I have a problem in a Windows Domain. About the creation of this domain I can not tell very much - I got this job last month, without proper handover due to illness of the main admin. What I know is the following: we have one domain contoso-5.contoso-hq.old (contoso-hq is not under our control - kind of a wide area network with other companies) with two Domain Controllers, dc01 and dc02 (Windows Server 2003). My predecessor started to build a new Domain contoso.new with Domain Controllers dc04, dc05 (both Windows Server 2012R2, physical servers) and dc06 (Windows Server 2008r2, virtualized on VMware esx). We configured a trust relationship between the two domains.
dc05 is the PDC, DHCP and DNS, dc4 is infrastructure Master, also DNS and failover DHCP.
After starting a monitoring system, I saw a lot of errors on the domain controllers. One that I still can't resolve is only coming on dc04, but appearing exactly every 4 hours and 4 minutes:
This computer was not able to set up a secure session with a domain controller in domain CONTOSO.NEW due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Running dcdiag shows two errors:
Starting test: Advertising
Warning: dc04 is not advertising as a time server.
......................... dc04 failed test Advertising
and
Starting test: LocatorCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... contoso.new failed test LocatorCheck
(all other tests pass).
To the first error: our network connection to the world is very restricted: we have a proxy server that only allows port 80 and 443, all other ports need to be requested at Contoso HQ. So there was never a time sync with an external source. Now I have configured dc05 (PDC) to get time from Contoso HQ-NTP-Server. All other clients and servers are getting the new time from dc05, but not dc04. w32tm /query /status shows:
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 6 (64s)
I already compared the registry entries of dc4 and dc6 (which is getting time from dc05 like it should), they look the same. Also tried w32tm unregister, resync, nothing changed it.
It seems like dc04 does not even recognize dc05 as domain controller. The DNS and DHCP replication is working fine, I can ping dc05 from dc04, nslookup is working from both DCs to internal and external targets. nslookup contoso.new shows the IP addresses of dc4, dc5 and dc6 as addresses.
On dc04 I have another error, I'm not sure if this has something to do with it:
"Name resolution for the name 2.0.0.2.ip6.arpa timed out after none of the configured DNS servers responded."
DNS-Configuration on dc04 is the same as on dc05.
After hours of internet searches my only option now is to remove DC04 from the Domain and reinstall it. But I would be glad if anyone could save me that trouble and has an idea what is going on in my system…
And by the way, if you ask yourself what happened to the dc03… I'm asking myself the same question… could an uncleanly removed DC03 cause these problems?
Thanks for helping!
EDIT
As asked by STTR, here are the results from cmd of a normal client (Win7) (it's a German system, tell me if you need any translations):
"ipconfig /all"
Windows-IP-Konfiguration
Hostname . . . . . . . . . . . . : GPO-TEST-TH
Primäres DNS-Suffix . . . . . . . : domain.com
Knotentyp . . . . . . . . . . . . : Hybrid
IP-Routing aktiviert . . . . . . : Nein
WINS-Proxy aktiviert . . . . . . : Nein
DNS-Suffixsuchliste . . . . . . . : domain.com
Ethernet-Adapter LAN-Verbindung:
Verbindungsspezifisches DNS-Suffix: domain.com
Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physikalische Adresse . . . . . . : xx-xx-xx-xx-xx-xx
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : xxxx::xxxx:e24c:xxxx:xxxx%13(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : xxx.xxx.43.4(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Lease erhalten. . . . . . . . . . : Dienstag, 17. Februar 2015 09:27:00
Lease läuft ab. . . . . . . . . . : Freitag, 20. Februar 2015 09:27:00
Standardgateway . . . . . . . . . : xxx.xxx.43.254
DHCP-Server . . . . . . . . . . . : xxx.xxx.182.69
DHCPv6-IAID . . . . . . . . . . . : 277879566
DHCPv6-Client-DUID. . . . . . . . : xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-18-B6-30
DNS-Server . . . . . . . . . . . : xxx.xxx.182.67 xxx.xxx.182.66 xxx.xxx.80.51
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Tunneladapter isatap.domain.com:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix: domain.com
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter
Physikalische Adresse . . . . . . : xx-xx-xx-xx-xx-xx
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Tunneladapter LAN-Verbindung* 3:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-6zu4-Adapter
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Tunneladapter LAN-Verbindung* 9:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-Teredo-Tunneling-Adapter
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
"nslookup domain.com"
Server: dc04.domain.com
Address: xxx.xxx.182.67
Name: domain.com
Addresses: xxxx:xxxx:xxxx::c1c5:b648 xxxx:xxxx:xxxx::c1c5:b645 xxxx:xxxx:xxxx::c1c5:b643 xxx.xxx.182.72 xxx.xxx.182.69 xxx.xxx.182.67
"net view domain.com"
Freigegebene Ressourcen auf domain.com
Freigabename Typ Verwendet als Kommentar
NETLOGON Platte Logon server share
SYSVOL Platte Logon server share
Der Befehl wurde erfolgreich ausgeführt.
"cd \domain.com\"
"cd \domain.com\SYSVOL\domain.com\"
"cd \domain.com\SYSVOL\domain.com\Policies"
"dsquery server -domain domain.com -isgc"
"nslookup gc._msdcs.domain.com"
Server: dc04.domain.com
Address: xxx.xxx.182.67
Name: gc._msdcs.domain.com
Addresses: xxxx:xxxx:xxxx::c1c5:b643 xxxx:xxxx:xxxx::c1c5:b645 xxx.xxx.182.67 xxx.xxx.182.69
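The dcdiag LocatorCheck failure (error 1355), the w32tm status showing "Source: Local CMOS Clock" with stratum 0, and the 4-hourly secure-channel event all point at the same question: can this DC locate the PDC emulator and sync time from it? The following script is an added diagnostic, not part of the original question or answers; it collects the relevant read-only facts in one run so that AD's view of the PDC, the DC locator, DNS and the time service can be compared side by side. It assumes the domain name contoso.new from the question, the RSAT ActiveDirectory and DnsClient modules of a 2012 R2 DC, and the built-in nltest.exe and w32tm.exe.

```powershell
# Added diagnostic script (not from the original thread). Run in an elevated
# PowerShell on the DC that logs the errors (dc04 in the question).
# Assumptions: domain name below; ActiveDirectory and DnsClient modules present
# (both ship with Server 2012 R2); nltest.exe and w32tm.exe are built in.
$Domain = 'contoso.new'   # assumed from the question

Import-Module ActiveDirectory

# 1. Which host does AD itself record as the PDC emulator?
$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
"PDC emulator according to AD: $pdc"

# 2. Can the DC locator on this machine find it? A failure here reproduces the
#    dcdiag LocatorCheck error 1355 outside of dcdiag. /force bypasses the cache.
nltest "/dsgetdc:$Domain" /pdc /force

# 3. Is the PDC SRV record published in DNS and does it name the same host?
Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# 4. Secure channel of this DC to the domain (DCs keep one to the PDC emulator,
#    as the event text in the question explains). Query only, no reset.
nltest "/sc_query:$Domain"

# 5. Time service: a non-PDC DC should show Type = NT5DS (domain hierarchy) and a
#    source of the PDC. 'Local CMOS Clock' means no sync partner was found.
w32tm /query /source
$w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
"W32Time Type = $($w32.Type); NtpServer = $($w32.NtpServer)"

# 6. Force a hierarchy rediscovery and resync, then read the source again.
w32tm /resync /rediscover
w32tm /query /source
```

If step 1 and step 3 agree on the PDC but step 2 fails, the DC can resolve the record yet cannot talk to the host it names, which points at the network path or a host firewall rather than at DNS or the FSMO roles.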
Please test the commands at a workstation in the domain and add the output to the answer; change the DNS suffix to domain.com in the output:

After a long time and support requests to our official Microsoft support station (where they had no explanation for the problem), I accidentally solved the problem:
I replaced one of the DCs which did not make any problems, but the server was initially built for other purposes, so it was placed in the wrong subnet. And then the same errors as above showed, and a lot more errors about connection errors to the domain. So I placed the server into the right subnet which solved most of the errors, but not all.
So just for testing, I set an inbound rule on the PDC firewall to allow all connections from the new DC - all errors disappeared. Then I did the same thing with the DC which led me to open this thread, and the same thing happened there: the errors stopped.
So it seems to be some kind of wrong firewall setting on the PDC. I will try to find the port causing this error (the default ports for domain controller communication were opened) and report back if I find the little bad guy!
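An allow-all rule from a single DC proves the PDC firewall is the culprit but leaves the actual port unknown, which matters because a broad rule is hard to justify in an audit. The script below is an added example, not code from the thread, that narrows it down from the affected DC without opening anything: it tests each TCP port a DC needs on the PDC emulator (Netlogon RPC over 135 plus a dynamic port, or the Netlogon pipe over SMB 445, then Kerberos, LDAP/GC and DNS), asks the PDC which dynamic ports lsass.exe is currently listening on and tests those too, probes NTP with w32tm, and finally lists the PDC's enabled inbound rules that cover RPC or the dynamic range. It assumes the PDC name dc05.contoso.new from the question, Server 2012 R2 cmdlets (Test-NetConnection, Get-NetTCPConnection, the NetSecurity module), PowerShell remoting enabled on the PDC, and the Windows default dynamic RPC range 49152-65535.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell on
# the DC that logged the errors (dc04), against the PDC emulator.
# Assumptions: PDC name below; Server 2012 R2 cmdlets; PowerShell remoting is
# enabled on the PDC; dynamic RPC range is the Windows default 49152-65535.
$Pdc = 'dc05.contoso.new'   # assumed from the question

# Static TCP ports a DC must reach on the PDC emulator.
$StaticPorts = [ordered]@{
    'RPC endpoint mapper' = 135;  'SMB / Netlogon pipe' = 445
    'Kerberos'            = 88;   'Kerberos kpasswd'    = 464
    'LDAP'                = 389;  'LDAP over SSL'       = 636
    'Global Catalog'      = 3268; 'DNS'                 = 53
}

function Test-Port([string]$Service, [int]$Port) {
    $t = Test-NetConnection -ComputerName $Pdc -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $Service; Port = $Port; Open = $t.TcpTestSucceeded }
}

$report = @(foreach ($e in $StaticPorts.GetEnumerator()) { Test-Port $e.Key $e.Value })

# Netlogon and the other LSA services get their ports from the endpoint mapper,
# so ask the PDC which dynamic ports lsass.exe currently holds and test those.
$lsassPorts = Invoke-Command -ComputerName $Pdc -ScriptBlock {
    $lsass = (Get-Process -Name lsass).Id
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.OwningProcess -eq $lsass -and $_.LocalPort -ge 49152 } |
        Select-Object -ExpandProperty LocalPort -Unique
}
$report += @(foreach ($p in $lsassPorts) { Test-Port 'lsass dynamic RPC' $p })
$report | Format-Table -AutoSize

# NTP is UDP 123, which Test-NetConnection cannot probe; a stripchart against the
# PDC shows whether its time service answers at all.
w32tm /stripchart /computer:$Pdc /samples:3 /dataonly

# Firewall side: enabled inbound rules on the PDC that cover RPC, the endpoint
# mapper or the dynamic range. A missing or disabled rule stands out here.
Invoke-Command -ComputerName $Pdc -ScriptBlock {
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(RPC|RPCEPMap|49152)' } |
        Select-Object DisplayName, Profile, Action
}
```

A port that shows Open = False while the matching built-in rule is absent or disabled is the one to fix with a scoped rule; the dynamic RPC ports are the usual suspect when "the default ports" were opened by number rather than through the predefined Active Directory Domain Services rule group, because 135 alone is not enough for the Netlogon secure channel.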