DNS error

    Question

  • Hi,

    Just a bit of background info. Recently I decommissioned a 2012r2 DC and replaced it with a fresh copy of 2019 Server (virtual). Kept the same name/IP etc. I have DFS "trustshared" running across all sites, a total of 5 DCs. The one I replaced was the operations master and looked after the following roles: "RID, Infrastructure and PDC". I did swap these roles to another DC 1 week prior to me DC promoting the older server off and building the new one. One week after everything had settled down I moved all the roles back. Everything seems to be fine apart from the fact that I'm now getting loads of errors saying the DNS server has entered a critical state. Event ID 4015: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

    Not sure if it's related but I'm also getting a DFS error, Event ID 5008: The DFS Replication service failed to communicate with partner WELLGPDC1 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

    The error seems to be moaning about the same server, so I looked in DNS at the forward lookup zones and noticed wellgpdc1 wasn't resolved (see Pic), so I resolved it and now it has [::1] after it. Is this normal? I have read that the error can be caused by the virtual servers being backed up due to system state pauses etc., and I do use Windows Server Backup to back up all my virtual servers at 19:00. The final DNS entry always seems to be "The DFS Replication service successfully established an inbound connection with partner WELLGPDC1 for replication group Domain System Volume.", which confuses me because I don't get any events relating to the other DCs.

    All the other DCs are 2012r2 

    DXDIAG results

    C:\Windows\system32>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = HOYLSPDC1
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Springwood\HOYLSPDC1
          Starting test: Connectivity
             ......................... HOYLSPDC1 passed test Connectivity

    Doing primary tests

       Testing server: Springwood\HOYLSPDC1
          Starting test: Advertising
             ......................... HOYLSPDC1 passed test Advertising
          Starting test: FrsEvent
             ......................... HOYLSPDC1 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
             replication problems may cause Group Policy problems.
             ......................... HOYLSPDC1 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... HOYLSPDC1 passed test SysVolCheck
          Starting test: KccEvent
             ......................... HOYLSPDC1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... HOYLSPDC1 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... HOYLSPDC1 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... HOYLSPDC1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... HOYLSPDC1 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... HOYLSPDC1 passed test ObjectsReplicated
          Starting test: Replications
             ......................... HOYLSPDC1 passed test Replications
          Starting test: RidManager
             ......................... HOYLSPDC1 passed test RidManager
          Starting test: Services
             ......................... HOYLSPDC1 passed test Services
          Starting test: SystemLog
             ......................... HOYLSPDC1 passed test SystemLog
          Starting test: VerifyReferences
             ......................... HOYLSPDC1 passed test VerifyReferences


       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : ECMTrust
          Starting test: CheckSDRefDom
             ......................... ECMTrust passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ECMTrust passed test CrossRefValidation

       Running enterprise tests on : ECMTrust.local
          Starting test: LocatorCheck
             ......................... ECMTrust.local passed test LocatorCheck
          Starting test: Intersite
             ......................... ECMTrust.local passed test Intersite

    C:\Windows\system32>

    Any help in resolving this would be really appreciated.

    Cheers

    Mick


    Mikehawo

    Friday, May 17, 2019 1:50 PM

All replies

  • If you're still getting the 5008 error you can follow along here.
    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

    and the 4015 event here.

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349575(v=ws.10)

    if problems persist then please run;

    • Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log
      (please replace DCName with your domain controller's netbios name)
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt
    • -------------
    • ipconfig /all > C:\dc5.txt

    then put unzipped text files up on OneDrive and share a link.

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.




    Friday, May 17, 2019 1:59 PM
  • Hi, thanks for the reply!

    I'm not sure what to do here: https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

    Do I put this in the connection point? It's not clear!

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<hoylspdc1>,OU=Domain Controllers,DC=<ECMtrust.local>

    It says "How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL"

    but I want all my DCs to have the authority.

    Cheers


    Mikehawo



    • Edited by Mikehawo Friday, May 17, 2019 2:34 PM
    Friday, May 17, 2019 2:32 PM
  • Another method which basically will accomplish same result is to demote the problematic one, then promote it again.

     

     



    Regards, Dave Patrick ....

    Friday, May 17, 2019 2:35 PM
  • Hi Dave, can't really DC promo off and back on again whilst in school term. Holidays maybe. Isn't there anything else I can do please?

    I have created the log files for you.

    https://1drv.ms/u/s!Amj9np3HKtBHgfQM6crdataaiQ5Ayg

    cheers

    Mick


    Mikehawo

    Monday, May 20, 2019 8:25 AM
  • Hi, what does the [::1] mean after the IP on the Name Servers please? Is it normal? Another post says it's a glue record or loopback A record. It wasn't there before I upgraded one of my DCs to Server 2019. Is there a compatibility issue?

    Thanks


    Mikehawo


    • Edited by Mikehawo Monday, May 20, 2019 10:36 AM
    Monday, May 20, 2019 10:35 AM
  • Please do not zip the test files.

     

     



    Regards, Dave Patrick ....

    Monday, May 20, 2019 12:16 PM
  • https://1drv.ms/f/s!Amj9np3HKtBHgfQVmueW3e3KH7JQVw

    Sorry about that..

    Cheers

    Mick


    Mikehawo

    Monday, May 20, 2019 12:50 PM
  • The ipconfig /all 's are all identical (copies? or all ran on same server?) so who knows there. I'd check the system event logs for more details on replication errors. Looks like there may also be time server sync issues which could contribute or at least be problematic. Also "no more end points" is usually symptomatic of port exhaustion which could be a result of the replication start / stop attempts. A reboot may temporarily help. Probably back to working through these two.

    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

    and the 4015 event here.

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349575(v=ws.10)

     

     



    Regards, Dave Patrick ....


    Monday, May 20, 2019 1:08 PM
  • Hi

    Right, I've gone through this https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo and completed it step by step. All went as planned with no errors.

    I actually followed this guide, which was much easier to follow:

    https://www.youtube.com/watch?v=ja53C2Mz1EQ

    However, when I run the DFS health check I'm still getting 2 of my DCs which say the DFS Replication Service is restarting frequently.

    The last error I had was a 5002 error.

    Is there a command to establish which is the DFSR master? It should be the one selected in the process above but I don't know the command to confirm this.

    Oh, and I've fixed the time issue. I'd moved all the operations master roles to another server and forgot to modify the registry to make the new DC the time sync master.

    Thanks


    Mikehawo


    • Edited by Mikehawo Monday, May 20, 2019 3:04 PM
    Monday, May 20, 2019 3:02 PM
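
    The following is an added example, not part of any post in this thread and not Microsoft's own tooling. DFSR replication of SYSVOL is multi-master, so the closest thing to confirming "which one is the master" is reading the SYSVOL subscription attributes that the KB 2218556 procedure edits, together with each DC's live replication state. This read-only script does that for every DC and counts the event IDs discussed in the thread; it assumes the ActiveDirectory RSAT module and WinRM/remote event log access to each DC.

```powershell
# Added example: read-only survey of DFSR SYSVOL health on every DC in the domain.
# Assumes the ActiveDirectory (RSAT) module and WinRM/remote event log access to each DC.
Import-Module ActiveDirectory

# DfsrReplicatedFolderInfo.State codes reported by the DFSR WMI provider
$stateName = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }
$since = (Get-Date).AddHours(-24)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # SYSVOL subscription object under this DC's computer account; the KB 2218556
    # procedure edits msDFSR-Enabled and msDFSR-Options on this object.
    $subDn = 'CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,' +
             $dc.ComputerObjectDN
    $sub = Get-ADObject -Identity $subDn -Server $name -ErrorAction SilentlyContinue `
               -Properties 'msDFSR-Enabled', 'msDFSR-Options'

    # Live replication state of the SYSVOL replicated folder on that DC
    $rf = Get-CimInstance -ComputerName $name -Namespace 'root\microsoftdfs' `
              -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
          Where-Object ReplicatedFolderName -eq 'SYSVOL Share'

    # Event IDs discussed in this thread, last 24 hours
    $dfsr = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'DFS Replication'; Id = 5002, 5008; StartTime = $since }
    $dns  = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $since }

    [pscustomobject]@{
        DC          = $name
        SysvolState = if ($rf) { $stateName[[int]$rf.State] } else { 'no data' }
        DfsrEnabled = $sub.'msDFSR-Enabled'
        DfsrOptions = $sub.'msDFSR-Options'   # 1 is the value the KB sets on the authoritative member
        Event5002   = @($dfsr | Where-Object Id -eq 5002).Count
        Event5008   = @($dfsr | Where-Object Id -eq 5008).Count
        Dns4015     = @($dns  | Where-Object Id -eq 4015).Count
    }
}

# Any DC not in state 'Normal', or with a non-zero event count, is the one to look at first.
$report | Sort-Object DC | Format-Table -AutoSize
```

    Running it from one admin workstation against all DCs also avoids the problem seen later in the thread of collecting the same server's output several times.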
  • I'd also work through this one for the 5002 error.

    https://support.microsoft.com/en-us/help/2089874/active-directory-replication-error-1753-there-are-no-more-endpoints-av

     

     



    Regards, Dave Patrick ....

    Monday, May 20, 2019 3:08 PM
  • I'd demote the problematic one, then put up a new set of files. (please do not post logs in forums)

     

     



    Regards, Dave Patrick ....

    Thursday, May 23, 2019 3:06 PM
  • How do I know which is the problematic one, as it's complaining about 2 DCs in the health check?

    Are you suggesting that I just demote the last server I built, restart, then promote it again?

    Cheers


    Mikehawo

    Friday, May 24, 2019 12:05 PM
  • It sounds like the problems started with the addition of the 2019 DC? If so I'd demote it, then put up a new set of files.

     

     



    Regards, Dave Patrick ....

    Friday, May 24, 2019 12:57 PM
  • Hi, what do you mean by a new set of files please? Do you mean demote the server and then promote it again?

    Cheers


    Mikehawo

    Thursday, May 30, 2019 8:45 AM
  • I was suggesting to demote the problematic one then put up some new files;
    • Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log
      (please replace DCName with your domain controller's netbios name)
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt
    • -------------
    • ipconfig /all > C:\dc5.txt

    then put unzipped text files up on OneDrive and share a link.

     

     



    Regards, Dave Patrick ....

    Thursday, May 30, 2019 12:28 PM
  • OK, for info I did demote the Server 2019 and then promote it again. I'm still getting the 5008 error. I'm also getting the odd 4015 error now under DNS server.

    I will have to wait until the next holidays until I perform your request as the school will need the DC up and running. For now the only issue I seem to be getting because of these errors is that our Trustshared mapped drive (via group policy) intermittently doesn't map properly for users who are based at that school with the Server 2019 install. As a workaround I've just used GPO to put a shortcut on the desktop of all users.

    As I said anyway will have to pick this up again in the summer holidays.

    Cheers for your help.

    Mick


    Mikehawo

    Monday, June 3, 2019 7:12 AM