Cannot find a primary authoritative DNS server

  • Cannot find a primary authoritative DNS server

    Hi all. New to the forum although I reference it quite a bit. This is puzzling me, and I don't know how to resolve it. After a server restart, or sometimes just coming in to work first thing, authentication into the server using AD credentials for a domain admin on that server fails. Other users also regularly fail to authenticate in the morning. There is absolutely no reason I can see for this.

    So I ran netdiag and everything checks out except for this:

    DNS test . . . . . . . . . . . . . : Failed
    [WARNING] Cannot find a primary authoritative DNS server for the name
    'kwve-pdm-serv01.kwve.cccm.lan.'. [ERROR_TIMEOUT]
    The name 'kwve-pdm-serv01.kwve.cccm.lan.' may not be registered in DNS.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '172.16.3.89'. Please wait for 30 minutes for DNS server replication.
    [FATAL] No DNS servers have the DNS records for this DC registered.

    Now after getting this, I TORE DOWN COMPLETELY my DNS for this domain and recreated it from scratch. STILL I get this error! Shouldn't Windows Server 2003's own DNS wizard be able to properly create its own DNS?? Why is it many people can connect one day and fail the next, until I run ipconfig /flushdns then ipconfig /registerdns and suddenly they can log in again? I need to get this working without a hitch and heretofore nothing in these forums has really helped, except to assure me that AD DNS is a fricking nightmare, even if I am doing nothing special.

    The primary DNS for my clients and the server are in fact the IP of the server itself. I am running a second adapter connected to another LAN, but there is no router or DNS configured for that adapter. It is just for connectivity to that LAN segment. But even if that were a problem from the server, it doesn't explain why users are not authenticating until I flush their DNS cache. This server KWVE is a subdomain of CCCM. The FQDN is kwve-pdm-serv01.kwve.cccm.lan. Pings work, but authentication does not, at least until I flush the DNS cache.

    Frankly I am at a complete loss here. AD needs to be absolutely reliable, and I cannot for the life of me make it so.

    Thanks for any help anyone can give.
    Last edited by slylabs13; 11th October 2010, 22:35. Reason: Not complete

  • #2
    Re: Cannot find a primary authoritative DNS server

    Hi,

    What I understand from your description is that users are unable to authenticate at certain times unless you go ahead and do the workaround.

    Can you get me ipconfig /all from the client, the DC and the DNS server [in case your DC is also serving as DNS]?

    How are your AD and DNS set up [network topology]?

    Additionally, is this your domain kwve.cccm.lan, and which server is 'kwve-pdm-serv01.kwve.cccm.lan'?
    The error states: No DNS servers have the DNS records for this DC registered.

    What is the purpose of the second NIC and the different LAN connection to the DC? Have you specified DNS on it, and checked other options like 'register in DNS'? If yes, remove those options and check your binding order. The primary NIC needs to be on top.
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points

    • #3
      Re: Cannot find a primary authoritative DNS server

      Originally posted by v-2nas:
      Hi,

      What I understand from your description is that users are unable to authenticate at certain times unless you go ahead and do the workaround.

      Can you get me ipconfig /all from the client, the DC and the DNS server [in case your DC is also serving as DNS]?

      How are your AD and DNS set up [network topology]?

      Additionally, is this your domain kwve.cccm.lan, and which server is 'kwve-pdm-serv01.kwve.cccm.lan'?
      The error states: No DNS servers have the DNS records for this DC registered.

      What is the purpose of the second NIC and the different LAN connection to the DC? Have you specified DNS on it, and checked other options like 'register in DNS'? If yes, remove those options and check your binding order. The primary NIC needs to be on top.
      The DNS for the client is the forest master controller cccm.lan 172.16.0.5, and it has the DNS for kwve.cccm.lan incorporated into its DNS. This way I can have a single DNS that the DHCP server hands out to everyone without making individual edits to everyone's ethernet adapter.

      The reason that I have a second adapter is so that I can connect to another isolated LAN for the Radio Station. The people who write the software that runs the digital consoles were adamant about being on an isolated network with limited or no access to the internet. But people who work every day with the internet need access to the shares with the logs so they can generate billings and such, and query for commercial spots played etc.

      I already have made the primary NIC the one on top, and I have also set up the metrics of the adapters so that the primary NIC has the lower metric, making it the default adapter. But since the secondary adapter does not have a router configured, Windows will use the primary first anyway.

      FYI I tore down DNS on the KWVE server and recreated it after I removed KWVE from the master PDC. Now both DNS seem to be registering correctly. I am still getting the error in netdiag, but people seem to be able to log on consistently now. No one in any of the tech blogs seems to know why this is happening. The records that everyone says must not be there are in fact there. I think this is some kind of bug with MS DNS.

      IPCONFIG for the client:
      C:\WINDOWS\system32>ipconfig /all

      Windows IP Configuration

      Host Name . . . . . . . . . . . . : CRN-ACCT01
      Primary Dns Suffix . . . . . . . : kwve.cccm.lan
      Node Type . . . . . . . . . . . . : Unknown
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : kwve.cccm.lan
                                          cccm.lan

      Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
      Physical Address. . . . . . . . . : 00-21-9B-83-2D-00
      Dhcp Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IP Address. . . . . . . . . . . . : 172.16.3.41
      Subnet Mask . . . . . . . . . . . : 255.255.0.0
      Default Gateway . . . . . . . . . : 172.16.0.7
      DHCP Server . . . . . . . . . . . : 172.16.200.1
      DNS Servers . . . . . . . . . . . : 172.16.0.5
                                          206.13.28.12
      Lease Obtained. . . . . . . . . . : Friday, October 15, 2010 8:00:10 AM
      Lease Expires . . . . . . . . . . : Saturday, October 16, 2010 8:00:09 AM

      IPCONFIG for the server:
      Windows IP Configuration

      Host Name . . . . . . . . . . . . : kwve-pdm-serv01
      Primary Dns Suffix . . . . . . . : kwve.cccm.lan
      Node Type . . . . . . . . . . . . : Unknown
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : cccm.lan

      Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : Realtek RTL8029(AS)-based Ethernet Adapter (Generic)
      Physical Address. . . . . . . . . : 00-1C-42-CC-80-03
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 172.16.3.89
      Subnet Mask . . . . . . . . . . . : 255.255.0.0
      Default Gateway . . . . . . . . . : 172.16.0.7
      DNS Servers . . . . . . . . . . . : 172.16.3.89

      Ethernet adapter Local Area Connection 2:

      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : Realtek RTL8029(AS)-based Ethernet Adapter (Generic) #2
      Physical Address. . . . . . . . . : 00-1C-42-8C-5F-20
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.1.99
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . :
      DNS Servers . . . . . . . . . . . : 192.168.1.99
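As an added example, not code from this thread, here is a small Python check over the two ipconfig /all listings posted above: it parses each adapter's resolver list and flags what a domain member should not have, namely a public resolver, an address that is not one of the AD DNS servers, and a multihomed host whose adapters point at different DNS servers (the question post #5 raises). The set of AD DNS servers is an assumption taken from the addresses quoted in the thread, and the sample text is a constructed excerpt of the posted output.

```python
import re
from ipaddress import ip_address

# Constructed excerpts of the "ipconfig /all" output posted above (only the lines needed).
CLIENT_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 172.16.3.41
   DNS Servers . . . . . . . . . . . : 172.16.0.5
                                       206.13.28.12
"""
SERVER_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 172.16.3.89
   DNS Servers . . . . . . . . . . . : 172.16.3.89
Ethernet adapter Local Area Connection 2:
   IP Address. . . . . . . . . . . . : 192.168.1.99
   DNS Servers . . . . . . . . . . . : 192.168.1.99
"""
# Assumption: the only resolvers a member of this domain should use are the two DCs
# named in the thread (forest root DC and the kwve DC's primary address).
AD_DNS_SERVERS = {"172.16.0.5", "172.16.3.89"}
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {"ip": str, "dns": [str, ...]}} from ipconfig /all text."""
    adapters, cur, last = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Ethernet adapter ") and s.endswith(":"):
            cur = {"ip": None, "dns": []}
            adapters[s[len("Ethernet adapter "):-1]] = cur
            last = None
            continue
        if cur is None:          # still in the global "Windows IP Configuration" part
            continue
        m = KEY_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            last = key
            if key == "IP Address":
                cur["ip"] = val
            elif key == "DNS Servers" and val:
                cur["dns"].append(val)
        elif last == "DNS Servers" and s:   # extra resolvers are printed on indented lines
            cur["dns"].append(s)
    return adapters


def audit(adapters, ad_dns=AD_DNS_SERVERS):
    """Flag resolver settings that make AD name resolution (and so logon) intermittent."""
    findings, seen = [], set()
    for name, a in adapters.items():
        for dns in a["dns"]:
            seen.add(dns)
            if not ip_address(dns).is_private:
                findings.append(f"{name}: {dns} is a public resolver, not an AD DNS server")
            elif dns not in ad_dns:
                findings.append(f"{name}: {dns} is not a known AD DNS server address")
    if len(adapters) > 1 and len(seen) > 1:   # multihomed host, as discussed in post #5
        findings.append("adapters use different DNS servers: " + ", ".join(sorted(seen)))
    return findings
```

Run `audit(parse_ipconfig(CLIENT_IPCONFIG))` and the same for the server text; on the client it reports the public 206.13.28.12 entry, on the server the 192.168.1.99 resolver on the second adapter and the mismatch between the two adapters.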

      • #4
        Re: Cannot find a primary authoritative DNS server

        Can you run netdiag /fix and dcdiag /fix,
        and then just upload the netdiag and dcdiag outputs?
        Thanks & Regards
        v-2nas

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
        Blog: http://www.exchadtech.blogspot.com

        Show your appreciation for my help by giving reputation points

        • #5
          Re: Cannot find a primary authoritative DNS server

          Your initial error seems to say that the record is not registered on 172.16.3.89 - this is the IP address of one of your secondary NICs.

          Is DNS listening on both adaptors?

          Maybe decide on one adaptor, and then set the DNS server on the second to be the same as the first.

          (Or, set them all to 127.0.0.1.)

          I don't think this is a DNS bug, I think it's something in your network configuration... I just can't put my finger on it yet.
          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

          • #6
            Re: Cannot find a primary authoritative DNS server

            Well this is interesting. I ran netdom query fsmo and got this:

            Schema owner             cccm-serv2.cccm.lan
            Domain role owner        cccm-serv2.cccm.lan
            PDC role                 kwve-pdm-serv01.kwve.cccm.lan
            RID pool manager         kwve-pdm-serv01.kwve.cccm.lan
            Infrastructure owner     kwve-pdm-serv01.kwve.cccm.lan

            I find this unusual. Shouldn't the primary DC for kwve.cccm.lan ALSO be the Schema owner and the Domain role owner?? Or is this the way it works for forests, where the parent owns those roles?

            Bob

            • #7
              Re: Cannot find a primary authoritative DNS server

              Schema and domain are forest-wide, so only the first DC will hold those roles for the entire forest; the other three are domain-wide, which means each domain will have those three roles.
              Thanks & Regards
              v-2nas

              MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
              Sr. Wintel Eng. (Investment Bank)
              Independent IT Consultant and Architect
              Blog: http://www.exchadtech.blogspot.com

              Show your appreciation for my help by giving reputation points

              • #8
                Re: Cannot find a primary authoritative DNS server

                Originally posted by v-2nas:
                Schema and domain are forest-wide, so only the first DC will hold those roles for the entire forest; the other three are domain-wide, which means each domain will have those three roles.
                Hi and thanks for the replies. Well it looks like no one anywhere has been able to solve this without tearing down AD and starting over as a standalone AD. I think this is a very real bug in AD. This has happened to almost every 2003 AD I have ever set up. To my mind, the only ones this has NOT happened to are ones I have upgraded from 2000.

                Nothing special was done to this AD server. At one point I had a replica, but that got taken down by someone else, and I have already followed the instructions for removing old schema data from AD using this article: support.microsoft.com/kb/216498

                I also followed the very good article about how to repair AD DNS hosted on these forums, also to no avail. Everything that everyone says should be there, IS there. It is all correct. And yet, I still throw these errors in netdiag and dcdiag.

                Okay so now my rant. I think that MS should NEVER have made AD authentication critically dependent on DNS. WHY? What is the point? What do you gain? If I can PING the FQDN of a DC then I should d*mn well be able to log into it with the right credentials!

                My strong opinion on all of this is that if Microsoft is not capable of properly setting up their own AD DNS, then there is something very very wrong with their software. Virgin installs of Server 2003 should NOT EVER have ANY problems WHATSOEVER. Period. There is no arguing that point. If they do, and I have to pay someone to come fix it, or pay Microsoft for training on how to fix it, then it makes me feel like I paid MS to make me pay them more. I feel like I have been cheated.

                Further, no configuration changes that can cause AD DNS to begin to malfunction (and therefore reject logins) should be allowed. EVER. I know this sounds simplistic, but I have a saying: When a few users have a problem with your software, it's the users. When LOTS of people have the same problems with your software, IT'S THE DEVELOPER! And LOTS of people are having this particular problem.

                Thanks for putting up with my rants. Microsoft needs to get its act together. I am on the verge of tearing down every AD forest I have and only using standalone servers for everything. And by the way, if you doubt my point of view, try actually reading through every AD fix-it article Microsoft puts out, and then see all the unsolved issues on all the tech forums. You will begin to see things my way.

                Bob

                • #9
                  Re: Cannot find a primary authoritative DNS server

                  May I see a "route print" from the server??

                  • #10
                    Re: Cannot find a primary authoritative DNS server

                    Originally posted by Alehva:
                    May I see a "route print" from the server??
                    Sure if you think it will help. Here you go: (sorry it doesn't parse columns very well)

                    IPv4 Route Table
                    ===========================================================================
                    Interface List
                    0x1 ........................... MS TCP Loopback interface
                    0x10003 ...00 1c 42 8c 5f 20 ...... Realtek RTL8029(AS)-based Ethernet Adapter (Generic) #2
                    0x10004 ...00 1c 42 cc 80 03 ...... Realtek RTL8029(AS)-based Ethernet Adapter (Generic)
                    ===========================================================================
                    ===========================================================================
                    Active Routes:
                    Network Destination          Netmask          Gateway        Interface  Metric
                                0.0.0.0          0.0.0.0       172.16.0.7      172.16.3.89      10
                              127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
                             172.16.0.0      255.255.0.0      172.16.3.89      172.16.3.89      10
                            172.16.3.89  255.255.255.255        127.0.0.1        127.0.0.1      10
                         172.16.255.255  255.255.255.255      172.16.3.89      172.16.3.89      10
                            192.168.1.0    255.255.255.0     192.168.1.99     192.168.1.99      20
                           192.168.1.99  255.255.255.255        127.0.0.1        127.0.0.1      20
                          192.168.1.255  255.255.255.255     192.168.1.99     192.168.1.99      20
                              224.0.0.0        240.0.0.0      172.16.3.89      172.16.3.89      10
                              224.0.0.0        240.0.0.0     192.168.1.99     192.168.1.99      20
                        255.255.255.255  255.255.255.255      172.16.3.89      172.16.3.89       1
                        255.255.255.255  255.255.255.255     192.168.1.99     192.168.1.99       1
                    Default Gateway:        172.16.0.7
                    ===========================================================================
                    Persistent Routes:
                      None

                    • #11
                      Re: Cannot find a primary authoritative DNS server

                      This may also be of interest. I ran nslookup and got this:

                      C:\Documents and Settings\cccmadmn.KWVE>nslookup
                      Default Server: kwve-pdm-serv01.kwve.cccm.lan
                      Address: 172.16.3.89

                      > name
                      Server: kwve-pdm-serv01.kwve.cccm.lan
                      Address: 172.16.3.89

                      *** kwve-pdm-serv01.kwve.cccm.lan can't find name: Non-existent domain
                      >

                      If I could send screen shots I could show you that the domain does in fact exist! Is it possible that some kind of malware altered the SID of the server?

                      • #12
                        Re: Cannot find a primary authoritative DNS server

                        It's OK, why should an external DNS know anything about your internal servers? It shouldn't.
                        Could you describe the LAN branches a little bit more?
                        I think there is a possibility to disable DNS listening on one network interface.

                        • #13
                          Re: Cannot find a primary authoritative DNS server

                          Originally posted by Alehva:
                          It's OK, why should an external DNS know anything about your internal servers? It shouldn't.
                          Could you describe the LAN branches a little bit more?
                          I think there is a possibility to disable DNS listening on one network interface.
                          Why would it?? External DNS should NOT be part of the TCP/IP configuration on a server adapter.

                          And it's irrelevant if DNS is listening on all adapters or just one. The output of netdiag is indicating that there is NO RECORD for the domain kwve.cccm.lan, when in fact there IS. Everything is right, according to everything I have read, and still it throws errors.

                          No disrespect intended, but I think you are barking up the wrong tree here. The problem is that DNS is failing, and therefore AD logins are failing, and this has been happening since I first built the server from the ground up. Certain things have helped the login issue, like shortening the time between policy reloads, and a couple other things, but nothing is solving this problem, that netdiag throws errors, and the /fix option fails because it says it cannot find an authoritative DNS server for the domain. That is of course impossible, because the DNS is running on the same machine as AD and all the right records are right there.

                          It's more like the DNS server is not responding to netdiag, refusing for some reason to talk to the process.

                          • #14
                            Re: Cannot find a primary authoritative DNS server

                            Okay, well I found out what the nslookup problem was. They do not want you to type NAME (as the help suggests) but rather they want you to type the NAME OF THE DEVICE! DOH! DOS Help Vagaries strike again! Still no love on the netdiag though.
