Tuesday, May 12, 2009

Event ID 2088 NTDS Replication : DNS lookup failure occurred with replication success.

 
----- Original Message -----
Sent: Wednesday, May 13, 2009 4:32 AM
Subject: Event ID 1925 NTDS Replication : Attempt to establish a replication link failed due to DNS lookup problem.

Event ID 2088: DNS lookup failure occurred with replication success.
 
Event Type:Warning
Event Source:NTDS Replication
Event Category:DS RPC Client
Event ID:2088
Date:3/21/2005
Time:2:29:34 PM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Active Directory could not use DNS to resolve the IP address of the
source domain controller listed below. To maintain the consistency
of Security groups, group policy, users and computers and their passwords,
Active Directory successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on
member computers, domain controllers or application servers in this
Active Directory forest, including logon authentication or access to network
resources.
 
You should immediately resolve this DNS configuration error so that
this domain controller can resolve the IP address of the source
domain controller using DNS.
 
Alternate server name:
dc1
Failing DNS host name:
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com
 
NOTE: By default, only up to 10 DNS failures are shown for any given
12 hour period, even if more than 10 failures occur.  To log all
individual failure events, set the following diagnostics registry
value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
1) If the source domain controller is no longer functioning or its
operating system has been reinstalled with a different computer
name or NTDSDSA object GUID, remove the source domain controller's
metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
2) Confirm that the source domain controller is running Active Directory
and is accessible on the network by typing "net view
\\<source DC name>"
or "ping <source DC name>".
 
3) Verify that the source domain controller is using a valid DNS server
for DNS services, and that the source domain controller's host record
and CNAME record are correctly registered, using the DNS Enhanced
version of DCDIAG.EXE available on
http://www.microsoft.com/dns
 
dcdiag /test:dns
 
4) Verify that that this destination domain controller is using a
valid DNS server for DNS services, by running the DNS Enhanced
version of DCDIAG.EXE command on the console of the destination
domain controller, as follows:
 
dcdiag /test:dns
 
5) For further analysis of DNS error failures see KB 824449
 

Cause:
 
Failure to resolve the current CNAME resource record of the source domain controller to an IP address can have the following causes:
 
The source domain controller is powered off, is offline, or resides on an isolated network, and Active Directory and Domain Name System (DNS) data for the offline domain controller has not been deleted to indicate that the domain controller is inaccessible.
 
One of the following conditions exists:
 
The source domain controller has not registered its resource records in DNS.
 
The destination domain controller is configured to use an invalid DNS server.
 
The source domain controller is configured to use an invalid DNS server.
 
The DNS server that is used by the source domain controller does not host the correct zones or the zones are not configured to accept dynamic updates.
 
The direct DNS servers that are queried by the destination domain controller cannot resolve the IP address of the source domain controller as a result of nonexistent or invalid forwarders or delegations.
 
Active Directory has been removed on the source domain controller and then reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID has not reached the destination domain controller.
 
Active Directory has been removed on the source domain controller and then reinstalled with a different IP address, but the current host address (A) resource record for the IP address of the source domain controller is either not registered or does not exist on the DNS servers that are queried by the destination domain controller as a result of replication latency or replication error.
 
The operating system of the source domain controller has been reinstalled with a different computer name, but its metadata either has not been removed or has been removed and not yet inbound-replicated by the destination domain controller.
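The lookup that event 2088 reports as failing has two links: the CNAME record for the source domain controller's GUID under _msdcs, and the host (A) record of the name that CNAME points to. The following PowerShell is an added example, not part of the original message or of Microsoft's text; the function names Get-Event2088Target and Test-DsaCnameChain are hypothetical, and it assumes a Windows version that ships the DnsClient module (Resolve-DnsName) and that it is run on the destination domain controller that logged the event.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Assumes the DnsClient module (Resolve-DnsName, Get-DnsClientServerAddress) is
# available and that the script runs on the destination DC that logged event 2088.

function Get-Event2088Target {
    # Extract the two fields the event description exposes.
    param([Parameter(Mandatory)][string]$Message)
    $alt = $null; $failing = $null
    if ($Message -match 'Alternate server name:\s*(\S+)') { $alt = $Matches[1] }
    if ($Message -match 'Failing DNS host name:\s*(\S+)') { $failing = $Matches[1] }
    [pscustomobject]@{ AlternateServerName = $alt; FailingDnsHostName = $failing }
}

function Test-DsaCnameChain {
    # For each DNS server: does <DSA GUID>._msdcs.<forest> have a CNAME,
    # and does the CNAME target have a host (A) record?
    param(
        [Parameter(Mandatory)][string]$FailingDnsHostName,
        [Parameter(Mandatory)][string[]]$DnsServer
    )
    foreach ($server in $DnsServer) {
        $row = [ordered]@{
            DnsServer = $server; Name = $FailingDnsHostName
            CnameTarget = $null; Address = $null; Status = 'OK'
        }
        # Filter on record type: a negative answer can still carry an SOA record.
        $cname = Resolve-DnsName -Name $FailingDnsHostName -Type CNAME -Server $server `
                     -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) {
            $row.Status = 'CNAME not found'
        } else {
            $row.CnameTarget = $cname.NameHost
            $a = Resolve-DnsName -Name $cname.NameHost -Type A -Server $server `
                     -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            if ($a) { $row.Address = ($a.IPAddress -join ',') }
            else    { $row.Status = 'CNAME found, no A record for target' }
        }
        [pscustomobject]$row
    }
}

# DNS servers this domain controller is configured to query.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique

# Most recent 2088 warnings from the Directory Service log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2088 } `
              -MaxEvents 10 -ErrorAction SilentlyContinue

if ($events -and $dnsServers) {
    $events |
        ForEach-Object { Get-Event2088Target -Message $_.Message } |
        Where-Object FailingDnsHostName |
        Sort-Object FailingDnsHostName -Unique |
        ForEach-Object {
            Test-DsaCnameChain -FailingDnsHostName $_.FailingDnsHostName -DnsServer $dnsServers
        } |
        Format-Table -AutoSize
}
```

A result that differs from one DNS server to the next narrows the cause to the servers, forwarders or delegations that the destination domain controller queries; the same failure on every server points back to the source domain controller's registration or to stale metadata.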
 
Solution:
 
First, determine whether the source domain controller is functioning. If the source domain controller is not functioning, remove its remaining metadata from Active Directory.
 
If the source domain controller is functioning, continue with procedures to diagnose and solve the DNS problem, as needed:
 
Use Dcdiag to diagnose DNS problems.
 
Register DNS SRV resource records plus host records.
 
Synchronize replication between the source and destination domain controllers.
 
Verify consistency of the NTDS Settings GUID.
 
Determine Whether a Domain Controller Is Functioning
To determine whether the source domain controller is functioning, use the following test.
 
Requirements
 
Administrative credentials: To complete this procedure, you must be a member of the Domain Users group in the domain of the domain controller.
 
Tools: Net view
 
To determine whether a domain controller is functioning
To confirm that the domain controller is running Active Directory and is accessible on the network, at a command prompt type the following command, and then press ENTER:
 
net view \\SourceDomainControllerName
 
where SourceDomainControllerName is the NetBIOS name of the domain controller.
 
This command displays the Netlogon and SYSVOL shares, indicating that the server is functioning as a domain controller. If this test shows that the domain controller is not functioning on the network, determine the nature of the disconnection and whether the domain controller can be recovered or whether its metadata must be removed from Active Directory manually. If the domain controller is not functioning and cannot be restored, use the procedure in the following section, "Clean Up Domain Controller Metadata," to delete the data from Active Directory that is associated with that server.
 
Clean Up Domain Controller Metadata
If tests show that the domain controller is no longer functioning but you still see objects representing the domain controller in Active Directory Sites and Services, replication will continue to be attempted, and you must remove these objects from Active Directory manually. You must use Ntdsutil to clean up (delete) the metadata for the defunct domain controller.
 
If the defunct domain controller is the last domain controller in the domain, you should also remove the metadata for the domain. Allow sufficient time for all global catalog servers in the forest to inbound-replicate the domain deletion before promoting a new domain with the same name.
 
The process for cleaning up metadata is improved in the version of Ntdsutil that is included with Windows Server 2003 SP1. Instructions for cleaning up metadata with the Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of Ntdsutil are provided in the following procedure.
 
Requirements
 
Administrative credentials: To complete this procedure, you must be a member of the Enterprise Admins group.
 
Tools: Ntdsutil (System32 command-line tool)
 
To clean up server metadata
Open a Command Prompt.
 
Type the following command, and then press ENTER:
 
ntdsutil
 
At the ntdsutil: command prompt, type the following command, and then press ENTER:
 
metadata cleanup
 
Perform metadata cleanup as follows:
 
If you are performing server metadata cleanup only and you are using the version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the metadata cleanup: command prompt, type the following, and then press ENTER:
remove selected server ServerName
Or
remove selected server ServerName1 on ServerName2
 
Value: ServerName, ServerName1
Description: The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain
 
Value: ServerName2
Description: The DNS name of the domain controller to which you want to connect and from which you want to remove server metadata
 
 
If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 with no service pack, or if you are performing both domain metadata cleanup and server metadata cleanup, perform metadata cleanup as follows:
 
a. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
connection
 
b. At the server connections: command prompt, type the following command, and then press ENTER:
connect to server Server
 
c. At the connection: command prompt, type the following command, and then press ENTER:
quit
 
d. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
select operation target
 
e. At the select operation target: command prompt, type the following command, and then press ENTER:
list sites
 
f. A numbered list of sites appears. Type the following command, and then press ENTER:
select site SiteNumber
 
g. At the select operation target: command prompt, type the following command, and then press ENTER:
list domains in site
 
h. A numbered list of domains in the selected site appears. Type the following command, and then press ENTER:
select domain DomainNumber
 
i. At the select operation target: command prompt, type the following command, and then press ENTER:
list servers in site
 
j. A numbered list of servers in a domain and site is displayed. Type the following command, and then press ENTER:
select server ServerNumber
 
k. At the select operation target: command prompt, type the following command, and then press ENTER:
quit
 
l. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected server
 
m. If the server whose metadata you have removed is the last domain controller in the domain and you want to remove the domain metadata, at the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected domain
Metadata for the domain that you selected in step h is removed.
 
At the metadata cleanup: and ntdsutil: command prompts, type quit, and then press ENTER.
 

 

 

 

Event ID 1925 NTDS Replication : Attempt to establish a replication link failed due to DNS lookup problem.

Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem.
 
Event Type:Warning
Event Source:NTDS Replication
Event Category:DS RPC Client
Event ID:2088
Date:3/21/2005
Time:2:29:34 PM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Active Directory could not use DNS to resolve the IP address of the
source domain controller listed below. To maintain the consistency
of Security groups, group policy, users and computers and their passwords,
Active Directory successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on
member computers, domain controllers or application servers in this
Active Directory forest, including logon authentication or access to network
resources.
 
You should immediately resolve this DNS configuration error so that
this domain controller can resolve the IP address of the source
domain controller using DNS.
 
Alternate server name:
dc1
Failing DNS host name:
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com
 
NOTE: By default, only up to 10 DNS failures are shown for any given
12 hour period, even if more than 10 failures occur.  To log all
individual failure events, set the following diagnostics registry
value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
1) If the source domain controller is no longer functioning or its
operating system has been reinstalled with a different computer
name or NTDSDSA object GUID, remove the source domain controller's
metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
2) Confirm that the source domain controller is running Active Directory
and is accessible on the network by typing "net view
\\<source DC name>"
or "ping <source DC name>".
 
3) Verify that the source domain controller is using a valid DNS server
for DNS services, and that the source domain controller's host record
and CNAME record are correctly registered, using the DNS Enhanced
version of DCDIAG.EXE available on
http://www.microsoft.com/dns
 
dcdiag /test:dns
 
4) Verify that that this destination domain controller is using a
valid DNS server for DNS services, by running the DNS Enhanced
version of DCDIAG.EXE command on the console of the destination
domain controller, as follows:
 
dcdiag /test:dns
 
5) For further analysis of DNS error failures see KB 824449
 

Cause:
 
Failure to resolve the current CNAME resource record of the source domain controller to an IP address can have the following causes:
 
The source domain controller is powered off, is offline, or resides on an isolated network, and Active Directory and Domain Name System (DNS) data for the offline domain controller has not been deleted to indicate that the domain controller is inaccessible.
 
One of the following conditions exists:
 
The source domain controller has not registered its resource records in DNS.
 
The destination domain controller is configured to use an invalid DNS server.
 
The source domain controller is configured to use an invalid DNS server.
 
The DNS server that is used by the source domain controller does not host the correct zones or the zones are not configured to accept dynamic updates.
 
The direct DNS servers that are queried by the destination domain controller cannot resolve the IP address of the source domain controller as a result of nonexistent or invalid forwarders or delegations.
 
Active Directory has been removed on the source domain controller and then reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID has not reached the destination domain controller.
 
Active Directory has been removed on the source domain controller and then reinstalled with a different IP address, but the current host address (A) resource record for the IP address of the source domain controller is either not registered or does not exist on the DNS servers that are queried by the destination domain controller as a result of replication latency or replication error.
 
The operating system of the source domain controller has been reinstalled with a different computer name, but its metadata either has not been removed or has been removed and not yet inbound-replicated by the destination domain controller.
 
Solution:
 
First, determine whether the source domain controller is functioning. If the source domain controller is not functioning, remove its remaining metadata from Active Directory.
 
If the source domain controller is functioning, continue with procedures to diagnose and solve the DNS problem, as needed:
 
Use Dcdiag to diagnose DNS problems.
 
Register DNS SRV resource records plus host records.
 
Synchronize replication between the source and destination domain controllers.
 
Verify consistency of the NTDS Settings GUID.
 
Determine Whether a Domain Controller Is Functioning
To determine whether the source domain controller is functioning, use the following test.
 
Requirements
 
Administrative credentials: To complete this procedure, you must be a member of the Domain Users group in the domain of the domain controller.
 
Tools: Net view
 
To determine whether a domain controller is functioning
To confirm that the domain controller is running Active Directory and is accessible on the network, at a command prompt type the following command, and then press ENTER:
 
net view \\SourceDomainControllerName
 
where SourceDomainControllerName is the NetBIOS name of the domain controller.
 
This command displays the Netlogon and SYSVOL shares, indicating that the server is functioning as a domain controller. If this test shows that the domain controller is not functioning on the network, determine the nature of the disconnection and whether the domain controller can be recovered or whether its metadata must be removed from Active Directory manually. If the domain controller is not functioning and cannot be restored, use the procedure in the following section, "Clean Up Domain Controller Metadata," to delete the data from Active Directory that is associated with that server.
 
Clean Up Domain Controller Metadata
If tests show that the domain controller is no longer functioning but you still see objects representing the domain controller in Active Directory Sites and Services, replication will continue to be attempted, and you must remove these objects from Active Directory manually. You must use Ntdsutil to clean up (delete) the metadata for the defunct domain controller.
 
If the defunct domain controller is the last domain controller in the domain, you should also remove the metadata for the domain. Allow sufficient time for all global catalog servers in the forest to inbound-replicate the domain deletion before promoting a new domain with the same name.
 
The process for cleaning up metadata is improved in the version of Ntdsutil that is included with Windows Server 2003 SP1. Instructions for cleaning up metadata with the Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of Ntdsutil are provided in the following procedure.
 
Requirements
 
Administrative credentials: To complete this procedure, you must be a member of the Enterprise Admins group.
 
Tools: Ntdsutil (System32 command-line tool)
 
To clean up server metadata
Open a Command Prompt.
 
Type the following command, and then press ENTER:
 
ntdsutil
 
At the ntdsutil: command prompt, type the following command, and then press ENTER:
 
metadata cleanup
 
Perform metadata cleanup as follows:
 
If you are performing server metadata cleanup only and you are using the version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the metadata cleanup: command prompt, type the following, and then press ENTER:
remove selected server ServerName
Or
remove selected server ServerName1 on ServerName2
 
Value: ServerName, ServerName1
Description: The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain
 
Value: ServerName2
Description: The DNS name of the domain controller to which you want to connect and from which you want to remove server metadata
 
 
If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 with no service pack, or if you are performing both domain metadata cleanup and server metadata cleanup, perform metadata cleanup as follows:
 
a. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
connection
 
b. At the server connections: command prompt, type the following command, and then press ENTER:
connect to server Server
 
c. At the connection: command prompt, type the following command, and then press ENTER:
quit
 
d. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
select operation target
 
e. At the select operation target: command prompt, type the following command, and then press ENTER:
list sites
 
f. A numbered list of sites appears. Type the following command, and then press ENTER:
select site SiteNumber
 
g. At the select operation target: command prompt, type the following command, and then press ENTER:
list domains in site
 
h. A numbered list of domains in the selected site appears. Type the following command, and then press ENTER:
select domain DomainNumber
 
i. At the select operation target: command prompt, type the following command, and then press ENTER:
list servers in site
 
j. A numbered list of servers in a domain and site is displayed. Type the following command, and then press ENTER:
select server ServerNumber
 
k. At the select operation target: command prompt, type the following command, and then press ENTER:
quit
 
l. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected server
 
m. If the server whose metadata you have removed is the last domain controller in the domain and you want to remove the domain metadata, at the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected domain
Metadata for the domain that you selected in step h is removed.
 
At the metadata cleanup: and ntdsutil: command prompts, type quit, and then press ENTER.
 

 

 
5) For further analysis of DNS error failures see KB 824449
 

Cause:
 
Failure to resolve the current CNAME resource record of the source domain controller to an IP address can have the following causes:
 
The source domain controller is powered off, is offline, or resides on an isolated network, and Active Directory and Domain Name System (DNS) data for the offline domain controller has not been deleted to indicate that the domain controller is inaccessible.
 
One of the following conditions exists:
 
The source domain controller has not registered its resource records in DNS.
 
The destination domain controller is configured to use an invalid DNS server.
 
The source domain controller is configured to use an invalid DNS server.
 
The DNS server that is used by the source domain controller does not host the correct zones or the zones are not configured to accept dynamic updates.
 
The direct DNS servers that are queried by the destination domain controller cannot resolve the IP address of the source domain controller as a result of nonexistent or invalid forwarders or delegations.
 
Active Directory has been removed on the source domain controller and then reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID has not reached the destination domain controller.
 
Active Directory has been removed on the source domain controller and then reinstalled with a different IP address, but the current host address (A) resource record for the IP address of the source domain controller is either not registered or does not exist on the DNS servers that are queried by the destination domain controller as a result of replication latency or replication error.
 
The operating system of the source domain controller has been reinstalled with a different computer name, but its metadata either has not been removed or has been removed and not yet inbound-replicated by the destination domain controller.
 
Solution:
 
First, determine whether the source domain controller is functioning. If the source domain controller is not functioning, remove its remaining metadata from Active Directory.
 
If the source domain controller is functioning, continue with procedures to diagnose and solve the DNS problem, as needed:
 
Use Dcdiag to diagnose DNS problems.
 
Register DNS SRV resource records plus host records.
 
Synchronize replication between the source and destination domain controllers.
 
Verify consistency of the NTDS Settings GUID.
 
Determine Whether a Domain Controller Is Functioning
To determine whether the source domain controller is functioning, use the following test.
 
Requirements
 
Administrative credentials: To complete this procedure, you must be a member of the Domain Users group in the domain of the domain controller.
 
Tools: Net view
 
To determine whether a domain controller is functioning
To confirm that the domain controller is running Active Directory and is accessible on the network, at a command prompt type the following command, and then press ENTER:

net view \\SourceDomainControllerName

where SourceDomainControllerName is the NetBIOS name of the domain controller.
 
This command displays the Netlogon and SYSVOL shares, indicating that the server is functioning as a domain controller. If this test shows that the domain controller is not functioning on the network, determine the nature of the disconnection and whether the domain controller can be recovered or whether its metadata must be removed from Active Directory manually. If the domain controller is not functioning and cannot be restored, use the procedure in the following section, "Clean Up Domain Controller Metadata," to delete the data from Active Directory that is associated with that server.
 
Clean Up Domain Controller Metadata
If tests show that the domain controller is no longer functioning but you still see objects representing the domain controller in Active Directory Sites and Services, replication will continue to be attempted, and you must remove these objects from Active Directory manually. You must use Ntdsutil to clean up (delete) the metadata for the defunct domain controller.
 
If the defunct domain controller is the last domain controller in the domain, you should also remove the metadata for the domain. Allow sufficient time for all global catalog servers in the forest to inbound-replicate the domain deletion before promoting a new domain with the same name.
 
The process for cleaning up metadata is improved in the version of Ntdsutil that is included with Windows Server 2003 SP1. Instructions for cleaning up metadata with the Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of Ntdsutil are provided in the following procedure.
 
Requirements
 
Administrative credentials: To complete this procedure, you must be a member of the Enterprise Admins group.
 
Tools: Ntdsutil (System32 command-line tool)
 
To clean up server metadata
Open a Command Prompt.
 
Type the following command, and then press ENTER:
 
ntdsutil
 
At the ntdsutil: command prompt, type the following command, and then press ENTER:
 
metadata cleanup
 
Perform metadata cleanup as follows:
 
If you are performing server metadata cleanup only and you are using the version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the metadata cleanup: command prompt, type the following, and then press ENTER:
remove selected server ServerName
Or
remove selected server ServerName1 on ServerName2

Value: ServerName, ServerName1
Description: The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain

Value: ServerName2
Description: The DNS name of the domain controller to which you want to connect and from which you want to remove server metadata
 
 
If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 with no service pack, or if you are performing both domain metadata cleanup and server metadata cleanup, perform metadata cleanup as follows:
 
a. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
connection

b. At the server connections: command prompt, type the following command, and then press ENTER:
connect to server Server

c. At the connection: command prompt, type the following command, and then press ENTER:
quit

d. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
select operation target

e. At the select operation target: command prompt, type the following command, and then press ENTER:
list sites

f. A numbered list of sites appears. Type the following command, and then press ENTER:
select site SiteNumber

g. At the select operation target: command prompt, type the following command, and then press ENTER:
list domains in site

h. A numbered list of domains in the selected site appears. Type the following command, and then press ENTER:
select domain DomainNumber

i. At the select operation target: command prompt, type the following command, and then press ENTER:
list servers in site

j. A numbered list of servers in a domain and site is displayed. Type the following command, and then press ENTER:
select server ServerNumber

k. At the select operation target: command prompt, type the following command, and then press ENTER:
quit

l. At the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected server

m. If the server whose metadata you have removed is the last domain controller in the domain and you want to remove the domain metadata, at the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected domain
Metadata for the domain that you selected in step h is removed.
 
At the metadata cleanup: and ntdsutil: command prompts, type quit, and then press ENTER.
 

 

Event ID 1925 NTDS KCC: Attempt to establish a replication link failed due to DNS lookup problem.

Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem.
 
Event Type:Warning
Event Source:NTDS KCC
Event Category:Knowledge Consistency Checker
Event ID:1925
Date:3/24/2005
Time:9:15:46 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
The attempt to establish a replication link for the following
writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=contoso,DC=com
Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Source domain controller address:
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com
Intersite transport (if any):
 
This domain controller will be unable to replicate with the
source domain controller until this problem is corrected. 
 
User Action
Verify if the source domain controller is accessible or
network connectivity is available.
 

Cause:

Failure to resolve the current CNAME resource record of the source domain controller to an IP address can have the following causes:
 
The source domain controller is powered off, is offline, or resides on an isolated network, and Active Directory and Domain Name System (DNS) data for the offline domain controller has not been deleted to indicate that the domain controller is inaccessible.
 
One of the following conditions exists:
 
The source domain controller has not registered its resource records in DNS.
 
The destination domain controller is configured to use an invalid DNS server.
 
The source domain controller is configured to use an invalid DNS server.
 
The DNS server that is used by the source domain controller does not host the correct zones or the zones are not configured to accept dynamic updates.
 
The direct DNS servers that are queried by the destination domain controller cannot resolve the IP address of the source domain controller as a result of nonexistent or invalid forwarders or delegations.
 
Active Directory has been removed on the source domain controller and then reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID has not reached the destination domain controller.
 
Active Directory has been removed on the source domain controller and then reinstalled with a different IP address, but the current host address (A) resource record for the IP address of the source domain controller is either not registered or does not exist on the DNS servers that are queried by the destination domain controller as a result of replication latency or replication error.
 
The operating system of the source domain controller has been reinstalled with a different computer name, but its metadata either has not been removed or has been removed and not yet inbound-replicated by the destination domain controller.
 
Solution:
 
Use Dcdiag to Diagnose DNS Problems
If the domain controller is functioning online, continue by using Dcdiag to diagnose and fix DNS problems that might be interfering with Active Directory replication.
 
Use the following procedures to complete this process:
 
Verify connectivity and basic DNS functionality.
 
Verify registration of the CNAME resource record in DNS.
 
Verify and enable secure dynamic updates.
 
Before you begin these procedures, gather the following information, which is contained in the event ID 2087 message text:
 
The FQDN of the source domain controller and destination domain controller
 
The IP address of the source domain controller
 
The updated version of Dcdiag that is included in Windows Support Tools in Windows Server 2003 SP1 contains tests that provide consolidated and improved testing of basic and advanced DNS features. You can use this tool to diagnose basic DNS functionality and dynamic updates.
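
The checks described above (CNAME registration, host record resolution, and consistency of the NTDS Settings GUID) can also be walked through per DNS server with a short script. This is an added example, not part of the original message or of Microsoft's procedure; the function names are hypothetical, the default values are the sample names from the event ID 1925 text, and it assumes a host with the DnsClient and ActiveDirectory PowerShell modules (Windows Server 2012 or later), which postdate the Windows Server 2003 tools named here.

```powershell
# Added example (not from the original post). Defaults are the sample values
# printed in the event ID 1925 text; replace them with the values from your event.
param(
    [string]   $SourceAddress  = 'f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com',
    [string]   $NtdsSettingsDn = 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com',
    [string[]] $DnsServer      = @()    # empty: use the DNS servers configured on this machine
)

function Test-DsaDnsChain {
    # Walks <GUID>._msdcs.<forest> -> CNAME target -> host (A) record on ONE DNS server,
    # so a server with stale or missing records stands out from the others.
    param([string]$Name, [string]$Server)

    $result = [pscustomobject]@{
        DnsServer = $Server; CnameTarget = $null; Addresses = @(); Finding = $null
    }
    try {
        $cname = Resolve-DnsName -Name $Name -Type CNAME -Server $Server -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch {
        $result.Finding = "CNAME lookup failed: $($_.Exception.Message)"
        return $result
    }
    if (-not $cname) {
        # The server answered (for example with an SOA record) but returned no CNAME.
        $result.Finding = 'No CNAME record returned for this name'
        return $result
    }
    $result.CnameTarget = $cname.NameHost
    try {
        $result.Addresses = @(Resolve-DnsName -Name $cname.NameHost -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                              Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        $result.Finding = "CNAME is registered but its host (A) record did not resolve: $($_.Exception.Message)"
        return $result
    }
    $result.Finding = if ($result.Addresses.Count) { 'OK' }
                      else { 'CNAME is registered but no host (A) record was returned' }
    return $result
}

function Test-DsaGuidConsistency {
    # Compares the GUID label of the DNS name with the objectGUID of the
    # NTDS Settings object named in the event.
    param([string]$Name, [string]$Dn)

    $fromDns = [guid]::Empty
    if (-not [guid]::TryParse(($Name -split '\.')[0], [ref]$fromDns)) {
        return "First label of '$Name' is not a GUID"
    }
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        return 'ActiveDirectory module not installed; GUID comparison skipped'
    }
    try {
        $dsa = Get-ADObject -Identity $Dn -Properties objectGUID -ErrorAction Stop
    } catch {
        return "NTDS Settings object could not be read: $($_.Exception.Message)"
    }
    if ($dsa.ObjectGUID -eq $fromDns) {
        'GUID in the DNS name matches the NTDS Settings object'
    } else {
        "Mismatch: DNS name uses $fromDns, NTDS Settings object is $($dsa.ObjectGUID)"
    }
}

if (-not $DnsServer) {
    $DnsServer = Get-DnsClientServerAddress -AddressFamily IPv4 |
                 ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
}
$DnsServer | ForEach-Object { Test-DsaDnsChain -Name $SourceAddress -Server $_ } | Format-List
Test-DsaGuidConsistency -Name $SourceAddress -Dn $NtdsSettingsDn
```

Run it on the destination domain controller so that the DNS servers queried are the ones that domain controller actually uses. A GUID mismatch points to the reinstalled-source causes listed under Cause, not to a missing DNS registration.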
 

 

 

 

 
