ITRick

asked on

Need DNS Help BAD!

I have 2 servers and a MESS of a DNS... Here are the dcdiag results. If it would be better to demote the second server and promote it again, let me know, because nobody here has been able to fix this problem.

Server:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER
      Starting test: Connectivity
         ......................... SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER
      Starting test: Replications
         ......................... SERVER passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER passed test NetLogons
      Starting test: Advertising
         ......................... SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER passed test MachineAccount
      Starting test: Services
         ......................... SERVER passed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SERVER passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER failed test frsevent
      Starting test: kccevent
         ......................... SERVER passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/17/2006   11:28:29
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/17/2006   11:28:42
            (Event String could not be retrieved)
         ......................... SERVER failed test systemlog
      Starting test: VerifyReferences
         ......................... SERVER passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domainpassed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domainpassed test CheckSDRefDom

   Running enterprise tests on : domain.com
      Starting test: Intersite
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.com passed test FsmoCheck
ITRick

ASKER

Server2:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Replications
         ......................... SERVER2 passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER2 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER2\netlogon)
         [SERVER2] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... SERVER2 failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\server.domain.com, when we were trying to reach SERVER2.
         Server is not responding or is not considered suitable.
         ......................... SERVER2 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER2 passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER2 passed test MachineAccount
      Starting test: Services
         ......................... SERVER2 passed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SERVER2 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2 failed test frsevent
      Starting test: kccevent
         ......................... SERVER2 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/17/2006   11:04:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/17/2006   11:04:37
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/17/2006   11:05:35
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/17/2006   11:05:35
            (Event String could not be retrieved)
         ......................... SERVER2 failed test systemlog
      Starting test: VerifyReferences
         ......................... SERVER2 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domainpassed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domainpassed test CheckSDRefDom

   Running enterprise tests on : domain.com
      Starting test: Intersite
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.com passed test FsmoCheck


ASKER

Server2 Dcdiag /test:dns Results:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : domain

   Running enterprise tests on : domain.com
      Starting test: DNS
         Test results for domain controllers:

            DC: server2.domain.com
            Domain: domain.com


               TEST: Forwarders/Root hints (Forw)
                  Error:Both root hints and forwarders are not configured. Please configure either forwarders or roothints

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: domain.com
               server2                      PASS PASS FAIL PASS PASS PASS n/a

         ......................... domain.com failed test DNS
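The three dcdiag runs above are long and the lines that matter are easy to miss. Here is an added example, my own code and not from the thread or from Microsoft, that reads saved dcdiag output and pulls out the failed tests, the first diagnostic line dcdiag printed under each, the DNS summary row, and the system-log events. dcdiag prints event IDs in hex (EventID: 0x00000457) while Event Viewer shows them in decimal (1111), so the parser converts. The SAMPLE text is a constructed excerpt of the SERVER2 output posted above with the console-wrapped lines joined; the script name in the comment is assumed.

```python
"""Parse dcdiag text output and list what failed (added example, not from the thread)."""
import re
import sys
from dataclasses import dataclass, field

START_RE = re.compile(r"^\s*Starting test: (\w+)")
# \S*? tolerates a missing space before the verdict ("domainpassed test X")
RESULT_RE = re.compile(r"^\s*\.{3,}\s*(\S*?)\s*(passed|failed) test (\w+)\s*$")
EVENT_RE = re.compile(r"An (Error|Warning) Event occur+ed\.\s+EventID: 0x([0-9A-Fa-f]+)")
TIME_RE = re.compile(r"Time Generated:\s+(\S+)\s+(\S+)")
DNS_HEADER_RE = re.compile(r"^\s*Auth\s+Basc\s+Forw")
STATUS = {"PASS", "FAIL", "WARN", "n/a"}

@dataclass
class TestResult:
    subject: str   # server, partition or domain the test ran against
    test: str
    passed: bool
    notes: tuple   # diagnostic lines dcdiag printed under the test

@dataclass
class DcdiagReport:
    results: list = field(default_factory=list)   # TestResult objects, in order
    events: list = field(default_factory=list)    # (decimal id, kind, time)
    dns: dict = field(default_factory=dict)       # host -> {column: status}

def parse_dcdiag(text: str) -> DcdiagReport:
    rep, current, notes, pending, cols = DcdiagReport(), None, [], None, None
    for line in text.splitlines():
        if m := START_RE.match(line):
            current, notes = m.group(1), []
        elif m := RESULT_RE.match(line):
            subject, verdict, test = m.groups()
            rep.results.append(TestResult(subject, test, verdict == "passed", tuple(notes)))
            current, notes = None, []
        elif m := EVENT_RE.search(line):
            pending = (m.group(1), int(m.group(2), 16))   # dcdiag prints the ID in hex
        elif (m := TIME_RE.search(line)) and pending:
            rep.events.append((pending[1], pending[0], f"{m.group(1)} {m.group(2)}"))
            pending = None
        elif DNS_HEADER_RE.match(line):
            cols = line.split()               # Auth Basc Forw Del Dyn RReg Ext
        elif cols and _is_dns_row(line.split(), len(cols)):
            host, *statuses = line.split()
            rep.dns[host] = dict(zip(cols, statuses))
        elif current and line.strip() and not _is_noise(line.strip()):
            notes.append(line.strip())
    return rep

def _is_dns_row(tokens, ncols):
    return len(tokens) == ncols + 1 and all(t in STATUS for t in tokens[1:])

def _is_noise(s):
    return s.startswith("(Event String") or set(s) == {"_"}

def summarize(rep: DcdiagReport) -> list:
    """One line per problem, quoting the first Error/Warning/Unable note as the reason."""
    out = []
    for r in rep.results:
        if not r.passed:
            reason = next((n for n in r.notes if re.search(r"Error|Warning|Unable", n)),
                          r.notes[0] if r.notes else "")
            out.append(f"{r.subject} failed {r.test}: {reason}")
    for host, cols in rep.dns.items():
        out += [f"{host}: DNS sub-test {c} FAIL" for c, st in cols.items() if st == "FAIL"]
    out += [f"event {eid} (0x{eid:X}) {kind} at {when}" for eid, kind, when in rep.events]
    return out

# Constructed excerpt of the SERVER2 output posted in the thread (wrapped lines joined).
SAMPLE = r"""
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER2\netlogon)
         ......................... SERVER2 failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\server.domain.com, when we were trying to reach SERVER2.
         ......................... SERVER2 failed test Advertising
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/17/2006   11:04:30
            (Event String could not be retrieved)
         ......................... SERVER2 failed test systemlog
      Starting test: CrossRefValidation
         ......................... domainpassed test CrossRefValidation
      Starting test: DNS
               TEST: Forwarders/Root hints (Forw)
                  Error:Both root hints and forwarders are not configured. Please configure either forwarders or roothints
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
               server2                      PASS PASS FAIL PASS PASS PASS n/a
         ......................... domain.com failed test DNS
"""

if __name__ == "__main__":
    # On the DC: dcdiag /v > dcdiag.txt, then: python dcdiag_triage.py dcdiag.txt
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(summarize(parse_dcdiag(text))))
```

Run it on the output of `dcdiag /v` and `dcdiag /test:dns` from each DC; the summary line for the DNS test is the forwarders error, and the event lines give you the decimal IDs to look up in Event Viewer on the DC where dcdiag could not retrieve the event strings.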

Pradeep Kini
How is the DNS set up?
Is the DNS AD-integrated?
Do the DNS servers point to themselves for DNS and to the other one for secondary?
The clients should point to the DNS/DC in the site.
Any ISP or trusted-domain IP addresses should be added as forwarders.
Can you run dcdiag /v (verbose mode) and netdiag /v (verbose) and paste the output?
Can you check for errors in the FRS logs?
When you type net share at the command prompt of both DCs, check whether netlogon and sysvol are shared on both DCs. If not, check for FRS errors.
Need some background... What happened? Has this ever worked? Just two DCs? What has happened in the last week with your DCs?

ASKER

The story:

I had 1 server running with Exchange and SQL, also web sites. This was at the main location. They opened a second location... I installed a 2nd server called server2, installed AD and attached it to the main location. Everything worked fine until I wanted to set up DFS. At this point it didn't work, so someone told me to download Sonar to see what's going on. I installed it on both servers. The results were: Server could see itself but not Server2, and Server2 could see itself and Server. Someone told me here that I need DNS on server2. So I installed it, and that's when everything went NUTS. Now I can't fix it or find someone to help me fix it. So I'm posting here.

Here is the setup:

Server
Exchange
SQL
Web Sites
192.168.0.10
Linksys Tunnel setup between both locations
Dedicated Line both locations with 5 Statics at each end.

Server2
Nothing running on it but a small program they use to do sales (DOS)
192.168.1.10
Linksys Tunnel setup
Dedicated Line

Antivirus Turned off until problems are fixed.

No firewalls running, and when you go to see if it's off and click on Settings, a window pops up and says "Windows Firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys)".

So that's the story behind this mess I have.
Did you mean you installed AD and then connected up... or did you install the DC as an additional one in that domain, letting AD replicate?

ASKER

I was told to add it as another DC to the domain. I needed users to replicate between both servers.
The main server had AD; server2 was standalone, then I added AD to connect it to the main server.
Ah, good, good, though we may have been on different wavelengths for a second!

If possible I would like to demote your second server and get DNS sorted out on one DC first, then we can re-promote your other DC. Does that sound OK to you?

ASKER

Yes, sounds good... I've never demoted a server before; what steps do I take? And are there any questions I will have to answer while demoting?

You simply run dcpromo on the second server. It will ask you if it's the last DC in the domain; say no, of course. That removes AD completely from that machine.

Once you have that one gone and are down to one DC, recreate your DNS zones and run dcdiag. We can go from there.

ASKER

I get a message trying to do this:

This domain controller is a Global Catalog server. Global Catalogs are used to process user logons. You should make sure other Global Catalogs are accessible to users of this domain before removing Active Directory from this computer.

That's fine. As long as your other DC is a GC, use the DCPROMO /FORCEREMOVAL switch;

then you need to follow this:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

ASKER

How do I find out which is a GC?
I can't lose the users, and I've heard removing a server will destroy all users and passwords.
You can check under Sites and Services; if the old one was your first, then it will be a GC.

That's not an issue with users... your DCs aren't replicating anyway; your first one will be fine.

ASKER

Well, seems nothing is going for me.

Error:

The operation failed because:

Active Directory could not find another domain controller to transfer the remaining data in directory partition.
Well, do you get this error when trying to demote DC2?
Does that directory partition show DC=forestdnszones,dc=xxx,dc=xxx?
If that's the case, then open the DNS snap-in and right-click on the zone created; under Properties somewhere there is an option where you can specify whether it replicates to all the DNS servers in the forest or in the domain. Change that to all the DNS servers in the domain.

What about the other DC, is it also a GC?
What is the reason they have not replicated?
Use repadmin /showreps; it should show the last successful replication time as well as the reason that it failed replication. I also see that FRS is having a problem. Does net share show sysvol and netlogon shared?
If not, then the server would not behave as a DC and hence would fail any LDAP query.
There are other ways to demote the server as well. For example, there is a product options key in the registry under which you can change the product type to:
1. LanmanNT (DC)
2. ServerNT (member server)
3. WinNT (workstation)
Now if you change the product type to ServerNT and reboot the box, it would not behave as a DC, after which you can do a metadata cleanup on DC1 and then run dcpromo on DC2 (promote it to a DUMMY domain and then gracefully demote it). This would remove any traces of the previous domain. Then you can take a backup from DC1, restore it to a location and use dcpromo /adv and install from media, after which the machines would replicate. If DC1 already has DNS as AD-integrated, just install DNS on 2 and the DNS info gets replicated along when both DCs replicate. No need to create any zones.

Note: It is always good to keep a system state backup handy when making a change in configuration.

ASKER

All I'm trying to do is get these 2 servers talking again... Ever since I installed DNS on the 2nd server everything went down the tubes.

The problem started when DFS wouldn't work. I ran Sonic to see what the problem was, and server 1 couldn't see server2 but Server2 could see itself and server1.

I wish that I could just remove DNS from the second server, delete all entries in Server1's DNS and just fix it, but we know that's too easy and Microsoft wouldn't allow "easy".


ASKER

BTW... the reason for DNS on server2 is that someone told me that for DFS to work I need to install DNS on server2.

Something is just not set up right somewhere. And this information just seems like too much work. I guess this is what happens when Microsoft tries to copy Novell with AD.

Well, if you want to fix this, try to find the root cause.
First find out how many days it's been since the last successful replication, and why the replication is failing. If they have not replicated beyond the tombstone, then removal of the problem server would be the only option.
Check why the replication is failing.
In DNS on both servers, find whether both DCs have registered their GUIDs (the alias CNAME).
Find out what error replication is failing on. In ADUC, do both DC accounts show under the DC OU?
Didn't think it would demote gracefully... try the forceremoval switch.

ASKER

Got this warning message:


This domain controller is a DNS server. If you remove Active Directory from this computer, all of the DNS data that is stored in Active Directory-integrated zones will be lost. If you remove Active Directory from this DNS server, update the configurations of all computers on your network that refer to the IP address of this DNS server with the IP address of a new DNS server.

Do you want to continue removing Active Directory from this computer?
Indeed.

ASKER

I'm shaking... LOL

When I do this forceremoval switch, am I going to lose anything? Users?
Something has to screw up after doing this.
If I do this step, what do I need to be prepared for next?
Is cleanup going to be a mess?
How do I connect both servers again?

Just want to know what I'm getting into ahead of time before I run this.

:) It's OK, I know the feeling.

Your additional DC, which is causing all your grief, holds a replica of the original DC's AD DB. You can't kill anything by removing the replica...

The cleanup process takes about 2 mins and is command-line based :)

Once cleaned, we re-promote.

Unless I am missing something here, this should be painless...

ASKER

OK... back from some time off.

What are the steps that I need to do so that when I force the removal I can start right away to bring it back online?
ASKER CERTIFIED SOLUTION
Jay_Jay70

This solution is only available to members of Experts Exchange.

All went well, I take it?