I've got a domain running server 2003 and currently two domain controllers, When one of them reboots, both show errors in the logs and some connectivity is lost on the network. This is a doozy so let me give you a backstory.
We took over for an IT person who had 3 Windows 2000 and 2 windows 2003 computers on a domain all acting as domain controllers. At this point in time I've removed all domain controllers and DNS servers except for the following: sss02 (DC, GC, all roles) SSS03 (DC) TMFAX(DNS only, not a DC) Because of how the network was setup we left TMFAX a DNS server, but it just forwards everything to SSS02. The domain is Windows server 2003 fuctional level, and the Forest is Server 2003 fuctional level as well. DNS on SSS03 is setup to point to sss02 and then itself, and DNS on sss02 is setup to point to sss03 and then itself. Both SSS03 and SSS02 forward to the ISP for anything they can't answer.
The problems are sparadic and sometimes seem to be gone, only to creep back again. These are a few of the problems- Sometimes users cannot authenticate when SSS02 is rebooting, When either DC reboots they complain that they cannot find AD, There are DNS and Replication warning and errors in the logs quite often. Recently while trying to install virtual server 2005 on SSS02 I got the following message:
"An error has occured during the creation of Service Connection points for Virtual Server in Active Directory. Either a domain controller is not available to complete the operation or there is a security problem accessing the domain. This operation will be retried the next time the service starts. Error 0x80070005 - Access is denied. "
DNS errors are to the tune of :
"DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it. "
"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."
"The DNS server was unable to complete directory service enumeration of zone southstream.com. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error."
Directory Service Errors to the tune of:
"Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source domain controller:
SSS03
Failing DNS host name:
6c77ba58-0246-40e5-9afa-f1
857b00f2eb
._msdcs.so
uthstream.
com
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all "
"Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
Alternate server name:
SSS03
Failing DNS host name:
6c77ba58-0246-40e5-9afa-f1
857b00f2eb
._msdcs.so
uthstream.
com
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControl
Set\Servic
es\NTDS\Di
agnostics\
22 DS RPC Client
User Action:
1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on
http://www.microsoft.com/dns dcdiag /test:dns
4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449 Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found. "
The netdig and dcdiag reports come back Passed on everything but the system log on both DCs, DNS seems to be setup properly and all the records appear to be correct. I'm at a loss as to why these guys are not playing nice with each other, any ideas guys?
Thanks,
Sean
