AD-Integrated DNS failure: "Access was Denied"

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by goldPseudo on Server Fault See other posts from Server Fault or by goldPseudo
Published on 2012-11-09T06:27:38Z Indexed on 2012/11/09 11:06 UTC
Read the original article Hit count: 421

Filed under:
|
|

I have a single Windows 2008 R2 server configured as a domain controller with Active Directory Domain Services and DNS Server.

The DNS Server was recently uninstalled and reinstalled in an attempt to fix a (possibly unrelated) problem; the event log was previously flooded with errors (#4000, "The DNS Server was unable to open Active Directory...") which reinstalling did not fix. However, while before it was at least showing and resolving names from the local network (slowly), now it's showing nothing at all.

(The original error started with a #4015 error "The DNS server has encountered a critical error from the Active Directory," followed by a long string of #4000 and a few #4004. This may have been caused when a new DNS name was recently added, but I can't be sure of the timing.)

Attempting to manage the DNS through Administrative Tools > DNS brings up an error:

The server SERVERNAME could not be contacted.
The error was:
Access was denied.

Would you like to add it anyway?

Selecting yes just puts a SERVERNAME item on the list, but with all the configuration options grayed out.

I attempted editing my hosts file as per this post but to no avail.

Running dcdiag, it does identify the home server properly, but fails right away testing connectivity with:

Starting test: Connectivity
The host blahblahblahyaddayaddayadda could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings. ......................... SERVERNAME failed test Connectivity

Adding the blahblahblahyaddayaddayadda address to hosts (pointing at 127.0.0.1), the connectivity test succeeded but it didn't seem to solve the fundamental problem (Access was denied) so I hashed it out again.

Primary DNS server is properly pointing at 127.0.0.1 according to ipconfig /all. And the DNS server is forwarding requests to external addresses properly (if slowly), but the resolving of local network names is borked.

The DNS database itself is small enough that I am (grudgingly) able to rebuild it if need be, but the DNS Server doesn't seem willing to let me work with (or around) it at all.

(and yes before you ask there are no system backups available)

Where do I go from here?

As requested, my (slightly obfuscated) dcdiag output:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = bulgogi

   * Identified AD Forest.
 Done gathering initial info.


Doing initial required tests

       Testing server: Obfuscated\BULGOGI

      Starting test: Connectivity

         The host a-whole-lot-of-numbers._msdcs.obfuscated.address

         could not be resolved to an IP address. Check the DNS server, DHCP,

         server name, etc.

         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... BULGOGI failed test Connectivity



Doing primary tests

       Testing server: Obfuscated\BULGOGI

      Skipping all tests, because server BULGOGI is not responding to directory

      service requests.


       Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

       Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

       Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

       Running partition tests on : obfuscated

      Starting test: CheckSDRefDom

         ......................... obfuscated passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... obfuscated passed test CrossRefValidation

       Running enterprise tests on : obfuscated.address

      Starting test: LocatorCheck

         ......................... obfuscated.address passed test LocatorCheck

      Starting test: Intersite

         ......................... obfuscated.address passed test Intersite

And my hosts file (minus the hashed lines for brevity):

127.0.0.1       localhost
::1             localhost

And, for the sake of completion, here's selected chunks of my netstat -a -n output:

  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49158          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49164          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49178          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49179          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50480          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING
  TCP    192.168.12.127:53      0.0.0.0:0              LISTENING
  TCP    192.168.12.127:139     0.0.0.0:0              LISTENING
  TCP    192.168.12.127:445     192.168.12.50:51118    ESTABLISHED
  TCP    192.168.12.127:3389    192.168.12.4:33579     ESTABLISHED
  TCP    192.168.12.127:3389    192.168.12.100:1115    ESTABLISHED
  TCP    192.168.12.127:50784   192.168.12.50:49174    ESTABLISHED
<snip ipv6>
  UDP    0.0.0.0:123            *:*                    
  UDP    0.0.0.0:500            *:*                    
  UDP    0.0.0.0:1645           *:*                    
  UDP    0.0.0.0:1645           *:*                    
  UDP    0.0.0.0:1646           *:*                    
  UDP    0.0.0.0:1646           *:*                    
  UDP    0.0.0.0:1812           *:*                    
  UDP    0.0.0.0:1812           *:*                    
  UDP    0.0.0.0:1813           *:*                    
  UDP    0.0.0.0:1813           *:*                    
  UDP    0.0.0.0:4500           *:*                    
  UDP    0.0.0.0:5355           *:*                    
  UDP    0.0.0.0:59638          *:*                    
<snip a few thousand lines>
  UDP    0.0.0.0:62140          *:*                    
  UDP    127.0.0.1:53           *:*                    
  UDP    127.0.0.1:49540        *:*                    
  UDP    127.0.0.1:49541        *:*                    
  UDP    127.0.0.1:53655        *:*                    
  UDP    127.0.0.1:54946        *:*                    
  UDP    127.0.0.1:58345        *:*                    
  UDP    127.0.0.1:63352        *:*                    
  UDP    127.0.0.1:63728        *:*                    
  UDP    127.0.0.1:63729        *:*                    
  UDP    127.0.0.1:64215        *:*                    
  UDP    127.0.0.1:64646        *:*                    
  UDP    192.168.12.127:53      *:*                    
  UDP    192.168.12.127:67      *:*                    
  UDP    192.168.12.127:68      *:*                    
  UDP    192.168.12.127:88      *:*                    
  UDP    192.168.12.127:137     *:*                    
  UDP    192.168.12.127:138     *:*                    
  UDP    192.168.12.127:389     *:*                    
  UDP    192.168.12.127:464     *:*                    
  UDP    192.168.12.127:2535    *:*                    
<snip ipv6 again>

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about active-directory

Related posts about windows-server-2008-r2

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle