DNS/AD overwhelming newbie

I'm not entirely sure what my exact problems are, so I'll just start rambling.  I have 3 2003 servers, fully patched.  All of them are set up to be DCs.  If I try to look at group policies in ADUC on server #1 or server #3, I get:

The domain controller for group policy operations is not available. You may cancel this operation for this session or retry using the following domain controller choices.
-The one with the operations master token for the PDC emulator
-The one used by the active directory snap-ins
-Use any available domain controller

I'm wondering if this could be DNS related.  How should the DNS servers be set up for our domain?  Should they all be authoritative for abc.org, or should there be one authoritative, and two secondaries?

I'm not really sure I'm even asking the right questions here, as I am feeling rather frustrated, and in over my head right now.
EddyGurge asked:
NJComputerNetworks commented:
In general, you will want to have multiple DNS servers in your domain.  This is because if one server goes offline, your domain can still function.  Redundancy is good.  Typically, you will run DNS on one or more of your domain controllers.  The default way to configure DNS is using Active Directory integrated...this simply means that the DNS database is stored in Active Directory (on all DCs) rather than as a file on the operating system.

I would guess that you are using Active Directory integrated DNS (seeing how this is default and recommended).  Therefore, the DNS database is replicated automatically between all domain controllers.  However, only DCs that have the DNS service installed will service DNS queries from clients.  This means that all you have to do is install the DNS service on a DC...the DNS database will automatically be there.  It is very easy to configure...

Anyway, you would not typically use primary and secondary DNS hierarchy...with AD integrated DNS, all DNS servers have a read/write database...they are all peers of each other.

So, I would make sure that at least two DCs have the DNS service running (or better yet, all DCs could run the DNS service).  Then make sure that all clients and servers point to these internal Windows DNS servers in TCP/IP (don't point any to your ISP DNS...instead, you can configure forwarding on your DNS servers to resolve internet requests...)

1) All clients and servers in your domain should point INTERNALLY for DNS under TCP/IP properties.  No computer should be set to look to the ISP for DNS resolution.  (this will cause problems like you have mentioned)
2) Configure DNS forwarding on your DNS servers.  Go into the DNS console, right click your server name, choose properties from the drop down box.  Click the forwarding tab.  Enter the IP addresses here for your ISP DNS server...this will allow your DNS servers to forward internet bound requests to the Internet DNS servers...

EddyGurge (author) commented:
It looks like I have everything configured in DNS as you stated (I did add the forwarding tidbit though).  At the moment, I am not having clients use them for DNS, only the 3 servers themselves.  If DNS is not my issue with the error I'm getting, any idea what is?  Is AD unhealthy somehow, or just misconfigured?  All the items/users I've added appear on each server, but I can't bring up policies on two of them.
NJComputerNetworks commented:
Check your configuration regarding the local TCP/IP settings of the DCs themselves:

I.e.

Servername:       DCDNS1
IP:                      10.10.10.1
subnet:               255.255.255.0
Gateway:            10.10.10.10
DNS1:                 10.10.10.1
DNS2:                 10.10.10.2
DNS3:                 10.10.10.3

Servername:       DCDNS2
IP:                      10.10.10.2
subnet:               255.255.255.0
Gateway:            10.10.10.10
DNS1:                 10.10.10.1
DNS2:                 10.10.10.2
DNS3:                 10.10.10.3

Servername:       DCDNS3
IP:                      10.10.10.3
subnet:               255.255.255.0
Gateway:            10.10.10.10
DNS1:                 10.10.10.1
DNS2:                 10.10.10.2
DNS3:                 10.10.10.3

Check your FSMO role placement:  http://support.microsoft.com/kb/255690/  (Use this article to document where your FSMO roles are...you probably won't need to actually move the roles around...but you should document the roles)

Check to make sure that you have at least one global catalog server: http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=13375&DisplayTab=Article

Run DCDIAG in your environment and look for errors: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/5237db58-a1e8-40cd-ae8a-7f52848a90f2.mspx
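The checklist above (every DC resolves only against internal DC DNS servers, at least one global catalog exists, FSMO role holders are documented, DCDIAG is run on each DC) as a script added here for illustration; it is not from the thread. It assumes a current domain with the ActiveDirectory and DnsClient PowerShell modules available (Windows Server 2012 or later, or RSAT on a management host), and that it is run with domain admin rights.

```powershell
# Added example: validate the DC DNS/AD checklist from the thread.
# Assumes the ActiveDirectory and DnsClient modules (Server 2012+ / RSAT) and domain admin rights.
Import-Module ActiveDirectory

# 1) Every DC should resolve only against DCs running DNS (loopback as a secondary is acceptable).
$dcs = Get-ADDomainController -Filter *
$internalDns = @($dcs | ForEach-Object { $_.IPv4Address }) + '127.0.0.1'

foreach ($dc in $dcs) {
    # Read the IPv4 resolver list from each DC remotely.
    $resolvers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses
    }
    $external = $resolvers | Where-Object { $_ -notin $internalDns }
    if ($external) {
        # An ISP or other non-DC resolver here is the misconfiguration the thread warns about.
        Write-Warning "$($dc.HostName) points at non-DC DNS servers: $($external -join ', ')"
    } else {
        Write-Output "$($dc.HostName): resolvers OK ($($resolvers -join ', '))"
    }
}

# 2) At least one global catalog server must exist.
$gcs = $dcs | Where-Object { $_.IsGlobalCatalog }
if (-not $gcs) { Write-Warning "No global catalog server found" }
else { Write-Output "Global catalogs: $($gcs.HostName -join ', ')" }

# 3) Document the FSMO role holders (three domain-level, two forest-level roles).
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 4) Run dcdiag against every DC; /q reports only failing tests.
foreach ($dc in $dcs) {
    Write-Output "dcdiag on $($dc.HostName):"
    dcdiag /s:$($dc.HostName) /q
}
```

Any warning from step 1 or an empty step 4 output that still leaves the group policy error points back at replication or role placement rather than client DNS.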

EddyGurge (author) commented:
Ok, all three now point at each other for DNS.

I changed which machine was the GC (it was the least reliable one, now the most)

I moved all 5 FSMO roles to the most reliable server as well.  DCDiag is happy, the AD error is now gone, and I'm happy.

Thank you very much!
(and watch for more of my questions!)