tcinfo
2nd domain controller dns records
We have 2 Windows 2008 server dc's in 2 AD sites. When I ping the 2nd dc (from my pc) it resolves the address of dc1. I noticed this yesterday and in the dns mmc on dc1 I manually entered the correct ip address of dc2 in the forward lookup zone: _msdcs.domain.local, also have a host A record for dc2 in domain.local with the wrong IP (auto updated itself) this morning. Why is this occurring? Dcdiag has errors, (failed test Kccevent) and DS event log is full of 1311 and 1566 id's.
I meant the A record you manually created under _msdcs.domain.local; also remove the A record in domain.local if it is static.
If the records are not automatically created by any of the above method, post any DNS related errors logged by dcdiag/netdiag.
Check this link also
http://technet.microsoft.com/en-us/library/bb727055.aspx
ASKER
I did not create an A record in _msdcs.domain.local but modified the ip address of the 2nd dc in the NS record in that zone. I left that as is.
I deleted the host A record in domain.local for the 2nd dc, (it was showing the wrong IP) and then restarted netlogon on both dc's and ran ipconfig /registerdns on both.
Saw that a new host record (A) was created for dc2 with the correct ip, and after ipconfig /flushdns on my pc, pinging the 2nd dc resolves the correct ip. So that is better, thanks.
Dcdiag still has errors, related to KCC and Group Policy (cause for concern)? - attaching relevant snippet.
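The ping test described above only shows what one PC's resolver returns. As an added example (not part of the original thread), this PowerShell sketch asks each DC's DNS service directly for both DCs' A records and flags any answer that differs from the expected address. The host names and addresses are constructed placeholders, and `Resolve-DnsName` assumes it is run from a machine with the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example. All names and addresses are constructed placeholders.
$dnsServers = [ordered]@{
    'dc1' = '192.0.2.10'      # DNS service on the first DC (placeholder)
    'dc2' = '198.51.100.10'   # DNS service on the second DC (placeholder)
}
$expected = [ordered]@{
    'dc1.domain.local' = '192.0.2.10'
    'dc2.domain.local' = '198.51.100.10'
}

$report = foreach ($server in $dnsServers.GetEnumerator()) {
    foreach ($record in $expected.GetEnumerator()) {
        $queryError = $null
        try {
            # Ask this server directly; skip the hosts file, LLMNR and NetBIOS.
            $answers = @(
                Resolve-DnsName -Name $record.Key -Type A -Server $server.Value `
                    -DnsOnly -NoHostsFile -ErrorAction Stop |
                    Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' } |
                    ForEach-Object { $_.IPAddress }
            )
        } catch {
            $answers = @()
            $queryError = $_.Exception.Message
        }

        # Classify: query failed, no A record, a wrong address, or a clean match.
        $unexpected = @($answers | Where-Object { $_ -ne $record.Value })
        if ($queryError)                 { $status = 'QueryFailed' }
        elseif ($answers.Count -eq 0)    { $status = 'Missing' }
        elseif ($unexpected.Count -gt 0) { $status = 'Mismatch' }
        else                             { $status = 'OK' }

        [pscustomobject]@{
            DnsServer = $server.Key
            Name      = $record.Key
            Expected  = $record.Value
            Returned  = ($answers -join ', ')
            Status    = $status
            Detail    = $queryError
        }
    }
}

# One row per (DNS server, record) pair.
$report | Format-Table -AutoSize
```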
We do not find any file attached. You have done the right process now.
For the DCDIAG error, I believe it should be fixed in a certain replication interval.
If not, paste the error you receive.
Thanks,
Prem
ASKER
Dcdiag reports failed system log test and kcc errors, dns seems fine,
Directory-Server-Diagnosis.docx
Can you post detailed error messages from event viewer? The error can be caused by replication issue between domain controllers either due to Antivirus or firewall or corruption on domain controller.
Do both domain controllers have the same errors? If firewall or AV is not the issue and this is showing on only one domain controller, try transferring the FSMO roles to the healthy domain controller, demote the DC having issues, remove it from the domain, clean up NTDS, rejoin it to the domain and promote it again.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b9cf67b3-d9a0-4d7c-9456-ba23e3dcaf35/kerberos-and-frs-errors-after-upgrading-win2k3-dc-to-windows-2008?forum=winserverDS
ASKER
Event viewer better today, yesterday though:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 4/1/2014 4:10:57 PM
Event ID: 1311
Task Category: Knowledge Consistency Checker
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SOMDC01.domain.LOCAL
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
CN=Configuration,DC=domain,DC=LOCAL
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS KCC" />
<EventID Qualifiers="49152">1311</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-04-01T20:10:57.795Z" />
<EventRecordID>19797</EventRecordID>
<Correlation />
<Execution ProcessID="616" ThreadID="1860" />
<Channel>Directory Service</Channel>
<Computer>SOMDC01.domainLOCAL</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>CN=Configuration,DC=domain,DC=LOCAL</Data>
</EventData>
</Event>
It's only on one DC.
ASKER
The last technet link seems helpful (but applies to Win2008 server?) - I still have a Kcc error, but may open a separate question for it.
ASKER
Are you saying remove the A records for the 2 servers in domain.local? OR
In _msdcs.domain.local there are static NS entries; there are also static entries in userconnect.com and userconnect.com/bd/portal
Thank you.