The DHCP service failed to see a directory server for authorization.

    Question

  • We usually get one or two of these alert messages from any of the DHCP servers. We have around 40 DHCP servers.

    I have checked DNS and queried the DC in the site where the DHCP server is placed; NSlookup, DCdiag and netdiag are not showing any error.

    I am assuming that if the DHCP server fails to see a directory, it should go to an alternative DC for authorization.

    I am also assuming a network error for this issue? Please let me know if my assumptions are correct.

    Regards,

    Monday, January 10, 2011 9:49 AM

Answers

  • Hello,

    Just using another NIC for a different network has nothing to do with the name resolution process on the server. See the previously mentioned article about this and how to configure it to prevent problems if multihomed machines must be used.

    If all required changes are done, the authorization should work. Do not forget after the change to run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service or reboot.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by Tiger Li Friday, February 04, 2011 3:27 AM
    Tuesday, January 11, 2011 12:22 PM
  • Saswati,

    I agree with Meinolf. Whenever a DC is multihomed, it will interfere with network communications by the mere fact that the additional NIC is registering into DNS. Therefore, what's going on is that the DHCP server (or any other server, client, etc.) will possibly get the NetBackup NIC's IP, which it is then not able to communicate with.

    The key records that are causing this are the LdapIpAddress record (the "same as parent" record under the domain.com zone) and the GcIpAddress record (the _gc_msdcs.domain.com records). Simply unchecking 'register this connection' in NIC, IP4, Advanced, DNS tab, will not stop it from registering. There are other factors registering these items, such as the Netlogon service (which requires registry changes to stop it), and the DNS service (requiring DNS property changes and registry changes).

    The article Meinolf posted provides much more detail on why this is occurring, as well as how to configure a multihomed DC to stop it.

    However, IMHO, I recommend to single home the DC(s) and alter the backup strategy instead of making the numerous changes to a DC.

    Ace 

    Late addition - Also, a multihomed DC causes the DC to become part of multiple AD Sites, which also contributes to AD functionality.


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by Ace Fekay [MCT]MVP Tuesday, January 11, 2011 7:45 PM See Late Addition above
    • Marked as answer by Tiger Li Friday, February 04, 2011 3:27 AM
    Tuesday, January 11, 2011 7:43 PM
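
Added example, not part of the original thread or of Ace's post: a PowerShell check, run from the DHCP server, that lists every address registered under the two records named in the answer above and tests whether each one answers on the LDAP or global catalog port. It assumes Windows Server 2012 R2 or later, that `test.com` (from the posted event) is also the forest root, and that GcIpAddress is published under the name `gc._msdcs.<forest root>`.

```powershell
# Added example (not from the thread). Run on the DHCP server that logs event 1059.
# Assumptions: Resolve-DnsName and Test-NetConnection are available
# (Windows Server 2012 R2 or later); the forest root equals the domain name.
$Domain     = 'test.com'                 # domain name from the posted event
$ForestRoot = 'test.com'                 # assumption: single-domain forest
$DnsServers = '10.0.2.50', '10.0.2.51'   # DNS servers from the DHCP server's ipconfig

# Every DC registers an A record under both names, one per registering NIC.
$checks = @(
    @{ Record = 'LdapIpAddress'; Name = $Domain;                 Port = 389  },
    @{ Record = 'GcIpAddress';   Name = "gc._msdcs.$ForestRoot"; Port = 3268 }
)

$results = foreach ($dns in $DnsServers) {
    foreach ($check in $checks) {
        # Ask each DNS server directly so differences between them show up.
        $answers = Resolve-DnsName -Name $check.Name -Type A -Server $dns -DnsOnly `
                       -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        foreach ($a in $answers) {
            # A DC address the DHCP server cannot reach on this port is a bad answer.
            $reachable = Test-NetConnection -ComputerName $a.IPAddress -Port $check.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DnsServer = $dns
                Record    = $check.Record
                Name      = $check.Name
                Address   = $a.IPAddress
                Port      = $check.Port
                Reachable = $reachable
            }
        }
    }
}

$results | Sort-Object Record, Address | Format-Table -AutoSize

# Addresses registered in DNS that this server cannot use, for example a
# backup-network NIC such as the 10.251.1.13 adapter in the posted ipconfig.
$results | Where-Object { -not $_.Reachable } |
    Select-Object -ExpandProperty Address -Unique
```

An empty final list means every registered DC address is usable from this server; any address it prints is one the DHCP service can be handed by DNS and then fail to contact.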

All replies

  • Open the Active Directory Sites and Services console. Select the root node, choose "View -> Show Services Node" from the menu and go to the "Services" node in the left pane. Expand it and look for the "NetServices" node. Select it and in the right pane you will see the DHCP servers list. Search that list and check if all of them are there (by IP address and name). You can remove those "faulty" DHCP servers, but first unauthorize them in the DHCP console. After that remove them from the NetServices node and authorize them again.

     

    Should help with DHCP authorization problem.


    Regards, Krzysztof
    Monday, January 10, 2011 10:12 AM
  • Hello,

    If I understand you correctly, you are trying to authorize a new DHCP server in the forest? Is there a DC in the site where you are trying it? Is AD Sites and Services configured according to your topology?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, January 10, 2011 11:45 AM
  • Not a new server. Usually it throws 1 or 2 times in a week.
    Monday, January 10, 2011 12:16 PM
  • Hello,

    Please post the complete event viewer entry you have.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, January 10, 2011 12:37 PM
  • Here is the event viewer entry:

    ************************

    Log Name:      System
    Source:        Microsoft-Windows-DHCP-Server
    Date:          1/10/2011 2:14:38 PM
    Event ID:      1059
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:     FP001.test.com
    Description:
    The DHCP service failed to see a directory server for authorization.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
        <EventID Qualifiers="0">1059</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-01-10T06:14:38.000Z" />
        <EventRecordID>39634</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>FP001.test.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>
        </Data>
        <Data>test.com</Data>
        <Data>0x    203a</Data>
        <Binary>3A200000</Binary>
      </EventData>
    </Event>

    ***************************

    Monday, January 10, 2011 1:03 PM
  • Hello,

    Sounds like pure networking: http://technet.microsoft.com/en-us/library/cc774849(WS.10).aspx

    Please post also an unedited ipconfig /all from the DHCP server and the DC/DNS of the same site.

    Any firewall running on the machines? Please answer also the open questions.

     


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, January 10, 2011 1:35 PM
  •  

    I can see the DHCP server name under "View -> Show Services Node", in the "NetServices" node under the "Services" node in the left pane.

    The firewall is not running on the machines.

    ***************

    dhcp server ipconfig

    Ethernet adapter Production:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS
     VBD Client)
       Physical Address. . . . . . . . . : 00-26-B9-60-C4-11
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::414d:7893:297a:7518%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.152.38.72(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.192
       Default Gateway . . . . . . . . . : 10.152.38.65
       DHCPv6 IAID . . . . . . . . . . . : 167782073
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-61-22-4A-00-26-B9-60-C4-11

       DNS Servers . . . . . . . . . . . : 10.0.2.50
                                           10.0.2.51
       Primary WINS Server . . . . . . . : 10.0.2.18
       Secondary WINS Server . . . . . . : 10.0.2.14
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{D9FAB865-3EF6-4A36-98A8-889784C91
    B59}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes


    *************************************************
    same site DC ip config - 

     
    Ethernet adapter Production:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC7761 Gigabit Server Adapter
       Physical Address. . . . . . . . . : 00-12-79-3A-05-2F
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.163.8.14
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.163.8.1
       DNS Servers . . . . . . . . . . . : 10.163.8.14
                                           10.0.2.51
       Primary WINS Server . . . . . . . : 10.30.9.10
       Secondary WINS Server . . . . . . : 10.0.2.18

    Ethernet adapter Netbackup:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC7771 Gigabit Server Adapter
       Physical Address. . . . . . . . . : 00-13-21-E9-69-35
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.251.1.13
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    ******************************************

    Monday, January 10, 2011 2:04 PM
  • Hello,

    Your same-site DC is located in a different subnet? So the DHCP server doesn't have its own subnet DC/DNS server?

    Additionally, the DC is multihomed, with more than one IP address used, which is not recommended. If this really is needed, see the article from Ace Fekay about the configuration requirements and why you should prevent this:

    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, January 10, 2011 2:20 PM
  • Hi Saswati,

    Thanks for posting here.

    Are there any other events related to this issue also recorded in the logs, for example event 1046?

    Meanwhile, have you changed any system settings since this issue occurred?

    I also agree that multihoming is a possible reason that would cause this issue.

    Thanks.

    Tiger Li


    Tuesday, January 11, 2011 6:26 AM
  • Hi Meinolf & Tiger,

    The site has multiple subnets, and the DC is multihomed because the 2nd NIC is used for the backup network. The NIC is part of the backup VLAN and does not interfere with the production VLAN...

    Sorry for my little knowledge of the DHCP authorization process; my main question is related to the authorization of DHCP. If DHCP fails to get a DC, why is it not going to another available (remote site) DC for authorization?

    Thanks for the suggestions and help.

    Regards,

    Saswati

    Tuesday, January 11, 2011 11:47 AM