
New Windows Server 2012 unable to connect to Netlogon Service or update DNS records


Hi everybody, all of my Windows Server 2012 machines decided to collapse after an innocuous group policy update that was meant to make user passwords more secure.

The AD and DNS seem to be functioning "normally": I am able to add new Windows 7 and Windows Server 2008 machines to the domain, I can see them listed in the AD, and DNS records are updated correctly. However, as soon as I try to join Windows Server 2012 it breaks.

The event log is littered on the new server with:

The system failed to register host (A or AAAA) resource records (RRs) for network adapter

with settings:

           Adapter Name : {DB7F73CE-E011-4F3C-BEBC-2CE7A871DF51}

           Host Name : CHEETAH

           Primary Domain Suffix : somedomain.com

           DNS server list :

             192.168.0.5

           Sent update to server : <?>

           IP Address(es) :

            192.168.0.15

The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running at this time.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

and

Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.somedomain.com. timed out after none of the configured DNS servers responded.

When I try to ping the primary DC (WS2003) it fails, the Secondary DC (WS2012) responds.

The >nltest /sc_query:somedomain.com on Windows Servers 2012 returns:

Flags: 0

Trusted DC Name

Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

The command completed successfully

yet it works on all other machines.

I tried removing the 2012 servers from the domain and rejoining, without success. The cookie crumbled when I added two new installations of Windows Server 2012 & 2008, and 2008 worked fine but 2012 showed the same symptoms.

There is one peculiar thing that I had noticed on all Windows 2012 machines: it is constantly showing "Workplace Connection - Connecting" in the networks pane on the right side of the screen, which I can't say I ever noticed before.

Unfortunately, the secondary DC is a multihoming server with the Direct Access role. I am not sure if this may play some part, but our existing configuration worked for a year now without any problems. The issue appeared when I changed the password complexity rule, which boggles the mind. I wonder if there have been some other changes in GPO that did not propagate from years ago and have finally come back to break things.

Any suggestions would be really appreciated.

wmin

