Windows 2008 DNS / DHCP problems
Experts,
I have recently run a storage replacement (direct copy bit-by-bit). This operation should be invisible to all the VMs (all servers are virtual) and I've only swapped the storage box for another identical one.
Since then my DC (Windows 2008 SP2 running also DNS and DHCP) is showing errors in Event Viewer: 4007, 4013, 6702, 2088.
Symptoms:
workstations with static IPs can use the network as before (Exchange, printing, SQL, network drives - everything works)
workstations with IPs from DHCP cannot do anything - no Exchange, network drives, printing, Internet. Users cannot login - the domain is not available.
DHCP does not seem to be assigning addresses to any workstations. Once I manually remove client in DHCP console it will not get the address again. I cannot ping any hosts listed on DHCP console. I can ping names and IPs of all the machines with static IPs on the network.
We also had a time change last week, but the time on DC seems to be OK.
I've tried restarting the server and DHCP and DNS services number of times.
I have both .com and .local domains in the registry (HKEY_LOCAL_MACHINE\SOFTWA
I've attached screenshots from our DNS configuration and DHCP usage stats. Nothing has changed in configuration. If I delete a host manually in DHCP it does not get the address again. No errors in DHCP logs, just event ID 1056 warnings (Credentials for Dynamic DNS registrations).
Here are the errors from Event Viewer along with event IDs.
event ID 4007:
"The DNS server was unable to open zone _msdcs.company.com in the Active Directory from the application directory partition ForestDnsZones.company.com
DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and reload the zone. The event data is the error code."
and
"The DNS server was unable to open zone company.com in the Active Directory from the application directory partition DomainDnsZones.company.com
server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory
is functioning properly and reload the zone. The event data is the error code."
event ID 4013:
"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed."
event ID 6702:
"DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.
"
event ID 2088: ("print" is my secondary DC)
"Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of
Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory
Domain Services forest, including logon authentication or access to network resources.
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using
DNS.
Alternate server name:
print
Failing DNS host name:
031ecbc0-1980-4b47-8690-77
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure
events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControl
User Action:
1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object
GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC
name>" or "ping <source DC name>".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME
record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
dcdiag /test:dns
4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on
the console of the destination domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449
Additional Data
Error value:
11001 No such host is known."
Other servers in the network: secondary DC (print), Exchange 2007, SQL, file server - all Windows 2008 SP2.
Any ideas?
I'm completely stuck.
Thanks!
DHCP-stats.jpg
DNS-screenshot-1.jpg
I have recently run a storage replacement (direct copy bit-by-bit). This operation should be invisible to all the VMs (all servers are virtual) and I've only swapped the storage box for another identical one.
Since then my DC (Windows 2008 SP2 running also DNS and DHCP) is showing errors in Event Viewer: 4007, 4013, 6702, 2088.
Symptoms:
workstations with static IPs can use the network as before (Exchange, printing, SQL, network drives - everything works)
workstations with IPs from DHCP cannot do anything - no Exchange, network drives, printing, Internet. Users cannot login - the domain is not available.
DHCP does not seem to be assigning addresses to any workstations. Once I manually remove client in DHCP console it will not get the address again. I cannot ping any hosts listed on DHCP console. I can ping names and IPs of all the machines with static IPs on the network.
We also had a time change last week, but the time on DC seems to be OK.
I've tried restarting the server and DHCP and DNS services number of times.
I have both .com and .local domains in the registry (HKEY_LOCAL_MACHINE\SOFTWA
I've attached screenshots from our DNS configuration and DHCP usage stats. Nothing has changed in configuration. If I delete a host manually in DHCP it does not get the address again. No errors in DHCP logs, just event ID 1056 warnings (Credentials for Dynamic DNS registrations).
Here are the errors from Event Viewer along with event IDs.
event ID 4007:
"The DNS server was unable to open zone _msdcs.company.com in the Active Directory from the application directory partition ForestDnsZones.company.com
DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and reload the zone. The event data is the error code."
and
"The DNS server was unable to open zone company.com in the Active Directory from the application directory partition DomainDnsZones.company.com
server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory
is functioning properly and reload the zone. The event data is the error code."
event ID 4013:
"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed."
event ID 6702:
"DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.
"
event ID 2088: ("print" is my secondary DC)
"Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of
Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory
Domain Services forest, including logon authentication or access to network resources.
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using
DNS.
Alternate server name:
Failing DNS host name:
031ecbc0-1980-4b47-8690-77
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure
events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControl
User Action:
1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object
GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC
name>" or "ping <source DC name>".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME
record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
dcdiag /test:dns
4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on
the console of the destination domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449
Additional Data
Error value:
11001 No such host is known."
Other servers in the network: secondary DC (print), Exchange 2007, SQL, file server - all Windows 2008 SP2.
Any ideas?
I'm completely stuck.
Thanks!
DHCP-stats.jpg
DNS-screenshot-1.jpg
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER