Timesync/Netlogon/DNS Problems

Chris Hall

Good morning,

We tried to access the AD Users and Computers snap-in on a DC and received
an error:

Naming information cannot be located because:
The logon attempt failed

I started looking at Event Viewer on the PDC (SYSTEMS_SERVER) and saw
several errors. My first thought was time synchronization because of the
errors:
ERROR 1:
Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 54
Date: 1/7/2004
Time: 2:47:07 PM
User: N/A
Computer: SYSTEMS_SERVER
Description:
The Windows Time Service was not able to find a Domain Controller. A
time and date update was not possible.

And this error:
ERROR 2:
Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 64
Date: 1/7/2004
Time: 2:47:07 PM
User: N/A
Computer: SYSTEMS_SERVER
Description:
Because of repeated network problems, the time service has not been
able to find a domain controller to synchronize with for a long time. To
reduce network traffic, the time service will wait 960 minutes before trying
again. No synchronization will take place during this interval, even if
network connectivity is restored. Accumulated time errors may cause certain
network operations to fail. To tell the time service that network
connectivity has been restored and that it should resynchronize, execute
"w32tm /s" from the command line.

I followed Q216734 with no results. Since AD is tightly integrated with DNS,
when I saw the error below, I deleted the RR, then stopped/started DNS
to recreate the record (which it doesn't appear that it did).

ERROR 3:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 1/7/2004
Time: 3:49:59 PM
User: N/A
Computer: SYSTEMS_SERVER
Description:
Registration of the DNS record
'2e9e6fd9-baf8-487c-9e3f-f42670b908ed._msdcs.securityfederalbank.com. 600 IN
CNAME
systems_server.securityfederalbank.com.' failed with the following
error:
DNS RR set that ought to exist, does not exist.

Not sure what else to do at this point. Since I changed the administrator
password on the PDC (SYSTEMS_SERVER), I was able to logon to the LEXINGTON
server with the new password, which I would assume means that AD is
replicating. If that's true, then why would I get the first and second
errors?


We have 2 sites (OPERATIONS, LEXINGTON), 2 servers (SYSTEMS_SERVER,
LEXINGTON), 2 subnets (10.10.1.0/24, 10.10.2.0/24), and 1 Inter-site
transport(IP). Each server is located in different physical locations,
connected by a Frame Relay network.

Thanks for taking the time to read this very long post!
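
An added example, not part of any post in this thread: a Python script that parses events pasted in the text layout used above and turns the w32time 64 back-off and the NETLOGON 5774 failed registration into concrete follow-up checks. The function names and the abridged sample are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: two events in the layout pasted in this thread (abridged).
SAMPLE = """Event Type: Warning
Event Source: w32time
Event ID: 64
Date: 1/7/2004
Time: 2:47:07 PM
Computer: SYSTEMS_SERVER
Description:
To reduce network traffic, the time service will wait 960 minutes before trying again.

Event Type: Error
Event Source: NETLOGON
Event ID: 5774
Date: 1/7/2004
Time: 3:49:59 PM
Computer: SYSTEMS_SERVER
Description:
Registration of the DNS record
'2e9e6fd9-baf8-487c-9e3f-f42670b908ed._msdcs.securityfederalbank.com. 600 IN
CNAME
systems_server.securityfederalbank.com.' failed with the following error:
"""

def parse_events(text):
    """Split a pasted Event Viewer dump into dicts, one per 'Event Type:' block."""
    events = []
    for block in filter(str.strip, re.split(r"(?m)^(?=Event Type:)", text)):
        head, _, desc = block.partition("Description:")
        ev = dict(re.findall(r"(?m)^([A-Za-z ]+): *(.+)$", head))
        ev["Description"] = " ".join(desc.split())  # undo the line wrapping
        ev["When"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def triage(events):
    """Return (computer, finding) pairs for the two event IDs handled here."""
    out = []
    for ev in events:
        src, eid, d = ev["Event Source"], ev["Event ID"], ev["Description"]
        if (src, eid) == ("w32time", "64"):
            # The service backs off; it will not retry by itself before this time.
            retry = ev["When"] + timedelta(minutes=int(re.search(r"wait (\d+) minutes", d).group(1)))
            out.append((ev["Computer"], f"no automatic time sync retry before {retry:%Y-%m-%d %H:%M}"))
        elif (src, eid) == ("NETLOGON", "5774"):
            name, ttl, rtype, target = re.search(r"'(\S+) (\d+) IN (\S+) (\S+)'", d).groups()
            out.append((ev["Computer"], f"check record: nslookup -type={rtype} {name} (expect {target}, TTL {ttl})"))
    return out
```

Run the printed `nslookup` query against each DNS server the DC is configured to use; a server that does not return the expected target is the one to look at.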
 
Chris Smith

May be a combo of problems but I think it is DNS related.

To be sure check a few things first:

Fix your time issues: make sure your time is set properly
on both servers, check the time zone settings, and then
issue a

net time /setsntp:%servername%

on the server that does not carry the FSMO roles (the
second DC to be installed, unless you moved them)

You can do this the other way around, but it is easy to
remember that your server hosting the FSMO roles is your
source for time.

Now that your time is synced between servers, make sure of
the following:

Both servers are Global Catalog servers (go to the NTDS
settings in Sites and services and check box to become a
GC)

If password changes replicate then you most likely do not have
a problem here. If you did you would see problems in your
FRS event log.

In regard to DNS problems, your event points to the fact
that the DNS server that is authoritative for the Active
Directory domain name is not listed on the DNS tab of the
Advanced TCP/IP Settings dialog box.

See: http://support.microsoft.com/?kbid=284963

Good Luck

-Chris



Chris Hall

Chris,

I appreciate your reply.

Since I posted my message, I restarted the 2nd DC and was then able to
access the AD Users & Comp snap-in. And as I mentioned, when I changed the
admin password on the 1st DC, it replicated over to the 2nd. But when you
mentioned FRS errors, I checked for FRS errors on the 2nd and did see an
error:

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 1/8/2004
Time: 11:02:31 AM
User: N/A
Computer: LEXINGTON
Description:
The File Replication Service is having trouble enabling replication
from SYSTEMS_SERVER to LEXINGTON for e:\active
directory\sysvol\domain using the DNS name
systems_server.securityfederalbank.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name
systems_server.securityfederalbank.com from this computer.
[2] FRS is not running on systems_server.securityfederalbank.com.
[3] The topology information in the Active Directory for this
replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the
problem is fixed you will see another event log
message indicating that the connection has been established.

Time does appear to be synchronizing at this point, so I'll review your
post, make changes and go from there. I'll post the results.

Thanks again!
Chris
 
Chris Hall

One more thing: You mention making sure BOTH servers are GC servers. I'm
still learning about AD, but isn't the first DC installed the GC server for
the domain? And don't you need just one per domain?
 
Chris Hall

Chris,

I looked at the article 284963, but the DNS server IS set up on both the
first and second DCs. On both DCs, I have the first DC set as the primary
DNS server in the TCP/IP properties. I'm not seeing errors in the DNS logs
at this point. I am seeing errors in the Directory Service logs, however.

Event Type: Error
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1311
Date: 1/12/2004
Time: 2:43:20 PM
User: N/A
Computer: SYSTEMS_SERVER
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active Directory
Sites and Services Manager to create a spanning tree connecting all the
sites containing the Partition
CN=Configuration,DC=securityfederalbank,DC=com, or (b) replication cannot be
performed with one or more critical servers in order for changes to
propagate across all sites (most often due to the servers being
unreachable).

For (a), please use the Active Directory Sites and Services Manager to do
one of the following:
1. Publish sufficient site connectivity information such that the system can
infer a route by which this Partition can reach this site. This option is
preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=securityfederalbank,DC=com in this site from a
Domain Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted.


Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1566
Date: 1/12/2004
Time: 2:43:20 PM
User: N/A
Computer: SYSTEMS_SERVER
Description:
All servers in site
CN=Lexington,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com that
can replicate partition CN=Configuration,DC=securityfederalbank,DC=com over
transport CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com are
currently unavailable.

While I am somewhat new to this, I believe I set everything up correctly.
Here's the topology:

I have 2 sites with a server located in each site. The sites are linked with
a site link (IP is the transport protocol). The first server was set up to be
the Bridgehead server. Am I missing anything here? I just went through this
stuff a couple of months ago....looked pretty simple in the lab :O)

I can do an nslookup of both servers by complete domain name on both
servers.

Suggestions?
 
