all servers are listed except the Adelaide server..
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Originally posted by: lockmac
Thanks for the replies guys. What settings am I looking for exactly?

I'm at the Melbourne branch and if I nslookup our domain name, it shows all the addresses but the Adelaide address, so obviously it's not working as a domain controller properly...

The Adelaide site does appear in Sites and Services and seems to be set up just like the others..

Edit: On our main server, under DNS, all servers are listed except the Adelaide server..

Are your sites on separate subnets? If the DCs are on the same subnet, then GPO and other settings could be pulled from any available DC regardless of site.

Run dcdiag in verbose mode and see if there are any errors. All DCs should be listed in DNS and in AD Sites/Services, you should also have a listing under Subnets of each subnet you are using for your various sites.
 

lockmac

Senior member
Dec 5, 2004
603
0
0
Hi there. Each site is on the same subnet.
Our scheme is like this: 192.168.3.0 is Melbourne, 4.0 is Brisbane, 5.0 is Adelaide etc.

I just ran dcdiag on the Adelaide server (192.168.5.0) and the results came back from the Brisbane server.

This is the result I got after running the command dcdiag /test:dns /v /s:iwsmel.local


Domain Controller Diagnosis

Performing initial setup:
* Connecting to directory service on server iwsmel.local.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 6 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Brisbane\BRISBANE
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... BRISBANE passed test Connectivity

Doing primary tests

Testing server: Brisbane\BRISBANE
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : DomainDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : Schema
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : Configuration
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : iwsmel
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running enterprise tests on : iwsmel.local
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Starting test: DNS
Test results for domain controllers:

DC: brisbane.iwsmel.local
Domain: iwsmel.local


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000007] Broadcom NetXtreme Gigabit Ethernet:
MAC address is 00:19:B9:xx:xx:xx
IP address is static
IP address: 192.168.4.10
DNS servers:
192.168.4.10 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found

TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
10.10.20.11 (<name unavailable>) [Valid]

TEST: Delegations (Del)
No delegations were found in this zone on this DNS server

TEST: Dynamic update (Dyn)
Dynamic update is enabled on the zone iwsmel.local.
Test record _dcdiag_test_record added successfully in zone iwsmel.local.
Test record _dcdiag_test_record deleted successfully in zone iwsmel.local.

TEST: Records registration (RReg)
Network Adapter [00000007] Broadcom NetXtreme Gigabit Ethernet:
Matching A record found at DNS server 192.168.4.10:
brisbane.iwsmel.local

Matching CNAME record found at DNS server 192.168.4.10:
670d605f-0b24-4c33-95db-d9ec4bc2ecc3._msdcs.iwsmel.local

Matching DC SRV record found at DNS server 192.168.4.10:
_ldap._tcp.dc._msdcs.iwsmel.local


Summary of test results for DNS servers used by the above domain controllers:

DNS server: 10.10.20.11 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server

DNS server: 192.168.4.10 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered

Summary of DNS test results:

Auth Basc Forw Del Dyn RReg Ext
________________________________________________________________
Domain: iwsmel.local
brisbane PASS PASS PASS PASS PASS PASS n/a

......................... iwsmel.local passed test DNS
 

lockmac

Senior member
Dec 5, 2004
603
0
0
See if I nslookup our domain, I get the following:

Server: melb.iwsmel.local
Address: 192.168.3.10

Name: iwsmel.local
Addresses: 192.168.3.10
192.168.20.10
10.10.20.10
10.10.20.11
192.168.4.10


Our Adelaide DC is not listed..
 

GeekDrew

Diamond Member
Jun 7, 2000
9,099
19
81
A few questions, that may or may not help:

- any errors being thrown on the Adelaide DC in the event logs?
- is the Adelaide DC appearing in the appropriate OU or container in ADUC?
- is DNS server running on the Adelaide DC?
- where is the Adelaide DC's network interface(s) pointed to for DNS?
 

lockmac

Senior member
Dec 5, 2004
603
0
0
Originally posted by: GeekDrew
A few questions, that may or may not help:

- any errors being thrown on the Adelaide DC in the event logs?
- is the Adelaide DC appearing in the appropriate OU or container in ADUC?
- is DNS server running on the Adelaide DC?
- where is the Adelaide DC's network interface(s) pointed to for DNS?

Hi there.
- No errors are being thrown in the event log. The only error was about a week ago:

DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

If this DNS server does not have any DS-integrated peers, then this error
should be ignored.

If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


- The Adelaide server is appearing under "Domain Controllers" in ADUC
- The DNS server is running on the Adelaide DC
- Adelaide's DNS Server is itself as primary, and secondary is another DC that we use as our secondary.

..
 

GeekDrew

Diamond Member
Jun 7, 2000
9,099
19
81
Did this trouble start about a week ago, around the time of that DNS error?

Have you performed the appropriate steps in the "To ensure proper replication" procedure, that you posted, or did the A records for Adelaide already exist on the other DNS servers?

If you run nslookup on both Adelaide and Melbourne, searching for both iwsmel.local and adelaide.iwsmel.local, what are the results, respectively? Force nslookup to use the appropriate servers in Adelaide and Melbourne, if necessary.

I also notice that when you used dcdiag, you used "dcdiag /test:dns /v /s:iwsmel.local". I could be mistaken because it's been a while, but I think that you should have used /s:adelaide.iwsmel.local so that it forces dcdiag to run on that specific server.
 

lockmac

Senior member
Dec 5, 2004
603
0
0
Hi.

On adelaide, if I run nslookup iwsmel.local adelaide.iwsmel.local, I get:

Server: adelaide.iwsmel.local
Address: 192.168.5.10

Name: iwsmel.local
Addresses: 192.168.20.10, 192.168.3.10, 10.10.20.11, 192.168.4.10
10.10.20.10


Adelaide is not listed above

On adelaide, if I run nslookup adelaide.iwsmel.local adelaide.iwsmel.local, I get:

Server: adelaide.iwsmel.local
Address: 192.168.5.10

Name: adelaide.iwsmel.local
Address: 192.168.5.10


On Melbourne, if I run nslookup iwsmel.local melb.iwsmel.local, I get:

Server: melb.iwsmel.local
Address: 192.168.3.10

Name: iwsmel.local
Addresses: 192.168.3.10, 10.10.20.10, 192.168.20.10, 192.168.4.10
10.10.20.11


On Melbourne, if I run nslookup iwsmel.local melb.iwsmel.local, I get:

Server: melb.iwsmel.local
Address: 192.168.3.10

Name: melb.iwsmel.local
Address: 192.168.3.10

_______________________

I ran the dcdiag as you said using adelaide as the host and it had the same results - all passed.

I'm not too sure when this problem started to be honest - our main IT guy told me about it the other day and thought all was fixed: apparently he hard coded the hosts files at the Adelaide site (there's only like 5 computers there).

I had someone at Adelaide just then perform a "set logonserver" and it returned adelaide..


 

GeekDrew

Diamond Member
Jun 7, 2000
9,099
19
81
how about
nslookup adelaide.iwsmel.local melb.iwsmel.local
nslookup melb.iwsmel.local adelaide.iwsmel.local

the results of iwsmel.local aren't driven by the named host records for the servers.

also try running dcdiag, specifying adelaide as the target.
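The check the posts above perform by eye, as an added example that is not part of the original thread: parse the nslookup answer for the domain name itself and report which DCs are absent from that record set and whether any automatic private (169.254.x.x) address has been registered in it. The DC addresses are the ones posted in the thread; the 169.254.10.20 entry is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Expected DC addresses, taken from the nslookup output posted in the thread.
EXPECTED_DCS = {
    "melb": "192.168.3.10",
    "brisbane": "192.168.4.10",
    "adelaide": "192.168.5.10",
}

# Answer as posted from the Adelaide DC, plus one constructed 169.254.x.x
# entry standing in for the "169.xxx.xxx.xxx" reply from the first post.
SAMPLE = """\
Server: adelaide.iwsmel.local
Address: 192.168.5.10

Name: iwsmel.local
Addresses: 192.168.20.10, 192.168.3.10, 10.10.20.11, 192.168.4.10
10.10.20.10
169.254.10.20
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def apex_addresses(nslookup_text):
    """Return the A records in the answer section (after the 'Name:' line).

    The 'Server:'/'Address:' header is skipped on purpose: it is the DNS
    server that was queried, and counting it would hide a missing record.
    """
    addrs, in_answer = [], False
    for line in nslookup_text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
        elif in_answer:
            # Covers 'Address:', 'Addresses:' and bare continuation lines.
            addrs.extend(IPV4.findall(line))
    return addrs


def audit(nslookup_text, expected=EXPECTED_DCS):
    """Report DCs missing from the record set and APIPA entries in it."""
    found = apex_addresses(nslookup_text)
    missing = sorted(name for name, ip in expected.items() if ip not in found)
    apipa = [a for a in found if ipaddress.ip_address(a).is_link_local]
    return {"missing": missing, "apipa": apipa}


if __name__ == "__main__":
    print(audit(SAMPLE))
```
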
 

lockmac

Senior member
Dec 5, 2004
603
0
0
Hi.

I ran dcdiag for Adelaide and it all passed just as with the previous one.
I also ran nslookup with those commands and they all seemed normal, returning the correct IP address for both the server performing the request and the hostname being resolved.

OK, I had a look at the hosts file to see what the other IT guy did and I couldn't really see anything. All I see is two lines: one is the loopback address and the other has ::1 as the address and localhost as the hostname.

On that client machine, if I ping iwsmel.local, I get a reply from the Adelaide server, but on the Adelaide server, if I ping iwsmel.local, I get a reply from Sydney...

I might talk to the other IT guy and see what he actually did.
 

lockmac

Senior member
Dec 5, 2004
603
0
0
Hi guys.

Do you think if I demote my server and then promote it again using dcpromo, that could fix my issue?

Cheers
 

GeekDrew

Diamond Member
Jun 7, 2000
9,099
19
81
Have you rebooted the Adelaide DC?

I'm hesitant to offer any more suggestions because of the number of things that could get much worse if you took action before figuring out exactly what the problem is, not just the symptom.
 