Event ID 2087 — Discovery of replication partners
Applies To: Windows Server 2008 R2
Domain controllers must be able to communicate with their replication partners to initiate replication. So that domain controllers can communicate properly, the following conditions must be true:
- Domain controller service (SRV) resource records must be registered with the Domain Name System (DNS) server.
- Domain controllers must be able to query and locate the service (SRV) resource records of other domain controllers from the DNS server.
- Domain controllers must be able to establish remote procedure call (RPC) communications with one another.
- Replication partners must be online, accessible, and advertising.
Product: Windows Operating System

Message:
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

Source domain controller: dc2
Failing DNS host name: b0069e56-b19c-438a-8a1f-64866374dd6e._msdcs.contoso.com

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path: HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:
1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active Directory and is accessible on the network by typing "net view \\source_DC_name" or "ping source_DC_name".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of Dcdiag.exe available on http://www.microsoft.com/dns: dcdiag /test:dns
4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of Dcdiag.exe command on the console of the destination domain controller, as follows: dcdiag /test:dns
5) For further analysis of DNS error failures see KB article 824449: http://support.microsoft.com/?kbid=824449

Additional Data
Error value: 11004 The requested name is valid, but no data of the requested type was found.
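The event text above is what a responder actually has in hand, so here is a small Python helper, added as an example (it is not Microsoft's code), that parses the fixed-label fields out of a 2087 message, recognises the <GUID>._msdcs.<forest root> CNAME form that replication partners resolve before the source DC's host record, and maps the error value to its Winsock/Win32 meaning. The sample message is constructed from the values shown above; the codes 11001 and 1355 in the lookup table are standard Windows values that do not appear in this particular event text.

```python
"""Triage helper for Directory Service Event ID 2087 message text.

Added example (not Microsoft's code). The event template's field labels are
fixed, so the values can be pulled out of the text that a SIEM or an Event
Viewer export delivers and turned into the concrete DNS checks to run next.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, using the values shown in the event on this page.
SAMPLE_2087 = (
    "Active Directory could not resolve the following DNS host name of the "
    "source domain controller to an IP address. "
    "Source domain controller: dc2 "
    "Failing DNS host name: b0069e56-b19c-438a-8a1f-64866374dd6e._msdcs.contoso.com "
    "NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period. "
    "Additional Data Error value: 11004 The requested name is valid, but no data "
    "of the requested type was found."
)

# Error values seen in 2087/2088 text. 11004 is the one on the page; the other
# two are standard Winsock/Win32 codes added here for completeness.
ERROR_MEANING = {
    11001: "WSAHOST_NOT_FOUND: no such host; the name has no record at all",
    11004: "WSANO_DATA: the name exists but has no record of the requested type "
           "(typically the CNAME exists but its target host has no A record)",
    1355: "ERROR_NO_SUCH_DOMAIN: the DC locator could not find a domain controller",
}

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Replication partners first resolve the source DSA's object GUID as a CNAME
# under _msdcs.<forest root>; that CNAME points at the source DC's host record.
DSA_CNAME_RE = re.compile(rf"^(?P<guid>{GUID})\._msdcs\.(?P<forest>[\w.-]+)$", re.IGNORECASE)


@dataclass
class Event2087:
    source_dc: str
    failing_name: str
    error_value: int
    dsa_guid: Optional[str]      # set when failing_name is the GUID CNAME form
    forest_root: Optional[str]


def parse_event_2087(text: str) -> Event2087:
    """Extract the fields a responder needs from the raw event message."""
    src = re.search(r"Source domain controller:\s*(\S+)", text)
    name = re.search(r"Failing DNS host name:\s*(\S+)", text)
    err = re.search(r"Error value:\s*(\d+)", text)
    if not (src and name and err):
        raise ValueError("required Event 2087 fields not found in message text")
    m = DSA_CNAME_RE.match(name.group(1))
    return Event2087(
        source_dc=src.group(1),
        failing_name=name.group(1),
        error_value=int(err.group(1)),
        dsa_guid=m.group("guid").lower() if m else None,
        forest_root=m.group("forest").lower() if m else None,
    )


def triage(ev: Event2087) -> List[str]:
    """Turn the parsed event into the ordered checks from the event's user action."""
    meaning = ERROR_MEANING.get(ev.error_value, "unmapped code; look it up before acting")
    steps = [f"error {ev.error_value}: {meaning}"]
    if ev.dsa_guid:
        steps.append(f"resolve CNAME {ev.failing_name} against the DNS servers this DC uses "
                     f"(zone _msdcs.{ev.forest_root})")
        steps.append(f"resolve the host (A) record the CNAME points to, i.e. {ev.source_dc}'s host record")
    else:
        steps.append(f"resolve host record {ev.failing_name}")
    steps.append(f"confirm {ev.source_dc} is up and advertising: net view \\\\{ev.source_dc}, ping {ev.source_dc}")
    steps.append(f"if {ev.source_dc} was rebuilt or retired, remove its metadata with ntdsutil (KB 216498)")
    steps.append("run dcdiag /test:dns on the source DC and on this destination DC")
    return steps


if __name__ == "__main__":
    for line in triage(parse_event_2087(SAMPLE_2087)):
        print(line)
```

Run it as a script to print the checks for the sample message, or call parse_event_2087 on a message body pulled from a SIEM or an Event Viewer export. Because the event is throttled to 10 DNS failures per 12 hours by default, a low event count does not mean few failures; the NTDS Diagnostics value named in the message lifts that cap.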
Correct connectivity issues between domain controllers
If a domain controller (the source domain controller) sends another domain controller (the destination domain controller) an update notification and the destination domain controller cannot resolve the source domain controller's name, the destination domain controller logs one of two events, Event ID 2087 or Event ID 2088. This is true for domain controllers running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.
- If all lookups fail, Event ID 2087 is logged.
- If lookup succeeds but either the first or second replication attempt fails, Event ID 2088 is logged.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at http://go.microsoft.com/fwlink/?LinkID=150761. Perform these procedures on the domain controller that is logging the event to be resolved.
To ensure that the domain controllers that host the identified directory partition are accessible:
1. Open a command prompt as an administrator on the domain controller that you need to fix. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. To ensure that there are no stale entries in the local DNS client resolver cache, run the command ipconfig /flushdns.
3. Run the command dcdiag /test:dns /f:<filename>. Replace <filename> with the name of a text file that you want to use for the results. For example, if you are running the command on a computer named CORPDC1, run dcdiag /test:dns /f:corpdc1diag.txt, which writes the results of the test to a file named corpdc1diag.txt.
4. To review the results of the test, open the file that you created in step 3 in a text editor. For example, if the resulting file is named corpdc1diag.txt, you can open it in Notepad by running the command notepad corpdc1diag.txt.
   Dcdiag performs a connectivity test first. If the connectivity test failed, verify physical connectivity to the network and basic IP settings, as described in step 5. Otherwise, continue to review the results of the DNS tests. If you have not configured IP version 6 (IPv6) or if you are not using it, it is normal to see the warning message "Warning: The AAAA record for this DC was not found."
   Review the record registration (RReg) test results. Ensure that the test found all the appropriate record registrations. If the test cannot find the record registrations, you see failure messages. If this happens, try running the command dcdiag /fix to register the records. If you have multiple network adapters, you may see the message "Warning: Record registrations not found in some network adapters." If you see the message, ensure that all your network adapters are configured properly for the networks to which they are connected. If you have network connections that are not connected to network segments that provide directory services or replication, ensure that the Register this connection's address in DNS check box is cleared on the DNS tab of the Advanced TCP/IP Settings dialog box. For specific instructions about how to do this, see Configure TCP/IP to use DNS (http://go.microsoft.com/fwlink/?LinkId=151427).
   Note: For more information about these tests and their results, see Dcdiag (http://go.microsoft.com/fwlink/?LinkID=133110).
5. To verify physical connectivity and IP settings, run the command ipconfig /all. If the network adapter reports the message "media disconnected," fix the problem with the physical network connection. Otherwise, verify the IP configuration and DNS client settings. Fix any problems that you discover with these settings. For example, if the local domain controller is also a DNS server, ensure that the DNS servers are set to ::1 for IPv6 and 127.0.0.1 for IP version 4 (IPv4). If the local domain controller is not configured as a DNS server, ensure that the correct IP addresses for the DNS servers for the domain are configured for the Preferred DNS server and Alternate DNS server options.
6. Ensure that any firewall that is configured on the domain controller replication partners or between the domain controller replication partners is not blocking the ports and protocols that replication requires. For complete details about the ports and protocols that are required for replication, see Active Directory Replication over Firewalls (http://go.microsoft.com/fwlink/?LinkID=123775).
7. Confirm that the local domain controller has properly registered its DNS records. To do this, run the command nltest /dsgetdc: /force. This command forces the domain controller to refresh the DC Locator cache, and it determines whether a domain controller can be contacted. By default, the command should return the name of the local domain controller.
8. If the name of the local domain controller is not returned, remove the DNS records by running the command nltest /dsderegdns:<hostname>. Replace <hostname> with the actual computer name of the domain controller. Then, register the DNS records again by running the command nltest /dsregdns. If the registration fails, ensure that DNS communications are working properly. Ensure that any firewall that is configured on the DNS server or between the local domain controller and the DNS server is not blocking UDP port 53, which is used for DNS record registration by default. Review the configuration of the DNS servers to which the local domain controller is pointed in its DNS client settings. Review the Event Viewer logs on the DNS server. For more information, see Troubleshooting Active Directory-Related DNS Problems (http://go.microsoft.com/fwlink/?LinkID=130597).
9. Run the command repadmin /showrepl, which produces a list of partitions and domain controller replication partners. Check the other domain controllers in the list by repeating steps 1 through 8 on those domain controllers. If you want to run these commands from the local domain controller, you can add the switch /s:hostname to specify a different target computer for the tests. Replace hostname with the actual name of the target computer. For example, if you want to run the Dcdiag DNS test on a domain controller named CORPDC2, run the command dcdiag /s:corpdc2 /test:dns /f:corpdc2diag.txt from the local domain controller.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at http://go.microsoft.com/fwlink/?LinkID=150761. Perform this procedure on the computer that is logging the event to be resolved.
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- To ensure that there are no stale entries in the local DNS client resolver cache, run the command ipconfig /flushdns.
- To ensure that a domain controller can communicate with a replication partner, run the command nltest /dsgetdc: /force /avoidself. If the domain controller to which you are connected can locate another domain controller, information for the other domain controller appears and the final output of that command should read as follows: “The command completed successfully.” If the domain controller is unable to locate another domain controller, the message is “Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN”.
- To ensure that you have access to a global catalog server, run the command nltest /dsgetdc: /force /gc. Also, to ensure that the local domain controller has access to a DNS server, run the command nltest /dsgetdc: /force /dns. Both of these commands should complete successfully.
- Confirm that the DNS records are properly registered, and then run the command repadmin /showrepl to view the list of partitions to be replicated and the relative replication partners. Use this list to test replication of each partition from the local domain controller to the replication partner in the following step.
- To ensure that each partition can be replicated, use the command repadmin /replicate destinationhostname sourcehostname partition. For example, if you want to test replication of the domain naming context of corp.cpandl.com from a domain controller named CORPDC1 to a domain controller named CORPDC2, run the command repadmin /replicate corpdc2 corpdc1 dc=corp,dc=cpandl,dc=com.
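The repadmin /showrepl step above and the final repadmin /replicate step of this procedure fit together: /showrepl lists, for each partition, the source domain controller that the local (destination) domain controller pulls from, and that is exactly the destination, source and partition that /replicate takes. The following Python parser is an added example, not Microsoft's code and not a definition of repadmin's output format; the sample output is constructed to approximate the /showrepl layout, with the host names and corp.cpandl.com partitions taken from the page and placeholder GUIDs. It also flags neighbors whose last attempt failed with DS error 8524 (ERROR_DS_DRA_DNS_LOOKUP_FAILURE), the replication-side symptom of the DNS resolution failure that Event ID 2087 reports.

```python
"""Parse repadmin /showrepl output and build repadmin /replicate commands.
Added example, not Microsoft's code: the inbound-neighbor list names, per
partition, the source DC that the local (destination) DC pulls from.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample approximating the /showrepl layout. Host names and the
# corp.cpandl.com partitions are the page's own; the GUIDs are placeholders.
SAMPLE_SHOWREPL = r"""Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\CORPDC2
DSA Options: IS_GC

==== INBOUND NEIGHBORS ======================================

DC=corp,DC=cpandl,DC=com
    Default-First-Site-Name\CORPDC1 via RPC
        DSA object GUID: 00000000-0000-4000-8000-000000000001
        Last attempt @ 2010-03-01 09:15:02 was successful.

CN=Configuration,DC=corp,DC=cpandl,DC=com
    Default-First-Site-Name\CORPDC1 via RPC
        DSA object GUID: 00000000-0000-4000-8000-000000000001
        Last attempt @ 2010-03-01 09:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.

CN=Schema,CN=Configuration,DC=corp,DC=cpandl,DC=com
    Default-First-Site-Name\CORPDC1 via RPC
        DSA object GUID: 00000000-0000-4000-8000-000000000001
        Last attempt @ 2010-03-01 09:15:02 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
"""

ERROR_DS_DRA_DNS_LOOKUP_FAILURE = 8524  # DS-level counterpart of Event 2087/2088

LOCAL_DC_RE = re.compile(r"^(?P<site>[^\\\s]+)\\(?P<dc>\S+)$")
PARTITION_RE = re.compile(r"^(?:DC|CN)=.+$")
NEIGHBOR_RE = re.compile(r"^\s{4}(?P<site>[^\\\s]+)\\(?P<partner>\S+) via (?P<transport>\S+)$")
GUID_RE = re.compile(r"^\s+DSA object GUID: (?P<guid>\S+)$")
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ .* (?:(?P<ok>was successful)|failed, result (?P<code>\d+))")

@dataclass
class Neighbor:
    partition: str
    partner: str                  # source DC this partition is pulled from
    transport: str
    dsa_guid: str = ""            # label of the <guid>._msdcs.<forest> CNAME that Event 2087 reports
    status: str = "unknown"       # "ok" or "failed"
    result: Optional[int] = None  # Win32/DS error code when failed

@dataclass
class ShowRepl:
    local_dc: str = ""
    neighbors: List[Neighbor] = field(default_factory=list)

def parse_showrepl(text: str) -> ShowRepl:
    rep = ShowRepl()
    in_inbound = False
    partition = None
    cur: Optional[Neighbor] = None
    for line in text.splitlines():
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if line.startswith("===="):           # any other section ends inbound parsing
            in_inbound = False
            continue
        if not in_inbound:
            m = LOCAL_DC_RE.match(line)       # header line: <site>\<local DC name>
            if m and not rep.local_dc:
                rep.local_dc = m["dc"]
            continue
        if PARTITION_RE.match(line):          # a column-0 DN starts a new partition block
            partition = line.strip()
            cur = None
            continue
        m = NEIGHBOR_RE.match(line)
        if m and partition:
            cur = Neighbor(partition, m["partner"], m["transport"])
            rep.neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = GUID_RE.match(line)
        if m:
            cur.dsa_guid = m["guid"]
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            cur.status = "ok" if m["ok"] else "failed"
            cur.result = int(m["code"]) if m["code"] else None
    return rep

def replicate_commands(rep: ShowRepl, only_failed: bool = True) -> List[str]:
    """One repadmin /replicate <destination> <source> <partition> per (failed) inbound neighbor."""
    return [f"repadmin /replicate {rep.local_dc} {n.partner} {n.partition}"
            for n in rep.neighbors if not only_failed or n.status == "failed"]

def dns_failures(rep: ShowRepl) -> List[Neighbor]:
    """Neighbors whose last attempt failed with the DNS lookup error that accompanies Event 2087."""
    return [n for n in rep.neighbors if n.result == ERROR_DS_DRA_DNS_LOOKUP_FAILURE]
```

Feed parse_showrepl the captured text of repadmin /showrepl from the destination domain controller and replicate_commands returns the /replicate commands for the partitions whose last inbound attempt failed; pass only_failed=False to regenerate the command for every partition. The dsa_guid field is the label of the <guid>._msdcs.<forest> CNAME that the destination must resolve, so it can be compared directly with the "Failing DNS host name" in a 2087 event.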