Cannot add another DC

When trying to add another DC to the current domain I get the following error.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain corp.kcm.com:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.corp.kcm.com

Common causes of this error include the following:

- The DNS SRV records required to locate a domain controller for the domain are not registered in DNS. These records are registered with a DNS server automatically when a domain controller is added to a domain. They are updated by the domain controller at set intervals. This computer is configured to use DNS servers with following IP addresses:

192.168.1.6

- One or more of the following zones do not include delegation to its child zone:

corp.kcm.com
kcm.com
com
. (the root zone)
Asked by JasonBrownlee

Toni Uranjek (Consultant/Trainer) commented:
Hi!

1. What is the name of your AD domain?
2. What's the IP of your first DC?
3. Is the server that you are trying to add configured with the IP of the first server as its Preferred DNS server?

Toni

Ubuntop commented:
Is the 192.168.1.6 address your existing AD integrated DNS server?

The new AD server has to be using the existing DNS server before it can join.

JasonBrownlee (Author) commented:
The name of the AD domain is
corp.kcm.com
The ip of the first DC is 192.168.1.6
and to the 3rd --- yes checked that right after I posted to make sure I wasn't being a tard --
Thanks for the response!

JasonBrownlee (Author) commented:
Yes the 192.168.1.6 is the existing DC / DNS Server.

Toni Uranjek (Consultant/Trainer) commented:
Configure "corp.kcm.com" to accept dynamic updates, restart the netlogon service on the first server, run "ipconfig /flushdns" on the second server and then try dcpromo again.

If you end up with the same error, check if all records from netlogon.dns are registered in your _msdcs.corp.kcm.com. You didn't list this zone in your post; what, if anything, has happened to it?

Ubuntop commented:
You can check to make sure the SRV records are present on the DNS server.

Forward Lookup Zones >> corp.kcm.com >> _msdcs
You should find several folders listing the existing domains with an SRV record.

JasonBrownlee (Author) commented:
When I open the Forward Lookup Zones ---> the name it comes up with is kcm.com
A 2nd folder under it is named corp and inside it I don't see a _msdcs at all.

What is there is 1 name server file and a Start of Authority file as well as a corp folder
Inside the 2nd corp folder there is a list of all the computers on the network and their current IPs

I'm guessing that this isn't set up right?
I didn't set any of this up... I'm kind of taking over a bad situation and trying to right the ship.

Ubuntop commented:
Forward Lookup Zones >> kcm.com
Right click >> properties.  Make sure that the type is Active Directory Integrated.


Also, to query SRV records from your new server:
nslookup
set type=srv
_ldap._tcp.kcm.com

Toni Uranjek (Consultant/Trainer) commented:
Restarting the netlogon service from the command line will register missing records for you, or report an error in Event Viewer, DNS log, in a couple of minutes.

What happens?
net stop netlogon
net start netlogon

JasonBrownlee (Author) commented:
Service stops fine and then when starting back up it takes about 45 seconds but it does come back up.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.


C:\Documents and Settings\Administrator>net start netlogon
The Net Logon service is starting........
The Net Logon service was started successfully.

JasonBrownlee (Author) commented:
For Ubuntop --

When I ran the nslookup from the new server this is what happened

Default Server:  kcm2k7.corp.kcm.com
Address:  192.168.1.6

> set type= srv
Unrecognized command: set type= srv
> set type=srv
> _idap_tcp.kcm.com
Server:  kcm2k7.corp.kcm.com
Address:  192.168.1.6

*** kcm2k7.corp.kcm.com can't find _idap_tcp.kcm.com: Non-existent domain
>

Ubuntop commented:
Sorry need to remove the space after the = sign.
nslookup
set type=srv
_ldap._tcp.kcm.com

Ubuntop commented:
Did anything show up in the event log after restarting logon services?

Can you also run dcdiag and then netdiag from the AD server and post relevant results?

JasonBrownlee (Author) commented:
Oops --> I ran it again without the space and forgot to take the typo out of the paste. Same result

Toni Uranjek (Consultant/Trainer) commented:
Don't paste these commands, because HTML format will play tricks on you.

You should type what has been suggested by "Ubuntop".

JasonBrownlee (Author) commented:
Here is the dcdiag response


C:\Program Files\Windows Resource Kits\Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\KCM2K7
      Starting test: Connectivity
         ......................... KCM2K7 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\KCM2K7
      Starting test: Replications
         ......................... KCM2K7 passed test Replications
      Starting test: NCSecDesc
         ......................... KCM2K7 passed test NCSecDesc
      Starting test: NetLogons
         ......................... KCM2K7 passed test NetLogons
      Starting test: Advertising
         ......................... KCM2K7 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... KCM2K7 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... KCM2K7 passed test RidManager
      Starting test: MachineAccount
         ......................... KCM2K7 passed test MachineAccount
      Starting test: Services
            RPCLOCATOR Service is stopped on [KCM2K7]
            TrkWks Service is stopped on [KCM2K7]
            TrkSvr Service is stopped on [KCM2K7]
         ......................... KCM2K7 failed test Services
      Starting test: ObjectsReplicated
         ......................... KCM2K7 passed test ObjectsReplicated
      Starting test: frssysvol
         Error 5 opening FRS eventlog \\KCM2K7:File Replication Service:
 Access is denied.
         ......................... KCM2K7 failed test frssysvol
      Starting test: kccevent
         Error 5 opening FRS eventlog \\KCM2K7:Directory Service:
 Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... KCM2K7 failed test kccevent
      Starting test: systemlog
         Error 5 opening FRS eventlog \\KCM2K7:System:
 Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... KCM2K7 failed test systemlog

   Running enterprise tests on : corp.kcm.com
      Starting test: Intersite
         ......................... corp.kcm.com passed test Intersite
      Starting test: FsmoCheck
         ......................... corp.kcm.com passed test FsmoCheck

Running netdiag here in a moment.

JasonBrownlee (Author) commented:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Windows Resource Kits\Tools>netdiag

.....................................

    Computer Name: KCM2K7
    DNS Host Name: kcm2k7.corp.kcm.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
    List of installed hotfixes :
        KB921503
        KB924667-v2
        KB925398_WMP64
        KB925876
        KB925902
        KB926122
        KB927891
        KB929123
        KB929969
        KB930178
        KB931784
        KB931836
        KB932168
        KB933566
        KB933566-IE7
        KB933854
        KB935839
        KB935840
        KB935966
        KB936021
        KB936357
        KB936782
        KB937143-IE7
        KB938127-IE7
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : kcm2k7
        IP Address . . . . . . . . : 192.168.1.6
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.6
                                     192.168.1.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{5A98643E-69CB-48B4-9485-24DA770FDD31}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.6'
.
       [WARNING] The DNS entries for this DC cannot be verified right now on DNS
 server 192.168.1.1, ERROR_TIMEOUT.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{5A98643E-69CB-48B4-9485-24DA770FDD31}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{5A98643E-69CB-48B4-9485-24DA770FDD31}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Program Files\Windows Resource Kits\Tools>

JasonBrownlee (Author) commented:
Well I'm not sure what fixed it but something I did in those steps you gave me allowed the 2nd server to finally connect.

Ubuntop commented:
Did you change the "Active Directory-Integrated" setting on the forward lookup zone?

Also, is there another DC on 192.168.1.1 or is that just an external DNS (via your router)? I would make sure that the AD server that you ran Netdiag on only has AD integrated DNS servers in its TCP settings. It will still resolve externally by default or you can set up forwarders.
If your AD server's primary DNS server (in TCP settings) was set to 192.168.1.1 and that is your router or gateway forwarding requests externally, then you would get a similar result from netdiag and possibly a reason for your posted problem.

Toni Uranjek (Consultant/Trainer) commented:
What's on the 192.168.1.1 IP?

JasonBrownlee (Author) commented:
192.168.1.1 is the router provided by our ISP ---> and that was the problem.

Quite simple once looked at correctly. Thanks for the help!

Toni Uranjek (Consultant/Trainer) commented:
Did you remove 192.168.1.1 not only from DC but from every client in the domain? You should do that to avoid problems in the future.

JasonBrownlee (Author) commented:
I'd already set the primary dns for all the clients as 192.168.1.6 ---> simply forgot to check the DC server.
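A small triage script for netdiag output like the one posted in this thread, added here as an example (it is not code from any of the participants): it lists the DNS servers configured on the adapter and flags any that did not confirm the DC's records, which is how 192.168.1.1 stands out. The function names are hypothetical, and the sample input is trimmed from the netdiag paste above.

```python
import re

# Sample input: trimmed from the netdiag paste in this thread, keeping the
# 80-column console wraps that split the WARNING line in two.
SAMPLE = """\
        Dns Servers. . . . . . . . : 192.168.1.6
                                     192.168.1.1

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.6'
.
       [WARNING] The DNS entries for this DC cannot be verified right now on DNS
 server 192.168.1.1, ERROR_TIMEOUT.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def configured_dns_servers(text):
    """DNS servers listed per adapter, including continuation lines."""
    servers = []
    for block in re.finditer(r"Dns Servers[ .]*:((?:[ \t]*" + IP + r"[ \t]*\n)+)", text):
        servers += re.findall(IP, block.group(1))
    return servers

def dns_test_results(text):
    """Map each DNS server netdiag tested to 'registered' or the reported error."""
    flat = re.sub(r"\s*\n\s*", " ", text)  # undo console line wraps
    results = {}
    for ip in re.findall(r"registered on DNS server '" + IP + "'", flat):
        results[ip] = "registered"
    for ip, err in re.findall(
            r"cannot be verified right now on DNS server " + IP + r", (\w+)", flat):
        results[ip] = err
    return results

def audit(text):
    """Configured resolvers that did not confirm the DC's records, with the reason."""
    results = dns_test_results(text)
    return [(ip, results.get(ip, "not tested"))
            for ip in configured_dns_servers(text)
            if results.get(ip) != "registered"]

if __name__ == "__main__":
    for ip, reason in audit(SAMPLE):
        print(f"{ip}: DC records not confirmed ({reason})")
```

Note that netdiag still reports the overall DNS test as "Passed" in this situation, so the per-server lines are the ones to read.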