The question about two AD-integrated DNS servers.

Guest

Can anybody help me?
We have a domain with two DCs.
Both of the DCs have AD-integrated DNS zones installed (for fault tolerance).
I think that there are no problems with replication between the DCs because:
1. There are no errors in the logs;
2. If I create or delete an object on one DC, the same object appears or disappears on the other DC;
3. If I click "Replicate now" in the AD Sites & Services snap-in, everything is OK.

But there is one problem: for example, after a reboot of both DCs the SOA on both of them is the same (5370, for example), and some time later (about 2-3 hours) the SOA on the first DC is already 5408 while the SOA on the second DC still has the value 5370. If I restart the DNS and NETLOGON services, then this SOA also becomes 5408. And there are no errors in the DNS Server log except these two warnings:
Event ID 3000 (sometimes) and Event ID 9999 (every 2-3 hours).

Can anybody tell me if this is a problem, or can I ignore this behaviour?

Thanks a lot!
 
Kevin D. Goodknecht Sr. [MVP]

Denis Kosov said:
> Can anybody help me?
> We have a domain with two DCs.
> Both of the DCs have AD-integrated DNS zones installed (for fault
> tolerance).
> I think that there are no problems with replication between the DCs
> because:
> 1. There are no errors in the logs;
> 2. If I create or delete an object on one DC, the same object
> appears or disappears on the other DC;
> 3. If I click "Replicate now" in the AD Sites & Services snap-in,
> everything is OK.
>
> But there is one problem: for example, after a reboot of both DCs the
> SOA on both of them is the same (5370, for example), and some time
> later (about 2-3 hours) the SOA on the first DC is already 5408 while
> the SOA on the second DC still has the value 5370. If I restart the
> DNS and NETLOGON services, then this SOA also becomes 5408. And there
> are no errors in the DNS Server log except these two warnings:
> Event ID 3000 (sometimes) and Event ID 9999 (every 2-3 hours).
>
> Can anybody tell me if this is a problem, or can I ignore this behaviour?
>
> Thanks a lot!

Verify that the server getting the 3000 and 9999 events does _not_ have a
Secondary forward lookup zone.
 
Kevin D. Goodknecht Sr. [MVP]

Denis Kosov said:
> It has a Secondary forward lookup zone. And the second DC also has one.
> The point is that besides this domain (the external domain for
> Internet access (ISA Server 2000 SP2 FP1) and mail purposes (MS
> Exchange 2000 SP3)) with two DCs we have another (internal) domain
> for internal purposes. And the Secondary forward lookup zone in the external
> domain points to the AD-integrated zone in the internal domain. In
> the internal domain we also have a similar structure of DNS zones:
> there are three DCs with AD-integrated primary DNS zones and with
> Secondary forward lookup zones pointing to the AD-integrated zone in
> the external domain.
> And some more info...

It is this secondary zone causing the 3000 and 9999 events, you can ignore
these.

> Tonight I carried out the experiment. I manually created the Host (A)
> record on the DC which normally increments its SOA. This Host did not
> immediately appear at the other DC and this host did not appear after
> an hour, but this morning it does. And the SOA numbers are not equal,
> but both of them were incremented. So I can only guess that changes
> in the AD-integrated zone (which is inside the AD database!!!) transfer
> from one DC to another with a big timeout. I suppose it's not very
> good.

Usually this should not take more than an hour, it really depends on the
replication settings, you can force replication in AD Sites & Services.
As for the zone serial, AD does not use the zone serial, it may or may not
increment and it may not increment on all DCs.

> Maybe this behaviour is caused by heavy load on the DCs?

Could be, you may have replication problems. Run dcdiag /v from the DCs to see if
replication attempts are failing.

> What do you think about it?
> Thank you very much for your answer.

The replication sounds kind of slow if what you say is true, it could be in
the replication schedule, you might check it.
 
Ace Fekay [MVP]

Kevin D. Goodknecht Sr. said:
> It is this secondary zone causing the 3000 and 9999 events, you can
> ignore these.
>
> Usually this should not take more than an hour, it really depends on
> the replication settings, you can force replication in AD Sites &
> Services.
> As for the zone serial, AD does not use the zone serial, it may or may
> not increment and it may not increment on all DCs.
>
> Could be, you may have replication problems. Run dcdiag /v from the DCs to
> see if replication attempts are failing.
>
> The replication sounds kind of slow if what you say is true, it could
> be in the replication schedule, you might check it.
>
> --
> Best regards,
> Kevin D4 Dad Goodknecht Sr. [MVP]
> Hope This Helps
> ============================


Just to point out, if the two DCs are in the same site, then there is no
'schedule' per se. It follows the min 5 max 15 minute rule. So within 15
minutes max for two DCs in the same site is the rule it should follow (and
in this case the same domain, since we're talking about domain-specific
objects such as users, groups, computers and DNS integrated zones).

If there were multiple sites, then I can see why there's a replication lag,
unless the ADUC console isn't being manually refreshed, since the console
will NOT refresh on its own unless you manually hit the F5 key, choose
refresh, or close and re-open it.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
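Kevin's advice to run dcdiag /v and Ace's same-site timing rule come down to two concrete checks: whether every DC serves the same SOA serial for the AD-integrated zone, and whether each DC has replicated successfully from its partners within the expected window. The PowerShell script below is an added example, not code from either poster or from Microsoft; it assumes the ActiveDirectory and DnsServer RSAT modules (Windows Server 2012 or later, so newer than the Windows 2000/2003 systems discussed in this thread), and the zone name and 15-minute threshold are parameters with placeholder defaults.

```powershell
# Added example: compare the SOA serial of an AD-integrated zone on every DC and
# check replication partner health. Assumes the ActiveDirectory and DnsServer
# modules (RSAT, Windows Server 2012+). The zone name is a placeholder.
param(
    [string]$ZoneName = 'corp.example',   # placeholder, replace with your zone
    [int]$MaxMinutesSinceSuccess = 15     # same-site expectation cited by Ace
)
Import-Module ActiveDirectory, DnsServer

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# 1. SOA serial as each DC sees it. AD-integrated zones have no single master,
#    so serials can legitimately differ (see KB 282826 linked later in the
#    thread); what matters is whether record contents converge, not whether
#    the serial numbers match.
$serials = foreach ($dc in $dcs) {
    try {
        $soa = Get-DnsServerResourceRecord -ComputerName $dc.HostName -ZoneName $ZoneName -RRType Soa
        [pscustomobject]@{
            DC     = $dc.HostName
            Site   = $dc.Site
            Serial = $soa.RecordData.SerialNumber
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Serial = "ERROR: $($_.Exception.Message)" }
    }
}
$serials | Format-Table -AutoSize
$distinct = @($serials.Serial | Sort-Object -Unique).Count
Write-Host ("SOA serial for {0}: {1} distinct value(s) across {2} DCs" -f $ZoneName, $distinct, @($serials).Count)

# 2. Replication partner metadata: this is the check that actually tells you
#    whether changes are flowing. A partner whose last success is older than the
#    threshold, or which shows consecutive failures, is a real problem;
#    differing serials alone are not.
$partners = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue |
        ForEach-Object {
            $age = (Get-Date) - $_.LastReplicationSuccess
            [pscustomobject]@{
                DC                  = $dc.HostName
                Partner             = $_.Partner
                Partition           = $_.Partition
                MinutesSinceSuccess = [int]$age.TotalMinutes
                Failures            = $_.ConsecutiveReplicationFailures
                LastResult          = $_.LastReplicationResult   # 0 means success
            }
        }
}
$partners | Format-Table -AutoSize
$stale = $partners | Where-Object { $_.MinutesSinceSuccess -gt $MaxMinutesSinceSuccess -or $_.Failures -gt 0 }
if ($stale) {
    Write-Warning "Replication partners outside the expected window:"
    $stale | Format-Table -AutoSize
} else {
    Write-Host "All partners replicated within $MaxMinutesSinceSuccess minutes with no failures."
}
```

Run it from a domain-joined admin workstation with the RSAT modules installed. The serial table reproduces what Denis observed (different numbers on different DCs); the partner table is the part that answers his real question, because a partner with a recent LastReplicationSuccess and zero failures means the zone data is converging regardless of what the serials say. For DCs in different sites, raise the threshold to match the site link replication interval rather than the intra-site value Ace quotes.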
 
Guest

Thank you Kevin and Ace.
Your information was helpful for me.
dcdiag /v was successful from both of the DCs.
Both DCs are in one site.
Of course I refreshed the snap-ins.
I think that I can safely ignore these events.
 
Ace Fekay [MVP]

Denis Kosov said:
> Thank you Kevin and Ace.
> Your information was helpful for me.
> dcdiag /v was successful from both of the DCs.
> Both DCs are in one site.
> Of course I refreshed the snap-ins.
> I think that I can safely ignore these events.

I think you can too. FYI, as for the serial number behavior, here's a link
explaining that:

282826 - Active Directory-Integrated DNS Zone Serial Number Behavior:
http://support.microsoft.com/?id=282826

also:
http://www.eventid.net/display.asp?eventid=3000&eventno=297&source=DNS&phase=1
http://www.eventid.net/display.asp?eventid=9999&eventno=281&source=DNS&phase=1


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Kevin D. Goodknecht Sr. [MVP]

Denis Kosov said:
> Ace, Kevin or somebody else!
> I have one more question about DNS:
> The question is about my "internal" domain. I described my structure
> of two domains ("internal" and "external") in previous posts.
> There are also no problems with replication (dcdiag /v is successful,
> and other tests as well) and there are no problems with the serial
> numbers of integrated zones (SOA records). There are no warnings at
> all. But every day both of the DCs (Windows Server 2003) log the
> following error record:
>
> Event Type: Error
> Event Source: DNS
> Event Category: None
> Event ID: 6702
> Date: 27.06.2004
> Time: 21:07:15
> User: N/A
> Computer: MSK-SRV-01

Here is a link that may help you with this one.
http://www.eventid.net/display.asp?eventid=6702&eventno=294&source=DNS&phase=1
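Kevin's earlier point, that the 3000 and 9999 warnings are explained by a Secondary zone hosted on the same server, and the daily 6702 error reported here both call for the same check: which zone types each DC hosts, and which of those event IDs it has logged recently. The PowerShell script below is an added example, not from either poster or from Microsoft; it assumes the ActiveDirectory and DnsServer RSAT modules (Windows Server 2012 or later) and remote read access to the 'DNS Server' event log. The event ID list and look-back window are parameters; the defaults are the three IDs named in this thread and one day.

```powershell
# Added example: correlate DNS Server events 3000, 9999 and 6702 with the zone
# types hosted on each DC. Not code from this thread; assumes the ActiveDirectory
# and DnsServer modules (RSAT, Windows Server 2012+) and that the 'DNS Server'
# event log on each DC is readable remotely.
param(
    [int]$Days = 1,
    [int[]]$EventIds = @(3000, 9999, 6702)   # the IDs discussed in this thread
)
Import-Module ActiveDirectory, DnsServer

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName
$since = (Get-Date).AddDays(-$Days)

foreach ($dc in $dcs) {
    Write-Host "=== $($dc.HostName) ==="

    # Zones by type. Kevin's point: the 3000/9999 warnings come from a
    # Secondary zone, so list those separately from the AD-integrated ones.
    $zones = Get-DnsServerZone -ComputerName $dc.HostName |
        Where-Object { -not $_.IsAutoCreated }
    $zones | Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReverseLookupZone |
        Format-Table -AutoSize
    $secondary = @($zones | Where-Object { $_.ZoneType -eq 'Secondary' })

    # Events of interest in the last $Days days. Get-WinEvent throws when nothing
    # matches, so treat "no events" as a normal outcome rather than an error.
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = $EventIds
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No events $($EventIds -join ', ') since $since."
        continue
    }

    # One summary row per event ID: count, most recent occurrence, first
    # line of the message text.
    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Id      = $_.Name
            Count   = $_.Count
            Latest  = $latest.TimeCreated
            Message = ($latest.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize

    # Interpretation from the thread: 3000/9999 on a server that also hosts a
    # Secondary zone is the case Kevin says can be ignored. The same warnings on a
    # server with only AD-integrated zones, or a recurring 6702 error, should be
    # looked at against the eventid.net entries linked in the thread.
    $benignIds = @(3000, 9999)
    $hasBenign = @($events | Where-Object { $_.Id -in $benignIds }).Count -gt 0
    if ($hasBenign -and $secondary.Count -gt 0) {
        Write-Host ("3000/9999 present and {0} Secondary zone(s) hosted: {1}" -f $secondary.Count, ($secondary.ZoneName -join ', '))
    } elseif ($hasBenign) {
        Write-Warning "3000/9999 logged but no Secondary zone hosted here; check the zone configuration."
    }
}
```

The script prints, per DC, the zone inventory followed by a per-event-ID summary, so a reader can see at a glance whether the warnings Denis saw line up with a Secondary zone on that server. It only reads the event log and zone list; it changes nothing on the DCs.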
 
Ace Fekay [MVP]

> 4. About the Netlogon refresh interval - but there is no such key
> value in Windows Server 2003.

The default I believe was changed to 24 hours in Win2k3.

This is for W2k:
http://support.microsoft.com/default.aspx?scid=kb;en-us;265395

But you can try to add that key in W2k3. The worst that can happen is that
it doesn't work and you can remove it.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroup so all
can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
