Cannot connect to DNS server in sub-domain
Essendon:
Alright, after a good run, I have run into a problem. I have a domain contoso.com and created a subdomain called melbourne.contoso.com. The sub-domain is on a DC called server5.
All machines CAN ping each other by IP and name.
Brief configs:
server1 (DC of contoso.com) (hosts contoso.com DNS zone)
IP: 192.168.121.1
Pref DNS: 192.168.121.1
server3 (member of contoso.com) (secondary DNS server in contoso.com)
IP: 192.168.121.128
Pref DNS: 192.168.121.1
server5 (DC of melbourne.contoso.com) (hosts melbourne.contoso.com)
IP: 192.168.121.129
Pref DNS: 192.168.121.129
I have logged onto server1 with enterprise admin membership and am able to connect to server3 in the DNS snap-in but cannot connect to server5, says access is denied. Why?
On server1 I have been getting error logs for the KDC saying there are multiple accounts with name cifs/server5 of type DS_SERVICE_PRINCIPAL_NAME.. Also the consistency checker's been saying that it is consistently unable to replicate with server5.
Another thing I noticed is that like James did in the CBT Nuggets, I deleted the sub-domain from server1 and did a netdiag /fix on server5. When I restarted server1, the sub-domain was back in server1.
Please help.
Comments
Sie:
Are all three set up as Active Directory Integrated Zones?
Are they all Virtual Machines this time?
How have you configured the subdomain in Server1? Secondary Zone? Delegation? etc.?
Is replication set up correctly? I.e. is it just for contoso.com?
What's the output of dnscmd /zoneinfo melbourne.contoso.com?
Also, can you force replication? Right-click the directory partition (found above) in Replication Monitor and select synchronize.
Edit: Also, just out of interest, can you log directly into Server 5 with the enterprise admin account?
(Signature: Foolproof systems don't take into account the ingenuity of fools)
mrhaun03:
Just wondering; why is the DNS address for Server 5 different from Server 1 & 3?
(Signature: Working on Linux+)
Essendon:
mrhaun03 wrote: Just wondering; why is the DNS address for Server 5 different from Server 1 & 3?
Because server5 is in a different subdomain, and if it had server1 as the preferred DNS server, then clients in the subdomain would not have been able to find server5 to query, although they are in the same subdomain.
Essendon:
Sie wrote: Are all three set up as Active Directory Integrated Zones?
No, only server1 and server5 are set up as Active Directory Integrated Zones, as they are the DCs in their respective domains.
Sie wrote: Are they all Virtual Machines this time?
LOL... server3 and server5 are the VMs, server1 is still the physical host machine. There was absolutely no problem before I added server5.
Sie wrote: How have you configured the subdomain in Server1? Secondary Zone? Delegation? etc.?
The subdomain was automatically configured on server1, though it's only got the glue record for server5 and the other directories, i.e. _msdcs, _sites etc. But shouldn't this subdomain NOT be in server1 at all? It should only be in server5?
Sie wrote: Is replication set up correctly? I.e. is it just for contoso.com?
Unsure of what you mean by this.
Sie wrote: What's the output of dnscmd /zoneinfo melbourne.contoso.com?
I did this on server1, and it said Command Failed: DNS_ERROR_ZONE_DOES_NOT_EXIST 9601. Doesn't look good, does it? But the zone's there on server1?
Sie wrote: Also, just out of interest, can you log directly into Server 5 with the enterprise admin account?
No, I can't. I can only log on to server5 with the admin account created while installing the OS.
There's definitely a problem with replication. server5 is not getting any information from server1; seems like a DNS issue to me. Going through royal's sticky now to find information on configuring subdomains.
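The DNS_ERROR_ZONE_DOES_NOT_EXIST result is the key data point in the post above: the "melbourne" folder visible in the snap-in on server1 is not a zone of its own, so dnscmd /zoneinfo cannot address it. The following PowerShell is an added example, not code from the thread, that tells the three cases apart on server1 (separate zone, delegation, or plain subfolder of contoso.com) and then resolves the records the DNS snap-in and Kerberos need. It assumes the DnsServer module of Windows Server 2012 or later; the thread itself used dnscmd, which predates these cmdlets. Host and zone names are taken from the thread.

```powershell
# Added example, not from the original thread. Run on server1 (the contoso.com DNS server).
# Assumes the DnsServer module (Windows Server 2012+); Resolve-DnsName needs Windows 8 / 2012+.
$parent = 'contoso.com'
$child  = 'melbourne.contoso.com'
$dns    = '192.168.121.1'    # server1, from the thread

# 1. Is the child a zone in its own right on this server?
#    If not, "dnscmd /zoneinfo melbourne.contoso.com" fails with
#    DNS_ERROR_ZONE_DOES_NOT_EXIST (9601) even though a "melbourne" folder is visible.
$childZone = Get-DnsServerZone -Name $child -ErrorAction SilentlyContinue
if ($childZone) {
    "$child is a separate zone here: type=$($childZone.ZoneType), ADIntegrated=$($childZone.IsDsIntegrated)"
} else {
    "$child is NOT a zone on this server; its records live inside the $parent zone"
}

# 2. Is 'melbourne' delegated? A delegation shows up as NS records for the
#    name 'melbourne' inside the parent zone (the folder appears greyed out).
$ns = Get-DnsServerResourceRecord -ZoneName $parent -Name 'melbourne' -RRType NS -ErrorAction SilentlyContinue
if ($ns) {
    'Delegation present, NS -> ' + (($ns | ForEach-Object { $_.RecordData.NameServer }) -join ', ')
} else {
    "No delegation: 'melbourne' is a plain subfolder of $parent, filled in by dynamic updates"
}

# 3. Does the child DC's A record exist where server1 will actually look?
#    Names are relative to the zone, so server5.melbourne.contoso.com is 'server5.melbourne'.
Get-DnsServerResourceRecord -ZoneName $parent -Name 'server5.melbourne' -RRType A -ErrorAction SilentlyContinue |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# 4. Resolve the FQDN (what the snap-in should be given) and the DC locator SRV record
#    that Kerberos and AD replication depend on, asking server1 explicitly.
Resolve-DnsName -Name 'server5.melbourne.contoso.com' -Type A -Server $dns
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.melbourne.contoso.com' -Type SRV -Server $dns
```

If step 1 reports no zone and step 2 reports no delegation, the folder is exactly what the rest of the thread describes: a subdomain that dcpromo registered into contoso.com by dynamic update. Step 4 failing while an IP address still works in the snap-in matches the later observation that only the IP, and not the short name, connects.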
royal:
http://www.techexams.net/forums/viewtopic.php?t=32869
http://www.techexams.net/forums/viewtopic.php?t=24905
http://www.techexams.net/forums/viewtopic.php?t=24233
http://www.techexams.net/forums/viewtopic.php?t=23279
And your Server3 isn't a secondary DNS server. AD-Integrated Zones are always primary zones.
(Signature: "For success, attitude is equally as important as ability." - Harry F. Banks)
Essendon:
Thank you for the links, royal. I have set up conditional forwarders on both server1 and server5. I forced replication using replmon and it said that replication was successful. But I still cannot log on to server5 using the enterprise admin account. It still denies me access when I try to add server5 in the DNS snap-in on server1. I have tried doing a delegation as well on server1. Still a no-go.
Essendon:
Hey, I can now add server5 to the snap-in using ONLY its IP address, not the hostname. Wonder why this is?
All DNS entries appear to be correct.
Essendon:
I removed the conditional forwarders from server1 and server5 and now have stub zones pointing to one another on both servers. Still cannot add server5 using its name.
Also, I just noticed that the _msdcs subdomain is dimmed out, like it was delegated, and it only has an NS record for server1. Could this be a problem, or is this normal in my scenario?
Another thing I noticed: when I log on with the enterprise admin account on server5 in the contoso.com domain, there are no problems, there is no problem with DNS. I can add server5 to the snap-in on server1, do zone transfers back and forth, the works. But I cannot log on when I choose the melbourne domain. And if I log on using the admin account (created when installing the OS), I cannot add server5 to the DNS snap-in on server1.
I have tried conditional forwarders/delegation/stub zones, but none of them have fixed this issue. There's an error in server1's System event log saying "There are multiple accounts with name cifs/SERVER5 of type DS_SERVICE_PRINCIPAL_NAME, Source: KDC".
Essendon:
Essendon wrote: There's an error in server1's System event log saying "There are multiple accounts with name cifs/SERVER5 of type DS_SERVICE_PRINCIPAL_NAME, Source: KDC".
I did a search (in entire directory) for server5 in ADUC on server1, and sure enough there were two accounts for server5, one a DC, and the other a Workstation/Server. This is causing the error to pop up on server1. Now should I delete the Workstation/Server account?
royal:
That would most likely be causing the error. Go ahead and delete the workstation account if it's not in use. If it's in use, you can rename the computer. Or if it's a DC, you can go through the motions of using Netdom.
And yes, the _msdcs is greyed out and delegated. The reason is that the domain's DNS zone is replicated domain-wide, whereas _msdcs is replicated forest-wide. This assists in removing island DNS issues and ensures that every domain controller in the entire forest knows about every other domain controller. So don't remove that delegation.
The enterprise admin account can ONLY live in the forest root domain. Because of this, you will only be able to log on to the enterprise admin account via one domain. Because there are transitive trusts throughout your forest, you will be able to log on using that forest root enterprise admin account in any domain.
Also, your DNS lookups to server5 are probably failing because server5 doesn't seem like it's a DNS server. You had no forwarders or anything like that when you promoted. You had no delegation set for your subdomain when promoting your new domain. And because of that, your DNS subdomain got created as a subfolder within your contoso.com domain on Server1 and Server3. You'll need to make sure you have your server5.melbourne.contoso.com A record within this melbourne folder in the DNS properties on Server1 and Server3.
(Signature: "For success, attitude is equally as important as ability." - Harry F. Banks)
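The KDC event quoted in the thread ("multiple accounts with name cifs/SERVER5") means two objects in the forest carry the same service principal name, so the KDC cannot decide which account's key to encrypt a service ticket with, and Kerberos to server5 fails; that in turn is why the snap-in returns "access is denied" and why the IP address (which falls back to NTLM) still works. The script below is an added example, not code from the thread, showing how a practitioner would enumerate the duplicates across both domains before deleting anything, and how to confirm the _msdcs delegation royal describes is still in place. It assumes the ActiveDirectory RSAT module, that server1 is a global catalog, and that the stale workstation account lives in contoso.com, as the ADUC search in the thread suggests; the variable and host names are taken from the thread.

```powershell
# Added example, not from the original thread. Run on server1 as a member of Enterprise Admins.
# Assumes the ActiveDirectory module (RSAT) and that server1 is a Global Catalog.
Import-Module ActiveDirectory

$computer = 'SERVER5'                  # hostname from the thread ($host is reserved in PowerShell)
$gc       = 'server1.contoso.com:3268' # port 3268 searches the whole forest, both domains

# 1. Every object in the forest that claims cifs/SERVER5 or HOST/SERVER5.
#    HOST/ is the generic SPN that cifs/ maps onto, so a HOST/SERVER5 duplicate
#    produces the same KDC event as an explicit cifs/SERVER5.
$filter = "(|(servicePrincipalName=cifs/$computer*)(servicePrincipalName=HOST/$computer*))"
$dupes  = Get-ADObject -Server $gc -LDAPFilter $filter `
              -Properties servicePrincipalName, userAccountControl, whenChanged

foreach ($o in $dupes) {
    # userAccountControl flags: 0x2000 = SERVER_TRUST_ACCOUNT (a domain controller),
    #                           0x1000 = WORKSTATION_TRUST_ACCOUNT (member workstation/server).
    [pscustomobject]@{
        DN          = $o.DistinguishedName
        IsDC        = (($o.userAccountControl -band 0x2000) -ne 0)
        LastChanged = $o.whenChanged
        SPNs        = ($o.servicePrincipalName -join '; ')
    }
}

# 2. The built-in cross-check: setspn -X reports every duplicate SPN; -F widens it to the forest.
setspn -X -F

# 3. Only the non-DC duplicate is a candidate for removal, and only after a dry run.
#    Writes must go to a writable DC of the object's own domain, not the GC port;
#    the thread's ADUC search places the stale account in contoso.com (assumed here).
$stale = $dupes | Where-Object { ($_.userAccountControl -band 0x2000) -eq 0 }
foreach ($s in $stale) {
    Remove-ADObject -Identity $s.DistinguishedName -Server 'server1.contoso.com' -WhatIf
}

# 4. Confirm the _msdcs delegation royal describes is intact (it belongs there; do not remove it).
#    A delegation appears as NS records for the name '_msdcs' inside the contoso.com zone.
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '_msdcs' -RRType NS |
    Select-Object HostName, @{ n = 'NameServer'; e = { $_.RecordData.NameServer } }
```

Drop -WhatIf only after step 1 shows exactly one DC object and one workstation object, and the workstation object has not changed recently. If the workstation object turns out to be a live machine that merely shares the name, renaming that machine (royal's alternative) is the right fix, because deleting its account would break its own Kerberos trust.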
Essendon:
Thank you for your posts, royal. I needed to use the full FQDN to get to server5 in the DNS snap-in on server1. Probably it was because it was in a different domain and wasn't able to resolve the partial name.
I now have stubs pointing to both domains. Updates are happening automatically; the thing's working like a beauty now!
P.S. Thanks also for that _msdcs info, royal.