Solved

Server 2003 DC Hangs at "Preparing Network Connections" - Many Event Log Errors

Posted on 2009-05-16
Last Modified: 2013-11-25
Below is my domain configuration, and the list of issues that are happening.  Some of this may be normal, but this is my first 2003 domain so I am not entirely sure.  Any help you can provide would be greatly appreciated.  I tried to provide as much info as possible, but if I missed something please let me know.  Thanks.

Configuration:

- Primary and Secondary DC - both Server 2003 R2 with latest patches
- Primary DC holds all FSMO roles
- Both DCs are DHCP servers, DNS servers, and WINS servers (used for certain apps, we need this)
- Each DC points to itself as Primary DNS server in its network config settings, and the other DC as Secondary DNS
- Each DC points to itself as Primary WINS server in its network config settings, and the other DC as Secondary WINS
- Each DC has a static IP address configured in its network settings, and these 2 addresses are excluded in DHCP
- Primary DC is NTP Server, and is configured to use the default time.windows.com.  Secondary DC is set up as an NTP client.
- NICs are teamed on each server, which I read can cause some of these issues, but I have also tried it with teaming disabled (1 NIC only), and various drivers

Issues:

- If the Secondary DC is down and the Primary boots up, it hangs at Preparing Network Connections for approximately 7 minutes.  During this process, all of the errors listed below occur.

- If the Secondary DC is up when the Primary boots up, it does not hang at all.  Also, no errors are shown in the event logs whatsoever.

- If the Primary DC is down and the Secondary is up, clients cannot ping the domain name (ping mydomain.local).  If the Primary DC is up and running, the ping mydomain.local command executes successfully and returns the IP of the Primary DC.  I am not sure if this is normal.

- Dcdiag and netdiag return no errors.

Errors when booting Primary DC without Secondary DC being up:

*************************************************************************

Event ID: 2088
Source: NTDS Replication
Type: Warning
Category: DS RPC Client

Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 MY SECONDARY'S NAME HERE
Failing DNS host name:
 3f497b67-6bb3-47bb-ae0e-3824cfd056b7._msdcs.mydomain.local
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
 
  dcdiag /test:dns
 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

*************************************************************************

Event ID: 40960
Source: LSASRV
Type: Warning
Category: SPNEGO (Negotiator)

The Security System detected an authentication error for the server LDAP/MY PRIMARY DC NAME.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)"

*************************************************************************

Event ID: 1059
Source: DHCPServer
Type: Error
Category: None

The DHCP service failed to see a directory server for authorization.

*************************************************************************

Event ID: 17
Source: W32Time
Type: Error
Category: None

Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

*************************************************************************

Event ID: 5781
Source: NETLOGON
Type: Warning
Category: None

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'mydomain.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

USER ACTION  
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

*************************************************************************
This occurs 7 minutes after the first NTDS replication error.  NTDS appears to correct itself.

Event ID: 1394
Source: NTDS General
Type: Information
Category: Service Control

All problems preventing updates to the Active Directory Database have been cleared. New updates to the Active Directory database are succeeding. The Net Logon service has restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*************************************************************************
Question by: mtsi
 
Expert Comment by: oBdA
If these errors don't appear during normal operation or when it boots while the second DC is up, then you can ignore them. Your AD domain zone is probably AD integrated, so during boot without any DNS server with the AD zone around, AD is waiting for DNS, and DNS can't start until AD is up and running, resulting in the delay you're watching.
The one thing you should change: let the WINS servers only point to themselves, and set up replication between the two WINS servers.

The one thing that's strange is that clients can't resolve the domain while DC1 is down and DC2 is up. Are the clients using DC2 as secondary DNS server? Is DC2 a global catalog?
Author Comment by: mtsi
Thanks for the reply!  I will change it so that each WINS server only points to itself.  Replication is already set up and is working properly so that should be good to go.

Yes, the domain resolution is weird.  When DC2 is the only one up, clients can log on to the domain fine, they get all policies, scripts, etc., but for some reason just cannot ping the domain name.  It is resolving to DC1's address, which is obviously offline at the time.  I'm wondering if this has to do with the fact that DC1 holds all the roles, or my DNS on DC2 should have some sort of record that it doesn't currently have.  When comparing DNS on both machines though, it looks identical.  Oh and btw, yes it is AD-integrated, and DC1 and DC2 are both global catalog servers.
Author Comment by: mtsi
Sorry I forgot to answer one more of your questions - yes the clients are all using DC1 as primary DNS and DC2 as secondary.  This is set through DHCP.  But even if I ping the domain name from DC2, it still tries to resolve to DC1, and gets no reply.  Any ideas?
Expert Comment by: oBdA
Can you lookup the name of DC2 with nslookup?
What's the result of
nslookup yourdomain.local
When you start the DNS MMC and go to the forward lookup zone for yourdomain.local, there should be two Host (A) entries with a name of "(Same as parent folder)" and the two IP addresses of your DCs. If DC2 isn't there, open a command prompt and enter
ipconfig /registerdns

You can use dcdiag.exe and netdiag.exe for further troubleshooting:
Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90
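The checks suggested above (the "(Same as parent folder)" A records), together with the two other record types named in the question's event log (the locator SRV records behind event 5781 and the DSA-GUID CNAME behind event 2088), as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 or later, so it runs from a workstation, not on the 2003 DCs themselves, where "dcdiag /test:dns" is the equivalent), a DC reachable over AD Web Services, a single-domain forest so that the _msdcs records live under the domain name, and 'mydomain.local' as the placeholder domain from the thread.

```powershell
# Added example, not from the original thread. Assumptions: RSAT ActiveDirectory
# and DnsClient modules, a DC running AD Web Services, a single-domain forest,
# and 'mydomain.local' as the thread's placeholder domain name.
param(
    [string]$Domain    = 'mydomain.local',
    [string]$DnsServer = ''   # e.g. 192.168.1.3 to ask DC2 directly while DC1 is down
)
Import-Module ActiveDirectory -ErrorAction Stop

function Resolve-Quiet {
    # Resolve-DnsName restricted to real DNS (no hosts file, LLMNR or NetBIOS),
    # returning only records of the requested type and never throwing.
    param([string]$Name, [string]$Type)
    $p = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $p.Server = $DnsServer }
    Resolve-DnsName @p | Where-Object { $_.QueryType -eq $Type }
}

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [string]$Target, [bool]$Ok) {
    $results.Add([pscustomobject]@{
        Check  = $Check
        Target = $Target
        Status = $(if ($Ok) { 'OK' } else { 'MISSING' })
    })
}

$dcs = Get-ADDomainController -Filter *

# 1. "(Same as parent folder)" A records: one per DC. "ping mydomain.local"
#    resolves through these, so every DC must be present.
$apexIps = @((Resolve-Quiet $Domain 'A').IPAddress)
foreach ($dc in $dcs) {
    Add-Result 'apex A record' "$($dc.HostName) $($dc.IPv4Address)" ($apexIps -contains $dc.IPv4Address)
}

# 2. Locator SRV records. Netlogon registers these at start-up; event 5781 in
#    the thread is Netlogon reporting that this registration failed.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_ldap._tcp.gc._msdcs.$Domain")
foreach ($srv in $srvNames) {
    $targets = @((Resolve-Quiet $srv 'SRV').NameTarget)
    foreach ($dc in $dcs) {
        if ($srv -like '*.gc.*' -and -not $dc.IsGlobalCatalog) { continue }
        Add-Result $srv $dc.HostName ($targets -contains $dc.HostName)
    }
}

# 3. DSA GUID CNAME: <objectGUID of the NTDS Settings object>._msdcs.<domain>.
#    Replication partners look each other up by this name first; event 2088
#    in the thread is exactly this lookup failing.
foreach ($dc in $dcs) {
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $name  = "$guid._msdcs.$Domain"
    $cname = Resolve-Quiet $name 'CNAME'
    Add-Result 'DSA GUID CNAME' "$name -> $($dc.HostName)" ($cname.NameHost -eq $dc.HostName)
}

$results | Format-Table -AutoSize
if ($results.Status -contains 'MISSING') {
    Write-Warning "Missing records: run 'nltest /dsregdns' on the affected DC, then re-check."
}
```

Run it once normally and once with -DnsServer set to the second DC's address while the first is down; the second run shows what the remaining DC alone is serving, which is what clients see in the failure case described in the question. The record names are the ones the thread's events refer to; the host names and GUID are whatever your forest returns.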
Author Comment by: mtsi
Yeah, I've run dcdiag and netdiag and received no errors.

Here are the results of what you asked for, both with DC1 running, and not.

With DC1 Running:

1 - nslookup DC2
Server:  DC1.domainname.local
Address:  192.168.1.2
Name:    DC2.domainname.local
Address:  192.168.1.3

2 - nslookup domainname.local
Server:  DC1.domainname.local
Address:  192.168.1.2
Name:    domainname.local
Addresses:  192.168.1.2, 192.168.1.3

With DC1 Not Running:

1 - nslookup DC2
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 192.168.1.2: Timed out
Server:  DC2.domainname.local
Address:  192.168.1.3
Name:    DC2.domainname.local
Address:  192.168.1.3

2 - nslookup domainname.local
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 192.168.1.2: Timed out
Server:  DC2.domainname.local
Address:  192.168.1.3
Name:    domainname.local
Addresses:  192.168.1.2, 192.168.1.3

Yeah, I checked the forward lookup zones and they are definitely set up right.  Both A records are there as they should be.  It looks like nslookups work fine, although they time out at first since they are trying to contact the primary.  I'm wondering now if this is normal, and maybe the only thing that won't work is ping.  During a ping, DNS is doing its job by returning the primary IP.  If ping fails, it's not going to requery DNS to get another IP for that domain name.  Why would it?  Once DNS returns an address, its job is done, right?
Expert Comment by: oBdA
That looks normal. Don't worry about the ping for the name, ping only tries the first address it finds, and your domain name has two entries.
If you run two consecutive nslookup commands for domainname.local, the output should look about like that (note the reversed order):

Name:    domainname.local
Addresses:  192.168.1.2, 192.168.1.3

Name:    domainname.local
Addresses:  192.168.1.3, 192.168.1.2

The "*** Can't find server name for address 192.168.1.2: Timed out" is harmless as well. Either ignore it, or simply create a reverse lookup zone for 192.168.1.x in DNS. nslookup is just trying to resolve the DNS server's name and can't because the reverse lookup zone is missing. A reverse lookup zone is not required for a correct function of AD, though.
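The behaviour described above (ping uses only the first address the resolver returns, while the domain name has one A record per DC), and the question's symptom that "ping mydomain.local" fails when DC1 is down, as an added PowerShell example: resolve every address behind the name and probe each one on the LDAP port, which is what a client that wants a live DC actually needs. This is not code from the thread; it assumes PowerShell 3.0 or later with the DnsClient module (Windows 8 / Server 2012 or later) on a domain member, and uses the thread's placeholder name 'mydomain.local'.

```powershell
# Added example, not from the original thread. Assumptions: PowerShell 3.0+
# with the DnsClient module on a domain member; 'mydomain.local' is the
# thread's placeholder domain name.
param(
    [string]$Name      = 'mydomain.local',
    [int]$Port         = 389,     # LDAP; use 88 to probe Kerberos instead
    [int]$TimeoutMs    = 1500
)

function Test-TcpPort {
    # TCP connect with a timeout. ICMP is often filtered; an open 389 is a
    # better signal than ping that a DC is actually serving.
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)          # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# -DnsOnly skips the hosts file, LLMNR and NetBIOS so we see exactly what DNS
# returns. Records come back in the order the server sent them; with round
# robin enabled that order rotates between queries, so which address ping
# tries depends on the query it happened to make.
$addresses = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' } |
    ForEach-Object { $_.IPAddress }

$results = foreach ($ip in $addresses) {
    [pscustomobject]@{
        Address       = $ip
        LdapReachable = Test-TcpPort -Address $ip -Port $Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

$live = $results | Where-Object { $_.LdapReachable } | Select-Object -First 1
if ($live) { "First responsive DC for ${Name}: $($live.Address)" }
else       { Write-Warning "None of $($addresses -join ', ') answered on TCP/$Port" }
```

With one DC down this prints both addresses, one reachable and one not, which is the situation the question describes: DNS is answering correctly, and only ping's single-address behaviour makes it look like resolution failed.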
Author Comment by: mtsi
My nslookups return the same thing every time I run them (as below):

Name:    domainname.local
Addresses:  192.168.1.2, 192.168.1.3

Name:    domainname.local
Addresses:  192.168.1.3, 192.168.1.2

They don't return in reversed order for the IPs - is that a problem?

I will ignore the ping errors and the timeouts when running nslookup.  However, you mention that I could add a reverse lookup zone for 192.168.1.x - the weird thing is that I already have one.  Do I have a problem with my reverse lookup zone then?
Author Comment by: mtsi
Sorry, I actually did reverse those addresses because I copied/pasted from your post.  :)
Accepted Solution by: oBdA
It doesn't matter that much whether the DNS server rotates the entries; that's mainly done to achieve a bit of load balancing.
Check in the properties of the DNS server, on the Advanced tab, whether "Round Robin" is enabled.
As for the reverse lookup zone: check whether there are any entries in there at all, and whether dynamic updates are allowed.
Author Comment by: mtsi
Yes, all entries are there and correct, and dynamic updates are set to secure only.  Thanks for all of your help.