DNS locator process

Hi,
I have 2 DCs (DC1 & DC2) in a site and I want all authentication traffic to go to DC2.
How can I achieve it?
What changes do I need to make in DNS?
Do the SRV records need to be updated in DNS?
==================
What about when the FSMO RID/PDC master goes down?

Hi,
You can use the AD Sites and Services console (dssite.msc) to create site and subnet objects to force authentication to a specific domain controller in a domain.
Check out the thread below on a similar discussion:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/14af04e4-a914-4801-a2a5-93708ccad50b/finding-a-domain-controller
Regards,
Gopi
JiJi Technologies
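The question above asks how to make the clients of one site send authentication to DC2 rather than DC1 and whether the SRV records need changing. Within a single site, site and subnet objects do not distinguish DC1 from DC2, since both DCs are in the client's site; what the locator uses to choose between them is the priority and weight of the SRV records that Netlogon registers for each DC (_ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<site>._sites.dc._msdcs.<domain>). Those values are set per DC with the LdapSrvPriority and LdapSrvWeight values under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (defaults 0 and 100) and re-registered by Netlogon on restart or with nltest /dsregdns, so editing the records by hand in DNS is pointless: the next registration overwrites them. The following is an added example, not code from this thread; it simulates the locator's record selection (site-specific name first, then domain-wide; lowest priority level only; weighted random within that level, per RFC 2782) over constructed SRV data for a hypothetical domain corp.example with site HQ, and shows what weight 0 and a raised priority on DC1 each do. It also illustrates the site-first lookup order that the "When the domain controller locator process happened" thread further down discusses.

```python
"""Simulate how the DC locator picks among LDAP SRV records (priority, then weight)."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred; higher values are used only as fallback
    weight: int     # relative share within one priority level; 0 means "only if nothing else"
    port: int
    target: str


def build_zone(domain: str, site: str, dcs):
    """Constructed zone data for the example (not a real DNS zone).

    Netlogon registers each DC's LDAP SRV record under the domain-wide name and under the
    site-specific name of the DC's own site; `dcs` is a list of (hostname, priority, weight).
    """
    zone = {}
    for host, priority, weight in dcs:
        rec = SrvRecord(priority, weight, 389, host)
        for owner in (f"_ldap._tcp.dc._msdcs.{domain}",
                      f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"):
            zone.setdefault(owner.lower(), []).append(rec)
    return zone


def locator_candidates(zone, domain: str, client_site=None):
    """The locator queries the client's site-specific name first, then the domain-wide name."""
    if client_site:
        recs = zone.get(f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}".lower(), [])
        if recs:
            return recs
    return zone.get(f"_ldap._tcp.dc._msdcs.{domain}".lower(), [])


def select_target(records, rng=random):
    """RFC 2782 selection: keep only the lowest priority level, then pick by weight."""
    if not records:
        return None
    best = min(r.priority for r in records)
    # Zero-weight records go first so they are chosen only when the random pick is exactly 0.
    pool = sorted((r for r in records if r.priority == best), key=lambda r: r.weight != 0)
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool).target
    pick = rng.randint(0, total)   # inclusive on both ends, as the RFC algorithm requires
    running = 0
    for rec in pool:
        running += rec.weight
        if running >= pick:
            return rec.target
    return pool[-1].target


def distribution(zone, domain: str, client_site, trials: int = 2000, seed: int = 1):
    """Run the locator `trials` times with a seeded RNG and count which DC each pass chose."""
    rng = random.Random(seed)
    recs = locator_candidates(zone, domain, client_site)
    return dict(Counter(select_target(recs, rng) for _ in range(trials)))


if __name__ == "__main__":
    dom, site = "corp.example", "HQ"
    even = build_zone(dom, site, [("dc1.corp.example", 0, 100), ("dc2.corp.example", 0, 100)])
    steered = build_zone(dom, site, [("dc1.corp.example", 0, 0), ("dc2.corp.example", 0, 100)])
    strict = build_zone(dom, site, [("dc1.corp.example", 200, 100), ("dc2.corp.example", 0, 100)])
    print("defaults      :", distribution(even, dom, site))
    print("DC1 weight 0  :", distribution(steered, dom, site))
    print("DC1 prio 200  :", distribution(strict, dom, site))
```

Two things the simulation makes visible that matter operationally. Weight 0 still leaves DC1 a small share (one pick in weight+1), so if the requirement is "never DC1 while DC2 is up", a higher LdapSrvPriority on DC1 is the right knob, and the same records then make DC1 the automatic fallback when DC2's records are gone. Second, this is steering, not enforcement: nothing prevents a client, or an attacker, from binding to DC1 directly by name, and a client that has already located DC1 keeps using it until its cached result expires or it restarts (the "bound to the logon server" point made further down the page), so DC1 needs the same hardening and monitoring as DC2.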

Similar Messages

  • DNS server process, high CPU usage

    Hello,
    I am having a problem with high CPU usage from the DNS process. We have a 1921 set up in a network of about 100 workstations that use it as the DNS server. It also performs split-view functionality for a couple of domains in order to avoid hairpin NAT. I know that a router is not fit for heavy server duty but such a setup was unfortunately necessary.
    In peak work hours we often have the CPU hitting 100% with the DNS server process being the root cause, and on several occasions we had the DNS process stuck in such a state for prolonged periods of time during which other router functions were affected (it's the default gateway, IPsec concentrator etc.). Sometimes shutting down the process and restarting it would solve the problem, but once it required a full reload in order to restore functionality (such was the description that the engineer on duty reported to me).
    Forwarder queue statistics:
    Current size = 0
    Maximum size = 86
    Drops        = 0
    IOS upgrade did not help, we are currently running 15.2(2)T.
    The question is ... is such behaviour (CPU load) to be expected on a LAN with 100 workstations due to the slow CPU on the router, or do we have a buggy IOS DNS server (requiring a TAC case)?
    The previous solution seemed to do this job quite nicely (even though it was also a router), so I am not inclined to think that we are dealing with someone DoS-ing the DNS (WAN access to DNS is of course forbidden).
    P.S.
    Since we moved servers off the router's DNS, we do not receive complaints, but we had a couple of unresolved messages a day while the mail server was using the router for DNS. I am suspecting that an old bug where IOS DNS servers occasionally send clients back empty DNS replies (properly formatted message but without an A record) could still be around?

    Hi,
    I have the same problem on a UC540 and a 2911 on IOS 15.0.1. CPU high, router crashed. A reboot helps, but only until CPU usage spikes again. The only fix is to remove "ip dns server" from the config and use a different DNS server.
                        111                       1111    1111111111
              999999999900077777777799999777778888000099990000000000
        322222111119999900077776666622222111119999000088880000000000
    100            ********                       ******************
     90       *************         *****     **********************
     80       ***************************     **********************
     70       ******************************************************
     60       ******************************************************
     50       ******************************************************
     40       ******************************************************
     30       ******************************************************
     20       ******************************************************
     10       ******************************************************
       0....5....1....1....2....2....3....3....4....4....5....5....6
                 0    5    0    5    0    5    0    5    0    5    0
                   CPU% per second (last 60 seconds)
    After removing "ip dns server":
                                           111                      
                                 99999999990007777777779999977777888
                  33333333332222211111999990007777666662222211111999
    100                               ********                      
     90                          *************         *****     ***
     80                          ***************************     ***
     70                          ***********************************
     60                          ***********************************
     50                          ***********************************
     40                          ***********************************
     30                          ***********************************
     20                          ***********************************
     10                          ***********************************
       0....5....1....1....2....2....3....3....4....4....5....5....6
                 0    5    0    5    0    5    0    5    0    5    0
                   CPU% per second (last 60 seconds)

  • When the domain controller locator process happened

    Hi guys,
    I read lots of articles about how a domain controller is located. And so far I thought I knew most of the process, but I still have some questions.
    1. When does the DC locator happen: does it just start during computer boot-up, or is it started after the user presses CTRL+ALT+DEL and inputs username and credentials?
    2. Based on the following TechNet article, step 7, what's the difference between "If the client has found a DC in the site in which the DC claims the client is located" and "If the returned domain controller is in the closest site"? And step 8, if the domain that is being queried is the same as the domain that the computer joined, does the first domain mean the domain the user belongs to? Like xxx\username?

    Hi Jacky,
    I assume that you are talking about this article:
    Active Directory: Using Catch-All Subnets in Active Directory
    http://technet.microsoft.com/en-us/forefront/2009.06.subnets.aspx
    >When does the DC locator happen: does it just start during computer boot-up, or is it started after the user presses CTRL+ALT+DEL and inputs username and credentials?
    The DC locator initiates after we input domain credentials and press Enter.
    >What's the difference between "If the client has found a DC in the site in which the DC claims the client is located" and "If the returned domain controller is in the closest site"?
    "If the client has found a DC in the site in which the DC claims the client is located" means that the client and a DC are located in the same site. "If the returned domain controller is in the closest site" means that a DC which is located in the closest site is found (based on site link cost).
    >If the domain that is being queried is the same as the domain that the computer joined, does the first domain mean the domain the user belongs to? Like xxx\username?
    Yes, you are right that the first domain means the domain the user account which tries to log on belongs to.
    More information for you:
    Enabling Clients to Locate the Next Closest Domain Controller
    http://technet.microsoft.com/en-us/library/cc733142(v=WS.10).aspx
    I hope this helps.
    Amy

  • Backup DNS Records

    Afternoon,
    Is there a way to create a back-up A record in order to provide redundancy?
    I'm currently in the middle of setting up a DR site and looking to find a way to have a set of DNS records pointing at existing servers' host names but with different IP addresses, so that in the event that we require to bring a replicated server up at the DR site
    the DNS record would automatically switch over after the TTL has expired on the primary link.
    Our DNS service runs on a Windows Server 2012 environment in a cluster of 3 servers for redundancy.
    Thanks

    To answer/address the question about the same records with different IPs, unfortunately it doesn't work that way with AD. The IPs registered are absolute for the service locations, and they must be consistent across the organization for AD DC-to-DC communications,
    including replication, and client-to-DC communications. If you attempt to alter them, it will cause numerous errors and additional headaches that I'm sure you do not want to deal with.
    Just set up two DCs at the DR; do not make them GCs. Just make them GCs in case a down issue occurs. Depending on whether you have 3 or more sites, this may also require making individual site links for each site and disabling BASL. The reasons are long-winded,
    but it's technically how AD works. You can design around it, but you can't mess with DNS. And keep in mind, just because they are up, services and client apps may not be so forgiving to "see" the DR servers until they've been restarted.
    So there's more to this than it appears.  
    You can read up in this stuff in the following link:
    AD Site Design, DNS & the DC Locator Process, and Auto Site Link Bridging, or Bridge All Site Links (BASL)
    http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
    The blog below discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
    Client side resolution process chart.
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
    Client side resolution process chart
    Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM
    http://blogs.msmvps.com/acefekay/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm/
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Primary DNS resolution slow if PDC role DC is down

    Hello,
    In my environment I'm running purely Windows Server 2012 in a two-site environment. I run a single-domain infrastructure with my main site that has 2 domain controllers (one has all FSMO roles), and a second site which has a single domain controller.
    I've been looking all over the forums for a related topic, but haven't read anything that fits my scenario. Basically what happens is, if the DC that has the FSMO roles (specifically PDC) goes offline, or if I were to turn the DNS service
    off, all devices would take forever for DNS resolution. Another scenario (which is essentially the same) is if the VPN tunnel between the two sites goes down, all clients at site 2 would take a while for DNS resolution. If those clients launch their
    browser, any website they go to takes 5-10 seconds to load. They could reboot their PC and do ipconfig /flushdns, and even though those clients' DNS settings point to the DC at site 2 as primary DNS, it takes a while. As soon as the PDC server is
    restored everything is back to normal. Quite frequently the VPN tunnel will go down, leaving very slow responses at site 2. Oddly enough, if the tunnel were to go down and I logged into the DC at site 2, if I were to ping various domains the
    response would take 5 or so seconds. Is this normal to occur? If not, how could I possibly remedy this? My assumption is that, if the primary DNS were to go down, or in this case the PDC server goes down, one of the secondary servers would
    kick in. I appreciate any light you can shed on this issue.
    Ken

    I agree with Meinolf. It's not always the fault of the DNS or PDC or whatever DC is in question. A lot of it is due to the client-side resolver algorithm. Here's more specifics on how the whole process works - and note that this applies to all operating systems,
    Windows, Linux, Unix, BeOS..... because they all follow the RFCs defining how client-side resolvers work.
    This blog discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
    Client side resolution process chart.
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
    Client side resolution process chart
    Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
    DNS Clients and Timeouts (Part 1 & Part 2), karammasri [MSFT] Dec 2011 6:18 AM
    http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
    http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx
    DOMAIN NAMES - CONCEPTS AND FACILITIES - Discusses local resolvers.
    http://tools.ietf.org/html/rfc882
    =============
    To add on how the client resolver picks a nameserver, below is a link to a discussion that points out the following - and please note, the operative point in the first bullet point indicates "equivalent," meaning that all DNS servers you enter into a NIC,
    must all reference the same exact data, so you can't mix nameserver with different data and expect the client to try all of them.
    •by RFC, all nameservers in a zone's delegation are equivalent
    •they are indistinguishable to the client
    •clients are allowed to choose the NS to query with whichever policy they wish
    •if any picked server fails to respond (e.g. "ns3"), then the next server is picked among the remaining set (e.g. ns1 and ns2) according to the policy
    •often clients use sophisticated policies that "score" servers and pick more often the ones that replied faster
    •as a by-product, in practice this policy makes caches favor "nearest" servers
    That was quoted from:
    When is a secondary nameserver hit?
    http://serverfault.com/questions/130608/when-is-a-secondary-nameserver-hit
    ===============
    So you have to check when the first DNS goes down; not all directory-enabled apps can handle it.
    Another issue is that the client has bound to the logon server during the DC Locator process. That's difficult to mess with other than restarting the machine...
    Ace Fekay

  • IPad can no longer find my Current (home) Location.

    Ever since returning home to Dubrovnik, Croatia (via Frankfurt Airport) my iPad still thinks Frankfurt is my Current Location!
    I can see from my Maps that it is centred on the airport there.
    How do I reset my iPad to recognise my real location, as it obviously doesn't plan to do it automatically - I've been home over 4 days!
    Thank you.

    Never was very good at "wait & see" so decided to try something!
    Disconnected home Router.
    Removed all Apps from iPad (not iTunes) calling for Location status.
    Disabled Location Services - iPad Settings.
    Shut down iPad and restarted.
    Re-installed removed Apps from PC (iTunes).
    Shut down iPad and restarted.
    Re-connected Router.
    Enabled Location Services.
    Current Location found!!
    It is of course entirely possible this operation coincided with the natural re-location process but I have my doubts!
    Hope this helps...
    Paul.

  • Max locate size

    Hello, does anyone know the max locate size that a SNASw router will set for the locate process?
    For VTAM it is 16K; for the Cisco SNASw?
    I can't find this in the doc and I think my "location" problem depends on this.
    Many thanks in advance to the people that will reply.
    Cheers, Alex

    Hi Alex,
    In IOS 12.1 and 12.2 SNASw is bound by a locate size of 1K, which means if you have more than 8-10 uplinks defined you may run out of room and encounter less desirable session paths or outright session failures.
    An enhancement was added in IOS 12.2T to make the size 4K. If you want to stay with IOS 12.1 or 12.2 (because they are more stable than 12.2T), you can work around the problem by only configuring uplinks to your primary NNS/DLUS and backup NNS/DLUS, and using a connection network for all other uplinks (vnname on port). Then SNASw would only include 3 tail vectors in each locate (one to the primary, one to the backup, and one to the virtual routing node).
    - Ray

  • Domain Controllers that are DNS servers DNS Client settings

    [Copying verbatim from a mail by Joe ]
    So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
    From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there
    is the quote
    "3.When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
    From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows
    Server 2008 R2 Core Network Guide)
    "9.        In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the
    local computer.
    10.       In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of
    the local computer."
    From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS:
    DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers)
    "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to
    itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should
    be configured only as a secondary or tertiary DNS server on a domain controller...
    Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary
    DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    Why shouldn't loopback be first? The justification given is for why you shouldn't use only loopback, not why it shouldn't be first.
    From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS:
    DNS servers on <adapter name> should include the loopback address, but not as the first entry)
    "If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. 
    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself,
    or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only
    as a secondary or tertiary DNS server on a domain controller."
    This also seems like justification against only using loopback versus using it first.
    Are there any actual real documented issues for using loopback first and a remote DNS server second and perhaps third? If the local DNS server service isn't working yet (or at all), I would expect the DNS Client process
    to try to connect to it, fail, and then failover to the secondary just like I would expect it to failover if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
    And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
    thanks, 
    joe

    As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See
    http://support.microsoft.com/kb/275278 for information about this scenario.
    However, there is still a known problem of slow boot times that can occur. See
    http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When
    multiple servers come online simultaneously after power is restored, there can be a significant delay.
    The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
    -Greg

  • Call Bpel process through HTTP get or post method

    I need to call a BPEL process from mobile.
    On mobile we are using HTTP GET or POST methods, so can anybody tell me how to invoke BPEL (how to pass input to BPEL) using the HTTP GET or POST method?
    Vivek garg
    Edited by: 809104 on Dec 24, 2010 2:36 AM

    I got the solution.
    We just need to change the binding in the WSDL file from SOAP to HTTP.
    First of all add three namespaces to the WSDL file:
    xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    Then change the request message from element type to string type like below:
    <message name="UserLoggOffRequestMessage">
    <part name="UserId" type="xsd:string"/> (add this one))
    <!--<part name="payload" element="client:UserLoggOffProcessRequest"/>-->(remove this one)
    </message>
    Then change the binding
    <binding name="UserLoggOffBinding" type="client:UserLoggOff">
    <http:binding verb="GET"/>
    <operation name="process">
    <http:operation location="/process"/>
    <http:urlEncoded/>
    <output>
    <mime:mimeString part="Body"/>
    </output>
    </operation>
    </binding>
    Then make some changes in the service tag. We need to change the location only:
    we need to remove orabpel from the location and add httpbinding
    http://infva04718.vshodc.lntinfotech.com:8888/*orabpel*/MobileApplication/UserLoggOff/1.0
    http://infva04718.vshodc.lntinfotech.com:8888/*httpbinding*/MobileApplication/UserLoggOff/1.0
    like the following:
    <service name="UserLoggOff">
    <port name="UserLoggOffPort" binding="client:UserLoggOffBinding">
    <http:address location="http://infva04718.vshodc.lntinfotech.com:8888/httpbinding/MobileApplication/UserLoggOff/1.0"/>
    </port>
    </service>
    Then deploy the process; then you can invoke it with
    http://infva04718.vshodc.lntinfotech.com:8888/httpbinding/MobileApplication/UserLoggOff/process?UserId=a1
    Here "process" is the name of the process you want to invoke.

  • Named Error - unable to read locator from NCP

    OES 11 SP2 with DSFW
    when rcnovell-named loads, the named.run returns :
    dns/db : critical : unable to read locator from NCP server
    dns/db : critical : Failed to lod RRs of rootserver zone with error -10
    ldapsearch -x -b "" objectClass=dNIPlocator returns 0 object
    The DNSDHCP locator object is in the tree and I have checked all its
    attributes and references
    I have tried out most of the TIDs on this
    Any help would be appreciated
    Steve

    Here they are :
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn =auth
    SASL SSF: 0
    dn: cn=DNS_dsfw-2,ou=OESSystemObjects,o=WILLDAV
    dNIPServerDN: cn=dsfw-2,ou=OESSystemObjects,o=WILLDAV
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn =auth
    SASL SSF: 0
    dn: cn=dsfw-2,ou=OESSystemObjects,o=WILLDAV
    dNIPLocatorPtr: cn=DNS-DHCP,o=WILLDAV
    dNIPDNSServerReference: cn=DNS_dsfw-2,ou=OESSystemObjects,o=WILLDAV
    Steve wrote:
    > Had to export LDAPCONF first ...
    >
    > But, my syntax must be wrong as no objects are found
    >
    >
    > Steve wrote:
    >
    > > Sorry - BAD syntax in my LDAP statement :
    > > Should have been "ldapsearch -x -b "o=willdav"
    > > objectClass=dNIPlocator". This does return the object :
    > >
    > > dn: cn=DNS-DHCP,o=willdav
    > > objectClass : Rop
    > > objectClass: dNIPLocator
    > > cn: DNS-DHCP
    > > name: DNS-DHCP
    > >
    > >
    > >
    > > I'm getting this response for each query:
    > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    > > additional info: SASL(-4): no mechanism available:
    > >
    > > My statement syntax is :
    > > ldapsearch -Y EXTERNAL -s base -b
    > > "cn=DNS_dsfw2,ou=OESSystemObjects,o=willdav" dNIPServerDN -LLL dn:
    > > cn=DNS_dsfw-2,ou=OESSystemObjects,o=willdav dNIPServerDN:
    > > cn=dsfw-2,ou=OESSystemObjects,o=willdav
    > >
    > >
    > >
    > > rkamalesh wrote:
    > >
    > > >
    > > > thhg;2303944 Wrote:
    > > > > OES 11 SP2 with DSFW
    > > > >
    > > > > when rcnovell-named loads, the named.run returns :
    > > > >
    > > > > dns/db : critical : unable to read locator from NCP server
    > > > > dns/db : critical : Failed to lod RRs of rootserver zone with
    > > > > error -10
    > > > >
    > > > >
    > > > >
    > > > > ldapsearch -x -b "" objectClass=dNIPlocator returns 0 object
    > > > >
    > > > > The DNSDHCP locator object is in the tree and I have checked all
    > > > > its attributes and references
    > > > >
    > > > >
    > > > > I have tried out most of the TIDs on this
    > > > >
    > > > > Any help would be appreciated
    > > > >
    > > > > Steve
    > > >
    > > >
    > > > Hi Steve,
    > > >
    > > > Welcome back!! Could you please attempt the below searches and
    > > > copy the output here
    > > >
    > > > 1. Search for dNIPServerDN for NCP server object on DNS Server
    > > > object. frd:~/Desktop/x86_64 # ldapsearch -Y EXTERNAL -s base -b
    > > > "cn=DNS_frd,ou=OESSystemObjects,o=novell" dNIPServerDN -LLL
    > > > dn: cn=DNS_frd,ou=OESSystemObjects,o=novell
    > > > dNIPServerDN: cn=frd,ou=OESSystemObjects,o=novell
    > > >
    > > > 2. Search for dNIPLocatorPtr attribute on NCP server object that
    > > > points to DNS Locator object and ensure all are good.
    > > > frd:~/Desktop/x86_64 # ldapsearch -Y EXTERNAL -s base -b
    > > > cn=frd,ou=OESSystemObjects,o=novell dNIPDNSServerReference
    > > > dNIPLocatorPtr -LLL
    > > > dn: cn=frd,ou=OESSystemObjects,o=novell
    > > > dNIPLocatorPtr: cn=DNS-DHCP,ou=OESSystemObjects,o=novell
    > > > dNIPDNSServerReference: cn=DNS_frd,ou=OESSystemObjects,o=novell
    > > >
    > > > Based on this search result we will explore further.
    > > >
    > > > -Kamalesh

  • SRP541w DNS Proxy issue

    I'm running FW 1.02.01 (23) and I'm having problems with the DNS proxy.  I have DNS Proxy enabled for my DHCP server on the router and I have my dns server programmed into the global dns location.  I cannot ping any DNS names for my IPSEC VPN tunnel.
    Thanks,
    Adam De Lay

    Hi Adam,
    Could I first recommend that you upgrade to version 1.2.4.  This is available for free download, just go to www.cisco.com/go/srp500 and look for the link on the right.
    If you are still seeing the issue after upgrade, could you please grab the device status file (Administration > Remote Support) and send to me please. [Don't post it here]
    Regards,
    Andy

  • Reverse DNS not working

    Noticed today that reverse DNS is no longer working for our (10) VMs. It was yesterday and had been for several weeks.
    I removed and re-added one of them. Waited for over an hour and still not resolving.
    PS C:\Windows\system32> Get-AzureService "emvpodeast2"
    ServiceName             : EMVPodEast2
    Url                     : https://management.core.windows.net/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/services/hostedservices/EMVPodEast2
    Label                   : EMVPodEast2
    Description             : emvpodeast2 with Reverse DNS
    Location                : East US
    AffinityGroup           :
    Status                  : Created
    ExtendedProperties      : {[ResourceGroup, EMVPodEast2], [ResourceLocation, East US]}
    DateModified            : 12/23/2014 10:32:34 AM
    DateCreated             : 9/2/2014 7:44:55 PM
    ReverseDnsFqdn          : fathersonholyghosttown.com.
    WebWorkerRoleSizes      : {}
    VirtualMachineRoleSizes : {}
    OperationDescription    : Get-AzureService
    OperationId             : xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
    OperationStatus         : Succeeded
    PTR Check:
    http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a191.238.18.70&run=toolpage

    I'm having the exact same issue here.
    There were no IP changes. Reverse DNS was working until it wasn't anymore. We noticed it on the 22nd December when about 400 e-mails were refused from our newsletter because there was no reverse DNS.
    Tried reconfiguring like SIRob45 but to no avail.
    PS C:\> Get-AzureService "assistimo"
    ServiceName             : assistimo
    Url                     :
    https://management.core.windows.net/cac66cff-7d19-41a7-a012-e2197e145d36/services/hostedservi
                              ces/assistimo
    Label                   : assistimo
    Description             : S4 reverse DNS
    Location                : North Europe
    AffinityGroup           :
    Status                  : Created
    ExtendedProperties      : {[ResourceGroup, assistimo], [ResourceLocation, North Europe]}
    DateModified            : 24/12/2014 17:33:26
    DateCreated             : 14/11/2014 13:50:26
    ReverseDnsFqdn          : s4.assistimo.pt.
    WebWorkerRoleSizes      : {}
    VirtualMachineRoleSizes : {}
    OperationDescription    : Get-AzureService
    OperationId             : 670e5f9b-206d-5b41-a3c7-f5acf5f89fcd
    OperationStatus         : Succeeded
    Results from
    http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a191.235.218.152&run=toolpage:
    ptr:191.235.218.152
    No ptr Records exist
    History results (reported by PRD2.AZUREDNS-CLOUD.NET on 12/1/2014 at 11:15:54 AM (UTC -6)):
    Type: PTR, IP Address: 191.235.218.152, Domain Name: assistimo.cloudapp.net, TTL: 1 min
    Session Transcript:
    MXTB-PWS3v2 468ms
      0  f.in-addr-servers.arpa  193.0.9.1  NON-AUTH  109 ms  Received 8 Referrals , rcode=NO_ERROR    NS tinnie.arin.net,NS ns-lacnic.nic.mx,NS ns3.afrinic.net,NS ns.lacnic.net,NS sec1.authdns.ripe.net,NS sec3.apnic.net,NS a.arpa.dns.br,NS ns2.lacnic.net,
      1  tinnie.arin.net  199.212.0.53  NON-AUTH  31 ms  Received 5 Referrals , rcode=NO_ERROR    NS PRD1.AZUREDNS-CLOUD.NET,NS PRD5.AZUREDNS-CLOUD.NET,NS PRD3.AZUREDNS-CLOUD.NET,NS PRD4.AZUREDNS-CLOUD.NET,NS PRD2.AZUREDNS-CLOUD.NET,
      2  PRD2.AZUREDNS-CLOUD.NET  65.55.117.43  AUTH  46 ms  Received 1 Answers , rcode=NO_ERROR    PTR assistimo.cloudapp.net,  
    We have no support contract and cannot submit a support request as suggested.
    Thank you in advance.
    Carlos R. Calado

  • I have questions about DNS: Is this a DNS LOOP?

    Hi, everyone:
      I've read some text about the Domain Name System, and found something I can't understand:
      Many texts say something like this:
      Suppose the resolver wants to get the IP address of the domain www.example.com. The DNS query process looks like:
      1. The Resolver asks one or more of the ROOT-SERVERS
      2. The ROOT-SERVERS answer the client that www.example.com is managed by the GTLD-SERVERS, and the ROOT-SERVERS give some additional records to the Resolver about the IP addresses of those GTLD-SERVERS
      3. The Resolver asks the GTLD-SERVERS about the domain www.example.com
      4. The GTLD-SERVERS tell the Resolver to ask the IANA-SERVERS again, and again tell the Resolver the IP address of the name server of the IANA-SERVERS
      5. Now the Resolver goes on asking the IANA-SERVERS about the domain www.example.com, and NOW the IANA-SERVERS answer the Resolver with the IP address of www.example.com
      My first question is:
      Does the Resolver rely on the ADDITIONAL SECTION?
      Now suppose I have two domains: example.com and example.org
      And I have registered my own name servers: ns.example.com and ns.example.org
    Now I go to the registrar and change my DNS as follows:
    example.com  => ns.example.org
    example.org  => ns.example.com
    Then the resolver asks for www.example.com again. In my opinion, the process may look like this:
    1. The Resolver asks the ROOT-SERVERS about the domain www.example.com
    2. The ROOT-SERVERS answer that the Resolver should ask the GTLD-SERVERS, and tell it the IP addresses of those GTLD-SERVERS
    3. The Resolver now asks one or more of the GTLD-SERVERS
    4. The GTLD-SERVERS answer the Resolver that he should ask ns.example.org, but the GTLD-SERVERS do not know the IP address of ns.example.org, because the ORG domain is not managed by them.
      Then the Resolver must know the IP address of ns.example.org first if he wants to resolve www.example.com
    5. The Resolver asks the ROOT-SERVERS about the domain ns.example.org
    6. The ROOT-SERVERS tell him to ask a0.org.afilias-nst.org .... and give him some additional records
    7. The Resolver asks a0.org.afilias-nst.org
    8. a0.org.afilias-nst.org tells him to ask ns.example.com, because as far as HE knows, that is the name server of example.org, but HE does not have any additional records about ns.example.com because the COM domain is managed by the GTLD-SERVERS..
      Then the Resolver must know the IP address of ns.example.com first if he wants to resolve ns.example.org?
    9. The Resolver asks the ROOT-SERVERS about the domain ns.example.com
    10. The ROOT-SERVERS tell him to ask the GTLD-SERVERS
    11. The Resolver asks the GTLD-SERVERS about the domain ns.example.com
    12. The GTLD-SERVERS tell him to ask ns.example.org..
    LOOP...
    I don't know if my understanding is right. My second question is:
    As I have registered my own name server ns.example.com, the GTLD-SERVERS have the record of ns.example.com in their database, but when I ask them about ns.example.com, why do they tell me to ask ns.example.org? Why not just answer me that they have the IP address of my name server?
    Hope someone can explain it clearly. Thanks
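To make the two questions above concrete, here is a toy iterative resolver (an added example, not from the thread; every server, zone and address in it is constructed from RFC 5737 ranges). It walks the cross-delegated case the post describes and detects the loop, then shows the same lookup succeeding once each zone's name server is in-bailiwick and its parent hands out glue in the ADDITIONAL section.

```python
"""Toy iterative resolver for the scenario in the question: example.com is
delegated to ns.example.org and example.org to ns.example.com. It shows why
the lookup cannot complete without glue, and why in-bailiwick glue (an NS
name inside the zone it serves, with its A record handed out by the parent)
breaks the loop. Added example, not part of the original thread; every
server, zone and address below is constructed (RFC 5737 ranges)."""

ROOT_ADDR = "192.0.2.1"  # constructed address of the (single) root server


class ResolutionLoop(Exception):
    """Resolving a name required resolving that same name first."""


def build_servers(cross_delegate):
    """Map address -> server data. 'answers' are names the server is
    authoritative for, 'delegations' map zone -> NS names, and 'glue' holds
    the A records the parent puts in the ADDITIONAL section. A parent can only
    supply glue for names inside the zone it delegates, so with
    cross_delegate=True the TLD servers have nothing to add."""
    com_ns = ["ns.example.org."] if cross_delegate else ["ns.example.com."]
    org_ns = ["ns.example.com."] if cross_delegate else ["ns.example.org."]
    com_glue = {} if cross_delegate else {"ns.example.com.": "203.0.113.53"}
    org_glue = {} if cross_delegate else {"ns.example.org.": "203.0.113.54"}
    return {
        ROOT_ADDR: {"answers": {},
                    "delegations": {"com.": ["a.gtld-servers.net."],
                                    "org.": ["a0.org.afilias-nst.org."]},
                    "glue": {"a.gtld-servers.net.": "192.0.2.2",
                             "a0.org.afilias-nst.org.": "192.0.2.3"}},
        "192.0.2.2": {"answers": {}, "glue": com_glue,      # .com TLD server
                      "delegations": {"example.com.": com_ns}},
        "192.0.2.3": {"answers": {}, "glue": org_glue,      # .org TLD server
                      "delegations": {"example.org.": org_ns}},
        "203.0.113.53": {"answers": {"www.example.com.": "203.0.113.10",
                                     "ns.example.com.": "203.0.113.53"},
                         "delegations": {}, "glue": {}},    # ns.example.com
        "203.0.113.54": {"answers": {"www.example.org.": "203.0.113.20",
                                     "ns.example.org.": "203.0.113.54"},
                         "delegations": {}, "glue": {}},    # ns.example.org
    }


def resolve(name, servers, in_progress=frozenset(), trace=None):
    """Resolve `name` iteratively from the root. `in_progress` holds names
    whose resolution is still pending up the call stack; needing one of them
    again means no glue exists anywhere to break the cycle."""
    if name in in_progress:
        raise ResolutionLoop(f"{name} needs itself resolved first")
    pending = in_progress | {name}
    trace = [] if trace is None else trace
    addr = ROOT_ADDR
    while True:
        server = servers[addr]
        if name in server["answers"]:
            trace.append(f"{addr} answers {name} = {server['answers'][name]}")
            return server["answers"][name]
        # Referral: the most specific delegation that covers the name.
        zones = [z for z in server["delegations"]
                 if name == z or name.endswith("." + z)]
        if not zones:
            raise LookupError(f"{addr} has no delegation covering {name}")
        ns_name = server["delegations"][max(zones, key=len)][0]
        if ns_name in server["glue"]:
            addr = server["glue"][ns_name]
            trace.append(f"{addr if False else ''}referral to {ns_name} with glue {addr}")
        else:  # no glue: the resolver must look up the NS name from scratch
            trace.append(f"referral to {ns_name} without glue")
            addr = resolve(ns_name, servers, pending, trace)


def lookup(name, cross_delegate):
    """Address of `name`, or None when the delegation loop makes it unreachable."""
    try:
        return resolve(name, build_servers(cross_delegate))
    except ResolutionLoop:
        return None


if __name__ == "__main__":
    for cross in (False, True):
        steps = []
        try:
            print(resolve("www.example.com.", build_servers(cross), trace=steps))
        except ResolutionLoop as err:
            print("LOOP:", err)
        print("\n".join("  " + step for step in steps))
```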

    I'm in the same position, the store said they didn't know of any new release, so i bought my macbook pro to find out about mountain lion. I really hope that i'm not going to pay for the upgrade. New to apple, also last month bought my Ipad 3, really thought that Airplay would have been on my book pro, nope, waste of time.........need that update to use it. Back i the box then, get the windows 7 ultimate pro back out until then.

  • Active Directory replication and login errors (Plz HELP !!)

    Hi All,
    We have one forest domain (XXXX.LOCAL)and lots of child domains (XXX.XXXX.LOCAL).
    We are facing issue that child domains are not able to login with forest administrator account and there are also lots of replication errors.
    Exchange OWA gives error of not able to find particular XXX.XXX.local child domain.
    dcdiag from child domain is :
    C:\Windows\system32>
    C:\Windows\system32>nltest.exe /dsregdns
    Flags: 0
    Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully
    C:\Windows\system32>nltest.exe /dsregdns
    Flags: 0
    Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully
    C:\Windows\system32>
    C:\Windows\system32>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = PMA-DC01
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: HEC-CITY\PMA-DC01
          Starting test: Connectivity
             ......................... PMA-DC01 passed test Connectivity
    Doing primary tests
       Testing server: HEC-CITY\PMA-DC01
          Starting test: Advertising
             Warning: PMA-DC01 is not advertising as a time server.
             ......................... PMA-DC01 failed test Advertising
          Starting test: FrsEvent
             ......................... PMA-DC01 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... PMA-DC01 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... PMA-DC01 passed test SysVolCheck
          Starting test: KccEvent
             ......................... PMA-DC01 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             [PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
             The target principal name is incorrect..
             Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
             Bind.
             [PMA-DC02] LDAP bind failed with error 8341,
             A directory service error has occurred..
             Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
             Bind.
             Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
             Bind.
             Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
             Bind.
             Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
             responding to DS RPC Bind.
             Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
             responding to LDAP Bind.
             ......................... PMA-DC01 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... PMA-DC01 passed test MachineAccount
          Starting test: NCSecDesc
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             ......................... PMA-DC01 failed test NCSecDesc
          Starting test: NetLogons
             ......................... PMA-DC01 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... PMA-DC01 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,Replications Check] Inbound replication is
             disabled.
             To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
             [Replications Check,PMA-DC01] Outbound replication is disabled.
             To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
             ......................... PMA-DC01 failed test Replications
          Starting test: RidManager
             ......................... PMA-DC01 failed test RidManager
          Starting test: Services
                w32time Service is stopped on [PMA-DC01]
             ......................... PMA-DC01 failed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00000010
                Time Generated: 04/21/2014   19:16:04
                Event String:
                Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:42
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHORE._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHORE._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x00000C8A
                Time Generated: 04/21/2014   19:44:51
                Event String:
                This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a Windows domain controller for domain XXXX, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
             An error event occurred.  EventID: 0xC00A0038
                Time Generated: 04/21/2014   19:46:02
                Event String:
                The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.87.193.37.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   19:52:41
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             A warning event occurred.  EventID: 0x8000001C
                Time Generated: 04/21/2014   19:53:42
                Event String:
                When generating a cross realm referal from domain XXXX.LOCAL the KDC was not able to find the suitable key to verify the ticket. The ticket key version in the request was 25 and the available key version was 22. This most common reason for this error is a delay in replicating the keys. In order to remove this problem try forcing replication or wait for the replication of keys to occur.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   20:13:25
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   20:13:25
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             ......................... PMA-DC01 failed test SystemLog
          Starting test: VerifyReferences
             ......................... PMA-DC01 passed test VerifyReferences
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : PMA
          Starting test: CheckSDRefDom
             ......................... PMA passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... PMA passed test CrossRefValidation
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running enterprise tests on : XXXX.LOCAL
          Starting test: LocatorCheck
             ......................... XXXX.LOCAL passed test LocatorCheck
          Starting test: Intersite
             ......................... XXXX.LOCAL passed test Intersite
    C:\Windows\system32>

    There are a number of things that can cause this, such as:
    DNS is misconfigured to support a parent-child-additional tree forest.
    Incorrect DNS zone replication scope for the design, which points back to the point #1.
    AD Sites are misconfigured for the physical environment. For example if you have a hub and spoke physical environment, you can't use the default settings that bridge all sites (BASL) and must individually configure them.
    Incorrect DNS settings on the DCs.
    Multi-homed DCs.
    Time service is not configured properly and/or syncing from the VM host, which should be configured otherwise (Microsoft, VMware and Citrix have KBs explaining this).
    Default security settings at either the parent, child or both domains, have been altered.
    Firewalls between DCs, such as perimeter firewalls, or installed antivirus protection features if not excluded on DCs properly, will cause this, too.
    That's the short list. If you can describe some of the points above, it may help us pinpoint where the issue may be.
    Some links that may help understand some of the bullet points:
    AD Site Design, DNS & the DC Locator Process, and Auto Site Link Bridging, or Bridge All Site Links (BASL)
    http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
    Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
    Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009 at 8:14 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
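When triaging a dcdiag paste like the one above, the first things to pull out are the failed tests, the SRV records whose dynamic registration failed and the KRB_AP_ERR_MODIFIED events (the password/SPN mismatch with PMA-DC02). The helper below does that; it is an added example, not part of the thread or of dcdiag, and its SAMPLE text is constructed from the patterns in the paste, including the 80-column wraps the console inserts mid-word into Event Strings.

```python
"""Triage helper for dcdiag output like the paste above: collects failed
tests, SRV records whose dynamic registration failed and KRB_AP_ERR_MODIFIED
events, re-joining the 80-column wraps the console adds to Event Strings.
Added example, not part of the thread or of dcdiag. SAMPLE is constructed
from the patterns in the paste (XXXX.LOCAL is the poster's placeholder)."""

import re
from collections import Counter

TEST_RESULT = re.compile(r"\.{5,}\s+(?P<subject>\S+) (?P<result>passed|failed)"
                         r" test(?:\s+(?P<test>\w+))?\s*$")
EVENT_HDR = re.compile(r"^\s+An? (?:error|warning) event occurred\.\s+"
                       r"EventID: (?P<id>0x[0-9A-Fa-f]+)")
SRV_FAIL = re.compile(r"dynamic registration of the DNS record '(?P<record>[^']+)' failed")
KRB_MOD = re.compile(r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+)\. "
                     r"The target name used was (?P<spn>\S+)\.")
# A line that ends an Event String body: the next event, a verdict or a new test.
BLOCK_END = re.compile(r"^\s{3,}(?:An? (?:error|warning) event occurred|\.{5,}|"
                       r"Starting test|Testing server|Running )")

SAMPLE = """\
      Starting test: Advertising
         Warning: PMA-DC01 is not advertising as a time server.
         ......................... PMA-DC01 failed test Advertising
      Starting test: Services
         ......................... PMA-DC01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs
.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the fol
lowing DNS server:
         An error event occurred.  EventID: 0x40000004
            Time Generated: 04/21/2014   19:52:41
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indi
cates that the target server failed to decrypt the ticket provided by the client
         ......................... PMA-DC01 failed test SystemLog
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""


def iter_logical_lines(text):
    """Yield dcdiag lines with wrapped Event String bodies re-joined. The
    console wraps at 80 columns mid-word and continuation lines start at
    column 0, so the fragments are concatenated with no separator."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        yield lines[i]
        i += 1
        if lines[i - 1].strip() != "Event String:":
            continue
        body = []
        while i < len(lines) and not BLOCK_END.match(lines[i]):
            body.append(lines[i].strip() if not body else lines[i])
            i += 1
        yield "".join(body)


def _add_result(summary, subject, result, test):
    key = "failed_tests" if result == "failed" else "passed_tests"
    summary[key].append((subject, test))


def summarize(text):
    """Parse dcdiag text into a small triage summary dict."""
    s = {"failed_tests": [], "passed_tests": [], "srv_failures": [],
         "krb_modified": [], "event_ids": Counter()}
    wrapped = None  # (subject, result) when the test name wrapped to the next line
    for line in iter_logical_lines(text):
        if wrapped:
            _add_result(s, *wrapped, line.strip())
            wrapped = None
        elif m := TEST_RESULT.search(line):
            if m["test"]:
                _add_result(s, m["subject"], m["result"], m["test"])
            else:
                wrapped = (m["subject"], m["result"])
        elif m := EVENT_HDR.match(line):
            s["event_ids"][m["id"]] += 1
        elif m := SRV_FAIL.search(line):
            fields = m["record"].split()  # owner name ... SRV target host
            s["srv_failures"].append((fields[0], fields[-1]))
        elif m := KRB_MOD.search(line):
            s["krb_modified"].append((m["server"], m["spn"]))
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```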

  • Failed to fetch dNIPDNSZones from DNS_LOCATOR_OBJECT

    I am unable to provision DSfW after installing it. The Provisioning PreCheck is successful, but the Configure DNS portion fails.
    It looks to me as though the installation did not create a DNS Locator object in eDirectory. It seems as though we had some old ones floating around from years past.
    We currently do not use Novell DNS for DNS. The zone is hosted on an Active Directory domain controller. After clearing out all of the old DNS objects from eDirectory, I would like to retry provisioning DSfW. However, I cannot seem to reinstall, uninstall, or provision.
    Is there a way to manually create the DNS Locator object that DSfW is looking for, or is there a way to remove and reinstall DSfW?
    The documentation does not say that I need to be running Novell DNS in eDirectory. Do I have to have an existing Novell DNS installation?
    Thank you for any information that you have about this. Here is an excerpt from the log:
    2013-07-05 15:38:00,052 INFO - Authentication :Successfully completed the provisioning plugin authentication
    2013-07-05 15:38:22,816 INFO - DNS Configuration:DNS Configuration starting
    2013-07-05 15:38:22,817 INFO - DNS Configuration:Script to be run is /opt/novell/xad/share/dcinit/provision/provision_dns.pl
    2013-07-05 15:38:28 Pre-check of DNS configuration Passed
    >>>Creating DNS Zone object
    Failed to fetch dNIPDNSZones from DNS_LOCATOR_OBJECT at /opt/novell/xad/lib64/perl/Install/frd_install.pm line 797.
    at /opt/novell/xad/lib64/perl/Logger.pm line 120
    Logger::_err('Failed to fetch dNIPDNSZones from DNS_LOCATOR_OBJECT at /opt/...') called at /opt/novell/xad/lib64/perl/Logger.pm line 211
    Logger::Log(0, 'Failed to fetch dNIPDNSZones from DNS_LOCATOR_OBJECT at /opt/...') called at /opt/novell/xad/lib64/perl/Install/frd_install.pm line 827
    frd_install::decide_domain_zones() called at /opt/novell/xad/lib64/perl/Install/frd_install.pm line 329
    frd_install::configure_zone_object('frd_install=HASH(0x793080)') called at /opt/novell/xad/share/dcinit/provision/provision_dns.pl line 45
    2013-07-05 15:38:28,451 INFO - DNS Configuration:DNS Configuration returned.
    Dennis

    Hi Dennis,
    We brought in logic to utilize the existing Locator Object based on the customer feedback and DNS restriction.
    The DNS YaST page indicates which locator context is being picked; by default it is "ou=OESSystemObjects,<Domain NC>" if there are no pre-existing locator objects. Now if you need the locator object in a new context, I'm worried you will have to redo the installation to get a cleaner installation, as it is a two-stage process and many back-end files for DNS configuration are generated at the YaST stage.
    Originally Posted by deisler
    The zone is hosted on an Active Directory domain controller. After clearing out all of the old DNS objects from eDirectory, I would like to retry provisioning DSfW. However, I cannot seem to reinstall, uninstall, or provision.
    Dennis
    DSFW doesn't support this. It can co-exist with AD only by means of a trust, and it doesn't support any other means of co-existence such as being a child domain of an AD domain or an additional domain controller in an AD domain. The zone being hosted on an Active Directory domain controller for a DSFW domain is not supported.
    Originally Posted by deisler
    Is there a way to manually create the DNS Locator object that DSfW is looking for, or is there a way to remove and reinstall DSfW.
    Yes, you can do it by using dns-maint; make sure you create the locator object in the same old locator context. You can get the old context that DSFW is looking for from the following file.
    frd:~ # cat /etc/opt/novell/xad/xad.ini | grep DNS_LOCA
    DNS_LOCATOR_OBJECT = cn=DNS-DHCP,ou=OESSystemObjects,ou=frd,o=novell
    frd:~ #
    Make sure you have the following objects, and note that the DNSSERVER object is a must and will always exist in ou=OESSystemObjects,<DOMAIN NC>. Hope you have not deleted the DNSSERVER object by mistake.
    DNS_LOCATOR_OBJECT = cn=DNS-DHCP,ou=OESSystemObjects,ou=frd,o=novell
    DNSDHCP_GROUP = cn=DNSDHCP-GROUP,ou=OESSystemObjects,ou=frd,o=novell
    DNSSERVER = cn=DNS_frd,ou=OESSystemObjects,ou=frd,o=novell
    Or you can reach out to NTS and get access to our domain removal tool and re-attempt from fresh.
    Originally Posted by deisler
    The documentation does not say that I need to be running Novell DNS in eDirectory.
    Please review our Administration Guide: your first domain controller must be running Novell DNS in eDirectory by default. There is no choice.
    Originally Posted by deisler
    Do I have to have an existing Novell DNS installation?
    There is no need to have a pre-existing Novell DNS for configuring DSFW; DSFW will bring in a DNS server by default.
    Hope this helps you resolve your issues. If not, I request you to reach out to NTS or re-attempt a fresh install. I suggest not mixing your domain installation with an Active Directory domain controller and getting into issues.
    -Kamalesh
