Re: active directory replication
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 25 Jan 2006 00:13:48 -0600
"rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:22AE1401-6C92-46EC-BC59-6FEB54D0CB3C@xxxxxxxxxxxxxxxx
> Herb,
>
> here's some screwy stuff. I was at a remote site and noticed an old A
> record in the dns console from the local dc.
The DNS Console (MMC) names are largely cosmetic.
At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
> Did some checking and got no real answers, so I connected to maindc.
> When I opened the dns console, the server was listed as frostburg,
> which is a dc at another remote site. Closed the dns console, opened
> again, same deal. Opened ip address management and the dns snapin
> there was showing the local server as maindc as it should. So, I
> restarted maindc, but now it's hung at applying computer settings.
> Tried to connect to it from another dc at the same site as maindc and
> I get an error message that maindc is not on the network??
You're saying that MainDC won't boot now?
First, if you have a way to make a backup -- DO SO.
You can try booting it in SAFE MODE (F8).
Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
> "Herb Martin" wrote:
>
>> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:38535E4E-44A1-4EA7-8DC7-641ADF356511@xxxxxxxxxxxxxxxx
>> > "Herb Martin" wrote:
>> >> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:3E04C878-B536-4B67-ADE1-70A1DAA41862@xxxxxxxxxxxxxxxx
>> >> > Herb,
>> >> > yes, I saw those errors (missing dc names), and I have seen them
>> >> > before. I opened a case with Microsoft support for them before and
>> >> > we were able to clear up that problem, but I will look into that
>> >> > again.
>> >>
>> >> You don't need to spend time or money on support calls
>> >> for that type of problem.
>> >>
>> >> It's easy to fix and we can help you with that.
>> >>
>> >> Keys were in my previous email.
>> >>
>> >> You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
>> >>
>> >> You make your zone dynamic; you make sure your DCs ONLY use the
>> >> (dynamic) DNS server (set) on their NIC.
>> >
>> > how do you make the zone dynamic?
>>
>> Zone properties in the MMC (right click->Properties->General Tab->)
>>
>> >> You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
>> >> (And retest with DCDiag/NetDIAG).
>> >>
>> >> > DFS and sysvol are definitely a weak spot for me, but I did notice
>> >> > that in the sysvol directory, there were two extra folders that
>> >> > seemed to be copies of the policies and scripts folders, but with
>> >> > slightly different names. I moved them to another directory
>> >> > temporarily.
>> >>
>> >> Why?
>> >
>> > based on the names of the folders and the modification dates, it looks
>> > to me like they were renamed because they are no longer used.
>>
>> Hmm... be careful.
>>
>> >> > The scripts folder was less than 200 KB, but the policy folder was
>> >> > 15MB, not sure if that is normal or not.
>> >>
>> >> Many people think that I am "pretty good" with AD and I will tell you
>> >> that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
>> >> (I know HOW to do it safely but I will not do that.)
>> >>
>> >> Even scripts I create by using the GPEdit since it SUGGESTS the right
>> >> place to put the scripts and associates them together with the GPO
>> >> object.
>> >>
>> >> > I did notice what you said about the dfs replication, I think. I had
>> >> > created a script on friday and although I'm not sure how quickly that
>> >> > should replicate, it did not, even with replmon (but maybe replmon
>> >> > does replicate dfs, I am not sure).
>> >>
>> >> No. ReplMon is not associated with DFS (to my knowledge.)
>> >>
>> >> > There are no local firewalls that would prevent dfs replication, the
>> >> > only firewall is for internet traffic and all internet traffic has to
>> >> > go through one router at our main office. We have another router that
>> >> > sits under the isp router that takes care of local traffic on our WAN.
>> >>
>> >> Are you fully routed? Can you go to each (remote) DC and contact the
>> >> main DC (probably not) or you wouldn't be having problems -- how about
>> >> if you use the IP address?
>> >>
>> >
>> > Yes, I can contact maindc from each remote dc and I can contact the
>> > remote dc's from maindc. I tried just pinging by name first and then I
>> > tried opening a unc path by name, start-run- \\servername\sharename and
>> > had success either way.
>>
>> Ok, so you have general name resolution and you have (at least some)
>> general connectivity. (And you said there are no restrictive firewalls
>> between them.)
>>
>> !!! Also watch out that no one turned on a personal firewall on any
>> of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
>>
>> You might still have a DNS issue for the DC resource records; almost
>> certainly true if you find the zone is NOT dynamic.
>>
>> >> Can you even ping between them? By name or just by number?
>> > either way works
>> >>
>> >> > Our DNS was a single primary zone when I arrived here and through
>> >> > use of folks on this community I switched to AD integrated DNS. I am
>> >> > certain there was plenty I missed on setup because of using a
>> >> > community board, so there are more than likely issues there, but I
>> >> > did work with someone from Microsoft to make sure that the network
>> >> > setting for each DC was correct.
>> >>
>> >> You would do better telling me WHAT those settings are....
>> >
>> > which settings do you mean? The NIC settings or the settings in the dns
>> > snapin?
>>
>> Explicitly I meant the settings you claimed "work with someone from
>> Microsoft to make sure that the network setting for each DC was correct",
>> i.e., whatever settings you think you got correct.
>>
>> Better to tell me the settings you are referencing than to say they
>> "are correct."
>>
>> > I'll give you the nic settings. Is there a utility I can use to pull
>> > the dns snapin settings?
>>
>> Yes, but they aren't real convenient.
>>
>> >> I cannot troubleshoot "they are correct" but I might be able to
>> >> help with they are "set like this..."
>> >
>> >
>> > nic settings are as I described before, primary dns is maindc, and
>> > secondary is the dc itself.
>>
>> Better to do this through "ipconfig/all".
>>
>> By the way: There is no such thing as "Primary" or "Secondary"
>> on the NIC (those are SERVER side technical terms.) It's
>> Preferred and Alternate.
>>
>> > This made sense to me when the microsoft engineer told me to set it up
>> > this way because maindc is at the main office and the main office
>> > contains the only internet access for the entire company. I guess I was
>> > thinking it would help with traffic. I can certainly change that though.
>>
>> Don't think it is going to make it work if you change this --
>> whether the computer uses Preferred or Alternate is ALWAYS
>> SOMEWHAT random.
>>
>> It will just be more efficient to let the server resolve locally
>> (from itself).
>>
>> BUT this also implies that the "local DNS" MUST BE CORRECT
>> (correctly replicated) from the Master (main)
>>
>> >> Your DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
>> >> pull down on the zone properties -- go check that RIGHT NOW --
>> >> on the Primary.
>> >
>> > yes, they are all set for secure updates.
>>
>> Then they are set for DYNAMIC updates. (Secure is a form of
>> dynamic.)
>>
>> >> Later (when we have this all working) you should PROBABLY also
>> >> switch to AD-Integrated DNS but let's not complicate it (yet.)
>> >
>> > I thought I already told you that I switched to ad integrated dns long
>> > ago, but wasn't sure if I had set it up correctly.
>>
>> On every DNS-DC? I thought you just did that on the MainDC.
>>
>> Each DNS-DC can be set separately. But you get the most
>> advantages when they are all AD-integrated BUT you must
>> make sure you have FULL AD replication before you make
>> that switch on more than one of them (e.g., main.)
>>
>>
>> >> > I think you mean under the dns snapin, if I look at the domain
>> >> > properties, it should be set to dynamic updates? Is that correct?
>> >>
>> >> Absolutely. In DNS MMC properties for the Zone that corresponds to
>> >> the AD Domain.
>> >>
>> >> > We just have the one domain at this point. I will look through your
>> >> > response more deeply now and work through everything you mentioned.
>> >> > Is there anything else that I could post here pertaining to our
>> >> > environment that could be helpful?
>> >>
>> >> Pick a remote DC (that is showing an error.)
>> >>
>> >> Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
>> >> DC and for the MainDC (we already saw the mainDC) -- please clearly
>> >> mark which is which and which goes with each server.
>> >>
>> >> Also, let me confirm that you have a SiteLink between EACH Site
>> >> and the Main one (only, no 'cross-links' between two remote sites)
>> >> and that each Site link is set to:
>> >>
>> >> 1) 24 hours (with some exceptions for DAYTIME only)
>> >> 2) every 3 hours
>> >> 3) cost isn't really important if you only have a central hub set
>> >
>> > yes, all set this way.
>> >>
>> >> 24 hours isn't that big a deal as long as the schedule makes sense;
>> >> same for 3 hours.
>> >>
>> >> But DO MAKE Sure you have AT LEAST the one SiteLink to
>> >> between Main-EachRemoteSite.
>> >>
>> >> Also, do you have any ABANDONED DCs? (DCs that used to
>> >> exist but have been deleted?)
>> >
>> > I have removed a few dc's, but I always run ntdsutil metadata cleanup
>> > to make sure dcpromo ran correctly
>>
>> Ok, but if you use DCPromo the NTDSutil is merely a double check.
>>
>> >> Are you running scavenging on the DNS zone -- it's a BAD idea
>> >> unless you fully understand it -- many people cause more problems
>> >> with scavenging than they solve.
>> >
>> > Scavenging is set up for 7 days
>>
>> There are three settings for scavenging:
>>
>> Refresh, NoRefresh (both on zone), and Scavenging period on Server
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>
>> >> > Each DC looks to
>> >> > our main office dc(maindc) for DNS first and has itself second.
>> >>
>> >> That may be best until your problem is solved BUT ultimately that
>> >> is not the best way for WANS. (And you will hear the naive DNS
>> >> admins recommend it for both cases.)
>> >>
>> >> In fact, if you NEED to put the MainDC first (to get out of a problem)
>> >> then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
>> >>
>> >> You cannot trust WHICH DNS a machine will use when there are
>> >> more than one, and with WANS it is more likely to use itself anyway.
>> >>
>> >> [Once things are working correctly you should put SELF-FIRST, others
>> >> after.]
>> >>
>> >> What happens when you use Ping and NSlookup from a DC to seek
>> >> one of those problem DCs?
>> >
>> > I have no issues from any domain controllers using ping and nslookup.
>> >>
>> >> > I honestly
>> >> > don't know what you mean by dynamic for the zone supporting AD?
>> >>
>> >>
>> >> --
>> >> Herb Martin, MCSE, MVP
>> >> Accelerated MCSE
>> >> http://www.LearnQuick.Com
>> >> [phone number on web site]
>> >>
>> >> >
>> >> > "Herb Martin" wrote:
>> >> >
>> >> >> "rodge" <rodge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:8D8AB409-E88B-425B-91E9-C374A133F194@xxxxxxxxxxxxxxxx
>> >> >> > netdiag:
>> >> >>
>> >> >> You have (at least) problems missing names for DCs
>> >> >> and with FRS (file replication service) for SysVol and
>> >> >> since you are also using DFS you may have other problems
>> >> >> with DFS based on FRS.
>> >> >>
>> >> >> If you run DCDiag on each of the other (especially) problem
>> >> >> DCs you should see further errors (due to their inability to
>> >> >> register themselves.)
>> >> >>
>> >> >> You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
>> >> >> those but likely you will first need to repair your DNS
>> >> >> configuration.
>> >> >> (see below for hints).
>> >> >>
>> >> >> [I am not quite sure why your DNS is not showing MORE errors
>> >> >> in DCDiag though. ]
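The items Herb walks the poster through across this thread (the NIC's Preferred/Alternate DNS order, whether the AD zone accepts dynamic updates, the three scavenging settings, whether every DC still has its A and SRV records, and the hub-and-spoke site links) can be read off a DC in one read-only pass. The script below is an added example, not from the thread or from Herb; it uses the Windows Server 2012+ PowerShell modules (DnsServer, DnsClient, ActiveDirectory) rather than the 2003-era DCDiag/NetDiag/dnscmd tools the thread names, assumes it runs on a DC as a domain admin, and assumes the AD zone name equals the domain's DNS name. The `ZoneName` parameter and the `$findings` list are this example's own.

```powershell
# Added example: read-only audit of the DNS/replication items discussed in
# the thread. Assumes a Windows Server 2012+ DC with the DnsServer,
# DnsClient and ActiveDirectory modules, run as a domain admin, and that
# the AD-backing zone is named after the domain (hypothetical default).
param(
    [string]$ZoneName = (Get-ADDomain).DNSRoot
)

$findings = New-Object System.Collections.Generic.List[string]
$me = $env:COMPUTERNAME

# 1) NIC DNS client order (what "ipconfig /all" shows). Herb's end state is
#    self first, others after; while troubleshooting, a single server only,
#    because the client picks among Preferred/Alternate unpredictably.
$myAddrs = (Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses.Count -gt 0 }) {
    $first  = $cfg.ServerAddresses[0]
    $isSelf = ($first -eq '127.0.0.1') -or ($myAddrs -contains $first)
    $findings.Add(("NIC {0}: DNS order [{1}]; first entry is {2}" -f
        $cfg.InterfaceAlias, ($cfg.ServerAddresses -join ', '),
        $(if ($isSelf) { 'SELF' } else { 'ANOTHER SERVER' })))
    if ($cfg.ServerAddresses.Count -gt 1) {
        $findings.Add("NOTE: {0} lists several DNS servers; which one is used is not deterministic" -f $cfg.InterfaceAlias)
    }
}

# 2) The zone MUST accept dynamic registrations (Secure is a form of dynamic).
$zone = Get-DnsServerZone -Name $ZoneName
$findings.Add(("Zone {0}: DynamicUpdate={1} DsIntegrated={2} Scope={3}" -f
    $zone.ZoneName, $zone.DynamicUpdate, $zone.IsDsIntegrated, $zone.ReplicationScope))
if ($zone.DynamicUpdate -eq 'None') {
    $findings.Add("PROBLEM: zone $ZoneName does not accept dynamic updates; DCs cannot register")
}

# 3) The three scavenging settings: Refresh and NoRefresh on the zone,
#    scavenging period on the server. DC records are re-registered by
#    Netlogon roughly daily, so NoRefresh+Refresh shorter than a day means
#    stale-looking DC records can be removed between registrations.
$aging = Get-DnsServerZoneAging -Name $ZoneName
$srv   = Get-DnsServerScavenging
$findings.Add(("Zone aging: Enabled={0} NoRefresh={1} Refresh={2}" -f
    $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval))
$findings.Add(("Server scavenging: State={0} Period={1} LastRun={2}" -f
    $srv.ScavengingState, $srv.ScavengingInterval, $srv.LastScavengeTime))
if ($aging.AgingEnabled -and $srv.ScavengingState -and
    (($aging.NoRefreshInterval + $aging.RefreshInterval) -lt [TimeSpan]::FromDays(1))) {
    $findings.Add("WARNING: NoRefresh+Refresh is under one day; DC records may be scavenged before they re-register")
}

# 4) "Missing names for DCs": every DC needs an A record and a DC SRV record.
$srvRecs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ZoneName" -Type SRV -ErrorAction SilentlyContinue
foreach ($dc in Get-ADDomainController -Filter *) {
    $a      = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue
    $hasA   = $null -ne $a
    $hasSrv = $null -ne ($srvRecs | Where-Object { $_.NameTarget -eq $dc.HostName })
    $findings.Add(("DC {0} ({1}): A record={2} DC SRV record={3}" -f
        $dc.HostName, $dc.Site, $hasA, $hasSrv))
    if (-not ($hasA -and $hasSrv)) {
        $findings.Add("PROBLEM: $($dc.HostName) is not fully registered; fix DNS client/zone first, then re-register (dcdiag /fix)")
    }
}

# 5) Site links: Herb wants one link per remote site to the hub, no cross
#    links between remote sites, with a sane schedule and frequency.
foreach ($link in Get-ADReplicationSiteLink -Filter *) {
    $sites = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
    $findings.Add(("SiteLink {0}: sites=[{1}] every {2} min, cost {3}" -f
        $link.Name, ($sites -join ', '), $link.ReplicationFrequencyInMinutes, $link.Cost))
    if ($sites.Count -gt 2) {
        $findings.Add("NOTE: SiteLink $($link.Name) spans more than two sites; check it is intended")
    }
}

$findings | ForEach-Object { Write-Output $_ }

# Finally the DNS test from DCDiag itself, if the tool is on the box.
if (Get-Command dcdiag.exe -ErrorAction SilentlyContinue) {
    dcdiag /test:dns /s:$me
}
```

Run it on the problem DC and on MainDC and compare the two outputs side by side, which is the "mark which is which" Herb asks for; nothing in the script changes a setting, so the dynamic-update and scavenging fixes remain deliberate steps in the DNS console or with `Set-DnsServerZone` once the output has been read.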