AD Authentication and DNS required records

SeekingTruth 191 Reputation points
2021-01-18T08:35:53.013+00:00

I am in the process of decommissioning an old domain controller (Windows 2008 R2 server called OLDDC). The domain has several Domain Controllers running Windows 2016. Everything is working fine except when I take this old server offline. I did this as a test and found users could not log on or access network drives.

After researching and reading up on the "DC Locator process" it appears to me that some entries are missing in DNS, or possibly there is one entry too many (Default-First-Site-Name)?

There are two zones in "Forward Lookup Zones". These are "_msdcs.domain.lcl" and "domain.lcl". All my DC's appear with the appropriate records in DNS under the correct site names.

However there is an entry "_tcp.Default-First-Site-Name._sites.gc._msdcs.domain.lcl" which only contains one LDAP entry (SRV record) for the OLDDC, which is the server to be decommissioned. Everywhere there is a "Default-First-Site-Name" it only contains the one entry, being OLDDC.

In DOMAIN.LCL zone there is a record "_msdcs" which also contains just the OLDDC.

Should I just manually add the required DCs ?

All guidance on how to resolve this is greatly appreciated.
Thanks


Accepted answer
  1. SeekingTruth 191 Reputation points
    2021-01-25T05:23:18.047+00:00

    Hi Daisy,
    I have done numerous tests and a lot of research since we last communicated and found the following.

    It appears that the issue of users not being able to log in or RDP when that particular server was shut down is:

    • Some of the computers / users were using the DC we shut down for checking their "Trust Relationship". Windows will eventually try another DC to check the "Trust Relationship". My testing showed this to be around 3-4 minutes.
    • The server which is providing the "Trust Relationship" can be found by using the command "NLTEST /sc_query:domain.lcl".
    • You can use "NLTEST /sc_reset:domain.lcl" to set the next available DC to be used by that computer when checking the "Trust Relationship" in the future.

    Tests in relation to DNS and Sites & Services show that the creation of a new site in "Sites and Services" will also create appropriate DNS entries in:

    • _sites.dc._msdcs.domain.lcl
    • _sites.gc._msdcs.domain.lcl
    • _sites.domain.lcl
    • _sites.DomainDnsZones.domain.lcl
    • _sites.ForestDnsZones.domain.lcl

    I also found that renaming a site in "Sites and Services" will also create appropriate DNS entries for the new site, with additional _ldap records, BUT it also leaves the old DNS site and its entries.

    So as far as I am now concerned we should be able to close this question.

    Thanks

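The secure-channel check and reset from the accepted answer, as an added PowerShell example that is not part of the original thread. It wraps the in-box `nltest.exe /sc_query` and `/sc_reset` switches the answer names and, at the end, forces the DC Locator to re-run with `nltest /dsgetdc:<domain> /force` so you can see which DC a client would pick now that the old one is gone. The domain name and DC names are placeholders taken from the thread; `$PreferredDc` is an assumed optional parameter (nltest's `/sc_reset:<domain>\<dc>` form pins the channel to a named DC, the bare `/sc_reset:<domain>` form lets the locator choose). Run it elevated on the client.

```powershell
# Added example (not from the original thread): find which DC this machine's
# secure channel is bound to and move it off the DC being retired.
# Assumptions: domain and DC names below are placeholders; nltest.exe is in-box.
param(
    [string]$Domain      = 'domain.lcl',   # assumed placeholder
    [string]$RetiringDc  = 'OLDDC',        # assumed placeholder
    [string]$PreferredDc = ''              # assumed: optional DC to pin to, e.g. 'DC02'
)

function Get-SecureChannelDc {
    # Parses the "Trusted DC Name \\DC01.domain.lcl" line printed by nltest /sc_query.
    param([string]$Domain)
    $m = & nltest.exe "/sc_query:$Domain" 2>&1 |
         Select-String -Pattern 'Trusted DC Name\s+\\\\(\S+)' |
         Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value }
    return $null
}

function Reset-SecureChannel {
    # nltest /sc_reset:<domain>[\<dc>] tears down and re-establishes the secure channel.
    # Naming a DC pins the channel to it; without a DC the DC Locator picks one.
    param([string]$Domain, [string]$Dc)
    $target = if ($Dc) { "$Domain\$Dc" } else { $Domain }
    & nltest.exe "/sc_reset:$target" 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$current = Get-SecureChannelDc -Domain $Domain
"Secure channel currently with: $current"

# Compare on the short host name so 'OLDDC' matches 'OLDDC.domain.lcl'.
$shortName = if ($current) { ($current -split '\.')[0] } else { '' }
if ($shortName -ieq $RetiringDc) {
    "Bound to the retiring DC, resetting..."
    if (Reset-SecureChannel -Domain $Domain -Dc $PreferredDc) {
        "Secure channel now with: $(Get-SecureChannelDc -Domain $Domain)"
    } else {
        Write-Warning "nltest /sc_reset failed; try Test-ComputerSecureChannel -Repair -Verbose"
    }
}

# Force the DC Locator to run again (bypassing its cache) and show the result.
& nltest.exe "/dsgetdc:$Domain" /force 2>&1 | Select-String -Pattern 'DC:|Site Name|Flags'
```

To survey a fleet before the shutdown rather than one box at a time, wrap the same two function bodies in `Invoke-Command -ComputerName <list>` and collect the `Get-SecureChannelDc` results; any client still reporting the retiring DC can be reset ahead of time instead of waiting the few minutes the answer observed for Windows to fail over on its own.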

6 additional answers

  1. Daisy Zhou 24,981 Reputation points Microsoft Vendor
    2021-01-18T09:29:34.43+00:00

    Hello @SeekingTruth ,

    Thank you for posting here.

    Based on the description, I understand we have several Domain Controllers (one Windows 2008 R2 DC and several Windows Server 2016 DCs), and now we want to demote the Windows 2008 R2 DC (this Windows 2008 R2 DC still exists in the domain; we have not demoted it yet).

    Q:Should I just manually add the required DCs ?
    A:If you promote a new DC in the domain successfully, all the DNS records related to that DC should be created automatically in DNS manager on the DC.

    Check if you put other DCs in different sites.

    For example:
    [image: 57632-site2.png]

    Or maybe the AD replication issue caused the DNS records missing.

    1.Based on "I did this as a test and found users could not log on or access network drives.", what error message did you see?
    2.Would you please check FSMO role DC? Run command netdom query fsmo.
    3.How many site do you have?
    [image: 57430-site1.png]
    4.Which site are all the DCs put?
    5.Is your domain a forest with a single domain or a forest with several domains?
    6.What is your domain functional level / forest functional level?

    Best Regards,
    Daisy Zhou


  2. SeekingTruth 191 Reputation points
    2021-01-18T12:00:02.12+00:00

    Hi Daisy,
    Thank you for getting back.

    I would be interested in knowing what entries you have in "Default-First-Site-Name" and what changes occur if you add a second DC.

    I have all my DCs spread over two sites. All DCs were installed via DCPROMO which worked successfully.

    To answer your questions.
    Q1. Based on "I did this as a test and found users could not log on or access network drives.", what error message did you see?
    A1. I had other users testing and this was the information passed to me. "Enter network credentials", "the specified network password is not correct".

    Q2. Would you please check FSMO role DC? Run command netdom query fsmo.
    A2. All roles pointing to my new DCs. No references to OLDDC.

    Q3. How many site do you have?
    A3. I have 2 sites.

    Q4. Which site are all the DCs put?
    A4. The DCs are spread over 2 sites.

    [image: 57622-sites.jpg]

    Q5. Is your domain a forest with single domain or a forest with several domains?
    A5. It is a forest with single domain.

    Q6. What is your domain functional level / forest functional level?
    A6. Both the Forest and Domain are at the functional level of "Windows Server 2008 R2"

    I notice that in "Sites and Services" you have Default-First-Site-Name. This does not appear in mine. It does, however, appear in DNS.

    Kind Regards


  3. Daisy Zhou 24,981 Reputation points Microsoft Vendor
    2021-01-19T06:28:50.677+00:00

    Hello @SeekingTruth ,

    There is a default site named "Default-First-Site-Name" in AD when we deploy an AD domain (on the DC).

    We can also create new sites if needed. Site1, site2 and site3 are sites that I created.
    [image: 57838-site1.png]

    When we promote a DC, we can select a site for this DC.
    [image: 57993-site111.png]

    We can check as below:
    1.Please check if you can see all the DCs in site VDC1 and site VDC2.
    2.Please check if you can see VDC1 with DC records and VDC2 with DC records in DNS manager (I mean we can check whether all SRV records that should exist do exist).

    For example:
    [image: 57947-site3.png]

    3.Run Dcdiag /v on every DC to check the DC health.
    4.Run repadmin /replsum and repadmin /showrepl * /csv >c:\repsum.csv on PDC to check AD replication.

    Tip: If there is no error in the command results, it means every DC itself and AD replication work fine.

    If these records are missing on only one DC or some DCs, maybe AD replication does not work fine, which caused the DCs not to be synced.

    If these records are missing on all DCs, there is an issue on the DC itself.

    All DCs should have ldap SRV and kerberos SRV records. If a DC is also a GC, this DC should have a gc SRV record.
    [image: 57920-gc1.png]

    Best Regards,
    Daisy Zhou

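The check in step 2 above ("whether all SRV records that should exist do exist"), plus the reverse check the question actually needs (records that still name the retiring DC), as an added PowerShell example that is not part of the original thread. Part 1 builds, per current DC, the SRV owner names Netlogon registers for it (the same list you will find in that DC's `%SystemRoot%\System32\config\netlogon.dns`) and resolves each one, reporting any that do not list the DC as a target. Part 2 walks the `_msdcs` and domain zones on a DNS server and lists every SRV record whose target is not a current DC; a stale `_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs` entry for OLDDC would show up here. Part 3 prints the NS records of the `_msdcs` delegation inside the domain zone, which the question says also lists only OLDDC. Assumptions: it runs on a DC or an RSAT host with the ActiveDirectory, DnsClient and DnsServer modules; `domain.lcl` and `localhost` are placeholders.

```powershell
# Added example (not from the original thread): audit DC Locator SRV records.
# Assumptions: ActiveDirectory, DnsClient and DnsServer modules available;
# $Domain and $DnsServer are placeholders to replace.
param(
    [string]$Domain    = 'domain.lcl',   # assumed placeholder from the thread
    [string]$DnsServer = 'localhost'     # assumed: a DC hosting the AD-integrated zones
)

Import-Module ActiveDirectory, DnsServer

$forest = (Get-ADDomain -Identity $Domain).Forest
$dcs    = Get-ADDomainController -Filter * -Server $Domain
$live   = $dcs | ForEach-Object { $_.HostName.ToLower() }   # FQDNs of current DCs

function Get-ExpectedSrvNames {
    # SRV owner names a DC registers, depending on its site and on whether it is a GC / PDC emulator.
    param($Dc, [string]$Domain, [string]$Forest)
    $site  = $Dc.Site
    $names = @(
        "_ldap._tcp.$Domain",     "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.$Domain", "_kerberos._tcp.dc._msdcs.$Domain",
        "_kpasswd._tcp.$Domain",
        "_ldap._tcp.$site._sites.$Domain",     "_ldap._tcp.$site._sites.dc._msdcs.$Domain",
        "_kerberos._tcp.$site._sites.$Domain", "_kerberos._tcp.$site._sites.dc._msdcs.$Domain",
        "_ldap._tcp.DomainDnsZones.$Domain",   "_ldap._tcp.$site._sites.DomainDnsZones.$Domain",
        "_ldap._tcp.ForestDnsZones.$Forest",   "_ldap._tcp.$site._sites.ForestDnsZones.$Forest"
    )
    if ($Dc.OperationMasterRoles -contains 'PDCEmulator') {
        $names += "_ldap._tcp.pdc._msdcs.$Domain"
    }
    if ($Dc.IsGlobalCatalog) {
        $names += "_gc._tcp.$Forest", "_ldap._tcp.gc._msdcs.$Forest",
                  "_gc._tcp.$site._sites.$Forest", "_ldap._tcp.$site._sites.gc._msdcs.$Forest"
    }
    return $names
}

# Part 1: expected records that do not resolve with this DC as a target.
$missing = foreach ($dc in $dcs) {
    $fqdn = $dc.HostName.ToLower()
    foreach ($name in (Get-ExpectedSrvNames -Dc $dc -Domain $Domain -Forest $forest)) {
        $targets = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' } |
                   ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') }
        if ($targets -notcontains $fqdn) {
            [pscustomobject]@{ DC = $fqdn; MissingRecord = $name }
        }
    }
}

# Part 2: SRV records in either zone whose target is not a current DC (stale candidates).
$stale = foreach ($zone in @("_msdcs.$forest", $Domain)) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv |
        Where-Object { $live -notcontains $_.RecordData.DomainName.ToLower().TrimEnd('.') } |
        ForEach-Object {
            [pscustomobject]@{ Zone = $zone; Record = $_.HostName; Target = $_.RecordData.DomainName }
        }
}

# Part 3: NS records of the _msdcs delegation held inside the domain zone.
$delegation = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
                  -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue |
              ForEach-Object { $_.RecordData.NameServer }

'== Expected SRV records missing for a current DC =='
$missing | Format-Table -AutoSize
'== SRV records whose target is not a current DC (review before deleting) =='
$stale | Format-Table -AutoSize
"== NS records of the _msdcs delegation in $Domain =="
$delegation
```

Part 1 queries through DNS, so run it against each DC's DNS service (change `$DnsServer`) when you suspect replication, as the answer above describes: a record present on one DC and absent on another points at replication, absent everywhere points at the DC that should have registered it. Part 2 reads the zone directly and is the list to work from when deleting leftovers after OLDDC is demoted; Netlogon only re-registers records for DCs that still exist, so entries under a site name that is no longer in AD are not going to disappear by themselves.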

  4. SeekingTruth 191 Reputation points
    2021-01-19T07:47:19.627+00:00

    Hi Daisy,
    Unfortunately I do not appear to have "Default-First-Site-Name" in AD. I only see it in DNS.

    What entries do you have in DNS for

    1. _tcp.Default-First-Site-Name._sites.gc._msdcs.a.local
    2. _tcp.Default-First-Site-Name._sites.a.local

    I have the following for

    1. one entry (_ldap SRV OLDDC)
    2. three entries, _gc, _kerberos and _ldap, all for the old domain controller OLDDC.

    Kind Regards
