0 Votes
FedericoCoppola-2569 asked DSPatrick commented

I can not see DNS records inside DNS zones in secondary domain controller

Hi all,
I have two Domain Controllers inside the company.
Both of them are Windows 2016 DataCenter and they are installed in English Language.

Today I noted this issue:

On the first domain controller, inside DNS I can see all records inside the DNS zones.
On the second domain controller, inside DNS I see just the DNS zones, but inside the domain zone there are no DNS records, there is just the NameServer record!

After that, from the first domain controller, using the DNS console, I tried to connect to the second domain controller.
In this case I can see all DNS zones and records properly.

What can I do?

Thanks
Federico

windows-server, windows-server-2016, windows-dhcp-dns

0 Votes
FedericoCoppola-2569 answered FedericoCoppola-2569 edited

Hi @DSPatrick
Just now I tried to access DC01 and DC02 with the domain Administrator account.
I usually use my personal administrator account.
I noted that with Default Administrator domain account I see all DNS records in DC02 and DC01 without issue!

Anyway, we noted that sometimes there are replication issues.

I tried to create a simple TXT file in \\DC01\netlogon and in \\DC02\netlogon.
Both times, after a second, I saw the new file replicated to the other DC.

Do you think that it is necessary to demote the second DC?

After all, I noted that the warnings are at about 12 p.m. and 11 p.m. The company runs backups at 12 p.m. and 11 p.m. with AD integration via Veeam, but not all of that.

Thanks


0 Votes
DSPatrick answered

Do you think that it is necessary demote the second DC?

If the problem is fixed and the event logs are clear then no you don't need to do anything further.

--please don't forget to upvote and Accept as answer if the reply is helpful--

0 Votes
DSPatrick answered

I noted that with Default Administrator domain account I see all DNS records in DC02 and DC01 without issue!

Ok, that's good news, that issue appears to be confined to a problematic account, but the "no more end points available" and other problems are machine level issues. I'd check for errors since last boot (source and event IDs, no screenshot)


--please don't forget to upvote and Accept as answer if the reply is helpful--

0 Votes
FedericoCoppola-2569 answered FedericoCoppola-2569 published

Dear @DSPatrick,
At the moment this is the situation:

  • I rebooted DC01 and DC02 today

  • If I am logged using my Personal Domain Administrator Account (Name.Surname AD account) and I open DNS application on DC01 I can see all DNS records.
    Instead, if I am logged using my Personal Domain Administrator Account (Name.Surname AD account) and I open DNS application on DC02 I can't see any DNS records in DNS Zones.

  • If I am logged in DC01 and DC02 using Default Domain Account (DOMAIN\Administrator) I can see all DNS records without issue.

  • In the past I always used my Domain Administrator Account (Name.Surname AD account) and I am sure that I could see all DNS records in DC01 and DC02

  • Repadmin /showrepl does not show errors

  • Dcdiag /v continues to show a warning about EventID: 0x80001396 at about 12:00

  • The company backup runs every day at 12:00pm and 11pm with AD integration (Veeam). Probably this job generates the warning log.


    > C:\Windows\system32>Repadmin /showrepl
    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\PE-DC-001
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: d7d7aaf2-319a-49b3-85b3-0e82ede30113
    DSA invocationID: 3195c75a-0133-4529-98cd-f490a23ea069

    ==== INBOUND NEIGHBORS ======================================

    DC=PE,DC=local
    Default-First-Site-Name\PE-DC-002 via RPC
    DSA object GUID: 18ac0425-2e09-434e-823b-b41f6b1939a6
    Last attempt @ 2021-06-18 22:20:08 was successful.

    CN=Configuration,DC=PE,DC=local
    Default-First-Site-Name\PE-DC-002 via RPC
    DSA object GUID: 18ac0425-2e09-434e-823b-b41f6b1939a6
    Last attempt @ 2021-06-18 22:12:12 was successful.

    CN=Schema,CN=Configuration,DC=PE,DC=local
    Default-First-Site-Name\PE-DC-002 via RPC
    DSA object GUID: 18ac0425-2e09-434e-823b-b41f6b1939a6
    Last attempt @ 2021-06-18 22:12:12 was successful.

    DC=DomainDnsZones,DC=PE,DC=local
    Default-First-Site-Name\PE-DC-002 via RPC
    DSA object GUID: 18ac0425-2e09-434e-823b-b41f6b1939a6
    Last attempt @ 2021-06-18 22:17:48 was successful.

    DC=ForestDnsZones,DC=PE,DC=local
    Default-First-Site-Name\PE-DC-002 via RPC
    DSA object GUID: 18ac0425-2e09-434e-823b-b41f6b1939a6
    Last attempt @ 2021-06-18 22:17:45 was successful.

    [107145-diag-output.txt][1]


The main issue is not solved, because using my AD domain account I still cannot see DNS records in the DNS zones, just on DC02.
What can I do?


    [1]: /answers/storage/attachments/107145-diag-output.txt
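The symptom in this post (a zone that shows only SOA and NS records from one DC but full records from the other) can be checked without the console. The following PowerShell is an added example, not code from the thread or from Microsoft: it queries both DC's DNS servers through the DnsServer RSAT module under whatever account runs it, counts records per zone, and flags zones that are either "SOA/NS only" or differ between the two DCs. DC01 and DC02 are placeholder names.

```powershell
# Added example: compare the records the current account can read from each DC's DNS
# server, zone by zone. Assumes the DnsServer module (RSAT) and RPC access to both DCs.
Import-Module DnsServer

$dcs = @('DC01', 'DC02')   # placeholder domain controller names

$results = foreach ($dc in $dcs) {
    # Only AD-integrated primary zones, which is what the thread is about
    $zones = Get-DnsServerZone -ComputerName $dc |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated }

    foreach ($zone in $zones) {
        try {
            $records = @(Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone.ZoneName -ErrorAction Stop)
        } catch {
            # An access-denied error here points at the account or RPC, not at replication
            Write-Warning "$dc / $($zone.ZoneName): $($_.Exception.Message)"
            $records = @()
        }

        $byType = @{}
        if ($records.Count -gt 0) {
            $byType = $records | Group-Object RecordType -AsHashTable -AsString
        }

        [pscustomobject]@{
            DC        = $dc
            Zone      = $zone.ZoneName
            Total     = $records.Count
            # A zone whose only records are SOA and NS matches the symptom in the thread
            OnlySoaNs = ($records.Count -gt 0) -and
                        (@($records | Where-Object { $_.RecordType -notin 'SOA', 'NS' }).Count -eq 0)
            A         = @($byType['A']).Count
            SRV       = @($byType['SRV']).Count
        }
    }
}

$results | Sort-Object Zone, DC | Format-Table -AutoSize

# Zones whose record count differs between the DCs: either replication lag on the
# DomainDnsZones/ForestDnsZones partitions or a difference in what the account may read
$results | Group-Object Zone |
    Where-Object { @($_.Group.Total | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Record count differs between DCs for zone $($_.Name)" }
```

Run it once as the personal admin account and once as DOMAIN\Administrator: if both runs return full counts from both DCs while the DNS Manager console on DC02 still shows only SOA and NS, the data and the permissions are fine and the problem is confined to the console on that machine, which is what the later mmc test in this thread also indicates.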


0 Votes
DSPatrick answered

The default permissions should be EVERYONE has READ permissions. Right-click the zone, then Properties\Security Tab to check that or at least add the problematic user (or group) and give at least READ permissions.

--please don't forget to upvote and Accept as answer if the reply is helpful--
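The Security tab that DSPatrick refers to is the ACL of the zone object stored under CN=MicrosoftDNS in the DomainDnsZones (or ForestDnsZones) application partition. The script below is an added example, not code from the thread: it reads that ACL with the ActiveDirectory module, resolves the problematic user's group memberships, and reports whether any ACE denies the user or whether no Read right reaches the account at all. The zone name, partition DN and user name are placeholders (the partition DN follows the repadmin output in the thread).

```powershell
# Added example: inspect the ACL of an AD-integrated DNS zone object for one account.
# Assumes the ActiveDirectory module (RSAT); zone, partition and user are placeholders.
Import-Module ActiveDirectory

$ZoneName  = 'pe.local'                              # placeholder zone name
$Partition = 'DC=DomainDnsZones,DC=PE,DC=local'      # use DC=ForestDnsZones,... for forest-wide zones
$UserName  = 'name.surname'                          # placeholder: the account that sees no records

# AD-integrated zones are stored as dnsZone objects under CN=MicrosoftDNS in the partition
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"
$acl    = Get-Acl -Path "AD:\$zoneDn"

function Get-Sid([System.Security.Principal.IdentityReference] $Id) {
    # ACEs may already carry a raw SID (orphaned principals); fall back to the string value
    try { $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $Id.Value }
}

# tokenGroups is the transitive group membership, so ACEs granted to groups are matched too
$user = Get-ADUser -Identity $UserName -Properties TokenGroups
$sids = @($user.SID.Value) + @($user.TokenGroups | ForEach-Object { $_.Value })
$sids += 'S-1-1-0'   # Everyone, which holds Read on a zone by default per DSPatrick's answer

$matching = @($acl.Access | Where-Object { (Get-Sid $_.IdentityReference) -in $sids })
$matching | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# Any of these rights lets the console enumerate the zone's child dnsNode objects
$readMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty, ListChildren, GenericAll'
$denies     = @($matching | Where-Object { $_.AccessControlType -eq 'Deny' })
$allowsRead = @($matching | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ([int]($_.ActiveDirectoryRights -band $readMask)) -ne 0
})

if ($denies.Count -gt 0) {
    Write-Warning "Explicit Deny on $zoneDn for: $(($denies.IdentityReference | ForEach-Object { $_.Value }) -join ', ')"
} elseif ($allowsRead.Count -eq 0) {
    Write-Warning "No Read right on $zoneDn reaches $UserName or any of its groups"
} else {
    "Read on $zoneDn is granted via: $(($allowsRead.IdentityReference | ForEach-Object { $_.Value }) -join ', ')"
}
```

Because the zone object and its ACL are replicated, this check returns the same result against every DC once replication has converged; a zone that is readable on DC01 but appears empty only in the console on DC02 is therefore unlikely to be a permissions problem, which matches what the original poster found when comparing the Security tabs.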

0 Votes
FedericoCoppola-2569 answered FedericoCoppola-2569 edited

Hi @DSPatrick,

The default permissions should be EVERYONE has READ permissions. Right-click the zone, then Properties\Security Tab to check that or at least add the problematic user (or group) and give at least READ permissions.


I have checked the permission settings in Properties > Security.
The issue that I described, that is, I can see only the SOA record and NS records in the DNS zones if I use DNS Manager on DC02, applies to all DNS zones.
I compared the security settings in DC01's DNS Manager and in DC02's DNS Manager. These security settings are, in my opinion, the same.

107039-image.png

Thanks


0 Votes
FedericoCoppola-2569 answered

Dear @DSPatrick,
This morning I decided to do this simple test (sorry if I did not do it before):

  1. I connected through RDP to the company DC02 (again)

  2. Windows+R > mmc

  3. File > Add/Remove SnapIn > DNS

  4. In MMC on DC02 I can see DNS records of DC02 in all DNS Zones! If I open DNS Manager of DC02 I can see only SOA and NS records.

107149-image.png

It is quite strange. It seems that DNS Manager doesn't load all DNS records.


0 Votes
FedericoCoppola-2569 answered DSPatrick commented

Dear @DSPatrick,
Thanks for this suggestion!

I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations

Yes, you are right, you taught me new commands to check health. Thanks!

There seems to be some sort of corruption on this server. As a work-around it sounds like you can just use the newly created MSC but in my opinion I'd replace that domain controller ASAP.

Yes it is the best solution.

Thanks
Federico

Glad to hear, you're welcome.




0 Votes
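DSPatrick's advice in this thread is to verify health with dcdiag and repadmin before touching the domain controller. The following is an added example, not code from the thread or from Microsoft: it runs repadmin in CSV mode so that every replication link becomes an object, reports only links with failures or without a recent success, runs the dcdiag DNS test in quiet mode, and pulls the recent warnings and errors from the logs that dcdiag summarises (the hex event ID dcdiag prints, such as 0x80001396 in this thread, is the decimal event ID 0x1396 = 5014 with a severity prefix, so the event itself is easier to read straight from the log). It assumes the RSAT command-line tools are on the path and that it runs on or against a DC.

```powershell
# Added example: scripted repadmin/dcdiag health pass that surfaces only problems.
# Assumes repadmin.exe and dcdiag.exe (RSAT / AD DS tools) are available.

# /csv returns one row per (destination DC, naming context, source DC) link
$links  = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })

if ($failed.Count -gt 0) {
    $failed |
        Select-Object 'Destination DSA', 'Naming Context', 'Source DSA',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    "All $($links.Count) replication links report zero failures"
}

# A link with no failures but no success in the last 24 hours still deserves a look
$stale = @($links | Where-Object {
    $t = [datetime]::MinValue
    [datetime]::TryParse($_.'Last Success Time', [ref]$t) -and ($t -lt (Get-Date).AddHours(-24))
})
foreach ($s in $stale) {
    Write-Warning "No success since $($s.'Last Success Time'): $($s.'Source DSA') -> $($s.'Destination DSA') [$($s.'Naming Context')]"
}

# /q prints only errors, so empty output means the DNS test passed
$dnsDiag = @(dcdiag /test:DNS /q)
if ($dnsDiag.Count -gt 0) { Write-Warning ($dnsDiag -join "`n") } else { "dcdiag /test:DNS reported no errors" }

# Warnings (level 3) and errors (level 2) from the last 24 hours in the logs dcdiag draws on;
# correlate their timestamps with the backup window mentioned in the thread
Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service', 'DNS Server', 'DFS Replication'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

If the replication links are clean and the only recurring warnings line up with the 12:00 and 23:00 backup jobs, the warnings are a side effect of the backup rather than a replication fault, and the remaining problem is the DC02 console behaviour discussed above.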