George
Hi guys,
Well the inevitable has happened. I read many posts how
people were experiencing problems with DNS. Now it has
happened to me as well. I'll briefly fill you in what took
place, and then I will give you my suggestion. I would
appreciate if you could tell me if I am making the right
decision.
Today my security team decided to upgrade our AV software;
we were using NAV 7.5 to 8.1. They tested the upgrade in
our test environment, and it worked. They upgraded the
primary NAV server from 7.6 to 8.1 without any problems,
so it had seemed at first. Then through the MMC they
decided to upgrade all our NAV clients. They did not go to
each workstation and uninstall NAV clients 7.6, instead
they used the MMC and upgraded each client to 8.1. Well, my
DCs are NAV clients as well. Prior to the upgrade I had
asked if they were positive the clients upgrade posed no
risks. Naturally all of them agreed at once, should have
known automatically when all agree at the same time, there
is something wrong with that picture. Anyhow, the upgrade
took place. Both my DCs were now NAV 8.1 clients.
Usually I check my event logs at 6:00 pm. I happened to
come across the following errors.
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 9/24/2003
Time: 6:05:51 PM
User: N/A
Computer: NBJPLDC01
Description:
The DNS server was unable to open the Active Directory.
This DNS server is configured to use directory service
information and can not operate without access to the
directory. The DNS server will wait for the directory to
start. If the DNS server is started but the appropriate
event has not been logged, then the DNS server is still
waiting for the directory to start.
Data:
0000: f5 25 00 00 õ%..
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 506
Date: 9/24/2003
Time: 6:04:39 PM
User: N/A
Computer: NBJPLDC01
Description:
The DNS server has invalid or corrupted registry parameter
NotifyServers. To correct the problem, you can delete the
applicable registry value, located under DNS server
parameters in the Windows 2000 registry. You can then
recreate it using the DNS console. For more information,
see the online Help.
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4001
Date: 9/24/2003
Time: 6:04:39 PM
User: N/A
Computer: NBJPLDC01
Description:
The DNS server was unable to open zone 52.16.10.in-addr.arpa
in the Active Directory. This DNS Server is
configured to obtain and use information from the
directory for this zone and is unable to load the zone
without it. Check that the Active Directory is functioning
properly and reload the zone. The event data is the error
code.
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 9/24/2003
Time: 6:00:17 PM
User: N/A
Computer: NBJPLDC01
Description:
The DNS server was unable to open Active Directory. This
DNS server is configured to obtain and use information
from the directory for this zone and is unable to load the
zone without it. Check that the Active Directory is
functioning properly and reload the zone. The event data
is the error code.
Data:
0000: f5 25 00 00 õ%..
Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
Date: 9/24/2003
Time: 5:56:23 PM
User: Everyone
Computer: NBJPLDC01
Description:
Unable to establish connection with global catalog.
Event Type: Warning
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1655
Date: 9/24/2003
Time: 5:56:23 PM
User: Everyone
Computer: NBJPLDC01
Description:
The attempt to communicate with global catalog
\\nbjpldc01.poplukina.nbj.sv.gov.yu failed with the
following status:
Access is denied.
The operation in progress might be unable to continue.
The directory service will use the locator to try find an
available global catalog server for the next operation
that requires one.
The record data is the status code.
Data:
0000: 05 00 00 00 ....
Looking at my DNS MMC I was flabbergasted by the fact that
my DNS server had no AD integrated DNS zone for our
domain. I quickly checked DC2 to make sure my AD DNS was
there and it was. My next move would be to restore my
backup from last night. I have spread out my AD db across
multiple partitions on the server. Therefore, my question
is as follows, is it okay to restore my system state data
in order to restore my AD integrated DNS from AD prior to
the errors I have outlined above?
I am also including below test results from ADCHECK:
DC2 Results
ADcheck Results
Detail Report
Settings
Test name: Test Replication
Machine name: NBJPLDC02
Domain name: poplukina.nbj.sv.gov.yu
Date: Wed Sep 24 23:07:44 2003
Elapsed time (in ms): 16297 ms
Description
This test scans the entire Active Directory replication
network to make sure
that the setup is valid. In order to minimize impact on
the network, this test
does NOT perform a full replication; instead it analyzes
the replication
topology of the entire network and identifies any
unavailable or unreachable
servers. After verifying the replication topology, this
test will then print
several important statistics about each of the replication
partners that can be
used to diagnose why a particular domain controller is not
getting replication
updates in a timely fashion. If this test is running
slowly, or if Active
Directory is attempting to replicate to a server that has
permanently removed,
you may be able to improve network performance by updating
the network's
replication topology.
Results
Verifying replication topology of entire network...
Detected no timeout errors...
Detected no configuration errors...
Detected no system errors...
Network replication appears to be functioning correctly!
Analyzing direct replication partners...
NBJPLDC01
Last successful replication: Wednesday, September 24, 2003 4:56:08 PM
Last replication attempt: Wednesday, September 24, 2003 10:56:07 PM
Number of recent failures: 6
Status of last attempt: Access is denied. Only members of the
Administrators group have the authority to run this operation.
Transport: Intra-site RPC
ADcheck Details
Version: 1.0
DC1 Results
ADcheck Results
Detail Report
Settings
Test name: Test Replication
Machine name: NBJPLDC01
Domain name: poplukina.nbj.sv.gov.yu
Date: Wed Sep 24 23:01:53 2003
Elapsed time (in ms): 16375 ms
Description
This test scans the entire Active Directory replication
network to make sure
that the setup is valid. In order to minimize impact on
the network, this test
does NOT perform a full replication; instead it analyzes
the replication
topology of the entire network and identifies any
unavailable or unreachable
servers. After verifying the replication topology, this
test will then print
several important statistics about each of the replication
partners that can be
used to diagnose why a particular domain controller is not
getting replication
updates in a timely fashion. If this test is running
slowly, or if Active
Directory is attempting to replicate to a server that has
permanently removed,
you may be able to improve network performance by updating
the network's
replication topology.
Results
Verifying replication topology of entire network...
Detected no timeout errors...
Detected no configuration errors...
Detected no system errors...
Network replication appears to be functioning correctly!
Analyzing direct replication partners...
NBJPLDC02
Last successful replication: Wednesday, September 24, 2003 10:48:09 PM
Last replication attempt: Wednesday, September 24, 2003 10:48:09 PM
Number of recent failures: 0
Status of last attempt: The operation completed successfully.
Transport: Intra-site RPC
ADcheck Details
Version: 1.0
Any input would be greatly appreciated.
George
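Added example, not part of George's post: a small Python triage helper that reads event records in the pasted format above, decodes each `Data:` dump as a little-endian 32-bit status code, and orders the records by time. The symbolic names for 9717 and 5 are taken from winerror.h, not from the post, and the sample is an excerpt of the records quoted above.

```python
import re
import struct
from datetime import datetime

# Win32 status codes seen in this post (values from winerror.h).
WIN32_CODES = {5: "ERROR_ACCESS_DENIED", 9717: "DNS_ERROR_DS_UNAVAILABLE"}

# Excerpt of the records quoted in the post; descriptions and ASCII column omitted.
SAMPLE = """\
Event Source: DNS
Event ID: 4013
Date: 9/24/2003
Time: 6:05:51 PM
0000: f5 25 00 00
Event Source: DNS
Event ID: 4000
Date: 9/24/2003
Time: 6:00:17 PM
0000: f5 25 00 00
Event Source: NTDS General
Event ID: 1655
Date: 9/24/2003
Time: 5:56:23 PM
0000: 05 00 00 00
"""

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time):\s*(.+)$")
DATA = re.compile(r"^0000:\s*((?:[0-9a-fA-F]{2}\s+){3}[0-9a-fA-F]{2})")

def decode_dword(hex_bytes):
    """Read four dumped bytes as a little-endian unsigned 32-bit status code."""
    return struct.unpack("<I", bytes.fromhex("".join(hex_bytes.split())))[0]

def parse_events(text):
    """Return the records in chronological order with decoded status codes."""
    events = []
    for line in map(str.strip, text.splitlines()):
        field, data = FIELD.match(line), DATA.match(line)
        if field and field.group(1) == "Event Source":
            events.append({})  # a new record starts at its source line
        if field and events:
            events[-1][field.group(1)] = field.group(2)
        elif data and events:
            code = decode_dword(data.group(1))
            events[-1].update(code=code, name=WIN32_CODES.get(code, "unknown"))
    stamp = lambda e: datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return sorted(events, key=stamp)

for e in parse_events(SAMPLE):
    print(e["Time"], e["Event Source"], e["Event ID"], e["code"], e["name"])
```

Sorted this way, the NTDS record carrying the access-denied status (5:56:23 PM) comes before the DNS records that report the directory as unavailable.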