AD Issue ... Windows 10 or the Domain?

BRRABill

LOL, yeah I don't really have a choice.

BRRABill

DCDIAG results...

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC04
      Starting test: Connectivity
         ......................... DC04 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC04
      Starting test: Replications
         ......................... DC04 passed test Replications
      Starting test: NCSecDesc
         ......................... DC04 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC04 passed test NetLogons
      Starting test: Advertising
         ......................... DC04 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC04 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC04 passed test RidManager
      Starting test: MachineAccount
         ......................... DC04 passed test MachineAccount
      Starting test: Services
         ......................... DC04 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC04 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC04 passed test frssysvol
      Starting test: frsevent
         ......................... DC04 passed test frsevent
      Starting test: kccevent
         ......................... DC04 passed test kccevent
      Starting test: systemlog
         ......................... DC04 passed test systemlog
      Starting test: VerifyReferences
         ......................... DC04 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : brra
      Starting test: CrossRefValidation
         ......................... brra passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... brra passed test CheckSDRefDom

   Running enterprise tests on : brra.com
      Starting test: Intersite
         ......................... brra.com passed test Intersite
      Starting test: FsmoCheck
         ......................... brra.com passed test FsmoCheck

BRRABill

I think I have found the culprit.

When I added the most recent DC, I demoted another one, named ORCA.(I am a JAWS fan, what can I say?)

In DCDIAG DNS testing, that server is still listed, and as an error. I looked through the AD DNS and noticed it is still in there in multiple places.

Is it safe/proper to delete all orphaned entries/mentions of that?

From DCDIAG:

            DNS server: 10.0.2.1 (orca.domain.com.)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.2.1
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.) - Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1]

dbeato

@brrabill said in AD Issue ... Windows 10 or the Domain?:

I think I have found the culprit.

When I added the most recent DC, I demoted another one, named ORCA.(I am a JAWS fan, what can I say?)

In DCDIAG DNS testing, that server is still listed, and as an error. I looked through the AD DNS and noticed it is still in there in multiple places.

Is it safe/proper to delete all orphaned entries/mentions of that?

From DCDIAG:

            DNS server: 10.0.2.1 (orca.domain.com.)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.2.1
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.) - Delegation is broken for the domain _msdcs.domain.com. on the DNS server 10.0.2.1]

yes, it is okay to removed them. I have been cleaning AD DNS for a long time and this always happens. Yesterday I did the same for a domain that had this issue for months.

dbeato

@brrabill said in AD Issue ... Windows 10 or the Domain?:

Still on "Server 2003"

I know, I know ... working as fast as I can to get all this upgraded.

Literally almost to the point of being able to upgrade to 2016, but had a few road bumps, and now this road bump.

That doesn't affect functionality on the domain also. I would just make sure there is no other Server 2003 as a DC and upgrade to the lowest DC OS you have.

BRRABill

When you run dcdiag /dns ... do you get errors with the root servers, such as this?

DNS server: 198.41.0.4 (a.root-servers.net.)
2 test failures on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

dbeato

@brrabill said in AD Issue ... Windows 10 or the Domain?:

When you run dcdiag /dns ... do you get errors with the root servers, such as this?

DNS server: 198.41.0.4 (a.root-servers.net.)
2 test failures on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

No, I don't

BRRABill

I had it on all the root hint servers, and also the forwarders.

  The A record for this DC was found
  The SOA record for the Active Directory zone was found
  The Active Directory zone on this DC/DNS server was found
  Root zone on this DC/DNS server was not found

  TEST: Forwarders/Root hints (Forw)
           Recursion is enabled
           Root hint Information:
              Name: a.root-servers.net. IP: 198.41.0.4 [Invalid]
              Name: b.root-servers.net. IP: 192.228.79.201 [Invalid]
              Name: b.root-servers.net. IP: 199.9.14.201 [Invalid]
              Name: c.root-servers.net. IP: 192.33.4.12 [Invalid]
              Name: d.root-servers.net. IP: 199.7.91.13 [Invalid]
              Name: e.root-servers.net. IP: 192.203.230.10 [Invalid]
              Name: f.root-servers.net. IP: 192.5.5.241 [Invalid]
              Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
              Name: h.root-servers.net. IP: 198.97.190.53 [Invalid]
              Name: i.root-servers.net. IP: 192.36.148.17 [Invalid]
              Name: j.root-servers.net. IP: 192.58.128.30 [Invalid]
              Name: k.root-servers.net. IP: 193.0.14.129 [Invalid]
              Name: l.root-servers.net. IP: 199.7.83.42 [Invalid]
              Name: m.root-servers.net. IP: 202.12.27.33 [Invalid]

BRRABill

Well, except for "G" ... WTH?

BRRABill

BTW:

Turns out the issue was a 1803 thing.

Maybe it is just my environment, but have never had to enable SMB1 before.

Though I did have a couple errors in DNS that I also fixed while I was in there.

And of course the errors above that I posted. Though everything is working perfectly.

JaredBusch

@brrabill said in AD Issue ... Windows 10 or the Domain?:

BTW:

Turns out the issue was a 1803 thing.

Maybe it is just my environment, but have never had to enable SMB1 before.

Though I did have a couple errors in DNS that I also fixed while I was in there.

And of course the errors above that I posted. Though everything is working perfectly.

SMBv1 Is recently just disabled on all new windows systems

BRRABill

@jaredbusch said in AD Issue ... Windows 10 or the Domain?:

@brrabill said in AD Issue ... Windows 10 or the Domain?:

BTW:

Turns out the issue was a 1803 thing.

Maybe it is just my environment, but have never had to enable SMB1 before.

Though I did have a couple errors in DNS that I also fixed while I was in there.

And of course the errors above that I posted. Though everything is working perfectly.

SMBv1 Is recently just disabled on all new windows systems

Probably why this is the first time I have seen it.

And assuming any upgrades would just keep it.

BRRABill

BTW: those DNS errors were caused by using an older version of DCDIAG, apparently.

Installed newest version and it works like a charm.

DustinB3403

@jaredbusch I've heard this before, but has anyone actually checked to see if it is disabled.

On 2016 that we just recently deployed it is active by default when configuring it as a file server.

BRRABill

I had to go into the Features section of the 1803 client (fresh install) and enable it.

BRRABill

It also warned that the share (when trying to connect to the domain) was insecure and SMB1.

dbeato

@dustinb3403 said in AD Issue ... Windows 10 or the Domain?:

@jaredbusch I've heard this before, but has anyone actually checked to see if it is disabled.

On 2016 that we just recently deployed it is active by default when configuring it as a file server.

It is disabled by default on RS3 of Server 2016 onwards.

dbeato

@brrabill said in AD Issue ... Windows 10 or the Domain?:

I had to go into the Features section of the 1803 client (fresh install) and enable it.

Yeah, makes sense since Server 2003 still uses SMBv1.

IRJ

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously question IT and business leadership for making this decision.

EOL was over 4 years ago!!!!!! seroiously WTF is your company doing? and like @JaredBusch said at least dont use it for DCs?

dbeato

@irj said in AD Issue ... Windows 10 or the Domain?:

I hate to be rude, but using 2003 as DCs is asking the company and IT to bend over and just take it. I would seriously questions IT and business leadership for making this decision.

I am not sure if the they have but @BRRABill will explain better. Sometimes reality is different than what we feel needs to be done.