I have added an additional DC to my domain, and the replication process
completed well, at least I guess it did. I can see users, and I have checked
DNS; it is updated. Both the old and new DNS services have all the same entries.

1. But I cannot see the NTDS Settings entries to run the "replicate now" process
in Sites and Services for my new server. What may be the problem? Is it
important? Also, I have not checked "global catalog server" for the new server.
Can that cause this problem?

2. I want to ask another question: can there be two servers checked as
global catalog server in a single domain? Or what should I do in this
situation?

3. For my last question: can I test transferring roles from the old one to the
newer one at this point?

Thanks

Re: Replication NTDS Settings by Meinolf

Meinolf
Tue Mar 25 04:46:48 PDT 2008

Hello EmreCAN,

see inline

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I have added an additional DC to my domain, and the replication process
> completed well, at least I guess it did. I can see users, and I
> have checked DNS; it is updated. Both the old and new DNS services have
> all the same entries.
>
> 1. But I cannot see the NTDS Settings entries to run the "replicate now"
> process in Sites and Services for my new server. What may be the problem?
> Is it important? Also, I have not checked "global catalog server" for the
> new server. Can that cause this problem?

So the new DC is added but no NTDS Settings are displayed, or is the connection
itself (automatically generated) not displayed?

> 2. I want to ask another question: can there be two servers
> checked as global catalog server in a single domain? Or what should I
> do in this situation?

Make the second also a GC for redundancy if the first fails. No problem in
a single domain.

> 3. For my last question: can I test transferring roles from the old one to
> the newer one at this point?

Of course you can test it, but why? If you will not remove the FSMO role
holder there is no real need. http://support.microsoft.com/kb/324801

> Thanks



Re: Replication NTDS Settings by EmreCAN

EmreCAN
Tue Mar 25 05:50:00 PDT 2008

Yes, I cannot see the (automatically generated) entry in NTDS Settings. And my
sysvol share folder is also empty.

Also, when I run the dcdiag /v test it gives an error on the NetLogons test with
error number 1203, and it also gives errors for Advertising and frsevent.


Re: Replication NTDS Settings by Jorge

Jorge
Tue Mar 25 07:57:55 PDT 2008

Hi,
Point the additional DC to the existing DC/DNS (assuming that is also a DNS
server), then right-click on the additional DC's NIC and choose Repair, then
restart the netlogon service, then go to ADSS or use repadmin to force
replication.

Let us know the results.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: Replication NTDS Settings by EmreCAN

EmreCAN
Tue Mar 25 08:03:05 PDT 2008

Hello Meinolf Weber,
Thank you for helping. I will be happy if this problem is solved; it is critical
for my career.

I will send all you want, and the dcdiag and netdiag errors (but I did not run in
verbose mode; if you want, I will send that).

thanks again

Windows IP Configuration

Host Name . . . . . . . . . . . . : intserv2
Primary Dns Suffix . . . . . . . : netserv.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : netserv.com

Ethernet adapter Internal Network Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-08-A1-3F-EF-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.32.2
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . :

Ethernet adapter External Network Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller
Physical Address. . . . . . . . . : 00-1D-60-49-B2-30
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.18.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.18.1
DNS Servers . . . . . . . . . . . : 192.168.18.1



Windows IP Configuration

Host Name . . . . . . . . . . . . : intsrv3
Primary Dns Suffix . . . . . . . : netserv.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : netserv.com

Ethernet adapter Internal Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-08-A1-3F-F1-D3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.32.3
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.32.2



On intsrv3 netdiag errors

Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.

on intsrv3 dcdiag errors

Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\INTSRV3\netlogon)
[INTSRV3] An net use or LsaPolicy operation failed with error 1203,
Win32 Error 1203.

Starting test: Advertising
Warning: DsGetDcName returned information for
\\intserv2.netserv.com, when we were trying to reach INTSRV3.
Server is not responding or is not considered suitable.

......................... INTSRV3 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... INTSRV3 failed test frsevent

Starting test: kccevent
An Warning Event occured. EventID: 0x80000632
Time Generated: 03/25/2008 16:46:55
(Event String could not be retrieved)
......................... INTSRV3 failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000415
Time Generated: 03/25/2008 16:15:59
Event String: The DHCP/BINL service on the local machine has
An Error Event occured. EventID: 0x0000041C
Time Generated: 03/25/2008 16:15:59
Event String: The DHCP/BINL service on this workgroup server
An Error Event occured. EventID: 0x00000415
Time Generated: 03/25/2008 16:22:47
Event String: The DHCP/BINL service on the local machine has
An Error Event occured. EventID: 0x0000041C
Time Generated: 03/25/2008 16:22:47
Event String: The DHCP/BINL service on this workgroup server
An Error Event occured. EventID: 0x00000415
Time Generated: 03/25/2008 16:25:11
Event String: The DHCP/BINL service on the local machine has
An Error Event occured. EventID: 0x0000041C
Time Generated: 03/25/2008 16:25:11
Event String: The DHCP/BINL service on this workgroup server
An Error Event occured. EventID: 0x00000416
Time Generated: 03/25/2008 16:32:08
Event String: The DHCP/BINL service on the local machine,
......................... INTSRV3 failed test systemlog



And there are also errors in dcdiag on intserv2 (primary server):


Testing server: Default-First-Site-Name\INTSERV2
Starting test: Connectivity
The host 2791712c-8b92-4287-bce2-b8b5f3b18ceb._msdcs.netserv.com
could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(2791712c-8b92-4287-bce2-b8b5f3b18ceb._msdcs.netserv.com) couldn't be
resolved, the server name (intserv2.netserv.com) resolved to the IP
address (192.168.18.3) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... INTSERV2 failed test Connectivity

netdiag errors for intserv2 (I guess this is because netserv.com is not
registered in real DNS, and I guess it is not important):

DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the name
'intserv2.netserv.com.'. [ERROR_TIMEOUT]
The name 'intserv2.netserv.com.' may not be registered in DNS.
[WARNING] Cannot find a primary authoritative DNS server for the name
'intserv2.netserv.com.'. [ERROR_TIMEOUT]
The name 'intserv2.netserv.com.' may not be registered in DNS.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS
server 192.168.18.1, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.




> Hello EmreCAN,
>
> Please post an unedited ipconfig /all from both machines
>
>

Re: Replication NTDS Settings by EmreCAN

EmreCAN
Tue Mar 25 08:12:02 PDT 2008

By the way, I did not transfer roles to the newer one; can that be a problem?


Re: Replication NTDS Settings by EmreCAN

EmreCAN
Tue Mar 25 08:15:05 PDT 2008


I have configured the primary one as DNS server for the additional one.
In ADSS, how can I replicate? There is no "replicate now" in the NTDS Settings
entries.
And also, how can I use repadmin to force replication?

Thanks

Re: Replication NTDS Settings by Jorge

Jorge
Tue Mar 25 08:50:03 PDT 2008

Ok, this is a little bit confusing.
I notice that you have an "external" interface with DNS defined, and an
internal NIC with no DNS; is this true? Let's try the following: tell me the
IP configuration of the existing server, and the IP configuration of the
additional server. Also, are you using multiple NICs on the servers? Are you
using RRAS with any of those servers?


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: Replication NTDS Settings by EmreCAN

EmreCAN
Tue Mar 25 09:11:02 PDT 2008

My primary server has two NICs. On this server we have also installed the ISA
service.
We are using the second NIC for internet access.

We also have a second NIC on the additional server, but it is disabled. We
will later install the ISA service on this server.

Do I need to configure a DNS IP for the internal NIC on the primary server?


Re: Replication NTDS Settings by Jorge

Jorge
Tue Mar 25 09:58:48 PDT 2008

Ok, before we move on, can you explain why you are using ISA on DCs? Are you
using SBS? Did you know that using ISA on DCs may represent security issues?
Can you use dedicated servers for ISA? How is ISA configured? And finally,
why did you configure DNS on the external interface and no DNS on the internal
interface?


Post ipconfig /all for both servers.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
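
Added example (not part of the original thread): a small Python check for the adapter DNS pattern questioned in the post above, run over `ipconfig /all` text trimmed from the output posted earlier in the thread. The `AD_DNS` set and all function names are assumptions made for this illustration.

```python
import re

# Trimmed from the `ipconfig /all` output posted earlier in this thread.
SAMPLE_INTSERV2 = """\
Ethernet adapter Internal Network Interface:
   IP Address. . . . . . . . . . . . : 192.168.32.2
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . :

Ethernet adapter External Network Interface:
   IP Address. . . . . . . . . . . . : 192.168.18.3
   Default Gateway . . . . . . . . . : 192.168.18.1
   DNS Servers . . . . . . . . . . . : 192.168.18.1
"""
SAMPLE_INTSRV3 = """\
Ethernet adapter Internal Interface:
   IP Address. . . . . . . . . . . . : 192.168.32.3
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.32.2
"""

# Assumption: addresses at which the domain's own DNS zone is served.
AD_DNS = {"127.0.0.1", "192.168.32.2", "192.168.32.3"}

ADAPTER_RE = re.compile(r"^\s*Ethernet adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
IPV4_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_adapters(text):
    """Return {adapter name: {field name: [values]}} from ipconfig /all text."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, last = adapters.setdefault(m.group(1), {}), None
            continue
        if current is None or not line.strip():
            continue
        cont = IPV4_RE.match(line)
        if cont and last:  # bare address: an extra value for the previous field
            current[last].append(cont.group(1))
            continue
        f = FIELD_RE.match(line)
        if f:
            last, value = f.group(1).strip(), f.group(2).strip()
            current[last] = [value] if value else []
    return adapters


def dns_findings(text, ad_dns=AD_DNS):
    """List (adapter, finding) pairs for adapters whose DNS setup needs review."""
    findings = []
    for name, fields in parse_adapters(text).items():
        servers = fields.get("DNS Servers", [])
        if not servers:
            findings.append((name, "no DNS server configured"))
        for server in servers:
            if server not in ad_dns:
                findings.append((name, f"DNS server {server} is not an AD DNS server"))
    return findings


if __name__ == "__main__":
    for host, text in (("intserv2", SAMPLE_INTSERV2), ("intsrv3", SAMPLE_INTSRV3)):
        print(host, dns_findings(text) or "ok")
```
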


Re: Replication NTDS Settings by EmreCAN

EmreCAN
Tue Mar 25 22:42:00 PDT 2008

Because we have one server hardware for this location. But if you tell me the
main security vulnerability about this, I can tell this to my manager and send
another server there?

I have a first rule that accepts all protocols from internal, and a second rule
that accepts all protocols from localhost to internal.

I forgot to configure DNS for the internal interface; I am changing it
to 127.0.0.1 now.

For the external interface we have a DSL modem, and configured the DSL modem's
IP as DNS server for the external NIC.

I have sent the ipconfig outputs in my previous posts in this subject.

Thanks



Re: Replication NTDS Settings by Jorge

Jorge
Wed Mar 26 12:51:49 PDT 2008

Hi again, do a search for ISA Server on domain controllers; you'll see lots
of information about why it's not recommended, how to configure it, and why
you should avoid that configuration. Also do a search for multihomed domain
controllers; you'll also find lots of documented problems regarding this
type of configuration.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: Replication NTDS Settings by EmreCAN

EmreCAN
Thu Mar 27 00:00:02 PDT 2008

Hi Jorge,
Thank you for your help, everything works well now. Replication has
completed,
except there is still a dcdiag error like this:

Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... INTSRV3 failed test frsevent


Although 24 hours have passed after replication. What do you think the problem is?

I will also read the documents you referred to; thanks again for your help.




Re: Replication NTDS Settings by Jorge

Jorge
Thu Mar 27 09:33:09 PDT 2008

Check the event log for these errors (time - date); they may have been logged
during the problematic time, and if you're not having those problems now, you can
safely ignore that.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services