Question
Monday, March 7, 2011 9:20 PM
Good Day
Currently I have 3 sites in AD Sites and Services, but my DNS only lists two, with the DC for the third site sitting in the root _sites\_tcp folder. Of course this is giving me all kinds of events on my DC monitoring software, such as "The domain controller is not advertising itself as a Global Catalog. The following SRV record was not found for orlndwiprod001.equitymethods.com: _ldap._tcp.Orlando-DR._sites.gc._msdcs.equitymethods.com." Can anyone give me some info on how I get the integration to work properly and match up?
The Orlando-DR site is the one not showing.
Scott Cummins
All replies (12)
Friday, March 25, 2011 11:52 PM ✅Answered
Hi Scott,
Thanks for posting the ipconfigs.
I see some issues that I would like to point out.
Make all DCs Global Catalogs:
I would suggest making all DCs GCs, which is now the accepted engineering standpoint of many engineers, including Microsoft, unless there is a compelling reason for PHXEMWIPROD004 - 30.13.9.81 not being one. More info on this subject here:
Infrastructure Master Education: "Global catalog and infrastructure master role conflicts only when there are more than one Domain in the Forest. We don't need to worry about single Domain situation." - Mervyn Zhang, MSFT
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591
Global Catalog vs. Infrastructure Master: "If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs."
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx
IP Routing and WINS Proxy configured on your DCs:
There are a few DCs that have IP routing enabled, as well as WINS Proxy enabled. I don't know why they are enabled, but on a DC they should be disabled. The reasoning is that they can cause issues, especially IP routing, with the routing table, which may and will affect AD communications between DCs and client machines. To disable IP routing, simply go into RRAS and disable it. If they are Windows 2008 or newer, remove the NPS role.
To disable WINS proxy and info on IP routing, take a look at the following:
======
How to disable WINS Proxy:
How to Disable NetBT Proxy on Incoming Connections (How to disable WINS Proxy):
http://support.microsoft.com/kb/319848
How to disable IP Routing:
Click on Start, Administrative Tools, click on "Routing and Remote Access"
Right click Servername, choose Disable.
Once you've disabled it, or even if Routing and Remote Access is already disabled, please navigate to the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Change the value of IPEnableRouter from 1 to 0, then reboot.
Do not manually create SRV records:
I also concur with Rick Tan that you do not want to manually create any of the SRV records. They are auto-created by the Netlogon service: the service compiles what it finds in the AD database, assembles a file called system32\config\netlogon.dns, then attempts to register the data in that file into the DNS zone that matches the name of the machine's Primary DNS Suffix. That is the basis. If anything is wrong with DNS (the zone name doesn't match the Primary DNS Suffix, the zone is not allowing updates, or worse, a DNS address is specified in the NIC properties that does not host the zone name, such as when some IT folks enter an ISP's DNS or their router as a DNS thinking that will help internet access, but it doesn't), things will not work.
NAT or Routed??
As for the differences in the IP subnets I'm seeing, where I see a private range 172.16.x.x and a public range 30.x.x.x, that kind of indicates (I'm not sure how you have communications set up between these subnets) that you have NAT running. AD communication fails across a NAT and can't be configured to communicate, UNLESS you have a VPN tunnel across the NAT between the public and private subnets. This is because NAT can't translate the encrypted RPC and LDAP packets.
You earlier asked about firewall ports, and I provided some links, however if there is a NAT between the subnets and not Routed, it won't work unless you create a tunnel between them.
DNS Entries on each DC:
Also, the accepted solution regarding DNS entries on each DC, is to point the first address to itself, and choose a replica DC as the second entry. I don't see that has been done in this case. If DNS is not on a DC, you can point the first entry to a replica DC in the same AD Site or subnet, however if the first entry is at another location across a WAN, router, etc, it would really be beneficial to simply install DNS on that DC and point the first entry to itself. If it is pointing to a DNS across a NAT, well, that will surely complicate matters and may just not work, as explained above.
NIC Teaming is not supported nor recommended by Microsoft:
Lastly, but as a minor issue, is NIC Teaming. Teaming is not supported by Microsoft, and can cause issues that go unfounded and make you pull your hair out. This is due to drivers. Matter of fact, if you call in to support with issues and they see NIC teaming, one of the first suggestions they make is to unteam them before moving forward. Besides, with the super fast NICs these days, and super fast switches, there is no real reason to team. Just unteam, disable the additional NIC, and leave it there just in case an issue occurs. I'm not saying you should unteam them, I'm just relaying the latest info on teaming, and you can make the decision on whether to leave the teams or not. Here's more info on this subject for your reading:
==================================================================
How does a switch know what port to send an NLB or teamed NIC based on the MAC?
From what I understand, the switch doesn't know because it is a virtual MAC address. See if this helps:
NLB Unicast vs. Multicast - Original Posted Feb 21, 2005 by Russ Kaufman
http://msmvps.com/blogs/clusterhelp/archive/2005/08/05/nlb-unicast-vs-multicast-original-posted-feb-21-2005.aspx
Fire and Water: Firewalls and Network Load Balancing
How can each NIC register a different bogus MAC address on each switch port and still listen on a common NLB array MAC address? ...
www.cramsession.com/articles/get-article.asp?aid=236
To relate an old story, about 3 years ago I teamed two NICs on a Dell 1550 connected to an older SuperStack 3Com switch, and the switch went haywire broadcasting on all ports. It just didn't know what to do with the traffic.
Newer switches know how to handle it, and can even be set up by forcing ports to a MAC. Check with your switch docs. Other than that, I never really delved into this any deeper.
BTW - Microsoft does not recommend nor support machines with teamed NICs.
Teamed network cards for domain controllers? (Thread Answered by a great write-up by Jared Crandall, former Microsoft Support Engineer)
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/f5dea401-5a3b-4ddb-8bb8-8d2b2e2db55b
Using teaming adapters with network load balancing may cause network problems
http://support.microsoft.com/kb/278431
However, did you know NIC teaming on a DC, or any other Windows box, is not a good idea? http://tinyurl.com/4pbpnfp
==================================================================
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
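The checks in the answer above can be scripted so they are repeatable rather than eyeballed from dcdiag and ipconfig output. This is an added example, not code from the thread: it assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows 8 / Server 2012 or newer), WinRM access to every DC, and a single-domain forest as in this thread; all site names, record names and addresses are read from AD at run time.

```powershell
# Added example, not part of the thread: a read-only health check for the points Ace
# raises. Assumes the ActiveDirectory and DnsClient modules (RSAT, Windows 8/2012 or
# newer), WinRM access to each DC, and a single-domain forest as in the thread.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$forest = (Get-ADForest).RootDomain    # gc._msdcs records live under the forest root

# Site-specific SRV records Netlogon registers for a DC. They are assembled from
# %SystemRoot%\system32\config\netlogon.dns and must not be created by hand.
function Get-ExpectedSrvNames {
    param([string]$Site, [bool]$IsGlobalCatalog)
    $names = @(
        "_ldap._tcp.$Site._sites.dc._msdcs.$domain",
        "_kerberos._tcp.$Site._sites.dc._msdcs.$domain",
        "_ldap._tcp.$Site._sites.$domain",
        "_kerberos._tcp.$Site._sites.$domain"
    )
    if ($IsGlobalCatalog) {
        $names += "_ldap._tcp.$Site._sites.gc._msdcs.$forest"
        $names += "_gc._tcp.$Site._sites.$forest"
    }
    return $names
}

# Ask the DC's own DNS server for each record and verify this DC is among the targets.
function Get-MissingSrvRecords {
    param($Dc)
    $missing = @()
    foreach ($name in (Get-ExpectedSrvNames -Site $Dc.Site -IsGlobalCatalog $Dc.IsGlobalCatalog)) {
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $Dc.IPv4Address -ErrorAction SilentlyContinue
        $found = $answers | Where-Object { $_.NameTarget -ieq $Dc.HostName }
        if (-not $found) { $missing += $name }
    }
    return $missing
}

# Registry and DNS-client settings discussed in the answer, read remotely over WinRM.
function Get-DcNetworkSettings {
    param($Dc)
    Invoke-Command -ComputerName $Dc.HostName -ScriptBlock {
        $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        $netbt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
        # First adapter that has DNS servers configured (DCs normally have one).
        $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
        [pscustomobject]@{
            IPEnableRouter = [int]$tcpip.IPEnableRouter   # 1 = IP routing on (should be 0)
            WinsProxy      = [int]$netbt.EnableProxy      # 1 = WINS proxy on (should be 0)
            DnsServers     = @($dnsServers)
        }
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $settings = Get-DcNetworkSettings -Dc $dc
    $dnsList  = @($settings.DnsServers)
    $missing  = Get-MissingSrvRecords -Dc $dc
    [pscustomobject]@{
        DC               = $dc.HostName
        Site             = $dc.Site
        IsGC             = $dc.IsGlobalCatalog
        MissingSrv       = ($missing -join '; ')
        IPRoutingEnabled = ($settings.IPEnableRouter -eq 1)
        WinsProxyEnabled = ($settings.WinsProxy -eq 1)
        # Recommendation from the answer: first DNS entry is the DC itself, second a replica.
        FirstDnsIsSelf   = ($dnsList.Count -gt 0 -and $dnsList[0] -eq $dc.IPv4Address)
        DnsServers       = ($dnsList -join ', ')
    }
}

$report | Format-Table -AutoSize
```

A DC that shows entries under MissingSrv, or IPRoutingEnabled / WinsProxyEnabled as True, is one to look at first; the SRV check queries each DC's own DNS server, so a record that exists on one DC but not another points at zone replication or dynamic-update problems rather than at Netlogon.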
Monday, March 7, 2011 9:40 PM
Run the commands below and post the unedited output here:
dcdiag /c /v
ipconfig /all
Also post the full error message that appeared.
With kind regards
Krystian Zieja
http://www.projectnenvision.com
Follow me on twitter
My Blog
Monday, March 7, 2011 9:56 PM
DCDIAG /C /V
Performing initial setup:
* Verifying that the local machine phxemwiprod001, is a DC.
* Connecting to directory service on server phxemwiprod001.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 5 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Tempe-COLO\PHXEMWIPROD001
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHXEMWIPROD001 passed test Connectivity
Doing primary tests
Testing server: Tempe-COLO\PHXEMWIPROD001
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=equitymethods,DC=com
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=equitymethods,DC=com
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=equitymethods,DC=com
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=equitymethods,DC=com
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=equitymethods,DC=com
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PHXEMWIPROD001 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... PHXEMWIPROD001 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=equitymethods,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... PHXEMWIPROD001 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
DC=ForestDnsZones,DC=equitymethods,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=equitymethods,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=equitymethods,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=equitymethods,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=equitymethods,DC=com
(Domain,Version 2)
......................... PHXEMWIPROD001 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... PHXEMWIPROD001 passed test NetLogons
Starting test: Advertising
The DC PHXEMWIPROD001 is advertising itself as a DC and having a DS.
The DC PHXEMWIPROD001 is advertising as an LDAP server
The DC PHXEMWIPROD001 is advertising as having a writeable directory
The DC PHXEMWIPROD001 is advertising as a Key Distribution Center
The DC PHXEMWIPROD001 is advertising as a time server
The DS PHXEMWIPROD001 is advertising as a GC.
......................... PHXEMWIPROD001 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=PHXEMWIPROD002,CN=Servers,CN=Scottsdale-Kierland,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Role Domain Owner = CN=NTDS Settings,CN=PHXEMWIPROD002,CN=Servers,CN=Scottsdale-Kierland,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Role PDC Owner = CN=NTDS Settings,CN=PHXEMWIPROD004,CN=Servers,CN=Scottsdale-Kierland,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Role Rid Owner = CN=NTDS Settings,CN=PHXEMWIPROD004,CN=Servers,CN=Scottsdale-Kierland,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=PHXEMWIPROD002,CN=Servers,CN=Scottsdale-Kierland,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
......................... PHXEMWIPROD001 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 8103 to 1073741823
* PHXEMWIPROD004.equitymethods.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 5103 to 5602
* rIDPreviousAllocationPool is 5103 to 5602
* rIDNextRID: 5126
......................... PHXEMWIPROD001 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/phxemwiprod001.equitymethods.com/equitymethods.com
* SPN found :LDAP/phxemwiprod001.equitymethods.com
* SPN found :LDAP/PHXEMWIPROD001
* SPN found :LDAP/phxemwiprod001.equitymethods.com/EQUITYMETHODS
* SPN found :LDAP/651cc5c8-b246-44c9-ae93-1eb88dc8b756._msdcs.equitymethods.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/651cc5c8-b246-44c9-ae93-1eb88dc8b756/equitymethods.com
* SPN found :HOST/phxemwiprod001.equitymethods.com/equitymethods.com
* SPN found :HOST/phxemwiprod001.equitymethods.com
* SPN found :HOST/PHXEMWIPROD001
* SPN found :HOST/phxemwiprod001.equitymethods.com/EQUITYMETHODS
* SPN found :GC/phxemwiprod001.equitymethods.com/equitymethods.com
......................... PHXEMWIPROD001 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PHXEMWIPROD001 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... PHXEMWIPROD001 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
PHXEMWIPROD001 is in domain DC=equitymethods,DC=com
Checking for CN=PHXEMWIPROD001,OU=Domain Controllers,DC=equitymethods,DC=com in domain DC=equitymethods,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=PHXEMWIPROD001,CN=Servers,CN=Tempe-COLO,CN=Sites,CN=Configuration,DC=equitymethods,DC=com in domain CN=Configuration,DC=equitymethods,DC=com on 1 servers
Object is up-to-date on all servers.
......................... PHXEMWIPROD001 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PHXEMWIPROD001 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PHXEMWIPROD001 passed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/07/2011 14:40:57
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Directory partition:
DC=equitymethods,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
DC=equitymethods,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/07/2011 14:40:57
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Directory partition:
DC=ForestDnsZones,DC=equitymethods,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
DC=ForestDnsZones,DC=equitymethods,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/07/2011 14:40:57
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Directory partition:
DC=DomainDnsZones,DC=equitymethods,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
DC=DomainDnsZones,DC=equitymethods,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/07/2011 14:40:57
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
Directory partition:
CN=Configuration,DC=equitymethods,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
CN=Configuration,DC=equitymethods,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/07/2011 14:40:57
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=Orlando-DR,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
......................... PHXEMWIPROD001 failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40011006
Time Generated: 03/07/2011 14:16:05
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 03/07/2011 14:32:36
(Event String could not be retrieved)
......................... PHXEMWIPROD001 failed test systemlog
Starting test: VerifyReplicas
......................... PHXEMWIPROD001 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PHXEMWIPROD001,OU=Domain Controllers,DC=equitymethods,DC=com and
backlink on
CN=PHXEMWIPROD001,CN=Servers,CN=Tempe-COLO,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=PHXEMWIPROD001,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=equitymethods,DC=com
and backlink on
CN=PHXEMWIPROD001,OU=Domain Controllers,DC=equitymethods,DC=com are
correct.
The system object reference (serverReferenceBL)
CN=PHXEMWIPROD001,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=equitymethods,DC=com
and backlink on
CN=NTDS Settings,CN=PHXEMWIPROD001,CN=Servers,CN=Tempe-COLO,CN=Sites,CN=Configuration,DC=equitymethods,DC=com
are correct.
......................... PHXEMWIPROD001 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=TMPEMWIPROD001,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=equitymethods,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: frsComputerReference
Value Object Description: "DC Account Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs SYSVOL FRS Member Object. Also see Knowledge
Base Article: Q312862
[2] Problem: Missing Expected Value
Base Object:
CN=TMPEMWIPROD001,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=equitymethods,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: serverReference
Value Object Description: "DSA Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs SYSVOL FRS Member Object. Also see Knowledge
Base Article Q312862
......................... PHXEMWIPROD001 failed test VerifyEnterpriseReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : equitymethods
Starting test: CrossRefValidation
......................... equitymethods passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... equitymethods passed test CheckSDRefDom
Running enterprise tests on : equitymethods.com
Starting test: Intersite
Skipping site Scottsdale-Kierland, this site is outside the scope
provided by the command line arguments provided.
Skipping site Tempe-COLO, this site is outside the scope provided by
the command line arguments provided.
Skipping site Orlando-DR, this site is outside the scope provided by
the command line arguments provided.
......................... equitymethods.com passed test Intersite
Starting test: FsmoCheck
GC Name: \phxemwiprod001.equitymethods.com
Locator Flags: 0xe00003fc
PDC Name: \PHXEMWIPROD004.equitymethods.com
Locator Flags: 0xe0000379
Time Server Name: \phxemwiprod001.equitymethods.com
Locator Flags: 0xe00003fc
Preferred Time Server Name: \phxemwiprod001.equitymethods.com
Locator Flags: 0xe00003fc
KDC Name: \phxemwiprod001.equitymethods.com
Locator Flags: 0xe00003fc
......................... equitymethods.com passed test FsmoCheck
Windows IP Configuration
Host Name . . . . . . . . . . . . : phxemwiprod001
Primary Dns Suffix . . . . . . . : equitymethods.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : equitymethods.com
Ethernet adapter Team 1:
Connection-specific DNS Suffix . : equitymethods.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-14-22-7C-A7-12
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.100.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.100.1
DNS Servers . . . . . . . . . . . : 172.16.200.32
Scott Cummins
Monday, March 7, 2011 10:03 PM
Krystian
Thanks for the help,
Scott Cummins
Tuesday, March 8, 2011 4:37 AM
Scott,
Thanks for posting the info Krystian requested. To get a better understanding of your infrastructure, please post an ipconfig /all of all your DCs, and also list out which AD Sites exist, if all DCs are supposed to be GCs, and the IP Subnet Objects associated to each of them.
Also, if possible, can you post a screenshot of AD Sites and Services to give a better idea of what you are seeing, please? Please expand all nodes beforehand and post it to Windows SkyDrive, unless you have another choice of photo storage service.
Thanks,
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, March 8, 2011 3:49 PM
Windows IP Configuration
Host Name . . . . . . . . . . . . : PHXEMWIPROD004
Primary Dns Suffix . . . . . . . : equitymethods.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : equitymethods.com
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC532i Dual Port 10GbE Multifunction BL-c Adapter
Physical Address. . . . . . . . . : F4-CE-46-B3-AE-50
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 30.13.9.81
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 30.13.9.124
DNS Servers . . . . . . . . . . . : 30.13.9.81
172.16.100.32
Windows IP Configuration
Host Name . . . . . . . . . . . . : phxemwiprod001
Primary Dns Suffix . . . . . . . : equitymethods.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : equitymethods.com
Ethernet adapter Team 1:
Connection-specific DNS Suffix . : equitymethods.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-14-22-7C-A7-12
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.100.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.100.1
DNS Servers . . . . . . . . . . . : 30.13.9.83
172.16.200.32
Windows IP Configuration
Host Name . . . . . . . . . . . . : TMPEMWIBofA001
Primary Dns Suffix . . . . . . . : equitymethods.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : equitymethods.com
Ethernet adapter Public Team:
Connection-specific DNS Suffix . : equitymethods.com
Description . . . . . . . . . . . : TEAM : Public Team #1
Physical Address. . . . . . . . . : 00-13-72-51-91-92
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.125.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.125.1
DNS Servers . . . . . . . . . . . : 30.13.9.83
172.16.100.32
Windows IP Configuration
Host Name . . . . . . . . . . . . : orlndwiprod001
Primary Dns Suffix . . . . . . . : equitymethods.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : equitymethods.com
Ethernet adapter Team 1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-0B-DB-96-0D-B1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.200.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.200.1
DNS Servers . . . . . . . . . . . : 30.13.9.83
172.16.100.32
Windows IP Configuration
Host Name . . . . . . . . . . . . : phxemwiprod002
Primary Dns Suffix . . . . . . . : equitymethods.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : equitymethods.com
Ethernet adapter Team 1:
Connection-specific DNS Suffix . : equitymethods.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-14-22-7C-96-E2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 30.13.9.83
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 30.13.9.124
DNS Servers . . . . . . . . . . . : 30.13.9.81
172.16.100.32
All DCs are GCs except PHXEMWIPROD004 - 30.13.9.81
Scott Cummins
Tuesday, March 8, 2011 6:39 PM
Thanks, Scott.
I suggest making all DCs GCs. But let's fix the current problem first before making PHXEMWIPROD004 a GC.
From glancing through the dcdiag, and seeing that it thinks TMPEMWIPROD001 is not in the infrastructure, it's telling me there are communication issues between this DC and the others. The errors I see are typical of firewalls blocking necessary AD ports (either the Windows firewall, a VPN, or a perimeter firewall between subnets).
Since two of your DCs are on a public IP, 30.x.x.x range, how are the DCs on that subnet connected to the internal 172.x.x.x range? Going through NAT, or is there a VPN with all ports wide open and no firewall?
Also, please use PortQry to verify AD port communications between all DCs. Please run it on all of them. Let us know if anything is blocked or not listening.
Download details: PortQry Command Line Port Scanner Version 2.0 Download PortQryV2.exe, a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows ...
http://www.microsoft.com/downloads/en/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en
Understanding portqry and the command's output:
New features and functionality in PortQry version 2.0
http://support.microsoft.com/kb/832919
Portqry Remarks
http://technet.microsoft.com/en-us/library/cc759580(WS.10).aspx
Ace
Ace Fekay
Tuesday, March 8, 2011 9:58 PM
Ace
Besides 53, 389 and a few others, are there any specific ports I need to look for?
Scott Cummins
Wednesday, March 9, 2011 5:01 AM
Hi Scott,
There are actually 29 ports, not including the ephemeral ports (Windows XP/2003 = UDP 1024 to 5000; Vista, 7, 2008 and newer = UDP 49,152 to 65535). Closing any one of these ports will cause issues with AD communications.
Also, I'm not sure if you are NATing traffic through with port translation from the external 30.x.x.x range to the internal 172.x.x.x range (which I'm kind of assuming based on the IPs you provided), but I can say that port translating across a NAT for AD won't work because NAT can't translate the encrypted RPC/LDAP traffic. You'll need a VPN from the outside servers to the internal network.
Here's more information:
==================================================================
Active Directory Firewall ports
Active Directory Replication over Firewalls, Jan 31, 2006. Active Directory relies on remote procedure call (RPC)
http://technet.microsoft.com/en-us/library/bb727063.aspx
How to configure a firewall for domains and trusts
http://support.microsoft.com/?id=179442
Configuring an Intranet Firewall, Apr 14, 2006. Protocol ports required for the intranet firewall.
Ports required for Active Directory and Kerberos communications
http://technet.microsoft.com/en-us/library/bb125069.aspx
Active Directory and Firewall Ports - I found it hard to find a definitive list on the internet for what ports needed opening for Active Directory to replication between Firewalls. ...
http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx
Note: Windows 2008, 2008 R2, Vista and Windows 7 use different ephemeral ports. The default ephemeral (random service) ports are UDP 1024 - 65535 (see KB179442 below), but for Vista and Windows 2008 it's different. Their default start port range is UDP 49152 to UDP 65535 (see KB929851 below).
Quoted from KB929851 (link posted below): "To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000."
Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports): The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/?kbid=929851
Ace
Ace Fekay
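Ace's advice is to verify AD port reachability from every DC to every other DC. The following is an added example, not code from the thread or from PortQry, that does the TCP part of that check with nothing but .NET's TcpClient (so it also runs on the PowerShell 2.0 that shipped with Server 2003/2008). The port list is the fixed TCP set from the Microsoft references Ace links above; it deliberately leaves out UDP and the dynamic RPC range, which this kind of connect test cannot cover, and the DC names are the ones posted in this thread.

```powershell
# Added example (not from the thread): test the documented AD TCP ports from the DC
# this runs on to every other DC. Hostnames are the ones posted in the thread.
$dcs = 'phxemwiprod001', 'phxemwiprod002', 'PHXEMWIPROD004', 'TMPEMWIBofA001', 'orlndwiprod001'

# Static TCP ports AD needs between DCs (Microsoft's published list; UDP and the
# dynamic RPC range negotiated via 135 are not testable with a plain TCP connect).
$adTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # TcpClient with an explicit timeout works on PowerShell 2.0; Test-NetConnection
    # only exists on Windows 8.1 / Server 2012 R2 and later.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'FILTERED' }
        $client.EndConnect($async)    # throws if the host actively refused the connection
        return 'LISTENING'
    } catch {
        return 'NOT LISTENING'
    } finally {
        $client.Close()
    }
}

$me = $env:COMPUTERNAME
$results = foreach ($dc in $dcs) {
    if ($dc -ieq $me) { continue }
    foreach ($port in ($adTcpPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Source  = $me
            Target  = $dc
            Port    = $port
            Service = $adTcpPorts[$port]
            State   = Test-TcpPort -ComputerName $dc -Port $port
        }
    }
}

# FILTERED (timeout) is the signature of a firewall or a NAT silently dropping packets;
# NOT LISTENING means the host answered but nothing is bound there (e.g. 3268 on a non-GC).
$results | Sort-Object Target, Port | Format-Table Target, Port, Service, State -AutoSize
$results | Where-Object { $_.State -ne 'LISTENING' } |
    Export-Csv -Path "$env:TEMP\ad-port-check-$me.csv" -NoTypeInformation
```

Run it on each DC in turn and compare the CSVs: a DC that reaches 389 but gets FILTERED on 135, or on the dynamic range behind it, is the pattern Ace describes for NAT or a firewall between the 30.x and 172.x subnets, and a 3268 result of NOT LISTENING on PHXEMWIPROD004 is expected because it is not a GC.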
Wednesday, March 9, 2011 9:41 AM
Hi Scottcummins,
Try the following steps:
1. In AD Sites and Services, check whether the "Global Catalog" checkbox is selected in the NTDS Settings Properties dialog box under orlndwiprod001.
2. Run netstat -an | find "3268" to check whether server orlndwiprod001 is listening on port 3268.
3. In AD Sites and Services, find/set the DC's replication partner and force replication.
4. Please refer to the articles below to investigate further.
Advertising as a Global Catalog Server
http://technet.microsoft.com/en-us/library/cc961811.aspx
Global Catalog Tools and Settings
http://technet.microsoft.com/en-us/library/cc737102(WS.10).aspx
Regards, Rick Tan
Wednesday, March 23, 2011 7:19 PM
Rick, this is the result:
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING
TCP 172.16.200.32:3268 172.16.200.32:1700 TIME_WAIT
I still don't see any site for "Orlando-DR" showing up anywhere.
It is funny: I create the site in "Sites and Services", yet the DNS never configures for it.
Scott Cummins
Friday, March 25, 2011 6:27 AM
Hi Scott,
Please do not create the SRV record manually, and make all available DCs GCs. Meanwhile, please ensure that orlndwiprod001 has connectivity with phxemwiprod001, then restart the Netlogon service on orlndwiprod001 and post any System event log entries to us. You can run the tests in the articles below.
SRV Records Missing After Implementing Active Directory and Domain Name System
http://support.microsoft.com/kb/241505
AD DS: This domain controller must advertise as a global catalog server for the forest in its local site
http://technet.microsoft.com/en-us/library/dd378919(WS.10).aspx
AD DS: This domain controller must advertise as the global catalog server for the forest
http://technet.microsoft.com/en-us/library/dd391960(WS.10).aspx
Regards, Rick Tan
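Rick's two posts describe one procedure: confirm the GC flag and the 3268 listener on orlndwiprod001, confirm the site-specific SRV records are (or are not) in DNS, check connectivity to phxemwiprod001, restart Netlogon so it re-registers its records, and then read what Netlogon logged. The following is an added example, not code from the thread or from the KB articles, that walks that procedure on orlndwiprod001. Names, the site and the DNS server IP are taken from the thread; the ActiveDirectory module and Resolve-DnsName assume Windows Server 2012 or later (on 2003/2008 use nslookup -type=SRV and the NTDS Settings dialog instead), and the netlogon.dns check follows KB241505.

```powershell
# Added example (not from the thread): verify GC advertising for the Orlando-DR site.
# Run on orlndwiprod001 as a domain admin. Assumes Server 2012+ for the cmdlets used.
Import-Module ActiveDirectory
$dc      = 'orlndwiprod001'
$site    = 'Orlando-DR'
$domain  = 'equitymethods.com'
$partner = 'phxemwiprod001'
$dnsSrv  = '30.13.9.83'   # first DNS server in orlndwiprod001's ipconfig; repeat with 172.16.100.32

# 1. What AD and the locator think about this DC. The two site lines must agree:
#    the locator derives its answer from subnet objects, AD from the server object.
$dcInfo = Get-ADDomainController -Identity $dc
"GC flag on NTDS Settings : $($dcInfo.IsGlobalCatalog)"
"Site object in AD        : $($dcInfo.Site)"
"Site chosen by locator   : $((nltest /dsgetsite)[0])"

# 2. Is the GC port bound locally? (Rick's step 2, without the find filter)
$gcBound = [bool](netstat -an | Select-String ':3268\s+\S+\s+LISTENING')
"Port 3268 listening      : $gcBound"

# 3. netlogon.dns lists every SRV record this DC tries to register. Missing there means the
#    DC does not consider itself a GC in this site; present there but missing in DNS means
#    dynamic registration is failing at the DNS server (KB241505).
$siteGcRecord = "_ldap._tcp.$site._sites.gc._msdcs.$domain"
$netlogonDns  = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'
$inFile = [bool](Select-String -Path $netlogonDns -Pattern ([regex]::Escape($siteGcRecord)) -ErrorAction SilentlyContinue)
"In netlogon.dns          : $inFile"
foreach ($name in $siteGcRecord, "_gc._tcp.$site._sites.$domain", "_ldap._tcp.gc._msdcs.$domain") {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $dnsSrv -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $targets = if ($srv) { $srv.NameTarget -join ', ' } else { '<missing>' }
    "{0,-55} -> {1}" -f $name, $targets
}

# 4. Ask the locator for a GC in the site directly; /force bypasses the cached answer.
nltest /dsgetdc:$domain /site:$site /gc /force

# 5. Rick's remediation: restart Netlogon (which re-registers the SRV records) only once
#    the replication partner is reachable, then review what Netlogon and NTDS logged.
if (Test-Connection -ComputerName $partner -Count 2 -Quiet) {
    Restart-Service -Name Netlogon
    Start-Sleep -Seconds 30
    Get-EventLog -LogName System -Source NETLOGON -Newest 10 |
        Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap
    Get-EventLog -LogName 'Directory Service' -Newest 10 |
        Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap
} else {
    "$partner is unreachable from $env:COMPUTERNAME; fix connectivity before restarting Netlogon."
}
```

The output answers the question Scott keeps asking (why the site exists in Sites and Services but never appears in DNS): if "Site chosen by locator" is not Orlando-DR, the 172.16.200.0/24 subnet object is missing or points at another site and Netlogon registers the DC under that site instead; if the record is in netlogon.dns but resolves as missing, the DNS server at $dnsSrv is rejecting the dynamic update and its own event log is the next place to look.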