Albert Widjaja
asked on
AD domain controller suddenly cannot open DNS console and replication stopped?
People
Can anyone here please assist me in troubleshooting this AD replication between two domain controllers?
There are two VM running as domain controllers:
PRODDC01-VM
PRODDC02-VM
AD replication cannot be forced from PRODDC01-VM into PRODDC02-VM, and also I cannot open the DNS console in PRODDC02-VM.
So not sure what is happening here.
ASKER
Yes, they are:
Additional data:
PRODDC01-VM DCDIAG:
PS C:\> dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PRODDC01-VM
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: SYDNEY\PRODDC01-VM
Starting test: Connectivity
......................... PRODDC01-VM passed test Connectivity
Doing primary tests
Testing server: SYDNEY\PRODDC01-VM
Starting test: Advertising
......................... PRODDC01-VM passed test Advertising
Starting test: FrsEvent
......................... PRODDC01-VM passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... PRODDC01-VM failed test DFSREvent
Starting test: SysVolCheck
......................... PRODDC01-VM passed test SysVolCheck
Starting test: KccEvent
......................... PRODDC01-VM passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... PRODDC01-VM passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... PRODDC01-VM passed test MachineAccount
Starting test: NCSecDesc
......................... PRODDC01-VM passed test NCSecDesc
Starting test: NetLogons
......................... PRODDC01-VM passed test NetLogons
Starting test: ObjectsReplicated
......................... PRODDC01-VM passed test ObjectsReplicated
Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source PRODDC02-VM
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
......................... PRODDC01-VM passed test Replications
Starting test: RidManager
......................... PRODDC01-VM passed test RidManager
Starting test: Services
......................... PRODDC01-VM passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x0000000C
Time Generated: 11/17/2016 20:44:40
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x000727AA
Time Generated: 11/17/2016 20:44:45
Event String:
The WinRM service failed to create the following SPNs: WSMAN/PRODDC01-VM.KTM.COM; WSMAN/PRODDC01-VM.
A warning event occurred. EventID: 0x000003F6
Time Generated: 11/17/2016 20:44:57
Event String:
Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x0000168D
Time Generated: 11/17/2016 20:45:31
Event String:
The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:
A warning event occurred. EventID: 0x000003F6
Time Generated: 11/17/2016 20:45:31
Event String:
Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 11/17/2016 20:46:02
Event String:
Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x00001796
Time Generated: 11/17/2016 20:54:40
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
......................... PRODDC01-VM passed test SystemLog
Starting test: VerifyReferences
......................... PRODDC01-VM passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : KTM
Starting test: CheckSDRefDom
......................... KTM passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... KTM passed test CrossRefValidation
Running enterprise tests on : KTM.COM
Starting test: LocatorCheck
......................... KTM.COM passed test LocatorCheck
Starting test: Intersite
......................... KTM.COM passed test Intersite
PS C:\>
PRODDC02-VM DCDIAG:
PS C:\Users\Administrator.KTM> dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PRODDC02-VM
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: SYDNEY\PRODDC02-VM
Starting test: Connectivity
The host 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM could not be resolved to an IP address. Check the
DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... PRODDC02-VM failed test Connectivity
Doing primary tests
Testing server: SYDNEY\PRODDC02-VM
Skipping all tests, because server PRODDC02-VM is not responding to directory service requests.
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : KTM
Starting test: CheckSDRefDom
......................... KTM passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... KTM passed test CrossRefValidation
Running enterprise tests on : KTM.COM
Starting test: LocatorCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... KTM.COM failed test LocatorCheck
Starting test: Intersite
......................... KTM.COM passed test Intersite
PS C:\Users\Administrator.KTM>
OK, first steps, have you tried rebooting both servers individually?
Have you checked all services are running as expected?
ASKER
Yes already done.
All automatic services are up and running.
Also, is the time on both servers correct?
You may want to try the steps listed in the article here if not already tried:
http://searchwindowsserver.techtarget.com/tip/Quick-fix-for-a-non-replicating-DC
ASKER
Yes, the time on both DCs is correctly synced, as well as on my workstation.
Both VMs were built manually, not from a cloned VM.
ASKER
I have tried this powershell code:
Import-Module ActiveDirectory
# Every DC in every domain of the forest
$DCs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } | Select-Object HostName
foreach ($DC in $DCs) {
    # Pull all partitions from all partners into this DC and report each step
    repadmin /syncall $DC.HostName
}
But so far it is still returning the error:
CALLBACK MESSAGE: The following replication is in progress:
From: 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM
To : f74feed0-f342-44e1-9dd5-96cd86f02736._msdcs.KTM.COM
CALLBACK MESSAGE: The following replication completed successfully:
From: 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM
To : f74feed0-f342-44e1-9dd5-96cd86f02736._msdcs.KTM.COM
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
CALLBACK MESSAGE: The following replication is in progress:
From: f74feed0-f342-44e1-9dd5-96cd86f02736._msdcs.KTM.COM
To : 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM
CALLBACK MESSAGE: Error issuing replication: 5 (0x5):
Access is denied.
From: f74feed0-f342-44e1-9dd5-96cd86f02736._msdcs.KTM.COM
To : 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 5 (0x5):
Access is denied.
From: f74feed0-f342-44e1-9dd5-96cd86f02736._msdcs.KTM.COM
To : 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM
It could be a permissions issue from your last output, have you checked this article:
https://support.microsoft.com/en-gb/kb/2002013
It goes through some further steps regarding permissions/security.
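An added check script, not from the thread and not the asker's repadmin loop above, for reading what both DCs have recorded about the one-way "Access is denied" and for running the checks that usually explain error 5 between two DCs. In the syncall output, 94ddd95e-... is PRODDC02-VM's DSA GUID (the dcdiag on PRODDC02-VM cannot resolve that name for itself) and f74feed0-... is PRODDC01-VM's, so the failing pull is PRODDC02-VM pulling from PRODDC01-VM. It assumes the RSAT ActiveDirectory module and a Domain Admin session on a DC; the DC and domain names are the ones in the thread.

```powershell
# Added example (not from the thread): read the replication state of both DCs
# and run the checks that usually explain a one-way
# "Error issuing replication: 5 (0x5) Access is denied" between two DCs.
# Assumes the RSAT ActiveDirectory module, run as a Domain Admin; DC and domain
# names are the ones in the thread.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Failures each DC has recorded for its inbound partners. Both DCs must be
#    queried: in the thread the DC02 -> DC01 direction works and DC01 -> DC02
#    does not, and only the destination that fails to pull records the error.
foreach ($dc in $dcs) {
    "== failures recorded on $dc =="
    Get-ADReplicationFailure -Target $dc |
        Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError |
        Format-Table -AutoSize
}

# 2. Per-partner, per-partition metadata. LastReplicationResult 0 is success;
#    5 = access denied, 8453 = replication access was denied,
#    8524 = the partner's DSA GUID name did not resolve in DNS.
Get-ADReplicationPartnerMetadata -Target $dcs -PartnerType Both |
    Select-Object Server, Partner, Partition, LastReplicationResult,
                  LastReplicationSuccess, LastReplicationAttempt |
    Sort-Object Server, Partition | Format-Table -AutoSize

# 3. Error 5 between DCs means Kerberos could not authenticate the pull. From
#    the DC that logs it (PRODDC02-VM here), check clock skew against the
#    partner, this DC's own secure channel to the domain, and that the
#    partner's replication SPN (E3514235-4B06-11D1-AB04-00C04FC2DCD2/<DSA GUID>/KTM.COM)
#    is registered on the partner's computer account.
$partner = 'PRODDC01-VM'
w32tm /stripchart /computer:$partner /samples:3 /dataonly
nltest /sc_verify:KTM.COM
setspn -L $partner
```

The offset from w32tm must stay well under the 5-minute Kerberos skew limit; the thread says the clocks agree, which leaves the secure channel and the SPNs as the next things to read.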
ASKER
Each DC / DNS server points to its private IP address as primary DNS server and other internal DNS servers as secondary ones
Here it is the setting:
PRODDC01-VM Network IP address details:
Primary DNS: 192.168.1.200 (itself)
Secondary DNS: 192.168.1.1 (Router)
PRODDC02-VM Network IP address details:
Primary DNS: 192.168.1.201 (itself)
Secondary DNS: 192.168.1.1 (Router)
Each VM has just one vNIC so single NIC connection not multiple.
Have you tried reinstalling DNS on PRODDC02-VM?
ASKER
How to do that?
You need to go to the Server Manager so that you can uninstall/install DNS.
I thought this would have been changed, Senior IT, did you change it as per my earlier comment:
Each DC / DNS server points to its private IP address as primary DNS server and other internal DNS servers as secondary ones
That's correct Senior IT. You can put forwarders into DNS once it's running correctly.
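An added configuration example, not from the thread, showing the DNS client change the replies above ask for on a single-NIC DC, and the forwarder added on the DNS server afterwards. The addresses are the ones the asker posted (192.168.1.200 = PRODDC01-VM, 192.168.1.201 = PRODDC02-VM, 192.168.1.1 = router); the forwarder address is an assumption. The comment above puts the DC's own address first; the AD DS Best Practices Analyzer flags a DC whose own address is the first entry, so this example lists the partner first, but the point either way is that the router drops out of the list.

```powershell
# Added example (not from the thread): fix the DNS client order on a single-NIC
# DC and add a forwarder on the DNS server afterwards. Addresses are the ones
# posted in the thread; the forwarder address is an assumption.
# Run on PRODDC02-VM; swap $self and $partner on PRODDC01-VM.
$self      = '192.168.1.201'   # PRODDC02-VM
$partner   = '192.168.1.200'   # PRODDC01-VM
$forwarder = '203.0.113.53'    # assumed: your ISP or upstream resolver

# Single vNIC, so take the one adapter that is up.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

# Before: self first, router 192.168.1.1 second. The router does not host
# KTM.COM, so whenever the local DNS service is not answering, lookups fall to
# the router and fail; that is the "none of the configured DNS servers
# responded" warning in the first dcdiag output.
Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# After: the other DC first, itself second, nothing else. Only DNS servers that
# host the AD zones belong in a DC's own client list.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $partner, $self

# Re-register the host (A) record and the locator records (the SRV records and
# the <DSA GUID>._msdcs.KTM.COM CNAME that dcdiag could not resolve).
Register-DnsClient
nltest /dsregdns

# External resolution belongs in the server's forwarders, set once the DNS
# service is up, not in the client list.
Add-DnsServerForwarder -IPAddress $forwarder -PassThru

# Verify: the DC locator SRV record and the zone apex, answered by this server.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.KTM.COM' -Type SRV -Server $self
Resolve-DnsName -Name 'KTM.COM' -Type A -Server $self
```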
ASKER
As per everyones suggestion, yes I have changed it into that settings to point to each other.
I have not set the forwarders. But for some reason the DNS console cannot be opened in PRODDC02-VM?
The AD console is working fine, and every time I create new AD objects in PRODDC02-VM they replicate to the other DC just fine, but not the other way around from PRODDC01-VM to PRODDC02-VM.
Tried these steps?
https://support.microsoft.com/en-us/kb/2001093
After the changes have been made as suggested by the other experts, can you please post the latest results from dcdiag /v /e
Also, are you able to manage DNS from either server using the PowerShell cmdlets?
Also please upload a screen shot of the error message you are getting when opening the DNS console
ASKER
Hi All,
Sorry for the late reply.
Here's the result of the DCDIAG /V /E command as requested. Can anyone here please help?
PRODDC01-VM.txt
PRODDC02-VM.txt
Your best option may be to demote and rebuild DC02
ASKER
Hi Andy,
If I demote it, how can I ensure that it won't impact any of the existing Exchange server and AD objects?
One option is to turn off the server for a while and see if anything is affected, if it is, turn it on again, if not you know it's safe.
ASKER
Here's the result from DCDIAG /V /E command:
C:\>dcdiag /v /e
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine PRODDC02-VM, is a Directory Server.
Home Server = PRODDC02-VM
* Connecting to directory service on server PRODDC02-VM.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=KTM,DC=COM,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=SYDNEY,CN=Sites,CN=Configuration,DC=KTM,DC=COM
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=KTM,DC=COM,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=PRODDC01-VM,CN=Servers,CN=SYDNEY,CN=Sites,CN=Configuration,DC=KTM,DC=COM
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=PRODDC02-VM,CN=Servers,CN=SYDNEY,CN=Sites,CN=Configuration,DC=KTM,DC=COM
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
Ldap search capability attribute search failed on server PRODDC01-VM, return value = 81
Got error while checking if the DC is using FRS or DFSR. Error: Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
* Found 2 DC(s). Testing 2 of them.
Done gathering initial info.
Doing initial required tests
Testing server: SYDNEY\PRODDC01-VM
Starting test: Connectivity
* Active Directory LDAP Services Check
The host f74feed0-f342-44e1-9dd5-96cd86f02736._msdcs.KTM.COM could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
Neither the the server name (PRODDC01-VM.KTM.COM) nor the Guid DNS name (f74feed0-f342-44e1-9dd5-96cd86f02736._msdcs.KTM.COM) could be resolved by DNS. Check that the server is up and is registered correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... PRODDC01-VM failed test Connectivity
Testing server: SYDNEY\PRODDC02-VM
Starting test: Connectivity
* Active Directory LDAP Services Check
The host 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... PRODDC02-VM failed test Connectivity
Doing primary tests
Testing server: SYDNEY\PRODDC01-VM
Skipping all tests, because server PRODDC01-VM is not responding to directory service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Testing server: SYDNEY\PRODDC02-VM
Skipping all tests, because server PRODDC02-VM is not responding to directory service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
For the partition (DC=ForestDnsZones,DC=KTM,DC=COM) we encountered the following error retrieving the cross-ref's (CN=43e0fd13-3e9e-423e-b391-d90da04b6d26,CN=Partitions,CN=Configuration,DC=KTM,DC=COM) information:
LDAP Error 0x3a (58).
......................... ForestDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition (DC=ForestDnsZones,DC=KTM,DC=COM) we encountered the following error retrieving the cross-ref's (CN=43e0fd13-3e9e-423e-b391-d90da04b6d26,CN=Partitions,CN=Configuration,DC=KTM,DC=COM) information:
LDAP Error 0x3a (58).
......................... ForestDnsZones failed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
For the partition (DC=DomainDnsZones,DC=KTM,DC=COM) we encountered the following error retrieving the cross-ref's (CN=7c9f5c44-5db6-4ec9-841c-2baba64ec0c9,CN=Partitions,CN=Configuration,DC=KTM,DC=COM) information:
LDAP Error 0x3a (58).
......................... DomainDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition (DC=DomainDnsZones,DC=KTM,DC=COM) we encountered the following error retrieving the cross-ref's (CN=7c9f5c44-5db6-4ec9-841c-2baba64ec0c9,CN=Partitions,CN=Configuration,DC=KTM,DC=COM) information:
LDAP Error 0x3a (58).
......................... DomainDnsZones failed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition (CN=Schema,CN=Configuration,DC=KTM,DC=COM) we encountered the following error retrieving the cross-ref's (CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=KTM,DC=COM) information:
LDAP Error 0x3a (58).
......................... Schema failed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition (CN=Configuration,DC=KTM,DC=COM) we encountered the following error retrieving the cross-ref's (CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=KTM,DC=COM) information:
LDAP Error 0x3a (58).
......................... Configuration failed test CrossRefValidation
Running partition tests on : KTM
Starting test: CheckSDRefDom
......................... KTM passed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition (DC=KTM,DC=COM) we encountered the following error retrieving the cross-ref's (CN=KTM,CN=Partitions,CN=Configuration,DC=KTM,DC=COM) information:
LDAP Error 0x3a (58).
......................... KTM failed test CrossRefValidation
Running enterprise tests on : KTM.COM
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\PRODDC02-VM.KTM.COM
Locator Flags: 0xe000f1fc
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Time Server Name: \\PRODDC02-VM.KTM.COM
Locator Flags: 0xe000f1fc
Preferred Time Server Name: \\PRODDC02-VM.KTM.COM
Locator Flags: 0xe000f1fc
KDC Name: \\PRODDC02-VM.KTM.COM
Locator Flags: 0xe000f1fc
......................... KTM.COM failed test LocatorCheck
Starting test: Intersite
Skipping site SYDNEY, this site is outside the scope provided by the command line arguments provided.
......................... KTM.COM passed test Intersite
FYI, the other DC, which holds all FSMO roles, is still up and running, but why is PRODDC02-VM not able to talk to it?
See the below screenshot from PRODDC01-VM which is working fine:
ASKER
Thanks all !
Adding the missing DNS entry in the Name Servers tab resolved this problem.
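An added check, not from the thread, for the two DNS records that dcdiag's Connectivity test and the accepted fix turn on: the <DSA GUID>._msdcs.<forest> CNAME that both DCs reported as unresolvable, and the NS entry on the zone's Name Servers tab that the asker found missing. It verifies both for every DC and adds a missing NS entry the way the fix did, on each DC's own copy of the zone, since AD replication is the thing that is not carrying the change. It assumes the RSAT ActiveDirectory and DnsServer modules and a Domain Admin session on a DC; the forest and zone names are the ones in the thread, and the _msdcs zone is assumed to be its own forest-wide zone (the script skips it where it is not).

```powershell
# Added example (not from the thread): for each DC, check the <DSA GUID>._msdcs
# CNAME and the DC's NS entry at the zone apex (the Name Servers tab), and add
# a missing NS entry. Assumes RSAT ActiveDirectory and DnsServer modules, run
# as a Domain Admin on a DC; names are the ones in the thread.
Import-Module ActiveDirectory, DnsServer

$forest = (Get-ADForest).RootDomain     # KTM.COM
$msdcs  = "_msdcs.$forest"              # assumed to be a separate forest-wide zone
$dcs    = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    # The DSA GUID is the objectGUID of the DC's NTDS Settings object; partners
    # resolve <DSA GUID>._msdcs.<forest> to reach it, not the plain host name.
    $ntds   = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $cname  = "$($ntds.objectGUID).$msdcs"
    $answer = Resolve-DnsName -Name $cname -Type CNAME -Server $dc.HostName -ErrorAction SilentlyContinue
    if ($answer) { "OK      $cname -> $($answer.NameHost) (asked $($dc.HostName))" }
    else         { "MISSING $cname on $($dc.HostName); run 'nltest /dsregdns' on $($dc.HostName)" }
}

# The Name Servers tab is the NS record set at the zone apex (HostName '@').
# A DC absent from it is not listed as authoritative for the zone, so the other
# DC and resolvers never send it the _msdcs lookups above, although it hosts
# the zone. Check and fix on each DC's own copy of the zone.
foreach ($zone in $forest, $msdcs) {
    foreach ($dc in $dcs) {
        $server = $dc.HostName
        if (-not (Get-DnsServerZone -Name $zone -ComputerName $server -ErrorAction SilentlyContinue)) {
            "SKIP    zone $zone is not hosted on $server"
            continue
        }
        $ns = Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -ComputerName $server |
              Where-Object HostName -eq '@' |
              ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') }
        foreach ($expected in $dcs.HostName) {
            if ($ns -contains $expected) {
                "OK      $expected is NS for $zone on $server"
                continue
            }
            "MISSING $expected is not NS for $zone on $server; adding it"
            Add-DnsServerResourceRecord -ZoneName $zone -Name '.' -NS -NameServer "$expected." -ComputerName $server
        }
    }
}
```

Run it again after replication has been forced in both directions; once both DCs show OK for every line, dcdiag's Connectivity test has what it needs and the one-way sync can be retried.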
Are the DC's both on the same virtual host?
If not, can you migrate one of them to the same host as the other?