Active Directory - The specified domain does not exist or could not be contacted

Posted on 2004-09-04
Last Modified: 2008-01-09
I have a Win 2000 server that is old and needs replacement. I have a new machine, fresh install.
It has DNS, and uses itself as DNS in network configuration. I have run DCPROMO and marked it as global catalog, confirmed by event 1119. The old server is still flagged as Global Catalog.

The problem - if I shut the other server down I can no longer access Active Directory information. I cannot add permissions to shares and I cannot view the Active Directory tree for the domain.

But if I open Active Directory Users And Computers, click Action and Connect to Domain Controller and select the new machine, I have the whole Active Directory tree there, even with the old server down.

I am now terrified of a hardware failure. So far everything is working (both machines up) but I need to be able to turn the old server off. It will fail soon.

Thanks for the help, Roberto.
Question by:rmaranhao
LVL 23

Expert Comment

by:Saqib Khan
ID: 11981590
Maybe you should run Dcpromo on the OLD machine and demote it.
LVL 23

Expert Comment

by:Saqib Khan
ID: 11981591
And one more thing.
When you ran Dcpromo on the new machine, which option did you choose?

Make sure you chose Additional Domain in the Existing Domain.
LVL 16

Accepted Solution

JamesDS earned 500 total points
ID: 11981856
You need to transfer the FSMOs off the old DC and decommission it gracefully.

Read this:
Use the section "Using the Ntdsutil Tool for Role Placement"

DON'T seize the roles, transfer them.

Once you have transferred the roles, run DCPROMO on the old machine and go fully through the wizard to remove AD from it, then remove it from the domain.




Author Comment

ID: 11982274
I chose additional domain controller. What chills my spine when I think about seizing the role is this: If I demote the old machine and my problem is DNS related, then my network goes .....

How can I be sure I have the correct settings in the new machine? Why doesn't the new machine allow me to see the Active Directory tree? I haven't made any changes to the Active Directory and so far I am not worried about errors when a user tries to change his/her password.

What concerns me is that I have a new machine, running AD and DNS, and when the old machine is down ALL the Active Directory functions, including domain logon, fail.

James, I read the link you sent and understood most of it. Please correct me if I'm wrong, but shouldn't the new machine at least authenticate user logons?

Thanks for all the help.
LVL 16

Expert Comment

ID: 11983791
If the new DC is running DNS and it is configured for dynamic update, then once GC and all the FSMO roles are TRANSFERRED (NOT SEIZED) there is no reason why the old one cannot be taken down.

The reason your logons are failing is likely due to the database not fully replicating - which is probably DNS related.

Make sure that the DNS service for the new DC contains the full AD zone tree and all the _MSDCS entries for your domain.
Also make sure that the contents of the SYSVOL folders on each machine are the same - SYSVOL contains your GPOs and is usually the last thing to be replicated.

Use the REPLMON tool from the support tools pack of the CD (\support) to connect to each DC and see if it is replicating ok. You can right-click on each DC and select "replicate this DC", and also kick off the topology generator.

So long as the AD is replicated to the second DC then even if it all fails it is still recoverable without the need to restore (I have done a few of those!)
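
The three checks in this answer (the _MSDCS locator records on the new DC's DNS, replication state, and SYSVOL contents) can be scripted. The following is an added example, not part of the original thread; it uses the RSAT ActiveDirectory module and Resolve-DnsName, which need Windows Server 2008 R2 / Windows 8 or later, so on a Windows 2000 or 2003 box the same checks are done with nslookup, repadmin /showrepl and replmon from the support tools. The host names NEWDC01 and OLDDC01 are assumptions.

```powershell
# Added example: pre-decommission health checks for an additional DC.
# Run from an admin session on the new DC with the ActiveDirectory module installed.
param(
    [string]$NewDc = 'NEWDC01',   # assumed name of the new domain controller
    [string]$OldDc = 'OLDDC01'    # assumed name of the DC about to be retired
)
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 0. Is the new DC actually advertising as a global catalog?
$dc = Get-ADDomainController -Identity $NewDc
"{0}: IsGlobalCatalog={1} Site={2}" -f $dc.HostName, $dc.IsGlobalCatalog, $dc.Site

# 1. Do the DC/KDC/GC locator SRV records served by the NEW DC's DNS point at the new DC?
#    If they only name the old DC, clients cannot find the new one once the old is off.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",      # DC locator
    "_kerberos._tcp.dc._msdcs.$domain",  # KDC locator
    "_gc._tcp.$domain"                   # global catalog locator
)
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -Server $NewDc -ErrorAction SilentlyContinue
    $targets = @($records | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    $hasNew  = @($targets | Where-Object { $_ -like "$NewDc.*" }).Count -gt 0
    "{0,-45} {1}" -f $name, $(if ($hasNew) { "OK: $($targets -join ', ')" } else { 'MISSING new DC' })
}

# 2. Replication state of the new DC with every partner, per naming context.
#    Any ConsecutiveReplicationFailures > 0 or an old LastReplicationSuccess means the
#    new DC may not hold a complete copy of the directory yet.
Get-ADReplicationPartnerMetadata -Target $NewDc -PartnerType Both |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
# To force a sync of all partitions before re-checking: repadmin /syncall $NewDc /AdeP

# 3. SYSVOL is replicated by FRS/DFSR, separately from the AD database, so compare the
#    file lists (path + size) on both DCs; a non-empty diff means GPOs are not yet in sync.
function Get-SysvolListing([string]$Dc) {
    $root = "\\$Dc\SYSVOL\$domain"
    Get-ChildItem -Path $root -Recurse -File |
        ForEach-Object { $_.FullName.Substring($root.Length) + ':' + $_.Length }
}
$diff = Compare-Object (Get-SysvolListing $OldDc) (Get-SysvolListing $NewDc)
if ($diff) { "SYSVOL differs:"; $diff | Format-Table -AutoSize } else { "SYSVOL in sync" }
```

Run it with both DCs still up; every locator record should list the new DC, the replication table should show no failures, and the SYSVOL comparison should be empty before the old machine is shut down for a test.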


LVL 84

Expert Comment

ID: 11985001
At the moment, your problem is here: "It has DNS, and uses itself as dns in network configuration." Since this is an additional DC, its first DNS entry should point to your first DNS server, and only the secondary DNS entry should point to itself. Your first DC should only point to itself.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

As for shutting down the old server, there's basically no need to transfer the roles from the W2k machine manually; but under *no* circumstances simply shut it down and throw it away or install something else on it, like it was possible in NT4. Demote the W2k DC first, and the FSMO roles should be transferred during this process. Once you run dcpromo to demote the old server, it will move the FSMO roles that are still on the DC you're demoting.
Removing Active Directory from a Domain Controller
NOTE: When a domain controller is demoted, if it is not the last domain controller in the domain, it performs a final replication and then transfers the roles to another domain controller.

Then depending on your DNS setup (if you have a primary zone on your first DNS and a secondary on your second), you might have to change the SOA in your DNS from your old DNS to the new one.

HOW TO: Promote and Demote Domain Controllers in Windows 2000

Here's some more about transferring roles:

Flexible Single Master Operation Transfer and Seizure Process

HOW TO: View and Transfer FSMO Roles in the Graphical User Interface

FSMO Placement and Optimization on Windows 2000 Domain Controllers
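
The DNS client ordering and the role transfer described in this answer, as an added example that is not from the original thread. It uses the RSAT ActiveDirectory module and the DnsClient cmdlets (Windows Server 2012 or later; on Windows 2000/2003 the equivalents are the adapter's TCP/IP properties and ntdsutil "roles"). Host names, addresses and the adapter alias are assumptions.

```powershell
# Added example: fix DNS client order on the additional DC, then TRANSFER (never seize)
# all five FSMO roles to it and verify. Needs Domain Admin plus Schema/Enterprise Admin
# for the forest-wide roles. Run on the new DC.
param(
    [string]$NewDc   = 'NEWDC01',     # assumed
    [string]$OldDc   = 'OLDDC01',     # assumed
    [string]$NewDcIp = '192.0.2.10',  # assumed (documentation range)
    [string]$OldDcIp = '192.0.2.5',   # assumed
    [string]$Adapter = 'Ethernet'     # assumed interface alias
)
Import-Module ActiveDirectory

# 1. DNS client on the ADDITIONAL DC: primary = the existing DC, secondary = itself,
#    as recommended above. (Once the old DC is demoted, point it at itself only.)
$current = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
"DNS servers on $env:COMPUTERNAME before: $($current -join ', ')"
if ($current[0] -ne $OldDcIp) {
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses @($OldDcIp, $NewDcIp)
    # Re-register the new DC's own SRV/A records with the corrected resolver order.
    Register-DnsClient
}

# 2. Where do the five roles live right now?
function Get-FsmoHolders {
    $d = Get-ADDomain; $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
"Before:"; Get-FsmoHolders | Format-List

# 3. Transfer. The current holder ($OldDc) must be online for a transfer; the cmdlet
#    contacts it and hands the role over cleanly. Do NOT add -Force: -Force is a seizure,
#    meant only for a holder that is permanently gone, and leaves a DC that must never
#    be powered on again in that role.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

"After:"; Get-FsmoHolders | Format-List
# Cross-check from any member: netdom query fsmo
```

After the "After:" listing shows the new DC for all five roles, the old machine is demoted with dcpromo (on a current OS, Uninstall-ADDSDomainController), and only then does the new DC's DNS client get changed to point at itself first.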
