Windows Vista Tips


Re: DNS has wrong server holding PDC FSMO role

Ace Fekay [MCT], 10-29-2009
"eaglesix" <> wrote in message
news:a42836d7-7db2-430c-b200-...
>I have a 2003 AD network with three DC running 2003 AD mixed mode and
> one NT4 BDC. The person I had help set up the DNS advised we not set
> the msdcs forward zone as dynamic.
>
> My problem is the DNS entry for the PDC is pointing to the wrong DC.
> DNS is pointing to the machine that was the first DC in the domain and
> I assume the PDC entry pointing to it is in there due to that.
>
> Using ntdsutil shows the role of the PDC with the correct DC.
>
> nslookup -type=SRV _ldap._tcp.pdc._msdcs.<domainname> pulls up the
> wrong PDC entry.
>
> Can I just modify the DNS entry for the PDC to point to the new
> machine so everything matches? Do I need to wait until most users are
> off the network? Or can this be done at any time? The network has
> been working fine this way for quite a while. But if machines query
> DNS for the DC offering the PDC service they will get the wrong
> machine.
>
> I appreciate any help as always
>

Sounds like this is an AD issue. I am cross-posting this to the AD newsgroup
for your convenience. Although many of the folks respond to both groups, I
think it would be better for specific exposure to the AD group. However you
can just check back here for responses.

What do you mean by not setting the _msdcs.yourdomain.local zone as dynamic?
You mean not to set as AD Integrated (store data in AD) or not to allow
Dynamic Updates? That's ill advised. I suggest to keep it AD integrated,
using the Forest Replication scope as well as to allow updates, otherwise
any changes in AD do not get registered.

I suggest you ask a qualified engineer who is familiar with AD and DNS how
to set it up. Or post here. But looks like we may need more info from you.
Read below for more info.

As for the PDC Emulator and other roles, are you sure that DC you are
referring to is the actual PDC Emulator Role holder? Run the following to
verify all Role holders:

netdom query fsmo

No, you can't simply alter the SRV records to change what you believe is the
PDC Emulator compared to what is in the SRV records in DNS. The SRV records
are automatically published (registered into DNS) by the Netlogon service
based on what the service finds in the AD database.

To ensure that the records are accurate, or at least to make sure the
Netlogon service is accurately publishing the records, perform the
following:
rename the system32\config\netlogon.dns and netlogon.bak files.
ipconfig /registerdns
net stop netlogon
net start netlogon

Go back to DNS and refresh the records to manually look at the records.
Re-run your nslookup command. Compare to what the netdom output gave you. If
the netdom output says it's DC2, but DC1 is registering as the PDC Emulator,
then it appears the problem is deeper, such as a replication issue.

What can cause issues with AD? The following is a list, but not limited to,
the causes of AD issues.

1. Using the ISP's DNS addresses in your DCs. Since AD relies on DNS, it
will be asking your ISP, 'where is my domain controller?' The ISP's DNS does
not have that info. Only use your DCs for DNS and configure a Forwarder (DNS
properties, Forwarding tab) to your ISP's DNS. If you have multiple DCs (not
including the NT4, which should NOT be running DNS) - in each DC, DNS#1
entry should be itself, and DNS#2 entry should be another DC in the same
subnet, or one across the WAN if no other DCs are on the same subnet. For
the NT4 box, point it to two of your DCs, no matter which order. Whatever
you do, do NOT use the ISP's DNS other than as a forwarder. The same goes on
all client and other machines on the network.

2. Single label name. This is a common issue many years ago when some admins
upgraded their NT4 domains to AD but did not choose a proper AD DNS domain
name, such as domain.com, domain.local, etc. A single label name example is
"DOMAIN" (without the TLD - top level domainname - of .com, .net, .local,
etc). This issue is extremely, extremely problematic.

3. Multihomed DC - DC has more than one NIC and/or IP address, and/or has
RRAS installed. Very problematic and requires registry changes to make it
work. Suggest to disable or team the NICs and use your routers for routing
data across subnets.

4. Disjointed namespace - Primary DNS Suffix does not match the zone name in
DNS, which must have updates allowed.

5. Dynamic Updates are not allowed. Extremely problematic. Registration with
Windows 2003 AD is every 24 hours. If not allowed, you will get (IIRC)
EventID 5782 errors, among other errors associated with incorrect SRV data.

That's just for starters. There are more issues associated with AD
functionality problems.

To better assist if you feel there is a problem that needs further
investigation and evaluation, please post the following:

1. Unedited ipconfig /all from your DCs.
2. Run dcdiag /v and netdiag /v and post any errors in the results.
3. Event log errors - post the eventID# and Source name

I hope that helps.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
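The check Ace describes above (compare the FSMO holder AD reports with the host DNS advertises, then look at whether the _msdcs zone accepts dynamic updates) scripted as an added example that is not part of the thread. It assumes a current Windows DC or admin host with the RSAT ActiveDirectory and DnsServer PowerShell modules, and that _msdcs is a separate zone at the forest root, as in a 2003-style layout; the Windows 2003 hosts in the thread would have to be checked with netdom and nslookup as the post says.

```powershell
# Added example (not from the thread): does the DNS SRV record that clients use
# to find the PDC Emulator point at the DC that actually holds the role, and
# does the _msdcs zone allow Netlogon to register records at all?
# Assumes RSAT ActiveDirectory + DnsServer modules and a reachable DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain    = Get-ADDomain
$forest    = Get-ADForest
$dnsServer = (Get-ADDomainController -Discover).HostName[0]   # any DC running DNS

# Authoritative answer: the role holder stored in the AD database (what
# "netdom query fsmo" reports).
$pdcFromAd = $domain.PDCEmulator.TrimEnd('.').ToLower()

# What DNS advertises (what "nslookup -type=SRV _ldap._tcp.pdc._msdcs.<domain>"
# reports). The additional section also carries A records; keep only SRV.
$srvName = "_ldap._tcp.pdc._msdcs.$($domain.DNSRoot)"
$srv = Resolve-DnsName -Name $srvName -Type SRV -Server $dnsServer -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' }
$pdcFromDns = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

Write-Host "PDC Emulator per AD  : $pdcFromAd"
Write-Host "PDC Emulator per DNS : $($pdcFromDns -join ', ')"

# Exactly one SRV record is expected, and it must name the role holder.
if ($pdcFromDns.Count -eq 1 -and $pdcFromDns[0] -eq $pdcFromAd) {
    Write-Host "OK: $srvName matches the FSMO role holder."
} else {
    Write-Warning ("MISMATCH: $srvName does not point at $pdcFromAd. " +
                   "Netlogon on the role holder has not (re)registered the record, " +
                   "or the zone refuses updates.")
}

# The _msdcs zone lives at the forest root. If DynamicUpdate is 'None',
# Netlogon's registrations are refused and stale hand-entered SRV data persists,
# which is the situation described in the thread.
$zoneName = "_msdcs.$($forest.RootDomain)"
$zone = Get-DnsServerZone -Name $zoneName -ComputerName $dnsServer -ErrorAction Stop
Write-Host ("Zone {0}: DynamicUpdate={1} ADIntegrated={2} ReplicationScope={3}" -f
            $zone.ZoneName, $zone.DynamicUpdate, $zone.IsDsIntegrated, $zone.ReplicationScope)

if ($zone.DynamicUpdate -eq 'None') {
    Write-Warning "Dynamic updates are disabled on $zoneName; Netlogon cannot publish SRV records."
} elseif (-not $zone.IsDsIntegrated) {
    Write-Warning "$zoneName is not AD-integrated; secure updates and forest-wide replication are unavailable."
}
```

Run it as a domain admin from any DC or RSAT host; a mismatch together with DynamicUpdate=None points at the zone setting rather than at FSMO placement, so fix the zone and re-run the netlogon re-registration steps from the post rather than editing the SRV record by hand.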

Ace Fekay [MCT], 10-29-2009

"eaglesix" <> wrote in message
news:5b0daffc-84c1-4724-aa66-...
>> Sounds like this is an AD issue. I am cross-posting this to the AD
>> newsgroup
>> for your convenience. Although many of the folks respond to both groups,
>> I
>> think it would be better for specific exposure to the AD group. However
>> you
>> can just check back here for responses.
>>
>> What do you mean by not setting the _msdcs.yourdomain.local zone as
>> dynamic?
>> You mean not to set as AD Integrated (store data in AD) or not to allow
>> Dynamic Updates? That's ill advised. I suggest to keep it AD integrated,
>> using the Forest Replication scope as well as to allow updates, otherwise
>> any changes in AD do not get registered.
>>

>
> The zones are all AD Integrated. But the _msdcs zone is set to allow
> no Dynamic Updates.
>
>
>> I suggest you ask a qualified engineer who is familiar with AD and DNS
>> how
>> to set it up. Or post here. But looks like we may need more info from
>> you.
>> Read below for more info.
>>
>> As for the PDC Emulator and other roles, are you sure that DC you are
>> referring to is the actual PDC Emulator Role holder? Run the following to
>> verify all Role holders:
>>
>> netdom query fsmo

>
> I ran netdom and the PDC Emulator is held by the correct DC not the
> one referenced in DNS incorrectly.
>
>>
>> No, you can't simply alter the SRV records to change what you believe is
>> the
>> PDC Emulator compared to what is in the SRV records in DNS. The SRV
>> records
>> are automatically published (registered into DNS) automatically by the
>> Netlogon service based on what the service finds in the AD database.

>
>
> I believe they are automatically published if using Dynamic Updates.
>
>
>> To insure that the records are accurate, or at least to make sure the
>> Netlogon service is accurately publishing the records, perform the
>> following:
>> rename the system32\config\netlogon.dns and netlogon.bak files.
>> ipconfig /registerdns
>> net stop netlogon
>> net start netlogon

>
> I already had checked netlogon.dns on each of my DNS servers and they
> contain the correct entries. I believe it is just tied into the fact
> that the zone _msdcs isn't allowing this file to update the DNS server
> that is the problem.
>
> The company the school hired to help with the upgrade to AD entered
> many of the DNS entries manually during the setup.
>
> Thanks for the help I will try to post in the AD newsgroup as well.
>
>


It's actually already posted in the AD group. I cross-posted it.

I would immediately allow updates and re-run that procedure I provided. Not
sure what the reasoning is behind not allowing updates by the tech, or even
attempting to enter all the SRV data manually. That sounds tedious when the
Netlogon service will do it on its own.

Ace
