guid based dns name not registered

Discussion in 'Active Directory' started by aks, Feb 17, 2005.

  1. aks

    aks Guest

    Could anyone help me with this? I need help urgently -

    I have 1 forest, with 3 DCs (serv1.apple.com, serv2.orange.com,
    serv3.banana.com respectively), each DC pointing to its own DNS. The first
    DC (serv1.apple.com) has forward lookup zones set up to point to DC2 and DC3.
    The replication is failing from DC1 to DC2, but is working fine from DC1
    to DC3. On DC2, dcdiag gives the message below:

    Domain Controller Diagnosis

    Performing initial setup:
    * Verifying that the local machine serv2, is a DC.
    * Connecting to directory service on server serv2.
    * Collecting site info.
    * Identifying all servers.
    * Found 3 DC(s). Testing 1 of them.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\SERV2
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... SERV2 passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\SERV2
    Starting test: Replications
    * Replications Check
    [Replications Check,SERV2] A recent replication attempt failed:
    From SERV1 to SERV2
    Naming Context: CN=Configuration,DC=apple,DC=com
    The replication generated an error (8524):
    The DSA operation is unable to proceed because of a DNS lookup
    failure.
    The failure occurred at 2005-02-17 09:58.14.
    The last success occurred at 2005-02-15 13:55.36.
    46 failures have occurred since the last success.
    The guid-based DNS name
    344ed7dc-ae42-4299-af89-5aa4f50923e0._msdcs.apple.com
    is not registered on one or more DNS servers.
    [SERV1] DsBind() failed with error 1722,
    The RPC server is unavailable..
    [Replications Check,SERV2] A recent replication attempt failed:
    From SERV1 to SERV2
    Naming Context: CN=Schema,CN=Configuration,DC=apple,DC=com
    The replication generated an error (8524):
    The DSA operation is unable to proceed because of a DNS lookup
    failure.
    The failure occurred at 2005-02-17 10:58.45.
    The last success occurred at 2005-02-15 13:55.36.
    47 failures have occurred since the last success.
    The guid-based DNS name
    344ed7dc-ae42-4299-af89-5aa4f50923e0._msdcs.apple.com
    is not registered on one or more DNS servers.
    [Replications Check,SERV2] A recent replication attempt failed:
    From SERV1 to SERV2
    Naming Context: DC=ForestDnsZones,DC=apple,DC=com
    The replication generated an error (8524):
    The DSA operation is unable to proceed because of a DNS lookup
    failure.
    The failure occurred at 2005-02-17 02:50.07.
    The last success occurred at 2005-02-15 13:55.36.
    14 failures have occurred since the last success.
    The guid-based DNS name
    344ed7dc-ae42-4299-af89-5aa4f50923e0._msdcs.apple.com
    is not registered on one or more DNS servers.
    ......................... SERV2 passed test Replications
    Test omitted by user request: Topology
    Test omitted by user request: CutoffServers
    Starting test: NCSecDesc
    * Security Permissions Check for
    DC=orange,DC=com
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=apple,DC=com
    * Security Permissions Check for
    CN=Configuration,DC=apple,DC=com
    ......................... SERV2 passed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    ......................... SERV2 passed test NetLogons
    Starting test: Advertising
    The DC SERV2 is advertising itself as a DC and having a DS.
    The DC SERV2 is advertising as an LDAP server
    The DC SERV2 is advertising as having a writeable directory
    The DC SERV2 is advertising as a Key Distribution Center
    Warning: SERV2 is not advertising as a time server.
    ......................... SERV2 failed test Advertising
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS Settings,CN=SERV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=apple,DC=com
    Warning: SERV1 is the Schema Owner, but is not responding to DS RPC Bind.
    [SERV1] LDAP connection failed with error 58,
    The specified server cannot perform the requested operation..
    Warning: SERV1 is the Schema Owner, but is not responding to LDAP Bind.
    Role Domain Owner = CN=NTDS Settings,CN=SERV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=apple,DC=com
    Warning: SERV1 is the Domain Owner, but is not responding to DS RPC Bind.
    Warning: SERV1 is the Domain Owner, but is not responding to LDAP Bind.
    Role PDC Owner = CN=NTDS Settings,CN=SERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=apple,DC=com
    Role Rid Owner = CN=NTDS Settings,CN=SERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=apple,DC=com
    Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=apple,DC=com
    ......................... SERV2 failed test KnowsOfRoleHolders
    Starting test: RidManager
    * Available RID Pool for the Domain is 1607 to 1073741823
    * serv2.orange.com is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 1107 to 1606
    * rIDPreviousAllocationPool is 1107 to 1606
    * rIDNextRID: 1110
     
    aks, Feb 17, 2005
    #1

  2. aks

    ptwilliams Guest

    So you've got three domains, with one DC per domain? Are all three DCs
    running Win2003?

    Each DC should point to itself for DNS. As you have three single-domain
    trees, each will require a DNS zone. You should replicate the DNS zones
    forest wide, so all three DCs hold a copy of each zone.

    You should also configure the DNS resolver (client) with all three domain
    name suffixes. You do this by manually editing the DNS settings in the
    Advanced TCP/IP properties - all three should be added to the suffix search
    list. The local domain name should be first.

    For good measure then you should restart netlogon on all three DCs, and
    initiate replication.

    The problem you are now faced is 'seeing' the SRV records in the other
    namespaces. You may need to configure a secondary copy of the forest root's
    DNS just to be able to resolve it to make the initial replication possible.
    Although I assume that you have adequate information in the configuration
    container not to need this, as you've already replicated at least once...


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

     
    ptwilliams, Feb 17, 2005
    #2

  3. aks

    aks Guest

    Hi Paul:

    Thanks for the quick response. Greatly appreciate your help. Please see my
    comments below preceding with "aks>>" as I have some questions.

    aks>> Yes, have 3 domains, one DC per domain, each running Win2003.
    aks>> Yes, each DC already points to itself for DNS. Each DNS zone is
    already configured forest wide. All three DCs have AD integrated DNS. All
    three DCs have Forward lookup zones configured (each one looks different
    unfortunately) and no DC has a Reverse lookup zone configured yet.

    On Forward Lookup Zone Config, could you help me more on this:

    My first DC(apple.com), it shows:
    + _msdcs.apple.com
    + apple.com
    + DomainDnsZones
    + ForestDnsZones
    + sites (lists 3 SRVs, one for each DC in forest)
    + tcp (lists 3 SRVs, one for each DC)

    My second DC(orange.com), shows:
    + _msdcs.apple.com
    + orange.com
    (DomainDnsZones and ForestDnsZone data is completely missing)

    My third DC(banana.com) shows:
    + _msdcs.apple.com
    + banana.com
    + apple.com
    + DomainDnsZones
    + ForestDnsZones
    + sites (lists 3 SRVs, one for each DC in forest)
    + tcp (lists 3 SRVs, one for each DC)

    aks>> Could you point out what's the problem above - what needs to be
    removed/added for each DC?
    aks>> In each DC, I have added the following as per your suggestion. In my
    TcpIP/Advanced config, this is what I have enabled:

    - Append these DNS suffixes (in order)
    - banana.com (the first entry is for the local domain, followed by other
    two)
    - apple.com
    - orange.com
    - Register this connection's address in DNS

    aks>> Are the above two settings ok or do I need a change?

    aks>> I will restart netlogon once you confirm my new config as stated
    above. Also, could you help me know how to "force/initiate replication"?
     
    aks, Feb 17, 2005
    #3
  4. aks

    ptwilliams Guest

    Yikes!! It's as I thought. Each DNS domain knows its own stuff, but not
    enough of everyone else's. The issue here now is getting replication to
    work, that will then populate everything properly.

    Orange hasn't fully replicated, and really needs to. Banana looks OK - just
    needs to replicate with Orange. Surprisingly the root isn't as well
    populated as I would have liked.

    I've not been in this scenario yet, but I'll be getting to it soon. So this
    advice might be a little convoluted...

    Restart netlogon on each DC.
    On each domain zone, e.g. the fruit, configure zone transfers and add the IP
    addresses of the other two DCs.
    On each DC, configure a secondary zone for the other two domains.
    Restart the DNS server service on all three (for good measure ;-)

    Now we should be able to force replication. You can do this in a number of
    ways, but when things have gone wrong or I want to make sure things happen I
    like to use replmon - Active Directory Replication monitor. This is
    installed as part of the support tools.

    Install the support tools if you've not already done so, and run replmon.
    Add the DC that you are logged onto as a DC to monitor, right-click the
    object and choose replicate partitions. In the resultant box, firstly go to
    the cache tab and flush it; then go to the general tab and choose push,
    cross site boundaries. Then click OK or replicate now -whatever it is.

    Repeat this on all three domain controllers.

    You need to ensure that you replicate all partitions - not just the domain
    partition. These DNS zones are stored in application partitions.

    Once everything has replicated both ways, you can remove the secondary zones
    and restart the DNS service - this will then load all zones from AD.

    You seem to have managed to get into the island problem - something which is
    quite difficult to do in 2003 ;-)

    Like I said, there may be a better way of doing this, but I've not yet come
    across it as almost all of our customers are still running 2k and/or NT.
    We're only just starting to roll 2003 and haven't had a good play with the
    new DNS stuff...


    Basically, what you need to do is ensure that all DCs can resolve the other
    DCs through _ldap._tcp.dc._msdcs.domain-name.com calls, etc. But in order
    to do this, they need to see this portion of the DNS domain.

    I suppose another way would be to point all three DCs at the forest root for
    DNS. This may get things replicating quicker. Once you've fully replicated
    the enterprise partitions, you can then point them back to themselves.

    Hope this helps,


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

     
    ptwilliams, Feb 17, 2005
    #4
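    An added check, not from the thread or from Paul, for the two conditions this post turns on: that each DC's GUID-based CNAME under _msdcs.<forest root> (the name the 8524 error in the first post reports as unregistered) and the _ldap._tcp.dc._msdcs.<domain> SRV records resolve from every DC's own DNS server. It assumes a current Windows admin host with RSAT (the ActiveDirectory and DnsClient modules, Windows 8 / Server 2012 or later), and that each DC uses itself as its DNS server as Paul recommends; Resolve-DnsName does not exist on Windows 2003.

```powershell
# Added example, not from the thread: for every DC in the forest, ask every DC's
# DNS server for that DC's GUID-based CNAME and its DC locator SRV record, and
# report which DNS servers cannot resolve which DC.
# Assumes RSAT with the ActiveDirectory and DnsClient modules (Windows 8 /
# Server 2012+); each DC is assumed to be its own DNS server (post #2).
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-DcDnsRecord {
    # Query one record type from one named DNS server only (-DnsOnly skips the
    # local cache and hosts file) and return a row saying whether it resolved.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('CNAME', 'SRV')][string]$Type,
        [Parameter(Mandatory)][string]$Server
    )
    try {
        $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type }
        if (-not $answer) { throw "no $Type record in the answer section" }
        $targets = if ($Type -eq 'SRV') { $answer.NameTarget } else { $answer.NameHost }
        [pscustomobject]@{ DnsServer = $Server; Record = $Name; Type = $Type
                           Status = 'OK'; Answer = ($targets -join ', ') }
    }
    catch {
        [pscustomobject]@{ DnsServer = $Server; Record = $Name; Type = $Type
                           Status = 'MISSING'; Answer = $_.Exception.Message }
    }
}

$forest     = Get-ADForest
$forestRoot = $forest.RootDomain            # apple.com in the thread

# One entry per DC in every domain of the forest. The GUID in the CNAME is the
# objectGUID of the DC's NTDS Settings object; it lives in the Configuration
# partition, so any reachable DC can supply it even when the DC itself is down.
$dcs = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN
        [pscustomobject]@{
            HostName  = $dc.HostName
            Domain    = $dc.Domain
            DnsServer = $dc.IPv4Address     # assumption: the DC points to itself for DNS
            GuidName  = "$($ntds.ObjectGUID)._msdcs.$forestRoot"
            SrvName   = "_ldap._tcp.dc._msdcs.$($dc.Domain)"
        }
    }
}

# Every DC's DNS server must be able to resolve every other DC's records,
# otherwise replication from that partner fails with 8524 as in the first post.
$results = foreach ($server in $dcs) {
    foreach ($target in $dcs) {
        Test-DcDnsRecord -Name $target.GuidName -Type CNAME -Server $server.DnsServer
        Test-DcDnsRecord -Name $target.SrvName  -Type SRV   -Server $server.DnsServer
    }
}

$results | Sort-Object Status, DnsServer, Record | Format-Table -AutoSize
# A MISSING row names a DNS server that cannot locate that DC. Once the zone
# data reaches that server, restarting netlogon on the DC that owns the record
# makes it re-register, which is the step Paul's procedure relies on.
```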
  5. aks

    aks Guest

    Thanks again for all your suggestions and timely responses. Looks like this
    is a messy problem, hence want to go slow on this, with confirmations from
    your side. Hopefully we can get over it soon.

    Please see below for my comments and questions preceded with "aks".

    aks>> restarted netlogon on each DC (net stop netlogon and start)
    aks>> by "zone transfers" do you mean "zone forwarders"? I'm unable to find
    "zone transfers". If it's zone forwarders, this is what I see:

    DNS
    -Serv1 (its apple.com)
    - Cached lookups
    - Forward Lookup zones
    - Reverse Lookup zones
    - Event viewer
    Upon right-clicking, Serv1 -> Properties -> Forwarders ->
    Here I have added orange.com, banana.com with their respective IPs

    DNS
    -Serv2 (its orange.com)
    - Forward Lookup zones
    - Reverse Lookup zones
    - Event viewer
    Upon right-clicking, Serv2 -> Properties -> Forwarders ->
    Here I have added apple.com, banana.com with their respective IPs

    DNS
    -Serv3 (its banana.com)
    - Forward Lookup zones
    - Reverse Lookup zones
    - Event viewer
    Upon right-clicking, Serv3 -> Properties -> Forwarders ->
    Here I already have orange.com and its IP. When I try to add apple.com and
    its IP and click on "apply", I get this error msg - "The server forwarders cannot
    be updated. The zone already exists". However I do not see apple.com
    anywhere on that screen.
    aks>> please help !
    aks>> how is this done, please give some pointers. Is it done by right
    clicking "serv1" or "serv2" in the above screen, and selecting "configure new
    zone" or is there some other way.
    aks>> please suggest what is the best way to restart DNS server.

    aks>> will try the below once I implement the above correctly. Appreciate
    your help.
     
    aks, Feb 17, 2005
    #5
  6. aks

    aks Guest

    I just needed to add, that if the DC's seem to have ended up in a bizarre
    place, I would like to re-start the process of AD installation. My test
    servers are new systems, with no old data in place. My goal is to get a clean
    system ready for AD population and synchronization in the upcoming weeks.

     
    aks, Feb 18, 2005
    #6
  7. aks

    ptwilliams Guest

    No, I mean forwarders ;-)

    I'm not in front of a 2003 box now...but over the weekend I'll fire one up
    and answer your questions...

    Don't rebuild yet. Fixing this will be *fun* and helpful in the future...


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/


     
    ptwilliams, Feb 18, 2005
    #7
  8. aks

    aks Guest

    Hi Paul,

    Nice to hear back from you. I'm too consumed with this problem as my time is
    running out on this... Appreciate your 'divine' help.

    Per your suggestions so far, I have tried few more things on the system.
    Would like to update you so we both are on the same page -

    1. Biggest question:
    From day one, nslookup <hostname or IP> on each DC is giving an error. For
    e.g. - On serv1, when running: nslookup serv2, I get this error
    "dns request timed out, time out was 2 secs. Can't find server name for
    address 1.2.3.0: timed out"
    server: unknown
    address: 1.2.3.0 (is correct IP of serv1)
    name: serv2.orange.com (is correct)
    address: 1.2.3.1 (is correct IP of serv2)
    I get results back, however see an error msg also. Is something wrong
    somewhere?

    2. On each DC, I removed the "forwarders" that I had configured as mentioned
    in my last msg, and added 2 more PRIMARY zones to force each DC to list all
    the domains under Forward Lookup Zones(FLZ). By doing so, each DC, under FLZ
    now lists the names of all 3 domains - one local domain, 2 non-local domains.
    Not sure if on each DC, other 2 zones representing 2 non-local domains have
    to be added as primary or secondary ?

    3. I configured "zone transfers" for each domain listed under FLZ, and
    enabled "allow zone transfer" and added domain name and IP addr of the other
    two domains in the forest. So total I have 6 entries (3 domains times 2 zone
    transfer entries for each domain , 3 x2 = 6). This is also done on each DC.

    4. Installed system tools on each DC. Using replmon, replication topology
    displays a GUI with each DC pointing to two other DC's in the forest only if
    I select 'intra site topology'(right click DC). I do not see this when I
    select 'inter-site topology'. I think my goal is to set up one site per
    domain, so the above seems incorrect. Please advise. Also in replmon, need
    some pointers on what to select to force 'replication of application
    partitions' - there are too many options, don't see 'replicate now'
    anywhere....

    5. upon executing dcdiag /v on each DC the errors have reduced
    significantly, but these are still there:
    a) on both serv1(apple.com) and serv3(banana.com), I get this:
    - Replication test: Serv2 (its orange.com): DS Bind() failed with error
    1722. RPC server is unavailable

    b) on all DC's, see Netlogon failure. For e.g on serv3, i see this:
    Starting test: NetLogons
    * Network Logons Privileges Check
    ......................... SERV3 passed test NetLogons

    Starting test: Services
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    * Checking Service: IsmServ
    * Checking Service: kdc
    * Checking Service: SamSs
    * Checking Service: LanmanServer
    * Checking Service: LanmanWorkstation
    * Checking Service: RpcSs
    * Checking Service: RPCLOCATOR
    RPCLOCATOR Service is stopped on [SERV3]
    * Checking Service: w32time
    * Checking Service: TrkWks
    TrkWks Service is stopped on [SERV3]
    * Checking Service: TrkSvr
    TrkSvr Service is stopped on [SERV3]
    * Checking Service: NETLOGON
    ......................... SERV3 failed test Services
    Please advise.

    c) using dcdiag /v, on all DC's, I do not see mention of other two
    (non-local) domains, not even in the 'Intersite test' section - Is this
    expected ?

    Much thanks in advance. If you would like to take this offline at this
    point/work thru the weekend, please let me know. I'll pass my email id to you.

    aks
     
    aks, Feb 18, 2005
    #8
  9. aks

    ptwilliams Guest

    I've been thinking about this, and we may be able to do this quicker by
    simply pointing all three DCs at the forest root for DNS. If you do this,
    and then restart netlogon all three will register records in DNS on orange;
    they will then be able to see each other and replicate this info. to each
    other. Once they've successfully replicated, they can be changed back to
    point to themselves.

    Try this first. Let me know what happens.

    However, for completion's sake, I've answered all your questions too.
    Answers inline...


    p.s. in my last post I meant to say "no I don't mean forwarders; I mean zone
    transfers".

    My apologies.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

    2. On each DC, I removed the "forwarders" that I had configured as mentioned
    in my last msg, and added 2 more PRIMARY zones to force each DC to list all
    the domains under Forward Lookup Zones(FLZ). By doing so, each DC, under FLZ
    now lists the names of all 3 domains - one local domain, 2 non-local
    domains.
    Not sure if on each DC, other 2 zones representing 2 non-local domains have
    to be added as primary or secondary ?

    I assume that you mean that each DC stores it's own domain zone and a
    secondary copy of the other two? If not, that's how it should be.
    Otherwise we're going to confuse things even more...


    3. I configured "zone transfers" for each domain listed under FLZ, and
    enabled "allow zone transfer" and added domain name and IP addr of the other
    two domains in the forest. So total I have 6 entries (3 domains times 2 zone
    transfer entries for each domain , 3 x2 = 6). This is also done on each DC.

    However, try my suggestion above first. This is a very convoluted way about
    this. I didn't have a 2003 DNS server in front of me when I first answered
    your post and was in Win2000 mode!


    4. Installed system tools on each DC. Using replmon, replication topology
    displays a GUI with each DC pointing to two other DC's in the forest only if
    I select 'intra site topology'(right click DC). I do not see this when I
    select 'inter-site topology'. I think my goal is to set up one site per
    domain, so the above seems incorrect. Please advise. Also in replmon, need
    some pointers on what to select to force 'replication of application
    partitions' - there are too many options, don't see 'replicate now'
    anywhere....

    As for replmon...

    When you add a monitored server, the default view is fine. This shows all
    direct replication partners for each partition. You can enable viewing of
    transitive replication partners through View\ Options\ Show transitive
    replication partners and extended data. Although this won't be necessary as
    you don't have enough DCs for a mesh and all three are in the same site.

    You force replication by right-clicking on a partition (or the server to
    replicate all partitions) and choosing Synchronise each directory partition
    with all replication partners. In the resultant box, select push mode and
    OK. If these were spread across multiple sites you would also choose cross
    site boundaries



    5. upon executing dcdiag /v on each DC the errors have reduced
    significantly, but these are still there:
    a) on both serv1(apple.com) and serv3(banana.com), I get this:
    - Replication test: Serv2 (its orange.com): DS Bind() failed with error
    1722. RPC server is unavailable

    b) on all DC's, see Netlogon failure. For e.g on serv3, i see this:
    Starting test: NetLogons
    * Network Logons Privileges Check
    ......................... SERV3 passed test NetLogons

    Starting test: Services
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    * Checking Service: IsmServ
    * Checking Service: kdc
    * Checking Service: SamSs
    * Checking Service: LanmanServer
    * Checking Service: LanmanWorkstation
    * Checking Service: RpcSs
    * Checking Service: RPCLOCATOR
    RPCLOCATOR Service is stopped on [SERV3]
    * Checking Service: w32time
    * Checking Service: TrkWks
    TrkWks Service is stopped on [SERV3]
    * Checking Service: TrkSvr
    TrkSvr Service is stopped on [SERV3]
    * Checking Service: NETLOGON
    ......................... SERV3 failed test Services
    Please advise.

    c) using dcdiag /v, on all DC's, I do not see mention of other two
    (non-local) domains, not even in the 'Intersite test' section - Is this
    expected ?

    dcdiag /v is a verbose test on the local DC. If you want to test all DCs in
    the enterprise, with a complete set to tests run dcdiag /v /c /e.


     
    ptwilliams, Feb 19, 2005
    #9
  10. aks

    aks Guest

    Hi Paul:

    Please see comments & questions below. Thanks.

    aks>> I changed the two DCs to point to DNS on root DC.
    aks>> On the root DC, when I try to configure Reverse Lookup Zone (RLZ), it
    asks me to enter network ID (it is the portion of the IP address that belongs
    to this zone); am not sure what to enter here? Also, am trying to configure
    this RLZ as Primary. Is that ok?
    aks>> I tried deleting and adding the non-local domains as "Secondary"
    zones. This was successful only on orange.com (root DC).

    Summary:
    serv1 (orange.com), FLZ shows this:
    - _msdcs.orange.com
    - orange.com (running as Primary zone, connection ok)
    - apple.com (running as Secondary zone, connection ok)
    - banana.com (Secondary zone, connection ok)
    Still missing the reverse lookup zone config, as recommended by you.

    On serv2, and serv3 there are problems.

    serv2 (apple.com), FLZ shows:
    - _msdcs.orange.com (is this required here?)
    - apple.com (running as Primary zone, connection ok)
    - banana.com (running as Secondary zone, no connection - DNS unable to load zone)
    - orange.com (still running as Primary zone, as I get an "unable to delete,
    access denied" error when I try to delete this zone so I can reconfigure it as
    a 'secondary' zone. I am running as Administrator; not sure what more permissions
    I need, and how to get them?)

    serv3 (banana.com), FLZ shows:
    - _msdcs.orange.com (is this required here?)
    - banana.com (running as Primary zone, connection ok)
    - apple.com (running as Secondary zone, connection ok)
    - orange.com (still running as Primary zone, as I get an "unable to delete,
    access denied" error when I try to delete this zone so I can reconfigure it as
    a 'secondary' zone. I am running as Administrator; not sure what more permissions
    I need, and how to get them?)

    aks>> As you can see above, each DC has a problem in the config. Please let
    me know which DCs each FLZ should enlist.

    aks>> I have not configured any zone transfers yet.

    aks>> My subnet mask as seen under DNS config is 255.255.255.0 for all three
    DCs. Does this mean I can configure only 1 site? As you know, I have 3 DCs,
    each representing a unique domain. Is there a way to make them each act as a
    separate site?

    aks>> I have restarted netlogon on each DC. Since there is an obvious
    configuration issue with each DC, I am not moving any further. I would like
    your help on the above first, and then move on. Please advise.

    As expected dcdiag /v is still giving errors. Look forward to your reply.
     
    aks, Feb 22, 2005
    #10
  11. aks

    ptwilliams Guest

    There's a lot going on here now, so let's take a step back and do things one
    step at a time...

    Reverse Lookup Zone:

    Create it as Primary if you want. I would make it AD-Integrated.

    If your IP address range is, for example, 192.168.0.0/24 (192.168.0.0 -
    192.168.0.255) then you add this in when it asks for your network address.
    Your network address is 192.168.0. It will create a zone called
    0.168.192.in-addr.arpa.


    Forget about the secondary zones for now. That's a convoluted solution that
    I'm having doubts about.

    Good. Now restart netlogon.

    After restarting netlogon, run replmon and follow the instructions on
    forcing replication in my earlier post.

    Only once you've replicated should you again run dcdiag and netdiag.
    Although you might want to try netdiag /test:dns after restarting netlogon.


    The reason you can't delete the AD-I zones is probably because you are using
    the (non-forest root) domain admin - this won't have permissions on the
    enterprise partitions by default. If you do want to delete those domains
    (you don't) make your user account a member of Enterprise Admins.

    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net


     
    ptwilliams, Feb 22, 2005
    #11
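    The network-ID to zone-name mapping Paul describes above, written out as an added example (not code from the thread or from either poster) so the names can be checked before the wizard is run, together with the equivalent DnsServer-module commands for an AD-integrated reverse zone. The cmdlets assume Windows Server 2012 or later (the thread's hosts run Windows Server 2003, where the same steps are done in the DNS console). The 192.168.0.0/24 range and serv1.orange.com at 192.168.0.1 are the thread's own values; the serv2 and serv3 addresses are assumptions.

```powershell
# Added example: derive in-addr.arpa names from a network prefix and create the
# zone as AD-integrated with secure-only dynamic updates (DnsServer module).
function Get-ReverseZoneName {
    param([Parameter(Mandatory)][string]$Network)   # e.g. '192.168.0.0/24'
    $addr, $prefix = $Network -split '/'
    $prefix = [int]$prefix
    # Only /8, /16 and /24 map onto a single in-addr.arpa zone; anything else is
    # classless reverse delegation (RFC 2317) and is out of scope here.
    if ($prefix -notin 8, 16, 24) { throw "Prefix /$prefix is not octet-aligned" }
    $octets = @(($addr -split '\.') | Select-Object -First ($prefix / 8))
    [array]::Reverse($octets)
    # 192.168.0.0/24 -> network ID 192.168.0 -> zone 0.168.192.in-addr.arpa
    "$($octets -join '.').in-addr.arpa"
}

function Get-PtrOwnerName {
    # Relative owner name of the PTR for $IPAddress inside the zone for $Network:
    # the host octets, reversed. 192.168.0.1 in 192.168.0.0/24 -> '1';
    # 192.168.0.1 in 192.168.0.0/16 -> '1.0'.
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$Network)
    $prefix = [int](($Network -split '/')[1])
    $hostOctets = @(($IPAddress -split '\.') | Select-Object -Skip ($prefix / 8))
    [array]::Reverse($hostOctets)
    $hostOctets -join '.'
}

$network = '192.168.0.0/24'
$zone    = Get-ReverseZoneName -Network $network     # 0.168.192.in-addr.arpa

# AD-integrated primary zone (stored in the directory and replicated to the
# other DNS servers in the domain). 'Secure' is the only dynamic-update setting
# that stops an arbitrary host on the subnet from overwriting another machine's
# PTR; it is only available for AD-integrated zones.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $network -ReplicationScope Domain -DynamicUpdate Secure
}

# Static PTRs for the DCs. serv2/serv3 addresses are assumed, not from the thread.
$dcs = @{
    'serv1.orange.com' = '192.168.0.1'
    'serv2.apple.com'  = '192.168.0.2'
    'serv3.banana.com' = '192.168.0.3'
}
foreach ($entry in $dcs.GetEnumerator()) {
    $owner = Get-PtrOwnerName -IPAddress $entry.Value -Network $network
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $owner -RRType Ptr -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordPtr -ZoneName $zone -Name $owner -PtrDomainName $entry.Key
    }
}
```

    Run it on the DNS server that will own the zone. Once the zone exists, domain members that have "Register this connection's addresses in DNS" enabled add their own PTRs on the next ipconfig /registerdns or reboot, so the static records above are only needed for the DCs themselves.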
  12. aks

    aks Guest

    Oh God! Upon following your last msg, dcdiag is not giving any more errors -
    looks like replication finally works.

    Please suggest the next step. I still see some errors as mentioned in my
    last post.

    thanks much !
     
    aks, Feb 22, 2005
    #12
  13. aks

    aks Guest

    Quickly want to update you on this:

    - I tried changing permissions on serv2 and serv3 so I could delete
    orange.com from the FLZ (it was running as primary). Added orange.com as
    secondary on both.

    - When I run netdiag /test:dns, I get the error "cannot find a primary
    authoritative DNS server for the name 'serv1.orange.com'. Warning: Dns
    entries for this DC cannot be verified right now on dns server 192.1.2.3 (ip
    of serv1, only DNS server running on this IP for the entire forest). Error:
    No dns servers have the dns records for this DC registered".

    - dcdiag /v also giving lots of errors

    - What went wrong, where? My fear is that DNS on the server/s is
    unpredictable. Are there any standalone checks to monitor the heartbeat of the DNS
    server/s? If it's getting out of control, I would be happy to use dcpromo
    and do it in steps this time.
     
    aks, Feb 23, 2005
    #13
  14. aks

    ptwilliams Guest

    Right, now that we've got things replicating, all you need to do is point
    the DCs back at themselves for DNS.

    There's no need to remove the zones and add secondaries. This was a
    fudge...you caught me on one of my days when all my thoughts are extremely
    long winded and convoluted ;-)

    Here's basically what we've done...

    Pointed all DCs at one box and reregistered DNS SRV records. Now, each DC
    can resolve the appropriate records to be able to replicate. So, you can
    change it back to how it was - as they've replicated the correct data,
    things will work. As long as you don't knock the boxes off for ages, or
    change IP addresses, etc., this shouldn't happen again...

    Before running DCDIAG again, flush the event logs and then wait an hour or
    so.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

     
    ptwilliams, Feb 23, 2005
    #14
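    Paul's summary above (point every DC at one DNS server, re-register the SRV records, then point each DC back at itself) only works if every DC's locator records are present on the DNS servers that DC actually uses. This is an added example, not code from the thread or from either poster, that checks exactly that: the DSA-GUID CNAME under _msdcs (the record dcdiag reported as "not registered"), the dc._msdcs SRV records and the DC's own A record, resolved against each DC's configured DNS servers. It assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 or later) and remoting rights to the DCs; on the thread's Windows Server 2003 hosts the equivalent manual steps are dcdiag /test:dns and nltest /dsregdns.

```powershell
# Added example: verify and repair DC locator DNS registration forest-wide.
Import-Module ActiveDirectory
Import-Module DnsClient

function Get-DcLocatorRecords {
    param([Parameter(Mandatory)]$Dc)   # object returned by Get-ADDomainController
    $forestRoot = (Get-ADForest).RootDomain
    # The GUID in <guid>._msdcs.<forest root> is the objectGUID of the DC's NTDS
    # Settings object, not the computer account's objectGUID.
    $ntds = Get-ADObject -Identity $Dc.NTDSSettingsObjectDN -Properties objectGUID -Server $Dc.HostName
    $guid = $ntds.objectGUID.Guid
    $fqdn = $Dc.HostName
    @(
        [pscustomobject]@{ Name = "$guid._msdcs.$forestRoot";                               Type = 'CNAME'; Expect = $fqdn }
        [pscustomobject]@{ Name = "_ldap._tcp.dc._msdcs.$($Dc.Domain)";                     Type = 'SRV';   Expect = $fqdn }
        [pscustomobject]@{ Name = "_kerberos._tcp.dc._msdcs.$($Dc.Domain)";                 Type = 'SRV';   Expect = $fqdn }
        [pscustomobject]@{ Name = "_ldap._tcp.$($Dc.Site)._sites.dc._msdcs.$($Dc.Domain)";  Type = 'SRV';   Expect = $fqdn }
        [pscustomobject]@{ Name = $fqdn;                                                     Type = 'A';     Expect = $Dc.IPv4Address }
    )
}

function Test-DcDnsRegistration {
    param([Parameter(Mandatory, ValueFromPipeline)]$Dc)
    process {
        # Ask the DC which DNS servers it points at. Resolving from the admin
        # workstation would hide the per-DC inconsistency this thread suffered from.
        $servers = Invoke-Command -ComputerName $Dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                ForEach-Object { $_.ServerAddresses } |
                Select-Object -Unique
        }
        foreach ($rec in Get-DcLocatorRecords -Dc $Dc) {
            foreach ($srv in $servers) {
                $status = 'MISSING'
                try {
                    $ans = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $srv -DnsOnly -ErrorAction Stop
                    $hit = switch ($rec.Type) {
                        'CNAME' { $ans | Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost   -eq $rec.Expect } }
                        'SRV'   { $ans | Where-Object { $_.Type -eq 'SRV'   -and $_.NameTarget -eq $rec.Expect } }
                        'A'     { $ans | Where-Object { $_.Type -eq 'A'     -and $_.IPAddress  -eq $rec.Expect } }
                    }
                    # SRV names are shared by all DCs of a domain; this DC only has to be one target.
                    $status = if ($hit) { 'OK' } else { 'PRESENT-BUT-NOT-THIS-DC' }
                } catch { }
                [pscustomobject]@{ DC = $Dc.HostName; DnsServer = $srv; Record = $rec.Name; Type = $rec.Type; Status = $status }
            }
        }
    }
}

function Repair-DcDnsRegistration {
    param([Parameter(Mandatory)]$Dc)
    # Re-register the locator records from the DC itself. Restarting Netlogon has
    # the same effect, which is why the thread's advice to restart it worked.
    Invoke-Command -ComputerName $Dc.HostName -ScriptBlock {
        nltest /dsregdns | Out-Null
        Restart-Service -Name Netlogon
    }
}

# Usage: every DC in every domain of the forest. Get-ADDomainController -Filter *
# on its own only covers the domain the session is bound to.
$report = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Test-DcDnsRegistration
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

    A DC whose report shows MISSING for the CNAME on one server but OK on another is in exactly the state described in the thread: the record exists, but not on the server the replication partner asks. Run Repair-DcDnsRegistration against that DC, wait for the zone to replicate, and re-run the test before touching dcdiag.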
  15. aks

    aks Guest

    Hi Paul:

    Problems still continue.... As of this morning, I started fresh on my three
    systems as I loaded my OS (Win2k3) again - the systems had a long history
    with various groups which I wanted to get rid of... Anyway, there is no AD
    installed on them yet.

    To this point, I am just working on serv1. I have configured the DNS server on
    serv1 using the DNS wizard. I configured one forward zone and one reverse
    lookup zone. Upon executing "nslookup serv1", I get the following error:
    can't find server name for address 192.168.0.1: Non existent domain
    Server: unknown, Address: 192.168.0.1
    Unknown, can't find serv1: server failed

    Event viewer shows these informational msgs, in the order(3 being most
    recent):
    3. DNS server wrote version 1 of zone 0.168.192.in-addr.arpa to file
    0.168.192.in.addr.arpa.dns

    2. The zone orange.com is configured to accept updates but the A record
    for the primary server in the zone's SOA record is not available on this DNS
    server. This may indicate a config problem. If the address of the primary
    server for the zone control cannot be resolved, DNS clients will be unable to
    locate a server to accept updates for this zone. This will cause DNS clients
    to be unable to perform DNS updates. (this is what's been happening all
    along.... )

    1. DNS server wrote version 1 of zone orange.com to file orange.com.dns.

    Any pointers? Please advise.
     
    aks, Feb 24, 2005
    #15
  16. aks

    aks Guest

    Also, wanted to add:

    While configuring DNS using the wizard, I get this error:
    "DNS server wizard could not configure root hints. To configure root hints,
    manually or copy them from another server, select server properties, select
    'root hints' tab"

    "The wizard failed to set forwarders, IP address is invalid"

    Its the same IP I have been using all along, would appreciate getting any
    help on this.

    Thanks.
     
    aks, Feb 24, 2005
    #16
  17. aks

    Todd J Heron Guest

    Do you happen to have a "." zone listed under your forward lookup zones in the
    DNS console? If so, you will want to delete that.
     
    Todd J Heron, Feb 24, 2005
    #17
  18. aks

    ptwilliams Guest

    Upon executing "nslookup serv1", I get the following error: can't find

    Probably because there's no PTR record for the server. Run ipconfig
    /registerdns on the DC/DNS server.


    How did you setup DNS this time? Did the Wizard do it? Or did you do it
    manually?

    Remember, if you've not yet promoted this box to a DC it probably doesn't
    have a primary DNS suffix yet (you can set this through the System applet\
    Computer Name)


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

     
    ptwilliams, Feb 24, 2005
    #18
  19. aks

    aks Guest

    Hi Todd:

    Thanks for the suggestion. But I do not see any "." zone in the FLZ config. This
    is what I see:

    DNS
    +SERV1
      +Forward Lookup Zones
        orange.com (3 records)
          same as parent folder, SOA, (3), serv1., hostmaster.
          same as parent folder, Name Server, serv1.
          same as parent folder, Host(A), 192.160.0.1 (showed incorrect IP, I
          changed it to 192.168.0.1)

    The FQDN computer name is serv1.orange.com (why does it say "serv1." and
    "hostmaster." above?)

    Would appreciate any suggestions.

    Thanks.
     
    aks, Feb 24, 2005
    #19
  20. aks

    ptwilliams Guest

    What do you mean it had the wrong IP? Does this machine have multiple NICs,
    or multiple IP addresses on one NIC?

    If the wizard set up DNS I can't see what can go wrong. You should just
    reboot and be done. Check that the zone is set to accept dynamic updates.
    Also ensure that the DHCP Client Service *IS* running.

    What are you trying to put in the forwarders tab?


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

     
    ptwilliams, Feb 24, 2005
    #20
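    Paul's last two replies list the preconditions for a host to register its own A and PTR records: a PTR needs a reverse zone and ipconfig /registerdns, the host needs a primary DNS suffix (not set until dcpromo or by hand), the zone must accept dynamic updates, and the DHCP Client service must be running. The following is an added example, not code from the thread or from either poster, that checks those preconditions and then registers and verifies the host. It assumes it is run on the DNS server itself with the DnsServer and DnsClient modules (Windows Server 2012 or later); orange.com and 192.168.0.1 are the thread's values.

```powershell
# Added example: check the preconditions for dynamic self-registration, then
# register and confirm the A and PTR records.
function Test-SelfRegistrationPrereqs {
    param([string]$ZoneName = 'orange.com')
    $result = [ordered]@{}

    # 1. The DHCP Client service performs dynamic DNS registration even for hosts
    #    with static addresses; if it is stopped, nothing is ever registered.
    $result.DhcpClientRunning = ((Get-Service -Name Dhcp).Status -eq 'Running')

    # 2. Without a primary DNS suffix the host has no FQDN to register. 'Domain'
    #    is the active suffix; 'NV Domain' is a pending value applied at reboot.
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $result.PrimaryDnsSuffix  = $tcpip.Domain
    $result.SuffixMatchesZone = ($tcpip.Domain -eq $ZoneName)

    # 3. Each adapter must be allowed to register its address.
    $result.NonRegisteringAdapters = @(Get-DnsClient |
        Where-Object { -not $_.RegisterThisConnectionsAddress } |
        Select-Object -ExpandProperty InterfaceAlias)

    # 4. The zone must accept dynamic updates. 'Secure' needs an AD-integrated
    #    zone and is the only setting that keeps one host from overwriting
    #    another host's records; 'NonsecureAndSecure' lets anyone on the network do so.
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction Stop
    $result.ZoneAdIntegrated  = $zone.IsDsIntegrated
    $result.ZoneDynamicUpdate = [string]$zone.DynamicUpdate
    $result.UpdatesAllowed    = ($zone.DynamicUpdate -ne 'None')

    [pscustomobject]$result
}

function Register-AndVerifyHost {
    param(
        [Parameter(Mandatory)][string]$HostFqdn,    # e.g. 'serv1.orange.com'
        [Parameter(Mandatory)][string]$IPAddress,   # e.g. '192.168.0.1'
        [string]$DnsServer = '192.168.0.1'
    )
    ipconfig /registerdns | Out-Null
    Start-Sleep -Seconds 15   # registration runs asynchronously in the DHCP Client service
    $a   = Resolve-DnsName -Name $HostFqdn  -Type A   -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
    $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
    $aValue   = if ($a)   { ($a   | Where-Object { $_.Type -eq 'A'   }).IPAddress -join ',' } else { 'MISSING' }
    $ptrValue = if ($ptr) { ($ptr | Where-Object { $_.Type -eq 'PTR' }).NameHost  -join ',' } else { 'MISSING' }
    # A missing PTR is what produces nslookup's "can't find server name for
    # address ...: Non-existent domain" line.
    [pscustomobject]@{ Host = $HostFqdn; ARecord = $aValue; PtrRecord = $ptrValue }
}

# Usage on serv1:
Test-SelfRegistrationPrereqs -ZoneName 'orange.com'
Register-AndVerifyHost -HostFqdn 'serv1.orange.com' -IPAddress '192.168.0.1'
```

    If PtrRecord stays MISSING while ARecord is filled in, the host registered fine but no reverse zone covers its subnet; create the in-addr.arpa zone first and register again.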