Timbobaloba
asked on
Domain Controller replication issues
Hi Guys,
Have an issue with domain replication and DNS.
I have 2 DC's. DC1 and DC2.
On DC1;
Hold FSMO roles
Opening DNS gives me, "Access Denied"
Event Log error;
ID 2092 - ActiveDirectory_DomainService
ID 1202 - ADWS
ID 1055 - GroupPolicy
On DC2;
in AD sites and services when i right click on NTDS Settings on either DC1 or DC2 i have DNS Alias as something random : A439058ASD0F98W4095ASD09.DOMAIN.INTERNAL. not sure if that's right or not.
in AD users and computers when i right click on domain and Operations Masters, the RID and PDC and Infrastructure Operation Master says, "ERROR"
in DNS when i right click on the internal domain zone and properties then Name Servers, i edit DC1 and the IPV4 reports, "The server with this IP address is not authoritative for the required zone, BUT the IPV6 address says, OK.
Event log errors;
ID 4 - Security-Kerberos
ID 1864 - ActiveDirectory_DomainService
ID 2093 - ActiveDirectory_DomainService
ID 5773 - NETLOGON
both servers are 2008 and functional level of domain is 2008.
please help
Hi,
Does event ID 2092 state the server considers the FSMO rules invalid?
ASKER
correct. i have;
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 13/12/2013 10:50:34 PM
Event ID: 2092
Task Category: Replication
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: ccs1.internal.ccsale.catholic.edu.au
Description:
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=internal,DC=local
ASKER
that makes sense. i will attempt to seize roles from itself now and report back.
ASKER
that seemed to complete without error but still has not fixed any of the reported issues...
Have you logged on with an ID having domain admin rights?
The aliases you have seen in AD Sites\NTDS Settings are correct.
Just copy those aliases for all domain controllers and check if you are able to ping them successfully. Every alias should resolve to the actual domain controller IP address; if not, you can restart the netlogon service on both domain controllers to correct those alias entries.
Also IPv6 needs to be unchecked in the network card properties of both DCs.
What if you run repadmin /showrepl, can you please post the output here?
Mahesh
ASKER
Yes, I am logged on as administrator (domain admin)
from DC2 (primary DNS) i can ping ntds alias of both DC1 and DC2
from DC1 i CANNOT ping DC1 alias but CAN ping DC2
IPV6 IS disabled on both DC.... weird....
-----------------------------
RAN REPADMIN FROM DC1;
C:\Users\Administrator>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
DSA invocationID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
==== INBOUND NEIGHBORS ======================================
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
Last attempt @ 2013-12-13 23:50:35 failed, result 5 (0x5):
Access is denied.
107 consecutive failure(s).
Last success @ 2013-12-09 13:59:36.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
Last attempt @ 2013-12-13 23:51:35 failed, result 5 (0x5):
Access is denied.
107 consecutive failure(s).
Last success @ 2013-12-09 13:59:36.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
Last attempt @ 2013-12-13 23:52:35 failed, result 5 (0x5):
Access is denied.
107 consecutive failure(s).
Last success @ 2013-12-09 13:59:36.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
Last attempt @ 2013-12-13 23:50:35 failed, result 1256 (0x4e8):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
107 consecutive failure(s).
Last success @ 2013-12-09 13:59:36.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
Last attempt @ 2013-12-13 23:50:35 failed, result 1256 (0x4e8):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
107 consecutive failure(s).
Last success @ 2013-12-09 13:59:36.
Source: Default-First-Site-Name\DC2
******* 107 CONSECUTIVE FAILURES since 2013-12-09 13:59:36
Last error: 1256 (0x4e8):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
---------------------------------
RAN REPADMIN FROM DC2;
C:\Users\Administrator.CCSALE>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
DSA invocationID: 16558192-7699-43ab-9851-6f56961484fe
==== INBOUND NEIGHBORS ======================================
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
Last attempt @ 2013-12-13 23:16:42 failed, result 1908 (0x774):
Could not find the domain controller for this domain.
35307 consecutive failure(s).
Last success @ 2013-11-15 22:37:19.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
Last attempt @ 2013-12-13 23:17:25 failed, result 1908 (0x774):
Could not find the domain controller for this domain.
683 consecutive failure(s).
Last success @ 2013-11-15 21:57:26.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
Last attempt @ 2013-12-13 23:18:23 failed, result 1908 (0x774):
Could not find the domain controller for this domain.
678 consecutive failure(s).
Last success @ 2013-11-15 21:57:26.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
Last attempt @ 2013-12-13 23:18:59 failed, result 1908 (0x774):
Could not find the domain controller for this domain.
1128 consecutive failure(s).
Last success @ 2013-11-15 21:57:26.
DC=ForestDnsZones,DC=internal,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
Last attempt @ 2013-12-13 23:19:45 failed, result 1908 (0x774):
Could not find the domain controller for this domain.
682 consecutive failure(s).
Last success @ 2013-11-15 21:57:26.
Source: Default-First-Site-Name\DC1
******* 35307 CONSECUTIVE FAILURES since 2013-11-15 22:37:19
Last error: 1908 (0x774):
Could not find the domain controller for this domain.
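Added example (not part of the thread and not any poster's code): a small Python parser that turns pasted repadmin /showrepl text in the layout shown above into one record per failing inbound neighbour, then groups the affected naming contexts by source DC and result code so that a single root cause reads as a single row. The sample input is constructed, and the function names parse_showrepl and by_cause are illustrative.

```python
import re

# Constructed sample in the layout of the output posted above; values are illustrative.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================
DC=internal,DC=local
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2013-12-13 23:50:35 failed, result 5 (0x5):
            Access is denied.
        107 consecutive failure(s).
        Last success @ 2013-12-09 13:59:36.
CN=Configuration,DC=internal,DC=local
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2013-12-13 23:50:35 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        107 consecutive failure(s).
DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2013-12-13 23:55:01 was successful.
"""

NC = re.compile(r"^(?:DC|CN)=\S+$")                 # naming-context header line
SRC = re.compile(r"^(\S+\\\S+) via RPC$")           # Site\DC source line
FAIL = re.compile(r"^Last attempt @ (\S+ \S+) failed, result (\d+) \(0x[0-9a-f]+\):$")
COUNT = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def parse_showrepl(text):
    failures, nc, cur = [], None, None
    for line in map(str.strip, text.splitlines()):
        if NC.match(line):
            nc, cur = line, None
        elif m := SRC.match(line):
            cur = {"nc": nc, "source": m.group(1)}
        elif cur is None:
            continue                                 # header lines before any neighbour
        elif m := FAIL.match(line):
            cur.update(attempt=m.group(1), code=int(m.group(2)), message="")
            failures.append(cur)
        elif m := COUNT.match(line):
            cur["count"] = int(m.group(1))
        elif "code" in cur and "count" not in cur:
            cur["message"] += line                   # error text can wrap across console lines
    return failures

def by_cause(failures):
    groups = {}
    for f in failures:
        groups.setdefault((f["source"], f["code"]), []).append(f["nc"])
    return groups
```
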
Can you restart the netlogon service on DC1 and check if the alias is regenerated?
If not, then please create it manually and also ensure that Host (A) and PTR records of both DCs exist on both servers.
Mahesh
ASKER
just needed to restart DNS Server service all working now!!!!!!
thanks for your help. will give you some points for your assistance.
Glad to see you are back up and running.
ASKER
solved
ASKER
DC=internal,DC=local
Default-First-Site-Name\DC
DSA object GUID: 9c94d255-a583-4462-8e53-d7
Last attempt @ 2013-12-13 22:49:34 failed, result 5 (0x5):
Access is denied.
106 consecutive failure(s).
Last success @ 2013-12-09 13:59:36.