Promoting 2nd domain controller

MortgageGuy
I recently pulled Windows NT server from our network replacing it with Windows 2000 server mirroring the computer name, IP address, DNS, DHCP range just about everything that I could get my hands on.  It appears to be working fine but, there was an existing Windows 2000 server acting as a member server that had terminal server and hosted our company Intranet.  Now, I'm trying to promote the server to be a domain controller and install exchange 2000.  I can't run dcpromo because I'm getting all kinds of DNS lookup errors and it says I can't connect to my active directory on my new windows 2000 server.  HELP!!!  I have looked all over the Internet searching through google and I just can't seem to get it to work.  Any ideas?

Thanks

Bret
Commented:
A couple things that may get you to the next step.  

On the member server, go through the following steps

Right-click My Network Places, and then click Properties.

Right-click Local Area Connection, and then click Properties.

Click Internet Protocol (TCP/IP), and then click Properties.

Click Advanced, and then click the DNS tab. Configure the DNS information as follows: Configure the DNS server addresses to point to the internal DNS server. This should be the computer's own IP address if it is the first server or if no dedicated DNS server will be configured.

If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the Active Directory DNS domain name should be listed first (at the top of the list).

Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain name.

Verify that the Register this connection's addresses in DNS check box is selected.

At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type ipconfig /registerdns to register the DNS resource records.

IF THE ABOVE DOESN'T WORK, try this

Take the member server out of the domain, then rejoin it to the domain.

Hope this helps
Commented:
Was this existing Win2k server a domain controller?  Where was it looking for DNS?  Where was the NT server looking for DNS?
Commented:
>"I recently pulled Windows NT server from our network replacing it with Windows 2000 server mirroring the computer name, IP address, DNS, DHCP range just about everything that I could get my hands on."

When you create a domain there is a SID associated with the domain; when you join a member server or workstation to the domain it has its own number which is combined with the domain number for identification.  This is your first problem.

Your bigger problem is more than likely DNS.  Run netdiag and dcdiag on your server and post the results.  Also, are you getting any entries in the event log?  If so, what is the source and ID number of the event?  

Most of us on this site are getting slammed with e-mail due to cleanup they are doing with old questions, give a little extra time for a reply.  Thx, MSGeek.
Author

Commented:
Thanks for the suggestions.  

Zefiro, I did everything you said but without restarting as I have people connecting remotely and need to wait until this evening.  I still was getting the same error message.

Robspiere - No, the existing Win2k server was never a domain controller.  I'm assuming both servers used to look for DNS from the two external IP addresses we own, but I could probably be wrong as DNS is not my strong point.

MSGeek - I ran netdiag and got these results, WINS service test failed - unable to query the wins server and the DNS test failed - the dns registration for 'memberserver.name.local' is incorrect on all DNS servers.  Everything else passed with a couple of things giving me warnings.

When I run dcdiag, I get an error message saying memberserver is not a DC.

I looked in the error log and the most recent error said, the master browser has received a server announcement from the computer MAINDC that believes that is the master browser for the domain on transport NetBT_Tcpip.  The master browser is stopping.

What do you guys think?  

Bret
Commented:
Ok, there's your problem.  Win2k domain controllers need an Active Directory-aware DNS server to work properly.  In a single server environment, your Win2k server is also the DNS server, and this works quite nicely.  Windows updates its Active Directory-specific content in the DNS server on the fly.

I think you want to make both of these servers domain controllers.  Pick one of them, give it a static IP, and direct it to look at itself for DNS.  Run dcpromo and let Windows walk you through the steps for creating a new forest and domain.  At one point it will complain that it can't register its AD entries in the DNS server, or that it can't find its DNS server, and it will volunteer to setup its own DNS server.  You agree whole-heartedly!

After it's up and running you can go to the other server, give it a static IP, point it to your first server for DNS, and run dcpromo, joining your new domain.

You'll need to have all of your workstations look to your new server for DNS, otherwise they won't work and play nicely with your new network.  You can use DHCP on your server to assign this.

And finally, you'll need to tell your DNS server to look elsewhere for queries it can't find on its own.  Run DNS, right-click on your server in the list, choose Properties, and then click the Forwarders tab.  Specify your ISP's two DNS servers there.  Now any computer on the network will use your server for everything.  Your server will be able to respond to Active Directory queries, and for all others it will ask your ISP for help.

E presto!
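Added example, not code from the thread: an offline Python model of what dcpromo looks for in DNS, covering the resolver order and the locator SRV records the post above describes, plus the member server's own A record that netdiag complained about. The lookup interface, the zone contents and the ISP resolver addresses 203.0.113.x are assumptions; the host names and 10.0.1.x addresses follow the thread.

```python
from typing import Callable, Dict, List, Tuple

# lookup(dns_server, name, record_type) -> answers ([] = no data). The
# interface is an assumption for this example; a real one could wrap nslookup.
Lookup = Callable[[str, str, str], List[str]]

# Locator records the DC's netlogon service registers; dcpromo needs them.
LOCATOR_SRV = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
               "_ldap._tcp.{d}", "_kerberos._tcp.{d}")

def check_dcpromo_dns(domain: str, dns_servers: List[str], internal_dns: str,
                      member_fqdn: str, lookup: Lookup) -> List[str]:
    """Return the problems found; an empty list means DNS looks ready for dcpromo."""
    preferred = dns_servers[0] if dns_servers else None
    # An ISP resolver listed first is the 'domain cannot be contacted' case:
    # nothing outside the internal zone can answer for _msdcs, so stop here.
    if preferred != internal_dns:
        return [f"preferred DNS is {preferred}, expected internal {internal_dns}"]
    problems = []
    for pattern in LOCATOR_SRV:
        name = pattern.format(d=domain)
        if not lookup(preferred, name, "SRV"):
            problems.append(f"missing SRV record {name}")
    if not lookup(preferred, domain, "A"):
        problems.append(f"no A record for {domain}")
    # netdiag's 'DNS registration ... is incorrect' is the member's own A record.
    if not lookup(preferred, member_fqdn, "A"):
        problems.append(f"{member_fqdn} not registered (ipconfig /registerdns)")
    return problems

# Constructed sample zone: what the DC at 10.0.1.2 holds after dcpromo set up
# its own DNS. Host and IP values follow the thread; records are illustrative.
DOMAIN, DC_DNS = "domain.local", "10.0.1.2"
ZONE: Dict[Tuple[str, str], List[str]] = {
    (DOMAIN, "A"): [DC_DNS], ("maindc." + DOMAIN, "A"): [DC_DNS]}
for _p in LOCATOR_SRV:  # Kerberos SRV points at port 88, LDAP at 389
    ZONE[(_p.format(d=DOMAIN), "SRV")] = [
        f"0 100 {88 if _p.startswith('_kerberos') else 389} maindc.{DOMAIN}"]

def register_host(fqdn: str, ip: str) -> None:
    """Stand-in for the dynamic update 'ipconfig /registerdns' sends to the DC."""
    ZONE[(fqdn.lower(), "A")] = [ip]

def stub_lookup(server: str, name: str, rtype: str) -> List[str]:
    """Only the internal DNS server knows the AD zone; ISP resolvers return nothing."""
    return ZONE.get((name.lower(), rtype.upper()), []) if server == DC_DNS else []

if __name__ == "__main__":
    member = "memberserver." + DOMAIN
    for servers in (["203.0.113.5", "203.0.113.6"], [DC_DNS]):
        print(servers, check_dcpromo_dns(DOMAIN, servers, DC_DNS, member, stub_lookup))
    register_host(member, "10.0.1.100")
    print(check_dcpromo_dns(DOMAIN, [DC_DNS], DC_DNS, member, stub_lookup) or "ok")
```

Swapping `stub_lookup` for a function that actually queries the configured servers turns this into the same pre-check against a live network.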

Author

Commented:
Right now I have both servers with a static IP address - main dc 10.0.1.2 and member server 10.0.1.100 everyone else uses DHCP.  If I understand you correctly I have already picked out my main dc and I just need to direct it to look at itself for DNS, which means put everyone of my users including both servers preferred DNS address to be 10.0.1.2.  Then go into DNS click on the properties of the main dc, click on the forwarders tab check enable forwarders and put in my two dns addresses.  

Sounds good!!!  Any other advice as I'm going to be installing exchange 2000 on the 10.0.1.100 server and sound organizational structure using Active Directory on the 10.0.1.2 server?

Bret
Commented:
As Robspiere stated, having duplicate Domain Controllers is good. . .some people say do not use Exchange on a DC, others say it is OK. . .in your case, I don't see a problem.

The thing that bothers me, but is unrelated to your question, is that you stated that you are using a server as a Terminal Server as well as an Intranet server.  Terminal servers should ONLY be used as terminal servers; nothing else should be running on it except the specific apps you want your users to use.  In my experience, the stability of the Terminal Server, as well as its performance, are drastically reduced.
Commented:
That's absolutely correct.  

For Exchange 2000, I would suggest working out all of your domain controller issues first, make sure both servers are replicating to each other, and make sure that whole relationship is humming along nicely.  

Then, just follow some simple tips for your Exchange installation.  To make a really secure installation you should have separate volumes for your database files and your logs (this will help performance, too), but if you've only got some legacy box without lots of drives, your best bet is to make a RAID 1 or 5 array and hope there isn't too much load on the system.  

Get a good Exchange backup tool, like Veritas Backup Exec, or you'll have to stop the Exchange Information Store when you want to back up.  

I think you're all set as far as your DNS config goes.

Good luck!
Commented:
What zefiro said is true.  Terminal services is not that stable and can bring down a box pretty easily.  

Are you planning on using Terminal Services to host applications or just for remote console (administration, configuration) purposes?  If it's just for you to come in and administer the box, no problem.  If you plan to host an app or two for a bunch of users, you might want to consider getting a dedicated box just for that.

Author

Commented:
Robspiere, my pc is connecting to the network and the Internet as you suggested, but I'm still unable to promote my member server.  Would I need to reboot?

You bring up an interesting point Zefiro.  I am very open to any suggestions for a long term stable network.  It was my understanding that Exchange is required to be installed on a DC, am I wrong?  Would you suggest that I install Exchange and the Intranet server on another PC and leave Terminal Server on its own.  I only have two copies of Windows 2000 Server and one is being used for my primary DC.  I still have two copies for Windows NT Server 4.0.  My mortgage company is growing drastically with the intention of opening small offices in existing real estate company offices in other cities.  They will need to access the network via VPN.  

What do you think?  I greatly appreciate everyone's expertise.  

Bret
Commented:
Well, you can't use NT 4 Servers in a Windows 2000 Exchange environment.  (All right, it has been done.)  It is, however, recommended that Exchange 2000 be installed in a Native Mode Domain.  Servers running in Native Mode will not support NT 4 servers.

The other item of note is Exchange 2000 does not need to run on a Domain Controller, it may run on a member server.

I agree with previous advice on Terminal Services: unless it's running only in admin mode, don't run it on any mission critical servers.  

I would recommend making your 10.0.1.2 server your Global Catalog server.  As indicated above, point it to itself as the primary DNS server.  If you want redundancy you can also run all the services on the second server.  So you would replicate DNS and WINS to Server2; Server2 would also run DHCP with half the scope reserved while your GC server would run DHCP with the other half of your scope reserved.  This way if one server goes down users will still be able to authenticate and access some resources, just not all.

What kind of hardware and how many users are we talking about here?  Another copy of 2000 Server may be in order.  Don't bring a server down with TS just because you're short a license.
Commented:
When you say you're unable to promote your member server, are you getting an error message?  Yes, a healthy reboot is a fine idea.  What are you trying when you go to promote the box?  dcpromo is the command you need.

You can run RRAS (Routing and Remote Access) on either server.  A handful of VPN clients (read, fewer than a dozen) and you won't even feel it.  If these satellite offices have more than one or two users they should have their own servers and domains.  Active Directory to the rescue!

If you want to work some more on why your server doesn't seem to want to be a DC, you should probably ask a new question and close this one.

If you do that, let us know so we can pick up the new thread!

Cheers,
Robspiere

Author

Commented:
I'm still getting the same original error message about the DNS lookup problem when I promote my member server using dcpromo.  I rebooted the server this morning.  The exact error message says The domain domaincontroller.domain.local cannot be contacted.  Ensure that the DNS domain name is typed in correctly.  This condition may be caused by a DNS lookup problem.  If this domain was recently created, its name may not yet be registered with the Domain Naming Service.

I don't want to start a new thread, but I'll increase the points a little bit.  Don't worry I'm not going to forget anyone of you when I go to award the points.  

MSGeek - I have 50 users in three primary locations and then three or four additional locations consisting of about 10 users who either connect via terminal server or through a small four port vpn sonic wall box.  

Commented:
To clarify, you have 50 users spread across three primary locations?  How far apart are these locations?  What type of link do they have between them?  The three or four additional locations, I need the same information as to type of link.

The info on the Sonic Wall was helpful; what about the servers themselves?  So far from what you describe I would highly recommend a separate server for TS.

Author

Commented:
It is my understanding that our main office has a T1 line and we connect via frame relay to the other two locations.  They don't connect to a server at these locations, but a Windows XP Home Edition computer.  Everyone else connects through the Internet via Terminal Server and we're expecting to grow.  I don't want to have to keep buying a bunch of Terminal Server CALs.  Our servers are nothing great, a P4 with 512MB of memory for the main DC and a P3 with 256MB of memory for the terminal server.  I plan on upgrading the memory in them both a.s.a.p.  From our discussions and by talking with the man with the check book, I think we are going to need another Windows 2000 Server for Exchange Server and probably another 25 CALs to put us at 75 seats.  

Commented:
I would agree, also that XP Home should go!  That is a trainwreck waiting to happen.  At the very least you may want to place a router and a switch at each of the two ends rather than a workstation running XP Home.  I would opt for 1GB in the P4 DC, at least 1GB in the TS and that much or more in the Exchange Server (Store.exe is a real hog.)  

Author

Commented:
I appreciate the info.  I'm in the process of ordering more memory.  There are routers at both ends.  One connects to our server here at corporate and the other is connected to the XP Home machine at the other office.  This particular machine is considered our "print and DHCP server" at this office.  The computer is always on and has all of their printers shared locally.  I know this is not very efficient.  How can I bypass this mess?  Do I need a server at this location?  We can't really afford another copy of Windows 2000 server with the intention of buying a third copy for Exchange.   Our infrastructure will consist of numerous branches with only a few users at each office.  Ultimately how can they refer back to our main branch here for all of their resources i.e. printers at their location?  Also, why wouldn't this person be able to see our Intranet anymore.  They can ping the address of the Intranet, but they can't ping the name of the Intranet.

HELP!!!

Commented:
>"to the XP Home machine at the other office.  This particular machine is considered our "print and DHCP server" at this office.  The computer is always on and has all of their printers shared locally.  I know this is not very efficient.  How can I bypass this mess?"

Throw some of these down there:
http://www.linksys.com/products/group.asp?grid=34&scid=32
http://h10010.www1.hp.com/wwpc/us/en/sm/WF02a/18972-236253-64302.html

I favor the JetDirects.  You can print to each printer by IP address.

>"Our infrastructure will consist of numerous branches with only a few users at each office.  Ultimately how can they refer back to our main branch here for all of their resources i.e. printers at their location?"

Hehe.. (sorry, this is too fun.)  You can use HP's JetAdmin to remotely configure the JetDirects.  All you need to do is get someone to plug them into power, the printer and the switch at that end.  You can manage the router and the JetDirects remotely.

>"Ultimately how can they refer back to our main branch here for all of their resources i.e. printers at their location?  Also, why wouldn't this person be able to see our Intranet anymore.  They can ping the address of the Intranet, but they can't ping the name of the Intranet."

How is your connection set up, is it a VPN tunnel?  I guess the key is how do you have DNS configured at the workstations at the other end?  The Default Gateway on each PC should be the router and the first DNS server listed should be the DNS server at your main office.  

Need any clarification?  MSGeek.

Author

Commented:
Do the printers have to be HP in order to use HP's JetAdmin?  

DNS is configured on these workstations at the other office by having our two external DNS addresses.  I have since learned they need to be the IP address of our main DC.  A lot of users have laptops, so they connect here and at home.  How can DNS be set up to dynamically use our IP address of the main DC and then use whatever means necessary at home dynamically?

Commented:
>"Do the printers have to be HP in order to use HP's JetAdmin? "

Not at all.

>"How can DNS be set up to dynamically use our IP address of the main DC and then use whatever means necessary at home dynamically"

Set your DNS as primary in DHCP and outside DNS servers as secondaries.