
How do I resolve DNS replication errors on child domain "At least one CNAME record for an AD forest GUID was missing from a DNS server"

Posted on 2011-09-14
Last Modified: 2012-05-12
Hello,
I have 3 DCs in the parent domain and 3 DCs in the child domain. We have been having terrible connectivity problems for the past three weeks. I have been on another contract and have not had to deal with DNS issues for a while. I ran dcdiag, netdiag, and dnslint. The DNSlint report for the parent domain generates zero errors; it is as follows:
Please help!
DNSLint Report

System Date: Wed Sep 14 19:34:51 2011

Command run:

dnslint /ad /s 172.0.1.19

Root of Active Directory Forest:

    embhinc.com

Active Directory Forest Replication GUIDs Found:

DC: EMS-DC2
GUID: d3f7f2a3-0bb3-45a6-874a-b0ed621054de

DC: EMBH-DC2
GUID: 678ae4e2-8514-4578-92ef-669ca71b927c

DC: EMS-DC3
GUID: 8c82f035-18bd-4199-9356-e29bdd554bbc

DC: EMBH-DC3
GUID: f549a8a0-3bc9-49e3-b563-930599da5aa4

DC: EMBH-DC4
GUID: 2d11e07b-97c1-40a2-829d-7915b9e9ff46

DC: EMS-DC4
GUID: dc45fc77-4445-4f04-8d81-d1b0438b4c06


Total GUIDs found: 6

--------------------------------------------------------------------------------

The following 3 DNS servers were checked for records related to AD forest replication:

DNS server: embh-dc3.embhinc.com
IP Address: 172.0.1.19
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: embh-dc3.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
embh-dc2.embhinc.com 172.0.1.21
embh-dc3.embhinc.com 172.0.1.19
embh-dc4.embhinc.com 172.0.1.18




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
Glue: 172.0.1.23

CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
Glue: 172.0.1.21

CNAME: 8c82f035-18bd-4199-9356-e29bdd554bbc._msdcs.embhinc.com
Alias: ems-dc3.emsolve.embhinc.com
Glue: 172.0.1.24

CNAME: f549a8a0-3bc9-49e3-b563-930599da5aa4._msdcs.embhinc.com
Alias: embh-dc3.embhinc.com
Glue: 172.0.1.19

CNAME: 2d11e07b-97c1-40a2-829d-7915b9e9ff46._msdcs.embhinc.com
Alias: embh-dc4.embhinc.com
Glue: 172.0.1.18

CNAME: dc45fc77-4445-4f04-8d81-d1b0438b4c06._msdcs.embhinc.com
Alias: ems-dc4.emsolve.embhinc.com
Glue: 172.0.1.25


Total number of CNAME records found on this server: 6

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: embh-dc2.embhinc.com
IP Address: 172.0.1.21
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: embh-dc2.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
embh-dc4.embhinc.com 172.0.1.18
embh-dc2.embhinc.com 172.0.1.21
embh-dc3.embhinc.com 172.0.1.19




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
Glue: 172.0.1.23

CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
Glue: 172.0.1.21

CNAME: 8c82f035-18bd-4199-9356-e29bdd554bbc._msdcs.embhinc.com
Alias: ems-dc3.emsolve.embhinc.com
Glue: 172.0.1.24

CNAME: f549a8a0-3bc9-49e3-b563-930599da5aa4._msdcs.embhinc.com
Alias: embh-dc3.embhinc.com
Glue: 172.0.1.19

CNAME: 2d11e07b-97c1-40a2-829d-7915b9e9ff46._msdcs.embhinc.com
Alias: embh-dc4.embhinc.com
Glue: 172.0.1.18

CNAME: dc45fc77-4445-4f04-8d81-d1b0438b4c06._msdcs.embhinc.com
Alias: ems-dc4.emsolve.embhinc.com
Glue: 172.0.1.25


Total number of CNAME records found on this server: 6

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0

EMBH is the parent domain


--------------------------------------------------------------------------------

DNS server: embh-dc4.embhinc.com
IP Address: 172.0.1.18
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: embh-dc4.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
embh-dc4.embhinc.com 172.0.1.18
embh-dc2.embhinc.com 172.0.1.21
embh-dc3.embhinc.com 172.0.1.19




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
Glue: 172.0.1.23

CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
Glue: 172.0.1.21

CNAME: 8c82f035-18bd-4199-9356-e29bdd554bbc._msdcs.embhinc.com
Alias: ems-dc3.emsolve.embhinc.com
Glue: 172.0.1.24

CNAME: f549a8a0-3bc9-49e3-b563-930599da5aa4._msdcs.embhinc.com
Alias: embh-dc3.embhinc.com
Glue: 172.0.1.19

CNAME: 2d11e07b-97c1-40a2-829d-7915b9e9ff46._msdcs.embhinc.com
Alias: embh-dc4.embhinc.com
Glue: 172.0.1.18

CNAME: dc45fc77-4445-4f04-8d81-d1b0438b4c06._msdcs.embhinc.com
Alias: ems-dc4.emsolve.embhinc.com
Glue: 172.0.1.25


Total number of CNAME records found on this server: 6

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

Legend: warning, error

DNSLint developed by Tim Rains


When I run dnslint on the child domain I get the following:

EMS is the child domain

DNSLint Report

System Date: Wed Sep 14 19:12:05 2011

Command run:

dnslint /ad /s 172.0.1.23

Root of Active Directory Forest:

    embhinc.com

Active Directory Forest Replication GUIDs Found:

DC: EMS-DC2
GUID: d3f7f2a3-0bb3-45a6-874a-b0ed621054de

DC: EMBH-DC2
GUID: 678ae4e2-8514-4578-92ef-669ca71b927c

DC: EMS-DC3
GUID: 8c82f035-18bd-4199-9356-e29bdd554bbc

DC: EMBH-DC3
GUID: f549a8a0-3bc9-49e3-b563-930599da5aa4

DC: EMBH-DC4
GUID: 2d11e07b-97c1-40a2-829d-7915b9e9ff46

DC: EMS-DC4
GUID: dc45fc77-4445-4f04-8d81-d1b0438b4c06


Total GUIDs found: 6

--------------------------------------------------------------------------------

The following 1 DNS servers were checked for records related to AD forest replication:

DNS server: ems-dc2.emsolve.embhinc.com
IP Address: 172.0.1.23
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown

SOA record data from server:
Authoritative name server: embh-dc3.embhinc.com
Hostmaster: admin
Zone serial number: 13145
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds




Alias (CNAME) and glue (A) records for forest GUIDs from server:



--------------------------------------------------------------------------------

Notes:
One or more DNS servers may not be authoritative for the domain

At least one CNAME record for an AD forest GUID was missing from a DNS server



--------------------------------------------------------------------------------

Legend: warning, error

DNSLint developed by Tim Rains


Question by:del511
13 Comments
 
LVL 11

Expert Comment

by:yelbaglf
ID: 36540429
Run and upload the results of the following, and that should give us a good start...:

dcdiag /v /c /e
http://technet.microsoft.com/en-us/library/cc757689(WS.10).aspx

netdiag /v
http://support.microsoft.com/kb/321708
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36540805
The DNS setting on the child DC: if the DNS role is installed on the child DC, point the DNS setting on the server to itself, that is, add the IP address of the server, and the alternate DNS entry should be the parent domain DNS server IP.
Restart the Netlogon and DNS services and check.
 

Author Comment

by:del511
ID: 36543649
Thank you so much for the responses.  :-)
Yel, I have attached the output as directed. I never ran those tests with the /c switch and this is the first time I saw failed tests.

Sand, I am assuming that you want me to add the parent domain DNS server here: DNSmgmt ---> DNS server properties ----> Interfaces. Currently, it is set to listen to DNS queries only from itself. Please let me know.

Thanks all!
dcdiag-v-c-e.txt
netdiag-v.txt
 

Author Comment

by:del511
ID: 36545038
Sorry Sand, I'm tired and it took me a minute to catch on to what you were saying. Yes, the parent DNS servers are referenced on the child domain DNS servers in TCP/IP settings. :-)
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36555444
The entire output of dcdiag is not attached.
Run only dcdiag /q and also run repadmin /replsum and post the log.
 
LVL 11

Expert Comment

by:yelbaglf
ID: 36556990
Yes, please ensure you run dcdiag /v /c /e and /f:log.txt...which will create the output log file to upload.  Also, in addition to Sandeshdubey's request, please run a netdiag /fix, and post the output or any failures.
 

Author Comment

by:del511
ID: 36558005
This is what I have done so far. We have an ISA 2006 server that acts as the default gateway. That is another issue in itself. I ran dcdiag, netdiag and dnslint tests and they came back with the same errors, CNAME missing, forwarders failing, etc. After that, I performed a dcdiag /fix and netdiag /fix, ran the dnslint test again and there were no errors... that day. The next day, I came in to work and everyone was gnashing their teeth in frustration because they could not access internal resources, Outlook, SharePoint, Deltek (for timesheets), etc. I ran the tests again and the errors were back. I did an ipconfig /registerdns on the child domain DNS servers. I looked at the event log for errors and boy did I get them. Now I am getting DCOM, LSASRV, SPNEGO and Userenv 1058 and 1030 (group policy object not applying) errors. The DCs can't get the time and everything is a mess. UGH! After chasing down all these errors, I think I have a DNS and replication issue. Oh, did I tell you that when I did repadmin /showrepl on all of the DCs (using the IP and the name) I got WIN32 error 8419: the DSA object could not be found. Anyway, this is a very hot issue as it is affecting a lot of users. Thanks! The outputs are attached.
netdiagfix9182011.txt
alltest9182011.txt
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36558099
Check the DNS setting on the server; it should point to itself. If the public IP address is added in the NIC DNS setting, remove it and add it to the DNS forwarders if required. If 127.0.0.1 is entered as DNS, remove it and add the IP address of the server, then add the alternate DNS server entry.

Check NIC binding: the NIC which is online and has the IP details should be first in order. If multiple NICs are present then disable the unrequired NICs.

After performing the above steps restart the DNS and Netlogon services. Run ipconfig /flushdns & ipconfig /registerdns.

Run repadmin /syncall /AdeP to force the replication. Once done, run dcdiag /q for any errors.
Run repadmin /replsum to check the replication summary.

If the issue still persists post the repadmin /replsum and dcdiag /q log.
 

Author Comment

by:del511
ID: 36558149
OK. I checked the DNS entries in TCP/IP config and none of them has 127.0.1.1 as a DNS entry. That is the default gateway/ISA server. All of them point to themselves as the first DNS entry. I'm in EST so I am home trying to get some sleep. LOL I will check again first thing tomorrow morning and then I will post the results.
 

Author Comment

by:del511
ID: 36564505
Here you go. There were not any errors, but the DNSlint reports are still reporting that a CNAME record is missing. This is driving me nuts. Also users are still experiencing limited connectivity to resources. What gives? Any help is appreciated. Thanks!
repadmin-and-dcdiag-24.txt
repadminand-dcdiagq-19.txt
 
LVL 11

Accepted Solution

by:yelbaglf (earned 500 total points)
ID: 36564574
And we're sure that each DNS server is pointing to itself as the primary DNS server, and then they are pointing to each other as secondary?  Post some screenshots of the DNS settings in TCP/IP properties on these servers, so that we can see what we're working with here.

Also, have there been any network configuration changes that may be blocking replication and causing the following error:

DNS server: ems-dc2.emsolve.embhinc.com
IP Address: 172.0.1.23
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown


Also, please forgive me if this has been stated, but which CNAME record is stated as missing, and is the missing CNAME record supposed to be referencing a currently active DNS server?

Are any of these sitting in a DMZ?

Here's a good post on the 1058 and 1030 errors...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23303356.html

Microsoft KB discussing this as well...
http://support.microsoft.com/kb/887303
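yelbaglf asks above which CNAME record DNSLint reports as missing. The script below is an added example, not code from this thread or from DNSLint itself: it parses a report in the layout shown in the question and lists, per DNS server checked, the DCs whose forest-GUID CNAME is absent and whether that server answered authoritatively. The embedded report is constructed (it reuses two of the GUIDs from the thread), and `missing_cnames` is a name chosen here.

```python
# Added example (not from the thread): parse a DNSLint /ad report and list,
# per DNS server checked, which forest-GUID CNAME records it is missing.
import re

# Constructed sample in DNSLint's layout, using two GUIDs from the thread:
# the parent DC holds both CNAMEs, the child DC holds none.
SAMPLE_REPORT = """\
Active Directory Forest Replication GUIDs Found:
DC: EMS-DC2
GUID: d3f7f2a3-0bb3-45a6-874a-b0ed621054de
DC: EMBH-DC2
GUID: 678ae4e2-8514-4578-92ef-669ca71b927c
Total GUIDs found: 2
DNS server: embh-dc3.embhinc.com
IP Address: 172.0.1.19
Answering authoritatively for domain: YES
CNAME: d3f7f2a3-0bb3-45a6-874a-b0ed621054de._msdcs.embhinc.com
Alias: ems-dc2.emsolve.embhinc.com
CNAME: 678ae4e2-8514-4578-92ef-669ca71b927c._msdcs.embhinc.com
Alias: embh-dc2.embhinc.com
DNS server: ems-dc2.emsolve.embhinc.com
IP Address: 172.0.1.23
Answering authoritatively for domain: Unknown
"""

GUID_RE = re.compile(r"^DC: (\S+)\nGUID: ([0-9a-f-]{36})$", re.M)
SERVER_RE = re.compile(r"^DNS server: (\S+)$", re.M)
AUTH_RE = re.compile(r"^Answering authoritatively for domain: (\S+)$", re.M)
CNAME_RE = re.compile(r"^CNAME: ([0-9a-f-]{36})\._msdcs\.", re.M)


def missing_cnames(report):
    """Return {server: {"authoritative": str, "missing": [DC names]}}.

    A DC whose GUID CNAME is absent from a server cannot be located by
    replication partners that resolve through that server."""
    report = report.replace("\r\n", "\n")  # dnslint output on Windows is CRLF
    expected = {guid: dc for dc, guid in GUID_RE.findall(report)}
    # Splitting on the server header yields [preamble, name, body, name, body, ...]
    sections = SERVER_RE.split(report)
    result = {}
    for name, body in zip(sections[1::2], sections[2::2]):
        auth = AUTH_RE.search(body)
        present = set(CNAME_RE.findall(body))
        result[name] = {
            "authoritative": auth.group(1) if auth else "Unknown",
            "missing": sorted(dc for guid, dc in expected.items() if guid not in present),
        }
    return result
```

Feed it the saved output of `dnslint /ad /s <server>` to get the per-server list of DCs whose `_msdcs` CNAME that server cannot answer.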
 

Author Comment

by:del511
ID: 36590996
Thank you yel for helping and responding to my question. I never had a DNS issue; I found out that my ISA server config and switch config were causing the replication/connectivity problems, hence causing other symptoms, with DNS being one of many.
 
LVL 11

Expert Comment

by:yelbaglf
ID: 36591018
You're most welcome!  Sometimes these are a bit tricky to track down...


Take Care!