Windows-Expert.com
Find Windows Problems and Solutions
 
Upgrading 32-bit AD to 64-bit - FSMO problem

SrdjanM (Guest)
Posted: Wed Sep 24, 2008 7:10 am    Post subject: Upgrading 32-bit AD to 64-bit - FSMO problem

Hi everyone,

Sorry for the length of this post, but I will try to describe the problem in
detail.

Starting point:
2 Windows 2003 Server SP1 DC's - EX-DC1 and EX-DC2.
EX-DC2 also hosts Exchange Server 2003.
Both DC's also host an Active Directory DNS zone.

Goal:
Introduce 2 new Windows Server 2003 R2 SP2 DC's.

I knew that I first need to upgrade AD schema to R2 level, from version 30
(Win2003 SP1) to version 31 (R2).

As this is a production environment, I didn't want to apply Windows SP2 to
existing DC's before running adprep from R2 disk 2.

Instead, I decided to promote another Windows 2003 Server with SP2 (not
R2!!!), move Schema Owner and Infrastructure Master (IM) roles to it, and
then run forestprep and domainprep on this server. Once this has been
completed, I would join R2 servers to domain, and then promote them to DC's.

So, I promoted Windows 2003 Server with SP2 as new DC and named it EX-DC3.
No DNS zone hosted on it, but it uses EX-DC1 and EX-DC2 as primary and
secondary nameservers.

At this point I have 3 DC's - EX-DC1 (Schema owner), EX-DC2 (Infrastructure
Master) and EX-DC3.

Steps:

1. I transferred Schema Owner role from EX-DC1 to EX-DC3 - no problem.
2. Ran adprep /forestprep on EX-DC3 - no problem.
3. Attempted to transfer IM role from EX-DC2 to EX-DC3 - Error occurred. It
asked me if it should attempt a forceful transfer, I clicked No. This step
was done from ADUC on EX-DC3.

Current situation:
- ADUC on all 3 DC's states ERROR for IM role. The option to change this
role is disabled in ADUC on all 3 DC's.
- netdom query /Domain:blahblah FSMO - for some reason, this command can be
executed only on EX-DC3, and it reports that EX-DC2 is IM.
- replmon on EX-DC1 and EX-DC2 reports that IM is EX-DC3. However, replmon
on EX-DC3 reports that IM is EX-DC2.
- ntdsutil on EX-DC1 and EX-DC2 reports that IM is EX-DC3. However, ntdsutil
on EX-DC3 reports that IM is EX-DC2.

All in all, EX-DC1 and EX-DC2 think that IM is on EX-DC3, while EX-DC3
thinks that IM is on EX-DC2.

The only thing I tried in the meantime was to transfer IM role to EX-DC3 by
using ntdsutil on EX-DC2 and EX-DC3 but it reports the following error:

ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210333, problem 5002
(UNAVAILABLE), data 8418

Win32 error returned is 0x20af(The requested FSMO operation failed. The
current FSMO holder could not be contacted.)

The account I used is an Enterprise Admin & Schema Admin & Domain Admin.

So - what do I do next? I guess that I should try to seize IM role, but this
is my last resort. Do you guys have any suggestions?

Paul Bergson [MVP-DS] (Guest)
Posted: Wed Sep 24, 2008 10:28 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

I'm not sure what specifically is going on but I would run diagnostics for
starters since there appear to be issues communicating between the dc's.
Very possibly dns.

Post the ipconfig /all of the three dc's as well as the following:

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account that slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

SrdjanM (Guest)
Posted: Wed Sep 24, 2008 11:47 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

Thank you so much Paul. Here is the IPCONFIG info from all 3 DCs:

EX-DC1

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc1
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net

Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-EF-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211

Ethernet adapter PUBLIC:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100)
Physical Address. . . . . . . . . : 00-D0-B7-B6-BA-DF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.211
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled


EX-DC2

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc2
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Ethernet adapter PUBLIC:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82559 Fast Ethernet LAN on
Motherboard
Physical Address. . . . . . . . . : 00-D0-B7-A7-5E-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.212
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-F0-A9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.100.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211


EX-DC3

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc3
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net

Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100) #2
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-11
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.217
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter INTERNET:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100)
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.217
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212


I could not find the link to download your script, so I executed all tests
manually. Basically, I found errors and warnings in dcdiag.log only. Warnings
regarding EX-DC3 replication look interesting...anyway, I will paste only
errors and warnings, please let me know if you need complete log:

EX-DC1

Starting test: Topology

* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test Topology

Starting test: CutoffServers

* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test CutoffServers

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important
DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... EX-DC1 failed test
VerifyEnterpriseReferences


=====================

EX-DC2


Starting test: Topology
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test Topology

Starting test: CutoffServers
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test CutoffServers

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important
DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... EX-DC2 failed test
VerifyEnterpriseReferences


=====================

EX-DC3


Testing server: Default-First-Site-Name\EX-DC3
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net has 3
cursors.
CN=Configuration,DC=exchange,DC=datagate,DC=net has 3 cursors.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be delayed.
DC=exchange,DC=datagate,DC=net has 3 cursors.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be delayed.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
EX-DC3: Current time is 2008-09-24 13:40:34.
CN=Configuration,DC=exchange,DC=datagate,DC=net
Last replication recieved from EX-DC1 at 2008-09-23 13:09:17.
Last replication recieved from EX-DC2 at 2008-09-23 13:10:51.
DC=exchange,DC=datagate,DC=net
Last replication recieved from EX-DC1 at 2008-09-23 13:10:42.
Last replication recieved from EX-DC2 at 2008-09-23 13:10:51.
* Replication Site Latency Check
Site Settings = CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=exchange,DC=datagate,DC=net
[0x904de,v=55782,t=2008-09-24
13:08:49,g=6c5dcccf-4784-4cd0-8ff3-5fca84c19580,orig=47740,local=47740]
Elapsed time (sec) = 1907
......................... EX-DC3 passed test Replications

Starting test: ObjectsReplicated
EX-DC3 is in domain DC=exchange,DC=datagate,DC=net
Checking for CN=EX-DC3,OU=Domain
Controllers,DC=exchange,DC=datagate,DC=net in domain
DC=exchange,DC=datagate,DC=net on 3 servers
Authoritative attribute nTSecurityDescriptor on EX-DC3 (writeable)
usnLocalChange = 20482
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20482
timeLastOriginatingChange = 2008-09-23 13:05:45
VersionLastOriginatingChange = 2
Out-of-date attribute nTSecurityDescriptor on EX-DC1 (writeable)
usnLocalChange = 11152317
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 11152317
timeLastOriginatingChange = 2006-05-15 15:53:40
VersionLastOriginatingChange = 1
Out-of-date attribute nTSecurityDescriptor on EX-DC2 (writeable)
usnLocalChange = 10920641
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 11152317
timeLastOriginatingChange = 2006-05-15 15:53:40
VersionLastOriginatingChange = 1
Authoritative attribute servicePrincipalName on EX-DC3 (writeable)
usnLocalChange = 20519
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20519
timeLastOriginatingChange = 2008-09-23 13:06:36
VersionLastOriginatingChange = 20
Out-of-date attribute servicePrincipalName on EX-DC2 (writeable)
usnLocalChange = 31531976
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428219
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 19
Out-of-date attribute servicePrincipalName on EX-DC1 (writeable)
usnLocalChange = 33428219
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428219
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 19
Checking for CN=NTDS
Settings,CN=EX-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=exchange,DC=datagate,DC=net
in domain CN=Configuration,DC=exchange,DC=datagate,DC=net on 3 servers
Authoritative attribute msDS-hasMasterNCs on EX-DC3 (writeable)
usnLocalChange = 20141
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20141
timeLastOriginatingChange = 2008-09-23 13:03:39
VersionLastOriginatingChange = 5
Out-of-date attribute msDS-hasMasterNCs on EX-DC1 (writeable)
usnLocalChange = 33428218
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428218
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 1
Out-of-date attribute msDS-hasMasterNCs on EX-DC2 (writeable)
usnLocalChange = 31531981
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428218
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 1
......................... EX-DC3 failed test ObjectsReplicated

Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/23/2008 16:50:55
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/23/2008 16:50:55
(Event String could not be retrieved)
......................... EX-DC3 failed test frsevent


Once again - thanks a lot.
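
Paul's instruction to search the logs for fail, error and warning messages, applied to the dcdiag excerpts in this post, as an added Python example (not part of the thread; the function names are chosen here). It collects the failed tests per DC and also pulls out replication paths that report a failure reason, because in the output above EX-DC3 is reported as passing the Replications test while both inbound paths cite a schema mismatch.

```python
import re
from datetime import datetime

# Excerpt of the dcdiag output posted above (EX-DC1 and EX-DC3), shortened;
# line wrapping is kept as it appears in the post.
DCDIAG_LOG = """\
Starting test: Topology
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test Topology
Starting test: VerifyEnterpriseReferences
......................... EX-DC1 failed test
VerifyEnterpriseReferences
Starting test: Replications
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be delayed.
REPLICATION-RECEIVED LATENCY WARNING
EX-DC3: Current time is 2008-09-24 13:40:34.
......................... EX-DC3 passed test Replications
Starting test: ObjectsReplicated
......................... EX-DC3 failed test ObjectsReplicated
"""

STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
RESULT = re.compile(r"^\.{5,} (\S+) (passed|failed) test\s*(\S*)$")
PATH = re.compile(r"^from (\S+) to (\S+)$")
LAST_OK = re.compile(r"^The last success occurred at " + STAMP)
NOW = re.compile(r"Current time is " + STAMP)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def triage(log):
    """Return (results, stalled) for one dcdiag /v log.

    results maps (server, test) -> "passed" / "failed".
    stalled lists replication paths that reported a failure reason, even
    when the enclosing Replications test itself was reported as passed.
    """
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    results, paths, now, cur = {}, {}, None, None
    for i, line in enumerate(lines):
        if m := RESULT.match(line):
            # A wrapped verdict leaves the test name on the following line.
            test = m.group(3) or (lines[i + 1] if i + 1 < len(lines) else "?")
            results[(m.group(1), test)] = m.group(2)
        elif m := PATH.match(line):
            cur = {"path": m.groups(), "reason": []}
        elif cur and (m := LAST_OK.match(line)):
            paths[cur["path"]] = (" ".join(cur["reason"]), _ts(m.group(1)))
            cur = None
        elif cur and (cur["reason"] or line.startswith("Reason:")):
            cur["reason"].append(line.split("Reason:", 1)[-1].strip())
        elif m := NOW.search(line):
            now = _ts(m.group(1))
    stalled = []
    for (src, dst), (reason, last_ok) in sorted(paths.items()):
        age = int((now - last_ok).total_seconds() // 60) if now else None
        stalled.append({"from": src, "to": dst, "reason": reason,
                        "stale_minutes": age})
    return results, stalled


if __name__ == "__main__":
    results, stalled = triage(DCDIAG_LOG)
    for (server, test), verdict in results.items():
        if verdict == "failed":
            print(f"FAILED  {server}: {test}")
    for s in stalled:
        print(f"STALLED {s['from']} -> {s['to']} for {s['stale_minutes']} min: {s['reason']}")
```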

Paul Bergson [MVP-DS] (Guest)
Posted: Wed Sep 24, 2008 11:56 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

You have multihomed dc's which is probably the source of your problems.

You need to configure these dc's so they only have 1 nic per dc and forward
all dns requests to your isp. Go no further until this step is completed.

http://support.microsoft.com/?id=323380

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
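
An added example, not part of the thread: Python that parses `ipconfig /all` text of the kind posted above and reports the addressing that makes a DC multihomed. The `EX_DC2` sample is abridged from the post; `ONE_NIC`, the host name ex-dc9 with its addresses, and the function names are constructed here.

```python
import ipaddress
import re

# Abridged from the EX-DC2 output posted above (only the address-bearing
# lines of each adapter are kept).
EX_DC2 = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc2

PPP adapter RAS Server (Dial In) Interface:

IP Address. . . . . . . . . . . . : 192.168.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Ethernet adapter PUBLIC:

IP Address. . . . . . . . . . . . : 62.204.35.212
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212

Ethernet adapter LOCAL:

IP Address. . . . . . . . . . . . : 192.168.1.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.100.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
"""

# Constructed for contrast: a DC left with one NIC and one address.
ONE_NIC = """\
Host Name . . . . . . . . . . . . : ex-dc9

Ethernet adapter LOCAL:

IP Address. . . . . . . . . . . . : 192.168.100.219
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 192.168.100.211
"""

ADAPTER = re.compile(r"^\S.* adapter (.+):$")
FIELD = re.compile(r"^([^:]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return (host, adapters); adapters maps adapter name -> {field: [values]}."""
    host, adapters, fields, last = None, {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := ADAPTER.match(line):
            fields, last = adapters.setdefault(m.group(1), {}), None
        elif m := FIELD.match(line):
            last = fields.setdefault(m.group(1), [])
            if m.group(2):
                last.append(m.group(2))
            if m.group(1) == "Host Name":
                host = m.group(2)
        elif last is not None:
            last.append(line)  # wrapped value, e.g. the second DNS server
    return host, adapters


def review(text):
    """Summarise the addressing of one DC from its ipconfig /all output."""
    host, adapters = parse_ipconfig(text)
    ifaces = [(name, ipaddress.ip_interface(f"{ip}/{mask}"))
              for name, f in adapters.items()
              for ip, mask in zip(f.get("IP Address", []), f.get("Subnet Mask", []))]
    dns = [d for f in adapters.values() for d in f.get("DNS Servers", [])]
    return {
        "host": host,
        "addressed_adapters": sorted({name for name, _ in ifaces}),
        "addresses": [str(i.ip) for _, i in ifaces],
        "public": [str(i.ip) for _, i in ifaces if i.ip.is_global],
        "dns_servers": dns,
        # adapters whose subnet contains one of the configured DNS servers
        "dns_reached_via": sorted({name for name, i in ifaces for d in dns
                                   if ipaddress.ip_address(d) in i.network}),
        "multihomed": len(ifaces) > 1,
    }


if __name__ == "__main__":
    for sample in (EX_DC2, ONE_NIC):
        print(review(sample))
```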
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority
work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be delayed.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
EX-DC3: Current time is 2008-09-24 13:40:34.
CN=Configuration,DC=exchange,DC=datagate,DC=net
Last replication recieved from EX-DC1 at 2008-09-23
13:09:17.
Last replication recieved from EX-DC2 at 2008-09-23
13:10:51.
DC=exchange,DC=datagate,DC=net
Last replication recieved from EX-DC1 at 2008-09-23
13:10:42.
Last replication recieved from EX-DC2 at 2008-09-23
13:10:51.
* Replication Site Latency Check
Site Settings = CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=exchange,DC=datagate,DC=net
[0x904de,v=55782,t=2008-09-24
13:08:49,g=6c5dcccf-4784-4cd0-8ff3-5fca84c19580,orig=47740,local=47740]
Elapsed time (sec) = 1907
......................... EX-DC3 passed test Replications

Starting test: ObjectsReplicated
EX-DC3 is in domain DC=exchange,DC=datagate,DC=net
Checking for CN=EX-DC3,OU=Domain
Controllers,DC=exchange,DC=datagate,DC=net in domain
DC=exchange,DC=datagate,DC=net on 3 servers
Authoritative attribute nTSecurityDescriptor on EX-DC3
(writeable)
usnLocalChange = 20482
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20482
timeLastOriginatingChange = 2008-09-23 13:05:45
VersionLastOriginatingChange = 2
Out-of-date attribute nTSecurityDescriptor on EX-DC1
(writeable)
usnLocalChange = 11152317
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 11152317
timeLastOriginatingChange = 2006-05-15 15:53:40
VersionLastOriginatingChange = 1
Out-of-date attribute nTSecurityDescriptor on EX-DC2
(writeable)
usnLocalChange = 10920641
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 11152317
timeLastOriginatingChange = 2006-05-15 15:53:40
VersionLastOriginatingChange = 1
Authoritative attribute servicePrincipalName on EX-DC3
(writeable)
usnLocalChange = 20519
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20519
timeLastOriginatingChange = 2008-09-23 13:06:36
VersionLastOriginatingChange = 20
Out-of-date attribute servicePrincipalName on EX-DC2
(writeable)
usnLocalChange = 31531976
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428219
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 19
Out-of-date attribute servicePrincipalName on EX-DC1
(writeable)
usnLocalChange = 33428219
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428219
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 19
Checking for CN=NTDS
Settings,CN=EX-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=exchange,DC=datagate,DC=net
in domain CN=Configuration,DC=exchange,DC=datagate,DC=net on 3 servers
Authoritative attribute msDS-hasMasterNCs on EX-DC3 (writeable)
usnLocalChange = 20141
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20141
timeLastOriginatingChange = 2008-09-23 13:03:39
VersionLastOriginatingChange = 5
Out-of-date attribute msDS-hasMasterNCs on EX-DC1 (writeable)
usnLocalChange = 33428218
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428218
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 1
Out-of-date attribute msDS-hasMasterNCs on EX-DC2 (writeable)
usnLocalChange = 31531981
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428218
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 1
......................... EX-DC3 failed test ObjectsReplicated

Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/23/2008 16:50:55
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/23/2008 16:50:55
(Event String could not be retrieved)
......................... EX-DC3 failed test frsevent


Once again - thanks a lot.


"Paul Bergson [MVP-DS]" wrote:

SrdjanM
Guest

Posted: Wed Sep 24, 2008 12:36 pm    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

It's true - all dc's are multihomed, but I can't just remove one nic for a
number of reasons.

I checked the KB article and all recommendations from it have been already
applied to both dc's where I host AD DNS zones.

There is one other thing that I forgot to mention in original post, and that
may be very important. After the error during transfer of IM role, I found
out that EX-DC3 was not configured to register its public NIC in DNS.
Therefore, there was no record of it in either DNS zone. This has been
corrected now. What is confusing here is that transfer of Schema Owner and
adprep /forestprep was not affected by this, they both succeeded.

"Paul Bergson [MVP-DS]" wrote:

Quote:
You have multihomed dc's which is probably the source of your problems.

You need to configure these dc's so they only have 1 nic per dc and forward
all dns requests to your isp. Go no further until this step is completed.

http://support.microsoft.com/?id=323380

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"SrdjanM" <srdjanm@exchange.datagate.net> wrote in message
news:E70ABAA6-427C-4527-96C0-F6ED97FCBB4F@microsoft.com...
Thank you so much Paul. Here is the IPCONFIG info from all 3 DCs:

EX-DC1

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc1
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net

Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-EF-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211

Ethernet adapter PUBLIC:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100)
Physical Address. . . . . . . . . : 00-D0-B7-B6-BA-DF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.211
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled


EX-DC2

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc2
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Ethernet adapter PUBLIC:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82559 Fast Ethernet LAN on
Motherboard
Physical Address. . . . . . . . . : 00-D0-B7-A7-5E-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.212
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-F0-A9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.100.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211


EX-DC3

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc3
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net

Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100) #2
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-11
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.217
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter INTERNET:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100)
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.217
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212


I could not find the link to download your script, so I executed all tests
manually. Basically, I found errors and warnings in dcdiag.log only. Warnings
regarding EX-DC3 replication look interesting...anyway, I will paste only
errors and warnings, please let me know if you need complete log:

EX-DC1

Starting test: Topology

* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test Topology

Starting test: CutoffServers

* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test CutoffServers

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various
important
DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a
given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... EX-DC1 failed test
VerifyEnterpriseReferences


=====================

EX-DC2


Starting test: Topology
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test Topology

Starting test: CutoffServers
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test CutoffServers

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various
important
DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a
given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... EX-DC2 failed test
VerifyEnterpriseReferences


=====================

EX-DC3


Testing server: Default-First-Site-Name\EX-DC3
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net has 3
cursors.
CN=Configuration,DC=exchange,DC=datagate,DC=net has 3 cursors.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority
work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority
work.
from EX-DC2 to EX-DC3

Paul Bergson [MVP-DS]
Guest

Posted: Wed Sep 24, 2008 3:04 pm    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

I don't know why one would work and one wouldn't, but I have seen nothing
but problems when having multi-homed dc's.

What KB specifically are you referring to?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
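
Added example (not part of the original thread, and not the script Paul mentions): a Python sketch that triages dcdiag text like the output SrdjanM posted. It undoes the mail-client line wraps, lists failed tests per DC, collects the failing replication paths with their age, and names the DC that sits at the receiving end of the broken paths. The function name `triage`, the result keys and the assumption of a single "Current time" line per report are this example's own; the sample is an excerpt of the log lines in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Excerpt of the dcdiag lines posted in this thread, line wraps left as posted.
SAMPLE = r"""
Starting test: Topology
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test Topology
Starting test: Topology
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test Topology
Testing server: Default-First-Site-Name\EX-DC3
Starting test: Replications
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority
work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority
work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be delayed.
REPLICATION-RECEIVED LATENCY WARNING
EX-DC3: Current time is 2008-09-24 13:40:34.
......................... EX-DC3 passed test Replications
......................... EX-DC3 failed test
ObjectsReplicated
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
FMT = "%Y-%m-%d %H:%M:%S"
RESULT_RE = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")
CUTOFF_RE = re.compile(r"can't get changes from home server (\S+): \S+/(\S+)")
REPL_RE = re.compile(
    r"from (\S+) to (\S+) Reason: (.+?) The last success occurred at " + TS)
NOW_RE = re.compile(r"Current time is " + TS)


def triage(text):
    """Summarise a dcdiag report (hypothetical helper, not a dcdiag feature)."""
    flat = " ".join(text.split())  # undo wrapping so patterns can span lines

    failed, passed = {}, set()
    for dc, verdict, test in RESULT_RE.findall(flat):
        if verdict == "failed":
            failed.setdefault(dc, []).append(test)
        else:
            passed.add((dc, test))

    # (source, cut-off server) pairs; the same pair repeats per naming context.
    cut_off = sorted(set(CUTOFF_RE.findall(flat)))

    now_match = NOW_RE.search(flat)
    now = datetime.strptime(now_match.group(1), FMT) if now_match else None

    paths = {}  # keyed by (source, destination), so repeats collapse
    for src, dst, reason, last in REPL_RE.findall(flat):
        age = None
        if now is not None:
            delta = now - datetime.strptime(last, FMT)
            age = round(delta.total_seconds() / 3600, 1)
        paths[(src, dst)] = {
            "reason": reason, "last_success": last, "stale_hours": age}

    # The DC that is most often the receiving end of a broken path.
    blame = Counter(dst for _, dst in cut_off)
    blame.update(dst for _, dst in paths)
    suspect = blame.most_common(1)[0][0] if blame else None

    # A "passed" Replications test can still carry failing inbound paths.
    masked = sorted({dst for _, dst in paths if (dst, "Replications") in passed})

    return {"failed_tests": failed, "cut_off": cut_off, "failing_paths": paths,
            "suspect": suspect, "passed_with_failing_paths": masked}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=>", value)
```

On this excerpt the summary points at EX-DC3 from both directions, and it also shows that EX-DC3's Replications test is reported as passed even though both inbound paths have been failing for about a day.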


Meinolf Weber
Guest

Posted: Wed Sep 24, 2008 7:28 pm    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

Hello SrdjanM,

Following your output from the DC's, you should remove the multihomed configuration
of the DC's. DC's should NOT be multihomed, this creates lots of problems,
especially with replication.

Paul pointed you to the KB article about DNS configuration for internet access.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Quote:
Thank you so much Paul. Here is the IPCONFIG info from all 3 DCs:

EX-DC1

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc1
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net
Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server
Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-EF-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211
Ethernet adapter PUBLIC:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100)
Physical Address. . . . . . . . . : 00-D0-B7-B6-BA-DF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.211
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled
EX-DC2

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc2
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net
PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Ethernet adapter PUBLIC:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82559 Fast Ethernet
LAN on
Motherboard
Physical Address. . . . . . . . . : 00-D0-B7-A7-5E-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.212
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server
Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-F0-A9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.100.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211
EX-DC3

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc3
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net
Ethernet adapter LOCAL:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100) #2
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-11
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.217
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter INTERNET:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100)
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.217
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
I could not find the link to download your script, so I executed all
tests manually. Basically, I found errors and warnings in dcdiag.log
only. Warnings regarding EX-DC3 replication look interesting...anyway,
I will paste only errors and warnings, please let me know if you need
complete log:

EX-DC1

Starting test: Topology

* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test Topology
Starting test: CutoffServers

* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test CutoffServers
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various
important
DN
references. Note, that these problems can be reported
because of
latency in replication. So follow up to resolve the
following
problems, only if the same problem is reported on all DCs for
a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain
Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... EX-DC1 failed test
VerifyEnterpriseReferences

=====================

EX-DC2

Starting test: Topology
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test Topology
Starting test: CutoffServers
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test CutoffServers
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various
important
DN
references. Note, that these problems can be reported
because of
latency in replication. So follow up to resolve the
following
problems, only if the same problem is reported on all DCs for
a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain
Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... EX-DC2 failed test
VerifyEnterpriseReferences

=====================

EX-DC3

Testing server: Default-First-Site-Name\EX-DC3
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net has
3
cursors.
CN=Configuration,DC=exchange,DC=datagate,DC=net has 3
cursors.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher
priority work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a
schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be
delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher
priority work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a
schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be
delayed.
DC=exchange,DC=datagate,DC=net has 3 cursors.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher
priority work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a
schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be
delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher
priority work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a
schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be
delayed.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
EX-DC3: Current time is 2008-09-24 13:40:34.
CN=Configuration,DC=exchange,DC=datagate,DC=net
Last replication recieved from EX-DC1 at 2008-09-23
13:09:17.
Last replication recieved from EX-DC2 at 2008-09-23
13:10:51.
DC=exchange,DC=datagate,DC=net
Last replication recieved from EX-DC1 at 2008-09-23
13:10:42.
Last replication recieved from EX-DC2 at 2008-09-23
13:10:51.
* Replication Site Latency Check
Site Settings = CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=excha
nge,DC=datagate,DC=net
[0x904de,v=55782,t=2008-09-24
13:08:49,g=6c5dcccf-4784-4cd0-8ff3-5fca84c19580,orig=47740,local=47740
]
Elapsed time (sec) = 1907
......................... EX-DC3 passed test Replications
Starting test: ObjectsReplicated
EX-DC3 is in domain DC=exchange,DC=datagate,DC=net
Checking for CN=EX-DC3,OU=Domain
Controllers,DC=exchange,DC=datagate,DC=net in domain
DC=exchange,DC=datagate,DC=net on 3 servers
Authoritative attribute nTSecurityDescriptor on EX-DC3
(writeable)
usnLocalChange = 20482
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20482
timeLastOriginatingChange = 2008-09-23 13:05:45
VersionLastOriginatingChange = 2
Out-of-date attribute nTSecurityDescriptor on EX-DC1
(writeable)
usnLocalChange = 11152317
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 11152317
timeLastOriginatingChange = 2006-05-15 15:53:40
VersionLastOriginatingChange = 1
Out-of-date attribute nTSecurityDescriptor on EX-DC2
(writeable)
usnLocalChange = 10920641
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 11152317
timeLastOriginatingChange = 2006-05-15 15:53:40
VersionLastOriginatingChange = 1
Authoritative attribute servicePrincipalName on EX-DC3
(writeable)
usnLocalChange = 20519
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20519
timeLastOriginatingChange = 2008-09-23 13:06:36
VersionLastOriginatingChange = 20
Out-of-date attribute servicePrincipalName on EX-DC2
(writeable)
usnLocalChange = 31531976
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428219
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 19
Out-of-date attribute servicePrincipalName on EX-DC1
(writeable)
usnLocalChange = 33428219
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428219
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 19
Checking for CN=NTDS
Settings,CN=EX-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=exchange,DC=datagate,DC=net
in domain CN=Configuration,DC=exchange,DC=datagate,DC=net on 3 servers
Authoritative attribute msDS-hasMasterNCs on EX-DC3
(writeable)
usnLocalChange = 20141
LastOriginatingDsa = EX-DC3
usnOriginatingChange = 20141
timeLastOriginatingChange = 2008-09-23 13:03:39
VersionLastOriginatingChange = 5
Out-of-date attribute msDS-hasMasterNCs on EX-DC1
(writeable)
usnLocalChange = 33428218
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428218
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 1
Out-of-date attribute msDS-hasMasterNCs on EX-DC2
(writeable)
usnLocalChange = 31531981
LastOriginatingDsa = EX-DC1
usnOriginatingChange = 33428218
timeLastOriginatingChange = 2008-09-23 13:01:38
VersionLastOriginatingChange = 1
......................... EX-DC3 failed test
ObjectsReplicated
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours
after the
SYSVOL has been shared. Failing SYSVOL replication problems
may
cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/23/2008 16:50:55
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/23/2008 16:50:55
(Event String could not be retrieved)
......................... EX-DC3 failed test frsevent
Once again - thanks a lot.

"Paul Bergson [MVP-DS]" wrote:

Brandon McCombs
Posted: Thu Sep 25, 2008 12:25 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

SrdjanM wrote:
Quote:
Thank you so much Paul. Here is the IPCONFIG info from all 3 DCs:


It always amazes me when people post what seems to be real IP and domain
information for all to see.

Quote:

Once again - thanks a lot.

I'm sure any crackers are thanking you for divulging information about
your infrastructure.
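
The concern raised in the post above can be handled before posting. This is an added example, not part of the original thread: a Python sketch that pseudonymises `ipconfig /all` and `dcdiag` text while keeping what helpers need (which adapters share a subnet, which lines refer to the same host). The `Redactor` class, `remaining_identifiers` function and all placeholder values are hypothetical; the sample lines are excerpted from the output quoted earlier in this thread.

```python
import ipaddress
import re

# RFC 5737 documentation prefixes stand in for real public /24 networks.
DOC_PREFIXES = ["192.0.2", "198.51.100", "203.0.113"]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}\b")
MAC_PLACEHOLDER = "02-00-00-00-00-"  # locally administered, no vendor OUI


def is_public(text):
    """True for globally routable IPv4; masks and RFC 1918 space are not."""
    try:
        return ipaddress.ip_address(text).is_global
    except ValueError:
        return False


def dn_form(domain):
    """corp.example.com -> DC=corp,DC=example,DC=com (as printed by dcdiag)."""
    return ",".join("DC=" + label for label in domain.split("."))


class Redactor:
    """Replace identifying values consistently across one or more dumps."""

    def __init__(self, domains, hostnames=()):
        # domains: real DNS suffix -> placeholder suffix, longest suffix first
        self.domains = sorted(domains.items(), key=lambda kv: -len(kv[0]))
        self.hosts = {h.lower(): f"HOST{i}" for i, h in enumerate(hostnames, 1)}
        self.prefixes = {}  # real public /24 prefix -> documentation prefix
        self.macs = {}      # real MAC -> placeholder MAC

    def _ip(self, match):
        text = match.group(0)
        if not is_public(text):
            return text  # private addresses and subnet masks stay readable
        prefix, host = text.rsplit(".", 1)
        if prefix not in self.prefixes:
            if len(self.prefixes) == len(DOC_PREFIXES):
                raise ValueError("more than three public /24s: extend DOC_PREFIXES")
            self.prefixes[prefix] = DOC_PREFIXES[len(self.prefixes)]
        # Keeping the last octet preserves gateway/host/mask relationships.
        return f"{self.prefixes[prefix]}.{host}"

    def _mac(self, match):
        real = match.group(0).upper()
        if real not in self.macs:
            self.macs[real] = f"{MAC_PLACEHOLDER}{len(self.macs) + 1:02X}"
        return self.macs[real]

    def _names(self, text):
        for real, fake in self.domains:
            dotted = rf"(?<![\w-]){re.escape(real)}(?![\w-])"
            text = re.sub(dotted, lambda m: fake, text, flags=re.I)
            text = re.sub(re.escape(dn_form(real)), lambda m: dn_form(fake),
                          text, flags=re.I)
        for real, fake in self.hosts.items():
            host = rf"(?<![\w-]){re.escape(real)}(?![\w-])"
            text = re.sub(host, lambda m: fake, text, flags=re.I)
        return text

    def redact(self, text):
        text = IPV4_RE.sub(self._ip, text)
        text = MAC_RE.sub(self._mac, text)
        return self._names(text)


def remaining_identifiers(text, real_domains):
    """Final check before posting: anything returned here still identifies you."""
    found = [ip for ip in IPV4_RE.findall(text) if is_public(ip)]
    found += [m for m in MAC_RE.findall(text)
              if not m.upper().startswith(MAC_PLACEHOLDER)]
    low = text.lower()
    found += [d for d in real_domains
              if d.lower() in low or dn_form(d).lower() in low]
    return found


# Lines excerpted from the ipconfig and dcdiag output quoted in this thread.
SAMPLE = """\
Host Name . . . . . . . . . . . . : ex-dc1
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Physical Address. . . . . . . . . : 00-D0-B7-B6-BA-DF
IP Address. . . . . . . . . . . . : 62.204.35.211
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
IP Address. . . . . . . . . . . . : 192.168.100.211
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
"""

if __name__ == "__main__":
    redactor = Redactor({"datagate.net": "example.com"}, ["ex-dc1"])
    cleaned = redactor.redact(SAMPLE)
    print(cleaned)
    print("still identifying:", remaining_identifiers(cleaned, ["datagate.net"]))
```

Run it on the raw log files rather than on text a mail client has already wrapped: a distinguished name split across two lines, as happens in the dcdiag output quoted in this thread, will not match.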

SrdjanM
Posted: Thu Sep 25, 2008 7:30 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

Thanks guys.

As I already said, removing one NIC from DCs could cause me more troubles
than I already have, so I don't think that I can risk it.

Besides, I never heard that multihomed DC's are not supported by Microsoft.
All my DC's are placed into same IP subnets, there are no firewalls between
them, so communication problems through either NIC should not be an issue.
Furthermore, I already configured DNS registrations so that only public
addresses appear in DNS zone, as described in this article:

http://support.microsoft.com/kb/246804

I thought there would be some easier solution to this...but thanks anyway.


"Meinolf Weber" wrote:

Quote:
Hello SrdjanM,

Following your output from the DC's, you should remove the multihomed configuration
of the DC's. DC's should NOT be multihomed, this creates lots of problems,
especially with replication.

Paul pointed you to the KB article about DNS configuration for internet access.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



Meinolf Weber
Posted: Thu Sep 25, 2008 11:08 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

Hello SrdjanM,

See here why not to use multihomed DC's, even though it is a lot:
1. Domain Controllers should not be multi-homed
2. Being a VPN Server and even simply running RRAS makes it multi-homed.
3. DNS,..even just all by itself, is better on a single homed machine.
4. Domain Controllers with the PDC Role are automatically Domain Master
Browser. Master Browsers should not be multi-homed

272294 - Active Directory Communication Fails on Multihomed Domain Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


See also:

Multihomed DCs, DNS, RRAS servers.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Below are the manual steps in more detail, which I had outlined in the above
paragraph:

Honestly, multi-homed DCs are not recommended because of the associated issues
that can occur, as you've encountered. We usually recommend purchasing an
inexpensive Linksys, DLink, etc, Cable/DSL router to perform NAT for you,
take out the extra NIC off the DC, but still let the DC handle DHCP (and
not the router).

Little background on AD and DNS:
First, just to get this out of the way, if you have your ISP's DNS addresses
in your IP configuration (DCs and clients), they need to be REMOVED.

If the ISP's DNS is in there, this will cause additional problems.

Also, AD registers certain records in DNS in the form of SRV records that
signify AD's resource and service locations. When there are multiple NICs,
each NIC registers. If a client or another DC queries DNS for this DC, it
may get the wrong record. One factor controlling this is Round Robin. If
a DC or client on another subnet that the DC is not configured on queries
for it, Round Robin will kick in offering one or the other. If the wrong
one gets offered, it may not have a route to it. On the other hand, Subnetmask
Prioritization will ensure a querying client will get an IP that corresponds
to the subnet it's on, which will work. To ensure everything works, stick
with one NIC.

Since this DC is multi-homed, it requires additional configuration to prevent
the public interface addresses from being registered in DNS. This creates
a problem for internal clients locating AD to authenticate and find other
services and resources such as the Global Catalog, file sharing and the SYSVOL
DFS share and can cause GPO errors with Userenv 1000 events to be logged,
authenticating to shares and printers, logging on takes forever, among numerous
other issues.

But if you like, there are some registry changes to eliminate the registration
of the external NIC. Here's the whole list of manual steps to follow.

But believe me, it's much easier to just get a separate NAT device or multihome
a non-DC than having to alter the DC. - Good luck!

1. Ensure that all the NICs only point to your internal DNS server(s) only
and none others, such as your ISP's DNS servers' IP addresses.

2. In Network & Dialup properties, Advanced Menu item, Advanced Settings,
move the internal NIC (the network that AD is on) to the top of the binding
order (top of the list).

3. Disable the ability for the outer NIC to register. The procedure, as
mentioned, involves identifying the outer NIC's GUID number. This link will
show you how:
246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
NIC too):
http://support.microsoft.com/?id=246804

4. Disable NetBIOS on the outside NIC. That is performed by choosing to
disable NetBIOS in IP Properties, Advanced, and you will find that under the
"WINS" tab. You may want to look at step #3 in the article to show you how
to disable NetBIOS on the RRAS interfaces if this is a RRAS server.
296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
[Registry Entry]:
http://support.microsoft.com/?id=296379

Note: A standard Windows service, called the "Browser service", provides
the list of machines, workgroup and domain names that you see in "My Network
Places" (or the legacy term "Network Neighborhood"). The Browser service
relies on the NetBIOS service. One major requirement of NetBIOS service is
a machine can only have one name to one IP address. It's sort of a fingerprint.
You can't have two brothers named Darrell. A multihomed machine will cause
duplicate name errors on itself because Windows sees itself with the same
name in the Browse List (My Network Places), but with different IPs. You
can only have one, hence the error generated.

5. Disable the "File and Print Service" and disable the "MS Client Service"
on the outer NIC. That is done in NIC properties by unchecking the respective
service under the general properties page. If you need these services on
the outside NIC (which is unlikely), which allow other machines to connect
to your machine for accessing resource on your machine (shared folders, printers,
etc.), then you will probably need to keep them enabled.

6. Uncheck "Register this connection" under IP properties, Advanced settings,
"DNS" tab.

7. Delete the outer NIC IP address, disable Netlogon registration, and manually
create the required records

a. In DNS under the zone name, (your DNS domain name), delete the outer NIC's
IP references for the "LdapIpAddress". If this is a GC, you will need to
delete the GC IP record as well (the "GcIpAddress"). To do that, in the DNS
console, under the zone name, you will see the _msdcs folder. Under that,
you will see the _gc folder. To the right, you will see the IP address referencing
the GC address. That is called the GcIpAddress. Delete the IP addresses referencing
the outer NIC.

i. To stop these two records from registering that information,
use the steps provided in the links below:
Private Network Interfaces on a Domain Controller Are Registered in DNS
http://support.microsoft.com/?id=295328

ii. The one section of the article that disables these records is done with
this registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
(Create this Multi-String Value under it):
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress
GcIpAddress

iii. Here is more information on these and other Netlogon Service records:

Restrict the DNS SRV resource records updated by the Netlogon service

[including GC]:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_dns_pro_no_rr_in_ad.asp

b. Then you will need to manually create these two records in DNS with the
IP addresses that you need for the DC. To create the LdapIpAddress, create a
new host under the domain, but leave the "hostname" field blank, and provide
the internal IP of the DC, which results in a record that looks like:
(same as parent) A 192.168.5.200 (192.168.5.200 is used for illustrative
purposes)

i. You need to also manually create the GcIpAddress as well, if this is a
GC. That would be under the _msdcs._gc SRV record under the zone. It is created
in the same fashion as the LdapIpAddress mentioned above.

8. In the DNS console, right click the server name, choose properties, then
under the "Interfaces" tab, force it only to listen to the internal NIC's
IP address, and not the IP address of the outer NIC.

9. Since this is also a DNS server, the IPs from all NICs will register,
even if you tell it not to in the NIC properties. See this to show you how
to stop that behavior (this procedure is for Windows 2000, but will also
work for Windows 2003):
275554 - The Host's A Record Is Registered in DNS After You Choose Not to
Register the Connection's Address:
http://support.microsoft.com/?id=275554

10. If you haven't done so, configure a forwarder. You can use 4.2.2.2 if
not sure which DNS to forward to until you've got the DNS address of your
ISP.
How to set a forwarder? Good question. Depending on your operating
system, choose one of the following articles:

300202 - HOW TO: Configure DNS for Internet Access in Windows 2000 http://support.microsoft.com/?id=300202&FR=1

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
(How to configure a forwarder):
http://support.microsoft.com/d/id?=323380

Active Directory communication fails on multihomed domain controllers http://support.microsoft.com/kb/272294

<==*** Some additional reading ***==>
More links to read up and understand what is going on:

292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
Controller with Routing and Remote Access and DNS Insta [DNS and RRAS and
unwanted IPs registering]:
http://support.microsoft.com/?id=292822

246804 - How to enable or disable DNS updates in Windows 2000 and in Windows
Server 2003
http://support.microsoft.com/?id=246804

295328 - Private Network Interfaces on a Domain Controller Are Registered in
DNS
[also shows DnsAvoidRegisterRecords LdapIpAddress to avoid reg sameasparent
private IP]:
http://support.microsoft.com/?id=295328

306602 - How to Optimize the Location of a DC or GC That Resides Outside of
a Client's
Site [Includes info LdapIpAddress and GcIpAddress information and the SRV
mnemonic values]:
http://support.microsoft.com/?id=306602

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003 (including how-to configure a forwarder): http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/?id=291382

296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
[Registry Entry]:
http://support.microsoft.com/?id=296379

Rid Pool Errors and other multihomed DC errors, and how to configure a multihomed
DC, Ace Fekay, 24 Feb 2006 http://www.ureader.com/message/3244572.aspx


--
Regards,
Ace


This posting is provided "AS-IS" with no warranties or guarantees and confers
no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Quote:
Thanks guys.

As I already said, removing one NIC from DCs could cause me more
troubles than I already have, so I don't think that I can risk it.

Besides, I never heard that multihomed DC's are not supported by
Microsoft. All my DC's are placed into same IP subnets, there are no
firewalls between them, so communication problems through either NIC
should not be an issue. Furthermore, I already configured DNS
registrations so that only public addresses appear in DNS zone, as
described in this article:

http://support.microsoft.com/kb/246804

I thought there would be some easier solution to this...but thanks
anyway.

"Meinolf Weber" wrote:

Hello SrdjanM,

Following your output from the DC's, you should remove the multihomed
configuration of the DC's. DC's should NOT be multihomed, this
creates lots of problems, especially with replication.

Paul pointed you the KB article about DNS configuration for internet
access.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Thank you so much Paul. Here is the IPCONFIG info from all 3 DCs:

EX-DC1

Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc1
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net
Ethernet adapter LOCAL:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-EF-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211
Ethernet adapter PUBLIC:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
Physical Address. . . . . . . . . : 00-D0-B7-B6-BA-DF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.211
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled
EX-DC2
Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc2
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : exchange.datagate.net
datagate.net
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Ethernet adapter PUBLIC:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82559 Fast Ethernet LAN on Motherboard
Physical Address. . . . . . . . . : 00-D0-B7-A7-5E-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.212
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter LOCAL:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-E6-F0-A9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.100.212
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.168.100.211
EX-DC3
Windows IP Configuration

Host Name . . . . . . . . . . . . : ex-dc3
Primary Dns Suffix . . . . . . . : exchange.datagate.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exchange.datagate.net
Ethernet adapter LOCAL:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100) #2
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-11
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.217
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter INTERNET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
Physical Address. . . . . . . . . : 00-07-E9-E6-DC-10
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 62.204.35.217
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 62.204.35.209
DNS Servers . . . . . . . . . . . : 62.204.35.211
62.204.35.212
I could not find the link to download your script, so I executed all
tests manually. Basically, I found errors and warnings in dcdiag.log
only. Warnings regarding EX-DC3 replication look interesting...anyway,
I will paste only errors and warnings, please let me know if you need
complete log:
EX-DC1

Starting test: Topology

* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test Topology
Starting test: CutoffServers
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC1:
Default-First-Site-Name/EX-DC3
......................... EX-DC1 failed test CutoffServers
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... EX-DC1 failed test VerifyEnterpriseReferences
=====================

EX-DC2

Starting test: Topology
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test Topology
Starting test: CutoffServers
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=exchange,DC=datagate,DC=net.
These servers can't get changes from home server EX-DC2:
Default-First-Site-Name/EX-DC3
......................... EX-DC2 failed test CutoffServers
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=EX-DC3,OU=Domain Controllers,DC=exchange,DC=datagate,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... EX-DC2 failed test VerifyEnterpriseReferences
=====================

EX-DC3

Testing server: Default-First-Site-Name\EX-DC3
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=exchange,DC=datagate,DC=net has 3 cursors.
CN=Configuration,DC=exchange,DC=datagate,DC=net has 3 cursors.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC1 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:06:23.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a schema
mismatch between the servers involved.
The last success occurred at 2008-09-23 13:10:51.
Replication of new changes along this path will be delayed.
DC=exchange,DC=datagate,DC=net has 3 cursors.
REPLICATION LATENCY WARNING
EX-DC3: This replication path was preempted by higher priority work.
from EX-DC2 to EX-DC3
Reason: The replication operation failed because of a
schema
Back to top
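A check for step 7 of the multihomed-DC procedure quoted in the post above, as an added example that is not part of the thread: it reads zone-file style text and reports LdapIpAddress/GcIpAddress A records that still point at a non-internal address, or that are missing for an internal one. The function names, the zone-file input format, the sample records and the owner names passed in `watched` are assumptions chosen for illustration.

```python
import ipaddress

# Constructed zone-file style records; names and addresses are hypothetical.
SAMPLE_ZONE = """\
corp.test.            600 IN A   192.168.5.200
                      600 IN A   203.0.113.10   ; outer NIC still registered
gc._msdcs.corp.test.  600 IN A   203.0.113.10
dc1.corp.test.        1200 IN A  192.168.5.200
_ldap._tcp.corp.test. 600 IN SRV 0 100 389 dc1.corp.test.
"""


def parse_a_records(zone_text):
    """Yield (owner, IPv4Address) per A record; a blank owner repeats the last one."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]                 # strip comments
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():                   # line starts with an owner name
            owner = fields.pop(0).rstrip(".").lower()
        if owner and len(fields) >= 2 and fields[-2].upper() == "A":
            try:
                addr = ipaddress.IPv4Address(fields[-1])
            except ValueError:
                continue                            # malformed address: skip it
            yield owner, addr


def audit_dc_records(zone_text, watched, internal_ips):
    """watched maps a Netlogon mnemonic to the owner name to inspect (assumed input)."""
    expected = {ipaddress.IPv4Address(ip) for ip in internal_ips}
    by_owner = {owner.rstrip(".").lower(): label for label, owner in watched.items()}
    seen = {label: set() for label in watched}
    for owner, addr in parse_a_records(zone_text):
        if owner in by_owner:
            seen[by_owner[owner]].add(addr)
    findings = []
    for label, addrs in seen.items():
        # Addresses that should have been deleted (step 7a).
        findings += [("unexpected", label, str(a)) for a in sorted(addrs - expected)]
        # Addresses that should have been created by hand (step 7b).
        findings += [("missing", label, str(a)) for a in sorted(expected - addrs)]
    return findings


if __name__ == "__main__":
    watched = {"LdapIpAddress": "corp.test", "GcIpAddress": "gc._msdcs.corp.test"}
    for finding in audit_dc_records(SAMPLE_ZONE, watched, ["192.168.5.200"]):
        print(*finding)
```
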
SrdjanM
Guest





Posted: Thu Sep 25, 2008 11:41 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

Thanks again Phillip, I will have a look.

In the meantime the problem has been resolved thanks to MS support...you
were correct, the problem was related to name resolution due to multiple
NICs, but for the time being multiple NIC will have to be used. Replication
is now OK :)

BTW, is there a way to delete this thread from the group, or to edit my post
with ipconfig logs?
Back to top
Paul Bergson [MVP-DS]
Guest





Posted: Fri Sep 26, 2008 10:26 am    Post subject: Re: Upgrading 32-bit AD to 64-bit - FSMO problem

Nope, when you post ip config logs you should replace a couple of the octets
with bogus numbers.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"SrdjanM" <srdjanm@exchange.datagate.net> wrote in message
news:6687FA38-3636-42C5-951C-3E276A533025@microsoft.com...
Quote:
Thanks again Phillip, I will have a look.

In the meantime the problem has been resolved thanks to MS support...you
were correct, the problem was related to name resolution due to multiple
NICs, but for the time being multiple NIC will have to be used. Replication
is now OK :)

BTW, is there a way to delete this thread from the group, or to edit my post
with ipconfig logs?
Back to top
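The advice in the post above (replace octets before posting ipconfig logs), automated as an added example that is not part of the thread: addresses, MAC addresses, host names and DNS suffixes are replaced consistently so the output stays readable for troubleshooting, and subnet masks are left intact. The function names, the placeholder scheme (`10.N` prefixes, RFC 7042 documentation MACs, `hostN`/`domainN.example`) and the sample input are assumptions made for this sketch.

```python
import re

IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}\b")
LABEL = re.compile(r"^\s*([^.:]+?)[ .]*:\s*(.*)$")    # "Host Name . . . : value"
NAME_LABELS = {"host name": "host{}", "primary dns suffix": "domain{}.example",
               "dns suffix search list": "domain{}.example"}

# Constructed sample in ipconfig /all layout (not the output posted in the thread).
SAMPLE = """\
Host Name . . . . . . . . . . . . : dc-a
DNS Suffix Search List. . . . . . : ad.fabrikam.test
                                    fabrikam.test
Ethernet adapter PUBLIC:
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IP Address. . . . . . . . . . . . : 203.0.113.21
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   DNS Servers . . . . . . . . . . . : 203.0.113.21
                                       192.168.100.22
"""


def label_of(line):
    """Split 'Label . . . : value'; unlabelled lines return (None, text)."""
    m = LABEL.match(line)
    return (m.group(1).strip().lower(), m.group(2).strip()) if m else (None, line.strip())


def sanitize_ipconfig(text):
    """Replace addresses, MACs and names consistently; subnet masks are kept."""
    prefixes, macs, names = {}, {}, {}

    def fake_ip(m):
        a, b, c, d = (int(g) for g in m.groups())
        if max(a, b, c, d) > 255:
            return m.group(0)                       # not an IPv4 address
        n = prefixes.setdefault((a, b), len(prefixes) + 1)
        return f"10.{n}.{c}.{d}"                    # bogus first two octets

    def fake_mac(m):
        n = macs.setdefault(m.group(0).upper(), len(macs) + 1)
        return f"00-00-5E-00-53-{n:02X}"            # RFC 7042 documentation range

    kind = None                 # pass 1: learn names, incl. continuation lines
    for line in text.splitlines():
        label, value = label_of(line)
        if label is not None:
            kind = NAME_LABELS.get(label)
        if kind and value and value.lower() not in names:
            names[value.lower()] = kind.format(len(names) + 1)
    alternatives = "|".join(map(re.escape, sorted(names, key=len, reverse=True)))
    name_re = re.compile(rf"(?<![\w-])(?:{alternatives})(?![\w-])", re.I)

    out = []                    # pass 2: rewrite every line
    for line in text.splitlines():
        if label_of(line)[0] != "subnet mask":
            line = IPV4.sub(fake_ip, line)
        line = MAC.sub(fake_mac, line)
        out.append(name_re.sub(lambda m: names.get(m.group(0).lower(), ""), line))
    return "\n".join(out)
```

Because the same real prefix always maps to the same placeholder, hosts that shared a subnet in the original still share one in the sanitized copy.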
All times are GMT