Question
Thursday, September 24, 2015 5:41 PM
I am having a very strange issue with 2 DNS records re-appearing even after I delete them.
I had a 2003 domain with 2 domain servers (dc1 and dc2) running Windows Server 2003. I ran dcpromo to demote dc1. I then installed Windows Server 2012 R2 on a new server. I promoted it to be a domain controller and then renamed it to dc1. When I did that, replication broke. To fix it I tried renaming it to dc3 and dc4, but eventually I had to demote it again, rename it to hc-dc1 and then promote it again to a domain controller. dc2 had the 5 FSMO roles the whole time. Now everything seems to be working fine, but whenever I restart either server or the DNS Server service on either dc2 or hc-dc1, 2 DNS A records appear: dc3 and dc4, pointing to the IP address of hc-dc2. I tried changing the IP address of hc-dc1, but the records still pointed to the new IP address when they re-appeared. I tried deleting them using PowerShell, but they still reappear. When they reappear, replication between dc2 and hc-dc1 breaks. When I delete them, replication starts working again after a while. Here's the output of repadmin and dcdiag. Any help would be appreciated.
C:\Windows\system32>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\HCG-DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 8acb1f7c-020d-46db-8a18-d3c762963c2e
DSA invocationID: 76f2fb88-7ec5-48c1-b35b-fabf58837f93
==== INBOUND NEIGHBORS ======================================
DC=hc-domain,DC=corp
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c6c9b9b6-689c-418c-ac85-b55ae4b91f65
Last attempt @ 2015-09-24 13:24:45 was successful.
CN=Configuration,DC=hc-domain,DC=corp
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c6c9b9b6-689c-418c-ac85-b55ae4b91f65
Last attempt @ 2015-09-24 13:08:43 was successful.
CN=Schema,CN=Configuration,DC=hc-domain,DC=corp
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c6c9b9b6-689c-418c-ac85-b55ae4b91f65
Last attempt @ 2015-09-24 12:54:51 failed, result -2146893022 (0x80090322):
The target principal name is incorrect.
1 consecutive failure(s).
Last success @ 2015-09-24 12:46:50.
DC=DomainDnsZones,DC=hc-domain,DC=corp
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c6c9b9b6-689c-418c-ac85-b55ae4b91f65
Last attempt @ 2015-09-24 13:26:05 was successful.
DC=ForestDnsZones,DC=hc-domain,DC=corp
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c6c9b9b6-689c-418c-ac85-b55ae4b91f65
Last attempt @ 2015-09-24 13:10:29 was successful.
Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2015-09-24 12:46:50
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hc-dc1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\hc-dc1
Starting test: Connectivity
......................... hc-dc1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\hc-dc1
Starting test: Advertising
......................... hc-dc1 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... hc-dc1 passed test FrsEvent
Starting test: DFSREvent
......................... hc-dc1 passed test DFSREvent
Starting test: SysVolCheck
......................... hc-dc1 passed test SysVolCheck
Starting test: KccEvent
......................... hc-dc1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... hc-dc1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... hc-dc1 passed test MachineAccount
Starting test: NCSecDesc
......................... hc-dc1 passed test NCSecDesc
Starting test: NetLogons
......................... hc-dc1 passed test NetLogons
Starting test: ObjectsReplicated
......................... hc-dc1 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,hc-dc1] A recent replication attempt failed:
From DC2 to hc-dc1
Naming Context: CN=Schema,CN=Configuration,DC=hc-domain,DC=corp
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2015-09-24 12:54:51.
The last success occurred at 2015-09-24 12:46:50.
1 failures have occurred since the last success.
......................... hc-dc1 failed test Replications
Starting test: RidManager
......................... hc-dc1 passed test RidManager
Starting test: Services
......................... hc-dc1 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000727A5
Time Generated: 09/24/2015 12:52:12
Event String:
The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x000003F6
Time Generated: 09/24/2015 12:54:24
Event String:
Name resolution for the name _ldap._tcp.dc._msdcs.hc-domain.corp. timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x800009CA
Time Generated: 09/24/2015 12:54:40
Event String:
The value named DC2 in the server's registry key OptionalNames was not valid, and was ignored. If you want to change the value, change it to one that is the correct type and is within the acceptable range, or delete the value to use the default. This value might have been set up by an older program that did not use the correct boundaries.
An error event occurred. EventID: 0x40000004
Time Generated: 09/24/2015 12:54:41
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hc-dc1$. The target name used was ldap/dc2.hc-domain.corp. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (hc-domain.CORP) is different from the client domain (hc-domain.CORP), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0xC00010E1
Time Generated: 09/24/2015 12:54:40
Event String:
The name "DC2 :20" could not be registered on the interface with IP address 10.90.20.10. The computer with the IP address 10.90.20.12 did not allow the name to be claimed by this computer.
An error event occurred. EventID: 0x00000406
Time Generated: 09/24/2015 12:54:41
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An error event occurred. EventID: 0x40000004
Time Generated: 09/24/2015 12:54:50
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hc-dc1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/c6c9b9b6-689c-418c-ac85-b55ae4b91f65/[email protected]. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (hc-domain.CORP) is different from the client domain (hc-domain.CORP), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/24/2015 12:54:52
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hc-dc1$. The target name used was ldap/dc2.hc-domain.corp/[email protected]. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (hc-domain.CORP) is different from the client domain (hc-domain.CORP), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
A warning event occurred. EventID: 0x80001421
Time Generated: 09/24/2015 12:54:53
Event String:
The Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group. There may be problems in viewing and setting security permissions with the IIS_IUSRS group. This happens if the machine has been joined and promoted to be a Domain Controller in a legacy domain. Please see the online help for more information and solutions to this problem. The data field contains the error number.
An error event occurred. EventID: 0x40000004
Time Generated: 09/24/2015 12:54:54
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hc-dc1$. The target name used was DNS/dc2.hc-domain.corp. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (hc-domain.CORP) is different from the client domain (hc-domain.CORP), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:54
Event String:
The dynamic registration of the DNS record '_ldap._tcp.hc-domain.corp. 600 IN SRV 0 100 389 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:54
Event String:
The dynamic registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.hc-domain.corp. 600 IN SRV 0 100 389 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:54
Event String:
The dynamic registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hc-domain.corp. 600 IN SRV 0 100 3268 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:54
Event String:
The dynamic registration of the DNS record '_ldap._tcp.dc._msdcs.hc-domain.corp. 600 IN SRV 0 100 389 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:55
Event String:
The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.hc-domain.corp. 600 IN SRV 0 100 389 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:55
Event String:
The dynamic registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.hc-domain.corp. 600 IN SRV 0 100 389 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:55
Event String:
The dynamic registration of the DNS record 'ForestDnsZones.hc-domain.corp. 600 IN A 10.90.20.10' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:55
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs.hc-domain.corp. 600 IN SRV 0 100 88 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2015 12:54:55
Event String:
The dynamic registration of the DNS record '_kerberos._udp.hc-domain.corp. 600 IN SRV 0 100 88 hc-dc1.hc-domain.corp.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 09/24/2015 12:54:55
Event String:
The dynamic deletion of the DNS record 'gc._msdcs.hc-domain.corp. 600 IN A 10.90.20.10' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 09/24/2015 12:54:55
Event String:
The dynamic deletion of the DNS record '_gc._tcp.hc-domain.corp. 600 IN SRV 0 100 3268 hc-dc1.hc-domain.corp.' failed on the following DNS server:
A warning event occurred. EventID: 0x000727AA
Time Generated: 09/24/2015 12:54:55
Event String:
The WinRM service failed to create the following SPNs: WSMAN/hc-dc1.hc-domain.corp; WSMAN/hc-dc1.
An error event occurred. EventID: 0x0000106A
Time Generated: 09/24/2015 12:54:55
Event String:
Unable to update the IP address on Isatap interface isatap.{D65E6434-28E3-47F1-8DC4-EAF397284E0B}. Update Type: 1. Error Code: 0x490.
A warning event occurred. EventID: 0x00002724
Time Generated: 09/24/2015 12:54:57
Event String:
This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
An error event occurred. EventID: 0x40000004
Time Generated: 09/24/2015 12:55:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hc-dc1$. The target name used was hc-domain\DC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (hc-domain.CORP) is different from the client domain (hc-domain.CORP), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 09/24/2015 12:59:41
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hc-dc1$. The target name used was cifs/dc2.hc-domain.corp. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (hc-domain.CORP) is different from the client domain (hc-domain.CORP), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
A warning event occurred. EventID: 0x00001796
Time Generated: 09/24/2015 13:26:45
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
......................... hc-dc1 failed test SystemLog
Starting test: VerifyReferences
......................... hc-dc1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : hc-domain
Starting test: CheckSDRefDom
......................... hc-domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... hc-domain passed test CrossRefValidation
Running enterprise tests on : hc-domain.corp
Starting test: LocatorCheck
......................... hc-domain.corp passed test LocatorCheck
Starting test: Intersite
......................... hc-domain.corp passed test Intersite
All replies (6)
Friday, September 25, 2015 2:47 PM ✅Answered
That actually didn't help at all because those entries were not there but I found the problem actually. Here's the fix:
Open an elevated command prompt on the affected server and run the following command:
netdom computername <new_computer_name> /enumerate:allnames
This will display all registered names for the server in question. If the old name is still listed as an alternate, run this command to remove it:
netdom computername <new_computer_name> /remove:<old_computer_name>
Looks like the server had a bunch of alternate names that it got while I was renaming the server. For some reason it didn't remove those alternate names. Every time the server was registering its connection in DNS, it was creating those entries. I couldn't find those entries anywhere in AD or the registry. Not sure where netdom stores these alternate names but once I removed them, the problem went away and the replication errors went away too. Strange that it's so hard to find.
------------------------------------------------------------------------
<sub>Thursday, September 24, 2015 7:15 PM</sub>
When you dcpromo the DC's and remove them from the network, did you go into dnsmgmt.msc and remove the names from the name server tabs on all your zones? Did you also look at the reverse lookup zones as well?
------------------------------------------------------------------------
<sub>Thursday, September 24, 2015 10:25 PM</sub>
Yes. The name server tabs now contain only dc2 and hc-dc1 for all zones on both servers.
------------------------------------------------------------------------
<sub>Thursday, September 24, 2015 11:01 PM</sub>
Do you have WINS? Did the records leave there? Which one is the FSMO role holder? Does it hold all 5 roles? In ADUS under System, File Replication folder, are all the DCs correctly listed? Did you use ADSI and make sure no latency objects exist? I also noticed that one of the KDC errors states CIFS, Microsoft uses SMB... Do the devices using CIFS have the correct information? Did you manually scavenge all DNS records? If not using IPv6, did you disable it and see if that helped? Did you use NSLookup and see what the name resolves to?
------------------------------------------------------------------------
<sub>Friday, September 25, 2015 2:36 AM</sub>
We don't use WINS.
dc2 holds all 5 FSMO roles. I don't see any latency objects in ADSIEDIT. We don't scavenge DNS records but the records were manually deleted. They keep reappearing. Not using IPv6. nslookup doesn't resolve dc3 and dc4 - those are the bad records.
------------------------------------------------------------------------
<sub>Friday, September 25, 2015 3:19 AM</sub>
Have you tried the following?
1. Open ADSI Edit
2. Right-click "ADSI Edit" in the left column, then choose "Connect to".
3. Choose "Select or type a Distinguished Name or Naming Context" and enter the dn of your forestdnszones partition in the text box. It should look something like dc=forestdnszones,dc=yourforestroot,dc=com. Change the value of the Name field to ForestDNSZones.
4. Click OK. You should now have the ForestDNSZones partition in the left column.
5. Expand the left column as follows (I'm using 192.168.1.0 as the network in this example): (ForestDNSZones) ForestDNSZones > DC=ForestDNSZones,DC=yourforestroot,DC=com > CN=MicrosoftDNS > DC=1.168.192.in-addr.arpa. - OR - (Domain) Domain > DC=yourdomain,DC=com > CN=System > CN=MicrosoftDNS > DC=1.168.192.in-addr.arpa
6. Find the duplicate record. Right-click it and choose Properties. Find the distinguishedName attribute and copy/paste the value into a notepad window.
7. Delete the entire record in adsi edit.
8. Refresh the reverse lookup zone
9. Run ipconfig /registerdns on the "New Machine"
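An added audit script (not posted by anyone in this thread) that combines the accepted answer's netdom check with the ADSI Edit lookup in the reply above: for every DC it lists the alternate computer names netdom reports and the msDS-AdditionalDnsHostName attribute that netdom computername /add writes, then lists A records in the AD-integrated zone that reuse a DC's IP under a name that is not the DC's own, together with the dnsNode distinguishedName an admin would confirm in ADSI Edit. It assumes the RSAT ActiveDirectory and DnsServer modules, a server hosting the zone, and that the netdom output parsing (a heuristic) matches your OS build; the zone and server names are placeholders taken from the thread.

```powershell
# Added example, not from the thread: audit DC alternate names against the
# A records of the AD-integrated forward zone. Read-only; nothing is deleted.
param(
    [string]$ZoneName  = 'hc-domain.corp',   # zone name from the thread
    [string]$DnsServer = 'dc2'               # any DC that hosts the zone
)
Import-Module ActiveDirectory, DnsServer

$dcs = Get-ADDomainController -Filter *

# 1. Per-DC view of alternate names: what netdom reports (the accepted fix)
#    and the AD attribute netdom populates when a name is added.
$report = foreach ($dc in $dcs) {
    # Heuristic parse: keep only lines that look like an FQDN and are not the
    # DC's primary host name. Adjust if your netdom output format differs.
    $raw = & netdom computername $dc.HostName /enumerate:allnames 2>&1
    $altFromNetdom = $raw | ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[\w-]+(\.[\w-]+)+$' -and $_ -ne $dc.HostName }

    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN `
        -Properties msDS-AdditionalDnsHostName
    $altFromAd = @($comp.'msDS-AdditionalDnsHostName')

    [pscustomobject]@{
        DC             = $dc.HostName
        IPv4           = $dc.IPv4Address
        NetdomAltNames = ($altFromNetdom -join ';')
        AdAltNames     = ($altFromAd -join ';')
    }
}
$report | Format-Table -AutoSize

# 2. A records that point at a DC address but carry a foreign host name.
#    Netlogon legitimately registers DomainDnsZones, ForestDnsZones and
#    gc._msdcs A records with DC addresses, so those are excluded here.
$dcIps    = @($dcs.IPv4Address)
$dcNames  = @($dcs.HostName)
$expected = @('DomainDnsZones', 'ForestDnsZones')
$stale = Get-DnsServerResourceRecord -ComputerName $DnsServer `
            -ZoneName $ZoneName -RRType A |
    Where-Object {
        $ip = $_.RecordData.IPv4Address.IPAddressToString
        $dcIps -contains $ip -and
        $_.HostName -ne '@' -and
        $_.HostName -notin $expected -and
        $_.HostName -notlike '*_msdcs' -and
        "$($_.HostName).$ZoneName" -notin $dcNames
    }

Write-Host "`nA records reusing a DC address under another name:"
foreach ($rec in $stale) {
    # DistinguishedName is the dnsNode object (CN=MicrosoftDNS,...) that the
    # ADSI Edit steps above would locate before deciding whether to delete it.
    '{0,-20} {1,-16} {2}' -f $rec.HostName,
        $rec.RecordData.IPv4Address.IPAddressToString, $rec.DistinguishedName
}
# A name that appears in both the NetdomAltNames column and this list will be
# re-registered at every Netlogon/DNS restart until it is removed with:
#   netdom computername <dc_fqdn> /remove:<old_fqdn>
```

Run it from an elevated PowerShell session on a DC or a management host with the DNS Server tools; compare the stale list with the NetdomAltNames column before removing anything.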