New User and Win2K Issues


Andy Johnson

Hi, I am a new user to the Microsoft NewsGroups. I have a couple of
strange issues that I am looking for some help solving.

I am having DNS issues and am getting some weird KCC errors in the event
logs on a DC in the Forest Root and a DC in the domain tree. My Forest Root
is "test-forest.com" and my domain tree is "test-tree.co.uk"

I get the following entries in the event viewer ....


The attempt to establish a replication link with parameters

Partition: CN=Schema,CN=Configuration,DC=test-forest,DC=com
Source DSA DN: CN=NTDS Settings,CN=server1,CN=Servers,CN=test-sites,CN=Sites,CN=Configuration,DC=test-forest,DC=com
Source DSA Address: 003e5f9a-a8a6-4f56-96c7-0a4906779615._msdcs.test-forest.com
Inter-site Transport (if any):

failed with the following status:

Could not find the domain controller for this domain.

The record data is the status code. This operation will be retried

Any help greatly appreciated ...



Andy
 

Ace Fekay [MVP]

Welcome to the newsgroups!

If you already knew all this, I apologize, but just want to give a blurb on
AD and DNS:

Rule of thumb about AD and DNS:
If you reference your ISP's DNS addresses in any internal machine (including
DCs and clients) in an AD environment, I guarantee dozens of errors will
occur, such as the KCC ones you're experiencing.

This error is common for most folks not familiar with AD's total
requirements. To me, if I was charging for this stuff to fix it, it would
be guaranteed job security!!! Just as the lawn grows and the grass cutter
comes to cut it! :)

Make sure you remove them and only point to your internal DNS server that is
hosting the AD zone name ONLY. Setup a forwarder to your ISP's DNS in your
DNS server properties, under the Forwarders tab and that will take care of
Internet resolution.

Here's a link to read:

DNS and AD FAQs:
http://support.microsoft.com/?id=291382

And to setup a forwarder, step 3 in this article. If forwarding is grayed
out, then that means the Root zone exists (the period "."), it needs to be
deleted, also shown how to in this article:
http://support.microsoft.com/?id=300202


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Ace Fekay [MVP]

Try forgetting the forwarding from the other tree to the root, but to the Internet ISP instead. So have everything forward to the ISP.

To allow forest data to be found from both sides of the fence (both trees), put a secondary copy of the Forest root zone in the DNS servers at the other tree and try again. This way there's no question that the zone info is available on the other side. My feeling is that the root can find the other, but the other can't find its way back to that specific DC. I would also make sure that FRDC2 (and everything else for that matter) are properly registered in all locations in the SRV records. More importantly is the _msdcs.forestGUIDdomainname be available on both sides of the fence.

Also what can hurt this (not sure of your topology) is NAT, it can't traverse a NAT. Firewalls are a mess too with 30 ports needing to be opened. VPNs in both cases, if this were the case, would be better off.

Hope it helps

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

Ace,

Thanks for the speedy reply.

Our DNS is setup as follows:

Forest Root (test-forest.com)

FRDC1 - Forwarder setup to forward to the internet
    Forward lookup zone of test-forest.com
    Forward lookup zone of test-tree.co.uk

FRDC2 - Forwarder setup to forward to the internet
    Forward lookup zone of test-forest.com
    Forward lookup zone of test-tree.co.uk

Domain Tree (test-tree.co.uk)

DTDC1 - Forwarder setup to forward to the Forest Root DC's
    Forward lookup zone of test-tree.co.uk

DTDC2 - Forwarder setup to forward to the Forest Root DC's
    Forward lookup zone of test-tree.co.uk

We are using AD Integrated Zones with allow Dynamic Update set to YES

Using Active Directory Sites and Services on FRDC1, I can force replication between both FRDC1 and FRDC2 on the forest root and with DTDC1 and DTDC2 in the domain tree.
Using Active Directory Sites and Services on FRDC2, I can force replication between both FRDC1 and FRDC2 on the forest root but not with DTDC1 and DTDC2 in the domain tree.
Using Active Directory Sites and Services, I can force replication between both DTDC1 and DTDC2 in the domain tree and with FRDC1 and FRDC2 on the forest root. (The message "Could not find the domain controller for this domain" is displayed.)

It appears I can "go up the tree" from either domain tree DC but only "down the tree" from FRDC1 in the forest root. I cannot go "down the tree" from FRDC2.

In the event log, I am only getting the KCC errors on one DC per domain.

I am sure this is DNS related. If the KCC is saying it can't find a Domain Controller, is it missing an SRV entry somewhere?

Sorry, I know this is an essay but I'm really stumped here !!

Thanks again,

Andy
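
An added example, not part of either poster's messages: the KCC event above names the source DSA by its `<GUID>._msdcs.<forest root>` alias, so this sketch parses the event text, derives the CNAME and the `_ldap._tcp.dc._msdcs` SRV name a DC must resolve, and reports which DNS servers lack them. The `ANSWERS` lookup results are constructed for illustration and are not data from the thread; in practice they would come from querying each DC's DNS service directly.

```python
import re

# Constructed sample: the KCC event text from the thread, with its hard line wraps.
EVENT = """The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=test-forest,DC=com
Source DSA DN: CN=NTDS
Settings,CN=server1,CN=Servers,CN=test-sites,CN=Sites,CN=Configuration,DC=te
st-forest,DC=com
Source DSA Address:
003e5f9a-a8a6-4f56-96c7-0a4906779615._msdcs.test-forest.com
failed with the following status:
Could not find the domain controller for this domain.
"""

GUID_NAME = re.compile(
    r"\b([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\._msdcs\.([\w.-]+)", re.I)

def required_records(event_text):
    """Return the (type, name) pairs a DC must resolve to reach the source DSA."""
    m = GUID_NAME.search(event_text)
    if not m:
        raise ValueError("no <DSA GUID>._msdcs.<forest root> name in event text")
    guid, forest = m.group(1).lower(), m.group(2).lower().rstrip(".")
    return [("CNAME", f"{guid}._msdcs.{forest}"),
            ("SRV", f"_ldap._tcp.dc._msdcs.{forest}")]

def missing_by_server(event_text, answers):
    """answers maps DNS server -> set of (type, name) it resolved; returns the gaps."""
    needed = required_records(event_text)
    gaps = {}
    for server, got in answers.items():
        # Normalise case and trailing dots so lookups compare cleanly.
        got = {(t.upper(), n.lower().rstrip(".")) for t, n in got}
        lacking = [rec for rec in needed if rec not in got]
        if lacking:
            gaps[server] = lacking
    return gaps

# Constructed lookup results (hypothetical): what each DC's DNS service answered.
ANSWERS = {
    "FRDC1": {("CNAME", "003e5f9a-a8a6-4f56-96c7-0a4906779615._msdcs.test-forest.com"),
              ("SRV", "_ldap._tcp.dc._msdcs.test-forest.com")},
    "DTDC1": {("SRV", "_ldap._tcp.dc._msdcs.test-forest.com.")},
}

if __name__ == "__main__":
    for server, recs in missing_by_server(EVENT, ANSWERS).items():
        for rtype, name in recs:
            print(f"{server}: cannot resolve {rtype} {name}")
```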
 
