Solved

The DSA operation is unable to proceed because of a DNS lookup failure.

Posted on 2004-09-07
Last Modified: 2008-01-09
We have a Win2k Domain with 3 sites.  Each site has a DC that acts as an inter-site replication partner.  Replication had been working with both intersite and intrasite replication partners. Recently we started to have intersite replication problems that I am not sure how to resolve.  Here are some of the event errors we are receiving:

------------------------------------------------------------------------------------------

Event Type:      Error
Event Source:      NTDS KCC
Event Category:      (1)
Event ID:      1311
Date:            9/4/2004
Time:            6:51:05 AM
User:            N/A
Computer:      DC-DS1
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active Directory
Sites and Services Manager to create a spanning tree connecting all the sites
containing the Partition CN=Configuration,DC=altarum,DC=pri, or (b)
replication cannot be performed with one or more critical servers in order
for changes to propagate across all sites (most often due to the servers
being unreachable).  

For (a), please use the Active Directory Sites and Services Manager to do
one of the following:
1. Publish sufficient site connectivity information such that the system can
infer a route by which this Partition can reach this site.  This option is
preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=altarum,DC=pri in this site from a Domain
Controller that contains the same Partition in another site.  

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted.

----------------------------------------------------------------------------------------------

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      (1)
Event ID:      1265
Date:            9/4/2004
Time:            6:51:05 AM
User:            N/A
Computer:      DC-DS1
Description:
The attempt to establish a replication link with parameters
 
 Partition: DC=altarum,DC=pri
 Source DSA DN: CN=NTDS Settings,CN=AA-DS3,CN=Servers,CN=AnnArbor,CN=Sites,CN=Configuration,DC=altarum,DC=pri
 Source DSA Address: 48b860a6-2891-4d95-a2ae-83f13bceb6fb._msdcs.altarum.pri
 Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=altarum,DC=pri
 
 failed with the following status:
 
 The DSA operation is unable to proceed because of a DNS lookup failure.
 
 The record data is the status code.  This operation will be retried.
Data:
0000: 4c 21 00 00               L!..    

---------------------------------------------------------------------------------------



In running netdiag /v on the servers:
---------------------------------------------------------------------------------
TX-DC1:
Testing trust relationships... Failed
PASS - All the DNS entries for DC are registered on DNS server
'204.106.25.15'.
Trust relationship test. . . . . . : Failed
    Test to ensure DomainSid of domain 'ALTARUM' is correct.
    Secure channel for domain 'ALTARUM' is to '\\aa-ds1.altarum.pri'.
    [FATAL] Cannot set secure channel for domain 'ALTARUM' to PDC emulator.
[ERROR_NO_LOGON_SERVERS]
    Find PDC emulator in domain 'ALTARUM':
        [WARNING] Cannot find PDC emulator in domain 'ALTARUM'.
[ERROR_NO_SUCH_DOMAIN]

DC-DS1:
Testing trust relationships... Failed
PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1'.
Trust relationship test. . . . . . : Failed
    Test to ensure DomainSid of domain 'ALTARUM' is correct.
    Secure channel for domain 'ALTARUM' is to '\\aa-ds1.altarum.pri'.
    [FATAL] Cannot set secure channel for domain 'ALTARUM' to PDC emulator.
[ERROR_NO_LOGON_SERVERS]
    Find PDC emulator in domain 'ALTARUM':
        [WARNING] Cannot find PDC emulator in domain 'ALTARUM'.
[ERROR_NO_SUCH_DOMAIN]

AA-DS2:
Testing trust relationships... Passed
PASS - All the DNS entries for DC are registered on DNS server '198.108.7.9'
and other DCs also have some of the names registered.
Trust relationship test. . . . . . : Passed
    Test to ensure DomainSid of domain 'ALTARUM' is correct.
    Secure channel for domain 'ALTARUM' is to '\\aa-ds1.altarum.pri'.
    Secure channel for domain 'ALTARUM' was successfully set to PDC emulator
'\\aa-ds1.altarum.pri'.
Find PDC emulator in domain 'ALTARUM':
    Found this PDC emulator in domain 'ALTARUM':
        DC. . . . . . . . . . . : \\aa-ds1.altarum.pri
        Address . . . . . . . . : \\198.108.7.9
        Domain Guid . . . . . . : {2F33C2A8-5E95-493A-A035-1C095E3167EA}
        Domain Name . . . . . . : altarum.pri
        Forest Name . . . . . . : altarum.pri
        DC Site Name. . . . . . : AnnArbor
        Our Site Name . . . . . : AnnArbor
        Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE
DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
------------------------------------------------------------------------------------------------


I have verified that all pertinent DNS records are present on all DNS servers.  I have also run ipconfig /flushdns and /registerdns to be sure.  Replication between sites is still down and I'm at a loss as to what to try next.  I have considered deleting all sites from AD Sites and Services and setting them up again to see if this gets replication going, but I wasn't sure if there might be a better approach to take.  I need to get intersite replication up and running as quickly as possible.

Any help you can give would be greatly appreciated!
Question by:Altarum
5 Comments
 
LVL 15

Assisted Solution

by:Yan_west
Yan_west earned 350 total points
ID: 11996470
Q307593 provides an approach in troubleshooting Event ID 1311 Messages on a Windows 2000 Domain

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307593
0
 
LVL 15

Assisted Solution

by:Yan_west
Yan_west earned 350 total points
ID: 11996483
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 150 total points
ID: 11996739
Here is a KB on using the Repadmin.exe. This is the Replication Administrator tool. It can be very helpful. As it suggests at the bottom, using the tool to determine the last time each server updated can usually point you to the root of a problem.

J


http://support.microsoft.com/?kbid=229896
0
 

Author Comment

by:Altarum
ID: 11999097
Thanks for the quick responses!  I'm splitting the points between you all because all suggestions were required for me to come up with the answer.  In order to resolve this, I ran repadmin /showreps and ran dcdiag /test:intersite /e /q.  It then came to me that what I've been seeing in a lot of my tests is that there were missing _msdcs guids.  The solution was found on the eventid.net site Yan recommended.

In the end, I remoted into all intersite replication partner DCs and recreated the _msdcs guid CNAME records for all DCs.  Upon doing this, replication kicked right in.

After resolving this, I have a healthy suspicion as to where our replicating problems started and was wondering if you might have some ideas as to why this happened.  Last week we were testing out some config changes and had tested enabling scavenging of stale resource records.  Would this have for some reason viewed these CNAME records as stale and removed them?

Thanks,
Michelle
0
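The check behind the fix described above, as an added example that is not part of the original thread: for every DC it builds the `<DSA GUID>._msdcs.<forest>` alias seen in the event 1265 "Source DSA Address" field and asks each listed DNS server whether the CNAME exists and points at that DC. It assumes the ActiveDirectory and DnsClient PowerShell modules (newer than the Windows 2000 DCs in the thread); the function name `Test-DsaGuidCname` and the server addresses are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and DnsClient
# modules are available on the machine running the check.
Import-Module ActiveDirectory

function Test-DsaGuidCname {
    param(
        # DNS servers the replication partners actually query (one per site, for example)
        [Parameter(Mandatory)] [string[]] $DnsServer
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Replication locates a partner by the objectGUID of its NTDS Settings object.
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $alias   = '{0}._msdcs.{1}' -f $dsaGuid, $dc.Forest

        foreach ($server in $DnsServer) {
            $target = $null
            try {
                $rr = Resolve-DnsName -Name $alias -Type CNAME -Server $server `
                                      -DnsOnly -ErrorAction Stop
                $target = ($rr | Where-Object { $_.Type -eq 'CNAME' } |
                           Select-Object -First 1).NameHost
            } catch {
                # Name not found or server unreachable: $target stays empty,
                # so the row is reported as unhealthy.
            }
            [pscustomobject]@{
                DC        = $dc.HostName
                Site      = $dc.Site
                DnsServer = $server
                Alias     = $alias
                Target    = $target
                Healthy   = [bool]($target -and $target.TrimEnd('.') -eq $dc.HostName)
            }
        }
    }
}

# Placeholder addresses. Rows listed here are the aliases a partner cannot resolve.
Test-DsaGuidCname -DnsServer '192.0.2.10', '192.0.2.20' |
    Where-Object { -not $_.Healthy } |
    Format-Table -AutoSize
```

Running it against the DNS server of every site matters because a record can be present on one server and missing on another, which matches the per-DC differences in the netdiag output above.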
 
LVL 9

Expert Comment

by:jdeclue
ID: 11999420
It is possible, although I have never seen that happen before. I imagine it might be possible if the DNS was not configured properly to begin with. Glad you got it figured out, that was pretty quick. Good Job!

J
0
