How to test for a healthy DNS?

I have a domain with 1 DC called "Servant" which runs Windows 2000 Advanced Server SP4

I would like to add a second DC running Windows 2003 Standard Edition which I want to promote as a DC and eventually take over all roles from SERVANT.

When I have tried to do this before there were replication issues caused by Access Denied errors on SERVANT. The two DCs in the domain couldn't replicate properly and the new server couldn't be demoted gracefully. After a forced demotion via dcpromo I cleaned up the metadata with ntdsutil and ADSIEdit.

I suspect that the root of the problem was that my DNS or system permissions on SERVANT weren't very healthy to start off with. How can I check / ensure that everything is healthy on SERVANT so that I can avoid the problems I encountered? I also have the option to build a new domain and join all 10 client PCs to the new server, but the transition will be much more disruptive.

Thanks for any help.
JannieT asked:
Toni Uranjek (Consultant/Trainer) commented:
Hi!

A correctly configured DNS server should contain the appropriate A and SRV resource records. The host (A) record is registered in a DNS server which supports dynamic DNS with the following command: "ipconfig /registerdns".
Service locator (SRV) records are registered by the Netlogon service on restart. Go to Administrative Tools, Services and restart the Netlogon service.

The following article explains how to check if all SRV records were registered:

"How to verify that SRV DNS records have been created for a domain controller"
http://support.microsoft.com/kb/816587

In short: every record in netlogon.dns file should be in your _msdcs.domain.com zone.

HTH

Toni
0
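The check Toni describes (every record in netlogon.dns must be present in the zone) can be done by hand in the DNS console, but it is easy to miss one record among dozens. The script below is an added example, not something from this thread or from Microsoft's tooling: it parses a sample netlogon.dns, compares it against a snapshot of what the DNS server actually serves (as you would collect with nslookup or dnscmd /zoneprint), reports the records that are missing, and additionally flags any name that resolves to the DC's static LAN address and to something else, which is the symptom of a multihomed DC (a RAS or modem interface) registering itself. The domain, host and addresses follow the thread; both record sets are constructed inline, and the DSA GUID in the CNAME is a placeholder.

```python
"""Compare a DC's intended DNS registrations (netlogon.dns) with what the zone serves."""
from collections import defaultdict

# Constructed sample in the format of %SystemRoot%\System32\config\netlogon.dns.
# Domain and host follow the thread; the GUID in the CNAME is a placeholder.
NETLOGON_DNS = """\
omf-publishers.local. 600 IN A 192.168.0.2
_ldap._tcp.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_ldap._tcp.Default-First-Site-Name._sites.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_ldap._tcp.pdc._msdcs.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_ldap._tcp.gc._msdcs.omf-publishers.local. 600 IN SRV 0 100 3268 servant.omf-publishers.local.
_ldap._tcp.dc._msdcs.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_kerberos._tcp.omf-publishers.local. 600 IN SRV 0 100 88 servant.omf-publishers.local.
_kerberos._tcp.dc._msdcs.omf-publishers.local. 600 IN SRV 0 100 88 servant.omf-publishers.local.
_kpasswd._tcp.omf-publishers.local. 600 IN SRV 0 100 464 servant.omf-publishers.local.
_gc._tcp.omf-publishers.local. 600 IN SRV 0 100 3268 servant.omf-publishers.local.
11111111-2222-3333-4444-555555555555._msdcs.omf-publishers.local. 600 IN CNAME servant.omf-publishers.local.
"""

# Constructed snapshot of what the server answers. One SRV record (_kpasswd) is
# missing, and the DC's host record carries a second address, the RAS interface.
OBSERVED_ZONE = """\
omf-publishers.local. 600 IN A 192.168.0.2
servant.omf-publishers.local. 1200 IN A 192.168.0.2
servant.omf-publishers.local. 1200 IN A 192.168.0.67
_ldap._tcp.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_ldap._tcp.Default-First-Site-Name._sites.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_ldap._tcp.pdc._msdcs.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_ldap._tcp.gc._msdcs.omf-publishers.local. 600 IN SRV 0 100 3268 servant.omf-publishers.local.
_ldap._tcp.dc._msdcs.omf-publishers.local. 600 IN SRV 0 100 389 servant.omf-publishers.local.
_kerberos._tcp.omf-publishers.local. 600 IN SRV 0 100 88 servant.omf-publishers.local.
_kerberos._tcp.dc._msdcs.omf-publishers.local. 600 IN SRV 0 100 88 servant.omf-publishers.local.
_gc._tcp.omf-publishers.local. 600 IN SRV 0 100 3268 servant.omf-publishers.local.
11111111-2222-3333-4444-555555555555._msdcs.omf-publishers.local. 600 IN CNAME servant.omf-publishers.local.
"""


def parse_records(text):
    """Parse 'name ttl IN type rdata...' lines into a set of (name, type, rdata).

    Names are lower-cased and stripped of the trailing dot, and the TTL is
    ignored, so a zone holding the right record with a different TTL is not
    reported as missing. Anything after ';' is a comment."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        name = parts[0].lower().rstrip(".")
        rtype = parts[3].upper()
        rdata = " ".join(p.lower().rstrip(".") for p in parts[4:])
        records.add((name, rtype, rdata))
    return records


def missing_records(expected, observed):
    """Records Netlogon wants published that the zone does not serve."""
    return sorted(expected - observed)


def stray_addresses(observed, dc_address):
    """Names that resolve to the DC's static address and also to something else.

    Returns {name: [extra addresses]}; a non-empty result means another
    interface on the DC (RAS, modem, second NIC) has registered itself."""
    addrs = defaultdict(set)
    for name, rtype, rdata in observed:
        if rtype == "A":
            addrs[name].add(rdata)
    return {name: sorted(a - {dc_address})
            for name, a in addrs.items()
            if dc_address in a and len(a) > 1}


def check_dc_dns(netlogon_text, zone_text, dc_address):
    """Run both checks and return a report dict."""
    expected = parse_records(netlogon_text)
    observed = parse_records(zone_text)
    return {"missing": missing_records(expected, observed),
            "stray": stray_addresses(observed, dc_address)}


if __name__ == "__main__":
    report = check_dc_dns(NETLOGON_DNS, OBSERVED_ZONE, "192.168.0.2")
    for rec in report["missing"]:
        print("MISSING:", *rec)
    for name, extra in report["stray"].items():
        print("STRAY A:", name, "->", ", ".join(extra))
    print("healthy" if not (report["missing"] or report["stray"]) else "problems found")
```

To use it against a real server, paste the contents of netlogon.dns into NETLOGON_DNS and the zone's records (from dnscmd /zoneprint, or nslookup output rewritten one record per line) into OBSERVED_ZONE. A clean run reports nothing missing and no stray addresses; the stray-address check is the one that would have caught the second address that the netdiag and ipconfig output later in this thread shows on SERVANT.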
JannieT (Author) commented:
HA! Good info, Toni. All the records listed in netlogon.dns show in the DNS console, but I still don't feel 100% at ease yet.

Can you (or anyone else) please cast your expert eye on this snapshot of my DNS tree:

http://www.kanokbannasan.org/relocation/dns-tree.png

Apart from the A records showing in the forward lookup zone's domain name root (one dynamically registered client looking odd), we have the service records as indicated in pink. There is also one CNAME record in the _msdcs root that is not showing.

Does this look normal / healthy?

Thanks,
Jannie
0
Toni Uranjek (Consultant/Trainer) commented:
Which roles does prod-ws01 hold? Is it a DNS server? Then the "(same as parent folder)" entries are correct. One identifies the DNS domain, the other (SOA) identifies prod-ws01 as the Start Of Authority DNS server for your domain.
0
JannieT (Author) commented:
prod-ws01 is a PC client and has been offline for more than a week. Up to now I had DHCP update DNS records (which I just discovered isn't the best practice and have just disabled). It looks like my DHCP has assigned this lease to servant during a remote logon. See:

http://www.kanokbannasan.org/relocation/dhcp_tree.png

0
JannieT (Author) commented:
When I originally cleaned up the DNS after I forced the second DC demotion, I deleted these two zones from the DNS, because they were referring exclusively to the demoted server:

ForestDNSZones.omf-publishers.local
DomainDNSZones.omf-publishers.local

Would this be a concern?
0
Toni Uranjek (Consultant/Trainer) commented:
You've deleted application partitions; this is not critical at the moment.

Delete the host record for prod-ws01, then go to every domain controller, open a command prompt and run these commands, and then post a picture of your DNS console.
ipconfig /registerdns
net stop netlogon
net start netlogon

0
JannieT (Author) commented:
Hi Toni, sorry for my slow answer. I am supervising a building project and trying to set up a new server at the same time.

Snapshot of my DNS console after doing the above:
http://www.kanokbannasan.org/relocation/dns_tree_01-02-2008.png

I ran netdiag on the DC (we only have one, the new one is offline and not promoted yet) and it seems to think that the machine has two NICs. The 'virtual' one is assigned an IP address in the dynamic range and the real NIC is statically set to 192.168.0.2

---------------------------
    Computer Name: SERVANT
    DNS Host Name: Servant.OMF-Publishers.local
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 6 Model 10 Stepping 0, AuthenticAMD
    List of installed hotfixes :
        KB329115
 ...
        Q828026
        Update Rollup 1


Netcard queries test . . . . . . . : Passed
    [WARNING] The net card 'RAS Async Adapter' may not be working because it has not received any packets.



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Servant
        IP Address . . . . . . . . : 192.168.0.2
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.0.1
        Primary WINS Server. . . . : 192.168.0.2
        Dns Servers. . . . . . . . : 192.168.0.2


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed

        WINS service test. . . . . : Passed

    Adapter : {6EB2B373-D79A-4C09-8FEF-BB3167675382}

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Servant
        IP Address . . . . . . . . : 192.168.0.67
        Subnet Mask. . . . . . . . : 255.255.255.255
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 127.0.0.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{0FC2A3AD-46A6-4680-BE46-CE6DED09DDAB}
        NetBT_Tcpip_{6EB2B373-D79A-4C09-8FEF-BB3167675382}
    2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.2' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{0FC2A3AD-46A6-4680-BE46-CE6DED09DDAB}
        NetBT_Tcpip_{6EB2B373-D79A-4C09-8FEF-BB3167675382}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{0FC2A3AD-46A6-4680-BE46-CE6DED09DDAB}
        NetBT_Tcpip_{6EB2B373-D79A-4C09-8FEF-BB3167675382}
    The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully

0
JannieT (Author) commented:
ipconfig /all dump:

-------------------------------------------------------------------------------------------

Windows 2000 IP Configuration



      Host Name . . . . . . . . . . . . : Servant
      Primary DNS Suffix  . . . . . . . : OMF-Publishers.local
      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : Yes

      WINS Proxy Enabled. . . . . . . . : No

      DNS Suffix Search List. . . . . . : OMF-Publishers.local

Ethernet adapter Local Area Connection:



      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
      Physical Address. . . . . . . . . : 00-11-2F-D6-7A-AC

      DHCP Enabled. . . . . . . . . . . : No

      IP Address. . . . . . . . . . . . : 192.168.0.2

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Default Gateway . . . . . . . . . : 192.168.0.1

      DNS Servers . . . . . . . . . . . : 192.168.0.2
      Primary WINS Server . . . . . . . : 192.168.0.2


PPP adapter RAS Server (Dial In) Interface:



      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

      Physical Address. . . . . . . . . : 00-53-45-00-00-00

      DHCP Enabled. . . . . . . . . . . : No

      IP Address. . . . . . . . . . . . : 192.168.0.67

      Subnet Mask . . . . . . . . . . . : 255.255.255.255

      Default Gateway . . . . . . . . . :

      DNS Servers . . . . . . . . . . . : 127.0.0.1
0
Toni Uranjek (Consultant/Trainer) commented:
You have RRAS or modem installed on your DC? And if the answer is yes, question is: why? ;)

0
JannieT (Author) commented:
Hmmm, we have both. The DC doubles as a fax server (thus the modem) and the RRAS is for a VPN connection from home if I need to look up something on the server. We are a small team and the DC is the only machine that is always on.
0
JannieT (Author) commented:
I found a MS KB article called "Name resolution and connectivity issues on a Routing and Remote Access Server that also runs DNS or WINS" at http://support.microsoft.com/kb/292822 that seems to fix this specific problem.

Toni, if you can't see anything else that looks strange can you please post something that says so so that I can give you the points and close the question.

Also, if you have a suggestion how we can avoid having RRAS and a modem on the server, that would be very helpful.
0
Toni Uranjek (Consultant/Trainer) commented:
Hi!

Sorry for the delay. Multihomed DCs are in general a bad idea, but the following article should help you to configure your server so that it won't register the modem's IP in DNS.

"The Host's "A" Record Is Registered in DNS After You Choose Not to Register the Connection's Address"
http://support.microsoft.com/kb/275554

HTH

Toni
0
JannieT (Author) commented:
Thanks for your help, Toni!
0