Windows 2012 Domain Controller NETLOGON error
There were two issues with this case
1) Domain Controllers's Primary DNS has to loop-back address.
2)Second issue was very trivial.. The users I was trying to logon got its passwords expired. :-)
Thanks Colyn1337 for your help.
Related videos on Youtube
user2201980
Updated on September 18, 2022Comments
-
user2201980 over 1 year
We have Sonicwall firewall user authentication System active since last two months. We have Windows 2012 Active directory server setup with around 1400 user account created. These accounts were created by using following PowerShell scripts
Import-Module ActiveDirectory #Import CSV $csv = @() $csv = Import-Csv -Path C:\Users\Administrator\Desktop\"College User Ac Password Details"\FE\civil.csv FOREACH ($Person in $csv) { $name = $Person.UserName $displayname = $Person.Name $path = "OU=here,DC=comp,DC=com" $password = $Person.Password $enabled = $True $changePW = $False $description="CIVIL" new-ADUser -SamAccountName $name -Name $name -Description $description -DisplayName $displayname -Path $path -AccountPassword (ConvertTo-SecureString $password -AsPlainText -force) -Enabled $enabled -ChangePasswordAtLogon $changePW -PassThru
}
Above script reads an CSV file with username and passwords and create user accounts on Active Directory.
But since today we are facing issue during authentication process. We are unable to logon to Directory server. When Sonicwall firewall tries to authenticate an user, it logged-out same user. When I checked Event logger on Windows Active Directory server it shows following message.
The dynamic registration of the DNS record 'ForestDnsZones.comp.com. 600 IN A 192.168.0.12' failed on the following DNS server: DNS server IP address: (removed) Returned Response Code (RCODE): 5 Returned Status Code: 9017 For computers and users to locate this domain controller, this record must be registered in DNS. USER ACTION Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Or, you can manually add this record to DNS, but it is not recommended. ADDITIONAL DATA Error Value: DNS bad key.
Above log entry talks about DNS issue. But I did non configured any DNS server on this machine.Authentication was working fine for last two months , but suddenly from today we are facing above issue. Kindly help me out in resolving this issue.
EDIT1
Getting following warning in DNS Server Log
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
-
Colyn1337 almost 10 yearsRun this command and check the output
dcdiag /test:dns
-
user2201980 almost 10 yearsOutput is copied to ur1.ca/h7rs8
-
Colyn1337 almost 10 yearsBased on the output, do you have a firewall running on that box?
-
user2201980 almost 10 yearsI had stopped DNS client and DNS server services . Windows firewall is running.
-
Colyn1337 almost 10 yearsCan you join the chat? Also, just for clarification, I was asking if you had a firewall running on the DC.
-
user2201980 almost 10 yearsyes.I can join chat. Yes, windows firewall is running on DC
-
user2201980 almost 10 yearsoutput of dcdiag /test:dns is copied to ur1.ca/h7s89
-
user2201980 almost 10 yearsI have changed Primary DNS of DC to loopback address. Now my DC has passed DNS test. But the issue still persist..
-