Added a new DC and get the RPC server unavailable


  • Added a new DC and get the RPC server unavailable

    All,

    I have just added a new DC to our domain. DCPROMO didn't automatically install DNS, which I thought it does? Anyway, after promotion I installed DNS and then loaded the correct zone for our domain.

    When I go to manually replicate the server I get the RPC server is unavailable. I had to manually create the links to the other servers on the domain, when it usually automatically creates the links.

    Anyone any ideas?

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    No, DNS is not installed by default. That only happens for the first DC, and only if you want to. That's a good thing, IMHO. So yes, you need to install DNS explicitly.

    > When I go to manually replicate the server I get the RPC server is unavailable. I had to manually create the links to the other servers on the domain, when it usually automatically creates the links.

    When you are talking about links here, you mean connection objects, right? It is not abnormal that it takes a couple of hours for these to form correctly. If you configure them manually then AD will not automatically reconfigure them, even when this is needed when remote DCs go down. So it is better to remove the manual connection objects, and let the KCC do its work. Leave it overnight, I'd say.

    Pay careful attention to the directory services event log. If there is something badly wrong (like a missing sitelink) it will tell you.



    • #3
      Originally posted by wkasdo
      It is not abnormal that it takes a couple of hours for these to form correctly.
      You can speed up the process by forcing the KCC to recalculate the topology and forcing the DCs to sync by running the following on the DCs:
      Code:
      for /l %a in (1,1,25) do repadmin /kcc & repadmin /syncall & repadmin /syncall /P
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"



      • #4
        Cheers guys,

        I have deleted the connection objects and I will wait and let it replicate.

        I'll let you know how it goes

        Thanks

        Michael

        P.s. what does KCC stand for?


        • #5
          KCC = Knowledge Consistency Checker.

          Yes, that is meaningless. It calculates and creates connection objects from the known network topology. It runs every 15 minutes.



          • #6
            Originally posted by wkasdo
            KCC = Knowledge Consistency Checker.

            Yes, that is meaningless. It calculates and creates connection objects from the known network topology. It runs every 15 minutes.
            So in theory my automatically generated connections should have been generated after 15 minutes??

            Unfortunately it didn't


            • #7
              Yeah, I was afraid of that question. Yes, usually it takes 15 minutes at most. However, there are valid reasons why it may be delayed. Especially a newly promoted DC is too busy to care about the connection objects. But also in normal circumstances it may take more than 15 minutes. Don't ask me why.



              • #8
                Originally posted by wkasdo
                Yeah, I was afraid of that question. Yes, usually it takes 15 minutes at most. However, there are valid reasons why it may be delayed. Especially a newly promoted DC is too busy to care about the connection objects. But also in normal circumstances it may take more than 15 minutes. Don't ask me why.
                WHY???

                Ok - cheers for the info.

                I'll leave it over the weekend and see what it's like on Monday.

                cheers for the info


                • #9
                  No Joy unfortunately.

                  Getting the following error in the application event log:

                  The attempt to establish a replication link with parameters

                  Partition: DC=elfab,DC=com
                  Source DSA DN: CN=NTDS Settings,CN=ELFAB1FAIL,CN=Servers,CN=ELF,CN=Sites, CN=Configuration,DC=elfab,DC=com
                  Source DSA Address: cbf655f9-8a2f-42f2-a7c4-da07c564e556._msdcs.elfab.com
                  Inter-site Transport (if any):

                  failed with the following status:

                  The DSA operation is unable to proceed because of a DNS lookup failure.

                  The record data is the status code. This operation will be retried.

                  For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

                  The company doesn't have a reverse DNS zone set up, which I think could be causing the problem. Don't ask me why they don't have it set up, but I don't think they have a need. All mail gets fired to a parent company's mail server to deliver.

                  Anyone any other ideas?


                  • #10
                    ok, back to square one: the problem here is DNS.

                    No, reverse lookups are not required. This looks like the DNS on that DC is not working correctly. In order to help you with that you could install the support tools (on the server CD), and run DCDIAG and NETDIAG.

                    What is the current DNS config: which servers run DNS, and where do the TCP/IP settings point?



                    • #11
                      I have just spotted the following error on one of our DNS servers:

                      The DNS server encountered a packet addressed to itself -- IP address 10.18.0.5.

                      The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.

                      Check the following areas for possible self-send configuration errors:
                      1) Forwarders list. (DNS servers should not forward to themselves).
                      2) Master lists of secondary zones.
                      3) Notify lists of primary zones.
                      4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.

                      Example of self-delegation:
                      -> This DNS server dns1.foo.com is the primary for the zone foo.com.
                      -> The foo.com zone contains a delegation of bar.foo.com to dns1.foo.com,
                      (bar.foo.com NS dns1.foo.com)
                      -> BUT the bar.foo.com zone is NOT on this server.

                      Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.

                      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

                      But the configuration looks OK?

                      DCDIAG results:

                      C:\Program Files\Support Tools>dcdiag

                      Domain Controller Diagnosis

                      Performing initial setup:
                      Done gathering initial info.

                      Doing initial required tests

                      Testing server: ELF\ELFAB1FAIL
                      Starting test: Connectivity
                      cbf655f9-8a2f-42f2-a7c4-da07c564e556._msdcs.elfab.com's server GUID DNS
                      name could not be resolved to an
                      IP address. Check the DNS server, DHCP, server name, etc
                      Although the Guid DNS name
                      (cbf655f9-8a2f-42f2-a7c4-da07c564e556._msdcs.elfab.com) couldn't be
                      resolved, the server name (elfab1fail.elfab.com) resolved to the IP
                      address (10.18.0.4) and was pingable. Check that the IP address is
                      registered correctly with the DNS server.
                      ......................... ELFAB1FAIL failed test Connectivity

                      Doing primary tests

                      Testing server: ELF\ELFAB1FAIL
                      Skipping all tests, because server ELFAB1FAIL is
                      not responding to directory service requests

                      Running enterprise tests on : elfab.com
                      Starting test: Intersite
                      ......................... elfab.com passed test Intersite
                      Starting test: FsmoCheck
                      ......................... elfab.com passed test FsmoCheck

                      NETDIAG results:

                      C:\Program Files\Support Tools>netdiag

                      ......................................

                      Computer Name: ELFAB1FAIL
                      DNS Host Name: elfab1fail.elfab.com
                      System info : Windows 2000 Server (Build 2195)
                      Processor : x86 Family 6 Model 11 Stepping 4, GenuineIntel
                      List of installed hotfixes :


                      Netcard queries test . . . . . . . : Passed



                      Per interface results:

                      Adapter : Intel Pro 1000 XT Gigabit Ethernet Adapter - onboard

                      Netcard queries test . . . : Passed

                      Host Name. . . . . . . . . : elfab1fail
                      IP Address . . . . . . . . : 10.18.0.4
                      Subnet Mask. . . . . . . . : 255.255.255.0
                      Default Gateway. . . . . . : 10.18.0.254
                      Dns Servers. . . . . . . . : 10.18.0.5
                      10.18.0.15


                      AutoConfiguration results. . . . . . : Passed

                      Default gateway test . . . : Passed

                      NetBT name test. . . . . . : Passed

                      WINS service test. . . . . : Skipped
                      There are no WINS servers configured for this interface.


                      Global results:


                      Domain membership test . . . . . . : Failed
                      [WARNING] Ths system volume has not been completely replicated to the local
                      machine. This machine is not working properly as a DC.


                      NetBT transports test. . . . . . . : Passed
                      List of NetBt transports currently configured:
                      NetBT_Tcpip_{779A4131-BE35-4AE2-BE48-494C8E9C9A66}
                      1 NetBt transport currently configured.


                      Autonet address test . . . . . . . : Passed


                      IP loopback ping test. . . . . . . : Passed


                      Default gateway test . . . . . . . : Passed


                      NetBT name test. . . . . . . . . . : Passed


                      Winsock test . . . . . . . . . . . : Passed


                      DNS test . . . . . . . . . . . . . : Failed
                      [WARNING] The DNS entries for this DC are not registered correctly on DNS server '10.18.0.5'. Please wait for 30 minutes for DNS server replication.
                      [WARNING] The DNS entries for this DC are not registered correctly on DNS server '10.18.0.15'. Please wait for 30 minutes for DNS server replication.
                      [FATAL] No DNS servers have the DNS records for this DC registered.


                      Redir and Browser test . . . . . . : Passed
                      List of NetBt transports currently bound to the Redir
                      NetBT_Tcpip_{779A4131-BE35-4AE2-BE48-494C8E9C9A66}
                      The redir is bound to 1 NetBt transport.

                      List of NetBt transports currently bound to the browser
                      NetBT_Tcpip_{779A4131-BE35-4AE2-BE48-494C8E9C9A66}
                      The browser is bound to 1 NetBt transport.


                      DC discovery test. . . . . . . . . : Passed


                      DC list test . . . . . . . . . . . : Passed


                      Trust relationship test. . . . . . : Passed
                      Secure channel for domain 'ELFAB' is to '\\elfab1.elfab.com'.


                      Kerberos test. . . . . . . . . . . : Passed


                      LDAP test. . . . . . . . . . . . . : Passed


                      Bindings test. . . . . . . . . . . : Passed


                      WAN configuration test . . . . . . : Skipped
                      No active remote access connections.


                      Modem diagnostics test . . . . . . : Passed

                      IP Security test . . . . . . . . . : Passed
                      IPSec policy service is active, but no policy is assigned.


                      The command completed successfully


                      • #12
                        Bad DNS problems all right. The DC has not even been able to do the initial replication.

                        > But the configuration looks OK?

                        Perhaps. What are these servers?

                        > Dns Servers. . . . . . . . : 10.18.0.5
                        > 10.18.0.15

                        These should normally be DNS servers of the same domain, in a typical simple setup. Both these servers should be able to resolve your domain.



                        • #13
                          Originally posted by wkasdo
                          Bad DNS problems all right. The DC has not even been able to do the initial replication.

                          > But the configuration looks OK?

                          Perhaps. What are these servers?

                          > Dns Servers. . . . . . . . : 10.18.0.5
                          > 10.18.0.15

                          These should normally be DNS servers of the same domain, in a typical simple setup. Both these servers should be able to resolve your domain.
                          10.18.0.5 and 10.18.0.15 are both Active Directory integrated zones.

                          One problem I have noticed is this in the DNS event log on 10.18.0.5:

                          The DNS server encountered a packet addressed to itself -- IP address 10.18.0.5.

                          The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.

                          Check the following areas for possible self-send configuration errors:
                          1) Forwarders list. (DNS servers should not forward to themselves).
                          2) Master lists of secondary zones.
                          3) Notify lists of primary zones.
                          4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.

                          Example of self-delegation:
                          -> This DNS server dns1.foo.com is the primary for the zone foo.com.
                          -> The foo.com zone contains a delegation of bar.foo.com to dns1.foo.com,
                          (bar.foo.com NS dns1.foo.com)
                          -> BUT the bar.foo.com zone is NOT on this server.

                          Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.

                          For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

                          I have checked out the settings and they all look fine. This event is happening every few seconds.

                          Both DNS servers are configured exactly the same but the other DNS server is fine.

                          Any ideas?

                          Michael


                          • #14
                            Bumpety Bump


                            • #15
                              Relax. I have a real job too, you know.

                              The funny thing is, your DC is not registering its data with DNS. That is the problem to be solved. However, from here I don't see any trivial mistake. So why is this happening? Is the health of the domain otherwise OK? Replication running fine and all that?

                              It's very unlikely, but is there perhaps a time skew of more than 5 minutes? That could explain the problem.
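
The questions raised in posts #10, #12 and #15 (what each configured DNS server actually answers for this DC, and whether the clocks agree) can be collected into one read-only batch file. This is an added example, not part of the thread: the host names, addresses and DSA GUID are copied from the dcdiag/netdiag output above, while the `_ldap._tcp.dc._msdcs` locator name, the file name `dcdnschk.txt` and the nslookup output strings matched by `findstr` are assumptions about a standard AD DNS layout and the Windows nslookup output format.

```batch
@echo off
rem Added example, not from the thread. Read-only: it only queries DNS and
rem compares clocks. Names, addresses and the DSA GUID are the ones shown in
rem the event log, dcdiag and netdiag output posted in #9 and #11.
setlocal
set DOMAIN=elfab.com
set DCFQDN=elfab1fail.elfab.com
set DSAGUID=cbf655f9-8a2f-42f2-a7c4-da07c564e556
set DNSSERVERS=10.18.0.5 10.18.0.15
rem Existing DC named in the netdiag secure-channel line.
set PARTNER=elfab1.elfab.com
rem Scratch file name is an assumption of this example.
set OUT=%TEMP%\dcdnschk.txt

rem Ask every DNS server from the TCP/IP settings separately: netdiag
rem reported the records missing on both, so each one has to be checked.
for %%S in (%DNSSERVERS%) do call :check %%S

echo.
echo === Clock comparison (post #15: skew of more than 5 minutes) ===
echo Local time on %COMPUTERNAME%:
date /t
time /t
net time \\%PARTNER%
if exist "%OUT%" del "%OUT%"
endlocal
goto :eof

:check
echo.
echo === DNS server %1 ===
rem Host record of the new DC.
call :query A %DCFQDN%. %1 "Name:"
rem GUID alias that replication partners resolve (the name dcdiag failed on).
call :query CNAME %DSAGUID%._msdcs.%DOMAIN%. %1 "canonical name"
rem DC locator record (assumed standard name); it must list this DC as a target.
call :query SRV _ldap._tcp.dc._msdcs.%DOMAIN%. %1 "svr hostname.*%DCFQDN%"
goto :eof

:query
rem %1 = record type, %2 = name, %3 = server, %4 = pattern seen only in an answer.
rem The exit code of nslookup is not used, and "***" lines are not treated as
rem failure: with no reverse zone (post #9) nslookup can print
rem "*** Can't find server name" for the server itself while the query succeeds.
nslookup -type=%1 %2 %3 > "%OUT%" 2>&1
findstr /i /r /c:"%~4" "%OUT%" > nul
if errorlevel 1 (
    echo   MISSING  %1  %2
) else (
    echo   ok       %1  %2
)
goto :eof
```

A record that one server reports as `ok` and the other as `MISSING` points at replication between the two DNS servers, whereas `MISSING` on both corresponds to the netdiag `[FATAL]` line quoted above.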
