Solved

2nd DC doesn't sync with PDC (DNS failure..)

Posted on 2003-11-27
Last Modified: 2012-08-13
When trying to initialise an Active Directory synchronisation from my 2nd server
(via Active Directory Replication Manager) to the PDC I get the following error:

"The DSA Operation Is Unable to Proceed Because of a DNS Lookup Failure" Error

If you think now "hehe, that's easy, you only need to set up the IP / DNS name correctly", then do not read on... ;-)

Both servers have 2 IPs:
PDC:    aserver 192.168.0.1, 192.168.0.2
2nd DC: bserver 192.168.0.3, 192.168.0.4
NetBIOS over TCP/IP is activated on all 4 interfaces.

On both servers DNS client & server is running.
I can ping all 4 IPs from both servers.
Name resolution works from both servers ( ping aserver -> OK, ping aserver.domain.dnsname.com -> OK)
reverse name resolution works for both servers ( ping -a 192.168.0.1 -> trying [aserver.domain.dnsname.com] -> OK )

In short: DNS works great, except:

In the event viewer for DNS I get the following error:
*** start
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6702
Date: 7/23/2003
Time: 10:13:08 PM
User: N/A
Computer: LAUJ
Description:
DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

If this DNS server does not have any DS-integrated peers, then this error
should be ignored.

If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.
*** End of error message

The DNS log for startup doesn't show anything unusual.

Using Active Directory Replication Monitor I'm able to see the replication partners, I'm even able to "Check current USN and unreplicated Objects".
It shows a list of things that have to be updated, but when trying to "Synchronize with this replication partner" I get the first error message..

Please help, I'm on the verge of going crazy...

I even tried to manually set up a KCC link using repadmin, but still always the same plain errors...

Any help would be appreciated.

thanks Andreas

Question by: andare

15 Comments
LVL 49

Expert Comment

by:sunray_2003
ID: 9832669
Dear andare,

Have you checked this ?

Active Directory replication fails when a DNS lookup is NOT successful
http://www.jsiinc.com/SUBM/tip6100/rh6117.htm

Thanks,
Sunray

Author Comment

by:andare
ID: 9832846
No, ping works without errors... thanks anyway.

Even: repadmin /showconn
      repadmin /bind
      repadmin /showsig
      repadmin /showreps    all work as expected (list the replication partner and so on...)

Also: nltest /dclist:domain -> shows the 2nd server and the PDC marked as such...

Only repadmin /sync or
     repadmin /syncall (parameters omitted) cause an error message:
** start
C:\WINNT>repadmin /syncall mserver
CALLBACK MESSAGE: Win32 error 1722 contacting server (network error):
    a131528f-d9f3-4dc1-8a00-21edd53fe574._msdcs.studio.xx.com
CALLBACK MESSAGE: Win32 error 1722 contacting server (network error):
    b81ab811-855e-4eeb-bef9-2b72bc9f839a._msdcs.studio.xx.com
 
SyncAll exited with fatal Win32 error 8440:
    Can't retrieve message string 8440 (0x20f8), error 1815.
*** end of errmessage

It seems that the process tries to reach the servers not via GUID._msdcs.domain.com

Any information on that??

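The two checks that matter here, the ones event 6702 in the question describes by hand (look at the partner's A records on each replication partner's DNS server and delete stale ones) and the one the repadmin output above hints at (the DSA is reached through GUID._msdcs.<forest>, not through the plain host name), can be scripted. The following is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2012 or later for Resolve-DnsName and Test-NetConnection, and the GUIDs, zone and addresses in its parameters are placeholders copied from the posts above, not a real environment.

```powershell
# Added example, not part of the original thread: verify the DNS records that AD
# replication actually depends on for each replication partner, then check that
# the address they point at answers RPC. Run it once per partner DNS server.
param(
    # Forest root zone that holds the _msdcs subdomain (placeholder from the repadmin output above)
    [string]$ForestRoot = 'studio.xx.com',
    # DSA object GUIDs of the partners, as printed in the 1722 messages / repadmin /showrepl
    [string[]]$DsaGuids = @('a131528f-d9f3-4dc1-8a00-21edd53fe574',
                            'b81ab811-855e-4eeb-bef9-2b72bc9f839a'),
    # DNS server to query; event 6702 step 2 says to repeat this on each partner's DNS server
    [string]$DnsServer = '192.168.0.1',
    # Addresses each partner really has, so stale A records (6702 step 4) can be spotted.
    # Placeholder host names/addresses built from the question; adjust to your forest.
    [hashtable]$ExpectedAddresses = @{
        'aserver.studio.xx.com' = @('192.168.0.1', '192.168.0.2')
        'bserver.studio.xx.com' = @('192.168.0.3', '192.168.0.4')
    }
)

function Test-ReplicationPartnerDns {
    param([string]$Guid)

    $cname  = "$Guid._msdcs.$ForestRoot"
    $result = [ordered]@{ Guid = $Guid; Cname = $cname; HostName = $null; Addresses = @()
                          StaleAddresses = @(); RpcReachable = $false; Problem = $null }

    # 1. The DSA GUID must resolve to a CNAME naming the partner. repadmin and the DSA
    #    use this record, not the host name, so a working "ping aserver" proves nothing.
    $cn = Resolve-DnsName -Name $cname -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object QueryType -eq 'CNAME'
    if (-not $cn) { $result.Problem = "no CNAME for $cname on $DnsServer"; return [pscustomobject]$result }
    $result.HostName = $cn.NameHost

    # 2. The host name must resolve to at least one A record on this DNS server.
    $a = Resolve-DnsName -Name $result.HostName -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object QueryType -eq 'A'
    if (-not $a) { $result.Problem = "no A record for $($result.HostName) on $DnsServer"; return [pscustomobject]$result }
    $result.Addresses = @($a.IPAddress)

    # 3. Every A record must belong to the partner; the extra ones are what 6702 tells you to delete.
    $expected = $ExpectedAddresses[$result.HostName]
    if ($expected) {
        $result.StaleAddresses = @($result.Addresses | Where-Object { $_ -notin $expected })
    }

    # 4. Win32 error 1722 (RPC_S_SERVER_UNAVAILABLE) means the endpoint mapper was not
    #    reachable, so probe TCP 135 on the addresses DNS handed back.
    $result.RpcReachable = [bool]($result.Addresses | Where-Object {
        Test-NetConnection -ComputerName $_ -Port 135 -WarningAction SilentlyContinue -InformationLevel Quiet
    })
    if (-not $result.RpcReachable)    { $result.Problem = 'TCP 135 unreachable on every A record' }
    elseif ($result.StaleAddresses)   { $result.Problem = "stale A record(s): $($result.StaleAddresses -join ', ')" }

    [pscustomobject]$result
}

$DsaGuids | ForEach-Object { Test-ReplicationPartnerDns -Guid $_ } |
    Format-List Guid, HostName, Addresses, StaleAddresses, RpcReachable, Problem
```

A partner that passes step 1 and 2 but fails step 4 is a firewall or RPC problem, not DNS, even though the DSA reports it as a DNS lookup failure; a partner with stale addresses listed is the case the last comment in this thread (deleting unnecessary resource records) ended up fixing.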

Expert Comment

by:Tomilou
ID: 9833028
Hi there,

I suppose you already had a look at http://support.microsoft.com/?kbid=263624 ?

Regards

Author Comment

by:andare
ID: 9836447
No, I haven't read this, but:

I tried to configure the 2nd server to use its own IP for primary DNS first, then the IP of the PDC -> didn't work. And I tried to use the IP of the PDC first, and its own IP second -> didn't work.

On both DNS servers, zone transfers to each other are allowed.

In the article it says SRV records must be allowed. I don't know about this feature, but I'm using 2 Win2000 DNS clients and servers, so this shouldn't be the problem...

BTW, can I add static SRV records? Then I would try to make a GUID._msdcs.domain.com entry (the "NOT" was a typo in my former posting... :-(

thx

Expert Comment

by:Tomilou
ID: 9838496
I don't know this error, but are you sure the DNS is set up correctly?
Knowing that AD is so "nested" with/in DNS, if you get the message "The DSA Operation Is Unable to Proceed Because of a DNS Lookup Failure", there must be a link somewhere to DNS.

If you have 2 servers running DNS, I would configure them as follows:

DC1: forward lookup: master zone for domainname.com
DC1: reverse lookup: master zone for the IP range

DC2: forward lookup: secondary zone for domainname.com
DC2: reverse lookup: secondary zone for the IP range

SRV records are supported by W2K, so you're fine, but you need to make sure that for the forward lookup zone (at least) the "Allow Dynamic Update" option is checked.

Author Comment

by:andare
ID: 9849628
Replication attempt 499 was successful. I don't know why....

I changed the domain controller from the 2nd server to the PDC and back (to itself), and took over a master role for bserver. This was just for testing whether the second server is able to find the PDC. (This was Friday; since then I didn't change anything.)

Thanks for all posters that tried to help me.

Andreas

LVL 1

Expert Comment

by:NetwerkMerc
ID: 9850126
Hey Andreas... the fact that it just stopped and then magically started working sounds like services are starting in the wrong order. On all DCs I use this startup order ALWAYS.

<service name> -> <service name>, where "->" means "dependent upon":
DNScache -> DNS
WINS -> DNS
lanmanworkstation -> DNS
lanmanserver -> DNS
browser -> netlogon
netlogon -> lanmanserver (or lanmanworkstation; basically all name resolution services need to be running before netlogon, except browser)

Providing DDNS is correctly configured and enabled, netlogon should update its netlogon.dns file and dynamically update DNS; again, DDNS needs to be configured right.
Just to be sure, clear the cache, ipconfig /flushdns, restart DNS (all above services will restart in order)
ipconfig /registerdns
nbtstat -RR
netdiag /f
dcdiag /f
You may need to fix group policy, as incorrect GP design can make a whole lot of nothing happen when things are supposed to:
dcgpofix /both

Make sure in networking ID that the connection's DNS suffix is the domain name. I have seen where dcpromo doesn't update that (I now hard-set the IP beforehand) and it causes a mess that is hard to isolate.

-Eric
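Rather than assuming the service start order and suffix settings the comment above describes, a practitioner would read them off the DC. The script below is an added example, not from the thread or from the poster; it assumes Windows Server 2012 or later (Get-DnsClient, Get-CimInstance) and uses the short service names sc.exe uses. "Browser" no longer exists on current releases and is simply reported as not installed.

```powershell
# Added example, not part of the original thread: show the start dependencies of the
# services named in the comment above, and check that the primary DNS suffix (which is
# where netlogon registers the records from netlogon.dns) matches the AD domain.
$services = 'Dnscache', 'DNS', 'LanmanWorkstation', 'LanmanServer', 'Netlogon', 'Browser'

function Get-DcServiceDependencies {
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Status = 'not installed'; DependsOn = '' }
            continue
        }
        [pscustomobject]@{
            Service   = $svc.Name
            Status    = $svc.Status
            # ServicesDependedOn = the services that must be running before this one starts
            DependsOn = ($svc.ServicesDependedOn | ForEach-Object Name) -join ', '
        }
    }
}

function Test-DcDnsSuffix {
    # The primary DNS suffix (System Properties > Computer Name > More...) is stored here.
    $tcpip    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $adDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    [pscustomobject]@{
        PrimaryDnsSuffix = $tcpip.Domain
        AdDomain         = $adDomain
        # A mismatch means the SRV records land in the wrong zone (or nowhere), which is the
        # dcpromo mess the comment describes.
        Matches          = ($tcpip.Domain -eq $adDomain)
        PerInterface     = Get-DnsClient |
                           Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress
    }
}

Get-DcServiceDependencies | Format-Table -AutoSize
$suffix = Test-DcDnsSuffix
$suffix | Format-List PrimaryDnsSuffix, AdDomain, Matches
$suffix.PerInterface | Format-Table -AutoSize

# If you do decide to pin the order as suggested above: "sc.exe config ... depend=" REPLACES
# the whole dependency list, so copy the existing entries from "sc.exe qc Netlogon" first, e.g.
#   sc.exe config Netlogon depend= LanmanWorkstation/LanmanServer
```

The inspection part is safe to run on any DC; the sc.exe line is left as a comment on purpose, since a dependency loop between Netlogon, DNS and the directory service can leave a DC unable to start either.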
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9894417
Did any of this help?  

Feedback is a good thing.


-Eric

Author Comment

by:andare
ID: 9902897
Hi,

I think that changing the "Infrastrukturmaster" (infrastructure master) to the second server was the thing. After changing that I read that this master role should not be on the same server as the "global catalog".

However, the error message is totally misleading, as it has not much to do with DNS.....
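The placement question in the comment above can be checked instead of guessed. The following is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later) and Domain Admins rights for the optional role move. The caveat a practitioner wants here: an infrastructure master on a global catalog is only a problem when some DCs in the domain are not GCs; if every DC is a GC (the usual single-domain case), the placement is harmless.

```powershell
# Added example, not part of the original thread: report which DC holds the infrastructure
# master role, whether that DC is also a global catalog, and whether that actually matters.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom   = Get-ADDomain -Identity $Domain
    # Enumerate every DC of the domain by asking the PDC emulator, which always knows the full set.
    $dcs   = Get-ADDomainController -Filter * -Server $dom.PDCEmulator
    $im    = $dcs | Where-Object HostName -eq $dom.InfrastructureMaster
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        InfrastructureMaster = $dom.InfrastructureMaster
        PdcEmulator          = $dom.PDCEmulator
        MasterIsGc           = [bool]$im.IsGlobalCatalog
        DcsWithoutGc         = @($nonGc.HostName)
        # The role holder compares its cross-domain references against a GC. If it IS a GC it
        # never sees a stale reference, so it never updates the non-GC DCs: only then is it misplaced.
        Misplaced            = ([bool]$im.IsGlobalCatalog -and $nonGc.Count -gt 0)
    }
}

$report = Test-InfrastructureMasterPlacement
$report | Format-List
if ($report.Misplaced) {
    # Move the role to a DC that is not a GC (requires Domain Admins; prints the command instead of running it).
    $target = $report.DcsWithoutGc | Select-Object -First 1
    "Suggested fix: Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole InfrastructureMaster"
}
```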
LVL 1

Expert Comment

by:NetwerkMerc
ID: 10046446
Another possibility is that the system tombstoned the object for the other DC. Sysinternals has a tool to restore those objects. May be worth a shot before the "quadruple bypass".

http://www.sysinternals.com/ntw2k/source/misc.shtml#adrestore

-Eric
LVL 1

Expert Comment

by:NetwerkMerc
ID: 10067345
no problems here

Accepted Solution

by:
SpazMODic earned 0 total points
ID: 10087886
PAQed, with points refunded (500)

SpazMODic
EE Moderator

Expert Comment

by:ANIRBANKAR
ID: 28713108
Good solution. I had 2 DCs (1 W2K3 and 1 W2K8). During syncall it was giving an error, which was due to unnecessary DNS entries. After deleting those resource records, I was able to run this syncall command successfully.

Thank you.