Active directory can't contact DNS server


Ash Ridley

I have a very strange problem here and don't know what to try next.

I've just taken on looking after an SBS 2000 server running Active Directory
and I've noticed a few things that have resulted in me finding this problem.
The server in question has 2 network cards (one internal, one to the internet
via ADSL router), both only have a single DNS server configured and both of
these are the internal IP address of the server (not the loopback). The DNS
server is set to forward requests to the ISP's DNS servers.

Initially I noticed that nothing was listed in the forward lookup zone and
the server name in the computer identification field in the system
properties did not contain the domain suffix (although the domain was
correctly listed in the domain field - it's a single name domain with no
'dot' extension). I compared the registry information between this and
another SBS 2k box and entered the domain suffix in several registry keys
from which it was missing. This resulted in a correct DNS registration and
the correct display of the computer name in the identification window of the
system properties.

However the forward lookup DNS zone does not contain any of the active
directory information (the _ folders etc). I have tried recreating the
forward lookup zone as well as uninstalling and reinstalling the entire DNS
server but this has not helped.

IPCONFIG /registerdns only results in an event log entry saying the DNS
server cannot be contacted. Event log has no other relevant errors (so
nothing in the DNS or Directory service logs either).

However NSLOOKUP does work correctly from either the server or a client and
I am able to ping the server by name, the DNS server forwarders also work
correctly.

If you examine the operations master information in Active Directory User &
Computers it tells you that the roles cannot be transferred because the
current master is not online (the server names are the same but the domain
suffix is missing from the entry in one of the boxes on all the roles).

I have used the command line tools to seize the FSMO roles but this hasn't
fixed the problem and the operations master screens still show the same
information as listed above.

I have run DCDIAG and NETDIAG /fix and neither of these utilities are able to
resolve the problem (both however report that the DNS server cannot be
contacted).
Oddly enough no users have reported any problems accessing the server,
despite this problem.

I really don't want to have to reinstall Active Directory but I suspect that's
where this one is heading......

Appreciate any help
 
Ash Ridley said:
I have a very strange problem here and don't know what to try next.

I've just taken on looking after an SBS 2000 server running Active Directory
and I've noticed a few things that have resulted in me finding this problem.
The server in question has 2 network cards (one internal, one to the internet
via ADSL router), both only have a single DNS server configured and both of
these are the internal IP address of the server (not the loopback). The DNS
server is set to forward requests to the ISP's DNS servers.

That sounds right -- the only reason for putting the internal
DNS server on the outside (rather than leaving it blank) is
that you don't want a DHCP server to "give it" an external
DNS server in the NIC configuration.

That address (or another provided by the ISP) would be
what goes in the "Forwarder" address.

Initially I noticed that nothing was listed in the forward lookup zone and
the server name in the computer identification field in the system
properties did not contain the domain suffix (although the domain was
correctly listed in the domain field - it's a single name domain with no
'dot' extension).

Have you made sure to DISABLE "registration in DNS" on the
external NIC?

(Or give that NIC a different DNS name, like ADSL.yourdomain.com)

However the forward lookup DNS zone does not contain any of the active
directory information (the _ folders etc). I have tried recreating the
forward lookup zone as well as uninstalling and reinstalling the entire DNS
server but this has not helped.

You should never have to 'create' those zones -- being missing is a sign
one of the following is likely wrong:

DNS server is dynamic (needs to be)
Server is itself (NIC\IP\DNS Server) pointed to the internal server
so it will dynamically register itself
Clients are pointed ONLY at the internal DNS server (no second
external server listed) -- let the DNS server worry about the
external Internet resolution

IPCONFIG /registerdns only results in an event log entry saying the DNS
server cannot be contacted. Event log has no other relevant errors (so
nothing in the DNS or Directory service logs either)

That implies its client settings are not set to the internal server, the
internal server is not listening on the internal address, or is not dynamic.

Also note, "/registerDNS" is INSUFFICIENT for a DC -- it only
registers "client-type" settings. You must restart NetLogon to register
the _domains and other DC-type stuff.

However NSLOOKUP does work correctly from either the server or a client and
I am able to ping the server by name, the DNS server forwarders also work
correctly

Ok, what does NSLookup do?
What if you are explicit by specifying the DNS server address, e.g.,
do NOT use:
nslookup www.name.com
....but rather use:
nslookup www.name.com Actual.Ip.DNS.Address
e.g.,
nslookup www.name.com 192.168.0.1

If you examine the operations master information in Active Directory User &
Computers it tells you that the roles cannot be transferred because the
current master is not online (the server names are the same but the domain
suffix is missing from the entry in one of the boxes on all the roles).

Another symptom of the DNS problem you need to fix first.

I have used the command line tools to seize the FSMO roles but this hasn't
fixed the problem and the operations master screens still show the same
information as listed above

That's bad -- you now should (must) remove the original role holder
by doing a DCPromo -- when you seize a role it gives unpredictable
and unreliable results for the original role holder to continue on the net.

Note, it says this in the ResKit and I tried it ANYWAY since no explanation
was given -- my domain acted goofy and when I removed the original holder
those weird, intermittent errors ceased.

In other words, someone might say, "Doesn't matter, I did it" and I still
would never trust that DC again until DCPromo cycled.

I have run DCDIAG and NETDIAG /fix and neither of these utilities are able to
resolve the problem (both however report that the DNS server cannot be
contacted).

Did you capture the output in a text file and search for FAIL, WARN, and
ERROR?

I really don't want to have to reinstall Active Directory but I suspect that's
where this one is heading......

I don't think your original (at the top DNS problem) requires re-installation
but I will tell you that if you seized a role (trying to fix it) you now
must cycle the original DC through DCPromo/DCPromo.

Also make sure to transfer (not seize if possible) the other roles and
add another GC before cycling.
 
Herb,

Thanks for the reply

Unfortunately being an SBS box I cannot add another DC (so I cannot add
another GC).

I probably should also have mentioned that I have tried removing and
re-selecting the GC box, and have tried restarting NETLOGON on numerous
occasions and neither of these have helped (restarting NETLOGON just
results in the same event log error that the DNS server cannot be
contacted) - sorry for this omission, I've just been running around in
circles with this so much it's hard to list everything I've tried so far.

I have saved the output of NETDIAG and DCDIAG to file, I don't have the files
to hand right now (I don't work on the site the server is at) suffice to say
that there are a lot of errors all basically saying the same thing (DNS
cannot be contacted) and none of the error messages bring up anything
helpful in the Microsoft kb.

With regards to your comment about running DCPROMO - surely by doing this in
a single DC environment (as SBS servers are) I will be uninstalling Active
Directory?

Ash
 
Ok here is the error from DCDIAG

Testing server: Default-First-Site-Name\IDTSERVER01
Starting test: Connectivity
* Active Directory LDAP Services Check
IDTSERVER01's server GUID DNS name could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(d289bfd3-5d87-471c-8996-878f781ffef5._msdcs.IDTECH) couldn't be
resolved, the server name (IDTServer01.idtech) resolved to the IP
address (192.168.0.1) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... IDTSERVER01 failed test Connectivity

and from NETDIAG

DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'IDTServer01.idtech.'. [RCODE_SERVER_FAILURE]
The name 'IDTServer01.idtech.' may not be registered in DNS.
[WARNING] Cannot find a primary authoritative DNS server for the
name
'IDTServer01.idtech.'. [RCODE_SERVER_FAILURE]
The name 'IDTServer01.idtech.' may not be registered in DNS.
[FATAL] Failed to fix: DC DNS entry IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.IDTECH. re-registeration
on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.IDTECH. re-registeration
on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.5e9ea29a-4a57-48e3-8e5e-0017a7c430e1.domains._msdcs.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry gc._msdcs.IDTECH. re-registeration
on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry gc._msdcs.IDTECH. re-registeration
on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry gc._msdcs.IDTECH. re-registeration
on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
d289bfd3-5d87-471c-8996-878f781ffef5._msdcs.IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IDTECH. re-registeration
on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.IDTECH. re-registeration on
DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _gc._tcp.IDTECH. re-registeration on
DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_gc._tcp.Default-First-Site-Name._sites.IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries
for this DC on DNS server '127.0.0.1'.
[FATAL] No DNS servers have the DNS records for this DC registered.

I can successfully use NSLOOKUP on the server in the following manner

NSLOOKUP www.novell.com 192.168.0.1

and I've double checked the registry setting from the article provided by
Matjaz and they are present and correct. I've also used the VB tool from
Microsoft that checks the FSMO roles and they are coming up with the correct
information - given that the current server name displayed in the operation
masters transfer windows is missing the domain suffix I can only come to the
conclusion that the domain name is missing from somewhere important (which
takes me right back to my original observation that the domain suffix was
missing in the computer identification tab of the system properties) but I
have no idea where as I've compared the registry with a working server (on a
different site) and they match up - although this doesn't explain why it can't
contact the DNS server.

Does anyone have any other suggestions?
 
Ash Ridley said:
Herb,

Thanks for the reply

Unfortunately being an SBS box I cannot add another DC (so I cannot add
another GC).

Yes, I see you have SBS at the top of your original but if you
cannot add another DC, HOW ON EARTH did you seize a
role?

Seizing a role moves that role to another DC!!!

It's likely the "single tag domain name" that is plaguing you.

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names [needs the domain.com name and cannot be
just --domain--]:
http://support.microsoft.com/?id=300684

I probably should also have mentioned that I have tried removing and
re-selecting the GC box,

Never remove the "last GC" (or "only GC") checkbox.

and have tried restarting NETLOGON on numerous
occasions and neither of these have helped (restarting NETLOGON just
results in the same event log error that the DNS server cannot be
contacted) - sorry for this omission, I've just been running around in
circles with this so much it's hard to list everything I've tried so far.

Did you first confirm the DNS settings I gave you? You aren't running
with a "single tag" domain name are you? (e.g., Domain instead of,
at least, Domain.Com)

I have saved the output of NETDIAG and DCDIAG to file, I don't have the files
to hand right now (I don't work on the site the server is at) suffice to say
that there are a lot of errors all basically saying the same thing (DNS
cannot be contacted) and none of the error messages bring up anything
helpful in the Microsoft kb.

Well there you go! You can re-start NetLogon all day long until you
fix the root causes of the DNS problems.

Most likely: non-Dynamic DNS, DC(s) not pointed at that DNS,
DCs pointed at that DNS AND at some other DNS, single tag domain
names.

With regards to your comment about running DCPROMO - surely by doing this in
a single DC environment (as SBS servers are) I will be uninstalling Active
Directory?

Yes, but I understood you "seized a role" to a second DC which
indicated you had more than one DC. That seizing reference must
have been misreported.
 
Herb,

I used the command line utility (in the support tools?) to seize all the
FSMO roles

It looks like you may have hit the issue on the head because it is indeed a
single tag domain (don't blame me I didn't set it up :-) ). I'll get the
changes done and reboot it overnight and see what happens.

Ash

 
Ash Ridley said:
Herb,

I used the command line utility (in the support tools?) to seize all the
FSMO roles

It looks like you may have hit the issue on the head because it is indeed a
single tag domain (don't blame me I didn't set it up :-) ). I'll get the
changes done and reboot it overnight and see what happens.

Heck, I don't blame you or any other new admin -- as far as I am
concerned it is a BUG -- anything that works that badly and doesn't
even warn you is just plain wrong.

And consider that the name is chosen frequently by a newcomer to
the operating system -- it should be relatively hard to mess up at that
point.

As to seizing, you must have run the tool but never actually accomplished
anything (good) because seizing implies a (forceful) transfer of a role to
a new master. A simple transfer does this gracefully, arranging for the
original role holder to give up the role in the process.
 
Ash Ridley said:
I can successfully use NSLOOKUP on the server in the following manner

NSLOOKUP www.novell.com 192.168.0.1

and I've double checked the registry setting from the article
provided by Matjaz and they are present and correct. I've also used
the VB tool from Microsoft that checks the FSMO roles and they are
coming up with the correct information - given that the current
server name displayed in the operation masters transfer windows is
missing the domain suffix I can only come to the conclusion that the
domain name is missing from somewhere important (which takes me right
back to my original observation that the domain suffix was missing in
the computer identification tab of the system properties) but I have
no idea where as I've compared the registry with a working server (on
a different site) and they match up - although this doesn't explain
why it can't contact the DNS server.

Does anyone have any other suggestions?

There's the problem. Your AD DNS domain name is still a single label name.
Even though you changed the Primary DNS Suffix thru the registry, this does
not change anything with the Active Directory DNS domain name (as it shows
up in ADUC). So the AD name is still single label.

Unfortunately a reinstall will be needed to change AD to reflect this
change. This is an AD issue. You could possibly change the Primary DNS
Suffix back to the single label name and use this reg entry to allow
registration. (But keep in mind this is only a bandaid):

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names [needs the domain.com name and cannot be
just --domain--]:
http://support.microsoft.com/?id=300684


Keep in mind, for registration to properly occur, the Primary DNS Suffix,
the AD DNS Domain name (as it shows up in ADUC) and the zone name in DNS
must all be spelled the same.
More info on that:
240943 - Dynamic DNS Host Name Registrations [Primary DNS Suffix must be set
to zone name and to AD name]:
http://support.microsoft.com/?id=240943


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
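
Added example, not part of any post in this thread and not Microsoft tooling: a short Python script that does what Herb suggests with the saved NETDIAG output (pull out the WARNING/FATAL entries) and then applies Ace's rule that the Primary DNS Suffix, the AD DNS domain name and the zone name must all be spelled the same. The sample text is excerpted from the output posted above; the function names and the `idtech.local` suffix used in the test call are assumptions made for the illustration.

```python
import re
from collections import Counter

# Excerpt of the NETDIAG /fix output posted in this thread, wrapping kept as posted.
SAMPLE_NETDIAG = """\
DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'IDTServer01.idtech.'. [RCODE_SERVER_FAILURE]
The name 'IDTServer01.idtech.' may not be registered in DNS.
[FATAL] Failed to fix: DC DNS entry IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.IDTECH. re-registeration
on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.IDTECH. re-registeration on DNS
server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.IDTECH.
re-registeration on DNS server '127.0.0.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] No DNS servers have the DNS records for this DC registered.
"""

# "re-registeration" is the spelling used in the output shown in the thread.
FAILED_FIX = re.compile(
    r"\[FATAL\] Failed to fix: DC DNS entry (\S+)\. re-registeration on DNS "
    r"server '([^']+)' failed\. DNS Error code: (\w+)"
)

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def parse_netdiag(text):
    """Return (severity counts, failed registrations) from saved NETDIAG output."""
    flat = " ".join(text.split())  # undo console / news-reader line wrapping
    severities = Counter(re.findall(r"\[(WARNING|FATAL)\]", flat))
    failures = [
        {"record": m.group(1), "server": m.group(2), "code": m.group(3)}
        for m in FAILED_FIX.finditer(flat)
    ]
    return severities, failures

def common_domain(records):
    """Longest label suffix shared by every record name (taken as the AD DNS domain)."""
    reversed_labels = [norm(r).split(".")[::-1] for r in records]
    shared = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))

def findings(text, primary_suffix, zone):
    """Summarise the log and compare the three names that have to match."""
    _, failures = parse_netdiag(text)
    domain = common_domain([f["record"] for f in failures])
    out = []
    if failures:
        servers = ", ".join(sorted({f["server"] for f in failures}))
        codes = ", ".join(sorted({f["code"] for f in failures}))
        out.append(f"{len(failures)} DC records failed to register on {servers}: {codes}")
    if domain and "." not in domain:
        out.append(f"AD DNS domain '{domain}' is a single-label name")
    names = {"Primary DNS Suffix": norm(primary_suffix),
             "AD DNS domain": domain,
             "DNS zone": norm(zone)}
    if len(set(names.values())) > 1:
        out.append("names differ: " + ", ".join(f"{k}={v}" for k, v in names.items()))
    return out

if __name__ == "__main__":
    # 'idtech.local' is a constructed suffix value, not one taken from the thread.
    for line in findings(SAMPLE_NETDIAG, primary_suffix="idtech.local", zone="idtech"):
        print(line)
```
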
 