Solved

_MSDCS Problem on 2008 R2

Posted on 2014-01-26
Last Modified: 2014-01-26
We upgraded our 2003 Enterprise server to a new 2008 R2 Enterprise server several years ago.  The old 2003 server is still a backup DC, but serves no other purpose.

During the December holidays, there were several Microsoft updates and software updates to Symantec Backup Exec 2012.  I think I may have also turned off IPv6 at our primary NIC.  (We have a second NIC that is primarily used for external access.  IPv6 is still active on that NIC.)  I also did some other maintenance on the server.

The Primary NIC's address is the address of our internal DNS server and includes a loopback as the second address.  We also have WINS active.  The second NIC uses the primary NIC as its DNS server.

We had replication issues from the beginning.  Some of those were related to our Exchange server being moved to the new 2008 R2 server and deactivated on the old server.  I worked with Microsoft tech support to get everything working properly when we created the new 2008 R2 server.

It should be pointed out that we are a small office.  Our server does everything including file server, web server, FTP server, Exchange Server.  We have always operated that way and it has always done a great job.  I know it is not the recommended configuration, but it does not make sense for us to pay for multiple servers.  It keeps everything simple including our ability to back up the entire system to tape.

After the updates during the holidays, we noticed that the server was not as responsive as it had been.  It was typically as fast as always, but there would sometimes be delays when you tried to do something as simple as open a directory.  I also noted that when I was working on the server, it was not as responsive as it had been.

Interestingly, we do not get many error messages once the server has been booted up.

I believe the problem is in DNS.  I have tried several things to solve the problem.  One site suggested fixing _MSDCS by recreating _MSDCS in a new zone.  That worked OK.  _MSDCS is now greyed out under the domain name in DNS and a new zone was created above the domain name.

However, that has created a few other problems.  SRV is not being found by the client computers.  All of the shares are available and very responsive.  Outlook on my client computer works, but now has a security window that pops up that says connecting to ...  However, Outlook is still connected and working properly.

Mobile devices are all connecting and working as well as always.

I tried to reconnect my username and computer under Advanced System Settings.  I get the error message "An Active Directory Domain Controller (AD DC) for the domain *** could not be contacted."  Sometimes if I enter the domain name as the NETBIOS name, it will work, other times I get the same error message.

I believe this is a simple fix, but I have not found it.  Plus I want to avoid creating a bigger problem.  Any help would be appreciated.
Question by:ArchitectChuck

Accepted Solution

by:
footech earned 500 total points
The only time it's OK to have Exchange on a DC is with SBS, otherwise I say no way.  Another problem is with having more than one active NIC on a DC.  See this link for information, and if you must keep the 2nd NIC verify that you have disabled its ability to register in DNS, NetBIOS, etc.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

I think it's likely that you have multiple problems from your description.  Make sure that in your _msdcs zone there aren't any records which point to the 2nd NIC.  Also make sure that there aren't any for it under the forward lookup zone for your internal domain which correspond with "same as parent".  Make sure to run dcdiag /v and dcdiag /v /test:dns on both DCs to check for issues.  The Outlook issue may be due to autodiscover.  If you're noticing slowness when just connected to the console, that seems like it may be unrelated, but may depend on what operation you were doing.
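
Added example (not part of footech's answer or the original thread): one way to run the record check described above from a domain client, listing the addresses DNS returns for the "same as parent" name, the GC name in _msdcs, and the hosts behind the DC locator SRV records, and flagging any that are not a DC's internal address. The domain name, the allowed addresses, and the function names are placeholders; it sticks to PowerShell 2.0 syntax and assumes a single-domain forest.

```powershell
# Added example. Domain name and addresses below are constructed placeholders.
# Run from a domain-joined client: a DC resolving its own name answers from
# its local NIC list and would hide what DNS actually hands out.
$Domain     = 'corp.example.com'              # placeholder AD DNS domain
$AllowedIPs = @('192.0.2.10', '192.0.2.11')   # placeholder: internal NIC of each DC

function Get-ARecord([string]$Name) {
    # IPv4 addresses returned for $Name by the client's configured resolver.
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { }   # name does not resolve: no addresses
}

function Get-DcLocatorHost([string]$Domain) {
    # nslookup prints one "svr hostname = <fqdn>" line per SRV record.
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null |
        ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] } } |
        Sort-Object -Unique
}

# "Same as parent" A records, the GC records in _msdcs (assumes this is the
# forest root domain), and the host each DC locator SRV record points to.
$names = @($Domain, "gc._msdcs.$Domain") + @(Get-DcLocatorHost $Domain)

$report = foreach ($n in $names) {
    foreach ($ip in @(Get-ARecord $n)) {
        New-Object PSObject -Property @{
            Name    = $n
            Address = $ip
            Status  = $(if ($AllowedIPs -contains $ip) { 'expected' } else { 'UNEXPECTED' })
        }
    }
}

$report | Sort-Object Name, Address | Format-Table Name, Address, Status -AutoSize
$bad = @($report | Where-Object { $_.Status -eq 'UNEXPECTED' })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) record(s) point at an address outside the allowed list." }
```

An UNEXPECTED row carrying the second NIC's address means that adapter is still registering in DNS, which is the condition the answer says to rule out.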

Author Comment

by:ArchitectChuck
Thank you footech.

The dcdiag /v /test:dns completed with no errors.

 Summary of DNS test results:

         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: ***.com

               Srv1d                        PASS PASS PASS PASS PASS PASS n/a  
         
         ......................... ***.com passed test DNS

      Test omitted by user request: LocatorCheck

      Test omitted by user request: Intersite

I am reviewing the results for dcdiag /v

Author Comment

by:ArchitectChuck
DCDIAG Summary:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

SRV1D failed test NCSecDesc   -  Seems to be related to failed replication of directory

SRV1D failed test Replications

These were the only errors, all pointing to the replication failure to the old server.  

Directions are given in the first error to fix the replication problem.  Should I proceed with making those corrections?  It basically asked to make a registry entry to force the replication to the other server.

Author Comment

by:ArchitectChuck
The FRSEvent fix is to change the registry entry:

 Expand HKEY_LOCAL_MACHINE.

            Click down the key path:

               "System\CurrentControlSet\Services\NtFrs\Parameters"

            Double click on the value name

               "Enable Journal Wrap Automatic Restore"

            and update the value.

             

            If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

It does not say what DC to do this on.  I have confidence in Srv1d.  I do not have confidence in the older server Srv1c.  Does it make a difference which server I make this registry entry on?

Expert Comment

by:footech
Unfortunately the advice in the event is outdated, and really should not be applied except in cases where you only have a single DC.  It's best to try a non-authoritative restore first, and if that doesn't work, then an authoritative restore.  See these links for more info.
http://support.microsoft.com/kb/290762
http://adfordummiez.com/?p=61

Failing the NCSecDesc is expected if you haven't run adprep /rodcprep.
http://support.microsoft.com/kb/967482

Author Comment

by:ArchitectChuck
I proceeded with the Registry modification, and the replication was successful.

I then saw your note above, and tried the adprep /forestprep from a copy of the installation DVD on the I drive on the server and received the following error message:
The procedure entry point I_netpathtype could not be located in the dynamic link library NETAPI32.dll

I believe that the relocation of _MSDCS in DNS has made it difficult for the process to find the correct path to _MSDCS.  Does that make sense?

Author Comment

by:ArchitectChuck
I have since removed IPv6.  That seems to have solved many problems.  I am still working on this.

Assisted Solution

by:footech
footech earned 500 total points
"I believe that the relocation of _MSDCS in DNS has made it difficult for the process to find the correct path to _MSDCS. Does that make sense?"
No, having _msdcs as a zone is perfectly normal and is the default for a new domain installed with server 2003+, and it poses no problem to convert between having it as a separate zone or a subdomain.