tamco (ASKER) asked:
Error creating host record on second DC

I have two domain controllers, both running Windows Server 2008 R2 Standard.  One is physical, running as a Core install, the other is virtual, running as a Full install.

The Core install was the first new DC added to have R2; it was a fresh install.  The previous box had Server 2008 x64 SP2.  Once this server was promoted, that box was demoted and removed from operations.

Then I demoted the old VM running Server 2008 x64 SP2 and rebuilt it using R2 Full and promoted it to a DC as well.

The VM running R2 Full experiences an error when attempting to add hosts to DNS.  The error is identical to this one I found online: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/1e68cd26-6874-4be3-9a48-23e55a5aeb87

I have no problems using the core server and adding DNS entries.

Unfortunately a reboot does nothing to help the issue as it did in the case of the above example.  I also tried the one other piece of advice in that link and it was already set up that way.
Justin Owens:
The permissions thing would have been a long shot, as you already indicated that on your Core server you can update with no errors.  In an integrated zone, that would mean permissions are correct... Have you checked your replication health (both AD and DNS) and made sure that everything is OK on those fronts?

Justin
You need to be a member of DnsAdmins to edit/create/modify the DNS settings.
 
Awinish, I assumed he was, as he can perform the updates on the Core server.

Justin
tamco (ASKER):
DrUltima,
First, for simplicity's sake I'll start referring to the Core install as DC1 and the Full install as DC2.
Running DCDiag on DC2 returned the following:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
 
Doing primary tests
   
   Testing server: Default-First-Site-Name\DC2
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: RidManager
         ......................... DC2 passed test RidManager
      Starting test: Services
         ......................... DC2 passed test Services
      Starting test: SystemLog
         ......................... DC2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC2 passed test VerifyReferences
   
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : tamcocorp
      Starting test: CheckSDRefDom
         ......................... tamcocorp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... tamcocorp passed test CrossRefValidation
   
   Running enterprise tests on : tamcocorp.com
      Starting test: LocatorCheck
         ......................... tamcocorp.com passed test LocatorCheck
      Starting test: Intersite
         ......................... tamcocorp.com passed test Intersite
 
tamco (ASKER):
The warnings in the event log are:

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
And:
 
Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
DC1
Failing DNS host name:
1333e39f-2b58-49cf-aa24-37e2b843e2a5._msdcs.tamcocorp.com

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 

dcdiag /test:dns

4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449 

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.
tamco (ASKER):
I think that second error may be the issue.
tamco (ASKER):
Running dcdiag /test:dns on DC2 returned the following:

Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC2 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : tamcocorp
   Running enterprise tests on : DOMAIN
      Starting test: DNS
         ......................... DOMAIN passed test DNS
 
Running it on DC1 returned an error:
 
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         Message 0x621 not found.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... DC1 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC1 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : tamcocorp
   Running enterprise tests on : DOMAIN
      Starting test: DNS
         Test results for domain controllers:
            DC: DC1.DOMAIN
            Domain: DOMAIN

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  No host records (A or AAAA) were found for this DC
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network
               adapters
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: DOMAIN
               DC1                     PASS FAIL PASS PASS PASS FAIL n/a
         ......................... DOMAIN failed test DNS
tamco (ASKER):
Looking into it further, I found the following two links:
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/d5bebedd-bc3a-4b91-a053-7c04c78c2ec1
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/f7d65883-9114-465e-9351-64b2902d253d
I do have teaming enabled on DC1.  I see that it would cause the error I see when running dcdiag /test:dns; however, I don't know if that would have anything to do with DC2 not being able to create host records.
If DC1 holds your FSMO roles, an error on it would cause DC2 to experience errors, too.

Let's go with the obvious, first.  DC1 doesn't have a firewall turned on, does it?  Also, on DC1, do you need teaming on 2 NICs?  What are you using it for?

Justin


tamco (ASKER):
Justin,
I just transferred all FSMO roles to DC2 to eliminate that portion of the problem.
Yes, DC1 does have the default Windows firewall turned on, as does DC2. The reason for teaming was simply so that I have one IP address assigned to the DC and failover becomes available if one of the NICs fails.
Dan
For the moment, let's disable the firewall on your two DCs and see if the DNS error goes away.  If it does, we can isolate your firewall setting that is causing the problem.  If it doesn't we can know that is not the issue.

Justin
tamco (ASKER):
Disabled firewall, same exact error.
OK, Dan... Again, I tend to be a "small step" kind of troubleshooter.  Could you, at least for the moment, break the teaming on your NICs and disable one of them?  I can understand if you need to wait until after business hours to do this.

Justin
tamco (ASKER):
I'll look for the documentation to break the teaming; unfortunately, it's a bit more difficult on Server Core.  I'll post up once this is complete.
Most vendors now have utilities to enable or disable teaming on Core...  What is your NIC make and model?

Justin
tamco (ASKER):
Broadcom BCM5708C, I have to do everything with a config file.  It's a Dell PE 1950.
Ick... I am sorry.  If it were my system, it is what I would do.  Obviously you have to decide if you want to do that.... If you are happy with only adding DNS entries from your DC1 and letting them replicate to DC2, then you could leave it alone.

Justin
tamco (ASKER):
Definitely not happy with it.  I think it is the cause of another problem I am having.

Log Name:      System
Source:        DnsApi
Date:          12/30/2009 10:38:46 AM
Event ID:      11163
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     SQL.DOMAIN.COM
Description:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:
   Adapter Name : {3A6ED011-D113-4F28-8E42-D7629DE6D240}
   Host Name : SQL
   Primary Domain Suffix : DOMAIN.COM
   DNS server list :
      x.x.x.39, x.x.x.42
   Sent update to server : x.x.x.39:53 - This is DC1
   IP Address(es) :
     x.x.x.32
 The reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.
 You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DnsApi" />
    <EventID Qualifiers="32768">11163</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-12-30T15:38:46.000000000Z" />
    <EventRecordID>71214</EventRecordID>
    <Channel>System</Channel>
    <Computer>SRVR-SQL2.tamcocorp.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>{3A6ED011-D113-4F28-8E42-D7629DE6D240}</Data>
    <Data>SQL</Data>
    <Data>DOMAIN.COM</Data>
    <Data> x.x.x.39, x.x.x.42</Data>
    <Data>x.x.x.39:53</Data>
    <Data>x.x.x.32</Data>
    <Data>
    </Data>
    <Binary>2D230000</Binary>
  </EventData>
</Event>
tamco (ASKER):
I forgot to add that happens when I run ipconfig /registerdns on my SQL server.
Yeah...  I hate to suggest you break the teaming, because I know what a pain it is to reestablish.  At the same time, the more variables that can be eliminated the easier replication issues are to resolve.

Justin
tamco (ASKER):
New error in event viewer.  I didn't notice it until a reboot when DNS stopped working altogether on DC1.  It's been happening since 2:40PM yesterday.

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.
tamco (ASKER):
Correction -
The error above appears on DC2 and DNS seems to have just taken a few minutes to start working again on DC1 after the reboot.  It is resolving host names now.
tamco (ASKER):
I still intend to remove the team, I'm working on making sure it won't affect operations so I can do it sooner rather than later.
tamco (ASKER):
OK, teaming has been removed.  I no longer receive an error when registering DNS on the SQL server.  I also don't receive an error when running dcdiag /test:dns on DC1 anymore.  I still can't create records on DC2 and now I do receive an error on DC2 when I run dcdiag /test:dns.


Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC2 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : tamcocorp
   Running enterprise tests on : DOMAIN
      Starting test: DNS
         Test results for domain controllers:
            DC: DC2.DOMAIN
            Domain: DOMAIN

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000007] Microsoft Virtual Machine Bus Network Adapter:
                     Warning:
                     Missing SRV record at DNS server x.x.x.42:
                     _ldap._tcp.gc._msdcs.DOMAIN
                     Warning:
                     Missing A record at DNS server x.x.x.42:
                     gc._msdcs.DOMAIN
               Error: Record registrations cannot be found for all the network
               adapters
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: DOMAIN
               DC2                     PASS PASS PASS PASS PASS FAIL n/a
         ......................... DOMAIN failed test DNS
 
Should I just manually create the SRV record? My only issue with doing that is it is more of a workaround than a solution as it should be created automatically.
Run the commands below; they will fix the SRV records issue.

dcdiag /v /fix
netdiag /v /fix

nltest /dsregdns

ipconfig /flushdns
 net stop netlogon
 browse the system32 folder, rename the netlogon.dns and netlogon.dnb files
 net start netlogon
 ipconfig /flushdns
 ipconfig /registerdns

The RReg test failed as you have not enabled secure update in DNS.

Right-click the zone in the DNS admin console, select secure update, and this test will also pass.
Awinish gave the right steps in the right order.  Once that is done, your DNS issue should be fixed, too.

Justin
tamco (ASKER):
Awinish -
I ran those commands, one didn't work:
netdiag /v /fix - netdiag not found
For anyone viewing this in the future: netlogon.dns and netlogon.dnb are in %systemroot%\system32\config
Secure update was enabled, maybe that part errored out because the DC had just rebooted.
I re-ran dcdiag /test:dns and there are no longer any errors, but I still can't add a host.
NETDIAG is part of the Resource Tool Kit.  You can find it here:

http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Let's start over on DC2.  What errors do you get (if any) when you try to add a host to DNS?

Justin
tamco (ASKER):
First, I've read somewhere that installing 2003 Resource Kit tools on 2008 isn't a good idea.  Should I worry about the netdiag portion considering the diagnostic is no longer failing?
Second, when I click Add Host a message box comes up that says: The host record TEST.DOMAIN.COM cannot be created. Refused.
The event viewer shows this:
Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/30/2009 2:57:18 PM
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC2.DOMAIN.COM
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
 0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="49152">4015</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-12-30T19:57:18.000000000Z" />
    <EventRecordID>37</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>DC2.DOMAIN.COM</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_DS_INTERFACE_ERROR">
    <Data Name="param1">0000051B: AtrErr: DSID-030F1F8D, #1:
 0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)</Data>
    <Binary>13000000</Binary>
  </EventData>
</Event>
Sorry... I forgot for a moment we were on 2008.  You are correct. NETDIAG was deprecated for the 2008 platform.  Don't install the 2003 tool kit on an 08 server.  DCDIAG /fix does most of the same things, so don't worry about it.

For the sake of clarification, DC2 isn't a Read-Only Domain Controller, is it?

Justin
tamco (ASKER):
I'm 99.99999% certain it is not an RODC, but is there some place I can look to make that 100%?
Sadly, I don't know, and I cannot find anything to tell me.  I don't have any deployed, so I can't tell you what difference to look for.  If I was to guess, I would think it would show up in the Roles area, but I could be wrong about that.  The reason I ask is that AD integrated DNS needs to write to the AD database, which it can't do from an RODC.  So, if it is an RODC, it has to know about an NS record pointing back to the writable DC.  On searching on your error, the most common item I ran across was RODC related.  Here is an example:

http://www.mskbarticles.com/index.php?kb=969488

Here is what led me there:

http://eventid.net/display.asp?eventid=4015&eventno=10480&source=Microsoft-Windows-DNS-Server-Service&phase=1

Justin
tamco (ASKER):
It doesn't log the event with any frequency; instead it occurs at the moment I attempt to manually create a record.
I installed the DC a few weeks ago and I'm pretty certain I didn't check the box for RODC, so I suppose we should move ahead based on that.
I would still be curious if you created an NS record (in DC1 and let it replicate) pointing back to DC1 as the authority if the problem would go away.

Justin
tamco (ASKER):
Right now I have two name servers listed: DC1 and DC2.  Are you suggesting I remove DC2?
Temporarily, yes.
tamco (ASKER):
OK, I removed DC2 as a name server from DC1 and DC2 and still it does not allow me to add a host record.  I've already re-added it.
I am about to leave for the day and won't be able to come back to this until tomorrow.  I didn't want you to think I was ignoring you or abandoning the question.

Justin
tamco (ASKER):
Same here, I'm in Florida so I'm about to head home in 2 minutes.
tamco (ASKER):
Justin -
I was successful in determining if the DC is an RODC, it is not.  Here is the site that helped: http://steverosa.wordpress.com/2007/07/04/windows-server-2008-read-only-domain-controller-administration-and-misc/
tamco (ASKER):
BTW - When viewing that dialog box it says that DC1 is Unavailable under the Status when viewing it from DC2.
When viewing it from my machine both are available and Online.  That is even the case if I am using the Server Manager snap-in for DC1 and DC2.
I can't view it directly from DC1 since it is a core machine and doesn't support MMC's.
Very good info... I bookmarked it for future reference.  Thank you for that.  So, for clarification, we are now back to DC1 behaving properly with no errors on DCDIAG or REPADMIN.  DC2 shows no errors in DCDIAG or REPADMIN, but gets a "Refused" response when trying to add a DNS entry.  You have verified that DC2 is not an RODC.

On DC2, what is the primary DNS server in its IP stack?

Justin
tamco (ASKER):
::1 and 127.0.0.1
Attached are the files for DC1 and DC2 running repadmin and from running dcdiag.  Note that I was able to run repadmin from my local machine without errors, but if I tried running dcdiag using the /s switch to denote which server to run against on my local machine I received lots of errors.  Those errors did not present themselves if running the command directly on the DCs.

repadmin-DC1.csv
repadmin-DC2.csv
dc1diag.log
dc2diag.log
OK... Because each DC is also a DNS Server, each one needs to point to its own IP address (which is better practice than using the loopback address).  If DC1 has an IP of 10.0.0.2, then 10.0.0.2 should be its primary DNS server.  If DC2, in this scenario, has an IP address of 10.0.0.3, then 10.0.0.3 should be its primary DNS server.  Your setup would look like this:

DC1:
Primary DNS: 10.0.0.2
Secondary DNS 10.0.0.3

DC2:
Primary DNS: 10.0.0.3
Secondary DNS: 10.0.0.2

Make sure that both DC1 and DC2 have the correct host records in DNS, in both forward lookup zone and in reverse look up zone.  Look for any other machines that might be hijacking the IP address of your DCs and also look for errant IP entries for your DCs.

Justin
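The checks Justin lists above (each DC pointing at its own address first and the partner DC second, correct forward and reverse records, no errant or hijacked entries) as one PowerShell audit script. This is an added example, not code posted in the thread; it assumes PowerShell 2.0 running on the DC itself, and $PartnerDC is a placeholder for the other domain controller's host name.

```powershell
# Added example (not code from the thread): audit this DC's resolver settings against the
# layout Justin describes (own IP first, partner DC second, never the loopback address) and
# check its forward and reverse DNS records. Assumes PowerShell 2.0 on the DC itself;
# $PartnerDC is a placeholder for the other domain controller's host name.
$PartnerDC = 'DC2'   # placeholder

$fqdn = [System.Net.Dns]::GetHostEntry('').HostName
$fwdV4 = @([System.Net.Dns]::GetHostAddresses($fqdn) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           ForEach-Object { $_.IPAddressToString })
$partnerV4 = @([System.Net.Dns]::GetHostAddresses($PartnerDC) |
               Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
               ForEach-Object { $_.IPAddressToString })
"This DC: $fqdn  A records: $($fwdV4 -join ', ')"

$allOwnV4 = @()
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True") {
    $ownV4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $allOwnV4 += $ownV4
    $dns = @($nic.DNSServerSearchOrder)
    "Adapter: $($nic.Description)"
    "  IPv4 : $($ownV4 -join ', ')"
    "  DNS  : $($dns -join ', ')"
    if ($dns.Count -eq 0) { "  !! no DNS servers configured"; continue }

    # Primary must be this DC's own address, secondary the partner DC
    if (@('127.0.0.1', '::1') -contains $dns[0]) {
        "  !! primary DNS is the loopback address; use this DC's own IP instead"
    } elseif ($ownV4 -notcontains $dns[0]) {
        "  !! primary DNS $($dns[0]) is not one of this adapter's addresses"
    }
    if ($dns.Count -lt 2 -or $partnerV4 -notcontains $dns[1]) {
        "  !! secondary DNS should be $PartnerDC ($($partnerV4 -join ', '))"
    }

    # Reverse lookup: each of this DC's addresses should point back to this host
    foreach ($ip in $ownV4) {
        if ($fwdV4 -notcontains $ip) { "  !! no A record maps $fqdn to $ip" }
        try {
            $rev = [System.Net.Dns]::GetHostEntry($ip).HostName
            if ($rev -ne $fqdn) { "  !! PTR for $ip is '$rev', expected $fqdn (IP hijacked or stale PTR?)" }
        } catch { "  !! no PTR record for $ip" }
    }
}

# Errant forward entries: A records for this host that no enabled adapter owns
# (for instance the address of a NIC team that has since been removed)
$stale = @($fwdV4 | Where-Object { $allOwnV4 -notcontains $_ })
if ($stale.Count -gt 0) { "!! stale A records for ${fqdn}: $($stale -join ', ')" }
```

Run it on each DC in turn; every line starting with `!!` is one of the conditions Justin asks to rule out. The script reads configuration only and changes nothing.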
tamco (ASKER):
In the case of DC1, should I list both of its IP addresses now that it doesn't have teaming enabled?
No.... Just list the NIC that is enabled.  The second NIC should currently be disabled.
tamco (ASKER):
Currently both are enabled; one of the links I posted about the problem said you would get those errors from disabling the other NIC as well.  I haven't followed the cable to see what port it is connected to, so it is also connected to the switch.
If the NICs were teamed, I am assuming they were publishing one IP to DNS.  You will need to check DNS and make sure that the IP for the team is not in there.  I would remove any reference to the second NIC from DNS as well.  Use the primary adapter as the ip for primary server on DC1 and secondary server on DC2.
tamco (ASKER):
OK, I disabled the port on the switch that the second NIC is connected to.  Now the NIC is enabled but the media is effectively disconnected.  No reference to the second NIC's old IP address appears in DNS and the entries for DC1 and DC2 are correctly entered.
Unfortunately, the problem persists.
Does DC2 still hold your FSMO roles, or have you moved those back to DC1?
tamco (ASKER):
DC2 still holds all five FSMO roles.
Now that you have changed NIC info and DNS entries, let's go through Awinish's steps again:
  • dcdiag /v /fix
  • nltest /dsregdns
  • ipconfig /flushdns
  • net stop netlogon
  • browse the system32 folder, rename the netlogon.dns and netlogon.dnb files
  • net start netlogon
  • ipconfig /flushdns
  • ipconfig /registerdns
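Awinish's sequence, as Justin repeats it above, written as a single PowerShell script with a verification step at the end. This is an added example rather than anything posted in the thread: it leaves out netdiag (not available on 2008 R2, as noted later), sets the old files aside instead of deleting them, uses the %systemroot%\system32\config location tamco pointed out, and then confirms that the locator records DC2 was missing resolve. $Domain is a placeholder.

```powershell
# Added example (not posted in the thread): Awinish's re-registration sequence as one script
# with a verification step. Assumes an elevated prompt on the affected DC; netdiag is omitted
# because it does not exist on 2008 R2. $Domain is a placeholder for the AD DNS domain name.
$Domain = 'DOMAIN.com'   # placeholder
$NetlogonDir = Join-Path $env:SystemRoot 'System32\config'   # where netlogon.dns/.dnb live
$log = Join-Path $env:TEMP 'dcdiag-fix.log'

# 1. dcdiag with /fix, output kept for review
dcdiag /v /fix | Out-File $log
"dcdiag output saved to $log"

# 2. Ask Netlogon to re-register the locator (SRV/A) records for this DC
nltest /dsregdns

# 3. Rebuild Netlogon's record files: stop the service, set the old files aside, restart
ipconfig /flushdns | Out-Null
Stop-Service Netlogon -Force
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($f in 'netlogon.dns', 'netlogon.dnb') {
    $path = Join-Path $NetlogonDir $f
    if (Test-Path $path) { Rename-Item $path "$f.$stamp.bak" }   # keep a copy rather than delete
}
Start-Service Netlogon
ipconfig /flushdns | Out-Null
ipconfig /registerdns | Out-Null

# 4. Verify: the locator must find a GC, and the SRV records DC2 was missing must resolve
Start-Sleep -Seconds 15   # give Netlogon time to write the new records
$locator = nltest "/dsgetdc:$Domain" /gc
if ($LASTEXITCODE -ne 0) { Write-Warning "Locator could not find a GC for $Domain"; $locator }
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_ldap._tcp.gc._msdcs.$Domain") {
    $answer = nslookup -type=SRV $rec 2>&1
    if ($answer -match 'svr hostname') { "OK       $rec" } else { "MISSING  $rec"; $answer }
}
```

The renamed files are harmless to leave in place; Netlogon writes fresh copies on start. If the final check still reports a missing record, re-run `dcdiag /test:dns /v` and look at the RReg section for the adapter it names.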
tamco (ASKER):
On DC1, DC2 or both?
DC2 for sure, wouldn't hurt to do both.
tamco (ASKER):
Did it for both, no joy.
And you are still getting the 4015 in your event viewer?
tamco (ASKER):
Yes, still getting 4015 error.
tamco (ASKER):
"BTW - When viewing that dialog box it says that DC1 is Unavailable under the Status when viewing it from DC2."
This issue has been resolved by what we did.  Now DC1 shows as online from DC2.
tamco (ASKER):
Oh, and FYI, I can delete records from DC2, just not add them.
ASKER CERTIFIED SOLUTION
Justin Owens:
tamco (ASKER):
What do I set the active instance to?
tamco (ASKER):
Also, this was happening when DC2 was also a core install.  Since there is a bug in R2 Core that doesn't use ISATAP and I am trying to get DirectAccess working, I demoted DC2 and reinstalled using a full install of R2 then repromoted. I need my DNS server to have an IPv6 address or DirectAccess won't function.
This did not happen when both were running 2008 (not R2).
Depends... Normally instance1, but here is the "How To"

http://technet.microsoft.com/en-us/library/cc770715%28WS.10%29.aspx

Justin
tamco (ASKER):
Well, we are closing early today so I am leaving for the weekend.  Happy New Year and I'll either login remotely at some point to give it a try or come back to this on Monday.
tamco (ASKER):
Output:

C:\Windows\System32>ntdsutil
ntdsutil: ac in instance1
AD LDS Instance "instance1" not found on this machine.
No active instance set.
ntdsutil: ac in ntds
Active instance set to "ntds".
ntdsutil: sem d a
semantic checker: go
Fixup mode is turned off
......Done.

Writing summary into log file dsdit.dmp.0
SDs scanned:            481
Records scanned:      13602
Processing records..Done. Elapsed time 3 seconds.
Is there something here that indicates if there is an error or do I need to view the log file?
tamco (ASKER):
Here is the file.  I ran it again using go fix as well.

dsdit.dmp.1.txt
tamco (ASKER):
The above was from running on DC1.  I also ran it on DC2 and obtained the following:

C:\Users\Administrator.TAMCOCORP>NTDSUTIL
NTDSUTIL: ac in ntds
Active instance set to "ntds".
NTDSUTIL: sem d a
semantic checker: go
Fixup mode is turned off
......Done.

Writing summary into log file dsdit.dmp.0
SDs scanned:            491
Records scanned:      13602
Processing records..Done. Elapsed time 4 seconds.
 
I notice there are 10 more SDs on DC2.  There was no change after running go fix on either server.

dsdit.dmp.2.txt
tamco (ASKER):
I ended up calling MS and using a support ticket.  We spent about 6 hours on this and they fixed even more things in AD using ADSI Edit (Hence the B and not A grade).  Ultimately, however, they demoted and promoted the DC to solve the manual creation of entries in AD on DC2 and that did the trick.  I don't know if the other steps were necessary as well, but they spent a great deal of time getting there.

They also said that they will work on adding a KB about this on their site.

In addition, the auto entry of records that was causing an error on my member servers was resolved by deleting the offending entry and trying again.  Secure updates was blocking the update of the DNS record.
tamco (ASKER):
Final report from MS with exact issues and final resolution:

It was my pleasure to assist you during your "DNS" issue.  I hope that you were delighted with the service provided to you.  I am providing you the key points of the case for your records. If you have any questions please feel free to call me. You can reach me using the contact information below and referencing the case ID XXXX.
PROBLEM: Not able to create DNS host A record. We get the following Error message “The host record test5.DOMAIN.com cannot be created. Refused”
CAUSE: Default Domain Policy is enforced, the "Manage auditing and security log" user right setting is getting applied from the Default Domain Policy.
RESOLUTION: Removed "Enforced" setting from the Default Domain Policy.
Case Summary:
===========
Two Domain Controllers - DC1 & DC2.
Both these DCs are Windows 2008 R2.
We were facing issue with the DC DC2 while creating a Host A DNS record.
Also noted that once we change the Dynamic Update from "Secure Only" to "Nonsecure and secure", were able to create the records in the zone.
We checked whether "Administrators" group is added in the User Right "Manage auditing and security log".
Found that "Manage auditing and security log" user right setting was getting applied from Default Domain policy.
Noted that "administrators" group is missing in the user right "Manage auditing and security log".
Since Default Domain Policy is enforced, the "Manage auditing and security log" user right setting is getting applied from the Default Domain Policy.
Checked with cx why the Default Domain Policy is enforced, cx mentioned that it was enforced for testing.
Removed "Enforced" setting from the Default Domain Policy.
Ran gpupdate /force on DC2. Found that the "Manage auditing and security log" setting is getting applied from the Default Domain Controllers Policy.
We Restarted the DNS service on DC2.
Tried creating the record in the zone DOMAIN.com and found that it was successful.
We also checked dynamic update and found its working fine.
 
Tamco, I appreciate you making the real cause known to the experts along with the solution; it's going to help everyone... Thanks
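The three conditions Microsoft's case summary names (an Enforced Default Domain Policy overriding the Default Domain Controllers Policy, Administrators missing from the "Manage auditing and security log" user right, and the zone's dynamic-update mode) can be checked on a DC with the PowerShell below. This is an added example, not part of the thread or of Microsoft's report; it assumes an elevated prompt on the DC, the GroupPolicy module from RSAT, and that $DomainDN and $Zone are replaced with real values (they are placeholders here).

```powershell
# Added example (not from the thread or Microsoft's report): checks the conditions named in
# the case summary. Assumes it runs elevated on the DC, that the GroupPolicy module (RSAT)
# is installed, and that $DomainDN and $Zone are replaced with real values (placeholders here).
$DomainDN = 'DC=DOMAIN,DC=com'   # placeholder
$Zone     = 'DOMAIN.com'         # placeholder

# 1. Enforced links at the domain root. An Enforced Default Domain Policy wins over the
#    Default Domain Controllers Policy, which is where the DCs' user rights normally come from.
Import-Module GroupPolicy
foreach ($link in (Get-GPInheritance -Target $DomainDN).GpoLinks) {
    $flag = if ($link.Enforced) { 'ENFORCED' } else { '' }
    '{0,-40} order={1} {2}' -f $link.DisplayName, $link.Order, $flag
}

# 2. Who effectively holds SeSecurityPrivilege ("Manage auditing and security log") here
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
Remove-Item $inf
$sids = @()
if ($line) {
    $sids = @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') })
}
$names = foreach ($s in $sids) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($s)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $s }   # leave unresolvable SIDs as they are
}
"SeSecurityPrivilege holders: $($names -join ', ')"
if ($sids -notcontains 'S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators is missing from "Manage auditing and security log"; per the case summary this is what produced the "Refused" error on DC2.'
}

# 3. Zone dynamic-update mode: keep it at 2 (secure only) and fix the user right, rather
#    than relaxing to 1 (nonsecure and secure), which was only a diagnostic step in the case.
$z = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone -Filter "ContainerName='$Zone'"
if (-not $z) {
    Write-Warning "Zone $Zone not found on this server"
} else {
    $mode = @{ 0 = 'no dynamic updates'; 1 = 'nonsecure and secure'; 2 = 'secure only' }
    "Zone $Zone AllowUpdate = $($z.AllowUpdate) ($($mode[[int]$z.AllowUpdate]))"
    if ($z.AllowUpdate -ne 2) { Write-Warning "Zone $Zone accepts nonsecure dynamic updates" }
}
```

The secedit export shows the user right as it is applied on this DC after all GPOs are processed, so a missing S-1-5-32-544 there points at whichever policy is winning in step 1. Removing Enforced from the Default Domain Policy, as Microsoft did, lets the Default Domain Controllers Policy apply again; changing the zone to nonsecure updates would also make record creation work, but at the cost of letting any host overwrite records, which is why step 3 flags it.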