I have a single Windows 2008 R2 server configured as a domain controller with Active Directory Domain Services and DNS Server.

The DNS Server was recently uninstalled and reinstalled in an attempt to fix a (possibly unrelated) problem; the event log was previously flooded with errors (#4000, "The DNS Server was unable to open Active Directory...") which reinstalling did not fix. However, while before it was at least showing and resolving names from the local network (slowly), now it's showing nothing at all.

(The original error started with a #4015 error "The DNS server has encountered a critical error from the Active Directory," followed by a long string of #4000 and a few #4004. This may have been caused when a new DNS name was recently added, but I can't be sure of the timing.)

Attempting to manage the DNS through Administrative Tools > DNS brings up an error:

The server SERVERNAME could not be contacted.
The error was:
Access was denied.

Would you like to add it anyway?

Selecting yes just puts a SERVERNAME item on the list, but with all the configuration options grayed out.

I attempted editing my hosts file as per this post but to no avail.

Running dcdiag, it does identify the home server properly, but fails right away testing connectivity with:

Starting test: Connectivity
The host blahblahblahyaddayaddayadda could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... SERVERNAME failed test Connectivity

Adding the blahblahblahyaddayaddayadda address to hosts (pointing at 127.0.0.1), the connectivity test succeeded but it didn't seem to solve the fundamental problem (Access was denied) so I hashed it out again.

Primary DNS server is properly pointing at 127.0.0.1 according to ipconfig /all. And the DNS server is forwarding requests to external addresses properly (if slowly), but the resolving of local network names is borked.

The DNS database itself is small enough that I am (grudgingly) able to rebuild it if need be, but the DNS Server doesn't seem willing to let me work with (or around) it at all.

(And yes, before you ask, there are no system backups available.)

Where do I go from here?


As requested, my (slightly obfuscated) dcdiag output:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = bulgogi

   * Identified AD Forest.
 Done gathering initial info.


Doing initial required tests

       Testing server: Obfuscated\BULGOGI

      Starting test: Connectivity

         The host a-whole-lot-of-numbers._msdcs.obfuscated.address

         could not be resolved to an IP address. Check the DNS server, DHCP,

         server name, etc.

         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... BULGOGI failed test Connectivity



Doing primary tests

       Testing server: Obfuscated\BULGOGI

      Skipping all tests, because server BULGOGI is not responding to directory

      service requests.


       Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

       Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

       Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

       Running partition tests on : obfuscated

      Starting test: CheckSDRefDom

         ......................... obfuscated passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... obfuscated passed test CrossRefValidation

       Running enterprise tests on : obfuscated.address

      Starting test: LocatorCheck

         ......................... obfuscated.address passed test LocatorCheck

      Starting test: Intersite

         ......................... obfuscated.address passed test Intersite

And my hosts file (minus the hashed lines for brevity):

127.0.0.1       localhost
::1             localhost

And, for the sake of completion, here are selected chunks of my (5000-line plus) netstat -a -n output:

  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49158          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49164          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49178          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49179          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50480          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING
  TCP    192.168.12.127:53      0.0.0.0:0              LISTENING
  TCP    192.168.12.127:139     0.0.0.0:0              LISTENING
  TCP    192.168.12.127:445     192.168.12.50:51118    ESTABLISHED
  TCP    192.168.12.127:3389    192.168.12.4:33579     ESTABLISHED
  TCP    192.168.12.127:3389    192.168.12.100:1115    ESTABLISHED
  TCP    192.168.12.127:50784   192.168.12.50:49174    ESTABLISHED
  TCP    [::]:88                [::]:0                 LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:389               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:464               [::]:0                 LISTENING
  TCP    [::]:593               [::]:0                 LISTENING
  TCP    [::]:636               [::]:0                 LISTENING
  TCP    [::]:3268              [::]:0                 LISTENING
  TCP    [::]:3269              [::]:0                 LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [::]:9389              [::]:0                 LISTENING
  TCP    [::]:47001             [::]:0                 LISTENING
  TCP    [::]:49152             [::]:0                 LISTENING
  TCP    [::]:49153             [::]:0                 LISTENING
  TCP    [::]:49154             [::]:0                 LISTENING
  TCP    [::]:49155             [::]:0                 LISTENING
  TCP    [::]:49157             [::]:0                 LISTENING
  TCP    [::]:49158             [::]:0                 LISTENING
  TCP    [::]:49164             [::]:0                 LISTENING
  TCP    [::]:49178             [::]:0                 LISTENING
  TCP    [::]:49179             [::]:0                 LISTENING
  TCP    [::]:50480             [::]:0                 LISTENING
  TCP    [::1]:53               [::]:0                 LISTENING
  TCP    [::1]:389              [::1]:49745            ESTABLISHED
  TCP    [::1]:389              [::1]:49746            ESTABLISHED
  TCP    [::1]:389              [::1]:52383            ESTABLISHED
  TCP    [::1]:389              [::1]:52493            ESTABLISHED
  TCP    [::1]:389              [::1]:52494            ESTABLISHED
  TCP    [::1]:389              [::1]:52498            ESTABLISHED
  TCP    [::1]:49745            [::1]:389              ESTABLISHED
  TCP    [::1]:49746            [::1]:389              ESTABLISHED
  TCP    [::1]:52383            [::1]:389              ESTABLISHED
  TCP    [::1]:52493            [::1]:389              ESTABLISHED
  TCP    [::1]:52494            [::1]:389              ESTABLISHED
  TCP    [::1]:52498            [::1]:389              ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:53  [::]:0                 LISTENING
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:135  [fe80::f1da:cb41:d0f5:5c0e%20]:52495  ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:445  [fe80::f1da:cb41:d0f5:5c0e%20]:51057  ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:445  [fe80::f1da:cb41:d0f5:5c0e%20]:52506  ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:49158  [fe80::f1da:cb41:d0f5:5c0e%20]:52501  ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:51057  [fe80::f1da:cb41:d0f5:5c0e%20]:445  ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:52495  [fe80::f1da:cb41:d0f5:5c0e%20]:135  ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:52496  [fe80::f1da:cb41:d0f5:5c0e%20]:49158  TIME_WAIT
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:52500  [fe80::f1da:cb41:d0f5:5c0e%20]:135  TIME_WAIT
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:52501  [fe80::f1da:cb41:d0f5:5c0e%20]:49158  ESTABLISHED
  TCP    [fe80::f1da:cb41:d0f5:5c0e%20]:52506  [fe80::f1da:cb41:d0f5:5c0e%20]:445  ESTABLISHED
  UDP    0.0.0.0:123            *:*                    
  UDP    0.0.0.0:500            *:*                    
  UDP    0.0.0.0:1645           *:*                    
  UDP    0.0.0.0:1645           *:*                    
  UDP    0.0.0.0:1646           *:*                    
  UDP    0.0.0.0:1646           *:*                    
  UDP    0.0.0.0:1812           *:*                    
  UDP    0.0.0.0:1812           *:*                    
  UDP    0.0.0.0:1813           *:*                    
  UDP    0.0.0.0:1813           *:*                    
  UDP    0.0.0.0:4500           *:*                    
  UDP    0.0.0.0:5355           *:*                    
  UDP    0.0.0.0:59638          *:*                    

<snip a few thousand lines>

  UDP    0.0.0.0:62140          *:*                    
  UDP    127.0.0.1:53           *:*                    
  UDP    127.0.0.1:49540        *:*                    
  UDP    127.0.0.1:49541        *:*                    
  UDP    127.0.0.1:53655        *:*                    
  UDP    127.0.0.1:54946        *:*                    
  UDP    127.0.0.1:58345        *:*                    
  UDP    127.0.0.1:63352        *:*                    
  UDP    127.0.0.1:63728        *:*                    
  UDP    127.0.0.1:63729        *:*                    
  UDP    127.0.0.1:64215        *:*                    
  UDP    127.0.0.1:64646        *:*                    
  UDP    192.168.12.127:53      *:*                    
  UDP    192.168.12.127:67      *:*                    
  UDP    192.168.12.127:68      *:*                    
  UDP    192.168.12.127:88      *:*                    
  UDP    192.168.12.127:137     *:*                    
  UDP    192.168.12.127:138     *:*                    
  UDP    192.168.12.127:389     *:*                    
  UDP    192.168.12.127:464     *:*                    
  UDP    192.168.12.127:2535    *:*                
  UDP    [::]:123               *:*                    
  UDP    [::]:500               *:*                    
  UDP    [::]:4500              *:*                    
  UDP    [::]:5355              *:*                    
  UDP    [::]:59639             *:*                    

<snip another few thousand lines>

  UDP    [::]:64645             *:*                    
  UDP    [::1]:53               *:*                    
  UDP    [::1]:54944            *:*                    
  UDP    [::1]:54945            *:*                    
  UDP    [::1]:59637            *:*                    
  UDP    [::ffff:192.168.12.127]:1645  *:*                    
  UDP    [::ffff:192.168.12.127]:1646  *:*                    
  UDP    [::ffff:192.168.12.127]:1812  *:*                    
  UDP    [::ffff:192.168.12.127]:1813  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:53  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:88  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:389  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:464  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:1645  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:1646  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:1812  *:*                    
  UDP    [fe80::f1da:cb41:d0f5:5c0e%20]:1813  *:*                    
goldPseudo

1 Answer

-1

Have you tried installing a 2nd DC with the AD DS and DNS roles, and then seizing the FSMO roles from the old DC?

After that, you can demote the old DC and promote it at a later time.

Volodymyr Molodets
  • That would've been my next course of action had I a second such system to work with. Stuck on the single system until I can talk the powers that be into funding a redundant (not holding my breath). – goldPseudo Nov 09 '12 at 09:00
  • -1 - I can't get behind an answer that includes "seize FSMO roles" so soon into the "resolution" process. That aside, he's not going to be able to put up a replica DC because DNS isn't working! – Evan Anderson Nov 09 '12 at 09:46
  • Yes, maybe this is a little bit too fast and radical an approach, but trying to install a 2nd DC will not have any critical impact on the current situation, at the same time - seizing FSMO roles - Yes. – Volodymyr Molodets Nov 09 '12 at 10:01