Adding AD Integrated DNS role on 'one' W2K8R2 DC (2008R2 FFL/DFL domain) breaks LDAP (port 389).


Hello,

We have had an issue when attempting to migrate/test AD integrated DNS on one of our DCs.

Our environment:
1 parent domain (2 x W2K8R2 DCs)
1 child domain (3 x W2K8R2 DCs)

As soon as we add the DNS service to one of the DCs, kaboom! LDAP on 389 is no longer usable by our enterprise apps.
We've tried the same thing when adding an additional DC (promoting a new/additional DC) with the DNS role installed. Same exact global effect!

Any Microsoft engineer out there who knows (in depth) the DNS & AD LDAP architecture able to answer this question?

BTW, the way to roll back is the following:
1) Remove the DNS role from the DC
2) Delete the GUID (using ADSI Edit) from: Configuration -> CN=Configuration... -> CN=Partitions...

As soon as step 2 is completed, LDAP on 389 is working OK.

What's happening?
389 is accepting connections but unable to bind (authentication on 389 broken?)

Unfortunately we did not get a chance to test LDAP over SSL (port 636) while we had the issue. Nor did we get a chance to test a 389 basic bind & test using ldp.exe.

Any skilled help is appreciated.

Thanks!


What GUID in step #2 did you delete?

.

What you're describing can be attributed to a poorly designed parent-child DNS resolving infrastructure. I've seen it in the past. When you add DNS, it does not block 389, or anything else for that matter. My feeling is that when you added DNS, you may have added a zone manually. If that's the case, a duplicate zone gets created that doesn't have the resources to "find" the DC.

.

How is the parent-child DNS infrastructure designed? Read the following for specifics, and let me know which scenario you've followed.

DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

.

Also, do you have duplicate zones? I realized you were already in ADSI Edit, but I'm not sure which GUID you've deleted. If you're implying it's a duplicate zone GUID, called either "InProgress...{GUID}" or "CNF...{GUID}," then yes, those are duplicate zones. That tells me that more than likely the zone was manually created, and you didn't "wait" for the zone to auto-appear.

Now if the zone does not auto-appear, such as after promotion, or if it never appeared after the DC has been up and running, that tells me there is a bigger problem, such as an AD replication issue, or DNS not designed properly, or both, since a bad DNS design will cause replication problems.

Read the following for more specifics:

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS Zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

.

Also, please post an ipconfig /all of the 2 parent DCs and the 3 child DCs. Between that info, and letting me know how you've designed DNS between the 2 domains, we can determine what the issue is.

.

Ace

.


Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
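As an added diagnostic example (not code from the thread or its author): the script below lists the dnsZone objects in the DomainDnsZones and ForestDnsZones partitions, flags the "CNF:" / "InProgress" conflict duplicates the reply describes together with any zone name that appears twice in one partition, and then checks the symptom from the question by attempting an authenticated LDAP bind on 389 and 636. It assumes the RSAT ActiveDirectory module, a domain account, and a placeholder DC name in `$dc`; it only reads, it deletes nothing.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc = 'dc1.child.example.local'   # placeholder: the DC that just got the DNS role

function Get-DnsZoneObjects {
    param([string]$PartitionDn, [string]$Server)
    # dnsZone objects sit directly under CN=MicrosoftDNS in each DNS application partition
    Get-ADObject -Server $Server -SearchBase "CN=MicrosoftDNS,$PartitionDn" `
        -SearchScope OneLevel -LDAPFilter '(objectClass=dnsZone)' `
        -Properties whenCreated, whenChanged |
        Select-Object Name, whenCreated, whenChanged, DistinguishedName,
            @{n='Partition'; e={ $PartitionDn }},
            @{n='Conflict';  e={ $_.Name -match 'CNF:|InProgress' }}
}

$domainDn   = (Get-ADDomain).DistinguishedName
$rootDomain = (Get-ADForest).RootDomain
$forestDn   = (Get-ADDomain -Identity $rootDomain).DistinguishedName

$zones = @(Get-DnsZoneObjects -PartitionDn "DC=DomainDnsZones,$domainDn" -Server $dc) +
         @(Get-DnsZoneObjects -PartitionDn "DC=ForestDnsZones,$forestDn" -Server $rootDomain)

# Conflict-named objects and zone names present more than once in one partition are
# the duplicate zones described above; they are listed for inspection, never deleted.
$zones | Where-Object { $_.Conflict } | Format-Table Name, Partition, whenCreated -AutoSize
$zones | Group-Object Partition, Name | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count

function Test-LdapBind {
    param([string]$Server, [int]$Port, [switch]$Ssl)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$Ssl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # Bind() with no credentials authenticates as the current user
    try     { $conn.Bind(); "$Server`:$Port bind OK (current user)" }
    catch   { "$Server`:$Port bind FAILED: $($_.Exception.Message)" }
    finally { $conn.Dispose() }
}

# The question's symptom is a TCP connect that succeeds while the bind fails.
Test-LdapBind -Server $dc -Port 389
Test-LdapBind -Server $dc -Port 636 -Ssl
```

Run it once before and once after adding the DNS role so the zone list and bind results can be compared directly.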
