Channel: Network Infrastructure Servers forum

DHCP display a differences on leases


I have two DHCP servers configured for multiple VLANs. Everything works fine, but I've noticed a strange thing: on the same VLAN I find some differences in the leases of the two servers. Another difference is that one server has filled up with respect to the other.

What could be the problem?
Lately I have enabled the DNS scavenging and set the lease duration to the default value (8 days).

Thanks


DNS Error


Hello,

On my client I have the following error many times:

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : {58FC55C1-4A77-4278-8AD8-F00CFD04DF81}
           Host Name : computer
           Primary Domain Suffix : domain.local
           DNS server list :
              fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3
           Sent update to server : <?>
           IP Address(es) :
             192.168.98.1

         The system could not remove these host (A or AAAA) RRs because the update request timed out while awaiting a response from the DNS server. This is probably because the DNS server authoritative for the zone where these RRs need to be updated is either not currently running or reachable on the network.

Dynamic updates in DNS are enabled.

What is the problem here?

Thx

DHCP full, but not?


I have several scopes that are reported as full.

However, when I go in and check the leases I can see several free ones.

How come, and what can I do to fix the problem?

Tor Arne

RRAS Internet Access issue


I've been having trouble with client access to the internet at a remote site.

Demand Dial HQ is a W2k3 RRAS, remote is W2k8.  VPN connection established.

The remote RRAS server connects to the internet without issue, but desktops behind that server have odd behavior. Some internet sites get some response, most no response. I can successfully ping or tracert from the desktop computers, but IE doesn't return a response.

Since the internet connection works from the server, I ran a tracert on the server and compared it to the tracert run on the desktop. I then noticed something which seemed odd. The server access route was using the IP address it obtained as caller from the DHCP at HQ, but the desktop access route was using the IP address the HQ caller obtained at the remote site.

I know this is confusing. Any ideas?

RRAS connection to Windows Server 2012: connection attempts hang every day or so


I have a Windows Server 2012 Std Edition on an IBM 3550 M2 in a lab at work. Every couple of days when users try to connect to the server using PPTP, the connection hangs on completing the connection. At the SAME time the system loses the ability to ping the server. This happens with both Windows 7 & 8. I have set up a ping to the server from the workstation (ping 172.16.21.203 -t) and when the VPN tries to connect, the ping times out at the same time that the connection begins to complete. All communication to the server hangs from the workstation's perspective.

The ping from the server to the workstation may drop a ping but keeps on working. A ping to the gateway from the server never fails.

The workstation can be remote on a separate subnet or on a home network and the failure symptom is the same. Of course from home we have a VPN to the intranet as well as a subnet on the home router. The lab domain controller's and DHCP server's IP is 10.11.1.1/240, the second NIC on the VPN server.

Example Simple failure

Workstation  172.16.5.200/24 192.16.5.1 <->RRAS Server 172.168.20.203/25 172.16.20.129.

Home to intranet to Lab.

Laptop(192.168.15.23/24 192.168.15.1 <-> ATT Client VPN 172.16.100.200/24 192.16.100.1 <->RRAS Server 172.168.20.203/25 172.16.20.129.

At the time of the failure both types of connections fail and the remote session to the server quits.

On the home connection the ping fails to an ARP and it uses the default IP 192.168.15.23 as the source, not the VPN IP which is in the ARP table. The inconsequential error on the server is that the remote client does not support the authentication protocol needed. Before the failure the same configuration works fine. I get my static route pushed down just fine.

If I kill the request to connect to the VPN, ping starts to work normally and I can remote into the RRAS server.

The only workaround that I found through much PD and frustration: restart the RRAS service on the server and it works until it quits again. It seemed to happen more often on a Broadcom 5709 NIC, so I moved it to an Intel Pro 1000 NIC and the failure still occurs.

All NIC drivers are current.

The failure occurs on Windows 7 or 8 at the same time. The route from the server to the NIC does not fail, though the opposite logical path fails.

Please advise.

Server high availability


Dear Experts.

I have one SQL server configured on Windows Server 2008 R2 with one public IP in my head office. Other branch offices access that server from different locations. We are planning to build one more SQL server in a public cloud so that we can access our data if that physical server in the head office goes down. I know this is a funny implementation of SQL, but this is the exact status of that network.

I want the below mentioned things.

(a) The physical server in the head office and the server in the cloud should be synced/replicated (there is no AD, but it could be installed if required).

(b) I want a way where the user will hit a virtual IP and will access SQL. Maybe round robin or as per server utilization ratio (50/50, 60/40).

(c) If any one goes down there should not be any impact for users. Right now all users are pointed to the physical server in HO.

I thought to build one more server in HO and create some NLB kind of stuff using Windows services. Is this possible?



Regards Suman B. Singh

Windows 2008 R2 VPN


Hi, I am currently trying to set up a VPN solution for approximately 500 users.

The current setup I believe is insecure as all users have access to everything in the network.

The customer's main router is in my office and every branch office router connects to the main router over IPsec tunnels. The users currently VPN into a server in my office which puts them on the internal subnet that has access to all store subnets. I currently assign static IPs to each VPN user so that I can track who is doing what.

I would like to have a VPN server in a DMZ on a different subnet and be able to control who has access to what, whether it be devices on the internal subnet or devices within their store subnet.

I need all users to have remote default gateway enabled on their computers as I want them to use the filtered internet access when connected via VPN.

During some testing I was able to use NAP to restrict user access to specific IP addresses but users were unable to get internet access. (Clients still on Internal Subnet)

We would like to implement system health checks before allowing them access to the network.

I don't know if using RADIUS is of any benefit here as we are only using the one VPN server.

I just want a solution that will be easy to manage by AD possibly and not have to configure firewall policies on the router for every individual user.

DirectAccess - TCP port strangeness!


Hi,

Sorry for the strange title, but I can't seem to find any logic in this problem.

We have a 3rd party application for control of our VoIP system, and it uses TCP port 3333 to connect to the server that runs the application. When one of my DirectAccess clients tries to start the application (it runs from a UNC path) the application starts fine, but it can't connect to the server.

My first thought: there must be some element in the server / client configuration tied to an IPv4 address. I checked everything and asked the developers of the software, and there wasn't; everything runs on DNS names (which should work, and I can ping the server by its DNS name).

My second thought: maybe it gets blocked! I checked my network firewall log, and the log seemed pretty normal. Then I checked the firewall on the client and tried to create a custom rule allowing TCP port 3333, still no dice.
I also ran a "NETSTAT" command on the client while trying to connect; the TCP connection stalled at "SYN_SENT". To me it still seems like the TCP port is blocked somewhere.

So, now I am a bit lost. I hope someone can help me. Thanks!


/Mick Negendahl


Clients randomly leasing DHCP addresses from another site via superscope


Hello. We have two main sites, one in California and one in New York. We have a DHCP server in each location that generally serves each geographic location. We use traditional scopes to hand out addresses to each location's networks and everything was working fine. Someone then added a superscope at each site that contains scopes for the other corresponding site. I am guessing this was done for redundancy. After this was done, computers randomly go over the WAN and get their DHCP addresses from the other site. From my reading, it shouldn't do this unless the local DHCP server is down. This is causing problems as we don't necessarily always have our DHCP reservations set up in the corresponding superscope across the WAN. Our servers haven't experienced any issues in terms of network outages or errors etc., so the local DHCP server has been available during these occurrences.

Example: A DHCP client in California had an address of 10.1.10.100. It was shut down for work overnight. When we booted it up, even though it has a reservation in the California scope of 10.1.10.x, it went across the WAN to New York and pulled an address of 10.1.10.124 from the New York superscope of 10.1.10.124 (the California backup superscope).

Does anyone have any ideas why we might be experiencing this behavior? My thoughts are that in this scenario the usage of superscopes is not even necessary and we should be using regular DHCP scopes, but I also need to find out why we are seeing this behavior.

DHCP Error - DNS Update Failed (31)


Dear All,

I have the problem that the DHCP server does not update the DNS records. FYI, the same server is AD, DHCP and DNS, and there is a second server with the same roles, serving the same roles in a remote site.

By looking at the DHCP log I see the below:

30,02/27/13,16:49:43,DNS Update Request,192.168.9.67,gws-apo.test.local,,,0,6,,,
11,02/27/13,16:49:43,Renew,192.168.9.67,gws-apo.test.local,5CE2F4771EAD,,2369975068,0,,,
31,02/27/13,16:49:43,DNS Update Failed,192.168.9.67,gws-apo.test.local,,,0,6,,,

I can see successes as well, but maybe it's because their records were deleted due to aging. If I try ipconfig /release and then /renew I get the error anyway.

The DNS dynamic update credentials have been set, and the account is added to the DNSUpdateProxy group. I have checked "Enable DNS Dynamic updates: Always dynamically update DNS A and PTR Records", "Discard A and PTR records when lease is deleted" and "Dynamic update DNS A.....". Also Name Protection is off.

The dynamic updates of DNS have been configured as "secure only" and on the Security tab the DNSUpdateProxy has been added with full permissions.

Any other idea? I have checked a lot but didn't find anything else.

Thanks,

George
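A small parser for the Microsoft DHCP server audit log format shown in the post, added here as an example and not part of the original thread. It pairs each DNS Update Request (event ID 30) with its outcome (31 = failed, 32 = successful) per client, so that you can see whether failures are confined to particular hosts (for example records that already exist and are owned by a different principal under secure-only updates) or affect every client. The field names follow the column order of the DhcpSrvLog-*.log files; the sample log is constructed from the three lines in the post plus a second, invented client.

```python
import csv
from collections import defaultdict
from io import StringIO

# Column order of the Microsoft DHCP server audit log (DhcpSrvLog-*.log).
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac", "user",
          "transaction_id", "qresult", "probation", "correlation", "dhcid"]

# Well-known DHCP audit event IDs for DNS registration.
DNS_UPDATE_REQUEST = "30"
DNS_UPDATE_FAILED = "31"
DNS_UPDATE_SUCCESS = "32"

# Constructed sample: the three lines from the post, plus an invented second
# client (ws-lab01) whose update succeeds, for contrast.
SAMPLE_LOG = """\
30,02/27/13,16:49:43,DNS Update Request,192.168.9.67,gws-apo.test.local,,,0,6,,,
11,02/27/13,16:49:43,Renew,192.168.9.67,gws-apo.test.local,5CE2F4771EAD,,2369975068,0,,,
31,02/27/13,16:49:43,DNS Update Failed,192.168.9.67,gws-apo.test.local,,,0,6,,,
30,02/27/13,16:50:02,DNS Update Request,192.168.9.80,ws-lab01.test.local,,,0,0,,,
10,02/27/13,16:50:02,Assign,192.168.9.80,ws-lab01.test.local,001122334455,,2369975100,0,,,
32,02/27/13,16:50:03,DNS Update Successful,192.168.9.80,ws-lab01.test.local,,,0,0,,,
"""


def parse_audit_log(text):
    """Yield one dict per data row.

    The real log file starts with a free-text banner explaining the event
    IDs; those lines do not begin with a numeric ID and are skipped.
    """
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        # Pad short rows so every field name has a value.
        row = row + [""] * (len(FIELDS) - len(row))
        yield dict(zip(FIELDS, row))


def dns_update_summary(text):
    """Count DNS update requests and their outcomes per (ip, host) pair."""
    stats = defaultdict(lambda: {"requests": 0, "failed": 0, "succeeded": 0})
    for ev in parse_audit_log(text):
        key = (ev["ip"], ev["host"])
        if ev["id"] == DNS_UPDATE_REQUEST:
            stats[key]["requests"] += 1
        elif ev["id"] == DNS_UPDATE_FAILED:
            stats[key]["failed"] += 1
        elif ev["id"] == DNS_UPDATE_SUCCESS:
            stats[key]["succeeded"] += 1
    return dict(stats)


def failing_clients(text):
    """Clients whose DNS updates failed and never succeeded in this log."""
    summary = dns_update_summary(text)
    return sorted(key for key, v in summary.items()
                  if v["failed"] and not v["succeeded"])


if __name__ == "__main__":
    # Real use: open(r"C:\Windows\System32\dhcp\DhcpSrvLog-Wed.log").read()
    for (ip, host), counts in sorted(dns_update_summary(SAMPLE_LOG).items()):
        print(ip, host, counts)
    print("clients with only failures:", failing_clients(SAMPLE_LOG))
```

Run it against the real log files under the DHCP server's System32\dhcp directory; a client list that is short and stable across days points at record ownership on those specific names, while failures for every client point at the update credentials or the zone's update settings.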

Windows Server 2012 Essentials - DNS returns non-existent domain even though DNS forwarder responds correctly


Hi,

I have Windows Server 2012 Essentials set up and I'm using it for DNS since it handles all its necessary entries for easy domain joining and such. However, I'm using my router for DHCP, static assignment of IP addresses to some servers, and therefore the DNS entries for those servers; in addition I put those servers on the companyname.com domain so that demos and such show better URLs, but there are also externally hosted DNS entries that manage the rest of the companyname.com domain (i.e. our corporate site) so that it's available externally. In addition, the external DNS is through Comcast Business, so technically those are assigned by their DHCP and could change. So what I wanted to do is to have the Windows Server 2012 Essentials handle the companyname.local domain and then forward all other requests to the router, which knows about the special internal companyname.com IP addresses as well as the external Comcast DNS servers. My understanding is that this should be accomplished with a DNS forwarder pointed at the router, which I have configured. My router is at 192.168.1.1, the server is at 192.168.1.25, and clients are set up (through DHCP) to have their DNS server as 192.168.1.25 (the server).

The problem is that what appear to be random FQDNs cannot be resolved by the server; i.e. let's say I have a server foo (.50) and bar (.51); foo will work on both:

nslookup foo.companyname.com                 // => returns 192.168.1.50
nslookup foo.companyname.com 192.168.1.1     // => returns 192.168.1.50

However, bar won't work on the server, but will on the router:

nslookup bar.companyname.com                 // => returns Non-existent domain
nslookup bar.companyname.com 192.168.1.1     // => returns 192.168.1.51

I haven't found the exact way to get it to work, but if I restart the server and then query bar again from the server, it will correctly return the forwarded request's answer. I'm not sure what's happening, although it seems like perhaps the router is sometimes responding slowly or the server is somehow not getting a response, and then it's caching that forever. My questions are:

  1. How can I debug this further to figure out why the router replies with the DNS entry but the server doesn't, even though it has a forwarder pointed at the router?
  2. To test whether it's caching a bad DNS request forever, can I force the server to not cache any DNS requests and always forward items it doesn't know to the forwarder? Or, perhaps more performant, just unknown entries? (Although the router and server are close enough, and the business is small enough, that I'm not concerned if every non-companyname.local request had to travel to the router and back, and it will correctly cache the responses from Comcast's DNS servers.)

Thanks,
Peter
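The debugging step asked for in question 1 is to put the same query to the Essentials server and to the router side by side and compare the response code and answers, rather than relying on nslookup's summary line. The script below is an added example, not part of the original post: it builds a raw A query with the standard library, parses the reply (response code, authoritative-answer flag, answer records with their TTLs) and reports whether the servers agree. The TTL is the useful extra: a stale cached answer shows a TTL counting down, while a freshly forwarded one shows the zone's full TTL. The two sample replies at the bottom are constructed so the parser can be checked offline; the server addresses 192.168.1.25 and 192.168.1.1 are the ones from the post.

```python
import socket
import struct

# DNS response codes (RFC 1035); rcode 3 is what nslookup prints as
# "Non-existent domain".
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Build a minimal recursive A query for `name` (QTYPE A, QCLASS IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(data):
    """Return id, rcode name, AA flag and the records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        rname, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, "A", ttl, socket.inet_ntoa(rdata)))
        else:
            answers.append((rname, "TYPE%d" % rtype, ttl, rdata.hex()))
    rcode = flags & 0xF
    return {"id": qid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "authoritative": bool(flags & 0x0400), "answers": answers}


def query(server, name, timeout=3.0):
    """Send one UDP query to `server` and parse the reply (needs the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def compare_resolvers(name, servers):
    """Query every server; a timeout or socket error becomes an error string."""
    results = {}
    for srv in servers:
        try:
            results[srv] = query(srv, name)
        except (socket.timeout, OSError) as exc:
            results[srv] = "error: %s" % exc
    return results


def answers_agree(results):
    """True when all servers that replied gave the same rcode and A records."""
    seen = {(r["rcode"], tuple(sorted(a[3] for a in r["answers"])))
            for r in results.values() if isinstance(r, dict)}
    return len(seen) <= 1


# Constructed sample replies (not captured from the poster's network): a
# positive answer for bar.companyname.com and an NXDOMAIN reply that carries
# the same question section, as the Essentials server returned.
_q = build_query("bar.companyname.com")
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _q[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                 + socket.inet_aton("192.168.1.51"))
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _q[12:]

if __name__ == "__main__":
    # 192.168.1.25 is the Essentials server and 192.168.1.1 the router (forwarder) from the post.
    for name in ("foo.companyname.com", "bar.companyname.com"):
        res = compare_resolvers(name, ["192.168.1.25", "192.168.1.1"])
        print(name, "agree" if answers_agree(res) else "DIFFER", res)
```

Run it from a client on the LAN a few times over several minutes: if the server keeps returning NXDOMAIN for bar while the router answers, the server is serving a negative answer of its own (negative caching, or a local zone that shadows companyname.com) rather than forwarding; a forwarder timeout shows up here as an error string for the router rather than as NXDOMAIN from the server.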

Win 7 64bit workstations can connect using IP but not NetBios name on Win 2008 64bit server and Win 2003 32bit server


Hi,

I recently upgraded 30 users to Win7 64-bit and now we are having problems connecting to either the Win2008 64-bit or the Win2003 32-bit server using the NetBIOS name, but it works using the IP.

Win7 64-bit workstation TCP/IP settings: the preferred DNS server points to the DNS DC server IP address. The DNS suffix for this connection points to the domain name (xxxxx.com). WINS addresses point to the DC IP address. Enable NetBIOS over TCP/IP is selected.

Any suggestions?

Thank you.

Windows Server 2003 Standard Ed, Problem After DCPromo as a Secondary DC for Existing Domain - Not Replicating, and not Fully Recognized as a DC


Hello, and boy have I got a mess! I am hoping not to need to demote our DC2 back to a member server and then promote it again, but the following is the situation.

We have an integrated Active Directory network with one DC (DC1) running W2k3 Enterprise x64 SP2 as the primary domain controller. We did have two DCs; however, DC2 became corrupted. We ended up needing to seize the roles away from it, and then we corrected AD on our domain's PDC, DC1. Effectively, we had to force DC2 down, as AD would not allow it to be removed gracefully from the network or from itself.

All was running fine after we removed the second DC's roles and DC2 from the network.

Our forest / domain level is 2000 native, Schema version 30 (we have a W2k server running on site).

Once we re-installed W2k3 on the old DC2 server, we updated it to SP2 with all patches, then joined it to the domain as a member server. We then DCPromo'd DC2 and saw errors, as we thought we would, but past the first 2 hours we continued to see errors on the newly raised DC through now, as you will see below past my test results. Currently, it is as if DC2 is not a fully recognized secondary domain controller.

Some other facts:

When I open Explorer and type in "\\domain.com\sysvol" from either DC1 or DC2, then right-click on domain properties, the DFS active partition path is DC1 (\\DC1.DomainName.com\Sysvol).

Under Explorer, I see the following under "\\domain.com\Sysvol":

\\domain.com\SysVol
\\domain.com\SysVol\domain.com
\\domain.com\SysVol\domain.com\Policies (...has all 7 policies)
\\domain.com\SysVol\sysvol
\\domain.com\SysVol\sysvol\domain.com
\\domain.com\SysVol\sysvol\domain.com\Policies (...has 2 policies)

I also ran the NetDom query for the FSMO role holders for the domain, and both show DC1 having all 5 roles; however, neither DC recognizes DC2 as any FSMO role holder.

Following are some test results run against our DC1 & promoted DC2:

---------------------------------
NetDom fsmo query on DC1
---------------------------------

Schema owner                DC1.domain.com
Domain role owner           DC1.domain.com
PDC role                    DC1.domain.com
RID pool manager            DC1.domain.com
Infrastructure owner        DC1.domain.com

---------------------------------
NetDom fsmo query on DC2
---------------------------------

Schema owner                DC1.domain.com
Domain role owner           DC1.domain.com
PDC role                    DC1.domain.com
RID pool manager            DC1.domain.com
Infrastructure owner        DC1.domain.com

---------------------------------

NetDiag (on DC1 – the primary DC server)
---------------------------------

All tests passed, except the following:

DNS Test failed:

DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
    [FATAL] No DNS servers have the DNS records for this DC registered.

Redir and Browser test . . . . . . : Failed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{12341234-5678-1234-1234-123456789012}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{12341234-5678-1234-1234-123456789012}
    The browser is bound to 1 NetBt transport.
    [FATAL] Cannot send mailslot message to 'DOMAIN*' via browser. [ERROR_INVALID_FUNCTION]

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Cannot lookup package Kerberos.
    The error occurred was: (null)

NOTE: The interesting thing I see here is under the Redir and Browser test: "Cannot send mailslot message to 'DOMAIN*'...". A star? Wildcard?

---------------------------------

Ran Test - NetDiag (on DC2)
---------------------------------

    Computer Name: DC2
    DNS Host Name: DC2.domain.com
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
    List of installed hotfixes :
        KB333333
        Q121212

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : DC2
        IP Address . . . . . . . . : 192.168.1.6
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.2
                                     192.168.1.6
        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Passed
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{TCPIP234-5678-1234-1234-123456789012}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.2' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.6' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{TCPIP234-5678-1234-1234-123456789012}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{TCPIP234-5678-1234-1234-123456789012}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'DOMAIN' is to '\\DC1.domain.com'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped
    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

---------------------------------

RepAdmin test against DC1:
---------------------------------

repadmin running command /bind against server localhost
Bind to localhost succeeded.
Extensions supported:
    BASE                             : Yes
    ASYNCREPL                        : Yes
    REMOVEAPI                        : Yes
    MOVEREQ_V2                       : Yes
    GETCHG_COMPRESS                  : Yes
    DCINFO_V1                        : Yes
    RESTORE_USN_OPTIMIZATION         : Yes
    KCC_EXECUTE                      : Yes
    ADDENTRY_V2                      : Yes
    LINKED_VALUE_REPLICATION         : No
    DCINFO_V2                        : Yes
    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes
    CRYPTO_BIND                      : Yes
    GET_REPL_INFO                    : Yes
    STRONG_ENCRYPTION                : Yes
    DCINFO_VFFFFFFFF                 : Yes
    TRANSITIVE_MEMBERSHIP            : Yes
    ADD_SID_HISTORY                  : Yes
    POST_BETA3                       : Yes
    GET_MEMBERSHIPS2                 : Yes
    GETCHGREQ_V6 (WHISTLER PREVIEW)  : Yes
    NONDOMAIN_NCS                    : Yes
    GETCHGREQ_V8 (WHISTLER BETA 1)   : Yes
    GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes
    GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes
    ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes
    GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes
    VERIFY_OBJECT (WHISTLER BETA 3)  : Yes
    XPRESS_COMPRESSION               : Yes
Repl epoch: 0

---------------------------------

RepAdmin test against DC2:
---------------------------------

repadmin running command /bind against server localhost
Bind to localhost succeeded.
Extensions supported:
    BASE                             : Yes
    ASYNCREPL                        : Yes
    REMOVEAPI                        : Yes
    MOVEREQ_V2                       : Yes
    GETCHG_COMPRESS                  : Yes
    DCINFO_V1                        : Yes
    RESTORE_USN_OPTIMIZATION         : Yes
    KCC_EXECUTE                      : Yes
    ADDENTRY_V2                      : Yes
    LINKED_VALUE_REPLICATION         : No
    DCINFO_V2                        : Yes
    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes
    CRYPTO_BIND                      : Yes
    GET_REPL_INFO                    : Yes
    STRONG_ENCRYPTION                : Yes
    DCINFO_VFFFFFFFF                 : Yes
    TRANSITIVE_MEMBERSHIP            : Yes
    ADD_SID_HISTORY                  : Yes
    POST_BETA3                       : Yes
    GET_MEMBERSHIPS2                 : Yes
    GETCHGREQ_V6 (WHISTLER PREVIEW)  : Yes
    NONDOMAIN_NCS                    : Yes
    GETCHGREQ_V8 (WHISTLER BETA 1)   : Yes
    GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes
    GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes
    ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes
    GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes
    VERIFY_OBJECT (WHISTLER BETA 3)  : Yes
    XPRESS_COMPRESSION               : Yes
Repl epoch: 0

---------------------------------

Ran Test GPOtool (DC1)
---------------------------------

Validating DCs...
Available DCs:
DC1.domain.com
Searching for policies...
Found 7 policies
----------
Policy {1886644A-ACB8-4BC7-90E9-BAE1FA4FC1F2}
Friendly name: File and Print Sharing (avast deployment)
Policy OK
----------
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Policy
Policy OK
----------
Policy {39205F28-8F6C-4936-A4C7-ADFE234CBDA1}
Friendly name: IE Restriction
Policy OK
----------
Policy {5DBB01F7-A49D-4254-AC59-0891E124F83B}
Friendly name: File and Print Enable & ICF Disable
Policy OK
----------
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Policy OK
----------
Policy {C8D887EA-2384-4F93-AF04-0DA5A9C9EC78}
Friendly name: New Group Policy Object
Policy OK
----------
Policy {E9EDFD1A-DFB7-48DA-870B-3FDCD2BF7C8D}
Friendly name: Nonexe
Policy OK
----------
Policies OK

---------------------------------

Ran Test GPOtool (DC2)
---------------------------------

Validating DCs...
Available DCs:
DC1.domain.com
Searching for policies...
Found 7 policies
---------------
Policy {1886644A-ACB8-4BC7-90E9-BAE1FA4FC1F2}
Friendly name: File and Print Sharing (avast deployment)
Policy OK
---------------
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Policy
Policy OK
---------------
Policy {39205F28-8F6C-4936-A4C7-ADFE234CBDA1}
Friendly name: IE Restriction
Policy OK
---------------
Policy {5DBB01F7-A49D-4254-AC59-0891E124F83B}
Friendly name: File and Print Enable & ICF Disable
Policy OK
---------------
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Policy OK
---------------
Policy {C8D887EA-2384-4F93-AF04-0DA5A9C9EC78}
Friendly name: New Group Policy Object
Policy OK
---------------
Policy {E9EDFD1A-DFB7-48DA-870B-3FDCD2BF7C8D}
Friendly name: Nonexe
Policy OK
---------------
Policies OK


---------------

Event Errors:
---------------

The following event errors are read from the newly raised DC (DC2), not only in the first hour but also on the following day, within 24 hours (below these, the DC1 errors will follow):

Event Source: MSDTC
Event ID: 53258
d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1168
No Callstack, CmdLine: C:\WINDOWS\system32\msdtc.exe

Event Source: MSDTC
Event ID: 4193
MS DTC started with the following settings (OFF = 0 and ON = 1):
  Security Configuration:
      Network Administration of Transactions = 0,
      Network Clients = 0,
      Inbound Distributed Transactions using Native MSDTC Protocol = 0,
      Outbound Distributed Transactions using Native MSDTC Protocol = 0,
      Transaction Internet Protocol (TIP) = 0,
      XA Transactions = 0
  Filtering Duplicate events = 1

Event Source: EventSystem
Event ID: 4625
Description:
The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds.  The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.

Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80040154).  Class not registered

Event Source: ESENT
Event ID: 101
Description:
lsass (388) The database engine stopped.

Event Source: Userenv
Event ID: 1517
Description:
Windows saved user S-1-5-00-12345678901-1234567890-1234567890-500 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

Event Source: MSDTC
Event ID: 4143
Description:
MS DTC has detected that a DC Promotion has happened since the last time the MS DTC service was started.

Event Source: MSDTC
Event ID: 53258
Info: Same as above 53258

Event Source: LoadPerf
Event ID: 1001
Description:
Performance counters for the MSDTC (Distributed Transaction Coordinator) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source: LoadPerf
Event ID: 1000
Description:
Performance counters for the MSDTC (Distributed Transaction Coordinator) service were loaded successfully. The Record Data contains the new index values assigned to this service.

Event Source: MSDTC
Event ID: 4104
Description:
The Microsoft Distributed Transaction Coordinator service was successfully installed.

Event Source: MSDTC
Event ID: 4143
Description:
MS DTC has detected that a DC Promotion has happened since the last time the MS DTC service was started.

Event Source: MSDTC
Event ID: 53258
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 3580
No Callstack, CmdLine: C:\WINDOWS\system32\msdtc.exe

Event Source: LoadPerf
Event ID: 1001
Description:
Performance counters for the ContentIndex (ContentIndex) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source: LoadPerf
Event ID: 1001
Description:
Performance counters for the ContentFilter (ContentFilter) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source: LoadPerf
Event ID: 1001
Description:
Performance counters for the ISAPISearch (ISAPISearch) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source: HHCTRL
Event ID: 1904
Description:
The description for Event ID ( 1904 ) in Source ( HHCTRL ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.
You may be able to use the /AUXSOURCE= flag to retrieve this description;
The following information is part of the event:  about:blank

Event Source: SceSrv
Event ID: 1003
Description:
Notification of policy change from LSA/SAM has been retried and failed. Error 4312 to save policy change for account S-1-5-00 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.

Event Source: AutoEnrollment
Event ID: 13
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80040154).  Class not registered

Event Source: MSDTC
Event ID: 53258
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1144
No Callstack, CmdLine: C:\WINDOWS\system32\msdtc.exe

Event Source: Userenv
Event ID: 1058
Description:
Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=domain,DC=com. The file must be present at the location <\\domain.com\sysvol\domain.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

Event Source: Userenv
Event ID: 1030
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

---------------------------------

NOTE: The following are the (PDC) DC1 event errors, mostly from within the last 24 hours:

---------------------------------

Event Source:   Userenv

Event ID:          1058

Description:

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Domain,DC=com. The file must be present at the location <\\doamain.com\sysvol\doamain.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

Event Source:   Userenv

Event ID:          1030

Description:

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event Source:   NTDS Replication

Event ID:          1226

Description:

The following object was created on a remote domain controller with an object name that already exists on the local domain controller.

Object:

DC=12345678-1234-5678-abcd-12345678901._msdcs,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=domain,DC=com

Object GUID:

87654321-1234-5678-abcd-123456789012

Existing object GUID:

43214321-1234-5678-abcd-123456789012

The object with the following GUID will be renamed since the other object had this name more recently.

Object GUID:

87654321-1234-5678-abcd-123456789012

Renamed object name:

12345678-1234-5678-abcd-12345678901._msdcs

CNF:87654321-1234-5678-abcd-123456789012

Event Source:   NTDS KCC

Event ID:          1925

Description:

The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:

CN=Configuration,DC=domain,DC=com

Source domain controller:

CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

Source domain controller address:

12345678-1234-5678-abcd-12345678901._msdcs.domain.com

Intersite transport (if any):

This domain controller will be unable to replicate with the source domain controller until this problem is corrected. 

User Action

Verify if the source domain controller is accessible or network connectivity is available.

Additional Data

Error value:

8524 The DSA operation is unable to proceed because of a DNS lookup failure.

Event Source:   NTDS KCC

Event ID:          1104

Description:

The Knowledge Consistency Checker (KCC) successfully terminated the following change notifications.

Directory partition:

DC=DOMAIN,DC=com

Destination network address:

12345678-1234-5678-abcd-12345678901._msdcs.DOMAIN.com

Destination domain controller (if available):

CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com

This event can occur if either this domain controller or the destination domain controller has been moved to another site.

Event Source:   NTDS Replication

Event ID:          1226

Description:

The following object was created on a remote domain controller with an object name that already exists on the local domain controller.

Object:

DC=12345678-1234-5678-abcd-12345678901._msdcs,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=domain,DC=com

Object GUID:

87654321-1234-5678-abcd-123456789012

Existing object GUID:

43214321-1234-5678-abcd-123456789012

The object with the following GUID will be renamed since the other object had this name more recently.

Object GUID:

87654321-1234-5678-abcd-123456789012

Renamed object name:

12345678-1234-5678-abcd-12345678901._msdcs

CNF:87654321-1234-5678-abcd-123456789012

Event Source:   NTDS Replication

Event ID:          1226

Description:

The following object was created on a remote domain controller with an object name that already exists on the local domain controller.

Object:

DC=abcd4321-1234-5678-abcd-123456789012._msdcs,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=domain,DC=com

Object GUID:

dcert321-1234-5678-abcd-123456789210

Existing object GUID:

fghij321-1234-5678-abcd-123456789210

The object with the following GUID will be renamed since the other object had this name more recently.

Object GUID:

fghij321-1234-5678-abcd-123456789210

Renamed object name:

abcd4321-1234-5678-abcd-123456789012._msdcs

CNF:fghij321-1234-5678-abcd-123456789210

Please note:

DC1

Currently, DC1 has shown no Application, System, or Directory Service errors for the past few days.

However, replication (i.e. the KCC) has not run since the error appeared, and it then shows that it will be shut down.

The main "DNS Manager" shows four sets of reverse records (225.in-addr.arpa, 127.in-addr.arpa, 0.in-addr.arpa, and 1.168.192.in-addr.arpa), whereas the MMC I created shows only the single correct set, "1.168.192.in-addr.arpa".

One item I know I will perform is re-do the reverse DNS Zones.

DC2

Still shows many errors: Application Error Events 13, 1030, 1058.

I look forward to any help that may assist me in finding a solution to this issue in this Forum.  =)

Confusing DNS setup: Want to change Primary to AD integrated in mixed environment

Hi All,

I am seeing some funny DNS issues and have investigated our 3 DNS servers (also domain controllers). The current setup is as follows:

Server A: AD Integrated - Windows Server 2003 (points to itself as the primary server)
Server B: Secondary DNS Server - Windows Server 2008 R2 (points to server A as the primary)

Now this all looks good... until we throw in Server C to the mix:

Server C: AD Integrated DNS Server - Windows Server 2008 R2 (points to itself as the primary)

--

The S/N in the SOA record for both AD integrated servers DO NOT match up! They are always different.

I think it is because both AD integrated servers are pointing to themselves as the primary? That is to say, if I look at the properties of a zone and go to the SOA tab, the "primary server" fields are different.

I understand I have probably left out some relevant information so please let me know!

Appreciate the help experts.

Cheers


Domain PCs Syncing Incorrect Time

Hi

The time on our domain is set at around 6 minutes fast. If I manually change the time on any of the machines (including the domain controller), it will resync to the incorrect time in a matter of hours. A while back I asked a third party engineer to fix this issue, and he appeared to do so, as the time was correct for several weeks. However, after a month or so, all machines suddenly synced back to being 6 minutes fast. How do I find out where my domain is getting the incorrect time from and how can I change this?

Thanks

Steve


Problem with DNS Server

Hi

We have a domain with 2 domain controllers, both of them DNS servers, that worked perfectly for 4 years on Windows 2003 R2 Enterprise Server. Last year we migrated to Windows 2008 R2 and added 2 additional DCs; we now have 4 DCs.

All servers work well, but yesterday I discovered that one of the DCs has no records in DNS Manager except the 4 records that belong to the 4 DC computers.

We restarted the DNS service and the Netlogon service and also ran "repadmin /syncall /e", but nothing happened.

Please let me know how I can fix this problem.

Regards,

Mahdi

Windows Server 2003 network sharing

Sir/Madam,

I am able to ping the server and I can see the user in Active Directory, but I am still not able to share my PC and its printer.

First:

1. I restarted the Computer Browser service.

Once I reinstalled the XP OS it worked for a few days, but after that the same problem came back.

Please rectify my problem.

Windows 2003 DNS not able to resolve some DNS queries

Hello!

I've recently encountered an issue where the example DNS record below cannot be resolved by any 2003 DNS server (we have a mixture of 2003 and 2008, all running the DC role as well). I can query it without any problem from Windows 2008.

Example of a query that fails on 2003:

www.securitybsides.com

The DNS architecture is very simple. All external queries are resolved via root hints, and all servers have the same root hints configured.

Any ideas? Do you also encounter issues while trying to resolve this address from a W2003 DNS server?

DHCP Redundancy/Failover Options


I service and troubleshoot the internal network at the company I work for. The DHCP service was migrated last month from a non-native virtual domain controller running Windows Server 2008 Standard w/o Hyper-V to an identical machine (a DC running Windows Server 2008 Standard w/o Hyper-V) that is physical rather than virtual. My supervisor wanted the DHCP service shifted to a physical machine to avoid boot issues with the virtual one during each restart cycle/maintenance period. Recently, my supervisor inquired about having two DHCP servers for redundancy.

Both servers are required to remain on the same network. An OS upgrade is not an option at this time. The current reservations are scattered throughout the address pool and cannot be changed for various reasons (10.215.1.120/24 - 10.215.1.185/24 is an equivalent example pool to the network in question). There are over 50 hosts, and about 30 reservations. Split-scope is not an option. Clustering seems viable, but I'm uncertain about how that will work with one machine being a virtual host. Static assignment is an option, however arduous. 

What Redundancy/Failover options do I have? Am I doomed to static assignment, or is there another viable option?

Windows 2012 DNS Problem

Hello,

I have newly created an SMB network. I bought 2 HP-V1910 24G switches and created some VLANs. On each switch I created the following VLANs:

  • VLAN 1: 192.168.100.0/24 GW: 192.168.100.254 (Default and Admin-VLAN)
  • VLAN 10: 192.168.1.0/24 GW: 192.168.1.254 (The old Net)
  • VLAN 102: 192.168.2.0/24 GW: 192.168.2.254 (The new SERVER-Net)
  • VLAN 103: 192.168.3.0/24 GW: 192.168.3.254 (The new CLIENT-Net)

Switch Nr. 1 has the IP 192.168.100.254 (VLAN 1) and Switch Nr. 2 has the IP 192.168.100.2 (VLAN 1).

On Switch Nr. 1 I created all VLAN interfaces (that one should be the router too) and a static default route to my firewall (0.0.0.0/0 via 192.168.2.1 in VLAN 102). On Switch Nr. 2 I only created a default route 0.0.0.0/0 via 192.168.100.254 (Switch Nr. 1). On my firewall I made a return route to 192.168.0.0/16 with gateway 192.168.2.254.

My new Windows 2012 servers and DCs reside in the 192.168.2.0/24 net, all configured with the default gateway 192.168.2.254. The BPA for DNS now says that no root servers are reachable.

On my first DC (with DNS), 192.168.2.10, I did a ping to 198.41.0.4, which works very well and fast (root server). Then I did a ping -a 198.41.0.4 and the answer came back with the correct hostname, [a.root-servers.net] 198.41.0.4. But if I try nslookup -type=NS . 198.41.0.4 the server reports a timeout (2 seconds). So I tried to increase the timeout to 20 seconds; then the server reports a server failure for the domain "." (dot).

So I thought it would be DNSSEC (packets getting caught in the firewall or being too small), but that's not the cause (I tried everything). After that I tried the local and recursive tests in the DNS properties. The local test is successful, but the recursive one fails. The DNS servers are configured without forwarders; on the firewall I tried both settings, with DNS proxy enabled and disabled, with no result. I tried disabling the IPv6 NIC in the DNS settings, and I tried going directly to the firewall (192.168.2.1 as default gateway), all without a better result.

IP-Config on DNS-Server 1 is:

  • IP 192.168.2.10
  • Mask 255.255.255.0
  • GW: 192.168.2.254
  • DNS1: 192.168.2.10
  • DNS2: 192.168.2.11
  • DNS3: 127.0.0.1

IPv6 is configured as Auto (link-local).

Am I blind? So where is my problem with recursive DNS queries?

Thank you in advance.
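As an added example that is not part of either post (the posters' own tooling was nslookup and DNS Manager), here is a small stdlib-only Python client that serves both the SOA-serial question in the "Confusing DNS setup" thread above and the root-server question in this thread: it builds raw DNS queries, parses the reply (header flags, compressed names, SOA and NS RDATA), and compares the serial each server reports for a zone. The server names, zone and serial values in the demo are constructed placeholders, and build_soa_response exists only so the comparison can be shown offline.

```python
"""Minimal DNS wire-format client (stdlib only) for two checks: comparing the
SOA serial a zone reports on each DNS server, and sending a non-recursive NS
query for "." to a root server.  Added example, not code from the forum posts;
server names, zone and serials used below are constructed."""
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6}


def encode_name(name):
    """Encode a dotted name as DNS labels; "." becomes the single root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txn_id=None, rd=True):
    """Build a one-question query. Use rd=False for root servers, which do not recurse."""
    if txn_id is None:
        txn_id = random.randrange(0, 65536)  # randomised ID, checked on reply
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Parse header flags and all records; SOA and NS RDATA decoded, others raw."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:  # SOA: MNAME, RNAME, then SERIAL is the first 32-bit field
            mname, o = decode_name(msg, off)
            _, o = decode_name(msg, o)
            value = {"mname": mname, "serial": struct.unpack("!I", msg[o:o + 4])[0]}
        elif rtype == 2:  # NS
            value = decode_name(msg, off)[0]
        else:
            value = msg[off:off + rdlen]
        records.append((name, rtype, ttl, value))
        off += rdlen
    return {"id": txn_id, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080), "records": records}


def query(server, name, qtype, rd=True, timeout=2.0):
    """Send one UDP query; a reply whose transaction ID does not match is rejected."""
    q = build_query(name, qtype, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch, reply discarded")
    return resp


def soa_serial(resp):
    """Serial from the first SOA record in a parsed reply, or None."""
    return next((v["serial"] for _, t, _, v in resp["records"] if t == 6), None)


def compare_serials(responses):
    """responses: {server: parsed reply}. Returns ({server: serial}, all_equal)."""
    serials = {srv: soa_serial(r) for srv, r in responses.items()}
    return serials, len(set(serials.values())) == 1


def build_soa_response(txn_id, zone, mname, serial):
    """Constructed authoritative SOA reply (QR, AA, RD, RA set), for the offline demo."""
    msg = struct.pack("!HHHHHH", txn_id, 0x8580, 1, 1, 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", 6, 1)
    rdata = (encode_name(mname) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 900, 600, 86400, 3600))
    return msg + b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata


if __name__ == "__main__":
    # Offline demo with constructed replies; on a real network build the dict from
    # query(ip, "domain.com", "SOA") once per server instead.
    replies = {
        "serverA": parse_response(build_soa_response(1, "domain.com", "servera.domain.com", 2013042201)),
        "serverC": parse_response(build_soa_response(2, "domain.com", "serverc.domain.com", 2013042205)),
    }
    print(compare_serials(replies))
```

On a real network, call query("192.168.2.10", "domain.com", "SOA") once per DNS server and hand the results to compare_serials(); the output is the per-server serial table the first poster was reading off the SOA tab by hand. For the root-hints problem, query("198.41.0.4", ".", "NS", rd=False) sends the same non-recursive question the poster tried with nslookup: no reply at all while ICMP to the same address works points at UDP/53 being dropped or proxied on the path, which is the firewall angle the post was already chasing, and a reply with tc set means the answer did not fit in 512 bytes without EDNS. The transaction-ID check in query() discards replies that do not match the question sent, the minimal guard any resolver needs against spoofed responses.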
