Paul Fisher
asked on
Active Directory replication topology error
I recently added a secondary domain controller to an existing network running Windows 2000 Server. I am receiving the following message in Active Directory Sites and Services:
"Replication Topology error: The following error occurred during the attempt to contact domain controller: The Active Directory property cannot be found in the cache"
Any ideas?
ASKER
DC #1 - AD / DHCP / DNS (o/s: w2ksvr svcpk 4)
DC #2 - AD / DNS
Replication was successful when the second DC joined the domain. It has a copy of all the AD objects. I can create users in one DC and see them in the other. But when I try and force replication in AD Directory and Sites, that's when the error appears.
Here are results of repadmin /showreps. I can't get DC #1 to see any INBOUND neighbors -
C:\Documents and Settings\Administrator>REPADMIN /SHOWREPS
Default-First-Site\NY-SERV001
DSA Options : IS_GC
objectGuid : e1c4bdcc-b921-4e47-a7f6-c27b75ac73dc
invocationID: e1c4bdcc-b921-4e47-a7f6-c27b75ac73dc
==== INBOUND NEIGHBORS ======================================
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
CN=Schema,CN=Configuration,DC=NLNS-NY-Apps,DC=nlns,DC=org
    Default-First-Site\NY-SERVBKUP via RPC
        objectGuid: dac681c5-0ed3-4b7a-9912-0608d534d51a
CN=Configuration,DC=NLNS-NY-Apps,DC=nlns,DC=org
    Default-First-Site\NY-SERVBKUP via RPC
        objectGuid: dac681c5-0ed3-4b7a-9912-0608d534d51a
DC=NLNS-NY-Apps,DC=nlns,DC=org
    Default-First-Site\NY-SERVBKUP via RPC
        objectGuid: dac681c5-0ed3-4b7a-9912-0608d534d51a
Almost sounds like the KCC didn't kick off, or some problem happened when it tried to run. Any KCC errors in the event log?
Let's try to manually run it:
Use the Check Replication Topology command in Dssites.msc to force KCC to build the automatic connection objects. After you do so, press F5 to refresh the view.
ASKER
TONS OF FAILURES! WHOA! HELP! WHAT SHOULD I CHECK FIRST?
The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=NLNS-NY-Apps,DC=nlns,DC=org
Source DSA DN: CN=NTDS Settings,CN=NY-SERVBKUP,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=NLNS-NY-Apps,DC=nlns,DC=org
Source DSA Address: dac681c5-0ed3-4b7a-9912-0608d534d51a._msdcs.NLNS-NY-Apps.nlns.org
Inter-site Transport (if any):
failed with the following status:
The DSA operation is unable to proceed because of a DNS lookup failure.
The record data is the status code. This operation will be retried.
I would start with DNS. Are there any DNS errors in the Domain Controller event logs? Can you ping the DCs from the other partner? What about reverse DNS? Are we in an AD-integrated DNS mode? Are the Domain Controllers pointing to themselves for DNS resolution?
ASKER
1. Are there any DNS errors in the Domain Controller event logs? Here's a copy of the second to last event in log. The first one just says that the dns service has started.
The DNS server encountered a packet addressed to itself -- IP address 192.168.1.2.
The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.
Check the following areas for possible self-send configuration errors:
1) Forwarders list. (DNS servers should not forward to themselves).
2) Master lists of secondary zones.
3) Notify lists of primary zones.
4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.
Example of self-delegation:
-> This DNS server dns1.foo.com is the primary for the zone foo.com.
-> The foo.com zone contains a delegation of bar.foo.com to dns1.foo.com,
(bar.foo.com NS dns1.foo.com)
-> BUT the bar.foo.com zone is NOT on this server.
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.
2. Can you ping the DCs from the other partner? Yep. I can ping with both ip address and FQDN.
3. Reverse DNS? It's been setup but I will recheck for errors.
4. AD-integrated DNS mode? Yes. Is that a problem?
5. Are the Domain Controllers pointing to themselves for DNS resolution? Yes.
I'm in crisis mode. Gotta get this fixed by tomorrow. Thanks for the help!
It definitely sounds like a DNS issue more so than anything else.
As far as the first error goes, open up DNS Management for both of your domain controllers. Right click on the server itself and select Properties. What is listed in the forwarders tab? Also, click on the Name server tab. What servers are listed in there?
The forwarders area should probably be empty for you. However, the name servers area should have both of your domain controllers listed. If not, make sure that both Domain Controllers are listed in there.
I would also check this document for additional DNS troubleshooting from Microsoft -- http://support.microsoft.com/default.aspx?scid=kb;en-us;235689
Let us know how it goes...
ASKER CERTIFIED SOLUTION
In the DNS manager, under Forward Lookup Zones\yourdomainname\_msdcs, you should find (or not) the CNAME text file they are talking about in the article above (you don't need to run any utilities to find out the ID; you should find the good ID in the DNS manager under "Forward Lookup Zones\yourdomainname\_msdcs" on the working domain). In my case 2 were missing for the 2 problematic DCs. I created an alias for each one (copied the IDs and data from the working DCs to the records I'm creating), restarted the DNS and Netlogon services on the problematic DC, and all worked fine like magic. Thank you rpartington for digging up that article for us.
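The "DNS lookup failure" in the replication-link error above and the missing _msdcs alias described in this comment are the same condition: each partner's Source DSA Address is `<objectGuid>._msdcs.<forest root>`, and if that CNAME is absent the DSA cannot be resolved. The following added example (not code from this thread; the repadmin text and zone contents are constructed to mirror the output posted above) parses `repadmin /showreps` output, derives the expected CNAME for every outbound partner, and reports the ones the zone lacks. It assumes the Configuration partition DN identifies the forest root, which holds true for any forest.

```python
"""Added example: derive each replication partner's GUID._msdcs CNAME from
repadmin /showreps output and check it against the DNS zone (constructed data)."""
import re

# Constructed sample modelled on the repadmin /showreps output quoted in this thread.
SHOWREPS_SAMPLE = """\
Default-First-Site\\NY-SERV001
DSA Options : IS_GC
objectGuid : e1c4bdcc-b921-4e47-a7f6-c27b75ac73dc
==== INBOUND NEIGHBORS ======================================
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
CN=Schema,CN=Configuration,DC=NLNS-NY-Apps,DC=nlns,DC=org
    Default-First-Site\\NY-SERVBKUP via RPC
        objectGuid: dac681c5-0ed3-4b7a-9912-0608d534d51a
CN=Configuration,DC=NLNS-NY-Apps,DC=nlns,DC=org
    Default-First-Site\\NY-SERVBKUP via RPC
        objectGuid: dac681c5-0ed3-4b7a-9912-0608d534d51a
DC=NLNS-NY-Apps,DC=nlns,DC=org
    Default-First-Site\\NY-SERVBKUP via RPC
        objectGuid: dac681c5-0ed3-4b7a-9912-0608d534d51a
"""

# Constructed view of the _msdcs CNAMEs the DNS zone currently holds; the
# partner DC's alias is deliberately absent to reproduce the failure above.
ZONE_CNAMES = {
    "e1c4bdcc-b921-4e47-a7f6-c27b75ac73dc._msdcs.nlns-ny-apps.nlns.org":
        "ny-serv001.nlns-ny-apps.nlns.org",
}

# One partner entry: "<site>\<DSA> via <transport>" followed by its objectGuid line.
PARTNER_RE = re.compile(
    r"^\s*(?P<site>[^\\\n]+)\\(?P<dsa>\S+) via (?P<transport>\S+)\s*\n"
    r"\s*objectGuid:\s*(?P<guid>[0-9a-f-]{36})", re.I | re.M)

def forest_root(showreps: str) -> str:
    """The Configuration NC always lives in the forest root domain, so its
    DN (CN=Configuration,DC=...) gives the DNS name that _msdcs sits under."""
    dn = next(l.strip() for l in showreps.splitlines()
              if l.strip().upper().startswith("CN=CONFIGURATION,"))
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC=")).lower()

def partners(showreps: str) -> dict:
    """Map each partner DSA name to its objectGuid (deduplicated across partitions)."""
    return {m["dsa"]: m["guid"].lower() for m in PARTNER_RE.finditer(showreps)}

def missing_dsa_cnames(showreps: str, zone_cnames: dict) -> dict:
    """Return {DSA: expected CNAME owner name} for partners the zone cannot resolve.
    A hit here is the DNS lookup failure the replication-link error reports."""
    root = forest_root(showreps)
    wanted = {dsa: f"{guid}._msdcs.{root}" for dsa, guid in partners(showreps).items()}
    return {dsa: name for dsa, name in wanted.items() if name not in zone_cnames}

if __name__ == "__main__":
    for dsa, name in missing_dsa_cnames(SHOWREPS_SAMPLE, ZONE_CNAMES).items():
        print(f"{dsa}: no CNAME {name}; replication from this DSA will fail DNS lookup")
```

On a live server, replace ZONE_CNAMES with the CNAME owner names listed under the _msdcs folder in DNS Manager (or the output of an nslookup for each expected name), and any DSA reported here is the one whose alias needs to be created before restarting DNS and Netlogon.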
Can we have some background and an outline of how your sites and whatnot are configured?
Can you check connectivity for me between the two?