Windows Server 2016 DNS LDAP connectivity issues after windows update

Question

Windows Server 2016 DNS LDAP connectivity issues after windows update

Bojan Hrnkas 0

We have a small business with a single server acting as domain controller and VPN Server (single network interface).
DHCP is served by load balancer (multi-WAN router).
Server has a static ip address.

Apparently after windows update we have multiple problems (authentication, sshd not able to authenticate with kerberus).

I believe it has to do with AD or DNS or both or maybe Kerberus itself, which causes problems with DNS and AD.

If I start DNS Manager as Administrator (built-in), I get Access Denied.
If I start Active Directory Administrative Center, it closes with "unknown error".
I can open AD users and Computers, browse them and even change settings for users.

Event Log shows following errors:

SERVER03	1655	Warning	Microsoft-Windows-ActiveDirectory_DomainService	Directory Service	2/13/2024 3:37:36 PM
SERVER03	1655	Warning	Microsoft-Windows-ActiveDirectory_DomainService	Directory Service	2/13/2024 3:37:36 PM
SERVER03	1126	Error	Microsoft-Windows-ActiveDirectory_DomainService	Directory Service	2/13/2024 3:37:36 PM
SERVER03	4000	Error	Microsoft-Windows-DNS-Server-Service	DNS Server	2/13/2024 3:35:34 PM
SERVER03	4007	Error	Microsoft-Windows-DNS-Server-Service	DNS Server	2/13/2024 3:10:08 PM

dcdiag /test:dns gives this error:
Testing server: Default-First-Site-Name\SERVER03

  Starting test: Connectivity
     * Active Directory LDAP Services Check
     The host be65bd94-0221-47fb-8e6b-321e0afd30ef._msdcs.future.int could
     not be resolved to an IP address. Check the DNS server, DHCP, server
     name, etc.

....

TEST: Basic (Basc)

              Error: No LDAP connectivity
              Warning: adapter
              [00000017] Realtek Gaming 2.5GbE Family Controller has
              invalid DNS server: 8.8.8.8 (<name unavailable>)
              Warning: adapter
              [00000017] Realtek Gaming 2.5GbE Family Controller has
              invalid DNS server: 127.0.0.1 (SERVER03)
              Error: all DNS servers are invalid
              No host records (A or AAAA) were found for this DC
              Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
     
     Summary of test results for DNS servers used by the above domain
     controllers:
     
        DNS server: 192.168.0.6 (SERVER03)
           1 test failure on this DNS server
           Name resolution is not functional. _ldap._tcp.future.int. failed on the DNS server 192.168.0.6
           
        DNS server: 8.8.8.8 (<name unavailable>)
           1 test failure on this DNS server
           Name resolution is not functional. _ldap._tcp.future.int. failed on the DNS server 8.8.8.8
           
     Summary of DNS test results:
     
                                        Auth Basc Forw Del  Dyn  RReg Ext
        _________________________________________________________________
        Domain: future.int
           SERVER03                     PASS FAIL n/a  n/a  n/a  n/a  n/a  
     
     ......................... future.int failed test DNS

Pinging server works: ping server03.future.int /4

Pinging any of the donaims from the test above fails:
PS C:\Users\Administrator> ping _ldap._tcp.future.int Ping request could not find host _ldap._tcp.future.int. Please check the name and try again. Best Practice Analyzer for DnsServer finds following errors:

RAS (Dial In) Interface does not have any DNS servers configured.
The interface RAS (Dial In) Interface is not configured to register its addresses in DNS.
The DNS server 127.0.0.1 on Ethernet 3 did not successfully resolve the name _ldap._tcp.gc._msdcs.future.int
The DNS server 127.0.0.1 on Ethernet 3 did not successfully resolve the name _kerberos._tcp.future.int.
The DNS server 127.0.0.1 on Ethernet 3 did not successfully resolve the name _ldap._tcp.future.int.
The DNS server 127.0.0.1 on Ethernet 3 did not successfully resolve the name _ldap._tcp.pdc._msdcs.future.int.
The DNS server 127.0.0.1 on Ethernet 3 did not successfully resolve the name for the start of authority (SOA) record of the zone hosting the computer's forest root domain name.
The DNS server 127.0.0.1 on Ethernet 3 did not successfully resolve the name for the start of authority (SOA) record of the zone hosting the computer's primary DNS domain name.

I have tried restaring DNS and AD services.
I have tried rebooting server.
I have changed the password for krbtgt user as I tried to solve sshd issue.
I have removed stored user credentials for the server in credential manager I have added the credential for admin user again.

Any idea what else can I try?

Bojan Hrnkas 0 Reputation points

2024-02-13T15:45:11.2233333+00:00

I could start DNS manager and connect to DNS server by running dnsmgmt.msc from elevated powershell.
Marius Ene 345 Reputation points

2024-02-13T15:57:03.3066667+00:00

Hi, First of all, as you probably know, having a domain controller and VPN role on the same box is a very bad security practice. Now that we got that out of the way, the error is pointing to a name resolution issue (obviously...). That could be to many things but usually its misconfigured network cards. You said you only have 1 NIC, but normally VPN servers would have an additional NIC for clients to dial in with a public IP. Just in case, can you review all network interfaces on the server and make sure that the internal network card has the IP 192.168.0.6 and is using the right DNS server (192.168.0.6) and that this server has the ADDS and DNS roles installed? If possible paste an IPCONFIG /ALL here. Normally you would check in DNS and make sure you have the service records for LDAP, but you say that you get Access Denied, then it seems that you are missing permissions. Can you open a CMD as Administrator and run WHOAMI /GROUPS? You should have the Domain Admin permissions to be able to manage the DNS, or at least membership in the DNS Admins group.
Marius Ene 345 Reputation points

2024-02-13T16:00:03.4166667+00:00

Check in DNS if you have the service records for LDAP. Here is an example:
Bojan Hrnkas 0 Reputation points

2024-02-13T16:07:04.15+00:00
@Marius, thanks.

Yes we really have a single network adapter on the server. The VPN ip address is 192.168.0.220.

All of the above DNS records are present.

As you can see below, the problems have been caused by changing administrator user password.

1 answer

Your answer

Bojan Hrnkas 0 Reputation points

2024-02-13T15:45:11.2233333+00:00

I could start DNS manager and connect to DNS server by running dnsmgmt.msc from elevated powershell.
Marius Ene 345 Reputation points

2024-02-13T15:57:03.3066667+00:00

Hi, First of all, as you probably know, having a domain controller and VPN role on the same box is a very bad security practice. Now that we got that out of the way, the error is pointing to a name resolution issue (obviously...). That could be to many things but usually its misconfigured network cards. You said you only have 1 NIC, but normally VPN servers would have an additional NIC for clients to dial in with a public IP. Just in case, can you review all network interfaces on the server and make sure that the internal network card has the IP 192.168.0.6 and is using the right DNS server (192.168.0.6) and that this server has the ADDS and DNS roles installed? If possible paste an IPCONFIG /ALL here. Normally you would check in DNS and make sure you have the service records for LDAP, but you say that you get Access Denied, then it seems that you are missing permissions. Can you open a CMD as Administrator and run WHOAMI /GROUPS? You should have the Domain Admin permissions to be able to manage the DNS, or at least membership in the DNS Admins group.
Marius Ene 345 Reputation points

2024-02-13T16:00:03.4166667+00:00

Check in DNS if you have the service records for LDAP. Here is an example:
Bojan Hrnkas 0 Reputation points

2024-02-13T16:07:04.15+00:00

@Marius, thanks.

Yes we really have a single network adapter on the server. The VPN ip address is 192.168.0.220.

All of the above DNS records are present.

As you can see below, the problems have been caused by changing administrator user password.

Answer 1

Bojan Hrnkas 0

All problems resolved by reverting Password change for Administrator.

I have forgotten that we changed user password for our FUTURE\Administrator user.

This was now try-anything-desperation-move to change the password back to what is was before.

After that, all of the problem dissapeared.

How can this be?

Is there a method to change user password without messing up the entire system?

Marius Ene 345 Reputation points

2024-02-13T16:32:36.7566667+00:00

You should not use the domain built-in Administrator for management of resources. Until recently, the best practices stated that it should be kept disabled but the latest best practices say finally it can be kept enabled but still that account should be used for disaster recovery situations.

"Use of a domain's Administrator account should be reserved only for initial build activities, and possibly, disaster-recovery scenarios."> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory

Most common usage these days is that IT admins would have a standard user account and a privileged user account such as admUsername that would be a member of Domain Admins, etc. Today this is also a bad practice and Microsoft advises against that. I have recently blogged a more summarized version on how to implement today's best practices wen it comes to Active Directory. Please have a look: https://mariusene.com/2024/02/13/active-directory-principle-of-least-privilege-pim-rbac/ Hope it helps!

Share via

Windows Server 2016 DNS LDAP connectivity issues after windows update

1 answer

Your answer