Internal event: The LDAP server returned an error.

    Question

  • I am noticing several of these "informational" errors in my primary DC logs.  They come in about every few minutes and list different objects that it can't find.

    I have three Server 2008 R2 DC's.  Two of them were recently added after demoting two Server 2008 servers and promoting some new Server 2008 R2 servers.

    Here is one:
    Internal event: The LDAP server returned an error.
    Additional Data
    Error value:
    0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
          'CN=System,DC=x,DC=x,DC=x'

    Another one:
    Internal event: The LDAP server returned an error.
    Additional Data
    Error value:
    0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
          'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx'

    Another one:
    Internal event: The LDAP server returned an error.
    Additional Data
    Error value:
    8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0

    Another one:
    Internal event: The LDAP server returned an error.
    Additional Data
    Error value:
    0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
          'CN=Dfs-Configuration,CN=System,DC=xx'

    Different one:
    Internal event: An LDAP client connection was closed because of an error.
    Client IP:
    x
    Additional Data
    Error value:
    1236 The network connection was aborted by the local system.
    Internal ID:
    c0602f0


    Any ideas as to what may be causing this or how I can troubleshoot it?

    • Edited by zoolanderx Monday, June 07, 2010 5:37 PM
    Monday, June 07, 2010 1:37 AM

All replies

  • It looks like this error says that the domain controller in question can't figure out what site it's in because the configuration partition of AD (which stores the site info) is unable to be located.

    This is bad.

    When demoting and promoting domain controllers results in problems that I don't normally see, I ask the questions:

    1. Do you still have all 5 FSMOs, and do you have any extra?

    2. Are your DNS servers still up and running?

    3. Did you ghost your domain controllers? If yes, did you translate the SID for your machines using SYSprep or some SID tool?

    Also, for this problem, you might want to use ADSI edit to connect to the configuration partition of AD and examine if the Site information actually does exist, or if it got deleted by something of unknown origin.

    Let me know how that goes,


    Aaron Sankey, Avanade
    Monday, June 07, 2010 2:27 AM
  • Hello,

    in addition to Aaron's questions please use the support tools to check for errors:

    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    netdiag /v >c:\netdiag.txt [from each DC, netdiag may work but isn't supported with Windows server 2008 and higher]
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt (if more than one DC exists)
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive. Also the dcdiag scans the complete forest so better run it on COB.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, June 07, 2010 7:52 AM
  • Here are two of them run on the main DC with all 5 roles...

    http://cid-843513d1b891e87a.skydrive.live.com/self.aspx/Public/dcdiagC.txt

    http://cid-843513d1b891e87a.skydrive.live.com/self.aspx/Public/replC.txt

    The only error I notice is:

    Starting test: VerifyEnterpriseReferences
             The following problems were found while verifying various important DN
             references.  Note, that  these problems can be reported because of
             latency in replication.  So follow up to resolve the following
             problems, only if the same problem is reported on all DCs for a given
             domain or if  the problem persists after replication has had
             reasonable time to replicate changes.
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=dc3,OU=Domain Controllers,DC=xxx,DC=xxx,DC=xxx
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [2] Problem: Missing Expected Value
                 Base Object:
                CN=DC1,OU=Domain Controllers,DC=xxx,DC=xxx,DC=xxx
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [3] Problem: Missing Expected Value
                 Base Object: CN=DC2,OU=Domain Controllers,DC=xxx,DC=xxx,DC=xxx
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                LDAP Error 0x20 (32) - No Such Object.
             ......................... DC2 failed test VerifyEnterpriseReferences

    Monday, June 07, 2010 4:43 PM
  • 1. Yes

    2. Yes there are no issues with them.

    3. No

    I only see these errors on the main DC with all five roles.  The other 2 DC's don't show them.

    Monday, June 07, 2010 4:50 PM
  • I used ADSI edit and checked out the configuration for each DC.

    They all look fine to me:

    http://cid-843513d1b891e87a.skydrive.live.com/self.aspx/Public/config.JPG

    It does however have some old servers still in it, but there is no information under them.

    Monday, June 07, 2010 5:06 PM
  • I transferred all roles without error and confirmed they were transferred.  I checked using the GUI tools and

    netdom query fsmo

    They all show to be assigned to the correct server.
    Monday, June 07, 2010 5:22 PM
  • Is it possible for me to determine what object is being looked up and not found?  I don't see that information in the log anywhere...
    Monday, June 07, 2010 5:33 PM
  • There are configuration requirements associated with having your infrastructure master on a global catalog -- this might be a contributing factor.

    The questions about that: do you have all your domain controllers operating as Global Catalogs, and is the infrastructure master domain controller a global catalog? If the first answer is No, and the second is yes, you need to either make the infrastructure DC a non-global catalog, or you need to make all your DCs global catalogs.

    I am looking through your files...


    Aaron Sankey, Avanade
    Monday, June 07, 2010 8:12 PM
  • Hello,

    did you follow http://support.microsoft.com/kb/312862 as suggested in the dcdiag output on ALL 3 DCs, as all of them list this error?

    DC2 lists the loopback ip address 127.0.0.1 two times on the NIC; use only its own real ip address, one time.

    xxx.xxx.xxx.231 (DC1.xxx.xxx.xxx.) [Valid]
    127.0.0.1 (DC2.xxx.xxx.xxx.) [Valid]
    127.0.0.1 (DC2.xxx.xxx.xxx.) [Valid]

    Also you have configured DC1 as a FORWARDER on it, this is not recommended, please remove it from the FORWARDERS tab.

      Recursion is enabled
        Forwarders Information:
           xxx.xxx.xxx.231 (DC1.xxx.xxx.xxx.) [Valid]
           xxx.xxx.xxx.52 (<name unavailable>) [Valid]

    Also on DC1 change the loopback ip address to the real one. Hopefully the x.x.x.52/53 are not some of your domain servers configured as the FORWARDERs?

    Are ALTOR, CIPHER and RAHL removed DCs that no longer exist? If yes, did you remove them with dcpromo from the domain or just disconnect them? If dcpromo was used, remove all related entries in DNS zones and the Name server tab of the zone properties, and you can also delete them in AD sites and services. If the latter, run metadata cleanup according to: http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

     


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, June 07, 2010 8:14 PM
  • All of my DC's are GC's... 
    Monday, June 07, 2010 8:32 PM
  • All the old DC's were properly removed using dcpromo.  I checked dns and there were no entries for them.. I just deleted them from AD sites.

    I fixed the extra loopback on DC2.

    52/53 are linux DNS servers.  These are the main DNS servers for our environment.

     

    Monday, June 07, 2010 8:52 PM
  • Hello,

    using FORWARDERS from your own domain isn't recommended, this results in problems. Please use non-domain DNS servers or root hints.

    As said before DON'T use DC1 as forwarder on DC2, please remove it. Then run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service or reboot.

    What about:

    "did you follow http://support.microsoft.com/kb/312862 as suggested in the dcdiag output on ALL 3 DCs as all of them list this error?"


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, June 07, 2010 9:03 PM
  • I thought you were referring to the conditional forwarders.  I fixed the forwarder on DC2 so it doesn't forward to DC1... I don't recall ever adding that so I am not sure why that was even there.  That is odd..
    Monday, June 07, 2010 9:43 PM
  • This article is for server 2003.. Does it still apply?

     

    I am also not noticing the replication errors that it describes in the article.

    Monday, June 07, 2010 9:57 PM
  • http://cid-843513d1b891e87a.skydrive.live.com/self.aspx/Public/ntfrsC.txt

     

    Here is the log for the main DC... I don't see any errors in there...

    Monday, June 07, 2010 10:03 PM
  • Hi zoolanderx,

    Well, that depends on which replication service is running on all the DCs, and if the infrastructure was originally Windows 2003. Do you have FRS or have you upped it to DFS-R?

    It would be helpful to take a look at an ipconfig /all from all three DCs, however looking at how the info you've provided is obfuscated, I don't think you will be willing to post them? They are usually extremely helpful because they provide a lot of information for diagnosis, along with the dcdiag.

    Take a look at the following thread for more info on DFS-R and 2008/2008 R2.

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/7b436a64-a786-4952-befe-582df6eb03fc

    I assume that your DCs are only set to use themselves for DNS (no ISP's DNS, the router, or any other DNS server that doesn't have a copy of or reference to the AD zone such as a Stub, conditional forwarder, Secondary, etc). The recommendation that most agree on is to point to itself as the first entry, and to a partner replica DC, preferably in the same Site/Subnet if one is available, or one in another site or subnet if not.

    As stated earlier, DCs' DNS CANNOT be forwarded to each other. That can cause a forwarding loop essentially reducing a DC's ability to resolve other DCs to zilch, effectively nullifying replication. If such an issue has gone past 180 days on a DC, then that specific DC is pretty much useless. However, your dcdiag does not show that, which is a good thing.

    I also assume the DFS, TCP IP Helper, and DHCP Client services are all running on the DCs, as well as none of the DCs being multihomed (more than one unteamed NIC, more than one IP address, and/or RRAS installed with routing enabled).

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Tuesday, June 08, 2010 5:37 AM
  • DNS structure if it helps...

    http://cid-843513d1b891e87a.office.live.com/self.aspx/Public/dns.jpg
    Wednesday, June 09, 2010 6:47 PM
  • Windows IP Configuration

       Host Name . . . . . . . . . . . . : dc1
       Primary Dns Suffix  . . . . . . . : xxx.xxx.edu
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : xxx.xxx.edu

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : x
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : aaa.aaa.aaa.231(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : aaa.aaa.aaa.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           aaa.aaa.aaa.232
       Primary WINS Server . . . . . . . : aaa.aaa.aaa.100
       NetBIOS over Tcpip. . . . . . . . : Enabled


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : dc2
       Primary Dns Suffix  . . . . . . . : xxx.xxx.xxx
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : xxx.xxx.xxx

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : x
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : aaa.aaa.aaa.232(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : aaa.aaa.aaa.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           aaa.aaa.aaa.231
       Primary WINS Server . . . . . . . : aaa.aaa.aaa.100
       NetBIOS over Tcpip. . . . . . . . : Enabled


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : dc3
       Primary Dns Suffix  . . . . . . . : aaa.aaa.aaa
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : aaa.aaa.aaa

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : x
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : aaa.aaa.aaa.196(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : aaa.aaa.aaa.1
       DNS Servers . . . . . . . . . . . : aaa.aaa.aaa.231
                                           aaa.aaa.aaa.232
       Primary WINS Server . . . . . . . : aaa.aaa.aaa.100
       NetBIOS over Tcpip. . . . . . . . : Enabled


    Wednesday, June 09, 2010 6:54 PM
  • This is all I see under the Domain->System->MicrosoftDNS in ADSIEdit

    Shouldn't there be more?

    http://cid-843513d1b891e87a.office.live.com/self.aspx/Public/addns.JPG
    Wednesday, June 09, 2010 7:23 PM
  • Hi zoolanderx,

    It looks like you are looking at the DomainNC container, and not the DomainDnsZones application partition.

    From the symptoms you've posted, it sounds like it's clearly a DNS resolution issue. If clients, and DCs themselves can't find other DCs, AD pretty much fails.

    I'm starting to think you may have a duplicate zone issue. Please read my blog on this, how to determine if a dupe actually exists, and how to remove them if they do.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    Regarding your ipconfigs, I would suggest removing the loopback address (127.0.0.1), making the first DNS entry the server's actual IP, and unchecking IPv6 and disabling it in the registry, that is if you do not plan on using IPv6. My blog should be able to assist you in this regard. You may also want to disable the TCP/RSS feature, as well.

    How to Disable RSS TCP Chimney Feature and IPv6
    http://msmvps.com/blogs/acefekay/archive/2010/05/27/how-to-disable-rss-tcp-chimney-feature-and-ipv6.aspx

    In addition, you mentioned you have Linux BIND servers as your main servers, .52 and .53. Can you describe their purpose, how they are setup in regards to if any clients use them, or are they only for Forwarding to resolve outside names? I don't see them referenced in your DC ipconfigs, therefore I am wondering if your clients are using them. If so, how are the BIND servers getting a copy of the AD zone so clients can find the DCs to logon, authenticate, find DCs to apply GPOs, etc?

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, June 10, 2010 2:54 AM
  • Hello!

    Thank you for the assistance.  Your DNS article was very useful.  I checked all of the zones.  MicrosoftDNS is empty as I showed you earlier.  DomainDNS is also empty.  The only one that has info in it is ForestDNS as I would expect.

    Here is a screenshot

    http://cid-843513d1b891e87a.office.live.com/self.aspx/Public/dnsforest.JPG

    Under the last DC= the longer one... I can see several of the same "records" that are under DC=_udp, _tcp.,_sites... I wasn't sure if that was normal or if it's just pointing.  I have never looked at the ADSI DNS so I am not sure what it should look like.

    IPV6 is already disabled.

    Unfortunately the linux DNS servers are what all the clients use and I don't have control over them.  I have gotten them to add this to the linux DNS servers which points to my dns servers.

    _udp.aaa.aaa.aaa. IN NS dc2.aaa.aaa.aaa.
    _tcp.aaa.aaa.aaa. IN NS dc2.aaa.aaa.aaa.
    _msdcs.aaa.aaa.aaa. IN NS dc2.aaa.aaa.aaa.
    _sites.aaa.aaa.aaa. IN NS dc2.aaa.aaa.aaa.
    forestdnszones.aaa.aaa.aaa. IN NS dc2.aaa.aaa.aaa.
    domaindnszones.aaa.aaa.aaa. IN NS dc2.aaa.aaa.aaa.

    Thank you again for your help.. I am really looking forward to fixing this odd issue.

    Thursday, June 10, 2010 2:37 PM
  • I should also note that the DC's and clients find each other just fine.  I am actually noticing no issues with my clients connecting with the DC's and the DC's talking to each other.  Everything appears to be working fine.

     

    I am just noticing these errors in the log and would like to fix whatever the issue is before it breaks something.

    Thursday, June 10, 2010 3:16 PM
  • Hi zoolanderx,

    If the Linux BIND box is what the clients use, and not the DCs, you will actually need much more data in the zone on the BIND machines to support AD clients. The domain and forest's SRV data needs to be available for all machines.

    Unless I've missed something in your posts about all the data being available, I would like to mention that one way to do it is to create a Secondary on the BIND server for the AD zone, and pull it from one of the DC's DNS servers.

    Another method is to manually create the data. One company I've helped in the past had a high security environment and a separate BIND team independent of the directory services team, and needed to configure their BIND servers to support clients in their AD environment. That was to manually create the data from the netlogon.dns file from *each* DC located in the system32\config folder. They are the actual AD SRV records, and populate that data into the zone in BIND. The BIND team received the file anytime any of the DCs were changed, which wasn't that often, then they would update the BIND server. This ensures that all clients can find the necessary AD resources to authenticate, apply GPOs, etc.

    Anyway, I didn't mean to go off topic with this, but it somewhat concerned me, but like I said I may have misinterpreted it and you already are doing something similar to ensure the data is on the BIND servers for the AD clients.

    Back to the issue and LDAP errors. If there are no dupes, then that is a good thing. Since that was cleared up and out of the way, then I'm leaning towards my original thought that it's an FRS/DFS-R configuration or mismatch issue.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, June 10, 2010 10:18 PM
  • Hi zoolanderx,

    Looking at your screenshot again, which I must have missed the first time I looked at it, it appears you do have a conflicting zone. See the entry that has "CNF..." in it under the ForestDnsZones partition? That is a conflicting zone. That's what the "CNF" means.

    You may have missed that part in my blog. Please re-read it to get a better understanding of what's going on and how to remove it. This is a cause of concern and possibly what's causing the whole issue. I've reposted the link for your convenience.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    You can also use Jorge's suggestions to remove it. Either way, it must be removed.

    Please let us know how you make out.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, June 11, 2010 2:20 AM
  • FYI, I've totally revamped my blog on how to find and delete duplicate zones. I've tried to remove any ambiguity by providing an explanation, possible causes, how to view and determine if there are duplicates, as well as how to delete them.

    I hope you find the re-write much more user friendly and understandable.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, June 11, 2010 4:04 AM
  • I actually re-read your article after my post and did remove that.  Although I still see the errors in my logs.
    Friday, June 11, 2010 2:41 PM
  • What more DNS data do I need?  It seems to be working fine.. All my clients get their policies fine and can login..
    Friday, June 11, 2010 2:43 PM
  • Hi zoolanderx,

    I'm glad to hear you've removed the conflicting zone. Did you simply remove it, or did you follow the steps to change the zone to a non-AD integrated zone, waited for replication, then remove all instances of the zones in ADSI Edit, awaited replication, then turned the zone back to an AD integrated zone?

    Also, since the errors stated there was an issue with FRS, did you look into the DFS-R and FRS information that I mentioned earlier? Does the error still appear? The reason I ask is because Windows 2008 and 2008 R2 support DFS-R, which essentially replaces FRS. For example, if two DCs are setup for DFS-R, and the third is still set to use FRS, it will generate problems and will not properly replicate that data.

    The reason I am asking is because earlier you had posted an error out of a dcdiag run on DC1 (I assume DC1, since in the original post it was stated that it was run on the server "with all 5 roles"). The following was part of the error posted:

            [2] Problem: Missing Expected Value
                Base Object:
                 CN=DC1,OU=Domain Controllers,DC=xxx,DC=xxx,DC=xxx
                  Base Object Description: "DC Account Object"
                  Value Object Attribute Name: msDFSR-ComputerReferenceBL
                  Value Object Description: "SYSVOL FRS Member Object"
                  Recommended Action: See Knowledge Base Article: Q312862

    Since it is looking for an attribute that doesn't exist, that's kind of telling me that the FRS service is still running on DC1, but not on the 2008 R2 servers. Is it possible the others are up to DFS-R? Did you add the DFS-R role on the 2008 R2 servers?

    I think trying to nail this down, we may need additional information. I don't believe it was requested earlier, but can you post any event log errors from any of the DCs, please? If there are any errors in any of the logs on any of the DCs, please post the EventID#, the Source Name, and any IP or machine name it is referencing in the event. You can also copy and paste the full event to your post, so we can see the whole thing. Please check all the logs on each DC.

    What I am starting to think is that when you introduced the two 2008 R2 DCs, the DFS-R role was added to the machines either prior to or after the demotion, therefore they are now using DFS-R, but the original DC is still using FRS. It is also possible (taking a guess) that DC1 was introduced as a replica DC into a previous Windows 2003 environment, hence why it is still set to FRS, and a possible cause of the problems.

    If you can elaborate on the specific history, that may help, as well as any event log errors.

    More info on DFS-R:

    DFSR Overview:
    http://msdn.microsoft.com/en-us/library/bb540025(VS.85).aspx

    Making it clear with DFSR for WINDOWS 2008
    http://blogs.technet.com/b/janelewis/archive/2009/02/03/making-it-clear-with-dfsr-for-windows-2008.aspx

    DFS Replication: Frequently Asked Questions (FAQ) -
    Applies To: Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2:
    http://technet.microsoft.com/en-us/library/cc773238(WS.10).aspx

    DFS Step-by-Step Guide for Windows Server 2008
    http://technet.microsoft.com/en-us/library/cc732863(WS.10).aspx

     

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    • Edited by Ace Fekay [MCT]MVP Saturday, June 12, 2010 5:21 AM added additional info about the dcdiag error.
    • Marked as answer by Joson ZhouModerator Tuesday, June 15, 2010 1:58 AM
    • Unmarked as answer by zoolanderx Wednesday, June 23, 2010 12:24 AM
    Saturday, June 12, 2010 5:19 AM
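    A defender-side health check that pulls together the things this thread ended up looking at: CNF conflict objects in the DNS application partitions (Ace's duplicate-zone point), the msDFSR-ComputerReferenceBL back-link that dcdiag VerifyEnterpriseReferences reported missing (FRS vs DFS-R), loopback-first DNS client entries and DCs forwarding to each other (Meinolf's observations). This is an added example, not code from Ace, Meinolf or zoolanderx; it assumes the ActiveDirectory module (RSAT), WMI access to every DC, and that every DC also runs the DNS Server role.

```powershell
# Added example, not code from the thread or any of its participants.
# Assumptions: run as a domain admin with the ActiveDirectory module loaded,
# WMI reachable on each DC, and every DC also hosting the DNS Server role.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$forestNC = $rootDse.rootDomainNamingContext
$dcs      = Get-ADDomainController -Filter *
$dcIPs    = $dcs | ForEach-Object { $_.IPv4Address }
$findings = @()

# 1. Conflict objects in the DNS application partitions. When the same zone is
#    created on two DCs before replication, one copy is kept and the other is
#    renamed "<zone>\nCNF:<guid>". In an LDAP filter the newline is written \0A.
foreach ($nc in @("DC=DomainDnsZones,$domainNC", "DC=ForestDnsZones,$forestNC")) {
    Get-ADObject -SearchBase $nc -SearchScope Subtree -LDAPFilter "(name=*\0ACNF:*)" |
        ForEach-Object { $findings += "Conflict (CNF) object: $($_.DistinguishedName)" }
}

foreach ($dc in $dcs) {
    $name = $dc.HostName

    # 2. SYSVOL replication engine. A DFS-R SYSVOL member object puts the back-link
    #    msDFSR-ComputerReferenceBL on the DC's computer object; its absence is what
    #    dcdiag reported as "Missing Expected Value" for each DC in this thread.
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDFSR-ComputerReferenceBL'
    if (-not $comp.'msDFSR-ComputerReferenceBL') {
        $findings += "$name : no msDFSR-ComputerReferenceBL (SYSVOL still on FRS?)"
    }

    # 3. DNS client order on each IP-enabled NIC. The thread's recommendation is the
    #    DC's own address first, then a partner DC; 127.0.0.1 first and any non-DC
    #    resolver (ISP, router, BIND box without the AD zone) are flagged.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $name `
                -Filter "IPEnabled = TRUE"
    foreach ($nic in $nics) {
        if (-not $nic.DNSServerSearchOrder) { continue }
        $order = @($nic.DNSServerSearchOrder)
        if ($order[0] -eq '127.0.0.1') {
            $findings += "$name : first DNS server is loopback 127.0.0.1"
        }
        foreach ($srv in $order) {
            if ($srv -ne '127.0.0.1' -and $dcIPs -notcontains $srv) {
                $findings += "$name : DNS client points at non-DC server $srv"
            }
        }
    }

    # 4. Forwarders on the DC's own DNS server. Forwarding one DC to another DC of
    #    the same domain creates the loop described in the thread; only non-domain
    #    resolvers (or root hints) belong here.
    $dns = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server `
               -ComputerName $name -ErrorAction SilentlyContinue
    if ($dns -and $dns.Forwarders) {
        foreach ($fwd in @($dns.Forwarders)) {
            if ($dcIPs -contains $fwd) {
                $findings += "$name : DNS server forwards to domain controller $fwd"
            }
        }
    }
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

    Findings are reported only; removing a CNF object or migrating SYSVOL to DFS-R still follows the procedures linked in the thread.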
  • ALL DC's are now using DFS-R.   I followed the instructions to do that.  None were when I posted the original logs files.

     

    All of the servers are Server 2008 R2 servers.


    Wednesday, June 23, 2010 12:26 AM
  • Here is an event on d1

     

    http://cid-843513d1b891e87a.office.live.com/self.aspx/Public/dc1Event.JPG

     

    http://cid-843513d1b891e87a.office.live.com/self.aspx/Public/dc1Event2.JPG

    Wednesday, June 23, 2010 12:34 AM
  • Originally this was a Server 2003 Domain.

    Then two Server 2008 GC DC's were added and the original 2003 DC was demoted and removed.

    A third 2008 R2 GC DC was then added.

    Both 2008 DC's were demoted and then two new Server 2008 R2 GC DC's were added.

    I just migrated to DFSR using the instructions provided.  All of the steps went smoothly.

    Wednesday, June 23, 2010 12:45 AM
  • Zoolander,

    Glad to hear you've migrated/upgraded to DFS-R.

    It's strange that Event ID 1535 is showing up. This KB talks about possible causes for it, but it was for Windows 2003. Since the domain was upgraded, check the registry against what's mentioned in the KB.

    Error message when you run an LDAP script that queries for Active Directory information after you bind to a Windows Server 2003-based domain controller: "Error 3021 No Record Found"
    http://support.microsoft.com/?id=934407

    I can't find much else on this error.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Wednesday, June 23, 2010 5:57 AM