Solved

Problems configuring two Windows 2003 DNS servers on same domain.

Posted on 2006-03-23
Last Modified: 2012-06-21
Hello everybody.

I have problems configuring a second DNS server in a Windows 2003 environment. Here is the schema:

Server A: First domain controller, Active Directory and first DNS server integrated with AD and dynamic updates allowed (Primary Zones created).

Server B: Second domain controller, Active Directory.

I want to configure a second DNS for fault tolerance in my network, but every time I try it the same errors appear.

I install the DNS service on Server B (Add/Remove programs, etc...). When it's installed there are no zones, but minutes later they appear, replicated from AD or from Server A's DNS service. At that point, the two servers have the DNS service installed with the same Primary Zones, integrated in AD and with dynamic updates allowed.

Well, I change the TCP/IP parameters on both servers in this way:

                         Server A:   Server B:

Primary DNS:      Server A    Server B
Secondary DNS:  Server B    Server A

Everything is working fine, but if I shut down Server A and then restart Server B, Server B takes 10 minutes to show the netlogon screen (in normal conditions this screen is shown in 2 or 3 minutes) and the event viewer reports some errors:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: time
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/serverA.domain.local(*). The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

(*) In the other errors this line is changed to ServerB.

Is this normal behavior? Is the second DNS server badly installed?

The workstations log on to server B with no errors.

I need some help, thanks!!!



Question by:_marcos_
25 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16277955
Do you have any ISP forwarders set on the dodgy DNS server? Nothing else except server A and B in the TCP/IP properties??
0
 

Author Comment

by:_marcos_
ID: 16278021
No forwarders have been set on the DNS servers (A and B), only internal DNS.

It seems that if server A's DNS is not available, the other server takes too much time to start up. After that, everything seems normal, but I need to know if those event errors are normal or not.

0
 

Author Comment

by:_marcos_
ID: 16278033
I don't need Internet access on both servers.

Do I have to create second DNS server as Secondary Zone and activate Zone Transfer on Primary Server?

0

 

Author Comment

by:_marcos_
ID: 16278335
These are the errors displayed when server B is restarted and server A shut down:

Event Type: Warning
Event Source: NETLOGON
Event Category: none
Event ID: 3096
Date: date
Time: 12:18:10
User: N/A
Computer: ServerB
Description: The Windows domain controller for this domain could not be located. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:24
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/serverB. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:26
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/ServerB.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:47
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server DNS/ServerA.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e
0
 
LVL 3

Expert Comment

by:jbatt
ID: 16278425
It looks like Server A points to itself for DNS. I have heard this can cause the following error....

When a domain controller comes on-line the Netlogon service starts before the DNS service. If the DNS for that DC points to itself, the Netlogon service cannot locate the domain controller, so the error appears.

Event Type: Warning
Event Source: NETLOGON
Event Category: none
Event ID: 3096
Date: date
Time: 12:18:10
User: N/A
Computer: ServerB
Description: The Windows domain controller for this domain could not be located. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0
 
LVL 3

Accepted Solution

by:
jbatt earned 750 total points
ID: 16278430
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 16278873
As jbatt already suggests I believe this is the problem:

                         Server A:   Server B:

Primary DNS:      Server A    Server B
Secondary DNS:  Server B    Server A

Change that to:

                         Server A:   Server B:

Primary DNS:      Server A    Server B
Secondary DNS:  Server A    Server B
0
 

Author Comment

by:_marcos_
ID: 16278898
I've checked EventID but...

Adding DNS as DependOnService on W32Time, NTFRS, SMTPVC and NETLOGON does not solve the problem.

Adding Forwarders on DNS ServerB does not solve the problem.

Any ideas?

Thanks
0
 

Author Comment

by:_marcos_
ID: 16278928
Will it not be the same to leave only the Primary DNS configured and the Secondary DNS blank?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 16278972
Not really. Both servers would do their updates to the same server (A), reducing replication overhead; server B would not run into problems where the netlogon service starts before the directory services, causing the error event described above; and when server A goes down, server B reverts to using itself as its DNS server. This was actually a big problem in multi-DNS environments in Windows 2000, called the island issue: http://support.microsoft.com/kb/275278/en-us
0
 

Author Comment

by:_marcos_
ID: 16278996
CoccoBill, do you mean setting primary and secondary DNS to point same server on each server?

Is that right?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 16279039
Yes that's right.

As a disclaimer, the "official" Microsoft recommendation for Windows 2003 is to point all DNS servers' DNS clients to themselves, exactly the way you have it now. This, however, can cause the netlogon errors you're having when on bootup the netlogon service starts before the DNS service, which leads to netlogon not being able to contact the DNS service.
0
 

Author Comment

by:_marcos_
ID: 16279306
CoccoBill, I cannot set both primary and secondary DNS pointing to same IP, Windows 2003 says that primary and secondary DNS parameters must be different.



0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 16279323
Oh no I meant:

Server A
Pri: A
Sec: B

Server B
Pri: A
Sec: B

Sorry about that.
0
 

Author Comment

by:_marcos_
ID: 16279488
I've set DNS parameters that way but when Server A is offline and Server B is restarted, it takes 10 minutes and same errors on event viewer. 40960, 3096.

0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 16279528
You mean when both servers are down? Yes, you will most likely have issues similar to that if both/all of your DCs are down at the same time. If you only get those errors during bootup, you can safely ignore them.
0
 

Author Comment

by:_marcos_
ID: 16279614
What I mean is that I have two domain controllers with DNS services installed, integrated with AD and dynamic updates allowed. Both DNS servers are Primary Zones.

When SERVER A is shut down and I restart SERVER B then on SERVER B some errors are registered on event viewer (40960 and 3096) and it takes 10 minutes to show Logon screen.

I was thinking that if SERVER B had DNS service installed and replicated from SERVER A, when SERVER B restarts and SERVER A is offline, there will be no errors or delay on start up (the second issue is the problem indeed).

Is there any way to avoid the 10 minute delay when restarting SERVER B with this configuration when SERVER A is offline, or is this the normal behaviour?

Thanks!


0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 750 total points
ID: 16279788
That behaviour is normal, since it's trying to find the other DC/DNS. One of the biggest reasons for having 2 DCs is to have one up at all times, hopefully having one down and having to reboot the other one at the same time is not something that happens often?
0
 

Author Comment

by:_marcos_
ID: 16279882
Of course it could not be a normal situation but... if it occurs I only want to know if it was normal to wait 10 minutes.

0
 

Author Comment

by:_marcos_
ID: 16279904
One other thing, if i reverse the situation, Server A on-line and Server B is off-line, when Server A is restarted it does NOT take 10 minutes to boot. It starts normally with no errors.

Why?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 16279987
Is Server A the first DC in the domain, that is, does it hold all the FSMO roles? Which of the servers are global catalogs?

If server A has all the FSMO roles and is the only GC that could very well be the reason, but without further inspection impossible to tell. If server B is not a global catalog and you're not planning to add child domains to your forest, make it one:

http://www.petri.co.il/configure_a_new_global_catalog.htm
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16280498
Wow, this is a long circular conversation.


Marcos,

Like others have said, this behavior is "by design" (not a good design, but still):

In an Active Directory environment, when a domain controller comes online, the Netlogon service starts before the DNS service. If the DNS for that DC is pointed toward itself, the Netlogon service cannot locate the domain controller so we get the error.


ServerA starts normally because, like CoccoBill says, it's the GC.
0
 

Author Comment

by:_marcos_
ID: 16281423
All right TheCleaner

Both servers are configured as Global Catalog servers and Server A holds all FSMO roles.

I'll try to transfer all FSMO roles to Server B and restart it again to see the effect.

I'll post test's results.

Thanks



0
 

Author Comment

by:_marcos_
ID: 16408007
Hello again

I've performed lots of tests, and even a consultation with Microsoft has been opened.

At the end, Microsoft says that "It SEEMS to be by design" and there is nothing to do with it.

This is not a good answer because the 10 minute delay is there every time I reboot server B but...

There is a workaround for the delay. In fact, after applying a modification to the registry, server B starts in 45 seconds, but warnings 40960/40961 still appear and a security issue is created in Active Directory (which is NOT RECOMMENDED by Microsoft).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Key = Repl Perform Initial Synchronizations
Type = DWORD
Value = 0

The delay occurs because the DS and NetLogon services get paused until other services are started.

Well, I'll wait until SP2 for Windows 2003 to see if it's corrected.

Thanks everybody.
0
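Added audit script (not from the thread or from Microsoft): it checks each DC for the two conditions discussed above, a DNS client list that points to the DC itself first (the Netlogon-before-DNS race and the KB 275278 island issue CoccoBill describes) and the "Repl Perform Initial Synchronizations" registry workaround marcos reports, and flags both. It assumes a current Windows Server with the ActiveDirectory and DnsClient modules, PowerShell remoting to every DC, and that the first adapter with IPv4 DNS servers is the production interface.

```powershell
# Added example, not part of the original thread. Requires RSAT ActiveDirectory
# module and WinRM access to each DC; registry path/value as quoted in the thread.
Import-Module ActiveDirectory

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # The DC's own IPv4 addresses, to detect "points to itself first".
    $own = [System.Net.Dns]::GetHostAddresses($dc) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }

    # Assumption: first adapter with IPv4 DNS servers is the production NIC.
    $servers = @(Invoke-Command -ComputerName $dc -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1 -ExpandProperty ServerAddresses
    })

    # Workaround from the thread: 0 skips initial replication sync at boot.
    $initialSync = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path $using:ntdsKey -ErrorAction SilentlyContinue).
            'Repl Perform Initial Synchronizations'
    }

    $findings = @()
    if ($servers.Count -lt 2) {
        $findings += 'only one DNS server configured (no fault tolerance)'
    }
    if ($servers.Count -gt 0 -and $servers[0] -in $own) {
        $findings += 'primary DNS is itself (Netlogon may start before DNS; island issue, KB 275278)'
    }
    if (-not ($servers | Where-Object { $_ -notin $own })) {
        $findings += 'no partner DC in the DNS client list'
    }
    if ($initialSync -eq 0) {
        $findings += 'Repl Perform Initial Synchronizations = 0 (boot without initial sync; not recommended by Microsoft)'
    }

    [pscustomobject]@{
        DC          = $dc
        DnsServers  = ($servers -join ', ')
        InitialSync = $initialSync
        Findings    = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

Run it from a management host with domain admin rights; a DC reporting "OK" has a partner DC first in its list, itself as fallback, and no initial-sync bypass.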
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16413557
Thanks for the update.
0
