Microsoft KB Archive/824449

= Troubleshooting Active Directory replication failures that occur because of DNS lookup failures, event ID 2087, or event ID 2088 =

Article ID: 824449

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



SUMMARY
''This article describes an action plan for administrators and for support professionals to follow when domain controllers that are running Microsoft Windows 2000 or Microsoft Windows Server 2003 cannot replicate Active Directory because of DNS lookup failures. Administrators who are troubleshooting replication or other component failures that occur because of a lack of DNS name resolution should follow this action plan.

This article also discusses two new events, event ID 2087 and event ID 2088, that are logged by destination domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1). These events occur when a lack of DNS name resolution prevents the inbound replication of Active Directory directory service partitions. More significantly, in this problem scenario, Windows Server 2003 SP1-based destination domain controllers will use the source domain controller's fully qualified domain name in DNS or the source domain controller's NetBIOS computer name in Windows Internet Name Service (WINS). The goal of the enhancements in Windows Server 2003 is to minimize the effect of DNS client or DNS server configuration errors on Active Directory replication.''



SYMPTOMS
On a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller, the following event messages may be logged in the Directory Service event log.

Message 1

Type: Error

Source: NTDS Replication

Category: DS RPC Client

Event ID: 2087

User: NT AUTHORITY\ANONYMOUS LOGON

Computer:

Description:

Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

Source domain controller:

Failing DNS host name: <DSA GUID>._msdcs.<forest name>

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\

Description:

Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:

Failing DNS host name: <DSA GUID>._msdcs.<forest name>

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\

CAUSE
A domain controller locates its replication partner by using the DNS alias (CNAME) resource record <DSA GUID>._msdcs.<forest name>. <DSA GUID> is the GUID of the directory system agent (DSA) object for the domain controller. <forest name> is the name of the forest where the domain controller is located. Domain controllers require the CNAME record to locate and to identify their replication partners.

The Net Logon service on the domain controller registers all the SRV records. The DNS Client service on the domain controller registers the DNS host (A) record and the GUID CNAME record.

A domain controller uses the following steps to locate its replication partner:
1) The domain controller uses DNS to look for the CNAME record of its replication partner.
2) If the lookup is unsuccessful, the domain controller looks for the DNS A record of its replication partner. For example, the domain controller looks for dc-03.corp.contoso.com.
3) If the DNS A record lookup is unsuccessful, the domain controller performs a NetBIOS broadcast by using the host name of its replication partner. For example, the domain controller uses dc-03.
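The three-stage lookup above, as an added PowerShell example that is not part of the KB article: it walks CNAME, then A, then the NetBIOS computer name and reports which stage succeeded, which is what separates the event 2087 condition (all stages fail) from the event 2088 condition (only an alternate name works). It assumes the DnsClient module (Windows 8 / Windows Server 2012 or later, so newer than the systems the article covers); the GUID and host names in the usage call are constructed.

```powershell
# Added example, not from the KB article: reproduce the three-stage lookup a
# destination DC performs for its replication partner. Assumes the DnsClient
# module (Resolve-DnsName); the values in the usage call are constructed.
function Find-ReplicationPartner {
    param(
        [Parameter(Mandatory)][guid]$DsaGuid,       # objectGUID of the source DC's NTDS Settings object
        [Parameter(Mandatory)][string]$Forest,      # forest root DNS name, e.g. corp.contoso.com
        [Parameter(Mandatory)][string]$SourceFqdn,  # DNS host name of the source DC
        [string]$DnsServer                          # DNS server to query; default is the configured resolver
    )
    $opt = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $opt.Server = $DnsServer }

    # Stage 1: CNAME <DSA GUID>._msdcs.<forest name>, then the A record of its target
    $cname = Resolve-DnsName -Name "$($DsaGuid)._msdcs.$Forest" -Type CNAME @opt |
             Where-Object Type -eq 'CNAME' | Select-Object -First 1
    if ($cname) {
        $a = Resolve-DnsName -Name $cname.NameHost -Type A @opt | Where-Object Type -eq 'A'
        if ($a) { return [pscustomobject]@{ Stage = 'CNAME'; Name = $cname.NameHost; IPAddress = $a.IPAddress } }
    }

    # Stage 2: A record of the source DC's FQDN (the "alternate server name" of event 2088)
    $a = Resolve-DnsName -Name $SourceFqdn -Type A @opt | Where-Object Type -eq 'A'
    if ($a) { return [pscustomobject]@{ Stage = 'A'; Name = $SourceFqdn; IPAddress = $a.IPAddress } }

    # Stage 3: NetBIOS computer name through the system resolver (WINS or broadcast on Windows)
    $short = ($SourceFqdn -split '\.')[0]
    try   { $ip = [System.Net.Dns]::GetHostAddresses($short).IPAddressToString }
    catch { $ip = $null }
    if ($ip) { return [pscustomobject]@{ Stage = 'NetBIOS'; Name = $short; IPAddress = $ip } }

    return $null   # every stage failed: the event 2087 condition
}

# Usage with constructed values; any stage other than CNAME is the event 2088 condition.
$r = Find-ReplicationPartner -DsaGuid '11111111-2222-3333-4444-555555555555' `
                             -Forest 'corp.contoso.com' -SourceFqdn 'dc-03.corp.contoso.com'
if (-not $r)                  { Write-Warning 'All lookups failed (event 2087 condition)' }
elseif ($r.Stage -ne 'CNAME') { Write-Warning "Resolved only by $($r.Stage) name (event 2088 condition)" }
else                          { "Resolved $($r.Name) -> $($r.IPAddress)" }
```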



RESOLUTION

Case 1
To remove Active Directory and DNS data that is left behind by a domain controller that is no longer in use, follow the procedure in the following Microsoft Knowledge Base article:

216498 How to remove data in Active Directory after an unsuccessful domain controller demotion

If the domain controller must be online, resolve the blocking issue, and then put the domain controller back online. When you restart the domain controller, you automatically register Active Directory and DNS data that is required for Active Directory replication with the destination domain controller.

If you do not want to restart the domain controller, but you want to reregister its DNS records, go to step 7, "Register Resource Records in DNS."

Case 2
If replication does not occur because a destination domain controller cannot resolve the DNS name of a replication partner, you must diagnose DNS and network connectivity problems to determine the source of the failure.

To diagnose and to fix DNS support for Active Directory replication, follow these steps:

1) Gather information.

You must have the following information to diagnose and to fix DNS support for Active Directory replication and other operations that depend on DNS:
 * The fully qualified domain name (FQDN) and IP address of the source domain controller.
 * The FQDN and IP address of the DNS server that hosts the DNS zone for the Active Directory domain name.

Note Domain controller and DNS server information may be the same if the domain controller is also running the DNS Server service that hosts the DNS zone for the Active Directory domain name.

2) Verify network connection settings.

 a) On the domain controller that is reporting the error, click Network Connections in Control Panel.
 b) Right-click the network connection that you want to configure, and then click Properties.
 c) On the General tab for a local area connection or on the Networking tab for all other connections, click Internet Protocol (TCP/IP), and then click Properties.
 d) In Use the following DNS server addresses, verify that the preferred DNS server or the alternate DNS server has the correct IP address of the DNS server that hosts the DNS zone for the Active Directory domain name.

Note We recommend that the preferred DNS server for the domain controller is located in a hub site that is local or well-connected. If you use such a hub site, you reduce replication latency.

 e) If the IP addresses are correct, go to step 3. If the IP address is incorrect, enter the correct address, and then go to step 7.

3) Verify connectivity.

To verify connectivity, use the ping command on the destination domain controller to find the IP addresses of the source domain controller and of the DNS server.

On the destination domain controller, type the following at a command prompt, and then press ENTER after each command:

ping <IP address of the source domain controller>

ping <IP address of the DNS server>

If either command is unsuccessful, a network connectivity error may exist. Contact the network administrator to diagnose and to fix this error. If both commands are successful, the error exists in DNS.

4) Verify that the DNS Server service is running.

If the destination domain controller is configured to use a local DNS server, verify that the DNS Server service is running. To do this, type net start "DNS Server" at a command prompt, and then press ENTER.

If the DNS Server service is running, a message appears that indicates that the service is running. If the DNS Server service is installed, but the service is not running, the command starts the DNS Server service.

If the DNS Server service is not installed, a message appears that indicates that the service name is not valid. If the destination domain controller is configured to use a remote DNS server, use the DNS console to start the DNS Server service. To do this, follow these steps:

 a) Open the DNS console.
 b) On the Action menu, click Connect To DNS Server.
 c) In Connect to DNS Server, click The following computer.
 d) To connect to a remote server, specify either the remote server's DNS computer name or its IP address.
 e) Click to select the Connect to the specified computer now check box, and then click OK.
 f) On the Action menu, point to All Tasks, and then click Start.

5) Verify that the resource record is registered.

The destination domain controller uses the DNS CNAME resource record, <DSA GUID>._msdcs.<forest name>, to locate its source domain controller replication partner. To verify that this resource record is in the DNS zone for the Active Directory domain name, follow these steps:

 a) Open the DNS console. In the console tree, locate any domain controller that is running the DNS Server service, where the service hosts the DNS zone with the same name as the Active Directory domain name.
 b) In the console tree, click the zone that is named _msdcs.<forest name>.

In Windows 2000 Server DNS, _msdcs.<forest name> is a subdomain of the DNS zone for the Active Directory domain name. In Windows Server 2003, _msdcs.<forest name> is a separate zone.

The zone that is named _msdcs.<forest name> must contain the following:
 * A CNAME resource record that is named <DSA GUID>._msdcs.<forest name>.
 * A corresponding A resource record for the name of the DNS server that is identified as the target host in the CNAME record.

If the resource records do not exist, go to step 6 to diagnose why the Net Logon service did not register the resource records automatically.

6) Verify that the DNS Server service that hosts the zone for the Active Directory domain name is configured to accept dynamic updates.

 a) In the DNS console, right-click the applicable zone, and then click Properties.
 b) On the General tab, verify that the zone type is Active Directory–integrated.
 c) In Dynamic Updates, click Secure only. (In Windows 2000 Server, the secure dynamic update option is named Only secure updates.)

7) Register DNS resource records in DNS.

The Net Logon service on a domain controller registers the DNS resource records that are required for the domain controller to be located in the network. To manually initiate this registration on the source domain controller, type the following at a command prompt, and then press ENTER after each command:

net stop "net logon"

net start "net logon"

The DNS Client service registers the host (A) resource record that the CNAME record points to. To initiate this registration on the source domain controller, type ipconfig /registerdns at a command prompt, and then press ENTER.

8) Verify resource record registration.

To verify that the records were registered successfully, go to step 5, "Verify that the resource record is registered."

9) Force replication on the source and destination domain controllers.

 a) On the destination domain controller, open Active Directory Sites and Services.
 b) In the console tree, click NTDS Settings for the domain controller that you want to force replication on.
 c) In the details pane, right-click the connection that you want to use to replicate directory information, and then click Replicate Now.

You can also use the repadmin and replmon command-line tools. These tools are available on your Windows Server 2003 installation CD. (The repadmin command is repadmin /syncall /d /e /P.)

10) Investigate other problems.

If the previous steps do not resolve the errors, a domain controller may not be able to dynamically register its DNS resource records because the DNS servers that the domain controller uses for name resolution cannot find a primary authoritative zone for these resource records. In this case, there are two possible causes:
 * The preferred or alternate DNS servers that are used by the destination domain controller for name resolution contain incorrect root hints. For information about updating the root hints, visit the following Microsoft Web sites:

http://technet2.microsoft.com/windowsserver/en/library/7b69b6f9-f25e-4594-a04b-f08f3effa2031033.mspx

http://technet2.microsoft.com/windowsserver/en/library/3e3d2262-518f-4e97-a5cb-737ed52d2cd91033.mspx

 * There are incorrect delegations in the DNS zones. These delegations start at the root and descend to the zone with the same name as the Active Directory domain name. For information about verifying the zone delegations, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/977fa8ed-ec71-4d39-9f9e-9facd5a613641033.mspx
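The checks of steps 2, 5 and 6 of the procedure above, scripted as an added PowerShell example that is not part of the KB article: it reads the failing name out of the newest event 2087 or 2088 on the destination domain controller, lists the DNS servers the DC is configured to use, and then checks the zone's dynamic-update setting and the CNAME and A records on the DNS server that hosts the _msdcs zone. It assumes the DnsClient and DnsServer modules (Windows Server 2012 or later, so newer than the article's systems); if the Get-DnsServer* calls fail, the DNS Server service on that host is not reachable or not running (step 4). The DNS server name is a constructed placeholder.

```powershell
# Added example, not from the KB article: take the failing name from the newest
# event 2087/2088 and run the checks of steps 2, 5 and 6. Assumes the DnsClient
# and DnsServer modules; $DnsServer below is a constructed placeholder.
param([string]$DnsServer = 'dns01.corp.contoso.com')

$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2087, 2088 } `
                   -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $ev) { Write-Host 'No event 2087 or 2088 in the Directory Service log'; return }
$failing = [regex]::Match($ev.Message, 'Failing DNS host name:\s*(\S+)').Groups[1].Value.TrimEnd('.')
$guid, $zone = $failing -split '\.', 2        # '<DSA GUID>' and '_msdcs.<forest name>'
Write-Host "Event $($ev.Id) at $($ev.TimeCreated): failing name $failing"

# Step 2: DNS servers configured on this DC's network connections
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# Step 6: zone type and dynamic-update setting on the hosting DNS server
$z = Get-DnsServerZone -ComputerName $DnsServer -Name $zone -ErrorAction Stop
Write-Host ("Zone {0}: ADIntegrated={1} DynamicUpdate={2}" -f $z.ZoneName, $z.IsDsIntegrated, $z.DynamicUpdate)
if ($z.DynamicUpdate -ne 'Secure') { Write-Warning 'Zone is not set to secure-only dynamic updates' }

# Step 5: the CNAME record, then the A record of the host it points to
$c = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Name $guid `
                                 -RRType CName -ErrorAction SilentlyContinue
if (-not $c) {
    Write-Warning "CNAME $failing is missing: go to step 7 (restart Net Logon on the source DC)"
    return
}
$target = $c.RecordData.HostNameAlias.TrimEnd('.')
$a = Resolve-DnsName -Name $target -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
     Where-Object Type -eq 'A'
if ($a) { Write-Host "CNAME -> $target -> $($a.IPAddress -join ', ')" }
else    { Write-Warning "A record for $target is missing: run ipconfig /registerdns on the source DC" }
```

To log every lookup failure instead of 10 per 12-hour period, set the "22 DS RPC Client" value under HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics to 1, as the event text describes.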


MORE INFORMATION
You can also use the Netdiag.exe and Dcdiag.exe command-line tools to troubleshoot DNS and Active Directory infrastructure issues. Both tools are available online or on the Windows Server 2003 installation CD. To download these tools, visit the Windows Server 2003 Resource Kit Tools Web page:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

Keywords: kbdirservices kbprb KB824449

-


© Microsoft Corporation. All rights reserved.