Joining Existing Domain

Discussion in 'DNS Server' started by Paul Smith, May 26, 2005.

  1. Paul Smith

    Paul Smith Guest

    I have just started working on a Windows 2000 domain that was somehow set up
    without DNS. I have installed DNS on the Windows 2000 DC, but it doesn't
    seem to be updating very well, and no SRV records have been created.

    Anyway, I'm trying to install a new Windows 2003 DC into the domain. I have
    set it with the IP of the current DC as the DNS server, but when I do a
    dcpromo it can't find the SRV records on the DC, so it won't allow me to
    continue.

    I figured I'd just install DNS on the 2003 server and have everyone look to
it. I did so, and VOILA! SRV records. Cool. So I pointed all of the
servers to the new DNS server and tried the DC promo again. It then said
    that there were no "A" records for the DC. In spite of a number of "ipconfig
    /registerdns" tries, there were still no records for the DC in DNS. So I put
    them in manually (both an "A" and a "PTR"). I also put in an "A" and a "PTR"
    for the DNS server.

    Now when I do the dcpromo, I get an error saying that DNS was successfully
    queried, and it found the right DC, but it still can't seem to see the DC.
    It says that the "A" record may not be right, but I'm almost sure it is.

Also, if I do an nslookup from the new 2003 DNS server, it resolves the name
of the DC to an IP and its IP to its name.

    So what's the deal?
     
    Paul Smith, May 26, 2005
    #1

2. Some facts about DNS registration and what its requirements are:

    1. The Primary DNS Suffix must match AD's DNS Domain name.
    2. The AD DNS Domain name and the Primary DNS Suffix cannot be a single
    label name.
3. ONLY use the internal DNS for AD. If you have multiple DNS servers,
    the data on each must be EXACTLY the same. You cannot use an ISP's DNS
    server in any machines' (DCs and client) IP properties when it comes to AD.
    4. The zone must match #2 and #3 names.
    5. The zone must allow Dynamic Updates.
    6. If the IP address of the DNS entry in NIC properties is 127.0.0.1, change
    it immediately to the actual IP address of this machine.

    That's the basis. If these rules have been followed, registration will occur
    with no problem.

    Now, are you saying you now have two DCs in separate domains since they are
    using different DNS servers?

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Paramount: What's up with taking Enterprise off the air??
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], May 26, 2005
    #2

  3. Paul Smith

    Paul Smith Guest

    "Ace Fekay [MVP]" wrote:

    Ace,

    All...and I mean all... of these things checked out and I still got the
    error. I let DNS percolate over night and we'll see what happens today.
    I've had to mess with DNS a lot since Windows 2000 came out and have found
    that allowing it to catch up with itself for a few hours sometimes makes a
    difference. In the meantime any other ideas you may have will be helpful.
    It's not a crisis, because there are only 15 users at the place. I could
    recreate the domain if I absolutely had to, but it would be quite a pain.

I don't have two DCs at this point because the dcpromo will only allow me
    to go so far without being able to join up with the old DC. I have DNS
    running on two different servers, but everyone is really only using DNS on
    the new server. These are the records that are the most complete at the
    moment.
     
    Paul Smith, May 26, 2005
    #3
  4. Paul Smith

    Paul Smith Guest

    I checked the thing after letting it run overnight and no luck. I tried
    setting up the old DC as a secondary DNS to the new machine. It got all of
    the records just fine, but still no luck no matter which server I'm pointing
    to for DNS.

I was wondering if upgrading to service pack 4 on the Windows 2000 server
would be a good thing to try. Maybe just upgrading it to Windows 2003? It
    will only be in service long enough to allow the new server to copy AD
    information and then it will be taken off-line permanently. Would any of
    this make sense, or should I just resign myself to recreating the entire
    domain/AD structure on the new server?
     
    Paul Smith, May 26, 2005
    #4
5. Kevin D. Goodknecht Sr. [MVP]
    If the zone on the current DC is AD Integrated, you will need to delete the
    secondary zone, once you have DCPROMOed the second server the AD zone will
    replicate to it.
    Service pack 4 would be recommended, but upgrading to Win2k3 probably won't
    help your problem.

> It will only be in service long enough to allow the
    What will be taken offline permanently and why?
    A DC can only be offline for 59 days, on the 60th day its AD database will
    be tombstoned and will no longer replicate with any other DC in the domain.


> Would any of this make sense, or should I just resign
    For AD to work you need a DNS server that supports SRV records and
    preferably dynamic updates. Preferably, DNS should be run on DCs to take
    advantage of AD integrated zones, which are more secure.
    That said, here is what you need to check.
    *The Primary DNS suffix in the ipconfig /all must match the AD domain name
    in ADU&C.
    *There must be a forward lookup zone in DNS for this name.
    *The domain name should NOT be a single-label name (domain.com vs. domain)
    *Single-label domain names require registry entries on the DC and all
    members with Win2kSp4 and later, XP and Win2k3.
    *On the general Tab of the zone properties Dynamic updates should be set to
    Yes or Secure updates only.
    *The DC must use ONLY its own private IP address for its DNS address.

    300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
    http://support.microsoft.com/?id=300202&FR=1

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

    300684 - Information About Configuring Windows 2000 for Domains with
    Single-Label DNS Names
    http://support.microsoft.com/default.aspx?scid=kb;en-us;300684


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], May 27, 2005
    #5
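The registration rules Ace listed in reply #2 and Kevin's checklist in reply #5 can be applied mechanically to a pasted ipconfig /all. The script below is an added example, not something posted in this thread: it parses the output format Windows prints, then checks that the Primary DNS Suffix equals the AD domain name, that the domain is not a single label, that no adapter uses 127.0.0.1 as its DNS server, and (as a sanity check the thread also applies by eye) that the gateway and DNS server addresses fall inside the adapter's own subnet. The three sample outputs are constructed for the example and modelled on the ones posted later in the thread; the function and constant names are my own.

```python
"""Check a pasted ``ipconfig /all`` against the AD DNS registration rules
given in the thread. Sample outputs are constructed for this example."""
import ipaddress
import re

# Constructed: a Windows 2000 DC whose Primary DNS Suffix is empty (a disjoint namespace).
DISJOINT_DC = """\
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : srmdom
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.100
DNS Servers . . . . . . . . . . . : 192.168.0.2
"""

# Constructed: suffix is right, but gateway and DNS server lie outside the adapter's /24.
WRONG_SUBNET = """\
Host Name . . . . . . . . . . . . : srmdomcon
Primary DNS Suffix . . . . . . . : srmdc.inc

Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2
DNS Servers . . . . . . . . . . . : 192.168.0.10
"""

# Constructed: clean configuration; the second DNS server sits on an unlabelled continuation line.
CLEAN_DC = """\
Host Name . . . . . . . . . . . . : srmdom
Primary DNS Suffix . . . . . . . : srmdc.inc

Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.100
DNS Servers . . . . . . . . . . . : 192.168.0.2
                                    192.168.0.10
"""

# "Label . . . . : value" lines; the dotted leaders between label and colon are discarded.
_LINE = re.compile(r"^\s*([A-Za-z][\w\- ]*?)[ .]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Split ipconfig /all text into a global dict and one dict per adapter."""
    global_section, adapters, last_key = {}, [], None
    current = global_section
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            extra = raw.strip()
            if last_key and re.fullmatch(r"\d+(\.\d+){3}", extra):  # extra DNS server
                current[last_key] += " " + extra
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key.lower().startswith(("ethernet adapter", "ppp adapter")):
            current = {"name": key.split("adapter", 1)[1].strip()}
            adapters.append(current)
            last_key = None
            continue
        current[key] = value
        last_key = key
    return global_section, adapters


def check_dc_config(text, ad_domain):
    """Apply the thread's checklist; an empty list means everything passed."""
    findings = []
    glob, adapters = parse_ipconfig(text)
    suffix = glob.get("Primary DNS Suffix", "")
    if "." not in ad_domain:
        findings.append(f"AD domain '{ad_domain}' is a single-label name")
    if suffix.lower() != ad_domain.lower():
        findings.append(f"Primary DNS Suffix '{suffix}' does not match AD domain '{ad_domain}'")
    for a in adapters:
        if not a.get("IP Address") or not a.get("Subnet Mask"):
            continue
        net = ipaddress.IPv4Interface(f"{a['IP Address']}/{a['Subnet Mask']}").network
        gw = a.get("Default Gateway", "")
        if gw and ipaddress.IPv4Address(gw) not in net:
            findings.append(f"{a['name']}: default gateway {gw} is outside {net}")
        for server in a.get("DNS Servers", "").split():
            if server == "127.0.0.1":
                findings.append(f"{a['name']}: DNS server is 127.0.0.1, use {a['IP Address']} instead")
            elif ipaddress.IPv4Address(server) not in net:
                findings.append(f"{a['name']}: DNS server {server} is outside {net}, check for a typo")
    return findings


if __name__ == "__main__":
    for label, sample in [("disjoint", DISJOINT_DC), ("subnet", WRONG_SUBNET), ("clean", CLEAN_DC)]:
        print(label, check_dc_config(sample, "srmdc.inc") or "OK")
```

The subnet test is deliberately only a warning in spirit: a DNS server on another routed subnet is legal, but when the poster's own address and the addresses it points at disagree, a transcription error is the first thing to rule out.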


6. I'm somewhat surprised you are not already on SP4. It may or may not fix your
problem, but can also cause problems if your domain is a single label name,
which we haven't quite determined yet.

    Can you post an ipconfig /all of this server and one of your clients please?
I think we should take a look at your config just to make sure we're not
    going down the wrong road with helping you.

    Also, you can't just 'yank' a server offline as Kevin said, due to the 60
day tombstone lifetime of AD objects. The old server's reference will remain
    in AD until you physically remove it using ntdsutil. So let's not be
    unplugging servers.

    Ace
     
    Ace Fekay [MVP], May 27, 2005
    #6
  7. Paul Smith

    Paul Smith Guest

    As I said, I was just brought into this thing (last week, in fact). A
    completely different company set up the servers, hence the weird
    configurations and the weird problems. I've done all of this stuff before
    and it's usually quite easy. But the setup for this network was botched from
    the beginning, and I'm just trying to clean it all up. That's why I'm
    looking for input. I'm having very unusual problems.

    Part of the reason I didn't upgrade to service pack 4 right away was because
    I knew that we were going to be pulling this server out of service soon. It
    is old, icky, and has virtually no more hard drive space, and it's really not
    serving any purpose except as the DC. So I didn't want to waste a lot of
    time upgrading it for no reason. Also, I wasn't sure if it was going to
    cause more problems than it solved...which is what you were alluding to.

    I'm also not planning on just unplugging it. I will follow the required
    methods for decommissioning it.

    But at the moment, the issue is getting the new server upgraded as a new DC
    and joined to AD so it gets all of the required information.

The domain is not a "single name". It is "srmdc.inc". An ipconfig /all of
    the new Windows 2003 server looks like this (remember, I'm using it as a
    primary DNS in a Standard Zone):

    Windows IP Configuration
    Host Name...............................: SRMDOMCON
    Primary DNS Suffix....................: srmdc.inc
    Node Type...............................: Unknown
    IP Routing Enabled....................: No
    WINS Proxy Enabled..................: No
    DNS Suffix Search List...............: srmdc.inc

    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix...:
    Description...............................: (blah blah blah)
    Physical Address.......................: (blahdey blahdy blahdy)
    DHCP Enabled...........................: No
    IP Address................................: 192.168.1.10
    Subnet Mask.............................: 255.255.255.0
Default Gateway........................: 192.168.0.2
DNS Servers.............................: 192.168.0.10

    Again, when I try to do a dcpromo and it asks me to log into the current DC
    so I can add this machine as a new DC, the error I get states that "An
    Active Directory domain controller for the domain srmdc.inc could not be
contacted." It goes on to say, "The following controllers were identified by
    the (DNS) query: srmdom". This is correct. However it doesn't seem to see
    it as a DC. It says, "Common causes of this error include:
    - Host (A) records that map the name of the domain controller to its IP
    addresses are missing or contain incorrect addresses.

    - Domain controllers registered in DNS are not connected to the network or
    are not running."

    The DC is connected and is running. The records in DNS seem to be correct.
    I had to manually add an A record for it, though. It looks like this:

    srmdom Host (A) 192.168.0.2

There is also a PTR record that looks like this:

    192.168.0.2 Pointer (PTR) srmdom.srmdc.inc

    Zone transfers on the DNS server are enabled.

    What am I missing?
     
    Paul Smith, May 27, 2005
    #7
  8. Your ipconfig /all is confusing. Your default gateway and DNS address shown
    above, based on the mask, are in a different subnet than the IP address of
    this server. Was that intentional or a typo? Did you copy/paste it from the
    cmd prompt or typed it in?

    Ace
     
    Ace Fekay [MVP], May 27, 2005
    #8
  9. Paul Smith

    Paul Smith Guest

    Sorry Ace, it was a typo. The actual IP of the server is 192.168.0.10.
     
    Paul Smith, May 28, 2005
    #9
  10. Paul Smith

    Paul Smith Guest

    I should also probably mention at this point that I just went ahead and
    upgraded the old DC to SP4 and it didn't help.

    Furthermore, I did a "netdiag" on the DC and it came up with a failed LDAP
    test. I did "netdiag /fix" and it didn't help.

    I looked and couldn't find any resolutions to this (no, the machine doesn't
    run RAS).

One other interesting thing I've found about the old DC is that when I
    install DNS and create Forward and Reverse zones, it doesn't create more than
    a couple of records. It doesn't create any "A" records at all, nor does it
    create any of the subfolders you usually see on a DC running DNS...no _tcp,
    no _msdcs, none of them. I've tried stopping and restarting NETLOGON as I
    saw somewhere and it didn't help.

    I'm not sure, and I can't get a straight answer out of the client, but I'm
    thinking this machine may once have been an NT machine and it was upgraded to
    2000.

    If any of this sheds some light on my plight, I'd love some more help.

    Thanks.
     
    Paul Smith, May 28, 2005
    #10
  11. I thought it was a typo!
    :)
     
    Ace Fekay [MVP], May 28, 2005
    #11


  12. On a DC, the Primary DNS Suffix, that shows up in System Properties
    (rt-click My Comp, properties), under the Name ID tab, MUST match Active
    Directory's DNS Domain name that it is a domain controller for.

    A name space can be interpreted in a couple ways. I can create a namespace
    called "domain.com", and in addition, I can create another namespace on the
same machine called 'usa.domain.com'. They are two separate zones and are
    literally, due to the way I created them separately, as two separate
    namespaces. If I had created 'usa' under the 'domain.com' zone, then it
    would be a child domain under the 'domain.com' namespace referred to as
    usa.domain.com.

    Yes, I know it sounds somewhat confusing, but think of it this way, whatever
    domain name is at the root or parent, that is the start of the 'namespace',
whether it be a 1st level name and a TLD (top level domain), such as
'domain.com', or a 2nd level name.1st level name.TLD, such as
    usa.domain.com, and anything under it in that zone you create is part of
    that namespace.

    You can also delegate a child namespace from the parent zone, such as on
    server DNS-01 in the parent corporate NOC (network ops center) in London, I
    create a zone called 'domain.com'. We have a remote location with their own
administrators that are in an AD child domain called 'usa.domain.com' in New
    York. We want to give them complete control of their own child domain and
    anything under it, since they have their own domain and are in control of
    it. So what we would do is rt-click on the parent domain.com zone and click
on New Delegation, and type in 'usa'. It automatically suffixes the parent
    name of domain.com. Then we provide the DNS servers that will handle the
    zone by FQDN name and their IPs. We literally just created a separate
    namespace and gave them control of that 'namespace'. Now all queries for
    anything in the usa.domain.com zone will be sent to those servers.

    I hope that helps and makes sense.

    Ace
     
    Ace Fekay [MVP], May 28, 2005
    #12
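The namespace rules Ace describes above (a name belongs to the longest zone suffix a server holds; a child created inside the parent zone is part of the parent's namespace; a delegation hands a child name off to other servers) can be modelled in a few lines. The following is an added example written for this page, not code from the thread; the servers, zones and 203.0.113.x addresses are constructed, and the function names are mine.

```python
"""Constructed model of zone namespaces and delegation as described in the post."""

# Each server holds zone name -> {"records": {fqdn: rdata}, "delegations": {child: [ns, ...]}}.
SERVERS = {
    # DNS-01 in the parent NOC: holds domain.com and delegates 'usa' to New York.
    "dns-01.domain.com": {
        "domain.com": {
            "records": {
                "www.domain.com": "A 203.0.113.10",
                # 'uk' was created *inside* the domain.com zone: same namespace, no delegation
                "fs1.uk.domain.com": "A 203.0.113.11",
            },
            "delegations": {"usa.domain.com": ["ns1.usa.domain.com", "ns2.usa.domain.com"]},
        },
    },
    # New York: holds usa.domain.com as a separate zone, i.e. its own namespace.
    "ns1.usa.domain.com": {
        "usa.domain.com": {
            "records": {"mail.usa.domain.com": "A 203.0.113.20"},
            "delegations": {},
        },
    },
}


def in_namespace(name, apex):
    """True if name is apex itself or sits below it."""
    return name == apex or name.endswith("." + apex)


def resolve_on(server, name, servers=SERVERS):
    """How `server` handles a query for `name`:
    ("answer", rdata), ("referral", [ns...]), ("nxdomain", zone) or ("refused", None)."""
    name = name.rstrip(".").lower()
    held = [z for z in servers[server] if in_namespace(name, z)]
    if not held:
        return ("refused", None)  # not authoritative for any enclosing zone
    zone = max(held, key=len)  # longest suffix wins: a child zone beats its parent
    data = servers[server][zone]
    for child, ns in data["delegations"].items():
        if in_namespace(name, child):
            return ("referral", ns)  # the parent hands the query to the child's servers
    if name in data["records"]:
        return ("answer", data["records"][name])
    return ("nxdomain", zone)  # inside the namespace, but no such record


if __name__ == "__main__":
    for qname in ["www.domain.com", "fs1.uk.domain.com", "mail.usa.domain.com"]:
        print(qname, "on dns-01:", resolve_on("dns-01.domain.com", qname))
    print("mail.usa.domain.com on ns1:", resolve_on("ns1.usa.domain.com", "mail.usa.domain.com"))
```

The difference between the two 'usa' cases in the post shows up directly: fs1.uk.domain.com is answered by the parent because uk lives inside the domain.com zone, while anything under usa.domain.com is referred away because usa was delegated.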

13. The missing SRV records (the ones with the underscores) are the culprit. They
    stipulate the AD services. They are created automatically by the netlogon
    service. If they're missing, my paycheck says AD will NOT function.

    Dumb question: I know you implied this earlier, but are updates allowed on
the zone? Are there any aberrations in the spelling of the zone? Is DNS set
to listen on its correct IP in DNS properties, interface tab? How about the
    nameserver tab, is the info for the server correct?

    Run:
    netdiag /test:dns
    and let us know the results please.

    Also run:
    netdiag /v /fix

Then delete the system32\config\netlogon.dns and netlogon.bak file. Then:

    ipconfig /registerdns
    net start netlogon
net stop netlogon

    Let us know what you come up with. Check for SRV creation.

    Ace
     
    Ace Fekay [MVP], May 28, 2005
    #13
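Ace's closing instruction, "Check for SRV creation", can be made concrete by comparing a zone listing against the names Netlogon is supposed to register. The script below is an added example for this page, not code from the thread: it reads records in the same owner / TTL / IN / TYPE / rdata form that netlogon.dns uses, and reports which of the DC's A and SRV records are absent. The two listings are constructed (the first is what a healthy single-domain forest looks like, the second mirrors the "no _tcp, no _msdcs" zone Paul described); the expected-name list is the core set Netlogon registers, with the PDC-emulator and global-catalog names switchable by argument because they only apply to DCs holding those roles. Function names and the site name default are my own assumptions.

```python
"""Report which DC locator records are missing from a zone listing.
Listings below are constructed for this example."""

# Constructed: the records a healthy DC (PDC emulator and GC) registers for srmdc.inc.
HEALTHY_LISTING = """\
srmdc.inc. 600 IN A 192.168.0.2
srmdom.srmdc.inc. 1200 IN A 192.168.0.2
gc._msdcs.srmdc.inc. 600 IN A 192.168.0.2
_ldap._tcp.srmdc.inc. 600 IN SRV 0 100 389 srmdom.srmdc.inc.
_ldap._tcp.dc._msdcs.srmdc.inc. 600 IN SRV 0 100 389 srmdom.srmdc.inc.
_ldap._tcp.pdc._msdcs.srmdc.inc. 600 IN SRV 0 100 389 srmdom.srmdc.inc.
_ldap._tcp.gc._msdcs.srmdc.inc. 600 IN SRV 0 100 3268 srmdom.srmdc.inc.
_ldap._tcp.Default-First-Site-Name._sites.srmdc.inc. 600 IN SRV 0 100 389 srmdom.srmdc.inc.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.srmdc.inc. 600 IN SRV 0 100 389 srmdom.srmdc.inc.
_gc._tcp.srmdc.inc. 600 IN SRV 0 100 3268 srmdom.srmdc.inc.
_kerberos._tcp.srmdc.inc. 600 IN SRV 0 100 88 srmdom.srmdc.inc.
_kerberos._udp.srmdc.inc. 600 IN SRV 0 100 88 srmdom.srmdc.inc.
_kerberos._tcp.dc._msdcs.srmdc.inc. 600 IN SRV 0 100 88 srmdom.srmdc.inc.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.srmdc.inc. 600 IN SRV 0 100 88 srmdom.srmdc.inc.
_kpasswd._tcp.srmdc.inc. 600 IN SRV 0 100 464 srmdom.srmdc.inc.
_kpasswd._udp.srmdc.inc. 600 IN SRV 0 100 464 srmdom.srmdc.inc.
"""

# Constructed: a zone with only SOA, NS and the host A record, no underscore records at all.
BARE_LISTING = """\
srmdc.inc. 3600 IN SOA srmdom.srmdc.inc. hostmaster.srmdc.inc. 1 900 600 86400 3600
srmdc.inc. 3600 IN NS srmdom.srmdc.inc.
srmdom.srmdc.inc. 1200 IN A 192.168.0.2
"""


def expected_srv_names(domain, site="Default-First-Site-Name", is_pdc=True, is_gc=True):
    """Owner names of the SRV records Netlogon registers for a DC of `domain`.
    A single-domain forest is assumed, so the GC names use the same name as the domain."""
    d = domain.lower()
    names = [
        f"_ldap._tcp.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{site}._sites.{d}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}",
        f"_kpasswd._udp.{d}",
    ]
    if is_pdc:
        names.append(f"_ldap._tcp.pdc._msdcs.{d}")
    if is_gc:
        names += [f"_gc._tcp.{d}", f"_ldap._tcp.gc._msdcs.{d}"]
    return [n.lower() for n in names]


def parse_zone_listing(text):
    """Return {(owner, TYPE): [rdata, ...]} from 'owner TTL IN TYPE rdata' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, rtype, rdata = parts[0].rstrip(".").lower(), parts[3].upper(), " ".join(parts[4:])
        records.setdefault((owner, rtype), []).append(rdata)
    return records


def missing_dc_records(listing, domain, dc_host, dc_ip, **roles):
    """List the A and SRV records for dc_host that the listing does not contain."""
    recs = parse_zone_listing(listing)
    host = dc_host.rstrip(".").lower()
    missing = []
    if dc_ip not in recs.get((host, "A"), []):
        missing.append(f"A {host} {dc_ip}")
    for name in expected_srv_names(domain, **roles):
        # the SRV target host is the last rdata field: priority weight port target
        targets = [r.split()[-1].rstrip(".").lower() for r in recs.get((name, "SRV"), [])]
        if host not in targets:
            missing.append(f"SRV {name} -> {host}")
    return missing


if __name__ == "__main__":
    for label, listing in [("healthy", HEALTHY_LISTING), ("bare", BARE_LISTING)]:
        gaps = missing_dc_records(listing, "srmdc.inc", "srmdom.srmdc.inc", "192.168.0.2")
        print(label, "missing:", len(gaps))
        for g in gaps:
            print("  ", g)
```

A zone where only the A record survives, like the bare listing, is exactly the symptom described in this thread: clients can resolve the host but nothing advertises it as a domain controller, so dcpromo finds the name and still refuses to treat it as a DC.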
14. Kevin D. Goodknecht Sr. [MVP]
    Since this is an upgrade from NT4, plus a few other discrepancies, I'm going
    to suspect a disjointed namespace.
    Post these: (unedited)
    ipconfig /all
    AD Domain name from ADU&C
    Names of forward lookup zones in DNS


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], May 28, 2005
    #14
  15. Paul Smith

    Paul Smith Guest

    Ace,

    The result of netdiag /test:dns on the DC was:

    DNS test.............: failed
    [WARNING] The DNS entries for this DC are not registered correctly on DNS
    server '192.168.0.2'. Please wait for 30 minutes for DNS server replication.

    [FATAL] No DNS servers have the DNS records for this DC registered.

Just a note to remind you, this result occurred when I ran the test on the DC
with that server pointing to itself for DNS. When I ran it on the server
    when it was pointing to the new Windows 2003 server for DNS everything came
    out cleanly. However it doesn't matter which machine I point everyone to, I
    still can't run dcpromo on the new server.

    Also, when I deleted netdiag.dns, did the ipconfig /registerdns and stopped
    and started netlogon, no new records were created.
     
    Paul Smith, May 28, 2005
    #15
  16. Paul Smith

    Paul Smith Guest

    Kevin,

    The results of ipconfig /all are:

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : srmdom
    Primary DNS Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Intel Pro 1000 XT Gigabit Ethernet Adapter - onboard:

    Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82544EI Based Network Connection
    Physical Address. . . . . . . . . : 00-C0-9F-07-35-3E
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.100
    DNS Servers . . . . . . . . . . . : 192.168.0.2


    Also the namespace in Active Directory Users and Computers is: srmdc.inc
     
    Paul Smith, May 28, 2005
    #16
17. Todd J Heron

    Todd J Heron Guest

    Ace and Kevin have led you to provide the information we needed now to
    diagnose your problem, which is you have a single-label domain name. The
below articles talk about this. My recommendation is to conduct an Active
Directory Rename operation to correct it. If you want to go down that path I
can provide you with more information.

    Clients cannot dynamically register DNS records in a single-label forward
    lookup zone:
    http://support.microsoft.com/?id=826743

    Information About Configuring Windows 2000 for Domains with Single-Label DNS
    Names:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&sd=RMVP
     
    Todd J Heron, May 28, 2005
    #17
18. Kevin D. Goodknecht Sr. [MVP]
    As I suspected, this is a disjointed namespace, the DC has no Primary DNS
    suffix. I also assume you do have a forward lookup zone in DNS named
    srmdc.inc, so all you need to do is fix the Primary DNS suffix to match this
    name. There is a script in this KB article that will fix this issue for you.

    257623 Domain Controller's Domain Name System Suffix Does Not Match Domain
    Name
    http://support.microsoft.com/?id=257623


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], May 28, 2005
    #18
  19. Paul Smith

    Paul Smith Guest

    Kevin, you are truly a dude! This one worked!

Just got back from "Revenge of the Sith", got time set up to see
    "Hitchhikers Guide to the Galaxy" and got the silly DNS namespace working to
    the point where it looks like I'll be able to join the Forest after running
    adprep. Lord help me I am in computer geek heaven.

    Thanks again,
    Paul
     
    Paul Smith, May 29, 2005
    #19
20. Kevin D. Goodknecht Sr. [MVP]
    Paul,
    Excellent! I'm glad I was finally able to help. One point to make, this is
    for anyone asking for help, getting good help depends on getting all the
    correct data to diagnose. Had you posted the ipconfig /all, the AD domain
    name and the name of the zone in DNS; you would have had this answer on the
    first reply. In fact the problem was pointed to in point "1." in the first
    reply from Ace.

    <snipped from Ace's reply>
Some facts about DNS registration and what its requirements are:

    1. The Primary DNS Suffix must match AD's DNS Domain name.
    2. The AD DNS Domain name and the Primary DNS Suffix cannot be a single
    label name.
3. ONLY use the internal DNS for AD. If you have multiple DNS servers,
    the data on each must be EXACTLY the same. You cannot use an ISP's DNS
    server in any machines' (DCs and client) IP properties when it comes to AD.
    4. The zone must match #2 and #3 names.
    5. The zone must allow Dynamic Updates.
    6. If the IP address of the DNS entry in NIC properties is 127.0.0.1, change
    it immediately to the actual IP address of this machine.
    <end snip>


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], May 29, 2005
    #20
