DNS SRV Records Question


Phil Teale

Hi There

We lost our main DNS server a couple of weeks ago and have since been
having replication issues. After running dcdiag I am pretty sure that
the culprit is the SRV records in the DNS server pointing to the dead
box: I have looked in all the sub-keys of the _msdcs tree and they
are showing the old DNS server name.

Will I need to go and manually edit all the instances of this to point
to the new DNS server? I have enabled dynamic updates, but am not
sure if this will update the SRV records on the DNS server.

Any help would be very much appreciated.

Thanks

Phil Teale
 

You shouldn't have to manually do anything. SRVs are auto-created. However,
to make it work, there are a few things that need to be set in place:

1. AD DNS domain name is NOT a single label name (such as "domain" rather
than the required format "domain.com").
2. The zone name in DNS must match the AD DNS name in #1.
3. The Primary DNS Suffix of the machine (found in My Comp properties,
computername tab) MUST match #1 and #2 above.
4. Zone needs updates to be allowed.

If you are not sure where to proceed with this info, please post:

1. Unedited ipconfig /all of the DC
2. AD DNS Domain name
3. The zone name in DNS.
4. OS version and Service Pack level.

Thanks

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Hi Ace

Thanks very much for your reply

Here is the information you requested:

The AD DNS name is ad.farlite.co.nz

The DNS Zone name in the Forward Lookup Zone is ad.farlite.co.nz

Here is the output from the Ipconfig /all command:

Windows 2000 IP Configuration



Host Name . . . . . . . . . . . . : dcrep
Primary DNS Suffix . . . . . . . : ad.farlite.co.nz
Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : ad.farlite.co.nz
farlite.co.nz
co.nz

Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink 10/100 PCI For
Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-E0-18-92-4E-5C

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.249

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.8

DNS Servers . . . . . . . . . . . : 192.168.1.250
192.168.0.9

Running Win2k server SP4

I think the problem is related to the fact that a couple of days ago
we lost our main DNS server sited in NZ (I am in Aus). I'm not sure
that the server was demoted correctly, so a lot of information in the
AD is still pointing to that server (farlite). I have built another
DNS server (192.168.0.9) to take the place of it, but dcdiag is
failing on the replication test. (info below)


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: SydneySite\DCREP
Starting test: Connectivity
......................... DCREP passed test Connectivity

Doing primary tests

Testing server: SydneySite\DCREP
Starting test: Replications
[Replications Check,DCREP] A recent replication attempt
failed:
From DLAPPS to DCREP
Naming Context:
CN=Schema,CN=Configuration,DC=ad,DC=farlite,DC=co,DC=nz
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
The failure occurred at 2004-10-06 08:20.40.
The last success occurred at 2004-10-05 04:53.15.
38 failures have occurred since the last success.
The guid-based DNS name
b19d71b0-cd0f-4a2a-817d-84ee7284385f._msdcs.ad.farlite.co.nz
is not registered on one or more DNS servers.
[Replications Check,DCREP] A recent replication attempt
failed:
From PILWEB to DCREP
Naming Context:
CN=Schema,CN=Configuration,DC=ad,DC=farlite,DC=co,DC=nz
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
The failure occurred at 2004-10-06 09:05.39.
The last success occurred at 2004-10-05 13:35.57.
156 failures have occurred since the last success.
The guid-based DNS name
4addc731-c1de-4d53-baf2-3575f90363dd._msdcs.ad.farlite.co.nz
is not registered on one or more DNS servers.
[Replications Check,DCREP] A recent replication attempt
failed:
From DLAPPS to DCREP
Naming Context:
CN=Configuration,DC=ad,DC=farlite,DC=co,DC=nz
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
The failure occurred at 2004-10-06 08:20.40.
The last success occurred at 2004-10-05 04:53.15.
38 failures have occurred since the last success.
The guid-based DNS name
b19d71b0-cd0f-4a2a-817d-84ee7284385f._msdcs.ad.farlite.co.nz
is not registered on one or more DNS servers.
[Replications Check,DCREP] A recent replication attempt
failed:
From PILWEB to DCREP
Naming Context:
CN=Configuration,DC=ad,DC=farlite,DC=co,DC=nz
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
The failure occurred at 2004-10-06 09:05.39.
The last success occurred at 2004-10-05 13:35.56.
156 failures have occurred since the last success.
The guid-based DNS name
4addc731-c1de-4d53-baf2-3575f90363dd._msdcs.ad.farlite.co.nz
is not registered on one or more DNS servers.
[Replications Check,DCREP] A recent replication attempt
failed:
From DLAPPS to DCREP
Naming Context: DC=ad,DC=farlite,DC=co,DC=nz
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
The failure occurred at 2004-10-06 08:20.40.
The last success occurred at 2004-10-05 04:53.14.
38 failures have occurred since the last success.
The guid-based DNS name
b19d71b0-cd0f-4a2a-817d-84ee7284385f._msdcs.ad.farlite.co.nz
is not registered on one or more DNS servers.
[Replications Check,DCREP] A recent replication attempt
failed:
From PILWEB to DCREP
Naming Context: DC=ad,DC=farlite,DC=co,DC=nz
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
The failure occurred at 2004-10-06 09:05.39.
The last success occurred at 2004-10-05 13:35.55.
156 failures have occurred since the last success.
The guid-based DNS name
4addc731-c1de-4d53-baf2-3575f90363dd._msdcs.ad.farlite.co.nz
is not registered on one or more DNS servers.
......................... DCREP passed test Replications
Starting test: NCSecDesc
......................... DCREP passed test NCSecDesc
Starting test: NetLogons
......................... DCREP passed test NetLogons
Starting test: Advertising
......................... DCREP passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: CN="NTDS Settings
DEL:d013e16e-8ccf-4c4b-8c32-774f0e7f4fdb",CN="farlite
DEL:7a5ad4ad-5120-43ca-9c9c-83a829c3f2b3",CN=Servers,CN=Auckland,CN=Sites,CN=Configuration,DC=ad,DC=farlite,DC=co,DC=nz
is the Schema Owner, but is deleted.
[DLAPPS] DsBind() failed with error 1722,
The RPC server is unavailable..
Warning: DLAPPS is the Domain Owner, but is not responding to
DS RPC Bind.
[DLAPPS] LDAP connection failed with error 58,
The specified server cannot perform the requested operation..
Warning: DLAPPS is the Domain Owner, but is not responding to
LDAP Bind.
Warning: DLAPPS is the PDC Owner, but is not responding to DS
RPC Bind.
Warning: DLAPPS is the PDC Owner, but is not responding to
LDAP Bind.
Warning: DLAPPS is the Rid Owner, but is not responding to DS
RPC Bind.
Warning: DLAPPS is the Rid Owner, but is not responding to
LDAP Bind.
Warning: DLAPPS is the Infrastructure Update Owner, but is
not responding to DS RPC Bind.
Warning: DLAPPS is the Infrastructure Update Owner, but is
not responding to LDAP Bind.
......................... DCREP failed test
KnowsOfRoleHolders
Starting test: RidManager
[DCREP] DsBindWithCred() failed with error 1722. The RPC
server is unavailable.
......................... DCREP failed test RidManager
Starting test: MachineAccount
......................... DCREP passed test MachineAccount
Starting test: Services
......................... DCREP passed test Services
Starting test: ObjectsReplicated
......................... DCREP passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... DCREP passed test frssysvol
Starting test: kccevent
......................... DCREP passed test kccevent
Starting test: systemlog
......................... DCREP passed test systemlog

Running enterprise tests on : ad.farlite.co.nz
Starting test: Intersite
......................... ad.farlite.co.nz passed test
Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... ad.farlite.co.nz failed test
FsmoCheck

As you can see from this - farlite is still being listed as holding
the FSMO roles and several other important roles.

The strange thing is that this particular DC (dcrep) cannot resolve
the server now holding the FSMO roles (dlapps) whereas all the other
servers can. I can perform a reverse lookup from IP address to
hostname, but a hostname to IP address lookup fails.

I am contemplating promoting a member server to a DC, in the hope that
this will re-sync all the AD information between the DC's and remove
the corruption - would this help?

Sorry for the long post - I hope that this information will help!

Thanks again

Phil
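The dcdiag output above is long, and the useful part of it is small: which source DC each failure comes from, which naming context, which error code, and which guid-based _msdcs name could not be resolved. The following script is an added example, not code from the thread or from Microsoft; it parses that text into a structured list and sets the DNS failures (8524) apart from others. The dcdiag excerpt embedded in it is constructed, modelled on the output posted above, with a 1722 (RPC) entry added so the filtering is visible.

```python
"""Parse the 'Replications' section of dcdiag output and summarise the
DNS-related failures (error 8524).

Added example: it turns the text dcdiag prints into a structured list,
groups the failures by source DC, and collects the guid-based _msdcs
names that the target DC could not resolve, which is the list of
records to go looking for in the zone.
"""
import re
from collections import defaultdict

# Constructed excerpt, modelled on the dcdiag output in the thread.
SAMPLE_DCDIAG = """\
Testing server: SydneySite\\DCREP
   Starting test: Replications
      [Replications Check,DCREP] A recent replication attempt failed:
         From DLAPPS to DCREP
         Naming Context:
         CN=Schema,CN=Configuration,DC=ad,DC=farlite,DC=co,DC=nz
         The replication generated an error (8524):
         The DSA operation is unable to proceed because of a DNS
         lookup failure.
         The failure occurred at 2004-10-06 08:20.40.
         The last success occurred at 2004-10-05 04:53.15.
         38 failures have occurred since the last success.
         The guid-based DNS name
         b19d71b0-cd0f-4a2a-817d-84ee7284385f._msdcs.ad.farlite.co.nz
         is not registered on one or more DNS servers.
      [Replications Check,DCREP] A recent replication attempt failed:
         From PILWEB to DCREP
         Naming Context: DC=ad,DC=farlite,DC=co,DC=nz
         The replication generated an error (8524):
         The DSA operation is unable to proceed because of a DNS
         lookup failure.
         The failure occurred at 2004-10-06 09:05.39.
         The last success occurred at 2004-10-05 13:35.55.
         156 failures have occurred since the last success.
         The guid-based DNS name
         4addc731-c1de-4d53-baf2-3575f90363dd._msdcs.ad.farlite.co.nz
         is not registered on one or more DNS servers.
      [Replications Check,DCREP] A recent replication attempt failed:
         From DLAPPS to DCREP
         Naming Context: CN=Configuration,DC=ad,DC=farlite,DC=co,DC=nz
         The replication generated an error (1722):
         The RPC server is unavailable.
         The failure occurred at 2004-10-06 08:20.40.
      ......................... DCREP passed test Replications
"""

FAIL_MARKER = "A recent replication attempt failed:"
ERR_DNS_LOOKUP_FAILURE = 8524   # ERROR_DS_DNS_LOOKUP_FAILURE


def parse_failures(text):
    """Return one dict per failed replication attempt in dcdiag output.

    dcdiag wraps long values (naming contexts, guid-based names) onto the
    next line, so each block is flattened to one line before matching.
    """
    failures = []
    for chunk in text.split(FAIL_MARKER)[1:]:   # text before the first marker is preamble
        flat = " ".join(chunk.split())
        m_from = re.search(r"From (\S+) to (\S+)", flat)
        m_nc = re.search(r"Naming Context: (.+?) The replication generated", flat)
        m_err = re.search(r"generated an error \((\d+)\)", flat)
        m_count = re.search(r"(\d+) failures have occurred", flat)
        m_guid = re.search(r"guid-based DNS name (\S+\._msdcs\.\S+)", flat)
        failures.append({
            "source": m_from.group(1) if m_from else None,
            "target": m_from.group(2) if m_from else None,
            "naming_context": m_nc.group(1) if m_nc else None,
            "error": int(m_err.group(1)) if m_err else None,
            "count": int(m_count.group(1)) if m_count else None,
            "guid_name": m_guid.group(1).lower() if m_guid else None,
        })
    return failures


def summarize(failures):
    """Group the DNS-lookup failures by source DC and map each unresolved
    guid-based name to the DC it belongs to."""
    by_source = defaultdict(list)
    unresolved = {}
    for f in failures:
        if f["error"] != ERR_DNS_LOOKUP_FAILURE:
            continue                  # RPC and other errors need a different diagnosis
        by_source[f["source"]].append(f["naming_context"])
        if f["guid_name"]:
            unresolved[f["guid_name"]] = f["source"]
    return dict(by_source), unresolved


if __name__ == "__main__":
    by_source, unresolved = summarize(parse_failures(SAMPLE_DCDIAG))
    for src, ncs in by_source.items():
        print(f"{src}: {len(ncs)} naming context(s) failing with 8524")
    for name, src in unresolved.items():
        print(f"  not resolvable by the target's DNS server: {name}  (DC {src})")
```

Run against a real dcdiag capture, the `unresolved` map is the set of CNAME records to check on the DNS server the failing DC is configured to use; a 1722 entry, by contrast, points at RPC reachability rather than DNS.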
 

It's trying to replicate from DLAPPS to DCREP and from PILWEB to DCREP

DCREP is this machine, 192.168.1.249.

Is or was DLAPPS or PILWEB 192.168.0.9?
You'll need to get a copy of the zone from the other server that has the
complete copy and make sure 192.168.1.250 has a complete copy.

As for the demoted or removed DC, which one was it? Was there a problem with
it? Can it be recovered with a restore? If removed improperly, we'll need to
do a metadata cleanup on the domain to remove its reference from AD.

Ace
 

Hi Ace

DCREP is 192.168.1.249

192.168.0.9 is another DNS server called MAXWELL, DLAPPS is the PDC (I
know there is really no such thing in win2k, but it holds all the FSMO
master records) DCREP cannot resolve its address for some reason. I
think this might be part of the problem.

Should I set 192.168.1.250's alternate DNS server to be PILWEB rather
than MAXWELL? Is it bad practice to have so many DNS servers on the
network?

How do I copy a zone from one server to another?

FARLITE was the crashed DC, it has been rebuilt as a member server,
can I re-promote it into the AD? Would that be easier than removing
all the metadata from the AD? Thanks for all your help so far - as I
said, I am approaching the limit of my DNS knowledge.
 

Well, one thing that simplifies this is this is all one domain.

Is the DNS server Maxwell a DC as well? If all DNS servers are DCs, then the
zone can be made AD Integrated. This way it will replicate to all DCs thus
the zone will be available to ALL DNS servers.

If this is failing, try forcing ALL DCs to just use one DNS server, no
matter where it is, just to see if communication and replication will work.
If all DCs use the same exact one DNS server and replication is still NOT
working, then we need to look elsewhere, such as firewalls, rules, NATs,
etc. This depends on your topology, ISP, etc. You'll have to try it and test
it. That is how I would go about troubleshooting it to narrow it down and
eliminate DNS as a factor.

If FARLITE was properly removed, then no problem, you can re-promote it. If
it just "crashed" and wasn't properly removed, you MUST remove its reference
from the AD database, since other machines will be trying to replicate to
it, since they all still believe it's a partner somewhere. But I didn't see
that in the netdiag. If you check Sites and Services, servers, is it in the
list?

See this link below about a Metadata cleanup. Keep in mind, this does not
remove ALL data from a domain, just specifics, such as a failed DC.

216498 - HOW TO Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion:
http://support.microsoft.com/?id=216498.

Ace
 

Hi Ace

Thanks again for your help on this - How do I go about making the DNS
AD integrated? I am going to come in at the weekend and force all the
DC's to use PILWEB as a DNS server and see if that makes any
difference. I will post my results here for you.

Thanks again

Cheers

Phil
 

In DNS, rt-click your zone name, "ad.farlite.co.nz", choose properties. Under
the general tab, towards the top, you will show "Type:" and should presently
read "Primary Zone". Click the 'change' button to the right of it, then
choose it to be Active Directory Integrated. Do this on all DNS servers
(that are DCs). This option is not available on a DNS server that is not a
DC.

Cheers!

Ace
 

Hi Ace

The DNS was already running in integrated mode. But I took your
advice and forced all the DC's to use either of the DNS servers in NZ
as their DNS source. This worked like a treat and the replication went
ahead without any problems. This narrowed it down to the DNS server
on 192.168.1.250 as being the culprit.

I then decided to remove all the SRV records that still pointed to
FARLITE on this server and replace them with pointers to the new DNS
servers. This was quite time consuming because of all the trees off
the forward zone, but seems to have done the trick. I repointed DCREP
to 192.168.1.250 and again, the replication seems to have worked.

Now that a successful replication has occurred, I feel more confident
in following Article 216498 (removing metadata from the AD after an
unsuccessful demotion; in my case there was no demotion at all!).
I will post back and let you know how that goes.

Thanks so much for all your help in this matter.

Cheers

Phil
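Walking every tree under the forward zone for SRV records that still point at the dead DC is the time-consuming step the post above describes. The script below is an added example, not code from the thread: it does the same audit mechanically over a zone listing, and also checks the guid-based CNAME records under _msdcs that the dcdiag 8524 errors earlier in the thread referred to (a live DC with no such CNAME, or one pointing at the wrong host, is exactly what produces those errors). The zone excerpt and the DC list are constructed sample data; the GUIDs for DLAPPS and PILWEB are the two dcdiag reported as unresolvable, the others are placeholders.

```python
"""Audit an AD DNS zone's SRV and guid-based CNAME records against the
domain controllers that still exist.

Added example: finds SRV records that advertise a DC which is gone,
guid-based CNAMEs that point at a gone DC or at the wrong DC, and live
DCs whose guid-based CNAME is missing from the zone.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in zone-file syntax (not a dump of the real zone).
SAMPLE_ZONE = """\
; ad.farlite.co.nz, constructed sample
_ldap._tcp.dc._msdcs.ad.farlite.co.nz.     600 IN SRV 0 100 389  farlite.ad.farlite.co.nz.
_ldap._tcp.dc._msdcs.ad.farlite.co.nz.     600 IN SRV 0 100 389  dlapps.ad.farlite.co.nz.
_kerberos._tcp.dc._msdcs.ad.farlite.co.nz. 600 IN SRV 0 100 88   farlite.ad.farlite.co.nz.
_ldap._tcp.Auckland._sites.dc._msdcs.ad.farlite.co.nz. 600 IN SRV 0 100 389 farlite.ad.farlite.co.nz.
_gc._tcp.ad.farlite.co.nz.                 600 IN SRV 0 100 3268 pilweb.ad.farlite.co.nz.
_ldap._tcp.ad.farlite.co.nz.               600 IN SRV 0 100 389  dcrep.ad.farlite.co.nz.
b19d71b0-cd0f-4a2a-817d-84ee7284385f._msdcs.ad.farlite.co.nz. 600 IN CNAME dlapps.ad.farlite.co.nz.
11111111-2222-3333-4444-555555555555._msdcs.ad.farlite.co.nz. 600 IN CNAME farlite.ad.farlite.co.nz.
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.ad.farlite.co.nz. 600 IN CNAME dcrep.ad.farlite.co.nz.
farlite.ad.farlite.co.nz.                  600 IN A     192.168.1.250
"""

# Every DC that still exists, with its DSA GUID (the objectGUID of its
# NTDS Settings object). FARLITE is absent on purpose: it is the dead DC.
# The DCREP GUID is a constructed placeholder.
LIVE_DCS = {
    "dlapps.ad.farlite.co.nz": "b19d71b0-cd0f-4a2a-817d-84ee7284385f",
    "pilweb.ad.farlite.co.nz": "4addc731-c1de-4d53-baf2-3575f90363dd",
    "dcrep.ad.farlite.co.nz":  "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}

GUID_NAME_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.")


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str                 # host the SRV or CNAME points at
    port: Optional[int] = None


def norm(name):
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Parse SRV and CNAME lines of a zone-file style listing; other types are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "SRV":                       # rdata: priority weight port target
            records.append(Record(norm(name), "SRV", norm(rdata[3]), int(rdata[2])))
        elif rtype == "CNAME":
            records.append(Record(norm(name), "CNAME", norm(rdata[0])))
    return records


def audit_zone(records, live_dcs, zone):
    """Compare the zone with the live DC list and return the discrepancies."""
    live = {norm(h): g.lower() for h, g in live_dcs.items()}
    findings = {"stale_srv": [], "stale_cname": [],
                "mismatched_guid_cname": [], "missing_guid_cname": []}
    seen_guids = set()
    for r in records:
        if r.rtype == "SRV" and r.target not in live:
            findings["stale_srv"].append(r)      # advertises a DC that no longer exists
        elif r.rtype == "CNAME" and GUID_NAME_RE.match(r.name):
            guid = r.name.split(".")[0]
            seen_guids.add(guid)
            if r.target not in live:
                findings["stale_cname"].append(r)
            elif live[r.target] != guid:
                findings["mismatched_guid_cname"].append(r)
    for host, guid in live.items():
        if guid not in seen_guids:               # the dcdiag 8524 symptom
            findings["missing_guid_cname"].append(f"{guid}._msdcs.{norm(zone)}")
    return findings


if __name__ == "__main__":
    results = audit_zone(parse_zone(SAMPLE_ZONE), LIVE_DCS, "ad.farlite.co.nz")
    for kind, items in results.items():
        for item in items:
            print(f"{kind}: {item}")
```

The stale SRV and CNAME entries are the ones to delete (or let scavenging and metadata cleanup remove); a missing guid-based CNAME for a live DC is normally fixed by letting that DC re-register itself rather than by typing the record in, but the report tells you which server to look at either way.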
 

Hi Phil,

I'm glad I was able to have helped out. Looking forward to an update!

Ace
 