Troubleshooting Active Directory—Related DNS Problems

On This Page

Overview
Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration
Troubleshooting Domain Controller Locator DNS Records Registration Failure
Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller
Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain

Overview

Active Directory functionality depends on the proper configuration of the DNS infrastructure. This includes the following:

  • DNS client configuration, including domain controllers, domain members, and other computers.

  • DNS server and zone configuration and proper delegations in parent DNS zones.

  • Presence of DNS domain controller locator records.

Table 2.4 shows the DNS records that are required for proper Active Directory functionality.

Table 2.4 Required DNS Records

Mnemonic

Type

DNS Record

Requirements

Pdc

SRV

_ldap._tcp.pdc._msdcs.<DnsDomainName>

One per domain

GC

SRV

_ldap._tcp.gc._msdcs.<DnsForestName>

At least one per forest

GcIpAddress

A

_gc._msdcs.<DnsForestName>

At least one per forest

DsaCname

CNAME

<DsaGuide>._msdcs.<DnsForestName>

One per domain controller

Kdc

SRV

_kerberos._tcp.dc._msdcs.<DnsDomainName>

At least one per domain

Dc

SRV

_ldap._tcp.dc._msdcs.<DnsDomainName>

At least one per domain

 

A

<DomainControllerFQDN>

One per domain controller (domain controllers that have multiple IP addresses can have more than one A resource record)

Following the best practices recommendations regarding DNS configuration from the beginning of the deployment is key for successful Active Directory deployment and operations. For more information about best practices for Active Directory design and deployment, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources/ Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks.

For comprehensive information about troubleshooting DNS problems, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

For more information about troubleshooting WINS name resolution problems, see "Windows Internet Name Service" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit. For an online version of this book, see https://www.microsoft.com/windows2000/techinfo/reskit/default.asp.

Table 2.5 shows common events and symptoms that indicate DNS problems and points to sections where solutions can be found.

Table 2.5 Netlogon Events that Indicate DNS Problems

Event or Symptom

Root Cause

Solution

Netlogon Event ID 5774

The domain controller cannot dynamically register DNS records that advertise its availability as a domain controller.

Troubleshoot domain controller locator DNS records registration failure.

Netlogon Event ID 5775

The domain controller cannot dynamically register DNS records that advertise its availability as a domain controller.

Troubleshoot domain controller locator DNS records registration failure.

Netlogon Event ID 5781

The domain controller cannot dynamically register DNS records that advertise its availability as a domain controller.

Troubleshoot domain controller locator DNS records registration failure.

Netlogon Event ID 5783

The source server listed in the error message was unable to complete a remote procedure call (RPC) call to the destination server. Most commonly, this means that either the source server could not locate the server in DNS or the RPC interface on the destination server is not working.

If the source server could not locate the server in DNS, troubleshoot Active Directory replication failure due to incorrect DNS configuration.

If this is not a DNS problem, troubleshoot RPC problems.

Active Directory Installation Wizard failed because it was unable to locate a domain controller

In order to add a server to an existing forest, the Active Directory Installation Wizard must be able to find a domain controller in the domain or the forest.

Troubleshoot Active Directory Installation Wizard failure to locate domain controller.

Unable to join a domain

The failure might be due to being unable to locate a domain controller, which usually indicates DNS problems.

Troubleshoot failure to locate domain controller when attempting to join a domain.

Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration

Improper DNS configuration can lead to a wide variety of failures, because all Active Directory services depend on the ability of the devices to locate domain controllers, which is performed through DNS queries.

Procedures for Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration

  1. Verify DNS records and determine whether all the necessary DNS records of the source domain controller exist in the DNS server used by the destination domain controller.

  2. If the destination domain controller is able to resolve the necessary DNS records, the problem is most likely with network connectivity or a stopped or malfunctioning Active Directory-related service. Use the Ping command to verify network connectivity between the source domain controller and the destination domain controller.

    If the Ping command fails, you must troubleshoot network connectivity between the source domain controller and the destination domain controller. For more information about troubleshooting network connectivity, see "TCP/IP Troubleshooting" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

    If you are able to ping the destination domain controller, troubleshoot Active Directoryrelated services. Verify that they are started and functional. For more information about troubleshooting Active Directoryrelated services, see "Verifying Service Health" in this guide, or see the individual sections in this guide for each service.

    If you are unable to resolve the problem, contact either your designated support provider or Microsoft Product Support Services.

  3. If the destination domain controller is not able to resolve the necessary DNS records, then the problem is most likely with DNS configuration.

    1. Verify network configuration to ensure that the preferred and alternate DNS server settings specified in the IP configuration of the destination domain controller are correct. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources/. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks.

    2. If the settings for the destination domain controller are incorrect, change the configuration, flush the DNS cache, and retry the operation that failed.

      or

      If the client settings for the destination domain controller are configured correctly, verify that the primary zone that is authoritative for the CNAME resource record for <DSAGuid>._msdcs.<ForestName> allows dynamic updates. (DSAGuid is a value of the objectDSA attribute of the NTDS Settings container for the Server object corresponding to the source domain controller.)

      At a command prompt on the source domain controller, type the following command and press ENTER:

dcdiag /test:registerindns /dnsdomain

    If the primary zone that is authoritative for the CNAME resource record does not allow dynamic updates, [enable secure dynamic updates](bb727062\(v=technet.10\).md) on this zone.
    
    Repeat this step for the A resource record of the source domain controller.

3.  [Verify network configuration](bb727062\(v=technet.10\).md) to ensure that the preferred and alternate DNS server settings specified in the IP configuration of the source domain controller are correct. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at <https://www.microsoft.com/windows/reskits/webresources/> Search under "Planning & Deployment Guides" and download *Best Practice Active Directory Design for Managing Windows Networks* and *Best Practice Active Directory Deployment for Managing Windows Networks*.

4.  If the settings for the source domain controller are incorrect, change the configuration, [flush the DNS cache](bb727062\(v=technet.10\).md), and [stop and start the Net Logon](bb727062\(v=technet.10\).md) service.

5.  Verify that the required DNS resource records are registered on the destination domain controller. At a command prompt, type the following command and press ENTER:
    
    <pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">

dcdiag /test:connectivity

6.  [Flush the DNS cache](bb727062\(v=technet.10\).md) and retry replication.
  1. If the problem continues, it might be due to a problem with DNS data replication. Review your DNS design to determine whether it includes end-to-end DNS replication. Determine whether DNS replication is failing due to an Active Directory replication failure. For more information about detecting and troubleshooting an Active Directory replication failure, see "Troubleshooting Active Directory Replication" in this guide.

  2. If the problem continues, configure the IP settings of the affected domain controllers so that they all have the same primary and secondary DNS servers. Then stop and start Net Logon, flush the DNS cache, and retry the operation that failed. This is a temporary configuration that you can use to recover from the failure, but be sure to return to the original configuration that you designed based on the recommendations provided in Best Practice Active Directory Design for Managing Windows Networks. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources/ Search under "Planning & Deployment Guides" and download Best Practice Active Directory Deployment for Managing Windows Networks.

  3. If the problem continues, see more DNS troubleshooting information in "Windows 2000 DNS" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

Troubleshooting Domain Controller Locator DNS Records Registration Failure

Presence of the event IDs 5774, 5775, or 5781 logged by the Net Logon service in the System Event Log indicate that the corresponding domain controller cannot dynamically register DNS records that advertise its availability as a domain controller. The consequence of this failure is that domain controllers, domain members, and other devices cannot locate this domain controller. As a result, other domain controllers might not be able to replicate from this domain controller. In addition, other computers might not be able to join this domain, and you might not be able to add other domain controllers to this domain (unless other domain controllers for this domain have successfully registered domain controller Locator DNS records).

Procedures for Troubleshooting Domain Controller Locator DNS Records Registration Failure

  1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the domain controller are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources/ Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If the problem persists, continue to the next step.

  2. At a command prompt, type the following command and press ENTER:

dcdiag /test:registerindns /dnsdomain:FQDN /v

  1. Follow the recommendations provided in the output.

Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller

To install Active Directory on a server in an existing Active Directory forest, the server must be able to locate a domain controller for the same domain (if you are adding a domain controller to an existing domain) or for the forest root domain.

Procedures for Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller

  1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the server that is being promoted are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources/ Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If the problem persists, continue to the next step.

  2. At a command prompt, type one of the following commands and press ENTER:

dcdiag /test:dcpromo /dnsdomain:FQDN /NewTree /ForestRoot:Forest_Root_Domain_DNS_Name/v dcdiag /test:dcpromo /dnsdomain:FQDN /ChildDomain /v dcdiag /test:dcpromo /dnsdomain:FQDN /ReplicaDC /v

This tests the existing DNS infrastructure to see whether a domain controller can be promoted.
  1. Follow the recommendations provided in the output.

Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain

Failure to join a computer to an existing Active Directory domain because the computer cannot locate a domain controller for the domain is usually caused by incorrect DNS configuration.

Procedures for Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain

  1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the computer attempting to join the domain are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources/. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If there is still a problem, continue to the next step.

  2. At a command prompt, type the following and press ENTER:

netdiag /test:dsgetdc /d:DomainName /v

  1. If any of the tests fail, follow the recommendations provided in the output.