ERROR_NO_SUCH_DOMAIN When 2 of 3 DCs are down

I have 3 DCs in my domain (2 in the local office, 1 in Amazon AWS), and I would like to move to Amazon and cut off the 2 local DCs.

I have shut down the 2 local DCs to test if the Amazon DC is working correctly, but then I receive "ERROR_NO_SUCH_DOMAIN" errors using nltest on client computers, and I am no longer able to log in to client computers with domain accounts.

I am not an expert, but I have tried the following:

  • Replication works, checked with "repadmin /showrepl"
  • Clients see all 3 DCs when using "nltest /dclist:mydomain.com"
  • Secure channel seems OK when checking with "nltest /sc_query:mydomain.com" and also with PowerShell "Test-ComputerSecureChannel -Server amazonDC.mydomain.com"
  • Firewall turned off, does not help
  • All 5 FSMO roles are on one of the local DCs (could this be the problem?)

I would appreciate any help, idea, or observation of what could be the problem here, or how I should properly move to Amazon without the local office DCs, and how to test it before moving.

Edit1: Installing the DNS role on the Amazon DC did solve the problem; I no longer receive the "ERROR_NO_SUCH_DOMAIN" errors, although when I try to log in, I now get an error "the remote computer that you are trying to connect to requires network level authentication", but I guess that's a different story. Thank you for the help!

Answer:

You probably have your two local DCs set as DNS servers for your clients. When either of them is online, DNS lookups work fine, and you can see the AWS DC.

When both local DCs go offline, your clients are left without functioning name resolution, and can no longer reach the AWS DC.

Set the secondary DNS server to the IP of the AWS DC for the duration of the test. If it works fine at that point, update your DHCP DNS configuration.

Zsolt J:
You are correct, the 2 offline DCs are also DNS servers, while on Amazon I have only a DC. Would it be a solution if I install the DNS role on Amazon too?

joeqwerty:
If the two DCs with DNS are down and the AWS DC does not have DNS, then how do you expect domain clients to find the domain and the DC? Yes, you need to add DNS to the AWS DC and configure your clients to use it for DNS.

Zsolt J:
@joeqwerty I do have an external DNS service called DNSMadeEasy, which is configured as the primary DNS provider on the client computers (DNSMadeEasy nameserver IP). The clients are able to access websites, and name resolution works correctly, but only when the two DCs are running, so yeah, something is obviously not configured correctly.

vidarlo:
Active Directory uses DNS to discover domain controllers. You *should* use a DNS server integrated with AD as the DNS server in an AD environment. Not doing so will lead to a huge mess. It doesn't *have* to be the DCs; it's fully possible to use `bind` with a stub zone for instance, or configure forwarders, or even configure AD to update a `bind` server. However, if you don't know how AD works, it's *recommended* to use the DCs as DNS servers for the clients.