TrustAnchors errors on new AD DC/DNS server

  • Question

  • My domain currently has two DCs (both are Windows 2008 R2 Enterprise servers) and 12 RODCs (all are Windows Standard SP2 servers). We installed a new Windows R2 Standard (SP1) server (which will replace one of the RODCs) and made it a third DC (for offsite DC redundancy). The new server - DISTFILESRV - has DS and DNS running. However, DNS reports the following 4 errors when I run the "Best Practices Analyzer":


    Issue 1
    *******************************************************************************
    Issue:
    None of the secondary servers configured for zone TrustAnchors are responding.

    Impact:
    Secondary servers will fail DNS queries for the zone TrustAnchors.

    Resolution:
    Validate secondary servers for zone TrustAnchors.

    *******************************************************************************

    Issue 2
    *******************************************************************************
    Issue:
    The secondary DNS server XXX.XXX.XX.141 does not respond to queries for the zone TrustAnchors.

    Impact:
    DNS queries for the zone TrustAnchors might fail.

    Resolution:
    Verify that the server XXX.XXX.XX.141 is a secondary DNS server that hosts the zone TrustAnchors.
    *******************************************************************************

    Issue 3
    *******************************************************************************
    Issue:
    The secondary DNS server XXX.XXX.XX.203 does not respond to queries for the zone TrustAnchors.

    Impact:
    DNS queries for the zone TrustAnchors might fail.

    Resolution:
    Verify that the server XXX.XXX.XX.203 is a secondary DNS server that hosts the zone TrustAnchors.
    *******************************************************************************

    Issue 4
    *******************************************************************************
    Issue:
    The secondary DNS server XXX.XXX.XX.142 does not respond to queries for the zone TrustAnchors.

    Impact:
    DNS queries for the zone TrustAnchors might fail.

    Resolution:
    Verify that the server XXX.XXX.XX.142 is a secondary DNS server that hosts the zone TrustAnchors.
    *******************************************************************************


    Chris Premo

    Monday, July 16, 2012 3:09 AM

Answers

All replies

  • My domain currently has two DCs (both are Windows 2008 R2 Enterprise servers) and 12 RODCs (all are Windows Standard SP2 servers). We installed a new Windows R2 Standard (SP1) server (which will replace one of the RODCs) and made it a third DC (for offsite DC redundancy). The new server - DISTFILESRV - has DS and DNS running. However, DNS reports the following 4 errors when I run the "Best Practices Analyzer":


    Issue 1
    *******************************************************************************
    Issue:
    None of the secondary servers configured for zone TrustAnchors are responding.

    Impact:
    Secondary servers will fail DNS queries for the zone TrustAnchors.

    Resolution:
    Validate secondary servers for zone TrustAnchors.

    *******************************************************************************

    Issue 2
    *******************************************************************************
    Issue:
    The secondary DNS server XXX.XXX.XX.141 does not respond to queries for the zone TrustAnchors.

    Impact:
    DNS queries for the zone TrustAnchors might fail.

    Resolution:
    Verify that the server XXX.XXX.XX.141 is a secondary DNS server that hosts the zone TrustAnchors.
    *******************************************************************************

    Issue 3
    *******************************************************************************
    Issue:
    The secondary DNS server XXX.XXX.XX.203 does not respond to queries for the zone TrustAnchors.

    Impact:
    DNS queries for the zone TrustAnchors might fail.

    Resolution:
    Verify that the server XXX.XXX.XX.203 is a secondary DNS server that hosts the zone TrustAnchors.
    *******************************************************************************

    Issue 4
    *******************************************************************************
    Issue:
    The secondary DNS server XXX.XXX.XX.142 does not respond to queries for the zone TrustAnchors.

    Impact:
    DNS queries for the zone TrustAnchors might fail.

    Resolution:
    Verify that the server XXX.XXX.XX.142 is a secondary DNS server that hosts the zone TrustAnchors.
    *******************************************************************************

    When I run the "Best Practices Analyzer" on the original DCs, no errors are reported. Also, when I run this command:

                    dcdiag /v >> "c:\AD Health Check\ad_diag.txt"

    on the new DC, I get this error:

    ******************************************************************************

             ......................... DISTFILESRV passed test Advertising

    Starting test: FrsEvent

             * The File Replication Service Event log test
             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             A warning event occurred.  EventID: 0x800034FA

                Time Generated: 07/11/2012   15:06:39

                Event String:

                Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\ADSecondary.my.domain for FRS replica set configuration information.

                 This computer is not part of any valid replica set.

             A warning event occurred.  EventID: 0x800034FD

                Time Generated: 07/11/2012   15:11:19

                Event String:

                File Replication Service is initializing the system volume with data from another domain controller. Computer DISTFILESRV cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

                To check for the SYSVOL share, at the command prompt, type:

                net share

                When File Replication Service completes the initialization process, the SYSVOL share will appear.

                The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

             A warning event occurred.  EventID: 0x800034C4

                Time Generated: 07/11/2012   15:20:18

                Event String:

                The File Replication Service is having trouble enabling replication from ADMaster to DISTFILESRV for d:\dnsbackup\sysvol\domain using the DNS name ADMaster.my.domain. FRS will keep retrying.

                 Following are some of the reasons you would see this warning.

                 [1] FRS can not correctly resolve the DNS name ADMaster.my.domain from this computer.

                 [2] FRS is not running on ADMaster.my.domain.

                 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

                 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

             ......................... DISTFILESRV passed test FrsEvent

    **********************************************************

    When I run the same command on the PDC, I get this error:

    **********************************************************

    Starting test: FrsEvent

             * The File Replication Service Event log test
             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             A warning event occurred.  EventID: 0x800034C4

                Time Generated: 07/11/2012   15:16:34

                Event String:

                The File Replication Service is having trouble enabling replication from DISTFILESRV to ADMASTER for c:\addomain\sysvol\domain using the DNS name DISTFILESRV.my.domain. FRS will keep retrying.

                 Following are some of the reasons you would see this warning.

                 [1] FRS can not correctly resolve the DNS name DISTFILESRV.my.domain from this computer.

                 [2] FRS is not running on DISTFILESRV.my.domain.

                 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

                 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

             A warning event occurred.  EventID: 0x800034C5

                Time Generated: 07/11/2012   15:19:35

                Event String:

                The File Replication Service has enabled replication from DISTFILESRV to ADMASTER for c:\addomain\sysvol\domain after repeated retries.

             ......................... ADMASTER passed test FrsEvent

    *******************************************************************

    Any ideas on how to resolve this issue? Also, none of the DCs have the TrustAnchor option checked or configured.


    Chris Premo

    • Merged by Awinish Monday, July 16, 2012 9:14 AM
    Thursday, July 12, 2012 3:44 PM
  • Hello,

    So you do not use any DNSSecure option (http://technet.microsoft.com/en-us/library/ee649277(v=ws.10), http://technet.microsoft.com/en-us/library/ee649280%28WS.10%29.aspx)?

    Does each DC have the sysvol/netlogon shares available and can you access them?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, July 12, 2012 6:45 PM
  • Yes each AD server has a share for

    \\servername\sysvol\DomainName

    And no, we don't have the DNSSecure option enabled.


    Chris Premo

    Thursday, July 12, 2012 7:28 PM
  • I checked my DNS Manager for all my DNS servers and each has these records in our Domain Forward Lookup Zone:

    DomainName

    (same as parent folder) - Host (A) record - with correct IP Address

    (same as parent folder) - Name Server (NS) record - with correct servername.domainname

    Server Name - Host (A) record - with correct IP Address

    msdcs.domainname

    gc - (same as parent folder) - Host (A) record - with correct IP Address


    Chris Premo

    Friday, July 13, 2012 7:46 PM
  • Hi,

    Can you verify and confirm that the new DC has its own IP address as primary DNS server and one of the other DCs as secondary DNS server? Do you have any forwarders configured on the DCs, and are they working?


    Regards, Mohan R Technical Specialist - Server Support

    Monday, July 16, 2012 3:32 AM

  • DNSSec Zone TrustAnchors
    http://ianblythmanagement.wordpress.com/2009/12/18/dnssec-zone-trustanchors/

    DNS TrustAnchors Zone on Server 2008
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/cc118144-907b-4d5d-8ee5-5d6a98cd5c21

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, July 16, 2012 3:51 AM
  • Hi Chris,

    Thank you for the post.

    If you are not using TrustAnchors, you can ignore this error from BPA.

    If there are more inquiries on this issue, please feel free to let us know.
    Regards


    Rick Tan

    TechNet Community Support


    • Edited by Rick Tan Monday, July 16, 2012 7:23 AM
    Monday, July 16, 2012 7:14 AM
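Before accepting "not using TrustAnchors, so ignore the BPA warning", it is worth confirming that on the server itself. The script below is an added example, not code from this thread; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, which is also what the later `Get-DnsServerSetting` post relies on), and the `$Server` parameter is a hypothetical name defaulting to the local host. On 2008 R2 the equivalent checks are `dnscmd /ZoneInfo TrustAnchors` and the DNS Manager zone properties.

```powershell
# Added example (not from the thread): audit whether DNSSEC / trust anchors are
# really in use on a DNS server before treating the BPA "TrustAnchors" warning
# as noise. Assumes the DnsServer module (Windows Server 2012 or later).
# $Server is a hypothetical parameter; it defaults to the local machine.
param([string]$Server = $env:COMPUTERNAME)

Import-Module DnsServer -ErrorAction Stop

# 1. Is DNSSEC validation switched on at the server level?
$setting = Get-DnsServerSetting -ComputerName $Server -All
"EnableDnsSec on {0}: {1}" -f $Server, $setting.EnableDnsSec

# 2. Are any trust anchors (DNSKEY / DS) actually configured? An empty list means
#    the TrustAnchors zone is just the built-in placeholder and nothing is validated.
$anchors = @(Get-DnsServerTrustAnchor -ComputerName $Server -ErrorAction SilentlyContinue)
"Trust anchors configured: {0}" -f $anchors.Count
$anchors | Format-Table TrustAnchorName, TrustAnchorType, TrustAnchorState -AutoSize

# 3. Which hosts does the TrustAnchors zone treat as secondaries / notify targets?
#    These are the addresses the BPA probes ("secondary server X does not respond").
$zone = Get-DnsServerZone -ComputerName $Server -Name 'TrustAnchors' -ErrorAction SilentlyContinue
if ($zone) {
    "TrustAnchors zone type: {0}, AD-integrated: {1}" -f $zone.ZoneType, $zone.IsDsIntegrated
    $peers = @($zone.SecondaryServers) + @($zone.NotifyServers) | Where-Object { $_ }
    "Secondary / notify servers: {0}" -f ($peers -join ', ')
}

# Verdict: only when DNSSEC is off AND no trust anchors exist is the warning safe
# to ignore. Otherwise the unreachable secondaries are a real gap: they would miss
# anchor updates and their validation would silently stop matching this server.
if (-not $setting.EnableDnsSec -and $anchors.Count -eq 0) {
    "Verdict: DNSSEC not in use on $Server; the BPA TrustAnchors warning can be ignored."
} else {
    "Verdict: DNSSEC or trust anchors are in use on $Server; fix the secondaries listed above."
}
```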
  • Hello,

    please stick to ONE thread for the same problem and do NOT multipost the same problem:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/39a63161-d65a-4a0e-9451-d4414b89ee87/#39d75250-11fd-487b-b51a-eab389fbf472


    Best regards

    Meinolf Weber

    • Proposed as answer by Sandesh Dubey Monday, July 16, 2012 7:29 AM
    • Marked as answer by Lawrence,Lu Thursday, July 26, 2012 7:22 AM
    Monday, July 16, 2012 7:19 AM
  • If I move the IP address of this server to be the first IP listed in the DNS Table I get this error:

    *************************************************************************
    Issue:
    The network adapter Local Area Connection 2 does not list the loopback IP address as a DNS server, or it is configured as the first entry.

    Impact:
    If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.

    Resolution:
    Configure adapter settings to add the loopback IP address to the list of DNS servers on all active interfaces, but not as the first server in the list.
    *************************************************************************

    When I put the PDC's IP address as the first IP in the list, the error goes away.

    I did find I have a file called "TrustAnchors.dns" in the "C:\Windows\System32\dns" directory.  I turned off DNS and renamed the file to "TrustAnchors.dns.old" and restarted DNS.  I then re-ran the "Best Practices Analyzer" and continue to get the TrustAnchors errors.

    Do you have any forwarders configured in DC's?

    Yes, I've verified that all three DNS servers have the same three Forwarders and Root Hints configured.

    Are they working?

    As far as I know they are.



    Chris Premo

    Monday, July 16, 2012 2:47 PM
  • When I open the file "TrustAnchors.dns" file this is what I see:

    ******************************************************

    ;
    ;  Database file TrustAnchors.dns for TrustAnchors zone.
    ;      Zone version:  1
    ;

    @                       IN  SOA distfilesrv.my.domain. hostmaster.my.domain. (
                              1            ; serial number
                              900          ; refresh
                              600          ; retry
                              86400        ; expire
                              3600       ) ; default TTL

    ;
    ;  Zone NS records
    ;

    @                       NS distfilesrv.my.domain.

    ;
    ;  Zone records
    ;

    *********************************************



    Chris Premo

    Monday, July 16, 2012 2:52 PM
  • I get this error when I disable the "EnableDNSSec" option. That option causes Windows 2008 R2 to become unstable and fail recursion if port 53 UDP is left on the public internet for more than a few days. I suspect there is stack corruption.

    I'm going to go ahead and re-enable this option on Windows 2016 in production, and see if it still becomes unstable...

    To enable, run the following in PowerShell:

      $DNS=Get-DnsServerSetting -ALL
      $DNS.EnableDnsSec = $True
      Set-DnsServerSetting $DNS




    • Edited by Brain2000 Saturday, May 19, 2018 10:27 PM
    Saturday, May 19, 2018 10:22 PM