
Cannot replicate AD integrated DNS on third Domain Controller

1,435 views

TomKing

Apr 16, 2008, 3:47:01 AM
Hi,

I am having trouble setting up AD integrated DNS on the 3rd Domain Controller.
Here is some background information:

Environment:

Single forest, single domain. Domain name: abc.local (example only :) of
course)

The domain is configured across 2 sites. One site is called site-A, the
other is called site-B. The two sites are in different subnets: Site-A
192.168.18.0/24, Site-B 192.168.16.0/24

The three domain controllers are: DC1 (Win 2003 R2 Enterprise), DC2 (Win
2003 R2 Standard), DC3 (Win 2003 R2 Standard).

The network topology looks like this:

Site-A contains DC1

Site-B contains DC2, DC3

DC1 holds all FSMO master roles.

I've configured all three DCs as Global Catalog servers.

DC3 used to be a DC with a different name (installed by the previous IT guy). It
had the same issue: could not get DNS working. So I demoted it with ntdsutil,
removed it from AD objects, then completely re-installed and promoted it again.
Somehow the same issue occurred.

Issue:

DC1 and DC2 are pre-existing DCs. Both have DNS and DHCP running without any
problem. Recently we decided to add another DC at Site-B to eventually replace
DC2.

As I said, DC3 was a DC before (say with name DC-Trouble). It did not work
properly and DNS was not installed at all. So I disconnected it from the network,
demoted it with ntdsutil (normal demote failed), removed the AD objects and DNS
CNAME records and then re-installed the server.


To promote DC3 as a DC I've done the following:

1. Configured a static IP on the NIC, pointed the preferred DNS to DC2. In the DNS
configuration I checked "Append primary...", "Append parent..." and "Register
this connection...".

2. Joined the server to domain ABC. Installed the DNS service on the server.

3. Ran dcpromo to promote the server to AD. It finished without any errors.

4. After restart, Active Directory was created and I can see all objects are
replicated. I checked the DNS console and there was nothing created under Forward
Lookup Zones. When trying to replicate from the other DCs, I get a DNS error.

5. Did a DCdiag with /TEST:DNS. It reported that SRV records are missing on the other DCs.

6. I then manually added SRV records onto DC1 and DC2 DNS configurations.

7. After that I did a DCdiag /test:dns again. This time it said DNS passed the
test.

8. Went back to the DNS console. The Forward Lookup Zones still contain nothing.

9. So I demoted DC3 and re-promoted it again.

10. Still DNS does not replicate. The event log has an information entry
(Event ID 4514) that says:

The DNS server detected that it is not enlisted in the replication scope of
the directory partition ForestDnsZones.ABC.local. This prevents the zones
that should be replicated to all DNS servers in the ABC.local forest from
replicating to this DNS server.


To create or repair the forest-wide DNS directory partition, open the the
DNS console. Right-click the applicable DNS server, and then click 'Create
Default Application Directory Partitions'. Follow the instructions to create
the default DNS application directory partitions. For more information, see
'To create the default DNS application directory partitions' in Help and
Support.


The error was 9002.

I tried to follow the steps given there, but it failed with the error "There was a
server failure".

11. There is also an error entry (event ID 4015) in the DNS event log that says:

The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error
debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392,
#1:

0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att
9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

12. Based on this error, there may be a hotfix for it. I downloaded the
hotfix, but obviously I've already got a newer version installed.

13. Did a DCdiag and the output is:


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Site-B\DC3
Starting test: Connectivity
......................... DC3 passed test Connectivity

Doing primary tests

Testing server: Site-B\DC3
Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
......................... DC3 passed test Replications
Starting test: NCSecDesc
......................... DC3 passed test NCSecDesc
Starting test: NetLogons
......................... DC3 passed test NetLogons
Starting test: Advertising
......................... DC3 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC3 passed test KnowsOfRoleHolders
Starting test: RidManager
Warning: rid set reference is deleted.
ldap_search_sW of CN=RID
Set\0ADEL:ef1c539d-33e7-4735-aa0b-3af64e5a2983,CN=Deleted
Objects,DC=ABC,DC=local for rid info failed with 2: Win32 Error 2
......................... DC3 failed test RidManager
Starting test: MachineAccount
......................... DC3 passed test MachineAccount
Starting test: Services
......................... DC3 passed test Services
Starting test: ObjectsReplicated
......................... DC3 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC3 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC3 failed test frsevent
Starting test: kccevent
......................... DC3 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC00038C2
Time Generated: 04/16/2008 13:48:33
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:30
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:30
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:30
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:30
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:31
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:31
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:31
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 13:51:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410B
Time Generated: 04/16/2008 14:08:07
Event String: The request for a new account-identifier pool

An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:10
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:10
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:11
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:11
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:11
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:11
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:12
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:12
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:12
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:12
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:13
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:13
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:11:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:21
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:21
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:22
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:22
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:22
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:22
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:23
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:23
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:23
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:23
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:24
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:24
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 04/16/2008 14:31:25
(Event String could not be retrieved)
......................... DC3 failed test systemlog
Starting test: VerifyReferences
......................... DC3 passed test VerifyReferences

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : ABC
Starting test: CrossRefValidation
......................... ABC passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ABC passed test CheckSDRefDom

Running enterprise tests on : ABC.local
Starting test: Intersite
......................... ABC.local passed test Intersite
Starting test: FsmoCheck
......................... ABC.local passed test FsmoCheck


From the log, I can see the RID Manager is missing for DC3. Googling around, it seems
like I have to seize it back?! Not sure how to do this. With ntdsutil.exe?

I tried a NetDiag as well. Below is the output of it:


Computer Name: DC3
DNS Host Name: DC3.ABC.local
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 6 Model 15 Stepping 6, GenuineIntel
List of installed hotfixes :


Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : DC3
IP Address . . . . . . . . : 192.168.16.245
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.16.250
Dns Servers. . . . . . . . : 192.168.16.247 (DC2)
192.168.18.248 (DC1)


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{8B3890BC-0345-4B65-905E-2B9B531807B3}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.16.247' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.18.248'. Please wait for 30 minutes for DNS server
replication.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{8B3890BC-0345-4B65-905E-2B9B531807B3}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{8B3890BC-0345-4B65-905E-2B9B531807B3}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Failed
Secure channel for domain 'ABC' is to '\\DC1.ABC.local'.
[FATAL] Cannot set secure channel for domain 'ABC' to PDC emulator.
[ERROR_NO_TRUST_SAM_ACCOUNT]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/DC3.ABC.local' is
missing on DC 'DC1.ABC.local'.
[WARNING] The default SPN registration for 'HOST/DC3' is missing on DC
'DC1.ABC.local'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

No idea what SPN registration is. Maybe it is caused by the DNS issue?

I've been trying to fix this issue for the last couple of days. A bit lost, to be
honest. Any suggestions are welcome.

Thanks.

Tom
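Events 4514 (error 9002) and 4015 (CONSTRAINT_ATT_TYPE on msDS-NC-Replica-Locations) both concern the replica set of the DNS application directory partitions, which lives on the crossRef objects under CN=Partitions in the Configuration NC. The following check is an added example, not part of the thread: it lists which DCs each DNS partition is enlisted on and flags any value that points at a deleted NTDS Settings object (the same "\0ADEL:" mangling that appears in the RidManager test above). It assumes it runs on a domain-joined machine with System.DirectoryServices available; the names DC3 and abc.local are only illustrative.

```powershell
# Added example (not from the thread): audit the replica locations of the
# DNS application directory partitions and flag stale (deleted) references.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

foreach ($crossRef in $partitions.Children) {
    if ($crossRef.SchemaClassName -ne "crossRef") { continue }
    $ncName = [string]$crossRef.Properties["nCName"].Value
    # Only ForestDnsZones / DomainDnsZones matter for events 4514 and 4015.
    if ($ncName -notmatch '^DC=(ForestDnsZones|DomainDnsZones),') { continue }

    Write-Host "Partition: $ncName"
    $replicaLocations = @($crossRef.Properties["msDS-NC-Replica-Locations"])
    if ($replicaLocations.Count -eq 0) {
        Write-Host "  (no replica locations: no DNS server is enlisted yet)"
    }
    foreach ($loc in $replicaLocations) {
        $dn = [string]$loc
        if ($dn -match '\\0ADEL:') {
            # A replica location whose NTDS Settings object has been deleted
            # (for example a demoted DC that was not fully cleaned up).
            Write-Host "  STALE  $dn"
        } else {
            # DN form: CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,... ; take the DC name.
            $server = (($dn -split ",")[1]) -replace '^CN=', ''
            Write-Host "  OK     $server"
        }
    }
}
```

A server that is missing from the list can be enlisted with `dnscmd DC3 /EnlistDirectoryPartition ForestDnsZones.abc.local` (and likewise for DomainDnsZones); a STALE entry is a value to remove from the crossRef object first, since the DNS server cannot add itself to a replica set that still references a deleted object.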

Meinolf Weber

Apr 16, 2008, 3:58:17 AM
Hello TomKing,

About the DC3 which you have trouble with. You said you demoted it with ntdsutil;
did you also clean up AD after the demotion? Not only deleting the name in
AD, but also using ntdsutil to remove it completely according to: http://support.microsoft.com/kb/216498

Did you then clean up DNS with the old records and check after that that replication
has occurred and removed all old entries about this machine BEFORE starting
the new install? Did you choose a new name or the same name as the old one
had?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Jorge Silva

Apr 16, 2008, 8:09:21 AM
Hi
Assuming all steps provided by Meinolf, also remove any entries for that
server in DNS and AD. Before repromoting that server, point the DC3 primary
DNS NIC configuration to an existing, functional and valid internal DNS
server. Sometimes the replication may take a long time until you see the
information. After dcpromo restart the server twice, then force replication.
--
I hope that the information above helps you.

Have a Nice day.

Jorge Silva
MVP Directory Services

TomKing

Apr 16, 2008, 7:29:00 PM
Thanks for the reply guys.

I did follow the MS article to remove the old DNS records and clean up the AD
after using ntdsutil.exe. And I did do a force replication after the demote.
But anyway I am going to try demoting the DC again and re-promoting it. This time
I will try waiting a bit longer before promoting it back. Let's see how it goes.

Thanks again for the help.

Tom

Jorge Silva

Apr 17, 2008, 5:21:32 AM
good luck