Gatorbasher

asked on

Active Directory partition-DNS-RPC

Gonna just post the short version of the nightmare.

I had the following configuration.

Server A
Running Windows 2003 Standard Server with AD, DNS, and file and print sharing on a box that failed at 8 years 27 days.

Server B
Exchange 2003 on Windows 2003 Standard on a separate box.

Server C
Windows 2003 server with what looks like just a portion of AD on it.

When server A failed I logged into server C and seized the FSMO roles.
Domain Naming,
RID,
Infrastructure,
PDC
Schema

When I run dcdiag I get the following

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER-2K3
      Starting test: Connectivity
         The host 3833b0f4-7bd0-438a-aa90-2072c76acf3c._msdcs.domain.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (3833b0f4-7bd0-438a-aa90-2072c76acf3c._msdcs.domain.local)

          couldn't be resolved, the server name
         (server-2k3.domain.local) resolved to the IP address
         (192.168.32.37) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... SERVER-2K3 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER-2K3
      Skipping all tests, because server SERVER-2K3 is
      not responding to directory service requests

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom


   Running enterprise tests on : Osceolacancercenter.local
      Starting test: Intersite
         ......................... domain.local passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.local passed test FsmoCheck
 



When I run dcdiag /fix I get similar results and a portion is posted below

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER-2K3
      Starting test: Connectivity
         The host 3833b0f4-7bd0-438a-aa90-2072c76acf3c._msdcs.domain.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (3833b0f4-7bd0-438a-aa90-2072c76acf3c._msdcs.domain.local)

          couldn't be resolved, the server name
         (server-2k3.domain.local) resolved to the IP address
         (192.168.32.37) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... SERVER-2K3 failed test Connectivity


When I went into DNS on Server C, I created the forward (AD-integrated) lookup zones. These zones, however, do not have the sub folders for an AD zone.

When I try to create a Default Application Directory Partition I get an error message that one already exists.


Any Ideas?
Sarang Tinguria

If Server C was a DC and part of the same domain as A was, then your DNS should have zones on Server C.

However, in your case it's not, but the partition exists (correct me if I'm wrong).

Please create two forward lookup zones named domain.local and _msdcs.domain.local.
Restart the Netlogon and DNS services, run ipconfig /flushdns and ipconfig /registerdns, and try running dcdiag again.
"SERVER-2K3 failed test Connectivity" is an indication of DNS misconfiguration or incorrect DNS pointings on the server. I would suggest you check the DNS configuration in the DNS console and NIC properties using the link below.
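As an added illustration of the procedure described in the reply above (this is not code from the thread or from any of its participants): a batch script for the surviving Windows 2003 DC that checks the DNS client points at itself, creates the two AD-integrated zones, restarts the services, re-registers records, and then verifies the GUID CNAME that dcdiag could not resolve. The server name, IP, domain and GUID are taken from the question; the interface name and the presence of the Support Tools (dnscmd, nltest) are assumptions.

```batch
@echo off
rem Added example (not from the thread). Run as a domain admin on the surviving DC.
rem Assumes: Windows Server 2003 Support Tools installed (dnscmd, nltest),
rem domain domain.local, DC server-2k3 at 192.168.32.37, the DC GUID from the
rem dcdiag output, and a NIC named "Local Area Connection" (adjust for your box).
setlocal
set DC=server-2k3
set DOMAIN=domain.local
set DCIP=192.168.32.37
set DCGUID=3833b0f4-7bd0-438a-aa90-2072c76acf3c
set NIC=Local Area Connection

rem 0. The DC's own DNS client must point at a DC that hosts the zones; with only
rem    one DC left, that is itself. Show the current setting, then set it.
netsh interface ip show dns
netsh interface ip set dns name="%NIC%" source=static addr=%DCIP%

rem 1. List what the server already hosts, then add both zones as AD-integrated
rem    primaries (/DsPrimary). Skip the /zoneadd for any zone already listed.
dnscmd %DC% /enumzones
dnscmd %DC% /zoneadd %DOMAIN% /DsPrimary
dnscmd %DC% /zoneadd _msdcs.%DOMAIN% /DsPrimary

rem 2. Secure dynamic updates only (2 = secure). A zone that accepts no updates
rem    at all is one cause of clients logging "the DNS server refused the update".
dnscmd %DC% /config %DOMAIN% /allowupdate 2
dnscmd %DC% /config _msdcs.%DOMAIN% /allowupdate 2

rem 3. Restart DNS and Netlogon. On start, Netlogon re-registers the SRV and
rem    GUID CNAME records listed in %SystemRoot%\system32\config\netlogon.dns.
net stop netlogon
net stop dns
net start dns
net start netlogon
ipconfig /flushdns
ipconfig /registerdns
nltest /dsregdns

rem 4. Verify against the local server: the GUID CNAME dcdiag could not resolve
rem    must now answer with the DC's FQDN, and the DC locator SRV record must exist.
nslookup -type=CNAME %DCGUID%._msdcs.%DOMAIN% %DCIP%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DCIP%
dcdiag /test:Connectivity
endlocal
```

If step 4 still fails after the zones exist, the problem is not the zone definitions but where they are stored: an AD-integrated zone lives in an application partition, and a partition with no live replica cannot hold records, so the next thing to check is the partition state rather than re-creating the zones again.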

As you've seized roles, how many DCs are there in the domain now? Is it 2 DCs or 3 DCs?

As you've seized the roles to Server C, did you make this server the authoritative time server for the domain? If not, do this as a priority.

Authoritative Time Server

DNS Best Practices
I agree with the others: ensure that the correct DNS settings are configured on the DC and ensure that the old server's metadata cleanup is also performed.

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Metadata cleanup
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Don't forget to configure the authoritative time server on the PDC role holder server: http://support.microsoft.com/kb/816042
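An added example covering the two points raised in the replies above, the authoritative time source on the PDC emulator (KB816042) and checking that metadata cleanup of the failed DC actually took (not code from the thread or its participants): a batch script for the new PDC emulator. The server name comes from the question; the NTP peer names are placeholders, and the Support Tools (netdom, repadmin) are assumed to be installed.

```batch
@echo off
rem Added example (not from the thread). Run as a domain admin on the new PDC
rem emulator. Assumes Support Tools (netdom, repadmin) are installed and that
rem the two NTP peers below are placeholders you replace with your own sources.
setlocal
set PDC=server-2k3
set NTPPEERS="ntp1.example.com,0x8 ntp2.example.com,0x8"

rem 1. Only the PDC emulator should be made the domain's authoritative source.
rem    Confirm this host really holds the role after the seizure.
netdom query fsmo
dsquery server -forest -hasfsmo pdc

rem 2. KB816042 procedure: manual peer list, reliable flag, restart w32time,
rem    force a resync. The 0x8 suffix marks each peer as client mode.
w32tm /config /manualpeerlist:%NTPPEERS% /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover

rem 3. Verify on Windows 2003 (w32tm /query is not available there): dump the
rem    Parameters key (Type must be NTP, NtpServer the peers) and probe a peer.
w32tm /dumpreg /subkey:Parameters
w32tm /stripchart /computer:ntp1.example.com /samples:3 /dataonly
w32tm /monitor

rem 4. Metadata cleanup check: AD must no longer list a server object for the
rem    dead Server A, and this DC's replication partners must be sane. A server
rem    object that still appears here means cleanup is incomplete.
dsquery server -forest -o rdn
repadmin /showrepl %PDC%
repadmin /replsummary
endlocal
```

With a single DC left, repadmin will report no partners; the useful part of step 4 is the dsquery listing, which shows every DC object the directory still believes exists, and the absence of errors about a partner that no longer answers.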
Gatorbasher

ASKER

Sarang, you are correct.

The directory partition is said to already exist but it is not available.

When I create the two forward zones, none of the sub folders for pdc, _msdcs, sites, _tcp, _udp, domaindnszones or forestdnszones are created.

No workstations are able to register in DNS.

When I perform flushdns and registerdns on the Exchange server I get the following in the event viewer.

Event Type:      Warning
Event Source:      DnsApi
Event Category:      None
Event ID:      11165
Date:            6/3/2013
Time:            7:15:06 AM
User:            N/A
Computer:      EXCHANGE
Description:
The system failed to register host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {1266BC2C-9F75-4F88-9A79-C1ADFA5ABD63}
   Host Name : exchange
   Primary Domain Suffix : domain.local
   DNS server list :
           192.168.32.37
   Sent update to server : <?>
   IP Address(es) :
     192.168.32.36

 The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

 To register the DNS host (A) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    

Zenvensky
Before I started to worry about the health of the server there was only Server A to serve the AD needs. I brought server C in as a backup to server A. Server B is just running Exchange and the Exchange services are unable to start and the following appears in the exchange servers event log.

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2104
Date:            6/3/2013
Time:            7:50:26 AM
User:            N/A
Computer:      EXCHANGE
Description:
Process INETINFO.EXE (PID=1672). All the DS Servers in domain are not responding.

For more information, click http://www.microsoft.com/contentredirect.asp.
DNS servers on both the Exchange server and server-2k3 point to 192.168.32.37, which is the IP of server-2k3.
Have you checked whether the zone exists or there is a duplicate zone? Once the forward lookup zone is created, just restart the Netlogon and DNS services and run ipconfig /flushdns and ipconfig /registerdns; the records should register.
So can I assume Server A is removed from the AD database? If yes, then as mentioned before, did you change the time server settings on the PDC emulator? Also, as Sandesh mentioned, did you perform metadata cleanup?

Before you proceed any further to work on this issue, I would suggest you cross-check DNS settings and time server settings. If all the settings are in place, then check KDC / Kerberos and Netlogon events in the system logs on the Exchange server.
Yes Zenvenky, Server A has been removed in the metadata and Active Directory Sites and Services.

I did not see any KDC / Kerberos or Netlogon errors in the Exchange event log.

I restarted Netlogon on the Exchange server, checked the event log and observed the following.

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5719
Date:            6/3/2013
Time:            9:53:42 AM
User:            N/A
Computer:      EXCHANGE
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..
Sandeshdubey,

When I attempt to use ADSIEDIT and go under connection settings and connect to
DC=ForestDNSZones, DC=Domain, DC=Local I get, "A referral was returned from the server".

When I accept the Default connection and drill down under,
Domain [server-2k3.domain.local]
   CN=System
      CN=MicrosoftDNS
          DC=domain.local

I find a reference to the failed DNS server called server.
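The accepted solution is not reproduced on this page, so what follows is not it. It is an added, read-only diagnostic script (not from the thread or its participants) that turns the symptoms reported above, a DomainDnsZones/ForestDnsZones partition that "already exists" but is unavailable, a referral from ADSI Edit, and a stale server under CN=MicrosoftDNS, into concrete checks: which application partitions the DNS server knows, which DCs are enlisted in them, where each zone is actually stored, and what the legacy DNS container still holds. Server and domain names come from the question; the Support Tools (dnscmd, repadmin, ldifde) are assumed.

```batch
@echo off
rem Added example, not part of the thread or its accepted solution. Nothing
rem here changes the directory; it only reports. Assumes Support Tools
rem (dnscmd, repadmin, ldifde) on server-2k3 and the domain domain.local.
setlocal
set DC=server-2k3
set DOMAIN=domain.local
set DN=DC=domain,DC=local

rem 1. Which application directory partitions does this DNS server know, and
rem    which DCs are enlisted in each? A partition whose only replica was the
rem    failed Server A "exists" in the directory but has no server serving it,
rem    which matches "already exists" plus "not available" plus a referral.
dnscmd %DC% /enumdirectorypartitions
dnscmd %DC% /directorypartitioninfo DomainDnsZones.%DOMAIN% /detail
dnscmd %DC% /directorypartitioninfo ForestDnsZones.%DOMAIN% /detail

rem 2. Where each zone is actually stored (DsIntegrated flag and partition).
rem    A zone stored in an unreachable partition cannot take dynamic updates,
rem    which is what the DnsApi 11165 event on the Exchange server reports.
dnscmd %DC% /zoneinfo %DOMAIN%
dnscmd %DC% /zoneinfo _msdcs.%DOMAIN%

rem 3. Replication state per naming context, including the DNS partitions.
repadmin /showrepl %DC% /verbose
repadmin /showrepl %DC% "DC=DomainDnsZones,%DN%"
repadmin /showrepl %DC% "DC=ForestDnsZones,%DN%"

rem 4. Export the legacy DNS container the asker inspected in ADSI Edit so the
rem    stale entry for the failed server can be reviewed offline. Then list
rem    the DC objects AD still has, to compare with what DNS believes.
ldifde -f dnscontainer.ldf -s %DC% -d "CN=MicrosoftDNS,CN=System,%DN%" -p subtree -l name,dnsRecord,whenChanged
dsquery * "CN=MicrosoftDNS,CN=System,%DN%" -scope onelevel -attr name whenChanged
dsquery server -forest -o rdn
endlocal
```

Read step 1 first: if the partition info shows no enlisted replica other than the dead DC, enlisting the surviving DC (dnscmd /enlistdirectorypartition) or recreating the built-in partitions is the class of fix to look at, and it should be done only once step 3 shows the remaining naming contexts replicating cleanly.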
ASKER CERTIFIED SOLUTION
Sandesh Dubey

Looks like that may have resolved it Sandeshdubey. THANK YOU, THANK YOU, THANK YOU....
It worked....
Great... nice to hear that the issue is resolved.

Have a nice day ahead