Domain error no such domain


I have 3 domain controllers:
2x 2008
1x 2003 server

When I use nltest /server:dcN.domain.local /sc_verify:domain.local
I get an OK status on 2 of them;
on one of them I get
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I did some tests, and when I moved the «Domain Role Owner» role from the server that had the error to another DC, the error moved as well.

Is there any connection between the Domain Role Owner role and the 1355 error?

To be more clear:

  1. dc1 server
    FSMO role «domain owner role»
    testing nltest /sc_verify:domain.local
    error: I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

  2. dc2 server
    no FSMO role
    testing nltest /sc_verify:domain.local
    success

Now I move the FSMO domain owner role to server DC2:

  1. dc1 server
    FSMO none
    testing nltest /sc_verify:domain.local
    success

  2. dc2 server
    FSMO role «domain owner role»
    testing nltest /sc_verify:domain.local
    error: I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

asked Nov 22, 2010 at 15:38 by Elgreco08 (edited by Ben Pilbrow)

«nltest /sc_verify:domain.com» is not a reliable test to check the current secure channel status, because it reports the last known state.

If the SC is broken you'll get replication errors and access denied in, e.g., dcdiag logs.

If replication is good, then the SC is good. Verify with, e.g., «repadmin /replsum».

answered Nov 26, 2010 at 10:10 by Elgreco08

It is strange that the error moved with the Domain Role Owner. I checked with a domain with a 2008 and a 2003 DC and got the error on the one not holding the role and the error stayed there after transferring the role to this server.

answered Nov 30, 2010 at 1:34 by boston

This is a normal error. I deployed a test domain with two Domain Controllers, because I had exactly the same error in my production environment. Additionally, the following would also normally generate an error:

netdom verify DC2 /domain:test.local

The specified domain either does not exist or could not be contacted.
The command failed to complete successfully.

After I opened a support ticket with Microsoft, they told me that it is normal. I deployed a test forest similar to my production forest, and the results are the same.

Don't worry about this result. This will also occur in Windows Server 2012 R2, and it will always occur on the Domain Controller holding the PDC role.

answered Oct 2, 2017 at 14:10 by Paul Andres Pedroza M (edited by Cory Knutson)
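The rule this thread converges on (a 1355 from /sc_verify is expected only on the DC that currently holds the PDC emulator role, and replication health is the better test of the secure channel) can be turned into a per-DC check. This is an added PowerShell example, not code from the thread; it assumes the ActiveDirectory RSAT module is installed and that nltest.exe and repadmin.exe are on the path of an account allowed to query AD and the Netlogon service on each DC.

```powershell
# Added example, not from the thread. Runs nltest /sc_verify against every DC of the domain,
# marks which one holds the PDC emulator role, and grades the result with the rule from
# this thread: 1355 ERROR_NO_SUCH_DOMAIN is expected on the PDC emulator only.
# Assumes: ActiveDirectory module (RSAT), nltest.exe and repadmin.exe available.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-NltestStatus {
    # Parses nltest output into a status code; nltest prints failures to stdout as
    # "I_NetLogonControl failed: Status = <dec> <hex> <SYMBOL>".
    param([string]$NltestOutput)
    if ($NltestOutput -match 'I_NetLogonControl failed: Status = (\d+) (0x[0-9a-fA-F]+) (\S+)') {
        return [pscustomobject]@{ Status = [int]$Matches[1]; Symbol = $Matches[3] }
    }
    if ($NltestOutput -match 'The command completed successfully') {
        return [pscustomobject]@{ Status = 0; Symbol = 'NERR_Success' }
    }
    # Anything else (RPC server unavailable, access denied, ...) is reported verbatim.
    return [pscustomobject]@{ Status = -1; Symbol = ($NltestOutput -split "`n")[0].Trim() }
}

function Get-Verdict {
    param([int]$Status, [bool]$IsPdc)
    if ($Status -eq 0)                { return 'OK' }
    if ($Status -eq 1355 -and $IsPdc) { return 'EXPECTED: PDC emulator is the source of the secure channel' }
    if ($Status -eq 1355)             { return 'INVESTIGATE: 1355 on a non-PDC DC (DNS, firewall, multihoming)' }
    return 'INVESTIGATE'
}

$ad  = Get-ADDomain -Identity $Domain
$pdc = $ad.PDCEmulator            # FQDN of the DC currently holding the PDC emulator FSMO role

$results = foreach ($dc in $ad.ReplicaDirectoryServers) {
    $raw    = & nltest.exe "/server:$dc" "/sc_verify:$Domain" 2>&1 | Out-String
    $parsed = Get-NltestStatus -NltestOutput $raw
    $isPdc  = ($dc -ieq $pdc)
    [pscustomobject]@{
        DC      = $dc
        PDC     = $isPdc
        Status  = $parsed.Status
        Symbol  = $parsed.Symbol
        Verdict = Get-Verdict -Status $parsed.Status -IsPdc $isPdc
    }
}
$results | Format-Table -AutoSize

# As the accepted answer notes, /sc_verify reports the last known state; a broken secure
# channel shows up as replication failures, so cross-check with repadmin.
& repadmin.exe /replsum
```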


Error no such domain 1355


SOLUTION: the problem was a firewall blocking requests to the domain controllers.

We have a Windows 2008 domain, my.domain.local, with two domain controllers, one of which, ad1.my.domain.local, is also the DNS server.
Everything worked fine until one day errors about being unable to contact the domain controllers started appearing in the logs on every server on the network.
Indeed, on every server the command nltest /dclist:my.domain.local returns:
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
Yet if the same command is run on the domain controller itself, everything is found normally:
nltest /dclist:my.domain.local
Get list of DCs in domain 'my.domain.local' from '\\ad1.my.domain.local'.
ad1.my.domain.local [PDC] [DS] Site: mysite
AD2.my.domain.local [DS] Site: mysite
The command completed successfully

dcdiag reports no errors.

DNS for the domain seems to work fine: on every server, running nslookup _ldap._tcp.mysite._sites.my.domain.local
gives

_ldap._tcp.mysite._sites.my.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ad2.my.domain.local
_ldap._tcp.mysite._sites.my.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ad1.my.domain.local
ad2.my.domain.local internet address = xxx.xxx.xxx.xxx
ad2.my.domain.local AAAA IPv6 address = xxxx:xxxx:xxxx::xxxx:xxxx
ad1.my.domain.local internet address = xxx.xxx.xxx.xxx

How else can I work out where the problem might be?

Error no such domain 1355

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.


Question

I get the following error (I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN) on our PDC when running the NLTEST command. As mentioned before in all the forums I've read relating to this error, we have numerous domain controllers and this fault/error only pops up on the PDC.

I have disabled all firewall settings within the OS and the AV endpoint. However, I highly doubt that this is the problem, as these are set by policies that apply to all DCs.

We have a trust with one of our subsidiaries in South Africa, where our Exchange is hosted; they report that this is causing issues on their side. I would like to confirm this: is this error related to the DC hosting the PDC role, or is there somewhere else I need to start investigating? Other individuals stated in the forums that when they move the PDC role, the error moves with it.

Make sure the DC is not multihomed. Please disable unused NICs on the DC.

Also make sure DNS is set up properly and there is no name resolution problem. Verify that SRV records are registered in DNS properly: http://support.microsoft.com/kb/241515

If nothing helps, post DCDiag /q results from your PDC.

MCSA|MCITP SA|Microsoft Exchange 2003 Blog — http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Please exclude http://support.microsoft.com/kb/253096, as you didn't mention the OS version. Please post the complete command you use; no problem to change domain names, BUT keep the format.

Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP — Directory Services
My Blog: http://msmvps.com/blogs/mweber/

Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

COMMAND>nltest /server:SERVER (PDC) /sc_QUERY:DOMAIN
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

OS Version in Post : Server 2008 R2

DCDIAG /Q Results run on PDC , with elevated rights

C:\>dcdiag /q
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=fnb,DC=root
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=x,DC=x
. server failed test NCSecDesc
An error event occurred. EventID: 0x0000165B
Time Generated: 07/11/2012 11:30:35
Event String:
The session setup from computer 'x' failed because the security database does not contain a trust account 'x$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 07/11/2012 11:32:59
Event String:
The session setup from the computer x failed to authenticate. The following error occurred:
. x failed test SystemLog


Error no such domain 1355


Question

We have two Active Directory domain forests. We need to enable a two-way trust between both domains so as to enable resource sharing. Below are the details:

1. Domain 1 - Functional level 2003 - All DCs are on 2008 R2 OS

2. Domain 2 - Functional level 2003 - All DCs are on Win 2003.

The ports below are open bi-directionally, as these domains are separated by a firewall:

389 UDP+TCP, 445 TCP, 88 UDP+TCP, 135 TCP, 53 TCP+UDP, 3268 TCP

A conditional forwarder has been added on both domains' DNS and points to the respective domain controller IP.

While creating the domain trust, after entering the domain name only two options come up: 1. to create a realm trust, and the other a trust with a Windows domain. Ideally this option should not come up, as both my domains are Windows domains. Also, on clicking Next the trust wizard finishes saying it cannot continue. When running NLTEST /dsgetdc: domain FQDN from either domain I get the error below:

Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Just to mention, while creating the trust we checked the connection log in the firewall, and only the above-mentioned ports were being hit from one DC IP to the other DC IP, and the connection was successful. This was to be sure I am not missing any ports which are required and communication is not opened.
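Both this trust question and the LiveJournal post above (SRV records resolve from member servers, yet nltest /dclist fails because a firewall drops traffic to the DCs) come down to the same two prerequisites: the target DCs must be discoverable through DNS SRV records and reachable on the required ports. The script below is an added PowerShell example, not code from either thread; it assumes a Windows 8 / Server 2012 or newer admin host for Resolve-DnsName, partner.example is a placeholder for the other forest's DNS name, and the TCP port list is the one from the question.

```powershell
# Added example, not from either thread. Pre-flight check before creating a forest trust:
# (1) can the partner domain's DCs be located through DNS SRV records (what
#     nltest /dsgetdc relies on), (2) are the TCP ports listed in the question reachable
#     on each of them. Assumes Windows 8 / Server 2012 or later for Resolve-DnsName.
param(
    [string]$PartnerDomain = 'partner.example',             # placeholder for the other forest
    [int[]] $TcpPorts      = @(53, 88, 135, 389, 445, 3268)  # TCP ports from the question
)

function Test-TcpPort {
    # Plain socket connect with a short timeout: a firewall that silently drops packets
    # is then reported in seconds rather than after the default TCP connect timeout.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT (filtered?)' }
        $client.EndConnect($async)
        return 'OPEN'
    } catch {
        return "CLOSED ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

function Get-PartnerDcSrv {
    # The DC locator looks up _ldap._tcp.dc._msdcs.<domain>; if the conditional forwarder
    # does not deliver this record, DsGetDcName fails with 1355 ERROR_NO_SUCH_DOMAIN.
    param([string]$DomainName)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
}

$srv = Get-PartnerDcSrv -DomainName $PartnerDomain
if (-not $srv) {
    Write-Warning "No SRV record for _ldap._tcp.dc._msdcs.$PartnerDomain; fix the conditional forwarder first."
    return
}

# Probe every advertised DC on every TCP port from the question.
$report = foreach ($rec in $srv) {
    foreach ($port in $TcpPorts) {
        [pscustomobject]@{
            DC     = $rec.NameTarget
            Port   = $port
            Result = Test-TcpPort -Target $rec.NameTarget -Port $port
        }
    }
}
$report | Format-Table -AutoSize

# Caveats the port list in the question does not cover: TCP 135 only reaches the RPC endpoint
# mapper, after which the trust wizard's LSA/Netlogon RPC calls use a port from the dynamic
# RPC range (49152-65535 on Server 2008 and later, 1025-5000 on Server 2003), and the UDP
# variants of 53/88/389 cannot be checked with a TCP connect.

# Finally run the same locator call the question did, bypassing the locator cache.
& nltest.exe "/dsgetdc:$PartnerDomain" /force
```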


Error no such domain 1355


Question

I have a domain with two Windows Server 2008 DCs, let's say DC01 and DC02. Both DCs are DNS servers authoritative for the domain. DC01 holds all FSMO roles, including PDC Emulator.

The problem is that sometimes one can't access various domain-related resources: two examples are frequent lags when opening domain DFS shares, and a failed Exchange 2010 SP1 installation that logged «DC is no longer available» but later succeeded on another installation attempt (and the DC was up all the time). I think I narrowed the problem down to the PDC Emulator role, which simply doesn't seem to respond properly. I was able to transfer the PDC Emulator role from DC01 to DC02 to test whether the problem is related to the underlying server, but it seems the problem just moved with the role.

Here is an excerpt from the nltest command (DC02 is the PDC here):

You also can't find the PDC Emulator using the /dcname switch:

There are no suspicious entries in either DC's event logs. In spite of the PDC problem, it seems that the PDC role itself works fine, because users can change passwords, log in on a workstation for the first time, etc. Nonetheless, I believe something is wrong now. I checked the DNS domain zone and all important entries, including SRVs, are in place.

I'd appreciate any suggestions about where to start troubleshooting.

Answers

I would like to confirm that can you read any error message from the Event Viewer?

According to our internal material, this behavior is expected when this command is issued on the PDC for its own domain. The PDC is the source of the secure channel.

Sometimes, high load on domain controllers and firewalls can cause some network connectivity lags. You may read the following Microsoft TechNet articles for configuring Windows Firewall and troubleshooting network connectivity.

Active Directory Replication over Firewalls

I also would like to collect the following information to check whether the domain controllers are healthy. For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose «Send Files to Microsoft»)

Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between ‘(‘ and ‘)’ when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.

dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt

repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt

If you have any feedback on our support, please contact tngfb@microsoft.com .

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


Thank you for your time! I uploaded the text files containing dcdiag, repadmin and dnslint output. DC02 is the PDC there.

Regarding the rest of your post:

1. I can read all event logs without issues.

2. Firewalls are disabled on DCs and member servers.

3. Quick note: running nltest /dcname:contoso.com gets NERR_DCNotFound as I said, but running /dcname:CONTOSO (with NetBIOS name) gets correct results. Also the behavior of using nltest /sc_verify against PDC that you mentioned seems to explain the ERR_NO_SUCH_DOMAIN error.

4. I wouldn’t say I have highly loaded DCs as there is about 10 member web servers and about 20 workstations. I’d say it’s relatively small environment.

There are in fact some warnings and errors in dcdiag and dnslint outputs. I’m looking forward to hearing from you about them!

if you upload the files also to Windows Sky drive we can also follow them and help you.

The PDC Emulator role is not used to access resources on domain servers, so this can't be the reason for your problem. An unedited ipconfig /all can also help to start excluding some problems.

Is the second DC also Global catalog server, this is essential for Exchange, this requires access to GCs?

Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

I have uploaded the log files “Wojciech Kowasz” provided to my SkyDrive for our further research. Here is the public link: http://cid-49401e22fd9c1bd2.office.live.com/self.aspx/.Public/tests.zip.

Here are the error message I find in dcdiag.txt:

Summary of test results for DNS servers used by the above domain

DNS server: 198.32.64.12 (l.root-servers.net.)

2 test failure on this DNS server

PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:500:1::803f:235 (h.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:500:2f::f (f.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:7fe::53 (i.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

Based on the current situation, I would like to suggest you clear the DNS server cache by the command: Dnscmd ServerName /clearcache and the client machines’ DNS cache by the command: ipconfig /flushdns. For more information, please refer to the following Microsoft TechNet articles:

Clear the server names cache

Flush and reset a client resolver cache using the ipconfig command

In addition, please also disable IPv6 to test the issue. For the detailed steps, please refer to the following Microsoft KB article:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008

If it does not work, please also upload the output of the command: ipconfig /all of the domain controllers and client machine to SkyDrive as “Meinolf Weber” required for our further research.


Please make sure the correct values for «Missing Expected Value» exist according to:

Also you should run adprep /rodcprep to remove the error message in dcdiag about «Starting test: NCSecDesc»; not a problem or required, but it keeps the output cleaner and doesn't require running RODCs.

Additionally, check the useraccountcontrol flag setting with:

Keep in mind that you use a public IP range on the DCs, and you are open to attackers that way. Better reconfigure your design, use a private IP range on them, and connect to the internet via a router/firewall. Why is the public IP range used on them? At least you have to configure the firewall properly.

Which IP addresses do your domain members use? If they are in the private IP range you have a problem with DNS, I assume, so please post an unedited ipconfig /all from a domain machine with problems.

Best regards, Meinolf Weber

Sorry for the delay. I uploaded ipconfigs on my SkyDrive: http://cid-8bda2ed637ed7df5.office.live.com.

Some quick facts:

— all servers use public IP addresses
— IPv6 is already disabled on all servers
— firewall is disabled as well
— both DCs are Global Catalogs
— UAC is configured so that Admin-Approval is disabled (maybe this is why useraccountcontrol flag setting is incorrect?)

I don’t know what do you mean about the attackers part? The fact that I use public IP address on DCs with firewall disabled does not necessary mean that there is no firewall above. There is, of course, and only DNS traffic is allowed to DCs from the Internet. DNS is also the reason why the public addresses are there.

I’ll look into your suggestions with FRS parameter, RODC-related schema extensions and DNS cache clearing.

edit:

About «Missing expected value» error in dcdiag:

I did find out that msDFSR-ComputerReferenceBL attribute on both DCs here is Not Set so I guess that’s why the error pops out. I also found this post: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2ce07c3f-9956-4bec-ae46-055f311c5d96/ but unfortunately there is no guide on how to change that attribute because it’s read only.

As a side note, I use FRS for SYSVOL replication and never tried to migrate it to DFS-R. I have some DFS-R groups in the domain but DCs are not members of any of them. Is this parameter really needed then and why it’s Not Set (I assume it’s a default value).

To modify the «Missing expected value» settings, make sure to use RUNAS or an elevated command prompt to change them. Also make sure the account used is a member of Enterprise Admins.

Best regards, Meinolf Weber

Unfortunately, although I ran dsa.msc and adsiedit.msc as an administrator, the Add field is grayed out so I cannot modify this parameter.

The error message "Missing expected value" on msDFSR-ComputerReferenceBL is mostly caused by the DC using NTFRS to replicate SYSVOL instead of DFSR.

To fix this issue, I would like to suggest you use DFSR for replication of SYSVOL. For the detailed steps, please refer to the following Microsoft TechNet article:

SYSVOL Replication Migration Guide: FRS to DFS Replication


can you describe exactly the negative symptoms you are seeing that prompted you to search for help? What exactly made you conclude that this is related to PDC Emulator?

As Arthur has pointed out, the nltest behavior you mentioned is expected when being run on the PDC Emulator itself. In regard to DFS delay, are you using domain-based DFS implementation? Have you tried running network trace to determine what exactly is happening when a client attempts to contact a DFS target?

There is no single symptom that prompted me to search for help.

I see my applications failing from time to time and want to troubleshoot it. The most important symptom is my IIS application that fails several times a week (I mean, the application pool itself fails and w3wp.exe is terminated) due to being unable to access shared folders located on other servers. I don't think it's DFS-related, because when I changed the UNC path to point directly to the underlying file servers, the issue was still there. Then I saw other errors, like the Exchange setup that failed with a «DC01 is no longer available» error when it was up and running all the time, and even 10 minutes later the installation succeeded when run for the second time. I also saw some strange errors in the DCs' Security event logs that stated «account doesn't exist» for my IIS application's context, which had successfully logged in a few minutes before and later on. That makes me think that an Active Directory problem is the root issue here.

So, as you can see, there are a few «weird» situations and I just want to look into them and see if it can improve. It’s hard to troubleshoot by, say, network trace because I would have to capture all-day-long network traffic to catch just the exact moment when the issues occur. It may be seconds that matter here.

I tied the whole problem with PDC Emulator because I observed the ERR_NO_SUCH_DOMAIN on PDC server but didn’t know it’s a «by design» behavior. That was something (easy to explain) I could escalate on the forums and I did. By the way, it really should be documented somewhere. I did google it extensively and had no luck finding any information that it’s ok to see such an error on PDC.

So, to sum up this thread, my question actually was answered (I marked it) even though it didn't help. I don't think that following advice like rodcprep or migrating to DFSR replication could really help here. At the same time, however, I don't expect more, because I know it's hard to help when you don't know what the problem exactly is 🙂 So I think we should stop here. Thank you for your time! 🙂 I think maybe I will open up another thread on the IIS forums to see if we can debug the failing apppool issue (maybe it's not AD, after all).


Hello!
Apologies in advance for the muddle.
Disaster struck. The whole domain is down.
There are 3 domain controllers in total: DC1 and DC4 in one site, DC3 in another.
It started when the main controller (DC1) suddenly and irrecoverably died. After futile attempts to restore it from the only system state backup, we decided to build a new one following this guide: https://technet.microsoft.com/ru-ru/library/cc785849.aspx
DC4 seized the roles. Everything went fine until the SYSVOL step. For some reason NTFRS replication to the newly built DC1 would not start, and the failed attempts to bring it to life left the entire domain completely non-functional.
I'll admit honestly that I tried the recipe from the first comment here: http://eventid.net/display.asp?eventid=13568&eventno=1743&source=NtFrs&phase=1
At first the errors disappeared and normal messages appeared, and then I set «Enable Journal Wrap Automatic Restore» back to 0 on all domains. Possibly that is when it all started.
When trying to log in, a user gets the message «The system cannot log you on due to the following error: The specified domain either does not exist or could not be contacted.»
DC4 (the main one, to which all the principal roles were transferred):
C:\Documents and Settings\admin>netdiag

…………………………………

Computer Name: DC4
DNS Host Name: dc4.concord.com
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 6 Stepping 5, GenuineIntel
List of installed hotfixes :
KB2570791
KB2998527
KB3013410
KB957097
KB958644
KB958687
Q147222

Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : dc4
IP Address . . . . . . . . : 192.168.0.14
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 192.168.0.1
Primary WINS Server. . . . : 192.168.0.10
Secondary WINS Server. . . : 192.168.0.14
Dns Servers. . . . . . . . : 192.168.0.14
192.168.0.10

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Failed
The test failed. We were unable to query the WINS servers.

Global results:

Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{DCDCBD18-BEB6-425A-A017-B97CFEC98B49}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
PASS — All the DNS entries for DC are registered on DNS server ‘192.168.0.14
‘ and other DCs also have some of the names registered.
PASS — All the DNS entries for DC are registered on DNS server ‘192.168.0.10
‘ and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{DCDCBD18-BEB6-425A-A017-B97CFEC98B49}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{DCDCBD18-BEB6-425A-A017-B97CFEC98B49}
The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Failed
[FATAL] Cannot find DC in domain ‘CONCORD’. [ERROR_NO_SUCH_DOMAIN]

DC list test . . . . . . . . . . . : Failed
‘CONCORD’: Cannot find DC to get DC list from [test skipped].

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Skipped
‘CONCORD’: Cannot find DC to get DC list from [test skipped].

LDAP test. . . . . . . . . . . . . : Failed
Cannot find DC to run LDAP tests on. The error occurred was: The specified d
omain either does not exist or could not be contacted.

[WARNING] Cannot find DC in domain ‘CONCORD’. [ERROR_NO_SUCH_DOMAIN]

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run «netsh ipsec dynamic show /?» for more detailed information

The command completed successfully

C:\Documents and Settings\admin>ntfrsutl ds
NTFRS CONFIGURATION IN THE DS
SUBSTITUTE DCINFO FOR DC
FRS DomainControllerName: (null)
Computer Name : DC4
Computer DNS Name : dc4.concord.com

BINDING TO THE DS:
ldap_connect : dc4.concord.com
DsBind : dc4.concord.com

NAMING CONTEXTS:
SitesDn : CN=Sites,cn=configuration,dc=concord,dc=com
ServicesDn : CN=Services,cn=configuration,dc=concord,dc=com
DefaultNcDn: DC=concord,DC=com
ComputersDn: CN=Computers,DC=concord,DC=com
DomainCtlDn: OU=Domain Controllers,DC=concord,DC=com
Fqdn : CN=DC4,OU=Domain Controllers,DC=concord,DC=com
Searching : Fqdn

COMPUTER: DC4
DN : cn=dc4,ou=domain controllers,dc=concord,dc=com
Guid : a7f4fd77-6f6b-491d-8ac256fab14c9a88
UAC : 0x00082000
Server BL : CN=DC4,CN=Servers,CN=Akonit,CN=Sites,CN=Configuration,DC=concord,
DC=com
Settings : cn=ntds settings,cn=dc4,cn=servers,cn=akonit,cn=sites,cn=configur
ation,dc=concord,dc=com
DNS Name : dc4.concord.com
WhenCreated : 2/12/2009 9:20:44 Russia TZ 2 Standard Time Russia TZ 2 Standa
rd Time [-180]
WhenChanged : 10/3/2015 19:32:52 Russia TZ 2 Standard Time Russia TZ 2 Stand
ard Time [-180]

SUBSCRIPTION: NTFRS SUBSCRIPTIONS
DN : cn=ntfrs subscriptions,cn=dc4,ou=domain controllers,dc=concord,dc=c
om
Guid : cfb61ea1-34c8-4979-8ea72df65283a7f3
Working : c:\windows\ntfrs
Actual Working: c:\windows\ntfrs
WhenCreated : 2/12/2009 10:20:38 Russia TZ 2 Standard Time Russia TZ 2 St
andard Time [-180]
WhenChanged : 2/12/2009 10:20:38 Russia TZ 2 Standard Time Russia TZ 2 St
andard Time [-180]

SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn
=dc4,ou=domain controllers,dc=concord,dc=com
Guid : 450298ae-e734-4abf-9e4fc3f47d6baee2
Member Ref: CN=DC4,CN=Domain System Volume (SYSVOL share),CN=File Repli
cation Service,CN=System,DC=concord,DC=com
Root : c:\windows\sysvol\domain
Stage : c:\windows\sysvol\staging\domain
WhenCreated : 2/12/2009 10:20:38 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]
WhenChanged : 2/12/2009 10:20:38 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]
Subscriber Member Back Links:
cn=dc4,cn=domain system volume (sysvol share),cn=file replication service,
cn=system,dc=concord,dc=com

SETTINGS: FILE REPLICATION SERVICE
DN : cn=file replication service,cn=system,dc=concord,dc=com
Guid : 2c15400f-6070-44be-90293824d8c1648e
WhenCreated : 11/10/2001 20:28:33 Russia TZ 2 Standard Time Russia TZ 2 Stan
dard Time [-180]
WhenChanged : 2/12/2009 10:14:6 Russia TZ 2 Standard Time Russia TZ 2 Standa
rd Time [-180]

SET: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=file replication service,
cn=system,dc=concord,dc=com
Guid : d2f74eee-9985-48b1-b5d7dcb5b56d77ea
Type : 2
Primary Member: (null)
File Filter : *.tmp, *.bak, ~*
Dir Filter : (null)
FRS Flags : (null)
WhenCreated : 11/10/2001 20:35:47 Russia TZ 2 Standard Time Russia TZ 2 S
tandard Time [-180]
WhenChanged : 2/12/2009 10:15:8 Russia TZ 2 Standard Time Russia TZ 2 Sta
ndard Time [-180]

MEMBER: DC1
DN : cn=dc1,cn=domain system volume (sysvol share),cn=file replicatio
n service,cn=system,dc=concord,dc=com
Guid : 030f326e-540a-4fe5-910893e83caac413
Server Ref : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Akonit,CN=Sites,
CN=Configuration,DC=concord,DC=com
Computer Ref : cn=dc1,ou=domain controllers,dc=concord,dc=com
Cracked Domain : concord.com
Cracked Name : 00000002 CONCORD\DC1$
Cracked Domain : concord.com
Cracked Name : fffffff4 S-1-5-21-1304569826-626877892-1847928074-1758
6
Computer's DNS : dc1.concord.com
WhenCreated : 10/9/2015 22:1:55 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]
WhenChanged : 10/9/2015 22:2:32 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]

CXTION: 27A9F25E-5F90-4F2D-A9F8-920AFD54D41F
DN : cn=27a9f25e-5f90-4f2d-a9f8-920afd54d41f,cn=ntds settings,cn=d
c1,cn=servers,cn=akonit,cn=sites,cn=configuration,dc=concord,dc=com
Guid : 70be9b5b-18b1-4068-94d30f3d8436e007
Partner Dn : cn=ntds settings,cn=dc4,cn=servers,cn=akonit,cn=sites
,cn=configuration,dc=concord,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 10/9/2015 22:6:54 Russia TZ 2 Standard Time Russia TZ
2 Standard Time [-180]
WhenChanged : 10/9/2015 22:37:32 Russia TZ 2 Standard Time Russia T
Z 2 Standard Time [-180]
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

MEMBER: DC3
DN : cn=dc3,cn=domain system volume (sysvol share),cn=file replicatio
n service,cn=system,dc=concord,dc=com
Guid : d1330c13-8dfe-41ac-aa99f911e0951e9a
Server Ref : CN=NTDS Settings,CN=DC3,CN=Servers,CN=Farmproekt,CN=Si
tes,CN=Configuration,DC=concord,DC=com
Computer Ref : cn=dc3,ou=domain controllers,dc=concord,dc=com
Cracked Domain : concord.com
Cracked Name : 00000002 CONCORD\DC3$
Cracked Domain : concord.com
Cracked Name : fffffff4 S-1-5-21-1304569826-626877892-1847928074-1534
9
Computer's DNS : dc3.concord.com
WhenCreated : 3/26/2008 12:34:47 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]
WhenChanged : 2/12/2009 10:15:58 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]

CXTION: F8FDF71C-636F-42FA-BFD3-789EB493614D
DN : cn=f8fdf71c-636f-42fa-bfd3-789eb493614d,cn=ntds settings,cn=d
c3,cn=servers,cn=farmproekt,cn=sites,cn=configuration,dc=concord,dc=com
Guid : cc83954c-ec7e-4ee0-abc31ad9d5b743af
Partner Dn : cn=ntds settings,cn=dc4,cn=servers,cn=akonit,cn=sites
,cn=configuration,dc=concord,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 10/9/2015 1:9:54 Russia TZ 2 Standard Time Russia TZ
2 Standard Time [-180]
WhenChanged : 10/9/2015 21:28:15 Russia TZ 2 Standard Time Russia T
Z 2 Standard Time [-180]
Options : 0x00000005 [AutoGenCxtion OverrideNotifyDefault ]
Schedule
Day 1: ffffffffffffffffffffffff
Day 2: ffffffffffffffffffffffff
Day 3: ffffffffffffffffffffffff
Day 4: ffffffffffffffffffffffff
Day 5: ffffffffffffffffffffffff
Day 6: ffffffffffffffffffffffff
Day 7: ffffffffffffffffffffffff

MEMBER: DC4
DN : cn=dc4,cn=domain system volume (sysvol share),cn=file replicatio
n service,cn=system,dc=concord,dc=com
Guid : db9b3e11-0804-4a55-a37f3aded21aa45a
Server Ref : CN=NTDS Settings,CN=DC4,CN=Servers,CN=Akonit,CN=Sites,
CN=Configuration,DC=concord,DC=com
Computer Ref : cn=dc4,ou=domain controllers,dc=concord,dc=com
Cracked Domain : concord.com
Cracked Name : 00000002 CONCORD\DC4$
Cracked Domain : concord.com
Cracked Name : fffffff4 S-1-5-21-1304569826-626877892-1847928074-1580
9
Computer's DNS : dc4.concord.com
WhenCreated : 2/12/2009 10:20:38 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]
WhenChanged : 2/12/2009 10:20:38 Russia TZ 2 Standard Time Russia TZ 2
Standard Time [-180]

CXTION: B9410A0F-1C4B-4E81-9E23-19A174FD89F8
DN : cn=b9410a0f-1c4b-4e81-9e23-19a174fd89f8,cn=ntds settings,cn=d
c4,cn=servers,cn=akonit,cn=sites,cn=configuration,dc=concord,dc=com
Guid : da19afff-5f7c-4c28-a08298c16bdad88d
Partner Dn : cn=ntds settings,cn=dc3,cn=servers,cn=farmproekt,cn=s
ites,cn=configuration,dc=concord,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 10/9/2015 1:18:38 Russia TZ 2 Standard Time Russia TZ
2 Standard Time [-180]
WhenChanged : 10/9/2015 1:34:20 Russia TZ 2 Standard Time Russia TZ
2 Standard Time [-180]
Options : 0x00000005 [AutoGenCxtion OverrideNotifyDefault ]
Schedule
Day 1: ffffffffffffffffffffffff
Day 2: ffffffffffffffffffffffff
Day 3: ffffffffffffffffffffffff
Day 4: ffffffffffffffffffffffff
Day 5: ffffffffffffffffffffffff
Day 6: ffffffffffffffffffffffff
Day 7: ffffffffffffffffffffffff

CXTION: DD46D695-73A5-4356-A76C-F640558EB472
DN : cn=dd46d695-73a5-4356-a76c-f640558eb472,cn=ntds settings,cn=d
c4,cn=servers,cn=akonit,cn=sites,cn=configuration,dc=concord,dc=com
Guid : 82f15a02-b94e-4e52-849b14d1abf9b88b
Partner Dn : cn=ntds settings,cn=dc1,cn=servers,cn=akonit,cn=sites
,cn=configuration,dc=concord,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 10/9/2015 22:2:31 Russia TZ 2 Standard Time Russia TZ
2 Standard Time [-180]
WhenChanged : 10/9/2015 22:40:41 Russia TZ 2 Standard Time Russia T
Z 2 Standard Time [-180]
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

C:\Documents and Settings\admin>dcdiag /q
[Replications Check,DC4] A recent replication attempt failed:
From DC1 to DC4
Naming Context: CN=Schema,CN=Configuration,DC=concord,DC=com
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2015-10-10 00:49:44.
The last success occurred at 2015-10-10 00:14:25.
1 failures have occurred since the last success.
The guid-based DNS name 5d8285c5-071e-4968-8c56-cd91925ba31c._msdcs.concord.com
is not registered on one or more DNS servers.
[Replications Check,DC4] A recent replication attempt failed:
From DC1 to DC4
Naming Context: CN=Configuration,DC=concord,DC=com
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2015-10-10 00:49:47.
The last success occurred at 2015-10-10 00:29:47.
1 failures have occurred since the last success.
The guid-based DNS name 5d8285c5-071e-4968-8c56-cd91925ba31c._msdcs.concord.com
is not registered on one or more DNS servers.
Unable to connect to the NETLOGON share! (\\DC4\netlogon)
[DC4] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... DC4 failed test NetLogons
Fatal Error:DsGetDcName (DC4) call failed, error 1355
The Locator could not find the server.
......................... DC4 failed test Advertising
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC4 failed test frsevent
An Error Event occured. EventID: 0xC00038BB
Time Generated: 10/10/2015 00:48:52
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00110CD
Time Generated: 10/10/2015 00:49:00
Event String: The computer running the WINS server does not
An Error Event occured. EventID: 0x00000411
Time Generated: 10/10/2015 00:49:07
Event String: The DHCP service is not servicing any clients
An Error Event occured. EventID: 0xC0001B6F
Time Generated: 10/10/2015 00:50:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0001B70
Time Generated: 10/10/2015 00:50:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000423
Time Generated: 10/10/2015 00:55:17
Event String: The DHCP service failed to see a directory server
......................... DC4 failed test systemlog
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... concord.com failed test FsmoCheck

To make matters worse, Exchange 2010 has also been completely stuck ever since DC1 went down. I am really hoping for your prompt help, up to and including a cash reward, otherwise I am done for :-(

UPD: The problem was solved as follows:
1. Aligning the SOA of the DNS servers by correcting their settings
2. Restoring SYSVOL using BurFlags D4 on the primary and then D2 on the secondaries.
Thanks everyone for the advice!
Special thanks to poor_sysadm!
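The fix above has two parts: bringing the SOA records of the DNS servers into line, and a BurFlags D4/D2 rebuild of SYSVOL. The PowerShell below is an added example, not code from this thread or from Microsoft; it asks every name server listed for the zone for its SOA and NS records and shows which BurFlags value, if any, is currently set on the local DC, without writing anything. It assumes the DnsClient module (Windows 8.1 / Server 2012 R2 or later) and takes the zone name from the USERDNSDOMAIN environment variable.

```powershell
# Added example, not from the thread: compare the SOA each authoritative name
# server returns for the AD zone, check that all of them agree on the NS set,
# and read (never write) the NtFrs BurFlags value on this machine.
param([string]$Zone = $env:USERDNSDOMAIN)   # e.g. concord.com

# Name servers the default resolver lists for the zone.
$nsTargets = Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop |
             Where-Object { $_.Type -eq 'NS' } |
             Select-Object -ExpandProperty NameHost | Sort-Object

$soa = foreach ($ns in $nsTargets) {
    try {
        # -Server and -DnsOnly ask that server directly, bypassing cache and LLMNR/NetBIOS.
        $rec = Resolve-DnsName -Name $Zone -Type SOA -Server $ns -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
        [pscustomobject]@{
            QueriedServer = $ns
            PrimaryServer = $rec.PrimaryServer
            Serial        = $rec.SerialNumber
            Status        = 'OK'
        }
    } catch {
        [pscustomobject]@{ QueriedServer = $ns; PrimaryServer = ''; Serial = ''; Status = "FAILED: $($_.Exception.Message)" }
    }
}
$soa | Format-Table -AutoSize

# In AD-integrated zones every DNS server answers with itself as the SOA primary
# and keeps its own serial, so those may legitimately differ; a server that
# fails, or disagrees on which servers are NS for the zone, is the mismatch to fix.
foreach ($ns in $nsTargets) {
    $nsSet = Resolve-DnsName -Name $Zone -Type NS -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost | Sort-Object
    if (-not $nsSet) { Write-Warning "$ns returned no NS records for $Zone" }
    elseif (Compare-Object $nsTargets $nsSet) { Write-Warning "$ns lists a different NS set: $($nsSet -join ', ')" }
}

# FRS restore flag on this DC. 0xD4 = authoritative (the 'primary' in the fix
# above), 0xD2 = non-authoritative; anything else means no restore is pending.
# Opened via .NET because the key name contains a '/', which the PowerShell
# registry provider would treat as a path separator.
$burKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')
if (-not $burKey) {
    'No NtFrs BurFlags key: SYSVOL is DFSR-replicated or this is not a DC'
} else {
    $flag = $burKey.GetValue('BurFlags')
    $burKey.Close()
    switch ($flag) {
        0xD4    { 'BurFlags = 0xD4: authoritative SYSVOL restore pending on next FRS start' }
        0xD2    { 'BurFlags = 0xD2: non-authoritative SYSVOL restore pending on next FRS start' }
        default { 'BurFlags not set or 0: no SYSVOL restore pending' }
    }
}
```

Run it from any domain-joined machine for the DNS part; the BurFlags part only means something when run on an FRS-based DC. A server whose SOA query fails or whose NS set differs from the others is where the SOA alignment in step 1 needs to start.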

The folks at Microsoft say this about it: Link

Check the DC connections in general: Link

And finally, there is a similar thread in the newsgroups: Link

Source

0x54b error no such domain

Question

I get the following error (I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN) on our PDC when running the NLTEST command. As mentioned in all the forums I've read relating to this error, we have numerous domain controllers and this fault/error only pops up on the PDC.

I have disabled all firewall settings within the OS and the AV endpoint. However, I highly doubt that this is the problem, as these are set by policies that apply to all DCs.

We have a trust with one of our subsidiaries in South Africa, where our Exchange is hosted; they report that this is causing issues on their side. I would like to confirm this: is this error related to the DC hosting the PDC role, or is this somewhere else I need to start investigating? Other individuals stated in the forums that when they move the PDC role, the error moves with it.

All replies

Make sure the DC is not multihomed. Please disable unused NICs on the DC.

Also make sure DNS is set up properly and there is no name resolution problem. Verify SRV records are registered in DNS properly: http://support.microsoft.com/kb/241515

If nothing helps post DCDiag /q results from your PDC.

MCSA|MCITP SA|Microsoft Exchange 2003 Blog — http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
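The reply above asks for two checks: that the DC is not multihomed, and that the SRV records from KB 241515 are registered. The PowerShell below is an added example, not code from this thread or from Microsoft, that performs both without changing anything. It assumes the DnsClient and NetTCPIP modules (Windows 8.1 / Server 2012 R2 or later), takes the domain from the USERDNSDOMAIN environment variable, and uses Default-First-Site-Name as a placeholder site name that must be replaced with the DC's real site.

```powershell
# Added example, not from the thread: check the DC locator SRV records
# (Microsoft KB 241515, linked above) and warn if this DC is multihomed.
# Read-only; needs the DnsClient and NetTCPIP modules (Windows 8.1 /
# Server 2012 R2 or later). Run on the DC so the adapter checks apply to it.
param(
    [string]$Domain = $env:USERDNSDOMAIN,         # e.g. concord.com
    [string]$Site   = 'Default-First-Site-Name',  # placeholder: use the DC's real site name
    [string]$DnsServer                            # optional: query a specific DNS server
)

$resolve = @{ ErrorAction = 'Stop' }
if ($DnsServer) { $resolve['Server'] = $DnsServer }

# Records a DC must register for clients (and nltest /dsgetdc) to locate it.
# A missing _ldap._tcp.dc._msdcs entry is the usual ERROR_NO_SUCH_DOMAIN cause.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain"
    "_kerberos._tcp.dc._msdcs.$Domain"
    "_ldap._tcp.pdc._msdcs.$Domain"
    "_ldap._tcp.gc._msdcs.$Domain"
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
)

$results = foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV @resolve | Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            [pscustomobject]@{ Record = $name; Target = ''; Port = ''; TargetIP = ''; Status = 'MISSING' }
        } else {
            foreach ($r in $srv) {
                # The SRV target must itself have an A record, or the locator
                # finds a name it cannot turn into an address.
                $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' }
                [pscustomobject]@{
                    Record   = $name
                    Target   = $r.NameTarget
                    Port     = $r.Port
                    TargetIP = ($a.IPAddress -join ', ')
                    Status   = if ($a) { 'OK' } else { 'NO A RECORD' }
                }
            }
        }
    } catch {
        [pscustomobject]@{ Record = $name; Target = ''; Port = ''; TargetIP = ''; Status = "MISSING ($($_.Exception.Message))" }
    }
}
$results | Format-Table -AutoSize

# Multihoming: more than one adapter with a routable IPv4 address means the DC
# registers several addresses and clients may pick one they cannot reach.
$ips = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
       Where-Object { $_.IPAddress -notlike '169.254.*' -and $_.IPAddress -ne '127.0.0.1' }
if (@($ips).Count -gt 1) {
    Write-Warning "Multihomed: $($ips.IPAddress -join ', '). Disable unused NICs or exclude them from DNS registration."
} else {
    "Single IPv4 address bound: $($ips.IPAddress)"
}

# The host's own A records should match the addresses actually bound; a stale
# record sends clients to an address nobody answers on.
$fqdn  = "$env:COMPUTERNAME.$Domain"
$hostA = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
$stale = @($hostA.IPAddress) | Where-Object { $_ -and ($_ -notin @($ips.IPAddress)) }
if ($stale)      { Write-Warning "A records for $fqdn point at addresses not bound here: $($stale -join ', ')" }
elseif ($hostA)  { "A records for $fqdn match bound addresses" }
else             { Write-Warning "No A record for $fqdn" }
```

Any row marked MISSING or NO A RECORD is a record the DC failed to register; `ipconfig /registerdns` followed by a Netlogon restart is the usual way to re-register, and the output of the script should then come back clean before nltest is tried again.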

Please exclude http://support.microsoft.com/kb/253096, as you didn't mention the OS version. Please post the complete command you use; no problem to change domain names, BUT keep the format.

Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP — Directory Services
My Blog: http://msmvps.com/blogs/mweber/

Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

COMMAND>nltest /server:SERVER (PDC) /sc_QUERY:DOMAIN
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

OS Version in Post : Server 2008 R2

DCDIAG /Q Results run on PDC , with elevated rights

C:\>dcdiag /q
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=fnb,DC=root
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=x,DC=x
. server failed test NCSecDesc
An error event occurred. EventID: 0x0000165B
Time Generated: 07/11/2012 11:30:35
Event String:
The session setup from computer 'x' failed because the security database does not contain a trust account 'x$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 07/11/2012 11:32:59
Event String:
The session setup from the computer x failed to authenticate. The following error occurred:
. x failed test SystemLog

Source

0x54b error no such domain

Question

We have two Active Directory domain forests. We need to enable a two-way trust between both domains so as to enable resource sharing. Below are the details:

1. Domain 1 - functional level 2003 - all DCs are on 2008 R2 OS

2. Domain 2 - functional level 2003 - all DCs are on Win 2003.

The ports below are open bi-directionally, as these domains are separated by a firewall:

389 UDP+TCP, 445 TCP, 88 UDP+TCP, 135 TCP, 53 TCP+UDP, 3268 TCP

A conditional forwarder has been added on both domains' DNS and is pointing to the respective domain controller IP.

While creating the domain trust, after entering the domain name only two options come up: 1. to create a realm trust, and 2. a trust with a Windows domain. This option should not come up ideally, as both my domains are Windows domains. Also, on clicking Next the trust wizard finishes saying it cannot continue. While running NLTEST /dsgetdc:<domain FQDN> from either domain I get the error below:

Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Just to mention, while creating the trust we checked the connection log in the firewall, and only the above-mentioned ports were getting hit from one DC IP to the other DC IP, and the connection was successful. This was to make sure I am not missing any ports which are required and communication is not opened.

Source

0x54b error no such domain


SOLUTION: the problem was a firewall blocking requests to the domain controllers.

There is a Windows 2008 domain, my.domain.local, with two domain controllers, one of which, ad1.my.domain.local, also serves as the DNS server.
Everything worked fine until one day errors about being unable to contact the domain controllers started appearing in the logs on every server on the network.
Indeed, on every server the command nltest /dclist:my.domain.local gives:
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
Yet if the same command is run on the domain controller itself, everything is found fine:
nltest /dclist:my.domain.local
Get list of DCs in domain 'my.domain.local' from '\\ad1.my.domain.local'.
ad1.my.domain.local [PDC] [DS] Site: mysite
AD2.my.domain.local [DS] Site: mysite
The command completed successfully

dcdiag reports no errors.

DNS for the domain seems to work fine: on every server, running nslookup _ldap._tcp.mysite._sites.my.domain.local gives

_ldap._tcp.mysite._sites.my.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ad2.my.domain.local
_ldap._tcp.mysite._sites.my.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ad1.my.domain.local
ad2.my.domain.local internet address = xxx.xxx.xxx.xxx
ad2.my.domain.local AAAA IPv6 address = xxxx:xxxx:xxxx::xxxx:xxxx
ad1.my.domain.local internet address = xxx.xxx.xxx.xxx

How else can I figure out what the problem might be?
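Both the trust question above and this post end up at the same place: the SRV records resolve, yet the locator reports ERROR_NO_SUCH_DOMAIN, and in this case the cause turned out to be a firewall between clients and the DCs. The PowerShell below is an added example, not code from either post; run from a machine on the near side of the firewall, it tests the TCP ports the trust question lists against a remote DC, then repeats the DNS and nltest lookups that failed. It assumes the DnsClient and NetTCPIP modules (Windows 8.1 / Server 2012 R2 or later), nltest.exe on the local host, and a placeholder remote DC name passed as a parameter.

```powershell
# Added example, not from either post: from a machine on the near side of a
# firewall, test whether a remote DC answers on the ports the trust question
# above lists, then run the locator and DNS lookups that failed in both posts.
# Read-only; needs the DnsClient/NetTCPIP modules (Windows 8.1 / Server 2012 R2
# or later) and nltest.exe (present on domain-joined Windows hosts).
param(
    [Parameter(Mandatory)][string]$RemoteDc,      # placeholder, e.g. dc1.partner.example
    [string]$RemoteDomain = $RemoteDc.Substring($RemoteDc.IndexOf('.') + 1)
)

# TCP ports from the question: LDAP, SMB, Kerberos, RPC endpoint mapper, DNS, GC.
$tcpPorts = @(
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 3268; Service = 'Global Catalog LDAP' }
)
$tcp = foreach ($e in $tcpPorts) {
    $t = Test-NetConnection -ComputerName $RemoteDc -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $e.Port; Service = $e.Service; Open = $t.TcpTestSucceeded }
}
$tcp | Format-Table -AutoSize

# UDP 53 and the remote zone's locator records: Resolve-DnsName uses UDP first,
# so an SRV answer straight from the remote DC shows the forwarder target works.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -Server $RemoteDc -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if ($srv) { "Locator SRV from ${RemoteDc}: $($srv.NameTarget -join ', ')" }
else      { Write-Warning "No locator SRV answer from $RemoteDc (UDP 53 blocked, or zone lacks _msdcs records)" }

# UDP 389 (the CLDAP 'LDAP ping' the locator sends) and UDP 88 cannot be probed
# with Test-NetConnection; nltest exercises the real locator path. /force skips
# the cached answer so a corrected firewall rule shows up immediately.
$nl = & nltest.exe "/dsgetdc:$RemoteDomain" /force 2>&1
if ($LASTEXITCODE -eq 0) { "nltest /dsgetdc: $(($nl | Select-String 'DC:') -join ' ')".Trim() }
else { Write-Warning "nltest /dsgetdc:$RemoteDomain failed: $($nl | Select-Object -Last 1)" }
```

Reading the results: every TCP port open but the trust wizard still stopping is the signature of the RPC dynamic range being blocked (after the port 135 handshake the endpoint mapper hands out a high port, 49152-65535 on Server 2008 and later and 1025-5000 on Server 2003), which the question's port list does not include. No SRV answer from the remote DC means the conditional forwarder has nothing it can reach. nltest returning 1355 while the SRV lookup succeeds points at UDP 389 being filtered, which is the pattern this post describes: DNS looked healthy, yet the firewall was dropping the locator's requests to the controllers.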

Source


I am in the process of migrating our ADDS to a test environment.

The steps were as such:

  1. Install Win2008R2; dcpromo.exe to DC
  2. Isolate DC (separate network)
  3. Create DNS server with A records & Update rights for domain + domaincontroller
  4. Ran ipconfig /flushdns + ipconfig /registerdns
  5. Confirmed _msdcs entries in DNS server
  6. Reseize FSMO roles on DC
  7. Performed metadata cleanup

Environment:

  • Windows 2008 R2 with ADDS Roles
  • DNS Server (separate machine)

Symptoms:

  • Best Practices Analyzer fails with 23 warnings, all related to:
    "This domain controller must register its correct IP addresses with the DNS server"
  • Event ID 1126 - Active Directory Domain Services was unable to establish a connection with the global catalog
  • nltest /dsgetdc:domainname
    Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
  • nltest /server:lefdc /sc_query:domainname
    I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
  • dcdiag /test:dns reports OK
  • dcdiag /fix reports:
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.

Full logs provided below:
servername : LEFDC1


PS C:\Windows\system32> nslookup
Default Server:  testdns.my.domain.name
Address:  10.140.1.10

> set type=all
> _ldap._tcp.dc._msdcs.my.domain.name
Server:  testdns.my.domain.name
Address:  10.140.1.10

_ldap._tcp.dc._msdcs.my.domain.name     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = lefdc1.my.domain.name
my.domain.name  nameserver = testdns.my.domain.name
lefdc1.my.domain.name   internet address = 10.140.1.15
testdns.my.domain.name  internet address = 10.140.1.10

PS C:\Windows\system32> nltest /server:lefdc /sc_query:my.domain.name
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

PS C:\Windows\system32> dcdiag /test:dns /v /e /f:c:\dcdiag.log

PS C:\Windows\system32> nltest /dsgetdc:my.domain.name
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

PS C:\Windows\system32> ntdsutil
C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connection
server connections: connect to server lefdc1.my.domain.name
Binding to lefdc1.my.domain.name ...
Connected to lefdc1.my.domain.name using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize pdc
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "lefdc1.my.domain.name" knows about 5 roles
Schema - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,DC=edu
Naming Master - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,DC=simmons,dc=name
PDC - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
RID - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Infrastructure - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,DC=simmons,dc=name
fsmo maintenance:

PS C:\Windows\system32> dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = lefdc1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LEFDC1
      Starting test: Connectivity
         ......................... LEFDC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LEFDC1
      Starting test: Advertising
         Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
         The Locator could not find the server.
         ......................... LEFDC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... LEFDC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... LEFDC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... LEFDC1 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 10/07/2013   09:14:11
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL
 (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds,
configuring the server to reject them will improve the security of this server.
         ......................... LEFDC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LEFDC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LEFDC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LEFDC1 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\LEFDC1\netlogon)
         [LEFDC1] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... LEFDC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LEFDC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... LEFDC1 passed test Replications
      Starting test: RidManager
         ......................... LEFDC1 passed test RidManager
      Starting test: Services
         ......................... LEFDC1 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 10/07/2013   08:47:14
            Event String:
            The Security System could not establish a secured connection with the server ldap/my.domain.name/ad.simmons.
edu@my.domain.name. No authentication protocol was available.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 10/07/2013   08:50:24
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but
 it will periodically retry the operation. The return code is in the record data.
         A warning event occurred.  EventID: 0x000016AA
            Time Generated: 10/07/2013   08:59:19
            Event String:
            None of the IP addresses (10.140.1.15) of this Domain Controller map to the configured site 'Default-First-S
ite-Name'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP ad
dress of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above l
ist of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such t
hat the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range in
cludes the above IP address) which maps to the selected site object.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 10/07/2013   09:08:02
            Event String:
            Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0xC0002719
            Time Generated: 10/07/2013   09:08:23
            Event String:
            DCOM was unable to communicate with the computer 10.140.1.10 using any of the configured protocols.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 10/07/2013   09:14:27
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KD
C certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x000016AA
            Time Generated: 10/07/2013   09:14:31
            Event String:
            None of the IP addresses (10.140.1.15) of this Domain Controller map to the configured site 'Default-First-S
ite-Name'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP ad
dress of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above l
ist of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such t
hat the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range in
cludes the above IP address) which maps to the selected site object.
         ......................... LEFDC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... LEFDC1 passed test VerifyReferences


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : my.domain.name
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... my.domain.name failed test LocatorCheck
      Starting test: Intersite
         ......................... my.domain.name passed test Intersite
PS C:\Windows\system32>

PS C:\Windows\system32> ntdsutil
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: connections
server connections: connect to server lefdc1
Binding to lefdc1 ...
Connected to lefdc1 using credentials of locally logged on user.
server connections: q
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - dc=my,dc=domain,dc=name
select operation target: select domain 0
No current site
Domain - dc=my,dc=domain,dc=name
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
1 - CN=SchoolofManagement,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Domain - dc=my,dc=domain,dc=name
No current server
No current Naming Context

Output from dcdiag /testdns:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine lefdc1, is a Directory Server. 
   Home Server = lefdc1

   * Connecting to directory service on server lefdc1.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=SchoolofManagement,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 1 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\LEFDC1

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... LEFDC1 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\LEFDC1

      Test omitted by user request: Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Test omitted by user request: FrsEvent

      Test omitted by user request: DFSREvent

      Test omitted by user request: SysVolCheck

      Test omitted by user request: KccEvent

      Test omitted by user request: KnowsOfRoleHolders

      Test omitted by user request: MachineAccount

      Test omitted by user request: NCSecDesc

      Test omitted by user request: NetLogons

      Test omitted by user request: ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Test omitted by user request: Replications

      Test omitted by user request: RidManager

      Test omitted by user request: Services

      Test omitted by user request: SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Test omitted by user request: VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         See DNS test in enterprise tests section for results
         ......................... LEFDC1 passed test DNS

   
   Running partition tests on : Schema

      Test omitted by user request: CheckSDRefDom

      Test omitted by user request: CrossRefValidation

   
   Running partition tests on : Configuration

      Test omitted by user request: CheckSDRefDom

      Test omitted by user request: CrossRefValidation

   
   Running partition tests on : ad

      Test omitted by user request: CheckSDRefDom

      Test omitted by user request: CrossRefValidation

   
   Running enterprise tests on : my.domain.name

      Starting test: DNS

         Test results for domain controllers:

            
            DC: lefdc1.my.domain.name

            Domain: my.domain.name

            

                  
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                  
               TEST: Basic (Basc)
                  The OS Microsoft Windows Server 2008 R2 Enterprise  (Service Pack level: 1.0) is supported.

                  NETLOGON service is running

                  kdc service is running

                  DNSCACHE service is running

                  DNS service is running

                  DC is not a DNS server

                  Network adapters information:

                  Adapter [00000007] Broadcom NetXtreme 57xx Gigabit Controller:

                     MAC address is 00:19:B9:30:85:DF
                     IP address: 10.140.1.15
                     DNS servers:

                        10.140.1.10 (<name unavailable>) [Valid]
                  The A host record(s) for this DC was found
                  The SOA record for the Active Directory zone was found
                  
               TEST: Records registration (RReg)
                  Network Adapter [00000007] Broadcom NetXtreme 57xx Gigabit Controller:

                     Matching CNAME record found at DNS server 10.140.1.10:
                     228de4e0-d8f0-447c-aad3-9c07ca7dd6c8._msdcs.my.domain.name

                     Matching A record found at DNS server 10.140.1.10:
                     lefdc1.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.a7ed6b46-86fe-471c-9a41-9fddd53d2e4c.domains._msdcs.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _kerberos._tcp.dc._msdcs.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.dc._msdcs.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _kerberos._tcp.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _kerberos._udp.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _kpasswd._tcp.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.Default-First-Site-Name._sites.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _kerberos._tcp.Default-First-Site-Name._sites.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.gc._msdcs.my.domain.name

                     Matching A record found at DNS server 10.140.1.10:
                     gc._msdcs.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _gc._tcp.Default-First-Site-Name._sites.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.name

                     Matching  SRV record found at DNS server 10.140.1.10:
                     _ldap._tcp.pdc._msdcs.my.domain.name

         
         Summary of test results for DNS servers used by the above domain controllers:

         

            DNS server: 10.140.1.10 (<name unavailable>)

               All tests passed on this DNS server

               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered 
               
         Summary of DNS test results:

         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: my.domain.name

               lefdc1                       PASS PASS n/a  n/a  n/a  PASS n/a  
         
         ......................... my.domain.name passed test DNS

      Test omitted by user request: LocatorCheck

      Test omitted by user request: Intersite


Output from dcdiag /q


         Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355

         The Locator could not find the server.

         ......................... LEFDC1 failed test Advertising

         Unable to connect to the NETLOGON share! (\\LEFDC1\netlogon)

         [LEFDC1] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..

         ......................... LEFDC1 failed test NetLogons

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 10/07/2013   08:50:24

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 10/07/2013   09:08:23

            Event String:

            DCOM was unable to communicate with the computer 10.140.1.10 using any of the configured protocols.

         ......................... LEFDC1 failed test SystemLog

         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

         A Global Catalog Server could not be located - All GC's are down.

         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

         A Time Server could not be located.

         The server holding the PDC role is down.

         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355

         A Good Time Server could not be located.

         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

         A KDC could not be located - All the KDCs are down.

         ......................... my.domain.name failed test LocatorCheck
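An added example, not from this thread: a small Python parser that pulls the pass/fail lines and the DsGetDcName and net use error codes out of dcdiag output shaped like the block above, so the 1355 locator failures can be summarised per DC instead of read by eye. The sample text is trimmed from the output quoted here; the Win32 error names are the standard ones for codes 1355 and 67.

```python
import re

# Sample dcdiag /q output, trimmed from the lines quoted in this thread.
SAMPLE = r"""
         Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
         ......................... LEFDC1 failed test Advertising
         Unable to connect to the NETLOGON share! (\\LEFDC1\netlogon)
         [LEFDC1] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... LEFDC1 failed test NetLogons
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         ......................... my.domain.name failed test LocatorCheck
"""

# Standard Win32 names for the two error codes seen in the thread's output.
WIN32_NAMES = {1355: "ERROR_NO_SUCH_DOMAIN", 67: "ERROR_BAD_NET_NAME"}
# "......................... <target> passed|failed test <name>"
RESULT_RE = re.compile(r"^\s*\.+ (\S+) (passed|failed) test (\w+)\s*$")
# dcdiag prints the API as both DsGetDcName and DcGetDcName; the parenthesised
# argument is the DC name or the locator flag (GC_SERVER_REQUIRED, ...) requested.
LOCATOR_RE = re.compile(r"(?:Ds|Dc)GetDcName\s*\(([^)]*)\) call failed, error (\d+)")
# "[<dc>] An net use or LsaPolicy operation failed with error <code>, ..."
NETUSE_RE = re.compile(r"^\s*\[(\S+)\] An net use or LsaPolicy operation failed with error (\d+)")

def summarize_dcdiag(text):
    """Return {'results': {(target, test): 'passed'|'failed'}, 'errors': [(source, arg, code, name)]}."""
    results, errors = {}, []
    for line in text.splitlines():
        if m := RESULT_RE.match(line):
            results[(m.group(1), m.group(3))] = m.group(2)
        elif m := LOCATOR_RE.search(line):
            code = int(m.group(2))
            errors.append(("DsGetDcName", m.group(1), code, WIN32_NAMES.get(code, "unknown")))
        elif m := NETUSE_RE.match(line):
            code = int(m.group(2))
            errors.append(("net use", m.group(1), code, WIN32_NAMES.get(code, "unknown")))
    return {"results": results, "errors": errors}

def failed_tests(summary):
    """Sorted (target, test) pairs that did not pass."""
    return sorted(k for k, v in summary["results"].items() if v == "failed")

def locator_failures(summary):
    """Sorted DsGetDcName arguments that returned 1355: the DC names and roles this DC's locator could not find."""
    return sorted({arg for src, arg, code, _ in summary["errors"] if src == "DsGetDcName" and code == 1355})

if __name__ == "__main__":
    summary = summarize_dcdiag(SAMPLE)
    print(failed_tests(summary), locator_failures(summary))
```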
