Domain tree in Existing forest..
-
dimanche 25 mars 2012 18:13
I have set up new domain tree in existing forest of windows server 2003. Root domain Dns name is abc.local & new domain tree dns name is xyz.local. Both zones are AD integrated so available to all servers. Both servers at Forest Root domain abc.local & Domain Tree root xyz.local are GC.
abc.local DNZ zone is showing record for both GC servers & xyz.local shows no record for GC server. BOTH server belongs to different sites & different subnet.
Event ID: 1126 appearing again & again on xyz.local server for "Active Directory was unable to establish a connection with the global catalog. "
i try by deleting all records in xyz.local zone & then by restarting netlogon service but no use...
nslookup gc._msdcs.%USERDNSDOMAIN% command shows GC server for ABC.local zone but not for xyz.local zone
Please help to solve this problem...
Toutes les réponses
-
dimanche 25 mars 2012 19:12
This issue may occur if there is DNS misconfig issue,DC is multihomed ,replication issue between the DC due to required port not open for AD replication,etc.
IP configuration best practice on DC :
-->>MULTIHOMING Domain controllers is not recommended, it always results in multiple problems.
------------------------------------
1. Domain Controllers should not be multi-homed
2. Being a VPN Server and even simply running RRAS makes it multi-homed.
3. DNS even just all by itself, is better on a single homed machine.
4. Domain Controllers with the PDC Role are automatically Domain Master Browser. Master Browsers should not be multi-homed272294 - Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294
191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611-->> IP configuration on domain controller:
------------------------------------------
1. Each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers as secondary DNS in TCP/IP property.
2. Each DC has just one IP address and one network adapter is enabled (disable unused NICs).
3. If multiple NICs (enabled and disabled) are present on server, make sure the active NIC should be on top in NIC binding.
4. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.
Once you are done with above, run "ipconfig /flushdns & ipconfig /registerdns", restart DNS server and NETLOGON service on each DC.
Active Directory Firewall Ports -
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspxSee the below link.
http://technet.microsoft.com/en-us/library/cc756476(WS.10).aspx
http://eventid.net/display.asp?eventid=1126&eventno=656&source=NTDS%20General&phase=1
http://www.eventid.net/display.asp?eventid=1126&sourcehttp://www.eventid.net/display.asp?eventid=1655&eventno=968&source=NTDS%20General&phase=1
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/344353e7-81dd-4cf2-995a-e7f7971c6553/
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
set- Modifié Sandesh DubeyMicrosoft Community Contributor dimanche 25 mars 2012 19:52
- Marqué comme réponse Yan Li_Microsoft Contingent Staff, Moderator mercredi 28 mars 2012 01:26
- Non marqué comme réponse rrohela vendredi 30 mars 2012 17:11
-
lundi 26 mars 2012 04:15Modérateur
Nowadays, it is more preferred using single forest/domain architecture but any reason you moved to multiple domain architecture. Single forest/domain is best model to work from troubleshooting and administration point and until n unless there is strong business requirement i would not go for multiple domain. You can almost achieve everything in single forest/domain with windows 2008/above comparing to windows 2003.
Did you verify the network connectivity and necessary ports are being allowed on the firewall? Also, to me it looks to be either Domain name resoltuion issue or connectivity due to firewall or network. For ports, see this http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
Can you verify sysvol/netlogon shares are appearing on the DC and time is in sync. First start with connectivity(network latency/antivirus block the communication) and then you can also download and run portquery tool from the MS site and see if port block is not the issue.
Event ID 1126 — Global catalog verification http://technet.microsoft.com/en-us/library/cc756476%28v=ws.10%29.aspx
You can also use ddiag utility to check what is the health status of the domain to estimate running issues in the domain.
What does DCDIAG actually… do?
http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx
Awinish Vishwakarma - MVP-DS
My Blog: awinish.wordpress.com Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.- Proposé comme réponse Meinolf WeberMVP lundi 26 mars 2012 07:52
- Marqué comme réponse Yan Li_Microsoft Contingent Staff, Moderator mercredi 28 mars 2012 01:26
- Non marqué comme réponse rrohela vendredi 30 mars 2012 17:11
-
lundi 26 mars 2012 05:39
hi,
this seems a problem with dns configuration ........telnet GCs of both site on port 3268 from the domain controller of xyz. If you can telnet then check your DNS zone...........
recommended configuration is to have GCs records in _msdcs.domainname zone with replication scope "TO ALL DNS SERVERS IN FOREST"
Regards..
Himanshu Rana
MCTS|MCSE|MCSA:Messaging|CCNA If you found this post helpful, please "Vote as Helpful". If it answered your question, remember to "Mark as Answer".
- Modifié himanshu.rana lundi 26 mars 2012 05:40
- Marqué comme réponse Yan Li_Microsoft Contingent Staff, Moderator mercredi 28 mars 2012 01:26
- Non marqué comme réponse rrohela vendredi 30 mars 2012 17:10
- Marqué comme réponse rrohela vendredi 30 mars 2012 17:10
.png)
