事件 ID 2087: DNS 查詢造成失敗︰ 複寫失敗Event ID 2087: DNS lookup failure caused replication to fail

適用於:Windows Server 2016、Windows Server 2012 R2、Windows Server 2012Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

網域名稱系統」(DNS) 無法查詢造成︰ 複寫失敗時通常會發生這個問題。This problem typically occurs when a Domain Name System (DNS) lookup failure causes replication to fail. 當目的地網域控制站收到事件 ID 2087 Directory 服務事件登入時,嘗試全球唯一 (GUID) 中別名 (CNAME) 資源記錄、的完整的網域名稱 (FQDN),以及 NetBIOS 名稱解析來源網域控制站的 IP 位址所有失敗。When a destination domain controller receives Event ID 2087 in the Directory Service event log, attempts to resolve the globally unique identifier (GUID) in the alias (CNAME) resource record, the fully qualified domain name (FQDN), and the NetBIOS name to the IP address of the source domain controller have all failed. 修正這個問題之前,找不到來源複寫合作夥伴會防止複寫與該來源。Failure to locate the source replication partner prevents replication with that source until the problem is fixed. 事件文字的範例如下:The following is an example of the event text: Log Name: Directory Service Source: Microsoft-Windows-ActiveDirectory_DomainService Date: 3/9/2008 11:00:21 AM Event ID: 2087 Task Category: DS RPC Client Level: Error Keywords: Classic User: ANONYMOUS LOGON Computer: DC3.contoso.com Description: Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 來源網域控制站:DC2 失敗 DNS 主機名稱:b0069e56-b19c-438a-8a1f-64866374dd6e._msdcs.contoso.comSource domain controller: DC2 Failing DNS host name: b0069e56-b19c-438a-8a1f-64866374dd6e._msdcs.contoso.com 注意:預設,只是最多 10 DNS 失敗會顯示為任何特定 12 小時,即使發生超過 10 失敗。NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. 登入的所有個人失敗事件,下列診斷登錄將值設定為 1:To log all individual failure events, set the following diagnostics registry value to 1: 登錄路徑:HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC ClientRegistry Path: HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 使用者動作:User Action: 1) 如果不能來源網域控制站運作或的作業系統已使用不同的電腦名稱重新安裝或 NTDSDSA 物件 GUID,移除來源網域控制站中繼資料的 ntdsutil.exe,使用 MSKB 文章 216498 中的步驟。If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 2) 確認來源網域控制站執行 Active Directory Domain Services 已存取網路上,輸入「net 檢視 \<來源俠名稱>」或「ping<來源俠名稱>」。Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \<source DC name>" or "ping <source DC name>". 3) 確認來源網域控制站使用有效的 DNS 伺服器的 DNS 服務和來源網域控制站主機記錄和 CNAME 記錄正確登記,使用 DNS 增強 DCDIAG.EXE http://www.microsoft.com/dns 提供Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns dcdiag//test: dnsdcdiag /test:dns 4) 請確認此目的地網域控制站正在使用 DNS 服務,有效的 DNS 伺服器執行 DNS 增強 DCDIAG.EXE 命令目的地網域控制站在主機上,如下所示:Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: dcdiag//test: dnsdcdiag /test:dns 5) 適用於進一步的分析的 DNS 錯誤查看 KB 824449: http://support.microsoft.com/?kbid=824449For further analysis of DNS error failures see KB 824449: http://support.microsoft.com/?kbid=824449 其他資料錯誤值:11004 要求的名稱是有效的但是找不到要求類型的資料。Additional Data Error value: 11004 The requested name is valid, but no data of the requested type was found.
診斷 無法來源網域控制站目前別名 (CNAME) 資源記錄解析為 IP 位址下列原因有: 來源網域控制站關機、] 位於 [隔離的網路,或 Active Directory 和 DNS 離線網域控制站的資料已不被表示網域控制站無法存取。 一項下列條件存在: 來源網域控制站在 DNS 不已經登記其資源記錄。 目的地網域控制站設定為使用無效的 DNS 伺服器。 網域控制站來源設定為使用無效的 DNS 伺服器。 來源網域控制站使用 DNS 伺服器未裝載正確的區域,或不接受動態更新設定的區域。 的目的地網域控制站查詢無法解析之根據不存在或不正確轉送程式或委派來源網域控制站的 IP 位址的直接 DNS 伺服器。 已經移除來源網域控制站並具有相同的 IP 位址,然後重新安裝 active Directory Domain Services (AD DS),但達到不知道的新 NTDS 設定 GUID 目的地網域控制站。 已移除網域控制站來源並使用不同的 IP 位址,然後重新安裝 AD DS,但目前主機地址 (A) 資源記錄來源網域控制站的 IP 位址無法登記,或不存在的目的網域控制站查詢根據複寫延遲或複寫錯誤 DNS 伺服器上。 來源網域控制站的作業系統已重新安裝使用不同的電腦名稱,但其中繼資料尚未移除或已移除並不尚未輸入複寫目的地網域控制站。 Diagnosis Failure to resolve the current alias (CNAME) resource record of the source domain controller to an IP address can have the following causes: The source domain controller is powered off, is offline, or resides on an isolated network, and Active Directory and DNS data for the offline domain controller has not been deleted to indicate that the domain controller is inaccessible. One of the following conditions exists: The source domain controller has not registered its resource records in DNS. The destination domain controller is configured to use an invalid DNS server. The source domain controller is configured to use an invalid DNS server. The DNS server that the source domain controller uses does not host the correct zones, or the zones are not configured to accept dynamic updates. The direct DNS servers that the destination domain controller queries cannot resolve the IP address of the source domain controller as a result of nonexistent or invalid forwarders or delegations. Active Directory Domain Services (AD DS) has been removed on the source domain controller and then reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID has not reached the destination domain controller. AD DS has been removed on the source domain controller and then reinstalled with a different IP address, but the current host address (A) resource record for the IP address of the source domain controller is either not registered or does not exist on the DNS servers that the destination domain controller queries as a result of replication latency or replication error. The operating system of the source domain controller has been reinstalled with a different computer name, but its metadata either has not been removed or has been removed and not yet inbound-replicated by the destination domain controller.
Resolution First, determine whether the source domain controller is functioning. If the source domain controller is not functioning, remove its remaining metadata from AD DS. If the source domain controller is functioning, continue with procedures to diagnose and solve the DNS problem, as necessary: Use Dcdiag to diagnose DNS problems. Register DNS service (SRV) resource records plus host records. Synchronize replication between the source and destination domain controllers. Verify consistency of the NTDS Settings GUID. Resolution First, determine whether the source domain controller is functioning. If the source domain controller is not functioning, remove its remaining metadata from AD DS. If the source domain controller is functioning, continue with procedures to diagnose and solve the DNS problem, as necessary: Use Dcdiag to diagnose DNS problems. Register DNS service (SRV) resource records plus host records. Synchronize replication between the source and destination domain controllers. Verify consistency of the NTDS Settings GUID.
判斷是否運作網域控制站 來判斷是否來源網域控制站運作,請使用下面測試。 需求 的成員資格網域使用者網域中的網域控制站群組或相當於,才能完成此程序最小值。 Determine whether a domain controller is functioning To determine whether the source domain controller is functioning, use the following test. Requirements Membership in the Domain Users group in the domain of the domain controller, or equivalent, is the minimum required to complete this procedure. review_detailincludes> Tools: Net view To determine whether a domain controller is functioning To confirm that the domain controller is running AD DS and is accessible on the network, at a command prompt type the following command, and then press ENTER: net view <SourceDomainControllerName> where <SourceDomainControllerName> is the NetBIOS name of the domain controller. This command displays the Netlogon and SYSVOL shares, indicating that the server is functioning as a domain controller. If this test shows that the domain controller is not functioning on the network, determine the nature of the disconnection and whether the domain controller can be recovered or whether its metadata must be removed from AD DS manually. If the domain controller is not functioning and cannot be restored, use the procedure in the following section, "Clean up domain controller metadata," to delete the data that is associated with that server from AD DS.review_detailincludes> Tools: Net view To determine whether a domain controller is functioning To confirm that the domain controller is running AD DS and is accessible on the network, at a command prompt type the following command, and then press ENTER: net view <SourceDomainControllerName> where <SourceDomainControllerName> is the NetBIOS name of the domain controller. This command displays the Netlogon and SYSVOL shares, indicating that the server is functioning as a domain controller. If this test shows that the domain controller is not functioning on the network, determine the nature of the disconnection and whether the domain controller can be recovered or whether its metadata must be removed from AD DS manually. If the domain controller is not functioning and cannot be restored, use the procedure in the following section, "Clean up domain controller metadata," to delete the data that is associated with that server from AD DS.
Clean up domain controller metadata If tests show that the domain controller is no longer functioning but you still see objects representing the domain controller in the Active Directory Sites and Services snap-in, replication will continue to be attempted, and you must remove these objects from AD DS manually. You must use the Ntdsutil tool to clean up (delete) the metadata for the defunct domain controller. If the defunct domain controller is the last domain controller in the domain, you should also remove the metadata for the domain. Allow sufficient time for all global catalog servers in the forest to inbound-replicate the domain deletion before you promote a new domain with the same name. The process for cleaning up metadata is improved in the version of Ntdsutil that is included with Windows Server 2003 Service Pack 1 (SP1). Instructions for cleaning up metadata with the Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of Ntdsutil are provided in the following procedure. Requirements Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Clean up domain controller metadata If tests show that the domain controller is no longer functioning but you still see objects representing the domain controller in the Active Directory Sites and Services snap-in, replication will continue to be attempted, and you must remove these objects from AD DS manually. You must use the Ntdsutil tool to clean up (delete) the metadata for the defunct domain controller. If the defunct domain controller is the last domain controller in the domain, you should also remove the metadata for the domain. Allow sufficient time for all global catalog servers in the forest to inbound-replicate the domain deletion before you promote a new domain with the same name. The process for cleaning up metadata is improved in the version of Ntdsutil that is included with Windows Server 2003 Service Pack 1 (SP1). Instructions for cleaning up metadata with the Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of Ntdsutil are provided in the following procedure. Requirements Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. review_detailincludes> 工具︰ Ntdsutil(System32 命令列工具) 清理伺服器中繼資料 打開命令提示字元。 命令提示字元中,輸入下列命令,並按一下 ENTER: ntdsutil ntdsutil: 命令提示字元中,輸入下列命令,然後按 ENTER 鍵︰ metadata cleanup 執行清除中繼資料,如下所示︰ 如果您要移除網域中繼資料,以及伺服器中繼資料,請略過以下程序,並使用的程序,以開始執行「步驟答︰ 在 如果您正在執行伺服器中繼資料清理],然後您正在使用之 Ntdsutil.exe,隨附在 Windows Server 2003 SP1,清除中繼資料︰ metadata cleanup: 命令提示字元中,輸入下列命令,然後按 ENTER 鍵︰ 移除選取的伺服器 <ServerName> 或者 移除選取的伺服器 <ServerName1> 上 <ServerName2> review_detailincludes> Tools: Ntdsutil (System32 command-line tool) To clean up server metadata Open a Command Prompt. At the command prompt, type the following command, and then press ENTER: ntdsutil At the ntdsutil: command prompt, type the following command, and then press ENTER: metadata cleanup Perform metadata cleanup as follows: If you are removing domain metadata as well as server metadata, skip the following procedure and use the procedure that begins at step a. If you are performing server metadata cleanup only and you are using the version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the metadata cleanup: command prompt, type the following command, and then press ENTER: remove selected server <ServerName> Or remove selected server <ServerName1> on <ServerName2>
參數Parameter 描述Description
<伺服器名稱>,<ServerName1><ServerName>, <ServerName1> 分辨的名稱網域控制站您想要移除,其中繼資料在表單 data-cn =<伺服器名稱>,data-cn = 伺服器,data-cn =<站台名稱>,data-cn = 網站 data-cn = 設定,俠 =<ForestRootDomain>The distinguished name of the domain controller whose metadata you want to remove, in the form cn=<ServerName>,cn=Servers,cn=<SiteName>, cn=Sites,cn=Configuration,dc=<ForestRootDomain>
<ServerName2><ServerName2> 網域控制站您要連接到您要移除伺服器中繼資料的 DNS 名稱The DNS name of the domain controller to which you want to connect and from which you want to remove server metadata
If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 with no service pack, or if you are performing both domain metadata cleanup and server metadata cleanup, perform metadata cleanup as follows: At the metadata cleanup: prompt, type the following command, and then press ENTER: connection At the server connections: prompt, type the following command, and then press ENTER: connect to server <Server> At the connection: prompt, type the following command, and then press ENTER: quit At the metadata cleanup: prompt, type the following command, and then press ENTER: select operation target At the select operation target: prompt, type the following command, and then press ENTER: list sites A numbered list of sites appears. Type the following command, and then press ENTER: select site <SiteNumber> At the select operation target: prompt, type the following command, and then press ENTER: list domains in site A numbered list of domains in the selected site appears. Type the following command, and then press ENTER: select domain <DomainNumber> At the select operation target: prompt, type the following command, and then press ENTER: list servers in site A numbered list of servers in a domain and site is displayed. Type the following command, and then press ENTER: select server <ServerNumber> At the select operation target: prompt, type the following command, and then press ENTER: quit At the metadata cleanup: prompt, type the following command, and then press ENTER: remove selected server If the server whose metadata you have removed is the last domain controller in the domain and you want to remove the domain metadata, at the metadata cleanup: prompt, type the following command, and then press ENTER: remove selected domain Metadata for the domain that you selected in step h is removed. At the metadata cleanup: and ntdsutil: prompts, type quit, and then press ENTER. If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 with no service pack, or if you are performing both domain metadata cleanup and server metadata cleanup, perform metadata cleanup as follows: At the metadata cleanup: prompt, type the following command, and then press ENTER: connection At the server connections: prompt, type the following command, and then press ENTER: connect to server <Server> At the connection: prompt, type the following command, and then press ENTER: quit At the metadata cleanup: prompt, type the following command, and then press ENTER: select operation target At the select operation target: prompt, type the following command, and then press ENTER: list sites A numbered list of sites appears. Type the following command, and then press ENTER: select site <SiteNumber> At the select operation target: prompt, type the following command, and then press ENTER: list domains in site A numbered list of domains in the selected site appears. Type the following command, and then press ENTER: select domain <DomainNumber> At the select operation target: prompt, type the following command, and then press ENTER: list servers in site A numbered list of servers in a domain and site is displayed. Type the following command, and then press ENTER: select server <ServerNumber> At the select operation target: prompt, type the following command, and then press ENTER: quit At the metadata cleanup: prompt, type the following command, and then press ENTER: remove selected server If the server whose metadata you have removed is the last domain controller in the domain and you want to remove the domain metadata, at the metadata cleanup: prompt, type the following command, and then press ENTER: remove selected domain Metadata for the domain that you selected in step h is removed. At the metadata cleanup: and ntdsutil: prompts, type quit, and then press ENTER.
參數Parameter 描述Description
<伺服器><Server> 連接到您想要的網域控制站的 DNS 名稱The DNS name of a domain controller that you want to connect to
<SiteNumber><SiteNumber> 伺服器的網站,以您想要清理,會出現在清單中相關聯的數字The number that is associated with the site of the server that you want to clean up, which appears in the list
<DomainNumber><DomainNumber> 數字的相關聯的伺服器您想要清理,會出現在清單中的網域The number that is associated with the domain of the server that you want to clean up, which appears in the list
<ServerNumber><ServerNumber> 伺服器您想要清理,會出現在清單中相關聯的數字The number that is associated with the server that you want to clean up, which appears in the list
Use Dcdiag to diagnose DNS problems If the domain controller is functioning online, continue by using the Dcdiag tool to diagnose and fix DNS problems that might be interfering with Active Directory replication. Use the following procedures to complete this process: Verify connectivity and basic DNS functionality. Verify registration of the alias (CNAME) resource record in DNS. Verify and enable secure dynamic updates. Before you begin these procedures, gather the following information, which is contained in the Event ID 2087 message text: The FQDN of the source domain controller and destination domain controller The IP address of the source domain controller The updated version of Dcdiag that is included in Windows Support Tools in Windows Server 2003 SP1 contains tests that provide consolidated and improved testing of basic and advanced DNS features. You can use this tool to diagnose basic DNS functionality and dynamic updates. When you use the enhanced SP1 version of Dcdiag for DNS testing, there are specific requirements that do not apply to all Dcdiag tests. Requirements Membership in Enterprise Admins, or equivalent, is the minimum required to complete the new DNS tests that are available in the SP1 version of Dcdiag. Use Dcdiag to diagnose DNS problems If the domain controller is functioning online, continue by using the Dcdiag tool to diagnose and fix DNS problems that might be interfering with Active Directory replication. Use the following procedures to complete this process: Verify connectivity and basic DNS functionality. Verify registration of the alias (CNAME) resource record in DNS. Verify and enable secure dynamic updates. Before you begin these procedures, gather the following information, which is contained in the Event ID 2087 message text: The FQDN of the source domain controller and destination domain controller The IP address of the source domain controller The updated version of Dcdiag that is included in Windows Support Tools in Windows Server 2003 SP1 contains tests that provide consolidated and improved testing of basic and advanced DNS features. You can use this tool to diagnose basic DNS functionality and dynamic updates. When you use the enhanced SP1 version of Dcdiag for DNS testing, there are specific requirements that do not apply to all Dcdiag tests. Requirements Membership in Enterprise Admins, or equivalent, is the minimum required to complete the new DNS tests that are available in the SP1 version of Dcdiag. review_detailincludes> Tools: Dcdiag.exe Operating system: You can run the enhanced version of Dcdiag on computers running the following operating systems: Windows XP Professional Windows Server 2003 Windows Server 2003 with SP1 You can run the new Dcdiag DNS tests against Microsoft DNS servers that are installed on domain controllers running the following operating systems: Windows 2000 Server with Service Pack 3 (SP3) Windows 2000 Server with Service Pack 4 (SP4) Windows Server 2003 Windows Server 2003 with SP1 You can use the /f: switch in Dcdiag commands to save the output to a text file. Use /f:FileName to generate the file in the location that is indicated in FileName, for example, /f:c:TestDnsTest.txt. review_detailincludes> Tools: Dcdiag.exe Operating system: You can run the enhanced version of Dcdiag on computers running the following operating systems: Windows XP Professional Windows Server 2003 Windows Server 2003 with SP1 You can run the new Dcdiag DNS tests against Microsoft DNS servers that are installed on domain controllers running the following operating systems: Windows 2000 Server with Service Pack 3 (SP3) Windows 2000 Server with Service Pack 4 (SP4) Windows Server 2003 Windows Server 2003 with SP1 You can use the /f: switch in Dcdiag commands to save the output to a text file. Use /f:FileName to generate the file in the location that is indicated in FileName, for example, /f:c:TestDnsTest.txt.
Verify basic DNS functionality To verify the settings that might interfere with Active Directory replication, you can begin by running the basic DNS test that ensures that DNS is operating properly on the domain controller. The basic DNS test checks the following: Connectivity: The test determines whether domain controllers are registered in DNS, can be contacted by PING, and have Lightweight Directory Access Protocol / remote procedure call (LDAP/RPC) connectivity. If the connectivity test fails on a domain controller, no other tests are run against that domain controller. The connectivity test is performed automatically before any other DNS test is run. Essential services: The test confirms that the following services are running and available on the tested domain controller: DNS Client service Net Logon service Key Distribution Center (KDC) service DNS Server service (if DNS is installed on the domain controller) DNS client configuration: The test confirms that DNS servers on all adapters are reachable. Resource record registrations: The test confirms that the host (A) resource record of each domain controller is registered on at least one of the DNS servers that is configured on the client. Zone and start of authority (SOA): If the domain controller is running the DNS Server service, the test confirms that the Active Directory domain zone and start of authority (SOA) resource record for the Active Directory domain zone are present. Root zone: Checks whether the root (.) zone is present. To verify basic DNS functionality At a command prompt, type the following command, and then press ENTER: dcdiag /test:dns /s:<SourceDomainControllerName> /DnsBasic where <SourceDomainControllerName> is the distinguished name, NetBIOS name, or DNS name of the domain controller. As an alternative, you can test all domain controllers in the forest by typing /e: instead of /s:. Copy the report into Notepad or an equivalent text editor. Scroll to the Summary table near the bottom of the Dcdiag log file. Note the names of all domain controllers that report "Warn" or "Fail" status in the Summary table. Find the detailed breakout section for the problem domain controller by searching for the string "DC: <DomainControllerName>". Make the required configuration changes on DNS clients and DNS servers. To validate the configuration changes, rerun Dcdiag /test:DNS with the /e: or /s: switch. If the basic DNS test shows no errors, continue by verifying that resource records that are used to locate domain controllers are registered in DNS. Verify basic DNS functionality To verify the settings that might interfere with Active Directory replication, you can begin by running the basic DNS test that ensures that DNS is operating properly on the domain controller. The basic DNS test checks the following: Connectivity: The test determines whether domain controllers are registered in DNS, can be contacted by PING, and have Lightweight Directory Access Protocol / remote procedure call (LDAP/RPC) connectivity. If the connectivity test fails on a domain controller, no other tests are run against that domain controller. The connectivity test is performed automatically before any other DNS test is run. Essential services: The test confirms that the following services are running and available on the tested domain controller: DNS Client service Net Logon service Key Distribution Center (KDC) service DNS Server service (if DNS is installed on the domain controller) DNS client configuration: The test confirms that DNS servers on all adapters are reachable. Resource record registrations: The test confirms that the host (A) resource record of each domain controller is registered on at least one of the DNS servers that is configured on the client. Zone and start of authority (SOA): If the domain controller is running the DNS Server service, the test confirms that the Active Directory domain zone and start of authority (SOA) resource record for the Active Directory domain zone are present. Root zone: Checks whether the root (.) zone is present. To verify basic DNS functionality At a command prompt, type the following command, and then press ENTER: dcdiag /test:dns /s:<SourceDomainControllerName> /DnsBasic where <SourceDomainControllerName> is the distinguished name, NetBIOS name, or DNS name of the domain controller. As an alternative, you can test all domain controllers in the forest by typing /e: instead of /s:. Copy the report into Notepad or an equivalent text editor. Scroll to the Summary table near the bottom of the Dcdiag log file. Note the names of all domain controllers that report "Warn" or "Fail" status in the Summary table. Find the detailed breakout section for the problem domain controller by searching for the string "DC: <DomainControllerName>". Make the required configuration changes on DNS clients and DNS servers. To validate the configuration changes, rerun Dcdiag /test:DNS with the /e: or /s: switch. If the basic DNS test shows no errors, continue by verifying that resource records that are used to locate domain controllers are registered in DNS.
Verify resource record registration The destination domain controller uses the DNS alias (CNAME) resource record to locate its source domain controller replication partner. Although domain controllers running Windows Server 2003 with SP1 can locate source replication partners by using FQDNs?or, if that fails, NetBIOS names?the presence of the alias (CNAME) resource record is expected and should be verified for proper DNS functioning. You can use Dcdiag to verify registration of all resource records that are essential for domain controller location by using the dcdiag /test:dns /DnsRecordRegistration test. This test verifies registration of the following resource records in DNS: alias (CNAME) (the GUID-based resource record that locates a replication partner) host (A) (the host resource record that contains the IP address of the domain controller) LDAP SRV (the service (SRV) resource records that locate LDAP servers) GC SRV (the service (SRV) resource records that locate global catalog servers) PDC SRV (the service (SRV) resource records that locate primary domain controller (PDC) emulator operations masters) As an alternative, you can use the following procedure to check for only the alias (CNAME) resource record. To verify alias (CNAME) resource record registration In the DNS snap-in, locate any domain controller that is running the DNS Server service, where the server hosts the DNS zone with the same name as the Active Directory domain of the domain controller. In the console tree, click the zone that is named _msdcs.Dns_Domain_Name. In Windows 2000 Server DNS, _msdcs.Dns_Domain_Name is a subdomain of the DNS zone for the Active Directory domain name. In Windows Server 2003 DNS, _msdcs.Dns_Domain_Name is a separate zone. In the details pane, verify that the following resource records are present: An alias (CNAME) resource record that is named Dsa_Guid._msdcs.Dns_Domain_Name A corresponding host (A) resource record for the name of the DNS server If the alias (CNAME) resource record is not registered, verify that dynamic updates are functioning properly. Use the test in the following section. Verify resource record registration The destination domain controller uses the DNS alias (CNAME) resource record to locate its source domain controller replication partner. Although domain controllers running Windows Server 2003 with SP1 can locate source replication partners by using FQDNs?or, if that fails, NetBIOS names?the presence of the alias (CNAME) resource record is expected and should be verified for proper DNS functioning. You can use Dcdiag to verify registration of all resource records that are essential for domain controller location by using the dcdiag /test:dns /DnsRecordRegistration test. This test verifies registration of the following resource records in DNS: alias (CNAME) (the GUID-based resource record that locates a replication partner) host (A) (the host resource record that contains the IP address of the domain controller) LDAP SRV (the service (SRV) resource records that locate LDAP servers) GC SRV (the service (SRV) resource records that locate global catalog servers) PDC SRV (the service (SRV) resource records that locate primary domain controller (PDC) emulator operations masters) As an alternative, you can use the following procedure to check for only the alias (CNAME) resource record. To verify alias (CNAME) resource record registration In the DNS snap-in, locate any domain controller that is running the DNS Server service, where the server hosts the DNS zone with the same name as the Active Directory domain of the domain controller. In the console tree, click the zone that is named _msdcs.Dns_Domain_Name. In Windows 2000 Server DNS, _msdcs.Dns_Domain_Name is a subdomain of the DNS zone for the Active Directory domain name. In Windows Server 2003 DNS, _msdcs.Dns_Domain_Name is a separate zone. In the details pane, verify that the following resource records are present: An alias (CNAME) resource record that is named Dsa_Guid._msdcs.Dns_Domain_Name A corresponding host (A) resource record for the name of the DNS server If the alias (CNAME) resource record is not registered, verify that dynamic updates are functioning properly. Use the test in the following section.
Verify dynamic updates If the basic DNS test shows that resource records do not exist in DNS, use the dynamic update test to diagnose why the Net Logon service did not register the resource records automatically. To verify that the Active Directory domain zone is configured to accept secure dynamic updates and to perform registration of a test record (_dcdiag_test_record), use the following procedure. The test record is deleted automatically after the test. To verify dynamic updates At a command prompt, type the following command, and then press ENTER: dcdiag /test:dns /s:<SourceDomainControllerName> /DnsDynamicUpdate where <SourceDomainControllerName> is the distinguished name, NetBIOS name, or DNS name of the domain controller. As an alternative, you can test all domain controllers by using the /e: switch instead of the /s: switch. If secure dynamic update is not configured, use the following procedure to configure it. To enable secure dynamic updates Open the DNS snap-in. In the console tree, right-click the applicable zone, and then click Properties. On the General tab, verify that the zone type is Active Directory-integrated. In Dynamic Updates, click Secure only. Verify dynamic updates If the basic DNS test shows that resource records do not exist in DNS, use the dynamic update test to diagnose why the Net Logon service did not register the resource records automatically. To verify that the Active Directory domain zone is configured to accept secure dynamic updates and to perform registration of a test record (_dcdiag_test_record), use the following procedure. The test record is deleted automatically after the test. To verify dynamic updates At a command prompt, type the following command, and then press ENTER: dcdiag /test:dns /s:<SourceDomainControllerName> /DnsDynamicUpdate where <SourceDomainControllerName> is the distinguished name, NetBIOS name, or DNS name of the domain controller. As an alternative, you can test all domain controllers by using the /e: switch instead of the /s: switch. If secure dynamic update is not configured, use the following procedure to configure it. To enable secure dynamic updates Open the DNS snap-in. In the console tree, right-click the applicable zone, and then click Properties. On the General tab, verify that the zone type is Active Directory-integrated. In Dynamic Updates, click Secure only.
Register DNS resource records If DNS resource records do not appear in DNS for the source domain controller, you have verified dynamic updates, and you want to register DNS resource records immediately, you can force the registration manually by using the following procedure. The Net Logon service on a domain controller registers the DNS resource records that are required for the domain controller to be located on the network. The DNS Client service registers the host (A) resource record that the alias (CNAME) record points to. Requirements Membership in the Domain Admins group in the forest root domain or the Enterprise Admins group, or equivalent, is the minimum required to complete this procedure. Tools: net stop/start, ipconfig To register DNS resource records manually To initiate registration of domain controller Locator resource records manually on the source domain controller, at a command prompt type the following commands, and then press ENTER after each command: net stop net logon & net start net logon To initiate registration of the host A resource record manually, at a command prompt type the following command, and then press ENTER: ipconfig /flushdns & ipconfig /registerdns Wait 15 minutes, and then review events in Event Viewer to ensure proper registration of the resource records. Repeat the procedure in the "Verify Resource Record Registration" section earlier in this section to verify that the resource records appear in DNS. Register DNS resource records If DNS resource records do not appear in DNS for the source domain controller, you have verified dynamic updates, and you want to register DNS resource records immediately, you can force the registration manually by using the following procedure. The Net Logon service on a domain controller registers the DNS resource records that are required for the domain controller to be located on the network. The DNS Client service registers the host (A) resource record that the alias (CNAME) record points to. Requirements Membership in the Domain Admins group in the forest root domain or the Enterprise Admins group, or equivalent, is the minimum required to complete this procedure. Tools: net stop/start, ipconfig To register DNS resource records manually To initiate registration of domain controller Locator resource records manually on the source domain controller, at a command prompt type the following commands, and then press ENTER after each command: net stop net logon & net start net logon To initiate registration of the host A resource record manually, at a command prompt type the following command, and then press ENTER: ipconfig /flushdns & ipconfig /registerdns Wait 15 minutes, and then review events in Event Viewer to ensure proper registration of the resource records. Repeat the procedure in the "Verify Resource Record Registration" section earlier in this section to verify that the resource records appear in DNS.
Synchronize replication between the source and destination domain controllers After you complete DNS testing, use the following procedure to synchronize replication on the inbound connection from the source domain controller to the destination domain controller. Requirements Membership in the Domain Admins group in the domain of the destination domain controller, or equivalent, is the minimum required to complete this procedure. Synchronize replication between the source and destination domain controllers After you complete DNS testing, use the following procedure to synchronize replication on the inbound connection from the source domain controller to the destination domain controller. Requirements Membership in the Domain Admins group in the domain of the destination domain controller, or equivalent, is the minimum required to complete this procedure. review_detailincludes> Tool: Active Directory Sites and Services To synchronize replication from a source domain controller Open Active Directory Sites and Services. In the console tree, double-click the Sites container, double-click the site of the domain controller to which you want to synchronize replication, double-click the Servers container, double-click the server object of the domain controller, and then click NTDS Settings. In the details pane, in the From Server column, locate the connection object that shows the name of the source domain controller. Right-click the appropriate connection object, and then click Replicate Now. Click OK. If replication does not succeed, use the procedure in the following section to verify consistency of the NTDS Settings GUID.review_detailincludes> Tool: Active Directory Sites and Services To synchronize replication from a source domain controller Open Active Directory Sites and Services. In the console tree, double-click the Sites container, double-click the site of the domain controller to which you want to synchronize replication, double-click the Servers container, double-click the server object of the domain controller, and then click NTDS Settings. In the details pane, in the From Server column, locate the connection object that shows the name of the source domain controller. Right-click the appropriate connection object, and then click Replicate Now. Click OK. If replication does not succeed, use the procedure in the following section to verify consistency of the NTDS Settings GUID.
Verify consistency of the NTDS Settings GUID If you have performed all DNS tests and other tests and replication does not succeed, use the following procedure to verify that the GUID of the NTDS Settings object that the destination domain controller is using to locate its replication partner matches the GUID that is currently in effect on the source domain controller itself. To perform this test, you view the object GUID as it appears in the local directories of each domain controller. Requirements Membership in the Domain Admins group in the domain of the destination domain controller, or equivalent, is the minimum required to complete this procedure. Tool: Ldp.exe (Windows Support Tools) To verify consistency of the NTDS Settings GUID Click Start, click Run, type Ldp, and then click OK. On the Connection menu, click Connect. In the Connect dialog box, leave the Server box empty. In Port, type 389, and then click OK. On the Connection menu, click Bind. In the Bind dialog box, provide Enterprise Admins credentials. If it is not already selected, click Domain. In Domain, type the name of the forest root domain, and then click OK. On the View menu, click Tree. In the Tree View dialog box, type: CN=Configuration,DC=Forest_Root_Domain and then click OK. Navigate to the object CN=NTDS Settings,CN=SourceServerName,CN=Servers,CN=SiteName, CN=Sites,CN=configuration,DC=ForestRootDomain. Double-click the NTDS Settings object and, in the details pane, view the value for the attribute objectGUID. Right-click that value, and then copy it to Notepad. On the Connection menu, click Disconnect. Repeat steps 2 through 11, but in step 3, type the name of the source domain controller, for example, DC03. In Notepad, compare the values of the two GUIDs. If the values do not match, the destination domain controller must receive replication of the valid GUID. Check the GUID value on other domain controllers and attempt replication on the destination domain controller with a different domain controller that has the correct GUID. If the values match, verify that the GUID matches the GUID in the Dsa_Guid._msdcs.Dns_Domain_Name resource record for the source domain controller, as follows: Note the primary DNS servers that each domain controller identifies in the TCP/IP properties in their Network Settings. All the DNS servers that are listed in the respective TCP/IP properties should be able to indirectly or directly resolve this alias (CNAME) resource record. From the servers that are listed, identify the authoritative name server or servers for this domain zone by looking at the server names that are listed for the name server (NS) resource records at the root of the zone. (In the DNS snap-in, select the forward lookup zone for the root domain, and then view the name server (NS) records in the details pane.) On the name server or servers obtained in step b, open the DNS snap-in, and double-click the forward lookup zone for the forest root domain name. Double-click the _msdcs folder, and note the alias (CNAME) resource records that exist for your server name. If there are no records present or the records are incorrect, see article 241505 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=69994http://go.microsoft.com/fwlink/?LinkId=69994). Verify consistency of the NTDS Settings GUID If you have performed all DNS tests and other tests and replication does not succeed, use the following procedure to verify that the GUID of the NTDS Settings object that the destination domain controller is using to locate its replication partner matches the GUID that is currently in effect on the source domain controller itself. To perform this test, you view the object GUID as it appears in the local directories of each domain controller. Requirements Membership in the Domain Admins group in the domain of the destination domain controller, or equivalent, is the minimum required to complete this procedure. Tool: Ldp.exe (Windows Support Tools) To verify consistency of the NTDS Settings GUID Click Start, click Run, type Ldp, and then click OK. On the Connection menu, click Connect. In the Connect dialog box, leave the Server box empty. In Port, type 389, and then click OK. On the Connection menu, click Bind. In the Bind dialog box, provide Enterprise Admins credentials. If it is not already selected, click Domain. In Domain, type the name of the forest root domain, and then click OK. On the View menu, click Tree. In the Tree View dialog box, type: CN=Configuration,DC=Forest_Root_Domain and then click OK. Navigate to the object CN=NTDS Settings,CN=SourceServerName,CN=Servers,CN=SiteName, CN=Sites,CN=configuration,DC=ForestRootDomain. Double-click the NTDS Settings object and, in the details pane, view the value for the attribute objectGUID. Right-click that value, and then copy it to Notepad. On the Connection menu, click Disconnect. Repeat steps 2 through 11, but in step 3, type the name of the source domain controller, for example, DC03. In Notepad, compare the values of the two GUIDs. If the values do not match, the destination domain controller must receive replication of the valid GUID. Check the GUID value on other domain controllers and attempt replication on the destination domain controller with a different domain controller that has the correct GUID. If the values match, verify that the GUID matches the GUID in the Dsa_Guid._msdcs.Dns_Domain_Name resource record for the source domain controller, as follows: Note the primary DNS servers that each domain controller identifies in the TCP/IP properties in their Network Settings. All the DNS servers that are listed in the respective TCP/IP properties should be able to indirectly or directly resolve this alias (CNAME) resource record. From the servers that are listed, identify the authoritative name server or servers for this domain zone by looking at the server names that are listed for the name server (NS) resource records at the root of the zone. (In the DNS snap-in, select the forward lookup zone for the root domain, and then view the name server (NS) records in the details pane.) On the name server or servers obtained in step b, open the DNS snap-in, and double-click the forward lookup zone for the forest root domain name. Double-click the _msdcs folder, and note the alias (CNAME) resource records that exist for your server name. If there are no records present or the records are incorrect, see article 241505 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=69994http://go.microsoft.com/fwlink/?LinkId=69994).