Re: DNS Access Denied
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Thu, 29 Dec 2005 20:17:48 -0600
"Helme" <Helme@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BD2954D6-3DDB-416D-A8D0-7D7135AD96F8@xxxxxxxxxxxxxxxx
> Hi Herb, thanks for your input.
>
> After reading your explanation, now I got some idea what is going on with
> the server/s.
> I ran the dcdiag /fix from ILSAS2. ( I can't install it at ILSAS1 - going
> crazy ). I believed that the replications are not happening from this both
> DC. For your information ILSAS1 is Master role. I've tried to transfer the
> role to ILSAS2, but failed.
>
> There are some errors and warnings
You cannot expect AD replication to work unless DNS works;
and given that you cannot reach ILSAS1, neither to add it to the
DNS console nor to put/run DCDiag there, it sounds like you
have an IP (routing etc.) or DNS (server or client) problem.
Remember that DCs (even DNS servers) are DNS clients too.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
> Testing server: Default-First-Site-Name\ILSAS2
> Starting test: Replications
> [Replications Check,ILSAS2] A recent replication attempt failed:
> From ILSAS1 to ILSAS2
> Naming Context: N=Schema,CN=Configuration,DC=ilsas,DC=uniten,DC=edu,DC=my
> The replication generated an error (1753):
> There are no more endpoints available from the endpoint mapper.
> The failure occurred at 2005-12-28 00:53.16.
> The last success occurred at 2005-09-18 16:57.02.
> 2328 failures have occurred since the last success.
> The directory on ILSAS1 is in the process.
> of starting up or shutting down, and is not available.
> Verify machine is not hung during boot.
> [ILSAS1] DsBind() failed with error -2146893022,
> The target principal name is incorrect..
>
> The Warnings :
>
> Warning: ILSAS1 is the Schema Owner, but is not responding to DS RPC Bind.
> [ILSAS1] LDAP bind failed with error 31,
> A device attached to the system is not functioning..
> Warning: ILSAS1 is the Schema Owner, but is not responding to LDAP
> Bind.
> Warning: ILSAS1 is the Domain Owner, but is not responding to DS
> RPC Bind.
> Warning: ILSAS1 is the Domain Owner, but is not responding to LDAP
> Bind.
> Warning: ILSAS1 is the PDC Owner, but is not responding to DS RPC
> Bind.
> Warning: ILSAS1 is the PDC Owner, but is not responding to LDAP
> Bind.
> Warning: ILSAS1 is the Rid Owner, but is not responding to DS RPC
> Bind.
> Warning: ILSAS1 is the Rid Owner, but is not responding to LDAP
> Bind.
> Warning: ILSAS1 is the Infrastructure Update Owner, but is not
> responding to DS RPC Bind.
> Warning: ILSAS1 is the Infrastructure Update Owner, but is not
> responding to LDAP Bind.
>
> I tried to replicate from AD sites and services - access denied.
>
> Really need help how to solve this problem.
>
>
>
> "Herb Martin" wrote:
>
>> "Helme" <Helme@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:1265A4C9-50F1-43CB-B51E-32EE512CF510@xxxxxxxxxxxxxxxx
>> > Hi, I've posted similar question under AD ( sorry for my ignorance )
>>
>> It's best to CROSS-post a single message then you only have
>> to look one place for the answers, and anyone interested in
>> following the discussion or helping you can read all of the
>> responses on one place.
>>
>> No big deal, but try to do it that way next time: Cross post
>> to a (reasonable) set of groups that are appropriately related
>> to your question's topic.
>>
>> > I've two DC named ILSAS1 and ILSAS2. I found that ILSAS1 got problem
>> > when user complaining that they take some time to login to domain
>> > named ILSAS.
>>
>> You're probably on the right track in looking to DNS for the
>> source of the problems -- most AD replication and authentication
>> problems have their origin in DNS issues.
>>
>> > I found that ILSAS2's DNS unable to connect to ILSAS1's DNS by using name,
>>
>> What precisely does the above mean? Names are NOT used
>> to connect to THE DNS -- DNS clients use the DNS server's
>> IP for that.
>>
>> > the error message is "Access was denied..Would you like to add
>> > anyway?".
>>
>> Oh, you mean the MMC cannot add the other DNS server.
>>
>> Use the IP address then. It will work if the server is
>> reachable. And yes, this is another sign you have DNS
>> problems.
>>
>> > If I put ip add it can, but i'm not sure whether it will solve the
>> > problem.
>>
>> No, it won't 'solve' the problem but it will let you manage
>> the server.
>>
>> > for ILSAS1 I've tried to install DNS fix application but the server
>> > failed to respond. Also failed to start / stop DNS services ( no
>> > respond ). I'm not sure whether its server itself problem or DNS problem.
>>
>> Check my guide to DNS for AD (appended below) then we can
>> work from there.
>>
>> DCDiag is your friend -- run it on EVERY DC and save the
>> output (see below.)
>>
>> > Really appreciate any input / help from someone. Thank you in advance
>>
>>
>> DNS for AD
>> 1) Dynamic for the zone supporting AD
>> 2) All internal DNS clients NIC\IP properties must specify SOLELY
>> that internal, dynamic DNS server (set.)
>> 3) DCs and even DNS servers are DNS clients too -- see #2
>> 4) If you have more than one Domain, every DNS server must
>> be able to resolve ALL domains (either directly or
>> indirectly)
>>
>> netdiag /fix
>>
>> ....or maybe:
>>
>> dcdiag /fix
>>
>> (Win2003 can do this from Support tools):
>> nltest /dsregdns /server:DC-ServerNameGoesHere
>> http://support.microsoft.com/kb/q260371/
>>
>> Ensure that DNS zones/domains are fully replicated to all DNS
>> servers for that (internal) zone/domain.
>>
>> Also useful may be running DCDiag on each DC, sending the
>> output to a text file, and searching for FAIL, ERROR, WARN.
>>
>> Single Label domain zone names are a problem. Google:
>> [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>
>>
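
Added example, not part of the original thread: a Python triage of saved DCDiag output, following the advice above to search each DC's text file for FAIL, ERROR and WARN. The sample lines are constructed from the output quoted in the thread; the function name `triage` and the regular expressions are this example's own assumptions about the line format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the DCDiag lines quoted in the thread.
SAMPLE = """\
Testing server: Default-First-Site-Name\\ILSAS2
Starting test: Replications
[Replications Check,ILSAS2] A recent replication attempt failed:
From ILSAS1 to ILSAS2
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
2328 failures have occurred since the last success.
[ILSAS1] DsBind() failed with error -2146893022,
The target principal name is incorrect..
Warning: ILSAS1 is the Schema Owner, but is not responding to DS RPC Bind.
[ILSAS1] LDAP bind failed with error 31,
Warning: ILSAS1 is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: ILSAS1 is the PDC Owner, but is not responding to LDAP
Bind.
"""

KEYWORDS = re.compile(r"\b(fail\w*|error\w*|warn\w*)\b", re.I)
ERROR_CODE = re.compile(r"error \(?(-?\d+)\)?", re.I)
# "DS" stands for the DS RPC bind; matching only "DS" survives line wrapping.
ROLE = re.compile(
    r"Warning: (\S+) is the (.+?) Owner, but is not responding to (DS|LDAP)\b")

def triage(text):
    """Return (flagged lines, error codes, {server: {role: {bind kinds}}})."""
    flagged, codes = [], []
    roles = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate ">"-quoted copies
        if not KEYWORDS.search(line):
            continue
        flagged.append(line)
        codes += ERROR_CODE.findall(line)
        m = ROLE.search(line)
        if m:
            server, role, bind = m.groups()
            roles[server][role].add(bind)
    return flagged, codes, roles

if __name__ == "__main__":
    flagged, codes, roles = triage(SAMPLE)
    print(f"{len(flagged)} flagged lines, error codes: {codes}")
    for server, owned in roles.items():
        for role, binds in sorted(owned.items()):
            print(f"{server}: {role} owner not answering {sorted(binds)}")
```

Run it over the saved output of every DC and compare the error codes and unresponsive role owners across files; the same server appearing in each file points at that server rather than at the DC running the test.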