We have one domain and two domain controllers (on Windows Server 2008 Enterprise).
For about a week, we have had enormous problems: some users can’t log in to Windows (domain could not be contacted). Sometimes a restart of Windows helps, but mostly it doesn’t.
As administrator, I can’t log in to DC0; on DC1 I can. The other administrator, for example, can log in to both DCs.
I attached dcdiag /test:dns for both DCs. DC0:
    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = DC0
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\DC0
          Starting test: Connectivity
             ......................... DC0 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\DC0
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... DC0 passed test DNS

       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : our_domain

       Running enterprise tests on : our_domain.si
          Starting test: DNS
             Test results for domain controllers:

                DC: DC0.our_domain.si
                Domain: our_domain.si

                   TEST: Records registration (RReg)
                      Network Adapter [00000006] Intel(R) PRO/1000 MT Network Connection:
                         Warning: Missing AAAA record at DNS server 193.77.60.214: gc._msdcs.our_domain.si
                      Warning: Record Registrations not found in some network adapters

             DC0 PASS PASS PASS PASS PASS WARN n/a
             ......................... our_domain.si passed test DNS
DC1:
    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = DC1
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\DC1
          Starting test: Connectivity
             ......................... DC1 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\DC1
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... DC1 passed test DNS

       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : our_domain

       Running enterprise tests on : our_domain.si
          Starting test: DNS
             Test results for domain controllers:

                DC: DC1.our_domain.si
                Domain: our_domain.si

                   TEST: Dynamic update (Dyn)
                      Warning: Failed to add the test record _dcdiag_test_record in zone our_domain.si

                   TEST: Records registration (RReg)
                      Network Adapter [00000006] Intel(R) PRO/1000 MT Network Connection:
                         Warning: Missing AAAA record at DNS server 193.77.60.213: DC1.our_domain.si
                         Warning: Missing AAAA record at DNS server 193.77.60.213: gc._msdcs.our_domain.si
                         Warning: Missing AAAA record at DNS server 193.77.60.214: DC1.our_domain.si
                         Warning: Missing AAAA record at DNS server 193.77.60.214: gc._msdcs.our_domain.si
                      Warning: Record Registrations not found in some network adapters

             DC1 PASS PASS PASS PASS WARN WARN n/a
             ......................... our_domain.si passed test DNS
Here are the IPs for DC0 and DC1 – they are all right (why are there so many?):
Here is ‘ipconfig /all’ on DC0:
Answer
There are a couple of glaring problems here:
- Your Domain Controller that you’ve screenshotted is multi-homed. This is a problem. There is usually not a good reason to do this, and there are special considerations to take in regards to DNS registration, etc. Have you followed these? I’m assuming not. Really consider redesigning your network to not multihome your DCs.
- Your DCs are using themselves first for DNS resolution. This can lead to a replication island like you’re experiencing. They should use each other first and themselves (127.0.0.1) second.
- That 193 address that you’ve provided is a publicly routable IP. There is absolutely no reason that a Domain Controller should be Internet accessible. This in and of itself isn’t going to break what you’re seeing, but it’s a huge security issue that you should fix ASAP.
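An audit script for the three points above, added here as an example and not part of the question or of MDMarra's answer. It assumes it is run on each DC with the other DC's address passed as -PartnerDnsServer (an assumed parameter name), and uses WMI so it also works on Windows Server 2008, which has no DnsClient module.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$PartnerDnsServer  # IP of the other DC (assumed input)
)

function Test-IsPrivateIPv4([string]$Ip) {
    # RFC 1918 ranges plus loopback; anything else is treated as publicly routable
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 127) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# Win32_NetworkAdapterConfiguration is available on Server 2008 (no DnsClient module needed)
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")
$findings = @()

# 1. Multi-homing: a DC should normally have exactly one IP-enabled adapter
if ($adapters.Count -gt 1) {
    $names = ($adapters | ForEach-Object { $_.Description }) -join '; '
    $findings += "Multi-homed: $($adapters.Count) IP-enabled adapters ($names)"
}

foreach ($a in $adapters) {
    $ownIps = @($a.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $dns    = @($a.DNSServerSearchOrder | Where-Object { $_ })

    # 2. DNS client order: partner DC first, loopback second, never itself first
    if ($dns.Count -eq 0) {
        $findings += "$($a.Description): no DNS servers configured"
    } elseif ($dns[0] -eq '127.0.0.1' -or $ownIps -contains $dns[0]) {
        $findings += "$($a.Description): points to itself first ($($dns[0])); expected $PartnerDnsServer first, 127.0.0.1 second"
    } elseif ($dns[0] -ne $PartnerDnsServer) {
        $findings += "$($a.Description): first DNS server is $($dns[0]), expected partner DC $PartnerDnsServer"
    }

    # 3. Publicly routable addresses bound to a DC interface
    foreach ($ip in $ownIps) {
        if (-not (Test-IsPrivateIPv4 $ip)) {
            $findings += "$($a.Description): $ip is publicly routable; a DC should not be reachable from the Internet"
        }
    }
}

if ($findings.Count -eq 0) { "No issues found" } else { $findings }

# To correct the DNS order on an adapter (run as administrator; adapter name from 'ipconfig /all'):
#   netsh interface ip set dns name="Local Area Connection" static <partner DC IP>
#   netsh interface ip add dns name="Local Area Connection" 127.0.0.1 index=2
```

Run it once on DC0 with DC1's address and once on DC1 with DC0's address; after changing the DNS order, re-run dcdiag /test:dns to confirm the dynamic update warning clears.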
Attribution
Source: Link, Question Author: user1452932, Answer Author: MDMarra