Missing Some DNS Records (A) After Adding 2012 R2 Domain Controller

Hello,

I am having a weird DNS issue after adding a new 2012 R2 Domain Controller (with DNS) to our existing environment. We had three 2008 R2 Domain Controllers with DNS prior to adding the 2012 R2 DC. I am decommissioning one of the old DCs, so I started pointing the other DCs' DNS settings to the new DC on Friday.

On Monday, users were not able to resolve certain network resources (file server, SQL server, SharePoint, so far). After looking at the DNS records for all four DNS servers, I noticed that the newest DC was missing the A records of the resources end users could not resolve. 

The missing DNS records showed up on the previous 3 DNS servers, but were missing from the newest one. All other records appear to be there, minus the handful of missing ones I have discovered thus far. I added static records for the missing ones on the new DNS server and the change updated across all DNS servers. 

But the question is, why did this happen? I cannot seem to find an explanation anywhere for a similar scenario. Is there something special I need to do on 2012 R2 Domain Controllers/DNS servers? I thought records were supposed to be identical across all DNS servers?

Thanks in advance for any help you may provide

May 27th, 2015 4:27pm

Hi,

DNS servers hosting AD integrated zones use Active Directory replication to get the records across to each other. I would recommend running 'DCDiag' and posting the results if there are any errors (you may want to anonymize the data).

You could also run 'repadmin /replsummary', which will output the status of AD replication, and see if there are any failures there.

Thanks
Daniel

May 27th, 2015 6:09pm

Hello,

Please see https://support.microsoft.com/en-us/kb/2520155/en-us about a known issue when changing the DNS Servers on Windows Server 2008 R2.

May 27th, 2015 6:15pm

Hi,

DNS servers hosting AD integrated zones use Active Directory replication to get the records across to each other. I would recommend running 'DCDiag' and posting the results if there are any errors (you may want to anonymize the data).

You could also run 'repadmin /replsummary', which will output the status of AD replication, and see if there are any failures there.

Thanks
Daniel

Thanks Daniel. I ran both and the only warning or error I received was for FRSEvent about the SYSVOL being shared and it may cause group policy problems. Any other ideas?
May 27th, 2015 6:25pm

May 27th, 2015 6:36pm

Thanks Daniel. I ran both and the only warning or error I received was for FRSEvent about the SYSVOL being shared and it may cause group policy problems. Any other ideas?

This is one symptom of replication issues. If the SYSVOL has not initialized, then the folder will be empty and no GPOs will be available for any logons. This is crucial.

What event log errors do you see related to any of the AD logs? Post the eventID# and the Source name of the event.

What DNS address is the new DC using as DNS? We prefer it to point to the other DCs until things settle to make sure it works.

Can you post an unedited ipconfig /all from the four DCs for us to eva

May 29th, 2015 12:13am

June 2nd, 2015 7:23pm

There is some stuff in the SYSVOL folder on DC7 (the new DC), but it doesn't have the exact same things as DC6. It is having trouble replicating from a 2012 DC (DC6), which I never mentioned because it doesn't have the DNS role installed. The event ID for the FRS warnings is 13508. I did some research and it appears that could be DNS related.

Here are the ipconfigs for all of the DCs. I removed the domain name. Also, I noticed some of these have duplicate DNS entries, perhaps that is part of the problem?

C:\windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC7
   Primary Dns Suffix  . . . . . . . : **
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : **


Ethernet adapter Internal Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 44-A8-42-12-95-28
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d43e:ac77:f015:9428%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.1.93(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.17.1.1
   DHCPv6 IAID . . . . . . . . . . . : 306489410
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-D0-2C-25-44-A8-42-12-95-28

   DNS Servers . . . . . . . . . . . : ::1
                                       172.17.1.39
                                       127.0.0.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\Administrator.RPCS>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC6
   Primary Dns Suffix  . . . . . . . : **
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : **

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-2D-85
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e836:d5f9:9be7:7475%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.1.83(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.17.1.1
   DHCPv6 IAID . . . . . . . . . . . : 251663709
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-6F-0C-58-00-15-5D-01-2D-27

   DNS Servers . . . . . . . . . . . : 172.17.1.38
                                       172.17.1.39
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\administrator.RPCS>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC5
   Primary Dns Suffix  . . . . . . . : **
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : **

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-14-22-14-5F-FE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b571:d6d0:c0e0:5137%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   IPv4 Address. . . . . . . . . . . : 172.17.1.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.17.10.30
   DHCPv6 IAID . . . . . . . . . . . : 301995042
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-0D-21-3E-00-14-22-14-5F-FF

   DNS Servers . . . . . . . . . . . : 172.17.1.3
                                       172.17.1.38
                                       172.17.1.39
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\administrator.RPCS>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC4
   Primary Dns Suffix  . . . . . . . : **
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : **

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-02-02-87
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::94de:9001:8518:f425%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.1.39(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.17.1.1
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-E5-65-72-00-15-5D-02-02-87

   DNS Servers . . . . . . . . . . . : ::1
                                       172.17.1.38
                                       127.0.0.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\administrator.RPCS>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC3
   Primary Dns Suffix  . . . . . . . : **
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : **

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-2D-86
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9401:2617:acb1:b442%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.1.38(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.17.1.1
   DHCPv6 IAID . . . . . . . . . . . : 251663709
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-A7-AE-08-00-15-5D-01-2D-86

   DNS Servers . . . . . . . . . . . : 172.17.1.39
                                       127.0.0.1
                                       172.17.1.38
   NetBIOS over Tcpip. . . . . . . . : Enabled


Sorry for the late reply!

DC7 and DC4:
Let's remove the IPv6 "::1" address on DC7 and DC4 by going into the IPv6 properties, DNS address section, and setting it to automatically get an IP. That will remove it.

Remove the redundant 127.0.0.1. One of them will suffice.

-

DC6:
Add 127.0.0.1 as the last DNS entry.

-

DC3:
Remove 172.17.1.38, since that is its own IP and the 127.0.0.1 already references itself. Just make sure 127.0.0.1 is the last entry.

-

DC5:
This guy is a mess. It has two IPs. What's up with that? Not good. That will cause AD communications issues, because both get registered into DNS. Pick one and remove the other. My guess is you probably want 172.17.1.3, because it's in DNS.

And the gateway address is different than the others. Do you have more than one router?

So if we go with 172.17.1.3, then:

  1. Remove 172.17.1.13
  2. Remove 172.17.1.3 from DNS.
  3. Add 127.0.0.1 in DNS as the last entry.
  4. Change the gateway to 172.17.1.1

-

After making all the changes, run the following:

  1. ipconfig /registerdns
  2. net stop netlogon
  3. net start netlogon

Then report back with updated ipconfigs. Check the event logs then and let me know if that clears up Sysvol replication.

June 10th, 2015 11:05pm
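
The DNS client rules from the reply above, applied as a check to the ipconfig data posted in this thread. This is an added PowerShell example, not part of the original posts; `Test-DcDnsClientList` is a hypothetical helper name, and the checks encode only what the reply recommends (no `::1`, a single `127.0.0.1` as the last entry, no own address in the list, one IPv4 address per DC).

```powershell
# Added example. Test-DcDnsClientList is a hypothetical helper, not a built-in cmdlet.
function Test-DcDnsClientList {
    param(
        [string]   $Name,
        [string[]] $IPv4,        # IPv4 addresses bound to the DC's adapter
        [string[]] $DnsServers   # DNS server list, in the order ipconfig shows it
    )
    $findings = @()
    $loopbackCount = @($DnsServers | Where-Object { $_ -eq '127.0.0.1' }).Count

    if ($IPv4.Count -gt 1) {
        $findings += "multiple IPv4 addresses ($($IPv4 -join ', ')): keep one"
    }
    if ($DnsServers -contains '::1') {
        $findings += 'remove ::1 (set IPv6 DNS to automatic)'
    }
    if ($loopbackCount -gt 1) {
        $findings += 'remove the redundant 127.0.0.1'
    }
    if ($loopbackCount -eq 0) {
        $findings += 'add 127.0.0.1 as the last entry'
    }
    elseif ($DnsServers[-1] -ne '127.0.0.1') {
        $findings += 'move 127.0.0.1 to the last position'
    }
    foreach ($ip in $IPv4) {
        # A DC's own address is already covered by the loopback entry.
        if ($DnsServers -contains $ip) {
            $findings += "remove own address $ip from the DNS list"
        }
    }
    [pscustomobject]@{ DC = $Name; Findings = $findings -join '; ' }
}

# Values copied from the ipconfig /all output posted earlier in the thread.
$dcs = @(
    @{ Name = 'DC7'; IPv4 = @('172.17.1.93'); DnsServers = @('::1', '172.17.1.39', '127.0.0.1', '127.0.0.1') }
    @{ Name = 'DC6'; IPv4 = @('172.17.1.83'); DnsServers = @('172.17.1.38', '172.17.1.39') }
    @{ Name = 'DC5'; IPv4 = @('172.17.1.3', '172.17.1.13'); DnsServers = @('172.17.1.3', '172.17.1.38', '172.17.1.39') }
    @{ Name = 'DC4'; IPv4 = @('172.17.1.39'); DnsServers = @('::1', '172.17.1.38', '127.0.0.1', '127.0.0.1') }
    @{ Name = 'DC3'; IPv4 = @('172.17.1.38'); DnsServers = @('172.17.1.39', '127.0.0.1', '172.17.1.38') }
)

foreach ($dc in $dcs) { Test-DcDnsClientList @dc } | Format-Table -AutoSize -Wrap
```

The gateway mismatch on DC5 is not covered by this check; it needs a comparison against the other DCs' gateway values.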

Hi,

Is there any update about this problem?

Best Regards,
Eve Wang
June 15th, 2015 9:09am

Thanks, Ace! I have been out of town but I will make these changes and get back to you.

Unfortunately, I cannot speak to the DC5 config. That was done prior to me being here so who knows what the other IP address is for. It IS the primary DC since it is physical, but DC7 is its replacement so it will be decommissioned once everything works as it should. I am still not sure why all DNS records were in sync with the exception of a couple handful (that just so happened to be critical servers) on DC7. Very odd.

Nonetheless, I will let you know how it goes. Thank you!

June 17th, 2015 2:48pm

Thanks, Ace! I have been out of town but I will make these changes and get back to you.

Unfortunately, I cannot speak to the DC5 config. That was done prior to me being here so who knows what the other IP address is for. It IS the primary DC since it is physical, but DC7 is its replacement so it will be decommissioned once everything works as it should. I am still not sure why all DNS records were in sync with the exception of a couple handful (that just so happened to be critical servers) on DC7. Very odd.

Nonetheless, I will let you know how it goes. Thank you!


Sounds good. :-)
June 22nd, 2015 12:41am

Hi Ace,

I finally had a chance to update the DNS settings. Everything seems to be working fine (as far as DNS) but I am still getting FRS warnings. It seems the problem is the DCs with the warning (DC4, DC5, DC7) cannot replicate from DC6 which is the Server 2012 DC (no DNS role installed). I am thinking of just installing the DNS role to see if that fixes anything. 

Also, DCs failed the NCSecDesc (DC3, DC4, DC5) test. I believe this is a new error, at least since changing the DNS settings on each DC.

I feel all of this is somehow related but I cannot figure it out!

Thanks,

Mike

June 30th, 2015 12:03pm

Hi Ace,

I finally had a chance to update the DNS settings. Everything seems to be working fine (as far as DNS) but I am still getting FRS warnings. It seems the problem is the DCs with the warning (DC4, DC5, DC7) cannot replicate from DC6 which is the Server 2012 DC (no DNS role installed). I am thinking of just installing the DNS role to see if that fixes anything. 

Also, DCs failed the NCSecDesc (DC3, DC4, DC5) test. I believe this is a new error, at least since changing the DNS settings on each DC.

I feel all of this is somehow related but I cannot figure it out!

Thanks,

Mike


If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep to remove that error, otherwise, forget it.

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
https://support.microsoft.com/en-us/kb/967482

At least it says things are now working.

-

For FRS errors, what is the exact error? Also check here for non-existent DCs.

In ADSI Edit, connect to the Domain NC (Default Name Context), then expand and drill down to:
1. Domain.com (your domain name)
2. System
3. File Replication Service
4. Click on Domain System Volume (SYSVOL)
5. Do you see the old DC in there? If so, carefully just delete that object, and nothing else.

June 30th, 2015 8:12pm

This topic is archived. No further replies will be accepted.