Server 2003x64 - No DNS or DHCP after seizing FSMO Roles
Single domain forest, had 2 DCs, "primary" DCserver-1 server 2003 64 bit held the forest wide FSMO roles, DNS and DHCP, "secondary" DCserver-2 Server 2003 32-bit had domain specific FSMO roles, time master and DNS.
DCserver-2 died unexpectedly. I had to seize the FSMO Roles to DCserver-1. Since that time, none of the clients are getting DHCP or DNS. netdiag and dcdiag both show no failures. nltest and nslookup both succeed when run on DCserver-1, but fail to find DNS/DC when run from any client. All of this of course means that other resources like network shares are unavailable (no logon server available errors). Can ping DCserver-1 (and other computers, of course) by IP, but not by name.
I'm a bit lost as to where to go from here. My gut tells me DNS is the issue, but I can't find anything wrong with it. I have of course cleaned metadata after seizing the FSMO Roles, deleted and recreated the DNS forward lookup zone, etc with no success...
ipconfig, dcdiag, netdiag and nltest results are pasted below. Any help would be greatly appreciated!
______IPCONFIG:DCserver-1_________
Windows IP Configuration
Host Name . . . . . . . . . . . . : dcserver-1
Primary Dns Suffix . . . . . . . : NEWSCHANNEL10.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : NEWSCHANNEL10.local
Ethernet adapter Static165:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-25-90-75-2A-B2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.165
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.165
______DCDIAG__________
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DCSERVER-1
Starting test: Connectivity
......................... DCSERVER-1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\DCSERVER-1
Starting test: Replications
......................... DCSERVER-1 passed test Replications
Starting test: NCSecDesc
......................... DCSERVER-1 passed test NCSecDesc
Starting test: NetLogons
......................... DCSERVER-1 passed test NetLogons
Starting test: Advertising
......................... DCSERVER-1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DCSERVER-1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DCSERVER-1 passed test RidManager
Starting test: MachineAccount
......................... DCSERVER-1 passed test MachineAccount
Starting test: Services
......................... DCSERVER-1 passed test Services
Starting test: ObjectsReplicated
......................... DCSERVER-1 passed test ObjectsReplicated
Starting test: frssysvol
......................... DCSERVER-1 passed test frssysvol
Starting test: frsevent
......................... DCSERVER-1 passed test frsevent
Starting test: kccevent
......................... DCSERVER-1 passed test kccevent
Starting test: systemlog
......................... DCSERVER-1 passed test systemlog
Starting test: VerifyReferences
......................... DCSERVER-1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : NEWSCHANNEL10
Starting test: CrossRefValidation
......................... NEWSCHANNEL10 passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... NEWSCHANNEL10 passed test CheckSDRefDom
Running enterprise tests on : NEWSCHANNEL10.local
Starting test: Intersite
......................... NEWSCHANNEL10.local passed test Intersite
Starting test: FsmoCheck
......................... NEWSCHANNEL10.local passed test FsmoCheck
_______NETDIAG:from DCserver-1______
..................................
Computer Name: DCSERVER-1
DNS Host Name: dcserver-1.NEWSCHANNEL10.local
System info : Microsoft Windows Server 2003 (Build 3790)
Processor : EM64T Family 6 Model 42 Stepping 7, GenuineIntel
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Static165
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : dcserver-1
IP Address . . . . . . . . : 10.0.0.165
Subnet Mask. . . . . . . . : 255.255.252.0
Default Gateway. . . . . . : 10.0.0.1
Dns Servers. . . . . . . . : 10.0.0.165
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{E8EDE45F-EC9B-4CE4-904E-4393ED5BEC0E}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.165'.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{E8EDE45F-EC9B-4CE4-904E-4393ED5BEC0E}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{E8EDE45F-EC9B-4CE4-904E-4393ED5BEC0E}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
___________NLTEST:DCserver-1__________
DC: \\dcserver-1.NEWSCHANNEL10.local
Address: \\10.0.0.165
Dom Guid: 4f8fe483-6fdb-4478-9673-e0a26010b196
Dom Name: NEWSCHANNEL10.local
Forest Name: NEWSCHANNEL10.local
Dc Site Name: Default-First-Site
Our Site Name: Default-First-Site
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
___________NLTEST:from client, calling server by name________
C:\Windows\system32>nltest /server:dcserver-1.newschannel10.local /dsgetdc:newschannel10.local
Getting DC name failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
.
.
and calling server by IP...
C:\Windows\system32>nltest /server:10.0.0.165 /dsgetdc:newschannel10.local
DC: \\dcserver-1.NEWSCHANNEL10.local
Address: \\10.0.0.165
Dom Guid: 4f8fe483-6fdb-4478-9673-e0a26010b196
Dom Name: NEWSCHANNEL10.local
Forest Name: NEWSCHANNEL10.local
Dc Site Name: Default-First-Site
Our Site Name: Default-First-Site
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
June 1st, 2012 9:14am
The DHCP delivers the right DNS server (10.0.0.165)?
June 1st, 2012 9:36am
Yes, DHCP is configured to deliver 10.0.0.165 for DNS... But at this point, nobody is even getting DHCP...
June 1st, 2012 9:49am
Oops, I missed that. Then the client you ran nltest from has a fixed ip? What happens if you try (on the client)
ipconfig /release
ipconfig /flushdns
ipconfig /renew
June 1st, 2012 10:05am
just tested (I didn't think about flushing DNS before renewing...)
An error occurred while renewing interface Local Area Connection 3 : unable to contact your DHCP server. Request has timed out.
June 1st, 2012 10:15am
If you give the client a fixed IP and DNS, does nslookup work? Does nslookup work on the server (including forwarding)? Can you plug a laptop in the same switch the server is connected to, and if so, try to get an IP from dhcp there? Anything regarding DHCP in the event log? Service running?
Sorry for the bunch of questions, but the best I can think of at the moment is trying to systematically narrow down the problem.
June 1st, 2012 10:35am
Client with fixed IP and DNS = nslookup does NOT work
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 10.0.0.165
nslookup on the server: (this actually returned the server name last time I looked, hmmm...)
*** Can't find server name for address 10.0.0.165: Non-existent domain
Default Server: UnKnown
Address: 10.0.0.165
> google.com
Server: UnKnown
Address: 10.0.0.165
Non-authoritative answer:
Name: google.com
Addresses: 74.125.227.7, 74.125.227.9, 74.125.227.4, 74.125.227.6
74.125.227.5, 74.125.227.14, 74.125.227.3, 74.125.227.8, 74.125.227.2
74.125.227.0, 74.125.227.1
laptop on same switch as server = still no DHCP
DHCP service is running, server is authorized...
event log for the past 24 hours...
there are 4 warnings for netlog service ID=5782 "Dynamic registration on dns failed... no DNS server configured for local system" - This one seems odd. Only one NIC enabled, with static IP and DNS as shown in ipconfig output in original post.. I'll have to google it and see what else could be causing it...
Nothing in the event log from DHCP except the notices from when I restarted the service (no errors reported)
and one error that w32time had to shutdown with error 0xC0000022 (I haven't googled it yet) but a notice just 15 minutes later that it was running and getting time updates again
Thanks for the help! I'll keep plugging away here...
June 1st, 2012 11:54am
Ok, so DNS definitely has some problems. Check if SOA and NS records in your DNS zone point to dcserver-1. Remove the NS record for dcserver-2. It can not hurt to check that the DNS server is listening on the correct IP addresses though I believe that it does. Then restart DNS service and try a nslookup on the server. If it shows the servername, try the clients again.
June 1st, 2012 12:16pm
SOA and NS records are both pointing to DCserver-1 with correct IP, no listings remaining for DCserver-2. Server is listening on IP 10.0.0.165. restarted, nslookup still returns
*** Can't find server name for address 10.0.0.165: Non-existent domain
Default Server: UnKnown
Address: 10.0.0.165
> google.com
Server: UnKnown
Address: 10.0.0.165
Non-authoritative answer:
Name: google.com
Addresses: 74.125.227.7, 74.125.227.9, 74.125.227.4, 74.125.227.6
74.125.227.5, 74.125.227.14, 74.125.227.3, 74.125.227.8, 74.125.227.2
74.125.227.0, 74.125.227.1
on DCserver-1...
June 1st, 2012 12:33pm
not to reply to myself here, but.. I just noticed that the NS listing and SOA listings read
"dcserver-1.newschannel10.local."
with a period after local... forgive me if it is a silly question, but are they supposed to be that way, or could the extra period be the reason for getting the non-existent domain error from nslookup?
June 1st, 2012 12:58pm
Just a bit more info... Here is a dnslint report below, and I have started debug logging on DNS hoping to maybe catch something there...
DNSLint Report
System Date: Fri Jun 01 12:27:42 2012
Command run:
dnslint /d newschannel10.local /s 10.0.0.165 /y
Domain name tested:
newschannel10.local
The following
2 DNS servers were identified as authoritative for the domain:
DNS server: User Specified DNS Server
IP Address: 10.0.0.165
UDP port 53 responding to queries: YES
TCP port 53 responding to queries:
Not tested
Answering authoritatively for domain:
Unknown
SOA record data from server:
Authoritative name server: dcserver-1.newschannel10.local
Hostmaster: hostmaster.newschannel10.local
Zone serial number: 64
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative
(NS) records from server:
dcserver-1.newschannel10.local 10.0.0.165
Host (A) records for domain from server:
10.0.0.165
Mail Exchange (MX)
records from server (preference/name/IP address):
None found
Additional authoritative (NS) records from server:
dcserver-1.newschannel10.local 10.0.0.165
Host (A) records for domain from server:
10.0.0.165
Mail Exchange (MX) records from server (preference/name/IP address):
None found
Notes:
One or more DNS servers may not be authoritative for the domain
DNS server: dcserver-1.newschannel10.local
IP Address: 10.0.0.165
UDP port 53 responding to queries: YES
TCP port 53 responding to queries:
Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dcserver-1.newschannel10.local
Hostmaster: hostmaster.newschannel10.local
Zone serial number: 64
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
June 1st, 2012 1:38pm
not to reply to myself here, but.. I just noticed that the NS listing and SOA listings read
"dcserver-1.newschannel10.local."
with a period after local... forgive me if it is a silly question, but are they supposed to be that way, or could the extra period be the reason for getting the non-existent domain error from nslookup?
Nope, the trailing point is correct.
June 1st, 2012 2:10pm
Only thing that comes to mind is a wrong/missing ptr record for 10.0.0.165. Could you look under Reverse Lookup Zones if the entry for 10.0.0.165 points to dcserver-1.newschannel10.local and that the SOA records in that zone are correct. And what does nslookup 10.0.0.165 say?
June 1st, 2012 2:17pm
O...M...G....
First of all, thanks for all the help. I did get the DNS sorted out. I removed and re-registered the NS and SOA records under both forward and reverse lookup zones. That got nslookup and dnslint reporting properly on the server.
While talking about this with one of the engineers here who has filled in for me on occasion, he mentioned that he "fixed" some things in the firewall last month. So the final piece of the puzzle was simply that the Windows firewall was blocking DNS and DHCP. It has never been noticed before, because DCserver-2 was taking up all the slack.
grrrr.... Thanks again for all the help!
June 1st, 2012 3:28pm
You're very welcome! Nice that you're up'n running again :-)
June 1st, 2012 3:35pm
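Added example, not part of the original thread: the two nslookup symptoms above (a timeout from the client, "Non-existent domain" for the reverse lookup on the server) point to different faults, and this Python sketch separates them by sending one raw UDP query to port 53 and classifying the result. The function names and the wording of the result strings are assumptions made for illustration; the server address and names are the ones posted in the thread.

```python
import socket
import struct

QTYPE = {"A": 1, "SOA": 6, "PTR": 12}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def ptr_name(ip):
    """10.0.0.165 -> 165.0.0.10.in-addr.arpa, the name nslookup resolves at startup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, one question) plus the question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", QTYPE[qtype], 1)

def classify(reply):
    """Map a raw reply (None when nothing came back) to a diagnosis hint."""
    if reply is None:
        return "NO REPLY: suspect a host firewall or a stopped service"
    if len(reply) < 12:
        return "MALFORMED: reply shorter than a DNS header"
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", reply[:12])
    code = flags & 0x000F
    rcode = RCODES.get(code, "RCODE %d" % code)
    if rcode == "NXDOMAIN":
        return "NXDOMAIN: server reachable, record missing from the zone"
    if rcode == "NOERROR" and ancount > 0:
        return "OK: %d answer(s)" % ancount
    return rcode + ": server reachable, no usable answer"

def probe(server, name, qtype, timeout=2.0):
    """Send one UDP query to port 53 and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype), (server, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:  # covers timeouts and ICMP-triggered resets
            reply = None
    return classify(reply)

if __name__ == "__main__":
    server = "10.0.0.165"  # DNS server address posted in the thread
    for name, qtype in [("dcserver-1.newschannel10.local", "A"),
                        (ptr_name(server), "PTR")]:
        print(qtype, name, "->", probe(server, name, qtype))
```

Run it once on the server and once from a client: the same query answering locally but returning NO REPLY remotely points at filtering between the two rather than at the zone data.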