techguy07
DNS entries are not registered correctly in the other site's domain
Hi Guys,
My problem is this: I am setting up a child domain at Site2 that connects to Site1. From the Site2 child domain, connecting to the Site1 parent domain works just fine; I can view and browse the parent domain directory and domain controller objects such as users and groups.
From Site1, the parent domain, I cannot browse or view Site2's child domain objects and directory.
Site1 domain name structure
hostname: DC-Site1
Domain name: ParentDom.Local
Site1 contains an additional domain
hostname: ADC-Site1
FQ Host Name: ADC-Site1.ParentDom.Local
Site2 domain name structure
hostname: DC-Site2
Domain name: ChildDom.ParentDom.Local
I checked the trust relationship from the Site1 parent domain Active Directory and tried to validate it, or to create a new trust; it prompts:
"Windows cannot find the domain controller for the DC-Site2.ParentDom.Local. Verify that a DC is available and try again"
My configuration:
Site1: DNS and ip setting
ip: 192.168.1.2/24
gw: 192.168.1.1
dns:
prefer dns: 192.168.1.2
alter dns: 192.168.2.2
wins: 192.168.1.2, 192.168.2.2
Site1 DNS allows dynamic updates.
Site2 Configuration
Site2: DNS and ip setting
ip: 192.168.2.2/24
gw: 192.168.2.1
dns:
prefer dns: 192.168.2.2
alter dns: 192.168.1.2
wins: 192.168.2.2, 192.168.1.2
DNS: "Append these DNS suffixes (in order)" is enabled with the Site1 (parent domain) domain name so that it can be pinged by name.
Site2 DNS allows dynamic updates, and a forwarder is enabled: IP 192.168.1.2.
Then I ran netdiag /l /test:dns on Site1; the output is:
--------------------------
PASS - All the DNS entries for DC are registered on DNS server '192.168.1.2' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.2.2'. Please wait for 30 minutes for DNS server replication.
The command completed successfully
--------------------------
Then I ran netdiag /l /test:dns on Site2; the output is:
--------------------------
PASS - All the DNS entries for DC are registered on DNS server '192.168.2.2'.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.2'. Please wait for 30 minutes for DNS server replication.
The command completed successfully
--------------------------
I ran DCDIAG.EXE /v on Site2; the output is:
--------------------------
DC Diagnosis
Performing initial setup:
* Verifing that the local machine DC-Site2, is a DC.
* Connecting to directory service on server DC-Site2.
* Collecting site info.
* Identifying all servers.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial non skippeable tests
Testing server: Default-First-Site-Name\DC-Site2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-Site2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC-Site2
Starting test: Replications
* Replications Check
[Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
Replication access was denied..
[Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
Replication access was denied..
......................... DC-Site2 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
DC=ChildDom,DC=ParentDom.Local
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=ParentDom.Local
* Security Permissions Check for
CN=Configuration,DC=ParentDom.Local
......................... DC-Site2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... DC-Site2 passed test NetLogons
Starting test: Advertising
The DC DC-Site2 is advertising itself as a DC and having a DS.
The DC DC-Site2 is advertising as an LDAP server
The DC DC-Site2 is advertising as having a writeable directory
The DC DC-Site2 is advertising as a Key Distribution Center
The DC DC-Site2 is advertising as a time server
......................... DC-Site2 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role Domain Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role PDC Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role Rid Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
......................... DC-Site2 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 1603 to 1073741823
* DC-Site2.ChildDom.ParentDom.Local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1103 to 1602
* rIDNextRID: 1108
* rIDPreviousAllocationPool is 1103 to 1602
......................... DC-Site2 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local/ChildDom.ParentDom.Local
* SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local
* SPN found :LDAP/DC-Site2
* SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local/ChildDom
* SPN found :LDAP/e1688926-75af-4442-a9c6-0c67a9d58e16._msdcs.ParentDom.Local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e1688926-75af-4442-a9c6-0c67a9d58e16/ChildDom.ParentDom.Local
* SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local/ChildDom.ParentDom.Local
* SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local
* SPN found :HOST/DC-Site2
* SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local/ChildDom
* SPN found :GC/DC-Site2.ChildDom.ParentDom.Local/ParentDom.Local
......................... DC-Site2 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
* Checking Service: NtFrs
......................... DC-Site2 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DC-Site2 is in domain DC=ChildDom,DC=ParentDom.Local
Checking for CN=DC-Site2,OU=Domain Controllers,DC=ChildDom,DC=ParentDom.Local in domain DC=ChildDom,DC=ParentDom.Local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local in domain CN=Configuration,DC=ParentDom.Local on 1 servers
Object is up-to-date on all servers.
......................... DC-Site2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... DC-Site2 passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... DC-Site2 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 07/15/2006 19:09:54
Event String: Driver Samsung CLP-500 Series required for
printer __ADC-Site1_Samsung CLP-500 Series is unknown.
Contact the administrator to install the driver
before you log in again.
......................... DC-Site2 failed test systemlog
Running enterprise tests on : ParentDom.Local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... ParentDom.Local passed test Intersite
Starting test: FsmoCheck
GC Name: \\AD.ParentDom.Local
Locator Flags: 0xe00003fd
PDC Name: \\DC-Site2.ChildDom.ParentDom.Local
Locator Flags: 0xe00001f9
Time Server Name: \\DC-Site2.ChildDom.ParentDom.Local
Locator Flags: 0xe00001f9
Preferred Time Server Name: \\DC-Site2.ChildDom.ParentDom.Local
Locator Flags: 0xe00001f9
KDC Name: \\DC-Site2.ChildDom.ParentDom.Local
Locator Flags: 0xe00001f9
......................... ParentDom.Local passed test FsmoCheck
--------------------------
My questions:
Question 1
DCDIAG test
Testing server: Default-First-Site-Name\DC-Site2
Starting test: Replications
* Replications Check
[Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
Replication access was denied..
[Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
Replication access was denied..
......................... DC-Site2 passed test Replications
How do I fix this?
Question 2
What steps do I need to take in order for Site1 to be able to view the Site2 child domain objects, and the trust?
Alternatively, Site2 can log on to Site1 (ParentDom.Local) from Site2,
but Site1 cannot log on to ChildDom from Site1.
As far as my DNS configuration goes, I can ping both sides by name;
the problem is just that Site1 cannot contact the Site2 domain.
Let me know if I can provide any other information.
Thanks a bunch!
ASKER
I just ran the DCDIAG /V test on Site1 ParentDom.Local and I get the fail message for this service. All other services passed.
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 07/15/2006 10:28:07
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C5
Time Generated: 07/15/2006 10:28:57
(Event String could not be retrieved)
......................... AD failed test frsevent
How do I fix it, and what caused it? Is this problem major?
ASKER
This is a full DCDiag test on Site1
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine DC-Site1, is a DC.
* Connecting to directory service on server DC-Site1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC-Site1
Starting test: Connectivity
* Active Directory LDAP Services Check
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS
* Active Directory RPC Services Check
......................... DC-Site1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC-Site1
Starting test: Replications
* Replications Check
[DC-Site2] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 1876 (DcDiag)
System Time is: 7/16/2006 3:6:45:437
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.
Detection location is 322
Error Record 2, ProcessID is 1876 (DcDiag)
System Time is: 7/16/2006 3:6:45:437
Generating component is 8 (winsock)
Status is 11001: No such host is known.
Detection location is 320
NumberOfParameters is 1
Unicode string: e1688926-75af-4442-a9c6-0c67a9d58e16._msdcs.ParentDom.Local
* Replication Latency Check
CN=Schema,CN=Configuration,DC=ParentDom.Local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
CN=Configuration,DC=ParentDom.Local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
DC=ParentDom.Local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
DC=ChildDom,DC=ParentDom.Local
Latency information for 1 entries in the vector were ignored.
0 were retired Invocations. 1 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
* Replication Site Latency Check
......................... DC-Site1 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC-Site1.
* Security Permissions Check for
DC=ForestDnsZones,DC=ParentDom.Local
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=ParentDom.Local
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=ParentDom.Local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=ParentDom.Local
(Configuration,Version 2)
* Security Permissions Check for
DC=ParentDom.Local
(Domain,Version 2)
* Security Permissions Check for
DC=ChildDom,DC=ParentDom.Local
(Domain,Version 1)
......................... DC-Site1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC-Site1\netlogon
Verified share \\DC-Site1\sysvol
......................... DC-Site1 passed test NetLogons
Starting test: Advertising
The DC DC-Site1 is advertising itself as a DC and having a DS.
The DC DC-Site1 is advertising as an LDAP server
The DC DC-Site1 is advertising as having a writeable directory
The DC DC-Site1 is advertising as a Key Distribution Center
The DC DC-Site1 is advertising as a time server
The DS DC-Site1 is advertising as a GC.
......................... DC-Site1 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role Domain Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role PDC Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role Rid Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
......................... DC-Site1 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4603 to 1073741823
* DC-Site1.ParentDom.Local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1603 to 2102
* rIDPreviousAllocationPool is 1603 to 2102
* rIDNextRID: 1788
......................... DC-Site1 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC DC-Site1 on DC DC-Site1.
* SPN found :LDAP/DC-Site1.ParentDom.Local/ParentDom.Local
* SPN found :LDAP/DC-Site1.ParentDom.Local
* SPN found :LDAP/DC-Site1
* SPN found :LDAP/DC-Site1.ParentDom.Local/ParentDom.Local
* SPN found :LDAP/5bbdf621-c1a9-4127-acae-655515f7961e._msdcs.ParentDom.Local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bbdf621-c1a9-4127-acae-655515f7961e/ParentDom.Local
* SPN found :HOST/DC-Site1.ParentDom.Local/ParentDom.Local
* SPN found :HOST/DC-Site1.ParentDom.Local
* SPN found :HOST/DC-Site1
* SPN found :HOST/DC-Site1.ParentDom.Local/ParentDom.Local
* SPN found :GC/DC-Site1.ParentDom.Local/ParentDom.Local
......................... DC-Site1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC-Site1 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DC-Site1 is in domain DC=ParentDom.Local
Checking for CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local in domain DC=ParentDom.Local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local in domain CN=Configuration,DC=ParentDom.Local on 1 servers
Object is up-to-date on all servers.
......................... DC-Site1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC-Site1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 07/15/2006 10:28:07
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C5
Time Generated: 07/15/2006 10:28:57
(Event String could not be retrieved)
......................... DC-Site1 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... DC-Site1 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 07/15/2006 20:02:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/15/2006 20:02:03
(Event String could not be retrieved)
......................... DC-Site1 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local and backlink on
CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
are correct.
The system object reference (frsComputerReferenceBL)
CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ParentDom.Local
and backlink on CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local are correct.
The system object reference (serverReferenceBL)
CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ParentDom.Local
and backlink on
CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
are correct.
......................... DC-Site1 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : ParentDom.Local
Starting test: CrossRefValidation
......................... ParentDom.Local passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ParentDom.Local passed test CheckSDRefDom
Running enterprise tests on : ParentDom.Local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... ParentDom.Local passed test Intersite
Starting test: FsmoCheck
GC Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
PDC Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
Time Server Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
KDC Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
......................... ParentDom.Local passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
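The netdiag "not registered correctly on DNS server" warnings in the question and the 11001 "No such host is known" error for the e1688926-... _msdcs CNAME in this dcdiag run both describe the same condition: locator records that one DC registers are not resolvable from the other site's DNS server. The check below is an added example and is not part of the original post or of any Microsoft tool; it assumes the two DNS server addresses and the two DSA GUIDs shown in the post, the standard AD locator record names, and a Windows 8 / Server 2012 or later host where Resolve-DnsName is available.

```powershell
# Added example (not from the original post): ask each site's DNS server directly for the
# records the DC locator and replication need, and report which are missing on which server.

$DnsServers = @('192.168.1.2', '192.168.2.2')   # Site1 DNS and Site2 DNS, as listed in the post

# DSA GUIDs taken from the dcdiag output in the post; replication binds resolve
# <guid>._msdcs.<forest root> as a CNAME, which is exactly the name that failed with 11001.
$Dsa = @{
    'DC-Site1.ParentDom.Local'          = '5bbdf621-c1a9-4127-acae-655515f7961e'
    'DC-Site2.ChildDom.ParentDom.Local' = 'e1688926-75af-4442-a9c6-0c67a9d58e16'
}

$Checks = @(
    @{ Name = "$($Dsa['DC-Site2.ChildDom.ParentDom.Local'])._msdcs.ParentDom.Local"; Type = 'CNAME' }
    @{ Name = "$($Dsa['DC-Site1.ParentDom.Local'])._msdcs.ParentDom.Local";          Type = 'CNAME' }
    @{ Name = '_ldap._tcp.dc._msdcs.ParentDom.Local';                               Type = 'SRV' }
    @{ Name = '_ldap._tcp.dc._msdcs.ChildDom.ParentDom.Local';                      Type = 'SRV' }
    @{ Name = '_kerberos._tcp.dc._msdcs.ChildDom.ParentDom.Local';                  Type = 'SRV' }
    @{ Name = '_ldap._tcp.gc._msdcs.ParentDom.Local';                               Type = 'SRV' }
    @{ Name = 'DC-Site1.ParentDom.Local';                                           Type = 'A' }
    @{ Name = 'ADC-Site1.ParentDom.Local';                                          Type = 'A' }
    @{ Name = 'DC-Site2.ChildDom.ParentDom.Local';                                  Type = 'A' }
)

function Test-LocatorRecord {
    param([string]$Server, [string]$Name, [string]$Type)
    try {
        # -DnsOnly bypasses the local cache, hosts file, NetBIOS and LLMNR, so the answer
        # (or the failure) really comes from the server named in -Server.
        $answers = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $Type }
        if (-not $answers) {
            return [pscustomobject]@{ Server = $Server; Name = $Name; Type = $Type; Status = 'NO DATA'; Target = '' }
        }
        $target = switch ($Type) {
            'SRV'   { ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ' }
            'CNAME' { ($answers | ForEach-Object { $_.NameHost }) -join ', ' }
            default { ($answers | ForEach-Object { $_.IPAddress }) -join ', ' }
        }
        [pscustomobject]@{ Server = $Server; Name = $Name; Type = $Type; Status = 'OK'; Target = $target }
    } catch {
        # NXDOMAIN, a timeout and an unreachable server all end up here; the message says which.
        [pscustomobject]@{ Server = $Server; Name = $Name; Type = $Type; Status = 'MISSING'; Target = $_.Exception.Message }
    }
}

$results = foreach ($s in $DnsServers) {
    foreach ($c in $Checks) { Test-LocatorRecord -Server $s -Name $c.Name -Type $c.Type }
}
$results | Format-Table Server, Name, Type, Status, Target -AutoSize

# The symptom in the post is asymmetry: a record answers on one server but not the other.
# A record missing on both servers points at registration (Netlogon / dynamic update);
# a record present on only one points at zone replication or at which server owns the zone.
$asymmetric = $results | Group-Object Name, Type | Where-Object {
    ($_.Group.Status | Select-Object -Unique).Count -gt 1
}
if ($asymmetric) {
    Write-Warning 'Records that answer on only one of the DNS servers:'
    $asymmetric | ForEach-Object { $_.Group } | Format-Table Server, Name, Type, Status -AutoSize
} else {
    Write-Host 'All checked records answer identically on both DNS servers.'
}
```

Run it from a machine that can reach both servers on UDP/TCP 53; a MISSING result for a CNAME under _msdcs.ParentDom.Local on 192.168.1.2 reproduces the 11001 error from the Site1 dcdiag run without waiting for a replication cycle.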
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine DC-Site1, is a DC.
* Connecting to directory service on server DC-Site1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC
Starting test: Connectivity
* Active Directory LDAP Services Check
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS
* Active Directory RPC Services Check
......................... DC-Site1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC
Starting test: Replications
* Replications Check
[DC-Site2] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 1876 (DcDiag)
System Time is: 7/16/2006 3:6:45:437
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.
Detection location is 322
Error Record 2, ProcessID is 1876 (DcDiag)
System Time is: 7/16/2006 3:6:45:437
Generating component is 8 (winsock)
Status is 11001: No such host is known.
Detection location is 320
NumberOfParameters is 1
Unicode string: e1688926-75af-4442-a9c6-0c
* Replication Latency Check
CN=Schema,CN=Configuration
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
CN=Configuration,DC=Parent
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
DC=ParentDom.Local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
DC=ChildDom,DC=ParentDom.L
Latency information for 1 entries in the vector were ignored.
0 were retired Invocations. 1 were either: read-only replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0 had no
latency information (Win2K DC).
* Replication Site Latency Check
......................... DC-Site1 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC-Site1.
* Security Permissions Check for
DC=ForestDnsZones,DC=Paren
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=Paren
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=Parent
(Configuration,Version 2)
* Security Permissions Check for
DC=ParentDom.Local
(Domain,Version 2)
* Security Permissions Check for
DC=ChildDom,DC=ParentDom.L
(Domain,Version 1)
......................... DC-Site1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC-Site1\netlogon
Verified share \\DC-Site1\sysvol
......................... DC-Site1 passed test NetLogons
Starting test: Advertising
The DC DC-Site1 is advertising itself as a DC and having a DS.
The DC DC-Site1 is advertising as an LDAP server
The DC DC-Site1 is advertising as having a writeable directory
The DC DC-Site1 is advertising as a Key Distribution Center
The DC DC-Site1 is advertising as a time server
The DS DC-Site1 is advertising as a GC.
......................... DC-Site1 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC-Site1,CN=Se
Site-Name,CN=Sites,CN=Conf
Role Domain Owner = CN=NTDS Settings,CN=DC-Site1,CN=Se
Site-Name,CN=Sites,CN=Conf
Role PDC Owner = CN=NTDS Settings,CN=DC-Site1,CN=Se
e-Name,CN=Sites,CN=Configu
Role Rid Owner = CN=NTDS Settings,CN=DC-Site1,CN=Se
e-Name,CN=Sites,CN=Configu
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-Site1,CN=Se
=Default-First-Site-Name,C
......................... DC-Site1 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4603 to 1073741823
* DC-Site1.ParentDom.Local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1603 to 2102
* rIDPreviousAllocationPool is 1603 to 2102
* rIDNextRID: 1788
......................... DC-Site1 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC DC-Site1 on DC DC-Site1.
* SPN found :LDAP/DC-Site1.ParentDom.L
* SPN found :LDAP/DC-Site1.ParentDom.L
* SPN found :LDAP/DC-Site1
* SPN found :LDAP/DC-Site1.ParentDom.L
* SPN found :LDAP/5bbdf621-c1a9-4127-a
* SPN found :E3514235-4B06-11D1-AB04-0
ae-655515f7961e/ParentDom.
* SPN found :HOST/DC-Site1.ParentDom.L
* SPN found :HOST/DC-Site1.ParentDom.L
* SPN found :HOST/DC-Site1
* SPN found :HOST/DC-Site1.ParentDom.L
* SPN found :GC/DC-Site1.ParentDom.Loc
......................... DC-Site1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC-Site1 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DC-Site1 is in domain DC=ParentDom.Local
Checking for CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.L
vers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC-Site1,CN=Se
me,CN=Sites,CN=Configurati
Object is up-to-date on all servers.
......................... DC-Site1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC-Site1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 07/15/2006 10:28:07
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C5
Time Generated: 07/15/2006 10:28:57
(Event String could not be retrieved)
......................... DC-Site1 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minut
es.
......................... DC-Site1 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 07/15/2006 20:02:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/15/2006 20:02:03
(Event String could not be retrieved)
......................... DC-Site1 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.L
CN=DC-Site1,CN=Servers,CN=
C=ParentDom.Local
are correct.
The system object reference (frsComputerReferenceBL)
CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Servic
e,CN=System,DC=ParentDom.L
and backlink on CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.L
The system object reference (serverReferenceBL)
CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Servic
e,CN=System,DC=ParentDom.L
and backlink on
CN=NTDS Settings,CN=DC-Site1,CN=Se
N=Configuration,DC=ParentD
are correct.
......................... DC-Site1 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : ParentDom.Local
Starting test: CrossRefValidation
......................... ParentDom.Local passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ParentDom.Local passed test CheckSDRefDom
Running enterprise tests on : ParentDom.Local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... ParentDom.Local passed test Intersite
Starting test: FsmoCheck
GC Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
PDC Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
Time Server Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
KDC Name: \\DC-Site1.ParentDom.Local
Locator Flags: 0xe00003fd
......................... ParentDom.Local passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
ASKER
Please review the Site1 DCDIAG log and show me what I need to fix. I believe there are 1 warning and 2 errors on the Repl
To set this up properly, normally the following are done:
1) Set the root DC (in the parent) to sync with an external timesource. http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
2) Make sure there are absolutely NO ISP DNS addresses on ANY network interface inside your LAN (both main and remote sites). The only place to put this address is on the Forwarder tab of EACH DNS server you have.
3) On the parent DNS server, the _msdcs.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the FOREST.
4) On the parent DNS server, the parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the DOMAIN.
5) On the Forwarder tab of the parent DNS server, you setup Conditional Forwarding for the child domain. Point this to the DNS server in the child domain.
6) On the child domain DNS server, the child.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the domain.
7) On the child domain DNS server, setup Conditional Forwarding so the parentdom.local queries are sent to the parent DNS server.
8) Point the main site clients and servers to the main site DNS and any secondary you may also have. NO ISP addresses here.
9) Point the remote site clients and servers to the remote site's DNS only. Use only local secondaries - do not point them to the main site as a secondary since it has no idea what is part of the child domain.
10) If any server has 2 NICs, make sure the LAN-side card is at the top of the binding order and both DNS and DHCP (if you run it) are servicing only that interface.
Once all this is correct, restart the Netlogon service on each server then run IPCONFIG /flushdns and IPCONFIG /registerdns from the CMD prompt on each server.
Check DNS carefully now to ensure all SRV records are present in the correct domains. Remove any entries for servers that are in the wrong zones.
Wait a while for the KCC to recalculate the topology and for FRS to start working properly.
Let us know.
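An added example, not part of the thread and not something Netman66 posted: a PowerShell script that performs the checks behind steps 2, 8 and 9 and the "check DNS carefully" step, the same way netdiag and dcdiag were testing them above. It assumes Windows Server 2012 or later, where Resolve-DnsName and Get-DnsClientServerAddress exist; the 2000/2003 servers in this thread had nslookup -type=SRV and ipconfig /all instead. Domain names, site name and addresses are the ones from the question; the list of locator records is the standard set Netlogon registers and is not taken from the page.

```powershell
# Added example, not from the thread. Audits what netdiag/dcdiag were complaining about
# above: whether each DNS server a DC points at can answer for the DC locator (SRV)
# records, and whether any DNS client address lies outside the LAN (Netman66's steps 2,
# 8 and 9). Assumes Windows Server 2012 or later for Resolve-DnsName and
# Get-DnsClientServerAddress. Names and addresses are the ones from the question.
param(
    [string]   $Domain           = 'ChildDom.ParentDom.Local',   # domain of the DC being checked
    [string]   $ForestRoot       = 'ParentDom.Local',
    [string]   $Site             = 'Default-First-Site-Name',
    [string[]] $DnsServers       = @('192.168.2.2', '192.168.1.2'),
    [string[]] $InternalPrefixes = @('192.168.1.', '192.168.2.')  # anything else counts as an ISP address
)

# SRV names Netlogon registers for a DC and that dcdiag /test:dns expects to resolve.
# The GC records hang off the forest root, so a child-domain DC needs the parent zone
# reachable (conditional forwarder or delegation) even when its own zone is fine.
function Get-ExpectedLocatorRecord {
    param([string]$Domain, [string]$ForestRoot, [string]$Site)
    @(
        "_ldap._tcp.$Domain"
        "_kerberos._tcp.$Domain"
        "_ldap._tcp.dc._msdcs.$Domain"
        "_kerberos._tcp.dc._msdcs.$Domain"
        "_ldap._tcp.pdc._msdcs.$Domain"
        "_ldap._tcp.$Site._sites.$Domain"
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
        "_gc._tcp.$ForestRoot"
        "_ldap._tcp.gc._msdcs.$ForestRoot"
    )
}

# Ask one DNS server for every name; return the names it cannot answer for.
function Test-LocatorRecord {
    param([string[]]$Name, [string]$Server)
    $missing = @()
    foreach ($n in $Name) {
        try {
            $srv = Resolve-DnsName -Name $n -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if (-not $srv) { $missing += $n }
        } catch {
            $missing += $n   # NXDOMAIN, SERVFAIL or no answer all mean "not registered here"
        }
    }
    return $missing
}

# Steps 2/8/9: every adapter's DNS server list must contain LAN addresses only.
function Get-ForeignDnsClientAddress {
    param([string[]]$InternalPrefixes)
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($addr in $iface.ServerAddresses) {
            $isInternal = $false
            foreach ($p in $InternalPrefixes) { if ($addr.StartsWith($p)) { $isInternal = $true } }
            if (-not $isInternal) { "$($iface.InterfaceAlias): $addr" }
        }
    }
}

if ($ForestRoot -notmatch '\.') {
    # The asker's real forest root turned out to be a single label; registration and
    # DC location in such a zone need the settings described in KB 300684 (linked below).
    Write-Host "WARN  '$ForestRoot' is a single-label DNS name; expect registration failures unless KB 300684 is applied"
}

$expected = Get-ExpectedLocatorRecord -Domain $Domain -ForestRoot $ForestRoot -Site $Site
foreach ($server in $DnsServers) {
    $missing = @(Test-LocatorRecord -Name $expected -Server $server)
    if ($missing.Count -eq 0) {
        Write-Host "PASS  $server answers for all $($expected.Count) locator records"
    } else {
        # This is the netdiag WARNING from the question: records present on one server,
        # absent on the other, because that server neither hosts nor forwards for the zone
        # (or AD-integrated zone replication has not caught up yet).
        Write-Host "FAIL  $server cannot answer for:"
        $missing | ForEach-Object { Write-Host "        $_" }
    }
}

$foreign = @(Get-ForeignDnsClientAddress -InternalPrefixes $InternalPrefixes)
if ($foreign.Count -gt 0) {
    Write-Host 'FAIL  non-LAN DNS addresses on the client side; move them to the Forwarders tab:'
    $foreign | ForEach-Object { Write-Host "        $_" }
} else {
    Write-Host 'PASS  DNS client points only at internal DNS servers'
}
```

Run it on each DC with that DC's own domain as -Domain. In the setup from the question, querying 192.168.1.2 for the child-domain records fails until the parent DNS server has a conditional forwarder or delegation for ChildDom.ParentDom.Local, and querying 192.168.2.2 for the _gc._tcp record fails until the child DNS server forwards ParentDom.Local queries to the parent; those two failures are the "not registered correctly on DNS server" warning and the 1722 "RPC server is unavailable" bind error in the logs above.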
ASKER
2) Make sure there are absolutely NO ISP DNS addresses on ANY network interface inside your LAN (both main and remote sites). The only place to put this address is on the Forwarder tab of EACH DNS server you have.
--------------------------
The only place to put this address is on the Forwarder ...
Do you mean the ISP DNS, if I prefer? Or the internal DNS of each domain in which I am hosting Active Directory-integrated DNS?
The ISP DNS.
Do not forward between your domains. It's needless bandwidth. Just forward directly from each DNS server to the ISP. The Conditional Forwarding I mentioned above will take care of the other domains.
ASKER
I notice that if I don't put 192.168.1.2 (Site1 DNS) in the ParentDom - properties - DNS Forwarder for the Site2 domain, then when I do DCDIAG /v I get the output CONNECTIVITY FAILURE. So to make this clear, I should put an external DNS in the forwarder? I don't use any external DNS...
And if I don't manually put parentdom.local in the Append these DNS suffixes (in order) on the Site2 TCP/IP DNS settings, then it cannot ping by name. Do I really have to put parentdom.local as a DNS suffix?
6) On the child domain DNS server, the child.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the domain.
(I checked the child.parentdom.local zone: it is AD integrated with secure updates only, but there is no "replicate to all DNS servers in the domain"; I am running Windows 2000 Advanced Server in the Site2 child domain.)
--------------------------
8) Point the main site clients and servers to the main site DNS and any secondary you may also have. NO ISP addresses here.
9) Point the remote site clients and servers to the remote site's DNS only. Use only local secondaries - do not point them to the main site as a secondary since it has no idea what is part of the child domain.
I don't get #8 and #9.
Do you mean from the TCP/IP DNS properties I don't put the DNS IP of each server, just the DNS IP of the server's own domain?
Let's say in the Site1 DNS properties I put 192.168.1.2 and not 192.168.2.2?
Same thing for the Site2 DNS properties: I put 192.168.2.2 and not 192.168.1.1?
--------------------------
How about the Append these DNS suffixes (in order)?
ASKER
I forgot to mention that we have an IP TABLES (NETFILTER) firewall proxy running... I don't know if this affects the settings... somehow Site2 can access and log on to parentdom.local,
but from Site1 I cannot log on to child.parentdom.local...
ASKER
The only thing is that, when I view the security properties of an object from Site1 parentdom.local,
such as:
DNS - Site1-DC - Forward Lookup Zones - _msdcs.parentdom.local - Properties, Security
I can see the correct name for the child domain group, e.g. Site2-DC$ (CHILDDOM\SITE2-DC$)
and/or
when I go to
Active Directory Sites and Services
Sites
Default-First-Site-Name
Servers
ChildDom
NTDS Settings
<automatically generated> Site1-DC Default-First-Site-Name
Properties - Security - Domain Admins (ChildDom\Domain Admins)
When I click Add and browse for a location, parentdom.local - ChildDom.Local,
I cannot view the directory or find the names or groups.
I don't understand why it can show the (ChildDom\Domain Admins) group but cannot find the domain.
ASKER
So can I use any ISP DNS, or do I have to use my ISP's DNS?
ASKER
5) On the Forwarder tab of the parent DNS server, you setup Conditional Forwarding for the child domain. Point this to the DNS server in the child domain
Does this mean, from the PARENT DNS server, I put the DNS forwarder of 192.168.2.2?
7) On the child domain DNS server, setup Conditional Forwarding so the parentdom.local queries are sent to the parent DNS server.
And from the child domain DNS, I put 192.168.1.2?
So I can put the ISP DNS in these forwarders?
ASKER
I get it: on the Site1 parentdom.local DNS server properties, FORWARDERS TAB... NEW DNS DOMAIN -
type CHILDDOM.PARENTDOM.LOCAL -> highlight childdom.parentdom.local
and enter the IP, e.g. 192.168.2.2?
The Site2 ChildDom.ParentDom.Local (Windows 2000-based) DNS server properties don't have DNS Domain like Windows 2003 in Site1.
ASKER
From the Site2-DC TCP/IP properties, DNS settings, I took off the DC-Site1 DNS 192.168.1.2 and the APPEND THESE DNS SUFFIXES (IN ORDER); now I cannot ping Site2-DC by name....
ASKER
I forgot to mention that I am using a single-label domain, e.g. parentdom, not parent.local; can this be a problem?
Absolutely, it makes a huge difference.
You need to configure DNS to allow registering single-label names.
http://support.microsoft.com/kb/300684/en-us
ASKER
Sorry, could you give me clearer instructions on what I should do about DNS registering single-label names?
Currently, on my Site1-DC Windows 2003 I have enabled the GP to allow top-level domain updates, but my Windows XP client did not successfully register with the Windows 2003 DNS in the forward lookup zone.
As for the modification, I don't understand this part... where, on which computer, should I do this step?
On a Windows 2003/2000-based server? Or the Windows XP/2000 client?
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the right pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, follow these steps:
a. On the Edit menu, point to New, and then click DWORD Value.
b. Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.
4. Double-click the AllowSingleLabelDnsDomain entry.
5. In the Value data box, type 1, and then click OK.
6. Quit Registry Editor.
ASKER
My ChildDom is Windows 2000-based, so it should work with a single label... right?
ASKER
Sorry, now I want to demote my ChildDom, but I cannot demote the child domain.
It says:
"The operation failed because:
The directory service failed to replicate off changes made locally.
The DSA operation is unable to proceed because of DNS lookup failure."
What steps, and how, do I manually demote so I can reinstall Active Directory?
And how do I completely remove the child domain from ParentDom, and any related files in ParentDom?
Thanks for trying to help!
Point it back to the parent DNS server.
ASKER
Point what back to the parent DNS? Can you give me clearer instructions?
Thanks
The child domain controller should have the Primary DNS server set to the parent's DNS server for the last DC in that domain to be able to be demoted.
ASKER
I did set the child domain to the ParentDom primary DNS server, but somehow I cannot demote it... it keeps saying DNS lookup failure.
How do I manually demote the child? Or do I just follow this page and then I can remove it?
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Run DCPROMO /forceremoval.
Then follow this guide to remove all traces of the old domain and domain controllers:
http://support.microsoft.com/kb/216498/en-us
ASKER
Never mind, it was simple, I just removed the forwarder from the child domain DNS.
Why would that make a difference? If the primary was set to the parent DNS it should never have been looking to the Forwarder. Where was it pointing?
ASKER
At this point, I guess my DNS configuration was not right....
OK.
ASKER
I don't know why, but if I don't put the ParentDom IP address in the CHILDDOM DNS FORWARDER, then I get CONNECTIVITY FAILURE in the DCDIAG.EXE /v test,
so I have to put it there somehow.
OK... here is my detailed configuration. Please tell me what I'm doing wrong, OK? I really appreciate your professional service and time.
Scenario:
Site1
hostname: DC-Site1
domain: ParentDom
TCP/IP Configuration:
IP: 192.168.1.2/24
gw: 192.168.1.1
preferred DNS: 192.168.1.2
Alternate DNS: 192.168.1.3
Alternate DNS: 192.168.2.2 (DC-Site2 DNS)
DNS: allow zone transfer to 192.168.1.3
DNS settings are default just like you describe above
Secure Only Dynamic Updates... etc.
--------------------------
Additional Domain Controller (Backup DC)
hostname: ADC-Site1
domain: ParentDom
TCP/IP Configuration
IP: 192.168.1.3/24
gw: 192.168.1.1
preferred DNS: 192.168.1.2
alternate DNS: 192.168.1.3
alternate DNS: 192.168.2.2 (DC-Site2 DNS)
DNS: contains a secondary backup DNS of Site1
--------------------------
Site2
hostname: DC-Site2
domain: ChildDom.ParentDom
TCP/IP Configuration:
IP: 192.168.2.2/24
gw: 192.168.2.1
preferred DNS: 192.168.2.2
Alternate DNS: 192.168.1.2 (DC-Site1 DNS)
DNS settings are default just like you describe above
Secure Only Dynamic Updates... etc.
--------------------------
I ran DCPROMO,
Domain Controller for a new domain -> Create a child domain in an existing domain tree, and so on...
It asked for DNS --> I chose Install and Configure DNS automatically.
That's it?
This isn't necessary:
DNS: allow zone transfer to 192.168.1.3
On Site one DNS since all zones should be AD Integrated.
I think part of the reason we're having issues is that the child domain DNS is Windows 2000. The Zones are not the same at all. Replication to all zones in the Forest is a function of 2003 DNS only.
In order to make this work (the easiest way) would be to use a 2003 DNS server in the child domain.
Other than that, Forwarding to the parent or making ALL zones Primary (non-AD Integrated) on the parent and creating Secondary zones on the child (and vice versa) would be the only other method since 2000 and 2003 DNS use different methods to configure the way you need to.
ASKER
Oh, thanks,
I just demoted it, and promoted it as a new domain - new domain tree in an existing forest? Will this work better or the same?
Thanks Netman66 for the info...
ASKER
Or should I create a new forest/domain tree?
It will probably work the same.
No, don't create a new Forest, that opens up a whole new set of problems.
On the parent domain, change the _msdcs.parentdomain.local zone to Primary (non-AD Integrated).
On the child domain, create a new Secondary zone the same as the parent _msdcs zone.
Accept zone transfers from the parent DNS server.
Go back to the parent DNS server and allow zone transfers to the child.
This should take care of the _msdcs zone.
You can add a Delegation record on the child DNS for the parentdomain.local domain then point it to the parent DNS server.
You can also add a Delegation record on the parent DNS server for the child domain and point it to the child DNS server.
This should get the zones in order.
You may need to do the same for the Reverse Zone also.
NM
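The _msdcs procedure from the post above, written out as dnscmd.exe commands. This is an added example, not commands from the thread or from Netman66. Host names, addresses and zone names are the ones the asker posted; the $variables are my own. Two points are added that the post does not spell out: zone transfers are restricted to the child's address rather than left open, and the dynamic-update setting is handled explicitly, because a standard primary zone cannot use "secure only" updates.

```powershell
# Added example: the _msdcs zone-transfer setup from the post above, as dnscmd.exe commands
# (not the thread's own commands). Host names, addresses and zone names are the asker's;
# the $variables are assumptions. dnscmd targets a remote server by name over RPC, so all of
# this can be run from DC-Site1 by a DnsAdmins member. The lines are PowerShell, but every
# command is plain dnscmd/nslookup syntax and works from cmd.exe as well.
$ParentDns  = 'DC-Site1'                 # Windows 2003 DNS, holds the AD-integrated _msdcs zone
$ChildDns   = 'DC-Site2'                 # Windows 2000 DNS in the child domain
$ParentIp   = '192.168.1.2'
$ChildIp    = '192.168.2.2'
$MsdcsZone  = '_msdcs.ParentDom.Local'
$ParentZone = 'ParentDom.Local'
$ChildZone  = 'ChildDom.ParentDom.Local'

# 1. Parent: convert _msdcs from AD-integrated to a standard, file-backed primary zone.
dnscmd $ParentDns /ZoneResetType $MsdcsZone /Primary /file "$MsdcsZone.dns"

#    Caveat: "secure only" dynamic updates (value 2) exist only for AD-integrated zones.
#    A standard primary is either closed to updates (0) or accepts unauthenticated updates (1).
#    The DCs must keep registering their SRV records in _msdcs, so it has to be 1, which means
#    any host that can reach port 53 on DC-Site1 can rewrite records in this zone.
dnscmd $ParentDns /Config $MsdcsZone /AllowUpdate 1

# 2. Parent: permit transfers only to the child DNS server, and notify it on changes.
dnscmd $ParentDns /ZoneResetSecondaries $MsdcsZone /SecureList $ChildIp /NotifyList $ChildIp

# 3. Child: secondary copy with the parent as master, then force the first transfer.
dnscmd $ChildDns /ZoneAdd $MsdcsZone /Secondary $ParentIp
dnscmd $ChildDns /ZoneRefresh $MsdcsZone

# 4. Parent: delegate the child domain to the child DNS server (NS record plus glue A record).
#    Nothing is needed on the child side: a zone cannot delegate its own parent, and the
#    forwarder to 192.168.1.2 already configured on DC-Site2 resolves ParentDom.Local.
dnscmd $ParentDns /RecordAdd $ParentZone ChildDom NS "DC-Site2.$ChildZone."
dnscmd $ParentDns /RecordAdd $ParentZone DC-Site2.ChildDom A $ChildIp

# 5. Verify from BOTH servers. The DC locator records under _msdcs must answer on each one;
#    that is what netdiag's "not registered correctly on DNS server" warning is testing.
dnscmd $ChildDns /ZoneInfo $MsdcsZone
foreach ($server in $ParentIp, $ChildIp) {
    nslookup -type=SRV "_ldap._tcp.dc.$MsdcsZone" $server
    nslookup -type=SRV "_kerberos._tcp.dc.$MsdcsZone" $server
}
```

If step 5 returns the SRV records from 192.168.1.2 but not from 192.168.2.2, check step 2 first: a transfer that the parent refuses shows up in the child's DNS event log as a failed zone transfer, and dnscmd /ZoneInfo on the child will show the zone as expired.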
ASKER
Thanks for the update. I'll give it a try and let you know.
ASKER
Alternatively,
Can I promote Active Directory on Site2 to be an
Additional domain controller for an existing domain
and host a GC there, with everyone from Site2 logging on using the DC-Site2 domain controller?
Will it help the bandwidth?
And could I place an Exchange server in Site2 on the additional domain controller?
ASKER
So that means it replicates within Site2, and uses less bandwidth, right?
ASKER
And for Exchange, what steps do I follow to install Exchange on Site2 as a secondary Exchange server, and replicate (and hold) only certain users and mailboxes in Site2, so that it doesn't replicate all the mailboxes from Site1?
Not necessarily. After you initially join the server it will use up some bandwidth to replicate, but it should drop down to nearly nothing after a short period.
You should make it a GC and also install DNS. Make sure all zones (except the _msdcs zone) are AD Integrated. Then simply install DNS on the remote server and do nothing else (install it after a successful DCPROMO). Replication will create and populate all the zones except the _msdcs zone.
Create the _msdcs (secondary) zone manually and set it up to zone transfer from the main DNS server.
Since 2003 uses the application partition for the _msdcs zone it will NOT replicate to the 2000 DNS server as it normally is installed by default.
Exchange won't replicate anything. You can get away with using the main Exchange server for a small amount of users on the remote site. It may be a lot less complicated.
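A check for the situation described in the post above: which zones on a DNS server are stored where, and therefore which of them a Windows 2000 DNS server can actually receive through AD replication. This is an added example, not from the thread; the server names are the asker's and the function names are mine. It parses the table that dnscmd /EnumZones prints on a 2003 server, and the sample output embedded in it is constructed, not captured from the asker's servers.

```powershell
# Added example: audit zone storage to see which zones a Windows 2000 DNS server can receive
# through AD replication. Not from the thread; server names are the asker's, function names
# are assumptions. Windows 2000 DNS reads only the domain partition (dnscmd shows that as
# "AD-Legacy"); "AD-Forest" and "AD-Domain" are 2003 application partitions that a 2000 DNS
# server cannot load, which is why the 2003-created _msdcs zone never appears on DC-Site2.

function ConvertFrom-DnscmdEnumZones {
    param([string]$Server, [string[]]$Lines)
    # Table rows look like:  " _msdcs.ParentDom.Local   Primary   AD-Forest   Secure"
    # The header row ("Zone name  Type ...") does not match because "name" is not a zone type.
    foreach ($line in $Lines) {
        if ($line -match '^\s+(\S+)\s+(Primary|Secondary|Stub|Cache|Forwarder)\s+(\S+)\s*(.*)$') {
            New-Object PSObject -Property @{
                Server     = $Server
                Zone       = $Matches[1]
                Type       = $Matches[2]
                Storage    = $Matches[3]
                Properties = $Matches[4].Trim()
            }
        }
    }
}

function Get-W2kDnsVerdict {
    param($Zone)
    switch ($Zone.Storage) {
        'AD-Legacy' { 'OK: domain partition, replicates to 2000 DNS' }
        'AD-Forest' { 'MISSING on 2000 DNS: forest application partition, needs standard primary + secondary' }
        'AD-Domain' { 'MISSING on 2000 DNS: domain application partition, needs standard primary + secondary' }
        'File'      { 'standard zone: reaches other servers by zone transfer only' }
        default     { 'unknown storage' }
    }
}

# Constructed sample of what a 2003 DC-Site1 returns (not real output from the asker's server).
$sample = @'
Enumerated zone list:
        Zone count = 4

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 _msdcs.ParentDom.Local         Primary    AD-Forest       Secure
 ParentDom.Local                Primary    AD-Domain       Secure
 1.168.192.in-addr.arpa         Primary    AD-Domain       Secure Rev

Command completed successfully.
'@ -split "`r?`n"

$zones = ConvertFrom-DnscmdEnumZones -Server 'DC-Site1' -Lines $sample
# Live run, from the 2003 dnscmd on DC-Site1, against each server:
#   $zones = ConvertFrom-DnscmdEnumZones -Server 'DC-Site1' -Lines (dnscmd DC-Site1 /EnumZones)
#   $zones += ConvertFrom-DnscmdEnumZones -Server 'DC-Site2' -Lines (dnscmd DC-Site2 /EnumZones)

foreach ($z in ($zones | Where-Object { $_.Type -ne 'Cache' })) {
    '{0,-10} {1,-28} {2,-10} {3,-10} {4}' -f $z.Server, $z.Zone, $z.Type, $z.Storage, (Get-W2kDnsVerdict $z)
}
```

With the sample above, every zone except the cache is flagged, not only _msdcs: a 2003 domain zone created in DomainDnsZones (AD-Domain) is just as invisible to a 2000 DNS server as the forest-wide _msdcs zone. If the live run shows ParentDom.Local as AD-Domain rather than AD-Legacy, expect the same symptom for it.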
ASKER
Ok thanks,
Right, so I don't need to install Exchange on the remote site?
That's a lot less complicated... Thanks...
I gained more experience from this forum...
I wouldn't think it would be necessary if there aren't too many users.
With the domain being the same now, it'll be much easier to set up and maintain with one Exchange server.
How many users are in the remote site?
ASKER
Less than 10.
No issue that I can see.
ASKER
What is the user limitation?
And to follow up on:
"Create the _msdcs (secondary) zone manually and set it up to zone transfer from the main DNS server."
From the Site2 DNS, I created a secondary zone named
_msdcs.parentdom
and allowed zone transfer to 192.168.2.2 (remote site).
I cannot transfer from master.
You need to change the zone on the parent to a standard Primary. Then enable zone transfers from the parent to the child.
User limitation depends on link bandwidth. Ten users shouldn't be too bad on even a T1.
ASKER
Oh, thanks for the info.
I just checked my ParentDom in Active Directory Users and Computers.
Operations Master shows ERROR in the first box...
and the second box shows DC-Site2.ParentDom.
RID - PDC - Infrastructure
Operations Master (ERROR)
"The current operations master is offline. The role cannot be transferred." CHANGE button
DC-Site2.ParentDom
Should I click Change so that the parent domain holds all the server roles?
ASKER
Note that I installed it as an additional domain controller in an existing domain, not a child domain.
On the parent domain, if you have the Resource Kit installed on one of the DCs, then run:
dumpfsmos <servername> <= where <servername> is the name of your DC.
Check for all 5 roles in the output.
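A scripted version of the check in the post above, as an added example that is not from the thread. It uses netdom query fsmo from the Support Tools rather than the dumpfsmos script, because netdom prints one "role   holder" line per role that is easy to parse; the parser does not read dumpfsmos output. Function names are mine, and the sample output is constructed to mirror the asker's situation (roles held by DC-Site2), not captured from their domain.

```powershell
# Added example: list the five FSMO role holders and check that each holder resolves in DNS.
# Uses "netdom query fsmo" (Support Tools) instead of dumpfsmos; function names are assumptions.
function ConvertFrom-NetdomFsmo {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # role label, two or more spaces, then a dotted host name; other lines are ignored
        if ($line -match '^(\S.*?\S)\s{2,}(\S+\.\S+)\s*$') {
            New-Object PSObject -Property @{ Role = $Matches[1]; Holder = $Matches[2] }
        }
    }
}

function Test-FsmoHolders {
    param([string[]]$Lines)
    $roles = @(ConvertFrom-NetdomFsmo -Lines $Lines)
    $problems = @()
    if ($roles.Count -ne 5) { $problems += "expected 5 roles, found $($roles.Count)" }
    foreach ($r in $roles) {
        # nslookup prints a "Name:" line only when the holder resolves. A holder that no
        # longer exists in DNS is one common cause of "the current operations master is offline".
        $resolved = nslookup $r.Holder 2>$null | Select-String '^Name:'
        if (-not $resolved) { $problems += "$($r.Role): holder $($r.Holder) does not resolve in DNS" }
    }
    $problems
}

# Constructed sample in netdom's layout (not real output from the asker's domain).
$sample = @'
Schema master               DC-Site1.ParentDom.Local
Domain naming master        DC-Site1.ParentDom.Local
PDC                         DC-Site2.ParentDom.Local
RID pool manager            DC-Site2.ParentDom.Local
Infrastructure master       DC-Site2.ParentDom.Local
The command completed successfully.
'@ -split "`r?`n"

ConvertFrom-NetdomFsmo -Lines $sample | Format-Table Role, Holder -AutoSize
Test-FsmoHolders -Lines $sample
# Live run:  Test-FsmoHolders -Lines (netdom query fsmo)
```

If a holder is listed but does not resolve, fix DNS (or the stale NTDS Settings object) before using the Change button: the console can only transfer a role gracefully when it can reach the current holder.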
ASKER
PASS - All the DNS entries for DC are registered on DNS server '192.168.2.2'.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.2'. Please wait for 30 minutes for DNS server replication.
The command completed successfully
Do I run NETDIAG /FIX?
I believe I ran this test on ParentDom of Site1, and I think it caused some changes in Active Directory Sites and Services. It looks like it removed the DNS host name for the Site2 DC-Site2.ChildDom.ParentDo