Solved

Domain controller issues

Posted on 2008-10-02
Last Modified: 2013-12-05
Ok, here we go! Thanks in advance to anyone who takes the time to look at this post.

I came into a network admin position where Active Directory was set up in a complete mess. There are two domain controllers: DC1 (Abox), the PDC, on Windows 2000, and DC2 (Bbox) on Windows 2003. The old IT admin was a complete idiot and rebuilt DC2 (Xbox) but did not demote all of the roles properly; he just ended up renaming the DC (Xbox) to make (Bbox) work and then kept the schema master as the old offline DC (Xbox) that was rebuilt, which has totally snowballed. It looks like he kept the same IP address as the rebuilt DC (Xbox) and just changed the name because he could not get it to work, since he had not demoted the roles and transferred them.

DC1 (Abox) seems to have obtained most of the roles except for the Schema master, which states it is offline. I seized this role with metadata cleanup but did not transfer the role to any of the DCs. The Active Directory Schema operations master now shows Current Focus DC1 (Abox), but Current is Error.

DC1 (Abox) is not showing any errors in the event logs and is only showing one error in the dcdiag output, a Warning: CN="NTDS Settings" in KnowsOfRoleHolders for the schema, which is the old DC (Xbox) that is offline; see attached file. DC2 (Bbox) and DC1 (Abox) are not replicating at all, but they have before, because they both have the same information in them. They are able to ping each other, and DNS is set up as standard primary on DC1 and secondary on DC2, and these seem to be transferring fine. When I try to run netdom query fsmo on DC1 (Abox) I get "RPC server unavailable". I am getting a lot of errors on DC2 (Bbox) in the System, Application, and Directory Service logs; see attached file errors.txt.

One of the errors that I have researched is a Kerberos event ID 4; see below.
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/Bbox.domainname.com.  The target name used was cifs/Bbox.domainname.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (domainname.com), and the client realm.   Please contact your system administrator.  


I have used Ldp.exe to try to find a duplicate SPN, but it only finds one result, and in Active Directory Users and Computers there is no indication of a duplicate computer or user anywhere. I have checked DNS and took out all of the old (Xbox) records in DNS and in Active Directory Users and Computers. The tests come back fine from dnslint and the other DNS tests that I have run. When I try to manage DHCP remotely there seem to be two DHCP servers with the same scope on DC2 (Bbox), one with the name bbox.domainname.com and one with domainname.com, with two separate IP addresses, but when I am logged onto that box I only see one. Could this be my bad apple?

I have searched all of the Microsoft tech sites and tried everything that I felt safe doing. I have not demoted DC2 (Bbox) and tried to promote it back; can I do this without causing issues on the network? I did power it down and our users started having trouble getting around on the network, and I believe this was due to them having DC2 in their DNS as the primary server. So I have fixed DHCP to give out the DNS for DC1 (Abox), but I haven't tried to take it down again and will try that this coming weekend. This last admin has really made my life hell with this network. There was an NTDS server for (Xbox) that, after seizing the role, I was able to take out. But it looks like this (Xbox) is still lingering in the network somewhere.

I want to avoid rebuilding this box. This is a very old network and, with the last admin's inexperience, there are a lot of things that affect one another and there is no redundancy, so I want to be able to find the issue so it is not around any longer; then I can start building the network over the right way.

I have attached some files that should help. One is the event errors from DC2 (Bbox) and the others are the dcdiag output from DC1 and DC2.

DC2-errors.txt
DC1-dcdiag.txt
dcdiag-DC2.txt
Question by:geo502

Expert Comment by: Darius Ghassem (ID: 22626270)
See if the link below will show the similar SPNs that might be causing the issue. Are you getting any 13508 errors? Make sure the server's TCP/IP settings have the local DNS server's IP address listed only. Have you seized the schema master yet? Did you seize it to DC1? When you demoted and then promoted, did you receive any errors on DC2?

http://planetmagpie.com/ITConsulting/TechNotes.aspx?ItemId=47807b9e-1170-4b8d-8f82-1a1aa87d0d11

Author Comment by: geo502 (ID: 22636685)
Thanks Dariusq,
After looking for duplicate SPNs, there is no UPN that shows as a duplicate; I think it is because this DC2 is just hosed. I was able to seize the schema role and now DC1 holds all 5 roles. My question now is whether it would be OK for me to demote DC2 and promote it and let it replicate from DC1 without causing any issues on the network. I mean, DC2 is so messed up from the old settings that I don't see any good it is doing at this moment anyway. Is this something I can do with everyone running on the network? It states that DC1 holds all 5 roles now. Is demoting it kind of like an on and off switch, if that makes any sense?

Expert Comment by: Darius Ghassem (ID: 22636734)
When you demote the server, I would do a metadata cleanup on AD just in case there are any lingering objects. Also, make sure your clients don't point to the server for DNS when you demote. Make sure DNS is cleaned out of the old DC's objects. The dcpromo is like removing a program from the server, but you will have to restart the server, so if there are any other services running they will go down a couple of times. Also, I would recommend changing the server's name if you can, because of the errors you were getting, to make sure you are starting clean.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Author Comment by: geo502 (ID: 22637633)
And another question. Since DC2 has a DHCP server attached to it that hands out IPs and is not working right now, but it still is giving out IPs, and DC1 is also a DHCP server, can I take the scope from DC2 and add it to the scope on DC1? DC2 has .40 - .79 and DC1 has .80 - .120. Can I expand the scope on DC1 with DC2's DHCP server and not mess anything up in AD?

Expert Comment by: Darius Ghassem (ID: 22637648)
Yes, you can do that.

Author Comment by: geo502 (ID: 22685797)
Ok, here is an update. I tried demoting DC2 Bbox using dcpromo. I am getting the error "the operation failed because: managing the session with <server2>.rohnlaw.com failed.  logon failure:  the target account name is incorrect.". I have worried about doing a /forceremoval and not being able to bring that domain controller back up with the same name and IP. It looks like if I was able to get the replication fixed then all of my issues would resolve themselves. The errors that I am getting in Event Viewer are
"Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this."
and
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com. The file must be present at the location <\\domain.com\sysvol\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Logon Failure: The target account name is incorrect. ). Group Policy processing aborted.

I have taken DC1 Abox, which holds all of the roles, down to see what is affected, and I seem to be able to log in to the network and whatnot. Also, my question about moving the DHCP server over to one server (Abox): I took the scope from Bbox and extended this scope on Abox, but it doesn't seem to be leasing out any IPs in that extended scope from this server. Did I not do something right there? If it is integrated in AD, are there any other settings besides the DHCP MMC that you need to adjust when combining the two?

One more thing: I had a website of domain.com and it doesn't seem to be working on one of my web servers. I could ping that domain but it was bringing up page not found; iisreset and rebooting the server did nothing. There are other sites on the network that are subdomains of xxxx.domain.com and they seem to work just fine. I am not sure if there is some sort of snowball effect with the Directory Service that is starting to catch up to me or not; nothing else has been tinkered with or changed. I moved that domain to a backup web server with the IP of the existing web server and all seems to be working fine. Strange things are happening and I really need some guidance on how to take control of this ASAP.

Thanks for your help,
GEO



Expert Comment by: Darius Ghassem (ID: 22686332)

Author Comment by: geo502 (ID: 22702867)
I seem to be getting a lot of these errors on my network now. I have decommissioned DC2 Bbox and am going to rebuild it this week. A lot of my Windows server boxes are getting the following errors.

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com. The file must be present at the location <\\domain.com\sysvol\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Logon Failure: The target account name is incorrect. ). Group Policy processing aborted.

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Some of my sites that connect to the DB server are causing timeouts. So as I am troubleshooting I see the above errors and am not sure if I should relate these timeouts to this or not. When I try to access the domain controller through the Run box from one of the servers getting the errors (\\Abox\E$), I get "the target account name is incorrect". But I can ping Abox and nslookup returns OK. When I try to access \\Abox\E$ from my personal XP machine I get through fine.

I need some suggestions on what to do here. dcdiag and netdiag are not returning any obvious errors.


Expert Comment by: Darius Ghassem (ID: 22702973)
Do any of the machines have this server's IP listed for DNS?

Author Comment by: geo502 (ID: 22703272)
The DNS server is still running on that machine, and yes, some of them do have it set as the secondary DNS. Is it OK to just have one DNS server set up for these servers?

Expert Comment by: Darius Ghassem (ID: 22703526)
That is fine. Did you look in DNS to see if there are still SRV records for the old DC? Make sure to do a metadata cleanup. Once you promote the server the errors should go away.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Expert Comment by: Darius Ghassem (ID: 22703533)
Change the DNS settings to only list the one DNS server until you promote.

Author Comment by: geo502 (ID: 22703618)
Yeah, I just tried that. Something really weird is going on. Here is what I have found in the last few minutes while troubleshooting. When I ping Abox from one of the servers getting the errors I get replies. When I do an nslookup Abox from the server it is looking at my outside DNS server (208.29 IP) when it should be looking for a 192 address. My workstation sees the 192 address when I do an nslookup Abox fine. So I went into the DNS settings and I can't find anything with abox.domain.com associated with that outside address. Every server that is having problems connecting to the GP is having the same issue finding this in an nslookup. I have WINS set up on Abox but it is reading the right IPs. These outside DNS servers should not be associated with anything on the internal network.

When doing an nslookup, where does it try to query the results from? The DNS setting is set to Abox, so is it trying to query it there? Somewhere there seems to be a duplicate Abox that is causing issues with Kerberos tickets and everything. There are no duplicate entries in Active Directory Users and Computers.

Thanks for your time on this, Dari

Expert Comment by: Darius Ghassem (ID: 22703684)
Do a netdiag /fix on the system to update the DNS records. Then get on one of the computers having trouble and do an ipconfig /registerdns, then ipconfig /flushdns.

Author Comment by: geo502 (ID: 22704874)
Steps I have taken:
ran netdiag /fix on DC1 to update DNS records; it came back passed.
went into one of the servers not able to read DC1 and ran ipconfig /registerdns and ipconfig /flushdns

Still the same issues.
Here are the results for nslookup on the workstation vs the server.
Workstation PC with DNS settings in TCP/IP of 192.168.0.7 (DC1 Abox - Active Directory integrated):
C:\>nslookup
Default Server:  Abox.domain.com
Address:  192.168.0.7

> Abox
Server:  abox.domain.com
Address:  192.168.0.7

Name:    abox.domain.com
Address:  192.168.0.7

The servers with the GP errors have 192.168.0.7 as the primary DNS server in their TCP/IP settings, but they are querying a DNS server on the outside (208.xx.xxx):

C:\nslookup Abox
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 208.29.xx.xx: Timed out  '<--- this is my outside dns server --WTF
Server:  UnKnown
Address:  208.29.xx.xx  <--- this is my outside dns server .. this should not be queryed

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
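A way to run this workstation-versus-server comparison across every affected server at once, as an added example that is not part of the original thread: it reads each server's per-adapter DNS list over WMI, flags any resolver outside an approved internal set, and asks each listed resolver for the DC's A record. The server names, the approved resolver list, and running it from a Windows 8 / Server 2012 or later admin host (for Resolve-DnsName) with WMI access to the servers are assumptions.

```powershell
# Added example, not from the original thread. Assumptions: the member-server names,
# the approved resolver list, and a Windows 8 / Server 2012 or later admin host that
# has Resolve-DnsName and DCOM/WMI access to the servers being checked.
param(
    [string[]]$Servers      = @('web1', 'db1'),                  # assumed member servers
    [string]  $DcName       = 'abox.domain.com',                 # DC1 from the thread
    [string]  $DcExpectedIp = '192.168.0.7',                     # its internal address
    [string[]]$ApprovedDns  = @('192.168.0.7', '192.168.0.15')   # internal resolvers only
)

# Ask one specific resolver for the DC's A record, the way nslookup does after
# "server <ip>". Returns the first address, or 'NO ANSWER' on timeout/NXDOMAIN.
function Resolve-ViaServer {
    param([string]$Name, [string]$DnsServer)
    try {
        $rec = Resolve-DnsName -Name $Name -Server $DnsServer -Type A -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($rec) { return $rec.IPAddress } else { return 'NO ANSWER' }
    } catch {
        return 'NO ANSWER'
    }
}

$report = foreach ($srv in $Servers) {
    try {
        # Win32_NetworkAdapterConfiguration exists back to Windows 2000/2003, so the
        # old member servers in the thread can be queried without any agent.
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $srv -Filter 'IPEnabled = TRUE' -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Server = $srv; Adapter = '(WMI unreachable)'; DnsServer = ''
                           Approved = $false; Answer = ''; Ok = $false }
        continue
    }
    foreach ($nic in $nics) {
        # Each adapter carries its own resolver list; a forgotten second NIC or a stale
        # entry is how an outside resolver shows up despite the "right" TCP/IP settings.
        foreach ($dns in @($nic.DNSServerSearchOrder | Where-Object { $_ })) {
            $answer = Resolve-ViaServer -Name $DcName -DnsServer $dns
            [pscustomobject]@{
                Server    = $srv
                Adapter   = $nic.Description
                DnsServer = $dns
                Approved  = ($ApprovedDns -contains $dns)
                Answer    = $answer
                Ok        = ($ApprovedDns -contains $dns) -and ($answer -eq $DcExpectedIp)
            }
        }
    }
}

$report | Format-Table Server, Adapter, DnsServer, Approved, Answer, Ok -AutoSize

# Any host with an Ok = False row will fail SYSVOL/Group Policy and Kerberos name
# checks against the DC; fix its resolver list before chasing AD itself.
$report | Where-Object { -not $_.Ok } | Select-Object -ExpandProperty Server -Unique
```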

Expert Comment by: Darius Ghassem (ID: 22705474)
What results do you get when you ping your domain from the other servers?

Author Comment by: geo502 (ID: 22706243)
I am able to ping Abox, also Abox.domain.com and 192.168.0.7, so DNS seems to be doing part of its job. It seems like there is something placed in the AD policy or somewhere; the last systems admin had stuff everywhere, and when I transferred all of the roles to DC1 Abox I may have pulled in something then. But it seems odd that the servers stopped finding the GP in the sysvol over the weekend, and what is really odd is the 208.xx IP address that it is trying to query when it is not told that in the TCP/IP settings.
Another error that is coming up in the logs of all the servers that are having these problems is

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server Abox$.  The target name used was cifs/Abox.domainname.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (domainname.com), and the client realm.   Please contact your system administrator.

I have searched on the domain controller with Ldp.exe for any duplicate service principal names and there was only 1 match, no dups. So this is driving me crazy. I restarted DC1 Abox just a few minutes ago to see if that may have helped.

So there may be many issues going on, or there may be one that will resolve them all.
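The duplicate-SPN search done above with Ldp.exe, as an added example script (not from the original thread) that checks every account in the domain at once instead of one name at a time: it pages through all servicePrincipalName values and reports any SPN held by more than one object, which is the "identically named machine accounts" condition the KRB_AP_ERR_MODIFIED text describes. It assumes it runs on a Windows host joined to the domain being checked.

```powershell
# Added example, not from the original thread. Assumption: run on a host joined to the
# domain to check; DirectoryEntry with no path binds to that domain's naming context.
Add-Type -AssemblyName System.DirectoryServices

$root     = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(servicePrincipalName=*)'   # users and computers alike
$searcher.PageSize = 1000                          # paged so large domains come back whole
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

# Map each SPN (lower-cased, since the KDC matches them case-insensitively) to the
# distinguished names of every object that carries it.
$owners = @{}
foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties['distinguishedname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        $key = ([string]$spn).ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) {
            $owners[$key] = New-Object System.Collections.ArrayList
        }
        [void]$owners[$key].Add($dn)
    }
}

# Any SPN with two owners means the KDC may encrypt a ticket with the wrong account's
# key, which the target then rejects as KRB_AP_ERR_MODIFIED.
$duplicates = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) {
    'No SPN is registered on more than one account.'
} else {
    foreach ($dup in $duplicates) {
        "DUPLICATE SPN: $($dup.Key)"
        $dup.Value | ForEach-Object { "    held by $_" }
    }
}
```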

Expert Comment by: Darius Ghassem (ID: 22706318)
Did you do the metadata cleanup?

Expert Comment by: Darius Ghassem (ID: 22706322)
Can you post the exact Event IDs?

Author Comment by: geo502 (ID: 22741765)
Ok, here is an update of things.

I now have both domains replicating and dcdiag on both DCs looks good. But I seem to be having intermittent connectivity to the internet; DNS seems to be resolving sometimes and not others. This seems to be an issue with outbound and inbound traffic. When surfing out, google.com will come up and then sometimes it doesn't; I will refresh my browser and it will then come up. When running pings with -t it will time out in patterns throughout the ping: 20 pings good, then 3 timeouts, then 20 more pings good, then 3-4 timeouts. I have some clients that are calling up that say they can't get to the site. Some of them I have called up and they are now able to get to the site, and a couple cannot.

My setup is like this. I have an ns.xxxxx.com and ns2.xxxx.com sitting outside of our PIX, and then I have a DNS server on both of the domain controllers. DC1 DNS was changed from AD integrated to primary when I was having the AD problems, and I have since changed it back just in the past couple of days. DC1 DNS is pointing to itself and DC2 DNS is pointing to DC1. There are no error logs except information events that state zone transfers have been made. Netdiag shows everything passing. But there is clearly an issue somewhere. When I look up zones on DC2 it states that they are secondary of DC1, and I am not sure if I need to change something there or if it is OK since it is replicating fine there. Should I change DC1 back to a primary and not AD integrated?

Nslookups seem to be resolving OK:
C:\dig>nslookup google.com
Server: DC1.domain.com
Address:  192.168.0.7

Non-authoritative answer:
Name:    google.com
Addresses:  64.233.187.99, 209.85.171.99, 72.14.207.99

When I look up our domain name for the website from the outside it is coming back with the correct address of the web server. The 2 DNS servers on the outside, ns and ns2, have not been touched during this whole Active Directory mess; ns is pointing to itself and ns2 for secondary, and ns2 is pointing to DC1 and ns for its secondary. Is this correct?

I have read on the net about intermittent DNS issues and (.) root servers; I am not an advanced DNS guy, so I am not sure what this is all about. It seems that DC1 does have a (.) under cached lookups.

During this mess I have changed some settings in the network connections on DC1 and DC2 but have since put those back to where they once were, I think. I am not sure what the LMHOSTS lookup and other settings need to be, but I have gone and looked at other servers to see what they were set at. Another thing that I have touched was DHCP, and I have put those back to where they were. I also need to mention that there are WINS servers on both DC1 and DC2.

Any troubleshooting steps that someone can recommend for me to resolve these issues would be greatly appreciated.

When these pings time out I still seem to be able to do an nslookup on google.

Global results:

DC1> netdiag /q  <-- secondary dns

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.7' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.15' and other DCs also have some of the names registered.

IP Security test . . . . . . . . . : Passed

DC2>netdiag/q

Global results:


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.7' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.15' and other DCs also have some of the names registered.

IP Security test . . . . . . . . . : Passed


Author Comment by: geo502 (ID: 22741833)
I guess I should mention how traffic comes into the web server that clients are unable to get to sometimes, intermittently.

We have a PIX set up that does static (inside,outside) public to private. Our DNS servers ns.xxxx.com and ns2.xxxx.com have the public IPs 208.xx.xx set up in the zones, and the DC1 DNS has the private IPs 192.xxx set up for the website for internal use.

You can surf to the site by name or IP; I have it set up in IIS to accept either.

Expert Comment by: Darius Ghassem (ID: 22742201)
Make sure you have up-to-date forwarders in your local internal DNS servers that are provided by your ISP. You can also use root hints, but there can be a security risk using those, so I recommend getting forwarders from your ISP and placing them within that setting in your local DNS servers' settings.

Author Comment by: geo502 (ID: 22742212)
Attached are netdiag /v outputs of DC-1 and DC-2.


I did get a timeout on an nslookup:

C:\Documents and Settings\geoff>nslookup google.com
Server:  backup.ganoffice.globalair.com
Address:  192.168.0.7

DNS request timed out.
    timeout was 2 seconds.
*** Request to backup.ganoffice.globalair.com timed-out

NetDiag10-17.log
NetDiag10-17DC-1.txt

Expert Comment by: Darius Ghassem (ID: 22742336)

Author Comment by: geo502 (ID: 22743681)
What a great article describing forwarder lookups, but I have checked all over this and there are forwarders set up on all four of the DNS servers; this is all existing stuff that was already set up, not sure if that is a good thing or not.

It looks like one of my DNS servers is not resolving stuff at times, and I can't seem to find where it is or which one it is.

I am still looking into it and running tests. Any recommendations?

Thanks for all your help



Author Comment by: geo502 (ID: 22744000)
I ran a test on the outside DNS servers ns.xxx and ns2.xxx. The primary DNS server ns.xxx looks fine, and in the network connections it is pointing to itself and ns2.xxx for secondary. Now ns2 is pointing to DC1 and ns1 for the secondary; where should that point to?

When I run a recursive test on ns2 it fails.

Expert Comment by: Darius Ghassem (ID: 22745467)
Is NS2 a local internal DNS server? Forwarders expire sometimes when ISPs change their DNS servers. What address are the forwarders pointing to? In Windows 2000 the DCs should point to one central DC for DNS, then have their own IP address as secondary. Now in 2003 this has been fixed, and DCs should point to themselves for DNS and any other DNS servers as secondary.

Author Comment by: geo502 (ID: 22885283)
Updated resolution to this mess.
The fix for the error "Windows cannot access the file gpt.ini for GPO" was done by resetting the SPN password on the domain controller Abox. That seemed to fix a lot of why Abox was unable to pass updates to Bbox. It fixed the "The kerberos client received a KRB_AP_ERR_MODIFIED error" and fixed the replication between the two boxes.

I then started to focus on why I was losing packets. I ended up resetting the PIX and the switch to free up something that was causing a black hole somewhere. This was the hardest thing to troubleshoot and pinpoint.

Everything is running much smoother now, but I am still getting the following errors on the DC Bbox. Do I need to turn this off in AD Sites and Services, or do I need to have it set up, and what does it do?

Event ID 1409
The Intersite Messaging service could not send a SMTP message because the SMTP service is not installed.

Event id 1373

The Intersite Messaging service could not receive any messages for the following service through the following transport. The query for messages failed.

Event 1468
The Intersite Messaging service using the SMTP transport failed to register the event sink DLL (Ismsink.dll) with SMTP.
 The event sink notifies the messaging service that new mail has arrived. New mail will accumulate in the drop folder until this problem is corrected.
 User Action
Verify that Internet Information Services (IIS) is fully installed. The installation relies on proper registration of the IIS DLL (Seo.dll).

After I fix this issue I am going to award some points to Dariusq for his day-to-day advice. I'm not sure if it was the accepted solution, but the time and advice on some of the other questions was very appreciated and will be rewarded.
Thanks Dariusq

Accepted Solution by: Darius Ghassem (earned 500 total points; ID: 22886184)
Thanks and I'm glad it is figured out.

Author Comment by: geo502 (ID: 25359161)
Resolving this issue was a number of things. After researching, I ran the SRV command for password change on the domain controllers to reset the Kerberos password to match on both controllers.

Author Closing Comment by: geo502 (ID: 31502434)
Great help from this expert,  

Thanks,