DNS Troubleshooter Related to Active Directory Issues

DC Promotion/Demotion Fails

What to check for:

  • If joining a domain controller to a domain, verify that the existing domain controller(s) do not have a disjoint namespace; see KB article 257623.
  • If promoting or demoting a server in an existing domain, verify that the SRV records are properly registered in the forward lookup zone. As an initial check, verify that the following four folders exist directly beneath the root or child domain zone: _msdcs, _sites, _tcp, _udp
    • Some examples of records that should be registered in the DNS zone are:
      _ldap._tcp.dc._msdcs.<domain>
      _ldap._tcp.<site>._sites.dc._msdcs.<domain>
      _kerberos._tcp.<site>._sites.dc._msdcs.<domain>

  • If some or all of the records above are missing, verify the following:
    • Verify that the Kerberos Key Distribution Center service is started on the domain controller
    • Verify that the Netlogon service is started on the domain controller
    • Verify that the DHCP Client service (Windows Server 2003) or the DNS Client service (Windows Server 2008) is started on the domain controller
    • Verify that the domain controller has a host record registered
    • If the domain subfolders are missing, see KB article 310568.

Replication Issues

What to check for:

  • Verify that domain controllers that are replication partners in the domain have their globally unique identifier (GUID) registered in the forest root zone.
    • Example of an NTDSA object GUID record:
      name = e99e82d5-deed-11d2-b15c-00c04f5cb502._msdcs.domain.com
      type = cname
      data = server.domain.com

Note: Every Windows 2000/2003 domain controller registers a CNAME record corresponding to the GUID of its NTDSA object (example above) in the forest root domain, regardless of whether the domain controller is in a child domain, or a different tree of the forest. The forest root domain is the first domain created in the forest.

  • Domain controllers attempting to replicate first query Active Directory for their configured replication partner and its GUID. They then issue a DNS query for the CNAME record of that GUID, similar to the record in the example above. If the GUID record is not present in the DNS zone, the domain controller will not replicate with that partner.
  • Each domain controller must also have a host record registered for the name that its CNAME record points to in the DNS zone.
  • Verify that both domain controllers involved in the replication can resolve the above DNS records for each other.

  • If there are replication problems in the forest root zone, verify that domain controllers are not pointing to themselves for DNS. As a rule for Windows 2000, only one domain controller in the forest root domain should point to itself as either the Preferred or the Alternate DNS server in its TCP/IP properties, and all other domain controllers should point to DNS servers other than themselves. See KB article 275278. For Windows Server 2003, the preferred configuration is to point to itself as Preferred and to another domain controller as Alternate, because the _msdcs folder has been moved to forest-wide replication and GUID information is available locally on each domain controller.
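The checks from the two sections above (SRV and host records for each domain controller, and the NTDSA GUID CNAME in the forest root zone) can be run in one pass from an admin workstation. This is an added example, not part of the original article: it assumes the RSAT ActiveDirectory and DnsClient modules are installed, and $DnsServer is a placeholder for the DNS server the domain controllers point to.

```powershell
# Added example: verify the DNS records the article says every DC needs.
# $DnsServer is a placeholder; set it to the DNS server your DCs use.
param(
    [string]$DnsServer = "dc1.domain.com"   # placeholder value
)
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$forest   = Get-ADForest
$failures = @()

# Resolve one record and remember it if the lookup fails.
function Test-Record {
    param([string]$Name, [string]$Type)
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly -ErrorAction Stop | Out-Null
        Write-Output ("OK   {0,-5} {1}" -f $Type, $Name)
    } catch {
        $script:failures += "$Type $Name"
        Write-Output ("MISS {0,-5} {1}" -f $Type, $Name)
    }
}

foreach ($dc in Get-ADDomainController -Filter *) {
    Write-Output "== $($dc.HostName) (site $($dc.Site)) =="

    # SRV records from the "DC Promotion/Demotion Fails" section
    Test-Record "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" SRV
    Test-Record "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$($domain.DNSRoot)" SRV
    Test-Record "_kerberos._tcp.$($dc.Site)._sites.dc._msdcs.$($domain.DNSRoot)" SRV

    # Host record for the DC itself (the target of its GUID CNAME)
    Test-Record $dc.HostName A

    # NTDSA object GUID CNAME, which lives in the forest root zone
    # (the objectGUID of the DC's NTDS Settings object)
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    Test-Record "$($ntds.objectGUID)._msdcs.$($forest.RootDomain)" CNAME
}

if ($failures.Count -gt 0) {
    Write-Output "`n$($failures.Count) record(s) missing; check the services listed in the article:"
    $failures | ForEach-Object { Write-Output "  $_" }
    exit 1
}
Write-Output "`nAll expected records resolved."
```

A MISS on an SRV or A record points back to the Netlogon, KDC and DHCP/DNS Client service checks above; a MISS on the CNAME means the partner will not replicate with that DC until the GUID record is registered in the forest root zone.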

Logon Slow or Failed

What to check for:

  • Usually associated with event ID 5719 (failed logon) in the event log. See KB article 244474.
  • Verify that the host is not pointing to an ISP's DNS server as Preferred or Alternate.
  • A host that is logging on must point to a DNS server that can resolve records for the local domain and the forest root.
  • If the logon is in a child domain, ensure that the child zone is properly delegated from the parent zone, if applicable. See KB article 255248.