Server 2012 R2 Active Directory Domain SRV DNS records suddenly disappeared

I have a test domain that I recently configured. All of a sudden, no users can log in except those with cached credentials. The domain includes two domain controllers that are both global catalogs that replicate to each other.

After investigating the issue, I discovered that all of the _msdcs domain records are completely gone on both of the DNS servers. This makes it impossible to locate a domain controller because SRV records such as _ldap and _kerberos are unresolvable.

I'm not quite sure how this happened... is this something that clearing the DNS cache or DNS scavenging would cause?

At this point I need to restore the records somehow. I looked at the settings of another domain, and it looks like they can be recreated manually... but I noticed that some of the DNS records appear to have SID names in them... and I have no idea what identifier would need to be used to recreate them.

Is there a better process that one can use for getting out of a situation like this?


Solution 1:

1. Restart the Netlogon service on one of the Domain Controllers

OR

2. Run DCDiag /fix

OR

3. Manually create the records from the netlogon.dns file from one of the Domain Controllers
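The three steps above, as an added PowerShell example that is not part of the original answer. It assumes an elevated session on one of the domain controllers with the ActiveDirectory RSAT module installed; the domain name is read from the DC itself, and `$PeerDc` is a hypothetical placeholder for the second domain controller. It first checks whether the DC-locator SRV records resolve on both DNS servers, then applies the Netlogon restart and `dcdiag /fix` steps, and finally pulls the SRV lines out of netlogon.dns for manual re-creation if the zone still refuses registrations.

```powershell
# Added example (not from the original question or answers). Run elevated on a
# domain controller. $PeerDc is a hypothetical name for the second DC.
Import-Module ActiveDirectory
$DomainName = (Get-ADDomain).DNSRoot
$PeerDc = "DC2.$DomainName"   # placeholder: replace with the other DC's FQDN

# The DC-locator SRV names a client needs before it can authenticate.
$locatorRecords = @(
    "_ldap._tcp.dc._msdcs.$DomainName",
    "_kerberos._tcp.dc._msdcs.$DomainName",
    "_ldap._tcp.gc._msdcs.$DomainName"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string]$DnsServer)
    foreach ($name in $Names) {
        $answer = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Record  = $name
            Server  = $DnsServer
            Present = [bool]$answer
            Targets = ($answer | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ','
        }
    }
}

# 1. Record the state on both DNS servers before changing anything.
foreach ($dns in $env:COMPUTERNAME, $PeerDc) {
    Test-DcLocatorRecords -Names $locatorRecords -DnsServer $dns | Format-Table -AutoSize
}

# 2. Step 1 of the answer: Netlogon re-registers this DC's SRV records on start.
Restart-Service -Name Netlogon
# Trigger registration now instead of waiting for Netlogon's refresh interval.
nltest /dsregdns

# 3. Step 2 of the answer: let dcdiag repair what it can, then re-run its DNS test.
dcdiag /fix
dcdiag /test:dns /v

# 4. Step 3 of the answer: the records this DC expects to own, in case they have
#    to be created by hand. SID-looking names in the file are the DC's DSA GUID
#    (the _msdcs CNAME) and are safe to copy verbatim from here.
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" | Select-String -Pattern 'SRV|CNAME'

# Confirm the locator records are back after re-registration.
Test-DcLocatorRecords -Names $locatorRecords -DnsServer $env:COMPUTERNAME | Format-Table -AutoSize
```

Running the check before and after the restart tells you whether Netlogon's registration succeeded or was rejected by the zone; if `Present` stays `False` on both servers after the restart, the zone itself (its dynamic-update setting or its ownership in AD) is the problem rather than the records.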

Solution 2:

It's unusual for DNS records to be deleted (unless a person deleted them). Usually they are dnsTombstoned, so the records may still appear if using another tool like ADSIEdit even if not visible in DNS Manager or nslookup.

There are edge cases where scavenging can cause this (and a lot of other problems if scavenging is not configured properly).

http://blogs.technet.com/b/askpfeplat/archive/2012/07/09/the-case-of-the-missing-srv-records.aspx

http://blogs.technet.com/b/ad/archive/2008/08/08/a-complicated-scenario-regarding-dns-and-the-dc-locator-srvs.aspx

Solution 3:

I did restart the NetLogon service and run dcdiag /fix, but there was no luck. After 3-4 hours of searching and reading, I decided to uninstall Active Directory Services and install it again, but the installation failed too!

Then I decided to add DNS records manually according to this and this, so I deleted the domain's zone and added it again, and when adding the zone I noticed Allow only secure dynamic updates, and I remembered from somewhere that this setting should be enabled, so I checked this check box and then restarted the netlogon service and tadaaa !! It added all the records. I also ran dcdiag /fix and then dcdiag. All the tests passed except one (SystemLog I think), which I ignored. After that I could join other PCs to the domain. This may be the case for others. I just needed to enable secure dynamic updates on my domain's zone.

Hope this prevents others from going through all the trouble that I went through.
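An added PowerShell example, not part of any of the answers above, covering two points from Solution 2 and Solution 3: checking whether the "missing" nodes are merely dnsTombstoned in the AD-integrated zone, and verifying that the zone accepts secure dynamic updates before asking Netlogon to register again. It assumes an elevated session on a DC with the DnsServer and ActiveDirectory modules, an AD-integrated primary zone for the domain, and the default partition layout (the domain zone in DomainDnsZones; the delegated _msdcs zone, where present, in ForestDnsZones).

```powershell
# Added example (not from the original answers). Run elevated on a domain
# controller; assumes an AD-integrated primary zone named after the domain.
Import-Module DnsServer
Import-Module ActiveDirectory
$Domain   = Get-ADDomain
$ZoneName = $Domain.DNSRoot

# Solution 2: records that vanish from DNS Manager are often only tombstoned.
# dnsNode objects for the domain zone live under CN=MicrosoftDNS in the
# DomainDnsZones partition; the _msdcs forest zone is in ForestDnsZones instead.
function Get-TombstonedDnsNodes {
    param([string]$Zone, [string]$DomainDn)
    $zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
    Get-ADObject -SearchBase $zoneDn -LDAPFilter '(dnsTombstoned=TRUE)' `
        -Properties dnsTombstoned, whenChanged |
        Select-Object Name, whenChanged
}
Get-TombstonedDnsNodes -Zone $ZoneName -DomainDn $Domain.DistinguishedName | Format-Table -AutoSize

# Solution 3: Netlogon registers the _msdcs SRV records through secure dynamic
# update, so a zone set to None (or a non-AD-integrated zone) silently rejects them.
function Set-SecureDynamicUpdate {
    param([string]$Zone)
    $z = Get-DnsServerZone -Name $Zone
    if (-not $z.IsDsIntegrated) {
        Write-Warning "Zone $Zone is not AD-integrated; 'Secure' updates are only available for AD-integrated zones."
        return $z.DynamicUpdate
    }
    if ($z.DynamicUpdate -ne 'Secure') {
        Write-Warning "Zone $Zone allows '$($z.DynamicUpdate)' updates; switching to Secure."
        Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure
    }
    (Get-DnsServerZone -Name $Zone).DynamicUpdate
}
Set-SecureDynamicUpdate -Zone $ZoneName

# The delegated _msdcs zone (created by default since Server 2003) needs the same setting.
if (Get-DnsServerZone -Name "_msdcs.$ZoneName" -ErrorAction SilentlyContinue) {
    Set-SecureDynamicUpdate -Zone "_msdcs.$ZoneName"
}

# Re-register and confirm the locator records came back.
Restart-Service -Name Netlogon
nltest /dsregdns
Start-Sleep -Seconds 15
Get-DnsServerResourceRecord -ZoneName "_msdcs.$ZoneName" -RRType Srv -ErrorAction SilentlyContinue |
    Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.DomainName } } |
    Format-Table -AutoSize
```

Checking `DynamicUpdate` first is the cheap test that the answer reached only after rebuilding the zone: if it reports `None`, Netlogon's registrations are being refused, and no amount of restarting will repopulate the _msdcs records until the setting is corrected. Any tombstoned nodes listed by the first function are worth noting as well, because they point at scavenging or a deletion rather than a registration failure.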