Can't replicate between PDC and ADC

    Question

  • Hi All,

    Network environment: PDC (Windows 2008 SP1), ADC (Windows 2003 SP2)

    I have one question to consult: I have two DCs (PDC and ADC). Now I find that the PDC is abnormal: I can't ping the PDC's full NetBIOS name, it can't return an IP:

    At the same time, I can't operate replication on PDC:

     

    the nslookup operation is also abnormal:

     

    Note:

    1.  I had added PDC's host record to its DNS, I can't "ping -a PDC's IP", it will return its full netbios name, so the reverse lookup zone is fine.

    2. All are normal on ADC above three operations.

    3. I had disabled their firewalls.


    • Edited by 网工 Tuesday, December 27, 2011 3:57 AM
    Tuesday, December 27, 2011 3:50 AM

Answers

  • Assuming that you have done the above registry setting and rebooted the server. Can you run the commands below and wait for replication to happen?

    Also configure an authoritative time server as mentioned before.

    net stop netlogon
    ipconfig /flushdns
    ipconfig /registerdns
    net start netlogon
    net stop dns
    net start dns
    net stop ntfrs
    net start ntfrs
    gpupdate /force
    repadmin /syncall /AdeP

    Wait for some time and again run dcdiag /q and check.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Wednesday, December 28, 2011 4:15 AM
  • It shows as below after I add this:

    • In DNS, under _msdcs.XINYISOFT
    • Right click, Choose NEW ALIAS (CNAME) called 7f616b2f-ff93-45c3-ba17-be0e8bf8111f
    • Enter ndqa.XINYISOFT

    To my surprise, I can replicate one on ndqa.qa.xinyisoft, but another is still abnormal.

     

     

    Let's set the first DNS address on ndqa to xyqa's IP address, then re-run the dcdiag.

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, December 28, 2011 4:42 AM
  • Hi All,

    Thanks for your reply.

    At present, the most important problem is: all clients (their IPs are 192.168.10.* or 192.168.0.*) can't log on to the QA domain with a domain user after shutting down XYQA (192.168.10.254). At the same time, all clients can't be added to the QA domain. But they are all fine if I start XYQA (192.168.10.254). To my surprise, these clients' DNS is 192.168.10.24, not 192.168.10.254, so why would XYQA affect this?

    One of the clients' IP configuration:

     

    On these parent domain clients(computername.xinyisoft), can't ping ndqa.qa.xinyisoft, but can ping xyqa.qa.xinyisoft(can return right IP)

     

    So I think this is why clients can't log on to the QA domain or can't be added to QA.

     

    If no one can log on after XYQA (192.168.10.254) is shut down, it's indicating it's either the only GC that exists, or the only GC that's responding.

    There are two main issues going on.

    1. I do not believe the DNS resolving infrastructure is not designed properly for a multi-domain forest. But I may be wrong, since we haven't asked how you have it designed, nor has it been offered.
    2. The forest root domain is a Single Label Name.

    I believe the above two issues need to be addressed, and I also believe the IPv6 is not relevant to the above issue. I would suggest instead of using Ping to resolve names, to use Nslookup. Nslookup is helpful with resolution problems. At least with ping, even if it responds with the IPv6 address, I don't think this is a problem, because the response at least indicates resolution is working. Use nslookup for lookups.

     

    To fix #1:

    We need to first understand how DNS is currently set up for the forest. Is there a Parent-Child DNS delegation, or is the zone set to forest wide?

    If not sure about the above question, please try to answer the following questions:

    • Both NDQA and ZYQA have a Primary DNS Suffix called QA.XINYISOFT. This tells me both of these DCs are part of the same domain. Is this correct?
    • If so, what DCs exist in the parent XINYISOFT domain? Can we see an ipconfig /all of them, too, please?

    Also...

    • What replication scope is the xinysoft zone set to? See picture below and let us know which button it's set to.
    • What replication scope is the qa.xinysoft zone set to? See picture below and let us know which button it's set to.
    • Is there a forwarder from the child DC DNS to the forest root DNS?
    • Does a zone called _msdcs.xinysoft or _msdcs.qa.xinysoft exist? If so, what replication scope are they set to?
    • Post a current ipconfig /all of both DCs.
    • Post a current ipconfig /all of a sample workstation from each domain. If you can translate the ipconfig to English, that would be appreciated and helpful. (Trick: example - you can run ipconfig /all > c:\zqyaipconfig.txt, then open zqyaipconfig.txt, copy and paste the data to your reply).

     

    To Fix #2 (Single Label Name) (Late Addition to this post):

    Active Directory DNS Domain Name Single Label Names  
    http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

     

    Curious, how many users is this problem affecting?

    If you feel this is not helpful, or feel this needs to be resolved sooner to get your users productive, especially if this is a production infrastructure, and users are being affected that they can't perform their job, I would highly suggest at this time to consider contacting Microsoft Support to get this fixed for you. It's a one time charge to fix everything, no matter how long it takes. The US charge is USD $259.00 plus tax. I'm not sure what that is equal to in your locale. If you choose this option, here's the link to get you started. Choose your locale in the dropdown box.
    http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;select&target=assistance

     

    Regards,
    Ace

     


    Ace Fekay
    Thursday, December 29, 2011 5:06 AM
  • I also agree with the above comments: IPv6 is not the issue, as it is not recommended to disable the same on Windows 2008/7. This issue could be Single Label Domain Name.

    I would also recommend opening a case with MS for the same, since it's too long and it could lead to major impact on the production env if not resolved sooner.

    Regards,
    Sandesh Dubey.

    Thursday, December 29, 2011 5:51 AM

All replies

  • The error you are getting, "The RPC server is unavailable", relates to a port being blocked or a network connectivity issue. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. Portquery is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

    Also, disable local windows firewall service, by default it is enabled in vista/windows 2008 and above and reboot the server for setting to take effect. Check the network connectivity and latency.
    http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

    It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

    Active Directory and Active Directory Domain Services Port Requirements
    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    It could also be due to DNS misconfig. Ensure the following on the DC:
    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and a single network adapter is enabled.
    3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", restart the DNS and NETLOGON services on each DC.
    Do not put private DNS IP addresses in the forwarder list.
    5. Assigning static IP address to DC if IP address is assigned by DHCP server to DC. It is strongly not recommended.
    6. Also make sure the IPv6 is configured to dynamic (Automatically) if it is a win2008 DC.

    Hope this helps

    Regards,
    Sandesh Dubey.



    Tuesday, December 27, 2011 4:06 AM
  • Thanks for your reply. But I had read this link before. It was useless when I did it according to its contents.
    These two DCs are in the same network segment (LAN) and their ports are fully open, with no port restrictions.
    • Edited by 网工 Tuesday, December 27, 2011 5:11 AM
    Tuesday, December 27, 2011 4:52 AM
  • Have you checked the DNS settings as mentioned above?

    Create reverse lookup zone for the subnets if it is not created.

    Disable windows firewall as below.
    http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    It seems that IPv6 is not configured to dynamic (Automatically). Refer below for the same.




    Hope this helps

    Regards,
    Sandesh Dubey.


    Tuesday, December 27, 2011 5:25 AM
  • Thanks.

    The firewall had been off

    and I didn't set IPv6 as dynamic before, I set it now. But the issue still exists.

    Create reverse lookup zone for the subnets if it is not created----I doubted that the reason is that PDC's forward DNS has issue, because it can't return IP when I ping its full netbios name, but it can return full netbios name when I use ping -a PDC's IP.

    Tuesday, December 27, 2011 5:51 AM
  • After disabling the firewall have you rebooted the server?

    Also disable the firewall portion of Windows Firewall with Advanced Security by using the Windows Firewall with Advanced Security MMC snap-in
    1. Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.

    2. In the navigation pane, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.

      On each of the Domain Profile, Private Profile, and Public Profile tabs, change the Firewall state option to Off (not recommended).

    3. Click OK to save your changes.


    After rebooting the server, if the issue persists, post the dcdiag /q and repadmin /replsum output.

    Also post the ipconfig /all output of the server.

    Hope this helps

    Regards,
    Sandesh Dubey.

    Tuesday, December 27, 2011 6:00 AM
  • I did it according to your suggestions for disabling the firewall.

    PDC's IP is 192.168.10.24, its full name is: ndqa.qa.xinyisoft. ADC's IP is 192.168.10.254, its full name is xyqa.qa.xinyisoft.

    I can ping PDC and operate AD replicate on ADC, they are all fine.



    • Edited by 网工 Tuesday, December 27, 2011 6:18 AM
    Tuesday, December 27, 2011 6:11 AM
  • From the output there is no replication issue between the DCs.

    Since IPv6 is enabled it will not return IP address while pinging.

    If you want to still see what their IPv4 address is then simply use the command below:

    ping hostname -4

    Also are you getting now RPC unavailable error while replication from Active Directory sites and service?

    What is nslookup result?

    Regards,
    Sandesh Dubey.

    Tuesday, December 27, 2011 6:28 AM
  • Thanks a lot for your reply.

    It seems that nslookup is fine now, maybe the reason is that I had set IPv6 as dynamic according to your suggestions.

    But I still can't replicate now, and why must I add -4 when PING? is there some ways to resolve it? Maybe they are all fine if resolve this issue, it is only my doubt.

    Tuesday, December 27, 2011 7:39 AM
  • Hello,

    First of all, don't disable IPv6 as it is not recommended to do that. More: http://msmvps.com/blogs/acefekay/archive/2010/05/27/how-to-disable-rss-tcp-chimney-feature-and-ipv6.aspx

    To configure IPv4 as default over IPv6, refer to Paul's article: http://blogs.dirteam.com/blogs/paulbergson/archive/2011/06/30/configuring-ipv4-as-default-over-ipv6.aspx

    To solve a DNS update / resolution problem, you can proceed like that:

    • Make sure that each DC has one IP address and one NIC card enabled
    • Choose a DC / DNS server
    • Make sure that each DC points to the chosen DC as primary DNS server
    • Make sure that each DC / DNS server points to its private IP address as secondary DNS and 127.0.0.1 as third one

    Once done, run ipconfig /registerdns and restart netlogon on each DC you have.

    Once done, run repadmin /syncall and check results.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Tuesday, December 27, 2011 7:40 AM
  • Don't disable IPv6, let it be default as many of the services in the newer OS utilize it, like DirectAccess, Exchange 2010 etc. Windows 2008 R2/7 uses IPv6.

    http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx



    What error are you getting while replicating?

    Regards,
    Sandesh Dubey.




    Tuesday, December 27, 2011 7:49 AM
  • Tuesday, December 27, 2011 8:23 AM
  • Otherwise, I don't want to disable IPV6, I only want to use "ping ndqa.qa.xinyisoft" ,not "-4" after it. I have other Windows 2008 OS, I can ping them not -4, why must this server  use -4???

    Tuesday, December 27, 2011 8:27 AM
  • Also ensure that the Windows Firewall service is disabled on the win2003 DC and the correct DNS setting is entered as mentioned above, reboot the 2003 DC as well and see.

    Hope this helps

    Regards,
    Sandesh Dubey.

    Tuesday, December 27, 2011 8:29 AM
  • The win2003 DC's firewall had already been disabled.
    Tuesday, December 27, 2011 8:38 AM
  • The win2003 DC's firewall had already been disabled.

    Please use Microsoft Skydrive to upload the output of these commands on all DCs you have:

    • ipconfig /all > c:\ipconfig.txt
    • dcdiag > c:\dcdiag.txt

    Once done, post a link here.

     



    Tuesday, December 27, 2011 8:42 AM

  • Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = NDQA

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\NDQA

          Starting test: Connectivity

             The host 7f616b2f-ff93-45c3-ba17-be0e8bf8111f._msdcs.XINYISOFT could

             not be resolved to an IP address. Check the DNS server, DHCP, server

             name, etc.

             ......................... NDQA failed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\NDQA

          Skipping all tests, because server NDQA is not responding to directory

          service requests.

      
      
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : QA

          Starting test: CheckSDRefDom

             ......................... QA passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... QA passed test CrossRefValidation

      
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

      
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

      
       Running enterprise tests on : XINYISOFT

          Starting test: LocatorCheck

             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

             A Global Catalog Server could not be located - All GC's are down.

             ......................... XINYISOFT failed test LocatorCheck

          Starting test: Intersite

             ......................... XINYISOFT passed test Intersite


    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Default-First-Site-Name\XYQA
          Starting test: Connectivity
             ......................... XYQA passed test Connectivity

    Doing primary tests
      
       Testing server: Default-First-Site-Name\XYQA
          Starting test: Replications
             ......................... XYQA passed test Replications
          Starting test: NCSecDesc
             ......................... XYQA passed test NCSecDesc
          Starting test: NetLogons
             ......................... XYQA passed test NetLogons
          Starting test: Advertising
             Warning: XYQA is not advertising as a time server.
             Warning: XYQA has not finished promoting to be a GC.
             Check the event log for domains that cannot be replicated.
             Warning: XYQA is not advertising as a global catalog.
             Check that server finished GC promotion.
             Check the event log on server that enough source replicas for the GC are available.
             ......................... XYQA failed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... XYQA passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... XYQA passed test RidManager
          Starting test: MachineAccount
             ......................... XYQA passed test MachineAccount
          Starting test: Services
                w32time Service is stopped on [XYQA]
             ......................... XYQA failed test Services
          Starting test: ObjectsReplicated
             ......................... XYQA passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... XYQA passed test frssysvol
          Starting test: frsevent
             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             ......................... XYQA failed test frsevent
          Starting test: kccevent
             An Information Event occured.  EventID: 0x40000617
                Time Generated: 12/27/2011   16:34:04
                (Event String could not be retrieved)
             An Information Event occured.  EventID: 0x40000617
                Time Generated: 12/27/2011   16:34:04
                (Event String could not be retrieved)
             An Information Event occured.  EventID: 0x4000062A
                Time Generated: 12/27/2011   16:34:04
                (Event String could not be retrieved)
             An Information Event occured.  EventID: 0x40000456
                Time Generated: 12/27/2011   16:34:04
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC00006A3
                Time Generated: 12/27/2011   16:36:54
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC00006A3
                Time Generated: 12/27/2011   16:38:34
                (Event String could not be retrieved)
             ......................... XYQA failed test kccevent
          Starting test: systemlog
             An Error Event occured.  EventID: 0xC000001B
                Time Generated: 12/27/2011   16:10:10
                Event String: While processing a TGS request for the target

             An Error Event occured.  EventID: 0x00000457
                Time Generated: 12/27/2011   16:19:05
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 12/27/2011   16:19:05
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 12/27/2011   16:19:05
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 12/27/2011   16:19:05
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 12/27/2011   16:19:06
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 12/27/2011   16:19:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 12/27/2011   16:19:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC000001B
                Time Generated: 12/27/2011   16:19:15
                Event String: While processing a TGS request for the target

             An Error Event occured.  EventID: 0xC000001B
                Time Generated: 12/27/2011   16:34:50
                Event String: While processing a TGS request for the target

             ......................... XYQA failed test systemlog
          Starting test: VerifyReferences
             ......................... XYQA passed test VerifyReferences
      
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
      
       Running partition tests on : QA
          Starting test: CrossRefValidation
             ......................... QA passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... QA passed test CheckSDRefDom
      
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
      
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
      
       Running enterprise tests on : XINYISOFT
          Starting test: Intersite
             ......................... XINYISOFT passed test Intersite
          Starting test: FsmoCheck
             ......................... XINYISOFT passed test FsmoCheck

    Tuesday, December 27, 2011 8:51 AM
  • The DNS GUID registration failed on the 2008 DC.

    Remove IP address 192.168.10.15 & 192.168.0.15 from dns setting and restart the netlogon and dns service.

    Also, IP addresses 192.168.10.15 & 192.168.0.15 are entered in the WINS settings on the server. If a WINS server is not present then remove the same.

    Run ipconfig /flushdns & ipconfig /registerdns.

    Run dcdiag /q and repadmin /syncall /AdeP and check for any errors or warning.

    Also configure an authoritative time server on the PDC role holder server; below is the KB article for the same.
    http://support.microsoft.com/kb/816042

    Make sure that the parameters below are set correctly on the PDC server.
    1. Change the server type to NTP
    2. Set AnnounceFlags to 5
    3. Enable NTPServer
    4. Specify the time sources, e.g. time.windows.com,0x1
    5. Configure other parameters as well.

    Restart the Windows Time service. Run the w32tm /resync /rediscover command.

    Check the system log you will get event id 35 and 37 related to time sync.

    Also point the other DC to point to PDC server for time sync.
    Server type to NT5DS
    Set Ntpserver -->PDCservername,0x1 eg DC,0x1
    Set AnnounceFlags to 10 by default it is 10
    Restart the Windows Time service. Run the w32tm /resync /rediscover command.

    Hope this helps

    Regards,
    Sandesh Dubey.

    Tuesday, December 27, 2011 9:01 AM
  • In fact ,192.168.10.15 and 192.168.0.15  are Parent Domain(0.15 is PDC,10.15 is ADC), and WINS are installed on them. 10.24 and 10.254 are child domain, not WINS. Are you sure I can remove them?

    • Edited by 网工 Tuesday, December 27, 2011 9:16 AM
    Tuesday, December 27, 2011 9:15 AM
  • You should not have to - WINS entries should have no bearing on the DNS name resolution as long as your domain controllers are configured with default settings.

    However, you seem to imply that you have a multidomain forest (since you mentioned the Parent Domain) - while according to the screenshot of Sites and Services snap-in, you have only two domain controllers in the forest (and apparently both of them are in the same domain). Which one is it?

    If you want to be able to use IPv4 as the default addressing scheme, then you should follow http://blogs.dirteam.com/blogs/paulbergson/archive/2011/06/30/configuring-ipv4-as-default-over-ipv6.aspx - as advised earlier.

    hth
    Marcin

    Tuesday, December 27, 2011 4:54 PM
  • What I noticed in the dcdiag results is this:

    Testing server: Default-First-Site-Name\NDQA
    Starting test: Connectivity
    The host 7f616b2f-ff93-45c3-ba17-be0e8bf8111f._msdcs.XINYISOFT could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
    ......................... NDQA failed test Connectivity

     

    It shows the domain name as XINYISOFT (without the 'qa' in it), however, according to the ipconfig /all of the two DCs, the domain name is qa.XINYISOFT.

     

    To me, this looks like there are one of two things going on, or possibly both (not able to determine yet until we get more information)

    1. There is a Disjointed Namespace issue
    2. There is a single label name issue.

     

    Normally I would suggest to manually create the missing GUID in DNS, such as doing:

    • In DNS, under _msdcs.XINYISOFT
    • Create an ALIAS (CNAME) called 7f616b2f-ff93-45c3-ba17-be0e8bf8111f
    • Provide ndqa.._msdcs.qa.XINYISOFT

     

    However, let's not do that just yet, because I am confused on what exactly your AD DNS domain name is supposed to be, and what zones exist in DNS, based on the discrepancies in what you've provided so far (ipconfigs, dcdiag, etc, and screenshots).

     

    Please provide the following information to allow us to better understand your AD configuration, AD DNS name, etc. Based on the information, it may be either a simple fix (creating the necessary zone and registering the records automatically), or a complicated fix (domain rename). Let's hope for the simple fix:

    • Screenshot of your Active Directory Users and Computers  so we can see the domain name in the upper left navigation pane.
    • Also expand the Domain Controllers OU so we can see what DCs are listed in the right window pane.

     

    In DNS, do you have a zone called XINYISOFT or qa.XINYISOFT?

    If you have one, or the other, or both, please provide a screenshot of DNS for us

    • If exists, click on _msdcs.XINYISOFT - So we can see the records in the right pane.
    • If exists, click on _msdcs.qa.XINYISOFT - So we can see the records in the right pane.
    • If exists, click on qa.XINYISOFT - So we can see the records in the right pane.
    • If exists, click on XINYISOFT - So we can see the records in the right pane.
    • Check the zone properties of each zone you have and let us know if Updates are allowed

     

    Ace

     


    Ace Fekay
    Tuesday, December 27, 2011 6:42 PM
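Added example (not written by any poster in this thread): a small Python triage helper that reads the dcdiag Connectivity failure quoted in the post above, pulls out the DC's GUID-based CNAME name and its `_msdcs` zone, and relates that zone to the DC's primary DNS suffix taken from ipconfig /all. The function name `triage` and the result keys are hypothetical; the sample lines are the ones quoted above, and the helper assumes the DC's FQDN is its host name plus its primary DNS suffix.

```python
import re

# dcdiag lines as quoted in the post above.
DCDIAG_SAMPLE = """\
Testing server: Default-First-Site-Name\\NDQA
Starting test: Connectivity
The host 7f616b2f-ff93-45c3-ba17-be0e8bf8111f._msdcs.XINYISOFT could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
......................... NDQA failed test Connectivity
"""

SERVER_RE = re.compile(r"Testing server:\s*(?P<site>[^\\]+)\\(?P<server>\S+)")
UNRESOLVED_RE = re.compile(
    r"The host (?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"\._msdcs\.(?P<forest>\S+) could not be resolved"
)


def triage(dcdiag_text, primary_dns_suffix):
    """Return one finding per unresolved DC GUID record in dcdiag output.

    primary_dns_suffix is the "Primary Dns Suffix" shown by ipconfig /all
    on the DC being tested (hypothetical parameter name).
    """
    findings = []
    server = None
    suffix = primary_dns_suffix.strip(".")
    for line in dcdiag_text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            server = m.group("server")
            continue
        m = UNRESOLVED_RE.search(line)
        if not m:
            continue
        guid = m.group("guid").lower()
        # The GUID CNAME is registered under _msdcs.<forest root DNS name>.
        forest = m.group("forest").rstrip(".")
        record = f"{guid}._msdcs.{forest}"
        if suffix.lower() == forest.lower():
            relation = "forest-root"
        elif suffix.lower().endswith("." + forest.lower()):
            relation = "child-of-forest-root"
        else:
            # Separate tree in the forest, or a disjoint namespace.
            relation = "not-under-forest-root"
        findings.append({
            "server": server,
            "dsa_guid": guid,
            "zone": "_msdcs." + forest,
            "record": record,
            # Assumption: DC FQDN = host name + primary DNS suffix.
            "dc_fqdn": f"{server.lower()}.{suffix}" if server else None,
            "single_label_forest": "." not in forest,
            "relation": relation,
            "check": f"nslookup -type=CNAME {record}",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(DCDIAG_SAMPLE, "qa.XINYISOFT"):
        for key, value in finding.items():
            print(f"{key:20} {value}")
```
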
  • Thanks for your reply.

    XINYISOFT is parent domain, there are two DCs in this domain, the PDC is 192.168.0.15, ADC is 192.168.0.15. But I think it is not the reason to current issue. After all, current issue is in child domain( PDC is 192.168.10.24, ADC is 192.168.10.254)

    Otherwise, how do I set  the DisabledComponents 's value In this link(http://blogs.dirteam.com/blogs/paulbergson/archive/2011/06/30/configuring-ipv4-as-default-over-ipv6.aspx)  if I only want to set "ping ndqa.qa.xinyisoft" not -4, it can also return IP(192.168.10.24)????

    • Edited by 网工 Wednesday, December 28, 2011 1:51 AM
    Wednesday, December 28, 2011 1:25 AM
    On server (IP address 192.168.10.24), as mentioned in the previous post, is obtain an IPv6 address automatically selected. It seems that Use the following IPv6 address is selected; change the same.

    Point the dns setting of the server as below.

    Preferred dns-192.168.10.24
    Secondary dns-192.168.0.15 

    Restart the netlogon and dns service.

    Run ipconfig /flushdns & ipconfig /registerdns.

    Again run dcdiag /q to check if the DNS GUID is registered.

    Hope this helps

    Regards,
    Sandesh Dubey.

    Wednesday, December 28, 2011 2:30 AM
  • Thanks for your reply.

    XINYISOFT is parent domain, there are two DCs in this domain, the PDC is 192.168.0.15, ADC is 192.168.0.15. But I think it is not the reason to current issue. After all, current issue is in child domain( PDC is 192.168.10.24, ADC is 192.168.10.254)

     

    Actually, DNS does not play well with single label name DNS domain names. This is because DNS is based on a hierarchical structure that requires a minimum of two levels, such as xinysoft.com, xinysoft.local, xinysoft.corp, etc. Otherwise, if a single label name such as "xinysoft" is used, DNS is not sure how to handle it. This is because DNS thinks the domain name is a TLD (Top Level Domain name). Therefore, anytime there is a query, it will try to nail the Root Hints with unnecessary traffic trying to resolve the name, BEFORE it even looks at the zones that the DNS server is hosting.

    Therefore, the ability to resolve zone data in a single label zone has been disabled with Windows 2000 SP4 and all newer operating systems.

    There's a bandaid to enable resolution in the following link, but Microsoft highly suggests to not do this. If you feel this is necessary, you will have to run this registry entry on all your domain machines.

    Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
    http://support.microsoft.com/?id=300684

     

     

    The following is from Alan Wood, Microsoft, regarding Single Label Names:

    ================================
    ================================
    Original Message -----
    From: "Alan Wood" [MSFT]
    Newsgroups: microsoft.public.win2000.dns
    Sent: Wednesday, January 07, 2004 1:25 PM
    Subject: Re: Single label DNS

    Hi Roger,

    We really would prefer to use FQDN over Single labeled. There are
    a lot of other issues that you can run into when using a Single labeled
    domain name with other AD integrated products. Exchange would be a great
    example. Also note that the DNR (DNS RESOLVER) was and is designed to
    Devolve DNS requests to the LAST 2 names.

    Example: Single Labeled domain .domainA
    then, you add additional domains on the forest.
    child1.domainA
    Child2.child1.domainA

    If a client in the domain Child2 wants to resolve a name in domainA
    Example. Host.DomainA and uses the following to connect to a share
    \\host then it is not going to resolve. WHY, because the resolver is
    first going to query for Host.Child2.child1.domainA, then it will
    next try HOST.Child1.domainA; at that point the Devolution process is
    DONE. We only go to the LAST 2 Domain Names.

    Also note that if you have a single labeled domain name it causes excess
    DNS traffic on the ROOT HINTS servers and being all Good Internet Community
    users we definitely do not want to do that. NOTE that in Windows 2003,
    you get a big Pop UP Error Message when trying to create a single labeled
    name telling you DON'T DO IT. It will still allow you to do it, but you
    will still be required to make the registry changes, which is really not
    fun.

    Microsoft is seriously asking you to NOT do this. We will support you but
    in the end the results could be limiting depending on the
    services you are using.

    Thank you,

    Alan Wood[MSFT]
    ==============================
    ================================

     

    Please read the following link with more information about Single Label Names:

    Active Directory DNS Domain Name Single Label Names
    http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

     

     

    Otherwise, how do I set  the DisabledComponents 's value In this link(http://blogs.dirteam.com/blogs/paulbergson/archive/2011/06/30/configuring-ipv4-as-default-over-ipv6.aspx)  if I only want to set "ping ndqa.qa.xinyisoft" not -4, it can also return IP(192.168.10.24)????

     

    To set it so it doesn't use IPv6 as a DNS or respond to IPv6, run the following:

    You can delete the "::1" IPv6 loopback address by the following method.

    • Run an ipconfig /all. Determine the "Local Area Connection" name.

    In the example below, I used "Local Area Connection" for the interface name:

    • netsh interface ipv6 delete dnsserver "Local Area Connection" ::1

    You can add it back in, if you like:

    • netsh interface ipv6 add dnsserver "Local Area Connection" ::1

     

    Or you can try and set your IPv6 NIC properties to the following:

     

     

    I would suggest, recommend and consider a domain rename. More info on renames:

    Domain Rename With or Without Exchange - Are you sure you want to perform a rename? Are you absolutely sure?
    http://msmvps.com/blogs/acefekay/archive/2009/08/19/domain-rename-with-or-without-exchange.aspx
     
    How Domain Rename Works
    http://technet.microsoft.com/en-us/library/cc738208(WS.10).aspx

    Rename a Domain Controller Using Netdom
    http://technet.microsoft.com/en-us/library/cc816601(WS.10).aspx

     

    Regards,
    Ace

     

     


    Ace Fekay
    Wednesday, December 28, 2011 2:43 AM
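Added example (not part of the quoted newsgroup message or of any post here): a Python model of the devolution rule as that message describes it, where the resolver strips the leftmost label of the client's primary DNS suffix until only the last two labels remain. It models that description only, not the Windows resolver's code or any suffix search list; the function names and the `domainA.local` comparison name are constructed for illustration.

```python
def devolved_queries(host, primary_dns_suffix, min_labels=2):
    """FQDNs tried, in order, for an unqualified host name.

    Devolution stops once the suffix is down to min_labels labels
    (the "LAST 2 domain names" in the quoted message).
    """
    labels = [label for label in primary_dns_suffix.strip(".").split(".") if label]
    queries = []
    while labels:
        queries.append(".".join([host] + labels))
        if len(labels) <= min_labels:
            break
        labels = labels[1:]  # drop the leftmost label and try the parent
    return queries


def found_by_devolution(target_fqdn, client_suffix):
    """True if a client with client_suffix reaches target_fqdn by devolution."""
    wanted = target_fqdn.rstrip(".").lower()
    host = wanted.split(".", 1)[0]
    return wanted in (q.lower() for q in devolved_queries(host, client_suffix))


if __name__ == "__main__":
    cases = [
        # (target host FQDN, client's primary DNS suffix)
        ("host.domainA", "Child2.child1.domainA"),              # from the quoted message
        ("host.domainA.local", "child2.child1.domainA.local"),  # constructed two-label root
        ("pdc.XINYISOFT", "qa.XINYISOFT"),                      # constructed host, page's domains
    ]
    for target, suffix in cases:
        host = target.split(".", 1)[0]
        print(f"client suffix {suffix}, looking for \\\\{host}")
        for query in devolved_queries(host, suffix):
            print(f"    query {query}")
        print(f"    reaches {target}: {found_by_devolution(target, suffix)}")
```

With a single-label forest root the walk ends one level above the root, so a short name for a root-domain host is never tried against the root zone; with a two-label root the last query lands in the root zone.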
  • I had set like your

    But I still can't ping njdqa.qa.xinyisoft, it can't still return its IP.

    Note: I don't think that it is related with single label domain.
    • Edited by 网工 Wednesday, December 28, 2011 3:18 AM
    Wednesday, December 28, 2011 3:15 AM
  • Did you try the netsh option?

    Any comment on the implications of a single label DNS name?

     


    Ace Fekay
    Wednesday, December 28, 2011 3:22 AM
  • It still fails via your suggestions.

    Otherwise, It can't return IP when I ping. Could you tell me how to repair it?

    Wednesday, December 28, 2011 3:22 AM
  • I see you edited your post about single label names before I posted.

    I believe this is a major concern not to be taken lightly. Please read the link I provided for more specifics to understand the implications of a single label name, why Microsoft disabled DNS resolution with single label names, why it causes problems, and your options to fix it.

    Ace

     


    Ace Fekay
    Wednesday, December 28, 2011 3:26 AM
  • It still fails via your suggestions.

    Otherwise, It can't return IP when I ping. Could you tell me how to repair it?



     

    Did you try this suggestion in my previous post? Here's a repost:

    • Run an ipconfig /all. Determine the "Local Area Connection" name.
    • Then use the interface name in the following command (as an example, I used "Local Area Connection" for the interface name):
    • netsh interface ipv6 delete dnsserver "Local Area Connection" ::1

     

    The dcdiag is failing due to DNS lookups. The error message says it can't resolve 7f616b2f-ff93-45c3-ba17-be0e8bf8111f._msdcs.XINYISOFT.

    You can try by manually creating the missing record in the error message:

    • In DNS, under _msdcs.XINYISOFT
    • Right click, Choose NEW ALIAS (CNAME) called 7f616b2f-ff93-45c3-ba17-be0e8bf8111f
    • Enter ndqa.XINYISOFT

    Ace


    Ace Fekay
    Wednesday, December 28, 2011 3:35 AM
  • If the Exchange role is not installed on the server, refer to the links below to disable IPv6. Once the registry setting is done, reboot the server and check.

    http://www.windowsreference.com/networking/disable-ipv6-in-windows-server-20008-full-core-installation/
    http://geekswithblogs.net/cajunmcse/archive/2010/02/05/quick-way-to-disable-ipv6-in-windows-2008-server.aspx

    Hope this helps

    Regards,
    Sandesh Dubey.


    Wednesday, December 28, 2011 3:46 AM
  • Thanks for your reply. The following is ipconfig/all, which is  "Local Area Connection" name.

    I didn't know which is right, so I use the following command.

    Wednesday, December 28, 2011 3:51 AM
  • Can you disable IPv6 and check, as mentioned in the above post?



    Wednesday, December 28, 2011 3:57 AM
  • It shows as below after I add this:

    • In DNS, under _msdcs.XINYISOFT
    • Right click, Choose NEW ALIAS (CNAME) called 7f616b2f-ff93-45c3-ba17-be0e8bf8111f
    • Enter ndqa.XINYISOFT

    To my surprise, I can replicate one on ndqa.qa.xinyisoft, but another is still abnormal.

     

    Wednesday, December 28, 2011 4:08 AM
  • I had done it ago.
    Wednesday, December 28, 2011 4:09 AM
  • Assuming that you have done the above registry setting and rebooted the server, can you run the commands below and wait for replication to happen?

    Also configure an authoritative time server as mentioned before.

    net stop netlogon
    ipconfig /flushdns
    ipconfig /registerdns
    net start netlogon
    net stop dns
    net start dns
    net stop ntfrs
    net start ntfrs
    gpupdate /force
    repadmin /syncall /AdeP

    Wait for some time and again run dcdiag /q and check.

    Regards,
    Sandesh Dubey.

    Wednesday, December 28, 2011 4:15 AM
  • It shows as below after I add this:

    • In DNS, under _msdcs.XINYISOFT
    • Right click, Choose NEW ALIAS (CNAME) called 7f616b2f-ff93-45c3-ba17-be0e8bf8111f
    • Enter ndqa.XINYISOFT

    To my surprise, I can replicate one on ndqa.qa.xinyisoft, but another is still abnormal.

     

     

    Let's set the first DNS address on ndqa to xyqa's IP address, then re-run the dcdiag.

     


    Ace Fekay
    Wednesday, December 28, 2011 4:42 AM
  •  

    Wednesday, December 28, 2011 5:12 AM
  • Thanks. Yes, I did it, and now it is fine. The two replication are ok.

    But NDQA(192.168.10.24) are primary DC and DNS, why do I set 192.168.10.254 as primary DNS on it?

    I will downgrade this DC(192.168.10.254) in several days. Will it have some issues for it?

    Now, I still can't ping NDQA(not return IP, must add -4) and run dcdiag /q normally.

    Wednesday, December 28, 2011 5:19 AM
  • Nice to hear that replication issue is fixed.

    You can remove the IP address 192.168.10.254 after you remove the server from the n/w. It will not cause any issue.

    Are you not able to ping the child domain or root domain FQDN? What message are you getting while pinging?

    If IPv6 is enabled it will not return the IP address; as mentioned before, you need to add -4 to get the IP address.

    Regards,
    Sandesh Dubey.

    Wednesday, December 28, 2011 5:41 AM
  • It seems to be unstable for replication, that is, sometimes it is fine, and sometimes it is not fine.

    For ping,  how do I set  the DisabledComponents 's value In this link(http://blogs.dirteam.com/blogs/paulbergson/archive/2011/06/30/configuring-ipv4-as-default-over-ipv6.aspx)  if I only want to set "ping ndqa.qa.xinyisoft" not -4, it can also return IP(192.168.10.24)????

     

    Wednesday, December 28, 2011 6:13 AM

  • Just removing the check mark from TCPIP will not remove IPv6.

    If the Exchange role is not installed on the server, refer to the links below to disable IPv6. Once the registry setting is done, reboot the server and check.

    http://www.windowsreference.com/networking/disable-ipv6-in-windows-server-20008-full-core-installation/
    http://geekswithblogs.net/cajunmcse/archive/2010/02/05/quick-way-to-disable-ipv6-in-windows-2008-server.aspx

    Also in DNS console Right--Click on DNS--In interface tab only IP address 192.168.10.24 should be listed. Remove fe80:34b...

    Regards,
    Sandesh Dubey.



    Wednesday, December 28, 2011 6:23 AM
  • Also in DNS console Right--Click on DNS--In interface tab only IP address 192.168.10.24 should be listed.Remove fe80:34b...----------------Please tell me the details, thanks.
    Wednesday, December 28, 2011 6:44 AM
  • I find that all clients can't logon to QA domain with domain user after shutting down XYQA(192.168.10.254). Why? What should I do?

    At the same time, all clients can't be added to QA domain.

    Note: All clients' DNS are 192.168.10.24.
    • Edited by 网工 Wednesday, December 28, 2011 7:46 AM
    Wednesday, December 28, 2011 7:17 AM
  • Have you pointed the DNS setting of the client PC to (192.168.10.24) as the preferred DNS setting?

    -->> IP configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set public DNS server in TCP/IP setting of client/member server.

    Regards,
    Sandesh Dubey.

    Wednesday, December 28, 2011 8:00 AM
  • all client's IP configuration:

    All clients can't logon to QA domain with domain user after shutting down XYQA(192.168.10.254). At the same time, all clients can't be added to QA domain. They are fine if I start XYQA.

    Wednesday, December 28, 2011 9:16 AM
  • Can you please disable the IPV6
    Nirmal Singh IT Administrator
    Wednesday, December 28, 2011 9:26 AM
  • You should not have to disable IPv6 - in general this is not recommended - as long as you follow earlier recommendations.

    However, in this case, for the purpose of troubleshooting, you might want to try it first and determine whether this resolves your AD replication issue. Once that's resolved, we can collectively look into re-enabling IPv6.

    hth
    Marcin

    Wednesday, December 28, 2011 9:48 AM
  • Thanks for your reply. The following is ipconfig/all, which is  "Local Area Connection" name.

     

    I didn't know which is right, so I use the following command.


    Element not found means it's not finding the interface or object. Try this:

    1. First run: netsh interface ipv6 show interfaces
    2. Once you've identified the IDX# for that interface after you run the above, then put that IDX# in the next command:
    3. netsh interface ipv6 delete dnsserver name="IDX#" address=::1

     


    Ace Fekay
    Wednesday, December 28, 2011 3:52 PM
  • Refer to the links below to disable IPv6 on the client PC.

    http://www.addictivetips.com/windows-tips/how-to-disable-ipv6-in-windows-7/
    http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/windows-7-tcpipv4-and-tcpipv6-settings/5a1e05d7-c39a-4b53-8a48-05a75c746388



    Hope this helps

    Regards,
    Sandesh Dubey.

    Thursday, December 29, 2011 12:54 AM
  • Hi All,

    Thanks for your reply.

    At present, the most important problem is: All clients(Their IP is 192.168.10.* or 192.168.0.*) can't logon to QA domain with domain user after shutting down XYQA(192.168.10.254). At the same time, all clients can't be added to QA domain. But they are all fine if I start XYQA(192.168.10.254). To my surprise, these clients' DNS is 192.168.10.24, not 192.168.10.254, why will XYQA affect?

    one of clients's IP configuration:

    On these parent domain clients(computername.xinyisoft), can't ping ndqa.qa.xinyisoft, but can ping xyqa.qa.xinyisoft(can return right IP)

    So I think this is the why clients can't logon to QA domain or can't be added to QA.

    • Edited by 网工 Thursday, December 29, 2011 1:30 AM
    Thursday, December 29, 2011 1:25 AM
  • Hi All,

    Thanks for your reply.

    At present, the most important problem is: All clients(Their IP is 192.168.10.* or 192.168.0.*) can't logon to QA domain with domain user after shutting down XYQA(192.168.10.254). At the same time, all clients can't be added to QA domain. But they are all fine if I start XYQA(192.168.10.254). To my surprise, these clients' DNS is 192.168.10.24, not 192.168.10.254, why will XYQA affect?

    one of clients's IP configuration:

     

    On these parent domain clients(computername.xinyisoft), can't ping ndqa.qa.xinyisoft, but can ping xyqa.qa.xinyisoft(can return right IP)

     

    So I think this is the why clients can't logon to QA domain or can't be added to QA.

     

    If no one can logon after XYQA(192.168.10.254) is shut down, it's indicating it's either the only GC that exists, or the only GC that's responding.

    There are two main issues going on.

    1. I do not believe the DNS resolving infrastructure is not designed properly for a multi-domain forest. But I may be wrong, since we haven't asked how you have it designed, nor has it been offered.
    2. The forest root domain is a Single Label Name.

    I believe the above two issues need to be addressed, and I also believe the IPv6 is not relevant to the above issue. I would suggest instead of using Ping to resolve names, to use Nslookup. NSlookup is helpful with resolution problems. At least with ping, even if it responds with the IPv6 address, I don't think this is a problem, because the response at least indicates resolution is working. Use nslookup for lookups.

     

    To fix #1:

    We need to first understand how DNS is currently setup for the forest. Is there a Parent-Child DNS delegation, or is the zone set to forest wide?

    If not sure about the above question, please try to answer the following questions:

    • Both NDQA and ZYQA have a Primary DNS Suffix called QA.XINYISOFT. This tells me both of these DCs are part of the same domain. Is this correct?
    • If so, what DCs exist in the parent XINYISOFT domain? Can we see an ipconfig /all of them, too, please?

    Also...

    • What replication scope is the xinysoft zone set to? See picture below and let us know which button it's set to.
    • What replication scope is the qa.xinysoft zone set to? See picture below and let us know which button it's set to.
    • Is there a forwarder from the child DC DNS to the forest root DNS?
    • Does a zone called _msdcs.xinysoft or _msdcs.qa.xinysoft exist? If so, what replication scope are they set to?
    • Post a current ipconfig /all of both DCs.
    • Post a current ipconfig /all of a sample workstation from each domain. If you can translate the ipconfig to English, that would be appreciated and helpful. (Trick: example - you can run ipconfig /all > c:\zqyaipconfig.txt, then open zqyaipconfig.txt, copy and paste the data to your reply).

     

    To Fix #2 (Single Label Name) (Late Addition to this post):

    Active Directory DNS Domain Name Single Label Names  
    http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

     

    Curious, how many users is this problem affecting?

    If you feel this is not helpful, or feel this needs to be resolved sooner to get your users productive, especially if this is a production infrastructure, and users are being affected that they can't perform their job, I would highly suggest at this time to consider contacting Microsoft Support to get this fixed for you. It's a one time charge to fix everything, no matter how long it takes. The US charge is USD $259.00 plus tax. I'm not sure what that is equal to in your locale. If you choose this option, here's the link to get you started. Choose your locale in the dropdown box.
    http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;select&target=assistance

     

    Regards,
    Ace

     


    Ace Fekay
    Thursday, December 29, 2011 5:06 AM
  • I also agree with the above comments: IPv6 is not the issue. As it is not recommended to disable the same on Windows 2008/7. This issue could be Single Label Domain Name.

    I would also recommend to open a case with MS for the same since it's too long and it could lead to major impact on the production env if not resolved sooner.

    Regards,
    Sandesh Dubey.

    Thursday, December 29, 2011 5:51 AM