DontKnow
Windows 2000 DNS server is misconfigured after upgrading from NT 4.0

My Windows 2000 DNS Server has a major problem (this was an upgrade from NT). Netlogon gives me a message that it "cannot register or deregister because there is no DNS server". Here's roughly what my DNS screen looks like:
----------------------------------------
DNS
  Computer-name
      Cached Lookups
      Forward Lookups
      Reverse Lookups
----------------------------------------


Here's what I see under cached lookups:

---------------------------------------------
Cached Lookups
    (.)
        Net
           .........other stuff

---------------------------------------------

I have done an extensive amount of research and still don't know what the "Cached Lookups" domain is. Many articles I have read warn against the (.) root domain but they all say it would be under the "Forward lookup" zone, not under Cached Lookups. I don't get the option to delete "Cached Lookups". The server gives me the option to delete the "Net" folder but when I press delete it says: domain cannot be deleted - the zone doesn't exist.

I definitely feel I have to get rid of the "Cached Lookups" folder to fix my problem, but I can't (I have tried everything).

Here's my question:

My zone is Active Directory Integrated. What would happen if I deleted the "Computer Name" from DNS and started building the DNS over again? Will I get into real trouble with the Active Directory? I don't think it knows where the DNS is anyway. Or better yet, what if I removed DNS entirely and then added it back?

Or alternatively, is this something that "netdiag.exe /fix" would take care of?

Please do not point me to online documents - I have read all of them. And remember that I can't delete the (.) root folder. It doesn't let me (unless there is a tricky way to do it).

Pber

I assume the DNS service is running on a Windows 2000 domain controller since you said it was Active Directory integrated.

I've broken AD many times and it's usually always because of DNS.  Removing the Computer name from DNS doesn't actually remove DNS, it just removes the ability to administer DNS on that computer.  I wouldn't worry about the cached lookup zone; I have the structure you have and mine works fine.

What do you see under your forward lookup zone?

Anyhow, you should be able to remove DNS and reinstall.  AD will be down, so I would do this after hours.  I still wouldn't recommend it.

But first try this...

Make sure in the TCP/IP that the server is pointing to itself for DNS (once again assuming DNS is installed on this machine)
Make sure "Append primary and connection specific DNS suffixes" are selected.
Check "Append parent suffixes of the primary DNS suffix"
Check "Register this connection's addresses in DNS"

Enter your AD DNS name in "DNS suffix for this connection"

On the DNS server, make sure you have a zone that matches your AD DNS name.  If not create it.
You may want to turn off Secure dynamic updates until DNS is working.

At a command prompt try:

C:\>ipconfig /registerdns

This should register this server into DNS.  I've had problems with not having the DHCP client enabled while using NIC Teaming.

C:\>ipconfig /flushdns
This will flush the DNS cache. The server will look into cache before it queries DNS.  This forces it to look at the DNS server.

If you are using NetBIOS, you might want to try:
C:\>nbtstat -R
This is similar to /flushdns but for NetBIOS.

C:\>nslookup
This will allow you to query the DNS server to see if you can resolve things.

Also in the Windows 2000 support tools there is a tool called Active Directory Replication Monitor.  This tool is good for checking replication problems.

What kind of events are you getting in the Directory Service, DNS, Replication event logs?

Let me know what happens

DontKnow

ASKER

I followed your directions and here's what I have

Make sure in the TCP/IP that the server is pointing to itself for DNS (once again assuming DNS is installed on this machine)
     This is the case

Make sure "Append primary and connection specific DNS suffixes" are selected.
     These radio buttons are selected
   
Check "Append parent suffixes of the primary DNS suffix"
     This is the case

Check "Register this connection's addresses in DNS"
     This is selected

Enter your AD DNS name in "DNS suffix for this connection"
       The name was there

On the DNS server, make sure you have a zone that matches your AD DNS name.  If not create it.
       I did have a zone that matched the AD DNS name
   
I typed in the following command as you suggested:
C:\>ipconfig /registerdns
I got a message: Registration of resource records has started. Any error will be reported in the event viewer in 15 minutes. No errors were reported.

I ran the following command as well
C:\>ipconfig /flushdns     it did its job

I stopped the DNS service and restarted it and then stopped and restarted Netlogon. Netlogon again gave me the following message:

Dynamic registration and deregistration of one or more DNS records failed because no DNS servers are available.

Here's some extra info - (assume that my domain name is "mydomain", and computer name is "compname"):

Under my forward lookup zone:

Forward Lookup
      SOA
      NS           compname.mydomain.
      NS           compname.mydomain.loc
        A            compname       IP

I don't know why I have 2 NS records but I haven't been able to delete one.

Also, I don't have any SRV records, which I think should be appearing automatically under the Forward Lookup - I am assuming that's what netlogon is trying to do and can't.

I think the machine, or the domain, doesn't understand there is a DNS on the same machine. As a result I cannot add a new DC to this domain. When I try to do that I get a message saying "no domain found" or something like that. I can add workstations to this domain though without any problems.

I think I am hosed. What kind of troubles could I get into if I just delete the computer name from my DNS and start rebuilding it? Of course that's no guarantee that would work either. At the moment users can log into the machine and do their work and I don't want to jeopardize that.

I think I will add another 100 points for your trouble.


Well your setup looks good.

As far as deleting the Name server goes: select the Name server, right click, select properties. Under the Name server tab you should be able to remove the other entry.

It seems like the DCpromo didn't take (probably due to DNS).  Look at the DCpromo.log file in c:\winnt\debug and look for errors.

Does NSlookup query the DNS?  Make sure the server can at least query itself.

Is the DNS server allowing Dynamic updates?  This is needed for the records to be updated.

Is there a file in c:\winnt\system32\config called netlogon.dns?  This file will have the SRV records in it.

What events are you getting in the Event logs?

If you are hosed, I wouldn't worry about deleting the zone.  Recreate as a primary and try to have the DC recreate the records (Start Netlogon).  I hosed my AD once and I entered in all the SRV records manually and AD came back.  
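A way to make the netlogon.dns check above mechanical, as an added example and not code from this thread: parse the records Netlogon wants to register out of a netlogon.dns file and diff them against a dump of the forward lookup zone, so the exact set of missing SRV records is listed instead of guessed at. Both inputs below are constructed samples using the thread's placeholders "mydomain" and "compname", and the zone dump mirrors the asker's zone (SOA, two NS, one A, no SRV).

```python
# Added example (not from the thread): which records listed in netlogon.dns
# are absent from the zone. All data is constructed with the thread's placeholders.
import re
from collections import defaultdict

# Constructed excerpt in the netlogon.dns layout: "owner TTL IN type rdata".
NETLOGON_DNS = """\
mydomain. 600 IN A 192.0.2.10
_ldap._tcp.mydomain. 600 IN SRV 0 100 389 compname.mydomain.
_ldap._tcp.dc._msdcs.mydomain. 600 IN SRV 0 100 389 compname.mydomain.
_ldap._tcp.pdc._msdcs.mydomain. 600 IN SRV 0 100 389 compname.mydomain.
_kerberos._tcp.mydomain. 600 IN SRV 0 100 88 compname.mydomain.
_kerberos._tcp.dc._msdcs.mydomain. 600 IN SRV 0 100 88 compname.mydomain.
_kpasswd._tcp.mydomain. 600 IN SRV 0 100 464 compname.mydomain.
_gc._tcp.mydomain. 600 IN SRV 0 100 3268 compname.mydomain.
"""
# Constructed zone listing mirroring the thread's forward lookup zone:
# SOA, two NS records and one A record, and no SRV records at all.
ZONE_DUMP = """\
mydomain. 3600 IN SOA compname.mydomain. hostmaster.mydomain. 1 900 600 86400 3600
mydomain. 3600 IN NS compname.mydomain.
mydomain. 3600 IN NS compname.mydomain.loc.
compname.mydomain. 3600 IN A 192.0.2.10
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*?)\s*$")

def parse_records(text):
    """Return a set of (owner, type, rdata); TTL is ignored because a record
    present with a different TTL is still present."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        owner, _ttl, rtype, rdata = m.groups()
        records.add((owner.lower(), rtype.upper(), rdata.lower()))
    return records

def missing_records(netlogon_text, zone_text):
    """Records Netlogon would register that the zone does not hold yet,
    grouped by type so a wholesale SRV gap stands out."""
    missing = defaultdict(list)
    for owner, rtype, rdata in sorted(parse_records(netlogon_text) - parse_records(zone_text)):
        missing[rtype].append((owner, rdata))
    return dict(missing)
```

Run `missing_records(NETLOGON_DNS, ZONE_DUMP)` to get the per-type lists; with the sample data every SRV record plus the domain's apex A record comes back as missing, which is the picture the asker describes.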


You are right. DCPROMO didn't take. Here's the log:
dcpromos t:0x284 00002  running Windows NT 5.0 build 2195  
dcpromos t:0x284 00003  logging mask 0038
dcpromos t:0x284 00004  DLL_PROCESS_ATTACH
dcpromos t:0x284 00005  Enter DcPromoSaveDcStateForUpgrade
dcpromos t:0x284 00006    Enter IsDSRunning
dcpromos t:0x284 00007      Enter MyDsRoleGetPrimaryDomainInformation
dcpromos t:0x284 00008        Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromos t:0x284 00009          Calling DsRoleGetPrimaryDomainInformation
dcpromos t:0x284 00010          lpServer  : (null)
dcpromos t:0x284 00011          InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromos t:0x284 00012          Error 0x0 (!0 => error)
dcpromos t:0x284 00013        Exit  MyDsRoleGetPrimaryDomainInformationHelper
dcpromos t:0x284 00014        MachineRole   : 0x5
dcpromos t:0x284 00015        Flags         : 0x0
dcpromos t:0x284 00016        DomainNameFlat: ACADEMY-NT
dcpromos t:0x284 00017        DomainNameDns : (null)
dcpromos t:0x284 00018        DomainForestName: (null)
dcpromos t:0x284 00019      Exit  MyDsRoleGetPrimaryDomainInformation
dcpromos t:0x284 00020      DS is NOT running
dcpromos t:0x284 00021    Exit  IsDSRunning
dcpromos t:0x284 00022    Calling DsRoleServerSaveStateForUpgrade
dcpromos t:0x284 00023    AnswerFile : (null)
dcpromos t:0x284 00024    Error 0x0 (!0 => error)
dcpromos t:0x284 00025  Exit  DcPromoSaveDcStateForUpgrade
dcpromos t:0x164 00026  DLL_PROCESS_DETACH
dcpromos t:0x164 00027  closing log file

NSLOOKUP runs fine and it finds everything.

The DNS is set to do dynamic updates but it cant do them.

netlogon.dns does exist and has SRV records in it.

And yes, I am hosed.

What is the problem exactly? Is it that the DC doesn't know it is the primary? If I delete the entire zone from DNS and reinstall, do I have to rerun DCPROMO? I guess tell me what you would do in this scenario and I will give you your points. You have been quite helpful and there doesn't seem to be an easy solution.

ASKER CERTIFIED SOLUTION
Pber

This solution is only available to members.
Thanks for hanging in there. I should be able to take it from here.
Glad to help.  I spent A LOT of time dealing with DNS issues when we set up AD.  You don't learn unless you break something... and I learned a lot.
(:

Good luck