Fubschuk
asked on
Active Directory Domain Service could not use DNS to resolve IP address
We recently lost one of our DCs (#11) but seem to have recovered most of the domain functionality. I am seeing WARNING messages on our PDC (#8) in the event log for ActiveDirectory_DomainService 2088 and 2092. How can I resolve the problem causing these warning messages?
The metadata has been cleaned and I have tried running dcdiag /test:dns on both DCs (#8, #13) and they both pass.
Event ID:2088
Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
Alternate server name:
Winserver13.Diplomat.local
Failing DNS host name:
27bbedad-a6e5-47b0-9271-804ee79cc762._msdcs.Diplomat.local
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
dcdiag /test:dns
4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449
Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.
Event ID: 2092
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=Diplomat,DC=local
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
ASKER
Roles for Winserver8 as follows:
Server "winserver8" knows about 5 roles
Schema - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
Naming Master - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
PDC - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
Same run in Winserver13:
Server "winserver13" knows about 5 roles
Schema - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
Domain - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
PDC - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
RID - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
Infrastructure - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
select operation target:
RID - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
Infrastructure - CN=NTDS Settings,CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local
ASKER
I have run DCDIAG /e /v on both #13 and #8. Most tests passed on #8 apart from the one below; #13 had a few more errors, see the attached dcdiag output.
From WINSERVER8:
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0xC0002719
Time Generated: 12/10/2010 13:03:39
Event String:
The value returned by this database operation has been truncated.
......................... WINSERVER13 failed test SystemLog
From WINSERVER13:
dcdiag.txt
It seems you have at least DNS and FRS related issues. Maybe the FRS cause is DNS.
What errors do you have in the System event log?
Also, post here the "netdiag /fix" of the DCs, please.
ok, hope you solved the issue.
ASKER
The errors seem to have stopped since resetting the MACHINE password. I found this answer was related to another question I had open.
https://www.experts-exchange.com/questions/26670670/Group-policy-errors-1058-after-recoverd-domain-from-lost-DC.html
Then you could start troubleshooting from here: http://technet.microsoft.com/en-us/library/cc949127(WS.10).aspx Although the event discussed is 2087, it also applies to 2088.
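
A check for the condition event 2088 reports, as an added example that is not part of the original thread: for every domain controller it builds the <DSA GUID>._msdcs.<forest root> alias and asks each DC's DNS service for the CNAME and for the host (A) record behind it. It assumes the ActiveDirectory and DnsClient PowerShell modules are available and a single-domain forest such as the one in this thread; the function name Test-DsaCnameResolution is hypothetical.

```powershell
# Added example: verify the DSA GUID CNAME that event 2088 lists as "Failing DNS host name".
# Assumes the ActiveDirectory and DnsClient modules; Test-DsaCnameResolution is a hypothetical name.
Import-Module ActiveDirectory

function Test-DsaCnameResolution {
    param(
        # DNS servers to query. Default: the IPv4 address of every DC found.
        [string[]]$DnsServer
    )
    $forestRoot = (Get-ADForest).RootDomain
    # -Filter * lists the DCs of the current domain only (single-domain assumption).
    $dcs = @(Get-ADDomainController -Filter *)
    if (-not $DnsServer) { $DnsServer = $dcs.IPv4Address }

    foreach ($dc in $dcs) {
        # The DSA GUID is the objectGUID of the DC's NTDS Settings object.
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $alias   = '{0}._msdcs.{1}' -f $dsaGuid, $forestRoot

        foreach ($server in $DnsServer) {
            # Ask this DNS server for the alias; a missing record yields no CNAME row.
            $cname = Resolve-DnsName -Name $alias -Type CNAME -Server $server `
                         -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $target = if ($cname) { $cname.NameHost } else { $null }

            # The alias target must in turn have a host (A) record on the same server.
            $hostFound = $false
            if ($target) {
                $hostFound = [bool](Resolve-DnsName -Name $target -Type A -Server $server `
                                        -DnsOnly -ErrorAction SilentlyContinue |
                                    Where-Object { $_.Type -eq 'A' })
            }
            [pscustomobject]@{
                DomainController = $dc.HostName
                DnsServer        = $server
                Alias            = $alias
                CnameTarget      = $target
                TargetMatchesDc  = ($target -eq $dc.HostName)
                HostRecordFound  = $hostFound
            }
        }
    }
}

# Show only the combinations that would make replication fall back from DNS.
Test-DsaCnameResolution |
    Where-Object { -not ($_.TargetMatchesDc -and $_.HostRecordFound) } |
    Format-Table -AutoSize
```

An empty result means every DC's alias resolves to its own host name on every DNS server queried; a row for one server only points at a zone that has not replicated to that server.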