Solved

DNS Entries are not register correctly to the other site domain

Posted on 2006-07-15
49
864 Views
Last Modified: 2007-12-19
Hi Guys,

My problems are i am setting up a child domain from a site2 connecting to site1, from Site2 child domain connecting to site1 parent domain just find, i can view and browse parent domain Directory, and domain controller objects such as users and group.

From Site1, parent domain, i cannot browse and view Site2's child domain's objects, and directory.

Site1 domain name structure
hostname: DC-Site1
Domain name: ParentDom.Local

Site1 contain an additional domain
hostname: ADC-Site1
FQ Host Name: ADC-Site1.ParentDom.Local

Site2 domain name structure
hostname: DC-Site2
Domain name: ChildDom.ParentDom.Local

I check the Trust relationship from Site1 Parent domain Active Directory and try to validate it, or try a new trust, it prompts,

"Windows cannot find the domain controller for the DC-Site2.ParentDom.Local. Verify that a DC is available and try again"

My configuration:
Site1: DNS and ip setting
ip: 192.168.1.2/24
gw: 192.168.1.1
dns:
prefer dns: 192.168.1.2
alter dns: 192.168.2.2
wins: 192.168.1.2, 192.168.2.2
Site1, DNS allow dynamic updates,

Site2 Configuration
Site2: DNS and ip setting
ip: 192.168.2.2/24
gw: 192.168.2.1
dns:
prefer dns: 192.168.2.2
alter dns: 192.168.1.2
wins: 192.168.2.2, 192.168.1.2
DNS: Append these DNS suffixes (in order) are enble with Site1 (Parent Domain) domain name in order to pinged by name:
Site2 DNS allow dynamic updates, and enable forwarder: ip 192.168.1.2

So on, i use netdiag /l /test:dns on site1, the output are

--------------------------------------------------------------------------------------------------
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.
2' and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS se
rver '192.168.2.2'. Please wait for 30 minutes for DNS server replication.

The command completed successfully
--------------------------------------------------------------------------------------------------

So on, i use netdiag /l /test:dns on site2, the output are

--------------------------------------------------------------------------------------------------
    PASS - All the DNS entries for DC are registered on DNS server '192.168.2.2
'.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS se
rver '192.168.1.2'. Please wait for 30 minutes for DNS server replication.

The command completed successfully
--------------------------------------------------------------------------------------------------

I ran DCDIAG.EXE /v on Site2, the output are

--------------------------------------------------------------------------------------------------
DC Diagnosis

Performing initial setup:
   * Verifing that the local machine DC-Site2, is a DC.
   * Connecting to directory service on server DC-Site2.
   * Collecting site info.
   * Identifying all servers.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\DC-Site2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory ParentDom.LocalC Services Check
         ......................... DC-Site2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC-Site2
      Starting test: Replications
         * Replications Check
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 845
3,
         Replication access was denied..
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 845
3,
         Replication access was denied..
         ......................... DC-Site2 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           DC=ChildDom,DC=ParentDom.Local
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ParentDom.Local
         * Security Permissions Check for
           CN=Configuration,DC=ParentDom.Local
         ......................... DC-Site2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... DC-Site2 passed test NetLogons
      Starting test: Advertising
         The DC DC-Site2 is advertising itself as a DC and having a DS.
         The DC DC-Site2 is advertising as an LDAP server
         The DC DC-Site2 is advertising as having a writeable directory
         The DC DC-Site2 is advertising as a Key Distribution Center
         The DC DC-Site2 is advertising as a time server
         ......................... DC-Site2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Domain Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role PDC Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Rid Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-Site2,CN=Se
rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         ......................... DC-Site2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 1603 to 1073741823
         * DC-Site2.ChildDom.ParentDom.Local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1103 to 1602
         * rIDNextRID: 1108
         * rIDPreviousAllocationPool is 1103 to 1602
         ......................... DC-Site2 passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local/ChildDom.ParentDom.Local
         * SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local
         * SPN found :LDAP/DC-Site2
         * SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local/ChildDom
         * SPN found :LDAP/e1688926-75af-4442-a9c6-0c67a9d58e16._msdcs.ParentDom.Local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e1688926-75af-4442-a9
c6-0c67a9d58e16/ChildDom.ParentDom.Local
         * SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local/ChildDom.ParentDom.Local
         * SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local
         * SPN found :HOST/DC-Site2
         * SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local/ChildDom
         * SPN found :GC/DC-Site2.ChildDom.ParentDom.Local/ParentDom.Local
         ......................... DC-Site2 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: ParentDom.LocalcSs
         * Checking Service: ParentDom.LocalCLOCATOR
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         ......................... DC-Site2 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC-Site2 is in domain DC=ChildDom,DC=ParentDom.Local
         Checking for CN=DC-Site2,OU=Domain Controllers,DC=ChildDom,DC=ParentDom.Local in dom
ain DC=ChildDom,DC=ParentDom.Local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local in domain CN=Configuration,DC=ParentDom.Local on 1
 servers
            Object is up-to-date on all servers.
         ......................... DC-Site2 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         The SYSVOL has been shared, and the AD is no longer
         prevented from starting by the File Replication Service.
         ......................... DC-Site2 passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... DC-Site2 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/15/2006   19:09:54
            Event String: Driver Samsung CLP-500 Series required for
printer __ADC-Site1_Samsung CLP-500 Series is unknown.
Contact the administrator to install the driver
before you log in again.
         ......................... DC-Site2 failed test systemlog

   Running enteParentDom.Localrise tests on : ParentDom.Local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... ParentDom.Local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\AD.ParentDom.Local
         Locator Flags: 0xe00003fd
         PDC Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         Time Server Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         Preferred Time Server Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         KDC Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         ......................... ParentDom.Local passed test FsmoCheck
--------------------------------------------------------------------------------------------------

My Question:

Question1

DCDIAG test

   Testing server: Default-First-Site-Name\DC-Site2
      Starting test: Replications
         * Replications Check
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 845
3,
         Replication access was denied..
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 845
3,
         Replication access was denied..
         ......................... DC-Site2 passed test Replications

How to fix this?


Question 2

What step do i need to take inorder to make site1 can view site2 child domain objects? and trust?
Site2 can alternatively logon to Site1 (ParentDom.Local) from Site2
But Site1 Cannot logon on ChildDom from Site1

As far that my DNS configuration; I can ping both side by names,
Just the problem is within site1 cannot contact Site2 domain.

Let me know if i can provide any other information


Thanks,,,,, a bunch!
0
Comment
Question by:techguy07
  • 32
  • 17
49 Comments
 

Author Comment

by:techguy07
ID: 17116326
Another question: how to correctly register DNS for this type of error messege?

    PASS - All the DNS entries for DC are registered on DNS server '192.168.2.2
'.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS se
rver '192.168.1.2'. Please wait for 30 minutes for DNS server replication.

The command completed successfully

Do i run NETDIAG /FIX?

I believed i ran this test on ParentDom of Site1, and i think it caused some changed in Active Directory Site and Services. It looks llike it removed the DNSHost name for the Site2 DC-Site2.ChildDom.ParentDom.Local within the DC-Site2 AD Site and Services (default-site) and it caused some problem but i fixed it with ADSIEdit.
0
 

Author Comment

by:techguy07
ID: 17116330
I just ran the DCDIAG /V test on Site1 ParentDom.Local and i get the fail messge for this service. All other Services are Passed

      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 07/15/2006   10:28:07
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C5
            Time Generated: 07/15/2006   10:28:57
            (Event String could not be retrieved)
         ......................... AD failed test frsevent

How to fix it, why it caused it? Is this problem major?
0
 

Author Comment

by:techguy07
ID: 17116347
This is a full DCDiag test on Site1

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine DC-Site1, is a DC.
   * Connecting to directory service on server DC-Site1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC-Site1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
            *** Warning: could not confirm the identity of this server in
               the directory versus the names returned by DNS servers.
               If there are problems accessing this directory server then
               you may need to check that this server is correctly registered
               with DNS
         * Active Directory ParentDom.Local RPC Services Check
         ......................... DC-Site1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC-Site1
      Starting test: Replications
         * Replications Check
         [DC-Site2] DsBindWithSpnEx() failed with error 1722,
         The ParentDom.Local RPC server is unavailable..
         Printing ParentDom.Local RPC Extended Error Info:
         Error Record 1, ProcessID is 1876 (DcDiag)
            System Time is: 7/16/2006 3:6:45:437
            Generating component is 8 (winsock)
            Status is 1722: The ParentDom.Local RPC server is unavailable.
            Detection location is 322
         Error Record 2, ProcessID is 1876 (DcDiag)
            System Time is: 7/16/2006 3:6:45:437
            Generating component is 8 (winsock)
            Status is 11001: No such host is known.
            Detection location is 320
            NumberOfParameters is 1
            Unicode string: e1688926-75af-4442-a9c6-0c67a9d58e16._msdcs.ParentDom.Local
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=ParentDom.Local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: reDC-Site1-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 hDC-Site1 no
 latency information (Win2K DC).
            CN=Configuration,DC=ParentDom.Local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: reDC-Site1-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 hDC-Site1 no
 latency information (Win2K DC).
            DC=ParentDom.Local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: reDC-Site1-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 hDC-Site1 no
 latency information (Win2K DC).
            DC=ChildDom,DC=ParentDom.Local
               Latency information for 1 entries in the vector were ignored.
                  0 were retired Invocations.  1 were either: reDC-Site1-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 hDC-Site1 no
 latency information (Win2K DC).
         * Replication Site Latency Check
         ......................... DC-Site1 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC-Site1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ParentDom.Local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=ParentDom.Local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ParentDom.Local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=ParentDom.Local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=ParentDom.Local
            (Domain,Version 2)
         * Security Permissions Check for
           DC=ChildDom,DC=ParentDom.Local
            (Domain,Version 1)
         ......................... DC-Site1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC-Site1\netlogon
         Verified share \\DC-Site1\sysvol
         ......................... DC-Site1 passed test NetLogons
      Starting test: DC-Site1vertising
         The DC DC-Site1 is DC-Site1vertising itself as a DC and having a DS.
         The DC DC-Site1 is DC-Site1vertising as an LDAP server
         The DC DC-Site1 is DC-Site1vertising as having a writeable directory
         The DC DC-Site1 is DC-Site1vertising as a Key Distribution Center
         The DC DC-Site1 is DC-Site1vertising as a time server
         The DS DC-Site1 is DC-Site1vertising as a GC.
         ......................... DC-Site1 passed test DC-Site1vertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Domain Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role PDC Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Sit
e-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Rid Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Sit
e-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN
=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         ......................... DC-Site1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 4603 to 1073741823
         * DC-Site1.ParentDom.Local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1603 to 2102
         * rIDPreviousAllocationPool is 1603 to 2102
         * rIDNextRID: 1788
         ......................... DC-Site1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DC-Site1 on DC DC-Site1.
         * SPN found :LDAP/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :LDAP/DC-Site1.ParentDom.Local
         * SPN found :LDAP/DC-Site1
         * SPN found :LDAP/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :LDAP/5bbdf621-c1a9-4127-acae-655515f7961e._msdcs.ParentDom.Local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bbdf621-c1a9-4127-ac
ae-655515f7961e/ParentDom.Local
         * SPN found :HOST/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :HOST/DC-Site1.ParentDom.Local
         * SPN found :HOST/DC-Site1
         * SPN found :HOST/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :GC/DC-Site1.ParentDom.Local/ParentDom.Local
         ......................... DC-Site1 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: ParentDom.Local RPCSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC-Site1 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC-Site1 is in domain DC=ParentDom.Local
         Checking for CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local in domain DC=ParentDom.Local on 1 ser
vers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=ParentDom.Local in domain CN=Configuration,DC=ParentDom.Local on 1 servers

            Object is up-to-date on all servers.
         ......................... DC-Site1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL reDC-Site1y test
         File Replication Service's SYSVOL is reDC-Site1y
         ......................... DC-Site1 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 07/15/2006   10:28:07
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C5
            Time Generated: 07/15/2006   10:28:57
            (Event String could not be retrieved)
         ......................... DC-Site1 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... DC-Site1 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/15/2006   20:02:02
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/15/2006   20:02:03
            (Event String could not be retrieved)
         ......................... DC-Site1 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local and backlink on
         CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,D
C=ParentDom.Local
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Servic
e,CN=System,DC=ParentDom.Local
         and backlink on CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local are correct.
         The system object reference (serverReferenceBL)
         CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Servic
e,CN=System,DC=ParentDom.Local
         and backlink on
         CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=ParentDom.Local
         are correct.
         ......................... DC-Site1 passed test VerifyReferences
      Test omitted by user request: VerifyEnteParentDom.LocalriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : ParentDom.Local
      Starting test: CrossRefValidation
         ......................... ParentDom.Local passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ParentDom.Local passed test CheckSDRefDom

   Running enteParentDom.Localrise tests on : ParentDom.Local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... ParentDom.Local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         PDC Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         Time Server Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         KDC Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         ......................... ParentDom.Local passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
0
 

Author Comment

by:techguy07
ID: 17116352
Please review Site1 DCDIAG log and show me what i need to fix? i believe there are 1 warnings and 2 error on the Repl
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17117605
To set this up  properly, normally the following are done:

1)  Set the root DC (in the parent) to sync with an external timesource.  http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html

2)  Make sure there are absolutely NO ISP DNS addresses on ANY network interface inside your LAN (both main and remote sites).  The only place to put this address is on the Forwarder tab of EACH DNS server you have.

3)  On the parent DNS server, the _msdcs.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the FOREST.

4)  On the parent DNS server, the parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the DOMAIN.

5)  On the Forwarder tab of the parent DNS server, you setup Conditional Forwarding for the child domain.  Point this to the DNS server in the child domain.

6)  On the child domain DNS server, the child.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the domain.

7)  On the child domain DNS server, setup Conditional Forwarding so the parentdom.local queries are sent to the parent DNS server.

8)  Point the main site clients and servers to the main site DNS and any secondary you may also have.  NO ISP addresses here.

9)  Point the remote site clients and servers to the remote site's DNS only.  Use only local secondaries - do not point them to the main site as a secondary since it has no idea what is part of the child domain.

10)  If any server has 2 NICs, make sure the LAN-side card is at the top of the binding order and both DNS and DHCP (if you run it) are servicing only that interface.

Once all this is correct, restart the Netlogon service on each server then run IPCONFIG /flushdns and IPCONFIG /registerdns from the CMD prompt on each server.

Check DNS carefully now to ensure all SRV records are present in the correct domains.  Remove any entries for servers that are in the wrong zones.

Wait for awhile for KCC to recalculate topology and start FRS working properly.

Let us know.
0
 

Author Comment

by:techguy07
ID: 17117837
2)  Make sure there are absolutely NO ISP DNS addresses on ANY network interface inside your LAN (both main and remote sites).  The only place to put this address is on the Forwarder tab of EACH DNS server you have.

----------------------------------------------

The only place to put this address is on the Forwarder ...

Do you mean ISP DNS if i prefer? or the Internal DNS of each DOMAIN that i am hosting Active Directory Intergrated DNS?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17118875
The ISP DNS.

Do not forward between your domains.  It's needless bandwidth.  Just forward directly from each DNS server to the ISP.  The Conditional Forwarding I mentioned above will take care of the other domains.

0
 

Author Comment

by:techguy07
ID: 17119699
I notice that when if i don't put 192.168.1.2 (site1 DNS) on the ParentDom - properties - DNS Forwarder for the Site2 Domain. then when i do DCDIAG /v i will get the output of CONNECTIVITIES FAILURE. So to make this clear, i should put External DNS in the forwader? i dont user any External DNS...

And if i don't manually put parentdom.local in the Appending these DNS Suffix (In Order) on the Site2 TCP/Ip DNS setting, then it cannot ping by names. Do i really have to put the parentdom.local as DNS Suffix?


6)  On the child domain DNS server, the child.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the domain.
(I checked on the child.parentdom.local zone, there is AD integrated and secure updates only, but no replicate to all DNS servers in the Domain, i am running windows 2000 advanced server in Site2 child domain.
----------------------------------------------------
8)  Point the main site clients and servers to the main site DNS and any secondary you may also have.  NO ISP addresses here.

9)  Point the remote site clients and servers to the remote site's DNS only.  Use only local secondaries - do not point them to the main site as a secondary since it has no idea what is part of the child domain.

i don't get #8 and #9
do you mean, from the TCP/IP DNS Properties? i don't put the DNS ip of each server? Just the DNS ip of the server domain itself?
Let say from Site1 DNS properties, i put 192.168.1.2 and not 192.168.2.2?
same thing to site2 DNS properties, i put 192.168.2.2 and not 192.168.1.1?
----------------------------------------------------
How about the Appending these DNS Suffix (In Order)?
0
 

Author Comment

by:techguy07
ID: 17119762
i forgot to mention that we have IP TABLE (NETFILTER) firewall proxy running... i dont know if this effect the settings... somehow site2 can access  and logon parentdom.local
but from site1 cannot logon to child.parentdom.local...
0
 

Author Comment

by:techguy07
ID: 17119795
The only thing is that, when i view the Security properties of an object from Site1 parentdom.local,
such as:
DNS - Site1-DC - Forward Look Up Zone - _msdc.parentdom.local - properties, security
i can see the correct name for the child domain group ex; Site2-DC$(CHILDDOM\SITE2-DC$)
and/or
 when i go to
Active Directory Sites and Services
Sites
Default-First-Site-Name
Servers
ChildDom
NTDS Settings
<Automatic Generated> Site1-DC Default-First-Site-name
Properties - Security - Domain admins (ChildDom\Domain admins)

When i click add and browse for location, parentdom.local - ChildDom.Local
i cannot view the directory and either find the names or group

I dont understand why it can show the (ChildDom\Domain admins) group but cannot find the domain
0
 

Author Comment

by:techguy07
ID: 17119813
so i can use any ISP DNS or do i have to use my ISP dns?
0
 

Author Comment

by:techguy07
ID: 17119822
5)  On the Forwarder tab of the parent DNS server, you setup Conditional Forwarding for the child domain.  Point this to the DNS server in the child domain
     Does this means, from the PAReNT DNS SERVER, i put the DNS forwarder of 192.168.2.2?
7)  On the child domain DNS server, setup Conditional Forwarding so the parentdom.local queries are sent to the parent DNS server.
     And from Child DOMAIN DNS, i put 192.168.1.2?

so i can put ISP DNS in these forwarder?
0
 

Author Comment

by:techguy07
ID: 17119838
I get it, on the Site1 parentdom.local DNS server properties, FORWARDER TAP... NEW DNS DOMAIN -
type - CHILDDOM.PARENTDOM.LOCAL -> hightlight childom.parentdom.local
and enter the ip ex: 192.168.2.2 ?

On the Site2 ChildDom.ParentDom.Local (widows 2000 base) DNS Server properties doesnt have DNS DOmain like windows 2003 in site1


0
 

Author Comment

by:techguy07
ID: 17119845
From Site2-DC TCP/IP properties, DNS settings, i took off DC-Site1 DNS 192.168.1.2 and the APPEND THESE DNS SUFFIX (IN ORDER) i cannot ping Site2-DC by name....
0
 

Author Comment

by:techguy07
ID: 17119848
I forgot to mention that, i am using a single label domain, ex; parentdom, not parent.local, can this be a problem?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17121009
Absolutely if makes a huge difference.

You need to configure DNS to allow registering single-label names.

http://support.microsoft.com/kb/300684/en-us
0
 

Author Comment

by:techguy07
ID: 17123234
Sorry, could you give me a clearer instruction what should i do with the dns registering single-lable name?

Currently, on my Site1-DC windows 2003 i had enable GP to allow top level domain update . but my windows xp client did not successfully register with windows 2003 DNS in the forward lookup zone.

as far the modification i dont understand this part.. where on which computer base should i do this step?
on a windows 2003/2000 base server? or the windows xp/2000/ client base?

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the right pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, follow these steps:a.  On the Edit menu, point to New, and then click DWORD Value.
b.  Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.
 
4. Double-click the AllowSingleLabelDnsDomain entry.
5. In the Value data box, type 1, and then click OK
6. Quit Registry Editor.
0
 

Author Comment

by:techguy07
ID: 17123782
My ChildDom is a windows 2000 base, so i should work with single label.. right
0
 

Author Comment

by:techguy07
ID: 17124100
Sorry, Now i want to demote my childdom. but i cannot demote child domain
it say,
" The operation failed because:
The directory service failed to replicate off changes made locally.

The DSA operation is unable to proceed becaused of DNS lookup failure."

What step and how do i manually demote so i can reinstall active directory?

and how to completely remove child domain from ParentDom? and any related file in parentdom?


Thanks for trying to help!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17125458
Point it back to the parent DNS server.

0
 

Author Comment

by:techguy07
ID: 17125584
point what back to the parernt DNS? can you give me a clearer instruction?

Thanks
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17125944
The child domain controller should have the Primary DNS server set to the parent's DNS server for the last DC in that domain to be able to be demoted.

0
 

Author Comment

by:techguy07
ID: 17126808
i did set the child domain to the parentdom primary DNS server. but somehow i cannot demote it... it kept saying DNS lookup failure

How do i manuall demote child..? or do i just follow this page then i can remove it?

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17126832
Run DCPROMO /forceremoval.

Then follow this guide to remove all traces of the old domain and domain controllers:

http://support.microsoft.com/kb/216498/en-us
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 

Author Comment

by:techguy07
ID: 17126890
nvm, it was simple, i just remove the forwarder from the child dom DNS
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17126898
Why would that make a difference?  If the primary was set to the parent DNS it should never have been looking to the Forwarder.  Where was it pointing?

0
 

Author Comment

by:techguy07
ID: 17126900
To all this point, i guess my DNS configuration was not right....
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17126929
OK.

0
 

Author Comment

by:techguy07
ID: 17126958
i dont know why, but if i don't put the parentdom IP address in the CHILD DOM DNS FORWARDER, then i will get CONNECTIVITY FAILURE in the DCDIAG.EXE /v test
so i have to put it there somehow.

Ok... here is my detail configuration: Please tell me what i'm doing wrong ok? I really appreaciate your professional service and time.

Scenerio:
Site1
hostname: DC-Site1
domain: ParentDom
TCP/IP Configuration:
IP: 192.168.1.2/24
gw: 192.168.1.1
prefered DNS: 192.168.1.2
Alternate DNS: 192.168.1.3
Alternate DNS: 192.168.2.2 (DC-Site2  DNS)

DNS: allow zone transfer to 192.168.1.3
DNS settings are default just like you describe above
Secure Only Dynamic Updates... etcs
----------------------------
Additional Domain Controller (Backup DC)
hostname: ADC-Site1
domain: ParentDom
TCP/IP Configuration
IP: 192.168.1.3/24
gw: 192.168.1.1
prefered DNS: 192.168.1.2
alternate DNS: 192.168.1.3
alternate DNS: 192.168.2.2 (DC-Site2 DNS)
DNS: contained a secondary backup DNS of site1
----------------------------

Site2
hostname: DC-Site2
domain: ChildDom.ParentDom
TCP/IP Configuration:
IP: 192.168.2.2/24
gw: 192.168.2.1
prefered DNS: 192.168.2.2
Alternate DNS: 192.168.1.2  (DC-Site1  DNS)
DNS settings are default just like you describe above
Secure Only Dynamic Updates... etcs
----------------------------

I ran DCPROMO,
Domain Controller for a new domain -> Create a child domain in Existing Domain Tree and so on...
It ask for DNS --> i choose Install and Configure DNS automatically

Thats it?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17127014
This isn't necessary:

DNS: allow zone transfer to 192.168.1.3

On Site one DNS since all zones should be AD Integrated.

I think part of the reason we're having issues is that the child domain DNS is Windows 2000.  The Zones are not the same at all.  Replication to all zones in the Forest is a function of 2003 DNS only.

In order to make this work (the easiest way) would be to use a 2003 DNS server in the child domain.

Other than that, Forwarding to the parent or making ALL zones Primary (non-AD Integrated) on the parent and creating Secondary zones on the child (and vise-versa) would be the only other method since 2000 and 2003 DNS use different methods to configure the way you need to.

0
 

Author Comment

by:techguy07
ID: 17127962
Oh, Thanks,

I just demoted it, and promote as a new domain - new domain tree in an existing forest? will thise work better or the same?

Thanks Netman66 for the info...
0
 

Author Comment

by:techguy07
ID: 17127969
Or should i create a new forest of domain tree?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17130175
It will probably work the same.

No, don't create a new Forest, that opens up a whole new set of problems.

On the parent domain, change the _msdcs.parentdomain.local zone to Primary (non-AD Integrated).
On the child domain, create a new Secondary zone the same as the parent _msdcs zone.
Accept zone transfers from the parent DNS server.
Go back to the parent DNS server and allow zone transfers to the child.

This should take care of the _msdcs zone.

You can add a Delegation record on the child DNS for the parentdomain.local domain then point it to the parent DNS server.

You can also add a Delegation record on the parent DNS server for the child domain and point it to the child DNS server.

This should get the zones in order.

You may need to do the same for the Reverse Zone also.

NM
0
 

Author Comment

by:techguy07
ID: 17130910
Thanks for the update, I'll give it a try and i'll let you know
0
 

Author Comment

by:techguy07
ID: 17132188
Alternatively,
Can i promote active directory on site2 to be
Additional domain controller for an existing domain
And hosting GC there? and everyone from site2 logon using DC-Site2 domain controller?
will it help the bandwidth?

and placing an exchange server in site2 on the additional domain controller?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 17132215
Yes, you can certainly do that.  All those are good options.

As long as the domain and forest for the parent are in Windows 2000 Native mode or lower, you can join the 2000 server as a DC without the issues you are seeing now.

0
 

Author Comment

by:techguy07
ID: 17132225
so, that means it replicate within site2? and using less bandwidth right?
0
 

Author Comment

by:techguy07
ID: 17132268
and for exchange, what step do i install exchange on site2 as an secondary exchange server, and replicate (and hold) only a certain user and mailbox in site2, that it doesn't replicate the entire mailbox from site1
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132292
Not necessarily.  After you initially join the server it will use up some bandwidth to replicate, but it should drop down to nearly nothing after a short period.

You should make it a GC and also install DNS.  Make sure all zones (except the _msdcs zone) are AD Integrated.  Then simply install DNS on the remote server and do nothing else (install it after a successful DCPROMO).   Replication will create and populate all the zones except the _msdcs zone.

Create the _msdcs (secondary) zone manually and set it up to zone transfer from the main DNS server.

Since 2003 uses the application partition for the _msdcs zone it will NOT replicate to the 2000 DNS server as it normally is installed by default.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132313
Exchange won't replicate anything.  You can get away with using the main Exchange server for a small amount of users on the remote site.  It may be a lot less complicated.

0
 

Author Comment

by:techguy07
ID: 17132462
Ok thanks,
Right, So i dont need to install exchange on the remote site?
Thats alot less complicated... Thanks...
I gained more experience from this forum...
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132483
I wouldn't think it would be necessary if there aren't too many users.

With the domain being the same now, it'll be much easier to setup and maintain with one Exchange server.

How many user's are in the remote site?
0
 

Author Comment

by:techguy07
ID: 17132499
less than 10
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132551
No issue that I can see.

0
 

Author Comment

by:techguy07
ID: 17132577
what is the user limitation?

and follow up?

Create the _msdcs (secondary) zone manually and set it up to zone transfer from the main DNS server.

from site2 DNS, i create secondary zone name
_msdcs.parentdom
and allow zone transfer to 192.168.2.2 (remote site)
i cannot transfer from master
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132691
You need to change the zone on the parent to a standard Primary.  Then enable zone transfers from the parent to the child.

User limitation depends on link bandwidth.  Ten users shouldn't be too bad on even a T1.

0
 

Author Comment

by:techguy07
ID: 17132961
Oh, thanks for the info

I just checked my ParentDom, in Active Directory User and Computer
Operation Master ERROR on the first box...
and the second box shows, DC-Site2.ParentDom
RID - PDC - Infrastructure
Operation Master (ERROR)
The current operations master is offline. The role cannot be transferred. CHANGE button
DC-Site2.ParentDom

Should i click change so that Parent Domain holds all the server roles?
0
 

Author Comment

by:techguy07
ID: 17132979
Note that: i install as an additional domain controller in an existing domain... not child domain
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17133682
On the parent domain, if you have the Resource Kit installed on one of the DCs, then run:

dumpfsmos <servername>    <= where <servername> is the name of your DC.

Check for all 5 roles in the output.

0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now