AD Authentication and DNS required records

Question

question

SeekingTruth-2322 asked Jan 18, '21 SeekingTruth-2322 answered Jan 25, '21

AD Authentication and DNS required records

I am in the process of decommissioning an old domain controller (Windows 2008 R2 server called OLDDC). The domain has several Domain Controller running Windows 2016. Everything is working fine accept when I take this old server online. I did this as a test and found users could not log on or access network drives.

After researching and reading up on the "DC Locator process" it appears to me that some entries are missing in DNS or possibly one entry to many (Default-First-Site-Name)?

There are two zones in "Forward Lookup Zones". These are "_msdcs.domain.lcl" and "domain.lcl". All my DC's appear with the appropriate records in DNS under the correct site names.

However there is a entries "_tcp.Default-First-Site-Name._sites.gc._msdcs.domain.lcl" which only contain one LDAP entry (SRV record) for the OLDDC, which is the server to be decommissioned. Everywhere there is a "Default-First-Site-Name" it only contains the one entry being OLDDC.

In DOMAIN.LCL zone there is a record "_msdcs" which also contains just the OLDDC.

Should I just manually add the required DCs ?

All guidance on how to resolve this are greatly appreciated.
Thanks

windows-server windows-dhcp-dns

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT · Jan 22, 2021 at 07:17 AM

Hello @SeekingTruth-2322,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

1 ·

Answer 1 · 2021-01-25T05:23:18.047Z

SeekingTruth-2322 answered Jan 25, '21

Hi Daisy,
I have done numerous research and testing since we last communicated and found the following.

It appears that the issue of users not being able to login or RDP when that particular server was shutdown is..

Some of the computers / users were using that DC we shutdown for checking their "Trust Relationship". Windows will eventually try another DC to check the "Trust Relationship". My testing showed this to be around 3-4 minutes.
The server which is providing the "Trust Relationship" can be found by using the command "NLTEST /sc_query:domain.lcl"
You can use "NLTEST /sc_reset:domain.lcl" to set the next available DC to be used by that computer when checking the "Trust Relationship in the future.

Tests in relation to the DSN and Sites & Services shows that the creation of a new "Sites" in "Sites and Services" will also create appropriate DNS entries in .....

_sites.dc._msdcs.domain.lcl
_sites.gc._msdcs.domain.lcl
_sites.domain.lcl
_sites.DomainDnsZones.domain.lcl
_sites.ForestDnsZones.domain.lcl

I also found that renaming "Sites" in "Sites and Services" will also create appropriate DNS entries for the new site, with an additional _ldap records , BUT also leaves the old DNS Site and its entries.

So as far as I am now concerned we should be able to close this question.

Thanks

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2021-01-18T09:29:34.43Z

DaisyZhou-MSFT answered Jan 18, '21

Hello @SeekingTruth-2322,

Thank you for posting here.

Based on the description, I understand we have several Domain Controllers (one Windows 2008 R2 DC and several Windows server 2016 DCs), now we want to demote the Windows 2008 R2 DC (now this Windows 2008 R2 DC is still existing in the domain, we have not demoted it).

Q:Should I just manually add the required DCs ?
A:If you promote a new DC in the domain successfully, all the DNS records related to that DC should be created automatically in DNS manager on the DC.

Check if you put other DCs in different sites.

For example:

Or maybe the AD replication issue caused the DNS records missing.

1.Based on "I did this as a test and found users could not log on or access network drives.", what error message did you see?
2.Would you please check FSMO role DC? Run command netdom query fsmo.
3.How many site do you have?

4.Which site are all the DCs put?
5.Is your domain a forest with single domain or a forest with weveral domains?
6.What is your domain functional level / forest functional level?

Best Regards,
Daisy Zhou

site2.png (57.2 KiB)

site1.png (17.3 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2021-01-18T12:00:02.12Z

SeekingTruth-2322 answered Jan 18, '21

Hi Diasy,
Thank you for getting back.

I would be interested in knowing what entries you have in "Default-First-Site-Name" and what changes occur if you add a second DC.

I have all my DCs spread over two sites. All DCs were installed via DCPROMO which worked successfully.

To answer your questions.
Q1. Based on "I did this as a test and found users could not log on or access network drives.", what error message did you see?
A1. I had other users testing and this was the information passed to me. "Enter network credentials", "the specified network password is not correct".

Q2. Would you please check FSMO role DC? Run command netdom query fsmo.
A2. All roles pointing to my new DCs. No references to OLDDC.

Q3. How many site do you have?
A3. I have 2 sites.

Q4. Which site are all the DCs put?
A4. The DCs are spread over 2 sites.

Q5. Is your domain a forest with single domain or a forest with several domains?
A5. It is a forest with single domain.

Q6. What is your domain functional level / forest functional level?
A6. Both the Forest and Domain are at the functional level of "Windows Server 2008 R2"

I notice that in "Sites and Services" you have Default-First-Site-Name. This does not appear in mine. It does however in DNS.

Kind Regards

sites.jpg (13.6 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 4 · 2021-01-19T06:28:50.677Z

DaisyZhou-MSFT answered Jan 19, '21

Hello @SeekingTruth-2322,

There is a default site named "Default-First-Site-Name" in AD when we deploy AD domain (on DC).

We can also create new site if needed. Site1, site2 and site3 are site that I created.

When we promote a DC, we can select a site for this DC.

We can check as below:
1.Please check if you can see all the DCs in site VDC1 and site VDC2.
2.Please check if you can see VDC1 with DC records and VDC2 with DC records in DNS manager (I mean we can check whether all SRV records that should exist do exist).

For example:

3.Run Dcdiag /v on every DC to check the DC health.
4.Run repadmin /replsum and **repadmin /showrepl /csv >c:\repsum.csv* on PDC to check AD replication.

Tip: If there is no any error in the command result, it means every DC itself and AD replication works fines.

If these records are missing on only one DC or some DCs, maybe AD replication does not work fine, it cased all DC does not synced.

If these records are missing on all DCs, there is issue on the DC itself.

All DCs should have ldap SRV and kerberos SRV records. If one DC is also a GC, this DC should have gc SRV record.

Best Regards,
Daisy Zhou

site1.png (28.9 KiB)

site111.png (175.0 KiB)

site3.png (35.3 KiB)

gc1.png (7.2 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 5 · 2021-01-19T07:47:19.627Z

SeekingTruth-2322 answered Jan 19, '21 DaisyZhou-MSFT commented Jan 19, '21

Hi Daisy,
Unfortunately I do not appear to have "Default-First-Site-Name" in AD. I only see it in DNS.

What entries do you have in DNS for

I have the following for

one entry ( _ldap SRV OLDDC )
three entries _gc , _kerberos , _ldap all for the old domain controller OLDDC .

Kind Regards

.

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT · Jan 19, 2021 at 09:09 AM

Hello @SeekingTruth-2322,

Thank you for your update.

We can run nltest /dclist:domain.com to check DC numbers.

Meanwhile, please check if DCs themselives work fine and if AD replication works fine as I mentioned above.

Best Regards,
Daisy Zhou

1 ·

dclist1.png (19.7 KiB)

Answer 6 · 2021-01-19T11:17:05.14Z

SeekingTruth-2322 answered Jan 19, '21 SeekingTruth-2322 commented Jan 25, '21

Hi @DaisyZhou-MSFT ,

Here is the output from nltest and repadmin /replsummary

Kind Regards

image.png (26.1 KiB)

image.png (41.3 KiB)

· 2

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT · Jan 20, 2021 at 02:44 AM

Hello @SeekingTruth-2322,

Thank you for your update.

Would you please tell us the name of your Windows server 2008 R2 DC?

Is it listed in the dc list below?

Best Regards,
Daisy Zhou

1 ·

dc1.png (36.1 KiB)

SeekingTruth-2322 DaisyZhou-MSFT · Jan 25, 2021 at 02:57 AM

Hi Daisy,
Sorry I missed you question.
The server name is DC2.vifm.lcl

Regards

0 ·

Answer 7 · 2021-01-20T01:46:02.303Z

SeekingTruth-2322 answered Jan 20, '21

Hi @DaisyZhou-MSFT ,
Here is the correct DCDIAG /v /c /d /e

58461-ad01-dcdiag-debug.txt

Thanks

ad01-dcdiag-debug.txt (178.6 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question