Dealing with an upgraded domain and _msdcs, and potentially other problems

  • Last Post 30 January 2020
kurtbuff posted this 29 January 2020

All,

We have 3 x 2012 R2 DCs in HQ (DC0, DC1, DC2), and none in our remote locations.

On Monday I deleted a conflicting DNS zone from AD, with no apparent
ill result, following Ace Fekay's article:
https://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/

Tuesday morning (yesterday) around 10:30, I performed an FRS-DFRS
migration on the domain, and it went very smoothly, following the
quick migration directions here:
https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405

However, that afternoon, around 14:30, we started getting calls from
one of our remote locations, and we diagnosed it as a problem with
name resolution. No other location is having this problem.

On DC1, I'm seeing a couple of errors in the Server Manager which do
not appear on the other DCs[1,2], but in the event logs on all of the
DCs, under Directory Service, I'm seeing a lot of 1535, 1213 and 1216
errors.

Regarding error [1], I see that the msdcs zone is child to domain.tld
(and is not its own AD-integrated forward zone itself), which would
indicate that the domain was upgraded from a 2003 domain, IIRC.

Can I simply manually create the forward zone _msdcs.domain.tld, as
this article suggests?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/3eca6eba-68ad-43e2-9580-16e72cf8e95a/the-active-directory-integrated-dns-zone-msdcsdomainname-was-not-found?forum=winserverMigration

Regarding error [2], I've looked over the results of "gpresult /h",
and it looks fine, with "Access this computer from the network" being
set with "Administrators, Authenticated Users, ENTERPRISE DOMAIN
CONTROLLERS, Remote Desktop Users" being set by a GPO, though I'm not
terribly happy about a GPO named "CIS Level One - Windows Servers -
Computer Settings" being applied to the DCs.

We've checked the firewall settings on each end, and the firewall guy
says they are WFO both ways - no filtering.

Lastly (and I think this is related, because it wasn't broken before
Tuesday), I attempted to RDP to the file server in this remote
location, and could not do it via the netbios name or the FQDN,
getting the error that the clocks were too different. However, I was
able to RDP via IP address, and verified that the clocks were within a
minute of each other, and that the time zones matched.

Any help appreciated.

[1]
DC1 1216 Warning
Microsoft-Windows-ActiveDirectory
DomainService Directory Service
1/29/2020 8:13:04 AM

Title:
DNS: Zone _msdcs.domain.tld is an Active Directory integrated DNS Zone
and must be available.

Severity
Error

Date:
6/13/2019 9:59:39 PM

Category:
Configuration

Problem:
The Active Directory integrated DNS zone _msdcs.domain.tld was not found.

Impact:
DNS queries for the Active Directory integrated zone _msdcs.domain.tld
might fail.

Resolution
Restore the Active Directory integrated DNS zone _msdcs.domain.tld.

http://go.microsoft.com/fwlink/?LinkId=189238

[2]
Title:
Domain controller DC1.domain.tld must have "Access this Computer from
the Network" granted to the appropriate security principals

Severity
Error

Date:
6/13/2019 9:59:53 PM

Category:
Configuration

Problem:
Domain Controller DC1.domain.tld does not have user right "Access this
computer from the network" granted to 'Builtin Administrators',
'Enterprise Domain Controllers' or 'Authenticated Users', or has the
user right "Deny access to this computer from the network" assigned to
either of those groups or 'Everyone'.

Impact:
Replication operations initiated by other domain controllers in the
domain or by administrators may fail. Users and computers may also
experience failure to apply Group Policy objects.

Resolution
Verify that the domain controllers in the domain domain.tld have this
user right granted to the appropriate security principals. Using Group
Policy Management and Group Policy Results, verify that the winning
Group Policy for the "Access this computer from the network" user
right grants that right to the 'Builtin Administrators', 'Enterprise
Domain Controllers', and 'Authenticated Users' groups. Verify that the
policy setting "Deny access to this computer from the network" does
not have 'Everyone', 'Authenticated Users', 'Builtin Administrators'
or 'Enterprise Domain Controllers' groups defined in it.

http://go.microsoft.com/fwlink/?LinkId=168844

ZJORZ posted this 29 January 2020

A domain-based zone has the replication scope of the domain.

The _msdcs zone has, or should have, the replication scope of the forest.

By moving the _msdcs data from the domain zone into its own zone, following the replication scopes per zone as listed above, you are basically deleting the _msdcs data from one repl scope and recreating it in the other. Due to replication, the recreation follows the deletion with some delay. That might have a momentary impact on name resolution until replication is complete.

Make sure SYSVOL repl is working with conflicts. Monitor, and add a text file to see if it replicates to all other DCs.

For the additional stuff, it is an open door, but check and fix anything that was done mistakenly or is incorrect regarding the user rights and security options. If you do not know what the correct values are, install a new DC in a test lab to get the default values, then compare.

Met Vriendelijke Groet / Cumprimentos / Kind Regards,

Jorge de Almeida Pinto




MVP Enterprise Mobility and Security (EMS) | MCP/MCSE/MCITP/exMCT




Profile: http://tiny.cc/JorgeMVPDS

Blog: http://tiny.cc/JQFKblog

Facebook: http://tiny.cc/JQFKfacebook

Twitter: http://tiny.cc/JQFKtwitter




(+++Sent from my mobile device +++)

(Apologies for any typos)

ElasticSky posted this 29 January 2020

Hi Kurt,

I'm just focusing on the file server and time here, so I'm wondering if you have tried w32tm /monitor to absolutely confirm that time is correct on the domain controllers? While I tend to agree it seems connected to the other changes, the error is normally pretty much on the money.

Kind regards,

Glen

kurtbuff posted this 29 January 2020

I've run DCDiag, replsum, repadmin with various switches and the AD Replication Status Tool, and see no errors in replication (except for one that is due to backups being performed, and then success afterward).
I've tested replication as suggested, with a text file in C:\Windows\SYSVOLDFSR\sysvol\domain.tld\Shared - replication was immediate.
I've compared the security options between DCs, regarding "Access this computer from the network", and they're all the same.
Just for clarity, I'll put up the ASCII diagram, then note something I just now found: all of the forward zones are forest-replicated, but most of the reverse zones are domain-replicated:

DC0 (same on DC1 and DC2)
|
Forward Lookup Zones
   |
   |-- _msdcs.domain.tld (this does not exist)
   |
   |-- domain.tld
         |
         |-- _msdcs (this exists)
         |-- _sites
         |-- _tcp
         |-- _udp
         |-- DomainDnsZones
         |-- ForestDnsZones

Now a couple of questions:
- If I manually create _msdcs.domain.tld as and where indicated, and let it replicate, that's a good thing, correct? Modulo a few moments' outage for replication, as you noted.
- Does it make sense to move the reverse zones to forest replication?
Kurt
kurtbuff posted this 29 January 2020

C:\Windows\system32>w32tm /monitor
GetDcList failed with error code:  0x8007054B.
Exiting with error 0x8007054B
I checked the config with "w32tm /query /config", and it was pointing at time.microsoft.com, so I corrected that with "w32tm /config /syncfromflags:domhier /update", but I get the same error as above when trying "w32tm /monitor" once more.
Also cannot ping our DCs by netbios name or fqdn at this point from that location's file server.

michael1 posted this 29 January 2020

A bit more than that is likely needed:

w32tm /config /syncfromflags:domhier
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /rediscover

Does

     nslookup <target-dns-name> <dc-ip-address>

work? Or return a meaningful error?

For example:

     nslookup server1 192.168.231.42

ZJORZ posted this 29 January 2020

RE: reverse lookup zones

Depends on how you set up the zones and where the info is needed from a DNS query perspective.

ZJORZ posted this 29 January 2020

For setting up the time configuration in AD through a GPO that targets the PDC FSMO in the forest root, read the following:

https://jorgequestforknowledge.wordpress.com/2010/09/26/configuring-and-managing-the-windows-time-service-part-1/

https://jorgequestforknowledge.wordpress.com/2010/09/26/configuring-and-managing-the-windows-time-service-part-2/

https://jorgequestforknowledge.wordpress.com/2010/09/26/configuring-and-managing-the-windows-time-service-part-3/

https://jorgequestforknowledge.wordpress.com/2010/09/26/configuring-and-managing-the-windows-time-service-part-4/

kurtbuff posted this 29 January 2020

C:\Windows\system32>net stop w32time && net start w32time && w32tm /resync /rediscover
The Windows Time service is stopping.
The Windows Time service was stopped successfully.
The Windows Time service is starting.
The Windows Time service was started successfully.
Sending resync command to local computer
The computer did not resync because no time data was available.
C:\Windows\system32>nslookup dc0.domain.tld dc1.domain.tld
* Can't find server address for 'dc0.domain.tld':
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.5.40.21
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*
Request to UnKnown timed-out

kurtbuff posted this 29 January 2020

We have a single-forest/single-domain environment - does that provide enough context, or are there other questions I should be asking?
Kurt

ZJORZ posted this 29 January 2020

Then domain scope is forest scope.

Nevertheless, in that case I would use:

• _msdcs as forest repl scope
• domain FQDN as domain repl scope
• reverse lookup as forest repl scope

Be aware that when moving between repl scopes you are actually deleting the data from one scope and adding it to the other scope. That may cause some DNS query failures for a short time until repl finishes. Nothing to worry about, just be aware.

michael1 posted this 29 January 2020

Replace dc1.domain.tld in the command below with the IP address.

Regardless, this seems to indicate that the time port (123) is being blocked.

michael1 posted this 29 January 2020

And likely DNS too

kurtbuff posted this 29 January 2020

The PDCe seems to be set up correctly, but a GPO hadn't been configured. That's a great set of articles, so thank you for those.
Kurt

ZJORZ posted this 29 January 2020

By using the GPO, the settings follow the RWDC with the PDCe due to the WMI filter looking for it

kurtbuff posted this 29 January 2020

For now, I'm going to leave the domain as forest-replicated, and move that later.
But immediately, I'm going to create msdcs.domain.tld as a forward zone and make it forest-replicated.
I'll also start the process of moving the reverse zone to forest-replicated - that should be pretty low impact.
Kurt
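An added PowerShell example (not Kurt's or anyone else's code from this thread) of the zone work decided on above: it lists the replication scope of every AD-integrated zone on a DC, creates _msdcs.domain.tld as its own forest-scoped zone if it is missing, and moves domain-scoped reverse zones to forest scope. It assumes the DnsServer RSAT module; domain.tld and the DC name are placeholders, and nothing is changed unless -Apply is given.

```powershell
# Added example, not code from the thread. Placeholders: $Domain, $DnsServer.
param(
    [string]$Domain = 'domain.tld',          # placeholder for the real AD domain
    [string]$DnsServer = $env:COMPUTERNAME,  # run on a DC, or point at one
    [switch]$Apply                            # without -Apply the script only reports
)
Import-Module DnsServer

$msdcsZone = "_msdcs.$Domain"

# 1. Report: which AD-integrated zones replicate domain-wide and which forest-wide
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, IsReverseLookupZone, ReplicationScope |
    Sort-Object IsReverseLookupZone, ZoneName |
    Format-Table -AutoSize

# 2. _msdcs: when it exists only as a subdomain of domain.tld (the upgraded-from-2003
#    layout in the thread), create it as its own forest-scoped zone. The server answers
#    from the most specific zone, so the new zone wins over the old subdomain; DCs
#    re-register their records there on the next Netlogon cycle (or nltest /dsregdns).
$existing = Get-DnsServerZone -ComputerName $DnsServer -Name $msdcsZone -ErrorAction SilentlyContinue
if (-not $existing) {
    Write-Host "Zone $msdcsZone is missing"
    if ($Apply) {
        Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $msdcsZone `
            -ReplicationScope Forest -DynamicUpdate Secure
    }
} elseif ($existing.ReplicationScope -ne 'Forest') {
    Write-Host "$msdcsZone exists with replication scope $($existing.ReplicationScope)"
    if ($Apply) {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $msdcsZone -ReplicationScope Forest
    }
}

# 3. Reverse zones: move domain-scoped AD-integrated reverse zones to forest scope.
#    A scope change deletes the zone from one partition and re-creates it in the
#    other, so expect brief lookup failures until replication settles.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated -and $_.IsReverseLookupZone -and $_.ReplicationScope -eq 'Domain' } |
    ForEach-Object {
        Write-Host "Reverse zone $($_.ZoneName) is domain-scoped"
        if ($Apply) {
            Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $_.ZoneName -ReplicationScope Forest
        }
    }
```

Run it once without -Apply and compare the report against the diagram in the thread before making changes.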

kurtbuff posted this 29 January 2020

Same result after replacing with IP address.
Unfortunately, I'm not conversant enough with the firewalls to validate the assertion that there's no filtering. I'll have to work with the firewall guy to see if we can work through that.
Kurt

kurtbuff posted this 29 January 2020

I caught that - I am just about ready to giggle over that; it's a great approach, as far as I'm concerned.
Kurt

michael1 posted this 29 January 2020

Do name lookups work externally? That is, can you do a

     nslookup yahoo.com 8.8.8.8

If yes, but you can't replace the 8.8.8.8 with your DC's IP address, then DNS is blocked.

Can you replace your (properly configured) time service with time.windows.com (temporarily), restart the services, and get time data? If so, but your properly configured service fails, then time is blocked.

Not trying to teach g'ma how to suck eggs, but just something you might not have thought of.

ElasticSky posted this 29 January 2020

Hi Kurt,

Use PortQry to confirm the firewall status. It’s a fantastic tool for this sort of stuff.

Kind regards,

Glen
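An added PowerShell example (not from the thread) that runs the checks michael1 and Glen describe from a host at the remote site: direct DNS queries to each DC, including the _msdcs SRV record, TCP port probes with Test-NetConnection in place of PortQry, and an NTP probe on UDP/123 with w32tm /stripchart. The DC address list, the port list and domain.tld are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: $Domain, $DcAddresses.
param(
    [string]$Domain = 'domain.tld',
    [string[]]$DcAddresses = @('10.5.40.21'),          # placeholder; list every DC
    [int[]]$TcpPorts = @(53, 88, 135, 389, 445, 464, 3268)
)

function Test-DcDns {
    param([string]$Dc)
    # Query the DC directly (-Server, -DnsOnly): a timeout here is the network path
    # between this site and the DC, not the local resolver or its cache.
    try {
        $a   = Resolve-DnsName -Name $Domain -Server $Dc -Type A -DnsOnly -ErrorAction Stop
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Server $Dc -Type SRV -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ DC = $Dc; Check = 'DNS (UDP/53)'; Result = "ok: $($a.Count) A, $($srv.Count) SRV" }
    } catch {
        [pscustomobject]@{ DC = $Dc; Check = 'DNS (UDP/53)'; Result = "FAIL: $($_.Exception.Message)" }
    }
}

function Test-DcTcp {
    param([string]$Dc)
    # Test-NetConnection only probes TCP; it covers LDAP, Kerberos, SMB, RPC and GC here.
    foreach ($p in $TcpPorts) {
        $r = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $Dc; Check = "TCP/$p"; Result = $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED/closed' }) }
    }
}

function Test-DcNtp {
    param([string]$Dc)
    # /stripchart sends real NTP requests on UDP/123; a data line looks like
    # "08:13:04, +00.0012345s", while an "error:" line means no reply came back.
    $out = & w32tm /stripchart /computer:$Dc /samples:2 /dataonly 2>&1
    $ok  = [bool]($out | Select-String -Pattern '^\d\d:\d\d:\d\d,\s*[+-]\d' -Quiet)
    [pscustomobject]@{ DC = $Dc; Check = 'NTP (UDP/123)'; Result = $(if ($ok) { 'reply received' } else { 'FAIL: ' + ($out -join ' ') }) }
}

$results = foreach ($dc in $DcAddresses) {
    Test-DcDns -Dc $dc
    Test-DcTcp -Dc $dc
    Test-DcNtp -Dc $dc
}
$results | Format-Table -AutoSize
```

A DNS or NTP failure alongside open TCP ports points at UDP filtering on the path, which is the pattern the thread's symptoms (w32tm GetDcList failing, nslookup timing out, RDP clock-skew error) would produce.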

kurtbuff posted this 29 January 2020

Ya know that's a good thought. In the heat of the moment I overlooked that.
It indeed doesn't work, but that might be because we specifically don't allow name resolution to outside DNS servers, reserving that to our internal servers.
I'll check with the firewall guy to see if that's the case.
Kurt