Block Based replication of Domain Controllers to DR site

I have to bring up a business critical application at a DR site using the same hostname and IP address as in the production site. For this purpose, I plan to use block replication software to replicate data from production servers to a SAN at the DR site.
For DR invocation or testing, I am planning to take a snapshot from the SAN, create virtual disks and attach them to newly created VMs at the DR site.
This application depends on Active Directory and hence I need to have a domain controller at the DR site. If I create a new domain controller for the DR site, as it will be in a separate IP subnet, it will have to be in a separate AD site and the application servers will not be able to use this domain controller, as they will look for domain controllers in their own AD site (which is the production site). If I put the domain controller in the same IP subnet as the application servers, that IP subnet also has user workstations, and hence user authentication requests from the production site will start coming to the DR site across the WAN.
In this scenario, I am proposing to replicate the domain controllers from the production site to the DR site as well, like the application servers. But I am not sure whether block replication of the production DCs to the DR site and then, when required for testing/invocation, creating new VMs and attaching virtual hard disks with the replicated data will bring these VMs up as domain controllers in the DR site, or whether they will have any negative effects. Would this be a supported solution? Any response will be highly appreciated.
Thanks in advance.

You don't want to run any type of duplication software to clone the DC; that is a bad idea. You could end up with lingering objects and/or Directory Service corruption.
If you want the DCs to exist in the same subnet then you are in a quandary. You can start to modify SRV records so the DC won't authenticate clients (but you will have to manually change that at DR time).
I have a blog post that talks about lag site replication that blocks clients from ever attempting to authenticate to the DC; you should be able to use this same logic.
http://blogs.dirteam.com/blogs/paulbergson/archive/2013/05/14/how-to-build-an-ad-replication-delay-lag-site.aspx
You will want to create yourself a group policy that prevents the DC in the DR site from registering records that will advertise itself as an authenticating DC. If you need to use the DR site, you will need to remove the GPO and either reboot the DC or run a gpupdate and restart NetLogon on the DC so it will register the records so the clients can then use this DC.
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.
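A check that goes with the answer above, as an added example (not from the post and not from the linked blog): a PowerShell script that reports which DC Locator records a DC has been told not to register (the registry data behind the Net Logon policy "Specify DC Locator DNS records not registered by the DCs") and whether the DC is actually listed in the domain's locator SRV records. It assumes it runs on the DC itself in an elevated PowerShell session; the domain name defaults to the machine's own domain, and the record mnemonics in the comment are illustrative.

```powershell
# Added example, not from the post or the linked blog. Audits, on a DC, whether DC
# Locator records are being suppressed and whether the DC is present in the domain's
# locator SRV records. Assumes it runs on the DC in an elevated PowerShell; the domain
# name defaults to the machine's own domain.
param(
    [string]$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain
)
$DcFqdn = "$env:COMPUTERNAME.$DomainName"

# Netlogon reads the mnemonics (e.g. Ldap, Gc, Kdc, Dc, DcByGuid, LdapIpAddress) from
# either location; the first is written by Group Policy, the second by hand.
$regPaths = [ordered]@{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    'Local'        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
}
foreach ($label in $regPaths.Keys) {
    $v = (Get-ItemProperty -Path $regPaths[$label] -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
    if ($v) { "DnsAvoidRegisterRecords [$label]: $($v -join ' ')" }
    else    { "DnsAvoidRegisterRecords [$label]: not set" }
}

# Locator records a client resolves when it looks for any DC in the domain, plus the
# site-specific record for this DC's own site (nltest prints the site name first).
$site  = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
$names = @("_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName")
if ($site) { $names += "_ldap._tcp.$site._sites.dc._msdcs.$DomainName" }

$advertised = 0
foreach ($name in $names) {
    # Keep only SRV answers whose target is this DC (additional A records are dropped).
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -ieq $DcFqdn }
    if ($srv) {
        $advertised++
        $first = @($srv)[0]
        "ADVERTISED  $name -> $($first.NameTarget) (priority $($first.Priority), weight $($first.Weight))"
    } else {
        "not listed  $name"
    }
}

# Re-advertising at DR time, as the answer describes: remove or unlink the GPO, then
#   gpupdate /force
#   Restart-Service Netlogon
# and re-run this script; every record above should then read ADVERTISED.
if ($advertised -eq 0) { Write-Warning "$DcFqdn is in none of the locator SRV records; clients will not find it." }
```

Run it before the DR test to confirm the suppression is in effect (records "not listed" while the policy value is set), and again after the GPO is removed and Netlogon restarted to confirm the DC is back in every locator record before clients are pointed at it.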

Similar Messages

  • Is iFolder a block-based replication tool?

    As per Novell iFolder for Replication - TechStop:
    "iFolder is an open source product developed initially by Novell. It gives you a folder that will do block level synchronization over the Internet"
    And as per Cool Solutions: Setting Up Novell iFolder:
    "When the user updates a file on any of the client workstations, the changed information is periodically updated to the Novell iFolder server. Data is mapped in 4KB blocks and only the changed blocks are transmitted"
    i.e., in short, by quoting the two references above, it seems that iFolder is a block-based replication tool.
    Is it really a block-based replication tool, or is iFolder a file-based replication tool?
    Please reply/comment.

    On 1/4/2012 6:56 AM, needee wrote:
    >
    > as per 'Novell iFolder for Replication - TechStop'
    > (http://itknowledgeexchange.techtarge...r-replication/)
    > "iFolder is an open source product developed initially by Novell. It
    > gives you a folder that will do block level synchronization over the
    > Internet"
    >
    > And as per 'Cool Solutions: Setting Up Novell iFolder'
    > (http://www.novell.com/coolsolutions/feature/1382.html)
    > "When the user updates a file on any of the client workstations, the
    > changed information is periodically updated to the Novell iFolder
    > server. Data is mapped in 4KB blocks and only the changed blocks are
    > transmitted"
    >
    > i.e in short by quoting the two references above, it seems that iFolder
    > is a block based replication tool.
    >
    > is it really a block based replication tool, or iFolder is a File base
    > replication tool.
    It focuses on files, and then if a file is edited, it does a block
    level replication.
    However, things that rename the file, work on a temp one, delete the old
    one, then rename tmp to the original name may look like a block change,
    but are really a file-level change.

  • Replication and AD Domain Services errors between 2 Domain Controllers

    Hi,
    I have 2 domain controllers (NJ-DC1-2K8 and NJ-DC2-2K8) set up in VMware Workstation 10. Recently, I've run into different errors in regards to replication, DNS and AD Domain Services. Both of my DCs are set up with static IPs pointing to each other for fault tolerance. Initially, one of my DCs had a lingering object error which I was able to fix after spending some time. The next day, when I tried to replicate the 2 DCs, the number of errors grew. I ran dcdiag, and it produced a list of crazy errors that I never saw before.
    I'm a newbie to the server environment, trying to gain knowledge, so I can't get those errors sorted out even though I tried a lot. I read a lot of online articles on different forums like Microsoft TechNet here trying to overcome this problem, but it didn't work. I even removed the DNS role and re-added it, but same problem. I guess removing the DNS role doesn't remove everything related to DNS. I'm going to upload pictures here of the different errors I got through the commands. I would appreciate it if someone can help me to get it fixed.
    Other than that, I also would like to know what is the best way to remove DNS and AD Domain Services and then reinstall them without demoting the server. What are some of the things I would have to keep in mind before doing that? How can I make sure that doing this wouldn't result in AD data loss like user accounts, Group Policies, computer accounts, etc.?
    Errors are as follows:
    1) C:\Users\Administrator>repadmin /syncall
        CALLBACK MESSAGE: The following replication is in progress:
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
        CALLBACK MESSAGE: Error issuing replication: 8451 (0x2103):
        The replication operation encountered a database error.
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
        CALLBACK MESSAGE: SyncAll Finished.
        SyncAll reported the following errors:
        Error issuing replication: 8451 (0x2103):
        The replication operation encountered a database error.
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
    2) C:\Users\Administrator>repadmin /showrepl
    Repadmin: running command /showrepl against full DC localhost
    NewJersey\NJ-DC1-2K8
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 16:16:49.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            29 consecutive failure(s).
            Last success @ 2014-07-06 16:06:25.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            19 consecutive failure(s).
            Last success @ 2014-07-06 16:10:47.
    Source: NewJersey\NJ-DC2-2K8
    ******* 30 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
    Last error: 8456 (0x2108):
                The source server is currently rejecting replication requests.
    3) C:\Users\Administrator>dcdiag /replsum
    Invalid Syntax: Invalid option /replsum. Use dcdiag.exe /h for help.
    C:\Users\Administrator>repadmin /replsum
    Replication Summary Start Time: 2014-07-06 21:03:28
    Beginning data collection for replication summary, this may take awhile:
    Source DSA          largest delta    fails/total %%   error
     NJ-DC1-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
     NJ-DC2-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
    Destination DSA     largest delta    fails/total %%   error
     NJ-DC1-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
     NJ-DC2-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
    4) C:\Users\Administrator>dcdiag /test:DNS
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = NJ-DC1-2K8
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Connectivity
             ......................... NJ-DC1-2K8 passed test Connectivity
    Doing primary tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... NJ-DC1-2K8 passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : Fleet
       Running enterprise tests on : Fleet.local
          Starting test: DNS
             Summary of test results for DNS servers used by the above domain controllers:
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
             ......................... Fleet.local passed test DNS
    5) C:\Users\Administrator>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = NJ-DC1-2K8
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Connectivity
             ......................... NJ-DC1-2K8 passed test Connectivity
    Doing primary tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Advertising
             ......................... NJ-DC1-2K8 passed test Advertising
          Starting test: FrsEvent
             ......................... NJ-DC1-2K8 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... NJ-DC1-2K8 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... NJ-DC1-2K8 passed test SysVolCheck
          Starting test: KccEvent
             ......................... NJ-DC1-2K8 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... NJ-DC1-2K8 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... NJ-DC1-2K8 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... NJ-DC1-2K8 passed test NCSecDesc
          Starting test: NetLogons
             ......................... NJ-DC1-2K8 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... NJ-DC1-2K8 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=ForestDnsZones,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:10:47.
                19 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=DomainDnsZones,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 21:04:16.
                The last success occurred at 2014-07-06 15:49:54.
                31 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: CN=Schema,CN=Configuration,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 15:49:54.
                10 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: CN=Configuration,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:06:25.
                29 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:16:49.
                30 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             ......................... NJ-DC1-2K8 failed test Replications
          Starting test: RidManager
             ......................... NJ-DC1-2K8 passed test RidManager
          Starting test: Services
             ......................... NJ-DC1-2K8 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/06/2014   20:17:29
                Event String: Name resolution for the name 2.5.16.172.in-addr.arpa timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 07/06/2014   20:18:05
                Event String:
                The dynamic registration of the DNS record '9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local. 600 IN CNAME NJ-DC1-2K8.Fleet.local.'
     failed on the following DNS server:
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/06/2014   21:04:01
                Event String: Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.
             ......................... NJ-DC1-2K8 failed test SystemLog
          Starting test: VerifyReferences
             ......................... NJ-DC1-2K8 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : Fleet
          Starting test: CheckSDRefDom
             ......................... Fleet passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Fleet passed test CrossRefValidation
       Running enterprise tests on : Fleet.local
          Starting test: LocatorCheck
             ......................... Fleet.local passed test LocatorCheck
          Starting test: Intersite
             ......................... Fleet.local passed test Intersite
    6) C:\Users\Administrator>repadmin /showrepl NJ-DC1-2K8
    NewJersey\NJ-DC1-2K8
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 16:16:49.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            29 consecutive failure(s).
            Last success @ 2014-07-06 16:06:25.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 21:04:16 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            31 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            19 consecutive failure(s).
            Last success @ 2014-07-06 16:10:47.
    Source: NewJersey\NJ-DC2-2K8
    ******* 31 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
    Last error: 8456 (0x2108):
                The source server is currently rejecting replication requests.
    7) C:\Users\Administrator>repadmin /showrepl NJ-DC2-2K8
    NewJersey\NJ-DC2-2K8
    DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    Site Options: (none)
    DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
    DSA invocationID: 3e8ee380-a165-4cef-b311-dadcf30f8406
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 21:04:22 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            53 consecutive failure(s).
            Last success @ 2014-06-26 23:01:29.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-06-26 22:56:54.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            7 consecutive failure(s).
            Last success @ 2014-06-26 22:56:56.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            7 consecutive failure(s).
            Last success @ 2014-06-26 22:57:01.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            23 consecutive failure(s).
            Last success @ 2014-06-26 22:57:03.
    Source: NewJersey\NJ-DC1-2K8
    ******* 53 CONSECUTIVE FAILURES since 2014-06-26 23:01:29
    Last error: 8457 (0x2109):
                The destination server is currently rejecting replication requests.
    Please, someone go through these different errors and walk me through exactly what I have to do to fix them.
    Thanks

    Hi,
    Actually, I made copies of those VMs to my external USB 3.0 HDD, so I can load up some of the VMs from it rather than from my internal HDD, since it would freeze on my internal one sometimes. The copied ones worked fine for a few days until recently, when I started having these different issues. I did look at USN rollback and applied the fix, but it didn't work. For the past few days, I've been spending endless hours on fixing them but it doesn't look like they are going to be fixed. It's driving me crazy and the bad news is that I've no backup of my data. I have 2 DCs and both have these issues.
    Building new domain controllers in VMs won't be a problem for me, but I'm worried about losing my AD database on both DCs, which includes user and computer accounts and a bunch of GPOs.
    I'm a newbie to the server environment. Can you please walk me through exactly how I can save the AD database, if possible, before I start doing the cleanup process on both of my DCs? I read some articles online which provide instructions on how I can clean up the AD metadata and take both DCs offline, but it's all confusing to me. They don't explain anything about saving the AD database, rather just demoting bad DCs. If you know a fix for my DCs that I can apply, so I won't have to do it all over and can save time, please let me know the step by step process or whatever you could help me with to bring those 2 DCs back up.
    Thanks
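A triage pass over the repadmin /showrepl output in this thread, as an added example (not from the poster and not a Microsoft tool): a PowerShell function that reads the text and reports the three things that stand out in the output above: DSA options carrying DISABLE_INBOUND_REPL or DISABLE_OUTBOUND_REPL, neighbours failing with 8456/8457 (source or destination "rejecting replication requests"), and a DSA invocationID that no longer matches its object GUID. The sample input is a shortened, constructed copy of the NJ-DC2-2K8 output from the post; in a live session feed it the output of `repadmin /showrepl <DC>` instead.

```powershell
# Added example (not from the thread). Parses repadmin /showrepl text and returns one
# finding per symptom; the sample is a shortened, constructed copy of the NJ-DC2-2K8
# output posted above.
function Get-ReplTriage {
    param([Parameter(Mandatory)][string[]]$Lines)

    $dsa = $null; $dsaGuid = $null; $context = $null
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($raw in $Lines) {
        $l = $raw.TrimEnd()
        # Unindented "Site\DCNAME" header starts a new DSA section.
        if ($l -match '^(\S+\\\S+)$') { $dsa = $Matches[1]; $dsaGuid = $null; $context = $null; continue }
        if ($l -match '^DSA Options:\s*(.*)$') {
            foreach ($opt in ($Matches[1] -split '\s+')) {
                if ($opt -match '^DISABLE_(INBOUND|OUTBOUND)_REPL$') {
                    $findings.Add([pscustomobject]@{ Dsa = $dsa; Kind = 'ReplicationDisabled'; Detail = $opt; Context = '' })
                }
            }
            continue
        }
        # Only the unindented GUID/invocationID lines describe the DSA itself;
        # indented ones belong to its neighbours.
        if ($l -match '^DSA object GUID:\s*(\S+)') { $dsaGuid = $Matches[1]; continue }
        if ($l -match '^DSA invocationID:\s*(\S+)') {
            if ($dsaGuid -and $Matches[1] -ne $dsaGuid) {
                $findings.Add([pscustomobject]@{ Dsa = $dsa; Kind = 'InvocationIdChanged'; Detail = "invocationID $($Matches[1]) differs from object GUID $dsaGuid"; Context = '' })
            }
            continue
        }
        # Unindented naming-context header (DC=... / CN=...) for the neighbours that follow.
        if ($l -match '^(DC=|CN=)') { $context = $l; continue }
        if ($l -match 'failed, result (\d+) \(0x[0-9A-Fa-f]+\)') {
            $code = [int]$Matches[1]
            if ($code -eq 8456 -or $code -eq 8457) {
                $side = if ($code -eq 8456) { 'source' } else { 'destination' }
                $findings.Add([pscustomobject]@{ Dsa = $dsa; Kind = 'RejectingReplication'; Detail = "$code ($side rejecting)"; Context = $context })
            }
        }
    }
    return $findings
}

# Constructed sample: shortened copy of "repadmin /showrepl NJ-DC2-2K8" from the post.
$sample = @'
NewJersey\NJ-DC2-2K8
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
DSA invocationID: 3e8ee380-a165-4cef-b311-dadcf30f8406
==== INBOUND NEIGHBORS ======================================
DC=Fleet,DC=local
    NewJersey\NJ-DC1-2K8 via RPC
        DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
        Last attempt @ 2014-07-06 21:04:22 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        53 consecutive failure(s).
        Last success @ 2014-06-26 23:01:29.
CN=Configuration,DC=Fleet,DC=local
    NewJersey\NJ-DC1-2K8 via RPC
        DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
        Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        10 consecutive failure(s).
        Last success @ 2014-06-26 22:56:54.
'@

Get-ReplTriage -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
# Live use: Get-ReplTriage -Lines (repadmin /showrepl NJ-DC2-2K8)
```

Reading the result: `ReplicationDisabled` on a DC that nobody set by hand is what the DC does to itself when it detects a USN rollback (Directory Service events 2095 and 2103), and booting a copied VM of a DC, as described in the follow-up above, is the textbook trigger. The flags can be cleared with `repadmin /options <DC> -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL`, but doing that before the rollback is understood lets divergent data replicate into the rest of the forest; the supported recovery is to force-demote and rebuild the affected DC (or restore it from a supported backup) and clean up its metadata. `InvocationIdChanged` on its own only says the database was restored or re-initialised at some point and is informational.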

  • Upgrade to Server 2012 R2 domain controllers from 2003

    I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
    We had two Server 2003 domain controllers and one of them was failing. I raised the forest functional level of our old primary domain controllers to 2003. I built the first replacement Server 2012 R2 domain controller, added the AD DS roles and promoted it as a domain controller. I let it sit for a couple of days. The FSMO roles were currently being handled by our other 2003 domain controller. Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing server and demoted it. Once demoted, I shut it down and pulled it out of the rack. I then built our second 2012 R2 server and gave it the same IP as the failing one. Installed the AD DS roles and integrated DNS as prompted by the wizard.
    I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master. Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network. I then demoted the first new controller (DC03), changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again. I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in, just not a second subnet that is through a hardware firewall. I don't see anything getting blocked while watching firewall logs, so I don't think the firewall is the issue.
    Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\username>dcdiag /v /test:dns
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine WGDDC01, is a Directory Server.
       Home Server = WGDDC01
       * Connecting to directory service on server WGDDC01.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
    AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
    ,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
    AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
    Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
    Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\WGDDC01
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... WGDDC01 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\WGDDC01
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... WGDDC01 failed test DNS
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : wgd
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running enterprise tests on : wgd.inet
          Starting test: DNS
             Test results for domain controllers:
                DC: WGDDC01.wgd.inet
                Domain: wgd.inet
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                   TEST: Basic (Basc)
                      The OS
                      Microsoft Windows Server 2012 R2 Standard (Service Pack level: 0.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
                         MAC address is B0:83:FE:C1:98:07
                         IP Address is static
                         IP address: 10.240.1.23
                         DNS servers:
                            10.240.1.23 (WGDDC01) [Valid]
                            10.240.1.24 (WGDDC02) [Valid]
                            127.0.0.1 (WGDDC01) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
                      [Error details: 5 (Type: Win32 - Description: Access is denied
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 10.240.1.23 (WGDDC01)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
                DNS server: 10.240.1.24 (WGDDC02)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
             Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
                Domain: wgd.inet
                   WGDDC01                  PASS WARN n/a  n/a  n/a  n/a  n/a
             ......................... wgd.inet passed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC01
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter WGD_INET:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.23
                                           10.240.1.24
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    When I try to bind a machine to the domain I get an error message that says "
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
    The error was: "This operation returned because the timeout period expired."
    (error code 0x000005B4 ERROR_TIMEOUT)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
    The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
    10.240.1.24
    10.240.1.23
    Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
    Please let me know if I'm missing something or if there are other things I can check.
    Thanks!
    I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as soon as our vendor supports their software to run on Windows 7.

    We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the domain connecting to the two new domain controllers, but the client machine that is trying to bind gives an error: "An Active Directory Domain Controller for the domain wgd.inet could not be contacted." It seems that this is just a DNS issue for one particular subnet (10.240.2.0/24). This subnet is set up in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
    When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out. The route is there and I can watch it connect through our hardware firewall over port 53.
    DC01
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\dsmythe>netdom query fsmo
    Schema master               WGDDC01.wgd.inet
    Domain naming master        WGDDC01.wgd.inet
    PDC                         WGDDC01.wgd.inet
    RID pool manager            WGDDC01.wgd.inet
    Infrastructure master       WGDDC01.wgd.inet
    The command completed successfully.
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC01
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter WGD_INET:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.23
                                           10.240.1.24
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\dsmythe>
    DC02
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\dsmythe>netdom query fsmo
    Schema master               WGDDC01.wgd.inet
    Domain naming master        WGDDC01.wgd.inet
    PDC                         WGDDC01.wgd.inet
    RID pool manager            WGDDC01.wgd.inet
    Infrastructure master       WGDDC01.wgd.inet
    The command completed successfully.
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC02
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter NIC1:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.24
                                           10.240.1.23
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\dsmythe>
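One way to narrow the "nslookup times out from 10.240.2.0/24" symptom is to query the DC locator SRV record from a host in that subnet over UDP and over TCP separately, since a firewall can treat the two differently. This is an added example, not part of the original post; it assumes a Windows 8/2012 or later client in the failing subnet and uses the domain and DNS server addresses shown in the thread.

```powershell
# Added example (not from the original post): resolve the DC locator SRV record
# against each configured DNS server over UDP and over TCP 53.
# Domain and server addresses are taken from the thread above.
$Domain     = 'wgd.inet'
$SrvRecord  = "_ldap._tcp.dc._msdcs.$Domain"
$DnsServers = @('10.240.1.23', '10.240.1.24')

function Test-DcLocatorSrv {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server
    )
    # Resolve-DnsName uses UDP first by default; -TcpOnly forces TCP 53.
    # A firewall that passes TCP 53 but drops UDP 53 shows up here as a UDP
    # timeout with a working TCP query on the same server, which would match
    # "I can see it connect over port 53 but nslookup times out".
    foreach ($transport in 'UDP', 'TCP') {
        $params = @{ Name = $Name; Type = 'SRV'; Server = $Server; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($transport -eq 'TCP') { $params['TcpOnly'] = $true }
        try {
            $answers = Resolve-DnsName @params | Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{
                DnsServer = $Server
                Transport = $transport
                Result    = 'OK'
                Detail    = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            }
        } catch {
            [pscustomobject]@{
                DnsServer = $Server
                Transport = $transport
                Result    = 'FAIL'
                Detail    = $_.Exception.Message
            }
        }
    }
}

$report = foreach ($s in $DnsServers) { Test-DcLocatorSrv -Name $SrvRecord -Server $s }
$report | Format-Table -AutoSize

# If UDP fails while TCP succeeds against the same server, the place to look is
# the firewall policy for UDP/53 between 10.240.2.0/24 and 10.240.1.0/24,
# not the domain controllers themselves.
```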

  • Active Directory Integrated DNS Zones, replicate only to specific domain controllers

    I have a customer with a fairly large Active Directory forest with many domains that they are trying to consolidate into a single domain, which will likely take 18 to 24 months according to their timeline. During this time, they would like all DNS zones to be serviced directly from the new domain controllers, meaning domain A would have replicas of domains B, C, D, E, etc. Because the environment is complex and some domain controllers in domains other than A are in a very sad state and replication problems abound, they would like to avoid replicating all zones forest wide.
    I've never done this before, or even considered it necessary. Is it even possible? I don't have a ton of time for trial and error, but based on this there seems to be some hope:
    https://technet.microsoft.com/en-us/library/cc753801.aspx?f=255&MSPPError=-2147217396
    Is this telling me how to do what I want to do?
    Thanks
    J
    Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

    He actually didn't specify much about the dynamic update requirements for the old domains; if they don't need secure dynamic updates then a primary zone would work:
    The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load either a standard primary or directory-integrated zone.
    REF: Understanding Dynamic updates
    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no guarantees and confers no rights.

  • I need to be able to find domain controllers that have been removed from the domain but never demoted

    I need to find domain controllers that have been removed but never demoted.
    Here's the story...
    I came on as an Active Directory administrator for an organization which has 600+ domain controllers, most running Server 2003, but I have some Server 2008 R2. Throughout all this time the organization has had DCs that have stopped working, crashed or failed for some reason, and all the IT department has done is create another domain controller, name it the same thing with an (A), (B) appended to the name, and then never remove any of the failed controllers from the directory.
    Thing is, this has been going on for quite some time; I don’t know for sure how long, as I am still trying to clean up DNS replication problems and have been having to go around and reset machine passwords for the forest. What I need to be able to do is to script something that will return all the failed DCs so that I can go into the directory and use NTDSUTIL to clean the machines. I don’t want to go into the directory and remove a machine that’s still out there. No one in the organization has a list or record of failed machines.
    You can see this may be a gargantuan task, but I need to be able to make it easier on myself by finding the machines first and cleaning out DNS, cleaning the DCs out of the “Sites” and cleaning them out of the directory.
    Appreciate any help I can get…

    Hi,
    Thanks for posting in the forum.
    Regarding your question, we should remove these orphaned DCs from AD; please refer to the following articles to perform the cleanup task.
    How to remove completely orphaned Domain Controller
    http://support.microsoft.com/kb/555846
    Complete Step by Step to Remove an Orphaned Domain controller
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
    Metadata Cleanup of a Domain controller
    http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
    Here is a similar thread as reference, hope it helps.
    Remove References of a Failed DC/Domain
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/87516188-731a-4b7f-a4cc-06ce4ad27b19/remove-references-of-a-failed-dcdomain
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    Andy Qi
    TechNet Community Support
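Before any of the cleanup procedures linked above are run, the asker still needs the list of DCs that are actually gone. The following is an added example, not code from the thread or from the linked articles: it walks the server objects under CN=Sites (the objects metadata cleanup removes), checks each DC's computer account for a recent logon, pings it, and probes LDAP on TCP 389, then writes a report without touching the directory. It assumes the ActiveDirectory module (RSAT) and at least one DC running AD Web Services (2008 R2 or later); the 60-day staleness threshold is a constructed default.

```powershell
# Added example (not from the thread): inventory every DC object in the forest
# and flag the ones that look dead, so the list can be reviewed by a human
# before any metadata cleanup. Read-only: it removes nothing.
Import-Module ActiveDirectory

# A DC whose computer account has not authenticated in this many days is suspect.
# lastLogonTimestamp replicates with up to 14 days of slack, so the threshold is
# deliberately wider than that (constructed default).
$StaleDays = 60

function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DcHealthReport {
    param([int] $StaleDays)
    $cutoff   = (Get-Date).AddDays(-$StaleDays)
    # Enumerate NTDS Settings objects in the configuration partition rather than
    # the Domain Controllers OU: a DC that died but was never demoted still has
    # its server object here, which is exactly what we want to find.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ntdsObjs = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNc"
    foreach ($ntds in $ntdsObjs) {
        $serverDn  = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server    = Get-ADObject -Identity $serverDn -Properties dNSHostName, serverReference
        $fqdn      = $server.dNSHostName
        $lastLogon = $null
        if ($server.serverReference) {
            # serverReference points at the DC's computer account in the domain partition.
            $acct = Get-ADObject -Identity $server.serverReference -Properties lastLogonTimestamp
            if ($acct.lastLogonTimestamp) {
                $lastLogon = [DateTime]::FromFileTime($acct.lastLogonTimestamp)
            }
        }
        $pingOk = $false
        $ldapOk = $false
        if ($fqdn) {
            $pingOk = Test-Connection -ComputerName $fqdn -Count 1 -Quiet -ErrorAction SilentlyContinue
            $ldapOk = Test-TcpPort -ComputerName $fqdn -Port 389
        }
        $stale = (-not $lastLogon) -or ($lastLogon -lt $cutoff)

        # Only call it dead when every signal agrees; ICMP alone can be filtered.
        $verdict = 'CHECK MANUALLY'
        if (-not $pingOk -and -not $ldapOk -and $stale) { $verdict = 'LIKELY DEAD' }
        if ($pingOk -and $ldapOk -and -not $stale)      { $verdict = 'ALIVE' }

        [pscustomobject]@{
            Server      = $server.Name
            Site        = (($serverDn -split ',')[2]) -replace '^CN=', ''
            DnsHostName = $fqdn
            LastLogon   = $lastLogon
            Ping        = $pingOk
            Ldap389     = $ldapOk
            Verdict     = $verdict
        }
    }
}

$report = Get-DcHealthReport -StaleDays $StaleDays
$report | Sort-Object Verdict, Site, Server | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\dc-health.csv" -NoTypeInformation
```

With 600+ DCs the serial ping and port probe take a while; the CSV is what to hand to whoever signs off on each metadata cleanup.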

  • Audit/Log GPO changes and Logging of new addition of Domain Controllers in the Event Log

    Hi all, 
    We are trying to log the following items in the event log for Windows 2012. This applies to a domain controller.
    1) Audit any changes made to the Group Policy
    2) Log the addition of new domain controllers added to the system.
    We need the Windows event log to record the above events for security purposes. Can anyone advise if this is doable? If yes, what are the steps?
    Thank you

    Hi,
    >>1) Audit any changes made to the Group Policy
    We can enable audit for directory service object access and configure specific SACL for group policy files to do this.
    Regarding a step-by-step guide for auditing changes to group policy, the following two blogs can be referred to for more information.
    Monitoring Group Policy Changes with Windows Auditing
    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx
    Auditing Group Policy changes
    http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
    >>2) Log the addition of new domain controllers added to the system.
    Based on my knowledge, when a server is successfully promoted to be domain controller, event ID 29223 will be logged in the System log.
    Regarding this point, the following thread can be referred to for more information.
    Is an Event ID for a completed Domain Controller promotion logged on the PDC?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/11b18816-7db0-49e2-9a65-3de0e7a9645e/is-an-event-id-for-a-completed-domain-controller-promotion-logged-on-the-pdc?forum=winserverDS
    Best regards,
    Frank Shen
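Once the auditing described in this reply is in place, the events still have to be pulled out of the logs. The following is an added example, not code from the thread or the linked blogs: it reads the Security-log directory service change events (5136 modified, 5137 created, 5141 deleted) and keeps only those whose object lives under CN=Policies,CN=System, and it reads the System-log event 29223 mentioned above for completed DC promotions. It assumes the "Audit Directory Service Changes" subcategory is enabled and a SACL exists on the Policies container; the 24-hour window is a constructed default, and it covers the AD side of a GPO only, not SYSVOL file changes.

```powershell
# Added example (not from the thread): report Group Policy object changes and
# DC promotions from the event logs of a domain controller.
# Run on a DC, or point -ComputerName at one. $Hours is a constructed default.
param(
    [string] $ComputerName = $env:COMPUTERNAME,
    [int]    $Hours        = 24
)

$since = (Get-Date).AddHours(-$Hours)

function Get-GpoChangeEvents {
    param([string] $ComputerName, [datetime] $Since)
    # 5136 = object modified, 5137 = object created, 5141 = object deleted.
    # These are only logged when Directory Service Changes auditing is on and
    # the object (here, the Policies container) carries a matching SACL.
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event XML carries the object DN, the attribute touched and the
            # account that made the change; the message text is awkward to parse.
            $xml = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['ObjectDN'] -like '*CN=Policies,CN=System,*') {
                $action = @{ 5136 = 'Modified'; 5137 = 'Created'; 5141 = 'Deleted' }[$_.Id]
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    Action    = $action
                    Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    ObjectDN  = $d['ObjectDN']
                    Attribute = $d['AttributeLDAPDisplayName']   # empty for 5137/5141
                    Value     = $d['AttributeValue']
                }
            }
        }
}

function Get-DcPromotionEvents {
    param([string] $ComputerName, [datetime] $Since)
    # Event 29223 in the System log, as noted in the reply above, marks a
    # completed promotion on the DC that was promoted.
    $filter = @{ LogName = 'System'; Id = 29223; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

Get-GpoChangeEvents   -ComputerName $ComputerName -Since $since | Format-Table -AutoSize
Get-DcPromotionEvents -ComputerName $ComputerName -Since $since | Format-List
```

Because 29223 is written on the newly promoted server's own log, forwarding the System log from every DC to a collector is what makes "log the addition of new domain controllers" reliable rather than querying one DC at a time.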

  • Retiring 2 domain Controllers

    Hi, we are looking to retire 2 out of our 5 2008 R2 domain controllers. There are no FSMO roles on these 2 controllers. The only other role is DNS. All devices and workstations are now pointing to other DNS servers besides these two.
    My question is that I want to simply shut down these 2 servers for a week or so and see if anything screams. If it does I can simply bring the controllers back up and figure out what went wrong. If nothing screams I can then safely demote them from being a domain controller.
    Is the act of shutting them down for a bit a valid way of testing? This will be done off hours, but what can the end users or application servers expect if the DC they were using is no longer there? Will they get error messages on the screen or will it silently go to another DC in the background?
    Any thoughts would be appreciated.
    Thanks

    Is the act of shutting them down for a bit a valid way of testing? This will be done off hours, but what can the end users or application servers expect if the DC they were using is no longer there? Will they get error messages on the screen or will it silently go to another DC in the background?
    Greetings!
    No, it is not. When they are offline the replication for sure will occur, and you may get replication problems due to tombstones, and lingering objects may appear. If you are concerned about the drawbacks of demotion, just do them one by one, check replication, and then go for the other one. But from a technical view it is OK to demote them if they are holding no FSMO roles.
    Regards.
    Mahdi Tehrani
    www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Restoration of Domain controllers

    Hi All,
    I have 2 RWDC domain controllers in headquarters and a few RODCs in branch offices. I have some questions on the restoration of the domain controllers and what is required to be done on the RODCs after the restoration of an RWDC.
    Example:
    All my RWDCs are down on site, but all the other RODC sites are still working properly. I recover one RWDC that holds all the FSMO roles by using a non-authoritative restore (restore from image). After the restoration, do I need to do anything else? Do I need to rebuild the RODCs?
    I tried to search all over the internet for this scenario but couldn't find anything.
    Please advise.
    Thanks, ALoy

    Hello,
    the RODCs will still get the updates from the RWDCs as long as replication works after the restore.
    But with 2 RWDCs you could also seize the FSMO roles on the other RWDC, in case the broken RWDC NEVER comes back, run metadata cleanup and then install a new RWDC into the domain AFTER the cleanup has also replicated to the RODCs.
    http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/
    Cleanup also requires removing references from AD Sites and Services, DNS zones and DNS server lists.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Dfs R Service Stopping before backup on Domain Controllers

    Hi,
    I have a weird issue where the DFS Replication service is stopping when a DC backup starts.
    Setup: Forest with 5 child domains. Only one of the domains is having the problem. This domain has DCs in the US and UK; all four DCs experience the same issue. All DCs are Server 2008 R2. DFSR is used for AD replication.
    Issue: DFS Replication service stops when a backup starts.
    The DFS Replication service is stopping communication with partner P1USDC01 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
    Additional Information:
    Error: 9036 (Paused for backup or restore)
    About 30 minutes later when the backup completed, DFS replication resumes.  
    As mentioned this happens to all 4 domain controllers in the domains, but no other domains are affected. AD replication stops during this time.
    Every time this happens the AD DB is rebuilt.
    lsass (548) A database location change was detected from 'D:\Active Directory\Windows\NTDS\DB\ntds.dit' to '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy168\Active Directory\Windows\NTDS\DB\ntds.dit'.
    I think this is more due to the VSS provider than an issue with the DB.
    Some ‘Googling/Binging’ shows that the error can be ignored as it resumes afterwards. But I'm not so sure. Why are my other domains not affected? They use the same backup procedure, same hardware, same OS, same patch revision (always 3 months behind current release).
    Any suggestions would be great!

    You can ignore it as long as it restarts. You can also create a scheduled task that will check the service and start it if it is not running.
    I would recommend starting by installing latest Windows Updates (Especially those ones: http://support.microsoft.com/kb/968429) and make sure that your backup solution is up-to-date too. 
    If none helped then I would recommend contacting your backup solution developers technical support for assistance.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted

    I have 2 domain controllers running 2003 Server, server1 and server2. I ran dcpromo on server1 and removed AD, removed it from the domain and disconnected it from the network. I then added a 2012 server with the same name and IP address, server1, with no problem. Replication from Sites and Services works fine on both controllers.
    The new 2012 server1 is a GC. I transferred all FSMO roles to server1. Again no problem, and replicating using Sites and Services. AD on server1 is populated correctly.
    Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted."
    I have DNS installed on both servers and both look good with replication there. The strange thing is, when on the 2012 server within DNS, if I right click and connect to another DNS server I can add server2 just fine, but from server2 adding server1 it tells me it is not available.
    Help please!

    Hi,
    As the Server 2012 DC (SERVER1) is operational in the domain, "This domain controller is the last controller for the domain" should remain unchecked when you demote the SERVER2 DC.
    If you are getting the error "no other Active Directory domain controllers for that domain can be contacted" while demoting the SERVER2 DC, then check the DNS settings on both as per the articles below and disable the Windows firewall on all DCs. Less likely, but worth checking: if the two are in different sites, check that the required ports are open on the firewall.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
    http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    Run “ipconfig /flushdns & ipconfig /registerdns“, restart the DNS Server and NETLOGON services on each DC, and try to demote the server2 DC again.
    If the issue reoccurs, post the dcdiag /q result.
    NOTE: If initial replication completed between both DCs (the new 2012 and the old DC), then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
    Active Directory Metadata Cleanup
    http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
    Best regards,
    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

  • Domain Controllers that are DNS servers DNS Client settings

    [Copying verbatim from a mail by Joe ]
    So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
    From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there is the quote
    "3.When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
    From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows Server 2008 R2 Core Network Guide)
    "9.        In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the
    local computer.
    10.       In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of
    the local computer."
    From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers)
    "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to
    itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should
    be configured only as a secondary or tertiary DNS server on a domain controller...
    Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary
    DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    Why shouldn't loopback be first? The justification is why you shouldn't only use loopback, not why it shouldn't be first.
    From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry)
    "If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. 
    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself,
    or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only
    as a secondary or tertiary DNS server on a domain controller."
    This also seems like justification against only using loopback versus using it first.
    Are there any actual real documented issues for using loopback first and a remote DNS server second and perhaps third? If the local DNS server service isn't working yet (or at all), I would expect the DNS Client process
    to try to connect to it, fail, and then failover to the secondary just like I would expect it to failover if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
    And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
    thanks, 
    joe

    As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See
    http://support.microsoft.com/kb/275278 for information about this scenario.
    However, there is still a known problem of slow boot times that can occur. See http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When multiple servers come online simultaneously after power is restored, there can be a significant delay.
    The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
    -Greg
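The guidance quoted in this thread (loopback present, not first, at least one other DC ahead of it) is easy to drift from across many DCs and adapters. The following is an added example, not code from the thread or from Microsoft: it reads each IPv4 adapter's DNS client list on the DC it runs on and reports which of those rules it breaks. It assumes Windows Server 2012 or later for Get-DnsClientServerAddress; the -KnownDcAddresses value passed at the bottom is a constructed placeholder for the other DCs' addresses.

```powershell
# Added example (not from the thread): audit a DC's DNS client settings against
# "include loopback, but not as the first entry, and do not point only to yourself".
$Loopback = @('127.0.0.1', '::1')

function Test-DcDnsClientConfig {
    # Optional: addresses of other DCs, so "other entries" can be checked for sanity.
    param([string[]] $KnownDcAddresses = @())

    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($a in $adapters) {
        $servers = @($a.ServerAddresses)
        # The adapter's own addresses count as "self" just like 127.0.0.1 does.
        $ownIps  = @(Get-NetIPAddress -InterfaceIndex $a.InterfaceIndex -AddressFamily IPv4 |
                     Select-Object -ExpandProperty IPAddress)
        $selfRefs = @($servers | Where-Object { $Loopback -contains $_ -or $ownIps -contains $_ })
        $others   = @($servers | Where-Object { $selfRefs -notcontains $_ })

        $findings = @()
        if ($servers[0] -in $Loopback -or $servers[0] -in $ownIps) {
            $findings += 'self/loopback listed first (slow-boot scenario in KB 2001093)'
        }
        if ($selfRefs.Count -eq 0) {
            $findings += 'no loopback or own-address entry'
        }
        if ($others.Count -eq 0) {
            $findings += 'points only to itself (island risk)'
        }
        if ($KnownDcAddresses.Count -gt 0 -and
            -not ($others | Where-Object { $KnownDcAddresses -contains $_ })) {
            $findings += 'no known DC among the other entries'
        }

        $status = if ($findings.Count -gt 0) { 'REVIEW' } else { 'OK' }
        [pscustomobject]@{
            Interface = $a.InterfaceAlias
            Servers   = $servers -join ', '
            Status    = $status
            Findings  = $findings -join '; '
        }
    }
}

# Constructed placeholder: replace with the addresses of the other DCs in the site.
Test-DcDnsClientConfig -KnownDcAddresses @('192.0.2.10') | Format-Table -AutoSize
```

Run it through Invoke-Command against the Domain Controllers OU to get one table for the whole fleet instead of logging on to each DC.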

  • Windows 2012 R2 default domain controllers policy set to enforced

    Hi Guys,
    So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
    I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that the default domain controllers policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced, but I'm wary of disabling this setting. The students return on Monday so I don't want to mess it up at this stage.
    One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the sysvol folder were not consistent with the ones in AD, so I followed its recommendation to update.
    Any advice you guys have on this would be greatly appreciated.
    David

    > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
    > and so far everything is running ok.
    This does NOT touch any GPOs, so your GPOs are not "migrated" or
    something like that - they are still what they were before.
    > enforced on my newly migrated domain. At home on my test server i see it
    > is not enforced by default and am wondering why this is?
    "A severe misunderstanding of how group policy inheritance and link order
    works" is the closest reason I see for this. The DDCP is linked to
    "Domain Controllers", and as long as you do not create subordinate OUs
    there (which I've never seen) and block inheritance on them, there's no
    reason to enforce.
    To add my experience from the field: When I see enforced GPOs, in most
    cases this enforcement is not required. People simply use it because
    they do not understand "link order".
    > One thing that i did find odd is when i first opened up the GPO's, i was
    > prompted with a message which stated that the policies in the sysvol
    > folder where not consistent with the ones in AD so i followed its
    > recommendation to update.
    That's fairly ok and nothing to hassle about.
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
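    A check for the point Martin makes above (added example, not code from the thread or from anyone in it): it walks the Domain Controllers OU and any OUs beneath it, lists the GPO links with their Enforced flag, and reports whether any child OU blocks inheritance, which is the only situation where enforcing the DDCP link would change the outcome. It assumes RSAT with the GroupPolicy and ActiveDirectory modules and read access to the domain.

```powershell
# Added example: audit GPO links on the Domain Controllers OU and its children.
# Assumes RSAT (GroupPolicy + ActiveDirectory modules) on a domain-joined box.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dcOU = (Get-ADDomain).DomainControllersContainer

# Subordinate OUs under Domain Controllers (normally there are none);
# Subtree includes the base OU itself, so exclude it explicitly.
$children = @(Get-ADOrganizationalUnit -Filter * -SearchBase $dcOU -SearchScope Subtree |
              Where-Object { $_.DistinguishedName -ne $dcOU } |
              Select-Object -ExpandProperty DistinguishedName)

foreach ($ou in (@($dcOU) + $children)) {
    $inh = Get-GPInheritance -Target $ou
    Write-Host "`n$ou  (inheritance blocked: $($inh.GpoInheritanceBlocked))"
    # Link order 1 is applied last, so it wins over higher numbers on the same OU
    foreach ($link in ($inh.GpoLinks | Sort-Object Order)) {
        $flag = if ($link.Enforced) { 'ENFORCED' } else { '' }
        Write-Host ("  [{0}] {1}  enabled={2}  {3}" -f $link.Order, $link.DisplayName, $link.Enabled, $flag)
    }
}

# Enforced only matters when a container below the link blocks inheritance or
# carries a conflicting link. With no blocking child OU, an enforced DDCP link
# buys nothing except precedence over other links on the same OU.
$blocking = @($children | Where-Object { (Get-GPInheritance -Target $_).GpoInheritanceBlocked })
if ($blocking.Count -eq 0) {
    Write-Host "`nNo child OU blocks inheritance: enforcing links on $dcOU is not required."
} else {
    Write-Host "`nChild OUs blocking inheritance (enforce would be needed to reach them):"
    $blocking | ForEach-Object { Write-Host "  $_" }
}
```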

  • DNS issues with replaced domain controllers

    I have a slight issue I hope someone can help with.
    We recently replaced some domain controllers in our 2 core sites. The process we followed is as below:
    Moved FSMO roles to different, already working servers.
    Demoted the old domain controllers and decommissioned them.
    Built virtual machine replacements with the same names.
    Dcpromo'd the servers.
    Ran all the tests and it reported everything was fine.
    Moved the FSMO roles to the new servers.
    Repeated this for the remaining servers.
    This was our 2003 domain, to free up physical space, but our new 2013 domain will exist separately until all our applications are tested.
    However, the problem we now have is that non-domain controllers have issues registering against the new servers despite being able to do look-ups against them all (replication testing looks fine). One of our regional DCs seems to have taken over as the primary
    replica, as changes made elsewhere disappeared but changes made there got replicated out perfectly.
    I have managed to resolve this particular issue by adding the domain controllers back into several locations in DNS manually (mainly Forward Lookup Zones > my domain > _tcp), but we still experience the odd issue with servers not registering in DNS properly
    (although it's a lot better since I did the above).
    So basically, does anyone have an idea of what could have caused this issue and how I can resolve it?

    Should the demotion not automatically remove it from Sites and Services (it could well be this if not)? The question then becomes how do we resolve the issues we have now.
    Hello,
    NO, as you can demote a DC and it still may run site-aware services like DFS, and for this reason a DC is NOT automatically removed from AD Sites and Services during the demotion process.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
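    A check that covers both the DC locator records the original poster had to re-create by hand and the leftover server objects Meinolf describes (added example, not code from the thread or from anyone in it): for every current DC it verifies that an _ldap._tcp.dc._msdcs SRV record exists, then lists server objects under Sites and Services that have no NTDS Settings child, which is what a demoted DC leaves behind. It assumes RSAT's ActiveDirectory module and the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example: verify DC locator SRV records and find stale server objects.
# Assumes RSAT ActiveDirectory module and Resolve-DnsName (DnsClient module).
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *

# 1. DC locator: clients find DCs through these SRV records, not plain A records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$registered = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

foreach ($dc in $dcs) {
    $fqdn = $dc.HostName.ToLower()
    if ($registered -contains $fqdn) {
        Write-Host "OK       SRV present for $fqdn (site $($dc.Site))"
    } else {
        # Netlogon re-registers the records on restart (or: nltest /dsregdns on that DC)
        Write-Host "MISSING  no _ldap._tcp.dc._msdcs record for $fqdn" -ForegroundColor Yellow
    }
}

# 2. Sites and Services: a live DC's server object has an NTDS Settings
#    (nTDSDSA) child; a server object without one is a demotion leftover.
$cfg     = (Get-ADRootDSE).configurationNamingContext
$servers = Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$cfg" -SearchScope Subtree
foreach ($s in $servers) {
    $ntds = Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $s.DistinguishedName -SearchScope OneLevel
    if (-not $ntds) {
        Write-Host "STALE    $($s.DistinguishedName) has no NTDS Settings; review before removing" -ForegroundColor Yellow
    }
}
```

Names reused for a replacement DC will match an existing server object, so the stale list only catches objects whose DC was never rebuilt.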

  • Announcing the availability of enabling Windows Server 2012 R2 Essentials' integration of Microsoft online services in environments with multiple domain controllers

    In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that
    have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due to limitations in the user account and password synchronization mechanism in Windows Server Essentials.
    I am happy to announce that with the recent Windows August Update released on (8/12/2014, PST), this limitation has been removed. This update adds support for both Azure
    Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server.
    For more information, please go to
    http://support.microsoft.com/kb/2974308

    Hi JoeBeck,
    Thanks for the comment. Could you please tell which link you clicked to download?
    Please go to PinPoint check details and start download
    http://pinpoint.microsoft.com/en-US/applications/Dynamics-CRM-Online-Add-in-12884966386
    Thanks,
    Shanghai Wicresoft
