Active Directory/DNS problem in Windows 2003 network

Q:

I have just upgraded my 2 DC's to Win2003 (I totally recreated Active Directory and did a clean install). I set the first DC up with DNS which seemed to work fine. I then set the 2nd DC up with active directory integrated DNS. That seemed to work fine too and it populated itself and generally looked OK. However, I can't ping anyone on the network from either DC (they can ping themselves quite happily though). The primary DC has itself as the preferred DNS server and the secondary DC has the first as preferred and itself as alternative.

I used dcdiag to test DNS on both DC's and they both pass OK, but come up with the following connectivity error which I fear may mean my Active Directory has become corrupt:-

Performing initial setup:
[first DC] Directory Binding Error -2146892976:
Win32 Error -2146892976
This may limit some of the texts that can be performed.
Done gathering initial info.

Doing initial required tests
Testing server: Default-First-Site-Name[first DC]
Starting test: Connectivity
[first DC] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
...................... [first DC] failed test Connectivity

then later on....
Performing initial setup:
* Verifying that the local machine [first DC] is a DC
* Connecting to directory service on server [first DC]
[first DC] Directory Binding Error -2146892976 etc.

On the secondary DC the error is as follows:-

Performing initial setup:
* Verifying that the local machine [second DC] is a DC
* Connecting to directory service on server [second DC]
[second DC] Directory Binding Error -2146892976 etc.

then:-

Doing initial required tests
Testing server: Default-First-Site-Name[second DC]
Starting test: Connectivity
*Active Directory LDAP Services Check
*Active Directory RPC Services Check
[second DC] DsBindWithSpnEx() failed with error -2146892976
Win32 Error -214etc.

Further down on both it says "Root zone on this DC/DNS server was not found" but everything else passes ok.

In the event viewer of the first DC there haven't really been any problems reported, but today I had the following "DCOM was unable to communicate with the computer [gateway address] using any of the configured protocols."

I also had "The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error".

And "The Secutiry System detected an authentication error for the server host/[second DC]. The failure code from the authentication protocol Kerberos was "The handle specified is invalid (0x80090301)" Plus the same error for the first DC. and the same error for the LDAP _msdcs.domain.local.

I have also found that the Help & Support Service has not been installed on my first DC (its fine on the 2nd) so I can't click on an error and get help for it.

I'm beginning to think I might have to re-install the first DC but would really like to avoid it. After all my ramblings, does anyone have a clue what's going on with my system?

Thanks

ASKED: Sep 5 2005 5:38 AM GMT

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

RELATED QUESTIONS

A:

RATE THIS ANSWER

0
Click to Vote:

0
0

It's a simple thing , but did you check that the TCP/IP configuration is correct? It almost looks like a subnet mask is wrong on the systems. The next thing is to check that the servers are actually domain controllers. If you rebuilt the first system and it wasn't completely a domain controller prior to the second system being built, you could have this type of issue. The systems would not be part of a real domain. Check to see that the SYSVOL share has been created on the first domain controller. You can also check the FRS event log to see that the Replication Service is no longer preventing this system from being a domain controller. You may need to reboot the first domain controller to kick it into action. Once you get the first domain controller fully into domain controller operation, I would demote and promote the second domain controller to make sure the process completes properly.

If you have not applied any service pack you could do a repair on the first domain controller to make sure that all of the files are back in place. This would help with the Help File missing - and anything else that might be missing. Then apply all of the service packs and patches. Don't forget to do the same SP's and patches on the second domain controller immediately after the first one is completed and operational again.

Good Luck

Last Answered: Sep 5 2005 12:03 AM GMT by PaulHinsberg

0 pts.

View History

A:

It's a simple thing , but did you check that the TCP/IP configuration is correct?  It almost looks like a subnet mask is wrong on the systems.  The next thing is to check that the servers are actually domain controllers. If you rebuilt the first system and it wasn't completely a domain controller prior to the second system being built, you could have this type of issue.  The systems would not be part of a real domain.  Check to see that the SYSVOL share has been created on the first domain controller.  You can also check the FRS event log to see that the Replication Service is no longer preventing this system from being a domain controller. You may need to reboot the first domain controller to kick it into action. Once you get the first domain controller fully into domain controller operation, I would demote and promote the second domain controller to make sure the process completes properly.

If you have not applied any service pack you could do a repair on the first domain controller to make sure that all of the files are back in place. This would help with the Help File missing - and anything else that might be missing.  Then apply all of the service packs and patches. Don't forget to do the same SP's and patches on the second domain controller immediately after the first one is completed and operational again.

Good Luck

RSS - Discussions Help

Discuss This Answer:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Ozraelised 5 pts. | Sep 6 2005 3:41AM GMT

You need to check your setting in the DNS and see if you move the “.” from the root of the dns.

Must configure the tcp/ip setting on the accounts.

Try and change one of the client name and register it to the active directory and the dns. If you are unable to do this you must have some tcp/ip problems

kbinger 0 pts. | Sep 7 2005 9:32AM GMT

I would uninstall & then re-insall DNS. It sounds like your root “.” is missing. Also, to illiminate a network issue, are you able to ping the servers by their IP Addresses?

PaulieEddie 0 pts. | Sep 7 2005 12:10PM GMT

Regarding the Root DNS zone… the root zone generally should not exist - as long as the root hints is configured on the system. The only time a Root Zone the “.” zone should exist if the Active Directory is a completely closed system and you will not be access the Internet. The existence of the root zone says to DNS that this is a ROOT SERVER for all of the hierarchy. I have used this in enclosed test labs, but as a production network that utilizes Internet access it does not work well. The problem could be that the root hints, which points to the legitamit Internet servers that house the framework of the .com/.net/.whatever world, is missing. This can easily be corrected. Here is a white paper on DNS information that discusses this topic and steps through corrective measures.

<a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;323380#XSLTH4139121122120121120120" title="http://support.microsoft.com/default.aspx?scid=kb;en-us;323380#XSLTH4139121122120121120120" target="_blank">http://support.microsoft.com/default.asp…</a>

Paul

Ask a Question

Browse IT Answers by Topic