DNS not syncing between PDC and BDC


usenet.lloydgm

Hello, if anyone could help I'd be most appreciative. I'll try to make
this simple.

ISSUE: PDC and BDC are not synchronizing their Active Directory user
accounts.

DATA: The PDC, a Windows 2000 SP4 server, which primarily acts as a
data and print server had not received any updates in 1.5 years.
Someone decided to update the server which included all of these
updates. On reboot the computer hung on "Preparing network
connections...". A repair installation (overtop) was installed and now
the server allows you to log in. The BDC (also a Windows 2000 SP4 Server)
gives error messages regarding its inability to find the GC (Global
Catalog). The BDC is primarily a Terminal Server, and a software
package that resides on the Terminal Server which requires users to have
at least Power User rights will not work unless you are logged in as
the administrator on the Terminal Server. If you try to add any groups
of users or individual users to Administrators you receive messages
regarding the inability to find the Global Catalog.


IDEAS: Can I demote the PDC (which was the one that received the
updates), effectively turning the BDC into the new PDC?

Thanks in advance!
 
A little update: The PDC that had to be rebuilt was not upgraded back
to SP4 until after my original post. As a result the BDC no longer
complains about the Global Catalog.

What event in the event view would show synchronization?

Thanks!
 
> A little update: The PDC that had to be rebuilt was not upgraded back
> to SP4 until after my original post. As a result the BDC no longer
> complains about the Global Catalog.
>
> What event in the event view would show synchronization?
>
> Thanks!

The NTFRS event log will show if you have any problems with replication but
not necessarily if replication is working; only after there was a
problem would it state that replication has been established between the
problem DCs. Also, all DCs should be of the same SP level due to variances.

But first, just an FYI, there is no such thing as a PDC or BDC in Active
Directory. One server may hold a PDC Emulator FSMO Role that performs
certain functions, but nothing like what a PDC did in NT4. The way your post
was written sounds like you have an NT4 domain. All domain controllers are
equal entities in AD. They are all master replicas, not like NT4 where one
is the master where all data is created and altered and the BDCs just
receive copies of the database. In AD you can change anything anywhere at
anytime and only the changes get replicated around.

The FSMO roles can be transferred dynamically between DCs. But you need a
really good reason to transfer them. There are few reasons, many are design
based reasons and service reasons because one FSMO cannot work with a GC.
Keep in mind, a GC is NOT a FSMO, but rather a service that runs on a DC. If
you lose a DC, depending on what FSMO role it held, we need to determine if
we can transfer that role or not to another DC. Some roles cannot be just
transferred and moved back if the original DC holding the role is back up
online. Some roles you can. If a DC is damaged beyond repair, then depending
on which role(s) it held, we may need to force or "seize" the role and move
it to another DC, but depending on which FSMO role it is, the original one
may never be allowed to come back up online or serious issues can result.

Here's more info on FSMO Roles below, but keep in mind, it is nothing like
NT4.

197132 - Windows 2000 Active Directory FSMO Roles:
http://support.microsoft.com/?id=197132

255690 - HOW TO View and Transfer FSMO Roles in the Graphical User
Interface:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690

That said, re-reading your original post, the issues you describe tell me
you may have a possible DNS misconfiguration. I've seen this with many NT4
administrators who have upgraded to Active Directory. DNS is the focal point
of AD. DNS stores all of AD's service locations. Whenever any machine in an
AD environment is "looking" for an AD service or function (such as logging
in, booting up, authentication requests, etc), it queries DNS asking it
where to find the DC that will handle that appropriate service. GCs are
found by asking DNS. If you are using an ISP's DNS address in any machines'
IP properties (this includes DCs, member servers and clients), then the
ISP's DNS does not have that answer. Even if you mix up internal DNS and
ISP's DNS addresses, the resolver algorithm can still have trouble asking
the correct DNS server.

So first the best way to determine how to help is to view your current
configuration of your DCs and one of your clients. If you can post some of
this info, one of the many MVPs and engineers in the newsgroup will be more
than happy to point out where the problem is:

1. Unedited ipconfig /all from a client and from your DC(s)
2. The actual DNS domain name of AD (found in ADUC)
3. The zonename spelling in your Forward Lookup Zones in DNS for your AD
zone.
4. If updates are set to allow under the zone's properties
5. If any of the DCs have more than one NIC
6. Do you have a firewall? If so, what brand? (not needed here)
7. Is/are forwarder(s) configured?
8. Do the SRV records exist under your zone name?
9. dcdiag /v /fix (post the results please)
10. netdiag /v /fix (post the results please)
11. dnscmd /enumzones yourADdomainname.com (post results please)
12. net start (post results please)

Thanks!

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
> A little update: The PDC that had to be rebuilt was not upgraded back
> to SP4 until after my original post. As a result the BDC no longer
> complains about the Global Catalog.
>
> What event in the event view would show synchronization?
>
> Thanks!

are there any event id errors in the event logs?

What does DCDIAG /V say on each DC?
 
> Hello, if anyone could help I'd be most appreciative. I'll try to
> make this simple.
>
> ISSUE: PDC and BDC are not synchronizing their Active Directory user
> accounts.
>
> DATA: The PDC, a Windows 2000 SP4 server, which primarily acts as a
> data and print server had not received any updates in 1.5 years.


Am I reading this right, it has been 1.5 years since the last successful
replication between these servers?
 
Kevin D. Goodknecht Sr. said:
> Am I reading this right, it has been 1.5 years since the last
> successful replication between these servers?

The way I read it, I don't believe it's replication, but rather Windows
updates from Microsoft's site. If it was an AD issue, there would have been
more problems due to the 60 day tombstone.

Ace
 
Ace Fekay said:
> The way I read it, I don't believe it's replication, but rather
> Windows updates from Microsoft's site. If it was an AD issue, there
> would have been more problems due to the 60 day tombstone.

That's why I had to ask. Because that part was not clear, because of this
statement:
"ISSUE: PDC and BDC are not synchronizing their Active Directory user
accounts."
 
Thanks all for the ideas. I finally got it resolved. I'm sorry if I
didn't explain things well enough as AD and how Windows Server uses DNS
is still new to me. The two things that fixed my problem were this:

1. Updated rebuilt server to SP4 (per previous post)
2. DNS server was set to 4.2.2.2 instead of pointing to itself.

The DNS server was set to 4.2.2.2 in its own Network Settings due to
an MS article that I apparently misinterpreted. I thought it noted
that the DNS server should be set to something other than itself. So,
it was changed to 4.2.2.2.

I appreciate everyone's efforts!
 
Ace - thanks for the info, I've looked over that information and now
have a better understanding of AD. I assumed the PDC/BDC model stuck
in AD which explains the confusion of my original post.

Thanks for the enlightenment!
 
> Thanks all for the ideas. I finally got it resolved. I'm sorry if I
> didn't explain things well enough as AD and how Windows Server uses
> DNS is still new to me. The two things that fixed my problem were
> this:
>
> 1. Updated rebuilt server to SP4 (per previous post)
> 2. DNS server was set to 4.2.2.2 instead of pointing to itself.
>
> The DNS server was set to 4.2.2.2 in its own Network Settings due to
> an MS article that I apparently misinterpreted. I thought it noted
> that the DNS server should be set to something other than itself. So,
> it was changed to 4.2.2.2.
>
> I appreciate everyone's efforts!

DNS misconfig will do it all the time.

The 4.2.2.2 server should ONLY be configured as a forwarder in the DNS
server's properties (do it individually on all DNS servers), and all
machines point only to the internal DNS server.

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
http://support.microsoft.com/?id=323380

Ace
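The two rules Ace gives in this thread (every machine, DCs included, resolves only against the internal DNS servers; the ISP's resolver such as 4.2.2.2 appears only in the DNS server's forwarder list) can be checked mechanically against the `ipconfig /all` output his checklist asks for. The script below is an added example written for this page, not code from the thread or from Microsoft. The `ipconfig /all` text, the host `dc1`, the domain `corp.example.test`, the addresses 192.168.1.10/11 and the `INTERNAL_DNS` set are constructed for the example; the parser handles the wrapped second "DNS Servers" line that Windows prints, and the self-pointing check encodes the fix the original poster reported.

```python
"""Audit Windows resolver and forwarder settings for an AD domain.

Rules checked (from the thread):
  1. Every adapter's DNS Servers entries must be internal DNS servers.
  2. A DC that runs DNS should list itself.
  3. Forwarders must be external resolvers, never one of your own DNS servers.
All sample data in this file is constructed for the example.
"""
import ipaddress
import re

# Constructed sample, modelled on Windows 2000 'ipconfig /all' output:
# a DC whose resolver points at the public 4.2.2.2 address from the thread.
IPCONFIG_DC_BAD = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dc1
        Primary DNS Suffix  . . . . . . . : corp.example.test

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example NIC (constructed)
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 4.2.2.2
"""

# The same DC after the fix: it lists itself first, then the other DC.
# Windows prints the second DNS server on its own indented line.
IPCONFIG_DC_GOOD = IPCONFIG_DC_BAD.replace(
    "DNS Servers . . . . . . . . . . . : 4.2.2.2",
    "DNS Servers . . . . . . . . . . . : 192.168.1.10\n"
    "                                    192.168.1.11",
)

# Constructed: the internal DNS servers (the two DCs running the DNS service).
INTERNAL_DNS = {"192.168.1.10", "192.168.1.11"}

# "Key . . . . : value" lines; the dots and spaces before the colon are padding.
KEY_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(?P<val>.*)$")
# Continuation line carrying only an IPv4 address (extra DNS servers).
IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Return a list of adapters: {'name': str, 'ip': str|None, 'dns': [str]}."""
    adapters, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers are unindented and end with a colon.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"name": line.rstrip()[:-1], "ip": None, "dns": []}
            adapters.append(current)
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            key, val = m.group("key").strip(), m.group("val").strip()
            last_key = key
            if key == "IP Address":
                current["ip"] = val
            elif key == "DNS Servers" and val:
                current["dns"].append(val)
            continue
        m = IP_RE.match(line)
        if m and current is not None and last_key == "DNS Servers":
            current["dns"].append(m.group(1))
    return adapters


def audit_resolver(adapters, internal_dns):
    """Findings for rules 1 and 2; an empty list means the resolver looks right."""
    findings = []
    for a in adapters:
        name = a["name"]
        if not a["dns"]:
            findings.append(f"{name}: no DNS servers configured")
            continue
        for d in a["dns"]:
            try:
                ipaddress.ip_address(d)
            except ValueError:
                findings.append(f"{name}: unparsable DNS server entry {d!r}")
                continue
            if d not in internal_dns:
                findings.append(
                    f"{name}: resolver {d} is not an internal DNS server; "
                    "AD SRV lookups (_ldap, _gc, _kerberos) cannot be answered there")
        if a["ip"] in internal_dns and a["ip"] not in a["dns"]:
            findings.append(f"{name}: this host runs internal DNS but does not point at itself")
    return findings


def audit_forwarders(forwarders, internal_dns):
    """Rule 3: a forwarder aimed at one of your own DNS servers only loops the query."""
    return [f"forwarder {f} is an internal DNS server; forwarders must be external"
            for f in forwarders if f in internal_dns]


if __name__ == "__main__":
    for label, text in (("before", IPCONFIG_DC_BAD), ("after", IPCONFIG_DC_GOOD)):
        print(label, audit_resolver(parse_ipconfig(text), INTERNAL_DNS) or "OK")
    print("forwarders", audit_forwarders(["4.2.2.2"], INTERNAL_DNS) or "OK")
```

Run it against the pasted `ipconfig /all` from each DC and client, with `INTERNAL_DNS` set to the addresses of your own DNS servers; any finding is a machine that will hit exactly the "cannot find the Global Catalog" symptom from the original post.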
 