Event ID 2087: DNS lookup failure caused replication to fail
Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 2087
Date: 3/9/2005
Time: 11:00:21 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC3
Description:
Active Directory could not resolve the following DNS host name of
the source domain controller to an IP address. This error prevents
additions, deletions and changes in Active Directory from replicating
between one or more domain controllers in the forest. Security
groups, group policy, users and computers and their passwords will
be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access
to network resources.
Source domain controller:
dc2
Failing DNS host name:
b0069e56-b19c-438a-8a1f-64866374dd6e._msdcs.contoso.com
NOTE: By default, only up to 10 DNS failures are shown for any
given 12 hour period, even if more than 10 failures occur. To
log all individual failure events, set the following diagnostics
registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
1) If the source domain controller is no longer functioning or
its operating system has been reinstalled with a different
computer name or NTDSDSA object GUID, remove the source domain
controller's metadata with ntdsutil.exe, using the steps outlined
in MSKB article 216498.
2) Confirm that the source domain controller is running Active
Directory and is accessible on the network by typing
"net view \\<source DC name>" or "ping <source DC name>".
3) Verify that the source domain controller is using a valid
DNS server for DNS services, and that the source domain
controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE
available on http://www.microsoft.com/dns
dcdiag /test:dns
4) Verify that this destination domain controller is using
a valid DNS server for DNS services, by running the DNS Enhanced
version of DCDIAG.EXE command on the console of the destination
domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures, see MSKB article 824449.
Cause:
Failure to resolve the current CNAME resource record of the source domain controller to an IP address can have the following causes:
The source domain controller is powered off, is offline, or resides on an isolated network, and Active Directory and Domain Name System (DNS) data for the offline domain controller has not been deleted to indicate that the domain controller is inaccessible.
One of the following conditions exists:
The source domain controller has not registered its resource records in DNS.
The destination domain controller is configured to use an invalid DNS server.
The source domain controller is configured to use an invalid DNS server.
The DNS server that is used by the source domain controller does not host the correct zones or the zones are not configured to accept dynamic updates.
The direct DNS servers that are queried by the destination domain controller cannot resolve the IP address of the source domain controller as a result of nonexistent or invalid forwarders or delegations.
Active Directory has been removed on the source domain controller and then reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID has not reached the destination domain controller.
Active Directory has been removed on the source domain controller and then reinstalled with a different IP address, but the current host address (A) resource record for the IP address of the source domain controller is either not registered or does not exist on the DNS servers that are queried by the destination domain controller as a result of replication latency or replication error.
The operating system of the source domain controller has been reinstalled with a different computer name, but its metadata either has not been removed or has been removed and not yet inbound-replicated by the destination domain controller.
Resolution:
First, determine whether the source domain controller is functioning. If the source domain controller is not functioning, remove its remaining metadata from Active Directory.
If the source domain controller is functioning, continue with procedures to diagnose and solve the DNS problem, as needed:
Use Dcdiag to diagnose DNS problems.
Register DNS SRV resource records plus host records.
Synchronize replication between the source and destination domain controllers.
Verify consistency of the NTDS Settings GUID.
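As an added example (not part of the original article), the following PowerShell performs the DNS check that these procedures describe for every domain controller in the forest: it reads each DC's NTDS Settings objectGUID, builds the GUID._msdcs.ForestRoot CNAME that event 2087 reports as failing, and confirms that the CNAME resolves through to the IP address Active Directory holds for that DC. It assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined host; the $dnsServer variable is a hypothetical knob for testing a specific resolver.

```powershell
# Added example, not code from the original article. Checks the
# <NTDS Settings GUID>._msdcs.<forest root> CNAME of every DC, i.e. the
# name that event 2087 lists under "Failing DNS host name".
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain   # _msdcs zone hangs off the forest root
$dnsServer  = $null                       # hypothetical: set to test a specific DNS server

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # The left-most label of the CNAME is the objectGUID of the NTDS Settings object,
    # so a reinstalled DC with a new GUID changes the name the destination must resolve.
    $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $cname = '{0}._msdcs.{1}' -f $ntds.ObjectGUID, $forestRoot
    $status = 'OK'; $target = $null; $resolved = $null
    try {
        $params = @{ Name = $cname; Type = 'CNAME'; ErrorAction = 'Stop' }
        if ($dnsServer) { $params.Server = $dnsServer }
        # Step 1: CNAME must exist and point at the DC's host name
        $target = (Resolve-DnsName @params | Where-Object Type -eq 'CNAME').NameHost
        if (-not $target) { throw 'no CNAME record in _msdcs' }
        # Step 2: the host name must have an A record, and it should match what AD knows
        $params.Name = $target; $params.Type = 'A'
        $resolved = (Resolve-DnsName @params | Where-Object Type -eq 'A').IPAddress
        if (-not $resolved) { throw 'CNAME target has no host (A) record' }
        elseif ($resolved -notcontains $dc.IPv4Address) { $status = 'IP MISMATCH' }
    } catch {
        $status = "FAIL: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DC = $dc.HostName; Cname = $cname; Target = $target
        ResolvedIP = ($resolved -join ','); ADIP = $dc.IPv4Address; Status = $status
    }
}
$results | Format-Table -AutoSize
```

A missing CNAME points at unregistered records or a stale NTDS Settings GUID, a missing A record at an unregistered host record, and an IP mismatch at a DC that was reinstalled with a different address; each maps to one of the causes listed above.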
Determine Whether a Domain Controller Is Functioning
To determine whether the source domain controller is functioning, use the following test.
Requirements
Administrative credentials: To complete this procedure, you must be a member of the Domain Users group in the domain of the domain controller.
Tools: Net view
To determine whether a domain controller is functioning
To confirm that the domain controller is running Active Directory and is accessible on the network, at a command prompt type the following command, and then press ENTER:
net view \\SourceDomainControllerName
where SourceDomainControllerName is the NetBIOS name of the domain controller.
This command displays the Netlogon and SYSVOL shares, indicating that the server is functioning as a domain controller. If this test shows that the domain controller is not functioning on the network, determine the nature of the disconnection and whether the domain controller can be recovered or whether its metadata must be removed from Active Directory manually. If the domain controller is not functioning and cannot be restored, use the procedure in the following section, "Clean Up Domain Controller Metadata," to delete the data from Active Directory that is associated with that server.
Clean Up Domain Controller Metadata
If tests show that the domain controller is no longer functioning but you still see objects representing the domain controller in Active Directory Sites and Services, replication will continue to be attempted, and you must remove these objects from Active Directory manually. You must use Ntdsutil to clean up (delete) the metadata for the defunct domain controller.
If the defunct domain controller is the last domain controller in the domain, you should also remove the metadata for the domain. Allow sufficient time for all global catalog servers in the forest to inbound-replicate the domain deletion before promoting a new domain with the same name.
The process for cleaning up metadata is improved in the version of Ntdsutil that is included with Windows Server 2003 SP1. Instructions for cleaning up metadata with the Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of Ntdsutil are provided in the following procedure.
Requirements
Administrative credentials: To complete this procedure, you must be a member of the Enterprise Admins group.
Tools: Ntdsutil (System32 command-line tool)
To clean up server metadata
Open a Command Prompt.
Type the following command, and then press ENTER:
ntdsutil
At the ntdsutil: command prompt, type the following command, and then press ENTER:
metadata cleanup
Perform metadata cleanup as follows:
If you are performing server metadata cleanup only and you are using the version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the metadata cleanup: command prompt, type the following, and then press ENTER:
remove selected server ServerName
Or
remove selected server ServerName1 on ServerName2
Value: ServerName, ServerName1
Description: The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain
Value: ServerName2
Description: The DNS name of the domain controller to which you want to connect and from which you want to remove server metadata
If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 with no service pack, or if you are performing both domain metadata cleanup and server metadata cleanup, perform metadata cleanup as follows:
At the metadata cleanup: command prompt, type the following command, and then press ENTER:
connection
At the server connections: command prompt, type the following command, and then press ENTER:
connect to server Server
At the connection: command prompt, type the following command, and then press ENTER:
quit
At the metadata cleanup: command prompt, type the following command, and then press ENTER:
select operation target
At the select operation target: command prompt, type the following command, and then press ENTER:
list sites
A numbered list of sites appears. Type the following command, and then press ENTER:
select site SiteNumber
At the select operation target: command prompt, type the following command, and then press ENTER:
list domains in site
A numbered list of domains in the selected site appears. Type the following command, and then press ENTER:
select domain DomainNumber
At the select operation target: command prompt, type the following command, and then press ENTER:
list servers in site
A numbered list of servers in a domain and site is displayed. Type the following command, and then press ENTER:
select server ServerNumber
At the select operation target: command prompt, type the following command, and then press ENTER:
quit
At the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected server
If the server whose metadata you have removed is the last domain controller in the domain and you want to remove the domain metadata, at the metadata cleanup: command prompt, type the following command, and then press ENTER:
remove selected domain
Metadata for the domain that you selected earlier with the select domain command is removed.
At the metadata cleanup: and ntdsutil: command prompts, type quit, and then press ENTER.