• Status: Solved
  • Priority: Medium
  • Security: Public

Not all DCs are visible in Active Directory Sites and Services > NTDS Settings

I have three sites and four W2K3 R2 Domain Controllers. Site A has two domain controllers: DC1 and DC2. Site B contains DC3 and Site C contains DC4. I have set up DC1, DC3 and DC4 as bridgehead servers. My problem is that DC1 and DC4 will not see each other in AD Sites and Services. Replication appears to be working, as updates to a user account on DC1 will eventually get to DC4. Within AD Sites and Services, DC1 <> DC3 appears to be OK, and DC3 <> DC4 appears to be OK.
I think my problem may be DNS related; I've never set up DNS for different sites/subnets. Here is the IP config:
DC1: 192.168.101.10/24    \
DC3: 192.168.105.10/24    -  These are VLANS with a helper record.  
DC4: 192.168.108.10/24    /

On my DNS servers (192.168.101.10 & .11) I have only one reverse DNS lookup zone: 101.168.192.in-addr.arpa. Should I have reverse DNS lookup zones for each subsite also? And if yes, should I manually create them, delete the current DNS records for DC3 and DC4 and recreate them with the PTR box checked?

Thanks. Pat

0
Asked by: hemtech

1 Solution

ngmarowa commented:
Are the DCs in the same domain or the same forest?

Can you ping using the FQDN, i.e. ping DC1.domain.com from the other domains?
0
 
Alan Huseyin Kayahan commented:
Hi Pat
You do not have to delete the current DNS record. You can create a PTR record in the reverse lookup zone. And I assume you have to create reverse lookup zones for each VLAN.
Did you permit traffic between 101.10 - 105.10 - 108.10 with VLAN access lists?
Please run dcdiag on DC1 and DC4, then post the results here.
After creating reverse lookup zones for each VLAN, then creating PTR records for the servers in their VLANs, please run nslookup on DC4 and type the name of DC1, and let's see whether it resolves or not.
If traffic is not allowed between the servers, that may cause RPC errors.

Regards
0
 
hemtech (Author) commented:
- There is only one domain, and all the DCs are in it.
- Pinging the FQDN between servers works both ways.
- I created a reverse lookup zone for 192.168.108.x and put a PTR for DC4 in it about 7 hours ago. This does not appear to have resolved the issue.
- I did not configure the routers, but was told (and am under the impression) that there are no restrictions on the traffic permitted between VLANs. DC3 has been in a production environment for a few months now, and users are accessing resources like Exchange, AV, files and Internet without an issue. I'd like to rule out as much as possible before contacting our router technician, as he is expensive.
- I've never used dcdiag. From what I'm reading now it looks like I'll need the OS CD to install the Support Tools. I'll do this while I am on site later today and will post the results here then.
- DC1 resolves correctly via NSLOOKUP on DC4, and DC4 resolves correctly via NSLOOKUP on DC1. That said: I did not create a reverse DNS lookup zone for DC3 (192.168.105.x/24) and it too resolves correctly via NSLOOKUP. Is it possible this problem is not DNS related?

I'll post the results of the dcdiag in a little bit.

Thanks,
Pat
0
 
ocon827679 commented:
I don't think that you have a problem. You don't need PTR records for replication to occur. You've proved that already.

Use replmon to ensure that replication is not having any issues. It appears not, since you said you can add a user on one DC and the user object eventually ends up on all DCs, as it should.

Check the file replication event logs on each DC. Any errors? If you restart the File Replication Service you should get a 13516 event in the FRS log indicating all is well. Do this on each DC.

In AD Sites and Services you see which DCs the DC that you are attached to is replicating with. If DC1 is replicating with DC3 and DC3 is replicating with DC4, then you are OK. You don't need to see that DC1 is replicating with 3 and 4, and 3 is replicating with 1 and 4, and 4 is replicating with 1 and 3.

If you want to see these, then you can manually add a replication connector (I know it's not called that, but I can never remember the exact names) using AD Sites and Services. But you are not buying yourself anything more than self-satisfaction.

Also, it is best practice to let the KCC do the work of selecting the replication bridgehead.

One last thing, I hope that I'm not coming across as some pompous twit. I don't mean to; I just think that in this case you're beating yourself up for no reason.
0
 
hemtech (Author) commented:
Below are the results of the dcdiag on DC4, then DC1. If I don't have a problem, what will happen if I lose DC3, given that replication between DC1 and DC4 relies on it?

DCDIAG on DC4:

C:\Program Files\Support Tools>dcdiag.exe

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: VictoryBlvd\SIJCCDC4
      Starting test: Connectivity
         ......................... SIJCCDC4 passed test Connectivity

Doing primary tests

   Testing server: VictoryBlvd\SIJCCDC4
      Starting test: Replications
         ......................... SIJCCDC4 passed test Replications
      Starting test: NCSecDesc
         ......................... SIJCCDC4 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SIJCCDC4 passed test NetLogons
      Starting test: Advertising
         ......................... SIJCCDC4 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SIJCCDC4 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SIJCCDC4 passed test RidManager
      Starting test: MachineAccount
         ......................... SIJCCDC4 passed test MachineAccount
      Starting test: Services
         ......................... SIJCCDC4 passed test Services
      Starting test: ObjectsReplicated
         ......................... SIJCCDC4 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SIJCCDC4 passed test frssysvol
      Starting test: frsevent
         ......................... SIJCCDC4 passed test frsevent
      Starting test: kccevent
         ......................... SIJCCDC4 passed test kccevent
      Starting test: systemlog
         ......................... SIJCCDC4 passed test systemlog
      Starting test: VerifyReferences
         ......................... SIJCCDC4 passed test VerifyReferences

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : SIJCC
      Starting test: CrossRefValidation
         ......................... SIJCC passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... SIJCC passed test CheckSDRefDom

   Running enterprise tests on : SIJCC.COM
      Starting test: Intersite
         ......................... SIJCC.COM passed test Intersite
      Starting test: FsmoCheck
         ......................... SIJCC.COM passed test FsmoCheck

C:\Program Files\Support Tools>


DCDIAG on DC1:

C:\Program Files\Support Tools>dcdiag.exe

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: ManorRoad\SIJCCDC1
      Starting test: Connectivity
         ......................... SIJCCDC1 passed test Connectivity

Doing primary tests

   Testing server: ManorRoad\SIJCCDC1
      Starting test: Replications
         ......................... SIJCCDC1 passed test Replications
      Starting test: NCSecDesc
         ......................... SIJCCDC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SIJCCDC1 passed test NetLogons
      Starting test: Advertising
         ......................... SIJCCDC1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SIJCCDC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SIJCCDC1 passed test RidManager
      Starting test: MachineAccount
         ......................... SIJCCDC1 passed test MachineAccount
      Starting test: Services
         ......................... SIJCCDC1 passed test Services
      Starting test: ObjectsReplicated
         ......................... SIJCCDC1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SIJCCDC1 passed test frssysvol
      Starting test: frsevent
         ......................... SIJCCDC1 passed test frsevent
      Starting test: kccevent
         ......................... SIJCCDC1 passed test kccevent
      Starting test: systemlog
         ......................... SIJCCDC1 passed test systemlog
      Starting test: VerifyReferences
         ......................... SIJCCDC1 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : SIJCC
      Starting test: CrossRefValidation
         ......................... SIJCC passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... SIJCC passed test CheckSDRefDom

   Running enterprise tests on : SIJCC.COM
      Starting test: Intersite
         ......................... SIJCC.COM passed test Intersite
      Starting test: FsmoCheck
         ......................... SIJCC.COM passed test FsmoCheck

C:\Program Files\Support Tools>
0
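Long dcdiag listings like the two above are easier to review when parsed into a per-test table, so that a single "failed test" line cannot hide among dozens of "passed" lines. The following Python parser is an added example for this thread (not a tool posted by any participant); the `SAMPLE` output it parses is constructed for illustration, with one deliberately failing Replications test, and is not the real output from the DCs discussed here.

```python
import re
from collections import Counter

# Per-test result lines dcdiag prints, e.g.
#   "......................... SIJCCDC4 passed test Replications"
RESULT_RE = re.compile(
    r"^\s*\.+\s+(?P<target>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)\s*$")
# Section headers naming what is under test: "Testing server: Site\DC"
SERVER_RE = re.compile(r"^\s*Testing server:\s+(?P<site>[^\\]+)\\(?P<server>\S+)")
# "Running partition tests on : Schema" / "Running enterprise tests on : domain"
SCOPE_RE = re.compile(r"^\s*Running (?P<scope>partition|enterprise) tests on\s*:\s*(?P<name>\S+)")

def parse_dcdiag(text):
    """Return one dict per result line: scope, site, target, test, verdict."""
    results, scope, site = [], None, None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            scope, site = "server", m.group("site")
            continue
        m = SCOPE_RE.match(line)
        if m:
            scope, site = m.group("scope"), None
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append({"scope": scope, "site": site, "target": m.group("target"),
                            "test": m.group("test"), "verdict": m.group("verdict")})
    return results

def failed_tests(results):
    """(target, test) pairs that did not pass; the list an admin should act on."""
    return [(r["target"], r["test"]) for r in results if r["verdict"] == "failed"]

def summary(results):
    """Counts of passed/failed results, e.g. {'passed': 4, 'failed': 1}."""
    return dict(Counter(r["verdict"] for r in results))

# Constructed sample in dcdiag's format (not real output from the thread's DCs).
SAMPLE = """\
   Testing server: ManorRoad\\SIJCCDC1
      Starting test: Connectivity
         ......................... SIJCCDC1 passed test Connectivity
   Testing server: ManorRoad\\SIJCCDC1
      Starting test: Replications
         ......................... SIJCCDC1 failed test Replications
      Starting test: Advertising
         ......................... SIJCCDC1 passed test Advertising
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   Running enterprise tests on : SIJCC.COM
      Starting test: Intersite
         ......................... SIJCC.COM passed test Intersite
"""
```

Feeding the saved output of `dcdiag.exe` from each DC through `failed_tests` gives a short, scriptable health check that can be scheduled and alerted on, rather than relying on reading the full listing by eye.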
 
ocon827679 commented:
The KCC will see that 3 went down and establish a connection directly to 4. This checking is built into the KCC logic.
0
 
hemtech (Author) commented:
So then the consensus is that I don't have an issue here?
0
 
ocon827679 commented:
That's my opinion.
0
 
hemtech (Author) commented:
ocon827679 - you were right. We've been running now for several, moving and creating users, doing all sorts of things, without a problem. Thanks.
0