Issue with DNS initial synchronization

  • Question

  • Hi everybody,

    Thank you in advance for taking the time to help me.

    The context:

    We are beginning our IT from scratch (new forest with new DC)

    -          We have 3 DNS servers (that are also Domain Controllers)

    • Primary is installed on subnet 1 (installed in February with no apparent errors)
    • Secondary is installed on subnet 1 (installed in February with no apparent errors)
    • Third is installed on subnet 2, routed to the first one (installed today with an error: “A Delegation for this DNS server cannot be found or does not run Windows DNS server…”)

    -          The error we are having:

    • “The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.”

    -          We manage our DNS addresses with Microsoft’s IPAM

    • Installed in subnet 1. It does have the connection to all 3 DNS servers, but we have an issue with the _msdcs zone (Zone Status = Error)
    • Do not know if it is linked…

    I am a bit lost on what to do next… Everything seems fine to me; the replication seems to work fine (maybe a bit slow). However, as we are starting from scratch, I do not want to have issues in our infrastructure.

    Thank you in advance,

    Best Regards,

    Jon

    Thursday, July 4, 2019 2:01 PM

Answers

All replies

  • Hello,

    Is it possible to have an output of a dcdiag /e ?

    Do you have any Firewall between subnet 1 and subnet 2 ?

    Best Regards,

    Friday, July 5, 2019 6:24 AM
  • Hello Jon,

    Thank you for posting in this forum.

    I found a post related to this, please check if the reply in that post is useful to you.

    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 5, 2019 8:05 AM
  • Hello,

    Is it possible to have an output of a dcdiag /e ?

    Do you have any Firewall between subnet 1 and subnet 2 ?

    Best Regards,

    Sorry about the delays... I have been sick...

    No firewall between them. They are both "virtually" connected to the same Nexus switch.

    The DCDiag:

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = VSI-ADDS-P03
       * Identified AD Forest.
       Ldap search capability attribute search failed on server VSI-ADDS-P01, return value = 81
       Got error while checking if the DC is using FRS or DFSR. Error: Win32 Error 81The VerifyReferences, FrsEvent and
       DfsrEvent tests might fail because of this error.
       Ldap search capability attribute search failed on server VSI-ADDS-P02, return value = 81
       Got error while checking if the DC is using FRS or DFSR. Error: Win32 Error 81The VerifyReferences, FrsEvent and
       DfsrEvent tests might fail because of this error.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\VSI-ADDS-P01
          Starting test: Connectivity
             Server VSI-ADDS-P01 resolved to these IP addresses: XXXXXXX, but none of the addresses could be reached
             (pinged). Please check the network.
             Error: 0x2b02 "Error due to lack of resources."
             This error more often means that the targeted server is shutdown or disconnected from the network.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... VSI-ADDS-P01 failed test Connectivity

       Testing server: Default-First-Site-Name\VSI-ADDS-P02
          Starting test: Connectivity
             Server VSI-ADDS-P02 resolved to these IP addresses: XXXXXXX, but none of the addresses could be reached
             (pinged). Please check the network.
             Error: 0x2b02 "Error due to lack of resources."
             This error more often means that the targeted server is shutdown or disconnected from the network.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... VSI-ADDS-P02 failed test Connectivity

       Testing server: Default-First-Site-Name\VSI-ADDS-P03
          Starting test: Connectivity
             ......................... VSI-ADDS-P03 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\VSI-ADDS-P01
          Skipping all tests, because server VSI-ADDS-P01 is not responding to directory service requests.

       Testing server: Default-First-Site-Name\VSI-ADDS-P02
          Skipping all tests, because server VSI-ADDS-P02 is not responding to directory service requests.

       Testing server: Default-First-Site-Name\VSI-ADDS-P03
          Starting test: Advertising
             Warning: VSI-ADDS-P03 is not advertising as a time server.
             ......................... VSI-ADDS-P03 failed test Advertising
          Starting test: FrsEvent
             ......................... VSI-ADDS-P03 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
             replication problems may cause Group Policy problems.
             ......................... VSI-ADDS-P03 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... VSI-ADDS-P03 passed test SysVolCheck
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000B46
                Time Generated: 07/08/2019   07:44:25
                Event String:
                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
             An error event occurred.  EventID: 0xC0000827
                Time Generated: 07/08/2019   07:45:26
                Event String:
                Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
             An error event occurred.  EventID: 0xC0000827
                Time Generated: 07/08/2019   07:46:04
                Event String:
                Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
             A warning event occurred.  EventID: 0x8000051C
                Time Generated: 07/08/2019   07:49:25
                Event String:
                The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
             A warning event occurred.  EventID: 0x8000051C
                Time Generated: 07/08/2019   07:49:25
                Event String:
                The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
             ......................... VSI-ADDS-P03 failed test KccEvent
          Starting test: KnowsOfRoleHolders
             [VSI-ADDS-P01] DsBindWithSpnEx() failed with error 1722,
             The RPC server is unavailable..
             Warning: VSI-ADDS-P01 is the Schema Owner, but is not responding to DS RPC Bind.
             Warning: VSI-ADDS-P01 is the Schema Owner, but is not responding to LDAP Bind.
             Warning: VSI-ADDS-P01 is the Domain Owner, but is not responding to DS RPC Bind.
             Warning: VSI-ADDS-P01 is the Domain Owner, but is not responding to LDAP Bind.
             [VSI-ADDS-P02] DsBindWithSpnEx() failed with error 1722,
             The RPC server is unavailable..
             Warning: VSI-ADDS-P02 is the PDC Owner, but is not responding to DS RPC Bind.
             Warning: VSI-ADDS-P02 is the PDC Owner, but is not responding to LDAP Bind.
             Warning: VSI-ADDS-P02 is the Rid Owner, but is not responding to DS RPC Bind.
             Warning: VSI-ADDS-P02 is the Rid Owner, but is not responding to LDAP Bind.
             Warning: VSI-ADDS-P02 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
             Warning: VSI-ADDS-P02 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
             ......................... VSI-ADDS-P03 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... VSI-ADDS-P03 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... VSI-ADDS-P03 passed test NCSecDesc
          Starting test: NetLogons
             ......................... VSI-ADDS-P03 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... VSI-ADDS-P03 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P02 to VSI-ADDS-P03
                Naming Context: DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:46:58.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P01 to VSI-ADDS-P03
                Naming Context: DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:47:41.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P02 to VSI-ADDS-P03
                Naming Context: DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:46:46.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P01 to VSI-ADDS-P03
                Naming Context: DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:47:29.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P02 to VSI-ADDS-P03
                Naming Context: CN=Schema,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:45:45.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P01 to VSI-ADDS-P03
                Naming Context: CN=Schema,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:46:16.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P02 to VSI-ADDS-P03
                Naming Context: CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:45:26.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P01 to VSI-ADDS-P03
                Naming Context: CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:46:04.
                The last success occurred at 2019-07-07 01:58:07.
                30 failures have occurred since the last success.
                The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P02 to VSI-ADDS-P03
                Naming Context: DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:46:34.
                The last success occurred at 2019-07-07 02:12:34.
                30 failures have occurred since the last success.
                The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
                From VSI-ADDS-P01 to VSI-ADDS-P03
                Naming Context: DC=XXX,DC=XXXXX,DC=XX
                The replication generated an error (8524):
                The DSA operation is unable to proceed because of a DNS lookup failure.
                The failure occurred at 2019-07-08 07:47:17.
                The last success occurred at 2019-07-07 02:20:00.
                30 failures have occurred since the last success.
                The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
                is not registered on one or more DNS servers.
             ......................... VSI-ADDS-P03 failed test Replications
          Starting test: RidManager
             ......................... VSI-ADDS-P03 failed test RidManager
          Starting test: Services
             ......................... VSI-ADDS-P03 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 07/08/2019   07:43:51
                Event String: The WinRM service is not listening for WS-Management requests.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/08/2019   07:44:27
                Event String:
                Name resolution for the name wpad timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x00000C18
                Time Generated: 07/08/2019   07:44:39
                Event String: The primary Domain Controller for this domain could not be located.
             An error event occurred.  EventID: 0xC0000428
                Time Generated: 07/08/2019   07:44:39
                Event String:
                The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occured: The specified domain either does not exist or could not be contacted.
             A warning event occurred.  EventID: 0x000727AA
                Time Generated: 07/08/2019   07:44:40
                Event String:
                The WinRM service failed to create the following SPNs: WSMAN/VSI-ADDS-P03.DOMAIN; WSMAN/VSI-ADDS-P03.
             An error event occurred.  EventID: 0x00002710
                Time Generated: 07/08/2019   07:44:40
                Event String: Unable to start a DCOM Server: {9C38ED61-D565-4728-AEEE-C80952F0ECDE}. The error:
             An error event occurred.  EventID: 0x00000469
                Time Generated: 07/08/2019   07:44:41
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             A warning event occurred.  EventID: 0x00000081
                Time Generated: 07/08/2019   07:44:46
                Event String:
                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
             A warning event occurred.  EventID: 0x00000081
                Time Generated: 07/08/2019   07:44:47
                Event String:
                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/08/2019   07:44:51
                Event String:
                Name resolution for the name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x00001695
                Time Generated: 07/08/2019   07:47:44
                Event String:
                Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DOMAIN.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
             A warning event occurred.  EventID: 0x00001695
                Time Generated: 07/08/2019   07:47:54
                Event String:
                Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DOMAIN.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
             ......................... VSI-ADDS-P03 failed test SystemLog
          Starting test: VerifyReferences
             ......................... VSI-ADDS-P03 passed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
                For the partition (DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
                retrieving the cross-ref's
                (CN=8ac856f2-bc56-4f63-9905-b59245097f1f,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
                information:
                   LDAP Error 0x3a (58).
             ......................... ForestDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
                retrieving the cross-ref's
                (CN=8ac856f2-bc56-4f63-9905-b59245097f1f,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
                information:
                   LDAP Error 0x3a (58).
             ......................... ForestDnsZones failed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
                For the partition (DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
                retrieving the cross-ref's
                (CN=7078cf43-3f80-437d-8332-5646cf144de4,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
                information:
                   LDAP Error 0x3a (58).
             ......................... DomainDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
                retrieving the cross-ref's
                (CN=7078cf43-3f80-437d-8332-5646cf144de4,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
                information:
                   LDAP Error 0x3a (58).
             ......................... DomainDnsZones failed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (CN=Schema,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
                retrieving the cross-ref's  (CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
                information:
                   LDAP Error 0x3a (58).
             ......................... Schema failed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (CN=Configuration,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error retrieving
                the cross-ref's  (CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
                information:
                   LDAP Error 0x3a (58).
             ......................... Configuration failed test CrossRefValidation

       Running partition tests on : corp
          Starting test: CheckSDRefDom
             ......................... corp passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (DC=XXX,DC=XXXXX,DC=XX) we encountered the following error retrieving the cross-ref's
                (CN=CORP,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX) information:
                   LDAP Error 0x3a (58).
             ......................... corp failed test CrossRefValidation

       Running enterprise tests on : DOMAIN
          Starting test: LocatorCheck
             Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
             A Primary Domain Controller could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             ......................... DOMAIN failed test LocatorCheck
          Starting test: Intersite
             ......................... DOMAIN passed test Intersite

    For the post from HK.Leon, I will check it right now.

    Thanks for the help guys.

    Jon

    Monday, July 8, 2019 6:10 AM
  • Hello,

    Based on your output, it seems that you have a lot of errors regarding network communication between your DCs.

    Maybe you should check with a port query that the ports listed in the article are open:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)

    Best Regards,

    Wednesday, July 10, 2019 5:42 AM
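    The two things the thread circles around are visible in Jon's dcdiag output (replication error 8524: the guid-based name `<DSA GUID>._msdcs.<forest>` is not registered on one or more DNS servers) and in the port-query suggestion above. The PowerShell below is an added example, not code from the original thread or from Microsoft: it resolves every DC's DSA GUID CNAME against every DC's DNS service and then tests the TCP ports AD replication needs. It assumes the RSAT ActiveDirectory, DnsClient and NetTCPIP modules are present and that it is run from a domain-joined host with rights to read the Configuration partition; the forest name, DC list and port table are discovered or hard-coded here and are not values from the thread.

```powershell
# Added example (not from the original thread): check the DSA GUID CNAMEs in
# _msdcs and the AD replication ports between this host and every DC.
#Requires -Modules ActiveDirectory, DnsClient, NetTCPIP

# TCP ports AD replication and DC location depend on (per the linked article).
# UDP 53/88/123/389 and the dynamic RPC range 49152-65535 are not probed here:
# Test-NetConnection only does TCP, and the RPC range is negotiated per call.
$replicationPorts = [ordered]@{
    'RPC endpoint mapper' = 135
    'LDAP'                = 389
    'LDAP over SSL'       = 636
    'Global Catalog'      = 3268
    'Kerberos'            = 88
    'DNS'                 = 53
    'SMB (SYSVOL)'        = 445
    'Kerberos kpasswd'    = 464
}

function Test-DsaGuidRecords {
    # dcdiag error 8524 means a DC could not resolve a partner's
    # <objectGUID of NTDS Settings>._msdcs.<forest root> CNAME. Every DC's
    # record must resolve on every DNS server the DCs use.
    $forestRoot = (Get-ADForest).RootDomain
    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $cname   = "$dsaGuid._msdcs.$forestRoot"
        foreach ($dns in $dcs) {
            try {
                $answer = Resolve-DnsName -Name $cname -Type CNAME `
                    -Server $dns.IPv4Address -ErrorAction Stop
                $target = ($answer | Where-Object QueryType -eq 'CNAME').NameHost
                [pscustomobject]@{ Record = $cname; DnsServer = $dns.HostName; Result = "OK -> $target" }
            } catch {
                # A missing CNAME here is exactly the condition dcdiag reports as 8524.
                [pscustomobject]@{ Record = $cname; DnsServer = $dns.HostName; Result = "FAIL: $($_.Exception.Message)" }
            }
        }
    }
}

function Test-ReplicationPorts {
    # TCP reachability of each AD port from this host to every DC. A 'BLOCKED'
    # line alongside a failing ping in dcdiag points at the network path
    # (routing, VLAN, firewall) rather than at AD or DNS configuration.
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($entry in $replicationPorts.GetEnumerator()) {
            $r = Test-NetConnection -ComputerName $dc.HostName -Port $entry.Value `
                -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc.HostName
                Service = $entry.Key
                Port    = "$($entry.Value)/tcp"
                State   = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
            }
        }
    }
}

Test-DsaGuidRecords  | Format-Table -AutoSize
Test-ReplicationPorts | Format-Table -AutoSize
```

    Read the two tables together: if the port test shows everything open but a CNAME is missing on one DNS server, the fix is on the DNS side (after the network is right, `nltest /dsregdns` re-registers the DC locator records and `ipconfig /registerdns` the host records, then `repadmin /syncall /AdeP` forces replication of all partitions). If ports are BLOCKED while dcdiag already reports that the partner cannot be pinged, as in Jon's output, the problem is the path between the subnets, which is what the thread's own resolution (a wrong link between the two sites) confirms.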
  • Hi,

    Just checking the current situation of your problem.
    Was your issue resolved?

    Best regards,
    Leon

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 17, 2019 9:31 AM
  • Yes, sorry, I forgot a bit... Our network configuration was wrongly done... We used the wrong link between both sites... Sorry for the inconvenience.
    Monday, July 22, 2019 6:33 AM
  • Thank you for your update.

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 22, 2019 10:21 AM