Troubleshooting a special case for DC and DNS servers

Â

“My DC is online, the TCP/IP it´s OK, the DNS service running but I still cannot make a valid connection with AD!

This is a problem that can be present in many ways. The most common example is: you have your DC completely configure for Active Directory, the DNS server too, and you try to join a workstation to your domain and the following error appears:

An Active Directory Domain Controller for the domain [yourdomain.com] could not be contacted.
Ensure that the domain name is typed correctly
(…)

First of all, the obvious: Check that the connectivity is working fine… the DNS server and the DC both of them responds to PING requests. It’s most likely that if you cannot connect to the domain, the PING requests for the FQDN (such as: ping dcname.yourdomain.com or ping yourdomain.com) will not respond as well… but with the IP parameter should be working… if it’s not, then there’s definitely a connectivity problem, a bad TCP/IP configuration or a firewall within the way .

Well, let’s see, this is a problem that can really make you nuts trying to solve it.

Let’s assume that you have the correct configuration in your DC and workstations. If you have a DHCP server in you network, check that he is doing his job… giving the correct IP address for the workstations, the subnet mask, the DNS server and the other parameters that you are using.

DCDIAG really? Can that help me?

One of the possible reasons of your problem is that DC didn’t register himself in the DNS for let the AD know that he is a valid domain controller. To do that, use the DCDIAG tool (included in the Windows 2003 Support Tools) as it follows:

dcdiag /test:registerindns /dnsdomain:yourdomain.com /v

Where yourdomain.com is the complete FQDN of your domain

If everything goes ok, you will get a message like this:

Using NSLOOKUP

NSLOOKUP is a very helpful utility to test the name resolution in a DNS server. You’ll use this tool to check the SRV (service) records are in place for the correct functionality of Active Directory.
Type in the command line nslookup and press enter. You will probably find a message like this:

“*** Can’t find name server for the address : Non-existent domain”, don’t worry about it. This happens when you don’t have set any PTR (or reverse records) in your DNS server, to resolve IP address in names.

Carry on then, at nslookup (“>”) prompt type:

set q=srv press enter.

Then type: _ldap._tcp.dc._msdcs.yourdomain.com

Again, sometimes because you don’t have any PTR records you may find some “time out” messages, but there is nothing vital at this point.

If there is no problem with that, you will see the DNS server name and its IP address… if you don’t, you still have one thing to do.

That thing you never wanted to do… modifying a .dns file

The file that probably will save you is saved in: C:WINDOWSsystem32config and with the name netlogon.dns.

You have to open this file with the notepad and take a look to it, but don’t get frightened! … You will see a bunch of lines that will probably don’t have much sense to you, but one of them we are looking for:

_ldap._tcp.yourdomain.com IN SRV 0 0 389 ldap_server_name
_ldap._tcp.dc._msdcs.yourdomain.com IN SRV 0 0 389 domain_controller_name

The LDAP server name should be the same for the DC server name. So if you are going to manually change this file, use them as the same.

I’m gonna publish some other documents for similar problems. They all are from situations like you lost your only DC and you get back on service an old backup that has a different configuration. Check them too.

Cheers everyone!



Leave a Reply