  • Creating new sites and replication

    Hi Guys,

    I am a long time reader but this is my first post.

    I have a little problem with my sites and replication.

    My company has decided to open a new office in Phoenix and I have the task of setting up a new site. Having never done this I figured I would need help; however, I decided to try it myself first ("first mistake"). I decided to test site replication before actually trying to do this on the live system, so I used a spare server, made it a DC and put it into a site. I ran into problems, so I am asking for someone to shed some light on what I am doing wrong.

    Current layout

    1 domain spanning 1 site in Seattle

    3 DC's in abc.com domain (abc.com changed to protect the innocent, i.e. dumb admins like me)

    2 DC are assigned to Seattle site. 1 DC moved from Seattle site to Phoenix site

    1 subnet assigned to Seattle site
    1 subnet assigned to Phoenix site

    We have several DNS servers; both DC's are DNS servers, but I am sure they are not set up right.

    Our primary DNS server is a Unix box running BIND 9 ("for some reason DDNS does not want to accept updates from our Windows 2003 DNS boxes even though they are set to allow both secure and nonsecure updates").

    What I did was:

    1. Created the Phoenix site
    2. Moved a DC from Seattle Site to Phoenix Site
    3. Defined site boundaries for both sites


    No replication is occurring between the sites. I keep getting KCC errors in Event Viewer:

    All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.

    Site:
    CN=Phoenix,CN=Sites,CN=Configuration,DC=abc,DC=com
    Directory partition:
    CN=Configuration,DC=abc,DC=com
    Transport:
    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=abc,DC=com
    -----------------------------------------------------------------------------------------------------

    The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

    Sites:
    CN=Phoenix,CN=Sites,CN=Configuration,DC=abc,DC=com

    ----------------------------------------------------------------------------------------------------
    The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

    Directory partition:
    DC=DomainDnsZones,DC=internetadvancement,DC=com

    There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

    User Action
    Use Active Directory Sites and Services to perform one of the following actions:
    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.

    If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
    ------------------------------------------------------------------------------------------------
    All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.

    Site:
    CN=Phoenix,CN=Sites,CN=Configuration,DC=internetadvancement,DC=com
    Directory partition:
    DC=DomainDnsZones,DC=internetadvancement,DC=com
    Transport:
    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=internetadvancement,DC=com


    And so on.

    I think this is a DNS issue. When I try to resolve the server that I moved from the Seattle site to the Phoenix site on the Seattle DC, the old IP comes up. I don't know whether I should put the A record for the Phoenix DC into DNS on the Seattle DC, or put it into the Unix DNS server.

    Seattle DC's reside on their own subnet. The Phoenix DC is in its own subnet. There are no firewalls in between. The Phoenix DC is pointing to a different DNS server than the DC's in the Seattle site. The Phoenix DC can successfully resolve both Seattle DC's. The Seattle DC's cannot resolve the Phoenix DC; they keep getting the old IP, which is not pingable.

    I should mention that I am terrible at DNS configuration.


    HELP
    Last edited by lwnemesis; 19th December 2006, 01:09.

  • #2
    Re: Creating new sites and replication

    Originally posted by lwnemesis:
    I think this is a DNS issue. When I try to resolve the server that I moved from the Seattle site to the Phoenix site on the Seattle DC, the old IP comes up. I don't know whether I should put the A record for the Phoenix DC into DNS on the Seattle DC, or put it into the Unix DNS server.
    Do you know if your DC's are set up as secondary zones? (Go to the properties of the zone and see what it says on the General tab; see pic.) If so, then you can't add an A record to them.

    It sounds like the Unix DNS server has a primary zone. If it's not accepting dynamic updates and it holds the primary zone then that is probably the problem. See this article about configuring BIND to support Active Directory http://www.microsoft.com/technet/arc....mspx?mfr=true

    Would it be possible to get rid of the BIND DNS and switch to an Active Directory integrated zone?
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    • #3
      Re: Creating new sites and replication

      Both Seattle DC's have AD-integrated zones. I set them up with primary zones.

      • #4
        Re: Creating new sites and replication

        OK, what type of zone is on the Unix box?
        Are you using DHCP and if so what server(s) are configured?
        Which server is configured as the Phoenix DC's primary DNS server?
        Regards,
        Jeremy

        • #5
          Re: Creating new sites and replication

          The Unix box has the primary DNS zone for abc.com.

          We are using DHCP; Unix DNS is configured in DHCP.

          An outside (ISP) DNS server is configured as the DNS server for the Phoenix DC.


          I think I should not have set up so many primary zones. Each DC has a primary zone for abc.com and the Unix DNS has the primary zone for abc.com. I am not talking about the _msdcs zone.
          Last edited by lwnemesis; 19th December 2006, 20:19.

          • #6
            Re: Creating new sites and replication

            Originally posted by lwnemesis:
            The Unix box has the primary DNS zone for abc.com.
            You should have only one primary DNS zone, unless it's AD-integrated, in which case all the DCs effectively have primary zones. You'll need to either switch all the DCs to secondary zones (not recommended) or switch the BIND to a secondary zone. Either way you'll need to configure the primary zone to allow zone transfers to the secondary.

            Is there a reason for the Unix DNS server? Are there entries in BIND that are not on the DCs' zone?

            We are using DHCP; Unix DNS is configured in DHCP.
            Is there a reason you don't want to make the DCs the preferred and secondary DNS servers?

            An outside (ISP) DNS server is configured as the DNS server for the Phoenix DC.
            How is the Phoenix DC connected to the LAN? The DC should be part of your existing AD DNS zone.
            Regards,
            Jeremy

            • #7
              Re: Creating new sites and replication

              The Unix DNS server is legacy and has been here since I started. It will be phased out when I figure out how to do DNS in Windows.

              I don't trust my setup of DNS on the DCs enough to make them primary and alternate DNS servers.

              The Phoenix DC is connected physically on the same network as the Seattle DC's. It just has a different IP and subnet. They are all internal servers, so there are no firewall issues. All DC's can ping each other by IP address. The Seattle DC's have themselves as their primary DNS servers. They cannot ping the Phoenix DC by name, only by IP address. The Phoenix DC can ping the Seattle DC's by name. Should I point the Seattle DC's to the Unix DNS?

              • #8
                Re: Creating new sites and replication

                Originally posted by lwnemesis:
                The Unix DNS server is legacy and has been here since I started. It will be phased out when I figure out how to do DNS in Windows.
                Unless there are some records in the BIND zone that are not in the AD-integrated zone, you should be fine to ditch BIND.
                How many workstations do you have?
                How many servers do you have and what OS are they running?

                I don't trust my setup of DNS on the DCs enough to make them primary and alternate DNS servers.
                Active Directory relies heavily on DNS and right now it's not set up properly. I suggest either learning DNS fast or getting someone in who can help you.

                The Phoenix DC is connected physically on the same network as the Seattle DC's. It just has a different IP and subnet. They are all internal servers, so there are no firewall issues. All DC's can ping each other by IP address.
                Why then is the ISP handling the DNS of your internal server?

                The Seattle DC's have themselves as their primary DNS servers. They cannot ping the Phoenix DC by name, only by IP address. The Phoenix DC can ping the Seattle DC's by name. Should I point the Seattle DC's to the Unix DNS?
                Is the Phoenix DC also configured as an AD-integrated DNS server? If not, then point its primary DNS server to one of the other DCs and run ipconfig /registerdns.

                Note: you'll probably want to eventually make the Phoenix DC an AD-integrated DNS server.

                EDIT - For your learning process...
                http://technet2.microsoft.com/Window....mspx?mfr=true This page has a bunch of links to learning the different aspects of DNS.
                http://www.microsoft.com/technet/com...d/tnti-35.mspx These are some video demonstrations. I haven't viewed them, but the titles look excellent.

                And apparently Train Signal's training video on DNS is excellent!! http://www.petri.com/dns_training_labs.htm
                Last edited by JeremyW; 20th December 2006, 21:29.
                Regards,
                Jeremy
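As an added check for the situation described in #8 (the Seattle DCs still resolve the moved DC to its old address, and the Phoenix DC points at an outside DNS server), the following PowerShell script, which is not from the thread, asks the DNS server each DC is configured to use for every DC's A record and for the per-site _msdcs SRV records, and flags stale or missing answers. Host names and IP addresses are constructed placeholders; Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not code from the thread. Assumes Resolve-DnsName (Windows 8 /
# Server 2012 or later). Domain and site names are the ones used in the thread;
# host names and IP addresses are constructed placeholders.
$Domain      = 'abc.com'
$ExpectedDCs = @{                   # constructed: DC host name -> its current IP
    'sea-dc1.abc.com' = '192.0.2.11'
    'sea-dc2.abc.com' = '192.0.2.12'
    'phx-dc1.abc.com' = '198.51.100.11'   # the DC moved to the Phoenix site
}
$Sites = @('Seattle', 'Phoenix')

function Test-DcResolution {
    param([string]$DnsServer)       # the DNS server a given DC is configured to use
    $problems = @()
    foreach ($dc in $ExpectedDCs.Keys) {
        try {
            $ips = Resolve-DnsName -Name $dc -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress
        } catch {
            $problems += "${DnsServer} cannot resolve ${dc} ($($_.Exception.Message))"; continue
        }
        if ($ips -notcontains $ExpectedDCs[$dc]) {
            # The thread's symptom: a stale A record still pointing at the DC's old address
            $problems += "${DnsServer} returns $($ips -join ', ') for ${dc}, expected $($ExpectedDCs[$dc])"
        }
    }
    # Site-scoped SRV records are how the KCC and clients locate a DC in each site
    foreach ($site in $Sites) {
        $srv = "_ldap._tcp.${site}._sites.dc._msdcs.${Domain}"
        try {
            $targets = Resolve-DnsName -Name $srv -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
            if (-not $targets) { $problems += "${DnsServer} has no SRV records for site ${site}" }
        } catch {
            $problems += "${DnsServer} cannot resolve ${srv} ($($_.Exception.Message))"
        }
    }
    return $problems
}

# Query the DNS server each DC actually uses (constructed list; an ISP resolver
# here, as in the thread, would fail every lookup above)
foreach ($server in '192.0.2.11', '192.0.2.12', '198.51.100.11') {
    $result = Test-DcResolution -DnsServer $server
    if ($result) { $result | ForEach-Object { Write-Warning $_ } }
    else { Write-Host "${server} - all DC A records and site SRV records resolve as expected" }
}
```

Run it from any domain-joined machine after the Phoenix DC has been pointed at an AD-integrated DNS server and ipconfig /registerdns has been run; a stale A record for the moved DC shows up as a mismatch warning for the Seattle servers.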

                • #9
                  Re: Creating new sites and replication

                  I appreciate your help in this matter.

                  Thank you.

                  • #10
                    Re: Creating new sites and replication

                    Glad to help but...
                    is the issue gone? If so, how did you resolve it?
                    Did I scare you off with my DNS warning?
                    Regards,
                    Jeremy

                    • #11
                      Re: Creating new sites and replication

                      The issue is not resolved; this is on the back burner. I was just testing site replication. I have 2 months before the actual deployment and I have other issues that have higher priorities right now. I do, however, appreciate the links you posted. I think I need to read all of that before I come back to this. UNIX DNS is working, so this is not impacting the production environment.

                      • #12
                        Re: Creating new sites and replication

                        Thanks for the update. Keep us posted on your progress when you come back to the project. I'm interested to hear how it goes.
                        Regards,
                        Jeremy