active directory replication
rodge
2006-01-17 17:31:04 UTC
We are using a mix of windows 2000 and 2003 servers for domain controllers.
We have 25 remote sites on a fully meshed network. I am hearing complaints
about slowness throughout the day from all remote sites. I have been able to
determine that this is being caused by replication. I believe I have 2
solutions, but want to make sure of any issues before I attempt to implement.
The way our sites were set up has 25 sites in sites and services. I believe
it may be more advantageous to combine some of the sites into regions and
appoint ip bridgehead servers for the new sites (regions). This should cut
down on a great deal of traffic. Currently all sites do not have equal
bandwidths, but by year end, all sites will have 512 connectivity to the main
office. Does this sound like a valid solution? Also, I noticed in reading
that it is common to have scheduled replication during non-peak hours. We
have very little activity at night, so I was wondering what sort of issues I
would run into if I scheduled replication to occur only at night? I am also
not sure how to go about this.
Herb Martin
2006-01-17 18:02:35 UTC
Post by rodge
We are using a mix of windows 2000 and 2003 servers for domain
controllers.
We have 25 remote sites on a fully meshed network. I am hearing complaints
about slowness throughout the day from all remote sites.
Reports "about slowness" are seldom a reason to take
drastic action, BUT they are a reason for investigation
perhaps....
Post by rodge
I have been able to
determine that this is being caused by replication.
How? When? What are the actual symptoms?

What do your sites and SITE LINKS look like?
Post by rodge
I believe I have 2
solutions, but want to make sure of any issues before I attempt to implement.
The way our sites were set up has 25 sites in sites and services. I believe
it may be more advantageous to combine some of the sites into regions and
appoint ip bridgehead servers for the new sites (regions).
On the face of it, neither of these changes will change the
AMOUNT of replication to each site. Certainly not "picking"
the bridgehead server which will just make the replication
less reliable, although it MIGHT reduce the load on THAT
bridgehead DC (but this only makes sense if you are doing a
LOT of replication.)
Post by rodge
This should cut down on a great deal of traffic.
Why and how do you think this will happen?
Post by rodge
Currently all sites do not have equal
bandwidths, but by year end, all sites will have 512 connectivity to the main
office. Does this sound like a valid solution?
No, since you didn't describe the network except to say "full mesh"
which IMPLIES that all sites have the same bandwidth to each
other but doesn't really state that.

What do your SITE LINKS look like? (Which Sites and
Cost, Schedule, Frequency?)

In general, your site links should follow your PHYSICAL
connections, and use only your "best" physical connections
OR use costs to PREFER those "best" WANS.

How many users/computers do you have? How much
(available) bandwidth?

If you aren't changing a LOT of users, why is replication
hurting you?

Are you using DFS (across the WANS)?
Post by rodge
Also, I noticed in reading
that it is common to have scheduled replication during non-peak hours.
THAT might make more sense if you truly have a replication
problem...
Post by rodge
We
have very little activity at night, so I was wondering what sort of issues I
would run into if I scheduled replication to occur only at night?
Delays when you create new accounts (computers and users), or
the (increased) need to 'reach across the WAN when resetting
remote user passwords etc.'.

(That is, delays in replication will mean that such changes don't
immediately propagate from wherever they are done to where
they may be needed.)
Post by rodge
I am also not sure how to go about this.
This implies you don't have a strong grasp of SiteLinks and
replication so first tell us about your Site and ESPECIALLY
your Subnets, SiteLinks including your Costs, Schedule, and
Frequency settings.

You should also run DCDiag on each DC (and capture the
output to a text file where you search for FAIL, WARN,
and ERROR.)

Correct or report here all problems you find with DCDiag.

IF you have setup your Sites and Site Links correctly then
most replication issues are DNS based.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
rodge
2006-01-21 02:50:02 UTC
I'm sure you have every opportunity to gain the knowledge needed for
everything you do, but in my situation, our network admin was fired and I was
put into the position having very little knowledge or experience with active
directory. I also have not been given any opportunity to get the training I
need other than a very helpful technet subscription, part of which pays for
me to ask you questions.

Now given that info, I am going to try and respond to your comments one by
one.

"Reports "about slowness" are seldom a reason to take
drastic action, BUT they are a reason for investigation
perhaps...."

I have actually been to every one of these sites many times over the past 6
months and there is definitely a slowness issue and it is not slow all of the
time, the slowness seems to recover after 2 hours. Ironically (and possibly
unrelated) that's how often each site is setup to replicate. I am not sure
how to determine when replication will time out if not succeeding, i.e. if
something is causing packets to continually drop and no response is sent back
to the main site, but I'm going to guess it may be 2 hours.

I have been able to determine that this is being caused by replication.
"How? When? What are the actual symptoms?"

Based on the times the slowness hits and lasts until, and the following
eventids in the event viewer of the main office domain controller, the
primary holder of all 5 fsmo roles: 1566, 1311, 1865, and 13508.

"What do your sites and SITE LINKS look like?"

What do they look like? Could you be a little more specific? They are
"setup" with a site for each branch office, i.e. Ballenger is site one and
contains the domain controller called ballenger. This site has its own
subnet and is connected by a Cisco 2600 router over our WAN. Each site has a
site link to the main office domain controller, maindc.

"On the face of it, neither of these changes will change the
AMOUNT of replication to each site. Certainly not "picking"
the bridgehead server which will just make the replication
less reliable, although it MIGHT reduce the load on THAT
bridgehead DC (but this only makes sense if you are doing a
LOT of replication.)

Not sure what you mean by on the face of it, but I think that there are two
main types of replication we are dealing with here, scheduled replication and
immediate (security) replication. While I am not even claiming to be an
expert, it appears to me that the replication I am having issues with is the
scheduled replication. If I am right, then the solution of making regions
into sites would certainly cut down on replication across the WAN to the main
site because instead of the maindc replicating with each dc on the WAN, he
would only replicate with the bridgehead servers I appoint for each region.
Those bridgehead servers would then replicate changes to the other dc's in
their site. I also believe that the same would be true of immediate (security)
related replication as well.

"No, since you didn't describe the network except to say "full mesh"
which IMPLIES that all sites have the same bandwidth to each
other but doesn't really state that."

Actually, a fully meshed network simply means that every node has a direct
connection to every other node, it doesn't mean bandwidth is the same. Our
slowest sites (10 of them) connect at 256K, we also have 384K and 512K sites.
All sites need to get to the internet through the main office. Each site has
a dc that runs ad integrated DNS, maindc provides dns for everyone. Each dc
lists maindc as primary dns and itself as secondary.

"What do your SITE LINKS look like? (Which Sites and
Cost, Schedule, Frequency?)"

All sites are setup the same, they all link to maindc, cost = 100,
replication interval = 180. I've never looked at the schedule before until
just now, but I took a look at the change schedule button of two site links
and noticed that one site has weekdays from 8 AM until 8 PM as replication
not available. Not sure why that is setup that way and not sure what issues
this will cause, but this is a 256K site and a site that has major slowness
during the day.

"In general, your site links should follow your PHYSICAL
connections, and use only your "best" physical connections
OR use costs to PREFER those "best" WANS."

Okay, and that is how it was setup. I wasn't here when it was setup, but I
did have some issues last year and worked with a tech from Microsoft over the
phone over a period of 3 days to clean everything up, so I did get some
valuable insight from him as to how things "should" be setup. I am not real
familiar with costs, my only real exposure to this was one Microsoft webcast
which briefly touched on the fact that for slower WAN links there are ways to
cut down on replication through costs.

"How many users/computers do you have? How much
(available) bandwidth?"

Approximately 300-350 users and computers, excluding servers. I do not know
how to calculate available bandwidth.

"If you aren't changing a LOT of users, why is replication
hurting you?"

If I knew the answer to that question, I would not need to post here.


Are you using DFS (across the WANS)?

I believe this is true. I believe the sysvol folder is replicated and it
does contain a huge amount of logon batch files (scripts), which could
possibly be getting changed some, but I wouldn't think enough to have an
effect this great, but I am very unfamiliar with dfs.

Delays when you create new accounts (computers and users), or
the (increased) need to 'reach across the WAN when resetting
remote user passwords etc.'.
(That is, delays in replication will mean that such changes don't
immediately propagate from wherever they are done to where
they may be needed.)

I received a book from Microsoft that states something a little contrary to
what you say here. It says that security related items (unlocking locked
accounts, resetting passwords, etc) are replicated immediately. So, doesn't
that mean that scheduling replication at night would not really affect those
types of things?

"This implies you don't have a strong grasp of SiteLinks and
replication so first tell us about your Site and ESPECIALLY
your Subnets, SiteLinks including your Costs, Schedule, and
Frequency settings."

Honestly, if I had a strong grasp of anything, I wouldn't be here. What
would you like to know about the subnets? The branch sites use class c
subnets, everything is a 10.0.(some number that identifies the site, i.e. 49,
49, etc.).machine ip 255.255.255.0, I've mentioned the other info earlier.

"IF you have setup your Sites and Site Links correctly then
most replication issues are DNS based.

IF I have then how about some help with troubleshooting dns issues, PLEASE.
Herb Martin
2006-01-21 14:45:01 UTC
[FYI: You need a better (newsreader OR) quoting mechanism.]
Post by rodge
I'm sure you have every opportunity to gain the knowledge needed for
everything you do, but in my situation, our network admin was fired and I was
put into the position having very little knowledge or experience with active
directory. I also have not been given any opportunity to get the training I
need other than a very helpful technet subscription, part of which pays for
me to ask you questions.
Not sure what the above is about but I am virtually completely
self-taught myself; TechNet is good (I am probably its prime
evangelist over the years), but the subscription is no longer
essential since the built-in help is so good and the MS web site
has most anything on TechNet CD.
Post by rodge
Now given that info, I am going to try and respond to your comments one by
one.
"Reports "about slowness" are seldom a reason to take
drastic action, BUT they are a reason for investigation
perhaps...."
I have actually been to every one of these sites many times over the past 6
months and there is definitely a slowness issue and it is not slow all of the
time, the slowness seems to recover after 2 hours.
Recover AFTER two hours? Not go bad (briefly) every two hours?

Again, "Slowness" without specifics is IMPOSSIBLE to
fix through any sort of reliable procedure (e.g., you might
get LUCKY by accident if you throw money at the problem
but you wouldn't know without trying it.)

Slow in what way? How specifically? Slow in comparison
with what?
Post by rodge
Ironically(and possibly
unrelated) that's how often each site is setup to replicate. I am not sure
how to determine when replication will time out if not succeeding, i.e. if
something is causing packets to continually drop and no response is sent back
to the main site, but I'm going to guess it may be 2 hours.
Monitoring with Netmon will work even if it isn't optimum.
Post by rodge
I have been able to determine that this is being caused by replication.
"How? When? What are the actual symptoms?"
Based on the times the slowness hits and lasts until, and the following
eventids in the event viewer of the main office domain controller, the
primary holder of all 5 fsmo roles: 1566, 1311, 1865, and 13508.
No, you haven't even come close to determining the cause.

Example: Replication every two hours would cause a problem
for a (limited) interval every two hours, not a problem that LASTED
two hours.

Unless the problem were continuous, in which case you wouldn't
see a two hour period, just trouble all of the time.
Post by rodge
"What do your sites and SITE LINKS look like?"
What do they look like? Could you be a little more specific? They are
"setup" with a site for each branch office, i.e. Ballenger is site one and
contains the domain controller called ballenger. This site has its own
subnet and is connected by a Cisco 2600 router over our WAN. Each site has a
site link to the main office domain controller, maindc.
What are the Schedule (24 hours/7 days?) and the Frequency (2 hours)?
Post by rodge
"On the face of it, neither of these changes will change the
AMOUNT of replication to each site. Certainly not "picking"
the bridgehead server which will just make the replication
less reliable, although it MIGHT reduce the load on THAT
bridgehead DC (but this only makes sense if you are doing a
LOT of replication.)
Not sure what you mean by on the face of it, but I think that there are two
main types of replication we are dealing with here, scheduled replication and
immediate (security) replication.
But changing the things you mentioned (Bridgehead DC) will
NOT affect the amount of replication ("on the face of it" meant
there is NO reason to expect to see that.)

Immediate replication is almost NIL for reasonable size domains;
but you still haven't given us the size of the domain, the bandwidth
on these lines (you did indicate they were LESS than 512 Kbps),
nor the AVAILABLE bandwidth.....
Post by rodge
While I am not even claiming to be an
expert, it appears to me that the replication I am having issues with is the
scheduled replication.
IF replication is an issue which is possible but pretty much a
random guess so far...
Post by rodge
If I am right, then the solution of making regions
into sites would certainly cut down on replication across the WAN to the main
site because instead of the maindc replicating with each dc on the WAN, he
would only replicate with the bridgehead servers I appoint for each region.
There are no "regions" in AD, you would have to join sites or set
your own CONNECTIONS (not Bridgehead servers).

You do NOT want a Site to span a (slow) WAN line.
[In fact, you almost never want a Site to span a fast WAN line either.]

Are these Sites joined better to EACH other than to the Main Site?

If so, your SiteLinks are wrong. (You have described a Central-HUB
type SiteLink topology which SHOULD be used for a comparable
PHYSICAL WAN topology.)

By replicating to other Sites (than Main) you might overcome SOME
types of bottlenecks into the MainSite, but you don't seem to have a
problem with MAIN, but rather with the branch sites/locations.

Eventually, all of those changes have to replicate with Main anyway.
Generally your SiteLinks should follow your physical WAN links but
you claimed some (unspecified) type of Full Mesh. What specifically?
Post by rodge
Those bridgehead servers would then replicate changes to the other dc's in
their site. I also believe that the same would be true of
immediate (security)
related replication as well.
"No, since you didn't describe the network except to say "full mesh"
which IMPLIES that all sites have the same bandwidth to each
other but doesn't really state that."
Actually, a fully meshed network simply means that every node has a direct
connection to every other node, it doesn't mean bandwidth is the same.
So there is a physical WAN link between EACH pair of sites?
Doubtful. (That would be SUM of 1...24 or 300 WAN links.)

My guess is you have some sort of FrameRelay but even then you
probably don't have 300 virtual circuits (enabled.)
Post by rodge
Our
slowest sites (10 of them) connect at 256K, we also have 384K and 512K sites.
All sites need to get to the internet through the main office.
You are far more likely to be experiencing some sort of
problem which the Internet usage is causing.

That doesn't explain the "2 hour duration" but it is far more likely.

Have you even considered monitoring the traffic to see if bandwidth
usage is EVEN AN ISSUE (it probably is but you don't know until
you measure) and WHAT traffic that is? (It might be AD replication
but you don't have any evidence of that YET.)
Post by rodge
Each site has
a dc that runs ad integrated DNS, maindc provides dns for everyone. Each dc
lists maindc as primary dns and itself as secondary.
How many Users and Computers (roughly)? Hundreds, thousands,
etc?

Are you registering and de-registering thousands of portables
in DNS FREQUENTLY?
Post by rodge
"What do your SITE LINKS look like? (Which Sites and
Cost, Schedule, Frequency?)"
All sites are setup the same, they all link to maindc, cost = 100,
replication interval = 180.
Then you aren't even replicating every 2 hours, but RATHER
every THREE HOURS.
Post by rodge
I've never looked at the schedule before until
just now, but I took a look at the change schedule button of two site links
and noticed that one site has weekdays from 8 AM until 8 PM as replication
not available.
So it won't replicate DAYS and it will TEND to show a replication
SPIKE after 8 PM.
Post by rodge
Not sure why that is setup that way and not sure what issues
this will cause, but this is a 256K site and a site that has major slowness
during the day.
And so replication is NOT the problem for that daytime
"slowness" since this SiteLink doesn't replicate days.
Post by rodge
"In general, your site links should follow your PHYSICAL
connections, and use only your "best" physical connections
OR use costs to PREFER those "best" WANS."
Okay, and that is how it was setup. I wasn't here when it was setup, but I
did have some issues last year and worked with a tech from Microsoft over the
phone over a period of 3 days to clean everything up, so I did get some
valuable insight from him as to how things "should" be setup. I am not real
familiar with costs,
Costs are pretty irrelevant with Hub and Spoke since there wouldn't
be "multiple paths" -- you use Costs to get the KCC to prefer one
SiteLink over another when there is more than one choice.

If every site links ONLY to Main then they are going to replicate there
anyway (as long as MainDC is available.)
Post by rodge
my only real exposure to this was one Microsoft webcast
which briefly touched on the fact that for slower WAN links there are ways to
cut down on replication through costs.
Not really. It doesn't "cut down" but rather PREFERS one WAN
over another when there are multiple choices (for complete
replication.)

When it REPLICATES over a line, you get pretty much the
same traffic no matter the costs (the costs just ENCOURAGES
the KCC to use one SiteLink rather than another.)
Post by rodge
"How many users/computers do you have? How much
(available) bandwidth?"
Approximately 300-350 users and computers, excluding servers. I do not know
how to calculate available bandwidth.
You cannot "calculate" available bandwidth (in most real world
cases); you must rather MEASURE it.

Use a NetMon or other traffic monitor.
Post by rodge
"If you aren't changing a LOT of users, why is replication
hurting you?"
if I knew the answer to that question, I would need to post here.
It's not a replication problem MOST LIKELY.

300 users to replicate the ENTIRE AD and you
probably wouldn't see much problem. (300 user x 4000KB
is about 1.2 MB or 12 Mbits; which would take about
12000/250kbs == 50 SECONDS -- double it for computers
which is a big overestimate, double it again "just because"
and you still get the WHOLE database in about 5 minutes.)

And of course AD doesn't replicate an entire account (4k),
but rather (some few hundred bytes of) the CHANGED portion.

Only a DC promotion would replicate the entire AD -- and
that should still come from another LOCAL DC unless it
were the first DC in the Site.
Post by rodge
Are you using DFS (across the WANS)?
I believe this is true. I believe the sysvol folder is replicated and it
does contain a huge amount of logon batch files (scripts), which could
possibly be getting changed some, but I wouldn't think enough to have an
effect this great, but I am very unfamiliar with dfs.
DFS is MUCH more likely your problem.

Look at this: If you have multi-Megabyte files and a user changes
one that is DFS replicated then you would have VASTLY more
replication from this than from AD.
Post by rodge
Delays when you create new accounts (computers and users), or
the (increased) need to 'reach across the WAN when resetting
remote user passwords etc.'.
(That is, delays in replication will mean that such changes don't
immediately propagate from wherever they are done to where
they may be needed.)
I received a book from Microsoft that states something a little contrary to
what you say here. It says that security related items (unlocking locked
accounts, resetting passwords, etc) are replicated immediately. So, doesn't
that mean that scheduling replication at night would not really affect those
types of things?
Mostly "urgent replication" is for NOTIFICATION (based)
replication which means "Same Site" -- unless you setup
urgent replication between sites (advanced registry change.)

Password changes DO try to replicate to the PDC Emulator
EVEN across sites without regard to schedule but then they
replicate FROM there normally so it isn't domain wide.

Even if all 300 users changed their password EVERY DAY
this would probably go unnoticed.
Post by rodge
"This implies you don't have a strong grasp of SiteLinks and
replication so first tell us about your Site and ESPECIALLY
your Subnets, SiteLinks including your Costs, Schedule, and
Frequency settings."
Honestly, if I had a strong grasp of anything, I wouldn't be here. What
would you like to know about the subnets? The branch sites use class c
subnets, everything is a 10.0.(some number that identifies the site, i.e. 49,
49, etc.).machine ip 255.255.255.0, I've mentioned the other info earlier.
Numbers don't matter (except for examples) -- you gave me
most of what I wanted above (frequency and schedule) and
you said you had a subnet for each Site, but seeing that would
be the only "numbers" that really matter AND ONLY if you
had made some weird mistake in setting up the Site<-->Subnets.
Post by rodge
"IF you have setup your Sites and Site Links correctly then
most replication issues are DNS based.
IF I have then how about some help with troubleshooting dns issues, PLEASE.
YOU IGNORED that from my previous message:

You should also run DCDiag on each DC (and capture the
output to a text file where you search for FAIL, WARN,
and ERROR.)

Correct or report here all problems you find with DCDiag.

That will (largely) TROUBLESHOOT DNS and AD replication.

You probably don't have a DNS issue, and most likely not an
AD replication PERFORMANCE problem -- at least not based
on your reports so far.

If you want to learn the MOST IMPORTANT skill in troubleshooting
it is to be VERY SPECIFIC.

If you don't think you are "getting your question answered" on
this 'issue' then read this again CAREFULLY, and note that
most of the problem in helping you is NOT your "technical
knowledge of AD/Microsoft etc" but the lack of SPECIFICITY
in the report.

And for performance problems that means MEASURE, as
well as INSPECT the traffic (if it's a net issue). (Netmon or
something similar.)

No one can fix, "It's slow...". Not even if they are standing there
next to you.

They would first have to figure out what "It's slow" means.

Then isolate the components to see which one is causing or
can improve the situation.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
rodge
2006-01-21 15:24:21 UTC
Permalink
Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine maindc, is a DC.
* Connecting to directory service on server maindc.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 29 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Main\MAINDC
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MAINDC passed test Connectivity

Doing primary tests

Testing server: Main\MAINDC
Starting test: Replications
* Replications Check
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
MAINDC: Current time is 2006-01-21 10:04:41.
CN=Schema,CN=Configuration,DC=func,DC=com
Last replication recieved from SMITHSBURG at 2006-01-20
05:59:09.
Latency information for 31 entries in the vector were ignored.
31 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=func,DC=com
Last replication recieved from SMITHSBURG at 2006-01-20
05:59:05.
Latency information for 31 entries in the vector were ignored.
31 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=func,DC=com
Last replication recieved from SMITHSBURG at 2006-01-20
05:59:12.
Latency information for 29 entries in the vector were ignored.
29 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=ForestDnsZones,DC=func,DC=com
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=func,DC=com
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
REPLICATION-RECEIVED LATENCY WARNING

Source site:

CN=NTDS Site
Settings,CN=Smithsburg,CN=Sites,CN=Configuration,DC=func,DC=com

Current time: 2006-01-21 10:04:41

Last update time: 2006-01-20 05:52:02

Check if source site has an elected ISTG running.

Check replication from source site to this server.
......................... MAINDC passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
DC=ForestDnsZones,DC=func,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=func,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=func,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=func,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=func,DC=com
(Domain,Version 2)
......................... MAINDC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... MAINDC passed test NetLogons
Starting test: Advertising
The DC MAINDC is advertising itself as a DC and having a DS.
The DC MAINDC is advertising as an LDAP server
The DC MAINDC is advertising as having a writeable directory
The DC MAINDC is advertising as a Key Distribution Center
The DC MAINDC is advertising as a time server
......................... MAINDC passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com
Role PDC Owner = CN=NTDS
Settings,CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com
Role Rid Owner = CN=NTDS
Settings,CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com
......................... MAINDC passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 35105 to 1073741823
* maindc.func.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 33605 to 34104
* rIDPreviousAllocationPool is 33605 to 34104
* rIDNextRID: 33615
......................... MAINDC passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/maindc.func.com/func.com
* SPN found :LDAP/maindc.func.com
* SPN found :LDAP/MAINDC
* SPN found :LDAP/maindc.func.com/FUNC
* SPN found
:LDAP/5079dbb1-ebb0-4c86-acef-839d2b0813f9._msdcs.func.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/5079dbb1-ebb0-4c86-acef-839d2b0813f9/func.com
* SPN found :HOST/maindc.func.com/func.com
* SPN found :HOST/maindc.func.com
* SPN found :HOST/MAINDC
* SPN found :HOST/maindc.func.com/FUNC
* SPN found :GC/maindc.func.com/func.com
......................... MAINDC passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... MAINDC passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
MAINDC is in domain DC=func,DC=com
Checking for CN=MAINDC,OU=Domain Controllers,DC=func,DC=com in
domain DC=func,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com in domain CN=Configuration,DC=func,DC=com on 1 servers
Object is up-to-date on all servers.
......................... MAINDC passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... MAINDC passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may
cause

Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 01/21/2006 01:03:40
(Event String could not be retrieved)
......................... MAINDC failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 01/21/2006 09:51:57
Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.



Site:

CN=Smithsburg,CN=Sites,CN=Configuration,DC=func,DC=com



Directory partition:

DC=func,DC=com

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=func,DC=com


An Error Event occured. EventID: 0xC000051F
Time Generated: 01/21/2006 09:51:57
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.



Directory partition:

DC=func,DC=com



There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.



User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.



If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 01/21/2006 09:51:57
Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.



Sites:

CN=Smithsburg,CN=Sites,CN=Configuration,DC=func,DC=com

An Warning Event occured. EventID: 0x8000061E
Time Generated: 01/21/2006 09:51:57
Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.



Site:

CN=Smithsburg,CN=Sites,CN=Configuration,DC=func,DC=com



Directory partition:

CN=Configuration,DC=func,DC=com

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=func,DC=com


An Error Event occured. EventID: 0xC000051F
Time Generated: 01/21/2006 09:51:57
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.



Directory partition:

CN=Configuration,DC=func,DC=com



There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.



User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.



If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 01/21/2006 09:51:57
Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.



Sites:

CN=Smithsburg,CN=Sites,CN=Configuration,DC=func,DC=com

An Warning Event occured. EventID: 0x80000785
Time Generated: 01/21/2006 09:52:18
Event String: The attempt to establish a replication link for

the following writable directory partition

failed.



Directory partition:

DC=func,DC=com

Source domain controller:

CN=NTDS
Settings,CN=SMITHSBURG,CN=Servers,CN=Smithsburg,CN=Sites,CN=Configuration,DC=func,DC=com



Source domain controller address:

cc1015f9-6a43-4453-87f7-ca841faec694._msdcs.func.com



Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=func,DC=com





This domain controller will be unable to

replicate with the source domain controller until

this problem is corrected.



User Action

Verify if the source domain controller is

accessible or network connectivity is available.



Additional Data

Error value:

1722 The RPC server is unavailable.
......................... MAINDC failed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... MAINDC passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=MAINDC,OU=Domain Controllers,DC=func,DC=com and backlink on

CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com

are correct.
The system object reference (frsComputerReferenceBL)

CN=MAINDC,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=func,DC=com

and backlink on CN=MAINDC,OU=Domain Controllers,DC=func,DC=com are

correct.
The system object reference (serverReferenceBL)

CN=MAINDC,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=func,DC=com

and backlink on

CN=NTDS
Settings,CN=MAINDC,CN=Servers,CN=Main,CN=Sites,CN=Configuration,DC=func,DC=com

are correct.
......................... MAINDC passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : func
Starting test: CrossRefValidation
......................... func passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... func passed test CheckSDRefDom

Running enterprise tests on : func.com
Starting test: Intersite
Skipping site Belair, this site is outside the scope provided by the

command line arguments provided.
Skipping site Moorefield, this site is outside the scope provided by

the command line arguments provided.
Skipping site EdwinMiller, this site is outside the scope provided by

the command line arguments provided.
Skipping site Tritowns, this site is outside the scope provided by
the

command line arguments provided.
Skipping site Centercity, this site is outside the scope provided by

the command line arguments provided.
Skipping site Hagoakfirst, this site is outside the scope provided by

the command line arguments provided.
Skipping site Barton, this site is outside the scope provided by the

command line arguments provided.
Skipping site SBerkeley, this site is outside the scope provided by

the command line arguments provided.
Skipping site MBurgOakFirst, this site is outside the scope provided

by the command line arguments provided.
Skipping site Sabraton, this site is outside the scope provided by
the

command line arguments provided.
Skipping site SFoxcroft, this site is outside the scope provided by

the command line arguments provided.
Skipping site Starcity, this site is outside the scope provided by
the

command line arguments provided.
Skipping site Martinsburg, this site is outside the scope provided by

the command line arguments provided.
Skipping site Potomac, this site is outside the scope provided by the

command line arguments provided.
Skipping site Littman, this site is outside the scope provided by the

command line arguments provided.
Skipping site Keyser, this site is outside the scope provided by the

command line arguments provided.
Skipping site Lake, this site is outside the scope provided by the

command line arguments provided.
Skipping site Grantsville, this site is outside the scope provided by

the command line arguments provided.
Skipping site Friendsville, this site is outside the scope provided
by

the command line arguments provided.
Skipping site Frostburg, this site is outside the scope provided by

the command line arguments provided.
Skipping site Whiteoaks, this site is outside the scope provided by

the command line arguments provided.
Skipping site Hagerstown, this site is outside the scope provided by

the command line arguments provided.
Skipping site Smithsburg, this site is outside the scope provided by

the command line arguments provided.
Skipping site Ballenger, this site is outside the scope provided by

the command line arguments provided.
Skipping site Riverside, this site is outside the scope provided by

the command line arguments provided.
Skipping site Myersville, this site is outside the scope provided by

the command line arguments provided.
Skipping site Main, this site is outside the scope provided by the

command line arguments provided.
......................... func.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\midtowns.func.com
Locator Flags: 0xe00001fc
PDC Name: \\maindc.func.com
Locator Flags: 0xe00003f9
Time Server Name: \\maindc.func.com
Locator Flags: 0xe00003f9
Preferred Time Server Name: \\maindc.func.com
Locator Flags: 0xe00003f9
KDC Name: \\maindc.func.com
Locator Flags: 0xe00003f9
......................... func.com passed test FsmoCheck
rodge
2006-01-21 15:51:02 UTC
Permalink
netdiag:


Gathering IPX configuration information.
Opening \Device\NwlnkIpx failed
Querying status of the Netcard drivers... Passed
Testing IpConfig - pinging the Primary WINS server... Passed
Testing Domain membership... Passed
Gathering NetBT configuration information.
Testing for autoconfiguration... Passed
Testing IP loopback ping... Passed
Testing default gateways... Passed
Enumerating local and remote NetBT name cache... Passed
Testing the WINS server
Local Area Connection 2
Sending name query to primary WINS server 10.0.8.80 -
querying name MAINDC on server 10.0.8.80
bytes sent 50
Passed
There is no secondary WINS server defined for this adapter.
Gathering Winsock information.
Testing DNS
PASS - All the DNS entries for DC are registered on DNS server
'10.0.8.45' and other DCs also have some of the names registered.
Testing redirector and browser... Passed
Testing DC discovery.
Looking for a DC
Looking for a PDC emulator
Looking for a Windows 2000 DC
Gathering the list of Domain Controllers for domain 'FUNC'
DC list for domain FUNC:
hagerstown.func.com [DS] Site: Hagerstown
Cannot get information for DC hagerstown.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
FROSTBURG.FUNC.COM [DS] Site: Frostburg
Cannot get information for DC FROSTBURG.FUNC.COM.
[ERROR_NETNAME_DELETED] Assume it is down.
GRANTSVILLE.func.com [DS] Site: Grantsville
Cannot get information for DC GRANTSVILLE.func.com.
[NERR_ServerNotStarted] Assume it is down.
FRIENDSVILLE.func.com [DS] Site: Friendsville
Cannot get information for DC FRIENDSVILLE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
RIVERSIDE.func.com [DS] Site: Riverside
Cannot get information for DC RIVERSIDE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
BALLENGER.func.com [DS] Site: Ballenger
Cannot get information for DC BALLENGER.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
smithsburg.func.com [DS] Site: Smithsburg
Lake.func.com [DS] Site: Lake
whiteoaks.func.com [DS] Site: Whiteoaks
Cannot get information for DC whiteoaks.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
centercity.func.com [DS] Site: Centercity
Cannot get information for DC centercity.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Moorefield.func.com [DS] Site: Moorefield
Cannot get information for DC Moorefield.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Tritowns.func.com [DS] Site: Tritowns
Cannot get information for DC Tritowns.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Belair.func.com [DS] Site: Belair
BARTON.func.com [DS] Site: Barton
martinsburg.func.com [DS] Site: Martinsburg
Cannot get information for DC martinsburg.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sberkeley.func.com [DS] Site: SBerkeley
Cannot get information for DC sberkeley.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sfoxcroft.func.com [DS] Site: SFoxcroft
Cannot get information for DC sfoxcroft.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
EdwinMiller.func.com [DS] Site: EdwinMiller
Cannot get information for DC EdwinMiller.func.com.
[NERR_ServerNotStarted] Assume it is down.
midtowns.func.com [DS] Site: Main
sabraton.func.com [DS] Site: Sabraton
Cannot get information for DC sabraton.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
mburgoakfirst.func.com [DS] Site: MBurgOakFirst
Cannot get information for DC mburgoakfirst.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
hagoakfirst.func.com [DS] Site: Hagoakfirst
Cannot get information for DC hagoakfirst.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
starcity.func.com [DS] Site: Starcity
Cannot get information for DC starcity.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
myersvilledc.func.com [DS] Site: Myersville
Cannot get information for DC myersvilledc.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
tsdc.func.com [DS] Site: Main
keyserdc.func.com [DS] Site: Keyser
Cannot get information for DC keyserdc.func.com. [NERR_ServerNotStarted]
Assume it is down.
lattmandc.func.com [DS] Site: Littman
maindc.func.com [PDC emulator] [DS] Site: Main
potomacdc.func.com [DS] Site: Potomac
Cannot get information for DC potomacdc.func.com.
[NERR_ServerNotStarted] Assume it is down.
Cannot get information for DC BARTON.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Cannot get information for DC Belair.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Cannot get information for DC Lake.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Testing trust relationships... Skipped
Testing Kerberos authentication... Passed
Testing LDAP servers in Domain FUNC ...
Gathering routing information
Gathering configuration of bindings.
Gathering RAS connection information
Gathering Modem information
Gathering Netware information
Gathering IP Security information

Tests complete.


Computer Name: MAINDC
DNS Host Name: maindc.func.com
DNS Domain Name: func.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
Hotfixes :
Installed? Name
Yes KB890046
Yes KB893756
Yes KB896358
Yes KB896422
Yes KB896424
Yes KB896428
Yes KB896688
Yes KB898715
Yes KB899587
Yes KB899588
Yes KB899589
Yes KB899591
Yes KB900725
Yes KB901017
Yes KB901214
Yes KB902400
Yes KB904706
Yes KB905414
Yes KB905915
Yes KB908519
Yes KB910437
Yes KB912919
Yes Q147222


Netcard queries test . . . . . . . : Passed
Herb Martin
2006-01-22 12:35:36 UTC
Permalink
You have (at least) problems with missing names for DCs
and with FRS (file replication service) for SysVol and
since you are also using DFS you may have other problems
with DFS based on FRS.

If you run DCDiag on each of the other (especially) problem
DCs you should see further errors (due to their inability to
register themselves).

You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
those but likely you will first need to repair your DNS configuration.
(see below for hints).

[I am not quite sure why your DNS is not showing MORE errors
in DCDiag though. ]

Quick try on FRS: Do you have firewalls that might be preventing
this replication? Otherwise this may clear up when the DNS problems
are fixed.

Most common reasons for DNS issues (which might also affect the
FRS) are EITHER:

1) Zone (primary etc) is not DYNAMIC
2) DCs are NOT set STRICTLY to use INTERNAL DNS
(on their NIC properties)
3) DCs cannot find or cannot contact the Primary/Master
(routing, firewalls, etc) to perform the registration
4) Multiple Masters (AD Integrated) are NOT replicating,
OR Secondaries cannot copy records from their Master

Tell us about your DNS? AD Integrated? Single Primary?
Dynamic for the zone that corresponds to your AD Domain?
(See below for Hints.)

Hints on DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
--
Herb Martin
Post by rodge
Gathering IPX configuration information.
Opening \Device\NwlnkIpx failed
Querying status of the Netcard drivers... Passed
Testing IpConfig - pinging the Primary WINS server... Passed
Testing Domain membership... Passed
Gathering NetBT configuration information.
Testing for autoconfiguration... Passed
Testing IP loopback ping... Passed
Testing default gateways... Passed
Enumerating local and remote NetBT name cache... Passed
Testing the WINS server
Local Area Connection 2
Sending name query to primary WINS server 10.0.8.80 -
querying name MAINDC on server 10.0.8.80
bytes sent 50
Passed
There is no secondary WINS server defined for this adapter.
Gathering Winsock information.
Testing DNS
PASS - All the DNS entries for DC are registered on DNS server
'10.0.8.45' and other DCs also have some of the names registered.
Testing redirector and browser... Passed
Testing DC discovery.
Looking for a DC
Looking for a PDC emulator
Looking for a Windows 2000 DC
Gathering the list of Domain Controllers for domain 'FUNC'
hagerstown.func.com [DS] Site: Hagerstown
Cannot get information for DC hagerstown.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
FROSTBURG.FUNC.COM [DS] Site: Frostburg
Cannot get information for DC FROSTBURG.FUNC.COM.
[ERROR_NETNAME_DELETED] Assume it is down.
GRANTSVILLE.func.com [DS] Site: Grantsville
Cannot get information for DC GRANTSVILLE.func.com.
[NERR_ServerNotStarted] Assume it is down.
FRIENDSVILLE.func.com [DS] Site: Friendsville
Cannot get information for DC FRIENDSVILLE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
RIVERSIDE.func.com [DS] Site: Riverside
Cannot get information for DC RIVERSIDE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
BALLENGER.func.com [DS] Site: Ballenger
Cannot get information for DC BALLENGER.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
smithsburg.func.com [DS] Site: Smithsburg
Lake.func.com [DS] Site: Lake
whiteoaks.func.com [DS] Site: Whiteoaks
Cannot get information for DC whiteoaks.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
centercity.func.com [DS] Site: Centercity
Cannot get information for DC centercity.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Moorefield.func.com [DS] Site: Moorefield
Cannot get information for DC Moorefield.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Tritowns.func.com [DS] Site: Tritowns
Cannot get information for DC Tritowns.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
Belair.func.com [DS] Site: Belair
BARTON.func.com [DS] Site: Barton
martinsburg.func.com [DS] Site: Martinsburg
Cannot get information for DC martinsburg.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sberkeley.func.com [DS] Site: SBerkeley
Cannot get information for DC sberkeley.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sfoxcroft.func.com [DS] Site: SFoxcroft
Cannot get information for DC sfoxcroft.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
EdwinMiller.func.com [DS] Site: EdwinMiller
Cannot get information for DC EdwinMiller.func.com.
[NERR_ServerNotStarted] Assume it is down.
midtowns.func.com [DS] Site: Main
sabraton.func.com [DS] Site: Sabraton
Cannot get information for DC sabraton.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
mburgoakfirst.func.com [DS] Site: MBurgOakFirst
Cannot get information for DC mburgoakfirst.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
hagoakfirst.func.com [DS] Site: Hagoakfirst
Cannot get information for DC hagoakfirst.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
starcity.func.com [DS] Site: Starcity
Cannot get information for DC starcity.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
myersvilledc.func.com [DS] Site: Myersville
Cannot get information for DC myersvilledc.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
tsdc.func.com [DS] Site: Main
keyserdc.func.com [DS] Site: Keyser
Cannot get information for DC keyserdc.func.com.
[NERR_ServerNotStarted]
Assume it is down.
lattmandc.func.com [DS] Site: Littman
maindc.func.com [PDC emulator] [DS] Site: Main
potomacdc.func.com [DS] Site: Potomac
Cannot get information for DC potomacdc.func.com.
[NERR_ServerNotStarted] Assume it is down.
Cannot get information for DC BARTON.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Cannot get information for DC Belair.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Cannot get information for DC Lake.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Testing trust relationships... Skipped
Testing Kerberos authentication... Passed
Testing LDAP servers in Domain FUNC ...
Gathering routing information
Gathering configuration of bindings.
Gathering RAS connection information
Gathering Modem information
Gathering Netware information
Gathering IP Security information
Tests complete.
Computer Name: MAINDC
DNS Host Name: maindc.func.com
DNS Domain Name: func.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
Installed? Name
Yes KB890046
Yes KB893756
Yes KB896358
Yes KB896422
Yes KB896424
Yes KB896428
Yes KB896688
Yes KB898715
Yes KB899587
Yes KB899588
Yes KB899589
Yes KB899591
Yes KB900725
Yes KB901017
Yes KB901214
Yes KB902400
Yes KB904706
Yes KB905414
Yes KB905915
Yes KB908519
Yes KB910437
Yes KB912919
Yes Q147222
Netcard queries test . . . . . . . : Passed
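Herb's advice in both of his replies is to capture DCDiag (and NetDiag)
output to a text file and search it for FAIL, WARN and ERROR. The block
below is an added example written for this thread (not the posters' code
and not part of Microsoft's tools) that does that over constructed sample
lines shaped like the output rodge posted, and goes a little further: it
records each test's pass/fail result, pulls out the event codes DCDiag
prints and converts them to the numbers Event Viewer shows (the low 16 bits
of the code), and lists the DCs that NetDiag's DC discovery "assumes down".
The samples are constructed; real output may differ between tool versions.

```python
"""Triage captured DCDiag and NetDiag output.

Added example for this thread, not the posters' or Microsoft's code.
The two sample texts are constructed to match the shape of the output
posted above (including the tool's own spelling of "occured").
"""
import re

DCDIAG_SAMPLE = """\
Testing server: Main\\MAINDC
   Starting test: Replications
      REPLICATION-RECEIVED LATENCY WARNING
      MAINDC:   Current time is 2006-01-21 10:04:41.
         CN=Configuration,DC=func,DC=com
            Last replication recieved from SMITHSBURG at 2006-01-20 05:59:05.
      ......................... MAINDC passed test Replications
   Starting test: frsevent
      An Warning Event occured.  EventID: 0x800034C4
      ......................... MAINDC failed test frsevent
   Starting test: kccevent
      An Error Event occured.  EventID: 0xC000051F
      An Warning Event occured.  EventID: 0x80000749
      ......................... MAINDC failed test kccevent
   Starting test: systemlog
      Found no errors in System Event log in the last 60 minutes.
      ......................... MAINDC passed test systemlog
"""

NETDIAG_SAMPLE = """\
    DC list for domain FUNC:
        hagerstown.func.com [DS] Site: Hagerstown
            Cannot get information for DC hagerstown.func.com.
            [ERROR_NETNAME_DELETED] Assume it is down.
        smithsburg.func.com [DS] Site: Smithsburg
        keyserdc.func.com [DS] Site: Keyser
            Cannot get information for DC keyserdc.func.com. [NERR_ServerNotStarted] Assume it is down.
        maindc.func.com [PDC emulator] [DS] Site: Main
"""

TEST_START_RE = re.compile(r"Starting test:\s+(\S+)")
TEST_RESULT_RE = re.compile(r"\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
# "occur+ed" accepts both the tool's "occured" and the correct spelling.
EVENT_RE = re.compile(r"An\s+(Warning|Error)\s+Event\s+occur+ed\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")
FLAG_RE = re.compile(r"\b(FAIL|WARN|ERROR)", re.IGNORECASE)
# \s+ spans the line wrap NetDiag puts before the bracketed reason.
DOWN_RE = re.compile(r"Cannot get information for DC (\S+)\.\s+\[(\w+)\]\s+Assume it is down")
DC_LINE_RE = re.compile(r"^\s*(\S+\.\S+)\s+\[.*\]\s+Site:\s+(\S+)", re.MULTILINE)


def dcdiag_summary(text):
    """Per-test results, decoded events and the raw keyword hits."""
    results, events, flagged = {}, [], []
    current = None
    for line in text.splitlines():
        m = TEST_START_RE.search(line)
        if m:
            current = m.group(1)
        m = EVENT_RE.search(line)
        if m:
            # DCDiag prints the full status code; Event Viewer shows the low 16 bits.
            events.append((current, m.group(1), int(m.group(2), 16) & 0xFFFF))
        m = TEST_RESULT_RE.search(line)
        if m:
            results[m.group(3)] = m.group(2)
        if FLAG_RE.search(line):
            flagged.append(line.strip())
    failed = sorted(t for t, status in results.items() if status == "failed")
    return {"results": results, "failed": failed, "events": events, "flagged": flagged}


def netdiag_dc_status(text):
    """[(dc, site, reason-or-None)] for every DC in NetDiag's DC list."""
    down = {dc: reason for dc, reason in DOWN_RE.findall(text)}
    return [(dc, site, down.get(dc)) for dc, site in DC_LINE_RE.findall(text)]


if __name__ == "__main__":
    summary = dcdiag_summary(DCDIAG_SAMPLE)
    print("failed tests:", summary["failed"])
    for test, severity, event_id in summary["events"]:
        print(f"  {test}: {severity} event {event_id}")
    for dc, site, reason in netdiag_dc_status(NETDIAG_SAMPLE):
        print(f"  {dc:<24} {site:<12} {'DOWN (' + reason + ')' if reason else 'ok'}")
```

The keyword search alone is noisy: in the sample it also flags the line
"Found no errors in System Event log", which is why the per-test result
and the event list are the fields worth acting on. To run it over real
captures, read each DC's saved DCDiag file and pass the text in place of
the constructed sample.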
rodge
2006-01-23 17:37:02 UTC
Permalink
Herb,

Yes, I saw those errors (missing DC names), and I have seen them before. I
opened a case with Microsoft support for them before and we were able to
clear up that problem, but I will look into that again.
DFS and SYSVOL are definitely a weak spot for me, but I did notice that in
the SYSVOL directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slightly different names. I
moved them to another directory temporarily. The scripts folder was less than
200 KB, but the policy folder was 15 MB; not sure if that is normal or not.

I did notice what you said about the DFS replication, I think. I had created
a script on Friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon (but maybe replmon does not replicate
DFS, I am not sure).

There are no local firewalls that would prevent DFS replication; the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the ISP
router that takes care of local traffic on our WAN.

Our DNS was a single primary zone when I arrived here and through the help of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there are
more than likely issues there, but I did work with someone from Microsoft to
make sure that the network setting for each DC was correct. Each DC looks to
our main office DC (maindc) for DNS first and has itself second. I honestly
don't know what you mean by dynamic for the zone supporting AD? I think you
mean under the DNS snap-in, if I look at the domain properties, it should be
set to dynamic updates? Is that correct? We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Post by Herb Martin
You have (at least) problems missing names for DCs
and with FRS (file replication service) for SysVol and
since you are also using DFS you may have other problems
with DFS based on FRS.
If you run DCDiag on each of the other (especially) problem
DCs you should see further errors (due to their inability to
register themselves).
You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
those but likely you will first need to repair your DNS configuration.
(see below for hints).
[I am not quite sure why your DNS is not showing MORE errors
in DCDiag though. ]
Quick try on FRS: Do you have firewalls that might be preventing
this replication? Otherwise this may clear up when the DNS problems
are fixed.
Most common reasons for DNS issue (which might also affect the
1) Zone (primary etc) is not DYNAMIC
2) DCs are NOT set STRICTLY to use INTERNAL DNS
(on their NIC properties)
3) DCs cannot find or cannot contact the Primary/Master
(routing, firewalls, etc) to perform the registration
4) Multiple Masters (AD Integrated) are NOT replicating,
OR Secondaries cannot copy records from their Master
Tell us about your DNS? AD Integrated? Single Primary?
Dynamic for the zone that corresponds to your AD Domain?
(See below for Hints.)
Hints on DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)
netdiag /fix
dcdiag /fix
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
--
Herb Martin
Post by rodge
Gathering IPX configuration information.
Opening \Device\NwlnkIpx failed
Querying status of the Netcard drivers... Passed
Testing IpConfig - pinging the Primary WINS server... Passed
Testing Domain membership... Passed
Gathering NetBT configuration information.
Testing for autoconfiguration... Passed
Testing IP loopback ping... Passed
Testing default gateways... Passed
Enumerating local and remote NetBT name cache... Passed
Testing the WINS server
Local Area Connection 2
Sending name query to primary WINS server 10.0.8.80 -
querying name MAINDC on server 10.0.8.80
bytes sent 50
Passed
There is no secondary WINS server defined for this adapter.
Gathering Winsock information.
Testing DNS
PASS - All the DNS entries for DC are registered on DNS server
'10.0.8.45' and other DCs also have some of the names registered.
Testing redirector and browser... Passed
Testing DC discovery.
Looking for a DC
Looking for a PDC emulator
Looking for a Windows 2000 DC
Gathering the list of Domain Controllers for domain 'FUNC'
hagerstown.func.com [DS] Site: Hagerstown
Cannot get information for DC hagerstown.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
FROSTBURG.FUNC.COM [DS] Site: Frostburg
Cannot get information for DC FROSTBURG.FUNC.COM.
[ERROR_NETNAME_DELETED] Assume it is down.
GRANTSVILLE.func.com [DS] Site: Grantsville
Cannot get information for DC GRANTSVILLE.func.com.
[NERR_ServerNotStarted] Assume it is down.
FRIENDSVILLE.func.com [DS] Site: Friendsville
Cannot get information for DC FRIENDSVILLE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
RIVERSIDE.func.com [DS] Site: Riverside
Cannot get information for DC RIVERSIDE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
BALLENGER.func.com [DS] Site: Ballenger
Cannot get information for DC BALLENGER.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
smithsburg.func.com [DS] Site: Smithsburg
Lake.func.com [DS] Site: Lake
whiteoaks.func.com [DS] Site: Whiteoaks
Cannot get information for DC whiteoaks.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
centercity.func.com [DS] Site: Centercity
Cannot get information for DC centercity.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Moorefield.func.com [DS] Site: Moorefield
Cannot get information for DC Moorefield.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Tritowns.func.com [DS] Site: Tritowns
Cannot get information for DC Tritowns.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
Belair.func.com [DS] Site: Belair
BARTON.func.com [DS] Site: Barton
martinsburg.func.com [DS] Site: Martinsburg
Cannot get information for DC martinsburg.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sberkeley.func.com [DS] Site: SBerkeley
Cannot get information for DC sberkeley.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sfoxcroft.func.com [DS] Site: SFoxcroft
Cannot get information for DC sfoxcroft.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
EdwinMiller.func.com [DS] Site: EdwinMiller
Cannot get information for DC EdwinMiller.func.com.
[NERR_ServerNotStarted] Assume it is down.
midtowns.func.com [DS] Site: Main
sabraton.func.com [DS] Site: Sabraton
Cannot get information for DC sabraton.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
mburgoakfirst.func.com [DS] Site: MBurgOakFirst
Cannot get information for DC mburgoakfirst.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
hagoakfirst.func.com [DS] Site: Hagoakfirst
Cannot get information for DC hagoakfirst.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
starcity.func.com [DS] Site: Starcity
Cannot get information for DC starcity.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
myersvilledc.func.com [DS] Site: Myersville
Cannot get information for DC myersvilledc.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
tsdc.func.com [DS] Site: Main
keyserdc.func.com [DS] Site: Keyser
Cannot get information for DC keyserdc.func.com.
[NERR_ServerNotStarted]
Assume it is down.
lattmandc.func.com [DS] Site: Littman
maindc.func.com [PDC emulator] [DS] Site: Main
potomacdc.func.com [DS] Site: Potomac
Cannot get information for DC potomacdc.func.com.
[NERR_ServerNotStarted] Assume it is down.
Cannot get information for DC BARTON.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Cannot get information for DC Belair.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Cannot get information for DC Lake.func.com. [ERROR_NETNAME_DELETED]
Assume it is down.
Testing trust relationships... Skipped
Testing Kerberos authentication... Passed
Testing LDAP servers in Domain FUNC ...
Gathering routing information
Gathering configuration of bindings.
Gathering RAS connection information
Gathering Modem information
Gathering Netware information
Gathering IP Security information
Tests complete.
Computer Name: MAINDC
DNS Host Name: maindc.func.com
DNS Domain Name: func.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
Installed? Name
Yes KB890046
Yes KB893756
Yes KB896358
Yes KB896422
Yes KB896424
Yes KB896428
Yes KB896688
Yes KB898715
Yes KB899587
Yes KB899588
Yes KB899589
Yes KB899591
Yes KB900725
Yes KB901017
Yes KB901214
Yes KB902400
Yes KB904706
Yes KB905414
Yes KB905915
Yes KB908519
Yes KB910437
Yes KB912919
Yes Q147222
Netcard queries test . . . . . . . : Passed
Herb Martin
2006-01-23 22:22:31 UTC
Post by rodge
Herb,
yes, I saw those errors(missing dc names), and I have seen them before. I
opened a case with Micorsoft support for them before and We were able to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.

It's easy to fix and we can help you with that.

Keys were in my previous email.

You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.

You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.

You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slighly different names. I
moved them to another directory temporarily.
Why?
Post by rodge
The scripts folder was less than
200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)

Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created
a script on friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon(but maybe replmon does replicate
dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the isp
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?

Can you even ping between them? By name or just by number?
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there are
more than likely issues there, but I did work with someone from Microsoft to
make sure that the network setting for each DC was correct.
You would do better telling me WHAT those setting are....

I cannot troubleshoot "they are correct" but I might be able to
help with they are "set like this..."
Post by rodge
Each DC looks to
our main office DC (maindc) for DNS first and has itself second.
That may be best until your problem is solved BUT ultimately that
is not the best way for WANs. (And you will hear the naive DNS
admins recommend it for both cases.)

In fact, if you NEED to put the MainDC first (to get out of a problem)
then you NEED to TEMPORARILY REMOVE the other DNS (itself.)

You cannot trust WHICH DNS a machine will use when there are
more than one, and with WANs it is more likely to use itself anyway.

[Once things are working correctly you should put SELF-FIRST, others
after.]

What happens when you use Ping and NSlookup from a DC to seek
one of those problem DCs?
Post by rodge
I honestly
don't know what you mean by dynamic for the zone supporting AD?
Your DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.

Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
Post by rodge
I think you
mean under the dns snapin, if I look at the domain properties, it should be
set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Pick a remote DC (that is showing an error.)

Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.

Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
and that each Site link is set to:

1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set

24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.

But DO MAKE Sure you have AT LEAST the one SiteLink to
between Main-EachRemoteSite.

Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)

Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
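Herb's advice above ("send the output to a text file, and search for FAIL, ERROR, WARN") and the NetDiag "DC discovery" listing rodge posted can be turned into a small script. The following is an added example, not code from the thread or from either poster: it parses a constructed excerpt shaped like the posted NetDiag output, groups the DCs that NetDiag "assumed down" by the error code it gave, and scans a constructed DCDiag excerpt for the three keywords. The sample text, helper names and regular expressions are this example's own assumptions.

```python
"""
Added example (not code from the thread or from either poster): turn Herb's
"send DCDiag/NetDiag output to a text file and search for FAIL, ERROR, WARN"
into a script that also summarises the NetDiag "DC discovery" section
rodge posted. Both samples below are constructed excerpts shaped like the
posted output; the helper names are this example's own.
"""
import re

# Constructed excerpt of NetDiag "DC discovery" output, shortened from the thread.
NETDIAG_SAMPLE = """\
Gathering the list of Domain Controllers for domain 'FUNC'
    hagerstown.func.com [DS] Site: Hagerstown
        Cannot get information for DC hagerstown.func.com.
        [ERROR_NETNAME_DELETED] Assume it is down.
    GRANTSVILLE.func.com [DS] Site: Grantsville
        Cannot get information for DC GRANTSVILLE.func.com.
        [NERR_ServerNotStarted] Assume it is down.
    smithsburg.func.com [DS] Site: Smithsburg
    Lake.func.com [DS] Site: Lake
    maindc.func.com [PDC emulator] [DS] Site: Main
    Cannot get information for DC Lake.func.com. [ERROR_NETNAME_DELETED]
    Assume it is down.
"""

# Constructed DCDiag excerpt; the "passed/failed test" lines follow the real format.
DCDIAG_SAMPLE = """\
   Testing server: Hagerstown\\HAGERSTOWN
      Starting test: Connectivity
         ......................... HAGERSTOWN passed test Connectivity
      Starting test: Replications
         [Replications Check,HAGERSTOWN] A recent replication attempt failed:
         ......................... HAGERSTOWN failed test Replications
      Starting test: frssysvol
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.
         ......................... HAGERSTOWN passed test frssysvol
"""

# "<fqdn> [role]... Site: <site>" lines from the DC list.
DC_LINE = re.compile(r"^\s*([\w.-]+)((?:\s+\[[^\]]+\])+)\s+Site:\s*(\S+)", re.M)
# "Cannot get information for DC <fqdn>." followed (same line or next) by "[<code>]".
FAIL_LINE = re.compile(r"Cannot get information for DC ([\w.-]+)\.\s*\[(\w+)\]")
PROBLEM_WORD = re.compile(r"\b(FAIL|ERROR|WARN)", re.I)


def parse_dc_discovery(text):
    """Map each DC (lower-cased FQDN) to its site, roles and NetDiag error code, if any."""
    dcs = {}
    for m in DC_LINE.finditer(text):
        name, roles, site = m.groups()
        dcs[name.lower()] = {"site": site,
                             "roles": re.findall(r"\[([^\]]+)\]", roles),
                             "error": None}
    for m in FAIL_LINE.finditer(text):
        name, code = m.group(1).lower(), m.group(2)
        dcs.setdefault(name, {"site": "?", "roles": [], "error": None})["error"] = code
    return dcs


def unreachable(dcs):
    """Group the DCs NetDiag 'assumed down' by the error code it reported."""
    by_code = {}
    for name, info in sorted(dcs.items()):
        if info["error"]:
            by_code.setdefault(info["error"], []).append(name)
    return by_code


def scan_dcdiag(text):
    """Herb's grep: (line number, line) for every line mentioning FAIL, ERROR or WARN."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if PROBLEM_WORD.search(line)]


if __name__ == "__main__":
    dcs = parse_dc_discovery(NETDIAG_SAMPLE)
    down = unreachable(dcs)
    print(f"{len(dcs)} DCs listed, {sum(len(v) for v in down.values())} unreachable")
    for code, names in down.items():
        print(f"  {code}: {', '.join(names)}")
    for n, line in scan_dcdiag(DCDIAG_SAMPLE):
        print(f"dcdiag line {n}: {line}")
```

In practice you would run `netdiag > netdiag.txt` and `dcdiag > dcdiag.txt` on each DC and feed those files in. Grouping by code is the useful part: ERROR_NETNAME_DELETED ("the specified network name is no longer available") and NERR_ServerNotStarted ("the Server service is not started") point at different things, a name/path that cannot be reached versus a service that is not up on the target, so they are worth chasing separately rather than as one "assume it is down" pile.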
rodge
2006-01-24 03:57:03 UTC
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors(missing dc names), and I have seen them before. I
opened a case with Microsoft support for them before and we were able to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slightly different names. I
moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, it looks to me
like they were renamed because they are no longer used.
Post by Herb Martin
Post by rodge
The scripts folder was less than
200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created
a script on friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon (but maybe replmon does replicate
dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the isp
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote DC and I can contact the remote
DCs from maindc. I tried just pinging by name first and then I tried opening
a UNC path by name (Start, Run, \\servername\sharename) and had success either
way.
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there are
more than likely issues there, but I did work with someone from Microsoft to
make sure that the network setting for each DC was correct.
You would do better telling me WHAT those setting are....
which settings do you mean? The NIC settings or the settings in the DNS
snapin?
I'll give you the NIC settings. Is there a utility I can use to pull the DNS
snapin settings?
Post by Herb Martin
I cannot trouble shoot "they are correct" but I might be able to
help with they are "set like this..."
NIC settings are as I described before: primary DNS is maindc, and secondary
is the DC itself. This made sense to me when the Microsoft engineer told me
to set it up this way because maindc is at the main office and the main
office contains the only internet access for the entire company. I guess I
was thinking it would help with traffic. I can certainly change that though.
Post by Herb Martin
Post by rodge
Each DC looks to
our main office DC (maindc) for DNS first and has itself second.
That may be best until your problem is solved BUT ultimately that
is not the best way for WANs. (And you will hear the naive DNS
admins recommend it for both cases.)
In fact, if you NEED to put the MainDC first (to get out of a problem)
then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
You cannot trust WHICH DNS a machine will use when there are
more than one, and with WANs it is more likely to use itself anyway.
[Once things are working correctly you should put SELF-FIRST, others
after.]
What happens when you use Ping and NSlookup from a DC to seek
one of those problem DCs?
I have no issues from any domain controllers using ping and nslookup.
Post by Herb Martin
Post by rodge
I honestly
don't know what you mean by dynamic for the zone supporting AD?
Your DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.
yes, they are all set for secure updates.
Post by Herb Martin
Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
I thought I already told you that I switch to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
Post by Herb Martin
Post by rodge
I think you
mean under the dns snapin, if I look at the domain properties, it should be
set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Pick a remote DC (that is showing an error.)
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set
yes, all set this way.
Post by Herb Martin
24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.
But DO MAKE Sure you have AT LEAST the one SiteLink to
between Main-EachRemoteSite.
Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)
I have removed a few DCs, but I always run ntdsutil metadata cleanup to
make sure dcpromo ran correctly.
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
Scavenging is set up for 7 days.
Herb Martin
2006-01-24 14:07:14 UTC
Permalink
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
Yes, I saw those errors (missing dc names), and I have seen them before. I
opened a case with Microsoft support for them before and we were able to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MMC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slightly different names. I
moved them to another directory temporarily.
Why?
Based on the names of the folders and the modification dates, it looks to me
like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than
200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created
a script on friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon(but maybe replmon does replicate
dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the ISP
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote
dc's from maindc. I tried just pinging by name first and then I tried opening
a unc path by name, start-run- \\servername\sharename and had success either
way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there is no restrictive firewalls
between them.)

!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)

You might still have DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there
are more than likely issues there, but I did work with someone from Microsoft
to make sure that the network setting for each DC was correct.
You would do better telling me WHAT those setting are....
which settings do you mean? The NIC settings or the settings in the dns
snapin?
Explicitly I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.

Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the nic settings. Is there a utility I can use to pull the dns
snapin settings?
Yes, but they aren't real convenient.
Post by rodge
Post by Herb Martin
I cannot trouble shoot "they are correct" but I might be able to
help with they are "set like this..."
nic settings are as I described before, primary dns is maindc, and secondary
is the dc itself.
Better to do this through "ipconfig/all".

By the way: There is no such thing as "Primary" or "Secondary"
on the NIC (those are SERVER side technical terms.) It's
Preferred and Alternate.
Post by rodge
This made sense to me when the microsoft engineer told me
to set it up this way because maindc is at the main office and the main
office contains the only internet access for the entire company. I guess I
was thinking it would help with traffic. I can certainly change that though.
Don't think it is going to make it work if you change this --
whether the computer uses Preferred or Alternate is ALWAYS
SOMEWHAT random.

It will just be more efficient to let the server resolve locally
(from itself).

BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main)
Post by rodge
Post by Herb Martin
You DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.
yes, they are all set for secure updates.
Then they are set for DYNAMIC updates. (Secure is a form of
dynamic.)
Post by rodge
Post by Herb Martin
Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
I thought I already told you that I switch to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
On every DNS-DC? I thought you just did that on the MainDC.

Each DNS-DC can be set separately. But you get the most
advantages when they are all AD-integrated BUT you must
make sure you have FULL AD replication before you make
that switch on more than one of them (e.g., main.)
Post by rodge
Post by Herb Martin
Post by rodge
I think you
mean under the dns snapin, if I look at the domain properties, it should
be set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Pick a remote DC (that is showing an error.)
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set
yes, all set this way.
Post by Herb Martin
24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.
But DO MAKE Sure you have AT LEAST the one SiteLink to
between Main-EachRemoteSite.
Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)
I have removed a few dc's, but I always run ntdsutil metadata cleanup to
make sure dcpromo ran correctly
Ok, but if you use DCPromo the NTDSutil is merely a double check.
Post by rodge
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
Scavenging is setup for 7 days
There are three settings for scavenging:

Refresh, NoRefresh (both on zone), and Scavenging period on Server
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Each DC looks to
our main office dc(maindc) for DNS first and has itself second.
That may be best until your problem is solved BUT ultimately that
is not the best way for WANS. (And you will hear the naive DNS
admins recommend it for both cases.)
In fact, if you NEED to put the MainDC first (to get out of a problem)
then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
You cannot trust WHICH DNS a machine will use when there are
more than one, and with WANS it is more likely to use itself anyway.
[Once things are working correctly you should put SELF-FIRST, others
after.]
What happens when you use Ping and NSlookup from a DC to seek
one of those problem DCs?
I have no issues from any domain controllers using ping and nslookup.
Post by Herb Martin
Post by rodge
I honestly
don't know what you mean by dynamic for the zone supporting AD?
Post by rodge
Post by Herb Martin
You have (at least) problems missing names for DCs
and with FRS (file replication service) for SysVol and
since you are also using DFS you may have other problems
with DFS based on FRS.
If you run DCDiag on each of the other (especially) problem
DCs you should see further errors (due to their inability to
register themselves.)
You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
those but likely you will first need to repair your DNS configuration.
(see below for hints).
[I am not quite sure why your DNS is not showing MORE errors
in DCDiag though. ]
Quick try on FRS: Do you have firewalls that might be preventing
this replication? Otherwise this may clear up when the DNS problems
are fixed.
Most common reasons for DNS issue (which might also affect the
1) Zone (primary etc) is not DYNAMIC
2) DCs are NOT set STRICTLY to use INTERNAL DNS
(on their NIC properties)
3) DCs cannot find or cannot contact the Primary/Master
(routing, firewalls, etc) to perform the registration
4) Multiple Masters (AD Integrated) are NOT replicating,
OR Secondaries cannot copy records from their Master
Tell us about your DNS? AD Integrated? Single Primary?
Dynamic for the zone that corresponds to your AD Domain?
(See below for Hints.)
Hints on DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)
netdiag /fix
dcdiag /fix
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
--
Herb Martin
Post by rodge
Gathering IPX configuration information.
Opening \Device\NwlnkIpx failed
Querying status of the Netcard drivers... Passed
Testing IpConfig - pinging the Primary WINS server... Passed
Testing Domain membership... Passed
Gathering NetBT configuration information.
Testing for autoconfiguration... Passed
Testing IP loopback ping... Passed
Testing default gateways... Passed
Enumerating local and remote NetBT name cache... Passed
Testing the WINS server
Local Area Connection 2
Sending name query to primary WINS server 10.0.8.80 -
querying name MAINDC on server 10.0.8.80
bytes sent 50
Passed
There is no secondary WINS server defined for this adapter.
Gathering Winsock information.
Testing DNS
PASS - All the DNS entries for DC are registered on DNS server
'10.0.8.45' and other DCs also have some of the names registered.
Testing redirector and browser... Passed
Testing DC discovery.
Looking for a DC
Looking for a PDC emulator
Looking for a Windows 2000 DC
Gathering the list of Domain Controllers for domain 'FUNC'
hagerstown.func.com [DS] Site: Hagerstown
Cannot get information for DC hagerstown.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
FROSTBURG.FUNC.COM [DS] Site: Frostburg
Cannot get information for DC FROSTBURG.FUNC.COM.
[ERROR_NETNAME_DELETED] Assume it is down.
GRANTSVILLE.func.com [DS] Site: Grantsville
Cannot get information for DC GRANTSVILLE.func.com.
[NERR_ServerNotStarted] Assume it is down.
FRIENDSVILLE.func.com [DS] Site: Friendsville
Cannot get information for DC FRIENDSVILLE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
RIVERSIDE.func.com [DS] Site: Riverside
Cannot get information for DC RIVERSIDE.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
BALLENGER.func.com [DS] Site: Ballenger
Cannot get information for DC BALLENGER.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
smithsburg.func.com [DS] Site: Smithsburg
Lake.func.com [DS] Site: Lake
whiteoaks.func.com [DS] Site: Whiteoaks
Cannot get information for DC whiteoaks.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
centercity.func.com [DS] Site: Centercity
Cannot get information for DC centercity.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Moorefield.func.com [DS] Site: Moorefield
Cannot get information for DC Moorefield.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
Tritowns.func.com [DS] Site: Tritowns
Cannot get information for DC Tritowns.func.com.
[ERROR_NETNAME_DELETED]
Assume it is down.
Belair.func.com [DS] Site: Belair
BARTON.func.com [DS] Site: Barton
martinsburg.func.com [DS] Site: Martinsburg
Cannot get information for DC martinsburg.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sberkeley.func.com [DS] Site: SBerkeley
Cannot get information for DC sberkeley.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
sfoxcroft.func.com [DS] Site: SFoxcroft
Cannot get information for DC sfoxcroft.func.com.
[ERROR_NETNAME_DELETED] Assume it is down.
EdwinMiller.func.com [DS] Site: EdwinMiller
Cannot get information for DC EdwinMiller.func.com.
[NERR_ServerNotStarted] Assume it is down.
midtowns.func.com [DS] Site: Main
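Herb's checklist in the reply above (is the zone dynamic, what are the Refresh/NoRefresh and scavenging settings, what does each DC's NIC actually point at, run DCDiag on each DC into a text file and search it for FAIL, ERROR, WARN) can be run in one pass from an admin workstation. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes Windows PowerShell 5.1 with the RSAT DnsServer module, PowerShell remoting enabled on the DCs, dcdiag.exe in PATH, an elevated domain-admin session, and DCs new enough for the DnsServer cmdlets (Server 2012 or later), which the Windows 2000/2003 DCs in the thread are not. The zone name and DC names are taken from the thread; the output folder and the four-DC sample are arbitrary choices.

```powershell
# Added example, not from the thread. See the lead-in for what it assumes.
$Zone = 'func.com'
$Dcs  = 'midtowns', 'hagerstown', 'frostburg', 'grantsville' | ForEach-Object { "$_.$Zone" }
$Out  = Join-Path $env:TEMP 'ad-check'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

function Get-DcDnsHealth {
    param([string]$Dc)

    # (1) Zone settings as seen by THIS DC's DNS service. With AD-integrated
    #     zones they should match on every DC; a mismatch is itself a sign
    #     that AD replication is broken.
    $zone  = Get-DnsServerZone       -Name $Zone -ComputerName $Dc -ErrorAction SilentlyContinue
    $aging = Get-DnsServerZoneAging  -Name $Zone -ComputerName $Dc -ErrorAction SilentlyContinue
    $scav  = Get-DnsServerScavenging -ComputerName $Dc             -ErrorAction SilentlyContinue

    # (2) The resolver list on the DC's own NIC(s), the same thing
    #     "ipconfig /all" shows under "DNS Servers".
    $nicDns = Invoke-Command -ComputerName $Dc -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    }

    # (3) DCDiag to a per-DC file (/s targets a remote DC, /f writes the
    #     report), then Herb's search for FAIL / ERROR / WARN.
    $log = Join-Path $Out "$Dc.dcdiag.txt"
    & dcdiag.exe /s:$Dc /f:$log | Out-Null
    $hits = @(Select-String -Path $log -Pattern 'FAIL|ERROR|WARN' -CaseSensitive)

    [pscustomobject]@{
        Dc            = $Dc
        AdIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate        # want Secure (or NonsecureAndSecure); None = not dynamic
        NoRefresh     = $aging.NoRefreshInterval   # zone-side aging settings Herb lists
        Refresh       = $aging.RefreshInterval
        ScavengeEvery = $scav.ScavengingInterval   # server-side; 0 means this server never scavenges
        NicDns        = ($nicDns -join ', ')       # end state Herb wants: self first, main alternate
        DcDiagHits    = $hits.Count
        Log           = $log
    }
}

$report = $Dcs | ForEach-Object { Get-DcDnsHealth -Dc $_ }
$report | Format-Table Dc, AdIntegrated, DynamicUpdate, NoRefresh, Refresh, ScavengeEvery, NicDns, DcDiagHits -AutoSize

# Any DC whose zone is not dynamic, or whose setting differs from the first DC's, deserves a look
$report | Where-Object { $_.DynamicUpdate -eq 'None' -or $_.DynamicUpdate -ne $report[0].DynamicUpdate }

# The matching DCDiag lines themselves, grouped per DC
Get-ChildItem $Out -Filter *.dcdiag.txt |
    Select-String -Pattern 'FAIL|ERROR|WARN' -CaseSensitive |
    Format-Table Filename, LineNumber, Line -AutoSize
```

The per-DC comparison matters more than any single value: with AD-integrated zones, a DC whose DynamicUpdate or aging settings differ from the others is one that has not been receiving AD replication, which is the failure mode Herb describes.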
rodge
2006-01-24 19:17:19 UTC
Permalink
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
Yes, I saw those errors (missing dc names), and I have seen them before. I
opened a case with Microsoft support for them before and we were able to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MMC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slightly different names. I
moved them to another directory temporarily.
Why?
Based on the names of the folders and the modification dates, it looks to me
like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than
200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created
a script on friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon(but maybe replmon does replicate
dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the ISP
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote
dc's from maindc. I tried just pinging by name first and then I tried opening
a unc path by name, start-run- \\servername\sharename and had success either
way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there is no restrictive firewalls
between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there
are more than likely issues there, but I did work with someone from Microsoft
to make sure that the network setting for each DC was correct.
You would do better telling me WHAT those setting are....
which settings do you mean? The NIC settings or the settings in the dns
snapin?
Explicitly I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
That was simply the nic settings. The issue I opened at that time was not a
dns issue and the engineer had actually helped me with many other things, but
not dns setup as far as the console goes. He did ask me to go to each dc and
set maindc as preferred dns server and list the dc itself as alternate. so,
10.0.8.45 for preferred, 10.0.some number based on the site.2 for alternate.
Those are the only settings we discussed. They were not set that way before
we started. This was a long time ago, and not long after I started in this
position. Before that we were not using ad integrated dns.
Post by Herb Martin
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the nic settings. Is there a utility I can use to pull the dns
snapin settings?
Yes, but they aren't real convenient.
If we're only concerned with nic settings, then I guess it won't matter
anyway.
Post by Herb Martin
Post by rodge
Post by Herb Martin
I cannot trouble shoot "they are correct" but I might be able to
help with they are "set like this..."
nic settings are as I described before, primary dns is maindc, and secondary
is the dc itself.
Better to do this through "ipconfig/all".
By the way: There is no such thing as "Primary" or "Secondary"
on the NIC (those are SERVER side technical terms.) It's
Preferred and Alternate.
Post by rodge
This made sense to me when the microsoft engineer told me
to set it up this way because maindc is at the main office and the main
office contains the only internet access for the entire company. I guess I
was thinking it would help with traffic. I can certainly change that though.
Don't think it is going to make it work if you change this --
whether the computer uses Preferred or Alternate is ALWAYS
SOMEWHAT random.
By change I meant remove maindc from the remote dc's nic settings as
preferred, isn't that what you said to do???
What if my firewall through my isp doesn't allow the dns port for the
subnets other than the main office.
Post by Herb Martin
It will just be more efficient to let the server resolve locally
(from itself).
Okay, this may be something I was not fully understanding about dns, I
forget that with ad integrated the db is local and I guess that means that
the remote servers can get the dns info they need locally, until they can't
find the info, then they look to forwarders? So, should maindc be set up as a
forwarder for all remote dc's? Another thing I get confused on is whether to
make changes to the zone in the console or to the dc in the console.
Post by Herb Martin
BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main)
so how do I make sure it is being replicated correctly, just replmon?
Post by Herb Martin
Post by rodge
Post by Herb Martin
You DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.
yes, they are all set for secure updates.
Then they are set for DYNAMIC updates. (Secure is a form of
dynamic.)
Post by rodge
Post by Herb Martin
Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
I thought I already told you that I switch to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
On every DNS-DC? I thought you just did that on the MainDC.
yes on every dc.Every dc is running dns and every dc is using ad integrated
dns, isn't that the way it is supposed to be setup; i.e. best practice?
Post by Herb Martin
Each DNS-DC can be set separately. But you get the most
advantages when they are all AD-integrated BUT you must
make sure you have FULL AD replication before you make
that switch on more than one of them (e.g., main.)
Post by rodge
Post by Herb Martin
Post by rodge
I think you
mean under the dns snapin, if I look at the domain properties, it should
be set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Pick a remote DC (that is showing an error.)
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
we have 25 - 30 dc's at this point, I couldn't even get half of the netdiag
result pasted here from maindc. You are asking me to post the info here,
right? How?
Post by Herb Martin
Post by rodge
Post by Herb Martin
Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set
yes, all set this way.
Post by Herb Martin
24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.
But DO MAKE Sure you have AT LEAST the one SiteLink to
between Main-EachRemoteSite.
Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)
I have removed a few dc's, but I always run ntdsutil metadata cleanup to
make sure dcpromo ran correctly
Ok, but if you use DCPromo the NTDSutil is merely a double check.
Exactly, that is what I said.
Post by Herb Martin
Post by rodge
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
that was a suggestion from the same engineer from MS. I didn't realize until
recently that that can cause problems, I read it somewhere else in the past
week or so.
Post by Herb Martin
Post by rodge
Scavenging is setup for 7 days
Refresh, NoRefresh (both on zone), and Scavenging period on Server
Yes, I can see that. I wasn't able to find recommended settings anywhere
though.
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Each DC looks to
our main office dc(maindc) for DNS first and has itself second.
That may be best until your problem is solved BUT ultimately that
is not the best way for WANS. (And you will hear the naive DNS
admins recommend it for both cases.)
In fact, if you NEED to put the MainDC first (to get out of a problem)
then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
You cannot trust WHICH DNS a machine will use when there are
more than one, and with WANS it is more likely to use itself anyway.
[Once things are working correctly you should put SELF-FIRST, others
after.]
What happens when you use Ping and NSlookup from a DC to seek
one of those problem DCs?
I have no issues from any domain controllers using ping and nslookup.
Post by Herb Martin
Post by rodge
I honestly
don't know what you mean by dynamic for the zone supporting AD?
Post by rodge
Post by Herb Martin
You have (at least) problems missing names for DCs
and with FRS (file replication service) for SysVol and
since you are also using DFS you may have other problems
with DFS based on FRS.
If you run DCDiag on each of the other (especially) problem
DCs you should see further errors (due to their inability to
register themselves.)
You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
those but likely you will first need to repair your DNS configuration.
(see below for hints).
[I am not quite sure why your DNS is not showing MORE errors
in DCDiag though. ]
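rodge asks above what exactly to change on the NIC, whether the ISP firewall might be blocking the DNS port for subnets other than the main office, and how to confirm DNS is replicating. Herb's reply that follows on this page answers with a two-stage procedure (maindc as the ONLY resolver until AD replicates, then self first with maindc as alternate, re-registering with NetLogon or nltest in between), suggests Netcat or Telnet for the port check, and says to go and look at the DC's entries in _msdcs. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes Windows PowerShell 5.1 with the DnsClient and NetTCPIP modules, PowerShell remoting to the DCs, nltest.exe in PATH and an elevated domain-admin session. 10.0.8.45 (maindc) and the DC names are from the thread; the per-site addresses in the table are constructed, following rodge's "10.0.site.2" description. Run the second stage only after repadmin /replsummary shows no failures.

```powershell
# Added example, not from the thread. See the lead-in for what it assumes.
$Domain    = 'func.com'
$MainDns   = '10.0.8.45'
# Constructed: remote DC -> the address of its own DNS service
$RemoteDcs = @{ 'hagerstown.func.com' = '10.0.10.2'; 'frostburg.func.com' = '10.0.11.2' }

function Test-DnsPort {
    param([string]$From, [string]$To, [string]$Zone)
    # Run ON the remote DC, against maindc: TCP 53 is a plain connect test;
    # UDP 53 is a real SOA query pinned to that server with -DnsOnly (no
    # cache, no other resolvers), which is what Herb's Netcat suggestion is for.
    Invoke-Command -ComputerName $From -ArgumentList $To, $Zone -ScriptBlock {
        param($To, $Zone)
        $tcp = (Test-NetConnection -ComputerName $To -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
        $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $To -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{ From = $env:COMPUTERNAME; To = $To; Tcp53 = $tcp; Udp53 = [bool]$soa }
    }
}

function Set-DcResolvers {
    param([string]$Dc, [ValidateSet('MainOnly', 'SelfFirst')][string]$Stage)
    # Stage 1 (MainOnly): maindc is the only resolver on the NIC, so there is
    # no doubt which DNS server the DC registers with. Stage 2 (SelfFirst):
    # self preferred, maindc alternate, once replication is known to work.
    $servers = if ($Stage -eq 'MainOnly') { @($MainDns) } else { @($RemoteDcs[$Dc], $MainDns) }
    Invoke-Command -ComputerName $Dc -ArgumentList (, $servers) -ScriptBlock {
        param($servers)
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |             # only adapters that had resolvers set
            ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $servers }
        Restart-Service Netlogon                               # re-registers the DC's SRV/A records
    }
    & nltest.exe /dsregdns /server:$Dc | Out-Null              # the nltest step from Herb's hints
}

function Test-DcRegistered {
    param([string]$Dc, [string]$DnsServer)
    # What THIS DNS server holds for the DC: its A record, and whether it is
    # listed in the _ldap._tcp.dc._msdcs SRV set that clients use to find a DC.
    $a   = Resolve-DnsName -Name $Dc -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'A'
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV' | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    [pscustomobject]@{ Dc = $Dc; DnsServer = $DnsServer; HasA = [bool]$a; InMsdcs = ($srv -contains $Dc.ToLower()) }
}

# Stage 1: prove port 53 is open from each remote DC to maindc, then pin them to maindc only
foreach ($dc in $RemoteDcs.Keys) {
    Test-DnsPort -From $dc -To $MainDns -Zone $Domain
    Set-DcResolvers -Dc $dc -Stage MainOnly
}

# Stage 2 (run later, once "repadmin /replsummary" shows no failures):
# self first, maindc alternate, then confirm both servers hold the DC's records.
foreach ($dc in $RemoteDcs.Keys) {
    Set-DcResolvers -Dc $dc -Stage SelfFirst
    Test-DcRegistered -Dc $dc -DnsServer $MainDns
    Test-DcRegistered -Dc $dc -DnsServer $RemoteDcs[$dc]
}
```

If Tcp53 is true but Udp53 is false from a remote DC, the ISP firewall is the problem rodge suspects, and no NIC change will fix it. A DC that shows HasA and InMsdcs as true on maindc but false on its own DNS service after stage 2 is the "local DNS not correctly replicated" case Herb warns about, and that DC should go back to stage 1 until AD replication is repaired.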
Herb Martin
2006-01-25 06:10:21 UTC
Permalink
Post by rodge
What if my firewall through my isp doesn't allow the dns port for the
subnets other than the main office.
YES. But you told me earlier there were no firewalls preventing
any traffic. Sometimes you can use the (free download) utility
Netcat (nc.exe) to check odd protocols (especially UDP) but Telnet
can check most TCP based protocols for minimal functionality.
Post by rodge
by change I meant remove maindc from the remote dc's nic settings as
preferred, isn't that what you said to do???
NO, that is not what I said. I said several things about it but the main
one was it was NOT causing your problem.

It should be changed (not removed) to ALTERNATE, once the problem
is fixed. For now, leave the main where it is so that you won't make
the problem worse.

In fact, down below, I am going to recommend you remove ALL BUT
the "main" TEMPORARILY. Get it replicating; then put back the local
as PRIMARY (with main as Alternate) BUT only after it is working.
Post by rodge
Post by Herb Martin
Explicity I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
that was simply the nic settings, the issue I opened at that time was not a
dns issue and the engineer had actually helped me with many other things,
Yes. My point is that you must say WHAT you set, not that they "are
correct".
Post by rodge
not dns setup as far as the console goes. He did ask me to go to each dc and
set maindc as preferred dns server and list the dc itself as alternate. so,
Then he was an amateur -- impersonating a professional.

In the cases where it is critical to use the "main DC" as preferred
then the OTHER DNS needs to be REMOVED to ensure it will
actually use the one you hope.

(Usually due to failure to replicate AD DNS over a period of time,
and perhaps with scavenging removing the opposite DCs from each
AD-DNS.)
Post by rodge
if we're only concerned with nic settings, then I guess it won't matter
anyway.
Well, you also need to make sure that DNS is accepting the
dynamic registrations -- it should be the same on every AD
DNS but make sure by looking (a failure to replicate could
leave them inconsistent.)
Post by rodge
by change I meant remove maindc from the remote dc's nic settings as
preferred, isn't that what you said to do???
What if my firewall through my isp doesn't allow the dns port for the
subnets other than the main office.
Post by Herb Martin
It will just be more efficient to let the server resolve locally
(from itself).
Okay, this may be something I was not fully understanding about dns, I
forget that with ad integrated the db is local
The above is true for ALL DNS (except stub) Zones whether on a
Primary, AD-Integrated, or even Secondary: The database is local
to that DNS server.
Post by rodge
and I guess that means that
the remote servers can get the dns info they need locally, until they can't
find the info, then they look to forwarders?
Yes, but forwarders should (practically) never be the issue for resolving
the SAME DOMAIN.

The local NIC settings (on DCs and clients) should point the computer
to the MOST EFFICIENT (e.g., local) DNS* as preferred and others
for fault tolerance as Alternates.

* BUT when we say local, we mean a DNS server that can resolve
EVERY NAME the client will EVER need. Clients assume that EVERY
DNS server "knows the same things" and that EVERY DNS server is
absolutely correct.
Post by rodge
So, should maindc be set up as a
forwarder for all remote dc's?
In general: No.

In specific: It depends on what OUTSIDE (e.g., the Internet) names
the "maindc" can assist to resolve -- and the shape of your WAN lines.

This is NOT the issue for INTERNAL (same Domain) resolution.
Post by rodge
Another thing get confused on is whether to
make changes to the zone in the console or to the dc in the console.
"the console" versus "the dc in the console" ????

What are the difference you intend? You make the changes to Preferred
and Alternate on the NIC->IP settings.

You make changes to the DNS service in the DNS MMC for the
particular server OR zone you are changing.
Post by rodge
Post by Herb Martin
BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main)
so how do I make sure it is being replicated correctly, just replmon?
Maybe -- since it is AD integrated but I would also do it by just going
and LOOKING. Check the main entries for a DC in several sample
sites, including in the _MSDCS zone/domain and in the _SITES
subdomains.

If it were a secondary then I would also try doing a manual "copy from
master."
Post by rodge
Post by Herb Martin
Post by rodge
I thought I already told you that I switch to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
On every DNS-DC? I thought you just did that on the MainDC.
Another DNS server might be set as a Secondary and would be
unaffected by changes to the AD-integrated DC.

This is especially true if the DC were already a Secondary before
you made the change of the Primary to AD-DNS.

If no one told the Secondary to change it is STILL a Secondary.
Post by rodge
yes on every dc.Every dc is running dns and every dc is using ad integrated
dns, isn't that the way it is supposed to be setup; i.e. best practice?
Best practice: Probably (I would do it that way the vast majority of the
time.)

BUT it is NOT automatic. Someone has to do that.

And notice if you had an AD Replication issue WHEN you made
this change, your AD might fail to replicate, but now DNS is based
on AD which will cause DNS replication to FAIL ALSO.

Now (in that case) you would have both AD and DNS screwed up.

The trick to fix this is to (temporarily) go back to using JUST ONE
("MainDC") as your ONLY DNS server on the other DCs NICs.

That is, pretend the other DNS servers don't exist -- remove them
from the NIC as "alternate". Restart each DC, or use NetDIAG /fix
or DCDiag /fix (or restart NetLogon service.)

You get the ONE MAIN DNS right. Get AD to replicate.

THEN you can make all of the other DNS server use themselves FIRST,
and the main as alternate.

Do you see the relationship here? Don't just "take my word for it" but
make sure you understand HOW this happens and how to fix it.....

Otherwise it just seems like the same thing that tech told you to
do (possibly incorrectly) and there is MUCH ROOM for you
to do it wrong through misunderstanding.
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
we have 25 - 30 dc's at this point, I couldn't even get half of the netdiag
result pasted here from maindc. You are asking me to post the info here,
right? How?
I didn't say to post it for ALL of them. Just the problem DC and main
(or a sample since you have many problem DCs.)

How? Send the output to a file, paste the file in or attach it.
Use TEXT don't use pictures. Attached file is usually best since
it doesn't mess up the line length.

Netdiag > computername.txt
DCDiag /f:DCname.txt
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
that was a suggestion from the same engineer from MS. I didn't realize until
recently that that can cause problems, I read it somewhere else in the past
week or so.
It's fine if you replicate reliably and don't make the settings too
short. The defaults of 7 + 7 + 7 days are about the shortest I
will recommend without a specific reason.
Post by rodge
Post by Herb Martin
Post by rodge
Scavenging is setup for 7 days
Refresh, NoRefresh (both on zone), and Scavenging period on Server
yes, I can see that, I wasn't able to find recommended settings anywhere
though.
Use the defaults unless you find a positive REASON for going
shorter.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors (missing dc names), and I have seen them before. I
opened a case with Microsoft support for them before and we were able to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MMC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slightly different names. I
moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, it looks to me
like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than
200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created
a script on friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon(but maybe replmon does replicate
dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the isp
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote
dc's from maindc. I tried just pinging by name first and then I tried opening
a unc path by name, start-run- \\servername\sharename and had success either
way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there are no restrictive firewalls
between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have a DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there are
more than likely issues there, but I did work with someone from Microsoft to
make sure that the network setting for each DC was correct.
You would do better telling me WHAT those settings are....
which settings do you mean? The NIC settings or the settings in the dns
snapin?
Explicitly I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
that was simply the nic settings, the issue I opened at that time was not a
dns issue and the engineer had actually helped me with many other things, but
not dns setup as far as the console goes. He did ask me to go to each dc and
set maindc as preferred dns server and list the dc itself as alternate. so,
10.0.8.45 for preferred, 10.0.some number based on the site.2 for alternate.
Those are the only settings we discussed. They were not set that way before
we started. This was a long time ago, and not long after I started in this
position. Before that we were not using ad integrated dns.
Post by Herb Martin
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the nic settings. Is there a utility I can use to pull the dns
snapin settings?
Yes, but they aren't real convenient.
if we're only concerned with nic settings, then I guess it won't matter
anyway.
Post by Herb Martin
Post by rodge
Post by Herb Martin
I cannot troubleshoot "they are correct" but I might be able to
help with they are "set like this..."
nic settings are as I described before, primary dns is maindc, and secondary
is the dc itself.
Better to do this through "ipconfig/all".
By the way: There is no such thing as "Primary" or "Secondary"
on the NIC (those are SERVER side technical terms.) It's
Preferred and Alternate.
Post by rodge
This made sense to me when the microsoft engineer told me
to set it up this way because maindc is at the main office and the main
office contains the only internet access for the entire company. I guess I
was thinking it would help with traffic. I can certainly change that though.
Don't think it is going to make it work if you change this --
whether the computer uses Preferred or Alternate is ALWAYS
SOMEWHAT random.
by change I meant remove maindc from the remote dc's nic settings as
preferred, isn't that what you said to do???
What if my firewall through my isp doesn't allow the dns port for the
subnets other than the main office.
Post by Herb Martin
It will just be more efficient to let the server resolve locally
(from itself).
Okay, this may be something I was not fully understanding about dns, I
forget that with ad integrated the db is local and I guess that means that
the remote servers can get the dns info they need locally, until they can't
find the info, then they look to forwarders? So, should maindc be set up as a
forwarder for all remote dc's? Another thing I get confused on is whether to
make changes to the zone in the console or to the dc in the console.
Post by Herb Martin
BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main)
so how do I make sure it is being replicated correctly, just replmon?
Post by Herb Martin
Post by rodge
Post by Herb Martin
Your DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.
yes, they are all set for secure updates.
Then they are set for DYNAMIC updates. (Secure is a form of
dynamic.)
Post by rodge
Post by Herb Martin
Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
I thought I already told you that I switched to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
On every DNS-DC? I thought you just did that on the MainDC.
yes, on every dc. Every dc is running dns and every dc is using ad integrated
dns, isn't that the way it is supposed to be set up; i.e., best practice?
Post by Herb Martin
Each DNS-DC can be set separately. But you get the most
advantages when they are all AD-integrated BUT you must
make sure you have FULL AD replication before you make
that switch on more than one of them (e.g., main.)
Post by rodge
Post by Herb Martin
Post by rodge
I think you
mean under the dns snapin, if I look at the domain properties, it should be
set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Pick a remote DC (that is showing an error.)
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
we have 25 - 30 dc's at this point, I couldn't even get half of the netdiag
result pasted here from maindc. You are asking me to post the info here,
right? How?
Post by Herb Martin
Post by rodge
Post by Herb Martin
Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set
yes, all set this way.
Post by Herb Martin
24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.
But DO MAKE Sure you have AT LEAST the one SiteLink
between Main-EachRemoteSite.
Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)
I have removed a few dc's, but I always run ntdsutil metadata cleanup to
make sure dcpromo ran correctly
Ok, but if you use DCPromo the NTDSutil is merely a double check.
exactly, that is what I said.
Post by Herb Martin
Post by rodge
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
that was a suggestion from the same engineer from MS. I didn't realize until
recently that that can cause problems, I read it somewhere else in the past
week or so.
Post by Herb Martin
Post by rodge
Scavenging is setup for 7 days
Refresh, NoRefresh (both on zone), and Scavenging period on Server
yes, I can see that, I wasn't able to find recommended settings anywhere
though.
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Each DC looks to
our main office dc(maindc) for DNS first and has itself second.
That may be best until your problem is solved BUT ultimately that
is not the best way for WANS. (And you will hear the naive DNS
admins recommend it for both cases.)
In fact, if you NEED to put the MainDC first (to get out of a problem)
then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
You cannot trust WHICH DNS a machine will use when there are
more than one, and with WANS it is more likely to use itself anyway.
[Once things are working correctly you should put SELF-FIRST, others
after.]
What happens when you use Ping and NSlookup from a DC to seek
one of those problem DCs?
I have no issues from any domain controllers using ping and nslookup.
Post by Herb Martin
Post by rodge
I honestly
don't know what you mean by dynamic for the zone supporting AD?
Post by rodge
Post by Herb Martin
You have (at least) problems missing names for DCs
and with FRS (file replication service) for SysVol and
since you are also using DFS you may have other problems
with DFS based on FRS.
If you run DCDiag on each of the other (especially) problem
DCs you should see further errors (due to their inability to
register themselves).
You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
those but likely you will first need to repair your DNS
configuration.
(see below for hints).
[I am not quite sure why your DNS is not showing MORE errors
in DCDiag though. ]
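The NIC DNS-server ordering Herb lays out above (ONLY the main DNS server while AD and DNS are being repaired, then the DC itself first with main as alternate) can be checked from the "ipconfig /all" output he asks for. The script below is an added example, not code from the thread or from Microsoft; the ipconfig text, the host name and the 10.0.12.x addresses are constructed, and 10.0.8.45 is the maindc address rodge gives.

```python
"""Audit a DC's DNS client (NIC) settings from "ipconfig /all" output.

Added example for this thread, not the poster's or a Microsoft tool.  Two
layouts are checked: the temporary "repair" layout (ONLY the main DNS
server, no alternate, since the resolver may use either entry) and the
steady-state layout (the DC itself first, main as alternate).
"""
import re

# Constructed sample: a remote DC set up the way rodge describes (maindc
# 10.0.8.45 as Preferred, itself as Alternate).  Host name, MAC and the
# 10.0.12.x addresses are made up for the example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : remotedc1
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.12.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.12.1
   DNS Servers . . . . . . . . . . . : 10.0.8.45
                                       10.0.12.2
"""

ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):$")
KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig_all(text):
    """Return {"host_name": str, "adapters": [{"name", "ip_addresses",
    "dns_servers"}, ...]}.  Additional DNS servers appear on continuation
    lines indented to the value column; that indent is how they are spotted."""
    result = {"host_name": None, "adapters": []}
    current, last_key = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = {"name": m.group(2), "ip_addresses": [], "dns_servers": []}
            result["adapters"].append(current)
            last_key = None
            continue
        indent = len(line) - len(line.lstrip())
        if indent > 10:                       # continuation of the previous key
            key, value = last_key, line.strip()
        else:
            m = KEY_RE.match(line)
            if not m:
                continue
            key, value = m.group(1).strip(), m.group(2).strip()
            last_key = key
        if not value:
            continue
        if current is None:                   # global header, before any adapter
            if key == "Host Name":
                result["host_name"] = value
        elif key in ("IP Address", "IPv4 Address"):
            current["ip_addresses"].append(value.replace("(Preferred)", "").strip())
        elif key == "DNS Servers":
            current["dns_servers"].append(value)
    return result


def check_dns_client(adapter, main_dns, mode, allowed=None):
    """Compare an adapter's DNS server list with the requested layout.
    mode="repair": exactly [main_dns] while AD/DNS replication is being fixed.
    mode="steady": the DC itself first, main_dns somewhere after it.
    `allowed` (optional) is the set of AD-integrated DNS servers; anything
    else on the NIC (an ISP resolver, say) is flagged in either mode.
    Returns a list of problem strings; an empty list means it conforms."""
    dns, own = adapter["dns_servers"], set(adapter["ip_addresses"])
    problems = []
    if mode == "repair":
        if dns != [main_dns]:
            problems.append(f"repair layout expects only {main_dns}, found {dns}")
    elif mode == "steady":
        if not dns:
            problems.append("no DNS servers configured")
        else:
            if dns[0] not in own:
                problems.append(f"preferred DNS {dns[0]} is not this DC itself")
            if main_dns not in dns[1:]:
                problems.append(f"main DNS {main_dns} is not listed as an alternate")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if allowed is not None:
        for server in dns:
            if server not in allowed:
                problems.append(f"{server} is not one of the AD-integrated DNS servers")
    return problems


if __name__ == "__main__":
    parsed = parse_ipconfig_all(SAMPLE_IPCONFIG)
    for adapter in parsed["adapters"]:
        for mode in ("repair", "steady"):
            issues = check_dns_client(adapter, "10.0.8.45", mode)
            print(parsed["host_name"], adapter["name"], mode, issues or "OK")
```

Run it against "ipconfig /all > dcname.txt" from each DC to see which ones still have maindc as Preferred, or which still list an alternate during the repair phase.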
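Herb's caution about scavenging above (fine if replication is reliable and the intervals are not too short) can be made concrete with a day-by-day model of the Refresh and NoRefresh intervals on the zone and the scavenging period on the server. This is an added example, not from the thread or Microsoft; it assumes the Netlogon default of one re-registration per day and one scavenging pass at the start of each scheduled day.

```python
"""Day-granular model of DNS aging/scavenging for a DC's dynamically
registered record.  Added example for this thread, not Microsoft code.

Zone settings: NoRefresh (an update that would only bump the timestamp is
suppressed) and Refresh (after which an unrefreshed record may be
scavenged).  Server setting: scavenging period.
A record is eligible once  now >= timestamp + NoRefresh + Refresh.
"""


def record_deletion_day(no_refresh, refresh, period, last_registration_day,
                        horizon_days=90):
    """Return the day (0 = first registration) on which the scavenging
    server deletes the record, or None if it survives `horizon_days`.

    Assumptions of this model (not a Microsoft statement): the DC attempts
    re-registration once a day up to `last_registration_day` inclusive
    (Netlogon's default is 24h); the scavenging server runs a pass first
    thing on day 0 and every `period` days; the timestamp it acts on is
    the one that actually replicated to it, so a DC whose updates never
    reach that server looks exactly like one that stopped registering,
    which is Herb's "replicate reliably" caveat."""
    timestamp = 0
    for day in range(horizon_days + 1):
        if day % period == 0 and day >= timestamp + no_refresh + refresh:
            return day                                  # scavenged
        if day <= last_registration_day and day >= timestamp + no_refresh:
            timestamp = day                             # refresh accepted
    return None


def grace_days(no_refresh, refresh, period, last_registration_day):
    """Days between a DC's last registration attempt and the loss of its
    record; None if the record survives the horizon."""
    gone = record_deletion_day(no_refresh, refresh, period, last_registration_day)
    return None if gone is None else gone - last_registration_day


if __name__ == "__main__":
    # The 7 / 7 / 7 defaults rodge has: a DC that can no longer register
    # (the thread's symptom) keeps its record for 11 more days in this model.
    print("7/7/7, stopped on day 10 ->", grace_days(7, 7, 7, 10))
    # Aggressively short intervals: two missed days and the record is gone.
    print("1/1/1, stopped on day 10 ->", grace_days(1, 1, 1, 10))
    # A DC that keeps registering is never scavenged with either setting.
    print("7/7/7, always registering ->", grace_days(7, 7, 7, 10**6))
```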
rodge
2006-01-24 20:40:02 UTC
Permalink
Herb,

here's some screwy stuff. I was at a remote site and noticed an old A
record in the dns console from the local dc. Did some checking and got no
real answers, so I connected to maindc. When I opened the dns console, the
server was listed as frostburg, which is a dc at another remote site. Closed
the dns console, opened again, same deal. Opened ip address management and
the dns snapin there was showing the local server as maindc as it should. So,
I restarted maindc, but now it's hung at applying computer settings. Tried to
connect to it from another dc at the same site as maindc and I get an error
message that maindc is not on the network??
Herb Martin
2006-01-25 06:13:48 UTC
Permalink
Post by rodge
Herb,
here's some screwey stuff. I was at a remote site and noticed an old a
record in the dns console from the local dc.
The DNS Console (MMC) names are largely cosmetic.

At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
Post by rodge
Did some checking and got no
real answers, so I connected to maindc. When I opened the dns console, the
server was listed as frostburg, which is a dc at another remote site. Closed
the dns console, opened again, same deal. Opened ip address management and
the dns snapin there was showing the local server as maindc as it should. So,
I restarted maindc, but now it's hung at applying computer settings. Tried to
connect to it from another dc at the same site as maindc and I get an error
message that maindc is not on the network??
You're saying that MainDC won't boot now?

First, if you have a way to make a backup -- DO SO.

You can try booting it in SAFE MODE (F8).

Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors(missing dc names), and I have seen them
before.
I
opened a case with Micorsoft support for them before and We were
able
to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MCC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice
that
in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slighly different
names.
I
moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, It looks
to
me
like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than
200 KB, but the policy folder was 15MB, not sure if that is normal
or
not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created
a script on friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon(but maybe replmon does replicate
dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under
the
isp
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote
dc's from maindc. I tried just pinging by name first and then I tried opening
a unc path by name, start-run- \\servername\sharename and had success either
way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there is no restrictive firewalls
between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through
use
of
folks on this community I switched to AD integrated DNS. I am
certain
there
was plenty I missed on setup because of using a community board, so
there
are
more than likely issues there, but I did work with someone from
Microsoft
to
make sure that the network setting for each DC was correct.
You would do better telling me WHAT those setting are....
which settings do you mean? The NIC settings or the settings in the dns
snapin?
Explicity I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the nic settings. Is there a utulity I can use to pull
the
dns
snapin settings?
Yes, but they aren't real convenient.
Post by rodge
Post by Herb Martin
I cannot trouble shoot "they are correct" but I might be able to
help with they are "set like this..."
nic settings are as I described before, primary dns is maindc, and secondary
is the dc itself.
Better to do this through "ipconfig/all".
By the way: There is no such thing as "Primary" or "Secondary"
on the NIC (those are SERVER side technical terms.) It's
Preferred and Alternate.
Post by rodge
This made sense to me when the microsoft engineer told me
to set it up this way because maindc is at the main office and the main
office contains the only internet access for the entire company. I guess I
was thinking it would help with traffic. I can certainly change that though.
Don't think it is going to make it work if you change this --
whether the computer uses Preferred or Alternate is ALWAYS
SOMEWHAT random.
It will just be more efficient to let the server resolve locally
(from itself).
BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main)
Post by rodge
Post by Herb Martin
You DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.
yes, they are all set for secure updates.
Then they are set for DYNAMIC updates. (Secure is a form of
dynamic.)
Post by rodge
Post by Herb Martin
Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
I thought I already told you that I switch to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
On every DNS-DC? I thought you just did that on the MainDC.
Each DNS-DC can be set separately. But you get the most
advantages when they are all AD-integrated BUT you must
make sure you have FULL AD replication before you make
that switch on more than one of them (e.g., main.)
Post by rodge
Post by Herb Martin
Post by rodge
I think you mean under the DNS snap-in, if I look at the domain properties, it
should be set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Pick a remote DC (that is showing an error.)
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set
yes, all set this way.
Post by Herb Martin
24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.
But DO MAKE Sure you have AT LEAST the one SiteLink
between Main-EachRemoteSite.
Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)
I have removed a few DCs, but I always run ntdsutil metadata cleanup to
make sure dcpromo ran correctly.
Ok, but if you use DCPromo the NTDSutil is merely a double check.
Post by rodge
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
Scavenging is set up for 7 days
Refresh, NoRefresh (both on zone), and Scavenging period on Server
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Each DC looks to
our main office dc(maindc) for DNS first and has itself second.
That may be best until your problem is solved BUT ultimately that
is not the best way for WANS. (And you will hear the naive DNS
admins recommend it for both cases.)
In fact, if you NEED to put the MainDC first (to get out of a problem)
then you NEED to TEMPORARILY REMOVE the other DNS (itself.)
You cannot trust WHICH DNS a machine will use when there are
more than one, and with WANS it is more likely to use itself anyway.
[Once things are working correctly you should put SELF-FIRST, others
after.]
What happens when you use Ping and NSlookup from a DC to seek
one of those problem DCs?
I have no issues from any domain controllers using ping and nslookup.
Post by Herb Martin
Post by rodge
I honestly
don't know what you mean by dynamic for the zone supporting AD?
Post by rodge
Post by Herb Martin
You have (at least) problems missing names for DCs
and with FRS (file replication service) for SysVol and
since you are also using DFS you may have other problems
with DFS based on FRS.
If you run DCDiag on each of the other (especially) problem
DCs you should see further errors (due to their inability to
register themselves.)
You might try, "DCDiag /fix" (or "NetDiag /fix") on each of
those but likely you will first need to repair your DNS
configuration.
(see below for hints).
[I am not quite sure why your DNS is not showing MORE errors
in DCDiag though.]
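The "self first, others after" rule Herb gives above, and his preference for an actual `ipconfig /all` dump over a description of it, can be checked mechanically. Below is an added example in Python (not code from the thread or from either poster) that parses the field layout `ipconfig /all` prints on Windows 2000/2003 and flags the configuration rodge describes, MainDC preferred and self alternate; the host names, addresses and the set of DNS-running DCs are constructed.

```python
"""Check DC DNS client settings against the 'self first, others after' rule.

Added example, not code from the thread. It parses the field layout that
``ipconfig /all`` prints on Windows 2000/2003/XP ('Host Name', 'IP Address',
'DNS Servers'; the newer 'IPv4 Address' label is accepted too).
"""
import re

# Constructed ipconfig /all output for two hypothetical DCs.
# MAINDC follows the rule; SITE5DC is the configuration described in the
# thread (MainDC preferred, self alternate) plus a non-DC server.
SAMPLE_MAINDC = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : MAINDC

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.0.1.10
   DNS Servers . . . . . . . . . . . : 10.0.1.10
                                       10.0.5.10
"""

SAMPLE_SITE5DC = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SITE5DC

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.0.5.10
   DNS Servers . . . . . . . . . . . : 10.0.1.10
                                       10.0.5.10
                                       192.0.2.53
"""

# Every DC that hosts the (dynamic, AD-integrated) zone; constructed set.
DNS_DCS = {"10.0.1.10", "10.0.5.10"}

# "   Field Name . . . . : value" and the deeply indented continuation lines
# ipconfig uses for the second and later entries of a list field.
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 -]+?)[ .]*: ?(.*)$")
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")


def parse_ipconfig(text):
    """Return {'host': str, 'ips': [...], 'dns': [...]} from ipconfig /all text."""
    cfg = {"host": "", "ips": [], "dns": []}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current, value = m.group(1).strip(), m.group(2).strip()
            if current == "Host Name":
                cfg["host"] = value
            elif current in ("IP Address", "IPv4 Address"):
                cfg["ips"].append(value.split("(")[0].strip())  # drop "(Preferred)"
            elif current == "DNS Servers" and value:
                cfg["dns"].append(value)
            continue
        m = CONT_RE.match(line)
        if m and current == "DNS Servers":
            cfg["dns"].append(m.group(1).strip())
    return cfg


def check_dns_order(cfg, dns_dcs):
    """Apply the thread's rule; an empty result means the host follows it."""
    findings = []
    own, servers = set(cfg["ips"]), cfg["dns"]
    if not servers:
        return ["no DNS servers configured on the NIC"]
    if servers[0] not in own:
        if own & set(servers):
            # Preferred/Alternate is not a reliable ordered fallback, so
            # self-as-alternate must become self-first, or be removed while
            # the main DC is deliberately used to get out of a problem.
            findings.append(f"self is listed after {servers[0]}; put self first "
                            "(or remove self while troubleshooting)")
        else:
            findings.append(f"self is not in the DNS server list (first is {servers[0]})")
    foreign = [s for s in servers if s not in dns_dcs]
    if foreign:
        findings.append("servers that are not DCs of this domain: " + ", ".join(foreign))
    return findings


def audit(dumps, dns_dcs=DNS_DCS):
    """Parse each dump and map host name -> findings (empty list = OK)."""
    return {c["host"]: check_dns_order(c, dns_dcs)
            for c in (parse_ipconfig(d) for d in dumps)}


if __name__ == "__main__":
    for host, found in audit([SAMPLE_MAINDC, SAMPLE_SITE5DC]).items():
        print(host + ":", "OK" if not found else "; ".join(found))
```

Feed it the saved output of `ipconfig /all` from each DC (one dump per host) and the real set of DNS-running DC addresses to get the per-host findings.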
rodge
2006-01-25 14:02:04 UTC
Permalink
Herb,

didn't get a chance to update you. I was finally able to get maindc to
completely boot. I had to go to another server 2003 dc, open computer
management and switch to maindc, I stopped the dns server service and the
netlogon service and maindc booted immediately. I had this issue before and
remembered stopping one of those two services to get it to boot then, but
couldn't remember which service it was, so I stopped both of them. Once it
was up, I started both services with no issues. I am not sure why, but I
couldn't find anything in the event viewer to indicate what the problem was.

even stranger now is the fact that when I open the dns console on maindc it
defaults to a remote server, frostburg. When I say that, I mean that it lists
the dns server as frostburg in the dns console, not maindc as it should. Just
out of curiosity, I tried uninstalling DNS from add/remove programs and
re-install, but without a reboot, but this had no effect. Then I opened ip
address management and it has the correct server listed in dns, so I'm not at
all sure what is going on.

when I mentioned the old host record on a remote server yesterday, the
server was smithsburg and the point I was trying to make was that scavenging
doesn't seem to be working, because I saw the same thing on maindc. I deleted
the record and at least now it doesn't resolve using nslookup to the wrong
computername. We're having a pretty bad snowstorm today, so I am not sure if
I'll be able to make it to the main office, but if I do, I will do a repair.
Do you think this issue is related to the problems we have been having?
Post by Herb Martin
Post by rodge
Herb,
here's some screwy stuff. I was at a remote site and noticed an old A
record in the dns console from the local dc.
The DNS Console (MMC) names are largely cosmetic.
At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
Post by rodge
Did some checking and got no
real answers, so I connected to maindc. When I opened the dns console, the
server was listed as frostburg, which is a dc at another remote site. Closed
the dns console, opened again, same deal. Opened ip address management and
the dns snapin there was showing the local server as maindc as it should. So,
I restarted maindc, but now it's hung at applying computer settings. Tried to
connect to it from another dc at the same site as maindc and I get an error
message that maindc is not on the network??
You're saying that MainDC won't boot now?
First, if you have a way to make a backup -- DO SO.
You can try booting it in SAFE MODE (F8).
Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
Yes, I saw those errors (missing DC names), and I have seen them before. I
opened a case with Microsoft support for them before and we were able to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MMC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slightly different names. I
moved them to another directory temporarily.
Why?
Based on the names of the folders and the modification dates, it looks to me
like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than 200 KB, but the policy folder was 15MB, not
sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the DFS replication, I think. I had created
a script on Friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon (but maybe replmon does replicate
DFS, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent DFS replication; the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the ISP
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote DC and I can contact the remote
DCs from maindc. I tried just pinging by name first and then I tried opening
a UNC path by name, Start-Run \\servername\sharename, and had success either
way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there are no restrictive firewalls
between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have DNS issues for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there are
more than likely issues there, but I did work with someone from Microsoft to
make sure that the network setting for each DC was correct.
You would do better telling me WHAT those settings are....
which settings do you mean? The NIC settings or the settings in the dns
snapin?
Explicitly I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the NIC settings. Is there a utility I can use to pull the DNS
snap-in settings?
Yes, but they aren't real convenient.
rodge
2006-01-25 14:05:03 UTC
Permalink
sorry, forgot to mention one other thing. I changed the view in the dns
console to advanced on 2 dc's, maindc and smithsburg and noticed that under
cached lookups it lists a folder called . and the type is standard primary.
Is that normal?
Herb Martin
2006-01-25 15:11:18 UTC
Permalink
Post by rodge
sorry, forgot to mention one other thing. I changed the view in the dns
console to advanced on 2 dc's, maindc and smithsburg and noticed that under
cached lookups it lists a folder called . and the type is standard primary.
Is that normal?
Absolutely normal. It is caching the results of lookups
it does (to other DNS servers.)

And the MMC showing particular servers is strictly
an administrator's customization.

And yes (your third message) it seems your DNS is
replicating (to at least some of) your other DNS servers.

Notice that deleting the computer account is ALWAYS
a separate admin job.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
here's some screwey stuff. I was at a remote site and noticed an old a
record in the dns console from the local dc.
The DNS Console (MMC) names are largely cosmetic.
At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
Post by rodge
Did some checking and got no
real answers, so I connected to maindc. When I opened the dns console, the
server was listed as frostburg, which is a dc at another remote site. Closed
the dns console, opened again, same deal. Opened ip address management and
the dns snapin there was showing the local server as maindc as it
should.
So,
I restarted maindc, but now it's hung at applying computer settings.
Tried
to
connect to it from another dc at the same site as maindc and I get an error
message that maindc is not on the network??
You're saying that MainDC won't boot now?
First, if you have a way to make a backup -- DO SO.
You can try booting it in SAFE MODE (F8).
Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors(missing dc names), and I have seen them
before.
I
opened a case with Micorsoft support for them before and We were
able
to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using
DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MCC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice
that
in
the sysvol directory, there were two extra folders that seemed to
be
copies
of the policies and scripts folders, but with slighly different
names.
I
moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, It looks
to
me
like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than
200 KB, but the policy folder was 15MB, not sure if that is normal
or
not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had
created
a script on friday and although I'm not sure how quickly that should
replicate, it did not, even with replmon(but maybe replmon does replicate
dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication,
the
only
firewall is for internet traffic and all internet traffic has to
go
through
one router at our main office. We have another router that sits under
the
isp
router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote
dc's from maindc. I tried just pinging by name first and then I
tried
opening
a unc path by name, start-run- \\servername\sharename and had
success
either
way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there is no restrictive firewalls
between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through
use
of
folks on this community I switched to AD integrated DNS. I am
certain
there
was plenty I missed on setup because of using a community board, so
there
are
more than likely issues there, but I did work with someone from
Microsoft
to
make sure that the network setting for each DC was correct.
You would do better telling me WHAT those setting are....
which settings do you mean? The NIC settings or the settings in the dns
snapin?
Explicity I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the nic settings. Is there a utulity I can use to pull
the
dns
snapin settings?
Yes, but they aren't real convenient.
Post by rodge
Post by Herb Martin
I cannot trouble shoot "they are correct" but I might be able to
help with they are "set like this..."
nic settings are as I described before, primary dns is maindc, and secondary
is the dc itself.
Better to do this through "ipconfig/all".
By the way: There is no such thing as "Primary" or "Secondary"
on the NIC (those are SERVER side technical terms.) It's
Preferred and Alternate.
Post by rodge
This made sense to me when the microsoft engineer told me
to set it up this way because maindc is at the main office and the main
office contains the only internet access for the entire company. I guess I
was thinking it would help with traffic. I can certainly change that though.
Don't think it is going to make it work if you change this --
whether the computer uses Preferred or Alternate is ALWAYS
SOMEWHAT random.
It will just be more efficient to let the server resolve locally
(from itself).
BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main)
Post by rodge
Post by Herb Martin
You DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.
yes, they are all set for secure updates.
Then they are set for DYNAMIC updates. (Secure is a form of
dynamic.)
Post by rodge
Post by Herb Martin
Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
I thought I already told you that I switch to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
On every DNS-DC? I thought you just did that on the MainDC.
Each DNS-DC can be set separately. But you get the most
advantages when they are all AD-integrated BUT you must
make sure you have FULL AD replication before you make
that switch on more than one of them (e.g., main.)
Post by rodge
Post by Herb Martin
Post by rodge
I think you
mean under the dns snapin, if I look at the domain properties, it
should
be
set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this point. I will look through your
response more deeply now and work through everything you mentioned. Is
there anything else that I could post here pertaining to our environment
that could be helpful?
Pick a remote DC (that is showing an error.)
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set
yes, all set this way.
Post by Herb Martin
24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.
But DO MAKE SURE you have AT LEAST the one SiteLink between
Main and each remote site.
Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)
I have removed a few DCs, but I always run ntdsutil metadata cleanup
to make sure dcpromo ran correctly
Ok, but if you use DCPromo the NTDSutil is merely a double check.
Post by rodge
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
Scavenging is set up for 7 days
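Herb's site-link question above (one SiteLink between each remote site and Main, no cross-links between remote sites) can be checked instead of eyeballed in Sites and Services. The following is an added example, not code from the thread or from either poster: it reads every site link with the RSAT ActiveDirectory module (Server 2008 R2 or later, not the 2000/2003 boxes in the thread) and flags links that do not look like hub-plus-one-spoke. The hub site name 'Main' is a placeholder.

```powershell
# Added example, not code from the thread. Verifies a hub-and-spoke site-link
# layout: every site link should join the hub site to exactly one remote site,
# no link should join two remote sites directly, and no site may be left out
# of every link. Assumes the RSAT ActiveDirectory module and a hub site named
# 'Main' (placeholder; pass your own name).
param([string]$HubSite = 'Main')

Import-Module ActiveDirectory -ErrorAction Stop

$hubDn = (Get-ADReplicationSite -Identity $HubSite).DistinguishedName
$links = Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded

# Turn "CN=Frostburg,CN=Sites,CN=Configuration,DC=..." into "Frostburg".
function Get-SiteName([string]$dn) { ($dn -split ',')[0] -replace '^CN=', '' }

foreach ($link in $links) {
    $sites = @($link.SitesIncluded)
    $issue = ''
    if ($sites.Count -ne 2) {
        $issue = "joins $($sites.Count) sites; expected the hub plus one remote site"
    } elseif ($sites -notcontains $hubDn) {
        $issue = 'cross-link between two remote sites; the hub is not a member'
    }
    [pscustomobject]@{
        Link    = $link.Name
        Minutes = $link.ReplicationFrequencyInMinutes   # "every 3 hours" shows as 180
        Cost    = $link.Cost
        Sites   = ($sites | ForEach-Object { Get-SiteName $_ }) -join ' <-> '
        Issue   = $issue
    }
}

# A site that belongs to no link at all has no replication path to the hub.
$linked = @($links | ForEach-Object { $_.SitesIncluded }) | Select-Object -Unique
Get-ADReplicationSite -Filter * |
    Where-Object { $linked -notcontains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Site $($_.Name) is not a member of any site link" }
```

Expect DEFAULTIPSITELINK to be flagged if it still contains every site; that is the usual leftover when sites were added without a deliberate link design, and it is exactly the kind of extra path that lets the KCC build replication connections between remote sites.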
rodge
2006-01-25 16:02:06 UTC
Permalink
I understand what you are saying about the DNS console having a different DC
name, but I don't have the ability to put maindc in there where it should be
and if I try to open frostburg on maindc as it is, I get an error that there
is no zone created. Also, on the computer account, it should have been
removed and the account would have been disabled, but it wasn't.
Post by Herb Martin
Post by rodge
Sorry, forgot to mention one other thing. I changed the view in the DNS
console to advanced on 2 DCs, maindc and smithsburg, and noticed that under
cached lookups it lists a folder called . and the type is standard primary.
Is that normal?
Absolutely normal. It is caching the results of lookups
it does (to other DNS servers.)
And the MMC showing particular servers is strictly
an administrator's customization.
And yes (your third message) it seems your DNS is
replicating (to at least some of) your other DNS servers.
Notice that deleting the computer account is ALWAYS
a separate admin job.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
here's some screwy stuff. I was at a remote site and noticed an old A
record in the DNS console from the local DC.
The DNS Console (MMC) names are largely cosmetic.
At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
Post by rodge
Did some checking and got no real answers, so I connected to maindc. When
I opened the DNS console, the server was listed as frostburg, which is a
DC at another remote site. Closed the DNS console, opened again, same
deal. Opened IP address management and the DNS snap-in there was showing
the local server as maindc as it should. So, I restarted maindc, but now
it's hung at applying computer settings. Tried to connect to it from
another DC at the same site as maindc and I get an error message that
maindc is not on the network??
You're saying that MainDC won't boot now?
First, if you have a way to make a backup -- DO SO.
You can try booting it in SAFE MODE (F8).
Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors (missing DC names), and I have seen them before. I
opened a case with Microsoft support for them before and we were able to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using
DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MMC (right-click -> Properties -> General tab).
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in
the sysvol directory, there were two extra folders that seemed to be copies
of the policies and scripts folders, but with slightly different names. I
moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, it looks to
me like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than 200 KB, but the policy folder was 15MB,
not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO
object.
Post by rodge
I did notice what you said about the DFS replication, I think. I had
created a script on Friday and although I'm not sure how quickly that
should replicate, it did not, even with replmon (but maybe replmon does
replicate DFS, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent DFS replication, the only
firewall is for internet traffic and all internet traffic has to go through
one router at our main office. We have another router that sits under the
ISP router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote DC and I can contact the remote
DCs from maindc. I tried just pinging by name first and then I tried
opening a UNC path by name, start-run- \\servername\sharename and had
success either way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there are no restrictive firewalls
between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have a DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of
folks on this community I switched to AD integrated DNS. I am certain there
was plenty I missed on setup because of using a community board, so there
are more than likely issues there, but I did work with someone from
Microsoft to make sure that the network setting for each DC was correct.
You would do better telling me WHAT those settings are....
which settings do you mean? The NIC settings or the settings in the DNS
snap-in?
Explicitly I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the NIC settings. Is there a utility I can use to pull the
DNS snap-in settings?
Yes, but they aren't real convenient.
Herb Martin
2006-01-25 22:26:14 UTC
Permalink
Post by rodge
I understand what you are saying about the DNS console having a different DC
name, but I don't have the ability to put maindc in there where it should be
and if I try to open frostburg on maindc as it is, I get an error that there
is no zone created. Also, on the computer account, it should have been
removed and the account would have been disabled, but it wasn't.
Use the IP for maindc.

If that won't work, you have either a network problem
OR maindc is not running the DNS server (or perhaps
an RPC issue since the MMC uses RPCs.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
rodge
2006-01-27 12:44:02 UTC
Permalink
okay, I haven't tried to restart maindc yet, but I did get the console
straightened out. I ran the directory services utility on all of my DCs and
I only get errors on maindc.

I'll be working on those issues over the weekend, but can you point me
somewhere that I can get a feel for which settings in the DNS console will
work best for my environment?
Herb Martin
2006-01-27 13:48:49 UTC
Permalink
Post by rodge
okay, I haven't tried to restart maindc yet, but I did get the console
straightened out. I ran the directory services utility on all of my DCs and
I only get errors on maindc.
You shouldn't NEED to restart the DC; I gave you several methods
that SHOULD work.
Post by rodge
I'll be working on those issues over the weekend, but can you point me
somewhere that I can get a feel for which settings in the dns console will
work best for my environment?
Don't start changing things randomly yet.

Focus on getting it working -- main thing is that the zone
must be DYNAMIC (and should be Secure Dynamic if it's
running as AD Integrated.)

Make minimal changes; check with DCDiag/NetDiag until you
get it working.

Perhaps you need to focus all of the DCs STRICTLY on the
MainDC-DNS using their NIC->IP properties (with no alternate)
UNTIL you can get it all registered in DNS and replicate AD.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
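Herb's checklist in this reply (zone dynamic and secure if AD-integrated, DCs pointed at a DNS server that actually hosts the zone, every DC registered, then verify with DCDiag/NetDiag) is the kind of thing worth scripting so the same check is run from every site. The block below is an added example, not code from the thread or from either poster. It targets a current Windows Server with RSAT (the ActiveDirectory, DnsServer and DnsClient modules), so it is the modern form of the checks rather than the 2000/2003 tooling named in the thread; 'maindc.example.local' is a placeholder for the hub DC, and WinRM access to each DC is assumed for the NIC check.

```powershell
# Added example, not code from the thread. Runs Herb's checklist on a current
# Windows Server with RSAT (ActiveDirectory, DnsServer, DnsClient modules):
# the AD zone must be DS-integrated with Secure dynamic update, every DC must
# have its LDAP SRV locator record, and each DC's NIC should point only at a
# DNS server that hosts the zone. 'maindc.example.local' is a placeholder for
# the hub DC; WinRM access to each DC is assumed for the NIC check.
param([string]$MainDc = 'maindc.example.local')

Import-Module ActiveDirectory, DnsServer, DnsClient -ErrorAction Stop

$domain = (Get-ADDomain).DNSRoot
$zone   = Get-DnsServerZone -ComputerName $MainDc -Name $domain

# 1. Zone settings. 'Secure' means only the account that registered a record
#    can overwrite it, which is what you want for DC locator records.
if (-not $zone.IsDsIntegrated -or $zone.DynamicUpdate -ne 'Secure') {
    Write-Warning ("Zone {0} on {1}: IsDsIntegrated={2}, DynamicUpdate={3}" -f
        $domain, $MainDc, $zone.IsDsIntegrated, $zone.DynamicUpdate)
}

# 2. Locator records. A DC absent here is the "missing DC names" symptom
#    DCDiag reported earlier in the thread.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $MainDc -ErrorAction Stop |
    Where-Object Type -eq 'SRV'
$registered = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

# 3. Per-DC report: SRV registration plus the DNS servers the DC's own NIC
#    lists (the Preferred/Alternate entries that ipconfig /all shows).
foreach ($dc in Get-ADDomainController -Filter *) {
    $name   = $dc.HostName.ToLower()
    $nicDns = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    [pscustomobject]@{
        DC        = $name
        Site      = $dc.Site
        SrvRecord = ($registered -contains $name)
        NicDns    = ($nicDns -join ', ')
    }
    if ($registered -notcontains $name) {
        # Re-register rather than hand-editing the zone. The thread's era tool
        # is netdiag /fix; on current builds nltest /dsregdns does the same job.
        Write-Warning "$name has no LDAP SRV record; fix zone and NIC settings first, then run 'nltest /dsregdns' on it and re-check with 'dcdiag /test:dns'."
    }
}
```

Run it from the hub after each change rather than changing several things at once, which matches Herb's "minimal changes, then re-test" advice; a DC whose NicDns column lists a server that does not hold the zone, or lists the hub and itself while its own copy is stale, is the configuration the Preferred/Alternate discussion earlier in the thread was warning about.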
Post by rodge
Post by Herb Martin
Post by rodge
I understand what you are saying about the dns console having a
different
dc
name, but I don't have the ability to put maindc in there where it
should
be
and If I try to open frostburg on maindc as it is, i get an error that there
is no zone created. Also, on the computer account, it should have been
removed and the account would have been disabled, but it wasn't.
Use the IP for maindc.
If that won't work, you have either a network problem
OR maindc is not running the DNS server (or perhaps
and RPC issue since the MMC uses RPCs.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
sorry, forgot to mention one other thing. I changed the view in the dns
console to advanced on 2 dc's, maindc and smithsburg and noticed
that
under
cached lookups it lists a folder called . and the type is standard primary.
Is that normal?
Absolutely normal. It is caching the results of lookups
it does (to other DNS servers.)
And the MMC showing particular servers is strictly
an administrator's customization.
And yes (your third message) it seems you DNS is
replicating (to at least some of) your other DNS servers.
Notice that deleting the computer account is ALWAYS
a separate admin job.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
here's some screwey stuff. I was at a remote site and noticed an
old
a
record in the dns console from the local dc.
The DNS Console (MMC) names are largely cosmetic.
At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
Post by rodge
Did some checking and got no
real answers, so I connected to maindc. When I opened the dns
console,
the
server was listed as frostburg, which is a dc at another remote
site.
Closed
the dns console, opened again, same deal. Opened ip address
management
and
the dns snapin there was showing the local server as maindc as it
should.
So,
I restarted maindc, but now it's hung at applying computer settings.
Tried
to
connect to it from another dc at the same site as maindc and I get
an
error
message that maindc is not on the network??
You're saying that MainDC won't boot now?
First, if you have a way to make a backup -- DO SO.
You can try booting it in SAFE MODE (F8).
Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors(missing dc names), and I have seen
them
before.
I
opened a case with Micorsoft support for them before and We
were
able
to
clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using
DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MCC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is
corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did
notice
that
in
the sysvol directory, there were two extra folders that
seemed
to
be
copies
of the policies and scripts folders, but with slighly
different
names.
I
moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, It
looks
to
me
like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than 200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created a script on friday and although I'm not sure how quickly that should replicate, it did not, even with replmon (but maybe replmon does replicate dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only firewall is for internet traffic and all internet traffic has to go through one router at our main office. We have another router that sits under the isp router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the main DC (probably not) or you wouldn't be having problems -- how about if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote dc's from maindc. I tried just pinging by name first and then I tried opening a unc path by name, start-run- \\servername\sharename and had success either way.
Ok, so you have general name resolution and you have (at least some) general connectivity. (And you said there are no restrictive firewalls between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of folks on this community I switched to AD integrated DNS. I am certain there was plenty I missed on setup because of using a community board, so there are more than likely issues there, but I did work with someone from Microsoft to make sure that the network setting for each DC was correct.
You would do better telling me WHAT those settings are....
which settings do you mean? The NIC settings or the settings in the dns snapin?
Explicitly I meant the settings you claimed "work with someone from Microsoft to make sure that the network setting for each DC was correct", i.e., whatever settings you think you got correct.
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the nic settings. Is there a utility I can use to pull the dns snapin settings?
Yes, but they aren't real convenient.
Post by rodge
Post by Herb Martin
I cannot trouble shoot "they are correct" but I might be able to
help with they are "set like this..."
nic settings are as I described before, primary dns is maindc, and
rodge
2006-01-27 19:12:27 UTC
Permalink
I shouldn't NEED to restart DC? I've been around long enough to know that NO
operating system works better without a restart. I will remind you that
maindc wouldn't boot up without having the dns server service stopped, so that
is why I would be thinking about a restart to make sure things are back to
normal, especially since this is a brand new server with a nice fresh install
of server 2003 ent ed with sp1.

What were these methods you gave me, you told me to do a windows repair,
right? Well, this is something that would need to be done after hours, not
something easily accomplished.

changing things randomly??? You're the one with the experience, I was
asking you how it SHOULD be setup on each dc in my environment.

Again, as I have told you EVERY DC does have dynamic setup. And again, dns
is replicating. maindc is the only server that shows any errors running the
utilities.

Which MINIMAL changes are you talking about???

Yes, I can point everything to maindc, but since maindc is the only dc
getting errors, is that really wise??

Do you think it would be possible to either check my replies more often or
give me an email address to reach you? After all, you were the one who said
this was not something to call microsoft tech support for, yet, if I had, I
would have cleared things up by now.
Post by Herb Martin
Post by rodge
okay, I haven't tried to restart maindc yet, but I did get the console
straightened out. I ran the directory services utility on all of my dc's and
I only get errors on maindc.
You shouldn't NEED to restart the DC; I gave you several methods
that SHOULD work.
Post by rodge
I'll be working on those issues over the weekend, but can you point me
somewhere that I can get a feel for which settings in the dns console will
work best for my environment?
Don't start changing things randomly yet.
Focus on getting it working -- main thing is that the zone
must be DYNAMIC (and should be Secure Dynamic if it's
running as AD Integrated.)
Make minimal changes; check with DCDiag/NetDiag until you
get it working.
Perhaps you need to focus all of the DCs STRICTLY on the
MainDC-DNS using their NIC->IP properties (with no alternate)
UNTIL you can get it all registered in DNS and replicate AD.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
I understand what you are saying about the dns console having a different dc name, but I don't have the ability to put maindc in there where it should be and if I try to open frostburg on maindc as it is, I get an error that there is no zone created. Also, on the computer account, it should have been removed and the account would have been disabled, but it wasn't.
Use the IP for maindc.
If that won't work, you have either a network problem
OR maindc is not running the DNS server (or perhaps
an RPC issue since the MMC uses RPCs.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
sorry, forgot to mention one other thing. I changed the view in the dns console to advanced on 2 dc's, maindc and smithsburg and noticed that under cached lookups it lists a folder called . and the type is standard primary. Is that normal?
Absolutely normal. It is caching the results of lookups
it does (to other DNS servers.)
And the MMC showing particular servers is strictly
an administrator's customization.
And yes (your third message) it seems your DNS is
replicating (to at least some of) your other DNS servers.
Notice that deleting the computer account is ALWAYS
a separate admin job.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
here's some screwy stuff. I was at a remote site and noticed an old a record in the dns console from the local dc.
The DNS Console (MMC) names are largely cosmetic.
At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
Post by rodge
Did some checking and got no real answers, so I connected to maindc. When I opened the dns console, the server was listed as frostburg, which is a dc at another remote site. Closed the dns console, opened again, same deal. Opened ip address management and the dns snapin there was showing the local server as maindc as it should. So, I restarted maindc, but now it's hung at applying computer settings. Tried to connect to it from another dc at the same site as maindc and I get an error message that maindc is not on the network??
You're saying that MainDC won't boot now?
First, if you have a way to make a backup -- DO SO.
You can try booting it in SAFE MODE (F8).
Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors (missing dc names), and I have seen them before. I opened a case with Microsoft support for them before and we were able to clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using
DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the (dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MMC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is
corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in the sysvol directory, there were two extra folders that seemed to be copies of the policies and scripts folders, but with slightly different names. I moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, it looks to me like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than 200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created a script on friday and although I'm not sure how quickly that should replicate, it did not, even with replmon (but maybe replmon does replicate dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only firewall is for internet traffic and all internet traffic has to go through one router at our main office. We have another router that sits under the isp router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the main DC (probably not) or you wouldn't be having problems -- how about if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote dc's from maindc. I tried just pinging by name first and then I tried opening a unc path by name, start-run- \\servername\sharename and had success either way.
Ok, so you have general name resolution and you have (at least some) general connectivity. (And you said there are no restrictive firewalls between them.)
Herb Martin
2006-01-27 19:51:24 UTC
Permalink
Post by rodge
I shouldn't NEED to restart DC? I've been around long enough to know that NO
operating system works better without a restart.
Superstitious rebooting doesn't really solve problems.

Finding the problem and fixing it is usually best -- I
practically never reboot a PC "just because" -- almost
always it is due to an upgrade.
Post by rodge
I will remind you that
maindc wouldn't boot up without having the dns server service stopped, so that
is why I would be thinking about a restart to make sure things are back to
normal,
As a test of your repairs that is perhaps wise but it has
nothing to do with "making things work" which is my
focus in answering your questions.

Notice I said you should not "NEED"; in no way does this imply
that you aren't free to do it anyway.
Post by rodge
especially since this is a brand new server with a nice fresh install
of server 2003 ent ed with sp1.
What were these methods you gave me, you told me to do a windows repair,
right? Well, this is something that would need to be done after hours, not
something easily accomplished.
The methods I gave you to REGISTER a DC with DNS (XXXdiag /fix
and restart NetLogon service; also reboot.)
Post by rodge
changing things randomly??? You're the one with the experience, I was
asking you how it SHOULD be setup on each dc in my environment.
And if there was something critical we would already be dealing
with it.
Post by rodge
Again, as I have told you EVERY DC does have dynamic setup. And again, dns
is replicating. maindc is the only server that shows any errors running the
utilities.
That's pretty much the only setting that is critical -- my
point was if you have that then we need to get it to REPLICATE.
Post by rodge
Which MINIMAL changes are you talking about???
Nothing that doesn't address the problem -- anything
beyond that is NOT MINIMAL.
Post by rodge
Yes, I can point everything to maindc, but since maindc is the only dc
getting errors, is that really wise??
Yes. As long as the only errors you are getting are the ones
you described from the DIAG where it could NOT FIND the
other DCs.

The idea is to get EVERY DC registered in a single DNS
database -- get DNS working (that way) so that AD will
replicate.

You have described a LIKELY issue where you have DNS
in AD, but AD is not replicating due to DNS problems.

It's a vicious circle -- you have to break it by FIRST getting
DNS correct.

I also said that you should UNDERSTAND it and not just
blindly do this.
Post by rodge
Do you think it would be possible to either check my replies more often or
give me an email address to reach you? After all, you were the one who said
this was not something to call microsoft tech support for, yet, if I had, I
would have cleared things up by now.
I check them several times (at different hours of the day); and if
you would just read EVERY ONE of my messages carefully
you would see (or have seen) that you could always have done
that.

My email is real; and my phone info has been on EVERY message
<grin>

I am one of the very few people who leaves this as an open
invitation when giving free support.

Just email me if you wish....
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
rodge
2006-01-27 20:31:27 UTC
Permalink
are you serious? you wouldn't recommend restarting to solve a problem, but
you would recommend an Operating system repair?????

Superstitious??? Trust me, not a superstitious bone in my body.


An upgrade? Need I remind you ONCE AGAIN, this is a new install from a cd
labeled Windows Server 2003 Enterprise Edition with Service Pack 1...where's
the upgrade?


And when did I ever say that I wanted to reboot maindc to fix everything???
I may not be an expert, but I'm not an idiot.

You say we need to get it to replicate, but I see that it is replicating. I
delete a record on a remote dc and then check maindc and the record is gone.
Sure it's not much of a test, but it definitely says something.

I don't quite understand, just run dcdiag /fix and netdiag /fix and this
will take care of the problems on maindc. And if it doesn't? Just keep
running those two commands?


"I also said that you should UNDERSTAND it and not just
blindly do this."

Then please, by all means help me to understand!!!!!!!! You are the wealth
of knowledge here, so please help.


I check them several times (at different hours of the day); and if
Post by Herb Martin
you would just read EVERY ONE of my messages carefully
you would see (or have seen) that you could always have done
that.
that's totally not true, you said that this was not something that would
require a call to support.
Post by Herb Martin
Post by rodge
I shouldn't NEED to restart DC? I've been around long enough to know that NO
operating system works better without a restart.
Superstitious rebooting doesn't really solve problems.
Finding the problem and fixing it is usually best -- I
practically never reboot a PC "just because" -- almost
always it is due to an upgrade.
Post by rodge
I will remind you that
maindc wouldn't boot up without having the dns server service stopped, so that
is why I would be thinking about a restart to make sure things are back to
normal,
As a test of your repairs that is perhaps wise but it has
nothing to do with "making things work" which is my
focus in answering your questions.
Notice I said you should not "NEED"; in no way does this imply
that you aren't free to do it anyway.
Post by rodge
especially since this is a brand new server with a nice fresh install
of server 2003 ent ed with sp1.
What were these methods you gave me, you told me to do a windows repair,
right? Well, this is something that would need to be done after hours, not
something easily accomplished.
The methods I gave you to REGISTER a DC with DNS (XXXdiag /fix
and restart NetLogon service; also reboot.)
Post by rodge
changing things randomly??? You're the one with the experience, I was
asking you how it SHOULD be setup on each dc in my environment.
And if there was something critical we would already be dealing
with it.
Post by rodge
Again, as I have told you EVERY DC does have dynamic setup. And again, dns
is replicating. maindc is the only server that shows any errors running the
utilities.
That's pretty much the only setting that is critical -- my
point was if you have that then we need to get it to REPLICATE.
Post by rodge
Which MINIMAL changes are you talking about???
Nothing that doesn't address the problem -- anything
beyond that is NOT MINIMAL.
Post by rodge
Yes, I can point everything to maindc, but since maindc is the only dc
getting errors, is that really wise??
Yes. As long as the only errors you are getting are the ones
you described from the DIAG where it could NOT FIND the
other DCs.
The idea is to get EVERY DC registered in a single DNS
database -- get DNS working (that way) so that AD will
replicate.
You have described a LIKELY issue where you have DNS
in AD, but AD is not replicating due to DNS problems.
It's a vicious circle -- you have to break it by FIRST getting
DNS correct.
I also said that you should UNDERSTAND it and not just
blindly do this.
Post by rodge
Do you think it would be possible to either check my replies more often or
give me an email address to reach you? After all, you were the one who said
this was not something to call microsoft tech support for, yet, if I had, I
would have cleared things up by now.
I check them several times (at different hours of the day); and if
you would just read EVERY ONE of my messages carefully
you would see (or have seen) that you could always have done
that.
My email is real; and my phone info has been on EVERY message
<grin>
I am one of the very few people who leaves this as an open
invitation when giving free support.
Just email me if you wish....
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Herb Martin
2006-01-27 23:21:49 UTC
Permalink
Post by rodge
are you serious? you wouldn't recommend restarting to solve a problem, but
you would recommend an Operating system repair?????
If the system is determined to be broken. I don't recommend
these "just because" either.
Post by rodge
Superstitious??? Trust me, not a superstitious bone in my body.
If you are human then the above is almost certainly untrue. <grin>
Post by rodge
An upgrade? Need I remind you ONCE AGAIN, this is a new install from a cd
labeled Windows Server 2003 Enterprise Edition with Service Pack 1...where's
the upgrade?
Where did you get "upgrade" from? You don't quote me, and
I cannot recall suggesting any such thing.
Post by rodge
And when did I ever say that I wanted to reboot maindc to fix everything???
I may not be an expert, but I'm not an idiot.
Methinks thou doth protest too much....
Post by rodge
You say we need to get it to replicate, but I see that it is replicating. I
delete a record on a remote dc and then check maindc and the record is gone.
Sure it's not much of a test, but it definitely says something.
Then run DCDiag on each (affected) DC and prove it.

Or use RepAdmin if you prefer.
Post by rodge
I don't quite understand, just run dcdiag /fix and netdiag /fix and this
will take care of the problems on maindc. And if it doesn't? Just keep
running those two commands?
It won't unless the problem is fairly trivial (like failure
to register with DNS and then only after you have fixed that.)
Post by rodge
"I also said that you should UNDERSTAND it and not just
blindly do this."
Then please, by all means help me to understand!!!!!!!! You are the wealth
of knowledge here, so please help.
You have to first either FOLLOW my instructions OR
ask a specific question and not wander off to something
else.

Everything you need to fix your problem is (ALMOST CERTAINLY)
included in the thread already. Go back to the earlier messages and
re-read them and follow the given advice.
Post by rodge
I check them several times (at different hours of the day); and if
Post by Herb Martin
you would just read EVERY ONE of my messages carefully
you would see (or have seen) that you could always have done
that.
that's totally not true,
Now you have either failed to read ANY of my messages
(accurately) OR you are calling me a liar by implication.
Post by rodge
you said that this was not something that would
require a call to support.
A paid call. I never meant you shouldn't use the phone to
"phone a friend."
--
Herb Martin
rodge
2006-01-25 14:15:02 UTC
Permalink
sorry about the flurry of messages, but want to let you know as much as
possible. I checked a few dc's and they all received the info that I deleted
the old record for a machine called net_man. I am not sure about what
happened to this computer, but I do know that it is no longer around. Once I
saw that the other dc's knew the record was gone, I checked in ad users and
computers and sure enough, there was still a computer account. It looks to me
like someone just shut the computer down and either disposed of it or
recycled it with a new o/s, but never removed it from the domain, which would
explain the problem because the ip address was re-used. I'm assuming though
that there is some dns replication going on.
Post by Herb Martin
Post by rodge
Herb,
here's some screwy stuff. I was at a remote site and noticed an old a
record in the dns console from the local dc.
The DNS Console (MMC) names are largely cosmetic.
At most they are a sign that the machine running the console
doesn't have the correct DNS resolution for some server.
Post by rodge
Did some checking and got no
real answers, so I connected to maindc. When I opened the dns console, the
server was listed as frostburg, which is a dc at another remote site. Closed
the dns console, opened again, same deal. Opened ip address management and
the dns snapin there was showing the local server as maindc as it should. So,
I restarted maindc, but now it's hung at applying computer settings. Tried to
connect to it from another dc at the same site as maindc and I get an error
message that maindc is not on the network??
You're saying that MainDC won't boot now?
First, if you have a way to make a backup -- DO SO.
You can try booting it in SAFE MODE (F8).
Second: Usually you can fix a DC through a REPAIR INSTALL.
(original CDROM, install, choose same directory as current OS,
MAKE SURE you are asked and you CONFIRM that you wish
to REPAIR the current installation.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Post by rodge
Post by Herb Martin
Post by rodge
Post by Herb Martin
Post by rodge
Herb,
yes, I saw those errors (missing dc names), and I have seen them before. I opened a case with Microsoft support for them before and we were able to clear up that problem, but I will look into that again.
You don't need to spend time or money on support calls
for that type of problem.
It's easy to fix and we can help you with that.
Keys were in my previous email.
You find the (DNS) problem by inspection or by using DCDiag/NetDIAG.
You make your zone dynamic; you make sure your DCs ONLY use the
(dynamic) DNS server (set) on their NIC.
how do you make the zone dynamic?
Zone properties in the MMC (right click->Properties->General Tab->)
Post by rodge
Post by Herb Martin
You re-register (DCDiag/NetDIAG) the DCs once all that is corrected.
(And retest with DCDiag/NetDIAG).
Post by rodge
DFS and sysvol are definitely a weak spot for me, but I did notice that in the sysvol directory, there were two extra folders that seemed to be copies of the policies and scripts folders, but with slightly different names. I moved them to another directory temporarily.
Why?
based on the names of the folders and the modification dates, it looks to me like they were renamed because they are no longer used.
Hmm... be careful.
Post by rodge
Post by Herb Martin
Post by rodge
The scripts folder was less than 200 KB, but the policy folder was 15MB, not sure if that is normal or not.
Many people think that I am "pretty good" with AD and I will tell you
that I NEVER MESS with SysVol nor with the scripts or GPOs directly.
(I know HOW to do it safely but I will not do that.)
Even scripts I create by using the GPEdit since it SUGGESTS the right
place to put the scripts and associates them together with the GPO object.
Post by rodge
I did notice what you said about the dfs replication, I think. I had created a script on friday and although I'm not sure how quickly that should replicate, it did not, even with replmon (but maybe replmon does replicate dfs, I am not sure).
No. ReplMon is not associated with DFS (to my knowledge.)
Post by rodge
There are no local firewalls that would prevent dfs replication, the only firewall is for internet traffic and all internet traffic has to go through one router at our main office. We have another router that sits under the isp router that takes care of local traffic on our WAN.
Are you fully routed? Can you go to each (remote) DC and contact the
main DC (probably not) or you wouldn't be having problems -- how about
if you use the IP address?
Yes, I can contact maindc from each remote dc and I can contact the remote
dc's from maindc. I tried just pinging by name first and then I tried opening
a unc path by name, start-run- \\servername\sharename and had success either
way.
Ok, so you have general name resolution and you have (at least some)
general connectivity. (And you said there are no restrictive firewalls
between them.)
!!! Also watch out that no one turned on a personal firewall on any
of the DCs (XP type on the NIC, Basic in RRAS, or third party.)
You might still have DNS issue for the DC resource records; almost
certainly true if you find the zone is NOT dynamic.
Post by rodge
Post by Herb Martin
Can you even ping between them? By name or just by number?
either way works
Post by Herb Martin
Post by rodge
Our DNS was a single primary zone when I arrived here and through use of folks on this community I switched to AD integrated DNS. I am certain there was plenty I missed on setup because of using a community board, so there are more than likely issues there, but I did work with someone from Microsoft to make sure that the network setting for each DC was correct.
You would do better telling me WHAT those settings are....
which settings do you mean? The NIC settings or the settings in the dns
snapin?
Explicitly I meant the settings you claimed "work with someone from Microsoft
to make sure that the network setting for each DC was correct", i.e.,
whatever settings you think you got correct.
Better to tell me the settings you are referencing than to say they
"are correct."
Post by rodge
I'll give you the nic settings. Is there a utility I can use to pull the dns snapin settings?
Yes, but they aren't real convenient.
Post by rodge
Post by Herb Martin
I cannot trouble shoot "they are correct" but I might be able to
help with they are "set like this..."
nic settings are as I described before, primary dns is maindc, and secondary
is the dc itself.
Better to do this through "ipconfig/all".
By the way: There is no such thing as "Primary" or "Secondary"
on the NIC (those are SERVER side technical terms.) It's
Preferred and Alternate.
Post by rodge
This made sense to me when the microsoft engineer told me
to set it up this way because maindc is at the main office and the main
office contains the only internet access for the entire company. I guess I
was thinking it would help with traffic. I can certainly change that though.
Don't think it is going to make it work if you change this --
whether the computer uses Preferred or Alternate is ALWAYS
SOMEWHAT random.
It will just be more efficient to let the server resolve locally
(from itself).
BUT this also implies that the "local DNS" MUST BE CORRECT
(correctly replicated) from the Master (main)
Post by rodge
Post by Herb Martin
You DNS zone MUST ACCEPT DYNAMIC registrations -- it's a
pull down on the zone properties -- go check that RIGHT NOW --
on the Primary.
yes, they are all set for secure updates.
Then they are set for DYNAMIC updates. (Secure is a form of
dynamic.)
Post by rodge
Post by Herb Martin
Later (when we have this all working) you should PROBABLY also
switch to AD-Integrated DNS but let's not complicate it (yet.)
I thought I already told you that I switch to ad integrated dns long ago,
but wasn't sure if I had set it up correctly.
On every DNS-DC? I thought you just did that on the MainDC.
Each DNS-DC can be set separately. But you get the most
advantages when they are all AD-integrated BUT you must
make sure you have FULL AD replication before you make
that switch on more than one of them (e.g., main.)
Post by rodge
Post by Herb Martin
Post by rodge
I think you
mean under the dns snapin, if I look at the domain properties, it
should
be
set to dynamic updates? Is that correct?
Absolutely. In DNS MMC properties for the Zone that corresponds to
the AD Domain.
Post by rodge
We just have the one domain at this
point. I will look through your response more deeply now and work through
everything you mentioned. Is there anything else that I could post here
pertaining to our environment that could be helpful?
Pick a remote DC (that is showing an error.)
Do the DCDiag, NetDiag, and "IPConfig /all" for both the problem
DC and for the MainDC (we already saw the mainDC) -- please clearly
mark which is which and which goes with each server.
Also, let me confirm that you have a SiteLink between EACH Site
and the Main one (only, no 'cross-links' between two remote sites)
1) 24 hours (with some exceptions for DAYTIME only)
2) every 3 hours
3) cost isn't really important if you only have a central hub set
yes, all set this way.
Post by Herb Martin
24 hours isn't that big a deal as long as the schedule makes sense;
same for 3 hours.
But DO MAKE Sure you have AT LEAST the one SiteLink to
between Main-EachRemoteSite.
Also, do you have any ABANDONED DCs? (DCs that used to
exist but have been deleted?)
I have removed a few dc's, but I always run ntdsutil metadata cleanup to
make sure dcpromo ran correctly
Ok, but if you use DCPromo the NTDSutil is merely a double check.
Post by rodge
Post by Herb Martin
Are you running scavenging on the DNS zone -- it's a BAD idea
unless you fully understand it -- many people cause more problems
with scavenging than they solve.
Scavenging is setup for 7 days
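Two points from the thread lend themselves to an automated check across all of the DCs: read the real resolver settings from "ipconfig /all" rather than from memory, and keep every DC's NIC pointed ONLY at the MainDC DNS server (Preferred, no Alternate) until all DCs are registered in DNS and AD replication is confirmed. The script below is an added example, not code from the thread or from either poster; the ipconfig captures, the 10.x addresses and the MainDC address are constructed, and only the DC names (maindc, frostburg, smithsburg) come from the thread.

```powershell
# Added example (not from the thread): check the DNS client settings of each DC,
# as captured by "ipconfig /all", against the rule given in the thread: every DC
# uses ONLY the MainDC DNS server (no Alternate) until all DCs are registered
# in DNS and AD replication is confirmed.
# All captures and addresses below are CONSTRUCTED sample data.

$MainDcDnsIp = '10.1.1.5'   # assumption: the DNS server address of maindc

# Constructed "ipconfig /all" output, one capture per DC, keyed by DC name.
$Captures = [ordered]@{
    'maindc' = @'
Windows IP Configuration

   Host Name . . . . . . . . . . . . : maindc
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.1.1.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 10.1.1.5
   Primary WINS Server . . . . . . . : 10.1.1.5
'@
    'frostburg' = @'
Windows IP Configuration

   Host Name . . . . . . . . . . . . : frostburg

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.2.1.5
   DNS Servers . . . . . . . . . . . : 10.1.1.5
                                       10.2.1.5
'@
    'smithsburg' = @'
Windows IP Configuration

   Host Name . . . . . . . . . . . . : smithsburg

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.3.1.5
   DNS Servers . . . . . . . . . . . : 192.168.0.1
'@
}

function Get-DnsServersFromIpconfig {
    param([Parameter(Mandatory)][string]$Text)
    # Returns the addresses listed under "DNS Servers" in resolver order:
    # the first is the Preferred server, any further ones are Alternates
    # (ipconfig prints the Alternates on deeply indented continuation lines).
    $servers = @()
    $inList = $false
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^\s*DNS Servers[ .]*:\s*(\S+)') {
            $servers += $Matches[1]
            $inList = $true
        }
        elseif ($inList -and $line -match '^\s{20,}(\S+)\s*$') {
            $servers += $Matches[1]
        }
        else {
            $inList = $false
        }
    }
    return ,$servers
}

function Test-DcDnsClientPolicy {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [string[]]$DnsServers,
        [Parameter(Mandatory)][string]$MainDcDnsIp
    )
    $problems = @()
    if (-not $DnsServers -or $DnsServers.Count -eq 0) {
        $problems += 'no DNS server configured on the NIC'
    }
    elseif ($DnsServers[0] -ne $MainDcDnsIp) {
        $problems += "Preferred DNS is $($DnsServers[0]); expected MainDC ($MainDcDnsIp)"
    }
    if ($DnsServers.Count -gt 1) {
        $alternates = $DnsServers[1..($DnsServers.Count - 1)] -join ', '
        $problems += "Alternate DNS present ($alternates); remove it until registration and replication are confirmed"
    }
    [pscustomobject]@{
        DC         = $DcName
        DnsServers = ($DnsServers -join ', ')
        Compliant  = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$report = foreach ($dc in $Captures.Keys) {
    $servers = @(Get-DnsServersFromIpconfig -Text $Captures[$dc])
    Test-DcDnsClientPolicy -DcName $dc -DnsServers $servers -MainDcDnsIp $MainDcDnsIp
}
$report | Format-Table DC, Compliant, DnsServers, Problems -AutoSize
```

Against real DCs, replace the constructed $Captures with the text of "ipconfig /all" collected on each DC, and re-run the check after re-registering with DCDiag/NetDiag as the thread describes.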