Replication failing (DNS issue?)
I've got a 2008 server and a 2003 server that now aren't talking to each other (replicating AD). Various tools point to a DNS configuration issue, ...but the guys running the DNS server say that these entries should be coming in automatically and that it's the server that isn't registering properly. Here is a typical event log entry, and DCDiag results below ("names changed to protect the innocent"). Although everything points to DNS server configuration, is there something on the Win2008 server that could be causing this?

The dynamic registration of the DNS record '_ldap._tcp.busad.MYDOMAIN.edu. 600 IN SRV 0 100 389 MYSERVER.busad.MYDOMAIN.edu.' failed on the following DNS server:
DNS server IP address: 10.75.90.30
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.

DCDIAG Info:
C:\Program Files\Windows AIK\Tools\PETools>dcdiag /testns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MYSERVER
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MYSERVER
Starting test: Connectivity
The host 6c74d3db-fdfe-XXXX-bc08-04ac54de49bd._msdcs.busad.puc.edu could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
......................... MYSERVER failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MYSERVER
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... MYSERVER passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : busad
Running enterprise tests on : busad.MYDOMAIN.edu
Starting test: DNS
Test results for domain controllers:
DC: MYSERVER.busad.MYDOMAIN.edu
Domain: busad.puc.edu
TEST: Basic (Basc)
Error: No LDAP connectivity
No host records (A or AAAA) were found for this DC
TEST: Records registration (RReg)
Network Adapter [00000006] Intel(R) 82566DC-2 Gigabit Network Connection:
Warning: Missing CNAME record at DNS server 10.75.90.30: 6c74d3db-fdfe-XXXX-bc08-04ac54de49bd._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.busad.puc.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.afaeada9-b590-XXXX-ac5a-c548c083dee2.domains._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _kerberos._tcp.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _kerberos._tcp.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _kerberos._udp.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _kpasswd._tcp.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.Default-First-Site-Name._sites.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _kerberos._tcp.Default-First-Site-Name._sites.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.gc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _gc._tcp.Default-First-Site-Name._sites.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.30: _ldap._tcp.pdc._msdcs.busad.MYDOMAIN.edu
Warning: Missing CNAME record at DNS server 10.75.90.31: 6c74d3db-fdfe-XXXX-bc08-04ac54de49bd._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.busad.puc.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.afaeada9-XXXX-42ff-ac5a-548c083dee2.domains._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _kerberos._tcp.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _kerberos._tcp.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _kerberos._udp.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _kpasswd._tcp.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.Default-First-Site-Name._sites.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _kerberos._tcp.Default-First-Site-Name._sites.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.gc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _gc._tcp.Default-First-Site-Name._sites.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.busad.MYDOMAIN.edu
Warning: Missing SRV record at DNS server 10.75.90.31: _ldap._tcp.pdc._msdcs.busad.MYDOMAIN.edu
Error: Record registrations cannot be found for all the network adapters
Summary of DNS test results:
                 Auth  Basc  Forw  Del   Dyn   RReg  Ext
_________________________________________________________________
Domain: busad.MYDOMAIN.edu
   MYSERVER      PASS  FAIL  n/a   n/a   n/a   FAIL  n/a
......................... busad.puc.edu failed test DNS
C:\Program Files\Windows AIK\Tools\PETools>
May 23rd, 2008 9:50pm

Hi, it seems there is a problem with the SRV records. Please check them manually, or else use the DCDIAG /FIX command to recreate the SRV records. Thanks, Syed
May 24th, 2008 9:42am

Hi,

Please follow these steps to check whether the issue recurs.

1. Verify that the primary DNS suffix of both the DC and the member server is identical to the domain name in the environment.
2. Verify that the DNS setting in the TCP/IP properties of both the DC and the member server points to the current DNS server.
3. Open the Services console ("Services.msc") on the domain controller, locate the Netlogon service and restart it so that the SRV records are re-created on the DNS server.
4. Check that Allow dynamic updates is enabled on the DNS server:
   a. Log on to the DNS server and open the DNS console.
   b. Expand Forward Lookup Zones, right-click the zone and click Properties.
   c. On the General tab, make sure either "Secure only" or "Nonsecure and secure" is selected.
   d. Click OK.
5. Also turn on the DNS dynamic update protocol on the affected network adapter:
   a. Right-click the internal network adapter, and then click Properties.
   b. Click TCP/IP, and then click Properties.
   c. Click the Advanced button.
   d. Click the DNS tab, and then select the "Register this connection's addresses in DNS" check box at the bottom of the tab.
   e. Click OK until the Network Properties dialog box is closed.
   f. Click Start, click Run, type cmd, and then press ENTER.
   g. At the command prompt, stop and restart the Netlogon service and initiate the registration of the network adapter in DNS with the following commands:
      net stop netlogon
      del c:\windows\system32\config\netlogon.dns
      del c:\windows\system32\config\netlogon.dnb
      net start netlogon
      ipconfig /registerdns

If the issue persists, check the following registry values on the DC:
1. Log on to the DC, click Start, go to Run, type regedit and click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and make sure these values are not 0:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\UseDynamicDns
   Data type: REG_DWORD; Range: 0 - 1; Default value: 1
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RegisterDnsARecords
   Data type: REG_DWORD; Range: 0 - 1; Default value: 1

Hope it helps.
May 26th, 2008 11:58am
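The steps in the reply above can be scripted so they are checked rather than clicked through. The following PowerShell is an added example, not code from the thread or from Microsoft: it runs the DC-side checks (primary DNS suffix, adapter DNS settings and registration flag, the two Netlogon registry values), asks Netlogon to re-register, and then queries both DNS servers named in the DCDiag output for the same CNAME/SRV set that the RReg test reported missing. For context on the original event: RCODE 5 in the DNS header is REFUSED and status 9017 is DNS_ERROR_RCODE_BADKEY (the "DNS bad key" text), so the DNS server at 10.75.90.30 did receive the update and rejected its TSIG-signed (secure) form; this script shows whether the records nevertheless land once the server-side setting is changed. Assumptions of mine: Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later), so on a 2008 box substitute "nslookup -type=SRV <name> <server>" for that call; the DSA and domain GUIDs are read over ADSI from RootDSE.

```powershell
# Added example (not part of the thread): script the DC-side checks from the
# reply above, then query each DNS server for the records DCDiag's RReg test
# reported missing. Run elevated on the domain controller.
# Assumptions (mine, not the thread's): Resolve-DnsName needs the DnsClient
# module (Windows 8 / Server 2012 or later); on Server 2008 replace that call
# with "nslookup -type=SRV <name> <server>" and read the output by hand.
param(
    [string[]]$DnsServers = @('10.75.90.30', '10.75.90.31')   # the servers named in the DCDiag output
)

$domain   = (Get-WmiObject Win32_ComputerSystem).Domain        # AD domain, e.g. busad.MYDOMAIN.edu
$tcpip    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$site     = $netlogon.SiteName                                 # e.g. Default-First-Site-Name

# Step 1: the primary DNS suffix must match the AD domain name.
if ($tcpip.'NV Domain' -ne $domain) {
    Write-Warning "Primary DNS suffix '$($tcpip.'NV Domain')' does not match domain '$domain'"
}

# Steps 2 and 5: each adapter must point at a DNS server that hosts the zone and
# must be allowed to register its own addresses.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    '{0}: DNS servers = {1}; register in DNS = {2}' -f $_.Description, ($_.DNSServerSearchOrder -join ', '), $_.FullDNSRegistrationEnabled
}

# Registry values from the reply: absent means the default (1); only 0 turns registration off.
foreach ($name in 'UseDynamicDns', 'RegisterDnsARecords') {
    $value = $netlogon.$name
    if ($value -eq 0) { Write-Warning "$name = 0: Netlogon will not register this DC's records" }
    elseif ($null -eq $value) { "$name not present (default 1, registration enabled)" }
}

# Step 3: ask Netlogon to re-register now (same effect as restarting the service).
nltest /dsregdns

# Build the record set DCDiag checks. The DSA GUID (CNAME) and domain GUID (SRV)
# come from this DC's NTDS Settings object and the domain object, via ADSI.
$rootDse = [ADSI]'LDAP://RootDSE'
$dsaGuid = ([ADSI]"LDAP://$($rootDse.dsServiceName)").Guid
$domGuid = ([ADSI]"LDAP://$($rootDse.defaultNamingContext)").Guid
$records = @(
    @{ Type = 'CNAME'; Name = "$dsaGuid._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.$domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.$domGuid.domains._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.dc._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.dc._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.$domain" },
    @{ Type = 'SRV';   Name = "_kerberos._udp.$domain" },
    @{ Type = 'SRV';   Name = "_kpasswd._tcp.$domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.$site._sites.$domain" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.$site._sites.dc._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.$site._sites.dc._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.$site._sites.$domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.gc._msdcs.$domain" },              # global catalog only
    @{ Type = 'SRV';   Name = "_gc._tcp.$site._sites.$domain" },             # global catalog only
    @{ Type = 'SRV';   Name = "_ldap._tcp.$site._sites.gc._msdcs.$domain" }, # global catalog only
    @{ Type = 'SRV';   Name = "_ldap._tcp.pdc._msdcs.$domain" }              # PDC emulator only
)

# Query each DNS server directly; -DnsOnly bypasses the local cache and NetBIOS/LLMNR fallback.
foreach ($server in $DnsServers) {
    foreach ($r in $records) {
        try {
            $null = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $server -DnsOnly -ErrorAction Stop
            "OK       $server  $($r.Type)  $($r.Name)"
        } catch {
            "MISSING  $server  $($r.Type)  $($r.Name)"
        }
    }
}
```

If every record still reports MISSING on both servers after `nltest /dsregdns`, while the suffix, adapter settings and registry values all check out, the DC has nothing left to fix: the zone on 10.75.90.30/.31 has to accept the update (either secure updates from this computer account, or nonsecure updates, which the reply's step 4 describes and which trades away the protection against any host on the LAN overwriting the DC's own records).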

THANKS so much for your help! I have servers (let's call them A, B, C) where servers A and B are 2003 R2, and server C is 2008.

1. The first portion of your answer appears to have fixed the problem I had with 2 of the three servers not knowing which servers held the various operations master roles.
2. The registry keys you mentioned did not appear at all on any of the servers (UseDynamicDns, RegisterDnsARecords). I added them under Parameters but I couldn't determine that it made any difference in replication problems. Are they really supposed to be there?
3. In AD Sites & Services, I was able to force a replication from server B to A, C to A and C to B, but any attempt to replicate A to B or A to C gave an error message referring to a DNS lookup problem and referenced the article http://go.microsoft.com/fwlink/?LinkId=5171. Info there didn't seem to help.
4. Although I could access shares on server A from the other servers, client computers in the LAN could not see the shares on A (couldn't even connect to \\A).
5. I started seeing security events referring to Windows Firewall on server A complaining about lsass.exe listening (and an earlier message about dns.exe)... turning off the firewall seems to allow clients to access shares on A. It ALSO allows the replication from A to B and A to C to complete properly. So, for tonight, Windows Firewall is turned off on Server A (this is on a small internal LAN).

What standard exceptions should I put into Windows Firewall (instead of turning it off!)? I tried putting lsass.exe and dns.exe in there, but the replication/share access problems remained. Or do you think there is something else that could be causing the problem? Thanks again!
May 27th, 2008 7:01am

Hi,

According to the description, it seems that the issue is caused by the Windows Firewall on Server A. In order for all the clients to access the Server A file share smoothly and for AD replication to work normally among Servers A, B and C, please enable replication over dynamic RPC and configure the Windows Firewall to permit the following ports on the problematic server.

Service                                              Port/protocol
RPC endpoint mapper                                  135/tcp, 135/udp
NetBIOS name service                                 137/tcp, 137/udp
NetBIOS datagram service                             138/udp
NetBIOS session service                              139/tcp
RPC static port for AD replication                   <AD-fixed-port>/TCP
RPC static port for FRS                              <FRS-fixed-port>/TCP
SMB over IP (Microsoft-DS, required for file share)  445/tcp, 445/udp
LDAP                                                 389/tcp
LDAP ping                                            389/udp
LDAP over SSL                                        636/tcp
Global catalog LDAP                                  3268/tcp
Global catalog LDAP over SSL                         3269/tcp
Kerberos                                             88/tcp, 88/udp
DNS                                                  53/tcp, 53/udp
WINS resolution (if required)                        1512/tcp, 1512/udp
WINS replication (if required)                       42/tcp, 42/udp

For more information on Windows Server component port requirements, please refer to the following Microsoft Knowledge Base article:
Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017

Hope it helps.
May 27th, 2008 12:53pm
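The port table above is the answer to "what exceptions instead of turning it off", but typed in by hand it is easy to get wrong, and the two static-port rows only work if the ports are actually pinned on the DC. The following PowerShell is an added example, not code from the thread or from Microsoft: it pins AD replication and FRS to fixed RPC ports through the documented NTDS and NTFRS registry values, then creates one inbound rule per row of the table with netsh advfirewall (present on Server 2008), scoped to the internal subnet, and re-enables the domain profile with inbound default-deny. The subnet 10.75.90.0/24 and ports 50000/50001 are my assumptions, chosen to match the addresses in the thread; the WINS rows are omitted because nothing in the thread says WINS is in use.

```powershell
# Added example (not part of the thread): replace "Windows Firewall off" on
# Server A with inbound rules for the ports listed above, scoped to the LAN,
# and pin AD replication and FRS to static RPC ports so the dynamic RPC range
# stays closed. Run elevated on the DC; the port pins take effect after a restart.
# Assumptions (mine, not the thread's): the LAN is 10.75.90.0/24 and TCP 50000
# and 50001 are unused on Server A.
$Lan      = '10.75.90.0/24'   # assumed internal subnet; use the real one
$NtdsPort = 50000             # assumed static port for AD replication (the table's <AD-fixed-port>)
$FrsPort  = 50001             # assumed static port for FRS (the table's <FRS-fixed-port>)

# Pin the RPC ports via the documented registry values (NTDS: KB 224196, FRS: KB 319553).
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord

# One entry per row of the port table in the reply (WINS rows left out).
$rules = @(
    @{ Name = 'AD RPC endpoint mapper';       Proto = 'TCP'; Port = 135 },
    @{ Name = 'AD RPC endpoint mapper UDP';   Proto = 'UDP'; Port = 135 },
    @{ Name = 'AD NetBIOS name service';      Proto = 'TCP'; Port = 137 },
    @{ Name = 'AD NetBIOS name service UDP';  Proto = 'UDP'; Port = 137 },
    @{ Name = 'AD NetBIOS datagram service';  Proto = 'UDP'; Port = 138 },
    @{ Name = 'AD NetBIOS session service';   Proto = 'TCP'; Port = 139 },
    @{ Name = 'AD replication static RPC';    Proto = 'TCP'; Port = $NtdsPort },
    @{ Name = 'AD FRS static RPC';            Proto = 'TCP'; Port = $FrsPort },
    @{ Name = 'AD SMB';                       Proto = 'TCP'; Port = 445 },
    @{ Name = 'AD SMB UDP';                   Proto = 'UDP'; Port = 445 },
    @{ Name = 'AD LDAP';                      Proto = 'TCP'; Port = 389 },
    @{ Name = 'AD LDAP ping';                 Proto = 'UDP'; Port = 389 },
    @{ Name = 'AD LDAP over SSL';             Proto = 'TCP'; Port = 636 },
    @{ Name = 'AD global catalog';            Proto = 'TCP'; Port = 3268 },
    @{ Name = 'AD global catalog over SSL';   Proto = 'TCP'; Port = 3269 },
    @{ Name = 'AD Kerberos';                  Proto = 'TCP'; Port = 88 },
    @{ Name = 'AD Kerberos UDP';              Proto = 'UDP'; Port = 88 },
    @{ Name = 'AD DNS';                       Proto = 'TCP'; Port = 53 },
    @{ Name = 'AD DNS UDP';                   Proto = 'UDP'; Port = 53 }
)

foreach ($r in $rules) {
    # Each array element becomes one argv entry, so rule names with spaces are passed intact.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$($r.Name)", 'dir=in',
                   'action=allow', "protocol=$($r.Proto)", "localport=$($r.Port)",
                   "remoteip=$Lan", 'profile=domain')
    & netsh @netshArgs
}

# Turn the firewall back on for the domain profile with inbound blocked by default,
# so only the rules above (and the built-in ones) admit traffic.
netsh advfirewall set domainprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
```

Two notes on the failure reported in the previous post. The program exceptions for lsass.exe and dns.exe could not have fixed share access because SMB (445/tcp and 139/tcp) is served from the kernel under the System process, not by lsass.exe; port rules are the reliable form. And on Windows Server 2008 the dynamic RPC range is 49152-65535 (Server 2003 used 1025-5000), so any remaining RPC client that is not pinned, such as Netlogon or the SAM interface, needs that range opened, ideally with remoteip limited to the peer DCs, rather than the firewall disabled.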

I've got two servers (2003) that now aren't talking to each other (replicating AD). When I replicate them from Sites & Services the following text appears. Can you help me? Thanks.

On the dc1 computer:
NTDS Settings from dc2: The following error occurred during the attempt to contact the domain controller dc2: Access is denied.
NTDS Settings from dc1: The following error occurred during the attempt to synchronize naming context Configuration from domain controller dc2 to domain controller dc1: Logon Failure: The target account name is incorrect. This operation will not continue.

On the dc2 computer:
NTDS Settings from dc1: The following error occurred during the attempt to contact the domain controller dc1: The RPC server is unavailable.
NTDS Settings from dc2: Active Directory has replicated the connections.
October 16th, 2008 5:37pm
