Solved

Error creating host record on second DC

Posted on 2009-12-29
72 Comments | Medium Priority | 6,683 Views
Last Modified: 2012-06-21
I have two domain controllers, both running Windows Server 2008 R2 Standard.  One is physical, running as a Core install, the other is virtual, running as a Full install.

The core install was the first new DC added to have R2, it was a fresh install.  The previous box had Server 2008 x64 SP2.  Once this server was promoted that box was demoted and removed from operations.

Then I demoted the old VM running Server 2008 x64 SP2 and rebuilt it using R2 Full and promoted it to a DC as well.

The VM running R2 Full experiences an error when attempting to add hosts to DNS.  The error is identical to this one I found online: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/1e68cd26-6874-4be3-9a48-23e55a5aeb87

I have no problems using the core server and adding DNS entries.

Unfortunately a reboot does nothing to help the issue as it did in the case of the above example.  I also tried the one other piece of advice in that link and it was already setup that way.
Question by:tamco
72 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26141626
The permissions thing would have been a long shot, as you already indicated that on your Core server you can update with no errors.  In an integrated zone, that would mean permissions are correct... Have you checked your replication health (both AD and DNS) and made sure that everything is OK on those fronts?

Justin
0
 
LVL 24

Expert Comment

by:Awinish
ID: 26144803
You need to be a member of dnsadmin to edit/create/modify the DNS settings.
 
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26145212
Awinish, I assumed he was, as he can perform the updates on the Core server.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26145308
DrUltima,
First, for simplicity's sake I'll start referring to the Core install as DC1 and the Full install as DC2.
Running DCDiag on DC2 returned the following:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
 
Doing primary tests
   
   Testing server: Default-First-Site-Name\DC2
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: RidManager
         ......................... DC2 passed test RidManager
      Starting test: Services
         ......................... DC2 passed test Services
      Starting test: SystemLog
         ......................... DC2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC2 passed test VerifyReferences
   
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : tamcocorp
      Starting test: CheckSDRefDom
         ......................... tamcocorp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... tamcocorp passed test CrossRefValidation
   
   Running enterprise tests on : tamcocorp.com
      Starting test: LocatorCheck
         ......................... tamcocorp.com passed test LocatorCheck
      Starting test: Intersite
         ......................... tamcocorp.com passed test Intersite
 
0
 
LVL 1

Author Comment

by:tamco
ID: 26145319
The warnings in the event log are:

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
And:
 
Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
DC1
Failing DNS host name:
1333e39f-2b58-49cf-aa24-37e2b843e2a5._msdcs.tamcocorp.com

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 

dcdiag /test:dns

4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449 

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.
0
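Both warnings quoted above end with a "turn up the diagnostic level" instruction. As an added example (not from the thread), here is that instruction as a PowerShell script: it raises the NTDS diagnostic level for the LDAP Interface Events category so each unsigned or cleartext LDAP bind is logged with its client address, and the "22 DS RPC Client" value named in the second event so every replication DNS failure is logged rather than 10 per 12 hours. The registry value name "16 LDAP Interface Events" and the per-bind event ID 2889 are from my own knowledge of the NTDS event set, not from the thread.

```powershell
# Added example: raise NTDS diagnostic logging for the two categories the event
# text above refers to, then summarise the per-bind LDAP events by client.
# Run from an elevated PowerShell prompt on the domain controller.

$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Set-NtdsDiagLevel {
    param([string]$Category, [int]$Level)
    $before = (Get-ItemProperty -Path $diag -Name $Category).$Category
    Set-ItemProperty -Path $diag -Name $Category -Value $Level -Type DWord
    '{0}: {1} -> {2}' -f $Category, $before, $Level
}

# Level 2 logs one event per unsigned SASL / cleartext simple bind, including the
# client address, instead of only the 24-hour summary event mentioned above.
# ("16 LDAP Interface Events" is the standard value name; assumed, not on the page.)
Set-NtdsDiagLevel -Category '16 LDAP Interface Events' -Level 2

# Level 1 is what the replication event text asks for: log every DNS failure.
Set-NtdsDiagLevel -Category '22 DS RPC Client' -Level 1

# After clients have had time to bind, list who is still using weak binds.
# Event ID 2889 (assumed) carries the client IP:port as its first property.
$binds = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
         -ErrorAction SilentlyContinue
$binds | ForEach-Object { $_.Properties[0].Value } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Once no weak binds remain, drop the level back to the default so the
# Directory Service log stays readable:
# Set-NtdsDiagLevel -Category '16 LDAP Interface Events' -Level 0
```

The point of the client list is to know which systems would break before the DC is configured to reject unsigned binds; fixing those clients first is what the 2886 text above is asking for.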
 
LVL 1

Author Comment

by:tamco
ID: 26145322
I think that second error may be the issue.
0
 
LVL 1

Author Comment

by:tamco
ID: 26145378
Running dcdiag /test:dns on DC2 returned the following:

Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC2 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : tamcocorp
   Running enterprise tests on : DOMAIN
      Starting test: DNS
         ......................... DOMAIN passed test DNS
 
Running it on DC1 returned an error:
 
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         Message 0x621 not found.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... DC1 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC1 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : tamcocorp
   Running enterprise tests on : DOMAIN
      Starting test: DNS
         Test results for domain controllers:
            DC: DC1.DOMAIN
            Domain: DOMAIN

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  No host records (A or AAAA) were found for this DC
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network
               adapters
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: DOMAIN
               DC1                     PASS FAIL PASS PASS PASS FAIL n/a
         ......................... DOMAIN failed test DNS
0
 
LVL 1

Author Comment

by:tamco
ID: 26145479
Looking into it further, I found the following two links:
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/d5bebedd-bc3a-4b91-a053-7c04c78c2ec1
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/f7d65883-9114-465e-9351-64b2902d253d
I do have teaming enabled on DC1.  I see that it would cause the error I see when running dcdiag /test:dns; however, I don't know if that would have anything to do with DC2 not being able to create host records.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26145562
If DC1 holds your FSMO roles, an error on it would cause DC2 to experience errors, too.

Let's go with the obvious, first.  DC1 doesn't have a firewall turned on, does it?  Also, on DC1, do you need teaming on 2 NICs?  What are you using it for?

Justin


0
 
LVL 1

Author Comment

by:tamco
ID: 26145640
Justin,
I just transferred all FSMO roles to DC2 to eliminate that portion of the problem.
Yes, DC1 does have the default Windows firewall turned on, as does DC2. The reason for teaming was simply so that I have one IP address assigned to the DC and failover becomes available if one of the NICs fails.
Dan
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26145722
For the moment, let's disable the firewall on your two DCs and see if the DNS error goes away.  If it does, we can isolate your firewall setting that is causing the problem.  If it doesn't we can know that is not the issue.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26145758
Disabled firewall, same exact error.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26145853
OK, Dan... Again, I tend to be a "small step" kind of troubleshooter.  Could you, at least for the moment, break the teaming on your NICs and disable one of them?  I can understand if you need to wait until after business hours to do this.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26145867
I'll look for the documentation to break the teaming, unfortunately it's a bit more difficult on server core.  I'll post up once this is complete.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26145958
Most vendors now have utilities to enable or disable teaming on Core...  What is your NIC make and model?

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26146021
Broadcom BCM5708C, I have to do everything with a config file.  It's a Dell PE 1950.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26146079
Ick... I am sorry.  If it were my system, it is what I would do.  Obviously you have to decide if you want to do that.... If you are happy with only adding DNS entries from your DC1 and letting them replicate to DC2, then you could leave it alone.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26146130
Definitely not happy with it.  I think it is the cause of another problem I am having.

Log Name:      System
Source:        DnsApi
Date:          12/30/2009 10:38:46 AM
Event ID:      11163
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     SQL.DOMAIN.COM
Description:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:
   Adapter Name : {3A6ED011-D113-4F28-8E42-D7629DE6D240}
   Host Name : SQL
   Primary Domain Suffix : DOMAIN.COM
   DNS server list :
      x.x.x.39, x.x.x.42
   Sent update to server : x.x.x.39:53 - This is DC1
   IP Address(es) :
     x.x.x.32
 The reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.
 You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DnsApi" />
    <EventID Qualifiers="32768">11163</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-12-30T15:38:46.000000000Z" />
    <EventRecordID>71214</EventRecordID>
    <Channel>System</Channel>
    <Computer>SRVR-SQL2.tamcocorp.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>{3A6ED011-D113-4F28-8E42-D7629DE6D240}</Data>
    <Data>SQL</Data>
    <Data>DOMAIN.COM</Data>
    <Data> x.x.x.39, x.x.x.42</Data>
    <Data>x.x.x.39:53</Data>
    <Data>x.x.x.32</Data>
    <Data>
    </Data>
    <Binary>2D230000</Binary>
  </EventData>
</Event>
0
 
LVL 1

Author Comment

by:tamco
ID: 26146138
I forgot to add that happens when I run ipconfig /registerdns on my SQL server.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26146271
Yeah...  I hate to suggest you break the teaming, because I know what a pain it is to reestablish.  At the same time, the more variables that can be eliminated the easier replication issues are to resolve.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26146412
New error in event viewer.  I didn't notice it until a reboot when DNS stopped working altogether on DC1.  It's been happening since 2:40PM yesterday.

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.
0
 
LVL 1

Author Comment

by:tamco
ID: 26146448
Correction -
The error above appears on DC2 and DNS seems to have just taken a few minutes to start working again on DC1 after the reboot.  It is resolving host names now.
0
 
LVL 1

Author Comment

by:tamco
ID: 26146466
I still intend to remove the team, I'm working on making sure it won't affect operations so I can do it sooner rather than later.
0
 
LVL 1

Author Comment

by:tamco
ID: 26147973
OK, teaming has been removed.  I no longer receive an error when registering DNS on the SQL server.  I also don't receive an error when running dcdiag /test:dns on DC1 anymore.  I still can't create records on DC2 and now I do receive an error on DC2 when I run dcdiag /test:dns.


Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC2 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : tamcocorp
   Running enterprise tests on : DOMAIN
      Starting test: DNS
         Test results for domain controllers:
            DC: DC2.DOMAIN
            Domain: DOMAIN

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000007] Microsoft Virtual Machine Bus Network Adapter:
                     Warning:
                     Missing SRV record at DNS server x.x.x.42:
                     _ldap._tcp.gc._msdcs.DOMAIN
                     Warning:
                     Missing A record at DNS server x.x.x.42:
                     gc._msdcs.DOMAIN
               Error: Record registrations cannot be found for all the network
               adapters
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: DOMAIN
               DC2                     PASS PASS PASS PASS PASS FAIL n/a
         ......................... DOMAIN failed test DNS
 
Should I just manually create the SRV record? My only issue with doing that is it is more of a workaround than a solution as it should be created automatically.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 26148048
Run the commands below; they will fix the SRV records issue.

dcdiag /v /fix
netdiag /v /fix

nltest /dsregdns

ipconfig /flushdns
 net stop netlogon
 browse the system32 folder, rename the netlogon.dns and netlogon.dnb files
 net start netlogon
 ipconfig /flushdns
 ipconfig /registerdns

The RReg test failed because you have not enabled secure update in DNS.

Right click the zone in dns admin console,select secure update & this test will also pass.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26148090
Awinish gave the right steps in the right order.  Once that is done, your DNS issue should be fixed, too.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26148121
Awinish -
I ran those commands, one didn't work:
netdiag /v /fix - netdiag not found
For anyone viewing this in the future: netlogon.dns and netlogon.dnb are in %systemroot%\system32\config
Secure update was enabled, maybe that part errored out because the DC had just rebooted.
I re-ran dcdiag /test:dns and there are no longer any errors, but I still can't add a host.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26148287
NETDIAG is part of the Resource Tool Kit.  You can find it here:

http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Let's start over on DC2.  What errors do you get (if any) when you try to add a host to DNS?

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26148466
First, I've read somewhere that installing 2003 Resource Kit tools on 2008 isn't a good idea.  Should I worry about the netdiag portion considering the diagnostic is no longer failing?
Second, when I click Add Host a message box comes up that says: The host record TEST.DOMAIN.COM cannot be created. Refused.
The event viewer shows this:
Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/30/2009 2:57:18 PM
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC2.DOMAIN.COM
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
 0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="49152">4015</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-12-30T19:57:18.000000000Z" />
    <EventRecordID>37</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>DC2.DOMAIN.COM</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_DS_INTERFACE_ERROR">
    <Data Name="param1">0000051B: AtrErr: DSID-030F1F8D, #1:
 0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)</Data>
    <Binary>13000000</Binary>
  </EventData>
</Event>
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26148535
Sorry... I forgot for a moment we were on 2008.  You are correct. NETDIAG was deprecated for the 2008 platform.  Don't install the 2003 tool kit on an 08 server.  DCDIAG /fix does most of the same things, so don't worry about it.

For the sake of clarification, DC2 isn't a Read-Only Domain Controller, is it?

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26148624
I'm 99.99999% certain it is not an RODC, but is there some place I can look to make that 100%?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26148746
Sadly, I don't know, and I cannot find anything to tell me.  I don't have any deployed, so I can't tell you what difference to look for.  If I was to guess, I would think it would show up in the Roles area, but I could be wrong about that.  The reason I ask is that AD integrated DNS needs to write to the AD database, which it can't do from an RODC.  So, if it is an RODC, it has to know about an NS record pointing back to the writable DC.  On searching on your error, the most common item I ran across was RODC related.  Here is an example:

http://www.mskbarticles.com/index.php?kb=969488

Here is what led me there:

http://eventid.net/display.asp?eventid=4015&eventno=10480&source=Microsoft-Windows-DNS-Server-Service&phase=1

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26148759
It doesn't log the event with any frequency, instead it occurs at the moment I attempt to manually create a record.
I installed the DC a few weeks ago and I'm pretty certain I didn't check the box for RODC, so I suppose we should move ahead based on that.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26148773
I would still be curious if you created an NS record (in DC1 and let it replicate) pointing back to DC1 as the authority if the problem would go away.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26148784
Right now I have two name servers listed: DC1 and DC2.  Are you suggesting I remove DC2?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26148805
Temporarily, yes.
0
 
LVL 1

Author Comment

by:tamco
ID: 26149010
OK, I removed DC2 as a name server from DC1 and DC2 and still it does not allow me to add a host record.  I've already re-added it.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26149081
I am about to leave for the day and won't be able to come back to this until tomorrow.  I didn't want you to think I was ignoring you or abandoning the question.

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26149093
Same here, I'm in Florida so I'm about to head home in 2 minutes.
0
 
LVL 1

Author Comment

by:tamco
ID: 26154177
Justin -
I was successful in determining if the DC is an RODC, it is not.  Here is the site that helped: http://steverosa.wordpress.com/2007/07/04/windows-server-2008-read-only-domain-controller-administration-and-misc/
0
 
LVL 1

Author Comment

by:tamco
ID: 26154201
BTW - When viewing that dialog box it says that DC1 is Unavailable under the Status when viewing it from DC2.
When viewing it from my machine both are available and Online.  That is even the case if I am using the Server Manager snap-in for DC1 and DC2.
I can't view it directly from DC1 since it is a core machine and doesn't support MMC's.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26154214
Very good info... I bookmarked it for future reference.  Thank you for that.  So, for clarification, we are now back to DC1 behaving properly with no errors on DCDIAG or REPADMIN.  DC2 shows no errors in DCDIAG or REPADMIN, but gets a "Refused" response when trying to add a DNS entry.  You have verified that DC2 is not an RODC.  

On DC2, what is the primary DNS server in its IP stack?

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26154425
::1 and 127.0.0.1
Attached are the files for DC1 and DC2 running repadmin and from running dcdiag.  Note that I was able to run repadmin from my local machine without errors, but if I tried running dcdiag using the /s switch to denote which server to run against on my local machine I received lots of errors.  Those errors did not present themselves if running the command directly on the DCs.

repadmin-DC1.csv
repadmin-DC2.csv
dc1diag.log
dc2diag.log
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26154547
OK... Because each DC is also a DNS Server, each one needs to point to its own IP address (which is better practice than using the loopback address).  If DC1 has an IP of 10.0.0.2, then 10.0.0.2 should be its primary DNS server.  If DC2, in this scenario, has an IP address of 10.0.0.3, then 10.0.0.3 should be its primary DNS server.  Your setup would look like this:

DC1:
Primary DNS: 10.0.0.2
Secondary DNS: 10.0.0.3

DC2:
Primary DNS: 10.0.0.3
Secondary DNS: 10.0.0.2

Make sure that both DC1 and DC2 have the correct host records in DNS, in both the forward lookup zone and the reverse lookup zone.  Look for any other machines that might be hijacking the IP address of your DCs and also look for errant IP entries for your DCs.

Justin
0
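The layout above (each DC's own address first, the partner second, no loopback) and the follow-up checks on forward, reverse and stale records can be verified in one pass. This is an added example and not part of the thread; it uses the illustrative 10.0.0.2 / 10.0.0.3 addresses from the comment, assumes a name for the DC and its adapter, and works with the PowerShell 2.0 and WMI classes present on Server 2008 R2 (including Core, which has no MMC).

```powershell
# Added example: audit a DC's DNS client settings against the recommended
# "self first, partner second" order, then confirm its A and PTR records
# point only at the DC itself (a leftover team IP or second-NIC address is
# exactly the kind of errant entry the comment above warns about).

function Test-DcDnsClientConfig {
    param(
        [string]$SelfIp,     # this DC's own address, e.g. 10.0.0.2
        [string]$PartnerIp,  # the other DC's address, e.g. 10.0.0.3
        [string]$DcFqdn      # e.g. DC1.tamcocorp.com (assumed name)
    )
    $findings = @()

    # After the team is broken only one adapter should carry IP settings.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($nics.Count -ne 1) { $findings += "Expected 1 IP-enabled adapter, found $($nics.Count)" }

    foreach ($nic in $nics) {
        $order = @($nic.DNSServerSearchOrder)
        $shown = $order -join ', '
        if ($order -contains '127.0.0.1' -or $order -contains '::1') {
            $findings += "Loopback address in DNS server list: $shown"
        }
        if ($order.Count -lt 1 -or $order[0] -ne $SelfIp) {
            $findings += "Primary DNS should be self ($SelfIp), is: $shown"
        }
        if ($order.Count -lt 2 -or $order[1] -ne $PartnerIp) {
            $findings += "Secondary DNS should be partner ($PartnerIp), is: $shown"
        }
        if (@($nic.IPAddress) -notcontains $SelfIp) {
            $findings += "Adapter addresses $($nic.IPAddress -join ', ') do not include $SelfIp"
        }
    }

    # Forward lookup: the DC name must resolve to its own address and nothing else.
    $fwd = @([System.Net.Dns]::GetHostAddresses($DcFqdn) | ForEach-Object { $_.IPAddressToString })
    if ($fwd -notcontains $SelfIp) { $findings += "$DcFqdn does not resolve to $SelfIp (got: $($fwd -join ', '))" }
    $stale = @($fwd | Where-Object { $_ -ne $SelfIp })
    if ($stale.Count -gt 0) { $findings += "Stale/extra A records for ${DcFqdn}: $($stale -join ', ')" }

    # Reverse lookup: the address must map back to this DC; another name here
    # means another host is registered on (or hijacking) the DC's IP.
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($SelfIp).HostName
        if ($ptr -ne $DcFqdn) { $findings += "PTR for $SelfIp is '$ptr', expected '$DcFqdn'" }
    } catch {
        $findings += "No PTR record for $SelfIp in the reverse lookup zone"
    }

    if ($findings.Count -eq 0) { 'OK: DNS client order and A/PTR records match the recommended layout' }
    else { $findings }
}

# Usage on DC1 (swap the two addresses when running on DC2):
Test-DcDnsClientConfig -SelfIp '10.0.0.2' -PartnerIp '10.0.0.3' -DcFqdn 'DC1.tamcocorp.com'

# To set the order on a Core install without the GUI (adapter name assumed):
#   netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=10.0.0.2 register=primary
#   netsh interface ipv4 add dnsservers name="Local Area Connection" address=10.0.0.3 index=2
```

Run it on each DC after any adapter change; the author's later report that the second NIC was still connected to the switch is the kind of state the adapter-count check is meant to flag.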
 
LVL 1

Author Comment

by:tamco
ID: 26154598
In the case of DC1, should I list both of its IP addresses now that it doesn't have teaming enabled?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26154619
No.... Just list the NIC that is enabled.  The second NIC should currently be disabled.
0
 
LVL 1

Author Comment

by:tamco
ID: 26154642
Currently both are enabled, one of the links I posted about the problem said you would get those errors from disabling the other NIC as well.  I haven't followed the cable to see what port it is connected to, so it is also connected to the switch.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26154703
If the NICs were teamed, I am assuming they were publishing one IP to DNS.  You will need to check DNS and make sure that the IP for the team is not in there.  I would remove any reference to the second NIC from DNS as well.  Use the primary adapter as the ip for primary server on DC1 and secondary server on DC2.
0
 
LVL 1

Author Comment

by:tamco
ID: 26155155
OK, I disabled the port on the switch that the second NIC is connected to.  Now the NIC is enabled but the media is effectively disconnected.  No reference to the second NIC's old IP address appears in DNS and the entries for DC1 and DC2 are correctly entered.
Unfortunately, the problem persists.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26155222
Does DC2 still hold your FSMO roles, or have you moved those back to DC1?
0
 
LVL 1

Author Comment

by:tamco
ID: 26155265
DC2 still holds all five FSMO roles.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26155285
Now that you have changed NIC info and DNS entries, let's go through Awinish's steps again:
  • dcdiag /v /fix
  • nltest /dsregdns
  • ipconfig /flushdns
  • net stop netlogon
  • browse the system32 folder, rename the netlogon.dns and netlogon.dnb files
  • net start netlogon
  • ipconfig /flushdns
  • ipconfig /registerdns
0
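The sequence Awinish posted and Justin repeats above, as one PowerShell script. This is an added example, not from the thread: it follows the thread's order, keeps the renamed files as dated backups instead of simply renaming them, uses the file location the author corrected earlier (%systemroot%\system32\config, not system32), and omits netdiag, which does not exist on Server 2008 R2. It also checks Awinish's other point, that the RReg test needs the zone to accept secure dynamic updates, via dnscmd, which is present on 2008 R2 DNS servers. The zone name is an assumption; run it elevated on the DC.

```powershell
# Added example: DC DNS re-registration sequence from the thread, scripted.
# Run from an elevated prompt on the domain controller being fixed.

$Zone  = 'tamcocorp.com'                               # assumed zone name
$cfg   = Join-Path $env:SystemRoot 'System32\config'   # location of netlogon.dns/.dnb
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-Step([string]$Label, [scriptblock]$Action) {
    Write-Host "== $Label"
    & $Action
    if ($LASTEXITCODE) { Write-Warning "$Label exited with code $LASTEXITCODE" }
}

Invoke-Step 'dcdiag /v /fix'     { dcdiag /v /fix | Out-Null }
Invoke-Step 'nltest /dsregdns'   { nltest /dsregdns }
Invoke-Step 'ipconfig /flushdns' { ipconfig /flushdns | Out-Null }
Invoke-Step 'net stop netlogon'  { net stop netlogon }

# netlogon.dns lists the SRV/A records this DC expects to own; keeping the old
# copy lets you diff it against the regenerated one after Netlogon restarts.
foreach ($name in 'netlogon.dns', 'netlogon.dnb') {
    $path = Join-Path $cfg $name
    if (Test-Path $path) {
        Rename-Item -Path $path -NewName "$name.$stamp.bak"
        Write-Host "renamed $path -> $name.$stamp.bak"
    } else {
        Write-Warning "$path not found (expected under system32\config on 2008 R2)"
    }
}

Invoke-Step 'net start netlogon'    { net start netlogon }
Invoke-Step 'ipconfig /flushdns'    { ipconfig /flushdns | Out-Null }
Invoke-Step 'ipconfig /registerdns' { ipconfig /registerdns | Out-Null }

# Dynamic update setting of the zone: dnscmd reports "update = 2" for secure
# only, 1 for nonsecure and secure, 0 for none. RReg needs updates enabled.
$match = dnscmd /ZoneInfo $Zone | Select-String -Pattern 'update\s*=\s*(\d)'
if ($match) {
    $update = $match.Matches[0].Groups[1].Value
    if ($update -ne '2') { Write-Warning "Zone $Zone dynamic update = $update (expected 2 = secure only)" }
} else {
    Write-Warning "Could not read dynamic update setting for zone $Zone"
}

# Verify: the RReg column in the summary should now read PASS.
dcdiag /test:dns | Select-String -Pattern 'RReg|PASS|FAIL|Missing'
```

The final dcdiag line is the same check the author used throughout the thread; the "Missing SRV record" warnings reported earlier should be gone once Netlogon has re-registered with the regenerated netlogon.dns.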
 
LVL 1

Author Comment

by:tamco
ID: 26155290
On DC1, DC2 or both?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26155312
DC2 for sure, wouldn't hurt to do both.
0
 
LVL 1

Author Comment

by:tamco
ID: 26155353
Did it for both, no joy.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26155381
And you are still getting the 4015 in your event viewer?
0
 
LVL 1

Author Comment

by:tamco
ID: 26155393
Yes, still getting 4015 error.
0
 
LVL 1

Author Comment

by:tamco
ID: 26155442
"BTW - When viewing that dialog box it says that DC1 is Unavailable under the Status when viewing it from DC2."
This issue has been resolved by what we did.  Now DC1 shows as online from DC2.
0
 
LVL 1

Author Comment

by:tamco
ID: 26155486
Oh, and FYI, I can delete records from DC2, just not add them.
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 750 total points
ID: 26155567
Everything I am seeing is pointing to a corrupt AD.  If it were my system, I would:

NTDSUTIL
semantic database analysis (or sem d a)
go

Check for errors.  If some are found, fix them.  If none are found, as a last ditch effort, I would:

1) Move the FSMO roles back to DC1.
2) Demote DC2 back to a member server (remove AD and DNS roles)
3) Clean up the metadata
4) Promote DC2 back to an AD server (re-add AD and DNS roles)

Before you go that route, though, Awinish may have other suggestions...

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26155589
What do I set the active instance to?
0
 
LVL 1

Author Comment

by:tamco
ID: 26155606
Also, this was happening when DC2 was also a core install.  Since there is a bug in R2 Core that doesn't use ISATAP and I am trying to get DirectAccess working, I demoted DC2 and reinstalled using a full install of R2 then repromoted. I need my DNS server to have an IPv6 address or DirectAccess won't function.
This did not happen when both were running 2008 (not R2).
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26155616
Depends... Normally instance1, but here is the "How To"

http://technet.microsoft.com/en-us/library/cc770715%28WS.10%29.aspx

Justin
0
 
LVL 1

Author Comment

by:tamco
ID: 26155640
Well, we are closing early today so I am leaving for the weekend.  Happy New Year and I'll either login remotely at some point to give it a try or come back to this on Monday.
0
 
LVL 1

Author Comment

by:tamco
ID: 26156049
Output:

C:\Windows\System32>ntdsutil
ntdsutil: ac in instance1
AD LDS Instance "instance1" not found on this machine.
No active instance set.
ntdsutil: ac in ntds
Active instance set to "ntds".
ntdsutil: sem d a
semantic checker: go
Fixup mode is turned off
......Done.

Writing summary into log file dsdit.dmp.0
SDs scanned:            481
Records scanned:      13602
Processing records..Done. Elapsed time 3 seconds.
Is there something here that indicates if there is an error or do I need to view the log file?
0
 
LVL 1

Author Comment

by:tamco
ID: 26156072
Here is the file.  I ran it again using go fix as well.

dsdit.dmp.1.txt
0
 
LVL 1

Author Comment

by:tamco
ID: 26156108
The above was from running on DC1.  I also ran it on DC2 and obtained the following:

C:\Users\Administrator.TAMCOCORP>NTDSUTIL
NTDSUTIL: ac in ntds
Active instance set to "ntds".
NTDSUTIL: sem d a
semantic checker: go
Fixup mode is turned off
......Done.

Writing summary into log file dsdit.dmp.0
SDs scanned:            491
Records scanned:      13602
Processing records..Done. Elapsed time 4 seconds.
 
I notice there are 10 more SDs on DC2.  There was no change after running go fix on either server.

dsdit.dmp.2.txt
0
 
LVL 1

Author Closing Comment

by:tamco
ID: 31670930
I ended up calling MS and using a support ticket.  We spent about 6 hours on this and they fixed even more things in AD using ADSI Edit (hence the B and not A grade).  Ultimately, however, they demoted and promoted the DC to solve the manual creation of entries in AD on DC2 and that did the trick.  I don't know if the other steps were necessary as well, but they spent a great deal of time getting there.

They also said that they will work on adding a KB about this on their site.

In addition, the auto entry of records that was causing an error on my member servers was resolved by deleting the offending entry and trying again.  Secure updates was blocking the update of the DNS record.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 26184602
Comment from the author:

I ended up calling MS and using a support ticket. We spent about 6 hours on this and they fixed even more things in AD using ADSI Edit (hence the B and not A grade). Ultimately, however, they demoted and promoted the DC to solve the manual creation of entries in AD on DC2 and that did the trick. I don't know if the other steps were necessary as well, but they spent a great deal of time getting there.

They also said that they will work on adding a KB about this on their site.

In addition, the auto entry of records that was causing an error on my member servers was resolved by deleting the offending entry and trying again. Secure updates was blocking the update of the DNS record.
0
 
LVL 1

Author Comment

by:tamco
ID: 26323590
Final report from MS with exact issues and final resolution:

It was my pleasure to assist you during your "DNS" issue.  I hope that you were delighted with the service provided to you.  I am providing you the key points of the case for your records. If you have any questions please feel free to call me. You can reach me using the contact information below and referencing the case ID XXXX.
PROBLEM: Not able to create a DNS host A record. We get the following error message: "The host record test5.DOMAIN.com cannot be created. Refused"
CAUSE: Default Domain Policy is enforced, so the "Manage auditing and security log" user right setting is getting applied from the Default Domain Policy.
RESOLUTION: Removed the "Enforced" setting from the Default Domain Policy.
Case Summary:
===========
Two Domain Controllers - DC1 & DC2.
Both these DCs are Windows 2008 R2.
We were facing an issue with DC2 while creating a Host A DNS record.
Also noted that once we changed Dynamic Update from "Secure Only" to "Nonsecure and secure", we were able to create the records in the zone.
We checked whether the "Administrators" group is added in the user right "Manage auditing and security log".
Found that the "Manage auditing and security log" user right setting was getting applied from the Default Domain Policy.
Noted that the "Administrators" group is missing from the user right "Manage auditing and security log".
Since the Default Domain Policy is enforced, the "Manage auditing and security log" user right setting is getting applied from the Default Domain Policy.
Checked with cx why the Default Domain Policy is enforced; cx mentioned that it was enforced for testing.
Removed the "Enforced" setting from the Default Domain Policy.
Ran gpupdate /force on DC2. Found that the "Manage auditing and security log" setting is getting applied from the Default Domain Controllers Policy.
We restarted the DNS service on DC2.
Tried creating the record in the zone DOMAIN.com and found that it was successful.
We also checked dynamic update and found it is working fine.
 
0
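A read-only script that reproduces the checks the support engineer describes in the case summary, added here as an example and not part of the MS notes or the thread. It reports who effectively holds the "Manage auditing and security log" right (SeSecurityPrivilege) on the DC it runs on, which GPO links at the domain root are enforced (an enforced Default Domain Policy overrides the Default Domain Controllers Policy linked on the Domain Controllers OU, which is how the right went missing here), and the zone's dynamic-update mode, so the three facts from the case can be confirmed before anyone relaxes a zone to nonsecure updates. It assumes an elevated PowerShell session on the affected DC with the GroupPolicy and ActiveDirectory modules available (AD DS role or RSAT); the zone name `DOMAIN.com` is the placeholder from the case notes and should be replaced. The DNS WMI provider is used for the zone setting because it exists on Server 2008 R2.

```powershell
# Added example (not from the MS case notes or the thread): read-only check for the
# conditions described in the case. Nothing is changed by this script.
# Assumes: elevated PowerShell on the DC; GroupPolicy + ActiveDirectory modules present.
param([string]$ZoneName = 'DOMAIN.com')   # placeholder zone name from the case notes

Import-Module GroupPolicy
Import-Module ActiveDirectory

$adminSid = 'S-1-5-32-544'                    # well-known SID of BUILTIN\Administrators
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Effective holders of "Manage auditing and security log" (SeSecurityPrivilege)
#    on this DC. secedit exports the applied policy; the relevant line looks like
#    SeSecurityPrivilege = *S-1-5-32-544
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
$adminsHoldRight = $holders -contains $adminSid

# 2. Enforced GPO links at the domain root. Enforced links win over policies linked
#    lower in the tree, including the Default Domain Controllers Policy.
$enforcedAtRoot = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.Enforced } |
    Select-Object -ExpandProperty DisplayName

# 3. Zone dynamic-update mode from the MicrosoftDNS WMI provider.
#    AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only.
$zone = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone `
        -Filter "ContainerName='$ZoneName'"
$updateMode = switch ($zone.AllowUpdate) {
    0       { 'None' }
    1       { 'NonsecureAndSecure' }
    2       { 'Secure' }
    default { 'Unknown (zone not found?)' }
}

$verdict = if (-not $adminsHoldRight -and $updateMode -eq 'Secure') {
    'Matches the case: Administrators lack SeSecurityPrivilege and the zone is secure-only. ' +
    'Check the enforced links listed below before changing the zone update mode.'
} elseif (-not $adminsHoldRight) {
    'Administrators lack SeSecurityPrivilege; the zone is not secure-only, so creation may still work.'
} else {
    'Administrators hold SeSecurityPrivilege on this DC; look elsewhere (replication, zone permissions).'
}

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    SeSecurityPrivilege     = ($holders -join ', ')
    AdministratorsHoldRight = $adminsHoldRight
    EnforcedGpoLinksAtRoot  = ($enforcedAtRoot -join ', ')
    ZoneDynamicUpdate       = $updateMode
    Verdict                 = $verdict
}
```

The point of running this on both DCs is the same comparison the engineer made: if DC1 shows Administrators in `SeSecurityPrivilege` and DC2 does not, the difference is in which policy is winning, and that is a GPO link and enforcement question rather than a DNS or replication one.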
 
LVL 24

Expert Comment

by:Awinish
ID: 26323735
Tamco, I appreciate you letting the experts know the real cause along with the solution & it's going to help all... Thanks
0
