Re: active directory replication



"rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:38535E4E-44A1-4EA7-8DC7-641ADF356511@xxxxxxxxxxxxxxxx
> "Herb Martin" wrote:
>> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:3E04C878-B536-4B67-ADE1-70A1DAA41862@xxxxxxxxxxxxxxxx
>> > Herb,
>> > yes, I saw those errors (missing dc names), and I have seen them before.
>> > I opened a case with Microsoft support for them before and we were able
>> > to clear up that problem, but I will look into that again.
>>
>> You don't need to spend time or money on support calls
>> for that type of problem.
>>
>> It's easy to fix and we can help you with that.
>>
>> Keys were in my previous email.
>>
>> You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
>>
>> You make your zone dynamic; you make sure your DCs ONLY use the
>> (dynamic) DNS server (set) on their NIC.
>
> how do you make the zone dynamic?

Zone properties in the MMC (right click->Properties->General Tab)

>> You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
>> (And retest with DCDiag/NetDIAG).
>>
>> > DFS and sysvol are definitely a weak spot for me, but I did notice that
>> > in the sysvol directory, there were two extra folders that seemed to be
>> > copies of the policies and scripts folders, but with slightly different
>> > names. I moved them to another directory temporarily.
>>
>> Why?
>
> based on the names of the folders and the modification dates, it looks to
> me like they were renamed because they are no longer used.

Hmm... be careful.

>> > The scripts folder was less than 200 KB, but the policy folder was 15MB,
>> > not sure if that is normal or not.
>>
>> Many people think that I am "pretty good" with AD and I will tell you
>> that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
>> (I know HOW to do it safely but I will not do that.)
>>
>> Even scripts I create by using the GPEdit since it SUGGESTS the right
>> place to put the scripts and associates them together with the GPO
>> object.
>>
>> > I did notice what you said about the dfs replication, I think. I had
>> > created a script on friday and although I'm not sure how quickly that
>> > should replicate, it did not, even with replmon (but maybe replmon does
>> > replicate dfs, I am not sure).
>>
>> No. ReplMon is not associated with DFS (to my knowledge.)
>>
>> > There are no local firewalls that would prevent dfs replication, the
>> > only firewall is for internet traffic and all internet traffic has to go
>> > through one router at our main office. We have another router that sits
>> > under the isp router that takes care of local traffic on our WAN.
>>
>> Are you fully routed? Can you go to each (remote) DC and contact the
>> main DC (probably not) or you wouldn't be having problems -- how about
>> if you use the IP address?
>>
>
> Yes, I can contact maindc from each remote dc and I can contact the remote
> dc's from maindc. I tried just pinging by name first and then I tried
> opening a unc path by name, start-run- \\servername\sharename and had
> success either way.

Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there are no restrictive firewalls
between them.)

!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)

You might still have a DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.

>> Can you even ping between them? By name or just by number?
> either way works
>>
>> > Our DNS was a single primary zone when I arrived here and through use
>> > of folks on this community I switched to AD integrated DNS. I am certain
>> > there was plenty I missed on setup because of using a community board, so
>> > there are more than likely issues there, but I did work with someone from
>> > Microsoft to make sure that the network setting for each DC was correct.
>>
>> You would do better telling me WHAT those settings are....
>
> which settings do you mean? The NIC settings or the settings in the dns
> snapin?

Explicitly I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.

Better to tell me the settings you are referencing than to say they
"are correct."

> I'll give you the nic settings. Is there a utility I can use to pull the
> dns snapin settings?

Yes, but they aren't real convenient.

>> I cannot troubleshoot "they are correct" but I might be able to
>> help with they are "set like this..."
>
>
> nic settings are as I described before, primary dns is maindc, and
> secondary is the dc itself.

Better to do this through "ipconfig/all".

By the way: There is no such thing as "Primary" or "Secondary"
on the NIC (those are SERVER side technical terms.) It's
Preferred and Alternate.

> This made sense to me when the microsoft engineer told me
> to set it up this way because maindc is at the main office and the main
> office contains the only internet access for the entire company. I guess I
> was thinking it would help with traffic. I can certainly change that
> though.

Don't think it is going to make it work if you change this --
whether the computer uses Preferred or Alternate is ALWAYS
SOMEWHAT random.

It will just be more efficient to let the server resolve locally
(from itself).

BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main).

>> Your DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
>> pull down on the zone properties -- go check that RIGHT NOW --
>> on the Primary.
>
> yes, they are all set for secure updates.

Then they are set for DYNAMIC updates. (Secure is a form of
dynamic.)

>> Later (when we have this all working) you should PROBABLY also
>> switch to AD-Integrated DNS but let's not complicate it (yet.)
>
> I thought I already told you that I switched to ad integrated dns long ago,
> but wasn't sure if I had set it up correctly.

On every DNS-DC? I thought you just did that on the MainDC.

Each DNS-DC can be set separately. But you get the most
advantages when they are all AD-integrated BUT you must
make sure you have FULL AD replication before you make
that switch on more than one of them (e.g., main.)


>> > I think you mean under the dns snapin, if I look at the domain
>> > properties, it should be set to dynamic updates? Is that correct?
>>
>> Absolutely. In DNS MMC properties for the Zone that corresponds to
>> the AD Domain.
>>
>> > We just have the one domain at this point. I will look through your
>> > response more deeply now and work through everything you mentioned. Is
>> > there anything else that I could post here pertaining to our environment
>> > that could be helpful?
>>
>> Pick a remote DC (that is showing an error.)
>>
>> Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
>> DC and for the MainDC (we already saw the mainDC) -- please clearly
>> mark which is which and which goes with each server.
>>
>> Also, let me confirm that you have a SiteLink between EACH Site
>> and the Main one (only, no 'cross-links' between two remote sites)
>> and that each Site link is set to:
>>
>> 1) 24 hours (with some exceptions for DAYTIME only)
>> 2) every 3 hours
>> 3) cost isn't really important if you only have a central hub set
>
> yes, all set this way.
>>
>> 24 hours isn't that big a deal as long as the schedule makes sense;
>> same for 3 hours.
>>
>> But DO MAKE Sure you have AT LEAST the one SiteLink between
>> Main and EachRemoteSite.
>>
>> Also, do you have any ABANDONED DCs? (DCs that used to
>> exist but have been deleted?)
>
> I have removed a few dc's, but I always run ntdsutil metadata cleanup to
> make sure dcpromo ran correctly

Ok, but if you use DCPromo the NTDSutil is merely a double check.

>> Are you running scavenging on the DNS zone -- it's a BAD idea
>> unless you fully understand it -- many people cause more problems
>> with scavenging than they solve.
>
> Scavenging is set up for 7 days

There are three settings for scavenging:

Refresh, NoRefresh (both on zone), and Scavenging period on Server

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


>> > Each DC looks to
>> > our main office dc(maindc) for DNS first and has itself second.
>>
>> That may be best until your problem is solved BUT ultimately that
>> is not the best way for WANS. (And you will hear the naive DNS
>> admins recommend it for both cases.)
>>
>> In fact, if you NEED to put the MainDC first (to get out of a problem)
>> then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
>>
>> You cannot trust WHICH DNS a machine will use when there are
>> more than one, and with WANS it is more likely to use itself anyway.
>>
>> [Once things are working correctly you should put SELF-FIRST, others
>> after.]
>>
>> What happens when you use Ping and NSlookup from a DC to seek
>> one of those problem DCs?
>
> I have no issues from any domain controllers using ping and nslookup.
>>
>> > I honestly
>> > don't know what you mean by dynamic for the zone supporting AD?
>>
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>> >
>> > "Herb Martin" wrote:
>> >
>> >> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:8D8AB409-E88B-425B-91E9-C374A133F194@xxxxxxxxxxxxxxxx
>> >> > netdiag:
>> >>
>> >> You have (at least) problems missing names for DCs
>> >> and with FRS (file replication service) for SysVol and
>> >> since you are also using DFS you may have other problems
>> >> with DFS based on FRS.
>> >>
>> >> If you run DCDiag on each of the other (especially) problem
>> >> DCs you should see further errors (due to their inability to
>> >> register themselves).
>> >>
>> >> You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
>> >> those but likely you will first need to repair your DNS configuration.
>> >> (see below for hints).
>> >>
>> >> [I am not quite sure why your DNS is not showing MORE errors
>> >> in DCDiag though. ]
>> >>
>> >> Quick try on FRS: Do you have firewalls that might be preventing
>> >> this replication? Otherwise this may clear up when the DNS problems
>> >> are fixed.
>> >>
>> >> Most common reasons for DNS issue (which might also affect the
>> >> FRS) are EITHER:
>> >>
>> >> 1) Zone (primary etc) is not DYNAMIC
>> >> 2) DCs are NOT set STRICTLY to use INTERNAL DNS
>> >> (on their NIC properties)
>> >> 3) DCs cannot find or cannot contact the Primary/Master
>> >> (routing, firewalls, etc) to perform the registration
>> >> 4) Multiple Masters (AD Integrated) are NOT replicating,
>> >> OR Secondaries cannot copy records from their Master
>> >>
>> >> Tell us about your DNS? AD Integrated? Single Primary?
>> >> Dynamic for the zone that corresponds to your AD Domain?
>> >> (See below for Hints.)
>> >>
>> >> Hints on DNS for AD
>> >> 1) Dynamic for the zone supporting AD
>> >> 2) All internal DNS clients NIC\IP properties must specify SOLELY
>> >> that internal, dynamic DNS server (set.)
>> >> 3) DCs and even DNS servers are DNS clients too -- see #2
>> >> 4) If you have more than one Domain, every DNS server must
>> >> be able to resolve ALL domains (either directly or
>> >> indirectly)
>> >>
>> >> netdiag /fix
>> >>
>> >> ....or maybe:
>> >>
>> >> dcdiag /fix
>> >>
>> >> (Win2003 can do this from Support tools):
>> >> nltest /dsregdns /server:DC-ServerNameGoesHere
>> >> http://support.microsoft.com/kb/q260371/
>> >>
>> >> Ensure that DNS zones/domains are fully replicated to all DNS
>> >> servers for that (internal) zone/domain.
>> >>
>> >> Also useful may be running DCDiag on each DC, sending the
>> >> output to a text file, and searching for FAIL, ERROR, WARN.
>> >>
>> >> --
>> >> Herb Martin
>> >>
>> >> >
>> >> >
>> >> > Gathering IPX configuration information.
>> >> > Opening \Device\NwlnkIpx failed
>> >> > Querying status of the Netcard drivers... Passed
>> >> > Testing IpConfig - pinging the Primary WINS server... Passed
>> >> > Testing Domain membership... Passed
>> >> > Gathering NetBT configuration information.
>> >> > Testing for autoconfiguration... Passed
>> >> > Testing IP loopback ping... Passed
>> >> > Testing default gateways... Passed
>> >> > Enumerating local and remote NetBT name cache... Passed
>> >> > Testing the WINS server
>> >> > Local Area Connection 2
>> >> > Sending name query to primary WINS server 10.0.8.80 -
>> >> > querying name MAINDC on server 10.0.8.80
>> >> > bytes sent 50
>> >> > Passed
>> >> > There is no secondary WINS server defined for this
>> >> > adapter.
>> >> > Gathering Winsock information.
>> >> > Testing DNS
>> >> > PASS - All the DNS entries for DC are registered on DNS server
>> >> > '10.0.8.45' and other DCs also have some of the names registered.
>> >> > Testing redirector and browser... Passed
>> >> > Testing DC discovery.
>> >> > Looking for a DC
>> >> > Looking for a PDC emulator
>> >> > Looking for a Windows 2000 DC
>> >> > Gathering the list of Domain Controllers for domain 'FUNC'
>> >> > DC list for domain FUNC:
>> >> > hagerstown.func.com [DS] Site: Hagerstown
>> >> > Cannot get information for DC hagerstown.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > FROSTBURG.FUNC.COM [DS] Site: Frostburg
>> >> > Cannot get information for DC FROSTBURG.FUNC.COM.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > GRANTSVILLE.func.com [DS] Site: Grantsville
>> >> > Cannot get information for DC GRANTSVILLE.func.com.
>> >> > [NERR_ServerNotStarted] Assume it is down.
>> >> > FRIENDSVILLE.func.com [DS] Site: Friendsville
>> >> > Cannot get information for DC FRIENDSVILLE.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > RIVERSIDE.func.com [DS] Site: Riverside
>> >> > Cannot get information for DC RIVERSIDE.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > BALLENGER.func.com [DS] Site: Ballenger
>> >> > Cannot get information for DC BALLENGER.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > smithsburg.func.com [DS] Site: Smithsburg
>> >> > Lake.func.com [DS] Site: Lake
>> >> > whiteoaks.func.com [DS] Site: Whiteoaks
>> >> > Cannot get information for DC whiteoaks.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > centercity.func.com [DS] Site: Centercity
>> >> > Cannot get information for DC centercity.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > Moorefield.func.com [DS] Site: Moorefield
>> >> > Cannot get information for DC Moorefield.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > Tritowns.func.com [DS] Site: Tritowns
>> >> > Cannot get information for DC Tritowns.func.com.
>> >> > [ERROR_NETNAME_DELETED]
>> >> > Assume it is down.
>> >> > Belair.func.com [DS] Site: Belair
>> >> > BARTON.func.com [DS] Site: Barton
>> >> > martinsburg.func.com [DS] Site: Martinsburg
>> >> > Cannot get information for DC martinsburg.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > sberkeley.func.com [DS] Site: SBerkeley
>> >> > Cannot get information for DC sberkeley.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > sfoxcroft.func.com [DS] Site: SFoxcroft
>> >> > Cannot get information for DC sfoxcroft.func.com.
>> >> > [ERROR_NETNAME_DELETED] Assume it is down.
>> >> > EdwinMiller.func.com [DS] Site: EdwinMiller
>> >> > Cannot get information for DC EdwinMiller.func.com.
>> >> > [NERR_ServerNotStarted] Assume it is down.
>> >> > midtowns.func.com [DS] Site: Main
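As an added example (not from the thread), here is a small Python parser for the NetDiag "DC list" block quoted above, plus the FAIL/ERROR/WARN grep Herb recommends for DCDiag output saved to a text file. The sample input is a constructed excerpt laid out like the quoted block, so the script runs offline and tells you which DCs NetDiag could not query and which error code each returned, i.e. where to run DCDiag next.

```python
import re
from collections import Counter

# Constructed excerpt laid out like the NetDiag "DC list" block quoted in the
# thread (the split "[CODE]" / "Assume it is down." case mirrors the Tritowns entry).
SAMPLE_NETDIAG = """\
DC list for domain FUNC:
hagerstown.func.com [DS] Site: Hagerstown
Cannot get information for DC hagerstown.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
GRANTSVILLE.func.com [DS] Site: Grantsville
Cannot get information for DC GRANTSVILLE.func.com.
[NERR_ServerNotStarted] Assume it is down.
smithsburg.func.com [DS] Site: Smithsburg
Tritowns.func.com [DS] Site: Tritowns
Cannot get information for DC Tritowns.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
midtowns.func.com [DS] Site: Main
"""

DC_LINE = re.compile(r"^(?P<dc>\S+)\s+\[DS\]\s+Site:\s+(?P<site>\S+)$")
CODE_LINE = re.compile(r"^\[(?P<code>[A-Za-z_]+)\]")
SEVERITY = re.compile(r"\b(FAIL|ERROR|WARN)\w*")  # the grep Herb suggests for DCDiag logs

def parse_dc_list(text):
    """Map each DC (lower-cased FQDN) to its site, reachability and error code."""
    dcs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DC_LINE.match(line):
            current = m.group("dc").lower()
            dcs[current] = {"site": m.group("site"), "up": True, "error": None}
        elif current and (m := CODE_LINE.match(line)):
            dcs[current]["error"] = m.group("code")
        if current and "Assume it is down" in line:
            dcs[current]["up"] = False
    return dcs

def down_dcs(dcs):
    """DCs NetDiag could not query, sorted so output is stable across runs."""
    return sorted(dc for dc, info in dcs.items() if not info["up"])

def error_summary(dcs):
    """Count error codes: one dominant code points at one root cause (DNS, here)."""
    return Counter(info["error"] for info in dcs.values() if info["error"])

def flag_lines(text):
    """Lines worth reading first when DCDiag/NetDiag output is saved to a file."""
    return [line.strip() for line in text.splitlines() if SEVERITY.search(line)]
```

Run `parse_dc_list` over a real NetDiag capture and `flag_lines` over each DC's DCDiag text file; a single dominant error code across many DCs usually means one shared cause (such as the zone not accepting dynamic updates) rather than many broken DCs.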

