The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Question

Wednesday, November 10, 2010 1:35 PM

Hi,

I'm having some serious issues with replication of Group Policies. The event that is filling the System log is as follows:

  Provider
      [ Name]  Microsoft-Windows-GroupPolicy
      [ Guid]  {aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}
  EventID        1006
  Version        0
  Level          2
  Task           0
  Opcode         1
  Keywords       0x8000000000000000
  TimeCreated
      [ SystemTime]  2010-11-10T13:04:08.863Z
  EventRecordID  231473
  Correlation
      [ ActivityID]  {45447968-5E4F-4B47-96C0-D7CD70A6269B}
  Execution
      [ ProcessID]  1016
      [ ThreadID]   2612
  Channel        System
  Computer       server.domain.local
  Security
      [ UserID]  S-1-5-18
  EventData
      SupportInfo1                  4
      SupportInfo2                  2667
      ProcessingMode                0
      ProcessingTimeInMilliseconds  2141
      ErrorCode                     82
      ErrorDescription              Local Error
      DCName                        \\server.domain.local

There are a lot of articles regarding similar events, however I have found none referring to error code 82.

RSOP fails with the following error:

Group Policy Infrastructure failed due to the error listed below.

A directory service error has occurred.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Gpupdate updates user policies successfully, however it fails when updating computer policy.

I fear that I will have to rebuild the SYSVOL, and I'd rather not if I don't have to. Somebody please assist me here :-)

Other information :

A DCDIAG also returns the following error (lots of them):

 An Error Event occurred.  EventID: 0x000003EE
    Time Generated: 11/10/2010   14:24:17
    EvtFormatMessage failed, error 15100 Win32 Error 15100.
    (Event String (event log = System) could not be retrieved, error
    0x3afc)

br

Briggen
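Added example, not from the original post: the PowerShell below pulls the Event ID 1006 records from the System log and reads ErrorCode, ErrorDescription and DCName out of the EventData XML (the fields shown in the event above), then groups them per client, DC and code so you can see whether one DC or one client is the common factor. The LDAP code names come from winldap.h; the computer name in the usage line is a placeholder.

```powershell
# Added example (not from the thread): triage Group Policy Event ID 1006 records instead of
# reading the friendly view by hand. ErrorCode, ErrorDescription, DCName etc. are the named
# <Data> elements of the EventData section, so read them by name, not by position.
# Assumption: the account running this can read the System log on the target machine.

# LDAP return codes from winldap.h that appear in this thread.
$LdapErrorNames = @{
    81 = 'LDAP_SERVER_DOWN'     # "LDAP Error 81(0x51): Server Down" in the repadmin output below
    82 = 'LDAP_LOCAL_ERROR'     # the code in the original post ("Local Error")
    85 = 'LDAP_TIMEOUT'
    91 = 'LDAP_CONNECT_ERROR'
}

function Get-GpoLdapBindFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1006 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($evt in $events) {
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $code = [int]$data['ErrorCode']
        [pscustomobject]@{
            TimeCreated      = $evt.TimeCreated
            Computer         = $xml.Event.System.Computer
            ErrorCode        = $code
            ErrorName        = $(if ($LdapErrorNames.ContainsKey($code)) { $LdapErrorNames[$code] } else { 'unknown' })
            ErrorDescription = $data['ErrorDescription']
            DCName           = $data['DCName']
            ProcessingMode   = $data['ProcessingMode']
            DurationMs       = [int]$data['ProcessingTimeInMilliseconds']
        }
    }
}

function Get-GpoLdapBindFailureSummary {
    # One row per (client, DC, error code). Every client failing against the same DC points at
    # that DC or its DNS records; one client failing against every DC points at local config.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    $rows = foreach ($c in $ComputerName) {
        try { Get-GpoLdapBindFailure -ComputerName $c }
        catch { Write-Warning "${c}: $($_.Exception.Message)" }
    }
    $rows | Group-Object Computer, DCName, ErrorCode | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Computer  = $sorted[0].Computer
            DCName    = $sorted[0].DCName
            ErrorCode = $sorted[0].ErrorCode
            ErrorName = $sorted[0].ErrorName
            Count     = $_.Count
            First     = $sorted[0].TimeCreated
            Last      = $sorted[-1].TimeCreated
        }
    } | Sort-Object Count -Descending
}

# Usage (hostname is a placeholder):
# Get-GpoLdapBindFailureSummary -ComputerName 'server.domain.local' | Format-Table -AutoSize
```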

 

All replies (31)

Thursday, November 11, 2010 4:55 AM

Hi Briggen,

I couldn't find anything on Error Code 82, either. I guess you've already found this link?

http://eventid.net/display.asp?eventid=1006&eventno=10293&source=Microsoft-Windows-GroupPolicy&phase=1

 

It could be something as simple as a DNS lookup, multihomed DC, wrong DNS address, etc. Let's take a look at some additional information to help diagnose it. Please post the following:

  • How many DCs in the infrastructure?
  • What operating system and service pack level are the DCs?
  • A complete ipconfig /all from your DCs
  • Any additional Event log errors
  • If you have more than one DC, run a repadmin /showrepl
  • To see if anything is in the queue waiting for replication, run repadmin /queue *
  • This switch shows partitions if replicated or not - repadmin /showreps

Also run a dcdiag and netdiag:

  • dcdiag /V /C /D /E /s:DC'sName > c:\dcdiag.log (The /E switch runs diagnostics on all DCs)
  • netdiag /v > c:\netdiag.log (Run this on each DC)

You can also use Paul Bergson's script to run the above utilities, which may be easier: http://www.pbbergs.com/windows/downloads.htm.

Was the KRBTGT account ever restored with an Authoritative Restore? Run a repadmin /showmeta. Look at the unicodePwd attribute PVN (the Ver column). If it's 100002, then it means it was restored at one point. If this is the case and it's a Windows 2003 DC, take a look at this KB article:

Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or error message: "No authority could be contacted for authentication" when you use Remote Desktop Connection
http://support.microsoft.com//kb/939820

Regards,
Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

 

 

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Thursday, November 11, 2010 6:11 AM | 1 vote

Hi Briggen,

 

Thanks for posting here.

 

Are you using CNAME records to point to records in your DNS server? If yes, please change the CNAME (Alias) entries to HOST (A) records in DNS.

Meanwhile, please check the entries in the hosts file and make sure there is no incorrect entry for the DC name.

Please post back the result.

 

Thanks.

 

Tiger Li

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


Thursday, November 11, 2010 1:19 PM

Hi, and thanks for responding :-)

I've tried to include answers to most of your questions, however I do not want to disclose too much about my customer:

• How many DCs in the infrastructure?

I’ve got 2 Root DCs in the root domain, and 2 std DCs in the logon domain (sub). In addition to that, I have 3 RODCs at branch offices.

• What operating system and service pack level are the DCs?

Windows 2008 X64 up to date – patch

• A complete ipconfig /all from your DCs

DC1…1 :

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-9A-10-22
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.50.20.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.50.20.1
   DNS Servers . . . . . . . . . . . : 10.50.20.21
                                       10.50.20.22
                                       10.50.20.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{7F85903C-FF49-4535-A19D-9223CB2341B1}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DC1…2 :

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-83-3E-1A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.50.20.22(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.50.20.1
   DNS Servers . . . . . . . . . . . : 10.50.20.22
                                       10.50.20.21
                                       10.50.20.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{7F85903C-FF49-4535-A19D-9223CB2341B1}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DC2…1 (RODC) :

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-26-55-86-94-F6
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.170.10.22(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.170.10.1
   DNS Servers . . . . . . . . . . . : 10.50.20.21
                                       10.50.20.22
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{388649EF-836C-4525-9C0E-25674241EEE1}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

The other RODCs are the same, but on their own subnets.

• Any additional Event log errors

Actually I also have some Netlogon errors as well:

There are currently no logon servers available to service the logon request.

This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

• If you have more than one DC, run a repadmin /showrepl

All successful

• To see if anything is in the queue waiting for replication, run repadmin /queue *

Queue has 0 items

• This switch shows partitions if replicated or not - repadmin /showreps

Successful

Also run a dcdiag and netdiag:

• dcdiag /V /C /D /E /s:DC'sName > c:\dcdiag.log (The /E switch runs diagnostics on all DCs)

Contains a lot of these:

An Error Event occurred.  EventID: 0x000003EE
            Time Generated: 11/11/2010   11:57:55
            EvtFormatMessage failed, error 15100 Win32 Error 15100.
            (Event String (event log = System) could not be retrieved, error
            0x3afc)

• netdiag /v > c:\netdiag.log (Run this on each DC)

Not on 2008 :-)

You can also use Paul Bergson's script to run the above utilities, which may be easier: http://www.pbbergs.com/windows/downloads.htm.

Not with 2008 it seems :-)

Was the KRBTGT account ever restored with an Authoritative Restore? Run a repadmin /showmeta. Look at the unicodePwd attribute PVN (the Ver column). If it's 100002, then it means it was restored at one point. If this is the case and it's a Windows 2003 DC, take a look at this KB article:

No

Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or error message: "No authority could be contacted for authentication" when you use Remote Desktop Connection

Not when using Remote Desktop, however I have some events regarding this.

Hope this clarifies a bit more :-)

 


Thursday, November 11, 2010 1:32 PM

Hi Tiger Li,

Well, if you are referring to the records under _MSDCS.<rootdomain>.xx, the answer is YES! Are these the records that I need to change to A records?

Name                                  Type                      Data                                                                 Timestamp
dc
domains
gc
pdc

Currently it looks like below:

05b9cb72-bcbe-4f84-a2c2-ab4af900ed9d  Alias (CNAME)             DomRDC10002.rootdomain.xx.                                           08.11.2010 08:00:00
29c51fbe-913e-4326-b579-ea3d2df5bdd9  Alias (CNAME)             domDC10002.logon.rootdomain.xx.                                      08.11.2010 15:00:00
5030193f-b054-4b45-bdcf-2c6d8706e984  Alias (CNAME)             domDC22001.logon.rootdomain.xx.                                      10.11.2010 03:00:00
55c362ce-753d-4a35-a125-16aa60513945  Alias (CNAME)             domDC21001.logon.rootdomain.xx.                                      09.11.2010 22:00:00
77069a4a-da69-4b7a-84f4-3b2c6f54918e  Alias (CNAME)             DomRDC10001.rootdomain.xx.                                           08.11.2010 07:00:00
abc7b2dc-eb73-417b-8fa5-35afe1515626  Alias (CNAME)             domDC20001.logon.rootdomain.xx.                                      04.11.2010 16:00:00
b89faab2-038a-4859-8ef5-240bdeceed49  Alias (CNAME)             domDC10001.logon.rootdomain.xx.                                      08.11.2010 08:00:00
(same as parent folder)               Name Server (NS)          domDC10001.logon.rootdomain.xx.                                      08.11.2010 13:00:00
(same as parent folder)               Name Server (NS)          domDC10002.logon.rootdomain.xx.                                      08.11.2010 09:00:00
(same as parent folder)               Name Server (NS)          DomRDC10002.rootdomain.xx.                                           14.10.2010 03:00:00
(same as parent folder)               Name Server (NS)          DomRDC10001.rootdomain.xx.                                           13.10.2010 03:00:00
(same as parent folder)               Start of Authority (SOA)  [136], domDC10002.logon.rootdomain.xx., hostmaster.rootdomain.xx.   static

Thanks for your reply.


Thursday, November 11, 2010 1:42 PM

Btw, I also get this error:

Repadmin can't connect to a "home server", because of the following error.  Try
specifying a different
home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:

    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:


Thursday, November 11, 2010 3:53 PM

Hi Briggen,

Those CNAMES are normal and get registered by Netlogon. What Tiger was referring to is if you had manually created any CNAMES for any unknown purpose or reasons.

Ace



Thursday, November 11, 2010 4:20 PM | 1 vote

Briggen,

Thanks for responding.

The Remote Desktop in the title can be ignored because it states that's just one of the symptoms. Please re-read the article.

Netdiag doesn't work on 2008, hence what you're seeing. Originally you didn't post what OS it was, so I didn't know you had 2008.

Do you have AD Sites configured?

 

Dcdiags:

Please retry dcdiag with: dcdiag /v > c:\dcdiag.txt on each DC and upload them to Windows Live SkyDrive. It would be helpful to see each one, if possible. You can hide the DC and domain names using notepad's Replace function.

 

DNS Design in a multi-domain forest:

I also didn't realize you have multiple domains in the forest. This introduces another factor with DNS design. Since this is a multi-domain forest, we'll need to know what replication scope the domains rootdomain.com, logon.rootdomain.com, and _msdcs.rootdomain.com are set to in order to understand the relationship with the DNS addresses the DCs are using.

When configuring DNS addresses in a multi-domain forest, it must be carefully designed. Do you have a parent-child DNS delegation with a forwarder from the child DNS set to the parent DNS, and parent DNS forwarder to the ISP, or are all the zones in the ForestDnsZones partition and each have a forwarder to the ISP?

The important thing is that whatever DNS servers are chosen for a DC, that DNS server must host the zone, and the zone must be in the appropriate replication scope based on your DNS resolution design in the forest. Read more to understand what I'm talking about:

DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

 

Ipconfigs:

You pulled out the top part of the ipconfigs. They tell us the Primary DNS Suffix, IP routing, WINS proxy settings, etc. It helps in troubleshooting to understand the whole config.

So far, what I see with the ipconfigs is that you have 3 DNS addresses set on each one. Actually, more than 2 becomes superfluous due to the client-side resolver service timeout when it queries DNS, and it may never get to the 3rd entry. So 2 DNS addresses are sufficient. Rule of thumb for DNS entries: point to itself as the first entry, and as the second entry choose a nearby replica DC, or one across the WAN if one is not in the same location/AD Site.

 

Possible duplicate zone issue?

This is always a possible cause of concern and will create issues. To understand what a dupe zone is, how it may have occurred, and how to fix it, please read my blog on this condition. Just to eliminate this concern, please follow the instructions on how to use ADSI Edit to just "see" if there are any dupes in any of the partitions.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

 

Summary:

One way to see if there are any issues with DNS is to point all DCs to only one DNS server, run an ipconfig /registerdns, and restart the Netlogon service. However, this all depends on your DNS design. If there is a delegation configured, then this won't work.

It appears there may be a DNS lookup issue going on if GPOs are not processing. Responses to the info above will be helpful.

 

Thanks!

Ace

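Added example (not Ace's code or the thread's): a PowerShell check that applies the DNS client rule of thumb above to every DC, and also flags the RODC pattern from the ipconfigs posted earlier (remote DCs first, 127.0.0.1 last). It assumes the ActiveDirectory module and WMI access to each DC.

```powershell
# Added example (not from the thread): audit each DC's DNS client settings against the reply's
# rule of thumb: at most two DNS servers, itself first, a replica DC second.
# Assumptions: ActiveDirectory module present; WMI/DCOM reachable on every DC; admin rights.
Import-Module ActiveDirectory

function Test-DcDnsClientConfig {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | ForEach-Object HostName)
    )
    foreach ($dc in $DomainController) {
        try {
            $nics = Get-WmiObject -ComputerName $dc -Class Win32_NetworkAdapterConfiguration `
                                  -Filter 'IPEnabled = TRUE' -ErrorAction Stop
        } catch {
            Write-Warning "WMI query failed for ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($nic in $nics) {
            # IPv4 addresses bound to this adapter; "itself" means one of these or the loopback.
            $own = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
            $dns = @($nic.DNSServerSearchOrder)
            $issues = @()
            if ($dns.Count -eq 0) {
                $issues += 'no DNS servers configured'
            } else {
                if ($dns.Count -gt 2) {
                    $issues += "$($dns.Count) DNS servers; more than 2 is superfluous"
                }
                if ($dns[0] -ne '127.0.0.1' -and $own -notcontains $dns[0]) {
                    $issues += "first DNS server $($dns[0]) is not this DC"
                }
                if ($dns.Count -gt 1 -and $dns[-1] -eq '127.0.0.1') {
                    # The RODC in the thread: two remote DCs first, loopback last.
                    $issues += 'loopback listed last; the DC itself should be first'
                }
            }
            [pscustomobject]@{
                DC         = $dc
                Adapter    = $nic.Description
                IPv4       = ($own -join ', ')
                DnsServers = ($dns -join ', ')
                Issues     = ($issues -join '; ')
            }
        }
    }
}

# Usage: Test-DcDnsClientConfig | Where-Object Issues | Format-Table -AutoSize
```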


Friday, November 12, 2010 4:53 AM | 1 vote

Hi all,

 

Thanks for update.

 

I would suggest you install hotfix 939820 on all Windows 2003-based computers in your environment first.

And Ace, thanks for your explanation. I mentioned CNAME because this may be a possible cause of this issue, and it mostly happens in a mixed Windows Server 2003 and 2008 environment.

On a Windows Server 2003/XP host, it will request the domain name no matter what type of record was in place; however, on Vista/2008 this has been changed, and it will build the Kerberos ticket request based on the resolved HOST (A) record.

 

Thanks.

 

Tiger Li



Friday, November 12, 2010 10:44 AM

Hi,

Thank you so much for your time and patience. I know I didn’t supply all the information required to analyze in my first post, as I was at first wondering if the error code 82 represented a known error. Since we are getting down to a more detailed analysis here, I’ll try to be more precise.

DCdiag:

I’ll try to upload the result to Skydrive soon, and post the link here.

DNS design in a multi domain forest:

Thank you, I’ll read your blog.

IP-config:

I know about the rule of thumb, and I also noticed the settings on the RODC, however I didn’t want to correct these settings before having posted the information. I thought it might be good to consider all possible factors here.

 

Possible Dupe:

This might just be the problem. I’ll read through your article regarding dupe zones, and get back to you on this.

 

The infrastructure:

Yes they have sites configured.  Main office (and default first site) 2 root dc’s and 2 DC’s in logon.root.xx (sub to root).   The branch offices are also configured as separate sites, each having one RODC.

The DNS infra is set up as you described in your first example : “parent-child DNS delegation with a forwarder from the child DNS set to the parent DNS, and parent DNS forwarder to the ISP”    

The child DC’s (logon DC’s) forward to the root domain, and the root domain forwards to the ISP.

 

Summary:

I’ll try out some of the methods you have suggested, and I promise to get back with results. And once again thanks for the great feedback. It is much appreciated. More coming…… :-)


Friday, November 12, 2010 10:53 AM

I have a couple of manually created CNAMEs, but they are pointing to some internal web servers. None of these records point to any of the DCs. Would these records still be relevant?

Thanks

 


Friday, November 12, 2010 1:52 PM

You are welcome, Tiger. :-)



Friday, November 12, 2010 1:54 PM


That depends on the names. Could you have created an A record to do the same job? In scenarios such as this and other scenarios as well, I always avoid using CNAMES. Sometimes they can complicate things and cause lookup loops.



Monday, November 15, 2010 1:30 AM | 1 vote

Hi Briggen,

 

Thanks for update.

 

Based on my knowledge, the patch 939820 is the known hotfix related to the error code 82 and 1006 issue, as far as I know.

It would be appreciated if you could provide more information about your environment, so that we can give you an accurate solution.

Looking forward to your update.

 

Thanks.

 

Tiger Li

 



Monday, November 15, 2010 2:36 PM

Hi Both (and all others reading this :-) )!

Thank you both for supplying a lot of good information. I will consider the patch, and also, at least temporarily, removing the CNAME records as well. Anyway, Ace, I read your great article regarding DNS design and parent-child delegation. When looking closer at the DNS server on both parent and child domain, I noticed that the SOA serials on the parent and child domain were far from the same. What has been done here is that the parent zone exists on the parent DCs/DNS servers as well as on the child DCs/DNS servers, however the parent zone exists as two domain-wide replicated zones!!

I would very much like to remove that parent zone from the child dc’s, and make it “forest replicated” on the parent dc’s, but I’m a bit worried about how  this will affect Active directory. Any thoughts would be much appreciated. Thanks again. 

 


Tuesday, November 16, 2010 12:15 PM

Hi Briggen,

Thanks for update.

The main advantage of this setting is that it will reduce the network traffic between branch and main office.

Thanks.

Tiger Li



Wednesday, November 17, 2010 2:47 PM

Hi, and thanks for reply...

Can you specify what setting you are referring to?

 

Thanks.


Wednesday, November 17, 2010 5:26 PM


Tiger's referring to the delegation. If you change the zone to forest wide, that zone is added to the partition increasing replication traffic content.

Ace



Wednesday, November 17, 2010 5:30 PM


The parent zone exists at the root domain and the child domain? That will cause problems, and probably a dupe zone scenario. You should really remove the parent zone from the child, because they are in effect two totally separate zones, since you're saying their replication scope is set to only domain-wide.

Assuming you don't want to setup a delegation and you want to make the parent zone forest-wide, you definitely must delete the child version of it.

Curious, how did that child dupe get there? Did someone manually create it?

Ace



Wednesday, November 17, 2010 8:05 PM

Thanks a lot for replying. I'm actually quite curious myself about how this happened. I stumbled across it when looking at the SOA. I also found that the RODCs at the branch offices are replicating the parent zone with all DCs, but it has the SOA from the parent domain. Puuh! Anyway, yes, I know I will have to remove the parent zone from the child DCs; however, is there anything I should think about when doing so? Any danger of giving the AD worse problems in the process (considering it must have been like this for a while)? Thanks again, Ace.


Wednesday, November 17, 2010 8:10 PM | 1 vote

The only consideration is doing it after hours.

Also interesting that the SOA of the root zone on the child DC/DNS indicates it's the parent root.

Before you do anything, run the following to see if there are any dupe zones in the AD database. You haven't indicated whether you did that or not after I posted the link in one of my previous posts, but PLEASE do so:

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

Ace

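Added example, not from the thread or the linked blog: the same three-partition ADSI Edit check done from PowerShell. It lists every dnsZone object under CN=MicrosoftDNS in the domain NC, DomainDnsZones and ForestDnsZones, flags CNF/In Progress conflict objects, and reports any zone name stored in more than one partition across the servers you pass (the parent zone held domain-wide in both parent and child is exactly that case). It assumes the ActiveDirectory module; the server names in the usage line are placeholders.

```powershell
# Added example (not from the thread): enumerate AD-integrated DNS zone objects in every
# partition that can hold them and flag (a) "CNF:" / "..InProgress..." conflict objects and
# (b) one zone name stored as two separate objects, i.e. a duplicate zone.
# The container a zone lives in is what the DNS console shows as its replication scope.
# Assumptions: ActiveDirectory module; read access to the partitions on the queried server.
Import-Module ActiveDirectory

function Get-DnsZoneContainer {
    param([string]$Server)
    $root = Get-ADRootDSE -Server $Server
    @(
        [pscustomobject]@{ Scope = 'Domain NC (legacy: all DCs in domain)'
                           Path  = "CN=MicrosoftDNS,CN=System,$($root.defaultNamingContext)" }
        [pscustomobject]@{ Scope = 'DomainDnsZones (all DNS servers in domain)'
                           Path  = "CN=MicrosoftDNS,DC=DomainDnsZones,$($root.defaultNamingContext)" }
        [pscustomobject]@{ Scope = 'ForestDnsZones (all DNS servers in forest)'
                           Path  = "CN=MicrosoftDNS,DC=ForestDnsZones,$($root.rootDomainNamingContext)" }
    )
}

function Get-AdDnsZoneObject {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    foreach ($c in Get-DnsZoneContainer -Server $Server) {
        try {
            $zones = Get-ADObject -Server $Server -SearchBase $c.Path -SearchScope OneLevel `
                                  -LDAPFilter '(objectClass=dnsZone)' -Properties whenCreated -ErrorAction Stop
        } catch {
            # A DC that does not host the partition (or has no legacy container) lands here.
            Write-Warning "Skipping $($c.Path) on ${Server}: $($_.Exception.Message)"
            continue
        }
        foreach ($z in $zones) {
            [pscustomobject]@{
                Zone     = $z.Name
                Scope    = $c.Scope
                Conflict = [bool]($z.Name -match 'CNF:|In ?Progress')
                Created  = $z.whenCreated
                DN       = $z.DistinguishedName
                Server   = $Server
            }
        }
    }
}

function Find-DuplicateDnsZone {
    # Query one DC/DNS server per domain (a parent DC and a child DC) so each domain's
    # domain-wide partitions are covered; ForestDnsZones is one partition, de-duplicated by DN.
    param([string[]]$Servers = @((Get-ADDomain).PDCEmulator))
    $all = foreach ($s in $Servers) { Get-AdDnsZoneObject -Server $s }
    $all | Sort-Object DN -Unique | Group-Object Zone | ForEach-Object {
        [pscustomobject]@{
            Zone      = $_.Name
            Copies    = $_.Count
            Scopes    = (($_.Group | ForEach-Object Scope) | Sort-Object -Unique) -join '; '
            Conflict  = [bool]($_.Group | Where-Object Conflict)
            Duplicate = ($_.Count -gt 1)      # same zone name as two objects = dupe zone
        }
    } | Sort-Object Duplicate, Conflict, Zone -Descending
}

# Usage (hostnames are placeholders):
# Find-DuplicateDnsZone -Servers 'parentdc01.parent.example', 'childdc01.child.parent.example' | Format-Table -AutoSize
```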


Wednesday, November 17, 2010 8:23 PM

Thanks,

Yes, I actually did this drill, but didn't find any "In Progress..." or "CNF..." entries.

However, I think I found some long GUIDs. Anyway, I think I'll do the drill once more right away.... update coming in a moment... :-)


Wednesday, November 17, 2010 8:34 PM

Post a screenshot in JPG format of what you see to Windows Live Skydrive.

Thanks

Ace



Wednesday, November 17, 2010 9:20 PM

Ok Ace, I've got some output for you. I've tried to do the 3 steps that you mention in your article:

view the DomainNC Partition and determine if there are duplicate zones

Only one zone appeared, and it looked normal, but there was no “Domain” in the dropdown box, so I chose default naming context and below (default, the domain that you logged into)

 

view the ForestDnsZones Application Partition:

At the bottom here I got a couple of lines like the following (masked):

DC=32222b72-bcbe-4f84-a2c2-ab4af900ed9d  dnsNode  DC=05b32372-bcbe-4f84-a2c2-ab4af233345d,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no
DC=29c51555-913e-4326-b579-ea3d2df5bdd9  dnsNode  DC=29c232be-913e-4326-b579-ea3d2df11119,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no
DC=5023343f-b0e4-4b45-bdcf-2c6d8706e984  dnsNode  DC=5032323f-b0e4-4b45-bdcf-2c6d87023214,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no
DC=55c224ce-753d-4a35-a125-16aa60513945  dnsNode  DC=55c232ce-753d-4a35-a125-16aa60512125,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no
DC=7706934a-da49-4b7a-84f4-3b2c6f54918e  dnsNode  DC=7702324a-da49-4b7a-84f4-3b2c6f55454e,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no
DC=abc734dc-eb13-417b-8fa5-35afe1515626  dnsNode  DC=a111b2dc-eb13-417b-8fa5-35afe1554546,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no
DC=b8911222-038a-4859-8ef5-240bdeceed49  dnsNode  DC=b233aab2-038a-4859-8ef5-240bdec54549,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no
DC=gc                                    dnsNode  DC=gc,DC=_msdcs.parent.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=parent,DC=no

I’m not really sure how to read this, but there was no "In Progress..." or "CNF..." entry.

view the DomainDnsZones Application Partition

This seemed ok.

What do you think?

Thanks,


Wednesday, November 17, 2010 11:14 PM | 1 vote

Good that there are no CNF or In Prog entries.

The DC=32222b72-bcbe-4f84-a2c2-ab4af900ed9d is the GUID for the DC that you'll find under _msdcs zone.

So that's good.

And just to verify, go to a parent DC/DNS, and to a child DC/DNS, right click the domain.com zone, properties, what replication scope is it? (Which button)?

Same with the child.domain.com zone.

Ace



Thursday, November 18, 2010 9:50 AM

Yep, I have checked the scope, and the parent zone exists on both child domain DCs as well as parent DCs. The scope is: "All servers in the domain". So I guess I'm moving on to deleting the parent zone from the child domain DCs. I guess the correct order would be first removing that zone and then, second, extending the scope on the parent DCs to replicate forest-wide?

An instructor once told me: "if you have a strange error that doesn't make sense, look to DNS" ;-)

Thanks again Ace, 


Friday, November 19, 2010 6:46 PM

Yep, delete it on the child side, wait for replication between DCs in the child (which would be almost immediately if one site, if more than one site, you would have to wait based on the replication schedule), then make it forest-wide at the parent, and just WAIT and the zone will auto-populate at the child.

And your instructor is right. Most AD errors are DNS based. :-)

Cheers!

Ace 



Friday, November 19, 2010 10:20 PM

Thank you so much for all the help, man. Actually, I must admit that reading your articles about finding dupes has been educational :-) I'll be doing the change during the weekend I suppose (after office hours), and at least this is a big step towards a healthy AD environment. If I may be so bold to ask one more bonus question...hehe.. : As I mentioned, in my child domain, I have 2 RODCs at branch offices (separate sites). On the central "writeable" DC under DNS properties, should the RODC also be listed under the name server tab?

Again, Cheers !

 


Saturday, November 20, 2010 3:41 AM

All DNS servers in the replication scope of a zone, should be in the nameservers tab. So if you're referring to the child DNS servers in the child (RODC or writeable) are in the nameservers tab, but you're removing the zone, then they should be removed. However, since you're changing the scope to forest wide, I guess it wouldn't matter and would need to be there.

You are welcome, Briggen. Glad I was able to help so far.

Ace



Saturday, November 20, 2010 10:49 AM

Well, I'm removing the parent zone from the child domain, however I still planned to keep the child domain zone replicated domain-wide on the child DCs/DNS servers. To be more specific, the child domain (logon.domain.com or child.parent.com if you will) has RODCs in branch offices. These RODCs all replicate and resolve names from this zone. However, I noticed that only the two writeable DCs at Default-First-Site are listed as name servers for the child zone. I would also like to add the RODCs here since they are also DNS servers in this zone. That was probably not expressed very clearly. Did that make sense? :-)

Cheers :-)


Saturday, November 20, 2010 5:00 PM

So you want to keep the child zone at the child domain? Oh, ok, that wasn't clear.

If that's the case, you'll need to create a parent-child DNS delegation. My DNS Design options blog has step by steps to create it.

Ace



Saturday, November 20, 2010 6:45 PM

Well, the delegation is already there; I can ping servers in the child domain from the parent domain, so that's covered. The forwarder from child to parent and from parent to ISP is also already there.