one computer in domain can't contact DNS....

Posted on 2005-04-08
Medium Priority
Last Modified: 2012-06-27
I just removed an OLD DC, that was formerly the only one, out of the domain yesterday. All of a sudden e-mail is no longer accessible from outside the domain. Everything works well inside, but outside there's nothing.
It is very slow to connect to the e-mail server and there is an eventID on this box that is:

2013 - smtpsvc
SMTP could not connect to any DNS server. Either none are configured, or all are down.

The internet is not accessible on this box, which is probably why you can't contact it from outside. However, if you switch the IP address it will start going out to the internet.
It will start failing again as soon as the static mapping is updated with the new address on the firewall.

All the entries are gone from this server concerning the old DC, I have gone through MS's article on removing a DC after an unsuccessful demotion (even though it went successfully), and all the DNS settings are pointing to the new DC.

The other point of interest is an error on the remaining DC that is:

6702 - DNS
DNS server has updated its own host (A) records.  In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should be ignored.
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact.  (In other words, if there are multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note that it is not necessary to update EVERY replication partner.  It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

Does anyone have an idea what would be causing only one box to not be able to talk to the outside world?
Question by: wlandymore
LVL 10

Expert Comment

ID: 13737174
Are you using the same static IP address that was used on the old DC?  This is very important.

You will need to run some of the following tests and give me more details:

Go to Start > Run > type cmd and enter....

then type the following:

C:\> nslookup
>set type=mx
>www.xxxxx.com - this is your domain name that resolves your email e.g. user@xxxxx.com.......

tell me the outcome.
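
An added example, not code from the thread: a standard-library Python check that sends the same MX query the nslookup "set type=mx" step above sends, but to one chosen DNS server over UDP/53, and parses the reply, so the affected box's outbound DNS can be re-tested from a script or scheduled task rather than by hand. The function names are my own; the domain and DNS server address you pass to query_mx are placeholders for your own.

```python
import socket
import struct

def build_mx_query(name, txid=0x1234):
    """DNS query packet asking for the MX records of `name` (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN

def _read_name(pkt, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end   # resume after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_mx_answers(pkt):
    """Return [(preference, exchange), ...]; [] when the RCODE is non-zero."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:                     # SERVFAIL, NXDOMAIN, REFUSED, ...
        return []
    off, mx = 12, []
    for _ in range(qd):                    # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4                           # QTYPE + QCLASS
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 15:                    # MX: 16-bit preference, then exchange name
            mx.append((struct.unpack("!H", pkt[off:off + 2])[0], _read_name(pkt, off + 2)[0]))
        off += rdlen
    return mx

def query_mx(name, server, timeout=3.0):
    """Ask `server` (IP string) over UDP/53; socket.timeout means no DNS reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_mx_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_mx_answers(data)
```

Run query_mx("yourdomain.com", "<ip of the DC/DNS server>") once against the internal DNS server and once against an external resolver: a timeout on the second call is the outbound UDP/53 block the SMTP event 2013 describes, while an empty list with a reply means the zone answered but has no MX record.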

Author Comment

ID: 13737316
the outcome was:

     primary name server =  controller.domain.com
     responsible mail addr=  admin
     serial                       =  3474
     refresh                    =  900
     retry                       =  600
     expire                     =  86400
     default TTL             =  3600
The controller there is the only DC left in the domain now that the other one was demoted.

Author Comment

ID: 13737999
Even though the record was in the DNS for the e-mail server, I entered "ipconfig /registerdns" at the command prompt and now the e-mail server seems to have access to the outside world.
However, it's still 'spotty' and I have a feeling this is because of the firewall.

LVL 10

Expert Comment

ID: 13741868
This server will need to have SMTP (25) and DNS (53) ports open outbound.  This is why I said it needs the old DC server address which is probably already routing "ip any any" outbound on your firewall.
LVL 23

Accepted Solution

sciwriter earned 1500 total points
ID: 13742325
Why not just plug it back in, get all the domain setup off, including IP and user accounts, and then either --
1. manually change the IP in the user accounts to the new server, or easier
2. Use the 2003 AD migration wizard?  This wizard was designed to do exactly this.

You can save yourself DAYS of hassle, migrating those accounts and settings with the migration wizard.
You run it on 2003, but you have to have the old DC plugged in, for it to find the accounts...

Author Comment

ID: 13789901
Although I found a solution to this problem myself, I'm awarding the points to you, sciwriter. Your answer did not exactly provide a fix to the problem I was having, but it did provide a possible 'better' solution if a situation like this came up again. More preventative than mine, which was just in the time of need AFTER the problem happened.

