Windows clients "no domain controllers could be contacted"

Hi all, I just set up a fresh install of UCS, but seem to be having some DNS issues, or possibly something with AD.

I created the UCS install with a hostname like ucsdc.mydomain.home, where mydomain.home is the current running domain. My windows domain controller was something like windc.mydomain.home. I successfully logged into the UCS machine and it joined the domain properly. I then initiated a domain takeover. All the processes completed successfully, so I shut down the old Windows domain controller, and reassigned the UCS machine with the IP addresses formerly assigned to the Windows DC so I didn’t have to change much else in my system. I was able to verify that DNS seemed to be working last night, but that was it.

This morning I came to find that, in fact, most things were not working properly; my Windows domain client PCs couldn’t seem to find the domain controller this morning. Figuring I might have to remove them and re-add them, I took a Windows 10 VM that was on the old DC and removed it from the domain, then attempted to re-add it, and that’s where the real fun began. I was seeing some weird behavior with DNS; basically, I found that I could ping ucsdc from the command line successfully, but if I pinged ucsdc.mydomain.home, the address could not be found.

I scoured the DNS settings in my server, and only found one old record for the former windows domain controller, but I also noticed that all of the settings didn’t seem to include the domain. For example, I found a record for _ldap._tcp.dc._msdcs., but it should have said _ldap._tcp.dc._msdcs.mydomain.home. So, I went through and corrected all of those entries (I think); in particular, the entries referenced on this page.

Once I tried to add the machine back to the domain, I ran across an error as follows:

[quote]DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain “mydomain.home”:

The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.home

The following domain controllers were identified by the query:
ucsdc.mydomain.home

However no domain controllers could be contacted.

Common causes of this error include:

  • Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

  • Domain controllers registered in DNS are not connected to the network or are not running.
    [/quote]

If I try nslookup ucsdc.mydomain.home, it works, but I get a message stating

I’m basically out of ideas right now, so I’m hoping someone here can help me figure this out. I’ll be happy to provide more info as needed.

Thanks,
Dan

I had same on all ad takeovers i did - but the following procedure fixed it for me:

sdb.univention.de/content/6/274/ … aster.html

and no you don’t need to change the ip of the UCS master to the old WinDC’s as the old address is added as second ip to the new UCS master during ad-takeover process

p.s. you can check the ad dns entries by running following script:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

rg

Christian

That worked, thanks Christian!

Now as a result of my previous “fix”, I have some duplicate entries in DNS, such as

[quote]_kerberos._tcp.dc_msdcs.mydomain.home
_kerberos._tcp.dc_msdcs[/quote]

This is because previously I edited all of the lines like the second one shown to look like the first one shown (with the FQDN tacked on the end). Should I go through and delete the lines I added with the FQDN, or leave them, or ?

I broke it again, then it fixed itself…the solution: reboot!

At some point a warning popped up on the console that one of the domain join scripts failed to run. So, I went in and executed the script…98univention-samba4-dns. Afterward, I couldn’t join machines to the domain again. Cursed a bit, then rebooted the UCS server…and now we’re good again!

Mastodon