Domain – Problems with Windows Domain

Tags: active-directory, domain

I have a problem in a Windows Domain. About the creation of this domain I can not tell very much – I got this job last month, without a proper handover due to illness of the main admin.
What I know is the following:
we have one domain contoso-5.contoso-hq.old (contoso-hq is not under our control – kind of a wide area network with other companies) with two Domain Controllers, dc01 and dc02 (Windows Server 2003). My predecessor started to build a new Domain contoso.new with Domain Controllers dc04, dc05 (both Windows Server 2012 R2, physical servers) and dc06 (Windows Server 2008 R2, virtualized on VMware ESX).
We configured a trust relationship between the two domains.

dc05 is the PDC, DHCP and DNS; dc4 is Infrastructure Master, also DNS and failover DHCP.

After starting a monitoring system, I saw a lot of errors on the domain controllers. One that I still can't resolve only comes on dc04, but appears exactly every 4 hours and 4 minutes:

This computer was not able to set up a secure session with a domain controller in domain CONTOSO.NEW due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

Running dcdiag shows two errors:

 Starting test: Advertising

     Warning: dc04 is not advertising as a time server.

     ......................... dc04 failed test Advertising

and

  Starting test: LocatorCheck

     Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355

     A Primary Domain Controller could not be located.

     The server holding the PDC role is down.

     ......................... contoso.new failed test LocatorCheck

(All other tests pass.)

To the first error: our network connection to the world is very restricted: we have a proxy server that only allows ports 80 and 443; all other ports need to be requested at Contoso HQ. So there was never a time sync with an external source. Now I have configured dc05 (PDC) to get time from the Contoso HQ NTP server. All other clients and servers are getting the new time from dc05, but not dc04.
w32tm /query /status shows:

    Leap Indicator: 3(last minute has 61 seconds)
    Stratum: 0 (unspecified)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 0.0000000s
    ReferenceId: 0x00000000 (unspecified)
    Last Successful Sync Time: unspecified
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)

I already compared the registry entries of dc4 and dc6 (which is getting time from dc05 like it should); they look the same. Also tried w32tm unregister, resync; nothing changed it.

It seems like dc04 does not even recognize dc05 as a domain controller. The DNS and DHCP replication is working fine, I can ping dc05 from dc04, and nslookup is working from both DCs to internal and external targets. nslookup contoso.new shows the IP addresses of dc4, dc5 and dc6.

On dc04 I have another error; I'm not sure if this has something to do with it:

"Name resolution for the name 2.0.0.2.ip6.arpa timed out after none of the configured DNS servers responded."

The DNS configuration on dc04 is the same as on dc05.

After hours of internet searches my only option now is to remove DC04 from the domain and reinstall it. But I would be glad if anyone could save me that trouble and has an idea what is going on in my system…

And by the way, if you ask yourself what happened to dc03… I'm asking myself the same question… Could an uncleanly removed DC03 cause these problems?

Thanks for helping!

EDIT

As asked by STTR, here are the results from cmd of a normal client (Win7) (it's a German system, tell me if you need any translations):

"ipconfig /all"

    Windows-IP-Konfiguration

       Hostname . . . . . . . . . . . . : GPO-TEST-TH
       Primäres DNS-Suffix . . . . . . . : domain.com
       Knotentyp . . . . . . . . . . . . : Hybrid
       IP-Routing aktiviert . . . . . . : Nein
       WINS-Proxy aktiviert . . . . . . : Nein
       DNS-Suffixsuchliste . . . . . . . : domain.com

    Ethernet-Adapter LAN-Verbindung:

       Verbindungsspezifisches DNS-Suffix: domain.com
       Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
       Physikalische Adresse . . . . . . : xx-xx-xx-xx-xx-xx
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
       Verbindungslokale IPv6-Adresse . : xxxx::xxxx:e24c:xxxx:xxxx%13(Bevorzugt)
       IPv4-Adresse . . . . . . . . . . : xxx.xxx.43.4(Bevorzugt)
       Subnetzmaske . . . . . . . . . . : 255.255.255.0
       Lease erhalten. . . . . . . . . . : Dienstag, 17. Februar 2015 09:27:00
       Lease läuft ab. . . . . . . . . . : Freitag, 20. Februar 2015 09:27:00
       Standardgateway . . . . . . . . . : xxx.xxx.43.254
       DHCP-Server . . . . . . . . . . . : xxx.xxx.182.69
       DHCPv6-IAID . . . . . . . . . . . : 277879566
       DHCPv6-Client-DUID. . . . . . . . : xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-18-B6-30
       DNS-Server . . . . . . . . . . . : xxx.xxx.182.67
                                           xxx.xxx.182.66
                                           xxx.xxx.80.51
       NetBIOS über TCP/IP . . . . . . . : Aktiviert

    Tunneladapter isatap.domain.com:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix: domain.com
       Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter
       Physikalische Adresse . . . . . . : xx-xx-xx-xx-xx-xx
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

    Tunneladapter LAN-Verbindung* 3:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft-6zu4-Adapter
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

    Tunneladapter LAN-Verbindung* 9:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft-Teredo-Tunneling-Adapter
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

"nslookup domain.com"

    Server:  dc04.domain.com
    Address:  xxx.xxx.182.67

    Name:    domain.com
    Addresses:  xxxx:xxxx:xxxx::c1c5:b648
                xxxx:xxxx:xxxx::c1c5:b645
                xxxx:xxxx:xxxx::c1c5:b643
                xxx.xxx.182.72
                xxx.xxx.182.69
                xxx.xxx.182.67

"net view domain.com"

    Freigegebene Ressourcen auf domain.com

    Freigabename  Typ    Verwendet als  Kommentar
    -------------------------------------------------
    NETLOGON      Platte                Logon server share
    SYSVOL        Platte                Logon server share
    Der Befehl wurde erfolgreich ausgeführt.

"cd \domain.com\"

"cd \domain.com\SYSVOL\domain.com\"

"cd \domain.com\SYSVOL\domain.com\Policies"

"dsquery server -domain domain.com -isgc"

"nslookup gc._msdcs.domain.com"

    Server:  dc04.domain.com
    Address:  xxx.xxx.182.67

    Name:    gc._msdcs.domain.com
    Addresses:  xxxx:xxxx:xxxx::c1c5:b643
                xxxx:xxxx:xxxx::c1c5:b645
                xxx.xxx.182.67
                xxx.xxx.182.69

Best Answer

Please test these commands at a workstation in the domain and add the output in an answer, changing the DNS suffix to domain.com in the output:

  • ipconfig /all
  • nslookup %USERDNSDOMAIN%
  • net view %USERDNSDOMAIN%
  • cd \\%USERDNSDOMAIN%\
  • cd \\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\
  • cd \\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\Policies
  • dsquery server -domain %USERDNSDOMAIN% -isgc
  • nslookup gc._msdcs.%USERDNSDOMAIN%
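As an added example (written for this page, not part of the question or the answer above), the same kind of check run on the affected DC instead of a client: it resolves the locator SRV records that the PDC lookup in the Netlogon event depends on, asks the DC locator for the PDC directly, and reports the W32Time source and AnnounceFlags behind the dcdiag Advertising and LocatorCheck failures. The domain name is taken from the question; running it elevated on dc04 is an assumption.

```powershell
# Added example: DC locator and time-source check for a non-PDC domain controller.
# Assumption: run in an elevated PowerShell on dc04; the domain name comes from the question.
param([string]$Domain = 'contoso.new')

$report = [ordered]@{}

# The PDC emulator is found through this SRV record. A missing record, or one that still
# points at a retired DC, is enough to make DcGetDcName(PDC_REQUIRED) fail with error 1355.
$pdc = Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
$report['PDC SRV record'] = if ($pdc) { ($pdc.NameTarget) -join ', ' } else { 'MISSING' }

# Which DCs actually registered locator records; A records on the zone apex are not enough.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
$report['DC SRV records'] = if ($dcs) { ($dcs.NameTarget | Sort-Object -Unique) -join ', ' } else { 'MISSING' }

# Ask the DC locator itself for the PDC; this is the lookup the Netlogon event describes.
$nl = & nltest.exe "/dsgetdc:$Domain" /pdc 2>&1
$report['nltest /dsgetdc /pdc'] = if ($LASTEXITCODE -eq 0) {
    ($nl | Select-String 'DC:' | Select-Object -First 1).Line.Trim()
} else { "FAILED: $($nl -join ' ')" }

# Time source: 'Local CMOS Clock' on a non-PDC DC means it never synchronised with the PDC.
$report['w32tm source'] = (& w32tm.exe /query /source 2>&1) -join ' '

# AnnounceFlags decides whether this DC advertises as a time server (dcdiag Advertising test).
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -ErrorAction SilentlyContinue
$report['W32Time AnnounceFlags'] = if ($cfg) { '0x{0:X}' -f $cfg.AnnounceFlags } else { 'unreadable' }

# One line per check so the output can be pasted next to the dcdiag results.
$report.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```

A PDC SRV record that names a host other than dc05, or a DC SRV list that omits dc04, points at stale DNS registration rather than at the time service itself.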