MemxIT
asked on
Multiple DCs and Sites (DNS returning DC IPs not reachable from all sites)
We are experiencing what appears to be DNS issues on our network.
Here's a summary of how everything is configured.
3 store locations (loc01 - loc03)
1 headquarters (hq01)
Domain name: dom.company.com
loc01-loc03:
All have Site Domain controllers with DNS and a global catalog.
hq01
Has Main Domain controller with DNS and global catalog
loc01-loc03 each have a VPN tunnel to hq01 (loc01-loc03 can all see hq01, but cannot see each other)
Our problem is that for Group Policy replication the DCs try connecting via \\dom.company.com\SysVol\dom.company.com\Policies\{~~GUID~~}\gpt.ini
From loc01, in nslookup, dom.company.com will return the IPs for ALL DCs from ALL locations, but only loc01 and hq01 are reachable via VPN. How can this be corrected so that from each location only the local site DC and the hq DC IP are returned when resolving dom.company.com?
We are receiving an error indicating that the gpt.ini file is inaccessible (1058) (Windows cannot access the file gpt.ini for GPO)
- We've concluded this is because DNS resolves our domain name to all DC IPs, some of which are not accessible. Therefore we need to have DNS only return the DC IPs that are reachable from said location.
As for Sites, each loc (loc01-loc03) is in a site and set for replication from the Main DC at hq01. This part is working.
ASKER
As an additional question to all this.... We currently use dom.company.com as our domain company wide.
Should we have a child domain for each location, since all locations cannot see each other? The DNS records for each location would then be in separate zones?
i.e. Domain loc01.dom.company.com, DNS loc01.dom.company.com
Domain loc02.dom.company.com, DNS loc02.dom.company.com
Ideally we'd like to maintain the single domain, but get each store location to act completely independently from everywhere else and replicate from the hq01 Domain controller for DNS and AD.
ASKER
In AD Sites and Services make sure the subnets are defined for each of your sites
- Already done, all sites have their subnet defined
In AD Sites and Services, under Sites | Inter-Site Transports | right-click the IP container and you'll see a tick box for "Bridge all site links"
- Already disabled, and only links between servers that can see each other are present
I will try some of the things mboppe suggests when I have a chance (today or tomorrow).
Thank you guys. I'm pretty sure it's just DNS related, as doing an nslookup on the domain name resolves to the IPs for ALL DCs, not just the reachable ones. Under the domain zone in DNS there are A host records for the domain zone (one for each DC); I'm sure this is where it's getting the records from, but if I delete any A record, it'll replicate to all the Site controllers and the site whose DC A record I delete will not return the IP for its DC via DNS anymore. I've assumed Microsoft was smart in the sense that even though all IPs are returned when doing nslookup, because I have sites and subnets defined it will only use the IPs belonging to its subnet, and if that's not reachable it'll use the other servers that are defined in the replication links (since you can set weight and priority on them etc.)
ASKER
Create a scheduled task on the client experiencing the problem, which will open an interactive cmd shell (by default will run as Local System account).
- I can't seem to run it as a Local System account, I also can't log in to windows locally either. I only have the domain as an available login option, the local machine name doesn't show up, I assume because the server is a DC and is running Active Directory.
Go over the system variables to determine the DC the client used to logon
- UserDomain and UserDNSDomain both equal dom of course... but this info doesn't help since if it's logged into the domain anywhere it'll say dom (dom.company.com). I don't see any variable that tells what DC it logged into, only what domain.
I'll continue to check the other things you've suggested, thank you
ASKER
K, my bad.. just reread the environment variables, LOGONSERVER is correct, it's the DC for that location.
The GP replication error I have in Event Viewer states that it's replicating from \\dom\SYSVOL\........
The issue is that DNS nslookups on dom return the IPs of all DCs instead of only the DC that's in the current site. There's an A record for every DC in the dom.company.com zone, and if I delete any of them they'll replicate to all site DNS servers and that site will not get the IP of its local DC returned. Is there any setting so that DNS will return records conditionally based on the site you're in?
ASKER
Anybody know why I get all DC IPs for an nslookup on the domain name instead of just the IPs of the servers specified in the site? How can I correct my DNS to resolve this?
ASKER
Here's the root of my problem I'm trying to resolve... GPO replication errors:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 8/7/2007
Time: 8:57:51 AM
User: NT AUTHORITY\SYSTEM
Computer: ABD0-SRV-DC01
Description:
Windows cannot access the file gpt.ini for GPO CN={02EAC0C9-59FE-43A5-93C3-A673E863076F},CN=Policies,CN=System,DC=MEMXDOM,DC=******,DC=COM. The file must be present at the location <\\MEMXDOM.******.COM\SysVol\MEMXDOM.******.COM\Policies\{02EAC0C9-59FE-43A5-93C3-A673E863076F}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I've read this page about how GPO replication works, and have determined my Active Directory replicates no problem, it's the File Replication Service (FRS) that is having issues.
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1206806,00.html
ASKER
"FRS, unlike the Active Directory replication service, does not adhere to site boundaries and is not limited to a schedule. This makes the replication of the GPT fast and efficient between domain controllers."
This could be my issues, since it's trying to replicate from a site DC that isn't reachable from the current site.
ASKER
I've gotten rid of the GPO replication error, the FRS on our main DC stopped for some reason half a month ago, I restarted it and created a temp folder in \SYSVOL to trip a replication... Now it is working for replicating the SYSVOL tree....
We still have the issue that doing an nslookup or ping of our domain name resolves to all DCs (even ones that are not reachable). What can I change via DNS to correct this?
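A diagnostic that separates the two lookups being conflated in this thread, added here as an example and not taken from the thread or its answers: the domain name's A records (which list every DC, as the asker sees in nslookup) versus the site-specific SRV records under _sites.dc._msdcs that the DC locator uses to choose a DC for the client's site, followed by a TCP/445 reachability check of every address the A query returns. It assumes the site is named loc01, the domain is dom.company.com, and a Windows host with the DnsClient and NetTCPIP PowerShell modules (Windows 8 / Server 2012 or later).

```powershell
# Added diagnostic (not from the thread). Assumptions: AD site name "loc01",
# domain "dom.company.com"; run from a DC or member in site loc01.
$Domain = 'dom.company.com'
$Site   = 'loc01'   # assumption: the AD site is named after the location

# 1. What the thread observes: the A records for the bare domain name
#    list every DC in the domain, with no site awareness at all.
Write-Host "A records for $Domain (all DCs, regardless of site):"
Resolve-DnsName -Name $Domain -Type A | Select-Object Name, IPAddress

# 2. The records the DC locator actually consults for a client in $Site:
#    only DCs that registered themselves in this site appear here.
$SiteSrv = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
Write-Host "`nSRV records for $SiteSrv (DCs covering site $Site):"
Resolve-DnsName -Name $SiteSrv -Type SRV |
    Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Priority, Weight, Port

# 3. Which site this host's subnet maps to, and which DC the locator
#    picks for that site (nltest ships with Windows).
nltest /dsgetsite
nltest "/dsgetdc:$Domain" "/site:$Site"

# 4. The 1058 error is an SMB path failure, so test SMB (TCP/445) to every
#    address behind the domain name; unreachable ones show SMBReachable=False.
Resolve-DnsName -Name $Domain -Type A | ForEach-Object {
    $ok = Test-NetConnection -ComputerName $_.IPAddress -Port 445 `
                             -InformationLevel Quiet
    [pscustomobject]@{ DC = $_.IPAddress; SMBReachable = $ok }
}
```

On older hosts without Resolve-DnsName, `nslookup -type=SRV _ldap._tcp.loc01._sites.dc._msdcs.dom.company.com` returns the same site-specific SRV answer as step 2.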
ASKER