DNS Server on Windows Server 2012 does not pass basic, delegations, dynamic updates, and records registration tests upon running DCDiag /c /v, how do I fix this problem? I am new to managing DNS in a small server forest.

Vincent Badenhorst 0 Reputation points
2023-05-31T16:03:16.79+00:00
C:\Users\Administrator>DCDiag /c /v

 

Directory Server Diagnosis

 

Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine server1, is a Directory Server.

   Home Server = server1

   * Connecting to directory service on server server1

   * Identified AD Forest.

   Collecting AD specific global data

   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=dc,DC=ca,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......

   The previous call succeeded

   Iterating through the sites

   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dc,DC=ca

   Getting ISTG and options for the site

   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=dc,DC=ca,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......

   The previous call succeeded....

   The previous call succeeded

   Iterating through the list of servers

   Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dc,DC=ca

   objectGuid obtained

   InvocationID obtained

   dnsHostname obtained

   site info obtained

   All the info for the server collected

   * Identifying all NC cross-refs.

   * Found 1 DC(s). Testing 1 of them.

   Done gathering initial info.

 

Doing initial required tests

 

   Testing server: Default-First-Site-Name\server1

      Starting test: Connectivity

         * Active Directory LDAP Services Check

         The host host could

         not be resolved to an IP address. Check the DNS server, DHCP, server

         name, etc.

         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... server1 failed test Connectivity

 

Doing primary tests

 

   Testing server: Default-First-Site-Name\server1

      Skipping all tests, because server server1 is not responding to

      directory service requests.

      Test omitted by user request: Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Test omitted by user request: FrsEvent

      Test omitted by user request: DFSREvent

      Test omitted by user request: SysVolCheck

      Test omitted by user request: KccEvent

      Test omitted by user request: KnowsOfRoleHolders

      Test omitted by user request: MachineAccount

      Test omitted by user request: NCSecDesc

      Test omitted by user request: NetLogons

      Test omitted by user request: ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Test omitted by user request: Replications

      Test omitted by user request: RidManager

      Test omitted by user request: Services

      Test omitted by user request: SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Test omitted by user request: VerifyReferences

      Test omitted by user request: VerifyReplicas

 

      Starting test: DNS

 

         DNS Tests are running and not hung. Please wait a few minutes...

         See DNS test in enterprise tests section for results

         ......................... server1 passed test DNS

 

   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

 

   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

 

   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

 

   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

 

   Running partition tests on : domain

      Starting test: CheckSDRefDom

         ......................... domain passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... domain passed test CrossRefValidation

 

   Running enterprise tests on : domain.ca

      Starting test: DNS

         Test results for domain controllers:

 

            DC: server1.domain.ca

            Domain: domain.ca

 

 

               TEST: Authentication (Auth)

                  Authentication test: Successfully completed

 

               TEST: Basic (Basc)

                  Error: No LDAP connectivity

                  The OS

                  Microsoft Windows Server 2012 Standard (Service Pack level: 0.0)

                  is supported.

                  NETLOGON service is running

                  kdc service is running

                  DNSCACHE service is running

                  DNS service is running

                  DC is a DNS server

                  Network adapters information:

                  Adapter adapter:

                     MAC address is AA:AA:AA:AA:AA

                     IP Address is static

                     IP address: 0.0.0.0,

                     DNS servers:

                        Warning:

                        0.0.0.0 (server1) [Invalid]

                        Warning: adapter

                        [00000010] adapter has

                        invalid DNS server: 0.0.0.0 (server1)

                  Error: all DNS servers are invalid

                  No host records (A or AAAA) were found for this DC

                  The SOA record for the Active Directory zone was found

                  The Active Directory zone on this DC/DNS server was found primary

                  Root zone on this DC/DNS server was not found

 

               TEST: Forwarders/Root hints (Forw)

                  Recursion is enabled

                  Forwarders Information:

                    some forwarder addresss (<name unavailable>) [Valid]

 

               TEST: Delegations (Del)

                  Delegation information for the zone: domain.ca

                     Delegated domain name: corp.domain.ca

                        Warning: Delegation of DNS server server1. is broken on IP:0.0.0.1

                        Warning: Delegation of DNS server server1. is broken on IP:ip

                        Error: DNS server: server1

                        IP:ip

                        [Broken delegation]

 

               TEST: Dynamic update (Dyn)

                  Warning: Failed to add the test record dcdiag-test-record in zone domain.ca

                  [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

                  Test record dcdiag-test-record deleted successfully in zone domain.ca

 

            TEST: Records registration (RReg)

               Error: Record registrations cannot be found for all the network

               adapters

 

         Summary of test results for DNS servers used by the above domain

         controllers:

 

            DNS server: 0.0.0.1 (server2.)

               1 test failure on this DNS server

               PTR record query for the something.in-addr.arpa. failed on the DNS server 0.0.0.1

               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

               DNS delegation for the domain corp.domain.ca. is broken on IP 0.0.0.1

 

               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

 

            DNS server: 0.0.0.0 (server1)

               1 test failure on this DNS server

               Name resolution is not functional. _ldap._tcp.domain.ca failed on the DNS server 0.0.0.0

               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

 

            DNS server: dnsaddress (server1.)

               1 test failure on this DNS server

               PTR record query for the address.ip6.arpa failed on the DNS server server address

               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

               DNS delegation for the domain corp.domain.ca. is broken on IP ip address

 

               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

 

            DNS server: server address (<name unavailable>)

               All tests passed on this DNS server

 

         Summary of DNS test results:

 

                                            Auth Basc Forw Del  Dyn  RReg Ext

            _________________________________________________________________

            Domain: domain.ca

               server1                    PASS FAIL PASS FAIL WARN FAIL n/a

 

         ......................... domain.ca failed test DNS

      Starting test: LocatorCheck

         GC Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         PDC Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         Time Server Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         Preferred Time Server Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         KDC Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         ......................... domain.ca passed test LocatorCheck

      Starting test: FsmoCheck

         GC Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         PDC Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         Time Server Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         Preferred Time Server Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         KDC Name: \\server1.domain.ca

         Locator Flags: 0xe00073fd

         ......................... domain.ca passed test FsmoCheck

      Starting test: Intersite

         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.

         ......................... domain.ca passed test Intersite

8 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2023-05-31T19:16:47.1333333+00:00

    Did you do the below, and possibly reboot it?

    ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service?

    Another issue when a single domain controller is used is described below.

    When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.

    If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public.

    When you have a single domain controller there can be a race condition that will cause the network firewall to start up as Public. In this case restarting the NLA (network location awareness) service should solve it.

    Also, another small one is that a domain controller should always have two listings for DNS:

    1. own static ip (which it has)
    2. plus the loopback address (127.0.0.1)
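
The checks this answer describes, collected into one read-only PowerShell script. This is an added example, not part of the original answer; it assumes PowerShell 3.0 or later in an elevated session on the domain controller and the default service names shown.

```powershell
# Added example: read-only health checks for a single domain controller.
# Assumes PowerShell 3.0+ in an elevated session on the DC itself.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# 1. NLA result: every connected adapter on a DC should be DomainAuthenticated.
$profiles  = @(Get-NetConnectionProfile)
$notDomain = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })

# 2. DNS client list per adapter: own static IPv4 address plus 127.0.0.1.
$dnsProblems = @(foreach ($p in $profiles) {
    $own = @(Get-NetIPAddress -InterfaceIndex $p.InterfaceIndex -AddressFamily IPv4 |
             Select-Object -ExpandProperty IPAddress)
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $p.InterfaceIndex `
              -AddressFamily IPv4).ServerAddresses)
    $hasOwn = @($dns | Where-Object { $own -contains $_ }).Count -gt 0
    if ((-not $hasOwn) -or ($dns -notcontains '127.0.0.1')) {
        [pscustomobject]@{
            Adapter    = $p.InterfaceAlias
            OwnIP      = $own -join ','
            DnsServers = $dns -join ','
        }
    }
})

# 3. Services behind the DCDiag results, plus AD DS and NLA.
$stopped = @(Get-Service -Name NTDS, DNS, Netlogon, Kdc, Dnscache, NlaSvc |
             Where-Object { $_.Status -ne 'Running' })

# 4. The DC locator SRV record that DCDiag reported as unresolvable.
$srv = Resolve-DnsName -Name "_ldap._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue

$profiles | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
if ($notDomain)   { Write-Warning "Not on Domain profile: $($notDomain.InterfaceAlias -join ', ')" }
if ($dnsProblems) { Write-Warning 'DNS list lacks own IP or 127.0.0.1:'; $dnsProblems | Format-Table -AutoSize }
if ($stopped)     { Write-Warning "Services not running: $($stopped.Name -join ', ')" }
if (-not $srv)    { Write-Warning "_ldap._tcp.$domain did not resolve" }

# Remediation steps named in the answer; these change state, so they are commented out:
# ipconfig /flushdns; ipconfig /registerdns
# Restart-Service Netlogon
# Restart-Service NlaSvc -Force   # -Force: other services depend on NLA
```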

  2. Dave Patrick 426.1K Reputation points MVP
    2023-05-31T19:43:50.5333333+00:00

    Look here.

    User's image


  3. Dave Patrick 426.1K Reputation points MVP
    2023-05-31T23:22:18.9+00:00

    I never got to look at the system event Event Source and Event IDs. I'm not sure if you got them or not, but it looks like the shared files are gone now. These ones below are problematic.

                      No host records (A or AAAA) were found for this DC
                      The SOA record for the Active Directory zone was found
    

    Check for non-starting services. It looks like, in general, Active Directory domain and DNS services do not start up. A couple of things you could try:
    https://itsimple.info/?p=876
    and the steps in last post found here https://social.technet.microsoft.com/Forums/windowsserver/en-US/832de388-ada3-48b1-a23f-95cce8882797/the-soa-record-for-the-active-directory-zone-was-not-found-windows-2008-domain-dcdiag-testdns-?forum=winserverNIS