Re: Add a new DC to a new branch
- From: Manoj <Manoj@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 May 2006 06:28:01 -0700
Thanks for your reply. See my questions below - inline.
Is the new server an additional DC for an existing domain?
How many domains are there, and in which domain was this DC placed?
Yes, this new server is an additional DC for existing domain, but will be
shipped to a new site.
There is just a single domain and two sites. I placed this new DC on site 1
for configuration and replication. Then I moved it to site 2 in AD Sites and
Services and also physically (in my lab environment).
Does the DC have DNS installed?
Does this DC have any forward/reverse zones installed? Are those zones AD
integrated?
How are the DC's DNS properties configured (under NIC properties)?
Yes, DNS is installed and the forward/reverse zones are AD integrated and
replicated from the PDC. Yes, the preferred DNS server is itself in the NIC properties.
Where does this site link connect?
Are there more IP site links?
Are the IP site links transitive (default)?
There is just a single IP site link that connects site 1 and site 2. Isn't
that just what is needed? Since I do not have more than 2 sites, I figure I
do not need more than 1 site link or a site link bridge. Am I right? Please
confirm.
Did you create a reverse lookup zone for 192.168.2.0?
Did you run netdiag /fix?
Did you already reboot the server after the IP change?
Yes, there is a reverse lookup zone for the 192.168.2.0 subnet.
netdiag /fix did not fix it.
At one point, I did not reboot the server after the IP change.
Assuming that you're talking about Network Places or browsing by
\\computername, you'll need WINS in both subnets replicating with each
other.
I was trying to browse by \\ipaddress. I think my WINS servers in both subnets were
not replicating, and that is what I am going to do next.
These errors are related to bad DNS config and/or bad/insufficient
configuration in Active Directory Sites and Services.
The event 1311 description at this link says:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1311&EvtSrc=NTDS%20KCC&LCID=1033
- Publish sufficient site connectivity information so that the KCC can
determine a route by which this directory partition can reach this site. This
is the preferred option.
- Add a Connection object to a domain controller that contains the directory
partition in this site from a domain controller that contains the same
directory partition in another site.
I have a site link connecting the two sites. Is there anything more to it?
I ran portqry -n hostname -e 135 -p tcp from this new server in site 2 and
it responded with
TCP port 135 (epmap service): FILTERED
I do not have any firewalls on any server, and the two routers at each site do
not block this TCP port.
When I ran it again just now, it responded with
Total endpoints found: 112
I am not sure what fixed this. Any thoughts?
I did reboot my new server last night, and after it came up there are a bunch
of errors in the event log. DNS reports events 4000 and 4013, and the zones in DNS
have disappeared. As per
http://support.microsoft.com/kb/316685/en-us
the cause is a security log overflow. I see my DNS event log had a setting of
"overwrite events older than 7 days", and obviously I had too many in the last few
days. I am going to try and see if this resolution works. I guess it is one
step forward and two steps back right now. I will post how it goes after all
these steps.
Thanks a lot.
Manoj
"Jorge Silva" wrote:
Hi.
Inline
I have to add a new DC and move a few workstations to a new branch office. I
am testing this in a lab by splitting our current internet connection to get
a new public IP address that I am using for the new branch environment.
I started with creating a site-to-site VPN via Cisco routers on each end.
Both routers are able to ping each other and can ping
workstations/servers, so the connectivity and VPN tunnel are working fine.
I installed Windows Server 2003 on a new server, updated it to SP1 and promoted
it to a DC while it was in the same network as the main office. Now I have 2
DCs, one with IP 192.168.1.100 (current production) and the other 192.168.1.115
(new for branch), and both seem to have replicated AD and DNS just fine.
Is the new server an additional DC for an existing domain?
How many domains are there, and in which domain was this DC placed?
Does the DC have DNS installed?
Does this DC have any forward/reverse zones installed? Are those zones AD
integrated?
How are the DC's DNS properties configured (under NIC properties)?
I then created a new site, site link and subnet for the new branch, which
replicated to the other server too.
Where does this site link connect?
Are there more IP site links?
Are the IP site links transitive (default)?
On my new server, I went to Active Directory Sites and Services, and then I
moved this new server to the new branch site. I changed the TCP/IP settings and
changed its IP from 192.168.1.115 to 192.168.2.100 (for the branch office
network).
Did you create a reverse lookup zone for 192.168.2.0?
Did you run netdiag /fix?
Did you already reboot the server after the IP change?
Now when I take this new server and connect it to the branch site (using the new
public IP address I got for my branch environment), I am not able to browse
any computer or server on the main site from this DC at the branch.
Assuming that you're talking about Network Places or browsing by
\\computername, you'll need WINS in both subnets replicating with each
other.
I see the event log has KCC errors:
1566 - All domain controllers in the following site that can replicate the
directory partition over this transport are currently unavailable.
1311 - There is insufficient site connectivity information in Active
Directory Sites and Services for the KCC to create a spanning tree
replication topology. Or, one or more domain controllers with this directory
partition are unable to replicate the directory partition information. This
is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following
actions:
- Publish sufficient site connectivity information so that the KCC can
determine a route by which this directory partition can reach this site. This
is the preferred option.
- Add a Connection object to a domain controller that contains the directory
partition in this site from a domain controller that contains the same
directory partition in another site.
1865 - The Knowledge Consistency Checker (KCC) was unable to form a complete
spanning tree network topology. As a result, the following list of sites
cannot be reached from the local site.
These errors are related to bad DNS config and/or bad/insufficient
configuration in Active Directory Sites and Services.
When I use the nslookup tool at branch server, I get the following error
*** Can't Find server name for address 192.168.1.100 Timed out
I read about this and it indicated that there is a reverse lookup problem.
- Create Reverse lookup zones on both subnets.
- Make sure that every domain controller has its DNS properties under NIC
configuration pointing to itself. (If DC IP Address is 10.0.0.1 then Dns
should be 10.0.0.1).
- Make sure that every DNS server can resolve all domains in the forest.
(Use Forwarding, Stub Zones or Secondary Zones).
- Make sure that all clients only use the local DNS server(s).
How Domain Controllers Are Located in Windows
http://support.microsoft.com/kb/247811/
DNS Conditional Forwarding in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html
DNS Stub Zones in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
From the main office DC, I can browse the branch office DC, but not other
way around.
You can also check whether any port is being blocked:
Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
--
I hope that helps
Good Luck
Jorge Silva
MCSA
Systems Administrator
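The following PowerShell script runs the checks discussed in this thread against a DC that has just been moved to a new site and subnet: the NIC's preferred DNS server pointing at the DC itself, a reverse lookup zone for the branch subnet (the nslookup "Can't find server name for address" error), the DC locator SRV record for the branch site (KB 247811), TCP 135 to the main DC (the portqry check and KB 832017), the subnet-to-site mapping and site link that the KCC needs (events 1311/1566/1865), and the current replication failures. It is an added example for this archived thread, not code posted by Manoj or Jorge. It assumes a current Windows Server DC with the ActiveDirectory, DnsServer, DnsClient and NetTCPIP modules, which did not exist on Server 2003; there the same checks are nslookup, portqry -n <dc> -e 135 -p tcp, dcdiag and repadmin /showrepl. The addresses and the site name Site2 are assumptions taken from the lab described above.

```powershell
# Added example for this thread, not code from either poster.
# Assumes a current Windows Server DC (ActiveDirectory, DnsServer, DnsClient,
# NetTCPIP modules). Addresses and the site name 'Site2' are assumptions
# matching the lab in the thread; adjust them to your environment.
[CmdletBinding()]
param(
    [string]$MainDc       = '192.168.1.100',   # production DC in site 1
    [string]$BranchSubnet = '192.168.2.0/24',  # name of the AD subnet object
    [string]$BranchSite   = 'Site2'            # assumed name of the branch site
)

Import-Module ActiveDirectory, DnsServer, DnsClient, NetTCPIP -ErrorAction Stop

$results = [ordered]@{}

# 1. NIC DNS settings: the preferred DNS server should be this DC's own address.
$localIPs  = (Get-NetIPAddress -AddressFamily IPv4 |
              Where-Object IPAddress -notlike '127.*').IPAddress
$preferred = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object ServerAddresses |
              Select-Object -First 1).ServerAddresses[0]
$results['NIC preferred DNS is self'] = $localIPs -contains $preferred

# 2. Reverse lookup zone for the branch subnet exists locally and is AD-integrated.
#    The in-addr.arpa name is built from the /24 network address.
$octets  = ($BranchSubnet -split '/')[0] -split '\.'
$revZone = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]
$zone    = Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue
$results["Reverse zone $revZone exists"]  = $null -ne $zone
$results['Reverse zone is AD-integrated'] = [bool]($zone -and $zone.IsDsIntegrated)

# 3. The nslookup complaint in the thread: reverse lookup of the main DC.
$ptr = Resolve-DnsName -Name $MainDc -Type PTR -ErrorAction SilentlyContinue
$results["PTR for $MainDc resolves"] = $null -ne $ptr

# 4. DC locator SRV record for the branch site (see KB 247811).
$domain = (Get-ADDomain).DNSRoot
$srv = Resolve-DnsName -Name "_ldap._tcp.$BranchSite._sites.dc._msdcs.$domain" `
                       -Type SRV -ErrorAction SilentlyContinue
$results["SRV record for site $BranchSite"] = $null -ne $srv

# 5. RPC endpoint mapper on the main DC reachable across the VPN (see KB 832017).
$tcp = Test-NetConnection -ComputerName $MainDc -Port 135 -WarningAction SilentlyContinue
$results["TCP 135 to $MainDc"] = $tcp.TcpTestSucceeded

# 6. Sites and Services: the subnet must map to the branch site, and a site
#    link must contain the branch site plus at least one other site.
$subnet = Get-ADReplicationSubnet -Identity $BranchSubnet -ErrorAction SilentlyContinue
$results['Subnet mapped to branch site'] = [bool]($subnet -and $subnet.Site -like "CN=$BranchSite,*")
$link = Get-ADReplicationSiteLink -Filter * |
        Where-Object { ($_.SitesIncluded -like "CN=$BranchSite,*") -and
                       $_.SitesIncluded.Count -ge 2 }
$results['Site link covers branch site'] = $null -ne $link

# 7. Replication state of this DC, the condition events 1311/1566/1865 report on.
$failures = Get-ADReplicationFailure -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue
$results['No replication failures'] = -not $failures

# Print one line per check so a failing item can be matched to the thread's advice.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it on the branch DC itself; every line that prints CHECK corresponds to one of the items in the list above (reverse zones, self-pointing DNS, site link, port 135). A FILTERED result on port 135 that later clears, as in the thread, is worth re-running after the VPN tunnel has been up for a while, since the KCC will only build the inter-site connection once the endpoint mapper answers.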