DNS Issue - Event 5781 NETLOGON

I have two Server 2012 Domain Controllers.  Each has DNS and DHCP with failover.  The NIC properties of each server have the primary DNS pointing to the other server and the secondary DNS pointing to itself (127.0.0.1).

When I reboot these servers...or when I restart the Netlogon service and DNS service in that order, I get three event 5781 NETLOGON warnings...

-
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'company.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

Possible causes of failure include: 
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration 

USER ACTION 
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.

-
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.company.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

Possible causes of failure include: 
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration 

USER ACTION 
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.

-
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.company.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

Possible causes of failure include: 
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration 

USER ACTION 
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.

Also, under my Forward Lookup Zones, I have a _msdcs.company.local zone.  Then, under the company.local zone I have a greyed _msdcs.  The greyed _msdcs contains the two DCs.  This greyed _msdcs did contain the name of a demoted DC but I replaced it with our two current DCs.  I found a post online where it was recommended to delete the greyed _msdcs and the _msdcs.company.local zone and restart the netlogon service to recreate these.  Don't know if that applies in my case. 

My Reverse Lookup Zone does not have a PTR record for the two Name Servers.  It just has the two NS records.  Any ideas?

July 10th, 2014 4:06pm

Hi,

Never change/add the domain resource records manually (this might actually be the root cause of DCs failing to register/update their records). Instead, remove them and have the DCs re-register their records using 'nltest.exe /dsregdns' or restarting the Netlogon service, as described in the USER ACTION section of the event you posted.

I think the USER ACTION sections are pretty clear. If this does not work, make sure the DCs' NICs are configured correctly (DNS servers!) and other dynamic DNS registration still works.

If the reverse lookup zone is empty that can mean:

- clients are configured not to register their PTR record

- clients attempt to register their PTR but the required zone does not exist (note the zone used is dependent on the client subnet)

- any other issue that impacts dynamic DNS registration.

July 10th, 2014 5:18pm

Hi.  The USER ACTION section is clear but...

- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers (They are correct)
- Specified preferred and alternate DNS servers are not running (When I am rebooting or restarting DNS...only the preferred DNS is obviously running)
- DNS server(s) primary for the records to be registered is not running (I don't know what this means)
- Preferred or alternate DNS servers are configured with wrong root hints (Root hints appear to be correct but I am using three forwarders)
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration (This may be an issue because of the greyed _msdcs)

The DC NICs are correctly configured and DNS registration is working on other PCs.  The clients are configured to register their PTR record and other PTR records are there...just not the two DCs.  I have seen images on the web of Reverse DNS Zones that have PTR records of the Name Servers and images that do not.  I do not know if I need them there.  The NS records say (Same as parent folder) for the name and if I look in the parent folder the IPs are in there and they are correct.

I was getting these warnings before I removed the old NS record from the greyed _msdcs.  I read elsewhere that DNS does not auto-populate the greyed _msdcs.


Edited by MIS Admin Thursday, July 10, 2014 4:13 PM
July 10th, 2014 7:11pm

Any other thoughts about this?
August 6th, 2014 2:25pm

I assume you are not restarting them together at the same time. If you are, then I can see why this error is being generated.

If you see a demoted DC that is still in there, you can manually delete it. I would also check other places to make sure that it's gone. For example, if it still has an NS record for the zone, that could be a problem.

Are there any other DCs that were either demoted or forced removed? Let's take a look at the AD database by using the Metadata Cleanup process to make sure nothing is listed, and if there is, remove it. This also shows what else to cleanup after a demotion.

Complete Step by Step Guideline to Remove an Orphaned Domain controller or a DC that's been demoted using the /forceremoval switch. This includes seizing FSMOs, running a metadata cleanup, cleanup DNS (Nameservertab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.
Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
http://blogs.msmvps.com/acefekay/2010/10/04/complete-step-by-step-to-remove-an-orphaned-domain-controller/

August 8th, 2014 5:12am

Hi Ace.  I am starting/rebooting the servers one-at-a-time.  I recently demoted a DC...

http://social.technet.microsoft.com/Forums/en-US/795b5718-d866-4756-b316-f2c3f3b69c30/proper-steps-to-remove-a-2003-domain-controller?forum=winserverNIS

which was successful.  I didn't have to force remove it.   After demoting it, I removed it from AD.  The roles were properly assigned to my two other DCs before I demoted it.

The demoted server was still listed as a Domain Controller under Active Directory Sites and Services, Default-First-Site-Name, Servers.  I deleted it as instructed in my thread above.  I went through DNS several times and I didn't see any references to the old DC.  This was all prior to me starting this thread.  Since then, I have looked through DNS again and I tried the metadata cleanup tool per your post and it doesn't list the old DC.  It just finds my two current DCs.

I must be missing something.


Edit:  It is also not listed in adsi edit.
Edited by MIS Admin Monday, August 11, 2014 5:19 PM
August 11th, 2014 8:15pm

Ok, what part in ADSI Edit? Did you check the following?

===
If any DCs are prior to Windows 2008, or if the DCs are not configured properly and there are pre-existent issues, metadata cleanup may not get everything due to AD communication problems, such as the FRS and may require manually deleting it.

In ADSI Edit, connect to the Domain NC (Default Name Context), then expand and drill down to:
1. Domain.com (your domain name)
2. System
3. File Replication Service
4. Click on Domain System Volume (SYSVOL)

Do you see the old DC in there? If so, carefully just delete that object, and nothing else.

August 12th, 2014 4:10am
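The reply above lists the places where a demoted DC can leave traces: the FRS SYSVOL container in ADSI Edit, the server objects under AD Sites and Services, and NS records in the zones the 5781 events name. The following PowerShell script is an added example, not from the thread or from Ace's guide; it checks all three against the current DC list. It assumes the ActiveDirectory and DnsServer modules (RSAT) on a 2012 DC, the domain name 'company.local' from the first post, and a constructed placeholder name `OLD-DC03` for the demoted DC. The FRS container DN is written as `CN=Domain System Volume (SYSVOL share)`, which is the object name ADSI Edit shows for the "Domain System Volume (SYSVOL)" step; adjust it if your display differs.

```powershell
# Added example (not from the thread): look for leftovers of a demoted DC in the
# places named in this thread and compare NS records with the live DC list.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain   = 'company.local'           # domain name from the first post
$OldDc    = 'OLD-DC03'                # constructed placeholder for the demoted DC
$domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
$liveDcs  = (Get-ADDomainController -Filter * -Server $Domain).HostName

# 1. FRS subscriber objects under the SYSVOL replica set (the ADSI Edit path above)
$frsBase    = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"
$frsMembers = Get-ADObject -SearchBase $frsBase -SearchScope OneLevel -Filter * -Server $Domain
"FRS members: " + ($frsMembers.Name -join ', ')
$frsMembers | Where-Object { $_.Name -like "*$OldDc*" } |
    ForEach-Object { Write-Warning "Stale FRS member object: $($_.DistinguishedName)" }

# 2. Server objects under AD Sites and Services (Configuration partition)
$sitesBase = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $sitesBase -LDAPFilter '(objectClass=server)' -Server $Domain |
    Where-Object { $_.Name -like "*$OldDc*" } |
    ForEach-Object { Write-Warning "Stale site server object: $($_.DistinguishedName)" }

# 3. NS records in the domain zone (including the greyed _msdcs delegation node)
#    and in the separate _msdcs zone, flagged when the target is not a current DC
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $ns = Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -ErrorAction SilentlyContinue
    foreach ($rec in $ns) {
        $target = $rec.RecordData.NameServer.TrimEnd('.')
        if ($liveDcs -notcontains $target) {
            Write-Warning "Zone '$zone', node '$($rec.HostName)': NS record points to '$target', which is not a current DC"
        }
    }
}
```

The script only reports; deleting a flagged object is still a manual, deliberate step, as the reply says ("carefully just delete that object, and nothing else").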

Are you still seeing a 5781 when rebooting them one at a time?
August 12th, 2014 4:11am

That's the same place I checked in adsi edit.  It just has my two new DCs there.  The old DC was a 2003 box.  I still see the warnings.  All I need to do is restart the Netlogon service and then the DNS Server service.
August 12th, 2014 2:51pm

If a big mess hasn't already been made here,....looking back at the first post at the beginning,....127.0.0.1 will never resolve to "company.local".  Remove 127.0.0.1 from the DC.  List the actual IP#s only.  There is always some debate to point them to themselves first then to the other,..or the other way around,...but my 2012 DCs point to themselves first, then to the other.  But in either order it will ultimately still work,...but get rid of 127.0.0.1,...it can only resolve to "localhost".

Hopefully it hasn't gotten messed up worse by all the other things that have been tweaked during this process.

(Hi Ace!,...been a while)


August 15th, 2014 3:23pm
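Pulling the thread's advice together (the USER ACTION from the event, the NIC DNS settings the replies keep returning to, and the 127.0.0.1 point in the last reply), here is an added PowerShell check, not code from the thread or from any Microsoft guide. It assumes two DCs at the constructed addresses 10.0.0.11 and 10.0.0.12 and the domain name 'company.local' from the first post; order the addresses for each host as you prefer (the original poster lists the other DC first). Run it elevated on each DC, one at a time.

```powershell
# Added example (not from the thread): audit a DC's DNS client settings for a
# loopback entry, confirm the locator SRV records that Event 5781 refers to
# resolve, then re-register with nltest and look for a fresh 5781.
$Domain = 'company.local'                 # domain name from the first post
$DcIPs  = @('10.0.0.11', '10.0.0.12')     # constructed sample DC addresses

# 1. Loopback address in the DNS server list (the point in the last reply)
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($nic in $nics) {
    if ($nic.ServerAddresses -contains '127.0.0.1') {
        Write-Warning "Interface '$($nic.InterfaceAlias)' lists 127.0.0.1; replacing with the real DC addresses"
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $DcIPs
    } else {
        "Interface '$($nic.InterfaceAlias)' DNS servers: $($nic.ServerAddresses -join ', ')"
    }
}

# 2. Do the locator records for the three partitions named in the events resolve?
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.DomainDnsZones.$Domain",
    "_ldap._tcp.ForestDnsZones.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop
        $targets = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget -join ', '
        "{0,-45} -> {1}" -f $name, $targets
    } catch {
        Write-Warning "$name did not resolve: $($_.Exception.Message)"
    }
}

# 3. Re-register (the USER ACTION from the event) and check for a new 5781
$since = Get-Date
nltest.exe /dsregdns | Out-Null
Start-Sleep -Seconds 5
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5781; StartTime = $since
} -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Message | Format-List }
else { "No new Event 5781 after re-registration" }
```

Step 2 matters because the three 5781 events each name a different partition (the domain, DomainDnsZones and ForestDnsZones); if one SRV name fails while the others resolve, the problem is in that partition's zone or delegation rather than in the NIC settings.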
