This article also discusses two new events, event ID 2087 and event ID 2088, that are logged by destination domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1). These events occur when a lack of DNS name resolution prevents the inbound replication of Active Directory directory service partitions. More significantly, in this problem scenario, Windows Server 2003 SP1-based destination domain controllers will use the source domain controller's fully qualified domain name in DNS or the source domain controller's NetBIOS computer name in Windows Internet Name Service (WINS). The goal of the enhancements in Windows Server 2003 is to minimize the effect of DNS client or DNS server configuration errors on Active Directory replication.
Event ID 2087 occurs when Active Directory replication has failed because of a DNS or a NetBIOS lookup failure. Specifically, the domain controller that logged event ID 2087 was not able to resolve a replication partner's IP address by using any of the following:
- The CNAME resource record
- The fully qualified computer name in DNS
- The NetBIOS computer name
Event ID 2088 occurs when the following conditions are true:
- Active Directory replication cannot resolve the replication partner’s CNAME resource record to an IP address by using DNS.
- Active Directory can resolve the replication partner’s IP address by using the partner's fully qualified computer name in DNS or by using the partner's NetBIOS computer name in a WINS or in a NetBIOS broadcast.
The lookup failure arises in either of the following cases:
- Case 1: A domain controller tries to replicate with another domain controller that is offline, and the Active Directory and DNS data for the offline domain controller has not been updated or deleted to indicate that the domain controller is inaccessible.
- Case 2: A domain controller tries to replicate with another domain controller that is online, but because of DNS or networking issues, the domain controllers cannot locate each other.
The Net Logon service on the domain controller registers all the SRV records. The DNS Client service on the domain controller registers the DNS host (A) record and the GUID CNAME record.
A domain controller uses the following steps to locate its replication partner:
- The domain controller uses DNS to look for the CNAME record of its replication partner.
- If the lookup is unsuccessful, the domain controller looks for the DNS A record of its replication partner. For example, the domain controller looks for dc-03.corp.contoso.com.
- If the DNS A record lookup is unsuccessful, the domain controller performs a NetBIOS broadcast by using the host name of its replication partner. For example, the domain controller uses dc-03.
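The following is an added example, not code from the Microsoft article: it walks the three-step lookup chain described above and maps the outcome to event ID 2087 or 2088. DNS and NetBIOS are stood in for by constructed in-memory tables (the DSA GUID, names and addresses are made up) so it runs offline.

```python
"""Added example, not code from the Microsoft article: walks the three-step
lookup chain a domain controller uses to find its replication partner and
maps the outcome to event ID 2087 or 2088. DNS and NetBIOS are stood in for
by constructed in-memory tables so the example runs offline."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample zone data (hypothetical GUID, names and addresses).
DSA_GUID = "4a1b2c3d-0000-1111-2222-333344445555"
SAMPLE_DNS = {
    "cname": {f"{DSA_GUID}._msdcs.corp.contoso.com": "dc-03.corp.contoso.com"},
    "a": {"dc-03.corp.contoso.com": "10.0.0.3", "dc-01.corp.contoso.com": "10.0.0.1"},
}
SAMPLE_NETBIOS = {"DC-03": "10.0.0.3"}   # what a NetBIOS broadcast would answer


@dataclass
class LookupResult:
    ip: Optional[str]
    method: Optional[str]     # "cname", "a" or "netbios"
    event_id: Optional[int]   # 2088 = fell back past the CNAME, 2087 = all failed


def cname_name(dsa_guid: str, dns_domain: str) -> str:
    """Build the Dsa_Guid._msdcs.Dns_Domain_Name record the DC looks up first."""
    return f"{dsa_guid}._msdcs.{dns_domain}"


def locate_partner(dsa_guid: str, partner_fqdn: str,
                   dns: Dict[str, Dict[str, str]], netbios: Dict[str, str]) -> LookupResult:
    host, _, dns_domain = partner_fqdn.partition(".")
    # 1. CNAME record, then the A record of the CNAME target; both must succeed.
    target = dns["cname"].get(cname_name(dsa_guid, dns_domain))
    if target and dns["a"].get(target):
        return LookupResult(dns["a"][target], "cname", None)
    # 2. A record for the partner's fully qualified name (event 2088 if this works).
    ip = dns["a"].get(partner_fqdn)
    if ip:
        return LookupResult(ip, "a", 2088)
    # 3. NetBIOS broadcast for the host name only, e.g. DC-03 (also event 2088).
    ip = netbios.get(host.upper())
    if ip:
        return LookupResult(ip, "netbios", 2088)
    # Nothing resolved: this is the event ID 2087 case.
    return LookupResult(None, None, 2087)


def without(table: Dict[str, str], key: str) -> Dict[str, str]:
    """Copy of a record table with one record removed, for the failure scenarios."""
    return {k: v for k, v in table.items() if k != key}
```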
Case 1
To remove Active Directory and DNS data that is left behind by a domain controller that is no longer in use, follow the procedure in the following Microsoft Knowledge Base article:
If you do not want to restart the domain controller, but you want to reregister its DNS records, go to step 7, "Register Resource Records in DNS."
Case 2
If replication does not occur because a destination domain controller cannot resolve the DNS name of a replication partner, you must diagnose DNS and network connectivity problems to determine the source of the failure.
To diagnose and to fix DNS support for Active Directory replication, follow these steps:
- Gather information.
You must have the following information to diagnose and to fix DNS support for Active Directory replication and other operations that depend on DNS:
- The fully qualified domain name (FQDN) and IP address of the source domain controller.
- The FQDN and IP address of the DNS server that hosts the DNS zone for the Active Directory domain name.
- Verify network connection settings.
- On the domain controller that is reporting the error, click Network Connections in Control Panel.
- Right-click the network connection that you want to configure, and then click Properties.
- On the General tab for a local area connection or on the Networking tab for all other connections, click Internet Protocol (TCP/IP), and then click Properties.
- In Use the following DNS server addresses, verify that the preferred DNS server or the alternate DNS server has the correct IP address of the DNS server that hosts the DNS zone for the Active Directory domain name.
Note: We recommend that the preferred DNS server for the domain controller is located in a hub site that is local or well-connected. Using such a hub site reduces replication latency.
- If the IP addresses are correct, go to step 3. If the IP address is incorrect, enter the correct address, and then go to step 7.
- Verify connectivity.
To verify connectivity, use the ping command on the destination domain controller to find the IP addresses of the source domain controller and of the DNS server.
On the destination domain controller, type the following at a command prompt, and then press ENTER after each command:
If either command is unsuccessful, a network connectivity error may exist. Contact the network administrator to diagnose and to fix this error. If both commands are successful, the error exists in DNS.
- Verify that the DNS Server service is running.
If the destination domain controller is configured to use a local DNS server, verify that the DNS Server service is running. To do this, type net start "DNS Server" at a command prompt, and then press ENTER.
If the DNS Server service is running, a message appears that indicates that the service is running. If the DNS Server service is installed, but the service is not running, the command starts the DNS Server service.
If the DNS Server service is not installed, a message appears that indicates that the server name is not valid. If the destination domain controller is configured to use a remote DNS server, use the DNS console to start the DNS Server service. To do this, follow these steps:
- Open the DNS console.
- On the Action menu, click Connect To DNS Server.
- In Connect to DNS Server, click The following computer.
- To connect to a remote server, specify either the remote server's DNS computer name or its IP address.
- Click to select the Connect to the specified computer now check box, and then click OK.
- On the Action menu, point to All Tasks, and then click Start.
- Verify that the resource record is registered.
The destination domain controller uses the DNS CNAME resource record, Dsa_Guid._msdcs.Dns_Domain_Name, to locate its source domain controller replication partner. To verify that this resource record is in the DNS zone for the Active Directory domain name, follow these steps:
- Open the DNS console. In the console tree, locate any domain controller that is running the DNS Server service, where the service hosts the DNS zone with the same name as the Active Directory domain name.
- In the console tree, click the zone that is named _msdcs.Dns_Domain_Name.
In Windows 2000 Server DNS, _msdcs.Dns_Domain_Name is a subdomain of the DNS zone for the Active Directory domain name. In Windows Server 2003, _msdcs.Dns_Domain_Name is a separate zone.
- Verify that the following resource records exist in the zone:
- A CNAME resource record that is named Dsa_Guid._msdcs.Dns_Domain_Name.
- A corresponding A resource record for the name of the DNS server that is identified as the target host in the CNAME record.
If the resource records do not exist, go to step 6 to diagnose why the Net Logon service did not register the resource records automatically.
- Verify that the DNS Server service that hosts the zone for the Active Directory domain name is configured to accept dynamic updates.
- In the DNS console, right-click the applicable zone, and then click Properties.
- On the General tab, verify that the zone type is Active Directory–integrated.
- In Dynamic Updates, click Secure only. (In Windows 2000 Server, the secure dynamic update option is named Only secure updates.)
- Register DNS resource records in DNS.
The Net Logon service on a domain controller registers the DNS resource records that are required for the domain controller to be located in the network. To manually initiate this registration on the source domain controller, type the following at a command prompt, and then press ENTER after each command:
net stop "net logon"
net start "net logon"
The DNS Client service registers the host (A) resource record that the CNAME record points to. To initiate this registration on the source domain controller, type ipconfig /registerdns at a command prompt, and then press ENTER.
- Verify resource record registration.
To verify that the records were registered successfully, go to step 5, "Verify that the resource record is registered."
- Force replication on the source and destination domain controllers.
- On the destination domain controller, open Active Directory Sites and Services.
- In the console tree, click NTDS Settings for the domain controller that you want to force replication on.
- In the details pane, right-click the connection that you want to use to replicate directory information, and then click Replicate Now.
- Investigate other problems.
If the previous steps do not resolve the errors, a domain controller may not be able to dynamically register its DNS resource records because the DNS servers that the domain controller uses for name resolution cannot find a primary authoritative zone for these resource records. In this case, there are two possible causes:
- The preferred or alternate DNS servers that are used by the destination domain controller for name resolution contain incorrect root hints. For information about updating the root hints, visit the following Microsoft Web site: http://technet2.microsoft.com/windowsserver/en/library/7b69b6f9-f25e-4594-a04b-f08f3effa2031033.mspx
- There are incorrect delegations in the DNS zones. These delegations start at the root and descend to the zone with the same name as the Active Directory domain name. For information about verifying the zone delegations, visit the following Microsoft Web site: