Monday, 12 August 2013

[Windows Server 2012] Issues with Active Directory in a Lab environment - Part 1


Active Directory is a great feature in Windows Server. However, imagine you lose or crash your DCs during tests.
In this series, I will share my own experience and show how to solve these troubles.

1. The DNS server is waiting for Active Directory - KB 2001093
2. DFSR JET database is not shut down cleanly
3. This server has been disconnected from other partners for 60 days
4. The DFS Replication service failed to register the WMI providers


1. The DNS server is waiting for Active Directory


Symptoms
At first, the DNS server located on your Domain Controller does not start.
You can also notice that the computer takes a long time to boot and to log on.

In the event logs, you get Event ID 4013:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller...

Cause and Resolution
The domain controller first tries to complete an inbound replication. In an attempt to start with the latest DNS zone contents, DNS servers hosting AD-integrated copies of DNS zones delay starting the DNS service until that initial synchronization has completed. With a single DC in the lab, or when the replication partners are unreachable, that synchronization never completes and the DNS service keeps waiting.

If you have several domain controllers, Microsoft recommends configuring another DNS server as the preferred DNS server and the DC itself only as an additional alternate DNS server.


In a lab environment, you can bypass the initial synchronization requirement in Active Directory by setting the REG_DWORD value Repl Perform Initial Synchronizations under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to 0. However, that configuration is not recommended in a production environment: the DC then starts its services without waiting for the latest directory data, so DNS may load stale zone contents.


To get more information, read KB 2001093 Troubleshooting DNS Event ID 4013: The DNS server was unable to load AD integrated DNS zones.

In particular, note the following best practices:
Domain controllers hosting AD-integrated DNS zones should not point to a single domain controller, and especially not only to themselves, as preferred DNS server for name resolution.
Configuring domain controllers to point to a single DNS server's IP address, including the 127.0.0.1 loopback address, represents a single point of failure. This is somewhat tolerable in a forest with only one domain controller but not in forests with multiple domain controllers.
Hub-site domain controllers should point to DNS servers in the same site as preferred and alternate DNS servers, and then finally to themselves as an additional alternate DNS server.
Branch-site domain controllers should configure the preferred DNS server IP address to point to a hub-site DNS server, the alternate DNS server IP address to point to an in-site DNS server or one in the closest available site, and finally to themselves using the 127.0.0.1 loopback address or their current static IP address.
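As an added example (not from the original post), the following PowerShell script audits a DC's DNS client settings against the best practices above, reports whether the lab-only initial-synchronization override is set to 0, and lists recent Event ID 4013 entries. It assumes it is run elevated on the DC itself (Windows Server 2012 or later) and only reads configuration; it changes nothing.

```powershell
# Added example, not from the original post. Read-only audit of a DC's DNS
# client configuration, the lab-only NTDS override, and DNS Event ID 4013.
# Assumption: run in an elevated PowerShell session on the DC itself.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'Repl Perform Initial Synchronizations'

# Every IPv4 address of this host (plus loopback) counts as "pointing to itself"
$selfAddresses = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress) + '127.0.0.1'

foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $servers = @($nic.ServerAddresses)
    if ($servers.Count -eq 0) { continue }   # interface without DNS servers
    Write-Host "Interface $($nic.InterfaceAlias): $($servers -join ', ')"

    # Best practice 1: the preferred DNS server must not be this DC (or loopback)
    if ($selfAddresses -contains $servers[0]) {
        Write-Warning "  preferred DNS points to this DC; list another DNS server first"
    }
    # Best practice 2: a single DNS server address is a single point of failure
    if ($servers.Count -lt 2) {
        Write-Warning "  only one DNS server configured; add an alternate"
    }
    # Best practice 3: the DC should still appear, but only as a later alternate
    if (-not ($servers | Where-Object { $selfAddresses -contains $_ })) {
        Write-Warning "  this DC is not listed at all; add it as an additional alternate"
    }
}

# Lab-only override: 0 disables the wait for initial synchronization.
# Flag it so the setting does not survive into production.
$override = (Get-ItemProperty -Path $ntdsParams -Name $valueName `
             -ErrorAction SilentlyContinue).$valueName
if ($override -eq 0) {
    Write-Warning "'$valueName' is 0: initial synchronization is bypassed (lab only)"
} else {
    Write-Host "'$valueName' is not 0: initial synchronization is enforced (default)"
}

# Evidence of the symptom: the DNS Server log's most recent Event ID 4013 entries
$events = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4013 } `
          -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    Write-Host "Recent Event ID 4013 entries (DNS waiting for AD DS):"
    $events | ForEach-Object { Write-Host "  $($_.TimeCreated)" }
}
```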



See you soon
Julien
