Cisco ACS 5.1 cannot join Windows AD

For about a week now I have been setting up our new ACS 5.1. I had experienced no problems so far, up until now, when trying to join the ACS to the Windows AD (configuring LDAP was also no problem). I configure it using the domain name and a user and password with the appropriate rights.
When I hit the "Test Connection" button I get the message "Connection test to 'mydomain.com' succeeded".
However, when I want to save the configuration, I get the message "Invalid credentials to join this machine to Active Directory Domain". Tests with different users made no difference at all. Now for the interesting part. According to the log files, the ACS contacted the following servers to join the AD:
Jul 26 15:00:45 mbssp087 adjoin[4848]: INFO  cli.adjoin Version: CentrifyDC 4.3.0-184
Jul 26 15:01:34 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p10174.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:01:39 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p10589.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:01:44 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p10504.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:01:54 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p10853.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:02:04 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p4831.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:02:14 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p10159.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:02:19 mbssp087 adjoin[4848]: INFO  base.bind.ad Reached adclient.server.try.max before finding a valid server
Jul 26 15:02:19 mbssp087 adjoin[4848]: INFO  cli.adjoin Join to domain 'mydomain.ch', zone 'null' failed.
The pxxxx.mydomain.ch entries one can see in the log files are not DCs at all. Those are ordinary workstations all across our branch network. According to our Windows administrator, everything is set up correctly on the DNS and DC servers.
Browsing through the support forums, I made sure that I set the NTP, timezone and DNS servers correctly. The ACS is patched to version 5.1.0.44-3; all DCs are Windows 2000 machines.
Any ideas what I am overlooking? I am sure it's just a little detail I am not seeing...

I had a similar problem with login/joining to AD.
I need to know how to set up a unique IP for domain.name in /etc/hosts,
or how to set up a default domain controller for the domain.
All setup options for AD and users are OK, such as the user privilege level on AD, NTP ...
We have in our infrastructure multiple domain controllers and DNS servers with different architectures:
a few 32-bit, a few 64-bit, a few as Unix controllers, a few as Windows controllers .....
Q: How to set up a default controller IP for the domain?
The ideal solution is an /etc/hosts update, setting the server IP for the domain controllers.
====================================================
From ACS CLI:
====================================================
acs-new/acsadmin# nslookup xx.domain.com
Trying "xx.domain.com"
;; Truncated, retrying in TCP mode.
Trying "xx.domain.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35020
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 75, AUTHORITY: 0, ADDITIONAL: 25
;; QUESTION SECTION:
;xx.domain.com.                 IN      ANY
;; ANSWER SECTION:
xx.domain.com.          600     IN      A       192.168.21.19
xx.domain.com.          600     IN      A       10.249.4.41
xx.domain.com.          600     IN      A       10.245.1.19
xx.domain.com.          600     IN      A       10.250.20.1
xx.domain.com.          600     IN      A       10.241.2.29
xx.domain.com.          600     IN      A       172.16.90.83
xx.domain.com.          600     IN      A       10.247.10.5
xx.domain.com.          600     IN      A       10.244.48.100
xx.domain.com.          600     IN      A       10.242.53.218
xx.domain.com.          600     IN      A       10.242.52.202
xx.domain.com.          600     IN      A       172.21.8.32
xx.domain.com.          600     IN      A       10.16.1.29
xx.domain.com.          600     IN      A       10.254.99.182
xx.domain.com.          600     IN      A       10.245.48.229
xx.domain.com.          600     IN      A       10.100.8.19       !# my default controllers
xx.domain.com.          600     IN      A       10.224.201.10
xx.domain.com.          600     IN      A       10.254.100.2
xx.domain.com.          600     IN      A       10.243.18.13
xx.domain.com.          600     IN      A       10.249.4.1
xx.domain.com.          600     IN      A       10.249.4.2
xx.domain.com.          600     IN      A       172.31.4.26
xx.domain.com.          600     IN      A       10.241.2.28
xx.domain.com.          600     IN      A       10.245.48.235
xx.domain.com.          600     IN      A       172.31.4.21
xx.domain.com.          600     IN      A       10.242.52.201
xx.domain.com.          600     IN      A       10.243.18.14
xx.domain.com.          600     IN      A       10.240.1.16
xx.domain.com.          600     IN      A       172.21.8.33
xx.domain.com.          600     IN      A       10.224.201.1
xx.domain.com.          600     IN      A       10.254.152.214
xx.domain.com.          600     IN      A       10.100.17.81       !# my default controllers
xx.domain.com.          600     IN      A       10.253.116.158
xx.domain.com.          600     IN      A       10.100.17.80
xx.domain.com.          600     IN      A       10.250.20.2
xx.domain.com.          600     IN      A       10.241.20.231
xx.domain.com.          600     IN      A       10.253.116.161
xx.domain.com.          600     IN      A       10.244.48.120
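Added example (Python, not code from either post above): the two checks a practitioner would run on these symptoms. It parses adjoin log lines in the format of the first post to list which hosts the joiner actually tried to bind to, and it compares the A records returned for the bare domain name (the nslookup output above) against the domain controllers advertised by the _ldap._tcp.dc._msdcs.<domain> SRV record. In AD the bare-domain A records are registered by the DCs themselves, so any such record whose address is not an SRV-advertised DC is a host a joiner may try to bind to, which is what the adjoin log shows. The SRV records, the DC names dc1/dc2 and their A records are constructed for the example; the script runs offline.

```python
"""Adjoin log triage and bare-domain A record check (added example)."""
import re
from ipaddress import ip_address

# Constructed sample in the Centrify adjoin log format shown in the thread.
ADJOIN_LOG = """\
Jul 26 15:00:45 mbssp087 adjoin[4848]: INFO  cli.adjoin Version: CentrifyDC 4.3.0-184
Jul 26 15:01:34 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p10174.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:01:39 mbssp087 adjoin[4848]: INFO  base.bind.ad ConnectToServer: fetch("") from p10589.mydomain.ch:389 failed (Reason: fetch  : Can't contact LDAP server)
Jul 26 15:02:19 mbssp087 adjoin[4848]: INFO  base.bind.ad Reached adclient.server.try.max before finding a valid server
Jul 26 15:02:19 mbssp087 adjoin[4848]: INFO  cli.adjoin Join to domain 'mydomain.ch', zone 'null' failed.
"""

# Constructed nslookup/dig-style answer for the bare domain name.
DOMAIN = "xx.domain.com"
NSLOOKUP_ANY = """\
;; ANSWER SECTION:
xx.domain.com.          600     IN      A       10.100.8.19
xx.domain.com.          600     IN      A       10.100.17.81
xx.domain.com.          600     IN      A       192.168.21.19
xx.domain.com.          600     IN      A       172.16.90.83
"""

# Constructed: what _ldap._tcp.dc._msdcs.xx.domain.com would return
# (priority, weight, port, target) and the A records of those targets.
SRV_DC = [(0, 100, 389, "dc1.xx.domain.com."), (0, 100, 389, "dc2.xx.domain.com.")]
HOST_A = {"dc1.xx.domain.com": ["10.100.8.19"], "dc2.xx.domain.com": ["10.100.17.81"]}

CONNECT_RE = re.compile(
    r'ConnectToServer: fetch\(""\) from (?P<host>[\w.-]+):(?P<port>\d+) failed '
    r'\(Reason: (?P<reason>.+)\)$'
)
A_RECORD_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_adjoin_log(text):
    """Return (attempts, joined): attempts is a list of (host, port, reason)
    for every failed bind; joined is False when the log records a failed join."""
    attempts, joined = [], True
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            attempts.append((m["host"], int(m["port"]), m["reason"]))
        elif "Join to domain" in line and line.rstrip().endswith("failed."):
            joined = False
    return attempts, joined


def parse_a_records(output):
    """Extract (owner name, ip) pairs from dig/nslookup answer lines."""
    records = []
    for line in output.splitlines():
        m = A_RECORD_RE.match(line.strip())
        if m:
            records.append((m["name"].rstrip(".").lower(), ip_address(m["ip"])))
    return records


def dc_addresses(srv_records, host_a_records):
    """Map each SRV-advertised DC target to the set of its A record addresses."""
    dcs = {}
    for _prio, _weight, _port, target in srv_records:
        name = target.rstrip(".").lower()
        dcs[name] = {ip_address(ip) for ip in host_a_records.get(name, [])}
    return dcs


def non_dc_domain_records(domain, a_records, dcs):
    """A records for the bare domain name whose address belongs to no advertised DC.
    These are the hosts a joiner that resolves the bare name may try to bind to."""
    dc_ips = set().union(*dcs.values()) if dcs else set()
    return sorted(ip for name, ip in a_records
                  if name == domain.lower() and ip not in dc_ips)


def main():
    attempts, joined = parse_adjoin_log(ADJOIN_LOG)
    print(f"join succeeded: {joined}")
    for host, port, reason in attempts:
        print(f"  tried {host}:{port} -> {reason}")
    a_records = parse_a_records(NSLOOKUP_ANY)
    stray = non_dc_domain_records(DOMAIN, a_records, dc_addresses(SRV_DC, HOST_A))
    print(f"{len(a_records)} A records for {DOMAIN}, "
          f"{len(stray)} not backed by an SRV-advertised DC:")
    for ip in stray:
        print(f"  {ip}")


if __name__ == "__main__":
    main()
```

Run against real data, the SRV and A inputs would come from `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` and from the A lookups of its targets; any address the check reports for the bare domain name is a record to remove from the zone (or a host that should not be allowed to register under that name), not something to work around in /etc/hosts.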

Similar Messages

  • Cannot join Windows XP machines to the Mac PDC domain

    Frustrated...
    Yesterday, I was able to successfully add 5 Windows XP machines to the Mac PDC domain (let's call it xyz.lan). Those machines show up as valid computer accounts in Workgroup Manager (PC1$, PC2$, etc.). Users are able to log on to those Windows XP machines using their Mac Open Directory user account and access their home folder, etc.
    This morning, for some reason, I can no longer join XP machines to the Mac PDC domain. On both PCs I tried it with, I receive an "Insufficient System Resources exist to complete the requested service" on the Windows XP machine. I am using the diradmin user account and password to supply credentials. Same exact process as yesterday (which worked fine).
    A couple of things of note. I made sure the PDC domain is set to Enabled for allowing Guest Access and that WINS Registration is also enabled. Authentication is also set to enabled for NTLMv2 and NTLM. I also tried rebooting the server this morning as well. It's running 10.5.4. This was not an upgrade from 10.4, but a fresh install of Leopard.
    No changes were made on the server between yesterday and today that I am aware of.
    Looking at the /var/log/samba/log.smbd log, there are thousands of entries for "This process has forked and you cannot use this corefunctionality process, You must EXEC()" etc... The log also shows failures when the XP machine tries to join to the domain. Log entries are listed showing, "pdbdefault_createuser: failed to add new account for 'PC6$'". Adding PC6$ manually via Workgroup Manager doesn't help either.
    Any idea what to check next? I read so many varied things about Leopard and SMB not quite playing nice. People mentioning they had to go through all sorts of hurdles to get this working. Any advice is welcome.

    Any news about this? I'm having the same problem trying to join a Vista box to the domain. Here are the logs:
    [2009/04/22 13:25:25, 0, pid=42167] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbodsam.c:odssamgetsampwnam(1571)
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'VISTA-02$'
    [2009/04/22 13:25:25, 0, pid=42167] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbodsam.c:odssamgetgrnam(2040)
    odssam_getgrnam gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Groups record for 'VISTA-02$'!
    [2009/04/22 13:25:25, 0, pid=42167] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbodsam.c:odssamgetsampwnam(1571)
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'VISTA-02$'
    kDSStdAuthNewUser was successful for account "vista-02$"
    kDSStdAuthNewUser accountid len(375)"0x49ef53056eb8a2630000009a00000214,1024 35 129849767195843988386717130686365750405143149807097035240997923637742337040903506153973871003812041813324419007326669993686871371821246150609561416487672279816850996014745064297496041484464380321772803933500334864635264176672399865926313147079923364167109976966344241501266923849093477545323065093504527714303 [email protected]"
    <CFArray 0x127bb0 [0xa087e1a0]>{type = mutable-small, count = 1, values = (
    0 : <CFDictionary 0x10fa70 [0xa087e1a0]>{type = mutable, count = 3, capacity = 3, pairs = (
    0 : <CFString 0x127230 [0xa087e1a0]>{contents = "dsAttrTypeStandard:RecordName"} = <CFArray 0x1273d0 [0xa087e1a0]>{type = mutable-small, count = 1, values = (
    0 : <CFString 0x127830 [0xa087e1a0]>{contents = "passwordserver"}
    1 : <CFString 0x12b1b0 [0xa087e1a0]>{contents = "dsAttrTypeStandard:PasswordServerLocation"} = <CFArray 0x1276e0 [0xa087e1a0]>{type = mutable-small, count = 1, values = (
    0 : <CFString 0x128030 [0xa087e1a0]>{contents = "10.10.1.102"}
    3 : <CFString 0x10b150 [0xa087e1a0]>{contents = "dsAttrTypeStandard:AppleMetaNodeLocation"} = <CFArray 0x127b60 [0xa087e1a0]>{type = mutable-small, count = 1, values = (
    0 : <CFString 0x125b80 [0xa087e1a0]>{contents = "/LDAPv3/127.0.0.1"}
    [2009/04/22 13:25:26, 0, pid=42167] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbodsam.c:odssamgetsampwnam(1571)
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'VISTA-02$'
    [2009/04/22 13:25:26, 1, pid=42167] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbinterface.c:pdb_default_createuser(371)
    pdbdefault_createuser: failed to add a new account for 'VISTA-02$'
    [2009/04/22 13:25:30, 2, pid=42171] /SourceCache/samba/samba-187.8/samba/source/smbd/reply.c:reply_special(328)
    netbios connect: name1=10.10.1.102 name2=MYMAC
    [2009/04/22 13:25:30, 2, pid=42171] /SourceCache/samba/samba-187.8/samba/source/smbd/reply.c:reply_special(335)
    netbios connect: local=10.10.1.102 remote=mymac, name type = 0
    [2009/04/22 13:25:30, 2, pid=42171] /SourceCache/samba/samba-187.8/samba/source/lib/module.c:dosmb_loadmodule(64)
    Module '/usr/lib/samba/auth/odsam.dylib' loaded
    Thanks!

  • Macbook pro with OS 10.6.4 cannot join Windows SBS 2008 .local domain

    Hi,
    I just had a Windows SBS 2008 installed and it controls a .local domain that all my Windows 7 PCs are connected to. I can access the internet wired/wirelessly but I cannot see any of the computers on the network at all, thus I cannot share files or share the printer which is connected to one of the local PCs.
    I have read many threads indicating possible fixes but no one has been able to give me a permanent solution. Is this inability to connect my Mac to the SBS 2008 local domain fixable from my Mac or is it to be resolved from the SBS 2008 side? Any help would be greatly appreciated.

    Greetings,
    Download the combo update (don't install it yet): http://support.apple.com/kb/DL1400
    SafeBoot your computer: http://support.apple.com/kb/HT1455
    While in SafeBoot install the combo update
    Restart the computer to come out of SafeBoot
    Try running software update again and see if it works.
    Hope that helps.

  • Cisco ACS 4.2.1 authentication problem

    We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the configuration of ACS on the Windows database and there is no problem, but we can't see dynamic users in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.

    Hi there,
    There is a section in ACS 4.x where you can define whether ACS should show the dynamic users or not; make sure that this option is unchecked. For this, go to External User Databases/Unknown User Policy/Configure Caching Unknown Users.
    Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
    Let me know if this helps.

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would be very appreciated if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACS SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
    2. FTP'd sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined the unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server, BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct.
    In Windows 2003 running Cisco ACS, you can install the test authentication RSA client, and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • Cisco ACS 5.4.0.46.6 - Cannot join to domain

    I am not able to join Cisco ACS to the domain. I get the error "wrong domain". Nslookup resolves the domain correctly. The ACS troubleshoot adcheck shows the below error:
    ADGC     : Check Global Catalog servers
                   : There is no GC in site "INGUA"
                   : It is recommended that a GC exist in each site.
    Checked with the AD team and they confirm that a GC does exist at this site. It is Windows 2008 R2. I am able to telnet to the required ports from the ACS console. Tried applying the latest patch. Tried re-imaging the ACS server. Still the issue remains. Any help appreciated.
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.3.063
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ZINGUA6001
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.4.0.46.6
    Internal Build ID : B.221
    Patches :
    5-4-0-46-6

    Hi Minakshi,
    I performed the update before your post and I tested without deregistering all servers.
    So far, all was good.
    I had no issue and the update took me very little time without following the full UPGRADE procedure.
    The command also had a rollback for the update, so I took the risk.
    This is certainly not the case for an upgrade, but an update seems to be easier.
    Kind regards.
    Steve

  • [Cisco ACS 5.2] Windows XP - EAP-TLS error

    Hi,
    We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
    We just replaced RADIATOR with Cisco ACS 5.2 .
    A few computers with Windows XP SP3 have this error: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Description:
    While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Resolution Steps:
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Most of the computers (hundreds of Windows XP and Windows 7) have no problem.
    ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".
    If it was a known issue, we would have this error for other computers, but we don't (fortunately).
    The wireless profile is sent to computers using GPO, so they trust the ACS server certificate...
    Do you know how to correct this issue on the XP supplicant? I don't find this issue on Google.
    Thanks for your help,
    Patrick

    Patrick,
    One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verify that.
    If that doesn't fix the issue then we will have to proceed to taking a Wireshark capture of the client and running a few debugs on the ACS.
    Thanks,
    Tarik Admani

  • Integrating windows AD with cisco ACS

    Hi all, I am looking for the requirements and any documents on setting up the ACS with Windows AD for user authentication.
    I am basically testing this.
    I have a Cisco switch, an ACS server 4.1, a Windows XP host and a Windows 2003 server.
    Can someone please tell me the procedure for this on the ACS and the AD?
    Any help would be appreciated.
    regards
    sushil

    Hi, thanks for the link.
    But can you tell me, when installing the ACS where it asks for selecting the database, ACS only or the Windows database, should we select the Windows database?
    So when we are configuring the ACS for 802.1x authentication and authorisation,
    we should create the users as in the AD, right? But the password for them should be redirected to the AD, right?
    Can you please guide me on this.
    regards
    sushil

  • Cisco ACS 4.1 Windows License Key Question

    How do I obtain the license key for my Cisco ACS Server for Windows software v4.1?

    For ACS for Windows, there is no license key. You need to purchase the ACS software.
    During installation, it does not ask for any key.
    Regards,
    ~JG
    Do rate helpful posts

  • Windows Update for Cisco ACS appliance

    Due to the recent security alert from Windows I wish to make sure my systems are updated, but the Cisco ACS appliance (Cisco 1113) runs a specialized version of Win2k with console access disabled. Is there any way to get the Windows critical security updates, and do I need to?

    If the patch is necessary on the ACS appliance then they will be releasing it soon.
    As of now we can't apply any Windows patch on the appliance.

  • Unable to generate reports in Cisco ACS 4.2

    Hi All,
    I have configured AAA on the firewall and I am successfully able to log in to it using the ACS username and password, but I am unable to generate Accounting and Administration logs. Whenever I check either of these logs it shows me a blank page. Below is the AAA config on the firewall.
    I have installed Cisco ACS 4.2 on Windows 2003 Server.
          aaa-server test protocol tacacs+
          aaa-server test (inside) host X.X.X.X
            key **********
          no aaa authentication http console AAA LOCAL
          aaa authentication http console test LOCAL
          no aaa authentication ssh console AAA LOCAL
          aaa authentication ssh console test LOCAL
          aaa authentication telnet console test LOCAL
          aaa authentication enable console test LOCAL
          aaa accounting enable console test
          aaa accounting ssh console test
          aaa accounting telnet console test   
          aaa accounting command test
    Awaiting a solution.
    Thanks in advance.
    Regards,
    Amit.

    I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered to be hosed, and I had to build up the user/password database again.
    Look in your console log. If you see something like:
    Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
    it means that the postgresql database that is started for collecting this information cannot start up. It will try several times, and then fail. The way to fix this:
    - Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
    - increase the memory settings for the complete system. In Leopard you do that by creating a file called /etc/sysctl.conf
    and adding something like this:
    kern.sysv.shmmax=167772160
    kern.sysv.shmmin=1
    kern.sysv.shmmni=32
    kern.sysv.shmseg=8
    kern.sysv.shmall=65536
    See also:
    http://forum.servoy.com/viewtopic.php?p=47461

  • Cisco Secure Access Control Server for Windows 3.0

    I have to rebuild a server using Cisco Secure Access Control Server for Windows 3.0 ... I cannot locate this software under "Download Software" on cisco.com.
    Where can I download a copy of Cisco Secure Access Control Server for Windows 3.0?

    Hi,
    You cannot download the ACS for Windows or Solution Engine software from the cisco.com download pages, as this software is not available there. You can only download patches and the remote agent software.
    In order to get any ACS software/upgrade assistance you need to open a TAC case.
    Also, ACS 3.0 is not supported by Cisco anymore; getting support for this version or any 3.x is not possible.
    HTH
    Regards,
    JK

  • Cisco ACS 4.2 and Radius authentication?

    Hi,
    I have a Cisco ACS 4.2 installed and am using it to authenticate users that log on to switches using TACACS+. When I use the local password database, everything is working. But if I try to use external database authentication using a Windows 2008 RADIUS server, I have the problem that I can only use PAP, not CHAP. Does anyone know if it's possible to use CHAP with external RADIUS authentication?

    To access network devices for administrative purposes, we have only three methods available:
    [1] Telnet: Which uses the PAP authentication protocol between the client and the NAS device. So the communication between client and NAS is unencrypted, and when this information flows from the NAS to the IAS server it gets encrypted using the shared secret key configured on the device/IAS server.
    [2] SSH: Which uses public-key cryptography for encrypting information between the client and the NAS device, i.e. information sent between client and NAS is fully secure. And the communication between NAS and IAS is encrypted using the shared secret, same as above. The good point on the SSH side is that the communication channel is secure all the time. Again, the authentication type would remain the same, that is PAP.
    [3] Console: Which is also the same; it will not allow you to use MSCHAP, as there is no need to secure it because your laptop is connected directly to the NAS, and then if you are using TACACS it will encrypt the payload.
    Summarizing, we cannot use CHAP, MS-CHAP or MS-CHAP v2 for communication between the client and the NAS device for administrative access.
    And the most secure way to administer a device is to use SSH.
    Rgds, Jatin
    Do rate helpful post~

  • How does the ACS 4.1 appliance join a domain?

    Hi all!
    I'm doing ACS 4.1 for the first time, and I have a problem: how does the ACS 4.1 appliance join a domain?
    My lab with ACS 4.1 on Windows Server 2003 is OK, but when working with the ACS 4.1 appliance, I don't know how to join the domain for this appliance, so I can't use the Windows database.
    I want to set up the Windows database but have not been successful.
    Please help me!
    Thanks very much.

    Hi,
    Use ACS appliance remote agent:
    ACS SE remote agent installation guide:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp41/rase41/index.htm
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/remote_agent/ra.html
    ACS SE RA:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/LgsRpts.html#wp638135

  • New 2012 R2 domain - xp clients cannot join or print

    I just migrated a 2003 domain to 2012 R2. Things were working OK and then XP clients became AD stupid.
    Steps I took:
    Added a VM 2012 R2 DC to the domain. Server had DNS installed. Ran dcdiag and BPA and resolved any issues.
    About a week later I moved all roles over to the VM DC.
    Tore down one of the 2003 DCs (not VM) and rebuilt it as a 2012 R2 DC w/DNS. Ran dcdiag and BPA and resolved any issues. Had problems with DNS scavenging removing some static records. Re-added records and made sure "Delete record when it becomes stale" was unchecked on all static records (all fwd and rev zones).
    Moved all roles from the VM DC to the hardware DC.
    After a week I tore down the 2nd (and last) 2003 DC (not VM) and rebuilt it as a 2012 R2 DC w/DNS. Ran dcdiag/BPA and fixed any issues. Also ran it on the other DCs.
    Removed the VM 2012 R2 DC from the domain (demote, remove features, remove from domain, power off, delete VM).
    Everything seems to be working fine. dcdiags look clean, event logs seem good.
    Bumped forest/domain to 2012 R2 native.
    Then, a few days later, it goes bad. I (after hours) install all accumulated updates on both DCs. Reboot both.
    Next AM a user calls. Her thin client cannot connect to the terminal services server. DNS had deleted its DNS record, even though "delete when stale" was unchecked. :| So I re-add the static record and turn off scavenging.
    Problem solved.
    Next call is from an XP user (we have XP, Win 7, and thin clients). She cannot print. Printers show "cannot connect". Try various things to no avail. Check Win 7 boxes and they're working fine and printers are connected.
    Note that the XP and Win 7 boxes all pull their DHCP address from the same DHCP server/scope.
    Review error logs and run dcdiag. There are several somewhat esoteric errors. After several hours of tail chasing I decide to take a more scorched-earth tack. I demote the 2nd DC and remove AD and DNS from it. After demotion and role removal I check AD and it still shows the DC. I remove the now-just-a-server from the domain. Clean up DNS and AD removing all traces. This takes a while as I have to run various scripts (thank you Google) to ensure AD is clean.
    Run dcdiag and resolve issues. Even a detailed dcdiag comes out clean. Replication tests show the old server is now forgotten.
    Check XP boxes and they still show printers as "cannot connect".
    Remove an XP PC from the domain. Try to rejoin and I get an error. Rename it and still get the error. I can ping, nslookup, etc. and they return the correct IP.
    I've tried the simple "change the join a domain" in system properties. That gives a somewhat nondescript error. The network identification wizard seemed to find the domain but didn't work. As it was trying to find the PC in AD, I went ahead and added it via the AD Users and Computers console. Run the wizard and it tells me it found the record in AD. It then says "a domain controller for the domain [ourdomain] could not be contacted." !? Yet on the prior screen it told me it had found the record for the PC on the DC.
    nslookup for ourdomain.local as well as dcname.ourdomain.local resolve correctly. Tried changing the PC to static - no change. Rename the old Win 2012 R2 DC (now just a server outside the domain), reboot, and then try to rejoin the domain.
    Works flawlessly.
    BTW - We're running TCP/IP without NetBIOS over TCP/IP.
    So basically my XP boxes cannot use AD printers and cannot join the domain. IDK if they're picking up GP updates (I'll check in the AM), but I suspect they're not.
    Short of buying a truckload of Win 7 licenses and reloading OSs, what can I do to fix this?
    Details on the XP box error (FYI - I did a record-to-record comparison to a Windows 2008 domain's SRV records and they look identical (except, of course, the domain and server names)):
    The domain name [ourdomain] might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
    If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain [ourdomain]:
    The error was: "DNS name does not exist."
    (error code 0x0000232B RCODE_NAME_ERROR)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.[ourdomain]
    Common causes of this error include the following:
    - The DNS SRV record is not registered in DNS.
    - One or more of the following zones do not include delegation to its child zone:
    [ourdomain]
    . (the root zone)
    For information about correcting this problem, click Help.
    dcdiag /test:dns results
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = Domctl1
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\DOMCTL1
          Starting test: Connectivity
             ......................... DOMCTL1 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\DOMCTL1
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... DOMCTL1 passed test DNS
       Running partition tests on : DomainDnsZones
       Running partition tests on : ForestDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : [ourdomain]
       Running enterprise tests on : [ourdomain].local
          Starting test: DNS
             Test results for domain controllers:
                DC: Domctl1.[ourdomain].local
                Domain: [ourdomain].local
                   TEST: Dynamic update (Dyn)
                      Warning: Failed to delete the test record dcdiag-test-record in zone [ourdomain].local
                   Domctl1                      PASS PASS PASS PASS WARN PASS n/a
             ......................... [ourdomain].local passed test DNS

    I see the following errors:
    "TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint."
    Please read that: http://social.technet.microsoft.com/Forums/windowsserver/en-US/d770e9fd-53a2-4ae9-99b3-2754c4564592/tcpip-connection-issue-on-windows-server-2008-sp2?forum=winserverPN
    "DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID      b70 (C:\Windows\system32\dcdiag.exe)."
    As you can see, it is pointing to 8.8.8.8. You need to make sure that public DNS servers are configured as forwarders and not in the IP settings of your DCs. Better if you could use your ISP DNS servers as public ones instead of 8.8.8.8.
    Please read this Wiki article for recommendations about IP settings: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    "TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone [ourdomain].local
                      Warning: Failed to delete the test record dcdiag-test-record in zone [ourdomain].local
                      [Error details: 9505 (Type: Win32 - Description: Unsecured DNS packet.)]"
    Here, you need to make sure that only secure DNS updates are allowed if you would like to secure dynamic updates. This is detailed here: http://social.technet.microsoft.com/wiki/contents/articles/21984.how-to-secure-dns-updates-on-microsoft-dns-servers.aspx
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
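As an added example (not code from this thread, from Cisco or from Microsoft), the following PowerShell script checks, from a domain controller, the three conditions the answer above calls out: that the `_ldap._tcp.dc._msdcs.<domain>` SRV record resolves and the DCs it names answer on the LDAP port, that no public resolver such as 8.8.8.8 sits in the DC's NIC DNS settings while forwarders are configured on the DNS server, and that the domain zone accepts only secure dynamic updates. The domain name defaulting to the computer's domain, the list of "public" resolvers and the presence of the DnsClient/DnsServer modules are assumptions for the example.

```powershell
# Added example for this thread: verify the DNS conditions discussed above.
# Run in an elevated PowerShell on a domain controller (Windows Server 2012+).
# $Domain and $PublicResolvers are assumed defaults, adjust for your environment.
param(
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain,
    [string[]]$PublicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1')
)

$issues = @()

# 1. The SRV record that the Netlogon error reported as missing.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        $issues += "No SRV answers for $srvName"
    } else {
        foreach ($record in $srv) {
            # Every DC listed in the SRV record should accept TCP connections on its LDAP port;
            # the ACS adjoin log shows failures when port 389 on a DC cannot be reached.
            $tcp = Test-NetConnection -ComputerName $record.NameTarget -Port $record.Port `
                                      -WarningAction SilentlyContinue
            if (-not $tcp.TcpTestSucceeded) {
                $issues += "DC $($record.NameTarget):$($record.Port) from $srvName is not reachable"
            }
        }
    }
} catch {
    $issues += "SRV lookup for $srvName failed: $($_.Exception.Message)"
}

# 2. Public resolvers belong in the DNS server's forwarder list, not in the DC's NIC settings.
$nicDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses } |
          Select-Object -ExpandProperty ServerAddresses
$publicOnNic = $nicDns | Where-Object { $PublicResolvers -contains $_ }
if ($publicOnNic) {
    $issues += "Public resolver(s) configured on a NIC: $($publicOnNic -join ', ')"
}

# The forwarder and zone checks need the DNS Server role (DnsServer module) on this host.
if (Get-Module -ListAvailable -Name DnsServer) {
    $forwarders = (Get-DnsServerForwarder).IPAddress | ForEach-Object { "$_" }
    if (-not $forwarders) {
        $issues += "No DNS forwarders configured on this DNS server"
    }

    # 3. Only secure dynamic updates, which addresses the dcdiag 'Unsecured DNS packet' warning.
    $zone = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
    if (-not $zone) {
        $issues += "Zone $Domain is not hosted on this DNS server"
    } elseif ($zone.DynamicUpdate -ne 'Secure') {
        $issues += "Zone $Domain has DynamicUpdate='$($zone.DynamicUpdate)'; expected 'Secure'"
    }
} else {
    Write-Verbose "DnsServer module not present; skipping forwarder and zone checks"
}

if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No DNS issues found for $Domain"
}
```

The script only reads configuration; fixing a finding is still a deliberate change (moving the public resolver into `Set-DnsServerForwarder`, pointing the NIC at the DC's own address or a partner DC, and setting the zone to `-DynamicUpdate Secure`) that should be made after reviewing the warnings it prints.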