• Status: Solved

Active Directory no longer syncs with other DC

I recently upgraded from Exchange 2000 to Exchange 2003 and everything appears to be working okay except that the ADs will not sync. I tried adding a new user to Exchange and it never got pushed over to the other AD. Both boxes are DCs and both are running Windows 2000 Server SP4. How do I get the 2 DCs to sync with one another?
Mad_JasperCommented:
When you say user, do you mean the "user" or the Exchange properties for the user? If the Exchange System Manager is not installed on the DC or computer that accesses Active Directory Users and Computers, Exchange properties will not appear for that user.

If this is not the case, ensure that the DCs are in the "Domain Controllers" OU and in the same site in "Active Directory Sites and Services".
aiplaAuthor Commented:
I am referring to the "user" in AD. I haven't installed the Exchange System Manager on the DC, so when I do add a person I usually have to wait until the 2 servers sync before I can configure that user's email box.
aiplaAuthor Commented:
Under "AD Sites and Services", Sites folder, Default-First-Site-Name, Servers, I see both of my DCs. I don't see "Domain Controllers" in this view. I do have "Domain Controllers" in AD Users and Computers and both of my DCs are in there as well.
Jay_Jay70Commented:
Hi aipla,

Under the site links, try forcing replication and see what errors it gets. Check your event logs and run dcdiag for me.
aiplaAuthor Commented:
How do I force replication? I tried doing this in AD Sites and Services, but all I see is "check replication topology" as a choice.
Jay_Jay70Commented:
Under the NTDS Settings of the DC, right-click on the link and choose "Replicate Now".
aiplaAuthor Commented:
Okay, I finally found where to force the replication and received the following error when I tried this.

"The following error occurred during the attempt to synchronize the domain controllers: The DSA operation is unable to proceed because of a DNS lookup failure. The operation will not continue...."
Jay_Jay70Commented:
OK, there's a start. Open DNS and make sure there is a record for the other Domain Controller.

Are your DNS zones AD integrated?
aiplaAuthor Commented:
Yes, there are two or three entries for both DCs in "Forward Lookup Zones" with different names (e.g. exchange, mail, and (same as parent folder)) for the same IP address (192.168.1.10), and for the other DC (e.g. members and (same as parent folder)).

I don't know if the DNS zones are AD integrated. How can I tell?
Jay_Jay70Commented:
You can check under your zone properties. Just make sure that name resolution is indeed working; try the nslookup utility.

Also, can you run dcdiag for me?
aiplaAuthor Commented:
Domain Controller Diagnosis

Performing initial setup:
   * Connecting to directory service on server GOMEM.
   * Collecting site info.
   * Identifying all servers.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\GOMEM
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... GOMEM passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\GOMEM
      Starting test: Replications
         * Replications Check
         [Replications Check,GOMEM] A recent replication attempt failed:
            From EXCHANGE to GOMEM
            Naming Context: CN=Schema,CN=Configuration,DC=zzz,DC=zzz
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2006-05-18 10:55.41.
            The last success occurred at 2006-04-13 18:45.28.
            851 failures have occurred since the last success.
            The guid-based DNS name d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz
            is not registered on one or more DNS servers.
         [EXCHANGE] DsBind() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,GOMEM] A recent replication attempt failed:
            From EXCHANGE to GOMEM
            Naming Context: CN=Configuration,DC=zzz,DC=zzz
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2006-05-18 11:23.12.
            The last success occurred at 2006-04-13 19:36.32.
            7589 failures have occurred since the last success.
            The guid-based DNS name d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz
            is not registered on one or more DNS servers.
         [Replications Check,GOMEM] A recent replication attempt failed:
            From EXCHANGE to GOMEM
            Naming Context: DC=zzz,DC=zzz
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2006-05-18 11:20.42.
            The last success occurred at 2006-04-13 19:34.14.
            8474 failures have occurred since the last success.
            The guid-based DNS name d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz
            is not registered on one or more DNS servers.
         ......................... GOMEM passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=zzz,DC=zzz
         * Security Permissions Check for
           CN=Configuration,DC=zzz,DC=zzz
         * Security Permissions Check for
           DC=zzz,DC=zzz
         ......................... GOMEM passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... GOMEM passed test NetLogons
      Starting test: Advertising
         The DC GOMEM is advertising itself as a DC and having a DS.
         The DC GOMEM is advertising as an LDAP server
         The DC GOMEM is advertising as having a writeable directory
         The DC GOMEM is advertising as a Key Distribution Center
         The DC GOMEM is advertising as a time server
         The DS GOMEM is advertising as a GC.
         ......................... GOMEM passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=GOMEM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zzz,DC=zzz
         Role Domain Owner = CN=NTDS Settings,CN=GOMEM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zzz,DC=zzz
         Role PDC Owner = CN=NTDS Settings,CN=GOMEM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zzz,DC=zzz
         Role Rid Owner = CN=NTDS Settings,CN=GOMEM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zzz,DC=zzz
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=GOMEM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zzz,DC=zzz
         ......................... GOMEM passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3765 to 1073741823
         * GOMEM.zzz.zzz is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2253 to 2752
         * rIDNextRID: 2302
         * rIDPreviousAllocationPool is 2253 to 2752
         ......................... GOMEM passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/GOMEM.zzz.zzz/zzz.zzz
         * SPN found :LDAP/GOMEM.zzz.zzz
         * SPN found :LDAP/GOMEM
         * SPN found :LDAP/GOMEM.zzz.zzz/zzz
         * SPN found :LDAP/ca6e8894-cd01-4667-85f3-0ad230aa49f1.zzz.zzz
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ca6e8894-cd01-4667-85f3-0ad230aa49f1/zzz.zzz
         * SPN found :HOST/GOMEM.zzz.zzz/zzz.zzz
         * SPN found :HOST/GOMEM.zzz.zzz
         * SPN found :HOST/GOMEM
         * SPN found :HOST/GOMEM.zzz.zzz/ZZZZ
         * SPN found :GC/GOMEM.zzz.zzz/zzz.zzz
         ......................... GOMEM passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [GOMEM]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
            RPCLOCATOR Service is stopped on [GOMEM]
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
            TrkSvr Service is stopped on [GOMEM]
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
            IISADMIN Service is stopped on [GOMEM]
         * Checking Service: NtFrs
            SMTPSVC Service is stopped on [GOMEM]
         ......................... GOMEM failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         GOMEM is in domain DC=zzz,DC=zzz
         Checking for CN=GOMEM,OU=Domain Controllers,DC=zzz,DC=zzz in domain DC=zzz,DC=zzz on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=GOMEM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zzz,DC=zzz in domain CN=Configuration,DC=zzz,DC=zzz on 1 servers
            Object is up-to-date on all servers.
         ......................... GOMEM passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         The SYSVOL has been shared, and the AD is no longer
         prevented from starting by the File Replication Service.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         A Warning Event occurred.  EventID: 0x800034C4
            Time Generated: 05/10/2006   22:48:13
            Event String: The File Replication Service is having trouble
            enabling replication from EXCHANGE to GOMEM
            for g:\winnt\sysvol\domain using the DNS name
            EXCHANGE.zzz.zzz. FRS will keep retrying.
             Following are some of the reasons you would see
            this warning.

             [1] FRS can not correctly resolve the DNS name
            EXCHANGE.zzz.zzz from this computer.
             [2] FRS is not running on EXCHANGE.zzz.zzz.
             [3] The topology information in the Active
            Directory for this replica has not yet replicated
            to all the Domain Controllers.

             This event log message will appear once per
            connection, After the problem is fixed you will
            see another event log message indicating that the
            connection has been established.
         A Warning Event occurred.  EventID: 0x800034C5
            Time Generated: 05/10/2006   22:58:38
            Event String: The File Replication Service has enabled
            replication from EXCHANGE to GOMEM for
            g:\winnt\sysvol\domain after repeated retries.
         ......................... GOMEM passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... GOMEM passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... GOMEM passed test systemlog
   
   Running enterprise tests on : zzz.zzz
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... zzz.zzz passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GOMEM.zzz.zzz
         Locator Flags: 0xe00001fd
         PDC Name: \\GOMEM.zzz.zzz
         Locator Flags: 0xe00001fd
         Time Server Name: \\GOMEM.zzz.zzz
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\GOMEM.zzz.zzz
         Locator Flags: 0xe00001fd
         KDC Name: \\GOMEM.zzz.zzz
         Locator Flags: 0xe00001fd
         ......................... zzz.zzz passed test FsmoCheck
aiplaAuthor Commented:
Do you think my AD has some serious problems?
Jay_Jay70Commented:
I wouldn't say serious problems as yet; however, you DO need to start the services that failed, under the Services snap-in:

Starting test: Services

         * Checking Service: IsmServ
            IsmServ Service is stopped on [GOMEM]

         * Checking Service: RPCLOCATOR
            RPCLOCATOR Service is stopped on [GOMEM]

         * Checking Service: TrkSvr
            TrkSvr Service is stopped on [GOMEM]

         * Checking Service: Dnscache
            IISADMIN Service is stopped on [GOMEM]

         * Checking Service: NtFrs
            SMTPSVC Service is stopped on [GOMEM]
         ......................... GOMEM failed test Services
aiplaAuthor Commented:
I started all of the services you mentioned, but I am still getting the same error message when I try to "replicate now." The error message is, "The following error occurred during the attempt to synchronize the domain controllers: The DSA operation is unable to proceed because of a DNS lookup failure...".

Do I need to have these services running on the other DC as well?
aiplaAuthor Commented:
Here are the results after running dcdiag on the other DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\EXCHANGE
      Starting test: Connectivity
         d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz) couldn't be
         resolved, the server name (EXCHANGE.zzz.zzz) resolved to the IP
         address (192.168.1.14) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... EXCHANGE failed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\EXCHANGE
      Skipping all tests, because server EXCHANGE is
      not responding to directory service requests
   
   Running enterprise tests on : zzz.zzz
      Starting test: Intersite
         ......................... zzz.zzz passed test Intersite
      Starting test: FsmoCheck
         ......................... zzz.zzz passed test FsmoCheck
Jay_Jay70Commented:
Start them on both DCs, yes.
feptiasCommented:
The unresolved GUID DNS errors must surely be significant. I looked in the EE knowledgebase to see if there were any useful answers for that error and there were a couple of ideas that might be relevant, both from the same question:

"Under the forward lookup zone -> _msdcs folder ensure you have an SRV record for the server in question. In my case I was missing one of my DCs. I got the GUID from dcdiag and added the CNAME record manually. Replication kicked in right away."

"Delete the DNS "." folder and reboot."

Pasted from <http://www.experts-exchange.com/Networking/Q_20872077.html>

Hope this helps.
aiplaAuthor Commented:
Services on both DCs are now started and I am still getting the same error when I try to "replicate now."
aiplaAuthor Commented:
Do I add (d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz) to the folder Forward Lookup Zones, zzz.zzz, _msdcs, dc, _sites, default-first-site-name, _tcp? And do I add this as a "Host" or under "Other New Records"? Do I need to add this to another folder?

Also, is the folder "." I need to delete under "Cached Lookups"?
feptiasCommented:
The suggestion about deleting the "." folder would only apply if you had a "." folder in the forward lookup zones, not in the Cached Lookups. (Before you try deleting anything like that, please just look and see if there is a folder with that name in the Forward Lookup Zones on either DC, then report back.)

The other suggestion about manually adding the GUID record is, again, only relevant if you are missing that record in the first place. Windows should add those records itself when you promote the server to be a DC. It is a CNAME record, not a Host record. Based on the records in my own DC it looks like it should be located in:
Forward Lookup Zones, zzz.zzz
aiplaAuthor Commented:
No, I don't see a "." folder in the forward lookup zones. The only folders I see are: _msdcs, _sites, _tcp, _udp, and internal (with "(same as parent folder)" under "Name", NS under "Type", and gomem.zzz.zzz. under "Data"). I didn't see "d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz" in Forward Lookup Zones, zzz.zzz, so I added it.

I will wait to hear back from you before I do anything else. Thanks.
aiplaAuthor Commented:
I just ran "replicate now" and it appears to be working. I will continue to monitor it, and hopefully, barring any major problems, you won't hear back from me on this topic. Many thanks for your assistance!
feptiasCommented:
In the _msdcs folder, there should be two GUID records, one for each DC. The GUID value (the long number) is different for each DC so you might need to run dcdiag on each of your DCs to get the GUID value. It is a CNAME record so it has to point to a Host (A) record - it cannot point to an IP address. The host record it should point to is the Host (A) record of the DC server. So, one of those GUID records will point to exchange.zzz.zzz. and the other will point to gomem.zzz.zzz.. Please note that they are FQDNs - i.e. they end with a . after the org (use the Browse button in the properties of the CNAME record to navigate to the correct FQDN if you are unsure).

After you add the records manually, run dcdiag again and see if that error message has gone.

Can you please clarify - have you got a DNS server running on each of your DCs or only one?
If more than one, are they configured as a primary and secondary, two primaries, or AD-integrated (this info is shown on the General tab of the Properties of the Fwd lookup zone called zzz.zzz)?

I may have to go soon and can't guarantee to keep in touch very often over the weekend. Sorry, I was just trying to give some useful pointers - not to get *too* involved. Unfortunately, I would not expect JJ70 to be on-line now either considering what time it is in Australia.
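A check for the record feptias describes above, added here as an example and not part of the thread: for every DC it derives the expected GUID-based CNAME from the objectGUID of the DC's NTDS Settings object, resolves it in the forest-root _msdcs zone, and confirms it points at that DC's own Host (A) record. It assumes the RSAT ActiveDirectory and DnsClient PowerShell modules (much newer than the Windows 2000 servers in the question) and a domain-joined account with read access to the directory.

```powershell
# Added example (not from the thread): audit the GUID-based CNAME records
# that AD replication depends on. A missing or wrong record is what dcdiag
# reports as error 8524 / "DNS lookup failure" in the Replications test.
Import-Module ActiveDirectory
Import-Module DnsClient

$forest = Get-ADForest
# The GUID CNAMEs live in _msdcs under the forest root domain, e.g. _msdcs.zzz.zzz
$msdcsZone = "_msdcs.$($forest.RootDomain)"

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # The GUID in the record is the objectGUID of the NTDS Settings object,
    # not the GUID of the computer account or the server object.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $expectedName   = "$($ntds.objectGUID).$msdcsZone"
    $expectedTarget = $dc.HostName.TrimEnd('.')

    # Resolve-DnsName may also return the A record the CNAME chases, so keep only the CNAME itself.
    $cname = Resolve-DnsName -Name $expectedName -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $aRecs = Resolve-DnsName -Name $expectedTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }

    # String comparison (-ne) is case-insensitive in PowerShell, which is what DNS names need.
    $status = if (-not $cname) { 'CNAME missing in _msdcs' }
              elseif ($cname.NameHost.TrimEnd('.') -ne $expectedTarget) { 'CNAME points at the wrong host' }
              elseif (-not $aRecs) { 'Host (A) record for the DC is missing' }
              else { 'OK' }

    [pscustomobject]@{
        DC          = $dc.HostName
        GuidCname   = $expectedName
        CnameTarget = if ($cname) { $cname.NameHost } else { '<missing>' }
        HostARecord = if ($aRecs) { $aRecs.IPAddress -join ',' } else { '<missing>' }
        Status      = $status
    }
}

$results | Format-Table -AutoSize
```

Run it from any domain member after a DC's DNS has been touched; any row whose Status is not OK is the record to fix (or to let NETLOGON re-register by restarting the Net Logon service on that DC) before forcing replication again.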
feptiasCommented:
Our comments crossed in the post!
Great that it appears to be working. Have a good weekend.

John
aiplaAuthor Commented:
There was only one GUID entry in that folder, so I added the d743f28a-aaaa-aaaa-96bd-ed8d4aa70f60.zzz.zzz and just copied the naming convention from the other one, ran the replicate now and it worked.

Also, will the information I have given you compromise my system should someone wanting to do any maliciousness on my network get hold of it? If so, is there a way to delete this information or make it anonymous?

Thanks again!
feptiasCommented:
I don't think so - not if your firewall is sound and your domain security policies for users etc. are in order. I'm sure I wouldn't know where to start even if I did want to do mischief using the GUIDs, but then hacking has never interested me (other than knowing how to block it).

However, if you are concerned then it would be best to ask the moderators by posting a question in the Community Support topic area (On the Home tab, under "Common Questions" click the "Need Assistance?" link). Give your question a vague title like "Please review/possible delete of question" and then explain your concerns in the body of the question. You must also include a link back to this question or at the very least quote its number.
Jay_Jay70Commented:
Wow, I have missed a lot while I slept. When did your replication start working again? What did you do?
feptiasCommented:
Hi Jay_Jay
Re resolution of this question: The question was resolved so I assume aipla is not going to expect points to be refunded. It would seem fair to PAQ and split the points between the main contributors (including yourself) in my opinion.
Regards
John