
Issue with DNS initial Synchronization

Question

Thursday, July 4, 2019 2:01 PM

Hi everybody,

Thank you in advance for taking the time to help me.

The context:

We are beginning our IT from scratch (new forest with new DC)

- We have 3 DNS servers (that are also Domain Controllers)

  • Primary is installed on subnet 1 (installed in February with no apparent errors)
  • Secondary is installed on subnet 1 (installed in February with no apparent errors)
  • Third is installed on subnet 2, routed with the first one (installed today with an error: “A Delegation for this DNS server cannot be found or does not run Windows DNS server…”)

- The error we are having:

  • “The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.”

- We manage our DNS addresses with Microsoft’s IPAM

  • Installed in subnet 1. It does have a connection to all 3 DNS servers, but we have an issue with the _msdcs zone (Zone Status = Error)
  • I do not know if this is linked…

I am a bit lost on what to do next… Everything seems fine to me; the replication seems to work fine (maybe a bit slow). However, as we are starting from scratch, I do not want to have any issues in our infrastructure.

Thank you in advance,

Best Regards,

Jon

All replies (7)

Friday, July 5, 2019 8:05 AM ✅Answered

Hello Jon,

Thank you for posting in this forum.

I found a post related to this; please check if the reply in that post is useful to you.

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial

Best Regards,

Leon

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, July 5, 2019 6:24 AM

Hello,

Is it possible to have an output of a dcdiag /e ?

Do you have any Firewall between subnet 1 and subnet 2 ?

Best Regards,


Monday, July 8, 2019 6:10 AM

Hello,

Is it possible to have an output of a dcdiag /e ?

Do you have any Firewall between subnet 1 and subnet 2 ?

Best Regards,

Sorry about the delay... I have been sick.

No firewall between them. They are both "virtually" connected to the same Nexus switch.

The dcdiag output:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = VSI-ADDS-P03
   * Identified AD Forest.
   Ldap search capability attribute search failed on server VSI-ADDS-P01, return value = 81
   Got error while checking if the DC is using FRS or DFSR. Error: Win32 Error 81The VerifyReferences, FrsEvent and
   DfsrEvent tests might fail because of this error.
   Ldap search capability attribute search failed on server VSI-ADDS-P02, return value = 81
   Got error while checking if the DC is using FRS or DFSR. Error: Win32 Error 81The VerifyReferences, FrsEvent and
   DfsrEvent tests might fail because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\VSI-ADDS-P01
      Starting test: Connectivity
         Server VSI-ADDS-P01 resolved to these IP addresses: XXXXXXX, but none of the addresses could be reached
         (pinged). Please check the network.
         Error: 0x2b02 "Error due to lack of resources."
         This error more often means that the targeted server is shutdown or disconnected from the network.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... VSI-ADDS-P01 failed test Connectivity

   Testing server: Default-First-Site-Name\VSI-ADDS-P02
      Starting test: Connectivity
         Server VSI-ADDS-P02 resolved to these IP addresses: XXXXXXX, but none of the addresses could be reached
         (pinged). Please check the network.
         Error: 0x2b02 "Error due to lack of resources."
         This error more often means that the targeted server is shutdown or disconnected from the network.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... VSI-ADDS-P02 failed test Connectivity

   Testing server: Default-First-Site-Name\VSI-ADDS-P03
      Starting test: Connectivity
         ......................... VSI-ADDS-P03 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\VSI-ADDS-P01
      Skipping all tests, because server VSI-ADDS-P01 is not responding to directory service requests.

   Testing server: Default-First-Site-Name\VSI-ADDS-P02
      Skipping all tests, because server VSI-ADDS-P02 is not responding to directory service requests.

   Testing server: Default-First-Site-Name\VSI-ADDS-P03
      Starting test: Advertising
         Warning: VSI-ADDS-P03 is not advertising as a time server.
         ......................... VSI-ADDS-P03 failed test Advertising
      Starting test: FrsEvent
         ......................... VSI-ADDS-P03 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... VSI-ADDS-P03 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... VSI-ADDS-P03 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 07/08/2019   07:44:25
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
         An error event occurred.  EventID: 0xC0000827
            Time Generated: 07/08/2019   07:45:26
            Event String:
            Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
         An error event occurred.  EventID: 0xC0000827
            Time Generated: 07/08/2019   07:46:04
            Event String:
            Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 07/08/2019   07:49:25
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 07/08/2019   07:49:25
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
         ......................... VSI-ADDS-P03 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         [VSI-ADDS-P01] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: VSI-ADDS-P01 is the Schema Owner, but is not responding to DS RPC Bind.
         Warning: VSI-ADDS-P01 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: VSI-ADDS-P01 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: VSI-ADDS-P01 is the Domain Owner, but is not responding to LDAP Bind.
         [VSI-ADDS-P02] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: VSI-ADDS-P02 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: VSI-ADDS-P02 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: VSI-ADDS-P02 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: VSI-ADDS-P02 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: VSI-ADDS-P02 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: VSI-ADDS-P02 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... VSI-ADDS-P03 failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... VSI-ADDS-P03 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... VSI-ADDS-P03 passed test NCSecDesc
      Starting test: NetLogons
         ......................... VSI-ADDS-P03 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... VSI-ADDS-P03 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P02 to VSI-ADDS-P03
            Naming Context: DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:46:58.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P01 to VSI-ADDS-P03
            Naming Context: DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:47:41.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P02 to VSI-ADDS-P03
            Naming Context: DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:46:46.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P01 to VSI-ADDS-P03
            Naming Context: DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:47:29.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P02 to VSI-ADDS-P03
            Naming Context: CN=Schema,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:45:45.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P01 to VSI-ADDS-P03
            Naming Context: CN=Schema,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:46:16.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P02 to VSI-ADDS-P03
            Naming Context: CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:45:26.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P01 to VSI-ADDS-P03
            Naming Context: CN=Configuration,DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:46:04.
            The last success occurred at 2019-07-07 01:58:07.
            30 failures have occurred since the last success.
            The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P02 to VSI-ADDS-P03
            Naming Context: DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:46:34.
            The last success occurred at 2019-07-07 02:12:34.
            30 failures have occurred since the last success.
            The guid-based DNS name bd985dfe-412d-4587-b8b1-965adb3a812c._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         [Replications Check,VSI-ADDS-P03] A recent replication attempt failed:
            From VSI-ADDS-P01 to VSI-ADDS-P03
            Naming Context: DC=XXX,DC=XXXXX,DC=XX
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2019-07-08 07:47:17.
            The last success occurred at 2019-07-07 02:20:00.
            30 failures have occurred since the last success.
            The guid-based DNS name afcc3f8a-12f9-48af-9b86-0de2e72b77bf._msdcs.DOMAIN
            is not registered on one or more DNS servers.
         ......................... VSI-ADDS-P03 failed test Replications
      Starting test: RidManager
         ......................... VSI-ADDS-P03 failed test RidManager
      Starting test: Services
         ......................... VSI-ADDS-P03 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 07/08/2019   07:43:51
            Event String: The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 07/08/2019   07:44:27
            Event String:
            Name resolution for the name wpad timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00000C18
            Time Generated: 07/08/2019   07:44:39
            Event String: The primary Domain Controller for this domain could not be located.
         An error event occurred.  EventID: 0xC0000428
            Time Generated: 07/08/2019   07:44:39
            Event String:
            The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occured: The specified domain either does not exist or could not be contacted.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 07/08/2019   07:44:40
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/VSI-ADDS-P03.DOMAIN; WSMAN/VSI-ADDS-P03.
         An error event occurred.  EventID: 0x00002710
            Time Generated: 07/08/2019   07:44:40
            Event String: Unable to start a DCOM Server: {9C38ED61-D565-4728-AEEE-C80952F0ECDE}. The error:
         An error event occurred.  EventID: 0x00000469
            Time Generated: 07/08/2019   07:44:41
            Event String:
            The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 07/08/2019   07:44:46
            Event String:
            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 07/08/2019   07:44:47
            Event String:
            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 07/08/2019   07:44:51
            Event String:
            Name resolution for the name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 07/08/2019   07:47:44
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DOMAIN.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 07/08/2019   07:47:54
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DOMAIN.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
         ......................... VSI-ADDS-P03 failed test SystemLog
      Starting test: VerifyReferences
         ......................... VSI-ADDS-P03 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
            For the partition (DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
            retrieving the cross-ref's
            (CN=8ac856f2-bc56-4f63-9905-b59245097f1f,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
            information:
               LDAP Error 0x3a (58).
         ......................... ForestDnsZones failed test CheckSDRefDom
      Starting test: CrossRefValidation
            For the partition (DC=ForestDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
            retrieving the cross-ref's
            (CN=8ac856f2-bc56-4f63-9905-b59245097f1f,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
            information:
               LDAP Error 0x3a (58).
         ......................... ForestDnsZones failed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
            For the partition (DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
            retrieving the cross-ref's
            (CN=7078cf43-3f80-437d-8332-5646cf144de4,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
            information:
               LDAP Error 0x3a (58).
         ......................... DomainDnsZones failed test CheckSDRefDom
      Starting test: CrossRefValidation
            For the partition (DC=DomainDnsZones,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
            retrieving the cross-ref's
            (CN=7078cf43-3f80-437d-8332-5646cf144de4,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
            information:
               LDAP Error 0x3a (58).
         ......................... DomainDnsZones failed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
            For the partition (CN=Schema,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error
            retrieving the cross-ref's  (CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
            information:
               LDAP Error 0x3a (58).
         ......................... Schema failed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
            For the partition (CN=Configuration,DC=XXX,DC=XXXXX,DC=XX) we encountered the following error retrieving
            the cross-ref's  (CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX)
            information:
               LDAP Error 0x3a (58).
         ......................... Configuration failed test CrossRefValidation

   Running partition tests on : corp
      Starting test: CheckSDRefDom
         ......................... corp passed test CheckSDRefDom
      Starting test: CrossRefValidation
            For the partition (DC=XXX,DC=XXXXX,DC=XX) we encountered the following error retrieving the cross-ref's
            (CN=CORP,CN=Partitions,CN=Configuration,DC=XXX,DC=XXXXX,DC=XX) information:
               LDAP Error 0x3a (58).
         ......................... corp failed test CrossRefValidation

   Running enterprise tests on : DOMAIN
      Starting test: LocatorCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... DOMAIN failed test LocatorCheck
      Starting test: Intersite
         ......................... DOMAIN passed test Intersite

For the post from HK.Leon, I will check it right now.

Thanks for the help guys.

Jon


Wednesday, July 10, 2019 5:42 AM

Hello,

Based on your output, it seems that you have a lot of errors regarding network communication between your DCs.

Maybe you should check with a port query that the ports listed in the article are open:

/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)

Best Regards,
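
As an added example (not code from the thread or from Microsoft), the following PowerShell check covers the two things the dcdiag output above is complaining about: whether each DC's GUID-based CNAME under _msdcs (the "guid-based DNS name ... is not registered" in the 8524 errors) resolves on every DNS server, whether the site-specific Kerberos SRV record that timed out in the SystemLog test resolves, and whether the DC ports from the linked article are reachable. It assumes the ActiveDirectory and DnsClient modules (RSAT), a domain-joined host, and that every DC is also a DNS server as in Jon's setup; the site name Default-First-Site-Name is taken from the dcdiag output.

```powershell
# Added diagnostic, not from the thread. Assumes the ActiveDirectory and DnsClient
# modules, a domain-joined host, and that every DC also runs DNS.
Import-Module ActiveDirectory
Import-Module DnsClient

$forest = (Get-ADForest).RootDomain          # the _msdcs zone lives under the forest root
$dcs    = Get-ADDomainController -Filter *   # HostName, IPv4Address, NTDSSettingsObjectDN

# Ports a DC must reach on a replication partner, per the port-requirements article:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB (SYSVOL), kpasswd, LDAPS, Global Catalog.
# The dynamic RPC range (49152-65535 by default) is negotiated through 135 and is not
# probed here; dcdiag error 1722 with 135 reachable usually points at that range.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268

$results = @(foreach ($dc in $dcs) {
    # The CNAME label is the objectGUID of the DC's NTDS Settings object; this is the
    # "guid-based DNS name" that replication partners resolve before binding.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $cname   = "$dsaGuid._msdcs.$forest"

    # Ask each DNS server directly (-DnsOnly bypasses the local cache); all of them
    # host the AD-integrated zone, so all of them should hold the record.
    foreach ($dns in $dcs) {
        try {
            $answer = Resolve-DnsName -Name $cname -Type CNAME -Server $dns.IPv4Address -DnsOnly -ErrorAction Stop
            $target = ($answer | Where-Object Type -eq 'CNAME').NameHost
        } catch {
            $target = "UNRESOLVED: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Check = 'msdcs-CNAME'; Target = $dc.HostName; Via = $dns.HostName
                           Result = $target; OK = ($target -eq $dc.HostName) }
    }

    # TCP reachability from this host to each DC. A closed 135 or 389 matches the
    # "not responding to DS RPC Bind / LDAP Bind" warnings in KnowsOfRoleHolders.
    foreach ($port in $ports) {
        $open = Test-NetConnection -ComputerName $dc.HostName -Port $port `
                                   -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "tcp/$port"; Target = $dc.HostName; Via = $env:COMPUTERNAME
                           Result = $open; OK = $open }
    }
})

# The site-specific Kerberos SRV lookup that timed out in the SystemLog test.
$srv = "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.$forest"
foreach ($dns in $dcs) {
    try {
        $r = Resolve-DnsName -Name $srv -Type SRV -Server $dns.IPv4Address -DnsOnly -ErrorAction Stop
        $hosts = ($r | Where-Object Type -eq 'SRV').NameTarget -join ', '
        $results += [pscustomobject]@{ Check = 'SRV'; Target = $srv; Via = $dns.HostName; Result = $hosts; OK = $true }
    } catch {
        $results += [pscustomobject]@{ Check = 'SRV'; Target = $srv; Via = $dns.HostName
                                       Result = $_.Exception.Message; OK = $false }
    }
}

# Failures sort first; a CNAME that resolves on one DC but not another is the
# replication symptom, a closed port is the network symptom.
$results | Sort-Object OK, Check | Format-Table -AutoSize
```

Run it from the newest DC (VSI-ADDS-P03 in the thread) so the port checks follow the same path the replication attempts take.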


Wednesday, July 17, 2019 9:31 AM

Hi,

Just checking the current situation of your problem.
Was your issue resolved?

Best regards,
Leon



Monday, July 22, 2019 6:33 AM

Yes, sorry, I forgot a bit... Our network configuration was wrongly done... We used the wrong link between both sites... Sorry for the inconvenience.


Monday, July 22, 2019 10:21 AM

Thank you for your update.

I am glad to hear that your issue was successfully resolved.

If there is anything else we can do for you, please feel free to post in the forum.

Best Regards,

Leon
