Problems configuring two Windows 2003 DNS servers on the same domain.

_marcos_ asked (Medium Priority, 1,224 Views, Last Modified: 2012-06-21)
Hello everybody.

I have problems configuring a second DNS server in a Windows 2003 environment; here is the schema:

Server A: First domain controller, Active Directory and first DNS server integrated with AD and dynamic updates allowed (Primary Zones created).

Server B: Second domain controller, Active Directory.

I want to configure a second DNS for fault tolerance in my network, but every time I try it the same errors appear.

I install the DNS service on Server B (Add/Remove programs, etc...); when it's installed there are no zones, but minutes later they appear, replicated from AD or from the Server A DNS service. At that point, the two servers have the DNS service installed with the same Primary Zones, integrated in AD and dynamic updates allowed.

Well, I change the TCP/IP parameters on both servers in this way:

                   Server A:   Server B:
Primary DNS:       Server A    Server B
Secondary DNS:     Server B    Server A

Everything is working fine, but if I shut down Server A and then restart Server B, Server B takes 10 minutes to show the netlogon screen (in normal conditions this screen is shown in 2 or 3 minutes) and the event viewer reports some errors:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: time
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/serverA.domain.local(*). The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

(*) In the other errors this line is changed to ServerB.

Is this normal behavior? Is the second DNS server badly installed?

The workstations log on to server B with no errors.

I need some help, thanks!!!



Commented:
Do you have any ISP forwarders set on the dodgy DNS server? Nothing else except server A and B in the TCP/IP properties?

Author

Commented:
No forwarders have been set on the DNS servers (A and B), only internal DNS.

It seems that if the server A DNS is not available, the other server takes too much time to start up. After that, everything seems normal, but I need to know if those event errors are normal or not.

Author

Commented:
I don't need Internet access on both servers.

Do I have to create the second DNS server as a Secondary Zone and activate Zone Transfer on the Primary Server?

Author

Commented:
These are the errors displayed when server B is restarted while server A is shut down:

Event Type: Warning
Event Source: NETLOGON
Event Category: none
Event ID: 3096
Date: date
Time: 12:18:10
User: N/A
Computer: ServerB
Description: The Windows domain controller for this domain could not be located. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:24
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/serverB. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:26
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/ServerB.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:47
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server DNS/ServerA.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

Commented:
It looks like Server A points to itself for DNS. I have heard this can cause the following error:

When a domain controller comes online, the Netlogon Service starts before the DNS Service. If the DNS for that DC points to itself, the Netlogon Service cannot locate the domain controller, so the error appears.

Event Type: Warning
Event Source: NETLOGON
Event Category: none
Event ID: 3096
Date: date
Time: 12:18:10
User: N/A
Computer: ServerB
Description: The Windows domain controller for this domain could not be located. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Commented:
As jbatt already suggests, I believe this is the problem:

                   Server A:   Server B:
Primary DNS:       Server A    Server B
Secondary DNS:     Server B    Server A

Change that to:

                   Server A:   Server B:
Primary DNS:       Server A    Server B
Secondary DNS:     Server A    Server B

Author

Commented:
I've checked EventID but...

Adding DNS as DependOnService on W32Time, NTFRS, SMTPVC and NETLOGON does not solve the problem.

Adding Forwarders on DNS ServerB does not solve the problem.

Any ideas?

Thanks

Author

Commented:
Would it not be the same to leave only the Primary DNS configured and the Secondary DNS set to blank?

Commented:
Not really: both servers would do their updates to the same server (A), reducing replication overhead; server B would not run into problems where the netlogon service starts before the directory services, causing the error event described above; and when server A goes down, server B reverts to using itself as its DNS server. This was actually a big problem in multi-DNS environments in Windows 2000, called the island issue: http://support.microsoft.com/kb/275278/en-us

Author

Commented:
CoccoBill, do you mean setting the primary and secondary DNS to point to the same server on each server?

Is that right?

Commented:
Yes, that's right.

As a disclaimer, the "official" Microsoft recommendation for Windows 2003 is to point all DNS servers' DNS clients to themselves, exactly the way you have it now. This, however, can cause the netlogon errors you're having when on bootup the netlogon service starts before the DNS service, which leads to netlogon not being able to contact the DNS service.

Author

Commented:
CoccoBill, I cannot set both primary and secondary DNS pointing to the same IP; Windows 2003 says that the primary and secondary DNS parameters must be different.

Commented:
Oh no, I meant:

Server A
Pri: A
Sec: B

Server B
Pri: A
Sec: B

Sorry about that.
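The thread's whole diagnosis turns on which DNS server each DC's TCP/IP client settings list first. The script below is an added example (not something posted in this thread, and not a Microsoft tool) that reads the DNS search order of every IP-enabled adapter on the DC it runs on and flags two things: whether the first entry is the machine itself (the configuration jbatt and CoccoBill associate with Netlogon starting before the DNS service), and whether the order differs from the one the administrator has decided on. The `$ExpectedOrder` addresses are placeholders; replace them with the real IPs of server A and server B in the order chosen. It assumes it is run locally on each DC with administrative rights.

```powershell
# Added example, not from the thread: audit a DC's DNS client search order.
# Assumption: run locally on each DC as an administrator. The two addresses in
# $ExpectedOrder are placeholders standing for server A and server B.
param(
    [string[]]$ExpectedOrder = @('192.0.2.10', '192.0.2.11')  # placeholder: A, then B
)

# Only adapters that actually carry IP matter for the DNS client.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"

# Every address this machine answers on; used to detect "points to itself".
$localIPs = @($adapters | ForEach-Object { $_.IPAddress } | Where-Object { $_ })

foreach ($nic in $adapters) {
    $order = @($nic.DNSServerSearchOrder)
    Write-Host "Adapter: $($nic.Description)"
    Write-Host "  DNS search order: $($order -join ', ')"

    if ($order.Count -eq 0) {
        Write-Warning "  No DNS servers configured on this adapter."
        continue
    }

    # The symptom discussed in the thread: when the first DNS entry is the DC
    # itself, Netlogon can start before the DNS service at boot, which is when
    # NETLOGON 3096 and LSASRV 40960 warnings are logged.
    if ($localIPs -contains $order[0]) {
        Write-Warning "  First DNS server is this machine ($($order[0])); Netlogon may start before the local DNS service at boot."
    }

    # Positional comparison (-SyncWindow 0): order matters, not just membership.
    if (Compare-Object $order $ExpectedOrder -SyncWindow 0) {
        Write-Warning "  Search order differs from the expected: $($ExpectedOrder -join ', ')"
    } else {
        Write-Host "  Search order matches the expected configuration."
    }
}
```

Run it on both DCs after changing the TCP/IP settings; the two outputs should agree with whichever of the two tables above was applied. The script only reports; it does not change anything, so it is safe to run repeatedly while deciding between the "point to self" arrangement Microsoft documents and the "partner first" arrangement suggested here.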

Author

Commented:
I've set the DNS parameters that way, but when Server A is offline and Server B is restarted, it still takes 10 minutes and the same errors appear in the event viewer: 40960, 3096.

Commented:
You mean when both servers are down? Yes, you will most likely have issues similar to that if both/all of your DCs are down at the same time. If you only get those errors during bootup, you can safely ignore them.

Author

Commented:
What I mean is that I have two domain controllers with the DNS service installed, integrated with AD and dynamic updates allowed. Both DNS servers hold Primary Zones.

When SERVER A is shut down and I restart SERVER B, then on SERVER B some errors are registered in the event viewer (40960 and 3096) and it takes 10 minutes to show the Logon screen.

I was thinking that if SERVER B had the DNS service installed and replicated from SERVER A, then when SERVER B restarts while SERVER A is offline there would be no errors or delay on start up (the second issue is the real problem).

Is there any way to avoid the 10 minute delay when restarting SERVER B with this configuration while SERVER A is offline, or is this the normal behaviour?

Thanks!


Commented:
That behaviour is normal, since it's trying to find the other DC/DNS. One of the biggest reasons for having 2 DCs is to have one up at all times; hopefully having one down and having to reboot the other one at the same time is not something that happens often?

Author

Commented:
Of course it would not be a normal situation but... if it occurs I only want to know if it is normal to wait 10 minutes.

Author

Commented:
One other thing: if I reverse the situation, Server A online and Server B offline, when Server A is restarted it does NOT take 10 minutes to boot. It starts normally with no errors.

Why?

Commented:
Is Server A the first DC in the domain, that is, does it hold all the FSMO roles? Which of the servers are global catalogs?

If server A has all the FSMO roles and is the only GC, that could very well be the reason, but without further inspection it is impossible to tell. If server B is not a global catalog and you're not planning to add child domains to your forest, make it one:

http://www.petri.co.il/configure_a_new_global_catalog.htm

Commented:
Wow, this is a long circular conversation.


Marcos,

Like others have said, this behavior is "by design" (not a good design, but still):

In an Active Directory environment, when a domain controller comes online, the Netlogon service starts before the DNS service. If the DNS for that DC is pointed toward itself, the Netlogon service cannot locate the domain controller so we get the error.


ServerA starts normally because, like CoccoBill says, it's the GC.

Author

Commented:
All right TheCleaner

Both servers are configured as Global Catalog servers and Server A holds all FSMO roles.

I'll try to transfer all FSMO roles to Server B and restart it again to see the effect.

I'll post test's results.

Thanks



Author

Commented:
Hello again

I've performed lots of tests, and even a consultation with Microsoft has been created.

At the end, Microsoft says that "It SEEMS to be by design" and there is nothing to do about it.

This is not a good answer, because the 10 minute delay is there every time I reboot server B but...

There is a workaround for the delay; in fact, after applying a modification to the registry, server B starts in 45 seconds, but warnings 40960/40961 still appear and a security issue is created in Active Directory (which is NOT RECOMMENDED by Microsoft).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Key = Repl Perform Initial Synchronizations
Type = DWORD
Value = 0

The delay occurs because the DS and NetLogon services are paused until the other services have started.

Well, I'll wait for SP2 for Windows 2003 to see if it's corrected.

Thanks everybody.
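Because the registry workaround above trades boot time for a setting the author says Microsoft does not recommend, an administrator inheriting these DCs would want a way to find out whether it was ever applied, and whether the boot-time warnings the author mentions are still being logged. The script below is an added example (not part of this thread, and not Microsoft's own tooling) that reads the `Repl Perform Initial Synchronizations` value under the NTDS `Parameters` key quoted in the post and then lists NETLOGON 3096 and LSASRV 40960/40961 warnings from the System log since the last boot. It assumes it is run locally on the DC with administrative rights.

```powershell
# Added example, not from the thread: detect the "Repl Perform Initial
# Synchronizations" workaround on a DC and list the boot-time warnings the
# thread discusses. Assumption: run locally on the DC as an administrator.
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Repl Perform Initial Synchronizations'

# Part 1: registry check. The value is absent by default; 0 is the workaround.
$item = Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host "$valueName is not set: the DC waits for initial replication sync at boot (default)."
} elseif ($item.$valueName -eq 0) {
    Write-Warning "$valueName = 0: the DC skips initial sync at startup. This is the workaround the thread describes as not recommended by Microsoft."
} else {
    Write-Host "$valueName = $($item.$valueName)."
}

# Part 2: warnings since the last boot. Boot time comes from WMI in DMTF format
# and is converted to a DateTime for the -After filter.
$os       = Get-WmiObject Win32_OperatingSystem
$bootTime = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

$events = @(Get-EventLog -LogName System -After $bootTime -EntryType Warning |
    Where-Object {
        ($_.Source -eq 'NETLOGON' -and $_.EventID -eq 3096) -or
        ($_.Source -eq 'LSASRV'   -and (40960, 40961) -contains $_.EventID)
    })

if ($events.Count -gt 0) {
    Write-Warning ("{0} Netlogon/Kerberos warning(s) logged since boot at {1}:" -f $events.Count, $bootTime)
    # The first line of the message names the server the failure was reported
    # against (for example ldap/serverA.domain.local), which is the useful part.
    $events |
        Select-Object TimeGenerated, Source, EventID,
            @{ Name = 'Detail'; Expression = { ($_.Message -split '\r?\n')[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host "No 3096/40960/40961 warnings since boot at $bootTime."
}
```

Reading the timestamps relative to `$bootTime` shows how long after startup the warnings stop, which is the 10 minute versus 45 second difference the author measured; seeing the warnings persist while the registry value reads 0 is exactly the situation the final post describes.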
Commented:
Thanks for the update.