Solved

ad dns replication issues on w2k8 r2 sp1

Posted on 2013-06-16
921 Views
Last Modified: 2013-06-30
Dear gurus,

We have 4 sites where we have the domain atmc.com.sa. We have a master server with IP 10.0.1.30, and the other (additional) domain controllers are 10.0.6.30, 10.0.2.11, 10.0.3.11, etc.

Now the issue: they can't replicate with each other. A user created on the master AD can't replicate to the others.

We checked the firewall, network cabling, ping, DNS test and AD DNS config, but none of them resolved the issue.

We conducted some tests and attached the results.

Can someone assist us with how we can resolve it? Even on the same network, say 10.0.1.0/24, the server can't replicate AD user permissions: say there is a folder on another file server that we want to grant access to; we create a user and it is not seen in the AD list on the file server to assign permissions.

This network worked fine for 3 months and we have not changed anything anywhere.

The master server is on a physical HP machine, while the rest are all VMs on VMware vSphere, working mostly.

Kindly assist us.
tmsa
Question by:tmsa12
6 Comments
 

Author Comment

by:tmsa12
ID: 39251211
 
LVL 20

Expert Comment

by:Radhakrishnan Rajayyan
ID: 39251439
Hi,

I just had a look at the logs; it seems the servers are missing a few DNS records. I would suggest restarting the "netlogon" service on the DCs. Usually the missing SRV records get created once you restart the netlogon service.

Cheers
 
LVL 18

Expert Comment

by:Peter Hutchison
ID: 39251513
A few things to check:
Is your DNS in DNS Integrated or Master/Slave mode?
In DNS does each DNS server have a NS (Name Server) record?
Which DCs have Global Catalog service enabled? One, two or all?
Make sure GC and LDAP SRV records exist for each DC that has it enabled.

Restarting the Netlogon and DNS services may help. Running ipconfig /registerdns will refresh the settings on each server.
 
LVL 1

Expert Comment

by:ADforyou
ID: 39252105
It seems like lingering objects. Please check the server health and run the command below, or follow the Microsoft link mentioned below.

c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID>

http://support.microsoft.com/kb/2028495
 
LVL 13

Expert Comment

by:Jaihunt
ID: 39252452
Hi

You have DNS issues and lingering object issues. Check that your physical DC date/time and virtual DC date/time are in sync. Fix the DNS issues: point all virtual DCs' primary DNS to your physical DC, then perform ipconfig /registerdns or restart the netlogon service. Which is your physical DC, ATMCSRVR10? If you can't fix the issue, remove the 30-day-old DC, perform a metadata cleanup and promote it as a DC again.

ATMCSRVR12        36d.06h:43m:29s
ATMCSRVR14        27d.23h:07m:38s
ATMCDR1           27d.22h:53m:41s

ATMCSRVR10        07d.02h:30m:56s

Thanks,
Jai
 
LVL 24

Accepted Solution

by:Sandeshdubey (earned 500 total points)
ID: 39256527
From the errors below you have a lot of work to do.

Destination DSA     largest delta    fails/total %%   error
 ATMCDR1           27d.22h:53m:41s   13 /  28   46  (1722) The RPC server is unavailable.
 ATMCSRVR10        07d.02h:30m:56s    3 /  15   20  (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
 ATMCSRVR12        36d.06h:43m:29s   17 /  28   60  (1753) There are no more endpoints available from the endpoint mapper.
 ATMCSRVR14        27d.23h:07m:38s   10 /  25   40  (1722) The RPC server is unavailable.
 ATMCSRVR15        10d.10h:30m:14s    4 /  15   26  (2148074274) The target principal name is incorrect.
 ATMCSRVR17        11d.00h:35m:25s    5 /  10   50  (2148074274) The target principal name is incorrect.

From the log it is clear there are multiple issues: the secure channel between the DCs is broken, and hence you are getting "target principal name is incorrect"; "Insufficient attributes were given to create an object" indicates you have a lingering object issue; and you are also getting "RPC server unavailable".


The error "The RPC server is unavailable" relates to a port being blocked, a network connectivity issue, or DNS misconfiguration. I would suggest contacting the network/security team to verify that all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, many of which sport a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.
http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx


From the log it is clear that the secure channel between the DCs is broken. Hence you are getting the error "target principal name is incorrect".

Refer below link:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/

If you have multiple DCs in the network, you can demote and re-promote the DC containing lingering objects. Sometimes it is difficult to remove lingering objects, either using repadmin /removelingeringobjects or other tools, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread in the domain they are more difficult to tackle. Demote and promote is the best solution.

For removal of lingering objects see this: http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Hope this helps
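As an added example (not part of the original thread), a small Python triage script that parses the "Destination DSA" table from the repadmin /replsummary output quoted in the accepted answer, ranks the DCs by failure rate, flags any DC whose largest delta is older than the 30 days mentioned in the thread, and maps each error code to the cause and first remediation step the answers attribute to it. The sample table is a constructed copy of the output above with the 80-column wraps re-joined; the 30-day threshold is a parameter, not a Microsoft default.

```python
import re

# Constructed sample: the "Destination DSA" table from the repadmin /replsummary
# output quoted in the accepted answer, with the 80-column line wraps re-joined.
SAMPLE = """\
Destination DSA     largest delta    fails/total %%   error
 ATMCDR1           27d.22h:53m:41s   13 /  28   46  (1722) The RPC server is unavailable.
 ATMCSRVR10        07d.02h:30m:56s    3 /  15   20  (8606) Insufficient attributes were given to create an object.
 ATMCSRVR12        36d.06h:43m:29s   17 /  28   60  (1753) There are no more endpoints available from the endpoint mapper.
 ATMCSRVR15        10d.10h:30m:14s    4 /  15   26  (2148074274) The target principal name is incorrect.
"""

# Error codes seen in the thread, mapped to the cause the answers attribute to them
# and the first remediation step they recommend.
ERROR_HINTS = {
    1722: ("RPC server unavailable", "verify AD ports through the firewall (PortQry), fix DNS client settings, restart netlogon"),
    1753: ("no endpoints from endpoint mapper", "verify TCP 135 and the dynamic RPC range are allowed"),
    8606: ("lingering objects", "repadmin /removelingeringobjects, or demote and re-promote the DC"),
    2148074274: ("secure channel broken", "reset the secure channel; check time sync between physical and virtual DCs"),
}

# One data row: DSA name, largest delta (DDd.HHh:MMm:SSs), fails / total, percent, (code) message.
ROW = re.compile(
    r"^\s*(?P<dsa>\S+)\s+(?P<d>\d+)d\.(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s\s+"
    r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)\s+\((?P<code>\d+)\)\s*(?P<msg>.*)$"
)

def parse_replsummary(text):
    """Return one dict per destination DSA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        code = int(m["code"])
        cause, action = ERROR_HINTS.get(code, ("unrecognised error", "look up the error code"))
        delta_days = int(m["d"]) + int(m["h"]) / 24 + int(m["m"]) / 1440 + int(m["s"]) / 86400
        rows.append({"dsa": m["dsa"], "delta_days": delta_days, "fails": int(m["fails"]),
                     "total": int(m["total"]), "pct": int(m["pct"]), "code": code,
                     "cause": cause, "action": action})
    return rows

def triage(rows, stale_days=30):
    """Rank DCs by failure rate and flag those whose largest delta exceeds stale_days
    (30 days is the age at which the thread suggests metadata cleanup and re-promotion)."""
    ranked = sorted(rows, key=lambda r: r["pct"], reverse=True)
    stale = [r["dsa"] for r in ranked if r["delta_days"] > stale_days]
    return ranked, stale

if __name__ == "__main__":
    ranked, stale = triage(parse_replsummary(SAMPLE))
    for r in ranked:
        print(f"{r['dsa']:<12} {r['pct']:>3}% failing  {r['delta_days']:5.1f}d  ({r['code']}) {r['cause']}: {r['action']}")
    print("stale DCs:", stale)
```

To run it against a live forest, pipe the real `repadmin /replsummary` output into `parse_replsummary` instead of the constructed sample.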
