Re: active directory replication
- From: "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 11:17:19 -0800
"Herb Martin" wrote:
> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:38535E4E-44A1-4EA7-8DC7-641ADF356511@xxxxxxxxxxxxxxxx
> > "Herb Martin" wrote:
> >> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:3E04C878-B536-4B67-ADE1-70A1DAA41862@xxxxxxxxxxxxxxxx
> >> > Herb,
> >> > yes, I saw those errors (missing dc names), and I have seen them before. I
> >> > opened a case with Microsoft support for them before and we were able to
> >> > clear up that problem, but I will look into that again.
> >>
> >> You don't need to spend time or money on support calls
> >> for that type of problem.
> >>
> >> It's easy to fix and we can help you with that.
> >>
> >> Keys were in my previous email.
> >>
> >> You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
> >>
> >> You make your zone dynamic; you make sure your DCs ONLY use the
> >> (dynamic) DNS server (set) on their NIC.
> >
> > how do you make the zone dynamic?
>
> Zone properties in the MMC (right click->Properties->General Tab->)
>
> >> You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
> >> (And retest with DCDiag/NetDIAG).
> >>
> >> > DFS and sysvol are definitely a weak spot for me, but I did notice that in
> >> > the sysvol directory, there were two extra folders that seemed to be copies
> >> > of the policies and scripts folders, but with slightly different names. I
> >> > moved them to another directory temporarily.
> >>
> >> Why?
> >
> > Based on the names of the folders and the modification dates, it looks to me
> > like they were renamed because they are no longer used.
>
> Hmm... be careful.
>
> >> > The scripts folder was less than 200 KB, but the policy folder was 15MB,
> >> > not sure if that is normal or not.
> >>
> >> Many people think that I am "pretty good" with AD and I will tell you
> >> that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
> >> (I know HOW to do it safely but I will not do that.)
> >>
> >> Even scripts I create by using the GPEdit since it SUGGESTS the right
> >> place to put the scripts and associates them together with the GPO
> >> object.
> >>
> >> > I did notice what you said about the dfs replication, I think. I had
> >> > created a script on friday and although I'm not sure how quickly that
> >> > should replicate, it did not, even with replmon (but maybe replmon does
> >> > replicate dfs, I am not sure).
> >>
> >> No. ReplMon is not associated with DFS (to my knowledge.)
> >>
> >> > There are no local firewalls that would prevent dfs replication, the only
> >> > firewall is for internet traffic and all internet traffic has to go through
> >> > one router at our main office. We have another router that sits under the
> >> > isp router that takes care of local traffic on our WAN.
> >>
> >> Are you fully routed? Can you go to each (remote) DC and contact the
> >> main DC (probably not) or you wouldn't be having problems -- how about
> >> if you use the IP address?
> >>
> >
> > Yes, I can contact maindc from each remote dc and I can contact the remote
> > dc's from maindc. I tried just pinging by name first and then I tried opening
> > a unc path by name, start-run- \\servername\sharename and had success either
> > way.
>
> Ok, so you have general name resolution and you have (at least some)
> general connectivity. (And you said there is no restrictive firewalls
> between them.)
>
> !!! Also watch out that no one turned on a personal firewall on any
> of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
>
> You might still have DNS issue for the DC resource records; almost
> certainly true if you find the zone is NOT dynamic.
>
> >> Can you even ping between them? By name or just by number?
> > either way works
> >>
> >> > Our DNS was a single primary zone when I arrived here and through use of
> >> > folks on this community I switched to AD integrated DNS. I am certain there
> >> > was plenty I missed on setup because of using a community board, so there
> >> > are more than likely issues there, but I did work with someone from
> >> > Microsoft to make sure that the network setting for each DC was correct.
> >>
> >> You would do better telling me WHAT those settings are....
> >
> > which settings do you mean? The NIC settings or the settings in the dns
> > snapin?
>
> Explicitly I meant the settings you claimed "work with someone from Microsoft
> to make sure that the network setting for each DC was correct", i.e.,
> whatever settings you think you got correct.
That was simply the nic settings. The issue I opened at that time was not a
dns issue and the engineer had actually helped me with many other things, but
not dns setup as far as the console goes. He did ask me to go to each dc and
set maindc as preferred dns server and list the dc itself as alternate. So,
10.0.8.45 for preferred, 10.0.some number based on the site.2 for alternate.
Those are the only settings we discussed. They were not set that way before
we started. This was a long time ago, and not long after I started in this
position. Before that we were not using ad integrated dns.
>
> Better to tell me the settings you are referencing than to say they
> "are correct."
>
> > I'll give you the nic settings. Is there a utility I can use to pull the dns
> > snapin settings?
>
> Yes, but they aren't real convenient.
If we're only concerned with nic settings, then I guess it won't matter
anyway.
>
> >> I cannot troubleshoot "they are correct" but I might be able to
> >> help with they are "set like this..."
> >
> >
> > nic settings are as I described before, primary dns is maindc, and secondary
> > is the dc itself.
>
> Better to do this through "ipconfig/all".
>
> By the way: There is no such thing as "Primary" or "Secondary"
> on the NIC (those are SERVER side technical terms.) It's
> Preferred and Alternate.
>
> > This made sense to me when the microsoft engineer told me to set it up this
> > way because maindc is at the main office and the main office contains the
> > only internet access for the entire company. I guess I was thinking it would
> > help with traffic. I can certainly change that though.
>
> Don't think it is going to make it work if you change this --
> whether the computer uses Preferred or Alternate is ALWAYS
> SOMEWHAT random.
By change I meant remove maindc from the remote dc's nic settings as
preferred, isn't that what you said to do???
What if my firewall through my isp doesn't allow the dns port for the
subnets other than the main office?
>
> It will just be more efficient to let the server resolve locally
> (from itself).
Okay, this may be something I was not fully understanding about dns. I
forget that with ad integrated the db is local and I guess that means that
the remote servers can get the dns info they need locally, until they can't
find the info, then they look to forwarders? So, should maindc be set up as a
forwarder for all remote dc's? Another thing I get confused on is whether to
make changes to the zone in the console or to the dc in the console.
>
> BUT this also implies that the "local DNS" MUST BE CORRECT
> (correctly replicated) from the Master (main)
So how do I make sure it is being replicated correctly, just replmon?
>
> >> Your DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
> >> pull down on the zone properties -- go check that RIGHT NOW --
> >> on the Primary.
> >
> > yes, they are all set for secure updates.
>
> Then they are set for DYNAMIC updates. (Secure is a form of
> dynamic.)
>
> >> Later (when we have this all working) you should PROBABLY also
> >> switch to AD-Integrated DNS but let's not complicate it (yet.)
> >
> > I thought I already told you that I switched to ad integrated dns long ago,
> > but wasn't sure if I had set it up correctly.
>
> On every DNS-DC? I thought you just did that on the MainDC.
Yes, on every dc. Every dc is running dns and every dc is using ad integrated
dns, isn't that the way it is supposed to be set up, i.e. best practice?
>
> Each DNS-DC can be set separately. But you get the most
> advantages when they are all AD-integrated BUT you must
> make sure you have FULL AD replication before you make
> that switch on more than one of them (e.g., main.)
>
>
> >> > I think you mean under the dns snapin, if I look at the domain properties,
> >> > it should be set to dynamic updates? Is that correct?
> >>
> >> Absolutely. In DNS MMC properties for the Zone that corresponds to
> >> the AD Domain.
> >>
> >> > We just have the one domain at this point. I will look through your
> >> > response more deeply now and work through everything you mentioned. Is
> >> > there anything else that I could post here pertaining to our environment
> >> > that could be helpful?
> >>
> >> Pick a remote DC (that is showing an error.)
> >>
> >> Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
> >> DC and for the MainDC (we already saw the mainDC) -- please clearly
> >> mark which is which and which goes with each server.
We have 25 - 30 dc's at this point, I couldn't even get half of the netdiag
result pasted here from maindc. You are asking me to post the info here,
right? How?
> >>
> >> Also, let me confirm that you have a SiteLink between EACH Site
> >> and the Main one (only, no 'cross-links' between two remote sites)
> >> and that each Site link is set to:
> >>
> >> 1) 24 hours (with some exceptions for DAYTIME only)
> >> 2) every 3 hours
> >> 3) cost isn't really important if you only have a central hub set
> >
> > yes, all set this way.
> >>
> >> 24 hours isn't that big a deal as long as the schedule makes sense;
> >> same for 3 hours.
> >>
> >> But DO MAKE Sure you have AT LEAST the one SiteLink to
> >> between Main-EachRemoteSite.
> >>
> >> Also, do you have any ABANDONED DCs? (DCs that used to
> >> exist but have been deleted?)
> >
> > I have removed a few dc's, but I always run ntdsutil metadata cleanup to
> > make sure dcpromo ran correctly.
>
> Ok, but if you use DCPromo the NTDSutil is merely a double check.
Exactly, that is what I said.
>
> >> Are you running scavenging on the DNS zone -- it's a BAD idea
> >> unless you fully understand it -- many people cause more problems
> >> with scavenging than they solve.
That was a suggestion from the same engineer from MS. I didn't realize until
recently that that can cause problems; I read it somewhere else in the past
week or so.
> >
> > Scavenging is set up for 7 days
>
> There are three settings for scavenging:
>
> Refresh, NoRefresh (both on zone), and Scavenging period on Server
Yes, I can see that, I wasn't able to find recommended settings anywhere
though.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>
> >> > Each DC looks to our main office dc (maindc) for DNS first and has itself
> >> > second.
> >>
> >> That may be best until your problem is solved BUT ultimately that
> >> is not the best way for WANS. (And you will hear the naive DNS
> >> admins recommend it for both cases.)
> >>
> >> In fact, if you NEED to put the MainDC first (to get out of a problem)
> >> then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
> >>
> >> You cannot trust WHICH DNS a machine will use when there are
> >> more than one, and with WANS it is more likely to use itself anyway.
> >>
> >> [Once things are working correctly you should put SELF-FIRST, others
> >> after.]
> >>
> >> What happens when you use Ping and NSlookup from a DC to seek
> >> one of those problem DCs?
> >
> > I have no issues from any domain controllers using ping and nslookup.
> >>
> >> > I honestly don't know what you mean by dynamic for the zone supporting AD?
> >>
> >>
> >>
> >> >
> >> > "Herb Martin" wrote:
> >> >
> >> >> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:8D8AB409-E88B-425B-91E9-C374A133F194@xxxxxxxxxxxxxxxx
> >> >> > netdiag:
> >> >>
> >> >> You have (at least) problems missing names for DCs
> >> >> and with FRS (file replication service) for SysVol and
> >> >> since you are also using DFS you may have other problems
> >> >> with DFS based on FRS.
> >> >>
> >> >> If you run DCDiag on each of the other (especially) problem
> >> >> DCs you should see further errors (due to their inability to
> >> >> register themselves.
> >> >>
> >> >> You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
> >> >> those but likely you will first need to repair your DNS configuration.
> >> >> (see below for hints).
> >> >>
> >> >> [I am not quite sure why your DNS is not showing MORE errors
> >> >> in DCDiag though. ]
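The settings Herb keeps asking for (each DC's NIC DNS order from "ipconfig /all", whether the AD zone accepts dynamic updates, and the three scavenging values) can be collected in one pass instead of pasting netdiag output per DC. This is an added example, not from either poster; it assumes the ActiveDirectory, DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, so not the 2003-era DCs in the thread) and WinRM access to each DC.

```powershell
# Added example, not from the thread: audit the DNS settings this thread argues about
# on every DC. Assumes the ActiveDirectory, DnsServer and DnsClient modules (Windows
# Server 2012 or later) and WinRM access to each DC from an admin workstation.
Import-Module ActiveDirectory, DnsServer

$zone = (Get-ADDomain).DNSRoot          # the zone that corresponds to the AD domain

$report = foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
    $name = $dc.HostName

    # 1) NIC client DNS list, the "ipconfig /all" view. Herb's end state is the DC
    #    pointing at itself first, with other DNS-DCs as alternates.
    $clientDns = Invoke-Command -ComputerName $name -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1 -ExpandProperty ServerAddresses
    }
    $selfFirst = ($clientDns | Select-Object -First 1) -eq $dc.IPv4Address

    # 2) The zone must accept dynamic registrations (Secure is a form of dynamic).
    $zoneInfo = Get-DnsServerZone -ComputerName $name -Name $zone
    $dynamic  = $zoneInfo.DynamicUpdate -ne 'None'

    # 3) Scavenging: zone Refresh/NoRefresh plus the server-side scavenging period.
    $aging = Get-DnsServerZoneAging -ComputerName $name -Name $zone
    $scav  = Get-DnsServerScavenging -ComputerName $name

    [pscustomobject]@{
        DC                 = $name
        ClientDnsOrder     = ($clientDns -join ', ')
        SelfFirst          = $selfFirst
        ZoneIsADIntegrated = $zoneInfo.IsDsIntegrated
        DynamicUpdate      = $zoneInfo.DynamicUpdate
        AcceptsDynamic     = $dynamic
        AgingEnabled       = $aging.AgingEnabled
        NoRefresh          = $aging.NoRefreshInterval
        Refresh            = $aging.RefreshInterval
        ServerScavenging   = $scav.ScavengingState
        ScavengePeriod     = $scav.ScavengingInterval
    }
}

# Show the conditions the thread treats as errors; review them before changing anything.
$report | Where-Object { -not $_.AcceptsDynamic -or -not $_.SelfFirst } |
    Format-Table DC, ClientDnsOrder, SelfFirst, DynamicUpdate -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\dc-dns-audit.csv
```

A DC whose zone reports DynamicUpdate = None is the case Herb describes as DCs being unable to register their own resource records; the CSV gives a per-DC record to compare against DCDiag output.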