DCDiag: Misleading DNS Test Failure in a Multi-Sited Parent/Child-Domain Scenario
The behavior described below occurs on Microsoft Windows Server 2012 R2 Datacenter; I haven't tested it on older Windows versions.
Consider a domain and a child domain in two separate IP ranges across two sites:
SiteA:
SiteA-DC01.root.local (10.10.0.1/16)
SiteA-DC02.root.local (10.10.0.2/16)
SiteB:
SiteB-DC03.root.local (10.11.0.1/16)
SiteB-cDC01.child.root.local (10.11.1.1/16)
Running dcdiag /e /v /test:DNS /f:output.txt from SiteA-DC01.root.local or SiteA-DC02.root.local gives the following error (parts of the output snipped):
DC: SiteB-cDC01.child.root.local
Domain: child.root.local
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
[Error details: 53 (Type: Win32 - Description: The network path was not found.) - Add connection failed]
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
is supported.
Error: Open Service Control Manager failed
[Error details: 1722 (Type: Win32 - Description: The RPC server is unavailable.) - Could not open Service Control Manager]
No host records (A or AAAA) were found for this DC
-- snipped log --
Summary of DNS test results:
                 Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: root.local
  SiteA-DC01     PASS PASS PASS PASS PASS PASS n/a
  SiteA-DC02     PASS PASS PASS PASS PASS PASS n/a
  SiteB-DC03     PASS PASS PASS PASS PASS PASS n/a
Domain: child.root.local
  SiteB-cDC01    FAIL FAIL n/a  n/a  n/a  n/a  n/a
Running the same command from SiteB-DC03.root.local gives the expected result:
DC: SiteB-cDC01.child.root.local
Domain: child.root.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Microsoft Hyper-V Network Adapter:
MAC address is 00:15:5D:0A:33:0C
IP Address is static
IP address: 10.11.1.1, fe80::61fb:37f9:4f81:2d98
DNS servers:
10.10.0.1 (SiteA-DC01.root.local.) [Valid]
10.10.0.2 (SiteA-DC02.root.local.) [Valid]
127.0.0.1 (SiteB-cDC01.child.root.local.) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
-- snipped log --
Summary of DNS test results:
                 Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: root.local
  SiteA-DC01     PASS PASS PASS PASS PASS PASS n/a
  SiteA-DC02     PASS PASS PASS PASS PASS PASS n/a
  SiteB-DC03     PASS PASS PASS PASS PASS PASS n/a
Domain: child.root.local
  SiteB-cDC01    PASS PASS PASS PASS PASS PASS n/a
Enterprise DNS infrastructure test results:
For parent domain root.local and subordinate domain child:
Forwarders or root hints are not misconfigured from parent domain to subordinate domain
Forwarders are configured properly from subordinate to parent domain
Delegation is configured properly from parent to subordinate domain
......................... root.local passed test DNS
It seems that a NetBIOS fallback is used to resolve the child domain's DC in SiteB, which works from DC03 (same broadcast domain) but not from DC01 and DC02. As far as I noticed, this doesn't affect replication or anything else, so the domain seems to be OK despite the DNS test error. To verify that NetBIOS name resolution is the cause, you can create an A record for SiteB-cDC01 in the root.local zone pointing to 10.11.1.1/16. After flushing the DNS caches (ipconfig /flushdns plus clearing the cache on the DNS servers), dcdiag will run successfully from DC01 and DC02 as well.
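The check and the workaround described above can be scripted in PowerShell. This is an added example, not part of the original post: it compares DNS-only and NetBIOS/LLMNR-only resolution of the child DC's name, then optionally applies the A-record workaround. It assumes the DnsClient and DnsServer modules that ship with Windows Server 2012 R2 and an elevated session on SiteA-DC01; Test-Resolution and $ApplyWorkaround are hypothetical names.

```powershell
# Added example, not from the original post. Run elevated on SiteA-DC01.
$ShortName  = 'SiteB-cDC01'
$ChildFqdn  = 'SiteB-cDC01.child.root.local'
$Zone       = 'root.local'
$Address    = '10.11.1.1'
$DnsServers = 'SiteA-DC01.root.local', 'SiteA-DC02.root.local', 'SiteB-DC03.root.local'
$ApplyWorkaround = $false   # hypothetical switch: set to $true to create the A record

# Hypothetical helper: resolve $Name over one path only and report the outcome.
function Test-Resolution {
    param([string]$Name, [ValidateSet('DnsOnly', 'LlmnrNetbiosOnly')][string]$Path)
    $query = @{ Name = $Name; Type = 'A'; ErrorAction = 'Stop' }
    $query[$Path] = $true   # sets -DnsOnly or -LlmnrNetbiosOnly on Resolve-DnsName
    try   { $ips = @(Resolve-DnsName @query | Where-Object { $_.IPAddress } |
                     ForEach-Object { $_.IPAddress }) }
    catch { $ips = @() }    # name not found or timeout over this path
    [pscustomobject]@{
        Name      = $Name
        Path      = $Path
        Resolved  = ($ips.Count -gt 0)
        Addresses = $ips -join ', '
    }
}

# 1. Which names resolve over DNS alone, and which only over NetBIOS/LLMNR?
$checks = @(
    Test-Resolution -Name $ChildFqdn -Path DnsOnly
    Test-Resolution -Name $ShortName -Path DnsOnly
    Test-Resolution -Name $ShortName -Path LlmnrNetbiosOnly
)
$checks | Format-Table -AutoSize

# 2. Workaround from the post: A record in the parent zone, then flush caches.
if ($ApplyWorkaround) {
    Add-DnsServerResourceRecordA -ComputerName $DnsServers[0] -ZoneName $Zone `
        -Name $ShortName -IPv4Address $Address
    foreach ($server in $DnsServers) {
        Clear-DnsServerCache -ComputerName $server -Force
    }
    Clear-DnsClientCache    # same effect as ipconfig /flushdns
    Test-Resolution -Name "$ShortName.$Zone" -Path DnsOnly | Format-Table -AutoSize
    dcdiag /e /v /test:DNS /f:output.txt
}
```

If the NetBIOS explanation holds, the short name should resolve over LlmnrNetbiosOnly when the script is run on SiteB-DC03 but not when it is run on SiteA-DC01 or SiteA-DC02.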