Solved

HELP: installed addl DC, now have DNS problem with Exchange

Posted on 2010-09-18
Last Modified: 2012-08-14
Recently I installed an Add'l DC on the company network.  The original DC is a Windows 2008 SBS and the second DC is a Windows 2008 R2.  The SBS server is also the Exchange server and the R2 DC is just a "backup."  All was going well until I had to reboot the SBS server last night for a software update.  

On boot-up I now get errors about the certificate authority and DNS. Can anyone help?
Question by: JLEmlet

19 Comments

Expert Comment

by:Glen Knight
ID: 33707942
Check firstly that the SBS server is using its own IP address in the DNS configuration of the network card.

The new server should also be using the SBS server's IP address.

If you have to change this, reboot both servers just to be sure, then let's see where we are.

Author Comment

by:JLEmlet
ID: 33708333
I've confirmed the SBS server is using its own IP address as well as the R2 server.  However the R2 server is also using 127.0.0.1 as a secondary DNS server. Should I remove or change that?

Expert Comment

by:Glen Knight
ID: 33708341
Have you installed DNS on the new server?

Author Comment

by:JLEmlet
ID: 33708347
Yes - I did that months ago.  It is a DC (the second in the domain).  I'm getting this error message on the SBS server (also the Exchange server).  The reference to Bandit is the R2 server:

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2148). Exchange Active Directory Provider failed to obtain an IP address for DS server BANDIT.dc.integral, error 11001 (WSAHOST_NOT_FOUND (Host was not found)).  This host will not be used as a DS server by Exchange Active Directory Provider.  

Expert Comment

by:Glen Knight
ID: 33708396

Author Comment

by:JLEmlet
ID: 33708458
There wasn't anything in that group policy, so I added the domain\exchange servers and it is rebooting now.

Author Comment

by:JLEmlet
ID: 33708482
But something must be wrong with the setup of my second DC, because I cannot communicate within the domain while the SBS server is rebooting.

Expert Comment

by:Glen Knight
ID: 33708489
You mean from the client machines? If so have you set the second DC in the DNS properties of DHCP so that the client machines receive both servers as DNS servers?

Did you make the new DC a global catalog server?

Author Comment

by:JLEmlet
ID: 33708491
On reboot I still have the same issue

Expert Comment

by:Glen Knight
ID: 33708498
The topology discovery error?

OK, can you run DCDIAG on both servers and post the results please?

Author Comment

by:JLEmlet
ID: 33708518
Here are the results.  Simon is the SBS and Bandit is the Windows 2008 r2.
banditdcdiag.txt
simondcdiag.txt

Expert Comment

by:Glen Knight
ID: 33708572
First thing, can you uninstall Symantec Endpoint, then reboot.

Can you also post IPCONFIG /ALL from both servers.

Author Comment

by:JLEmlet
ID: 33711468
I uninstalled Symantec, but now I cannot log onto the SBS server.  I get the login screen, but when I log in, nothing; I just get a black screen.  I can view the logs of the SBS server from the other DC and there are lots of DNS errors.  I'm attaching the system event log in XML format.

Author Comment

by:JLEmlet
ID: 33711486
I couldn't upload the event logs, but here are the two main errors that continue to appear in the system log:

The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object CN={DA24C723-6A3A-40F9-9FD4-7471AE151F53},CN=POLICIES,CN=SYSTEM,DC=DC,DC=INTEGRAL. This could be caused by RSOP being disabled  or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.


The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.


And then in the DNS log I'm getting:

DNS server has updated its own host (A) records.  In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
 
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
 
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact.  (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner.  It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

I've confirmed in the SBS DNS and the R2 DNS that the IP addresses are correct.

Expert Comment

by:Glen Knight
ID: 33711524
Did you change the SBS server's IP address recently?

Can you configure both servers robust only the new server for DNS then restart.

If you cannot login to the SBS server can you boot in to safe mode?

Author Comment

by:JLEmlet
ID: 33711551
What does "robust only" mean?  Rebooting the SBS server now and have the other DC shut down.

Accepted Solution

by: Glen Knight (earned 500 total points)
ID: 33711566
Sorry not sure how that got in there.

It was supposed to say set both servers to use the new server for DNS then reboot them.
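Added example, not code from the thread or from either participant: a PowerShell check that automates the DNS-client advice given at the top of the thread (each DC's DNS list must point at a domain controller, with 127.0.0.1 never first), the IPCONFIG /ALL and DCDIAG review requested later, and the accepted fix of pointing both servers at one working DC for DNS. It also performs the lookup that produced the WSAHOST_NOT_FOUND error, resolving the peer DC's FQDN against each configured DNS server and checking the DC-locator SRV record. The names SIMON and BANDIT and the domain dc.integral are taken from the posted error text; everything else is assumed: a domain-admin session with WMI access to both DCs, and Server 2008-era tooling (Get-WmiObject and nslookup, since Resolve-DnsName and Get-DnsClientServerAddress did not exist before Server 2012).

```powershell
<#
  Added example (not from the thread). Checks each DC's DNS client list the way
  the advice in this thread says it should look, then verifies that every
  configured DNS server can actually resolve the other DC and the DC-locator
  SRV record. Assumed: names SIMON/BANDIT and domain dc.integral (from the
  posted error), WMI access to both DCs, nslookup.exe on the path.
#>
param(
    [string[]] $DomainControllers = @('SIMON', 'BANDIT'),   # assumed: the two DCs named in the thread
    [string]   $DnsDomain         = 'dc.integral'            # assumed: AD DNS name from the Exchange event
)

function Get-DcAddressMap {
    param([string[]] $Names)
    # Map each DC name to its IPv4 addresses via the local resolver (used only to
    # recognise which DNS-list entries are DCs, not to test name resolution).
    $map = @{}
    foreach ($n in $Names) {
        $map[$n] = @([System.Net.Dns]::GetHostAddresses($n) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    }
    return $map
}

function Get-DnsClientList {
    param([string] $ComputerName)
    # DNSServerSearchOrder is the per-adapter list the DNS client really consults,
    # i.e. the "DNS Servers" lines IPCONFIG /ALL prints for that adapter.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $ComputerName `
                  -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DNSServerSearchOrder } |
        ForEach-Object { $_.DNSServerSearchOrder }
}

function Test-NameAgainstServer {
    param([string] $Name, [string] $Server, [string] $Type = 'A')
    # Ask one specific DNS server, bypassing the local resolver cache, which is
    # what the Exchange AD topology service effectively did for BANDIT.dc.integral.
    $out = & nslookup "-type=$Type" $Name $Server 2>&1 | Out-String
    if ($Type -eq 'SRV') { return [bool]($out -match 'svr hostname') }
    return [bool]($out -match '(?m)^Name:')     # nslookup prints "Name:" only on success
}

$dcAddresses = Get-DcAddressMap -Names $DomainControllers
$allDcIps    = @($dcAddresses.Values | ForEach-Object { $_ })

foreach ($dc in $DomainControllers) {
    $dnsList = @(Get-DnsClientList -ComputerName $dc)
    $peers   = @($DomainControllers | Where-Object { $_ -ne $dc })
    Write-Host "== $dc  DNS client list: $($dnsList -join ', ')"

    if ($dnsList.Count -eq 0) {
        Write-Warning "$dc has no DNS servers configured on any enabled adapter."
        continue
    }
    # Rule 1: 127.0.0.1 may appear, but never as the first (preferred) entry.
    if ($dnsList[0] -eq '127.0.0.1') {
        Write-Warning "$dc lists 127.0.0.1 first; put a reachable DC address ahead of it."
    }
    # Rule 2: every other entry must be a domain controller, not an ISP or router resolver.
    foreach ($entry in ($dnsList | Where-Object { $_ -ne '127.0.0.1' })) {
        if ($allDcIps -notcontains $entry) {
            Write-Warning "$dc uses $entry for DNS, which is not one of the known DCs."
        }
    }
    # Rule 3: each configured server must resolve the peer DC and hold the locator SRV record.
    foreach ($entry in $dnsList) {
        $server = if ($entry -eq '127.0.0.1') { $dc } else { $entry }
        foreach ($peer in $peers) {
            $fqdn = "$peer.$DnsDomain"
            if (-not (Test-NameAgainstServer -Name $fqdn -Server $server)) {
                Write-Warning "$server cannot resolve $fqdn (the WSAHOST_NOT_FOUND case from the Exchange event)."
            }
        }
        $srv = "_ldap._tcp.dc._msdcs.$DnsDomain"
        if (-not (Test-NameAgainstServer -Name $srv -Server $server -Type 'SRV')) {
            Write-Warning "$server has no $srv record; DC locator lookups through it will fail."
        }
    }
}
```

Run it from an elevated PowerShell on either DC before and after changing the adapter DNS settings; a clean run prints each server's list with no warnings. The SRV check matters because an A record for the peer can be correct while the _msdcs zone is missing or stale, which still breaks DC location and Exchange topology discovery.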

Author Comment

by:JLEmlet
ID: 33712305
So I rebooted the server with the R2 DC turned off.  I had started this process before I saw your post.  Now exchange is working again, but I cannot get the VPN to work.  When I try to start the service Routing And Remote Access, I get an error.

The Remote Access Connection Manager service terminated with the following error:
The specified module could not be found.

Then I get

Point to Point Protocol engine was unable to load the C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SymRasMan64.dll module. The specified module could not be found.

Then I get

The Control Protocol EAP in the Point to Point Protocol module C:\Windows\System32\rasppp.dll returned an error while initializing. The specified module could not be found.

And finally I get

Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.

Thoughts?  Since Symantec is referenced, should I just reinstall Endpoint?

Author Closing Comment

by:JLEmlet
ID: 33720028
Thank you for your help.  I was able to get everything back online.  I think I still have an issue with my other DC, but will post a separate question for that.