Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 963
  • Last Modified:

ad dns replication issues on w2k8 r2 sp1

dear gurus

we have 4 sites where we have domain atmc.com.sa and we have master server ip 10.0.1.30 and others domain controller(additional) are 10.0.6.30,10.0.2.11,10.0.3.11 etc

now the issue, they cant replicate each other, user create to master ad cant replicate to others.

v check firewall network cabling ping dns test ad dns config but none of them resolve issue.

we conduct some test and attached results

can someone assist us, how we can resolve it. even on same network say 10.0.1.0/24 the server cant replication permission of ad users, say a folder on another file server so we want to give, we create user and it seen not in list of ad on file server to assign permission

this network work 3 months fine we have not change anything anywhere

master server is on physical machine hp, where rest all on vmware vsphwere as vms working mostly

kindly assist us
tmsa
0
tmsa12
Asked:
tmsa12
1 Solution
 
tmsa12Author Commented:
0
 
Radhakrishnan RSenior Technical LeadCommented:
Hi,

I just had a look at the logs, it seems to be the servers are missing few DNS records. I would suggest you to restart the "netlogon" service on the DC's. Usually the missing SRV records gets create once you restart the netlogon service.

Cheers
0
 
Peter HutchisonSenior Network Systems SpecialistCommented:
A few things to check:
IS your DNS in DNS Integrated or Master/Slave mode?
In DNS does each DNS server have a NS (Name Server) record?
Which DCs have Global Catalog service enabled? One, two or all?
Make sure GC and Ldap SRV records exist for each DC with it enabled.

Restarting Netlogon, DNS services may help. Running ipconfig /registerdns will refresh settings on each server.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
ADforyouCommented:
it is seem like lingeringobjects. Please check the health server and run below command or Please fellow the microsoft link which is mention below.


c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID>

http://support.microsoft.com/kb/2028495
0
 
JaihuntCommented:
Hi

You have DNS issue and Lingering object issues. Check your physical DC date  time and virtual DC date time are in sync. Fix the DNS issues point all virtual DC primary DNS to your physical DC then perform ipconfig /registerdns or netlogon service re start.  Which is your physical DC ATMCSRVR10 ? If you cant fix the issue remove the 30days OLD DC. perform Metadata cleanup and promote it as DC.        

ATMCSRVR12        36d.06h:43m:29s
ATMCSRVR14        27d.23h:07m:38s
ATMCDR1           27d.22h:53m:41s

 ATMCSRVR10        07d.02h:30m:56s

Thanks
  Jai
0
 
SandeshdubeySenior Server EngineerCommented:
From below error you have lot o work to do.

Destination DSA     largest delta    fails/total %%   error
 ATMCDR1           27d.22h:53m:41s   13 /  28   46  (1722) The RPC server is una
vailable.
 ATMCSRVR10        07d.02h:30m:56s    3 /  15   20  (8606) Insufficient attribut
es were given to create an object. This object may not exist because it may have
 been deleted and already garbage collected.
 ATMCSRVR12        36d.06h:43m:29s   17 /  28   60  (1753) There are no more end
points available from the endpoint mapper.
 ATMCSRVR14        27d.23h:07m:38s   10 /  25   40  (1722) The RPC server is una
vailable.
 ATMCSRVR15        10d.10h:30m:14s    4 /  15   26  (2148074274) The target prin
cipal name is incorrect.
 ATMCSRVR17        11d.00h:35m:25s    5 /  10   50  (2148074274) The target prin
cipal name is incorrect.

From the log it is clear there are multiple issue like secure channel between the DC is broken and hence you are getting target principle name incorrect, Insufficient attribut
es were given to create an object indicates you have lingering object issue and you are also getting RPC service unavailable.


You are getting the error "The RPC server is unavailable" relates to port being blocked or network connectivity issue or due to dns misconfig.I would suggest contact network/security team to verify whether all the related AD ports being configured and allowed on the firewall for communication. Portquery is free tool from the MS which can be downloaded and installed to verify the necessary ports are opened or not.

Also, disable local windows firewall service, by default it is enabled in vista/windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software with many of them sporting a new feature called "network traffic protection," which can efffectively block necessary AD traffic

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.
http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx


From the log it is clear that secure channel between the DC are broken.Hence you are getting the error target principal name is incorrect.

Refer below link:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/

If you have multiple DC in the network you can demote & re-promote the DC containing lingering object.Sometimes its difficult to remove lingering object either using repadmin /removelingeringobjects or other tool & easiest way to deal with such issues is demote & re-promote the DC. If lingering objects spreads int the domain then its more difficult to tackle them. Demote & promote is the best solution.

For removal of lingering object see this:http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Hope this helps
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now