Demoting Secondary DC - FQDN no longer resolves

Thread starter: kbc (Associate; joined 20 Nov 2004; 1,629 posts; London)

I've just demoted a secondary domain controller, it demoted gracefully. However I am now no longer able to logon to the domain with any of the client machines, the client machines were already hooked onto the FQDN.

I can however join new client machines using the pre-windows 2000 domain name. I ran DCDIAG and NETDIAG and both instances have reported no issues, so I'm in a dilemma here. :confused:
 
Check DNS is working fine. The issue you are seeing looks similar to what people see when they first set up a domain and don't have their clients' DNS pointing to their internal DNS server, i.e. joining works (uses NetBIOS), but login doesn't (uses DNS).

Check your clients can resolve your internal domain and domain controllers by FQDN. Check what they are looking at for DNS.
 
All client machines refer to the primary DC.

It's probably worth mentioning that our secondary domain controller that we have demoted also housed Exchange; we have since moved away from Exchange to an online email service. We are now left with a single domain controller. Prior to this, every time the secondary domain controller suffered downtime, our clients had no ability to log on.

With the secondary DC going down, the FQDN no longer functions. All DNS entries have been checked and have no reference to the secondary DC, am I right in saying that we can no longer use the FQDN?
 
So in essence you had 2 DCs, now you only have 1.

Try nslookups from various clients and see if it resolves, and check the DNS servers using ipconfig /all.

Check the DNS records on the primary DC are correct and updating. Check it isn't forwarding requests to the now dead secondary DC.
 
Here are the nslookup logs, which look correct:

Code:
C:\WINNT\Profiles\Administrator>nslookup abyss.zeus.co.uk
Server:  zeusw2k3dc-01.abyss.zeus.co.uk
Address:  100.100.100.199

Name:    abyss.zeus.co.uk
Address:  100.100.100.199


C:\WINNT\Profiles\Administrator>nslookup
Default Server:  zeusw2k3dc-01.abyss.zeus.co.uk
Address:  100.100.100.199

> set type=srv
> _ldap._tcp.dc._msdcs.abyss.zeus.co.uk
Server:  zeusw2k3dc-01.abyss.zeus.co.uk
Address:  100.100.100.199

_ldap._tcp.dc._msdcs.abyss.zeus.co.uk   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = zeusw2k3dc-01.abyss.zeus.co.uk
zeusw2k3dc-01.abyss.zeus.co.uk   internet address = 100.100.100.199

DCDIAG Results:

Code:
Domain Controller Diagnosis

Performing initial setup:
  * Verifying that the local machine zeusw2k3dc-01, is a DC. 
  * Connecting to directory service on server zeusw2k3dc-01.
  * Collecting site info.
  * Identifying all servers.
  * Identifying all NC cross-refs.
  * Found 1 DC(s). Testing 1 of them.
  Done gathering initial info.

Doing initial required tests
  
  Testing server: Default-First-Site-Name\ZEUSW2K3DC-01
   Starting test: Connectivity
     * Active Directory LDAP Services Check
     * Active Directory RPC Services Check
     ......................... ZEUSW2K3DC-01 passed test Connectivity

Doing primary tests
  
  Testing server: Default-First-Site-Name\ZEUSW2K3DC-01
   Starting test: Replications
     * Replications Check
     * Replication Latency Check
      CN=Schema,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
        Latency information for 9 entries in the vector were ignored.
         9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). 
      CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
        Latency information for 9 entries in the vector were ignored.
         9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). 
      DC=abyss,DC=zeus,DC=co,DC=uk
        Latency information for 9 entries in the vector were ignored.
         9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). 
     ......................... ZEUSW2K3DC-01 passed test Replications
   Test omitted by user request: Topology
   Test omitted by user request: CutoffServers
   Starting test: NCSecDesc
     * Security Permissions check for all NC's on DC ZEUSW2K3DC-01.
     * Security Permissions Check for
      DC=ForestDnsZones,DC=abyss,DC=zeus,DC=co,DC=uk
      (NDNC,Version 2)
     * Security Permissions Check for
      DC=DomainDnsZones,DC=abyss,DC=zeus,DC=co,DC=uk
      (NDNC,Version 2)
     * Security Permissions Check for
      CN=Schema,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
      (Schema,Version 2)
     * Security Permissions Check for
      CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
      (Configuration,Version 2)
     * Security Permissions Check for
      DC=abyss,DC=zeus,DC=co,DC=uk
      (Domain,Version 2)
     ......................... ZEUSW2K3DC-01 passed test NCSecDesc
   Starting test: NetLogons
     * Network Logons Privileges Check
     Verified share \\ZEUSW2K3DC-01\netlogon
     Verified share \\ZEUSW2K3DC-01\sysvol
     ......................... ZEUSW2K3DC-01 passed test NetLogons
   Starting test: Advertising
     The DC ZEUSW2K3DC-01 is advertising itself as a DC and having a DS.
     The DC ZEUSW2K3DC-01 is advertising as an LDAP server
     The DC ZEUSW2K3DC-01 is advertising as having a writeable directory
     The DC ZEUSW2K3DC-01 is advertising as a Key Distribution Center
     The DC ZEUSW2K3DC-01 is advertising as a time server
     The DS ZEUSW2K3DC-01 is advertising as a GC.
     ......................... ZEUSW2K3DC-01 passed test Advertising
   Starting test: KnowsOfRoleHolders
     Role Schema Owner = CN=NTDS Settings,CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
     Role Domain Owner = CN=NTDS Settings,CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
     Role PDC Owner = CN=NTDS Settings,CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
     Role Rid Owner = CN=NTDS Settings,CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
     Role Infrastructure Update Owner = CN=NTDS Settings,CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk
     ......................... ZEUSW2K3DC-01 passed test KnowsOfRoleHolders
   Starting test: RidManager
     * Available RID Pool for the Domain is 8225 to 1073741823
     * zeusw2k3dc-01.abyss.zeus.co.uk is the RID Master
     * DsBind with RID Master was successful
     * rIDAllocationPool is 1725 to 2224
     * rIDPreviousAllocationPool is 1725 to 2224
     * rIDNextRID: 1953
     ......................... ZEUSW2K3DC-01 passed test RidManager
   Starting test: MachineAccount
     Checking machine account for DC ZEUSW2K3DC-01 on DC ZEUSW2K3DC-01.
     * SPN found :LDAP/zeusw2k3dc-01.abyss.zeus.co.uk/abyss.zeus.co.uk
     * SPN found :LDAP/zeusw2k3dc-01.abyss.zeus.co.uk
     * SPN found :LDAP/ZEUSW2K3DC-01
     * SPN found :LDAP/zeusw2k3dc-01.abyss.zeus.co.uk/ZEUS_EXCHANGE
     * SPN found :LDAP/033b73dc-a210-49ce-9a5f-787845575be9._msdcs.abyss.zeus.co.uk
     * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/033b73dc-a210-49ce-9a5f-787845575be9/abyss.zeus.co.uk
     * SPN found :HOST/zeusw2k3dc-01.abyss.zeus.co.uk/abyss.zeus.co.uk
     * SPN found :HOST/zeusw2k3dc-01.abyss.zeus.co.uk
     * SPN found :HOST/ZEUSW2K3DC-01
     * SPN found :HOST/zeusw2k3dc-01.abyss.zeus.co.uk/ZEUS_EXCHANGE
     * SPN found :GC/zeusw2k3dc-01.abyss.zeus.co.uk/abyss.zeus.co.uk
     ......................... ZEUSW2K3DC-01 passed test MachineAccount
   Starting test: Services
     * Checking Service: Dnscache
     * Checking Service: NtFrs
     * Checking Service: IsmServ
     * Checking Service: kdc
     * Checking Service: SamSs
     * Checking Service: LanmanServer
     * Checking Service: LanmanWorkstation
     * Checking Service: RpcSs
     * Checking Service: w32time
     * Checking Service: NETLOGON
     ......................... ZEUSW2K3DC-01 passed test Services
   Test omitted by user request: OutboundSecureChannels
   Starting test: ObjectsReplicated
     ZEUSW2K3DC-01 is in domain DC=abyss,DC=zeus,DC=co,DC=uk
     Checking for CN=ZEUSW2K3DC-01,OU=Domain Controllers,DC=abyss,DC=zeus,DC=co,DC=uk in domain DC=abyss,DC=zeus,DC=co,DC=uk on 1 servers
      Object is up-to-date on all servers.
     Checking for CN=NTDS Settings,CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk in domain CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk on 1 servers
      Object is up-to-date on all servers.
     ......................... ZEUSW2K3DC-01 passed test ObjectsReplicated
   Starting test: frssysvol
     * The File Replication Service SYSVOL ready test 
     File Replication Service's SYSVOL is ready 
     ......................... ZEUSW2K3DC-01 passed test frssysvol
   Starting test: frsevent
     * The File Replication Service Event log test 
     ......................... ZEUSW2K3DC-01 passed test frsevent
   Starting test: kccevent
     * The KCC Event log test
     An Warning Event occured. EventID: 0x80250829
      Time Generated: 05/08/2011  05:32:18
      (Event String could not be retrieved)
     An Warning Event occured. EventID: 0x80250829
      Time Generated: 05/08/2011  05:32:18
      (Event String could not be retrieved)
     An Warning Event occured. EventID: 0x80250829
      Time Generated: 05/08/2011  05:32:18
      (Event String could not be retrieved)
     An Warning Event occured. EventID: 0x80250829
      Time Generated: 05/08/2011  05:32:18
      (Event String could not be retrieved)
     An Warning Event occured. EventID: 0x80250829
      Time Generated: 05/08/2011  05:32:18
      (Event String could not be retrieved)
     ......................... ZEUSW2K3DC-01 failed test kccevent
   Starting test: systemlog
     * The System Event log test
     Found no errors in System Event log in the last 60 minutes.
     ......................... ZEUSW2K3DC-01 passed test systemlog
   Test omitted by user request: VerifyReplicas
   Starting test: VerifyReferences
     The system object reference (serverReference)

     CN=ZEUSW2K3DC-01,OU=Domain Controllers,DC=abyss,DC=zeus,DC=co,DC=uk and

     backlink on

     CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk

     are correct. 
     The system object reference (frsComputerReferenceBL)

     CN=ZEUSW2K3DC-01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=abyss,DC=zeus,DC=co,DC=uk

     and backlink on

     CN=ZEUSW2K3DC-01,OU=Domain Controllers,DC=abyss,DC=zeus,DC=co,DC=uk are

     correct. 
     The system object reference (serverReferenceBL)

     CN=ZEUSW2K3DC-01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=abyss,DC=zeus,DC=co,DC=uk

     and backlink on

     CN=NTDS Settings,CN=ZEUSW2K3DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abyss,DC=zeus,DC=co,DC=uk

     are correct. 
     ......................... ZEUSW2K3DC-01 passed test VerifyReferences
   Test omitted by user request: VerifyEnterpriseReferences
   Test omitted by user request: CheckSecurityError
  
  Running partition tests on : ForestDnsZones
   Starting test: CrossRefValidation
     ......................... ForestDnsZones passed test CrossRefValidation
   Starting test: CheckSDRefDom
     ......................... ForestDnsZones passed test CheckSDRefDom
  
  Running partition tests on : DomainDnsZones
   Starting test: CrossRefValidation
     ......................... DomainDnsZones passed test CrossRefValidation
   Starting test: CheckSDRefDom
     ......................... DomainDnsZones passed test CheckSDRefDom
  
  Running partition tests on : Schema
   Starting test: CrossRefValidation
     ......................... Schema passed test CrossRefValidation
   Starting test: CheckSDRefDom
     ......................... Schema passed test CheckSDRefDom
  
  Running partition tests on : Configuration
   Starting test: CrossRefValidation
     ......................... Configuration passed test CrossRefValidation
   Starting test: CheckSDRefDom
     ......................... Configuration passed test CheckSDRefDom
  
  Running partition tests on : abyss
   Starting test: CrossRefValidation
     ......................... abyss passed test CrossRefValidation
   Starting test: CheckSDRefDom
     ......................... abyss passed test CheckSDRefDom
  
  Running enterprise tests on : abyss.zeus.co.uk
   Starting test: Intersite
     Skipping site Default-First-Site-Name, this site is outside the scope

     provided by the command line arguments provided. 
     ......................... abyss.zeus.co.uk passed test Intersite
   Starting test: FsmoCheck
     GC Name: \\zeusw2k3dc-01.abyss.zeus.co.uk
     Locator Flags: 0xe00001fd
     PDC Name: \\zeusw2k3dc-01.abyss.zeus.co.uk
     Locator Flags: 0xe00001fd
     Time Server Name: \\zeusw2k3dc-01.abyss.zeus.co.uk
     Locator Flags: 0xe00001fd
     Preferred Time Server Name: \\zeusw2k3dc-01.abyss.zeus.co.uk
     Locator Flags: 0xe00001fd
     KDC Name: \\zeusw2k3dc-01.abyss.zeus.co.uk
     Locator Flags: 0xe00001fd
     ......................... abyss.zeus.co.uk passed test FsmoCheck
   Test omitted by user request: DNS
   Test omitted by user request: DNS

This server is a GC, as was the other one. Under Active Directory Sites and Services, we have a default site; a subnet hasn't been defined. I gather replication issues aren't a concern when we're talking about 1 domain controller?
 
Are they able to log on with cached creds? Or was that disabled? Are you getting 'the domain BLAH is unavailable' ? If so, you can presumably log on with NIC detached?

Does zeusw2k3dc-01 have any host entries? Is it referring to localhost for DNS? Do the clients have any host entries? They should all be pointing to dc01 as their single DNS entry. Are you running DHCP from this box? Any oldDC entries being pushed there?
Are there any old SRV entries for the oldDC?

There should be something in the event logs, client-side, that you can go on with; failing that, run TCPView locally and see which app is requesting resources from the oldDC.

It might be worth confirming via 'net share' that SYSVOL and NETLOGON are there although this would have been flagged by DC/Netdiag usually.
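One way to automate the check the replies above describe (confirming that the `_ldap._tcp.dc._msdcs` and `_kerberos._tcp.dc._msdcs` SRV records only point at domain controllers that still exist, and that each target still has an address record in the answer) is to parse the text `nslookup` prints for `set type=srv` queries, as in the log posted earlier in the thread, and flag anything that still advertises the demoted DC. This is an added example, not code from the thread: the domain `corp.example.com`, the hosts `dc01`/`dc02` and the 192.0.2.x addresses are constructed sample data, and the list of DCs known to be alive is something the administrator supplies.

```python
"""Audit AD DC-locator SRV records (as printed by nslookup) for stale DCs.

Added example for this thread. Feed it the output of:
    nslookup
    > set type=srv
    > _ldap._tcp.dc._msdcs.<domain>
    > _kerberos._tcp.dc._msdcs.<domain>
and a list of domain controllers that are known to be alive. Any SRV
target not in that list is a stale locator record that clients may still
be handed at logon; any target with no 'internet address' glue cannot be
reached even if it is live.
"""
import re
from dataclasses import dataclass

# nslookup's layout for an SRV answer, one block per record.
SRV_HEADER = re.compile(r"^(\S+)\s+SRV service location:\s*$")
SRV_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
# Additional-section A record nslookup prints after the SRV blocks.
GLUE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$")


@dataclass
class SrvRecord:
    name: str      # the queried _service._proto.dc._msdcs.<domain> name
    priority: int
    weight: int
    port: int
    target: str    # advertised DC hostname, lower-cased, no trailing dot


def _norm(host):
    return host.rstrip(".").lower()


def parse_nslookup_srv(text):
    """Return (list of SrvRecord, {hostname: address}) from nslookup text."""
    records, glue, current = [], {}, None
    for line in text.splitlines():
        m = SRV_HEADER.match(line)
        if m:
            current = {"name": _norm(m.group(1))}
            continue
        m = SRV_FIELD.match(line)
        if m and current is not None:
            key, val = m.groups()
            current[key] = val
            if key == "svr hostname":        # last field of a block
                records.append(SrvRecord(
                    name=current["name"],
                    priority=int(current.get("priority", 0)),
                    weight=int(current.get("weight", 0)),
                    port=int(current.get("port", 0)),
                    target=_norm(val),
                ))
                current = None
            continue
        m = GLUE.match(line)
        if m:
            glue[_norm(m.group(1))] = m.group(2)
    return records, glue


def audit_dc_locator(records, glue, live_dcs):
    """List findings: stale targets, missing glue, and names with no live DC."""
    live = {_norm(h) for h in live_dcs}
    findings = []
    for r in records:
        if r.target not in live:
            findings.append(f"STALE: {r.name} -> {r.target}:{r.port} is not a live DC; remove the record")
        elif r.target not in glue:
            findings.append(f"NO A RECORD: {r.name} -> {r.target} has no address in the answer")
    for name in sorted({r.name for r in records}):
        if not any(r.target in live for r in records if r.name == name):
            findings.append(f"NO LIVE DC: {name} advertises only dead controllers")
    return findings


# Constructed sample: dc01 is the surviving DC, dc02 was demoted but its
# locator records were never scavenged. Not real data from the thread.
SAMPLE_NSLOOKUP = """\
Server:  dc01.corp.example.com
Address:  192.0.2.10

_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example.com
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.corp.example.com
_kerberos._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc02.corp.example.com
dc01.corp.example.com   internet address = 192.0.2.10
"""
LIVE_DCS = ["dc01.corp.example.com"]   # supplied by the administrator


def run_sample():
    records, glue = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    return audit_dc_locator(records, glue, LIVE_DCS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it against the real `nslookup` transcript by replacing `SAMPLE_NSLOOKUP` with the captured text and `LIVE_DCS` with the remaining controller(s); an empty findings list for both the `_ldap` and `_kerberos` names means the locator records no longer reference the demoted DC. A client that cannot resolve these names at all is the separate problem the earlier replies point at, namely the client's DNS server setting rather than the zone contents.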
 