Jerry Thompson asked:

Windows 2000 Server - How to repair or replace DNS service

I have several problems, but I think they are linked to DNS.

Background:  Uploaded a list of new users to a Windows 2000 server with Active Directory.  Partway through the list I got a "Relative Identifier pool empty" or similar.  I now know this is a RID issue.

Searches here and on the internet said to ensure the domain controller is one and to see if there was a global catalog.  I could not find one where I was told to look.

I actually lost all domain functionality twice.  A reboot brought it back.  Lost as in, when clicking on any of the Active Directory sections, it said no domain controller was available.

Learned about a program called dcdiag /v.  That was helpful.

You can see the output here:

http://www.jerlo.com/dcdiag.jpg

The first failure is DNS related.

I do not know how to either repair or replace the DNS service.  I have inherited the system from a predecessor and was not involved in the setup.

Thank you.

Jerlo
ASKER CERTIFIED SOLUTION by BSonPosh
This solution is only available to members.
ASKER

Must you have 2 domain controllers for DNS to run properly?  The directions above call to run the procedure "on the rest of the servers".

Upon further investigation, we do have a second "DC" called LCS-dc-01 (Primary above is called LCS-dc01).

But there is no DNS or Active Directory listed on the second server.  I believe at one point it may have been de-promoted.  I am not sure of its status now.  Before, we were having IP address conflicts.  A "consultant" came in and removed DHCP from it.  I am not sure if this is a member server.  It is listed as a SERVER in ADSI, but there are no NTDS Settings.

Does this information change any of the process above?

Thank you.
Not really, but if you do have other DCs out there it is CRITICAL they point to the main DC for DNS.
Ran netdiag /fix. Everything looked good till we got to Global results.

Error message:  "[WARNING] The system volume has not been completely replicated to local machine.  This machine is not working properly as a DC."

Also lower yet: DNS Test . . . Failed:
[Fatal] Failed to fix: DC DNS entry LCS.org.  Reregistration on DNS server '192.168.0.2' failed.

Below this an incredible number of DNS Error Code: DNS_ERROR_RCODE_NOT_IMPLEMENTED - ldap, gc and kerberos.

see image http://jerlo.com/dnsfix.jpg

net stop/start worked fine.
ipconfig /registerdns seems to work.  No error messages in the DNS log.

Cannot seem to see SRV records.  Using the article above for checking SRV, the nslookup gives a non-existent domain error message.

I am not convinced that this is functioning as a domain controller.  Is there a utility that tells me for sure?

What about de-promoting/re-promoting the domain controller?

thank you.
I was discussing this issue with another admin over the phone.  I asked how I could be sure that the DC was really a DC.  He said that in the My Network Places shares there should be two shares, NETLOGON and SYSVOL.

Since this is an inherited system, I decided to install 2000 server on another machine to see what was involved.  That machine shows both shares.
SOLUTION
This solution is only available to members.
We are making progress.

Josiah is gone.  YEA!

Net start/stop, netdiag /fix and ipconfig /registerdns seem successful.

I installed DNS on lcs-dc-01 as a standard secondary forward and reverse lookup zone.  Forward succeeded, reverse did not.

I cannot find the SRV records in DNS for either DC.  I go to the forward zone / lcs.org / and there are three lines, TYPE NS, SOA, A, and no lines looking like the article describes.

Netlogon.dns looks good

NSLOOKUP says "can't find server name for address 192.168.0.2: non-existent domain"

All 5 FSMO roles are pointing to lcs-dc01.

Neither computer has the service NTFRS listed, nor is it an option to run.

You did not specify that active directory must be installed on lcs-dc-01, but it is implied by the last comment.  Do I need to install it?

I ran DCDIAG /v on lcs-dc01.  Got a failed connectivity test and a failed fsmocheck.

Netdiag on lcs-dc01: no global catalog and similar no-DC messages.

AD replication & FRS not done (what is FRS?)

I really appreciate your help and am encouraged by the progress.  But I am done for today.  Any further instructions will be done tomorrow.

Thank you.
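The checks this post runs by hand (looking for the NETLOGON and SYSVOL shares, whether NTFRS is running, whether the DC locator SRV records resolve, and what netlogon.dns says should be registered) can be run together from one batch file on the Windows 2000 DC. This is an added example, not anything posted in the thread; it assumes the domain name lcs.org and the DNS server 192.168.0.2 from the thread, and the SRV record names are the standard ones a Windows 2000 DC registers.

```batch
@echo off
rem Added example (not from the thread): DC health checks run from a cmd prompt
rem on the Windows 2000 domain controller itself.
rem Assumptions: AD domain is lcs.org and the DC's DNS server is 192.168.0.2
rem (both from the thread). Change DOMAIN and DNSSRV for another environment.
set DOMAIN=lcs.org
set DNSSRV=192.168.0.2

echo === 1. SYSVOL and NETLOGON shares (absent until FRS finishes initializing) ===
net share | findstr /I "SYSVOL NETLOGON"
if errorlevel 1 echo   MISSING: neither SYSVOL nor NETLOGON is shared on this machine

echo === 2. File Replication Service (ntfrs) running? ===
net start | findstr /I /C:"File Replication"
if errorlevel 1 echo   File Replication Service is not started

echo === 3. DC locator SRV records that must exist in DNS for %DOMAIN% ===
rem _ldap/_kerberos under the domain, plus the _msdcs and _gc entries used by
rem clients and other DCs. "Non-existent domain" here means the DC never
rem registered them (or the zone is not the one the DC points at).
for %%R in (_ldap._tcp _kerberos._tcp _gc._tcp _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs) do (
    echo --- %%R.%DOMAIN%
    nslookup -type=SRV %%R.%DOMAIN% %DNSSRV% | findstr /I "svr hostname Non-existent"
)

echo === 4. Records netlogon intends to register (compare with step 3) ===
type %SystemRoot%\system32\config\netlogon.dns | findstr /I "SRV"
```

If step 4 lists SRV records that step 3 cannot resolve, the DC is trying to register them but the DNS server at DNSSRV is not accepting or serving them, which matches the DNS_ERROR_RCODE_NOT_IMPLEMENTED results netdiag reported.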
SOLUTION
This solution is only available to members.
More Progress :)

Everything seems to work except it still fails as GC, DC and the FSMO also fails.  Yet I can now create a user, which is good.

The below event log seems to indicate the problem.  The sysvol share is not being created and that can stop AD.

I have been looking at article http://support.microsoft.com/kb/257338 but some of what it directs I cannot find or do.  Example, in dssite.msc I can find no check topology command nor can I find ntfrsutl.exe.

Event ID 13566
File Replication Service is scanning the data in the system volume. Computer LCS-DC01 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share
 
When File Replication Service completes the scanning process, the SYSVOL share will appear.
 
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.

I have not yet done everything to lcs-dc-01 as directed above.

I think if we can get the sysvol functioning properly, then everything else will fall in place.

Thank you again for your patience and efforts.
MORE INFO

I looked at the link for the FRS tools.

Installed FRSdiag.  Its output was a bunch of text files.  You can download them in a zip file from:

http://jerlo.com/LCS-DC01_on_2007-08-26_at_8.21.30_AM_FRSDiag.CAB
SOLUTION
This solution is only available to members.
would = wouldn't.... I would NOT suggest this in a large environment, but for two DCs it is perfectly fine.
POP!! Go the corks.

Nonauthoritative FRS restore did the trick.  Netdiag shows no errors; dcdiag, no errors.

SRV records are on lcs-dc01, DNS seems to be behaving.

I manually created 3 users, I unjoined and rejoined a computer to the domain.

I uploaded my entire list of 125 users which is what originally depleted the relative identifier pool.

Last 3 items:
1.  There are no SRV records on the second server, LCS-dc-01.  Should there be?

2.  There is still no NETLOGON share on the server.  Does there need to be?

3.  Are there any other items or checks to make sure all is well?

Thank you for your time and sticking with me.
Jerlo
MORE to Consider

AD Sites and Services under lcs-dc01 the NTDS settings are empty.  Should they be?

AD Sites and Services under lcs-dc-01, there is no NTDS Settings folder.  Should there be?

ON lcs-dc-01, I installed DHCP, but did not define a scope.  Do I need to define a scope? Should it be the same as the DHCP running on lcs-dc01?   Will this conflict with the DHCP server running on lcs-dc01?

Thanks again.

Jerlo
SOLUTION
This solution is only available to members.
LOL

I agree, kill and rename.  Except it never showed up in the metadata cleanup.  Only lcs-dc01 and josiah.  I ran the metadata cleanup a second time after the josiah removal and the only server that appeared was lcs-dc01.

But I will try again and not for several days or weeks.  This whole exercise has cost me and I must attend to other non-server related issues.

I assume the questions I asked above are inconsequential since there was no comment.

So I am going to print all this out and save for the future and unless you direct me to do something else, you can close this thread.

Thank you again.

Jerlo
If ntdsutil doesn't see it you can just rebuild it and just delete from AD S&S.

re:
"I assume the questions I asked above are inconsequential since there was no comment."

You are correct... what I suggested would fix both.

Glad I could help.
How is this going?
Good, I seem to be having some unexpected fallout though.

1.  I posted in ID 22789675.  Basically, re-initializing FRS wiped my GPOs and logon scripts.  No apparent copies of the logon scripts.  I do not know if some of the GPOs are needed by the system or if all had been created at some point and I just need to re-create the one I need.  I hoped there was a way to re-generate them, but I expect not.

2.  Some machines will not connect.  The user can connect successfully elsewhere, so I believe it is a computer setting issue.  I either get a DNS error message or domain not available message.

Re-imaging one computer fixed it for that one.  Someone suggested I double check the dns settings and make sure there were no mapped drives.  It seems OK.

As far as LCS-dc-01, I removed DHCP and DNS, shut it down and unplugged from the network just to make sure the problem computers were not pulling addresses or resolving to that computer.

I am having an issue with the log on script that I am going to post in another question.

Thanks again.  I do not know what I would have done without your help.  :)

Jerlo
Ya... the good news is the policies aren't gone... they should be in a hidden folder in SYSVOL, labeled NTFRS_Pre-Existing or something like that.  When you D2/D4 a machine it copies the current policy files to that folder.  If you copy all those files back into SYSVOL you should be good.

Make sure the client machine is pointing to the DC before joining the domain.
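The D2 (nonauthoritative) FRS reinitialization referred to above, written out as a batch file for a Windows 2000 DC. This is an added example, not BSonPosh's steps or anything from the thread: it uses the BurFlags registry method documented in Microsoft KB 290762, and adds a copy of the Policies and scripts folders to a separate directory first, since this thread shows the NtFrs_PreExisting folder alone is not a reliable safety net. It assumes SYSVOL lives under %SystemRoot%\SYSVOL and that a second, healthy FRS replica exists to resync from.

```batch
@echo off
rem Added example (not from the thread): nonauthoritative FRS restart via the
rem BurFlags value (Microsoft KB 290762) on a Windows 2000 DC, with a plain file
rem copy of the policy and script folders taken first so GPOs cannot be lost.
rem Assumption: SYSVOL replica root is %SystemRoot%\SYSVOL\domain (Win2000 default).
set SYSVOLDOM=%SystemRoot%\SYSVOL\domain
set BACKUP=%SystemDrive%\sysvol_backup

echo --- 1. Copy Policies and scripts somewhere FRS does not manage
xcopy "%SYSVOLDOM%\Policies" "%BACKUP%\Policies\" /E /H /K /Y
xcopy "%SYSVOLDOM%\scripts"  "%BACKUP%\scripts\"  /E /H /K /Y
if errorlevel 1 (
    echo   Backup copy failed; not touching FRS.
    goto :EOF
)

echo --- 2. Stop FRS, set BurFlags = D2 (nonauthoritative), start FRS
rem A .reg file applied with regedit /s, since reg.exe is not built into Win2000.
net stop ntfrs
> "%TEMP%\burflags.reg" echo REGEDIT4
>>"%TEMP%\burflags.reg" echo.
>>"%TEMP%\burflags.reg" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup]
>>"%TEMP%\burflags.reg" echo "BurFlags"=dword:000000d2
regedit /s "%TEMP%\burflags.reg"
net start ntfrs

echo --- 3. FRS moves the old replica content aside, then resyncs from a partner
echo Moved-aside files: %SYSVOLDOM%\NtFrs_PreExisting___See_EventLog
echo Watch the File Replication Service event log for event 13516, then confirm:
net share | findstr /I "SYSVOL NETLOGON"
```

After event 13516 appears and SYSVOL is shared, compare the Policies folder against the copy in %BACKUP% before deciding whether anything needs to be copied back.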

Sigh . . . a flash of hope . . . dismay  :(

I found the folders.  Empty, 0 KB.

I do not know what may have happened.  I do not think I could have accidentally deleted the GPOs during this process, but odd things have been happening right along with this.

Are there required system GPOs?  Or are they made as needed?

Thank you.

Jerlo
Here is an article to rebuild the default policies.
SOLUTION
This solution is only available to members.
The bad news is that dcgpofix is for Windows Server 2003 and above.

The good news is you gave me the proper wording for a successful search for recreatedefpol, which is designed specifically for Windows 2000 Server.

The GPO I made yesterday now works.

Still need to post my scripting issue.

Thanks once again.

Jerlo
How is it going?
FYI. It seems you're all good. I'm going to stop watching this now. GL
Agreed.  Thank you for all your help.

Jerlo
no worries... make sure to pick a solution and resolve this.