• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 416

Multiple 2003 Server AD and DNS Issues

After moving all 5 FSMO roles from SERVER1 to SERVER2 after a successful promotion, I am unable to then promote SERVER3, getting the following error:

"The operation failed because:

This Active Directory installation requires domain configuration changes, but whether these changes have been made on the domain controller xxxx is undetermined. The installation process has quit.  

"The parameter is incorrect." "

When I open up dsa.msc > Operations Masters whilst connected to SERVER2 everything seems fine; however, doing the same from SERVER1 or any of the other 4 DCs I get 'Error'. I'm unable to transfer roles back as the role holder appears offline. I don't want to seize the roles either, as all servers need to stay in use and cannot be permanently removed as per the MS KBs.

SERVER1 and SERVER2 are both running AD DNS. As far as I can tell there are no new CNAME records etc. for SERVER2; hoping this is a simple DNS issue.

Any thoughts?
Thanks
0
premierpc
Asked:
2 Solutions
 
Jay_Jay70Commented:
Hi premierpc,

did you transfer the roles using ntdsutil or the Windows MMCs?

have you rebooted the servers since?

Cheers!
0
 
premierpcAuthor Commented:
Hi,

All 5 roles transferred via mmc as per
http://support.microsoft.com/kb/324801
Reported as successful


Servers rebooted afterwards

Thanks
0
 
Jay_Jay70Commented:
have you created those DNS records as yet that you mentioned above?

are you able to completely resolve the servers from each other?
0
 
premierpcAuthor Commented:
I can resolve between each; A host records are present. However, within _msdcs there is no CNAME alias. I don't know how to create the record as the alias has a non-friendly name, for example for SERVER1 it's bd0aa105-f82e-4b78-9caf-ec6b23864623. I assume this is created by AD, and its absence for SERVER2 is causing the problem?

0
 
Jay_Jay70Commented:
hmm drilling that deep into dns starts getting complex, has the record been updated on any of your servers?

what does dcdiag say?
0
 
premierpcAuthor Commented:
The record has not been updated on any of the DNS servers, there are also no SRV records for SERVER2..


I'll just run dcdiag now and post results
0
 
Jay_Jay70Commented:
hmm messy ...hopefully dcdiag can provide at least some insight
0
 
premierpcAuthor Commented:
*********************************
basic dcdiag test results:
*********************************


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         SERVER2's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (SERVER2.xxxxx.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2
      Skipping all tests, because server SERVER2 is
      not responding to directory service requests

   Running enterprise tests on : xxxxx.local
      Starting test: Intersite
         ......................... xxxxx.local passed test Intersite
      Starting test: FsmoCheck
         ......................... xxxxx.local passed test FsmoCheck



*********************************
results of dcdiag /test:connectivity
*********************************
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         SERVER2's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (srvfile01.broxapltd.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2

   Running enterprise tests on : xxxxx.local

*************************

Any thoughts on the best way forward
0
 
Jay_Jay70Commented:
both server 1 and 2 are registering to the same IP address    nasty

try simple steps to start

ipconfig /flushdns on both servers

ipconfig /registerdns and see if that helps
0
 
premierpcAuthor Commented:
JayJay,

I have already flushed & registered. What do you think about deleting the AD zones and starting again, and letting everything rebuild?
0
 
Jay_Jay70Commented:
i have never taken the step of deleting AD zones completely

let me trial for you on a test system now, I'll post in a sec
0
 
Jay_Jay70Commented:
i just deleted the zone off my 2003 trial system and then recreated it and let it re-populate and it was fine

clients started turning up after a flush and register
0
 
Jay_Jay70Commented:
when you do an nslookup on that 10.0.5.12 address, which server does it resolve to?
0
 
premierpcAuthor Commented:
last time I did it I deleted the zones then,
net stop netlogon
dns flush
net start netlogon

Ran the above on all DC/DNS servers. Just concerned that on a live system it may make the problem worse; if the records didn't create the first time round, will they the second time?!
0
 
premierpcAuthor Commented:
nslookup resolves correctly on both servers 10.0.5.12 to SERVER2
0
 
Jay_Jay70Commented:
i am not sure why they wouldn't have created the first time     recreating the zones will search through the domain and reregister everything though so you would assume it would find the correct name this time...
0
 
Netman66Commented:
Try something simple before you get drastic.

DCDIAG /FIX

NETDIAG /FIX


Also, the original error sounds like an error produced when adprep /forestprep has been run BUT /domainprep has not been run - and you are attempting to add a 2003 server as a DC.


Just some thoughts.
0
 
premierpcAuthor Commented:
just checking the event log on SERVER2



Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2088
Date:            20/04/2006
Time:            08:43:57
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER2
Description:
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 SERVER1.broxapltd.local
Failing DNS host name:
 ce2baaf5-e529-430e-9074-8771db45736f._msdcs.xxxxx.local
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************

I noticed this morning SERVER2's primary DNS is pointing at SERVER1 and its secondary DNS at itself. I don't want to change this as I may lose network connectivity.
0
 
Jay_Jay70Commented:
and welcome ones..... I haven't come across this and am way too unsure to advise deleting entire zones.....
0
 
premierpcAuthor Commented:
Netman66,

Original DC SERVER1 is 2003, SERVER2 also 2003, was meant to be a simple role transfer!

output of DCDIAG /FIX

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         SERVER2's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (SERVER2.xxxxx.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2
      Skipping all tests, because server SERVER2 is
      not responding to directory service requests

   Running enterprise tests on : xxxxx.local
      Starting test: Intersite
         ......................... xxxxx.local passed test Intersite
      Starting test: FsmoCheck

0
 
Jay_Jay70Commented:
i always have my DCs pointing to themselves primarily and then the next one in line as secondary
0
 
premierpcAuthor Commented:
Output of netdiag /fix

The procedure entry point DNSGetPrimaryDomainName_UTF8 could not be located in the dynamic link library DNSAPI.DLL
0
 
premierpcAuthor Commented:
JayJay,
Yes, that is normally how I would set it up
0
 
premierpcAuthor Commented:
I'm just running dcdiag enhanced version..

dcdiag /test:dns
I will post results once complete

Thanks
0
 
Jay_Jay70Commented:
did you change your pointers?
0
 
premierpcAuthor Commented:
JayJay,

No, I didn't change the pointers

Here is the output:
************************************************

C:\Program Files\Support Tools>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         The host 9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (SERVER2.xxxxx.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : xxxxx

   Running enterprise tests on : xxxxx.local
      Starting test: DNS
         Test results for domain controllers:

            DC: SERVER2.xxxxx.local
            Domain: xxxxx.local


               TEST: Basic (Basc)
                  Error: No LDAP connectivity

               TEST: Records registration (RReg)
                  Network Adapter [00000001] Intel(R) PRO/1000 T Server Adapter:

                     Error: Missing CNAME record at DNS server 10.0.5.10 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local


                     Warning: Missing DC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.dc._msdcs.xxxxx.local
                     (Ignore the error if DNSAvoidRegisterRecord registry key or its Group Policy
                     has been configured to prevent registration of this Record.)

                     Error: Missing PDC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.pdc._msdcs.xxxxx.local

                     Error: Missing CNAME record at DNS server 10.0.5.12 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local


                     Warning: Missing DC SRV record at DNS server 10.0.5.12 :
                     _ldap._tcp.dc._msdcs.xxxxx.local
                     (Ignore the error if DNSAvoidRegisterRecord registry key or its Group Policy
                     has been configured to prevent registration of this Record.)

                     Error: Missing PDC SRV record at DNS server 10.0.5.12 :
                     _ldap._tcp.pdc._msdcs.xxxxx.local

               Error: Record registrations cannot be found for all the network adapters

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: xxxxx.local
               srvfile01                    PASS FAIL PASS PASS PASS FAIL n/a

         ......................... xxxxx.local failed test DNS

*******************************************
0
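The RReg section of that dcdiag /test:dns output is the part worth checking mechanically, because a record missing on every DNS server dcdiag queried points at the registering DC (Netlogon never wrote it), while a record missing on only some servers points at zone replication. The following Python parser is an added example, not part of this thread or of dcdiag itself; the sample text is constructed from the output posted above (the thread's placeholder domain and addresses), and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the RReg section posted above
# (placeholder domain and addresses from the thread, not real hosts).
SAMPLE_DCDIAG = """\
               TEST: Records registration (RReg)
                  Network Adapter [00000001] Intel(R) PRO/1000 T Server Adapter:

                     Error: Missing CNAME record at DNS server 10.0.5.10 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local

                     Warning: Missing DC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.dc._msdcs.xxxxx.local
                     (Ignore the error if DNSAvoidRegisterRecord registry key or
 its Group Policy
                     has been configured to prevent registration of this Record.
)

                     Error: Missing PDC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.pdc._msdcs.xxxxx.local

                     Error: Missing CNAME record at DNS server 10.0.5.12 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local
"""

# One finding line: "<Error|Warning>: Missing <kind> record at DNS server <ip> :"
MISSING_RE = re.compile(
    r"^\s*(?P<severity>Error|Warning): Missing (?P<kind>.+?) record at DNS server "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}) :\s*$"
)


def parse_missing_records(text):
    """Return one dict per 'Missing ... record' finding.

    dcdiag prints the record name on the line after the finding, so the next
    non-blank line is taken as the name. Console wrapping of very long names
    (as seen elsewhere in the posted output) is not repaired here.
    """
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = MISSING_RE.match(lines[i])
        if not m:
            i += 1
            continue
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        name = lines[j].strip() if j < len(lines) else ""
        findings.append({**m.groupdict(), "name": name})
        i = j + 1
    return findings


def by_server(findings):
    """Group findings by the DNS server that was queried."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["server"]].append((f["severity"], f["kind"], f["name"]))
    return dict(grouped)


def missing_everywhere(findings):
    """Names reported missing on every DNS server dcdiag queried.

    These were never registered by the DC at all; names missing on only a
    subset of servers suggest a replication problem between the DNS servers.
    """
    servers = {f["server"] for f in findings}
    seen_on = defaultdict(set)
    for f in findings:
        seen_on[f["name"]].add(f["server"])
    return {name for name, on in seen_on.items() if on == servers}


if __name__ == "__main__":
    found = parse_missing_records(SAMPLE_DCDIAG)
    for server, items in by_server(found).items():
        print(f"{server}: {len(items)} missing record(s)")
        for severity, kind, name in items:
            print(f"  [{severity}] {kind}: {name}")
    print("never registered anywhere:", sorted(missing_everywhere(found)))
```

Run it against a saved `dcdiag /test:dns` transcript instead of the embedded sample to get the same split: anything listed under "never registered anywhere" is what the DC's Netlogon failed to write (or what has to be created by hand, as later in this thread), and the rest is a replication question between the DNS servers.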
 
Netman66Commented:
Can this GUID: 9973935a-c915-41b9-81d9-fb04ead640d7
 
be found in _msdcs.domain.local?


0
 
premierpcAuthor Commented:
Netman66,

Hi, I have checked all servers; 9973935a-c915-41b9-81d9-fb04ead640d7 doesn't appear!

Thanks
0
 
Netman66Commented:
You can manually register this entry in _msdcs for now.  I understand that you shouldn't have to, but this should fix the error for now.

Open DNS console.
Expand the domain.
Expand Forward Lookup Zones.
Expand _msdcs.domain.local (or whatever yours is)
Right-click _msdcs.domain.local and select New Alias (CNAME).
For the Alias name use: 9973935a-c915-41b9-81d9-fb04ead640d7
For the Fully Qualified Domain Name use:  SERVER2.xxxxx.local (replace the Xes).

This should replicate and your errors should stop.


0
 
premierpcAuthor Commented:
Netman66,

Thanks for the info, I will try this morning. Do I need to create the missing SRV records too, or just the CNAME alias?
Thanks
0
 
premierpcAuthor Commented:
Ok, this is basically what I did to get the DCs talking again and get rid of the 'Error' within Operations Masters

***********************************************************************************
Added
Forward Lookup:

CNAME (Alias) Records
Name: 9973935a-c915-41b9-81d9-fb04ead640d7 (host found using DCDIAG enhanced version only, command syntax dcdiag /test:dns)

Changed
SOA Records:
Server changed from SERVER1.xxxxx.local to SERVER2.xxxxx.local
Serial incremented.

Added
SRV Records:
Added SERVER2.xxxxx.local for following services:
_ldap
_kpasswd (service name needs to be created manually)
_kerberos

Setup all records for the following protocols:
_tcp
_udp

Reverse Lookup:
SOA changed as above to SERVER2.xxxxx.local, again serial incremented.

Notes
Weight should be set to 100, default is 0 when creating records
As SERVER2 is not a GC it will not be found within zone _msdcs\\gc etc
***********************************************************************************

Information may be useful to someone else in the future. I'm sure just deleting the AD zone and recreating it would have done the same, but as it's a live system, I decided to be cautious!

DCDIAG tests all pass, Thanks for everyones assistance :) points given
0
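The record list above (CNAME under _msdcs, _ldap/_kerberos/_kpasswd SRV records over _tcp and _udp, weight 100 rather than the console's default of 0, no _gc records for a non-GC) is exactly the set Netlogon registers for a Windows Server 2003 DC, so it can be checked rather than remembered. The following Python is an added example, not the thread's own procedure or a Microsoft tool: it generates the expected records for a DC, diffs them against a constructed zone snapshot and emits the matching `dnscmd /RecordAdd` lines. The DC names and GUIDs are the placeholders from this thread; SERVER1 being a GC, the site name, and _msdcs.xxxxx.local being its own zone are assumptions; the `_ldap._tcp.<DomainGuid>.domains._msdcs` record is omitted because the thread never shows the domain GUID.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DomainController:
    fqdn: str        # host name as registered in DNS
    dsa_guid: str    # NTDS Settings objectGUID: owner of the CNAME under _msdcs
    site: str = "Default-First-Site-Name"   # assumed site name
    is_pdc: bool = False
    is_gc: bool = False


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # "CNAME" or "SRV"
    data: str    # CNAME target, or "priority weight port target" for SRV


def expected_records(dc, domain):
    """Records Netlogon registers for a 2003 DC: priority 0, weight 100.
    The _ldap._tcp.<DomainGuid>.domains._msdcs SRV is left out (no domain GUID)."""
    def srv(name, port):
        return Record(name, "SRV", f"0 100 {port} {dc.fqdn}")
    s, d = dc.site, domain
    recs = [Record(f"{dc.dsa_guid}._msdcs.{d}", "CNAME", dc.fqdn)]
    for svc, port in (("_ldap", 389), ("_kerberos", 88)):
        recs += [srv(f"{svc}._tcp.{d}", port),
                 srv(f"{svc}._tcp.{s}._sites.{d}", port),
                 srv(f"{svc}._tcp.dc._msdcs.{d}", port),
                 srv(f"{svc}._tcp.{s}._sites.dc._msdcs.{d}", port)]
    recs += [srv(f"_kerberos._udp.{d}", 88),
             srv(f"_kpasswd._tcp.{d}", 464), srv(f"_kpasswd._udp.{d}", 464)]
    if dc.is_pdc:                       # PDC emulator only
        recs.append(srv(f"_ldap._tcp.pdc._msdcs.{d}", 389))
    if dc.is_gc:                        # global catalog only
        recs += [srv(f"_gc._tcp.{d}", 3268), srv(f"_gc._tcp.{s}._sites.{d}", 3268),
                 srv(f"_ldap._tcp.gc._msdcs.{d}", 3268),
                 srv(f"_ldap._tcp.{s}._sites.gc._msdcs.{d}", 3268)]
    return recs


def check_zone(dc, domain, zone):
    """Compare the zone's records for this DC with the expected set.
    Returns (missing, mismatched); a mismatch pairs the expected record with
    the data actually present for the same owner name and target host."""
    by_key = defaultdict(list)
    for r in zone:
        by_key[(r.name.lower(), r.rtype)].append(r.data)
    missing, mismatched = [], []
    for exp in expected_records(dc, domain):
        present = [d for d in by_key[(exp.name.lower(), exp.rtype)]
                   if d.split()[-1].lower() == dc.fqdn.lower()]
        if not present:
            missing.append(exp)
        elif exp.data.lower() not in [d.lower() for d in present]:
            mismatched.append((exp, present))
    return missing, mismatched


def dnscmd_commands(dc, domain, records):
    """dnscmd /RecordAdd lines, run against the DC's own DNS service, assuming
    _msdcs.<domain> is a separate zone and everything else lives in <domain>."""
    cmds = []
    for r in records:
        zone = f"_msdcs.{domain}" if r.name.endswith(f"._msdcs.{domain}") else domain
        node = r.name[: -len(zone) - 1]
        cmds.append(f"dnscmd {dc.fqdn} /RecordAdd {zone} {node} {r.rtype} {r.data}")
    return cmds


DOMAIN = "xxxxx.local"
SERVER1 = DomainController("SERVER1.xxxxx.local",
                           "ce2baaf5-e529-430e-9074-8771db45736f", is_gc=True)
SERVER2 = DomainController("SERVER2.xxxxx.local",
                           "9973935a-c915-41b9-81d9-fb04ead640d7", is_pdc=True)

# Constructed zone snapshot: SERVER1 registered cleanly; for SERVER2 only a
# hand-made _ldap._tcp record (console default weight 0) and one kerberos SRV.
SAMPLE_ZONE = set(expected_records(SERVER1, DOMAIN)) | {
    Record(f"_ldap._tcp.{DOMAIN}", "SRV", f"0 0 389 {SERVER2.fqdn}"),
    Record(f"_kerberos._tcp.{DOMAIN}", "SRV", f"0 100 88 {SERVER2.fqdn}"),
}

if __name__ == "__main__":
    missing, mismatched = check_zone(SERVER2, DOMAIN, SAMPLE_ZONE)
    for exp, got in mismatched:
        print(f"wrong data at {exp.name}: have {got}, want {exp.data!r}")
    for cmd in dnscmd_commands(SERVER2, DOMAIN, missing):
        print(cmd)
```

Feed `check_zone` a dump of the real zone (for example the output of `dnscmd /ZonePrint` parsed into `Record` objects) and it will list both the records to add and any hand-created ones whose weight or port differs from what Netlogon would have written; the generated dnscmd lines are the scripted equivalent of the console steps described earlier in the thread.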
 
Jay_Jay70Commented:
good stuff

thank you!
0
