Multiple 2003 Server AD and DNS Issues

after moving all 5 FSMO roles from SERVER1 to SERVER2 after a successful promotion, I am unable to then promote SERVER3, getting the following error:

"The operation failed because:

This Active Directory installation requires domain configuration changes, but whether these changes have been made on the domain controller xxxx is undetermined. The installation process has quit.  

"The parameter is incorrect." "

When I open up dsa.msc > operations masters whilst connected to SERVER2 everything seems fine, however doing the same from SERVER1 or any of the other 4 DC's I get 'Error'. I'm unable to transfer roles back as the role holder appears offline, I don't want to seize the roles either as all servers need to stay in use and cannot be permanently removed as per MS KB's.

SERVER1 and SERVER2 are both running AD DNS. As far as I can tell there are no new CNAME records etc for SERVER2, hoping this is a simple DNS issue.

Any thoughts?
Thanks
premierpcAsked:

Jay_Jay70Commented:
Hi premierpc,

did you transfer the roles using ntdsutil or windows mmc's?

have you rebooted the servers since?

Cheers!
premierpcAuthor Commented:
Hi,

All 5 roles transferred via mmc as per
http://support.microsoft.com/kb/324801
Reported as successful


Servers rebooted afterwards

Thanks
Jay_Jay70Commented:
have you created those DNS records as yet that you mentioned above?

are you able to completely resolve the servers from each other?
premierpcAuthor Commented:
I can resolve between each, A host records present, however within _msdcs there is no CNAME alias. I don't know how to create the record as the Alias has a non-friendly name, example for SERVER1 it's bd0aa105-f82e-4b78-9caf-ec6b23864623, assume this is created by AD, and its absence for SERVER2 is causing the problem?

Jay_Jay70Commented:
hmm drilling that deep into dns starts getting complex, has the record been updated on any of your servers

what does dcdiag say?
premierpcAuthor Commented:
The record has not been updated on any of the DNS servers, there are also no SRV records for SERVER2..


I'll just run dcdiag now and post results
Jay_Jay70Commented:
hmm messy ...hopefully dcdiag can provide at least some insight
premierpcAuthor Commented:
*********************************
basic dcdiag test results:                            
*********************************


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         SERVER2's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (SERVER2.xxxxx.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2
      Skipping all tests, because server SERVER2 is
      not responding to directory service requests

   Running enterprise tests on : xxxxx.local
      Starting test: Intersite
         ......................... xxxxx.local passed test Intersite
      Starting test: FsmoCheck
         ......................... xxxxx.local passed test FsmoCheck



*********************************
results of dcdiag /test:connectivity
*********************************
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         SERVER2's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (srvfile01.broxapltd.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2

   Running enterprise tests on : xxxxx.local

*************************

Any thoughts on the best way forward
Jay_Jay70Commented:
both server 1 and 2 are registering to the same IP address    nasty

try simple steps to start

ipconfig /flushdns on both servers

ipconfig /registerdns and see if that helps
premierpcAuthor Commented:
JayJay,

I have already flushed & registered, what do you think about deleting the AD zones and starting again, let everything rebuild!..
Jay_Jay70Commented:
i have never taken the step of deleting AD zones completely

let me trial for you on a test system now, I'll post in a sec
Jay_Jay70Commented:
i just deleted the zone off my 2003 trial system and then recreated it and let it re-populate and it was fine

clients started turning up after a flush and register
Jay_Jay70Commented:
when you do an nslookup on that 10.0.5.12 address   which server does it resolve
premierpcAuthor Commented:
last time I did it I deleted the zones then,
net stop netlogon
dns flush
net start netlogon

Ran above on all DC/DNS servers, just concerned that on a live system it may make the problem worse, if the records didn't create first time round will they the second time?!
premierpcAuthor Commented:
nslookup resolves correctly on both servers 10.0.5.12 to SERVER2
Jay_Jay70Commented:
i am not sure why they wouldn't have created the first time. recreating the zones will search through the domain and reregister everything though so you would assume it would find the correct name this time...
Netman66Commented:
Try something simple before you get drastic.

DCDIAG /FIX

NETDIAG /FIX


Also, the original error sounds like an error produced when adprep /forestprep has been run BUT /domainprep has not been run - and you are attempting to add a 2003 server as a DC.


Just some thoughts.
premierpcAuthor Commented:
just checking the event log on SERVER2



Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2088
Date:            20/04/2006
Time:            08:43:57
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER2
Description:
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 SERVER1.broxapltd.local
Failing DNS host name:
 ce2baaf5-e529-430e-9074-8771db45736f._msdcs.xxxxx.local
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************

I noticed this morning SERVER2 primary DNS is pointing at SERVER1, secondary DNS at itself, dont want to change as may lose network connectivity.
Jay_Jay70Commented:
and welcome ones..... I haven't come across this and am way too unsure to advise deleting entire zones.....
premierpcAuthor Commented:
Netman66,

Original DC SERVER1 is 2003, SERVER2 also 2003, was meant to be a simple role transfer!

output of DCDIAG /FIX

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         SERVER2's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (SERVER2.xxxxx.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2
      Skipping all tests, because server SERVER2 is
      not responding to directory service requests

   Running enterprise tests on : xxxxx.local
      Starting test: Intersite
         ......................... xxxxx.local passed test Intersite
      Starting test: FsmoCheck

Jay_Jay70Commented:
i always have my DC's pointing to themselves primarily and then the next one in line as secondary
premierpcAuthor Commented:
Output of netdiag /fix

The procedure entry point DNSGetPrimaryDomainName_UTF8 could not be located in the dynamic link library DNSAPI.DLL
premierpcAuthor Commented:
JayJay,
Yes that is normally how I would set it up
premierpcAuthor Commented:
I'm just running dcdiag enhanced version..

dcdiag /test:dns
I will post results once complete

Thanks
Jay_Jay70Commented:
did you change your pointers?
premierpcAuthor Commented:
JayJay,

No I didn't change ptr's

Here is the output:
************************************************

C:\Program Files\Support Tools>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         The host 9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local co
uld not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local) couldn't
         be resolved, the server name (SERVER2.xxxxx.local) resolved to
         the IP address (10.0.5.12) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : xxxxx

   Running enterprise tests on : xxxxx.local
      Starting test: DNS
         Test results for domain controllers:

            DC: SERVER2.xxxxx.local
            Domain: xxxxx.local


               TEST: Basic (Basc)
                  Error: No LDAP connectivity

               TEST: Records registration (RReg)
                  Network Adapter [00000001] Intel(R) PRO/1000 T Server Adapter:

                     Error: Missing CNAME record at DNS server 10.0.5.10 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local


                     Warning: Missing DC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.dc._msdcs.xxxxx.local
                     (Ignore the error if DNSAvoidRegisterRecord registry key or
 its Group Policy
                     has been configured to prevent registration of this Record.
)

                     Error: Missing PDC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.pdc._msdcs.xxxxx.local

                     Error: Missing CNAME record at DNS server 10.0.5.12 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local


                     Warning: Missing DC SRV record at DNS server 10.0.5.12 :
                     _ldap._tcp.dc._msdcs.xxxxx.local
                     (Ignore the error if DNSAvoidRegisterRecord registry key or
 its Group Policy
                     has been configured to prevent registration of this Record.
)

                     Error: Missing PDC SRV record at DNS server 10.0.5.12 :
                     _ldap._tcp.pdc._msdcs.xxxxx.local

               Error: Record registrations cannot be found for all the network a
dapters

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: xxxxx.local
               srvfile01                    PASS FAIL PASS PASS PASS FAIL n/a

         ......................... xxxxx.local failed test DNS

*******************************************
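A small parser for the "Records registration (RReg)" section of that dcdiag /test:dns output, which turns the scattered Error/Warning lines into a per-DNS-server list of missing records and a de-duplicated list of what actually has to be created. This is an added example and not part of the thread; the sample text is a constructed excerpt condensed from the output posted above, and the regular expression assumes dcdiag's English-language message format.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed excerpt of the dcdiag /test:dns output above.
SAMPLE_DCDIAG = """\
               TEST: Records registration (RReg)
                  Network Adapter [00000001] Intel(R) PRO/1000 T Server Adapter:

                     Error: Missing CNAME record at DNS server 10.0.5.10 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local

                     Warning: Missing DC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.dc._msdcs.xxxxx.local
                     (Ignore the error if DNSAvoidRegisterRecord registry key or
 its Group Policy
                     has been configured to prevent registration of this Record.
)

                     Error: Missing PDC SRV record at DNS server 10.0.5.10 :
                     _ldap._tcp.pdc._msdcs.xxxxx.local

                     Error: Missing CNAME record at DNS server 10.0.5.12 :
                     9973935a-c915-41b9-81d9-fb04ead640d7._msdcs.xxxxx.local
"""

# Matches the header line; the record name follows on the next non-empty line.
MISSING_RE = re.compile(
    r"^\s*(?P<severity>Error|Warning):\s+Missing\s+(?P<kind>.+?)\s+record at DNS server\s+"
    r"(?P<server>\S+)\s*:\s*$"
)


def parse_missing_records(text):
    """Return {dns_server_ip: [(severity, kind, record_name), ...]} in output order."""
    missing = defaultdict(list)
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = MISSING_RE.match(line)
        if not m:
            continue
        name = ""
        for nxt in lines[i + 1:]:          # first non-empty line after the header
            if nxt.strip():
                name = nxt.strip()
                break
        missing[m["server"]].append((m["severity"], m["kind"], name))
    return dict(missing)


def records_to_create(missing):
    """Collapse the per-server view into the unique (kind, name) pairs that are absent."""
    return sorted({(kind, name) for entries in missing.values() for _, kind, name in entries})


if __name__ == "__main__":
    found = parse_missing_records(SAMPLE_DCDIAG)
    for server, entries in found.items():
        print(server)
        for severity, kind, name in entries:
            print(f"  {severity:7} {kind:8} {name}")
    print("to create:", records_to_create(found))
```

Run it against a saved `dcdiag /test:dns > dcdiag.txt` capture by reading the file into `parse_missing_records`; the same record missing on every DNS server, as here, points at a registration failure on the DC rather than a replication gap between DNS servers.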
Netman66Commented:
Can this GUID: 9973935a-c915-41b9-81d9-fb04ead640d7
 
be found in _msdcs.domain.local?


premierpcAuthor Commented:
Netman66,

Hi, have checked all servers, 9973935a-c915-41b9-81d9-fb04ead640d7 doesn't appear!

Thanks
Netman66Commented:
You can manually register this entry in _msdcs for now.  I understand that you shouldn't have to, but this should fix the error for now.

Open DNS console.
Expand the domain.
Expand Forward Lookup Zones.
Expand _msdcs.domain.local (or whatever yours is)
Right-click _msdcs.domain.local and select New Alias (CNAME).
For the Alias name use: 9973935a-c915-41b9-81d9-fb04ead640d7
For the Fully Qualified Domain Name use:  SERVER2.xxxxx.local (replace the Xes).

This should replicate and your errors should stop.


premierpcAuthor Commented:
Netman66,

Thanks for the info, I will try this morning, do I need to create the missing SRV records too or just the CNAME alias
Thanks
premierpcAuthor Commented:
Ok this is basically what I did to get the DC's talking again and get rid of the 'error' within operations masters

***********************************************************************************
Added
Forward Lookup:

CNAME (Alias) Records
Name: 9973935a-c915-41b9-81d9-fb04ead640d7 (host found using DCDIAG enhanced version only, command syntax dcdiag /test:dns)

Changed
SOA Records:
Server changed from SERVER1.xxxxx.local to SERVER2.xxxxx.local
Serial incremented.

Added
SRV Records:
Added SERVER2.xxxxx.local for following services:
_ldap
_kpasswd (service name needs to be created manually)
_kerberos

Setup all records for the following protocols:
_tcp
_udp

Reverse Lookup:
SOA changed as above to SERVER2.xxxxx.local, again serial incremented.

Notes
Weight should be set to 100, default is 0 when creating records
As SERVER2 is not a GC it will not be found within zone _msdcs\\gc etc
***********************************************************************************

Information may be useful to someone else in the future, I'm sure just by deleting the AD zone and recreating it would have done the same, but as it's a live system, I decided to be cautious!

DCDIAG tests all pass, thanks for everyone's assistance :) points given
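Netman66's manual CNAME steps and the author's closing list of added SRV records both amount to re-creating, by hand, the records a DC's Netlogon service would normally register itself. The following added example (not code from the thread) builds that expected record set for a DC and checks a zone snapshot against it, so the full list of gaps, and any stale record still pointing at the old PDC, is visible before anything is typed into the DNS console. The expected set is the general one a Windows DC registers (priority 0, weight 100, which matches the author's note that weight should be 100); the zone snapshot is constructed, SERVER1's GUID is a placeholder, and SERVER2's GUID is the one dcdiag reported above.

```python
# Assumed values taken from the thread (domain and site names as posted).
DOMAIN = "xxxxx.local"
SITE = "Default-First-Site-Name"
DC_FQDN = "SERVER2.xxxxx.local"
DC_GUID = "9973935a-c915-41b9-81d9-fb04ead640d7"          # from dcdiag output above
SERVER1_GUID = "00000000-0000-0000-0000-000000000001"     # placeholder, not the real GUID


def expected_dc_records(domain, dc_fqdn, dsa_guid, site, is_pdc, is_gc):
    """Records a DC's Netlogon registers: (type, owner name, rdata). SRV rdata is 'prio weight port target'."""
    def srv(name, port):
        return ("SRV", name, f"0 100 {port} {dc_fqdn}")

    recs = [("CNAME", f"{dsa_guid}._msdcs.{domain}", dc_fqdn)]   # replication alias
    for proto in ("_tcp", "_udp"):
        recs.append(srv(f"_kerberos.{proto}.{domain}", 88))
        recs.append(srv(f"_kpasswd.{proto}.{domain}", 464))
    recs += [
        srv(f"_ldap._tcp.{domain}", 389),
        srv(f"_ldap._tcp.{site}._sites.{domain}", 389),
        srv(f"_ldap._tcp.dc._msdcs.{domain}", 389),
        srv(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}", 389),
        srv(f"_kerberos._tcp.dc._msdcs.{domain}", 88),
    ]
    if is_pdc:                                   # only the PDC emulator owns this one
        recs.append(srv(f"_ldap._tcp.pdc._msdcs.{domain}", 389))
    if is_gc:                                    # SERVER2 is not a GC, so none of these
        recs += [srv(f"_gc._tcp.{domain}", 3268),
                 srv(f"_ldap._tcp.gc._msdcs.{domain}", 3268)]
    return recs


def build_zone(records):
    """Zone snapshot keyed by (type, lower-cased name) -> set of rdata strings."""
    zone = {}
    for rtype, name, rdata in records:
        zone.setdefault((rtype, name.lower()), set()).add(rdata)
    return zone


def find_missing(expected, zone):
    """Expected records whose rdata is not present under that name in the zone."""
    missing = []
    for rtype, name, rdata in expected:
        present = {r.lower() for r in zone.get((rtype, name.lower()), set())}
        if rdata.lower() not in present:
            missing.append((rtype, name, rdata))
    return missing


def stale_rdata(zone, rtype, name, current_fqdn):
    """Rdata under a single-holder name (e.g. the PDC SRV) that targets something other than the current holder."""
    return {r for r in zone.get((rtype, name.lower()), set())
            if not r.lower().endswith(current_fqdn.lower())}


# Constructed snapshot: SERVER1, the former PDC and a GC, registered everything;
# SERVER2 registered its SRV records except the PDC one and never got its CNAME.
_zone_records = expected_dc_records(DOMAIN, "SERVER1.xxxxx.local", SERVER1_GUID, SITE, is_pdc=True, is_gc=True)
_zone_records += [r for r in expected_dc_records(DOMAIN, DC_FQDN, DC_GUID, SITE, is_pdc=True, is_gc=False)
                  if r[0] != "CNAME" and "pdc._msdcs" not in r[1]]
ZONE = build_zone(_zone_records)


def missing_for_server2():
    """What still has to be created for SERVER2 as the new PDC emulator (not a GC)."""
    expected = expected_dc_records(DOMAIN, DC_FQDN, DC_GUID, SITE, is_pdc=True, is_gc=False)
    return find_missing(expected, ZONE)


if __name__ == "__main__":
    for rec in missing_for_server2():
        print("missing:", rec)
    print("stale PDC rdata:", stale_rdata(ZONE, "SRV", f"_ldap._tcp.pdc._msdcs.{DOMAIN}", DC_FQDN))
```

With a real zone, populate `build_zone` from an export of the zone (for example a dump of the `_msdcs` and domain zones) rather than the constructed list; the check is deliberately rdata-based so that a name which exists but only points at the old holder, as the PDC SRV does here after the role transfer, is reported rather than silently accepted.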
Jay_Jay70Commented:
good stuff

thank you!