DNS Settings - Repairing a misconfiguration from the initial build

Hi all,

This is going to take a bit of time so please bear with me.

Last Christmas our main school server died, it was NT4 and managed to wipe out everything. It was time to upgrade everything....clients to XP and get hold of a brand spanking new 2K3 server, one of those situations that, although it caused me considerable grey hair expansion, was worthwhile. Now I had no clue about AD, profiles, dynamic disks or any of that stuff (had a nice "challenge" with the fact that 2K3 doesn't read an NT4 striped disk set) so I enlisted the help of the company that sold us the server expecting the "expert" help of a dynamic 2K3 MCSE, at a hefty cost no less. What I actually got was a vague, social misfit who wasn't qualified to remove the server from the box. Needless to say that I was very disappointed.
So we are setting up the server, he enquires as to what our previous domain was called, and I told him it was called "fortress" (at the time we were using a package called Fortres101 to lock down our 98 clients so that the kids couldn't wreck everything).
Away he goes at setting up the AD directory and stuff under the moniker of FORTRESS.COM. I immediately enquired as to the reasoning because that seemed to me to be making some sort of tie to the internet, to which I got the reply "It needs this to work."
Oh, right......back then I could only rely on my expert's help. I have been studying for my MCSE 2003 for eight months now and I am alarmed to learn about how many mistakes he actually made...anyway.
So he does a bit more twiddling, watches his clock, can't get this to work, can't get that to work and then his watch tells him that my money has run out and he leaves with a passing "all the best". Good riddance. (After a few strong letters of complaint and some threats, I managed to get a refund on his cost in the equation, which is a minor victory.)

I get on the phone to a friend who is a 2K MCSE and he proceeds to help me sort out the mess at a reduced price, all the time I am learning the fundamentals before my course starts. We build a second 2K3 server, rename the original server (scary moments), copy AD across, rebuild the original new server with the new name like "our.school", copy the AD structure back, successful. However we were never completely convinced that we got rid of all the FORTRESS.COM references.

Running through DNS, I find that there are still references to FORTRESS.COM in the Netlogon.dns file, also when I put the filter on within DNS management I have three files that contain references to FORTRESS.com, two NS records and the SOA.
I have also got hold of bits of information from various DNS tests that state that no DNS servers have the DNS records for this DC registered. DNS servers for whoever runs FORTRESS.COM still think that they are something to do with our network, because in the system events I get the same entry everyday that "The following DNS server that is authoritative for the DNS domain locator records for this domain controller does not support dynamic DNS updates"
The rest of the message references an IP address that when I referenced through nslookup came up as an address that is in the DNS scope of none other than.... FORTRESS.COM.
It also ties in with a previous post that hasn't had an answer yet, that the access between the two DCs takes ages, the second server doesn't know where to look and only the main server can access a share on the second, it just takes ages to appear. This would be the case though wouldn't it if DNS isn't working correctly. You cannot access AD from the second DC at all.

I want to remove all references to FORTRESS.COM, I want my new main 2K3 to be authoritative for our domain. We have a new ISP with our ADSL setup and they have given me two IPs of their DNS servers so presumably these will have to be thrown into the mix for any requests that my DC has to forward.

Apologies for the length of the plea, it reflects the tiresome length that this process has taken. Is it a case of uninstalling DNS and starting again and if so will this knacker AD? If this is the case I think I may need some "just for men" hair colour.


Chris Dent (PowerShell Developer) commented:

Sounds like quite a fun little experience...

Is there a Forward Lookup Zone called Fortress.com in your local DNS?

The errors you're getting imply that your Domain, possibly the DCs themselves are trying to add records to that zone, registering things like the LDAP Service providers etc might be what it's attempting.

Are there entries for msdcs, ldap, etc in your new domain name, our.school?

The rename process used puzzles me, the only supported method for renaming Windows Domains involves this tool:


Or was the Active Directory Migration Tool used?
SeventhZen (Author) commented:
It was domain rename. I wasn't too sure about the process completely, but my friend renamed the domain to something more appropriate so that we could pull the information back over in correct form after we had built the server again using this new domain name. We had to rebuild the server because they had partitioned all the drives wrong, it was a complete mess from start to finish really. We used the white papers from that link that you posted together with the tools. Apologies if I am not explaining it completely correctly. The domain was renamed, stuff was moved from server 1 to server 2, server 2 was a backup effectively because of time restraints, rebuilt server 1, pulled all the necessary data back from server 2.

Here is an edited version of the original netlogon.dns as it existed yesterday. I copied it then tried to remove the entries but that didn't help. The only thing that exists within our forward lookup zone tag is our.school with the two NS records, SOA and then the host files for all the machines. When you put on the filter for records containing FORTRESS.COM, only the 2 NS records and the SOA exist.

FORTRESS.com. 600 IN A
_ldap._tcp.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.d417a9d1-c675-4647-ae10-1a6edb4b2d5a.domains._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 389 ERVER.OUR.SCHOOL.
_ldap._tcp.d417a9d1-c675-4647-ae10-1a6edb4b2d5a.domains._msdcs.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
a4d8fd7d-ff33-4c07-84d3-abbde038307a._msdcs.OUR.SCHOOL. 600 IN CNAME SERVER.OUR.SCHOOL.
a4d8fd7d-ff33-4c07-84d3-abbde038307a._msdcs.FORTRESS.com. 600 IN CNAME SERVER.OUR.SCHOOL.
_kerberos._tcp.dc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._tcp.dc._msdcs.FORTRESS.com. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.FORTRESS.com. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_ldap._tcp.dc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.dc._msdcs.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_kerberos._tcp.OUR.SCHOOL. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._tcp.FORTRESS.com. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._tcp.Default-First-Site-Name._sites.OUR.SCHOOL. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._tcp.Default-First-Site-Name._sites.FORTRESS.com. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._udp.OUR.SCHOOL. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kerberos._udp.FORTRESS.com. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_kpasswd._tcp.OUR.SCHOOL. 600 IN SRV 0 100 464 SERVER.OUR.SCHOOL.
_kpasswd._tcp.FORTRESS.com. 600 IN SRV 0 100 464 SERVER.OUR.SCHOOL.
_kpasswd._udp.OUR.SCHOOL. 600 IN SRV 0 100 464 SERVER.OUR.SCHOOL.
_kpasswd._udp.FORTRESS.com. 600 IN SRV 0 100 464 SERVER.OUR.SCHOOL.
DomainDnsZones.OUR.SCHOOL. 600 IN A
_ldap._tcp.DomainDnsZones.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
ForestDnsZones.OUR.SCHOOL. 600 IN A
_ldap._tcp.ForestDnsZones.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.pdc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.pdc._msdcs.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.gc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
_ldap._tcp.gc._msdcs.FORTRESS.com. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.FORTRESS.com. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
gc._msdcs.OUR.SCHOOL. 600 IN A
gc._msdcs.FORTRESS.com. 600 IN A
_gc._tcp.OUR.SCHOOL. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
_gc._tcp.FORTRESS.com. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
_gc._tcp.Default-First-Site-Name._sites.OUR.SCHOOL. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
_gc._tcp.Default-First-Site-Name._sites.FORTRESS.com. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
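An added example, not code from the thread: a small Python audit of a Netlogon.dns listing, the file whose records the DC tries to register by dynamic update. It assumes the line layout seen in the listing above (`<owner> <ttl> IN <type> [<rdata>]`) and uses a constructed excerpt of those lines, with the A-record addresses left blank as posted. It flags three things a person reading the file by eye can miss: records whose owner name is under the dead FORTRESS.com domain, records under a domain that is neither the current nor the old one, and SRV/CNAME records whose target is not one of the known DC hostnames (the `ERVER.OUR.SCHOOL.` target in the listing above is the kind of thing that check catches).

```python
"""Audit a Netlogon.dns listing for records that still reference an old domain."""
import re

# Constructed excerpt in Netlogon.dns layout, taken from the listing in this thread.
SAMPLE_NETLOGON_DNS = """\
FORTRESS.com. 600 IN A
_ldap._tcp.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
_ldap._tcp.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
a4d8fd7d-ff33-4c07-84d3-abbde038307a._msdcs.FORTRESS.com. 600 IN CNAME SERVER.OUR.SCHOOL.
_kerberos._tcp.dc._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 88 SERVER.OUR.SCHOOL.
_ldap._tcp.d417a9d1-c675-4647-ae10-1a6edb4b2d5a.domains._msdcs.OUR.SCHOOL. 600 IN SRV 0 100 389 ERVER.OUR.SCHOOL.
gc._msdcs.FORTRESS.com. 600 IN A
_gc._tcp.OUR.SCHOOL. 600 IN SRV 0 100 3268 SERVER.OUR.SCHOOL.
"""

# owner, TTL, class IN, type, then optional rdata (blank for the edited A records)
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)(?:\s+(?P<rdata>.*))?$"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def parse_netlogon_dns(text):
    """Return one dict per record: line, owner, ttl, type, rdata (list of fields)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised record {line!r}")
        records.append({
            "line": lineno,
            "owner": normalize(m["owner"]),
            "ttl": int(m["ttl"]),
            "type": m["type"],
            "rdata": (m["rdata"] or "").split(),
        })
    return records


def in_domain(name, domain):
    """True if name is the domain itself or lies anywhere beneath it."""
    name, domain = normalize(name), normalize(domain)
    return name == domain or name.endswith("." + domain)


def target_of(record):
    """Host a record points at: SRV target (4th rdata field), CNAME target, else None."""
    if record["type"] == "SRV" and len(record["rdata"]) == 4:
        return normalize(record["rdata"][3])
    if record["type"] == "CNAME" and len(record["rdata"]) == 1:
        return normalize(record["rdata"][0])
    return None


def audit(records, current_domain, stale_domains, known_dcs):
    """Sort records into the three findings worth acting on.

    stale_owner   - owner name is under a domain that no longer exists
    foreign_owner - owner name is under neither the current nor a stale domain
    bad_target    - SRV/CNAME points at a host that is not one of our DCs
    """
    known = {normalize(h) for h in known_dcs}
    findings = {"stale_owner": [], "foreign_owner": [], "bad_target": []}
    for r in records:
        if any(in_domain(r["owner"], d) for d in stale_domains):
            findings["stale_owner"].append(r)
        elif not in_domain(r["owner"], current_domain):
            findings["foreign_owner"].append(r)
        target = target_of(r)
        if target is not None and target not in known:
            findings["bad_target"].append(r)
    return findings


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    result = audit(recs, "our.school", ["fortress.com"],
                   {"server.our.school", "server2.our.school"})
    for kind, hits in result.items():
        for r in hits:
            print(f"{kind:14} line {r['line']:>3}: {r['owner']} {r['type']} {' '.join(r['rdata'])}")
```

Point it at the real `%SystemRoot%\system32\config\netlogon.dns` (read the file into `parse_netlogon_dns`) with your own domain name and DC hostnames; every `stale_owner` hit is a record the DC will keep trying to register with whoever is authoritative for the old name on the internet, which is what the daily "does not support dynamic DNS updates" event is about.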
Chris Dent (PowerShell Developer) commented:

It looks like it's still attempting to register the Service Entries for Fortress.com

> FORTRESS.com. 600 IN A
> _ldap._tcp.OUR.SCHOOL. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
> _ldap._tcp.FORTRESS.com. 600 IN SRV 0 100 389 SERVER.OUR.SCHOOL.
> _ldap._tcp.Default-First-Site-Name._sites.OUR.SCHOOL. 600 IN SRV 0 100 389

Are those entries visible anywhere in the GUI for DNS?

I assume there are no references to the domain in AD Sites and Services?

It could be something still in the Schema which really isn't going to be a lot of fun to remove, so you'll have to give me a little while so I can dig out exactly where you need to be checking.

Chris Dent (PowerShell Developer) commented:

Do you have ADSI Edit on there? It's part of the Resource Kit.

If you can get that, open it up, connect to your domain controller and see if you have something like:


Directly under the Domain Controller you attached to?

Don't do anything with it if it's there, just look for now.
SeventhZen (Author) commented:
OK. Checked through DNS GUI with the details option checked. When I got down to ForestDNSZones/Sites/_tcp I found that there are two ldap service location records for second.fortress.com. second was the name of the second server we built when we were renaming/rebuilding the main. So that came back through and has gone undetected !! I can delete these records right? Then there will be no need for anything in my DNS to be polling to fortress.com? As this is in the Forest could this be the problem?

Chris Dent (PowerShell Developer) commented:

You should be able to delete them yes.

However, you may find it creates them again, and you may find it starts complaining at you if they're gone. So keep an eye on the Event Viewer (mainly DNS and Directory Service).

Chances are if it needs them there and wants to complain it will use dynamic update and re-add them.

Check ADSI Edit as well though, that'll show you what's stored in Active Directory. If the domain is still there then the problem runs deeper than a few DNS entries.

SeventhZen (Author) commented:
I have just run the ADSI edit tool and there seems to be no references to DC=FORTRESS,DC=COM in there. I have also deleted the two records. I suppose I just have to wait and see now then, apologies if the problem was as simple as two records. Please excuse my inexperience but I feel that if I can explain why this was happening I could understand it more and possibly pass my 70-291 exam.

How come my DNS server isn't authoritative for the domain, is that because there was a reference to second.fortress.com within the Forest DNS Zone that the main fortress servers were thinking that they were the uppermost level in the hierarchy?
Therefore becoming authoritative for the domain at forest level? By that account would deleting the two resource records restore the balance so that my server is now authoritative for the domain because it isn't polling any external DNS servers for record updates?

Chris Dent (PowerShell Developer) commented:

Good, hopefully it won't try to reregister those services. Keep an eye on it though, if it does then the old domain isn't quite gone yet.

Your DNS won't be authoritative for fortress.com presumably because you don't have a Zone File for the domain. Without that there isn't a Start of Authority record and no place for it to register addresses. You did mention an NS Record for the domain (Fortress.com) though? That should also be deleted since the domain no longer exists.

I assume you have a SOA record (and NS Records) for our.school?

As far as Forest Level is concerned that's part of Windows Domains not really DNS, DNS can be authoritative for a hierarchy of domains though - for example the Root Name Servers are each responsible for one of the Top Level Domains like .com or .org etc.
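An added example, not from the thread, to make the "no zone, no authority" point above concrete: a dynamic update for a record goes to whichever server is authoritative for that record's name, and a server is authoritative for a name only if it hosts the closest enclosing zone. The short Python below mimics that label-by-label walk over a constructed list of locally hosted zones (Windows Server 2003 normally hosts the forest's _msdcs zone separately from the domain zone, which is why two zones are listed); names under FORTRESS.com fall through to nothing, which is exactly the case where the DC goes looking for an external authority.

```python
"""Which locally hosted zone, if any, is authoritative for a given name?"""

# Constructed: zones this DNS server hosts (each with its own SOA and NS records).
HOSTED_ZONES = ["our.school", "_msdcs.our.school"]


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.lower().rstrip(".")


def authoritative_zone(zones, qname):
    """Return the closest enclosing hosted zone for qname, or None.

    The full name is tried first, then one leading label is stripped at a time,
    so a child zone (_msdcs.our.school) wins over its parent (our.school).
    """
    hosted = {normalize(z) for z in zones}
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosted:
            return candidate
    return None


def classify_registrations(zones, record_names):
    """Map each DC locator record name to the local zone it would land in,
    or None when no local zone covers it (the update is sent elsewhere)."""
    return {normalize(n): authoritative_zone(zones, n) for n in record_names}


def external_registrations(zones, record_names):
    """Names the DC would try to register with some other server entirely."""
    return sorted(n for n, z in classify_registrations(zones, record_names).items()
                  if z is None)


if __name__ == "__main__":
    names = ["_ldap._tcp.OUR.SCHOOL.", "gc._msdcs.OUR.SCHOOL.",
             "_ldap._tcp.FORTRESS.com.", "_ldap._tcp.dc._msdcs.FORTRESS.com."]
    for n, z in classify_registrations(HOSTED_ZONES, names).items():
        print(f"{n:40} -> {z or 'no local zone (update goes to external authority)'}")
```

Run with your own zone list and the owner names from netlogon.dns; anything `external_registrations` returns is a record your server cannot be authoritative for no matter what you delete locally, until the DC stops trying to register it.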
SeventhZen (Author) commented:
When I put the filter on in the DNS manager, so that it displays names containing fortress.com, in my Forward Lookup zone for our.school. after a refresh, it only displays three records, 2 NS records, server.our.school & server2.our.school and an SOA - server.our.school., our.school.

I thought that these files actually contained the words fortress.com but I had no idea how I could read them, if you can actually read them or how to replace them with clean files.

Now that I have deleted the second.fortress.com files, when I browse through the forward and reverse lookup zones with the filter on, it still shows the three records above, I guess I was expecting it to not show any records at all if fortress.com references had really gone.
Chris Dent (PowerShell Developer) commented:

I don't have a DNS Manager here to check out filtering. It doesn't surprise me too much that it shows the SOA and NS Records.

The best way to check it now would be to use NSLookup and see if your DNS responds to fortress.com and second.fortress.com.
After you've messed with the DNS, issue "ipconfig /flushdns" before performing further tests.  Even on the server console DNS queries are cached.  You may be getting a hit from the cache and not the DNS service.
SeventhZen (Author) commented:
I used NSlookup to try and check that DNS responds, and it returns the IP addresses as before so I think that all of the old references may have gone but I will keep checking. Flushed the cache to get a clean slate and nslookup returned the IP addresses as before, the best thing is that as of today no further records have been created on my server so that one may have been solved.....

However now the DHCP server has decided to change the scope name from server.our.school to server.mshome.net, could this be something else as a reaction from yesterday's procedures, also when I restart from the DHCP manager, all tasks restart, it fails to start for a few seconds, then comes through. I tried deleting the scope and then restarting from services and that worked fine, I then added the scope back in with the correct name server.our.school. Adding a second DNS server into the DNS manager that is running on my second DC caused the main server to crash. I did this so that I could try and work out the DNS problem across the two servers, but it killed the main server with NOT responding.
Upon a restart, when checking through the DHCP manager it had reverted back to server.mshome.net. Up until yesterday, the DHCP server had always had server.our.school as the scope name. Does this mean it is trying to make links to Mr Gates??

I am totally confused..??
SeventhZen (Author) commented:
I have also found within IPCONFIG that there is no connection specific DNS suffix on either internal or external NICs, but checking from a client in the lab they have it registered as our.school.
maybe useful??
Have you set option 15 on the DHCP server and scopes?  Only define the specific NIC's `DNS suffix` option if a static IP is defined.  For instance, on both the servers I manage the NICs are configured as such.

Have you tried the low-tech idea of writing down the entire DHCP server configuration, uninstalling the problem DHCP server, re-installing and setting it up from the written down configuration information?

I believe that NSLOOKUP bypasses the DNS client service's cache as it accesses the DNS service directly.

What are your event logs telling you?  Also review all the other logs which the operating system keeps as text files.  For instance, the DHCP service keeps logs of its actions within `C:\WINDOWS\system32\dhcp`.  That may be of help.   On the DNS service, have you used the extra logging options to catch more details to see exactly what the DNS servers are doing?  Are the DHCP and DNS service bindings correctly set up?

On the DHCP servers have you correctly set-up the option `DNS dynamic updates registration credentials`?

When you're troubleshooting a problem, adopt the policy of:  Assume nothing, check everything, don't skip troubleshooting steps and start from the absolute basics.
It's way too easy to try to hammer the advanced stuff into shape when really it's something quite simple that's messing up the advanced stuff.