I am getting the following from dcdiag - As I have just taken over this
network I am still learning its configuration. We run two DC's (Stihlse1 and
Stihlse2) with two installations of AD on same servers. Problems arose when I
noticed that after adding a new user that the email for this user wasn't
available.

Below the dcdiag info I am adding ipconfig information from each server.

Testing server: Default-First-Site-Name\STIHLSE1
      Starting test: Replications
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Schema,CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup
failure.
            The failure occurred at 2006-03-09 07:44:30.
            The last success occurred at 2006-02-21 14:49:33.
            369 failures have occurred since the last success.
            The guid-based DNS name
d2955723-7b9a-4bf5-911b-8b09b1094d8a._msdcs.stihlse.com
            is not registered on one or more DNS servers.
         [STIHLSE3] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 07:48:36.
            The last success occurred at 2006-02-21 14:49:33.
            428 failures have occurred since the last success.
            The source remains down. Please check the machine.
         REPLICATION-RECEIVED LATENCY WARNING

Stihlse1:

Windows IP Configuration



   Host Name . . . . . . . . . . . . : stihlse1

   Primary Dns Suffix  . . . . . . . : stihlse.com

   Node Type . . . . . . . . . . . . : Unknown

   IP Routing Enabled. . . . . . . . : Yes

   WINS Proxy Enabled. . . . . . . . : Yes

   DNS Suffix Search List. . . . . . : stihlse.com



PPP adapter RAS Server (Dial In) Interface:



   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

   Physical Address. . . . . . . . . : 00-53-45-00-00-00

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 10.0.1.70

   Subnet Mask . . . . . . . . . . . : 255.255.255.255

   Default Gateway . . . . . . . . . :



Ethernet adapter Local Area Connection:



   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter

   Physical Address. . . . . . . . . : 00-0B-CD-E5-A5-4D

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 10.0.1.2

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 10.0.1.254

   DNS Servers . . . . . . . . . . . : 10.0.1.2


Stihlse3:

Windows IP Configuration



   Host Name . . . . . . . . . . . . : stihlse3

   Primary Dns Suffix  . . . . . . . : stihlse.com

   Node Type . . . . . . . . . . . . : Unknown

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : stihlse.com



Ethernet adapter Local Area Connection:



   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter

   Physical Address. . . . . . . . . : 00-14-C2-59-64-CA

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 10.0.1.3

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 10.0.1.254

   DNS Servers . . . . . . . . . . . : 10.0.1.2

You appear to have a DNS related issue (most AD issues have DNS problems as a
root cause!)

1. Check DC DNS config
Point Dcs to other DCs for DNS client name resolution
You have an inconsistent config as per the below
One DC also has IP routing enabled???

2. Check client DNS config
3. Check for presence of DC SRV records
4. Run dcdiag and netdiag in fix mode. This will try to fix the basic DNS
issues.

I would suggest you create a detailed inventory of the environment so you
better understand what you're faced with. Post back with more details.

neil



Show quoteHide quote

Neil,

I'm going through your reply listing now, but wanted to show you this -
soon after the first run I ran dcdiag again and it has changed somewhat -

Testing server: Default-First-Site-Name\STIHLSE1
      Starting test: Replications
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Schema,CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 08:01:38.
            The last success occurred at 2006-02-21 14:49:33.
            370 failures have occurred since the last success.
            [STIHLSE3] DsBindWithSpnEx() failed with error 1722,
            The RPC server is unavailable..
            The source remains down. Please check the machine.
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 08:01:17.
            The last success occurred at 2006-02-21 14:49:33.
            429 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 08:36:28.
            The last success occurred at 2006-03-09 07:54:44.
            8 failures have occurred since the last success.
            The source remains down. Please check the machine.
         REPLICATION-RECEIVED LATENCY WARNING
         STIHLSE1:  Current time is 2006-03-09 08:41:26.
            CN=Schema,CN=Configuration,DC=stihlse,DC=com
               Last replication recieved from STIHLSE3 at 2006-02-21 14:49:33.
            CN=Configuration,DC=stihlse,DC=com
               Last replication recieved from STIHLSE3 at 2006-02-21 14:49:33.

Show quoteHide quote

Neil,

After the first run I decided to rerun dcdiag again and now have this
output -

Testing server: Default-First-Site-Name\STIHLSE1
      Starting test: Replications
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Schema,CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 08:01:38.
            The last success occurred at 2006-02-21 14:49:33.
            370 failures have occurred since the last success.
            [STIHLSE3] DsBindWithSpnEx() failed with error 1722,
            The RPC server is unavailable..
            The source remains down. Please check the machine.
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 08:01:17.
            The last success occurred at 2006-02-21 14:49:33.
            429 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 08:36:28.
            The last success occurred at 2006-03-09 07:54:44.
            8 failures have occurred since the last success.
            The source remains down. Please check the machine.
         REPLICATION-RECEIVED LATENCY WARNING
         STIHLSE1:  Current time is 2006-03-09 08:41:26.
            CN=Schema,CN=Configuration,DC=stihlse,DC=com
               Last replication recieved from STIHLSE3 at 2006-02-21 14:49:33.
            CN=Configuration,DC=stihlse,DC=com
               Last replication recieved from STIHLSE3 at 2006-02-21 14:49:33.

Source DC has timed out trying to contact destination DC.

If you have resolved all DNS issues and network issues, I'm tempted to day
reboot both DCs (out of hours of course!)

One or both may be in a distressed state, due to a bad memory leak, bug or
other issue.

neil




Show quoteHide quote

I'm totally confused...  You don't mention Stihlse3 yet Stihlse1 is trying
to replicate with it.  Then you mention have two installations of AD on same
serers?  What does this mean?  Are you explaining you have a dual boot with
two DC's on each server?

Bring up your DNS and go to
stihlse.com / _msdcs / dc / _tcp /

Check to see how many kerberos records (Service Location (SRV)) you have.
Look in the data columns and see the definitions to see if you recognize all
your servers.  Are there DC'sin there that no longer exist or are there any
missing?  The reason I ask is I wonder if you have lost machines that were
never cleaned up.



Show quoteHide quote

Paul,

Sorry for the confusion - The DC's are on Stihlse1 and Stihlse3 and after
checking the Kerberos records are straight - one for each of the above
servers.

Show quoteHide quote

Paul,
Correct me if I'm wrong but I believe that the problem is with
Stihlse3...any ideas on where to look now?

Show quoteHide quote

Paul, here is Stihlse1's dcdiag /v /c /e  log

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine stihlse1, is a DC.
   * Connecting to directory service on server stihlse1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
    Testing server: Default-First-Site-Name\STIHLSE1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... STIHLSE1 passed test Connectivity

   Testing server: Default-First-Site-Name\STIHLSE3
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         [STIHLSE3] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         ***Error: The machine, STIHLSE3 could not be contacted, because of a

         bad net  response.  Check to make sure that this machine is a Domain

         Controller.
         ......................... STIHLSE3 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\STIHLSE1
      Starting test: Replications
         * Replications Check
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Schema,CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 11:19:14.
            The last success occurred at 2006-02-21 14:49:33.
            374 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: CN=Configuration,DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 11:19:57.
            The last success occurred at 2006-02-21 14:49:33.
            435 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,STIHLSE1] A recent replication attempt failed:
            From STIHLSE3 to STIHLSE1
            Naming Context: DC=stihlse,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2006-03-09 11:20:39.
            The last success occurred at 2006-03-09 07:54:44.
            16 failures have occurred since the last success.
            The source remains down. Please check the machine.
         * Replication Latency Check
            DC=ForestDnsZones,DC=stihlse,DC=com
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=stihlse,DC=com
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc.  0 had no latency information (Win2K DC). 
         REPLICATION-RECEIVED LATENCY WARNING
         STIHLSE1:  Current time is 2006-03-09 11:22:16.
            CN=Schema,CN=Configuration,DC=stihlse,DC=com
               Last replication recieved from STIHLSE3 at 2006-02-21 14:49:33.
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=stihlse,DC=com
               Last replication recieved from STIHLSE3 at 2006-02-21 14:49:33.
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc.  0 had no latency information (Win2K DC). 
            DC=stihlse,DC=com
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc.  0 had no latency information (Win2K DC). 
         ......................... STIHLSE1 passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for
DC=ForestDnsZones,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for
DC=DomainDnsZones,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for
CN=Configuration,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... STIHLSE1 passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for
CN=Configuration,DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for
DC=stihlse,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... STIHLSE1 passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC STIHLSE1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=stihlse,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=stihlse,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=stihlse,DC=com
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=stihlse,DC=com
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=stihlse,DC=com
            (Domain,Version 2)
         ......................... STIHLSE1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\STIHLSE1\netlogon
         Verified share \\STIHLSE1\sysvol
         ......................... STIHLSE1 passed test NetLogons
      Starting test: Advertising
         The DC STIHLSE1 is advertising itself as a DC and having a DS.
         The DC STIHLSE1 is advertising as an LDAP server
         The DC STIHLSE1 is advertising as having a writeable directory
         The DC STIHLSE1 is advertising as a Key Distribution Center
         The DC STIHLSE1 is advertising as a time server
         The DS STIHLSE1 is advertising as a GC.
         ......................... STIHLSE1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com
         ......................... STIHLSE1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3277 to 1073741823
         * stihlse1.stihlse.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1777 to 2276
         * rIDPreviousAllocationPool is 1777 to 2276
         * rIDNextRID: 1816
         ......................... STIHLSE1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC STIHLSE1 on DC STIHLSE1.
         * SPN found :LDAP/stihlse1.stihlse.com/stihlse.com
         * SPN found :LDAP/stihlse1.stihlse.com
         * SPN found :LDAP/STIHLSE1
         * SPN found :LDAP/stihlse1.stihlse.com/STIHL
         * SPN found
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/30bc8f2c-2038-485a-aad6-0eadc22d5e1e/stihlse.com
         * SPN found :HOST/stihlse1.stihlse.com/stihlse.com
         * SPN found :HOST/stihlse1.stihlse.com
         * SPN found :HOST/STIHLSE1
         * SPN found :HOST/stihlse1.stihlse.com/STIHL
         * SPN found :GC/stihlse1.stihlse.com/stihlse.com
         ......................... STIHLSE1 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... STIHLSE1 passed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... STIHLSE1 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         STIHLSE1 is in domain DC=stihlse,DC=com
         Checking for CN=STIHLSE1,OU=Domain Controllers,DC=stihlse,DC=com in
domain DC=stihlse,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com
in domain CN=Configuration,DC=stihlse,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... STIHLSE1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... STIHLSE1 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... STIHLSE1 passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15
minutes.
         ......................... STIHLSE1 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/09/2006   11:00:00
            Event String: Driver Amyuni PDF Converter 2.07 required for

printer Intuit Internal Printer is unknown.

Contact the administrator to install the driver

before you log in again.
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/09/2006   11:00:02
            Event String: Driver hp LaserJet 1300 PCL 6 required for

printer !!joe!hplaser is unknown. Contact the

administrator to install the driver before you

log in again.
         ......................... STIHLSE1 failed test systemlog
      Starting test: VerifyReplicas
         ......................... STIHLSE1 passed test VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=STIHLSE1,OU=Domain Controllers,DC=stihlse,DC=com and backlink on

         CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=STIHLSE1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=stihlse,DC=com

         and backlink on CN=STIHLSE1,OU=Domain Controllers,DC=stihlse,DC=com

         are correct.
         The system object reference (serverReferenceBL)

         CN=STIHLSE1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=stihlse,DC=com

         and backlink on

         CN=NTDS Settings,CN=STIHLSE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stihlse,DC=com

         are correct.
         ......................... STIHLSE1 passed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         ......................... STIHLSE1 passed test
VerifyEnterpriseReferences
      Starting test: CheckSecurityError
         * Dr Auth:  Beginning security errors check!
         Found KDC STIHLSE1 for domain stihlse.com in site
Default-First-Site-Name
         Checking machine account for DC STIHLSE1 on DC STIHLSE1.
         * SPN found :LDAP/stihlse1.stihlse.com/stihlse.com
         * SPN found :LDAP/stihlse1.stihlse.com
         * SPN found :LDAP/STIHLSE1
         * SPN found :LDAP/stihlse1.stihlse.com/STIHL
         * SPN found
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/30bc8f2c-2038-485a-aad6-0eadc22d5e1e/stihlse.com
         * SPN found :HOST/stihlse1.stihlse.com/stihlse.com
         * SPN found :HOST/stihlse1.stihlse.com
         * SPN found :HOST/STIHLSE1
         * SPN found :HOST/stihlse1.stihlse.com/STIHL
         * SPN found :GC/stihlse1.stihlse.com/stihlse.com
         Source DC STIHLSE3 has possible security error (1722).  Diagnosing...
               Found KDC STIHLSE1 for domain stihlse.com in site
Default-First-Site-Name
               Checking time skew between servers:
                   STIHLSE3
                   STIHLSE1
               Time is in sync:  0 seconds different.
               Checking machine account for DC STIHLSE3 on DC STIHLSE1.
               * SPN found :LDAP/stihlse3.stihlse.com/stihlse.com
               * SPN found :LDAP/stihlse3.stihlse.com
               * SPN found :LDAP/STIHLSE3
               * SPN found :LDAP/stihlse3.stihlse.com/STIHL
               * SPN found
               * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/d2955723-7b9a-4bf5-911b-8b09b1094d8a/stihlse.com
               * SPN found :HOST/stihlse3.stihlse.com/stihlse.com
               * SPN found :HOST/stihlse3.stihlse.com
               * SPN found :HOST/STIHLSE3
               * SPN found :HOST/stihlse3.stihlse.com/STIHL
               * SPN found :GC/stihlse3.stihlse.com/stihlse.com
               Checking for CN=STIHLSE3,OU=Domain
Controllers,DC=stihlse,DC=com in domain DC=stihlse,DC=com on 1 servers
                  Object is up-to-date on all servers.
               * Security Permissions check for all NC's on DC STIHLSE3.
               * Security Permissions Check for
                 CN=Schema,CN=Configuration,DC=stihlse,DC=com
               * Security Permissions Check for
                 CN=Configuration,DC=stihlse,DC=com
               * Security Permissions Check for
                 DC=stihlse,DC=com
         Ignoring DC STIHLSE3 in the convergence test of object
CN=STIHLSE1,OU=Domain Controllers,DC=stihlse,DC=com, because we cannot
connect!
         Checking for CN=STIHLSE1,OU=Domain Controllers,DC=stihlse,DC=com in
domain DC=stihlse,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... STIHLSE1 failed test CheckSecurityError

   Testing server: Default-First-Site-Name\STIHLSE3
      Skipping all tests, because server STIHLSE3 is
      not responding to directory service requests

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test
CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : stihlse
      Starting test: CrossRefValidation
         ......................... stihlse passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... stihlse passed test CheckSDRefDom

   Running enterprise tests on : stihlse.com
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... stihlse.com passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\stihlse1.stihlse.com
         Locator Flags: 0xe00003fd
         PDC Name: \\stihlse1.stihlse.com
         Locator Flags: 0xe00003fd
         Time Server Name: \\stihlse1.stihlse.com
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\stihlse1.stihlse.com
         Locator Flags: 0xe00003fd
         KDC Name: \\stihlse1.stihlse.com
         Locator Flags: 0xe00003fd
         ......................... stihlse.com passed test FsmoCheck
      Starting test: DNS
         Test results for domain controllers:

            DC: stihlse3.stihlse.com
            Domain: stihlse.com


               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Error: No WMI connectivity
                  [Error details: 0x800706ba (Type: HRESULT - Facility:
Win32, Description: The RPC server is unavailable.) - Connection to WMI
server failed]


            DC: stihlse1.stihlse.com
            Domain: stihlse.com


               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                   Microsoft(R) Windows(R) Server 2003, Standard Edition
(Service Pack level: 0.0) is supported
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000001] HP NC7781 Gigabit Server Adapter:
                     MAC address is 00:0B:CD:E5:A5:4D
                     IP address is static
                     IP address: 10.0.1.2
                     DNS servers:
                        10.0.1.2 (<name unavailable>) [Valid]
                  The A record for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found
(primary)
                  Root zone on this DC/DNS server was not found

               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     204.117.214.10 (<name unavailable>) [Valid]

               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server

               TEST: Dynamic update (Dyn)
                  Dynamic update is enabled on the zone stihlse.com.
                  Test record _dcdiag_test_record added successfully in zone
stihlse.com.
                  Test record _dcdiag_test_record deleted successfully in
zone stihlse.com.

               TEST: Records registration (RReg)
                  Network Adapter [00000001] HP NC7781 Gigabit Server Adapter:
                     Matching A record found at DNS server 10.0.1.2:
                     stihlse1.stihlse.com

                     Matching CNAME record found at DNS server 10.0.1.2:
                     30bc8f2c-2038-485a-aad6-0eadc22d5e1e._msdcs.stihlse.com

                     Matching DC SRV record found at DNS server 10.0.1.2:
                     _ldap._tcp.dc._msdcs.stihlse.com

                     Matching GC SRV record found at DNS server 10.0.1.2:
                     _ldap._tcp.gc._msdcs.stihlse.com

                     Matching PDC SRV record found at DNS server 10.0.1.2:
                     _ldap._tcp.pdc._msdcs.stihlse.com


         Summary of test results for DNS servers used by the above domain
controllers:

            DNS server: 10.0.1.2 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server.
               Name resolution is funtional. _ldap._tcp SRV record for the
forest root domain is registered

            DNS server: 204.117.214.10 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg
Ext 

________________________________________________________________
            Domain: stihlse.com
               stihlse3                     PASS FAIL n/a  n/a  n/a  n/a 
n/a 
               stihlse1                     PASS PASS PASS PASS PASS PASS
n/a 

         ......................... stihlse.com failed test DNS

Bill, From what I see, it may be you're missing a DNS object. Have you tried
running the DNSLINT utility?

It sounds like a very similar problem I had last year. I was able to resolve
it by doing a compare of  my two DC's with DNS LINT and see what object was
missing.

Details are here on how to use the utility
http://support.microsoft.com/?kbid=321046

Show quoteHide quote

Some other info.

Run in DOS this command

dnslint /ad DC1IPADDY /s DC2IPADDY /v

This will create an HTML report. You should see in red what is incorrect in
your DNS config
It will most likely be at the bottom of the report and in red

Alias (CNAME) and glue (A) records for forest GUIDs from server - followed
by the info on both your DC's

Whatever is in red, you'll need to recreate that object via the DNS Manager
Go into DNS Manager
Then into Forward lookup zone of your domain
then go into the root of _msdcs
Right click in the root and select "New Alias CNAME"
The alias name will be what's in red from your DNSLINT output, something
like "9c14f7ac-7252-45lr-8ab3-bbd7b2d923ea._msdcs.mydomain.com"
The FQDN will be your domain controllers name that you are on.

Once you add that in. Close the DNS Manager
Run DCDIAG /fix

Then re-run "dnslint /ad DC1IPADDY /s DC2IPADDY /v"

It should be fixed.

Then try doing your replication and that should be fixed as well.

Hope that helps you out.


Show quoteHide quote

I ran dnslint like you said and the only issues found in RED where the
following:

UDP port 53 responding to queries: NO

One or more DNS servers did not respond to UDP queries


Show quoteHide quote

Okay, So it's not the missing DNS object issue.

Port 53 is the port DNS uses, do you have the builtin firewall enabled on
that failing Domain Controller?

I just noticed a configuration error in your IP info on STIHLSE3
A DNS server should always point to itself in the IP configuration.

Change your DNS IP on STIHLSE3 to 10.0.1.3

Right now you have it pointing to your other DNS server which is incorrect.
This may be causing problems.


Show quoteHide quote

Hazard,

please check the second responce - I ran the dnslint incorrectly - I only
have one dns server (10.0.1.2). After running it on that ip address there
were no errors.

Whether this is a problem or not, but on 10.0.1.3 the firewall is set on....

Show quoteHide quote

Bill,

My guess is the firewall is blocking UDP 53 Port. You could either turn off
the firewall or add that port and protocol as an exception.
You can have one DNS server, but if you selected Active Directory Integrated
DNS, It will try and replicate your DNS info onto another DC's DNS.
If that DC is missing the DNS, you will have multiple replication errors
which is what you are showing in you info.


Show quoteHide quote

I ran it incorrectly - there are no errors found in DNS running dnslint /ad
/s ip-address /v - we have only one dns server.

Show quoteHide quote

That is your problem "Only one DNS Server"
Active Directory relies heavily on DNS. It it trying to replicate the DNS
from your one DC to the other. Problem is, it has nothing to replicate to.

This would also be a major problem for you if STIHLSE1 failed or crashed.
You would have no internal DNS.
You need to install DNS Server on STIHLSE3 so SE1 can replicate the DNS to
it.

If you have two DC's it makes logical sense to replicate DNS from one to the
other for failover sake.

Cheers,

Show quoteHide quote

What you are saying makes perfect sense -

It's been a while since I setup DNS under Microsoft (worked on Novell for
sometime), but by installing it on Stihlse3, will Stihlse1 automatically
replicate to it?

I also am confused as this system has been running this way from what I am
told for some time now - and it looks like the problems started in
February...????

Show quoteHide quote

Setting up the DNS on STIHL3, you'll need to create the forward zone of your
internal domain and a reverse zone
Right click on the forward zone and select properties.
On the General tab, you'll want it to be set to AD Integrated Zone, and
replication to all DNS Servers in the zone.
You'll need both forward zones setup like this. As well as the reverse.
I'm pretty sure it will start replicating properly after that is configured.
Remember each DC's DNS IP in the network config should point to itself

If your event log is setup to overwrite events as needed, then it may have
overwritten prior errors.


Show quoteHide quote

Here's some good resources.

http://www.petri.co.il/dns.htm

Show quoteHide quote

Hazard,

As soon as I completed the second dns server install - everything
replicated perfectly. I'll go through now and make sure that dns is running
smoothly on both servers but right now all looks great - thanks for all your
help.

Great to hear Bill,

Glad I could assist in some way

Show quoteHide quote

Domain controller server planning
File Sharing
Active Directory and Clustering
Replication
Mailbox creation
Windows 2000 server with xp clients
access to Server 2K3
Replacing Domain Controller
Restoring a single group
restrict group access