Problems configuring two Windows 2003 DNS servers on same domain.

Hello everybody.

I have problems configuring a second DNS server in a Windows 2003 environment; here is the schema:

Server A: First domain controller, Active Directory and first DNS server integrated with AD and dynamic updates allowed (Primary Zones created).

Server B: Second domain controller, Active Directory.

I want to configure a second DNS server for fault tolerance in my network, but every time I try it the same errors appear.

I install the DNS service on Server B (Add/Remove Programs, etc.); when it's installed there are no zones, but minutes later they appear, replicated from AD or from the Server A DNS service. At that point, the two servers have the DNS service installed with the same Primary Zones, integrated in AD and with dynamic updates allowed.

Well, I change the TCP/IP parameters on both servers in this way:

                         Server A:   Server B:

Primary DNS:      Server A    Server B
Secondary DNS:  Server B    Server A

Everything is working fine, but if I shut down Server A and then restart Server B, Server B takes 10 minutes to show the netlogon screen (in normal conditions this screen is shown in 2 or 3 minutes) and the event viewer reports some errors:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: time
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/serverA.domain.local(*). The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

(*) In the other errors this line is changed to ServerB.

Is this normal behavior? Is the second DNS server badly installed?

The workstations log on to server B with no errors.

I need some help, thanks!!!



_marcos_Asked:

Jay_Jay70Commented:
Do you have any ISP forwarders set on the dodgy DNS server? Nothing else except server A and B in the TCP/IP properties?
0
_marcos_Author Commented:
No forwarders have been set on the DNS servers (A and B), only internal DNS.

It seems that if the Server A DNS is not available, the other server takes too much time to start up. After that, everything seems normal, but I need to know if those event errors are normal or not.

0
_marcos_Author Commented:
I don't need Internet access on both servers.

Do I have to create the second DNS server as a Secondary Zone and activate Zone Transfer on the Primary Server?

0

_marcos_Author Commented:
These are the errors displayed when server B is restarted while server A is shut down:

Event Type: Warning
Event Source: NETLOGON
Event Category: none
Event ID: 3096
Date: date
Time: 12:18:10
User: N/A
Computer: ServerB
Description: The Windows domain controller for this domain could not be located. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:24
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/serverB. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:26
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server ldap/ServerB.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: 12:18:47
User: N/A
Computer: ServerB
Description: The Security System detected an authentication error for the server DNS/ServerA.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: c000005e
0
jbattCommented:
It looks like Server A points to itself for DNS. I have heard this can cause the following error...

When a domain controller comes online, the Netlogon service starts before the DNS service. If the DNS for that DC points to itself, the Netlogon service cannot locate the domain controller, so the error appears.

Event Type: Warning
Event Source: NETLOGON
Event Category: none
Event ID: 3096
Date: date
Time: 12:18:10
User: N/A
Computer: ServerB
Description: The Windows domain controller for this domain could not be located. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0
CoccoBillCommented:
As jbatt already suggests, I believe this is the problem:

                         Server A:   Server B:

Primary DNS:      Server A    Server B
Secondary DNS:  Server B    Server A

Change that to:

                         Server A:   Server B:

Primary DNS:      Server A    Server B
Secondary DNS:  Server A    Server B
0
_marcos_Author Commented:
I've checked EventID but...

Adding DNS as DependOnService on W32Time, NTFRS, SMTPVC and NETLOGON does not solve the problem.

Adding Forwarders on DNS ServerB does not solve the problem.

Any ideas?

Thanks
0
_marcos_Author Commented:
Would it not be the same to leave only the Primary DNS configured and the Secondary DNS blank?
0
CoccoBillCommented:
Not really: both servers would do their updates to the same server (A), reducing replication overhead; server B would not run into problems where the netlogon service starts before the directory services, causing the error event described above; and when server A goes down, server B reverts to using itself as its DNS server. This was actually a big problem in multi-DNS environments in Windows 2000, called the island issue: http://support.microsoft.com/kb/275278/en-us
0
_marcos_Author Commented:
CoccoBill, do you mean setting primary and secondary DNS to point same server on each server?

Is that right?
0
CoccoBillCommented:
Yes that's right.

As a disclaimer, the "official" Microsoft recommendation for Windows 2003 is to point all DNS servers' DNS clients to themselves, exactly the way you have it now. This, however, can cause the netlogon errors you're having when on bootup the netlogon service starts before the DNS service, which leads to netlogon not being able to contact the DNS service.
0
_marcos_Author Commented:
CoccoBill, I cannot set both primary and secondary DNS pointing to same IP, Windows 2003 says that primary and secondary DNS parameters must be different.



0
CoccoBillCommented:
Oh no I meant:

Server A
Pri: A
Sec: B

Server B
Pri: A
Sec: B

Sorry about that.
0
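As an added example (not code from the thread, and not Microsoft's), a PowerShell script that audits the DNS client search order on both DCs against the order CoccoBill recommends (preferred = Server A, alternate = Server B) and optionally corrects it through WMI. It assumes PowerShell 2.0 or later on the management host, WMI access to both DCs, and placeholder names and addresses (ServerA/ServerB, 192.0.2.10/192.0.2.11) that you must replace with your own.

```powershell
# Added example, not code from the thread: audit (and optionally fix) the DNS
# client search order on each domain controller so both DCs use the order
# recommended above (preferred = Server A, alternate = Server B).
# Assumptions: PowerShell 2.0+, WMI access to both DCs, and placeholder
# names/addresses that must be replaced with the real ones.

$DomainControllers = @('ServerA', 'ServerB')          # names as used in the thread
$DesiredOrder      = @('192.0.2.10', '192.0.2.11')    # A then B (placeholder IPs)
$Fix               = $false                           # set $true to apply the change

function Get-DcDnsClientConfig {
    param([string]$ComputerName)
    # Only IP-enabled adapters carry a DNS client configuration.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                  -ComputerName $ComputerName -Filter 'IPEnabled = True' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer   = $ComputerName
                Adapter    = $_.Description
                Index      = $_.Index
                DnsServers = @($_.DNSServerSearchOrder)
            }
        }
}

function Test-DnsSearchOrder {
    param([string[]]$Actual, [string[]]$Expected)
    # Order matters: the first entry is the resolver the DNS client tries
    # first when Netlogon looks up the domain's SRV records at boot.
    if ($Actual.Count -ne $Expected.Count) { return $false }
    for ($i = 0; $i -lt $Expected.Count; $i++) {
        if ($Actual[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

foreach ($dc in $DomainControllers) {
    foreach ($cfg in Get-DcDnsClientConfig -ComputerName $dc) {
        $ok = Test-DnsSearchOrder -Actual $cfg.DnsServers -Expected $DesiredOrder
        # A resolver that is not one of our AD-integrated DNS servers (for
        # example an ISP resolver) cannot answer _ldap._tcp SRV queries for
        # the domain and must not appear in a DC's client list.
        $foreign = @($cfg.DnsServers | Where-Object { $DesiredOrder -notcontains $_ })
        '{0} [{1}] order: {2}  OK={3}  Foreign={4}' -f `
            $cfg.Computer, $cfg.Adapter, ($cfg.DnsServers -join ' -> '), $ok, ($foreign -join ',')

        if ($Fix -and -not $ok) {
            # SetDNSServerSearchOrder is the WMI method behind the TCP/IP
            # "Preferred/Alternate DNS server" fields; ReturnValue 0 = success.
            $adapter = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                           -ComputerName $dc -Filter "Index = $($cfg.Index)"
            $rc = $adapter.SetDNSServerSearchOrder($DesiredOrder)
            '  -> SetDNSServerSearchOrder on {0} returned {1}' -f $dc, $rc.ReturnValue
        }
    }
}
```

After changing the order on a DC, run `ipconfig /registerdns` and restart the Netlogon service on it so its A and SRV records are re-registered, then confirm with `nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local <server IP>` against each DNS server that both return both DCs. Any entry reported under "Foreign" should be removed before looking for other causes of the 40960/3096 events.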
_marcos_Author Commented:
I've set the DNS parameters that way, but when Server A is offline and Server B is restarted, it takes 10 minutes and the same errors appear in the event viewer: 40960, 3096.

0
CoccoBillCommented:
You mean when both servers are down? Yes, you will most likely have issues similar to that if both/all of your DCs are down at the same time. If you only get those errors during bootup, you can safely ignore them.
0
_marcos_Author Commented:
What I mean is that I have two domain controllers with the DNS service installed, integrated with AD and dynamic updates allowed. Both DNS servers have Primary Zones.

When SERVER A is shut down and I restart SERVER B, then on SERVER B some errors are registered in the event viewer (40960 and 3096) and it takes 10 minutes to show the logon screen.

I was thinking that if SERVER B had the DNS service installed and replicated from SERVER A, then when SERVER B restarts and SERVER A is offline there would be no errors or delay on start-up (the second issue is the problem indeed).

Is there any way to avoid the 10-minute delay when restarting SERVER B with this configuration while SERVER A is offline, or is this the normal behaviour?

Thanks!


0
CoccoBillCommented:
That behaviour is normal, since it's trying to find the other DC/DNS. One of the biggest reasons for having 2 DCs is to have one up at all times; hopefully having one down and having to reboot the other one at the same time is not something that happens often?
0
_marcos_Author Commented:
Of course it would not be a normal situation, but... if it occurs I only want to know whether it is normal to wait 10 minutes.

0
_marcos_Author Commented:
One other thing: if I reverse the situation, Server A online and Server B offline, when Server A is restarted it does NOT take 10 minutes to boot. It starts normally with no errors.

Why?
0
CoccoBillCommented:
Is Server A the first DC in the domain, that is, does it hold all the FSMO roles? Which of the servers are global catalogs?

If server A has all the FSMO roles and is the only GC that could very well be the reason, but without further inspection impossible to tell. If server B is not a global catalog and you're not planning to add child domains to your forest, make it one:

http://www.petri.co.il/configure_a_new_global_catalog.htm
0
TheCleanerCommented:
Wow, this is a long circular conversation.


Marcos,

Like others have said, this behavior is "by design" (not a good design, but still):

In an Active Directory environment, when a domain controller comes online, the Netlogon service starts before the DNS service. If the DNS for that DC is pointed toward itself, the Netlogon service cannot locate the domain controller so we get the error.


ServerA starts normally because, like CoccoBill says, it's the GC.
0
_marcos_Author Commented:
All right TheCleaner

Both servers are configured as Global Catalog servers and Server A holds all FSMO roles.

I'll try to transfer all FSMO roles to Server B and restart it again to see the effect.

I'll post test's results.

Thanks



0
_marcos_Author Commented:
Hello again

I've performed lots of tests; even a Microsoft consultation has been opened.

At the end, Microsoft says that "It SEEMS to be by design" and there is nothing to do with it.

This is not a good answer, because the 10-minute delay is there every time I reboot server B, but...

There is a workaround for the delay; in fact, after applying a modification to the registry, server B starts in 45 seconds, but warnings 40960/40961 still appear and a security issue is created in Active Directory (which is NOT RECOMMENDED by Microsoft).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Key = Repl Perform Initial Synchronizations
Type = DWORD
Value = 0

The delay occurs because the DS and NetLogon services are paused until other services have started.

Well, I'll wait for SP2 for Windows 2003 to see if it's corrected.

Thanks everybody.
0
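As an added example (again not code from the thread or from Microsoft), a PowerShell script that reports which DCs have the registry workaround above applied and whether such a DC also holds FSMO roles. The reason the workaround is discouraged is that a DC which skips initial synchronization can start advertising its FSMO roles at boot before it learns that a role was transferred or seized while it was offline; the script flags that combination as the high-risk case. It assumes PowerShell 2.0 or later run as a domain admin, the Remote Registry service running on each DC, and the same placeholder DC names as before.

```powershell
# Added example, not code from the thread: report which DCs have
# "Repl Perform Initial Synchronizations" set to 0 and whether such a DC also
# holds FSMO roles (the combination Microsoft advises against).
# Assumptions: PowerShell 2.0+, domain admin rights, Remote Registry running
# on each DC, placeholder DC names.

$DomainControllers = @('ServerA', 'ServerB')
$NtdsParams = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Repl Perform Initial Synchronizations'

function Get-FsmoRoleOwners {
    # System.DirectoryServices.ActiveDirectory ships with .NET 2.0, so this
    # works against a 2003 domain without the later ActiveDirectory module.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    @{
        PDC            = $domain.PdcRoleOwner.Name
        RID            = $domain.RidRoleOwner.Name
        Infrastructure = $domain.InfrastructureRoleOwner.Name
        Schema         = $forest.SchemaRoleOwner.Name
        DomainNaming   = $forest.NamingRoleOwner.Name
    }
}

function Get-InitialSyncSetting {
    param([string]$ComputerName)
    # Returns $null when the value is absent (the default: initial sync required).
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hive.OpenSubKey($NtdsParams)
        if ($key -eq $null) { return $null }
        try { $key.GetValue($ValueName) } finally { $key.Close() }
    } finally {
        $hive.Close()
    }
}

function Test-InitialSyncRisk {
    param([string]$ComputerName, $Setting, [hashtable]$Roles)
    $disabled = ($Setting -ne $null -and [int]$Setting -eq 0)
    # Role owner names are FQDNs (serverA.domain.local); match on the host part.
    $held = @($Roles.Keys | Where-Object {
        ($Roles[$_] -split '\.')[0] -eq $ComputerName })
    if ($disabled -and $held.Count -gt 0) { $risk = 'HIGH: FSMO holder boots without initial sync' }
    elseif ($disabled)                     { $risk = 'MEDIUM: workaround applied' }
    else                                   { $risk = 'none' }
    New-Object PSObject -Property @{
        Computer       = $ComputerName
        InitialSyncOff = $disabled
        FsmoRolesHeld  = ($held -join ',')
        Risk           = $risk
    }
}

$roles = Get-FsmoRoleOwners
foreach ($dc in $DomainControllers) {
    $setting = Get-InitialSyncSetting -ComputerName $dc
    Test-InitialSyncRisk -ComputerName $dc -Setting $setting -Roles $roles
}
```

If the workaround has to stay on a DC, keep it off the FSMO role holders (in this thread that is Server A), and remove the value again once the boot delay is no longer a problem; the 40960 warnings it leaves behind at boot are the same harmless ones discussed above, not a sign of a broken DNS server.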
TheCleanerCommented:
Thanks for the update.
0