Hi all,
I’m having a bit of an issue with our primary domain controller and was wondering if anyone can point me in the right direction.
Last week this was our working environment:
A single local domain with a primary domain controller and a backup domain controller. The backup domain controller replicates the primary domain controller which runs DNS, DHCP and Active Directory.
On Friday I noticed that after I had created a new user in Active Directory on our primary DC they then couldn't log on. From here I did a bit of investigating and found that our backup DC had effectively taken over as primary: changes I made on our backup DC were taking effect correctly, and when I run "echo %LOGONSERVER%" from a client machine it lists our backup DC. Both DCs have correct IP addresses and have each other as preferred DNS servers and then themselves as alternate DNS servers.
I'm sorry, I'm not too clued up on domain controlling so am probably missing some obvious diagnosis tasks, but if anyone can give some advice I'm eager to learn!
On the bright side if there is an issue with our primary DC then it has seamlessly moved over to our backup DC. I just need to fix the issue and return to our primary DC!
Many thanks,
James.
@Microsoft
6 Spice ups
randy1699
(AR-Beekeeper)
August 12, 2014, 9:35am
2
I thought it was just whichever DNS/Login/DHCP that responded first.
1 Spice up
randy1699
(AR-Beekeeper)
August 12, 2014, 9:36am
3
Adding the user to the primary DC should have taken up to 15 minutes to sync with the backup DC.
1 Spice up
britv8
(britv8)
August 12, 2014, 9:36am
4
I take it this is a single AD Site and the DCs are in the same AD site?
1 Spice up
Do you not have a primary domain controller which is preferred on the domain?
Also, do you not have one-way replication going from your primary DC to your secondary DC? Otherwise you wouldn't know which one to make changes to in regard to Active Directory etc.
britv8
(britv8)
August 12, 2014, 9:38am
6
Guys, there is no BDC and PDC any more. AD is a multi master environment with FSMO roles dealing with specific issues, such as the PDCe role
OP
run DCdiag on both DCs
run Repadmin /replsummary and post the files (once sanitized of your company names)
what OSs are running?
what do the event logs say on the DCs?
8 Spice ups
Changes made on the primary DC didn't take effect even after an hour or so, and still haven't. Changes I made on the secondary DC happened after a few seconds.
Even after a day the two DCs are still out of sync (the new user created on the primary DC, which I still can't log on with, still doesn't show on the secondary DC).
kelly
(Sosipater)
August 12, 2014, 9:48am
8
When you run repadmin /replsummary from each DC do you get all successes or some fails?
How is NTP configured for each? Do their times match?
3 Spice ups
Yes we have a single AD on the domain and both DCs use it.
britv8:
Guys, there is no BDC and PDC any more. AD is a multi master environment with FSMO roles dealing with specific issues, such as the PDCe role
OP
run DCdiag on both DCs
run Repadmin /replsummary and post the files (once sanitized of your company names)
what Os,s are running?
what do the event logs say on the DCs
thanks, i will get the info now and post it.
Both DCs are running Windows Server 2008 R2.
I have enabled AD auditing on our primary DC and it is showing user logons and logoffs but no changes I make…
I can't see any errors in the event viewer; is there anything specific or a certain area where I should be looking?
rockn
(Rockn)
August 12, 2014, 9:52am
10
Run the diags as britv8 has suggested. There is obviously something amiss and I would imagine that the other clients on the network are using cached credentials
1 Spice up
britv8
(britv8)
August 12, 2014, 9:53am
11
Just so you understand %logonserver% a bit more. If the DCs are in the same AD site, the client will be presented with a list of DCs for that site, IIRC the client requests a login off all DCs and whichever one answers first, is the login server. Usually this is the less loaded DC, as it can respond quicker. So your logonserver is a red herring here
2 Spice ups
britv8
(britv8)
August 12, 2014, 9:57am
12
In event viewer IIRC for 2008 R2 there is a Directory Service log, so look for errors or warnings there. As
@kelly has indicated, you should check your time is right on the DCs (well, the whole environment really).
1 Spice up
This is what I get when run on the primary DC (EVEREST). Note: EVEREST is our primary and BLACKCOMB is our secondary.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>repadmin /replsummary
Replication Summary Start Time: 2014-08-12 12:52:07
Beginning data collection for replication summary, this may take awhile:
…
Source DSA largest delta fails/total %% error
BLACKCOMB 58m:38s 0 / 5 0
EVEREST 17d.14h:03m:17s 5 / 5 100 (2148074274) The target principal name is incorrect.
Destination DSA largest delta fails/total %% error
BLACKCOMB 17d.14h:03m:18s 5 / 5 100 (2148074274) The target principal name is incorrect.
EVEREST 58m:39s 0 / 5 0
This is what I get when run on our secondary DC (BLACKCOMB). Note: EVEREST is our primary and BLACKCOMB is our secondary.
C:\Users\Administrator.ACL>repadmin /replsummary
Replication Summary Start Time: 2014-08-12 12:56:11
Beginning data collection for replication summary, this may take awhile:
…
Source DSA largest delta fails/total %% error
EVEREST 17d.14h:07m:21s 5 / 5 100 (2148074274) The target principal name is incorrect.
Destination DSA largest delta fails/total %% error
BLACKCOMB 17d.14h:07m:22s 5 / 5 100 (2148074274) The target principal name is incorrect.
Experienced the following operational errors trying to retrieve replication information:
8341 - Everest.ACL.local
britv8
(britv8)
August 12, 2014, 10:01am
14
1 Spice up
Just so you know, I haven't posted anything about times.
I have to pop out for a meeting now. I will look in the event viewer more when I get back and also run the other diag bits.
Thanks again everyone!
britv8
(britv8)
August 12, 2014, 10:01am
16
Yeah, sorry, got confused about times; have removed that bit from my post.
1 Spice up
Thanks a lot britv8! I thought that looked like the issue.
I'll reply again when I get back in an hour or so.
Seriously everyone on this site is amazing help!
Rob-Dunn
(Rob Dunn)
August 12, 2014, 10:29am
18
Before you get too far, can you please confirm your DNS settings on both domain controllers?
DC1 should have DC2 as its primary DNS server on the NIC. 127.0.0.1 should be secondary.
DC2 should have DC1 as its primary DNS server on the NIC. 127.0.0.1 should be secondary.
4 Spice ups
Thanks again britv8, the second article looks to be relevant. However, I will need to restart the server for the fix so shall need to do this out of hours this evening.
Just in case it helps, when I run "net view \\primary DC servername" from the secondary DC I get "access is denied", but when I run "net view \\primary DC ip address" the command completes successfully.
I believe this means that the Kerberos Key Distribution Center service (KDC) is my problem.
Rob Dunn:
Before you get too far, can you please confirm your DNS settings on both domain controllers?
DC1 should have DC2 as its primary DNS server on the NIC. 127.0.0.1 should be secondary.
DC2 should have DC1 as its primary DNS server on the NIC. 127.0.0.1 should be secondary.
After reading this somewhere else I have made sure that this is my configuration. Thanks.
2 Spice ups
Also, here are some recent errors I found in the secondary DC's logs:
System
Source: Security-Kerberos
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server everest$. The target name used was ‘domain’. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain) is different from the client domain (domain), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
source: NETLOGON
The dynamic registration of the DNS record ‘ForestDnsZones.domain. 600 IN A secondary DC ip address’ failed on the following DNS server:
DNS server IP address: primary DC ip address
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run ‘nltest.exe /dsregdns’ from the command prompt on the domain controller or restart Net Logon service.
Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.
DFS Replication
Source: DFSR
The DFS Replication service encountered an error communicating with partner EVEREST for replication group Domain System Volume.
Partner DNS address: Everest.domain
Optional data if available:
Partner WINS Address: Everest
Partner IP Address: primary DC ip address
The service will retry the connection periodically.
Additional Information:
Error: 1825 (A security package specific error occurred.)
Connection ID: -
Replication Group ID: -
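As an added example (not code from the thread or from Microsoft), the script below is a read-only PowerShell triage for the checks britv8 asked for earlier (repadmin summary, event logs) and for the two KRB_AP_ERR_MODIFIED causes named in the Kerberos event above: the partner's SPN registered on another account, or the computer password out of step with the KDC. It assumes the partner DC name EVEREST from the thread, that it runs elevated on a 2008 R2 DC (PowerShell 2.0), and that repadmin.exe, setspn.exe and nltest.exe are present there; the event IDs (Kerberos 4, NETLOGON 5774, DFSR 5002) are the standard IDs for the three log entries quoted above.

```powershell
# Added example, not from the thread. Read-only: it gathers evidence and changes nothing.
param([string]$Partner = 'EVEREST')   # partner DC name from the thread; assumption, change as needed

$since = (Get-Date).AddDays(-7)

# 1. Replication state. repadmin prints the Win32 error in decimal; 2148074274 is
#    0x80090322 (SEC_E_WRONG_PRINCIPAL), i.e. a Kerberos failure between the DCs,
#    which is why DNS-only fixes do not clear it.
$repl = repadmin /replsummary | Out-String
$codes = [regex]::Matches($repl, '\((\d{8,})\)') |
    ForEach-Object { '0x{0:X8}' -f [int64]$_.Groups[1].Value } | Select-Object -Unique
Write-Host "repadmin /replsummary error codes: $($codes -join ', ')"

# 2. The three events quoted in the thread, counted over the last 7 days.
$filters = @(
    @{LogName='System';          ProviderName='Microsoft-Windows-Security-Kerberos'; Id=4;    StartTime=$since},
    @{LogName='System';          ProviderName='NETLOGON';                            Id=5774; StartTime=$since},
    @{LogName='DFS Replication'; ProviderName='DFSR';                                Id=5002; StartTime=$since}
)
foreach ($f in $filters) {
    $n = @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue).Count
    Write-Host ("{0,-16} event {1,5}: {2} occurrence(s)" -f $f.LogName, $f.Id, $n)
}

# 3. KRB_AP_ERR_MODIFIED cause 1: the partner's SPNs registered on more than one account.
#    setspn -L lists the SPNs on the partner's computer account; setspn -X reports
#    duplicates forest-wide (the event text asks that each SPN exist on one account only).
Write-Host "`nSPNs registered on ${Partner}:"
setspn -L $Partner
Write-Host "`nForest-wide duplicate SPN search:"
setspn -X

# 4. KRB_AP_ERR_MODIFIED cause 2: this DC's computer password differs from what the KDC
#    holds. Test-ComputerSecureChannel only tests; repairing it is a separate admin decision.
Write-Host "`nSecure channel to the domain OK: $(Test-ComputerSecureChannel)"
nltest /sc_query:$env:USERDNSDOMAIN | Select-String 'Trusted DC|Status'

# 5. The NETLOGON 'DNS bad key' (RCODE 5 / 9017) is the secure dynamic update being refused
#    for the same Kerberos reason; registration (nltest /dsregdns) is only worth retrying
#    once steps 3 and 4 come back clean.
```

Run it on both DCs and compare: the DC that reports a broken secure channel or a duplicate SPN for the partner is the one to repair, and repadmin should show 0 / 5 failures afterwards.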