issue with Secondary DNS AD?


5 replies to this topic

#1 killmasta93


Posted 07 October 2017 - 09:26 AM

Hi,

I was wondering if someone could shed some light on the issue I'm having. This week I migrated the secondary DNS server from hardware to a VM; booting it up took a while, and when I wanted to see the AD it showed me the error about not being able to contact the primary DNS. What's odd is that I can nslookup perfectly. To fix the issue I had to run these commands in order:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

and after that it works and I can open the AD with Sites and Services, but when it reboots it takes an eternity, and that's when I know again it won't open the AD.

Sorry for the Spanish pictures.

Any ideas?

I was thinking of taking it out of the domain and putting it back in, but I'm not sure how it will affect things because it's the secondary DNS.

 

My primary DNS is called Zeus, which is 192.168.3.253, and the secondary DNS is called Poseidon, which is 192.168.6.200. They're connected through a pfSense site-to-site OpenVPN.

Thank you


#2 sflatechguy


Posted 08 October 2017 - 01:24 PM

Not sure why you're using primary and secondary DNS, instead of AD-replicated DNS zones.

 

How is the server running the secondary DNS configured to get its DNS information? It should be set to use the primary's IP address first, and then itself second.



#3 killmasta93


Posted 08 October 2017 - 04:01 PM

Thanks for the reply. I am using AD-replicated DNS zones, but when I try to replicate I get this error (see picture).

 

Thank you

 

https://imgur.com/a/qoQe0

https://imgur.com/a/7vNqD

 

Looked at the event log and saw this:

 

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server poseidon$. The target name used was DNS/poseidon.casa.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (CASA.LOCAL) is different from the client domain (CASA.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

and also this:

 

 

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server poseidon$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/4a6b0485-e402-4777-80d2-4c74a5d539ee/casa.local@casa.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (CASA.LOCAL) is different from the client domain (CASA.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.


Edited by killmasta93, 08 October 2017 - 04:16 PM.


#4 sflatechguy


Posted 08 October 2017 - 05:24 PM

If you are using AD replication for DNS, then there are no primary or secondary DNS servers. DNS zones are replicated like any other Active Directory data.

 

The errors indicate there are Kerberos issues, most likely with the server's computer password. That is why you are getting the error.

 

You can try resetting the computer password for Poseidon. https://support.microsoft.com/en-us/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

 

That may not fix it, however. I suspect migrating the server from hardware to a VM may have affected other machine settings. You may have to remove the server as a domain controller from your domain, and then add it back again. https://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx
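An added diagnostic script for the two causes the event text names (an SPN registered on an account other than the one the service runs as, and a machine account password that no longer matches what the KDC holds), plus the DNS client ordering question from reply #2. It is not from the thread or from Microsoft's linked article; it assumes an elevated PowerShell on the DC whose event log shows the errors, the thread's names (poseidon, zeus.casa.local, casa.local) and the setspn, repadmin, dcdiag and netdom tools that ship with the AD DS role, and it only reports unless you uncomment the reset step:

```powershell
# Added example, not from the thread. Run elevated on the DC showing the errors.
# Assumed names are the ones the thread gives; adjust for your domain.
$Domain    = 'casa.local'
$HealthyDc = 'zeus.casa.local'

# 0. Reply #2's question: how does this server resolve DNS? A DC should point at
#    a partner DC first and at itself second. (DnsClient module, Server 2012+.)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 1. Collect recent KRB_AP_ERR_MODIFIED events. The Kerberos client logs them
#    as Event ID 4 from the Security-Kerberos provider in the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 4
} -MaxEvents 50 -ErrorAction SilentlyContinue

# Pull the server account and the SPN out of each message so you can see whether
# one service or every service on the host is failing.
$failures = foreach ($e in $events) {
    if ($e.Message -match 'from the server (?<server>\S+)\. The target name used was (?<spn>\S+)\.') {
        [pscustomobject]@{ Time = $e.TimeCreated; Server = $Matches.server; Spn = $Matches.spn }
    }
}
$failures | Sort-Object Spn -Unique | Format-Table -AutoSize

# 2. Cause one in the event text: the SPN is registered on an account other
#    than the one the service runs as. setspn -Q shows which object holds it;
#    anything other than exactly one match, on the DC's own account, is the problem.
foreach ($spn in ($failures.Spn | Sort-Object -Unique)) {
    Write-Host "`n== $spn"
    setspn -Q $spn
}
# Forest-wide duplicate sweep; a healthy forest reports no duplicates.
setspn -X -F

# 3. Cause two: the machine account password on this DC differs from what the
#    KDC holds. Replication failing to this one DC is the usual symptom.
repadmin /showrepl /errorsonly
dcdiag /test:Replications /test:MachineAccount

# 4. The fix linked in the reply (KB 325850): stop the KDC on THIS DC so it stops
#    issuing tickets with the stale key, reset the machine password against a
#    healthy DC, then restart the KDC. Left commented so the script only reports
#    until you choose to run it.
# Stop-Service kdc
# netdom resetpwd /server:$HealthyDc /userd:$Domain\Administrator /passwordd:*
# Start-Service kdc
```

If step 2 shows the failing SPN on exactly one account and step 3 shows replication errors, the password reset is the likely fix; if the SPN turns up on two objects, removing the stray registration is the fix and the reset will not help on its own.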



#5 killmasta93


Posted 09 October 2017 - 04:29 PM

Thanks for the reply. As you're right, I think I'm going to have to demote the secondary DNS; I'll post back if everything went well. On a side note, so demote first, then delete any files that are left of Poseidon?

 

Thank you



#6 sflatechguy


Posted 10 October 2017 - 08:15 AM

Yes, demote, remove the server completely from the domain, rejoin it to the domain and then repromote it to a DC.
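The sequence in this reply written out as an added PowerShell runbook. It is not from the thread or from the linked TechNet page (which documents the dcpromo wizard); it assumes Windows Server 2012 or later so the ADDSDeployment, ActiveDirectory and DnsServer cmdlets exist, a domain admin credential, and the thread's names. It also answers the "files left of Poseidon" question: what a demoted DC leaves behind is AD metadata and DNS records, not files on disk. Every stage ends in a reboot, so run it stage by stage, not as one script:

```powershell
# Added example, not from the thread. Run elevated, one stage at a time;
# every stage ends in a reboot. Assumes Server 2012+ and the thread's names.
$Domain    = 'casa.local'
$HealthyDc = 'zeus.casa.local'
$Cred      = Get-Credential "$Domain\Administrator"

## Stage 1 (on Poseidon): demote. Add -ForceRemoval only if replication is so
##   broken that the graceful path fails; a forced removal leaves metadata behind.
Uninstall-ADDSDomainController -Credential $Cred `
    -LocalAdministratorPassword (Read-Host 'Local admin password' -AsSecureString) `
    -Force   # reboots when done

## Stage 2 (on Zeus, after Poseidon has rebooted): confirm nothing of the old DC
##   is left. The leftovers are directory metadata and DNS records.
Get-ADDomainController -Filter * | Select-Object Name, HostName, Site
# If poseidon still appears, clean its metadata from the surviving DC.
# <site-name> is a placeholder for the AD site Poseidon lived in:
#   ntdsutil "metadata cleanup" "remove selected server CN=POSEIDON,CN=Servers,CN=<site-name>,CN=Sites,CN=Configuration,DC=casa,DC=local" quit quit
# Stale NS and SRV records keep clients trying to reach the dead DC:
Get-DnsServerResourceRecord -ZoneName $Domain -RRType NS |
    Where-Object { $_.RecordData.NameServer -like 'poseidon*' }
Get-DnsServerResourceRecord -ZoneName "_msdcs.$Domain" -RRType SRV |
    Where-Object { $_.RecordData.DomainName -like 'poseidon*' }

## Stage 3 (on Poseidon): leave the domain, then rejoin so it gets a fresh
##   computer account and machine password.
Remove-Computer -UnjoinDomainCredential $Cred -WorkgroupName 'WORKGROUP' -Force -Restart
# ... after the reboot:
Add-Computer -DomainName $Domain -Credential $Cred -Restart

## Stage 4 (on Poseidon): promote again as a replica DC with DNS, pulling its
##   initial copy of the directory from the healthy DC.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -Credential $Cred -InstallDns `
    -ReplicationSourceDC $HealthyDc `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force   # reboots when done

## Stage 5 (either DC): verify replication and DNS health before trusting it.
repadmin /showrepl
dcdiag /test:DNS /test:Replications
```

Stage 2 is the part that is easy to skip and later regret: if a stale NS record for poseidon survives, clients and the other DC keep trying the old identity, which reproduces exactly the kind of Kerberos mismatch the thread started with.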
