Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domain controllers running Windows 2000 Server or Windows Server 2003 cannot replicate Active Directory updates if Domain Name System (DNS) lookup failures prevent a destination domain controller from contacting its source replication partner to request changes. Lookup failures occur when a destination domain controller cannot resolve its source replication partner's globally unique identifier (GUID)-based canonical name (CNAME) resource record to an Internet Protocol (IP) address by using DNS. GUID-based CNAME resource records are always registered in the DNS zone _msdcs.ForestRootDomain.

The most common DNS failures occur when DNS client settings are misconfigured on the destination or source domain controller, or the direct and intermediate DNS servers that are used to resolve the query are misconfigured. Network problems or domain controller disconnection problems might also be present. If the problem is due to DNS configuration errors or replication latency, the effect on Active Directory replication is minimized by new improvements to domain controller name resolution in Windows Server 2003 Service Pack 1 (SP1).

Improvements to Domain Controller Name Resolution in SP1

Domain controllers running Windows Server 2003 with SP1 have a more robust response to DNS name resolution failures. Rather than failing on the first attempt to resolve the IP address of a source domain controller by using its CNAME resource record, destination domain controllers running Windows Server 2003 with SP1 use alternate names to attempt resolution and also log events that report problems and prescribe solutions.

DNS Failure Scenarios

All domain controllers register multiple service location (SRV) resource records in DNS as well as a host address (A) resource record for each IP address of the domain controller, plus an additional host resource record for each IP address if the domain controller is a global catalog server. In addition, each domain controller registers a single CNAME resource record.

The following table shows the DNS resource records that are required for proper Active Directory functionality.

Mnemonic      Type    DNS resource record
pdc           SRV     _ldap._tcp.pdc._msdcs.DnsDomainName
gc            SRV     _ldap._tcp.gc._msdcs.DnsForestRootDomainName
GcIpAddress   A       _gc._msdcs.DnsForestRootDomainName
DsaCname      CNAME   DsaGuid._msdcs.DnsForestRootDomainName
kdc           SRV     _kerberos._tcp.dc._msdcs.DnsDomainName
dc            SRV     _ldap._tcp.dc._msdcs.DnsDomainName
None          A       DomainControllerFQDN

In the CNAME resource record (DSA_GUID._msdcs.ForestRootDNSDomainName), DSA_GUID is the GUID of the NTDS Settings object (also called the Directory System Agent (DSA) object) for the domain controller. ForestRootDNSDomainName is the DNS name of the forest where the domain controller is located. Destination domain controllers use the CNAME resource record to identify and locate their replication partners.

The Net Logon service on the domain controller registers all SRV resource records when the operating system starts up and at regular intervals thereafter. The DNS client service on the domain controller registers the DNS host A resource record.

A domain controller uses the following steps to locate its replication partner:

  1. The destination domain controller queries its DNS server to look for the CNAME resource record of its replication partner. On domain controllers running Windows 2000 Server or Windows Server 2003 with no service pack applied, if this lookup fails to resolve the CNAME resource record to an IP address, DNS lookup (and replication) fails.

  2. On domain controllers running Windows Server 2003 with SP1, if the CNAME lookup is unsuccessful, the domain controller looks for the DNS A resource record of its replication partner. For example, the domain controller looks for DC03.corp.contoso.com.

  3. If the DNS A resource record lookup is unsuccessful, the domain controller performs a network basic input/output system (NetBIOS) broadcast by using the host name of its replication partner. For example, the domain controller uses DC03.
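The following PowerShell script is an added example and is not part of this article. It reproduces the three lookup steps above from the destination domain controller's point of view, using the DNS servers in that computer's TCP/IP client settings, so that you can see at which step the lookup of a given source domain controller fails and which event ID to expect. It assumes the DnsClient module (Resolve-DnsName, available on Windows 8, Windows Server 2012, and later), takes the forest root DNS name, the source domain controller's FQDN, and the GUID of the source's NTDS Settings object as parameters, and uses the article's DC03.corp.contoso.com names as placeholder defaults; the GUID default is a placeholder that you must replace.

```powershell
# Added example, not from the original article: walk the CNAME -> host A -> NetBIOS
# fallback sequence that a Windows Server 2003 SP1 destination DC uses to locate
# its source replication partner. Run it on the destination DC.
[CmdletBinding()]
param(
    [string]$ForestRootDomain = 'corp.contoso.com',       # placeholder from the article's example
    [string]$SourceDcFqdn     = 'DC03.corp.contoso.com',  # placeholder source replication partner
    # GUID of the source DC's NTDS Settings object (placeholder). Obtain the real value with
    #   repadmin /showrepl DC03        (look for "DSA object GUID")
    # or, with the Active Directory module:
    #   (Get-ADObject (Get-ADDomainController DC03).NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    [guid]$SourceDsaGuid      = '00000000-0000-0000-0000-000000000000'
)

function Get-ARecordAddresses {
    # Returns the IPv4 addresses a name resolves to, or an empty array on failure.
    param([string]$Name, [switch]$NetbiosOnly)
    try {
        $records = if ($NetbiosOnly) {
            # Step 3 equivalent: LLMNR/NetBIOS only, no DNS.
            Resolve-DnsName -Name $Name -LlmnrNetbiosOnly -ErrorAction Stop
        } else {
            # -DnsOnly so that hosts-file entries or NetBIOS cannot mask a DNS failure.
            # Querying type A for a CNAME returns the CNAME record followed by the target's A records.
            Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
        }
        return @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        Write-Verbose "$Name : $($_.Exception.Message)"
        return @()
    }
}

# Step 1: GUID-based CNAME in _msdcs.<ForestRoot>. Pre-SP1 DCs stop here (event 1925).
$cname = "$($SourceDsaGuid.ToString())._msdcs.$ForestRootDomain"
$ips = @(Get-ARecordAddresses -Name $cname)
if ($ips.Count -gt 0) {
    "Step 1 OK: $cname -> $($ips -join ', ') (no lookup event expected)"
    return
}
Write-Warning "Step 1 FAILED: cannot resolve $cname (a pre-SP1 DC would log event 1925)"

# Step 2: SP1 fallback to the source DC's host (A) record.
$ips = @(Get-ARecordAddresses -Name $SourceDcFqdn)
if ($ips.Count -gt 0) {
    "Step 2 OK: $SourceDcFqdn -> $($ips -join ', ') (replication proceeds, event 2088 expected)"
    return
}
Write-Warning "Step 2 FAILED: cannot resolve $SourceDcFqdn"

# Step 3: last resort, NetBIOS broadcast for the single-label host name.
$hostName = ($SourceDcFqdn -split '\.')[0]
$ips = @(Get-ARecordAddresses -Name $hostName -NetbiosOnly)
if ($ips.Count -gt 0) {
    "Step 3 OK: NetBIOS $hostName -> $($ips -join ', ') (replication proceeds, event 2088 expected)"
} else {
    Write-Warning "Step 3 FAILED: all lookups failed (replication fails, event 2087 expected)"
}
```

Run the script with -Verbose to see the underlying resolver error for each failed step. A result that succeeds only at step 2 or 3 corresponds to event ID 2088 and still calls for the DNS fix, because the fallback adds latency to every replication cycle.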

When lookups fail, events that describe the condition are logged in the Directory Service event log.

DNS Events for Lookup Failure

Two new events, event ID 2087 and event ID 2088, are logged on destination domain controllers running Windows Server 2003 with SP1:

  • If all lookups fail, event ID 2087 is logged.

  • If the CNAME lookup fails but one of the fallback lookups (the host A resource record or the NetBIOS broadcast) succeeds, event ID 2088 is logged.

On domain controllers running Windows 2000 Server or Windows Server 2003 with no service pack applied, the destination domain controller that cannot successfully locate its replication partner in DNS logs event ID 1925.

Regardless of whether replication succeeds or fails, if you receive event ID 1925, event ID 2087, or event ID 2088, you should investigate and correct the cause of the failure because incorrect DNS configuration can affect other essential operations — including logon authentication and access to network resources — on member computers, domain controllers, and application servers. In addition, although fallback name resolution might allow replication to occur, it introduces unnecessary latency and overhead into the replication process.

DNS Requirements for CNAME Lookup Success

Although name resolution in Windows Server 2003 with SP1 is more aggressive at ensuring that replication can occur when a CNAME lookup fails, failure of this method indicates that either the DNS clients or DNS servers are not configured properly. It is important to understand the requirements for successful CNAME lookup and to ensure that DNS is functioning accordingly.

Resolving the fully qualified, GUID-based, CNAME resource record of the source domain controller to the current IP address of the source domain controller requires the following DNS configurations:

  1. In their respective TCP/IP client settings, the source domain controller and destination domain controller must be configured to resolve DNS names by using only valid DNS servers that directly host, forward, or delegate to the following DNS zones:

    1. _msdcs.ForestRootDNSDomainName, to resolve queries for computers in the forest.

    2. The DNS zone that corresponds to the primary DNS suffix of the domain controller whose name is being resolved, to resolve queries for computers in the domain. (That is, the destination domain controller must be able to resolve the host name of the source domain controller, and the reverse is also true.) The primary DNS suffix is usually the same as the DNS name of the domain to which a computer is joined. You can view the primary DNS suffix in the properties of My Computer.

    If the DNS servers that the source domain controller is configured to use for name resolution do not host these zones directly, the DNS servers that are used must forward or delegate to DNS servers that do host these zones.

  2. The source domain controller must have successfully registered the following resource records:

    • GUID-based CNAME resource record in the DNS zone _msdcs.ForestRootDNSDomainName

    • Host A resource record in the DNS zone that corresponds to its primary DNS suffix

Potential Preliminary Failures Due to Replication Latency

At the time that the destination domain controller queries its DNS servers for the location of its source replication partner, DNS configurations might be correct on both the source and destination domain controllers, but DNS resource record registrations might be in flux as a result of configuration changes on the source domain controller. In this case, DNS lookup can fail as a result of replication latency, as follows:

  • If the source domain controller changes the DNS server on which it registers its CNAME and host A resource records, it is possible that the initial DNS server that the destination domain controller queries to resolve the name of the source domain controller is different from any of the DNS servers on which the CNAME and host A resource records for the source domain controller are currently registered. In this case, DNS replication latency or failures might prevent DNS records that are successfully registered on the DNS servers that the source domain controller uses from being located by the DNS server that is queried by the destination domain controller.

  • If the Active Directory domain of the DNS server that the destination domain controller uses initially has a parent-child relationship with the Active Directory domain of the servers on which the source domain controller registers its resource records, the forwarder and delegation configuration on both the DNS servers that the source domain controller uses and the DNS servers that the destination domain controller uses, as well as any intermediate DNS servers that are used to resolve the DNS query, must be valid. Any required records on those DNS servers might be subject to replication latency and failure.
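The following PowerShell script is an added example and is not part of this article. It checks the requirements listed under "DNS Requirements for CNAME Lookup Success" for one source domain controller, and it queries each DNS server in the destination domain controller's TCP/IP client settings separately, so that the replication-latency cases just described show up as a record that some configured servers return and others do not. It assumes the DnsClient module (Resolve-DnsName and Get-DnsClientServerAddress, available on Windows 8, Windows Server 2012, and later), that the source domain controller's primary DNS suffix is everything after the host label of its FQDN, and uses the article's DC03.corp.contoso.com names as placeholder defaults; the GUID default is a placeholder that you must replace.

```powershell
# Added example, not from the original article: verify, from the destination DC, that
# every DNS server it is configured to use can reach _msdcs.<forest> and the source DC's
# domain zone, and that the source DC's GUID-based CNAME and host A records are visible.
[CmdletBinding()]
param(
    [string]$ForestRootDomain = 'corp.contoso.com',       # placeholder from the article's example
    [string]$SourceDcFqdn     = 'DC03.corp.contoso.com',  # placeholder source replication partner
    [guid]$SourceDsaGuid      = '00000000-0000-0000-0000-000000000000'  # placeholder NTDS Settings GUID
)

# Assumption: the source DC's primary DNS suffix is its FQDN minus the host label.
$sourceZone = $SourceDcFqdn.Substring($SourceDcFqdn.IndexOf('.') + 1)
$msdcsZone  = "_msdcs.$ForestRootDomain"
$cname      = "$($SourceDsaGuid.ToString())._msdcs.$ForestRootDomain"

function Test-Lookup {
    # Queries one DNS server for one record type; returns the answer text or $null on failure.
    param([string]$Server, [string]$Name, [string]$Type)
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq $Type }
        if ($r) {
            $values = foreach ($rec in $r) {
                switch ($Type) { 'A' { $rec.IPAddress } 'CNAME' { $rec.NameHost } default { $rec.Name } }
            }
            return ($values -join ', ')
        }
    } catch {
        Write-Verbose "$Server / $Name ($Type): $($_.Exception.Message)"
    }
    return $null
}

# DNS servers from the destination DC's own TCP/IP client settings (IPv4, all interfaces).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
if (-not $dnsServers) { throw 'No DNS servers are configured in the TCP/IP client settings.' }

# Requirement 1: each configured server must host, forward to, or delegate to both zones
#                (an SOA answer shows the zone is reachable through that server).
# Requirement 2: the source DC's CNAME and host A records must be registered and visible.
$checks = @(
    @{ Name = $msdcsZone;    Type = 'SOA';   What = "zone $msdcsZone reachable" },
    @{ Name = $sourceZone;   Type = 'SOA';   What = "zone $sourceZone reachable" },
    @{ Name = $cname;        Type = 'CNAME'; What = 'GUID-based CNAME registered' },
    @{ Name = $SourceDcFqdn; Type = 'A';     What = 'host A record registered' }
)

$results = foreach ($server in $dnsServers) {
    foreach ($c in $checks) {
        [pscustomobject]@{
            DnsServer = $server
            Check     = $c.What
            Answer    = Test-Lookup -Server $server -Name $c.Name -Type $c.Type
        }
    }
}
$results | Format-Table -AutoSize

# A CNAME that some configured servers return and others do not points at DNS replication
# latency or a broken forwarder/delegation rather than at a missing registration.
$cnameAnswers = $results | Where-Object { $_.Check -eq 'GUID-based CNAME registered' }
$missing = @($cnameAnswers | Where-Object { -not $_.Answer })
$present = @($cnameAnswers | Where-Object { $_.Answer })
if ($missing.Count -gt 0 -and $present.Count -gt 0) {
    Write-Warning 'CNAME is visible on only some configured DNS servers: suspect replication latency or forwarder/delegation configuration on the servers that returned nothing.'
} elseif ($present.Count -eq 0) {
    Write-Warning "CNAME $cname is not resolvable through any configured DNS server: re-register the source DC's records (nltest /dsregdns for the Net Logon records, ipconfig /registerdns for the host A record) and run this check again."
}
```

Because the CNAME is registered by Net Logon and the host A record by the DNS Client service, a missing CNAME with a present A record (or the reverse) tells you which service on the source domain controller to restart or re-register; a zone that is unreachable through one configured server but reachable through another is a client-settings or forwarder problem on that server, not a registration problem.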

Understanding these basic requirements for name resolution that locates the source replication partner provides a more meaningful context for working through solutions when you have replication DNS lookup problems. Choose a problem from the following list that best describes your situation, and then step through the suggested fix:

Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem

Event ID 2087: DNS lookup failure caused replication to fail

Event ID 2088: DNS lookup failure occurred with replication success