Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Domain Replica [message #163892] Tue, 09 June 2009 18:08
John:
Server1 - Windows Server 2003 R2 SP2 + patches up to May 2009
Server2 - Windows Server 2003 R2 SP2 + patches up to May 2009
Both servers are DC and GC. Server1 is the FSMO role holder.

I'm troubleshooting slow startup on my 2 servers. I suspect that there are
remnants of old Win2003 or Windows NT4 servers that are still in the
registry of AD.

I ran ADSIEDIT.MSC and found the following:

Domain [servername.companyname.com]
- DC=companyname,DC=com (right click, Properties)

There's an entry that looks like this:
Attribute: domainReplica
Syntax: Unicode String
Value: WinSrv2003

Here's the problem:
WinSrv2003 no longer exists. It was a temporary server that I installed
years ago. It has been removed since then.

Could this be why the servers take as long as 15 minutes to get to Press
CTRL ALT DEL to login?

Instead of the non existent replica, what should this entry be? Is it safe
to erase the entry, make it blank?

Is there any easy way to search thru ADSI Edit entries (something like
searching thru registry)?
Re: Domain Replica [message #163896 is a reply to message #163892] Tue, 09 June 2009 18:18
KevinJ.SBS:
You probably want to start with dcdiag

(dcdiag /c /v /e) and work from there. If there are old domain controllers
in AD you will want to precisely follow the metadata cleanup process to
completely and correctly remove all the old links.

Slow startups usually are indicative of DNS issues or misconfigurations.

John wrote:
> Server1 - Windows Server 2003 R2 SP2 + patches up to May 2009
> Server2 - Windows Server 2003 R2 SP2 + patches up to May 2009
> Both servers are DC and GC. Server1 is the FSMO role holder.
>
> I'm troubleshooting slow startup on my 2 servers. I suspect that
> there are remnants of old Win2003 or Windows NT4 servers that are
> still in the registry of AD.
>
> I ran ADSIEDIT.MSC and found the following:
>
> Domain [servername.companyname.com]
> - DC=companyname,DC=com (right click, Properties)
>
> There's an entry that looks like this:
> Attribute: domainReplica
> Syntax: Unicode String
> Value: WinSrv2003
>
> Here's the problem:
> WinSrv2003 no longer exists. It was a temporary server that I
> installed years ago. It has been removed since then.
>
> Could this be why the servers take as long as 15 minutes to get to
> Press CTRL ALT DEL to login?
>
> Instead of the non existent replica, what should this entry be? Is it
> safe to erase the entry, make it blank?
>
> Is there any easy way to search thru ADSI Edit entries (something like
> searching thru registry)?

--
/kj
Re: Domain Replica [message #163899 is a reply to message #163892] Tue, 09 June 2009 18:19
meiweb(nospam):
Hello John,

Long/slow startup/logon times often result from DNS problems; please make sure
that only domain DNS servers are used on the NIC and not an ISP DNS server.
Please post an unedited ipconfig /all so we can exclude this.

If old removed DCs exist in the database follow this article to remove them:
http://support.microsoft.com/kb/555846/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Server1 - Windows Server 2003 R2 SP2 + patches up to May 2009 Server2
> - Windows Server 2003 R2 SP2 + patches up to May 2009 Both servers are
> DC and GC. Server1 is the FSMO role holder.
>
> I'm troubleshooting slow startup on my 2 servers. I suspect that there
> are remnants of old Win2003 or Windows NT4 servers that are still in
> the registry of AD.
>
> I ran ADSIEDIT.MSC and found the following:
>
> Domain [servername.companyname.com]
> - DC=companyname,DC=com (right click, Properties)
> There's an entry that looks like this:
> Attribute: domainReplica
> Syntax: Unicode String
> Value: WinSrv2003
> Here's the problem:
> WinSrv2003 no longer exists. It was a temporary server that I
> installed
> years ago. It has been removed since then.
> Could this be why the servers take as long as 15 minutes to get to
> Press CTRL ALT DEL to login?
>
> Instead of the non existent replica, what should this entry be? Is it
> safe to erase the entry, make it blank?
>
> Is there any easy way to search thru ADSI Edit entries (something like
> searching thru registry)?
>
Re: Domain Replica [message #163901 is a reply to message #163899] Tue, 09 June 2009 19:07
John:
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66272678cbb7784a0147eb@msnews.microsoft.com...
> Hello John,
>
> Long/slow startup/logon times often result from DNS problems; please make
> sure that only domain DNS servers are used on the NIC and not an ISP DNS
> server. Please post an unedited ipconfig /all so we can exclude this.

NIC config is correct. I'm not using ISP DNS IP addresses in any of the 2
servers.
See my reply to kj [SBS MVP] for more info.

> If old removed DCs exist in the database follow this article to remove
> them:
> http://support.microsoft.com/kb/555846/en-us

I'll take a look at the article. Thanks.
Re: Domain Replica [message #163905 is a reply to message #163896] Tue, 09 June 2009 19:03
John:
Thanks to both for your quick reply.
more below...

"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:OEsw6AV6JHA.3860@TK2MSFTNGP05.phx.gbl...
>
> (dcdiag /c /v /e) and work from there. If there are old domain controllers
> in AD you will want to precisely follow the metadata cleanup process to
> completely and correctly remove all the old links.

I ran the above command and dumped the result to a text file. Then I opened the
text file and did the following:

1) Search for a string (old server names). Nothing found.
2) Search for "fail" without quotes. Here's the result (not sure if this is
normal):

Summary of test results for DNS servers used by the above domain
controllers:

DNS server: 128.63.2.53 (h.root-servers.net.)
2 test failures on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
[Error details: 9003 (Type: Win32 - Description: DNS name does
not exist.)]

DNS server: 128.8.10.90 (d.root-servers.net.)
2 test failures on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
[Error details: 9003 (Type: Win32 - Description: DNS name does
not exist.)]
....
....
and so on. All root hint DNS servers show up like the 2 errors shown above.
The internal DNS test show up fine:

DNS server: 192.168.0.3 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is functional. _ldap._tcp SRV record for the forest
root domain is registered

There are no other FAILs other than Forwarders. Note: I didn't configure DNS
to use forwarders.

Here's how DNS is configured (default gateway omitted):

Server1
IP 192.168.0.3
Preferred DNS 192.168.0.3
Alternate DNS 192.168.0.5

Server2
IP 192.168.0.5
Preferred DNS 192.168.0.3
Alternate DNS 192.168.0.5

More info (several different boot results)

Turn on Server1 when Server2 is OFF - it takes about 15 minutes to get to
Press CTRL ALT DEL to logon

Turn on Server1 when Server2 is already running for hours - it takes about
3 minutes to get to Press CTRL ALT DEL to logon

Turn on Server1 and Server2 at the same time - both servers take about 15
minutes to get to Press CTRL ALT DEL to logon

Turn on Server2 when Server1 is already running for hours - it takes about 3
minutes to get to Press CTRL ALT DEL to logon

Of course if I restart one of the servers when the other is already up and
running, boot time is normal (that is, doesn't take 15 minutes to get to
logon prompt).

Sorry for the long post.
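A way to triage the dcdiag dump John describes, as an added example that is not part of the thread: it parses the per-server "Summary of test results for DNS servers" section and separates the internal DNS servers from root servers and public resolvers, which dcdiag also tests because it exercises forwarders and root hints, not only the NIC entries. The dump text embedded below is constructed to match the excerpt above; the `findings()` rules and the set of expected internal DNS servers are assumptions for illustration, not anything dcdiag itself reports.

```python
"""Classify every DNS server listed in the summary section of a
`dcdiag /c /v /e` (or `dcdiag /test:dns /v`) dump.

Added example, not code from the thread. SAMPLE_DCDIAG is constructed in the
layout of the excerpt John posted; for a real run use
parse_dns_summary(open("dcdiag.txt").read()).
"""
import ipaddress
import re

# Constructed sample in the layout of the thread's excerpt (not a real dump).
SAMPLE_DCDIAG = """\
      Summary of test results for DNS servers used by the above domain
      controllers:

         DNS server: 128.63.2.53 (h.root-servers.net.)
            2 test failures on this DNS server
            This is not a valid DNS server. PTR record query for the
            1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
            [Error details: 9003 (Type: Win32 - Description: DNS name does
            not exist.)]

         DNS server: 128.8.10.90 (d.root-servers.net.)
            2 test failures on this DNS server
            This is not a valid DNS server. PTR record query for the
            1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
            [Error details: 9003 (Type: Win32 - Description: DNS name does
            not exist.)]

         DNS server: 192.168.0.3 (<name unavailable>)
            All tests passed on this DNS server
            This is a valid DNS server.
            Name resolution is functional. _ldap._tcp SRV record for the forest
            root domain is registered
"""

SERVER_RE = re.compile(r"^\s*DNS server:\s+(\S+)\s+\((.*?)\)\s*$", re.M)
FAIL_RE = re.compile(r"^\s*(\d+) test failures? on this DNS server", re.M)
ERR_RE = re.compile(r"Error details:\s*(\d+)")


def parse_dns_summary(text):
    """Return {ip: {name, failures, error_codes, is_root_server, is_private}}."""
    heads = list(SERVER_RE.finditer(text))
    servers = {}
    for i, head in enumerate(heads):
        ip, name = head.group(1), head.group(2)
        # Everything up to the next "DNS server:" line belongs to this server.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        fail = FAIL_RE.search(body)
        servers[ip] = {
            "name": name,
            "failures": int(fail.group(1)) if fail else 0,
            "error_codes": sorted({int(c) for c in ERR_RE.findall(body)}),
            "is_root_server": name.lower().endswith("root-servers.net."),
            "is_private": ipaddress.ip_address(ip).is_private,
        }
    return servers


def findings(servers, expected_internal):
    """One line per server worth acting on (assumed triage rules).

    expected_internal: the DNS server IPs the DCs' NICs are supposed to use.
    Anything else in the summary came from forwarders, root hints or a stray
    NIC entry.
    """
    out = []
    for ip, info in servers.items():
        if info["is_root_server"]:
            out.append(f"{ip} ({info['name']}): root server tested via root "
                       f"hints; compare the hints list with the current named.root")
        elif ip in expected_internal:
            if info["failures"]:
                out.append(f"{ip}: internal DNS server failed "
                           f"{info['failures']} test(s) {info['error_codes']}")
        elif not info["is_private"]:
            out.append(f"{ip}: public resolver in the resolver path; it belongs "
                       f"in the forwarders list, not on a DC's NIC")
        elif info["failures"]:
            out.append(f"{ip}: unexpected internal address with failures")
    return out


if __name__ == "__main__":
    summary = parse_dns_summary(SAMPLE_DCDIAG)
    for line in findings(summary, {"192.168.0.3", "192.168.0.5"}):
        print(line)
```

Searching the dump for "fail" by hand, as John did, finds the same lines; the point of parsing is that the root-server entries are separated from the internal ones, so a failure on 192.168.0.3 or 192.168.0.5 stands out instead of being buried among thirteen root-hint failures.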
Re: Domain Replica [message #163908 is a reply to message #163905] Tue, 09 June 2009 19:45
aceman:
"John" <a> wrote in message news:OE7K8ZV6JHA.6004@TK2MSFTNGP02.phx.gbl...
> Thanks to both for your quick reply.
> more below...
>
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:OEsw6AV6JHA.3860@TK2MSFTNGP05.phx.gbl...
>>
>> (dcdiag /c /v /e) and work from there. If there are old domain
>> controllers in AD you will want to precisely follow the metadata cleanup
>> process to completely and correctly remove all the old links.
>
> I ran the above command and dumped the result to a text file. Then I opened
> the text file and did the following:
>
> 1) Search for a string (old server names). Nothing found.
> 2) Search for "fail" without quotes. Here's the result (not sure if this
> is normal):
>
> Summary of test results for DNS servers used by the above domain
> controllers:
>
> DNS server: 128.63.2.53 (h.root-servers.net.)
> 2 test failures on this DNS server
> This is not a valid DNS server. PTR record query for the
> 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
> [Error details: 9003 (Type: Win32 - Description: DNS name does
> not exist.)]
>
> DNS server: 128.8.10.90 (d.root-servers.net.)
> 2 test failures on this DNS server
> This is not a valid DNS server. PTR record query for the
> 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
> [Error details: 9003 (Type: Win32 - Description: DNS name does
> not exist.)]
> ...
> ...
> and so on. All root hint DNS servers show up like the 2 errors shown
> above. The internal DNS test show up fine:
>
> DNS server: 192.168.0.3 (<name unavailable>)
> All tests passed on this DNS server
> This is a valid DNS server.
> Name resolution is functional. _ldap._tcp SRV record for the forest
> root domain is registered
>
> There are no other FAILs other than Forwarders. Note: I didn't configure
> DNS to use forwarders.
>
> Here's how DNS is configured (default gateway omitted):
>
> Server1
> IP 192.168.0.3
> Preferred DNS 192.168.0.3
> Alternate DNS 192.168.0.5
>
> Server2
> IP 192.168.0.5
> Preferred DNS 192.168.0.3
> Alternate DNS 192.168.0.5
>
> More info (several different boot results)
>
> Turn on Server1 when Server2 is OFF - it takes about 15 minutes to get to
> Press CTRL ALT DEL to logon
>
> Turn on Server1 when Server2 is already running for hours - it takes
> about 3 minutes to get to Press CTRL ALT DEL to logon
>
> Turn on Server1 and Server2 at the same time - both servers take about 15
> minutes to get to Press CTRL ALT DEL to logon
>
> Turn on Server2 when Server1 is already running for hours - it takes about
> 3 minutes to get to Press CTRL ALT DEL to logon
>
> Of course if I restart one of the servers when the other is already up and
> running, boot time is normal (that is, doesn't take 15 minutes to get to
> logon prompt).
>
> Sorry for the long post.
>


First, the best practice is to point to itself as the first entry, and a
partner DC as the second entry.

What's bothering me is seeing the following two Root servers in the dcdiag
errors.
DNS server: 128.63.2.53 (h.root-servers.net.)
DNS server: 128.8.10.90 (d.root-servers.net.)

This may be indicative of an older Root list. Configure two forwarders, one
for 4.2.2.2 and the other 4.2.2.3. Rerun dcdiag.

Also, there's a reference to the loopback address. That usually comes up
when the loopback is used as a DNS address. Are there any listed under IP
Properties, Advanced button?

I didn't see as such, but I have to ask, are any of these multihomed or have
RRAS installed?

Also, create a reverse zone for 192.168.0.0. That will eliminate any reverse
lookup (PTR) errors.

Please run a sample nslookup for one DC from the other, as well as one to
yahoo.com, and post the results.

Thanks,


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
Re: Domain Replica [message #163942 is a reply to message #163905] Wed, 10 June 2009 09:27
meiweb(nospam):
Hello John,

I agree with Ace's suggestions and tips about forwarders and the older root
DNS servers listed. Configure the preferred NIC to itself and the secondary
to the other DNS server. If both servers are down and you start up, the long
time is ok: not optimal, but no problem. The servers search during startup
for a DNS server, and even if pointed to itself the DNS server service needs
a long time to start, so that's the reason for the long boot time when no
DNS server is available. Best option is to shut down only one server at a
time.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thanks to both for your quick reply.
> more below...
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:OEsw6AV6JHA.3860@TK2MSFTNGP05.phx.gbl...
>
>> (dcdiag /c /v /e) and work from there. If there are old domain
>> controllers in AD you will want to precisely follow the metadata
>> cleanup process to completely and correctly remove all the old links.
>>
> I ran the above command and dumped the result to a text file. Then I
> opened the text file and did the following:
>
> 1) Search for a string (old server names). Nothing found.
> 2) Search for "fail" without quotes. Here's the result (not sure if
> this is
> normal):
> Summary of test results for DNS servers used by the above domain
> controllers:
>
> DNS server: 128.63.2.53 (h.root-servers.net.)
> 2 test failures on this DNS server
> This is not a valid DNS server. PTR record query for the
> 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
> [Error details: 9003 (Type: Win32 - Description: DNS name
> does
> not exist.)]
> DNS server: 128.8.10.90 (d.root-servers.net.)
> 2 test failures on this DNS server
> This is not a valid DNS server. PTR record query for the
> 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
> [Error details: 9003 (Type: Win32 - Description: DNS name
> does
> not exist.)]
> ...
> ...
> and so on. All root hint DNS servers show up like the 2 errors shown
> above.
> The internal DNS test show up fine:
> DNS server: 192.168.0.3 (<name unavailable>)
> All tests passed on this DNS server
> This is a valid DNS server.
> Name resolution is functional. _ldap._tcp SRV record for the
> forest
> root domain is registered
> There are no other FAILs other than Forwarders. Note: I didn't
> configure DNS to use forwarders.
>
> Here's how DNS is configured (default gateway omitted):
>
> Server1
> IP 192.168.0.3
> Preferred DNS 192.168.0.3
> Alternate DNS 192.168.0.5
> Server2
> IP 192.168.0.5
> Preferred DNS 192.168.0.3
> Alternate DNS 192.168.0.5
> More info (several different boot results)
>
> Turn on Server1 when Server2 is OFF - it takes about 15 minutes to get
> to Press CTRL ALT DEL to logon
>
> Turn on Server1 when Server2 is already running for hours - it takes
> about 3 minutes to get to Press CTRL ALT DEL to logon
>
> Turn on Server1 and Server2 at the same time - both servers take about
> 15 minutes to get to Press CTRL ALT DEL to logon
>
> Turn on Server2 when Server1 is already running for hours - it takes
> about 3 minutes to get to Press CTRL ALT DEL to logon
>
> Of course if I restart one of the servers when the other is already up
> and running, boot time is normal (that is, doesn't take 15 minutes to
> get to logon prompt).
>
> Sorry for the long post.
>
Re: Domain Replica [message #163956 is a reply to message #163908] Wed, 10 June 2009 12:46
aceman:
"John" <a> wrote in message news:ejo77oe6JHA.5012@TK2MSFTNGP05.phx.gbl...
>
> "Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
> wrote in message news:eIzqqxV6JHA.1420@TK2MSFTNGP04.phx.gbl...
>>
>> First, the best practice is to point to itself as the first entry, and a
>> partner DC as the second entry.
>
> In the past I got preferred DNS set to point to itself and Alternate DNS
> to the other server. That didn't solve my long boot time problem. It took
> 15 minutes to get to the logon prompt when both servers are switched on at
> the same time. It does look like it's waiting for a functioning DNS box.
> Unfortunately DNS service happens to take at least 10-15 minutes to start.
> I have no idea why.
>
>> What's bothering me is seeing the following two Root servers in the
>> dcdiag errors.
>> DNS server: 128.63.2.53 (h.root-servers.net.)
>> DNS server: 128.8.10.90 (d.root-servers.net.)
>> This may be indicative of an older Root list.
>
> I realized that they point to old IPs but unsure how to update them to
> point to new IPs. Where do I get new IPs from?
>
>> Also, there's a reference to the loopback address. That usually comes up
>> when the loopback is used as a DNS address. Are there any listed under IP
>> Properties, Advanced button?
>
> None. There's no 127.0.0.1 in the DNS tab (Advanced button).
>
>> I didn't see as such, but I have to ask, are any of these multihomed or
>> have RRAS installed?
>
> The server comes with 2 NICs but I disabled one of them in Device Manager
> right after installing Windows Server. So the answer is no, there's no
> RRAS installed and it's not a multihomed server.
>
>> Also, create a reverse zone for 192.168.0.0. That will eliminate any
>> reverse lookup (PTR) errors.
>
> It's already there... DNS - Reverse Lookup Zones - 0.168.192.in-addr.arpa
>
>> Please run a sample nslookup for one DC from the other, as well as one to
>> yahoo.com, and post the results.
>
> NSLOOKUP is executed on Server1. Here's the result:
>
> C:\>nslookup Server2
> Server: Server1.domain-name.com
> Address: 192.168.0.3
>
> Name: Server2.domain-name.com
> Address: 192.168.0.5
>
> ---------------------
>
> C:\>nslookup yahoo.com
> Server: Server1.domain-name.com
> Address: 192.168.0.3
>
> Name: yahoo.com
> Addresses: 209.191.93.53, 69.147.114.224, 209.131.36.159
>



Hmm, nslookup looks good. Maybe it's just the Root issues. Take a look at
this to update the Roots on a 2003 box.

How to troubleshoot DNS name resolution on the Internet in Windows ...To
update root hints on a Windows Server 2003-based DNS server that is
configured as a domain controller: Click Start, point to Administrative
Tools, ...
http://support.microsoft.com/kb/816567

Ace
Re: Domain Replica [message #163958 is a reply to message #163892] Wed, 10 June 2009 12:48
meiweb(nospam):
Hello John,

When starting with all DCs/DNS down, this time is normal. Prevent it if possible,
or have another DNS machine available for the first server to start, maybe in
another site, and also listed on the NIC.

The root hints you can update this way:
http://technet.microsoft.com/en-us/library/cc757965.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "Ace Fekay [Microsoft Certified Trainer]"
> <aceman@mvps.RemoveThisPart.org> wrote in message
> news:eIzqqxV6JHA.1420@TK2MSFTNGP04.phx.gbl...
>
>> First, the best practice is to point to itself as the first entry,
>> and a partner DC as the second entry.
>>
> In the past I got preferred DNS set to point to itself and Alternate
> DNS to the other server. That didn't solve my long boot time problem.
> It took 15 minutes to get to the logon prompt when both servers are
> switched on at the same time. It does look like it's waiting for a
> functioning DNS box. Unfortunately DNS service happens to take at
> least 10-15 minutes to start. I have no idea why.
>
>> What's bothering me is seeing the following two Root servers in the
>> dcdiag
>> errors.
>> DNS server: 128.63.2.53 (h.root-servers.net.)
>> DNS server: 128.8.10.90 (d.root-servers.net.)
>> This may be indicative of an older Root list.
> I realized that they point to old IPs but unsure how to update them to
> point to new IPs. Where do I get new IPs from?
>
>> Also, there's a reference to the loopback address. That usually comes
>> up when the loopback is used as a DNS address. Are there any listed
>> under IP Properties, Advanced button?
>>
> None. There's no 127.0.0.1 in the DNS tab (Advanced button).
>
>> I didn't see as such, but I have to ask, are any of these multihomed
>> or have RRAS installed?
>>
> The server comes with 2 NICs but I disabled one of them in Device
> Manager right after installing Windows Server. So the answer is no,
> there's no RRAS installed and it's not a multihomed server.
>
>> Also, create a reverse zone for 192.168.0.0. That will eliminate any
>> reverse lookup (PTR) errors.
>>
> It's already there... DNS - Reverse Lookup Zones -
> 0.168.192.in-addr.arpa
>
>> Please run a sample nslookup for one DC from the other, as well as
>> one to yahoo.com, and post the results.
>>
> NSLOOKUP is executed on Server1. Here's the result:
>
> C:\>nslookup Server2
> Server: Server1.domain-name.com
> Address: 192.168.0.3
> Name: Server2.domain-name.com
> Address: 192.168.0.5
> ---------------------
>
> C:\>nslookup yahoo.com
> Server: Server1.domain-name.com
> Address: 192.168.0.3
> Name: yahoo.com
> Addresses: 209.191.93.53, 69.147.114.224, 209.131.36.159
Re: Domain Replica [message #163959 is a reply to message #163942] Wed, 10 June 2009 13:00
John:
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662734a8cbb7f70b3393eb@msnews.microsoft.com...
>
> If both servers are down and you start up, the long time is ok: not
> optimal, but no problem.

That's exactly what I'm troubleshooting. So you're saying this is normal
behavior? Slow startup occurs when BOTH of them are OFF then switched on
simultaneously or one at a time (doesn't really matter what order). If I
restart either one when the other is already running... there's no problem
(ie: fast startup).

I'd also like to make sure that both servers aren't searching for old
WinServer 2003 (or maybe old NT4 servers) that don't exist any longer.
That's why my first post asked about DomainReplica entry in ADSI Edit. Not
sure if that is contributing to the slow start. It definitely has an entry
of an old WinServer 2003.

> The servers search during startup for a DNS server, and even if pointed to
> itself the DNS server service needs a long time to start, so that's the
> reason for the long boot time when no DNS server is available.

That's what I suspect too. DNS server service takes about 10 minutes to
start.

There's about 10 minutes between the following EVENTS:

FROM

Event Source: EventLog
Event ID: 6009
Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor Free.

TO

Event Source: DNS
Event ID: 2
The DNS server has started.

> Best option is to shutdown only one server at a time.

Of course. However, in rare cases when there's an extended power outage,
both servers automatically shutdown on their own. When electricity comes
back on, both servers take forever to get to Press CTRL ALT DEL to logon.
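To put a number on the gap John measured between event 6009 (system boot) and DNS event 2 ("The DNS server has started"), the following added example, which is not from the thread, walks an exported System log and reports, per boot, how long the DNS Server service took to start. The CSV lines are constructed; the column names `Time,Source,EventID,Description` are an assumption about the export format, so adapt `parse_events()` to what Event Viewer actually writes, and the 5-minute threshold is a chosen value, not anything the thread states.

```python
"""Per-boot delay between the boot marker (EventLog 6009) and the DNS Server
service reporting started (DNS 2), from an exported System log.

Added example, not from the thread. SAMPLE_SYSTEM_LOG is constructed; the
column layout is an assumption about the CSV export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: two boots of one DC. The first boot (both DCs down)
# shows the roughly ten-minute gap John describes; the second (partner DC
# already up) is quick.
SAMPLE_SYSTEM_LOG = """\
Time,Source,EventID,Description
2009-06-09 07:00:12,EventLog,6009,Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor Free.
2009-06-09 07:00:15,EventLog,6005,The Event log service was started.
2009-06-09 07:10:20,DNS,2,The DNS server has started.
2009-06-09 19:30:02,EventLog,6009,Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor Free.
2009-06-09 19:30:05,EventLog,6005,The Event log service was started.
2009-06-09 19:31:10,DNS,2,The DNS server has started.
"""

BOOT = ("EventLog", 6009)
DNS_STARTED = ("DNS", 2)


def parse_events(text):
    """Return a time-sorted list of (timestamp, source, event_id)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S"),
                     row["Source"], int(row["EventID"])))
    rows.sort()
    return rows


def dns_start_delays(events):
    """For each boot marker, seconds until the next 'DNS server has started'
    within that boot. Returns [(boot_time, delay_seconds or None)]."""
    out = []
    boots = [e for e in events if (e[1], e[2]) == BOOT]
    for i, (t0, _, _) in enumerate(boots):
        # Only look at events before the following boot marker.
        t_end = boots[i + 1][0] if i + 1 < len(boots) else None
        delay = None
        for t, src, eid in events:
            if t < t0 or (t_end is not None and t >= t_end):
                continue
            if (src, eid) == DNS_STARTED:
                delay = (t - t0).total_seconds()
                break
        out.append((t0, delay))
    return out


def slow_boots(events, threshold=timedelta(minutes=5)):
    """Boots where DNS took at least `threshold` to start, or never started."""
    return [(t0, d) for t0, d in dns_start_delays(events)
            if d is None or d >= threshold.total_seconds()]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SYSTEM_LOG)
    for t0, d in dns_start_delays(evs):
        print(f"boot {t0:%Y-%m-%d %H:%M:%S}: DNS started after "
              f"{'never' if d is None else f'{d/60:.1f} min'}")
```

A boot with `None` as the delay means the DNS Server service never logged a start before the next boot marker, which is a different problem from a slow start and worth listing separately.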
Re: Domain Replica [message #163960 is a reply to message #163908] Wed, 10 June 2009 12:40
John:
"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:eIzqqxV6JHA.1420@TK2MSFTNGP04.phx.gbl...
>
> First, the best practice is to point to itself as the first entry, and a
> partner DC as the second entry.

In the past I got preferred DNS set to point to itself and Alternate DNS to
the other server. That didn't solve my long boot time problem. It took 15
minutes to get to the logon prompt when both servers are switched on at the
same time. It does look like it's waiting for a functioning DNS box.
Unfortunately DNS service happens to take at least 10-15 minutes to start. I
have no idea why.

> What's bothering me is seeing the following two Root servers in the dcdiag
> errors.
> DNS server: 128.63.2.53 (h.root-servers.net.)
> DNS server: 128.8.10.90 (d.root-servers.net.)
> This may be indicative of an older Root list.

I realized that they point to old IPs but unsure how to update them to point
to new IPs. Where do I get new IPs from?

> Also, there's a reference to the loopback address. That usually comes up
> when the loopback is used as a DNS address. Are there any listed under IP
> Properties, Advanced button?

None. There's no 127.0.0.1 in the DNS tab (Advanced button).

> I didn't see as such, but I have to ask, are any of these multihomed or
> have RRAS installed?

The server comes with 2 NICs but I disabled one of them in Device Manager
right after installing Windows Server. So the answer is no, there's no RRAS
installed and it's not a multihomed server.

> Also, create a reverse zone for 192.168.0.0. That will eliminate any
> reverse lookup (PTR) errors.

It's already there... DNS - Reverse Lookup Zones - 0.168.192.in-addr.arpa

> Please run a sample nslookup for one DC from the other, as well as one to
> yahoo.com, and post the results.

NSLOOKUP is executed on Server1. Here's the result:

C:\>nslookup Server2
Server: Server1.domain-name.com
Address: 192.168.0.3

Name: Server2.domain-name.com
Address: 192.168.0.5

---------------------

C:\>nslookup yahoo.com
Server: Server1.domain-name.com
Address: 192.168.0.3

Name: yahoo.com
Addresses: 209.191.93.53, 69.147.114.224, 209.131.36.159
Re: Domain Replica [message #163961 is a reply to message #163956] Wed, 10 June 2009 13:28
John:
I looked at the KB article below, particularly the "On a domain controller"
section. It says:

- Add a root server to the list.
- Copy the root hints from another DNS server

There's an Edit button but the article doesn't mention anything about
editing the entry. Are we not allowed to edit root hints IP entries? I
suppose I can try it myself but I'm afraid that I'll break something if I do
without asking the experts first.

"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:ehavDse6JHA.5828@TK2MSFTNGP04.phx.gbl...
>
> Hmm, nslookup looks good. Maybe it's just the Root issues. Take a look at
> this to update the Roots on a 2003 box.
>
> How to troubleshoot DNS name resolution on the Internet in Windows ...To
> update root hints on a Windows Server 2003-based DNS server that is
> configured as a domain controller: Click Start, point to Administrative
> Tools, ...
> http://support.microsoft.com/kb/816567
>
> Ace
>
Re: Domain Replica [message #163962 is a reply to message #163959] Wed, 10 June 2009 13:25
meiweb(nospam):
Hello John,

If old machines are used to try connecting, use the article I provided before.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb662734a8cbb7f70b3393eb@msnews.microsoft.com...
>
>> If both servers are down and you start up, the long time is ok: not
>> optimal, but no problem.
>>
> That's exactly what I'm troubleshooting. So you're saying this is
> normal behavior? Slow startup occurs when BOTH of them are OFF then
> switched on simultaneously or one at a time (doesn't really matter
> what order). If I restart either one when the other is already
> running... there's no problem (ie: fast startup).
>
> I'd also like to make sure that both servers aren't searching for old
> WinServer 2003 (or maybe old NT4 servers) that don't exist any longer.
> That's why my first post asked about DomainReplica entry in ADSI Edit.
> Not sure if that is contributing to the slow start. It definitely has
> an entry of an old WinServer 2003.
>
>> The servers search during startup for a DNS server, and even if
>> pointed to itself the DNS server service needs a long time to start,
>> so that's the reason for the long boot time when no DNS server is
>> available.
>>
> That's what I suspect too. DNS server service takes about 10 minutes
> to start.
>
> There's about 10 minutes between the following EVENTS:
>
> FROM
>
> Event Source: EventLog
> Event ID: 6009
> Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor
> Free.
> TO
>
> Event Source: DNS
> Event ID: 2
> The DNS server has started.
>> Best option is to shutdown only one server at a time.
>>
> Of course. However, in rare cases when there's an extended power
> outage, both servers automatically shutdown on their own. When
> electricity comes back on, both servers take forever to get to Press
> CTRL ALT DEL to logon.
>
Re: Domain Replica [message #163963 is a reply to message #163961] Wed, 10 June 2009 13:36
John:
A couple of root hints IP addresses at
http://support.microsoft.com/kb/816567 do not match those listed at
http://www.internic.net/zones/named.root

I'm not sure which one to trust.

"John" <a> wrote in message news:%23DdaUDf6JHA.1712@TK2MSFTNGP03.phx.gbl...
>I looked at the KB article below, particularly the "On a domain controller"
>section. It says:
>
> - Add a root server to the list.
> - Copy the root hints from another DNS server
>
> There's an Edit button but the article doesn't mention anything about
> editing the entry. Are we not allowed to edit root hints IP entries? I
> suppose I can try it myself but I'm afraid that I'll break something if I
> do without asking the experts first.
>
> "Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
> wrote in message news:ehavDse6JHA.5828@TK2MSFTNGP04.phx.gbl...
>>
>> Hmm, nslookup looks good. Maybe it's just the Root issues. Take a look at
>> this to update the Roots on a 2003 box.
>>
>> How to troubleshoot DNS name resolution on the Internet in Windows ...To
>> update root hints on a Windows Server 2003-based DNS server that is
>> configured as a domain controller: Click Start, point to Administrative
>> Tools, ...
>> http://support.microsoft.com/kb/816567
>>
>> Ace
>>
>
>
Re: Domain Replica [message #163965 is a reply to message #163959] Wed, 10 June 2009 14:41
From: aceman (United States)
"John" <a> wrote in message news:eCl2yze6JHA.5008@TK2MSFTNGP05.phx.gbl...
>
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb662734a8cbb7f70b3393eb@msnews.microsoft.com...
>>
>> If both servers are down and you start up the long time is ok, not
>> optimal, but no problem.
>
> That's exactly what I'm troubleshooting. So you're saying this is normal
> behavior? Slow startup occurs when BOTH of them are OFF then switched on
> simultaneously or one at a time (doesn't really matter what order). If I
> restart either one when the other is already running... there's no problem
> (ie: fast startup).
>
> I'd also like to make sure that both servers aren't searching for old
> WinServer 2003 (or maybe old NT4 servers) that don't exist any longer.
> That's why my first post asked about DomainReplica entry in ADSI Edit. Not
> sure if that is contributing to the slow start. It definitely has an entry
> of an old WinServer 2003.
>
>> The servers search during startup for a DNS server and even if pointed to
>> itself the DNS server service needs long time to start and so that's the
>> reason for long boot time when none DNS server is available.
>
> That's what I suspect too. DNS server service takes about 10 minutes to
> start.
>
> There's about 10 minutes between the following EVENTS:
>
> FROM
>
> Event Source: EventLog
> Event ID: 6009
> Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor Free.
>
> TO
>
> Event Source: DNS
> Event ID: 2
> The DNS server has started.
>
>> Best option is to shutdown only one server at a time.
>
> Of course. However, in rare cases when there's an extended power outage,
> both servers automatically shutdown on their own. When electricity comes
> back on, both servers take forever to get to Press CTRL ALT DEL to logon.
>


I see, so you're wondering why the long boot when both are down. So it may
actually be it's looking for a DC no longer in existence. Follow the article
Meinolf posted.

Also, yes, you still want to point to itself first.

Here is a little info on how the DNS resolver works with regards to the
order of DNS servers and how they are used:
======================================================================================================
DNS Client side Resolver service Query Process


If the server gets a response, even if it is a negative ('not found')
response, it's a response and will not go to the alternate. If after the
query to the first one times out (after 3 tries), it removes it from the
'eligible' resolvers list and then goes to the next one in the order listed.
It will not go back to the first one until a specified timeout period (read
first link below) unless one of three other things happen: restart the
machine, restart the DNS Client Service or DHCP Client Service, or set a reg
entry to force the TTL to reset the list after each query.

Sorry about all the links. They all give little but in some cases not the
whole picture. The DNS Whitepaper is pretty good to start with.

How DNS Works: DNS Resolution, Client Side Resolver (Time out period,
devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

How DNS Works: DNS Resolution, Client Side Resolver (Time out period,
devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the
Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx

DNS Resolver Cache Service [including NetFailureCacheTime and
NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

286834 - DNS Client Service Doesn't Revert to Using First Server in List
[explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 - Explanation of the Server List Management Feature in the Domain
Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver
uses - (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550


------

DNS Forwarder Resolution and Time Out Process:

Information on how a DNS Forwarder time-out works with using multiple
Forwarder:

Keep in mind, if you have too many forwarders listed, and only one is
recommended (I believe 6 is the most it will use), the client side resolver
may time out waiting for the 4th forwarder to get queried and will go to the
next DNS server listed in the client's IP properties.

Configure a DNS server to use forwarders (you can change the time-out
period)
http://technet.microsoft.com/en-us/library/cc773370.aspx

Good post by Kevin Goodnecht explaining the forwarders time out and
scenarios with too many Forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html
quoted from above link:
"Actually, the DNS service will stick to the Forwarder that provides an
answer, no matter where it is in the list, if one forwarder times out(no
answer) it will move to the next forwarder in the list, if the next
forwarder provides an answer it uses it until it times out. The problem for
you is, that it may not get back around to the first forwarder, before the
Forwarding timeout expires, and it starts using recursion itself and goes to
the root hints.

Now, if you check the box "Do not use recursion" the DNS server will use
only its forwarders, and will not use root hints. But this cannot guarantee
that one of the other servers being used as a forwarder answer the query,

I recommend that if there is a domain that cannot be reached through the
internet root, that you add a secondary zone for that domain on the Win2k
DNS server."
----
By Ace Fekay:
DNS acts as a resolving client when it uses a Forwarder because as the
explanation indicated, it is sending the request elsewhere, essentially
offloading the request so it doesn't have to hit the Roots to devolve the
query. If there are multiple Forwarders, DNS will hit each Forwarder. If it
runs out of Forwarders, only then will it use the Roots, unless the checkbox
to disable recursion is set under the Forwarders tab (not the Advanced tab).
But then that all takes time. Keep in mind there is a time out that a client
will wait, so if the original client request that sent it to your DNS server
is waiting beyond the time out period, and the DNS server is waiting on it's
resolution request from a Forwarder, and the time out period is reached and
no response is received, the client will assume that the DNS address that it
used is no good and will remove it from the 'eligible resolvers list' and
then query the second one.

So for all practical purposes, I never set more than two Forwarders,
otherwise what's the use? If the first two can't resolve it, it probably is
not resolvable anyway.
======================================================================================================

Ace
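The two behaviours Ace describes above, the client-side resolver's server list (an answer, even a negative one, is final; three timeouts drop a server from the eligible list until a timeout period expires) and a DNS server's forwarder chain (stick with the forwarder that answers, move on when it times out, fall back to the root hints unless recursion is disabled), as an added simulation. This is example code, not Ace's or Microsoft's; only the three retries come from the post, while the per-try timeout, the backoff before a dropped server is retried, and the server names are assumed values.

```python
"""Toy model of the Windows DNS client resolver server list and of a DNS
server's forwarder chain, as described in the post above. Constructed
simulation, not Windows code; all timings are assumed values."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# ask(server, name) returns "found", "nxdomain", or None for no reply (timeout).
AskFn = Callable[[str, str], Optional[str]]

RETRIES_PER_SERVER = 3  # "after 3 tries" in the post above


@dataclass
class ClientResolver:
    """Client-side resolver server-list handling (toy model)."""
    servers: List[str]                      # order as listed in the NIC's IP properties
    per_try_timeout: float = 1.0            # assumed simulated seconds per unanswered attempt
    backoff: float = 30.0                   # assumed "specified timeout period" before reverting
    clock: float = 0.0                      # simulated time
    ineligible_until: Dict[str, float] = field(default_factory=dict)

    def reset(self) -> None:
        """What a DNS Client service restart does: every server is eligible again."""
        self.ineligible_until.clear()

    def query(self, name: str, ask: AskFn) -> Tuple[Optional[str], Optional[str], int]:
        """Returns (answer, server that answered, attempts made)."""
        attempts = 0
        for addr in self.servers:
            if self.ineligible_until.get(addr, 0.0) > self.clock:
                continue                            # still dropped from the eligible list
            for _ in range(RETRIES_PER_SERVER):
                attempts += 1
                answer = ask(addr, name)
                if answer is not None:              # a negative answer is still an answer
                    return answer, addr, attempts
                self.clock += self.per_try_timeout
            # three timeouts: remove this server from the list until the backoff expires
            self.ineligible_until[addr] = self.clock + self.backoff
        return None, None, attempts


@dataclass
class ForwardingServer:
    """DNS server forwarder chain (toy model)."""
    forwarders: List[str]
    use_root_hints: bool = True             # False = "Do not use recursion" box checked
    preferred: Optional[str] = None         # the forwarder that last provided an answer

    def resolve(self, name: str, ask: AskFn) -> Tuple[Optional[str], str]:
        """Returns (answer, source); source is a forwarder, 'root-hints' or 'none'."""
        order = list(self.forwarders)
        if self.preferred in order:             # stick to the forwarder that answered last time
            order.remove(self.preferred)
            order.insert(0, self.preferred)
        for fwd in order:
            answer = ask(fwd, name)
            if answer is not None:
                self.preferred = fwd
                return answer, fwd
        if self.use_root_hints:                 # forwarders exhausted: recurse from the roots
            return ask("root-hints", name), "root-hints"
        return None, "none"


def boot_scenario() -> List[int]:
    """Constructed scenario from the thread: a DC whose primary DNS is a
    server whose DNS service has not started yet, with a second DC as alternate.
    Returns the attempts each of three successive queries needed."""
    dns_up = {"server1": False, "server2": True}

    def ask(server: str, name: str) -> Optional[str]:
        return "found" if dns_up.get(server) else None

    r = ClientResolver(servers=["server1", "server2"])
    srv = "_ldap._tcp.dc._msdcs.companyname.com"
    first = r.query(srv, ask)[2]      # three timeouts on server1, then server2 answers
    second = r.query(srv, ask)[2]     # server1 is skipped, server2 answers at once
    r.clock += r.backoff              # the backoff expires
    third = r.query(srv, ask)[2]      # server1 is retried and times out again
    return [first, second, third]


if __name__ == "__main__":
    print(boot_scenario())
```

The model makes the thread's symptom visible: every fresh query pays the full retry cost on the unreachable first server, then skips it only until the backoff expires, so the whole boot is a series of such waits rather than one. Pointing Server2 at Server1 helps only when Server1's DNS service is already answering; when both boot together neither has an answering first server.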
Re: Domain Replica [message #163975 is a reply to message #163965] Wed, 10 June 2009 17:04
From: John (United States)
Oh my... so many articles to read. I need several days to read them.

Anyway, Meinolf says that long boot time is a normal behavior when all
servers are off then switched on. Based on your experience, is this what is
expected?

As I understand it there's no way to search through ADSIEdit for a string
(eg: OldServerName)? Btw, back to my original post topic, in a single AD
domain with 2 DC controllers, what should the value of domainReplica be? I
don't understand why it contains a value of my old server name. If I recall
correctly, I demoted that server properly before taking it offline for good.

"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:eBLKIsf6JHA.1420@TK2MSFTNGP04.phx.gbl...
>
> I see, so you're wondering why the long boot when both are down. So it may
> actually be it's looking for a DC no longer in existence. Follow the
> article Meinolf posted.
>
> Also, yes, you still want to point to itself first.
>
> Here is a little info on how the DNS resolver works with regards to the
> order of DNS servers and how they are used:
> ======================================================================================================
> DNS Client side Resolver service Query Process
>
>
> If the server gets a response, even if it is a negative ('not found')
> response, it's a response and will not go to the alternate. If after the
> query to the first one times out (after 3 tries), it removes it from the
> 'eligible' resolvers list and then goes to the next one in the order
> listed. It will not go back to the first one until a specified timeout
> period (read first link below) unless one of three other things happen:
> restart the machine, restart the DNS Client Service or DHCP Client
> Service, or set a reg entry to force the TTL to reset the list after each
> query.
>
> Sorry about all the links. They all give little but in some cases not the
> whole picture. The DNS Whitepaper is pretty good to start with.
>
> How DNS Works: DNS Resolution, Client Side Resolver (Time out period,
> devolution, and much more)
> http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc
>
> How DNS Works: DNS Resolution, Client Side Resolver (Time out period,
> devolution, and much more)
> http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc
>
> W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling
> the Caching Resolver:
> http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
>
> How DNS query works Domain Name System(DNS):
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx
>
> DNS Resolver Cache Service [including NetFailureCacheTime and
> NegativeCacheTime reg entries]:
> http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp
>
> 286834 - DNS Client Service Doesn't Revert to Using First Server in List
> [explained in the DNS white papers] reg to alter it too:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;286834
>
> 261968 - Explanation of the Server List Management Feature in the Domain
> Name Resolver Client:
> http://support.microsoft.com/?id=261968
>
> SP4 Changes DNS Name Resolution - Actual Query Timeout settings the
> resolver uses - (XP too):
> http://support.microsoft.com/default.aspx?scid=kb;en-us;198550
>
>
> ------
>
> DNS Forwarder Resolution and Time Out Process:
>
> Information on how a DNS Forwarder time-out works with using multiple
> Forwarder:
>
> Keep in mind, if you have too many forwarders listed, and only one is
> recommended (I believe 6 is the most it will use), the client side
> resolver may time out waiting for the 4th forwarder to get queried and
> will go to the next DNS server listed in the client's IP properties.
>
> Configure a DNS server to use forwarders (you can change the time-out
> period)
> http://technet.microsoft.com/en-us/library/cc773370.aspx
>
> Good post by Kevin Goodnecht explaining the forwarders time out and
> scenarios with too many Forwarders listed.
> http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html
> quoted from above link:
> "Actually, the DNS service will stick to the Forwarder that provides an
> answer, no matter where it is in the list, if one forwarder times out(no
> answer) it will move to the next forwarder in the list, if the next
> forwarder provides an answer it uses it until it times out. The problem for
> you is, that it may not get back around to the first forwarder, before the
> Forwarding timeout expires, and it starts using recursion itself and goes to
> the root hints.
>
> Now, if you check the box "Do not use recursion" the DNS server will use
> only its forwarders, and will not use root hints. But this cannot guarantee
> that one of the other servers being used as a forwarder answer the query,
>
> I recommend that if there is a domain that cannot be reached through the
> internet root, that you add a secondary zone for that domain on the Win2k
> DNS server."
> ----
> By Ace Fekay:
> DNS acts as a resolving client when it uses a Forwarder because as the
> explanation indicated, it is sending the request elsewhere, essentially
> offloading the request so it doesn't have to hit the Roots to devolve the
> query. If there are multiple Forwarders, DNS will hit each Forwarder. If
> it runs out of Forwarders, only then will it use the Roots, unless the
> checkbox to disable recursion is set under the Forwarders tab (not the
> Advanced tab). But then that all takes time. Keep in mind there is a time
> out that a client will wait, so if the original client request that sent
> it to your DNS server is waiting beyond the time out period, and the DNS
> server is waiting on it's resolution request from a Forwarder, and the
> time out period is reached and no response is received, the client will
> assume that the DNS address that it used is no good and will remove it
> from the 'eligible resolvers list' and then query the second one.
>
> So for all practical purposes, I never set more than two Forwarders,
> otherwise what's the use? If the first two can't resolve it, it probably
> is not resolvable anyway.
> ======================================================================================================
>
> Ace
>
Re: Domain Replica [message #163977 is a reply to message #163958] Wed, 10 June 2009 17:55
From: John (United States)
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66273ae8cbb813217a06eb@msnews.microsoft.com...
> Hello John" a,
>
> When starting with all DC/DNS down this time is normal.

OK so this is the second/third time you say that it's a normal behavior.

> Prevent it if possible

Prevent what? Prevent it from starting so slow? That's exactly what I'm
after.

> or have for the first starting server another DNS machine available maybe
> in another site and also listed on the NIC.

There's only 1 site with 2 servers. Both are domain controllers. I set
Server2 Primary DNS to point to Server1 IP for a reason, that is to get
Server2 to start as quick as it can. That doesn't work as expected. Server2
still takes about 15 minutes to start.

> The root hints you can update this way:
> http://technet.microsoft.com/en-us/library/cc757965.aspx

I can't pull up that article. It keeps timing out on me. Will try again
later. Thanks.
Re: Domain Replica [message #163981 is a reply to message #163975] Wed, 10 June 2009 19:40
From: aceman (United States)
Inline...

"John" <a> wrote in message news:OevvY8g6JHA.4404@TK2MSFTNGP04.phx.gbl...
> Oh my... so many articles to read. I need several days to read them.

At least read my portion of it, which is a good synopsis of how it works.


>
> Anyway, Meinolf says that long boot time is a normal behavior when all
> servers are off then switched on. Based on your experience, is this what
> is expected?

Absolutely.


>
> As I understand it there's no way to search through ADSIEdit for a string
> (eg: OldServerName)? Btw, back to my original post topic, in a single AD
> domain with 2 DC controllers, what should the value of domainReplica be? I
> don't understand why it contains a value of my old server name. If I
> recall correctly, I demoted that server properly before taking it offline
> for good.


Look through the SRV records, and you can use NTDSUtil with the Metadata
Cleanup procedure to see what's out there.

Cleanup (Metadata Cleanup) the AD database from the crashed DC - How to
remove data in Active Directory after an unsuccessful domain controller
demotion
http://support.microsoft.com/kb/216498

Ace
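John asks above whether the directory can be searched for a string such as an old server name, and Ace points at the SRV records and at NTDSUtil metadata cleanup. As an added example (not code from either poster, nor Microsoft's tooling), the following builds a properly escaped LDAP filter for the decommissioned server's name, the kind of query you would hand to ldapsearch or ldp.exe before deciding whether metadata cleanup is needed, and groups whatever it finds by the kind of leftover it is. The directory entries, the host name `server1` and the classification rules are constructed for the example; the server name and naming context are the ones quoted in the thread.

```python
"""Locate directory objects that still carry a demoted DC's name.
Added example using only the standard library; the sample directory is
constructed, not taken from the thread."""

from typing import Dict, List

OLD_SERVER = "WinSrv2003"                  # name quoted in the thread
BASE_DN = "DC=companyname,DC=com"          # naming context quoted in the thread


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a name taken from input cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def stale_dc_filter(server_name: str) -> str:
    """Filter matching the attributes that usually still carry a demoted DC's name."""
    n = ldap_escape(server_name)
    return f"(|(cn={n})(name={n})(dNSHostName={n}.*)(sAMAccountName={n}$))"


def ldapsearch_command(host: str, base: str, server_name: str) -> List[str]:
    """argv for an OpenLDAP ldapsearch run (Kerberos via GSSAPI). Run it once per
    partition that may hold leftovers: the domain NC and CN=Configuration."""
    return ["ldapsearch", "-LLL", "-H", f"ldap://{host}", "-Y", "GSSAPI",
            "-b", base, "-s", "sub", stale_dc_filter(server_name), "distinguishedName"]


def classify(dn: str) -> str:
    """Kind of leftover, judged from the DN (constructed rules, case-insensitive)."""
    d = dn.lower()
    if "cn=ntds settings," in d:
        return "ntds-settings"            # replication metadata; what metadata cleanup removes
    if ",cn=servers," in d and ",cn=sites," in d:
        return "site-server-object"       # parent of the NTDS Settings object
    if "cn=microsoftdns," in d:
        return "dns-record"               # AD-integrated DNS node (host or SRV records)
    if ",ou=domain controllers," in d or ",cn=computers," in d:
        return "computer-account"
    return "other"


def find_references(entries: List[Dict[str, str]], server_name: str) -> Dict[str, List[str]]:
    """Offline equivalent of stale_dc_filter over {attribute: value} entries,
    returning {kind: [DN, ...]}. Real runs feed the filter to ldapsearch or ldp.exe."""
    want = server_name.lower()
    hits: Dict[str, List[str]] = {}
    for e in entries:
        v = {k.lower(): val.lower() for k, val in e.items()}
        matched = (v.get("cn") == want or v.get("name") == want
                   or v.get("dnshostname", "").startswith(want + ".")
                   or v.get("samaccountname") == want + "$")
        if matched:
            dn = e["distinguishedName"]
            hits.setdefault(classify(dn), []).append(dn)
    return hits


SAMPLE_DIRECTORY = [  # constructed entries for the example, not from the thread
    {"distinguishedName": "CN=SERVER1,OU=Domain Controllers,DC=companyname,DC=com",
     "cn": "SERVER1", "dNSHostName": "server1.companyname.com", "sAMAccountName": "SERVER1$"},
    {"distinguishedName": "CN=WINSRV2003,OU=Domain Controllers,DC=companyname,DC=com",
     "cn": "WINSRV2003", "dNSHostName": "winsrv2003.companyname.com",
     "sAMAccountName": "WINSRV2003$"},
    {"distinguishedName": "CN=WINSRV2003,CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
                          "CN=Configuration,DC=companyname,DC=com", "cn": "WINSRV2003"},
    {"distinguishedName": "DC=winsrv2003,DC=companyname.com,CN=MicrosoftDNS,CN=System,"
                          "DC=companyname,DC=com", "name": "winsrv2003"},
]


if __name__ == "__main__":
    print(" ".join(ldapsearch_command("server1", BASE_DN, OLD_SERVER)))
    for kind, dns in find_references(SAMPLE_DIRECTORY, OLD_SERVER).items():
        print(kind, dns)
```

A properly demoted DC should leave none of these behind; a surviving server object under CN=Sites (with its NTDS Settings child) is the case KB 216498 above covers. AD-integrated zones stored in the DomainDnsZones or ForestDnsZones application partitions need a separate run with that partition as the base.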
Re: Domain Replica [message #164002 is a reply to message #163908] Thu, 11 June 2009 15:15
From: John (United States)
"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:eIzqqxV6JHA.1420@TK2MSFTNGP04.phx.gbl...
>
> What's bothering me is seeing the following two Root servers in the dcdiag
> errors.
> DNS server: 128.63.2.53 (h.root-servers.net.)
> DNS server: 128.8.10.90 (d.root-servers.net.)
>
> This may be indicative of an older Root list

Older? What's the new IPs?

I compare those IPs to the list at http://www.internic.net/zones/named.root
(last update: Dec 12, 2008). They both match.

I've also compared all other root hints entries from a to m. They all match
what's listed at internic.net. Did they change those IPs in 2009?
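The comparison John does by hand above (configured root hints against the named.root file), as an added example that is not from the thread: it parses the InterNIC file layout (root NS records followed by the servers' A/AAAA glue), then classifies each configured entry as current, stale, missing or unknown. The d and h addresses are the ones quoted in the thread; the remaining addresses and the configured list are constructed (192.0.2.0/24 is a documentation range), and the one stale entry is deliberate.

```python
"""Compare a DNS server's configured root hints with a named.root file.
Added example; the file excerpt and configured list are constructed."""

import re
from typing import Dict, List

NAMED_ROOT_SAMPLE = """\
;       Constructed excerpt in named.root layout, not the real file.
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
"""

# What the DNS console's Root Hints tab might show (constructed: 'a' carries a
# stale address and 'm' is not in the reference excerpt).
CONFIGURED_HINTS: Dict[str, List[str]] = {
    "a.root-servers.net": ["192.0.2.99"],
    "d.root-servers.net": ["128.8.10.90"],
    "h.root-servers.net": ["128.63.2.53"],
    "m.root-servers.net": ["192.0.2.13"],
}

# owner  ttl  [IN]  type  rdata
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(NS|AAAA|A)\s+(\S+)\s*$", re.IGNORECASE)


def parse_named_root(text: str) -> Dict[str, List[str]]:
    """Return {server name (lowercase, no trailing dot): sorted addresses} for
    every server the root zone lists as an NS in the file."""
    ns_names = set()
    addrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()      # drop comments
        m = RECORD_RE.match(line) if line else None
        if not m:
            continue
        owner = m.group(1).lower().rstrip(".")      # "." becomes "" (the root)
        rtype, rdata = m.group(2).upper(), m.group(3)
        if rtype == "NS" and owner == "":
            ns_names.add(rdata.lower().rstrip("."))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata)
    return {n: sorted(addrs.get(n, [])) for n in sorted(ns_names)}


def compare_hints(configured: Dict[str, List[str]],
                  reference: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """ok: addresses agree; stale: server known but addresses differ;
    missing: in the reference but not configured; unknown: configured only."""
    report: Dict[str, List[str]] = {"ok": [], "stale": [], "missing": [], "unknown": []}
    for name in sorted(reference):
        if name not in configured:
            report["missing"].append(name)
        elif sorted(configured[name]) == reference[name]:
            report["ok"].append(name)
        else:
            report["stale"].append(name)
    for name in sorted(configured):
        if name not in reference:
            report["unknown"].append(name)
    return report


if __name__ == "__main__":
    for kind, names in compare_hints(CONFIGURED_HINTS, parse_named_root(NAMED_ROOT_SAMPLE)).items():
        print(f"{kind:8} {names}")
```

To use it on a real server, feed the downloaded named.root to `parse_named_root` and the list from the Root Hints tab to `compare_hints`; any entry outside the `ok` list is worth a look. Because the reference is the published file itself, the check does not depend on which article's copy of the addresses is the more recent.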