How do I resolve DNS replication errors on child domain: "At least one CNAME record for an AD forest GUID was missing from a DNS server"

Posted on 2011-09-14
Last Modified: 2012-05-12
Hello,
I have 3 DCs in the parent domain and 3 DCs in the child domain. We have been having terrible connectivity problems for the past three weeks. I have been on another contract and have not had to deal with DNS issues for a while. I ran dcdiag, netdiag, and dnslint. The DNSlint report for the parent domain generates zero errors; it is as follows:
Please help!
DNSLint Report

System Date: Wed Sep 14 19:34:51 2011

Command run:

dnslint /ad /s 172.0.1.19

Root of Active Directory Forest:

    embhinc.com

Active Directory Forest Replication GUIDs Found:

DC: EMS-DC2
GUID: d3f7f2a3-0bb3-45a6-874a-b0ed621054de

DC: EMBH-DC2
GUID: 678ae4e2-8514-4578-92ef-669ca71b927c

DC: EMS-DC3
GUID: 8c82f035-18bd-4199-9356-e29bdd554bbc

DC: EMBH-DC3
GUID: f549a8a0-3bc9-49e3-b563-930599da5aa4

DC: EMBH-DC4
GUID: 2d11e07b-97c1-40a2-829d-7915b9e9ff46

DC: EMS-DC4
GUID: dc45fc77-4445-4f04-8d81-d1b0438b4c06


Total GUIDs found: 6

--------------------------------------------------------------------------------

The following 3 DNS servers were checked for records related to AD forest replication:

DNS server: embh-dc3.embhinc.com
IP Address: 172.0.1.19
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: embh-dc3.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
embh-dc2.embhinc.com 172.0.1.21
embh-dc3.embhinc.com 172.0.1.19
embh-dc4.embhinc.com 172.0.1.18




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
Glue: 172.0.1.23

CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
Glue: 172.0.1.21

CNAME: 8c82f035-18bd-4199-9356-e29bdd554bbc._msdcs.embhinc.com
Alias: ems-dc3.emsolve.embhinc.com
Glue: 172.0.1.24

CNAME: f549a8a0-3bc9-49e3-b563-930599da5aa4._msdcs.embhinc.com
Alias: embh-dc3.embhinc.com
Glue: 172.0.1.19

CNAME: 2d11e07b-97c1-40a2-829d-7915b9e9ff46._msdcs.embhinc.com
Alias: embh-dc4.embhinc.com
Glue: 172.0.1.18

CNAME: dc45fc77-4445-4f04-8d81-d1b0438b4c06._msdcs.embhinc.com
Alias: ems-dc4.emsolve.embhinc.com
Glue: 172.0.1.25


Total number of CNAME records found on this server: 6

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: embh-dc2.embhinc.com
IP Address: 172.0.1.21
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: embh-dc2.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
embh-dc4.embhinc.com 172.0.1.18
embh-dc2.embhinc.com 172.0.1.21
embh-dc3.embhinc.com 172.0.1.19




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
Glue: 172.0.1.23

CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
Glue: 172.0.1.21

CNAME: 8c82f035-18bd-4199-9356-e29bdd554bbc._msdcs.embhinc.com
Alias: ems-dc3.emsolve.embhinc.com
Glue: 172.0.1.24

CNAME: f549a8a0-3bc9-49e3-b563-930599da5aa4._msdcs.embhinc.com
Alias: embh-dc3.embhinc.com
Glue: 172.0.1.19

CNAME: 2d11e07b-97c1-40a2-829d-7915b9e9ff46._msdcs.embhinc.com
Alias: embh-dc4.embhinc.com
Glue: 172.0.1.18

CNAME: dc45fc77-4445-4f04-8d81-d1b0438b4c06._msdcs.embhinc.com
Alias: ems-dc4.emsolve.embhinc.com
Glue: 172.0.1.25


Total number of CNAME records found on this server: 6

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0

EMBH is the parent domain


--------------------------------------------------------------------------------

DNS server: embh-dc4.embhinc.com
IP Address: 172.0.1.18
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: embh-dc4.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
embh-dc4.embhinc.com 172.0.1.18
embh-dc2.embhinc.com 172.0.1.21
embh-dc3.embhinc.com 172.0.1.19




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
Glue: 172.0.1.23

CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
Glue: 172.0.1.21

CNAME: 8c82f035-18bd-4199-9356-e29bdd554bbc._msdcs.embhinc.com
Alias: ems-dc3.emsolve.embhinc.com
Glue: 172.0.1.24

CNAME: f549a8a0-3bc9-49e3-b563-930599da5aa4._msdcs.embhinc.com
Alias: embh-dc3.embhinc.com
Glue: 172.0.1.19

CNAME: 2d11e07b-97c1-40a2-829d-7915b9e9ff46._msdcs.embhinc.com
Alias: embh-dc4.embhinc.com
Glue: 172.0.1.18

CNAME: dc45fc77-4445-4f04-8d81-d1b0438b4c06._msdcs.embhinc.com
Alias: ems-dc4.emsolve.embhinc.com
Glue: 172.0.1.25


Total number of CNAME records found on this server: 6

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

Legend: warning, error

DNSLint developed by Tim Rains


When I run dnslint on the child domain I get the following:

EMS is the child domain

DNSLint Report

System Date: Wed Sep 14 19:12:05 2011

Command run:

dnslint /ad /s 172.0.1.23

Root of Active Directory Forest:

    embhinc.com

Active Directory Forest Replication GUIDs Found:

DC: EMS-DC2
GUID: d3f7f2a3-0bb3-45a6-874a-b0ed621054de

DC: EMBH-DC2
GUID: 678ae4e2-8514-4578-92ef-669ca71b927c

DC: EMS-DC3
GUID: 8c82f035-18bd-4199-9356-e29bdd554bbc

DC: EMBH-DC3
GUID: f549a8a0-3bc9-49e3-b563-930599da5aa4

DC: EMBH-DC4
GUID: 2d11e07b-97c1-40a2-829d-7915b9e9ff46

DC: EMS-DC4
GUID: dc45fc77-4445-4f04-8d81-d1b0438b4c06


Total GUIDs found: 6

--------------------------------------------------------------------------------

The following 1 DNS servers were checked for records related to AD forest replication:

DNS server: ems-dc2.emsolve.embhinc.com
IP Address: 172.0.1.23
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown

SOA record data from server:
Authoritative name server: embh-dc3.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds




Alias (CNAME) and glue (A) records for forest GUIDs from server:



--------------------------------------------------------------------------------

Notes:
One or more DNS servers may not be authoritative for the domain

At least one CNAME record for an AD forest GUID was missing from a DNS server



--------------------------------------------------------------------------------

Legend: warning, error

DNSLint developed by Tim Rains


 
Question by:del511
 
Expert Comment
by:yelbaglf
Run and upload the results of the following, and that should give us a good start...:

dcdiag /v /c /e
http://technet.microsoft.com/en-us/library/cc757689(WS.10).aspx

netdiag /v
http://support.microsoft.com/kb/321708
Expert Comment
by:Sandeshdubey
The DNS setting on the child DC: if the DNS role is installed on the child DC, point the DNS setting on the server to itself, that is, add the IP address of the server, and the alternate DNS entry should be the parent domain DNS server IP.
Restart the Netlogon and DNS services and check.
Author Comment
by:del511
Thank you so much for the responses. :-)
Yel, I have attached the output as directed. I never ran those tests with the /c switch and this is the first time I saw failed tests.

Sand, I am assuming that you want me to add the parent domain DNS server here:  DNSmgmt ---> DNS server properties ----> Interfaces.  Currently, it is set to listen to DNS queries only  from itself.  Please let me know.

Thanks all!
dcdiag-v-c-e.txt
netdiag-v.txt
Author Comment
by:del511
Sorry Sand, I'm tired and it took me a minute to catch on to what you were saying. Yes, the parent DNS servers are referenced on the child domain DNS servers in TCP/IP settings. :-)
Expert Comment
by:Sandeshdubey
The entire output of dcdiag is not attached.
Run only dcdiag /q and also run repadmin /replsum and post the log.
Expert Comment
by:yelbaglf
Yes, please ensure you run dcdiag /v /c /e and /f:log.txt...which will create the output log file to upload.  Also, in addition to Sandeshdubey's request, please run a netdiag /fix, and post the output or any failures.
Author Comment
by:del511
This is what I have done so far. We have an ISA 2006 server that acts as the default gateway. That is another issue in itself. I ran dcdiag, netdiag and dnslint tests and they came back with the same errors: CNAME missing, forwarders failing, etc. After that, I performed a dcdiag /fix and netdiag /fix, ran the dnslint test again and there were no errors... that day. The next day, I came in to work and everyone was gnashing their teeth in frustration because they could not access internal resources, Outlook, SharePoint, Deltek (for timesheets), etc. I ran the tests again and the errors were back. I did an ipconfig /registerdns on the child domain DNS servers. I looked at the event log for errors and boy did I get them. Now I am getting DCOM, LSASRV, SPNEGO and Userenv 1058 and 1030 (group policy object not applying) errors. The DCs can't get the time and everything is a mess. UGH! After chasing down all these errors, I think I have a DNS and replication issue. Oh, did I tell you that when I did repadmin /showrepl on all of the DCs (using the IP and the name) I got WIN32 error 8419: the DSA object could not be found. Anyway, this is a very hot issue as it is affecting a lot of users. Thanks! The outputs are attached.
netdiagfix9182011.txt
alltest9182011.txt
Expert Comment
by:Sandeshdubey
Check the DNS setting on the server; it should point to itself. If the public IP address is added in the NIC DNS setting, remove it and add it to DNS forwarders if required. If 127.0.0.1 is entered as DNS, remove it and add the IP address of the server, then add the alternate DNS server entry.

Check NIC binding: the NIC which is online and has IP details should be first in order. If multiple NICs are present then disable the unrequired NICs.

After performing the above steps restart the DNS and Netlogon services. Run ipconfig /flushdns & ipconfig /registerdns.

Run repadmin /syncall /AdeP to force the replication. Once done, run dcdiag /q for any errors.
Run repadmin /replsum to check the replication summary.

If the issue still persists, post the repadmin /replsum and dcdiag /q log.
 
Author Comment
by:del511
OK. I checked the DNS entries in TCP/IP config and none of them has 127.0.1.1 as a DNS entry. That is the default gateway/ISA server. All of them point to themselves as the first DNS entry. I'm in EST so I am home trying to get some sleep. LOL I will check again first thing tomorrow morning and then I will post the results.
Author Comment
by:del511
Here you go. There were not any errors, but the DNSlint reports are still reporting that a CNAME record is missing. This is driving me nuts. Also users are still experiencing limited connectivity to resources. What gives? Any help is appreciated. Thanks!
repadmin-and-dcdiag-24.txt
repadminand-dcdiagq-19.txt
Accepted Solution
by:yelbaglf (earned 500 total points)
And we're sure that each DNS server is pointing to itself as the primary DNS server, and then they are pointing to each other as secondary?  Post some screenshots of the DNS settings in TCP/IP properties on these servers, so that we can see what we're working with here.

Also, have there been any network configuration changes that may be blocking replication and causing the following error:

DNS server: ems-dc2.emsolve.embhinc.com
IP Address: 172.0.1.23
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown


Also, please forgive me if this has been stated, but which CNAME record is stated as missing, and is the missing CNAME record supposed to be referencing a currently active DNS server?

Are any of these sitting in a DMZ?

Here's a good post on the 1058 and 1030 errors...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23303356.html

Microsoft KB discussing this as well...
http://support.microsoft.com/kb/887303
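DNSLint prints only a count of missing GUID CNAMEs, which is why the accepted answer has to ask which record is missing. The script below is added here and is not part of the thread: it parses a saved DNSLint /ad report (the sample inline is a constructed, abbreviated version of the question's output) and names, per checked DNS server, the DCs whose <GUID>._msdcs.<forest-root> CNAME that server did not return.

```python
"""Parse a DNSLint /ad report and name, per checked DNS server, the DCs whose
<GUID>._msdcs.<forest-root> CNAME is absent (DNSLint only prints a count)."""
import re
from typing import Dict, List, Set, Tuple

DC_RE = re.compile(r"^DC:\s*(\S+)")
GUID_RE = re.compile(r"^GUID:\s*([0-9a-f-]{36})", re.I)
SERVER_RE = re.compile(r"^DNS server:\s*(\S+)")
CNAME_RE = re.compile(r"^CNAME:\s*([0-9a-f-]{36})\._msdcs\.", re.I)

def parse_report(text: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Return (guid -> DC name) and (dns server -> GUIDs it has a CNAME for)."""
    guids: Dict[str, str] = {}
    per_server: Dict[str, Set[str]] = {}
    current_dc = current_server = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := DC_RE.match(line):        # "DC: EMS-DC2" precedes its GUID line
            current_dc = m.group(1)
        elif m := GUID_RE.match(line):    # forest replication GUID of that DC
            guids[m.group(1).lower()] = current_dc
        elif m := SERVER_RE.match(line):  # start of a per-server section
            current_server = m.group(1).lower()
            per_server[current_server] = set()
        elif m := CNAME_RE.match(line):   # a GUID CNAME this server answered
            per_server[current_server].add(m.group(1).lower())
    return guids, per_server

def missing_cnames(text: str) -> Dict[str, List[str]]:
    """For each checked DNS server, list the DCs whose GUID CNAME it lacks."""
    guids, per_server = parse_report(text)
    return {srv: sorted(dc for g, dc in guids.items() if g not in found)
            for srv, found in per_server.items()}

# Constructed, abbreviated DNSLint output modelled on the reports in the
# question: two forest GUIDs, one server with both CNAMEs, one with none.
SAMPLE_REPORT = """\
Active Directory Forest Replication GUIDs Found:
DC: EMS-DC2
GUID: d3f7f2a3-0bb3-45a6-874a-b0ed621054de
DC: EMBH-DC2
GUID: 678ae4e2-8514-4578-92ef-669ca71b927c
DNS server: embh-dc3.embhinc.com
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
DNS server: ems-dc2.emsolve.embhinc.com
"""
```

Every DC's GUID CNAME must resolve to that DC's FQDN from every DNS server a replication partner uses; a DC named in a server's missing list is one whose partners querying that server cannot locate it.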
 

Author Comment
by:del511
Thank you yel for helping and responding to my question.  I never had a DNS issue,  I found out that my ISA server config and switch config was causing the replication/connectivity problems hence causing other symptoms with DNS being one of many.  
Expert Comment
by:yelbaglf
You're most welcome!  Sometimes these are a bit tricky to track down...


Take Care!