# Help strange problem with DNS / Connection / GPO issue



## Nub (Apr 27, 2009)

Hi, I'm running a Windows 2016 Standard server with 15 client machines running Windows 10 Pro or 7 Pro, but some of them are having connection problems to the server. Logging in takes a long time for these computers, and there are errors in the event logs regarding problems contacting the domain controller or executing GPOs. Running NSLookup shows issues with clients seeing the DC/DNS server. Even running NSLookup from the actual server running DNS shows DNS timeout errors. All services are set up and running to the best of my knowledge (still learning). The topology of the network is simple; there are no bridging connections, tunnelling etc., just 15 client machines connected to a switch, connected to 1 server and router. Just not sure what I'm doing wrong; hopefully someone can point me in the right direction here as it's driving me mad.

gpupdate

Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

When I run GPResult I get the following report:

Group Policy Infrastructure failed due to the error listed below.


The specified domain either does not exist or could not be contacted. 

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

This is only happening on a few machines, so I'm a bit confused, as if there was a problem with DNS, the Domain Controller or GPO, the other machines would have issues also.

Any ideas what might be causing this issue?



Pretty sure it's not a connection issue now but something wrong with the way DNS is set up, but I'm not sure what.

>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : EBLSVR
Primary Dns Suffix . . . . . . . : ebldomain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ebldomain.local

Ethernet adapter NIC1:

Connection-specific DNS Suffix . : EBLDOMAIN.local
Description . . . . . . . . . . . : Intel(R) Gigabit 2P I350-t LOM
Physical Address. . . . . . . . . : 14-18-77-4C-F5-D4
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.5
192.168.0.1
1.1.1.1
Primary WINS Server . . . . . . . : 192.168.0.5
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.EBLDOMAIN.local:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : EBLDOMAIN.local
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

> NSLOOKUP

Default Server: EBLSVR.ebldomain.local
Address: 192.168.0.5


> dns

Server: EBLSVR.ebldomain.local
Address: 192.168.0.5

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to EBLSVR.ebldomain.local timed-out

????????????????????

> eblsvr
Server: EBLSVR.ebldomain.local
Address: 192.168.0.5

Name: eblsvr.ebldomain.local
Address: 192.168.0.5

> 192.168.0.5
Server: EBLSVR.ebldomain.local
Address: 192.168.0.5

Name: EBLSVR.ebldomain.local
Address: 192.168.0.5

ping -a 192.168.0.5

Pinging EBLSVR.ebldomain.local [192.168.0.5] with 32 bytes of data:
Reply from 192.168.0.5: bytes=32 time<1ms TTL=128
Reply from 192.168.0.5: bytes=32 time<1ms TTL=128
Reply from 192.168.0.5: bytes=32 time<1ms TTL=128
Reply from 192.168.0.5: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.0.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

ping -a eblsvr

Pinging EBLSVR.ebldomain.local [::1] with 32 bytes of data:
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms

Ping statistics for ::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Not sure why the reverse host name is ::1; I can't find a reference to this anywhere in DNS. Any ideas? Could this be the cause of my issues?

Thanks in advance...


----------



## djaburg (May 15, 2008)

The reverse hostname resolves to 127.0.0.1, which is normal. I'm assuming you're running all these tests from the server; what happens if you run them from a client machine? The DNS server details in the NIC of the server should only be set to 127.0.0.1, and forwards of the DNS server configuration should be set to resolve outside the network. The client machines should have the IP of the server as the first DNS entry and then, if you want, something else, but always the server IP as the first one.
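
A read-only audit of the two settings this reply describes, the server's own resolver list and its forwarders. It is an added example, not code from the thread; it assumes an elevated PowerShell session on the DC with the DNS Server role installed, and `NIC1` is the adapter name shown in the `ipconfig /all` output above.

```powershell
# Added example (not from the thread): audit a DC's resolver list and forwarders.
# Assumptions: elevated PowerShell on the DC, DNS Server role installed
# (the role provides the DnsServer module used below).

# Every IPv4 address that means "this server", loopback included.
$self = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress) + '127.0.0.1'

# Forwarders configured on the DNS Server service (where outside lookups belong).
$forwarders = @((Get-DnsServerForwarder).IPAddress |
    ForEach-Object { $_.IPAddressToString })

# Per-adapter resolver list; any entry that is not this server is called out.
$report = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $foreign = @($_.ServerAddresses | Where-Object { $_ -notin $self })
        [pscustomobject]@{
            Interface      = $_.InterfaceAlias
            Resolvers      = $_.ServerAddresses -join ', '
            NotThisServer  = $foreign -join ', '
            AlsoAForwarder = ($foreign | Where-Object { $_ -in $forwarders }) -join ', '
        }
    }

$report | Format-Table -AutoSize
"Forwarders: $($forwarders -join ', ')"

# Change suggested in the reply, left commented out so the audit stays read-only.
# 'NIC1' is the adapter name from the ipconfig output in the thread.
# Set-DnsClientServerAddress -InterfaceAlias 'NIC1' -ServerAddresses '127.0.0.1'
```

An empty `NotThisServer` column means the adapter only asks the server itself; entries that also appear under `AlsoAForwarder` are already reachable through the DNS Server service.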


----------



## Nub (Apr 27, 2009)

Hi, thanks for the reply... I have done further digging and found this... could someone please point me in the right direction to fix the problems described in this log... clients all having on/off issues connecting/seeing DC on boot, loading GPOs etc. I believe it is a DC / DHCP / DNS setting that is wrong somewhere. Firewall disabled for domain during testing. Got to be something in this log, thanks in advance... driving me nuts this, desperate for a solution.

dcdiag /v /test:dns

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
* Verifying that the local machine EBLSVR, is a Directory Server.
Home Server = EBLSVR
* Connecting to directory service on server EBLSVR.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ebldomain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ebldomain,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ebldomain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=EBLSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ebldomain,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\EBLSVR
Starting test: Connectivity
* Active Directory LDAP Services Check
The host d80ff300-e9e0-4e23-b97f-8f443dd47e24._msdcs.ebldomain.local could not be resolved to an IP address.
Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... EBLSVR failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\EBLSVR
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas

Starting test: DNS

DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... EBLSVR passed test DNS

Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation

Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation

Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation

Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation

Running partition tests on : ebldomain
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation

Running enterprise tests on : ebldomain.local
Starting test: DNS
Test results for domain controllers:

DC: EBLSVR.ebldomain.local
Domain: ebldomain.local


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Error: No LDAP connectivity
The OS Microsoft Windows Server 2016 Standard (Service Pack level: 0.0) is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000000] Intel(R) Gigabit 2P I350-t LOM:
MAC address is 14:18:77:4C:F5:D4
IP Address is static
IP address: 192.168.0.5
DNS servers:
192.168.0.5 (eblsvr.ebldomain.local.) [Valid]
No host records (A or AAAA) were found for this DC
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found

TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
1.0.0.1 (<name unavailable>) [Valid]
1.1.1.1 (<name unavailable>) [Valid]
8.8.8.8 (<name unavailable>) [Valid]

TEST: Delegations (Del)
Delegation information for the zone: ebldomain.local.
Delegated domain name: _msdcs.ebldomain.local.
DNS server: eblsvr.ebldomain.local. IP:192.168.0.5 [Valid]

TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone ebldomain.local
Warning: Failed to delete the test record dcdiag-test-record in zone ebldomain.local
[Error details: 9505 (Type: Win32 - Description: Unsecured DNS packet.)]

TEST: Records registration (RReg)
Network Adapter [00000000] Intel(R) Gigabit 2P I350-t LOM:
Warning:
Missing CNAME record at DNS server 192.168.0.5:
d80ff300-e9e0-4e23-b97f-8f443dd47e24._msdcs.ebldomain.local
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.5f867cd1-5dfc-465a-a720-0bab14d03a12.domains._msdcs.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_kerberos._tcp.dc._msdcs.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.dc._msdcs.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_kerberos._tcp.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_kerberos._udp.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_kpasswd._tcp.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.Default-First-Site-Name._sites.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_kerberos._tcp.Default-First-Site-Name._sites.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.gc._msdcs.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_gc._tcp.Default-First-Site-Name._sites.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ebldomain.local

Matching SRV record found at DNS server 192.168.0.5:
_ldap._tcp.pdc._msdcs.ebldomain.local

Error: Record registrations cannot be found for all the network adapters

Summary of test results for DNS servers used by the above domain controllers:

DNS server: 1.0.0.1 (<name unavailable>)
All tests passed on this DNS server

DNS server: 1.1.1.1 (<name unavailable>)
All tests passed on this DNS server

DNS server: 192.168.0.5 (eblsvr.ebldomain.local.)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS delegation for the domain _msdcs.ebldomain.local. is operational on IP 192.168.0.5


DNS server: 8.8.8.8 (<name unavailable>)
All tests passed on this DNS server

Summary of DNS test results:

Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: ebldomain.local
EBLSVR PASS FAIL PASS PASS WARN FAIL n/a

......................... ebldomain.local failed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite


----------



## djaburg (May 15, 2008)

If you set static DNS entries on the client machines, does that issue still exist? All the tests you're showing results from are being run on the server itself; what happens when you run the test on a client machine when it's having an issue? The only real time I've experienced something like that was when the client machines received config via DHCP and even though it "showed" the right DNS server(s) using ipconfig /all, it wouldn't find the server. Setting the DNS entry manually (leaving the IP/SM/GW to auto) resolved the issue for me and since these are all desktops it was never an issue for them again.

Again, it's helpful to see the information for the NIC config, the DNS config (i.e. Forwards) from the server, and some information from a client machine having the issue.
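
One way to collect the client-side information asked for here, as an added example that is not part of the thread: it queries every DNS server configured on the client individually for the DC locator SRV record, then repeats the lookup through the Windows DC locator. The domain name is taken from the thread; the script is assumed to be run on an affected client while the problem is occurring.

```powershell
# Added example (not from the thread): run on a client while it is failing.
# $domain comes from the thread; everything else is read from the machine.
$domain = 'ebldomain.local'
$srv    = "_ldap._tcp.dc._msdcs.$domain"   # DC locator record listed in the dcdiag output

# Resolvers as configured per adapter, duplicates removed, order preserved.
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

# Ask each resolver directly, so one bad entry cannot hide behind a good one.
$results = foreach ($r in $resolvers) {
    try {
        $answer = Resolve-DnsName -Name $srv -Type SRV -Server $r -DnsOnly -ErrorAction Stop
        $dcs    = @($answer | Where-Object { $_.QueryType -eq 'SRV' }).NameTarget
        [pscustomobject]@{ Resolver = $r; Result = 'answered'; DomainControllers = $dcs -join ', ' }
    }
    catch {
        # Timeouts and "name does not exist" both land here, with the reason kept.
        [pscustomobject]@{ Resolver = $r; Result = $_.Exception.Message; DomainControllers = '' }
    }
}
$results | Format-Table -AutoSize -Wrap

# Resolvers that cannot locate a DC; expected to be empty on a healthy client.
$bad = @($results | Where-Object { -not $_.DomainControllers })
if ($bad) { "Cannot locate a DC via: $($bad.Resolver -join ', ')" }

# The same lookup through the Windows DC locator, bypassing its cache.
nltest "/dsgetdc:$domain" /force
```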


----------

