Our network of Windows 2003 and Windows 2008 servers suddenly has DNS issues. There are 7 DCs: two at our main office and one at each branch site (one branch has two, a 2008R2 and a WIN2K3). Only two are WIN2008R2. Running DCDIAG on the WIN2K3 at the main site (DC1) reports no issues. Running it at any branch site reports two issues; all other tests pass. The server DC1 can be pinged by name from any site.
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Netdom.exe /query DC reports the expected servers.
netdom query fsmo
This reports that the server at the main office holds the following roles:
* Schema owner
* Domain role owner
* PDC role
* RID pool manager
* Infrastructure owner
In the DNS management snap-in, DC1 appears as a DNS server but does not appear in
_msdcs-dc-_sites-Default-First-Site-Name-_TCP
There is no _ldap or _kerberos record pointing to DC1.
Same issue in _msdcs-dc-_sites- -_TCP
Again there is no _ldap or _kerberos record pointing to DC1.
Under Domain DNS Zones there is no entry for the server. This is the case for any _tcp folder in the DNS.
The server DC1 appears correctly as a name server in the Reverse Lookup Zone. There is a Host(A) record for DC1 but in the Forward Lookup Zone there is no (same as parent folder) Host(A) for the DC1 server but such an entry exists for the other DCs at branch sites and the other DC at the main office.
We have tried stopping and starting the netlogon service, restarting DNS and also dcdiag /fix.
Netdiag reports error:
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'XXX' is broken. [ERROR_NO_LOGON_SERVERS]
[WARNING] Failed to query SPN registration on DC (one entry for each branch DC)
All branches list the problem server and it can be pinged by name from any branch.
Fixing is the number one priority, but I would also like to determine the cause.
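The symptoms above (missing _ldap/_kerberos SRV records for DC1 under _msdcs, and dcdiag's FsmoCheck failing with DcGetDcName(PDC_REQUIRED) error 1355) can be checked from one place rather than by browsing the DNS snap-in. The following PowerShell is an added example, not part of the original question or answers. It assumes a Windows 8 / Server 2012 or later host with the DnsClient module (Resolve-DnsName); the domain, DC names and DNS server below are placeholders to replace with the output of netdom query fsmo and your own DC list.

```powershell
# Added example (not from the original post). Checks that every DC in the list
# has the SRV records a domain controller registers under the domain and under
# _msdcs, and that the PDC record points at the expected FSMO holder.
# Assumption: Resolve-DnsName is available (Windows 8 / Server 2012 or later).
param(
    [string]$Domain    = 'corp.example',                      # placeholder
    [string]$PdcFqdn   = 'dc1.corp.example',                  # placeholder: holder from "netdom query fsmo"
    [string[]]$DcFqdns = @('dc1.corp.example','dc2.corp.example','branch1.corp.example'),
    [string]$DnsServer = 'dc2.corp.example'                   # placeholder: DNS server to query
)

function Get-SrvTargets {
    param([string]$Name, [string]$Server)
    try {
        # Resolve-DnsName also returns the additional A records; keep only SRV answers
        Resolve-DnsName -Name $Name -Type SRV -Server $Server -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    } catch {
        @()   # NXDOMAIN or server failure: treat as "no targets registered"
    }
}

# Records Netlogon registers for every DC (the generic and the dc._msdcs variants)
$checks = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

$report = @(foreach ($record in $checks) {
    $targets = Get-SrvTargets -Name $record -Server $DnsServer
    foreach ($dc in $DcFqdns) {
        [pscustomobject]@{
            Record     = $record
            DC         = $dc
            Registered = ($targets -contains $dc.ToLower())
        }
    }
})

# The PDC emulator publishes a dedicated record; DcGetDcName(PDC_REQUIRED)
# fails with error 1355 when this lookup returns nothing or the wrong host.
$pdcRecord  = "_ldap._tcp.pdc._msdcs.$Domain"
$pdcTargets = Get-SrvTargets -Name $pdcRecord -Server $DnsServer
$report += [pscustomobject]@{
    Record     = $pdcRecord
    DC         = $PdcFqdn
    Registered = ($pdcTargets -contains $PdcFqdn.ToLower())
}

$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Registered })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} expected SRV registration(s) missing; see the table above." -f $missing.Count)
}
```

Run it against each DNS server in turn (vary -DnsServer): a record that is present on one DC's zone copy and absent on another points at a replication problem between those zones rather than at Netlogon on DC1, while a record missing everywhere points at DC1's own registration (its %SystemRoot%\System32\config\netlogon.dns file lists exactly what it tried to register).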
I would check DNS and make sure that the branch offices have the correct server listed for the PDC role.
I've seen you have tried restarting the netlogon service. I would try recreating the _msdcs.<domain_name> folder to flush out any oddities.
* netlogon service.
* netlogon.dns.
* netlogon.dnb.
* _msdcs.<zone> folder.
* _msdcs.<zone> folder.
* netlogon service.
Good luck!
As a late thought, have you tried using setspn to determine if you have any duplicate SPN records?
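The setspn suggestion and the netdiag warning "Failed to query SPN registration" both come down to what is registered on each DC's computer account. The PowerShell below is an added example, not part of the original answers; it lists each DC's SPNs with setspn -L, checks for the core SPNs a DC must carry, and then runs setspn -X for a forest-wide duplicate scan. It assumes the setspn.exe that ships with Windows Server 2008 or later (the -X switch does not exist in the 2003 support-tools version) and uses placeholder domain and DC names.

```powershell
# Added example (not from the original answers). Reports missing core DC SPNs per
# domain controller and lists duplicate SPNs across the forest.
# Assumption: setspn.exe with the -X switch (Windows Server 2008 or later).
param(
    [string]$Domain    = 'corp.example',              # placeholder
    [string[]]$DcNames = @('DC1','DC2','BRANCH1')     # placeholder computer account names
)

function Get-RegisteredSpns {
    param([string]$ComputerName)
    # setspn -L prints a header line followed by one indented SPN per line;
    # keep only lines that look like "<service class>/<name>"
    & setspn.exe -L $ComputerName 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9\-]+/' }
}

foreach ($dc in $DcNames) {
    $fqdn = "$dc.$Domain".ToLower()
    $spns = @(Get-RegisteredSpns -ComputerName $dc | ForEach-Object { $_.ToLower() })

    # Minimum set every domain controller registers; LDAP and Kerberos clients
    # fail against the DC when these are missing or registered on another account
    $expected = @(
        "host/$fqdn",
        "ldap/$fqdn",
        "ldap/$fqdn/$($Domain.ToLower())"
    )
    foreach ($spn in $expected) {
        $state = if ($spns -contains $spn) { 'present' } else { 'MISSING' }
        '{0,-10} {1,-8} {2}' -f $dc, $state, $spn
    }
}

# Duplicate SPNs (the same SPN on two accounts) make the KDC unable to pick a
# single account for the service ticket; setspn -X scans the forest for them.
Write-Output ''
Write-Output 'setspn -X (duplicate SPN scan):'
& setspn.exe -X 2>&1 | ForEach-Object { $_.ToString() }
```

A DC with all three core SPNs present but still failing the secure-channel test is more likely to have a DNS or replication problem than an SPN problem; a MISSING line or a duplicate reported by setspn -X narrows the fault to the computer account itself.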