From: Dave Onex on 19 Nov 2009 21:39

"Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:Ox4nWKXaKHA.616(a)TK2MSFTNGP04.phx.gbl...
> "Dave Onex" <dave(a)onex.com> wrote in message news:%239I$xgOaKHA.2188(a)TK2MSFTNGP04.phx.gbl...
>>
>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:uGmVSHOaKHA.5544(a)TK2MSFTNGP02.phx.gbl...
>>> "Dave Onex" <dave(a)microsoft.com> wrote in message news:e7PLIK$ZKHA.5300(a)TK2MSFTNGP02.phx.gbl...
>>>>
>>>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:e%23$9oL%23ZKHA.1596(a)TK2MSFTNGP06.phx.gbl...
>>>>> "Dave Onex" <dave(a)microsoft.com> wrote in message news:uCunV98ZKHA.4932(a)TK2MSFTNGP02.phx.gbl...
>>>>>>
>>>>>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:Oscr4y8ZKHA.4268(a)TK2MSFTNGP05.phx.gbl...
>>>>>>> "Dave Onex" <dave(a)microsoft.com> wrote in message news:e5c%23xlyZKHA.196(a)TK2MSFTNGP05.phx.gbl...
>>>>>>>>
>>>>>>>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:Oxgy8exZKHA.1596(a)TK2MSFTNGP06.phx.gbl...
>>>>>>>>> "Dave Onex" <dave(a)onex.com> wrote in message news:uWf58uYZKHA.1640(a)TK2MSFTNGP06.phx.gbl...
>>>>>>>>>>
>>>>>>>>>> "Dave Onex" <dave(a)microsoft.com> wrote in message news:eCyNwVYZKHA.4920(a)TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>
>>>>>>>>>>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:uFVID6WZKHA.196(a)TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>> "Dave Onex" <dave(a)microsoft.com> wrote in message news:%23fkA3IWZKHA.5608(a)TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:%23%23nFpPVZKHA.1640(a)TK2MSFTNGP06.phx.gbl...
>>>>>>>>>>>>>> "Dave Onex" <dave(a)microsoft.com> wrote in message news:ea4X7DNZKHA.1592(a)TK2MSFTNGP06.phx.gbl...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:e1Q%236iBZKHA.5108(a)TK2MSFTNGP06.phx.gbl...
>>>>>>>>>>>>>>>> "Dave Onex" <dave(a)microsoft.com> wrote in message news:%23dFH0A%23YKHA.4148(a)TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>> Hi Ace;
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> In my case the ISA is just a member of the domain - not a domain controller. Making the ISA a domain controller would be, in my mind, a recipe for disaster especially from a security standpoint.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I did find one other thing though and it was important. On one of the domain controllers the active directory DNS zone for my domain was missing an important entry. In the _msdcs area of DNS it was missing the CNAME entry with the GUID for the other domain controller. That's why it couldn't replicate with the other domain controller.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> When I was testing the DNS I was just using the other domain controller's machine name. I didn't realize that that record in that area of the DNS had to be there. In fact, I'd never ventured into the active directory entries in DNS :-)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Anyway, got it cased and just wanted to update this thread for archival purposes.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Best;
>>>>>>>>>>>>>>>>> Dave
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm glad you got to the bottom of it. The CNAME GUID, among other SRV records, are all important records. What was the cause of the missing records? Normally restarting the Netlogon service on a DC will create the SRV records. If all things are configured properly, one thing you can do is delete the system32\config\netlogon.dns and netlogon.bak files, then run ipconfig /registerdns, then restart Netlogon. If they're still not being created, then I suspect a misconfiguration somewhere.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> As long as you are only using the internal DNS servers, the zone name allows updates, the Primary DNS Suffix (look at an ipconfig /all) matches the zone name in DNS, and the domain is not a single label name, you should be good to go. You can use this list as things to look for when troubleshooting Dynamic DNS registration problems.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Ace
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Excellent tips Ace - they certainly would have cased it for me. I don't know why the second Domain controller didn't have an entry for the first. Once I figured that out I just copied the entry from the first to the second and everything worked perfectly :-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It's possible that there was a DNS issue - the network has 4 DNS servers and they're pretty complex. I set them up years ago and, generally, I've never looked at them since. So every time I have to make changes I have to revisit DNS and get a handle on it all over again. The neat thing is, there's nothing like a network with perfect DNS. Resolution is instant and everything is snappy :-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks again, those were/are really good tips.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best;
>>>>>>>>>>>>>>> Dave
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ok, you got me confused now. You have 4 DNS servers, but you have two DCs, correct? Or have I misread this?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The best solution for AD is to use Windows DNS on the DCs themselves. Using BIND or a non-DC for DNS will introduce complications that, if not properly designed, will cause AD issues.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The best recommendation, as I mentioned, is to use Windows DNS. If you have say two DCs, in DC1, point to itself as the first DNS entry, and the partner DC2 as the second entry. In DC2, point to itself as first and DC1 as the second entry. This is assuming that the zone is AD integrated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you have four DCs, all DCs should point to themselves as the first entry, and choose one of the others as the second entry.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If a BIND server is being used, the design would be based on what capacity the BIND servers are providing the network. If you are using them as a proxy resolver, e.g. as the forwarders for your Windows DNS servers, and the clients are not using them, then there will be no problem. If you are using them for AD, BIND doesn't support Kerberos security nor AD integration. AD integration means the zone info is stored in the actual AD database which is replicated to all DCs. A BIND or non-DC as a DNS server doesn't support this feature.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ace
>>>>>>>>>>>>>>
>>>>>>>>>>>>> No confusion needed - you got it!
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have two DCs with AD integrated DNS and one other MS DNS server configured as a secondary to DC1.
>>>>>>>>>>>>> I then have one more DNS server sitting at the edge on ISA 2004 that resolves external requests from external users.
>>>>>>>>>>>>>
>>>>>>>>>>>>> It's working perfectly thanks to your help!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best;
>>>>>>>>>>>>> Dave
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> You are welcome! :-)
>>>>>>>>>>>>
>>>>>>>>>>>> Ace
>>>>>>>>>>>>
>>>>>>>>>>> Say, now that you are here.... and you know a lot about AD etc..... :-)
>>>>>>>>>>>
>>>>>>>>>>> I have a question that maybe you can help me with - it might be a little off-topic but it's the last issue I'm facing on the network - everything else is 100% perfect.
>>>>>>>>>>>
>>>>>>>>>>> My server network is all Windows 2000. One of them has Certificate Services installed. It's working perfectly in that all domain members got the new root certificate automatically through active directory and put it in the trusted root section of each machine. In addition, each Windows 2000 machine can request a machine cert through the MMC - so Certificate Services is working and configured fine.
>>>>>>>>>>>
>>>>>>>>>>> The problem is my XP Pro laptop. It did not automatically get the new root certificate from AD. I waited several days and also issued a group policy update command - still nothing.
>>>>>>>>>>>
>>>>>>>>>>> It used to work back when it was getting the certs from a different machine. Network changes meant that the Certificate services was removed from the old machine and put on a new machine. No old certs were transferred in the process - all certs are new.
>>>>>>>>>>>
>>>>>>>>>>> Because the XP laptop wouldn't get the root certificate on its own I manually exported the root certificate for my domain and imported it into the trusted root certificates on the laptop. From that point on the laptop could request certificates and get them. I thought the issue was fixed because I can now L2TP into the domain because the certs are all correct.....
>>>>>>>>>>>
>>>>>>>>>>> But a problem came up. The XP laptop is always coughing up errors about w32 time. Specifically, it keeps reporting that the time it's getting from the NTP server (a local DC) is not signed and that it might have been tampered with. This is not the case - the XP laptop is wrong.
>>>>>>>>>>>
>>>>>>>>>>> The laptop is correctly configured to get its time from the DC. The registry entries are correct. Still, it thinks the time from the NTP server is not signed properly.
>>>>>>>>>>>
>>>>>>>>>>> I cannot help but think this is related to the laptop not being able to automatically get the new domain cert from the new domain controller (the certificate server).
>>>>>>>>>>>
>>>>>>>>>>> Is there any way to 'reset' the laptop's certificate settings? Perhaps it's still looking for the old certificate server (even though it shouldn't). I tried a gpupdate /refresh and while that command works, the errors still arise about the time server and the signature.
>>>>>>>>>>>
>>>>>>>>>>> I'm about as certain as I can be that the actual issue boils down to this: The XP laptop did not get its new domain cert from active directory as it should have. I'm quite certain all other problems stem from that one oddity. Do you know what would cause that?
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>> Dave
>>>>>>>>>>
>>>>>>>>>> AHA!
>>>>>>>>>>
>>>>>>>>>> I think I cased it. The original problem of the laptop not being able to download the domain cert was caused by the local group policy on the laptop being set to NOT perform this action. I don't know how or why this occurred but the setting was located at;
>>>>>>>>>>
>>>>>>>>>> gpedit.msc => Computer Configuration => Windows Settings => Security Settings => Public Key Policies => Autoenrollment settings
>>>>>>>>>>
>>>>>>>>>> Enroll Certificates Automatically was NOT selected :-0
>>>>>>>>>> Shortly after I selected it the laptop went off, got the domain certificate and then grabbed a local machine certificate for itself.
>>>>>>>>>>
>>>>>>>>>> I don't know how that setting changed - this machine used to do that automatically. Anyway, it's another success story :-)
>>>>>>>>>>
>>>>>>>>>> Best;
>>>>>>>>>> Dave
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Glad to hear you figured that one out. I wouldn't have looked there first, but I assume you must have searched around for possibilities. Are you still getting w32time errors after the change?
>>>>>>>>>
>>>>>>>>> Ace
>>>>>>>>
>>>>>>>> Hi Ace!
>>>>>>>>
>>>>>>>> Interestingly enough, it didn't fix the w32time errors. I was sure it would because it was the only thing obviously wrong with the laptop since the network was changed around. Other than the cert issue and the time issue that laptop was as solid as always...
>>>>>>>>
>>>>>>>> I could not figure out what was wrong with the time service on that machine. Instead, I cheated. I went over to my other XP Pro machine and exported the entire W32time registry key and imported it into the laptop. That fixed it (go figure!)
>>>>>>>>
>>>>>>>> Sometimes it's easier to cheat than to diagnose. Thing is, the laptop belongs to me and I never changed any of those settings. Prior to the changes on the network it always got its certificates and it never had a time problem. So I don't know what caused the problems in the first place. But, suffice to say, it's all done now!
>>>>>>>>
>>>>>>>> Best (and thanks!)
>>>>>>>> Dave
>>>>>>>>
>>>>>>>
>>>>>>> Interesting cheat. That's one way of doing it.
>>>>>>>
>>>>>>> Curious, how did you set up the time service? By registry entries, or just using the default command lines (which works fine)?
>>>>>>>
>>>>>>> Ace
>>>>>>>
>>>>>> Hi Ace;
>>>>>>
>>>>>> I originally set it up just using the default DOS commands. Specifically, net time /setsntp with the server name. When I started having problems I did check for the correct server entry in the registry but that's it. I can't for the life of me figure out where these two issues originally stemmed from because both certs and w32tm never had any issues. They were always 'set it and forget it'. It was only when I changed the network around that these issues cropped up. As a result of the changes I dropped to DOS and entered the /setsntp option to point to the new time server. That seems to be when the problems started but how the registry for w32tm got goofed is beyond me.
>>>>>>
>>>>> Hmm. I can't see how changing the network around could have caused it, unless you put in a new DC and transferred the PDC Emulator FSMO role to the new one from the old or other DC. Read my blog on the time service to get some insight.
>>>>>
>>>>> Configuring the Windows Time Service for Windows Server
>>>>> http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
>>>>>
>>>>> Ace
>>>>>
>>>> Hahaha - I didn't understand all of that one but it sounds like it might be what happened.
>>>>
>>>> Here's what I did. Formerly I had one DC called mail (it was also the mail server). It was an old NetFinity machine (weighed about 160 pounds) and I wanted to get rid of it. The problem is, the new machine absolutely had to have the same name. You can't have two machines with the same name on the network at the same time so I promoted an existing machine called NS1 to domain controller with the catalog enabled.
>>>>
>>>> I then removed the mail server and installed the new mail server. I then created another new machine (called backup) and then made it a domain controller too. So, the domain controller used to be mail and then became NS1 and then I added one called backup. Both of them have the catalog option enabled.
>>>>
>>>> Right now I left NS1 as a domain controller - so now I have two. The mail server is now just mail. But, the NTP server was originally MAIL and it was also the original Certificate Server. So maybe somewhere in there the laptop got confused. I know I was (for a while). :-0
>>>>
>>>> The good news is that everything worked out perfectly in the end. Every machine is working perfectly and you can really tell that DNS is tight because name resolution is instant. On every machine the event and system logs are spotless with one exception (and this happens on several machines);
>>>>
>>>> Event ID 42
>>>>
>>>> WMI ADAP was unable to create object Win32_PerfRawData_DNS_DNS for Performance Library DNS because no value was found for property index 3272 in the 009 subkey
>>>>
>>>> I cased that @&#^$ issue before I changed the network around (I had every event and system log perfect) but I've since forgotten how I fixed it and Google searches don't seem to return the great results they used to :-(
>>>>
>>>> Best!
>>>> Dave
>>>>
>>>> PS> That was a great article on the time service - unfortunately it never seemed to show in the Google searches back when I was having the issue :-(
>>>>
>>>
>>> I recently published it from my private archives.
>>>
>>> See if the following help with that WMI ADAP issue.
>>>
>>> How to troubleshoot WinMgmt-based performance counter errors
>>> Description: WMI ADAP was unable to create Object Index number from the Performance Library service name because the value is not found in 009 subkey ...
>>> http://support.microsoft.com/kb/266416
>>>
>>> W2K Event ID 54 \Device\WMIServiceDevice
>>> Event ID 42: "WMI ADAP was unable to create object Win32_PerfRawData_DNS_DNS for Performance Library DNS because no value was found for ...
>>> http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/b5196294-2a17-48de-b8e0-1f103059b79c
>>>
>>> Ace
>>
>> Been there, done them both. The KB article made the most sense but entering the clearadap and resyncperf commands result in the error being immediately logged again in the system log. This tells me it's not a startup issue because the machine is idle at the time.
>>
>> I suspect I'll have to live with them both. I thought there was a KB article on re-building the counters but ever since Microsoft started monkeying with the site I can't seem to find anything anymore - Argghh!
>>
>> Best & Thanks!
>> Dave
>>
>
> Have you seen this one yet?
>
> How to manually rebuild Performance Counter Library values
> This article was previously published under Q300956 ...
> http://support.microsoft.com/kb/300956
>
> Ace

That's the one I was looking for... thank you!
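The record Dave found missing, the CNAME `<DSA GUID>._msdcs.<forest root>`, is the name a DC uses to locate its replication partner; resolving the partner's plain hostname proves nothing about it. Ace's tip of deleting netlogon.dns and re-registering recreates a DC's records, but it does not tell you which ones were missing. The script below is an added example, not code from either poster: it parses records in the format Netlogon writes to %SystemRoot%\System32\config\netlogon.dns (owner, TTL, class, type, rdata) and reports which of a DC's required records are absent from a copy of the zone, such as an export taken on the partner DC. The domain example.com, the DC names ns1 and backup, the site name and the two DSA GUIDs are constructed placeholders, and the sample zone is built to reproduce the thread's symptom: the partner's copy lacks the first DC's CNAME.

```python
"""Check that a DNS zone holds the records a domain controller must register.

Added example, not code from the thread. The zone text below is a constructed
sample in netlogon.dns format; domain, hostnames, site and GUIDs are placeholders.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Record(NamedTuple):
    name: str    # owner name, lowercased, with trailing dot
    rtype: str   # A, CNAME, SRV, ...
    rdata: str   # record data, with any target name normalised the same way


_COMMENT = re.compile(r";.*$")


def _fqdn(name: str) -> str:
    """Lowercase and add the trailing dot so names compare by value."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_records(text: str) -> set[Record]:
    """Parse 'owner TTL [IN] TYPE rdata' lines; the class field is optional."""
    records: set[Record] = set()
    for raw in text.splitlines():
        fields = _COMMENT.sub("", raw).split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            owner, rtype, rdata = fields[0], fields[3], fields[4:]
        elif len(fields) >= 4:
            owner, rtype, rdata = fields[0], fields[2], fields[3:]
        else:
            continue  # blank, comment-only or malformed line
        rtype = rtype.upper()
        if rtype in ("CNAME", "NS", "SRV"):
            rdata = rdata[:-1] + [_fqdn(rdata[-1])]  # normalise the target name
        records.add(Record(_fqdn(owner), rtype, " ".join(rdata)))
    return records


def expected_dc_records(domain: str, dc_fqdn: str, dsa_guid: str,
                        site: str, is_gc: bool) -> set[Record]:
    """Records Netlogon registers for one DC that replication partners and
    Kerberos clients depend on. Assumes the domain is also the forest root,
    since the _msdcs names live under the forest root zone."""
    d, host = _fqdn(domain), _fqdn(dc_fqdn)

    def srv(port: int) -> str:
        return f"0 100 {port} {host}"  # priority 0, weight 100 (Netlogon defaults)

    required = {
        # Replication partners are located through this CNAME, not by hostname
        Record(_fqdn(f"{dsa_guid}._msdcs.{d}"), "CNAME", host),
        Record(_fqdn(f"_ldap._tcp.{d}"), "SRV", srv(389)),
        Record(_fqdn(f"_kerberos._tcp.{d}"), "SRV", srv(88)),
        Record(_fqdn(f"_ldap._tcp.dc._msdcs.{d}"), "SRV", srv(389)),
        Record(_fqdn(f"_kerberos._tcp.dc._msdcs.{d}"), "SRV", srv(88)),
        Record(_fqdn(f"_ldap._tcp.{site}._sites.dc._msdcs.{d}"), "SRV", srv(389)),
    }
    if is_gc:
        required.add(Record(_fqdn(f"_gc._tcp.{d}"), "SRV", srv(3268)))
        required.add(Record(_fqdn(f"_ldap._tcp.gc._msdcs.{d}"), "SRV", srv(3268)))
    return required


def missing_records(zone_text: str, domain: str, dc_fqdn: str, dsa_guid: str,
                    site: str, is_gc: bool) -> list[Record]:
    """Required records for dc_fqdn that this copy of the zone does not contain."""
    present = parse_records(zone_text)
    wanted = expected_dc_records(domain, dc_fqdn, dsa_guid, site, is_gc)
    return sorted(wanted - present)


# Constructed sample: the zone as seen on the second DC, lacking the first DC's CNAME.
DC1_DSA_GUID = "a1b2c3d4-0000-4000-8000-000000000001"  # placeholder, not a real DSA GUID
DC2_DSA_GUID = "b2c3d4e5-0000-4000-8000-000000000002"  # placeholder, not a real DSA GUID
SITE = "Default-First-Site-Name"
ZONE_ON_DC2 = f"""
; constructed export of example.com taken on backup.example.com
example.com. 600 IN A 10.0.0.1
example.com. 600 IN A 10.0.0.2
{DC2_DSA_GUID}._msdcs.example.com. 600 IN CNAME backup.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 ns1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 backup.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 ns1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 backup.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 ns1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 backup.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 ns1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 backup.example.com.
_ldap._tcp.{SITE}._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 ns1.example.com.
_ldap._tcp.{SITE}._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 backup.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 ns1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 backup.example.com.
_ldap._tcp.gc._msdcs.example.com. 600 IN SRV 0 100 3268 ns1.example.com.
_ldap._tcp.gc._msdcs.example.com. 600 IN SRV 0 100 3268 backup.example.com.
"""

if __name__ == "__main__":
    for host, guid in (("ns1.example.com", DC1_DSA_GUID),
                       ("backup.example.com", DC2_DSA_GUID)):
        gaps = missing_records(ZONE_ON_DC2, "example.com", host, guid, SITE, True)
        status = "OK" if not gaps else f"{len(gaps)} record(s) missing"
        print(f"{host}: {status}")
        for rec in gaps:
            print(f"  {rec.name} {rec.rtype} {rec.rdata}")
```

On a real pair of DCs you would feed it the netlogon.dns file from one DC (which already contains that DC's own DSA GUID in the CNAME line) against a zone export taken on the other, and treat any missing record as a replication or logon fault waiting to happen rather than a cosmetic gap. The check deliberately compares record data as well as names: an SRV entry that exists but points at a decommissioned host, such as the retired "mail" DC in Dave's case, is reported as missing for the new host.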
From: Ace Fekay [MCT] on 20 Nov 2009 08:55

"Dave Onex" <dave(a)microsoft.com> wrote in message news:OXoC9qYaKHA.5572(a)TK2MSFTNGP06.phx.gbl...
On every machine the event >>>>> and system logs are spotless with one exception (and this happens on >>>>> several machines); >>>>> >>>>> Event ID 42 >>>>> >>>>> WMI ADAP was unable to create object Win32_PerfRawData_DNS_DNS for >>>>> Performance Library DNS because no value was found for property index >>>>> 3272 in the 009 subkey >>>>> >>>>> I cased that @&#^$ issue before I changed the network around (I had >>>>> every event and system log perfect) but I've since forgotten how I >>>>> fixed it and Google searches don't seem to return the great results >>>>> they used to :-( >>>>> >>>>> Best! >>>>> Dave >>>>> >>>>> PS>That was a great article on the time service - unfortunately it >>>>> never seemed to show in the Google searches back when I was having the >>>>> issue :-( >>>>> >>>> >>>> >>>> I recently published it from my private archives. >>>> >>>> See if the following help with that WMI ADAP issue. >>>> >>>> How to troubleshoot WinMgmt-based performance counter >>>> errorsDescription: WMI ADAP was unable to create Object Index number >>>> from the Performance Library serivce name because the value is not >>>> found in 009 subkey ... >>>> http://support.microsoft.com/kb/266416 >>>> >>>> W2K Event ID 54 \Device\WMIServiceDevice17 posts - 9 authors - Last >>>> post: Jul 8 >>>> Event ID 42: "WMI ADAP was unable to create object >>>> Win32_PerfRawData_DNS_DNS for Performance Library DNS because no value >>>> was found for ... >>>> http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/b5196294-2a17-48de-b8e0-1f103059b79c >>>> >>>> Ace >>> >>> Been there, done them both. The KB article made the most sense but >>> entering the clearadap and resyncperf commands result in the error being >>> immediately logged again in the system log. This tells me it's not a >>> startup issue because the machine is idle at the time. >>> >>> I suspect I'll have to live with them both. 
I thought there was a KB >>> article on re-building the counters but ever since Microsoft started >>> monkeying with the site I can't seem to find anything anymore - Argghh! >>> >>> Best & Thanks! >>> Dave >>> >> >> >> Have you seen this one yet? >> >> How to manually rebuild Performance Counter Library valuesHow to manually >> rebuild Performance Counter Library values. View products that this >> article applies to. This article was previously published under Q300956 >> ... >> http://support.microsoft.com/kb/300956 >> >> Ace >> > > That's the one I was looking for... thank you! > You are welcome!
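An added example, not part of this thread or of Ace's blog post: a PowerShell checklist that walks the four things the exchange above ended up chasing on a domain member after the DCs were swapped around (the DSA-GUID CNAME under _msdcs for each DC, machine certificate auto-enrollment, the Windows Time service, and the performance counter library behind Event ID 42). It assumes a current Windows domain member (not the XP laptop in the thread, where w32tm /query and Get-WinEvent do not exist and the time provider is logged as W32Time) with the RSAT ActiveDirectory and DnsClient modules installed and an elevated console. The $Domain and $Repair parameters are the example's own; the AEPolicy value meanings follow the documented auto-enrollment policy bits (0x8000 = disabled, 7 = enabled with renew/update options), and the registry key here is the one the policy editor writes, so a domain GPO that sets the same policy will overwrite a local change on the next refresh.

```powershell
#Requires -RunAsAdministrator
# Added example: post-DC-migration checklist for a domain member. Placeholder
# parameters; nothing is changed unless -Repair is passed.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,   # domain whose DCs we verify
    [switch]$Repair                              # apply fixes instead of only reporting
)

Import-Module ActiveDirectory, DnsClient

# --- 1. Every DC needs its DSA-GUID CNAME under _msdcs (the record that was missing earlier in the thread).
#        The CNAME is named after the NTDS Settings object's GUID, not the computer object's GUID.
$forest = (Get-ADForest).RootDomain
foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $cname   = "$dsaGuid._msdcs.$forest"
    try {
        $rec = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop
        Write-Host ("OK   {0,-24} {1} -> {2}" -f $dc.HostName, $cname, $rec.NameHost)
    } catch {
        # Netlogon re-registers the DC's DNS records on restart (Restart-Service Netlogon on that DC).
        Write-Warning "MISSING CNAME for $($dc.HostName): $cname"
    }
}

# --- 2. Machine certificate auto-enrollment (Dave's root cause: the local policy had it switched off).
#        Key written by "Public Key Policies -> Certificate Services Client - Auto-Enrollment".
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae    = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Host 'INFO AEPolicy not set by policy (default behaviour applies)'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning "Machine auto-enrollment is DISABLED by policy (AEPolicy = 0x{0:X})" -f $ae.AEPolicy
    if ($Repair) {
        Set-ItemProperty -Path $aeKey -Name AEPolicy -Value 7 -Type DWord   # enabled + renew/update options
        certutil -pulse | Out-Null                                          # trigger enrollment now, don't wait for the task
    }
} else {
    Write-Host ("OK   AEPolicy = 0x{0:X}" -f $ae.AEPolicy)
}

# --- 3. Time service. A domain member should follow the domain hierarchy (Type = NT5DS); "net time /setsntp",
#        as typed in the thread, hard-codes an NtpServer and flips Type to NTP, which can outlive a DC swap.
$w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
Write-Host "INFO W32Time Type=$($w32.Type)  NtpServer=$($w32.NtpServer)"
w32tm /query /source
if ($Repair -and $w32.Type -ne 'NT5DS') {
    w32tm /config /syncfromflags:domhier /update   # back to the domain hierarchy
    Restart-Service w32time
    w32tm /resync /rediscover
}
# The "time sample is not signed" complaints land in the System log under this provider.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# --- 4. WMI ADAP / Event ID 42: rebuild the counter library (KB 300956), then make WMI re-read it (KB 266416).
if ($Repair) {
    lodctr /R            # rebuild Perflib registry values from the backup store
    winmgmt /resyncperf  # refresh WMI's view of the performance libraries
}
```

Run it first without -Repair to see which of the four checks actually fails on the machine; the fixes are independent, so only the failing one needs the repair flag, and on a machine that receives the auto-enrollment setting from a domain GPO the registry write in step 2 belongs in that GPO rather than on the local key.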
From: Dave Onex on 26 Nov 2009 03:02

>> That's the one I was looking for... thank you!
>>
>
> You are welcome!
>

Ace, are you still monitoring this thread? I got myself in a little bit of trouble.... :-(
From: Ace Fekay [MCT] on 26 Nov 2009 13:08

"Dave Onex" <dave(a)microsoft.com> wrote in message news:u7dCe7mbKHA.5796(a)TK2MSFTNGP06.phx.gbl...
>>> That's the one I was looking for... thank you!
>>>
>>
>> You are welcome!
>>
>
> Ace, are you still monitoring this thread? I got myself in a little bit of trouble.... :-(
>

What did you do?
From: Dave Onex on 26 Nov 2009 14:03
"Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:%23%23XynNsbKHA.4708(a)TK2MSFTNGP02.phx.gbl...
> "Dave Onex" <dave(a)microsoft.com> wrote in message news:u7dCe7mbKHA.5796(a)TK2MSFTNGP06.phx.gbl...
>>>> That's the one I was looking for... thank you!
>>>>
>>>
>>> You are welcome!
>>>
>>
>> Ace, are you still monitoring this thread? I got myself in a little bit of trouble.... :-(
>>
>
> What did you do?
>

I tried to make my network faster :-0

You found it (the new post). :-)