AD / DNS problems whilst adding Server 2008 to existing 2003 Domain

    Question

  • Hi all,

    Having major problems here.

    Currently have 2 Windows 2003 DCs and I need to replace one of these with a new Win 2008 R2 machine.

    What’s bugging me the most is this is the 4th time I’ve started from scratch with this new server – the first time the DCPROMO seemed to run ok and it was only when I was configuring IIS that this screwed it all up and I had to start again.  It screwed it so bad in fact that I’d already transferred the FSMO roles across to it (http://support.microsoft.com/kb/324801) and was unable to run DCPROMO again to remove the server from the AD Config.

    So I transferred the FSMO roles back on the primary server.  I then ran these procedures to remove all old traces of the server: http://support.microsoft.com/?id=216498.

    I can confirm that 10.61.15.5, Server1, has control of all 5 roles, and both it and the other DC (10.16.15.6) are running fine, as they always have done.

    Then started all over again with the new server, from a clean format.  I’ve installed DHCP, and copied across the config from one of the other two machines, as per here: http://support.microsoft.com/kb/962355

    Then installed the ADDS role, and then ran DCPROMO again.  For the longest time I was continually getting an error stating that I had DHCP configured on the Network Adapter, but I’ve now (I think) disabled IPv6 completely and disabled all other network adapters (server has 4).  The last time I ran DCPROMO I didn’t get the error.

    DCPROMO runs and the machine gets a restart.  The IP properties are set up so the new server has an IP of 10.61.15.4 (the others are 10.61.15.5 and .6 respectively).  Subnet is set to 255.255.555.0 and default gateway 10.61.15.1.

    The DNS was set, before running DCPROMO, to look at 10.61.15.5 as otherwise I was unable to run DCPROMO as it told me it couldn’t find a domain controller.

    I then restart and get Event ID 4013 errors on boot up, and dcdiag gives me the following:

    4013 ERROR:

    Source DNS

    EVENT ID 4013

    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

    DCDIAG RESULTS:

    Directory Server Diagnosis

    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.

       Done gathering initial info.

    Doing initial required tests

      

       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

        Starting test: Connectivity

         ......................... SLGC-LRI-SVR-01 passed test Connectivity

    Doing primary tests

      

       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

        Starting test: Advertising

         ......................... SLGC-LRI-SVR-01 passed test Advertising

        Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.

         ......................... SLGC-LRI-SVR-01 passed test FrsEvent

        Starting test: DFSREvent

         ......................... SLGC-LRI-SVR-01 passed test DFSREvent

        Starting test: SysVolCheck

         ......................... SLGC-LRI-SVR-01 passed test SysVolCheck

        Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B46

            Time Generated: 07/14/2010   13:21:37

            Event String:

            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

         ......................... SLGC-LRI-SVR-01 passed test KccEvent

        Starting test: KnowsOfRoleHolders

         ......................... SLGC-LRI-SVR-01 passed test

         KnowsOfRoleHolders

        Starting test: MachineAccount

         ......................... SLGC-LRI-SVR-01 passed test MachineAccount

        Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set

         access rights for the naming context:

         DC=ForestDnsZones,DC=leicester,DC=serco,DC=com

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set

         access rights for the naming context:

         DC=DomainDnsZones,DC=leicester,DC=serco,DC=com

         ......................... SLGC-LRI-SVR-01 failed test NCSecDesc

        Starting test: NetLogons

         ......................... SLGC-LRI-SVR-01 passed test NetLogons

        Starting test: ObjectsReplicated

         ......................... SLGC-LRI-SVR-01 passed test

         ObjectsReplicated

        Starting test: Replications

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source SERVER1

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source SERVER1

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source SERVER1

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source SERVER1

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         ......................... SLGC-LRI-SVR-01 passed test Replications

        Starting test: RidManager

         ......................... SLGC-LRI-SVR-01 passed test RidManager

        Starting test: Services

         ......................... SLGC-LRI-SVR-01 passed test Services

        Starting test: SystemLog

         An error event occurred.  EventID: 0x0000040B

            Time Generated: 07/14/2010   12:29:20

            Event String:

            The DHCP service was unable to create or lookup the DHCP Users local group on this computer.  The error code is in the data.

         An error event occurred.  EventID: 0x0000040C

            Time Generated: 07/14/2010   12:29:20

            Event String:

            The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer.  The error code is in the data.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 07/14/2010   12:29:25

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

           A warning event occurred.  EventID: 0x00000081

            Time Generated: 07/14/2010   12:39:54

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

         A warning event occurred.  EventID: 0x00000081

            Time Generated: 07/14/2010   12:39:55

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

           A warning event occurred.  EventID: 0x00000081

            Time Generated: 07/14/2010   12:40:11

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 07/14/2010   12:40:32

            Event String:

            Name resolution for the name slgc-lri-svr-01.leicester.serco.com timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00000081

            Time Generated: 07/14/2010   12:51:00

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

         A warning event occurred.  EventID: 0x00000081

            Time Generated: 07/14/2010   12:51:01

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

         A warning event occurred.  EventID: 0x00000081

            Time Generated: 07/14/2010   12:51:19

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

         An error event occurred.  EventID: 0x00000456

            Time Generated: 07/14/2010   13:05:40

            Event String:

            The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 07/14/2010   13:08:39

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 07/14/2010   13:08:50

            Event String:

            Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00000420

            Time Generated: 07/14/2010   13:16:01

            Event String:

            The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 07/14/2010   13:16:05

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         A warning event occurred.  EventID: 0x00000420

            Time Generated: 07/14/2010   13:16:47

            Event String:

            The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 07/14/2010   13:16:51

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         A warning event occurred.  EventID: 0x00000420

            Time Generated: 07/14/2010   13:17:31

            Event String:

            The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 07/14/2010   13:17:35

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         A warning event occurred.  EventID: 0x00000420

            Time Generated: 07/14/2010   13:18:01

            Event String:

            The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 07/14/2010   13:18:05

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         A warning event occurred.  EventID: 0x80000431

            Time Generated: 07/14/2010   13:18:32

            Event String:

            The attempt by user LEICESTER\administrator to restart/shutdown computer SLGC-LRI-SVR-01 failed

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 07/14/2010   13:21:30

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 07/14/2010   13:21:41

            Event String:

            Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 07/14/2010   13:22:03

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 07/14/2010   13:24:09

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

         ......................... SLGC-LRI-SVR-01 failed test SystemLog

        Starting test: VerifyReferences

           ......................... SLGC-LRI-SVR-01 passed test VerifyReferences

      

      

       Running partition tests on : ForestDnsZones

        Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

        Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

      

       Running partition tests on : DomainDnsZones

        Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

        Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

      

       Running partition tests on : Schema

        Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

        Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

      

       Running partition tests on : Configuration

        Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

        Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

      

       Running partition tests on : leicester

        Starting test: CheckSDRefDom

         ......................... leicester passed test CheckSDRefDom

        Starting test: CrossRefValidation

         ......................... leicester passed test CrossRefValidation

      

       Running enterprise tests on : leicester.serco.com

        Starting test: LocatorCheck

         ......................... leicester.serco.com passed test LocatorCheck

        Starting test: Intersite

         ......................... leicester.serco.com passed test Intersite

     

    I can see the AD has replicated across as I can browse users and computers etc, but I don’t want the DNS setup this way as it’s not set like this on the other servers.  So I go into IP properties and see that the system has auto added the alternate DNS of 127.0.0.1.  The preferred is still set to 10.61.15.5, which now needs changing to that of this new server, and the 127.0.0.0 removed.

    It takes 20 minutes to get past the Apply computer setting dialog too even when set to look at 10.61.15.5.

    Once I change these settings it cannot replicate, connect to the internet, and the problem then is the network adapter reports it cannot connect to a network (unidentified network) and the server has no access to the DC to replicate at all then.

    I feel like I’m missing something here, I’ve spent 4 days trying to get this working and I’ve tried all sorts of stuff – too much to list.  I’m open to any suggestions and will try anything.  I’m not sure if the problem lies with the DNS settings somewhere, the AD config or the IP settings on the new server.

    I’m sort of assuming the problem may lie somewhere with AD as like I say at the very beginning I believe I got it all working in the first place.  The new server was most certainly pointing to itself for DNS at the very least, however I can’t confirm whether I got the 4013 errors or dcdiag errors as being totally honest this is my first server migration and I wasn’t aware of the tools available – it’s only since I’ve had problems that I’m truly learning all about AD/DNS.

    I’m really stuck – help me?!


    Wednesday, July 14, 2010 2:11 PM

Answers

  • Update:

    Firmware was already at latest, drivers are now up to date.  When I first took delivery of the server I had updated all of the firmware so on an off chance I decided to downgrade the NIC firmware back to what it came with.  This seems to have made a difference.  Instead of the NIC displaying searching or cannot connect it EVENTUALLY connects to the domain and internet.  So I changed the DNS to point to itself (10.61.15.4) and rebooted.

    The startup time is now down to around 5 minutes and once I was logged in the NIC icon in the corner had the hourglass / blue circle icon spinning for a good 2 minutes.  After this it connected to the domain and internet and it seemed to be working.  After subsequent restarts the NIC doesn't do this at all.

    So I perform all of the following:

    Repadmin /syncall
    Net share (checks SYSVOL)
    Dcdiag
    Nslookup (on all 3 servers in DNS snap-in)

    Dcdiag still gave me errors; they are mainly related to the other 3 NICs being down (of course they are) and a few DNS related issues, but after leaving it for some time rerunning this gives no errors at all.  All the other tests report full replication and functionality.

    I still have the 4013 errors in the DNS Event log, but reading up on this other people seem to experience this issue too with Win2k8R2:

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/ff936f70-780d-486e-a808-35d9e7fc0ddb - In fact this is now the exact problem I'm having.

    http://forums.techarena.in/active-directory/1019600.htm

    http://www.winvistatips.com/server-2008-r2-slow-boot-t774152.html

    So it seems the issue lay with the NIC firmware or drivers, and the DNS issues I experience on boot up are the same as everybody else gets with Win2k8R2 in a similar configuration.

    I've also configured the secondary DNS to point to my backup server, 10.61.15.6, and will use this for DNS resolution at bootup to help speed the process and minimise these bootup errors.

    I'm hopeful this is now resolved (of sorts).

    Marcin, send me an email: andy.woodier@serco.com and I'll make sure I thank you properly.  You've been an invaluable resource in what has been a very stressful week for me.

    Friday, July 16, 2010 10:37 AM
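
An added example, not code from any poster in this thread: a small Python triage of saved dcdiag output like the runs quoted here, so that two runs can be compared by failed tests and de-duplicated events instead of by scrolling. The sample text is constructed in the layout shown in the thread, `DC-NEW` is a hypothetical server name, and flagging events by the word "security" in their message is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the dcdiag runs quoted in this thread.
# DC-NEW is a hypothetical server name; messages are shortened.
SAMPLE = """
      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B46

            Time Generated: 07/14/2010   13:21:37

            Event String:

            The security of this directory server can be significantly enhanced by rejecting unsigned LDAP binds.

         ......................... DC-NEW passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-NEW passed test

         KnowsOfRoleHolders
      Starting test: NCSecDesc
         ......................... DC-NEW failed test NCSecDesc
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 07/14/2010   12:39:54
            Event String:
            NtpClient was unable to set a domain peer to use as a time source.
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 07/14/2010   12:39:55
            Event String:
            NtpClient was unable to set a domain peer to use as a time source.
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 07/14/2010   12:40:11
            Event String:
            NtpClient was unable to set a domain peer to use as a time source.
         A warning event occurred.  EventID: 0x00000420
            Time Generated: 07/14/2010   13:16:01
            Event String:
            The DHCP service has no credentials for Dynamic DNS. This is not a recommended security configuration.
         A warning event occurred.  EventID: 0x00000420
            Time Generated: 07/14/2010   13:16:47
            Event String:
            The DHCP service has no credentials for Dynamic DNS. This is not a recommended security configuration.
         ......................... DC-NEW failed test SystemLog
"""

RESULT_RE = re.compile(r"\.{5,}\s+(.+?) (passed|failed) test\s*(\S*)$")
EVENT_RE = re.compile(r"An? (\w+) event occurred\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")


def parse_dcdiag(text):
    """Return (results, events) from dcdiag text output.

    results: list of (subject, test, outcome)
    events:  Counter keyed by (event_id, severity, message)
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    results, events = [], Counter()
    i = 0
    while i < len(lines):
        res = RESULT_RE.match(lines[i])
        evt = EVENT_RE.match(lines[i])
        if res:
            subject, outcome, test = res.groups()
            if not test and i + 1 < len(lines):
                # dcdiag wraps long result lines: the test name is on the next line
                i += 1
                test = lines[i]
            results.append((subject, test, outcome))
        elif evt:
            severity = evt.group(1)
            # dcdiag prints the full 32-bit identifier; the ID shown in
            # Event Viewer is the low 16 bits (0x80000B46 -> 2886).
            event_id = int(evt.group(2), 16) & 0xFFFF
            message = ""
            for j in range(i + 1, min(i + 4, len(lines))):
                if lines[j].startswith("Event String:"):
                    rest = lines[j][len("Event String:"):].strip()
                    message = rest or (lines[j + 1] if j + 1 < len(lines) else "")
                    break
            events[(event_id, severity, message)] += 1
        i += 1
    return results, events


def triage(text, keyword="security"):
    """Failed tests, events ranked by repeat count, and IDs whose text mentions keyword."""
    results, events = parse_dcdiag(text)
    failed = [test for _, test, outcome in results if outcome == "failed"]
    ranked = sorted(events.items(), key=lambda kv: (-kv[1], kv[0][0]))
    flagged = sorted({eid for (eid, _, msg) in events if keyword in msg.lower()})
    return failed, ranked, flagged


if __name__ == "__main__":
    failed, ranked, flagged = triage(SAMPLE)
    print("Failed tests:", ", ".join(failed))
    for (eid, severity, msg), count in ranked:
        print(f"{count:>3}x  {eid:<6} {severity:<8} {msg[:70]}")
    print("Security configuration warnings (event IDs):", flagged)
```

Save each run with `dcdiag > run.txt` and pass the file contents to `triage()`; the flagged IDs are the ones worth following up after replication itself is healthy.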

All replies

  • Is the server pointing to itself for primary DNS or another DC/DNS server?  If pointing to itself try pointing it to another box.  Looks like you are running into a race condition (4013 error) where DNS and AD have issues during startup "race to startup".

    4015 is another indication of that, do you have any of those events?  That was also discussed here: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4f0e9ce3-5d2d-4d88-8ff9-1731f66cf331

    Thanks

    Mike


    http://adisfun.blogspot.com;
    Wednesday, July 14, 2010 2:20 PM
  • Hi Mike,

     

    Thanks for your reply.  Apologies for the massive waffle above.  Yes it's currently pointing to itself for primary DNS, which is also how the other two servers are also configured.

    As you can see above though the first dcdiag was done with the server pointing to my main DC, 10.61.15.5.

    I don't have any 4015 errors, just the 4013.

    Thanks.

    Wednesday, July 14, 2010 2:32 PM
  • As an update I reconfigured as follows:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : slgc-lri-svr-01
       Primary Dns Suffix  . . . . . . . : leicester.serco.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : leicester.serco.com

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC382i DP Multifunction Gigabit Server Adapter
       Physical Address. . . . . . . . . : 18-A9-05-66-8C-B4
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.61.15.4(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.61.15.1
       DNS Servers . . . . . . . . . . . : 10.61.15.5
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    You'll see I've put the primary DC IP address of 10.61.15.5 in as a primary DNS, and the loopback as a secondary DNS.

    I've also configured DHCP as follows:

    DNS Servers, 10.61.15.4, 10.61.15.5, 10.61.15.6 in this order.

    After a reboot I get the following dcdiag (and still get the 4013 error but not the 20 minute delay in logging in):


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Connectivity

             ......................... SLGC-LRI-SVR-01 passed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Advertising

             ......................... SLGC-LRI-SVR-01 passed test Advertising

          Starting test: FrsEvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             ......................... SLGC-LRI-SVR-01 passed test FrsEvent

          Starting test: DFSREvent

             ......................... SLGC-LRI-SVR-01 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... SLGC-LRI-SVR-01 passed test SysVolCheck

          Starting test: KccEvent

             A warning event occurred.  EventID: 0x80000B46

                Time Generated: 07/14/2010   15:45:51

                Event String:

                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.


             ......................... SLGC-LRI-SVR-01 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... SLGC-LRI-SVR-01 passed test

             KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... SLGC-LRI-SVR-01 passed test MachineAccount

          Starting test: NCSecDesc

             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

                Replicating Directory Changes In Filtered Set
             access rights for the naming context:

             DC=ForestDnsZones,DC=leicester,DC=serco,DC=com
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

                Replicating Directory Changes In Filtered Set
             access rights for the naming context:

             DC=DomainDnsZones,DC=leicester,DC=serco,DC=com
             ......................... SLGC-LRI-SVR-01 failed test NCSecDesc

          Starting test: NetLogons

             ......................... SLGC-LRI-SVR-01 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... SLGC-LRI-SVR-01 passed test

             ObjectsReplicated

          Starting test: Replications

             ......................... SLGC-LRI-SVR-01 passed test Replications

          Starting test: RidManager

             ......................... SLGC-LRI-SVR-01 passed test RidManager

          Starting test: Services

             ......................... SLGC-LRI-SVR-01 passed test Services

          Starting test: SystemLog

             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/14/2010   15:04:42

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x00000C18

                Time Generated: 07/14/2010   15:04:52

                Event String:

                The primary Domain Controller for this domain could not be located.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:05:11

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   15:05:10

                Event String:

                Name resolution for the name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.LEICESTER.SERCO.COM timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/14/2010   15:05:14

                Event String:

                This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   15:05:31

                Event String:

                Name resolution for the name leicester.serco.com timed out after none of the configured DNS servers responded.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:05:38

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0x00000423

                Time Generated: 07/14/2010   15:05:38

                Event String:

                The DHCP service failed to see a directory server for authorization.

             An error event occurred.  EventID: 0x00000423

                Time Generated: 07/14/2010   15:05:51

                Event String:

                The DHCP service failed to see a directory server for authorization.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:06:05

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             A warning event occurred.  EventID: 0x00000081

                Time Generated: 07/14/2010   15:06:10

                Event String:

                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

             A warning event occurred.  EventID: 0x00000081

                Time Generated: 07/14/2010   15:06:11

                Event String:

                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:06:32

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:06:59

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:07:26

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:07:54

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             A warning event occurred.  EventID: 0x000727AA

                Time Generated: 07/14/2010   15:08:11

                Event String:

                The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.


             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:08:21

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:08:48

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:09:15

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/14/2010   15:09:42

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0x00000469

                Time Generated: 07/14/2010   15:10:20

                Event String:

                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

             A warning event occurred.  EventID: 0x00001695

                Time Generated: 07/14/2010   15:10:45

                Event String:

                Dynamic registration or deletion of one or more DNS records associated with DNS domain 'leicester.serco.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


             An error event occurred.  EventID: 0x00000469

                Time Generated: 07/14/2010   15:14:25

                Event String:

                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

             A warning event occurred.  EventID: 0x00001695

                Time Generated: 07/14/2010   15:21:02

                Event String:

                Dynamic registration or deletion of one or more DNS records associated with DNS domain 'leicester.serco.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


             A warning event occurred.  EventID: 0x00001695

                Time Generated: 07/14/2010   15:21:02

                Event String:

                Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.leicester.serco.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


             A warning event occurred.  EventID: 0x00001695

                Time Generated: 07/14/2010   15:21:02

                Event String:

                Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.leicester.serco.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/14/2010   15:32:22

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   15:32:33

                Event String:

                Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/14/2010   15:32:55

                Event String:

                This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

             A warning event occurred.  EventID: 0x000727AA

                Time Generated: 07/14/2010   15:35:02

                Event String:

                The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.


             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/14/2010   15:45:45

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   15:45:56

                Event String:

                Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/14/2010   15:46:17

                Event String:

                This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

             ......................... SLGC-LRI-SVR-01 failed test SystemLog

          Starting test: VerifyReferences

             ......................... SLGC-LRI-SVR-01 passed test VerifyReferences

      
      
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

      
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

      
       Running partition tests on : leicester

          Starting test: CheckSDRefDom

             ......................... leicester passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... leicester passed test CrossRefValidation

      
       Running enterprise tests on : leicester.serco.com

          Starting test: LocatorCheck

             ......................... leicester.serco.com passed test LocatorCheck

          Starting test: Intersite

             ......................... leicester.serco.com passed test Intersite

     

    I'm properly stumped, something has gone wrong somewhere...??

     

    Wednesday, July 14, 2010 2:52 PM
  • Andy - are you using AD integrated DNS? If so, where are the DNS zones stored - in the domain naming context or in the application partitions (DomainDNSZones and ForestDNSZones)? What's the output of dnscmd /DirectoryPartitionInfo on each of them?

    Create relevant directory partitions (dnscmd /createdirectorypartition) if needed, point all DCs to one of them (e.g. 10.61.15.5), restart Netlogon on each of them, and rerun dcdiag /v /c again...

    hth
    Marcin

     

    Wednesday, July 14, 2010 3:10 PM
  • Hi Marcin, Thanks for your reply.

    Yes, Integrated AD DNS.  I'm going to sound thick here but how can I find out where the DNS zones are stored, in the Domain or Forest?  Do you have any links to any procedures to follow for these things as I'm still on a steep learning curve, I must admit.

    I've been reading this again:

    http://support.microsoft.com/kb/825036/en-gb

    And I believe I didn't help the situation much by not leaving the DNS configuration pointing to the current server long enough.  I can confirm that having DCPROMO'd the new server again (removing it as a DC and then adding again) the dcdiag gave more positive results immediately after a reboot.  However after 10 minutes the results then changed to this:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Connectivity

             ......................... SLGC-LRI-SVR-01 passed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Advertising

             ......................... SLGC-LRI-SVR-01 passed test Advertising

          Starting test: FrsEvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             ......................... SLGC-LRI-SVR-01 passed test FrsEvent

          Starting test: DFSREvent

             ......................... SLGC-LRI-SVR-01 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... SLGC-LRI-SVR-01 passed test SysVolCheck

          Starting test: KccEvent

             A warning event occurred.  EventID: 0x00000266

                Time Generated: 07/14/2010   16:27:53

                Event String:

                NTDS (524) NTDSA: Database 'C:\Windows\NTDS\ntds.dit': The secondary index 'PDNT_index' of table 'datatable' may be corrupt. If there is no later event showing the index being rebuilt, then please defragment the database to rebuild the index.

             A warning event occurred.  EventID: 0x800005B7

                Time Generated: 07/14/2010   16:27:53

                Event String:

                Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization.


             A warning event occurred.  EventID: 0x80000B46

                Time Generated: 07/14/2010   16:31:26

                Event String:

                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.


             ......................... SLGC-LRI-SVR-01 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... SLGC-LRI-SVR-01 passed test

             KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... SLGC-LRI-SVR-01 passed test MachineAccount

          Starting test: NCSecDesc

             ......................... SLGC-LRI-SVR-01 passed test NCSecDesc

          Starting test: NetLogons

             ......................... SLGC-LRI-SVR-01 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... SLGC-LRI-SVR-01 passed test

             ObjectsReplicated

          Starting test: Replications

             REPLICATION LATENCY WARNING

             ERROR: Expected notification link is missing.

             Source SERVER1-BACKUP

             Replication of new changes along this path will be delayed.

             This problem should self-correct on the next periodic sync.

             REPLICATION LATENCY WARNING

             ERROR: Expected notification link is missing.

             Source SERVER1-BACKUP

             Replication of new changes along this path will be delayed.

             This problem should self-correct on the next periodic sync.

             REPLICATION LATENCY WARNING

             ERROR: Expected notification link is missing.

             Source SERVER1-BACKUP

             Replication of new changes along this path will be delayed.

             This problem should self-correct on the next periodic sync.

             REPLICATION LATENCY WARNING

             ERROR: Expected notification link is missing.

             Source SERVER1-BACKUP

             Replication of new changes along this path will be delayed.

             This problem should self-correct on the next periodic sync.

             ......................... SLGC-LRI-SVR-01 passed test Replications

          Starting test: RidManager

             ......................... SLGC-LRI-SVR-01 passed test RidManager

          Starting test: Services

             ......................... SLGC-LRI-SVR-01 passed test Services

          Starting test: SystemLog

             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/14/2010   15:45:45

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   15:45:56

                Event String:

                Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/14/2010   15:46:17

                Event String:

                This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

             A warning event occurred.  EventID: 0x000727AA

                Time Generated: 07/14/2010   15:48:23

                Event String:

                The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.


             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/14/2010   16:10:56

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   16:11:07

                Event String:

                Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/14/2010   16:11:28

                Event String:

                This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

             A warning event occurred.  EventID: 0x000727AA

                Time Generated: 07/14/2010   16:13:34

                Event String:

                The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.


             An error event occurred.  EventID: 0xC0001B7E

                Time Generated: 07/14/2010   16:17:30

                Event String:

                The sppuinotify service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:


             An error event occurred.  EventID: 0xC0001B58

                Time Generated: 07/14/2010   16:17:30

                Event String:

                The SPP Notification Service service failed to start due to the following error:


             A warning event occurred.  EventID: 0x00000018

                Time Generated: 07/14/2010   16:19:35

                Event String:

                Time Provider NtpClient: No valid response has been received from domain controller server1.leicester.serco.com after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The client fails authenticating a response with netlogon failure.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   16:24:45

                Event String:

                Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             An error event occurred.  EventID: 0x0000040B

                Time Generated: 07/14/2010   16:24:50

                Event String:

                The DHCP service was unable to create or lookup the DHCP Users local group on this computer.  The error code is in the data.

             An error event occurred.  EventID: 0x0000040C

                Time Generated: 07/14/2010   16:24:50

                Event String:

                The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer.  The error code is in the data.

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/14/2010   16:24:55

                Event String:

                This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

             A warning event occurred.  EventID: 0x00000081

                Time Generated: 07/14/2010   16:24:55

                Event String:

                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

             A warning event occurred.  EventID: 0x00000081

                Time Generated: 07/14/2010   16:24:56

                Event String:

                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/14/2010   16:31:20

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/14/2010   16:31:31

                Event String:

                Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/14/2010   16:31:47

                Event String:

                This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

             A warning event occurred.  EventID: 0x000727AA

                Time Generated: 07/14/2010   16:33:57

                Event String:

                The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.


             ......................... SLGC-LRI-SVR-01 failed test SystemLog

          Starting test: VerifyReferences

             ......................... SLGC-LRI-SVR-01 passed test VerifyReferences

      
      
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

      
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

      
       Running partition tests on : leicester

          Starting test: CheckSDRefDom

             ......................... leicester passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... leicester passed test CrossRefValidation

      
       Running enterprise tests on : leicester.serco.com

          Starting test: LocatorCheck

             ......................... leicester.serco.com passed test LocatorCheck

          Starting test: Intersite

             ......................... leicester.serco.com passed test Intersite

     

    I'm at least going to leave it overnight to see if it does a full replication or not, but I won't be holding my breath, and then I'll try your suggestions first thing in the morning.

    Thanks for all the replies so far, I knew you guys would be helpful.

    Wednesday, July 14, 2010 3:44 PM
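The dcdiag dumps posted above repeat the same few events many times, and some result lines wrap the test name onto the following line. As an added example (not part of the thread and not a Microsoft tool), this Python script parses that output format, lists the failed tests and collapses repeated events by EventID; the function names and the trimmed sample text are constructed for illustration.

```python
import re
from collections import OrderedDict
from datetime import datetime

START = re.compile(r"Starting test:\s*(\S+)")
EVENT = re.compile(r"An? (warning|error) event occurred\.\s+EventID:\s*(0x[0-9A-Fa-f]+)")
TIME = re.compile(r"Time Generated:\s*(\d\d/\d\d/\d{4})\s+(\d\d:\d\d:\d\d)")
RESULT = re.compile(r"\.{5,}\s*(\S+) (passed|failed) test\s*(\S*)$")

# Constructed sample: same layout as the dcdiag output in this thread,
# with the event messages shortened.
SAMPLE = """
      Starting test: KnowsOfRoleHolders

         ......................... SLGC-LRI-SVR-01 passed test

         KnowsOfRoleHolders

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 07/14/2010   15:45:56

            Event String:

            Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 07/14/2010   15:06:05

            Event String:

            The DFS Namespace service could not initialize cross forest trust information.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 07/14/2010   15:06:32

            Event String:

            The DFS Namespace service could not initialize cross forest trust information.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 07/14/2010   15:06:59

            Event String:

            The DFS Namespace service could not initialize cross forest trust information.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 07/14/2010   16:11:07

            Event String:

            Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out.

         ......................... SLGC-LRI-SVR-01 failed test SystemLog
"""


def _is_marker(line):
    """True for lines that start a new test, event or result record."""
    return bool(START.match(line) or EVENT.match(line) or RESULT.match(line))


def parse_dcdiag(text):
    """Return (results, events) parsed from pasted dcdiag output."""
    # Pasted output is double-spaced and indented: keep stripped, non-blank lines.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    results = OrderedDict()   # (target, test name) -> "passed" / "failed"
    events = OrderedDict()    # (test, severity, event id) -> summary dict
    test, i = None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        m = START.match(line)
        if m:
            test = m.group(1)
            continue
        m = RESULT.match(line)
        if m:
            target, verdict, name = m.groups()
            # Long test names wrap onto the next line of the output.
            if not name and i < len(lines) and re.fullmatch(r"\w+", lines[i]):
                name = lines[i]
                i += 1
            results[(target, name or test)] = verdict
            continue
        m = EVENT.match(line)
        if not m:
            continue
        severity = m.group(1)
        event_id = "0x%08X" % int(m.group(2), 16)
        when, message = None, []
        # Everything up to the next marker belongs to this event record.
        while i < len(lines) and not _is_marker(lines[i]):
            t = TIME.match(lines[i])
            if t:
                when = datetime.strptime(" ".join(t.groups()), "%m/%d/%Y %H:%M:%S")
            elif lines[i] != "Event String:":
                message.append(lines[i])
            i += 1
        row = events.setdefault(
            (test, severity, event_id),
            {"count": 0, "first": when, "last": when, "message": " ".join(message)})
        row["count"] += 1
        if when:
            row["first"] = min(row["first"] or when, when)
            row["last"] = max(row["last"] or when, when)
    return results, events


def failed_tests(results):
    """(target, test) pairs that dcdiag reported as failed."""
    return [key for key, verdict in results.items() if verdict == "failed"]


def distinct_events(events):
    """One row per distinct event, most frequent first."""
    rows = [(eid, sev, test, r["count"], r["first"], r["last"])
            for (test, sev, eid), r in events.items()]
    return sorted(rows, key=lambda row: -row[3])


if __name__ == "__main__":
    results, events = parse_dcdiag(SAMPLE)
    print("failed:", failed_tests(results))
    for eid, sev, test, count, first, last in distinct_events(events):
        print(f"{eid} {sev:7} {test:10} x{count}  {first} .. {last}")
```

Fed the full output from the post above, the same call separates one-off entries such as the 0x80000B46 LDAP signing warning from the repeating 0x000003F6 name-resolution time-outs.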
  • Also just ran a dcdiag /test:DNS, with the configuration as directly above, and got the following:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Connectivity

             ......................... SLGC-LRI-SVR-01 passed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

      
          Starting test: DNS

            

             DNS Tests are running and not hung. Please wait a few minutes...

             ......................... SLGC-LRI-SVR-01 passed test DNS

      
       Running partition tests on : DomainDnsZones

      
       Running partition tests on : ForestDnsZones

      
       Running partition tests on : Schema

      
       Running partition tests on : Configuration

      
       Running partition tests on : leicester

      
       Running enterprise tests on : leicester.serco.com

          Starting test: DNS

             Test results for domain controllers:

               
                DC: slgc-lri-svr-01.leicester.serco.com

                Domain: leicester.serco.com

                                  
                   TEST: Dynamic update (Dyn)
                      Warning: Failed to delete the test record dcdiag-test-record in zone leicester.serco.com
            
             Summary of test results for DNS servers used by the above domain

             controllers:

            

                DNS server: 192.165.0.9 (<name unavailable>)

                   1 test failure on this DNS server

                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.165.0.9               
                   slgc-lri-svr-01              PASS PASS PASS PASS WARN PASS n/a 
             ......................... leicester.serco.com passed test DNS

     

    If there's ANY information you guys need to help with this let me know, I'll post it all here.

    Wednesday, July 14, 2010 3:58 PM
  • Morning all,

    I left the servers overnight and ran a Dcdiag first thing on the new one and got the following:

     


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Connectivity

             ......................... SLGC-LRI-SVR-01 passed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Advertising

             ......................... SLGC-LRI-SVR-01 passed test Advertising

          Starting test: FrsEvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             ......................... SLGC-LRI-SVR-01 passed test FrsEvent

          Starting test: DFSREvent

             ......................... SLGC-LRI-SVR-01 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... SLGC-LRI-SVR-01 passed test SysVolCheck

          Starting test: KccEvent

             ......................... SLGC-LRI-SVR-01 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... SLGC-LRI-SVR-01 passed test

             KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... SLGC-LRI-SVR-01 passed test MachineAccount

          Starting test: NCSecDesc

             ......................... SLGC-LRI-SVR-01 passed test NCSecDesc

          Starting test: NetLogons

             ......................... SLGC-LRI-SVR-01 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... SLGC-LRI-SVR-01 passed test

             ObjectsReplicated

          Starting test: Replications

             ......................... SLGC-LRI-SVR-01 passed test Replications

          Starting test: RidManager

             ......................... SLGC-LRI-SVR-01 passed test RidManager

          Starting test: Services

             ......................... SLGC-LRI-SVR-01 passed test Services

          Starting test: SystemLog

             ......................... SLGC-LRI-SVR-01 passed test SystemLog

          Starting test: VerifyReferences

             ......................... SLGC-LRI-SVR-01 passed test VerifyReferences

      
      
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

      
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

      
       Running partition tests on : leicester

          Starting test: CheckSDRefDom

             ......................... leicester passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... leicester passed test CrossRefValidation

      
       Running enterprise tests on : leicester.serco.com

          Starting test: LocatorCheck

             ......................... leicester.serco.com passed test LocatorCheck

          Starting test: Intersite

             ......................... leicester.serco.com passed test Intersite

     

    Looks like it's working.  This is with the current "main" server set up as the primary DNS.  Should I now change this to point to the new server, i.e. itself? Are there any further checks worth doing at this point?  I'm not confident it will work should I touch this setting now.

     

    Thanks.

    Thursday, July 15, 2010 7:57 AM
  • Further to this, I did a dcdiag /test:DNS and got the following:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Connectivity

             ......................... SLGC-LRI-SVR-01 passed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

      
          Starting test: DNS

            

             DNS Tests are running and not hung. Please wait a few minutes...

             ......................... SLGC-LRI-SVR-01 passed test DNS

      
       Running partition tests on : DomainDnsZones

      
       Running partition tests on : ForestDnsZones

      
       Running partition tests on : Schema

      
       Running partition tests on : Configuration

      
       Running partition tests on : leicester

      
       Running enterprise tests on : leicester.serco.com

          Starting test: DNS

             Test results for domain controllers:

               
                DC: slgc-lri-svr-01.leicester.serco.com

                Domain: leicester.serco.com

               

                     
                   TEST: Dynamic update (Dyn)
                      Warning: Failed to delete the test record dcdiag-test-record in zone leicester.serco.com
            
             Summary of test results for DNS servers used by the above domain

             controllers:

            

                DNS server: 192.165.0.9 (<name unavailable>)

                   1 test failure on this DNS server

                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.165.0.9               
                   slgc-lri-svr-01              PASS PASS PASS PASS WARN PASS n/a 
             ......................... leicester.serco.com passed test DNS

     

    Which gives these errors in the System Event Log and running dcdiag again:

    Starting test: SystemLog

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/15/2010   08:58:47

                Event String:

                Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

             An error event occurred.  EventID: 0xC0002719

                Time Generated: 07/15/2010   08:59:08

                Event String:

                DCOM was unable to communicate with the computer 192.168.0.2 using any of the configured protocols.

             An error event occurred.  EventID: 0xC0002719

                Time Generated: 07/15/2010   08:59:29

                Event String:

                DCOM was unable to communicate with the computer 192.168.0.5 using any of the configured protocols.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/15/2010   09:09:23

                Event String:

                Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

             An error event occurred.  EventID: 0xC0002719

                Time Generated: 07/15/2010   09:09:44

                Event String:

                DCOM was unable to communicate with the computer 192.168.0.2 using any of the configured protocols.

             An error event occurred.  EventID: 0xC0002719

                Time Generated: 07/15/2010   09:10:05

                Event String:

                DCOM was unable to communicate with the computer 192.168.0.5 using any of the configured protocols.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/15/2010   09:10:36

                Event String:

                Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

             An error event occurred.  EventID: 0xC0002719

                Time Generated: 07/15/2010   09:10:57

                Event String:

                DCOM was unable to communicate with the computer 192.168.0.2 using any of the configured protocols.

             An error event occurred.  EventID: 0xC0002719

                Time Generated: 07/15/2010   09:11:18

                Event String:

                DCOM was unable to communicate with the computer 192.168.0.5 using any of the configured protocols.

             ......................... SLGC-LRI-SVR-01 failed test SystemLog

    So I then change the DNS in IP settings to point to itself and I get no change, tests give exact same results. The server is still up and I'm getting none of the reported cannot connect errors.

    After a reboot however it's back to square one - took an age to log in and "apply user settings", is still logging the 4013 errors in the DNS Event log, the network connection reports that it no longer has internet access (and it's no longer connecting to the domain) and running dcdiag again naturally displays a whole host of problems, mainly to do with replication and unable to connect etc.

    This is most definitely a DNS related issue!

    I hope this is all relevant information and I'm not waffling on and barking up the wrong tree.  Anyone ANY ideas?

    Thursday, July 15, 2010 8:33 AM
  • Further test results (with new server DNS set to look at old server, 10.61.15.5):

    DNSLint /ad result:

    DNSLint Report

    System Date: Thu Jul 15 11:57:51 2010

    Command run:

    dnslint /ad /s 10.61.15.5

    Root of Active Directory Forest:

        leicester.serco.com

    Active Directory Forest Replication GUIDs Found:

    DC: SERVER1
    GUID: f92fa7df-b878-4211-b1a8-48d0b64f7176

    DC: SERVER1-BACKUP
    GUID: 3448aa10-f9dd-4c86-abe7-4a52156df5d7

    DC: SLGC-LRI-SVR-01
    GUID: 181a239e-37b3-41eb-a626-ea5d87e3719b


    Total GUIDs found: 3


    The following 3 DNS servers were checked for records related to AD forest replication:

    DNS server: server1.leicester.serco.com
    IP Address: 10.61.15.5
    UDP port 53 responding to queries: YES
    TCP port 53 responding to queries: Not tested
    Answering authoritatively for domain: YES

    SOA record data from server:
    Authoritative name server: server1.leicester.serco.com
    Hostmaster: hostmaster.leicester.serco.com
    Zone serial number: 888
    Zone expires in: 1.00 day(s)
    Refresh period: 900 seconds
    Retry delay: 600 seconds
    Default (minimum) TTL: 3600 seconds

    Additional authoritative (NS) records from server:
    slgc-lri-svr-01.leicester.serco.com 10.61.15.4
    server1.leicester.serco.com 10.61.15.5
    server1-backup.leicester.serco.com 10.61.15.6

    Alias (CNAME) and glue (A) records for forest GUIDs from server:
    CNAME: f92fa7df-b878-4211-b1a8-48d0b64f7176._msdcs.leicester.serco.com
    Alias: server1.leicester.serco.com
    Glue: 10.61.15.5


    CNAME: 3448aa10-f9dd-4c86-abe7-4a52156df5d7._msdcs.leicester.serco.com
    Alias: server1-backup.leicester.serco.com
    Glue: 10.61.15.6


    CNAME: 181a239e-37b3-41eb-a626-ea5d87e3719b._msdcs.leicester.serco.com
    Alias: slgc-lri-svr-01.leicester.serco.com
    Glue: 10.61.15.4



    Total number of CNAME records found on this server: 3

    Total number of CNAME records missing on this server: 0

    Total number of glue (A) records this server could not find: 0


    DNS server: slgc-lri-svr-01.leicester.serco.com
    IP Address: 10.61.15.4
    UDP port 53 responding to queries: YES
    TCP port 53 responding to queries: Not tested
    Answering authoritatively for domain: YES

    SOA record data from server:
    Authoritative name server: slgc-lri-svr-01.leicester.serco.com
    Hostmaster: hostmaster.leicester.serco.com
    Zone serial number: 888
    Zone expires in: 1.00 day(s)
    Refresh period: 900 seconds
    Retry delay: 600 seconds
    Default (minimum) TTL: 3600 seconds

    Additional authoritative (NS) records from server:
    server1.leicester.serco.com 10.61.15.5
    server1-backup.leicester.serco.com 10.61.15.6
    slgc-lri-svr-01.leicester.serco.com 10.61.15.4

    Alias (CNAME) and glue (A) records for forest GUIDs from server:
    CNAME: f92fa7df-b878-4211-b1a8-48d0b64f7176._msdcs.leicester.serco.com
    Alias: server1.leicester.serco.com
    Glue: 10.61.15.5


    CNAME: 3448aa10-f9dd-4c86-abe7-4a52156df5d7._msdcs.leicester.serco.com
    Alias: server1-backup.leicester.serco.com
    Glue: 10.61.15.6


    CNAME: 181a239e-37b3-41eb-a626-ea5d87e3719b._msdcs.leicester.serco.com
    Alias: slgc-lri-svr-01.leicester.serco.com
    Glue: 10.61.15.4



    Total number of CNAME records found on this server: 3

    Total number of CNAME records missing on this server: 0

    Total number of glue (A) records this server could not find: 0


    DNS server: server1-backup.leicester.serco.com
    IP Address: 10.61.15.6
    UDP port 53 responding to queries: YES
    TCP port 53 responding to queries: Not tested
    Answering authoritatively for domain: YES

    SOA record data from server:
    Authoritative name server: server1-backup.leicester.serco.com
    Hostmaster: hostmaster.leicester.serco.com
    Zone serial number: 888
    Zone expires in: 1.00 day(s)
    Refresh period: 900 seconds
    Retry delay: 600 seconds
    Default (minimum) TTL: 3600 seconds

    Additional authoritative (NS) records from server:
    server1-backup.leicester.serco.com 10.61.15.6
    slgc-lri-svr-01.leicester.serco.com 10.61.15.4
    server1.leicester.serco.com 10.61.15.5

    Alias (CNAME) and glue (A) records for forest GUIDs from server:
    CNAME: f92fa7df-b878-4211-b1a8-48d0b64f7176._msdcs.leicester.serco.com
    Alias: server1.leicester.serco.com
    Glue: 10.61.15.5


    CNAME: 3448aa10-f9dd-4c86-abe7-4a52156df5d7._msdcs.leicester.serco.com
    Alias: server1-backup.leicester.serco.com
    Glue: 10.61.15.6


    CNAME: 181a239e-37b3-41eb-a626-ea5d87e3719b._msdcs.leicester.serco.com
    Alias: slgc-lri-svr-01.leicester.serco.com
    Glue: 10.61.15.4



    Total number of CNAME records found on this server: 3

    Total number of CNAME records missing on this server: 0

    Total number of glue (A) records this server could not find: 0

    Thursday, July 15, 2010 11:06 AM
  • Andy,

    Let's back up a bit - point all three DCs to 10.61.15.5 as their primary and only DNS server and reboot each of them (one at a time though - starting with 10.61.15.5 and ending with the Windows Server 2008 R2-based one). Let us know if you are seeing any errors at that point.

    If not, then check the replication between them by running repadmin /showrepl on each and let us know if you are seeing any errors.

    hth
    Marcin

    Thursday, July 15, 2010 11:36 AM
  • Hi Marcin,

    Right, done that - all three servers set to look at Primary DNS 10.61.15.5.  Restarted .5, then .6, then .4 (new one).

    Then dcdiag on each:

    10.61.15.5: No errors at all

    10.61.15.6: EVENT ID 24:

    Time Provider NtpClient: No valid response has been received from domain controller server1.leicester.serco.com after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize.

    10.61.15.4 (new server): dcdiag:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Connectivity

             ......................... SLGC-LRI-SVR-01 passed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Advertising

             ......................... SLGC-LRI-SVR-01 passed test Advertising

          Starting test: FrsEvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             ......................... SLGC-LRI-SVR-01 passed test FrsEvent

          Starting test: DFSREvent

             ......................... SLGC-LRI-SVR-01 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... SLGC-LRI-SVR-01 passed test SysVolCheck

          Starting test: KccEvent

             A warning event occurred.  EventID: 0x80000B46

                Time Generated: 07/15/2010   13:57:34

                Event String:

                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.


             ......................... SLGC-LRI-SVR-01 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... SLGC-LRI-SVR-01 passed test

             KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... SLGC-LRI-SVR-01 passed test MachineAccount

          Starting test: NCSecDesc

             ......................... SLGC-LRI-SVR-01 passed test NCSecDesc

          Starting test: NetLogons

             ......................... SLGC-LRI-SVR-01 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... SLGC-LRI-SVR-01 passed test

             ObjectsReplicated

          Starting test: Replications

             ......................... SLGC-LRI-SVR-01 passed test Replications

          Starting test: RidManager

             ......................... SLGC-LRI-SVR-01 passed test RidManager

          Starting test: Services

             ......................... SLGC-LRI-SVR-01 passed test Services

          Starting test: SystemLog

             A warning event occurred.  EventID: 0x00002724

                Time Generated: 07/15/2010   13:33:40

                EvtOpenPublisherMetaData failed, publisher = Microsoft-Windows-DHCP-Server, error 2 The system cannot find the file specified..
                (Event String (event log = System) could not be retrieved, error

                0x2)

             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/15/2010   13:37:27

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x00000C18

                Time Generated: 07/15/2010   13:37:37

                Event String:

                The primary Domain Controller for this domain could not be located.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:37:55

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/15/2010   13:37:54

                Event String:

                Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/15/2010   13:38:15

                Event String:

                Name resolution for the name leicester.serco.com timed out after none of the configured DNS servers responded.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:38:22

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:38:49

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             A warning event occurred.  EventID: 0x00000081

                Time Generated: 07/15/2010   13:38:59

                Event String:

                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

             A warning event occurred.  EventID: 0x00000081

                Time Generated: 07/15/2010   13:39:00

                Event String:

                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:39:16

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:39:43

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:40:10

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:40:38

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             A warning event occurred.  EventID: 0x000727AA

                Time Generated: 07/15/2010   13:41:00

                Event String:

                The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.


             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:41:05

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:41:32

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:41:59

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             An error event occurred.  EventID: 0xC00038D6

                Time Generated: 07/15/2010   13:42:26

                Event String:

                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

             A warning event occurred.  EventID: 0x00001695

                Time Generated: 07/15/2010   13:43:29

                Event String:

                Dynamic registration or deletion of one or more DNS records associated with DNS domain 'leicester.serco.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 07/15/2010   13:52:41

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\leicester.serco.com\sysvol\leicester.serco.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:


             A warning event occurred.  EventID: 0x8000001D

                Time Generated: 07/15/2010   13:57:27

                Event String:

                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

             A warning event occurred.  EventID: 0x000003F6

                Time Generated: 07/15/2010   13:57:39

                Event String:

                Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

             A warning event occurred.  EventID: 0x000727AA

                Time Generated: 07/15/2010   14:00:04

                Event String:

                The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.


             ......................... SLGC-LRI-SVR-01 failed test SystemLog

          Starting test: VerifyReferences

             ......................... SLGC-LRI-SVR-01 passed test VerifyReferences

      
      
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

      
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

      
       Running partition tests on : leicester

          Starting test: CheckSDRefDom

             ......................... leicester passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... leicester passed test CrossRefValidation

      
       Running enterprise tests on : leicester.serco.com

          Starting test: LocatorCheck

             ......................... leicester.serco.com passed test LocatorCheck

          Starting test: Intersite

             ......................... leicester.serco.com passed test Intersite

    Then ran repadmin /showrepl on each:

    10.61.15.6: ALL SUCCESSFUL

    10.61.15.5: ALL SUCCESSFUL

    10.61.15.4 (new server): ALL SUCCESSFUL

     

    Yep, I'm confused!

    Thursday, July 15, 2010 1:09 PM
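Added example, not part of the original posts: a small parser for dcdiag output in the layout posted above. It groups the repeated SystemLog events per test, copes with test names that wrap onto a later line, and converts the hex EventID to the decimal ID that Event Viewer displays (the low 16 bits). The sample text is constructed from lines in this thread; the function names are illustrative.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout of the dcdiag output posted in this thread,
# including a result line whose test name wrapped onto a later line.
SAMPLE = """\
      Starting test: KnowsOfRoleHolders

         ......................... SLGC-LRI-SVR-01 passed test

         KnowsOfRoleHolders

      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000C18
            Time Generated: 07/15/2010   13:37:37
            Event String:
            The primary Domain Controller for this domain could not be located.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 07/15/2010   13:37:55
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 07/15/2010   13:37:54
            Event String:
            Name resolution for the name leicester.serco.com timed out after none of the configured DNS servers responded.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 07/15/2010   13:38:22
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         ......................... SLGC-LRI-SVR-01 failed test SystemLog
"""

START_RE = re.compile(r"Starting test:\s+(\S+)")
RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\b")
EVENT_RE = re.compile(
    r"An?\s+(warning|error)\s+event occurred\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")
TIME_RE = re.compile(r"Time Generated:\s+(\S+)\s+(\S+)")


def parse_dcdiag(text):
    """Return one record per test: name, target, result and grouped events."""
    records = []
    current = None        # record opened by the last "Starting test:" line
    event = None          # event group the following detail lines belong to
    want_message = False  # True right after an "Event String:" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = START_RE.search(line)
        if m:
            current = {"test": m.group(1), "target": None, "result": None,
                       "events": OrderedDict()}
            records.append(current)
            event, want_message = None, False
            continue
        if current is None:
            # Between tests: section headers or a wrapped test name. The result
            # was already credited to the test opened by "Starting test:".
            continue
        m = RESULT_RE.search(line)
        if m:
            current["target"], current["result"] = m.group(1), m.group(2)
            current = None
            continue
        m = EVENT_RE.search(line)
        if m:
            event = current["events"].setdefault(m.group(2), {
                "severity": m.group(1),
                "event_id": int(m.group(2), 16) & 0xFFFF,  # ID as Event Viewer shows it
                "count": 0, "first": None, "last": None, "message": None})
            event["count"] += 1
            want_message = False
            continue
        if event is None:
            continue
        m = TIME_RE.search(line)
        if m:
            stamp = m.group(1) + " " + m.group(2)
            event["first"] = event["first"] or stamp
            event["last"] = stamp
        elif line.startswith("Event String:"):
            want_message = True
        elif want_message:
            if event["message"] is None:
                event["message"] = line
            want_message = False
    return records


def failing_summary(records):
    """Map (target, test) of each failed test to its grouped events."""
    summary = {}
    for rec in records:
        if rec["result"] == "failed":
            summary[(rec["target"], rec["test"])] = [
                (e["event_id"], e["severity"], e["count"], e["first"], e["last"])
                for e in rec["events"].values()]
    return summary


if __name__ == "__main__":
    for key, events in failing_summary(parse_dcdiag(SAMPLE)).items():
        print(key)
        for row in events:
            print("   ", row)
```

"first" and "last" follow the order in which dcdiag lists the events, which is not always strictly chronological.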
  • In regard to 10.61.15.6, follow http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/603d275c-01fe-4a64-9b3b-3c69f67e7c72

    As far as 10.61.15.4 is concerned, post the output of:

    nslookup
    set type=SRV
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com 
    _ldap._tcp.dc._msdcs.leicester.serco.com

    hth
    Marcin

     

    Thursday, July 15, 2010 1:38 PM
  • Hi again Marcin,

    The time sync issue sorted itself on 10.61.15.6. I had this problem some time ago on a different system and never did fix it; that link is very helpful.

    Result of nslookup on 10.61.15.4 as requested:

    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com

    server: server1.leicester.serco.com

    Address 10.61.15.5

    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com SRV service location:

    priority = 0

    weight = 100

    port = 389

    svr hostname = slgc-lri-svr-01.leicester.serco.com

    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com SRV service location:

    priority = 0

    weight = 100

    port = 389

    svr hostname = server1-backup.leicester.serco.com

    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com SRV service location:

    priority = 0

    weight = 100

    port = 389

    svr hostname = server1.leicester.serco.com

    slgc-lri-svr-01.leicester.serco.com internet address = 10.61.15.4

    server1-backup.leicester.serco.com internet address = 10.61.15.6

    server1.leicester.serco.com internet address = 10.61.15.5

     

     

    _ldap._tcp.dc._msdcs.leicester.serco.com SRV service location:

    server: server1.leicester.serco.com

    Address 10.61.15.5

    _ldap._tcp.dc._msdcs.leicester.serco.com SRV service location:

    priority = 0

    weight = 100

    port = 389

    svr hostname = slgc-lri-svr-01.leicester.serco.com

    _ldap._tcp.dc._msdcs.leicester.serco.com SRV service location:

    priority = 0

    weight = 100

    port = 389

    svr hostname = server1-backup.leicester.serco.com

    _ldap._tcp.dc._msdcs.leicester.serco.com SRV service location:

    priority = 0

    weight = 100

    port = 389

    svr hostname = server1.leicester.serco.com

    slgc-lri-svr-01.leicester.serco.com internet address = 10.61.15.4

    server1-backup.leicester.serco.com internet address = 10.61.15.6

    server1.leicester.serco.com internet address = 10.61.15.5

     

     

    Thursday, July 15, 2010 2:46 PM
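Added example, not part of the original posts: a check of nslookup SRV output against the domain controllers named in this thread, reporting any DC missing from a locator name, any unexpected (possibly stale) SRV target, a non-389 port, or a glue A record that does not match. The sample output is constructed, with the new DC deliberately left out of the domain-wide name; the function names are illustrative.

```python
import re

# Domain controllers and addresses as stated in this thread.
EXPECTED_DCS = {
    "slgc-lri-svr-01.leicester.serco.com": "10.61.15.4",
    "server1.leicester.serco.com": "10.61.15.5",
    "server1-backup.leicester.serco.com": "10.61.15.6",
}
SITE_NAME = "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com"
DOMAIN_NAME = "_ldap._tcp.dc._msdcs.leicester.serco.com"

# Constructed nslookup output (not captured from a real server). The new DC is
# deliberately absent from the domain-wide locator name.
SAMPLE = """\
Server:  server1.leicester.serco.com
Address:  10.61.15.5

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = slgc-lri-svr-01.leicester.serco.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1-backup.leicester.serco.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1.leicester.serco.com
slgc-lri-svr-01.leicester.serco.com     internet address = 10.61.15.4
server1-backup.leicester.serco.com      internet address = 10.61.15.6
server1.leicester.serco.com     internet address = 10.61.15.5

_ldap._tcp.dc._msdcs.leicester.serco.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1-backup.leicester.serco.com
_ldap._tcp.dc._msdcs.leicester.serco.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1.leicester.serco.com
server1-backup.leicester.serco.com      internet address = 10.61.15.6
server1.leicester.serco.com     internet address = 10.61.15.5
"""

SRV_RE = re.compile(r"^(\S+)\s+SRV service location:", re.I)
FIELD_RE = re.compile(r"^(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.I)
A_RE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)", re.I)


def parse_nslookup(text):
    """Return (srv, addrs): SRV records per owner name and A records per host."""
    srv, addrs, rec = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SRV_RE.match(line)
        if m:
            rec = {}
            srv.setdefault(m.group(1).lower().rstrip("."), []).append(rec)
            continue
        m = FIELD_RE.match(line)
        if m and rec is not None:
            field, value = m.group(1).lower(), m.group(2).lower().rstrip(".")
            if field == "svr hostname":
                rec["target"] = value
            else:
                rec[field] = int(value)
            continue
        m = A_RE.match(line)
        if m:
            addrs.setdefault(m.group(1).lower().rstrip("."), set()).add(m.group(2))
            rec = None
    return srv, addrs


def check_locator(srv, addrs, owner, expected, port=389):
    """List discrepancies between one locator name and the expected DC set."""
    findings = []
    # A header line pasted without its fields yields a record with no target.
    recs = [r for r in srv.get(owner.lower(), []) if "target" in r]
    targets = {r["target"] for r in recs}
    for dc in sorted(set(expected) - targets):
        findings.append(f"{owner}: no SRV record for {dc}")
    for host in sorted(targets - set(expected)):
        findings.append(f"{owner}: unexpected SRV target {host}")
    for r in recs:
        if r.get("port") != port:
            findings.append(f"{owner}: {r['target']} registered on port {r.get('port')}")
    for dc in sorted(targets & set(expected)):
        got = addrs.get(dc, set())
        if expected[dc] not in got:
            findings.append(f"{dc}: A record {sorted(got) or 'missing'} is not {expected[dc]}")
    return findings


if __name__ == "__main__":
    srv, addrs = parse_nslookup(SAMPLE)
    for name in (SITE_NAME, DOMAIN_NAME):
        for finding in check_locator(srv, addrs, name, EXPECTED_DCS) or ["OK: " + name]:
            print(finding)
```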
  • Is 10.61.16.4 processing group policies at this point? If so, the issues you are running into seem to be transient and limited to the initial startup. Have you verified network components (both in terms of switches and network adapters on that DC) are operating correctly? Are you using teaming by any chance?

    hth
    Marcin

    Thursday, July 15, 2010 3:59 PM
  • Hi Marcin,

    It's funny you should suggest this, as I too was verging on going down the NIC route after I realized that if I disabled the NIC and then re-enable it I'm immediately unable to reconnect to the domain - it simply states searching... and the NIC shows a yellow exclamation.

    So last night I left the server overnight with a dcdiag full of errors and this morning without touching a thing (it's still pointing at 10.61.15.5 for DNS mind you) I get this:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = slgc-lri-svr-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Connectivity

             ......................... SLGC-LRI-SVR-01 passed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

          Starting test: Advertising

             ......................... SLGC-LRI-SVR-01 passed test Advertising

          Starting test: FrsEvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             ......................... SLGC-LRI-SVR-01 passed test FrsEvent

          Starting test: DFSREvent

             ......................... SLGC-LRI-SVR-01 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... SLGC-LRI-SVR-01 passed test SysVolCheck

          Starting test: KccEvent

             ......................... SLGC-LRI-SVR-01 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... SLGC-LRI-SVR-01 passed test

             KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... SLGC-LRI-SVR-01 passed test MachineAccount

          Starting test: NCSecDesc

             ......................... SLGC-LRI-SVR-01 passed test NCSecDesc

          Starting test: NetLogons

             ......................... SLGC-LRI-SVR-01 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... SLGC-LRI-SVR-01 passed test

             ObjectsReplicated

          Starting test: Replications

             ......................... SLGC-LRI-SVR-01 passed test Replications

          Starting test: RidManager

             ......................... SLGC-LRI-SVR-01 passed test RidManager

          Starting test: Services

             ......................... SLGC-LRI-SVR-01 passed test Services

          Starting test: SystemLog

             ......................... SLGC-LRI-SVR-01 passed test SystemLog

          Starting test: VerifyReferences

             ......................... SLGC-LRI-SVR-01 passed test VerifyReferences

      
      
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

      
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

      
       Running partition tests on : leicester

          Starting test: CheckSDRefDom

             ......................... leicester passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... leicester passed test CrossRefValidation

      
       Running enterprise tests on : leicester.serco.com

          Starting test: LocatorCheck

             ......................... leicester.serco.com passed test LocatorCheck

          Starting test: Intersite

             ......................... leicester.serco.com passed test Intersite

    Last night I downloaded the latest firmware and driver package so I've installed both this morning.  It seems the problem still remains after a boot up - the dcdiag is immediately full of errors and the 4013 error is still appearing in the DNS Event log (but of note is that it only ever appears once after a boot up, it then never comes up again, meaning that the initial sync does complete, albeit not when it's supposed to).

    What do you think?  Something at startup clearly isn't right.

    The server is a HP Proliant DL380 G6, using what I believe are Broadcom NICs but with HP NC382i DP Gigabit drivers (version 5.2.14.0).

    I'll be Googlin' this one for sure...

    Thanks for all your help so far Marcin, I can't begin to show my appreciation for your efforts, getting this system working is my biggest priority as without it the whole site doesn't get to use their new server and the old one will slowly die!

    Friday, July 16, 2010 8:13 AM
  • Update:

    Firmware was already at latest, drivers are now up to date.  When I first took delivery of the server I had updated all of the firmware so on an off chance I decided to downgrade the NIC firmware back to what it came with.  This seems to have made a difference.  Instead of the NIC displaying searching or cannot connect it EVENTUALLY connects to the domain and internet.  So I changed the DNS to point to itself (10.61.15.4) and rebooted.

    The startup time is now down to around 5 minutes and once I was logged in the NIC icon in the corner had the hourglass / blue circle icon spinning for a good 2 minutes.  After this it connected to the domain and internet and it seemed to be working.  After subsequent restarts the NIC doesn't do this at all.

    So I perform all of the following:

     

    Repadmin /syncall

     

    Net share (checks SYSVOL)

     

    Dcdiag

     

    Nslookup (on all 3 servers in DNS snap-in)

    Dcdiag still gave me errors; they are mainly related to the other 3 NICs being down (of course they are) and a few DNS related issues, but after leaving it for some time rerunning this gives no errors at all.  All the other tests report full replication and functionality.

    I still have the 4013 errors in the DNS Event log, but reading up on this other people seem to experience this issue too with Win2k8R2:

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/ff936f70-780d-486e-a808-35d9e7fc0ddb - In fact this is now the exact problem I'm having.

     

     

    http://forums.techarena.in/active-directory/1019600.htm

     

    http://www.winvistatips.com/server-2008-r2-slow-boot-t774152.html

     

    So it seems the issue lay with the NIC firmware or drivers, and the DNS issues I experience on boot up are the same as everybody else gets with win2k8r2 in a similar configuration.

     

    I've also configured the secondary DNS to point to my backup server, 10.61.15.6, and will use this for DNS resolution at bootup to help speed up the process and minimise these bootup errors.

     

    I'm hopeful this is now resolved (of sorts).

     

    Marcin, send me an email: andy.woodier@serco.com and I'll make sure I thank you properly.  You've been an invaluable resource in what has been a very stressful week for me.

    Friday, July 16, 2010 10:37 AM
  • Andy - I'm glad you managed to get this resolved (of sorts ;)...

    cheers,
    Marcin

    Friday, July 16, 2010 11:43 AM
  • Well it appears this issue isn't resolved after all.  I had left the new server configured so that its primary DNS is set to itself, 10.61.15.4, and the secondary DNS 10.61.15.6, which is my backup server.

    I configured a client PC to point to just 10.61.15.4 for its DNS and it never resolves - I get no internet, no connection to the outside world.  I can connect to the intranet site running on 10.61.15.4, and see the network shares, but that's it.

    So I've changed the DNS on the server so that it only points to itself and I get the following information about the NIC status in the system tray:

    Currently connected to leicester.serco.com, No Internet access (with yellow exclamation).

    Where do I start here, as the only errors I'm getting related to DNS in the Event logs are the 4013 errors as before?

    Any help appreciated as always.

    Tuesday, July 27, 2010 9:00 AM
  • I'm confident this fix may help others with a similar problem (I found several on the net)

    Now it appears the issue is resolved, properly!

    Maybe someone in the know could clarify this, but it appears that the Forwarders in the Properties dialog box for the selected server were not copied across when the DNS was.  So in effect, whilst the DNS that is integrated within AD gets pushed out to any new DC that joins it, these Forwarders are not.  Very strange.  Anyone know why this may be?

    So to fix, go into the DNS snap-in, right click on the server, click Properties then the Forwarders tab.

    So it's working now using its own IP as the primary DNS, and will resolve DNS for the clients too.

    Phew...

    Tuesday, July 27, 2010 1:27 PM
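
The check behind the fix in the last post, as an added example that is not part of the thread: forwarders are a per-server DNS setting rather than data held in the AD-integrated zones, so a newly promoted DC does not inherit them. This PowerShell script reads each server's forwarder list through the DNS WMI provider (`root\MicrosoftDNS`, class `MicrosoftDNS_Server`) and flags servers with none or with a different list; the IP addresses are the ones quoted in the thread and the status labels are illustrative.

```powershell
# Added example, not from the thread. The addresses are the DCs quoted in the
# thread; the status labels are illustrative. Works on PowerShell 2.0 (2008 R2).
$dnsServers = '10.61.15.4', '10.61.15.5', '10.61.15.6'

function Get-ForwarderConfig {
    param([string]$Server)
    try {
        # MicrosoftDNS_Server exposes the per-server settings, including Forwarders.
        $dns = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
                   -Class MicrosoftDNS_Server -ErrorAction Stop
        # Drop empty entries and sort so lists compare regardless of order.
        $list = @($dns.Forwarders | Where-Object { $_ } | Sort-Object)
        New-Object PSObject -Property @{ Server = $Server; Forwarders = $list; Failure = $null }
    }
    catch {
        # Unreachable host, no DNS role, or access denied: record it, keep going.
        New-Object PSObject -Property @{ Server = $Server; Forwarders = @(); Failure = $_.Exception.Message }
    }
}

$results = @($dnsServers | ForEach-Object { Get-ForwarderConfig -Server $_ })

# Use the first server that answered and has forwarders as the baseline.
$baseline = $results |
    Where-Object { -not $_.Failure -and $_.Forwarders.Count -gt 0 } |
    Select-Object -First 1

$report = foreach ($r in $results) {
    $joined = $r.Forwarders -join ', '
    if ($r.Failure) { $status = 'QUERY FAILED: ' + $r.Failure }
    elseif ($r.Forwarders.Count -eq 0) { $status = 'NO FORWARDERS (root hints only)' }
    elseif ($joined -ne ($baseline.Forwarders -join ', ')) { $status = 'DIFFERS FROM ' + $baseline.Server }
    else { $status = 'OK' }
    New-Object PSObject -Property @{ Server = $r.Server; Forwarders = $joined; Status = $status }
}

# Select-Object fixes the column order (hashtable order is not guaranteed in 2.0).
$report | Select-Object Server, Forwarders, Status | Format-Table -AutoSize
```

Run it from an account with administrative rights on the DNS servers; a server reported with no forwarders resolves external names only if it can reach the root servers directly.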