4

I have two domain controllers set up something like this:

ServerA.mydomain.local: 10.10.10.2 (Windows Server 2008)
ServerB.mydomain.local: 10.10.10.3 (Windows Server 2008 R2)

For login scripts and the like, I use the path: \\mydomain.local\netlogon

This seems to always default to ServerB. If I turn off or restart ServerB (a process which takes several minutes), attempting to visit \\mydomain.local does not flip to ServerA. If I ping mydomain.local, it always returns the IP address of ServerB, even when it has been turned off.

I thought this was supposed to be a round-robin system.

Why am I seeing this behavior, and how can I fix it?

Chris S
Force Flow
  • By "domain servers" do you mean "domain controllers"? and can you navigate to `\\serverA\netlogon`? – MDMarra Jun 01 '12 at 14:02
  • Yes, I can reach the server by its direct name. – Force Flow Jun 01 '12 at 14:04
  • A couple of things to check here... First, do both controllers run DNS? Second, are both domain controllers listed as the SOA and NS for the domain? Third, are all of your clients configured to use both DNS servers? Last, what does "nslookup mydomain.local" return? – Brent Pabst Jun 01 '12 at 14:05
  • Both servers are running DNS. ServerA lists ServerA as the SOA, and ServerB lists ServerB as the SOA. NS records list both server names on both servers. No, clients are only configured for 10.10.10.2. nslookup returns "unknown" for 10.10.10.2 and "mydomain.local" for 10.10.10.3. – Force Flow Jun 01 '12 at 14:11
  • On serverA, if I add 10.10.10.3 to DHCP's DNS entries, it is added. On serverB, if I add 10.10.10.3 to DHCP's DNS entries, I get the error after verification: "The IP address 10.10.10.3 is not a valid DNS address, do you still want to add it?" – Force Flow Jun 01 '12 at 14:21

3 Answers

3

There's not really enough information here to answer your question, but hopefully some of this can give you a better understanding of how Active Directory functions and maybe you'll be pointed on the right path.

For login scripts and the like, I use the path: \\mydomain.local\netlogon

mydomain.local is a DNS zone that lives on the DNS servers for your Active Directory. By default, new domain controllers register A records for themselves in this zone and they also register A records for the zone name itself as their IP. The records should be in the mydomain.local zone and look like this:

(Same as parent folder) Host(A) 10.10.10.2 <timestamp>
(Same as parent folder) Host(A) 10.10.10.3 <timestamp>

If you do nslookup mydomain.local the DNS server should return a list of all domain controllers. If not, you're missing an A record at the very least.

If one of those is missing, you should re-create it manually and do some root-cause analysis to find why it's missing. When a client tries to look up \\mydomain.local in this case, it is doing it by the A record.

You should also check the _msdcs zone and make sure that both servers are listed there where they should be. If you can log on while serverB is offline, then this zone is likely OK.

You should use dcdiag.exe just to make sure that both domain controllers are in fact healthy and functioning properly.


Also, if you're not running DNS on both DCs, you should and your clients should use both servers for DNS.

Also, the DCs should use each other as the primary server for name resolution and themselves as secondaries to prevent replication issues. Just to clarify, this means:

serverA
Primary DNS    10.10.10.3
Secondary DNS  127.0.0.1

serverB
Primary DNS    10.10.10.2
Secondary DNS  127.0.0.1

If you don't do this, you run the risk of breaking replication in certain situations.

MDMarra
  • The A records already exist. ServerA passes dcdiag.exe. On serverB, everything passed except for the ServerLog. There was a whole list of error log entries for DNS for "the dynamic registration of the DNS record failed". In the ServerB event logs, there are multiple errors and warnings. The errors give the message event ID 408: "The DNS server could not open socket for address 172.17.0.3. " – Force Flow Jun 01 '12 at 14:33
  • So, when you run `nslookup mydomain.local serverA.mydomain.local` and `nslookup mydomain.local serverB.mydomain.local` they both return both server IPs? And are your domain controllers configured as I suggested? This would resolve any replication or resolution issues. – MDMarra Jun 01 '12 at 14:35
  • nslookup for ServerA returns "server: unknown, address:10.10.10.2, name:ymca.local, address:10.10.10.3" nslookup for ServerB returns "DNS request timed out" – Force Flow Jun 01 '12 at 14:39
  • @ForceFlow Each server, in the Network Configuration, the DNS servers are set to Primary: ServerX (the other server) Secondary: 127.0.0.1. With nothing else. Right? – Chris S Jun 01 '12 at 14:40
  • Both servers have a primary address of 127.0.0.1 and nothing for secondary. – Force Flow Jun 01 '12 at 14:53
  • Yeah, that's a problem. Fix that, let replication happen, and see if you still have issues. – MDMarra Jun 01 '12 at 14:54
  • should primary be 127.0.0.1 and secondary the other server? – Force Flow Jun 01 '12 at 15:02
  • Yes. Each server should be the secondary for the other. As you add more DNS servers you keep adding DNS servers to the list. This gives you round-robin DNS searches. – Brent Pabst Jun 01 '12 at 15:09
  • Looks like everything is working now. Thank you, I appreciate the troubleshooting :) – Force Flow Jun 01 '12 at 15:22
  • @BrentPabst That's wrong. 127.0.0.1 should never be listed as the primary DNS server on a DC unless it's the **only** DC. There are multiple technet articles on this. Doing so can cause replication "islands" which is never a good thing. – MDMarra Jun 01 '12 at 16:42
  • @MDMarra you'll have to send me those links, I've seen numerous multi-dc setups before where the local machine was listed first and then the other servers listed after that, never had any issue. – Brent Pabst Jun 01 '12 at 16:58
  • @BrentPabst [this](http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx) is the link that I usually give. – MDMarra Jun 01 '12 at 17:02
  • @MDMarra +1, Thanks. Good info. I guess I could see how this could happen. Surprised it's able to though. Better solution, just use the externally bound IPs whenever possible. – Brent Pabst Jun 01 '12 at 17:06
  • I've seen listing 127.0.0.1 as the standard approach for the server NIC's DNS server as well. But, this is also assuming that you have local DNS services *and* DNS Forwarders to an external Internet-based DNS. – Force Flow Jun 02 '12 at 04:10
  • @ForceFlow it has nothing to do with external name resolution and everything to do with internal replication. – MDMarra Jun 02 '12 at 10:26
1

Based on the fact that DHCP is complaining when you try to add the server IP address I suggest you check the following:

At a Prompt:

C:\> nslookup
> server servera
> mydomain.local

Run this for both Server A & B. If you don't get a response from either of them you may have two issues:

  1. DNS Service is not running or enabled
  2. Firewall may be blocking traffic to the server

Let us know if the commands both come back properly.

Brent Pabst
  • nslookup for ServerA returns "server: unknown, address:10.10.10.2, name:ymca.local, address:10.10.10.3" nslookup for ServerB returns "DNS request timed out". ServerB has the DNS running and the services are in the "Started" state. The firewall has the auto-added firewall rules for DNS enabled. – Force Flow Jun 01 '12 at 14:41
  • OK, neither server appears to have PTR records, but that's OK. However, I see two other problems. First, ymca.local should have returned two IPs, one for server A and another for server B; check your DNS A records again. Second, you need to do some checking with Server B, as the request is getting lost somewhere between your keyboard and the server. You can check to see if it's a DNS problem by simply running the Server B test again but swapping in the IP address instead of the DNS name on the second command. – Brent Pabst Jun 01 '12 at 14:46
  • Using the 10.10.10.3 IP address instead of the server's name still results in a timeout. – Force Flow Jun 01 '12 at 15:00
  • Yea, check the connection, service, and allowed ports, something isn't right there. – Brent Pabst Jun 01 '12 at 15:08
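The check that MDMarra's and Brent Pabst's answers above both describe (ask each DC's own DNS service for the zone apex and expect every DC's address back, or a timeout when that DC's DNS service is unreachable), as an added Python example that is not part of either answer. It assumes the two DC addresses and the mydomain.local zone name from the question, and sends the query as a raw UDP DNS packet so that no third-party resolver library is needed.

```python
import socket
import struct
DOMAIN = "mydomain.local"                 # constructed: zone apex from the question
DC_IPS = {"10.10.10.2", "10.10.10.3"}     # constructed: both DCs from the question

def build_a_query(name, txid=0x1234):      # minimal A query, recursion desired
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, off):                 # step past a name, incl. compression pointers
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_answers(data):                 # IPv4 addresses in the answer section
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:                     # RCODE != 0 (e.g. NXDOMAIN): no answers
        return set()
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4    # skip QTYPE + QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            ips.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def query_a(server_ip, name, timeout=2.0): # ask one server, like nslookup's `server` command
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server_ip, 53))
        try:
            return parse_a_answers(s.recvfrom(512)[0])
        except socket.timeout:             # the "DNS request timed out" case
            return None

def missing_from(answer_ips, expected):    # 'timeout' if no reply, else DC IPs not returned
    return "timeout" if answer_ips is None else sorted(expected - answer_ips)

def check_dcs(dc_ips=DC_IPS, name=DOMAIN): # every DC should return every DC's address
    return {dc: missing_from(query_a(dc, name), dc_ips) for dc in sorted(dc_ips)}
```

Running `check_dcs()` from a client that can reach both DCs gives an empty list per DC when the "(Same as parent folder)" A records are complete; a non-empty list points at a missing A record on that DC, and `'timeout'` means the DNS service or port 53 on that DC is the problem rather than the zone data.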
0

If nslookup shows a DNS timeout (2 seconds), it generally means you are missing a pointer record for that server. Add a pointer record in the reverse zone to correct the "unknown" issue in nslookup and queries. I know this question is old. I just thought I would let anyone who has this issue know how to correct it.