Troubleshooting Active Directory replication failures that occur because of DNS lookup failures, event ID 2087, or event ID 2088

This article describes an action plan for administrators and for support professionals to follow when domain controllers that are running Microsoft Windows 2000 or Microsoft Windows Server 2003 cannot replicate Active Directory because of DNS lookup failures. Administrators who are troubleshooting replication or other component failures that occur because of a lack of DNS name resolution should follow this action plan.

This article also discusses two new events, event ID 2087 and event ID 2088, that are logged by destination domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1). These events occur when a lack of DNS name resolution prevents the inbound replication of Active Directory directory service partitions. More significantly, in this problem scenario, Windows Server 2003 SP1-based destination domain controllers will use the source domain controller's fully qualified domain name in DNS or the source domain controller's NetBIOS computer name in Windows Internet Name Service (WINS). The goal of the enhancements in Windows Server 2003 is to minimize the effect of DNS client or DNS server configuration errors on Active Directory replication.

On a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller, the following event messages may be logged in the Directory Service event log.

Message 1

Type: Error
Source: NTDS Replication
Category: DS RPC Client
Event ID: 2087
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ComputerName
Description:
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

Source domain controller: DomainControllerName
Failing DNS host name: GUID._msdcs.DNSDomainName

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449: http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.

Message 2

Type: Warning
Source: NTDS Replication
Category: DS RPC Client
Event ID: 2088
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ComputerName
Description:
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name: AlternateServerName
Failing DNS host name: GUID._msdcs.DNSDomainName

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449: http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.

Event ID 2087 occurs when Active Directory replication has failed because of a DNS or a NetBIOS lookup failure. Specifically, the domain controller that logged event ID 2087 was not able to resolve a replication partner's IP address by using one of the following:

• The CNAME resource record
• The fully qualified computer name in DNS
• The NetBIOS computer name

Because the domain controller that logs the event cannot perform inbound replication, Active Directory data may be inconsistent among domain controllers. For example, user and computer group information may be inconsistent.

Event ID 2088 occurs when the following conditions are true:

• Active Directory replication cannot resolve the replication partner�s CNAME resource record to an IP address by using DNS.
• Active Directory can resolve the replication partner�s IP address by using the partner's fully qualified computer name in DNS or by using the partner's NetBIOS computer name in a WINS or in a NetBIOS broadcast.

Note Even if NetBIOS name resolution succeeds, all DNS name resolution failures must be investigated and resolved, as DNS configuration errors can cause Active Directory functions to fail.

DNS lookup problems may cause Active Directory replication to fail in one of the following ways:

• Case 1: A domain controller tries to replicate with another domain controller that is offline, and Active Directory and DNS data for the offline domain controller has not been updated or deleted to indicate that the domain controller is inaccessible.
• Case 2: A domain controller tries to replicate with another domain controller that is online, but because of DNS or networking issues, the domain controllers cannot locate each other.

All domain controllers register SRV, A, and CNAME records in DNS. The CNAME record is of the form Dsa_Guid._msdcs.Dns_Domain_Name. Dsa_Guid is the GUID of the directory system agent (DSA) object for the domain controller. Dns_Domain_Name is the name of the forest where the domain controller is located. Domain controllers require the CNAME record to locate and to identify their replication partners.

The Net Logon service on the domain controller registers all the SRV records. The DNS Client service on the domain controller registers the DNS host (A) record and the GUID CNAME record.

A domain controller uses the following steps to locate its replication partner:

1. The domain controller uses DNS to look for the CNAME record of its replication partner.
2. If the lookup is unsuccessful, the domain controller looks for the DNS A record of its replication partner. For example, the domain controller looks for dc-03.corp.contoso.com.
3. If the DNS A record lookup is unsuccessful, the domain controller performs a NetBIOS broadcast by using the host name of its replication partner. For example, the domain controller uses dc-03.

Case 1

To remove Active Directory and DNS data that is left behind by a domain controller that is no longer in use, follow the procedure in the following Microsoft Knowledge Base article:If the domain controller must be online, resolve the blocking issue, and then put the domain controller back online. When you restart the domain controller, you automatically register Active Directory and DNS data that is required for Active Directory replication with the destination domain controller.

If you do not want to restart the domain controller, but you want to reregister its DNS records, go to step 7, "Register Resource Records in DNS."

Case 2

If replication does not occur because a destination domain controller cannot resolve the DNS name of a replication partner, you must diagnose DNS and network connectivity problems to determine the source of the failure.

To diagnose and to fix DNS support for Active Directory replication, follow these steps:

1. Gather information.
   
   You must have the following information to diagnose and to fix DNS support for Active Directory replication and other operations that depend on DNS:
   • The fully qualified domain name (FQDN) and IP address of the source domain controller.
   • The FQDN and IP address of the DNS server that hosts the DNS zone for the Active Directory domain name.
   Note Domain controller and DNS server information may be the same if the domain controller is also running the DNS Server service that hosts the DNS zone for the Active Directory domain name.
2. Verify network connection settings.
   1. On the domain controller that is reporting the error, click Network Connections in Control Panel.
   2. Right-click the network connection that you want to configure, and then click Properties.
   3. On the General tab for a local area connection or on the Networking tab for all other connections, click Internet Protocol (TCP/IP), and then click Properties.
   4. In Use the following DNS server addresses, verify that the preferred DNS server or the alternate DNS server have the correct IP address of the DNS server that hosts the DNS zone for the Active Directory domain name.
      
      Note We recommend that the preferred DNS server for the domain controller is located in a hub site that is local or well-connected. If you use such a hub site, you reduce replication latency.
   5. If the IP addresses are correct, go to step 3. If the IP address is incorrect, enter the correct address, and then go to step 7.
3. Verify connectivity.
   
   To verify connectivity, use the ping command on the destination domain controller to find the IP addresses of the source domain controller and of the DNS server.
   On the destination domain controller, type the following at a command prompt, and then press ENTER after each command:
   
   ping IP_Address_of_source_domain_controller
   ping IP_Address_DNS_server
   
   If either command is unsuccessful, a network connectivity error may exist. Contact the network administrator to diagnose and to fix this error. If both commands are successful, the error exists in DNS.
4. Verify that the DNS Server service is running.
   
   If the destination domain controller is configured to use a local DNS server, verify that the DNS Server service is running. To do this, type net start �DNS Server� at a command prompt, and then press ENTER.
   
   If the DNS Server service is running, a message appears that indicates that the service is running. If the DNS Server service is installed, but the service is not running, the command starts the DNS Server service.
   
   If the DNS Server service is not installed, a message appears that indicates that the server name is not valid. If the destination domain controller is configured to use a remote DNS server, use the DNS console to start the DNS Server service. To do this, follow these steps:
   1. Open the DNS console.
   2. On the Action menu, click Connect To DNS Server.
   3. In Connect to DNS Server, click The following computer.
   4. To connect to a remote server, specify either the remote server's DNS computer name or its IP address.
   5. Click to select the Connect to the specified computer now check box, and then click OK.
   6. On the Action menu, point to All Tasks, and then click Start.
5. Verify that the resource record is registered.
   
   The destination domain controller uses the DNS CNAME resource record, Dsa_Guid._msdcs.Dns_Domain_Name, to locate its source domain controller replication partner. To verify that this resource record is in the DNS zone for the Active Directory domain name, follow these steps:
   1. Open the DNS console in the console tree. Locate any domain controller that is running the DNS Server service, where the service hosts the DNS zone with the same name as the Active Directory domain name.
   2. In the console tree, click the zone that is named _msdcs.Dns_Domain_Name.
      
      In Windows 2000 Server DNS, _msdcs.Dns_Domain_Name is a subdomain of the DNS zone for the Active Directory domain name. In Windows Server 2003, _msdcs.Dns_Domain_Name is a separate zone.
   The zone that is named _msdcs.Dns_Domain_Name must contain the following:
   • A CNAME resource record that is named Dsa_Guid._msdcs.Dns_Domain_Name.
   • A corresponding A resource record for the name of the DNS server that is identified as the target host in the CNAME record.
   
   
   If the resource records do not exist, go to step 6 to diagnose why the Net Logon service did not register the resource records automatically.
6. Verify that the DNS Server service that hosts the zone for the Active Directory domain name is configured to accept dynamic updates.
   1. In the DNS console, right-click the applicable zone, and then click Properties.
   2. On the General tab, verify that the zone type is Active Directory�integrated.
   3. In Dynamic Updates, click secure only. (In Windows 2000 Server, the secure dynamic update option is named Only secure updates.)
7. Register DNS resource records in DNS.
   
   The Net Logon service on a domain controller registers the DNS resource records that are required for the domain controller to be located in the network. To manually initiate this registration on the source domain controller, type the following at a command prompt, and then press ENTER after each command:
   
   net stop "net logon"
   
   net start "net logon"
   
   The DNS Client service registers the host (A) resource record that the CNAME record points to. To initiate this registration on the source domain controller, type ipconfig /registerdns at a command prompt, and then press ENTER.
8. Verify resource record registration.
   
   To verify that the records were registered successfully, go to step 5, �Verify that the resource record is registered."
9. Force replication on the source and destination domain controllers.
   1. On the destination domain controller, open Active Directory Sites and Services.
   2. In the console tree, click NTDS Settings for the domain controller that you want to force replication on.
   3. In the details pane, right-click the connection that you want to use to replicate directory information, and then click Replicate Now.
   You can also use the repadmin and replmon command-line tools. These tools are available on your Windows Server 2003 installation CD. (The repadmin command is repadmin /syncall /d /e /P source_domain_controller.)
10. Investigate other problems.
    
    If the previous steps do not resolve the errors, a domain controller may not be able to dynamically register its DNS resource records because the DNS servers that the domain controller uses for name resolution cannot find a primary authoritative zone for these resource records. In this case, there are two possible causes:
    • The preferred or alternate DNS servers that are used by the destination domain controller for name resolution contain incorrect root hints. For information about updating the root hints, visit the following Microsoft Web sites:
      http://technet2.microsoft.com/windowsserver/en/library/7b69b6f9-f25e-4594-a04b-f08f3effa2031033.mspx
      http://technet2.microsoft.com/windowsserver/en/library/3e3d2262-518f-4e97-a5cb-737ed52d2cd91033.mspx
    • There are incorrect delegations in the DNS zones. These delegations start at the root and descend to the zone with the same name as the Active Directory domain name. For information about verifying the zone delegations, visit the following Microsoft Web site:
      http://technet2.microsoft.com/windowsserver/en/library/977fa8ed-ec71-4d39-9f9e-9facd5a613641033.mspx
      .

You can also use the Netdiag.exe and Dcdiag.exe command-line tools to troubleshoot DNS and Active Directory infrastructure issues. Both tools are available online or on the Windows Server 2003 installation CD. To download these tools, visit the Windows Server 2003 Resource Kit Tools Web page: