problem with AD dns auto registration and subdomain

  • Thread starter Thread starter Paul Smith
  • Start date Start date
P

Paul Smith

Hello,

I am trying to setup 2 dc's for a child domain, domain1.int.mydomain.com.
The problem is that some of the DC dns records are not getting registered.
The ones like '
3189c2ac-f684-42ab-ae65-939df4bd34c0._msdcs.int.mydomain.com'.

The current setup is this

2 2003 domain controllers in the subdomain domain1.int.mydomain.com. 1 DC
running dns with a forward looking zone domain1.int.mydomain.com that allows
secure dynamic updates. The 1st dc was setup on site in the parent domain
and the DC records are all resolvable as they should be. The 2nd dc was
setup off site at the child domain location. It joined the subdomain fine
but there are replication problems because of the missing dns entries.
netdiag /fix shows lots of entries such as

DNS Error code: ERROR_TIMEOUT (Dns server may be down.)
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.RFH._sites.gc._msdcs.INT.mydomain.com. re-registeration on DNS
server '192.168.0.1' failed.

This only happens with the parent domain records. The local subdomain
entries ending in domain1.int.mydomain.com are all ok on the subdomains dns
server. The server 192.168.0.1 is definately up and running and accepting
dynamic updates for the subdomain.

I have the 2 dns servers of the parent domain as forwarders on my own child
domain dc.

I have tried removing and re-creating the zone on the dns server. The
domain1.int.mydomain.com records are all recreated as they should be but the
dc records for the parent domain are not. I do not have a zone for the
parent domain on the subdomains dns server.

Can anyone suggest what might be wrong?

Thanks.
 
In
Paul Smith said:
Hello,

I am trying to setup 2 dc's for a child domain,
domain1.int.mydomain.com. The problem is that some of the DC dns
records are not getting registered. The ones like '
3189c2ac-f684-42ab-ae65-939df4bd34c0._msdcs.int.mydomain.com'.

The current setup is this

2 2003 domain controllers in the subdomain domain1.int.mydomain.com.
1 DC running dns with a forward looking zone domain1.int.mydomain.com
that allows secure dynamic updates. The 1st dc was setup on site in
the parent domain and the DC records are all resolvable as they
should be. The 2nd dc was setup off site at the child domain
location. It joined the subdomain fine but there are replication
problems because of the missing dns entries. netdiag /fix shows lots
of entries such as
DNS Error code: ERROR_TIMEOUT (Dns server may be down.)
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.RFH._sites.gc._msdcs.INT.mydomain.com. re-registeration on
DNS server '192.168.0.1' failed.

This only happens with the parent domain records. The local subdomain
entries ending in domain1.int.mydomain.com are all ok on the
subdomains dns server. The server 192.168.0.1 is definately up and
running and accepting dynamic updates for the subdomain.

I have the 2 dns servers of the parent domain as forwarders on my own
child domain dc.

I have tried removing and re-creating the zone on the dns server. The
domain1.int.mydomain.com records are all recreated as they should be
but the dc records for the parent domain are not. I do not have a
zone for the parent domain on the subdomains dns server.

Can anyone suggest what might be wrong?

Thanks.
Click to expand...

Is the whole infrastructure Win2003 or is it mixed?

What shows up in the _msdcs zone on the child?

When you created it, did you make the zone AD integrated and set it to
Forest wide replication? If so, and communication and AD replication is
working, then the zone should just pop up.

What errors are you getting in your Event viewer in relation to AD? Are
there firewalls between the locations?


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Thanks for the reply.

The AD is all 2003 as far as I am aware. Our child domain certainly is, as
is the main DC's in the parent domain.

In the _msdcs zone on the child on the subdomains dns server I have dc and
pdc folders. No idividual records. In the subfolers of these there are
records of the sites etc.

I've recreated the zone just to make sure. I've told it to replicate to all
dns servers in the active directory forest and left it a while. The first
Dc which was configured at the primary site seems to rebuild all it's
records fine. . AD communication between the first dc and the rest of the
forest seems OK, but communication between the new dc's I added after bring
the first back to the site does'nt seem to work.

Event log messages like this on the dc to the new dc's in the same
site/subnet

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 05/10/2004
Time: 09:54:44
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: VAZON
Description:
The attempt to establish a replication link for the following writable
directory partition failed.

Directory partition:
DC=domain1,DC=INT,DC=mydomain,DC=com
Source domain controller:
CN=NTDS
Settings,CN=BUTTERCUP,CN=Servers,CN=RFH,CN=Sites,CN=Configuration,DC=INT,DC=mydomain,DC=com
Source domain controller address:
41fa8075-7a1c-4ae6-9713-e35f497c8b67._msdcs.INT.mydomain.com
Intersite transport (if any):


This domain controller will be unable to replicate with the source domain
controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network connectivity
is available.

Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


If I check the source address it cannot be resolved with dns. It seems the
source address which is in the parent domain, not the subdomain, is not
being registered in dns.

There is currently no firewall in between the dc's, thought they are routed
on different subnets.




"Ace Fekay [MVP]"
In
Paul Smith said:
Hello,

I am trying to setup 2 dc's for a child domain,
domain1.int.mydomain.com. The problem is that some of the DC dns
records are not getting registered. The ones like '
3189c2ac-f684-42ab-ae65-939df4bd34c0._msdcs.int.mydomain.com'.

The current setup is this

2 2003 domain controllers in the subdomain domain1.int.mydomain.com.
1 DC running dns with a forward looking zone domain1.int.mydomain.com
that allows secure dynamic updates. The 1st dc was setup on site in
the parent domain and the DC records are all resolvable as they
should be. The 2nd dc was setup off site at the child domain
location. It joined the subdomain fine but there are replication
problems because of the missing dns entries. netdiag /fix shows lots
of entries such as
DNS Error code: ERROR_TIMEOUT (Dns server may be down.)
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.RFH._sites.gc._msdcs.INT.mydomain.com. re-registeration on
DNS server '192.168.0.1' failed.

This only happens with the parent domain records. The local subdomain
entries ending in domain1.int.mydomain.com are all ok on the
subdomains dns server. The server 192.168.0.1 is definately up and
running and accepting dynamic updates for the subdomain.

I have the 2 dns servers of the parent domain as forwarders on my own
child domain dc.

I have tried removing and re-creating the zone on the dns server. The
domain1.int.mydomain.com records are all recreated as they should be
but the dc records for the parent domain are not. I do not have a
zone for the parent domain on the subdomains dns server.

Can anyone suggest what might be wrong?

Thanks.
Click to expand...

Is the whole infrastructure Win2003 or is it mixed?

What shows up in the _msdcs zone on the child?

When you created it, did you make the zone AD integrated and set it to
Forest wide replication? If so, and communication and AD replication is
working, then the zone should just pop up.

What errors are you getting in your Event viewer in relation to AD? Are
there firewalls between the locations?


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
Click to expand...
 
What I'm not quite sure on is this.

The domain we have (the subdomain) is for example domain1.int.mydomain.com.
The dns records for this domain, as far as I can see, are fine. The DC's
also need to add records for the parent domain int.mydomain.com. It is
these records that seem to be the problem. I only have the zone for
domain1.int.mydomain.com on the main dc in the subdomain. This is
configured for dynamic updates and has forwarders to the 2 dns servers in
the parent domain. The other dc's in the subdomain are configured
(currently) to use the dns server on the main dc in the subdomain.

How do updates get to the parent domain? Its the GUID server names that
don't seem to be pushed upstream and so the rest of the dc's complain they
can't find each other despite the fact all the normal machine names in the
subdomain resolve.
 
More info that might be helpfull

When I run a netdiag /fix it tries to add the missing parent domain entries
but cannot, stating that the dns server (the one in my subdomain) may be
down. It is not, but it doesn't carry a zone for the parent domain domain
anyway, ony it's subdomain?
 
In
Paul said:
What I'm not quite sure on is this.

The domain we have (the subdomain) is for example
domain1.int.mydomain.com. The dns records for this domain, as far as
I can see, are fine. The DC's also need to add records for the
parent domain int.mydomain.com. It is these records that seem to be
the problem. I only have the zone for domain1.int.mydomain.com on
the main dc in the subdomain. This is configured for dynamic updates
and has forwarders to the 2 dns servers in the parent domain. The
other dc's in the subdomain are configured (currently) to use the dns
server on the main dc in the subdomain.
How do updates get to the parent domain? Its the GUID server names
that don't seem to be pushed upstream and so the rest of the dc's
complain they can't find each other despite the fact all the normal
machine names in the subdomain resolve.
Click to expand...

Lots of problems!

You are missing the GC record under the _msdcs zone. Try this:
1. Delete the current _msdcs zone.
2. Create a new one, but make it a secondary. Specify the parent Root DNS
server as the Master.
3. Make sure zone transfers are allowed on the parent Root DNS.

As for your zone, if the child zone is
domain1.int.mydomain.com.
and the parent domain is:
int.mydomain.com.

Then at the DNS servers at the parent DNS, under the int.mydomain.com.,
create a delegation for "domain1", (rt-click int.mydomain.com, new,
delegation), and type in domain1, then specify the IP address of the child
domain's DNS server and its full FQDN.

On the child DNS server, create a zone called domain1.int.mydomain.com and
allow updates.

On the child DNS server, configure a forwarder to the parent DNS server.

In the child domain, tell ALL machines to only use the child DNS server ONLY
in their IP properties. No others, please.

Make sure the int.mydomain.com.zone does not exist on the child DNS server.

Then restart the netlogon service on the DC.

Hope that helps.

Ace
 
Thanks for that.

Do you mean to recreate the domain1.int.mydomain.com as a secondary in the
sub domain? I did try it but cannot as zone transfers are not enabled on
the parent domain dc's. I don't have access to them. I've removed and
recreated the primary again as an ad zone replicated to all dns servers in
the forest. The records in this zone are created dynamically OK. (I
restarted netlogon and ran ipconfig /registerdns on all the servers here)
Its the upstream dns server that I don't have access to that they don't seem
to be created on, i.e. the GUIDS in the parent domain. What Im trying to
clear up is, is this a problem with what I've done or can I go back to them
and say it's their problem?

"Ace Fekay [MVP]"
 
The bit I don't really understand, not having had to setup a child domain
before, is I thought it would be the same as a single domain in that the
GUID records would be created in the zone domain1.int.mydomain.com which I
am hosting. Instead the dc's are trying to create them on the
int.mydomain.com zone via my server. That zone doesn't exist on my server
(but it is forwarded to the parent), only the domain1.int.mydomain.com is
present. Maybe the delegation is messed up on the parent or I don't have
permissions required?

"Ace Fekay [MVP]"
 
I have solved this. Despite having an open router between the main dc and
the rest of the network, the main IT dept had 'tightened' the firewall so
that the new dc's could no longer talk to the roots :(

All open now and working fine.
 
In
Paul said:
I have solved this. Despite having an open router between the main
dc and the rest of the network, the main IT dept had 'tightened' the
firewall so that the new dc's could no longer talk to the roots :(

All open now and working fine.
Click to expand...

That was one of my first questions earlier in this thread. Firewalls are
usually the culprit.
:-)

Glad you got it going!

Ace
 
Back
Top