Solved

Adding Member DC

Posted on 2008-10-23
669 Views
Last Modified: 2013-12-05
I have a Windows 2000 DC, which we installed 4-5 years ago. When we promoted it to a DC, we made a mistake naming it properly. Here is what it says under System Properties -> Network Identification:
Full Computer Name: Server1.
Domain: COMPANY.LOCAL

I cannot change the Full computer name (to Server1.COMPANY.LOCAL) as this server is a DC in a production environment. I have about 100 user accounts & can't really blow the AD. Now I got a new server & it is Windows 2003 R2. I am trying to make it a Member Server & it cannot see the old Windows 2000 DC. I am certain that it is because the Win2K server name is not in the correct format. I successfully ran the adprep, domainprep & forestprep commands on the Win2k server.

The whole idea is to make the Windows 2003 server a member server & then transfer roles to it. I wonder if someone can help me out!!  Thank you.
Question by: jbara

31 Comments

Expert Comment by Mikealcl (LVL 7):
Random Idea but what about using a LMHOST file to specify the domain controller?

Expert Comment by exx1976 (LVL 18):
Nope..   That idea hasn't been feasible since the NT days..  AD requires LDAP, GC, Kerberos, and many other DNS records in order to function..  Simply giving it a NETBIOS name and IP won't solve that.

Expert Comment by Lee W, MVP (LVL 95):
Actually, if the domain is in Mixed Mode, then it MIGHT work.   But I would suspect the problem here is DNS.  As in, the servers' DNS is incorrectly configured.

Make sure the TCP/IP properties of BOTH servers point to the LAN IP address of the existing DC.  There should be NO OTHER DNS servers listed.  The server name is fine.  That's how it's supposed to look from memory and I don't recall EVER seeing an instance where the SERVER NAME caused problems joining the domain.

Expert Comment by exx1976 (LVL 18):
I thought it looked funny, so I checked an old 2000 server I have floating around here..  The Full Computer Name is listed as Server.Domain.Local...   He has only Server1.  <no domain.local>

Interesting to say the least.  Sorry that I have no more ideas, but I am interested to see how it gets resolved..

Author Comment by jbara:
Thank you for your comments/suggestions so far. Here is some more info.....
I see there is also problem with my DNS on my Windows 2000 (old) server. When I try to run dcpromo on my 2003 server, I get the following error:
-----------------------------------------------------
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain DOMAIN.LOCAL:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.DOMAIN.LOCAL

Common causes of this error include the following:

- The DNS SRV records required to locate a domain controller for the domain are not registered in DNS. These records are registered with a DNS server automatically when a domain controller is added to a domain. They are updated by the domain controller at set intervals. This computer is configured to use DNS servers with following IP addresses:

192.168.1.11

- One or more of the following zones do not include delegation to its child zone:

DOMAIN.LOCAL
LOCAL
. (the root zone)
 
For information about correcting this problem, click Help.
---------------------------------------------------
When I look under DNS on my 2000 server it does not have any entries under Forward Lookup Zone -> DOMAIN.LOCAL for:
_msdcs
_sites
_tcp
_udp
DNS says that it is Active Directory-Integrated. I did try removing & installing DNS after posting my original question, but no change. I have 2 more Windows 2000 servers at different locations & they do have all these records & are working fine. Also their names are in the correct format.
I hope there is a solution out there. I do not want to rebuild AD from scratch. Thank you everyone for your help!!  jbara

Expert Comment by Lee W, MVP (LVL 95):
Please post a cut-and-paste or graphic image of the results of IPCONFIG /ALL on the Existing DC and the new server.

Expert Comment by exx1976 (LVL 18):
Uhh, yeah.  If you have no entries under any of the _ records, then you are pretty hosed up.

You could TRY to manually create them, using one of the other DC's as a template, but I'm not 100% convinced that will solve your problem.

Unless someone knows a magic trick, I'm thinking that a reinstall is going to be the way to go.

The good news is at least it's a small domain, right?  I mean, I sure hope it is, otherwise why only have one DC?

Besides, I wouldn't want to have the entire future of my directory pinned on some hopefully proper repair job..

I know it sucks, and it's not the answer you're looking for, but if it were me, that would certainly be the route I'd take.

Sorry,
exx

Expert Comment by Lee W, MVP (LVL 95):
Humor me ... post the information I requested before you go through a big reinstall process.

Author Comment by jbara:
From Windows 2000 Server (Existing DC)
C:\>ipconfig /all
Windows 2000 IP Configuration
        Host Name . . . . . . . . . . . . : SERVER1
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:
        Media State . . . . . . . . . . . : Cable Disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
        Physical Address. . . . . . . . . : 00-1B-21-0B-09-7A

Ethernet adapter D-Link Array - DLink Server Card Virtual Adapter:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : D-Link Virtual Miniport Software for Ethernet
        Physical Address. . . . . . . . . : 00-05-5D-6D-A9-C1
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.11
C:\>
--------------------------------------------------------------
From Windows 2003 Server (New)
C:\>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : SERVER2
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-1A-64-66-F6-D4
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.11
C:\>

Expert Comment by Henrik Johansson (LVL 31):
Set connection specific primary DNS suffix for DC in NIC->Properties->TCP/IP->Properties->Advanced->DNS
Ensure that the DNS-zone allows dynamic updates and run netdiag/fix on DC.

Expert Comment by exx1976 (LVL 18):
That, and I'm seeing that 192.168.1.11 shows as "cable disconnected", but you have the other IP (that appears to be cabled/connected - 192.168.1.10) configured to use 192.168.1.11 as your DNS server..  ?

Author Comment by jbara:
Cable disconnected - that is 2nd NIC in the old server (Windows 2000 DC) & it is disabled.
192.168.1.11 is connected & working fine. It is Windows 2000 DC.
192.168.1.10 is Windows 2003 (new) server and is pointed to my old server (192.168.1.11) for DNS.

Please let me know if you need any other info. Thank you.

Expert Comment by Henrik Johansson (LVL 31):
Set connection specific DNS-suffix and run netdiag/fix to re-register SRV-records in DNS-zone.

Author Comment by jbara:
I ran the netdiag /fix & DNS test failed. Please see the attachment.
Thanks,
jbara
Netdiag.doc

Expert Comment by Henrik Johansson (LVL 31):
Ensure that DNS-zone allows dynamic updates.

Author Comment by jbara:
Yes, it is set up to allow dynamic updates. It's always been that way.

Please remember that I do not have any _records under DNS. Please check the Netdiag results in the attached file above. There are errors in that report.

Also, full computer name for my DC is: Server1.  (we made a mistake when we promoted it to a DC)
It was supposed to be Server1.COMPANY.LOCAL  

Thank you for looking into this issue!!
jbara

Expert Comment by SysExpert (LVL 63):
I would also run dcdiag in verbose mode to a log file and see what it says.

Do it for each DC you have.


I hope this helps !

Expert Comment by Henrik Johansson (LVL 31):
LDAP test. . . . . . . . . . . . . : Failed
    [WARNING] The default SPN registration for 'HOST/SERVER1' is missing on DC 'SERVER1'.
    [FATAL] The default SPNs are not properly registered on any DCs.

Run 'setspn -r server1'
What is the output of 'setspn server1'?


Delete the DNS-records that can't be re-registered and re-run netdiag/fix

Author Comment by jbara:
Hi,
This is the only DC in my Windows 2000 domain (in a production environment). I'll try to run these commands in about a day or so, after working hours. I'll post the results after. Please let me know if I should be careful about something.
Thank you,
jbara

Expert Comment by Henrik Johansson (LVL 31):
'setspn -R server1' will re-register HOST-SPN.
'setspn servername' will only display current SPNs for the server.

netdiag/fix (or restarting netlogon-service) re-registers missing SRV-records, so just make sure that the zone allows dynamic updates should be enough.

Author Comment by jbara:
Hi,
I ran setspn & here are the results...
-------------------------------------------------------------------------
C:\Program Files\Resource Kit>setspn -r server1
Failed to crack name COMPANY\server1 into the FQDN, (0) 1 0x2

C:\Program Files\Resource Kit>
-------------------------------------------------------------------------

Author Comment by jbara:
I also ran setspn -L & here are the results:
C:\Program Files\Resource Kit>setspn -L SERVER1
Registered ServicePrincipalNames for CN=SERVER1,OU=Domain Controllers,DC=COMPANY,DC=LOCAL:
    SMTPSVC/SERVER1
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/SERVER1
    DNS/SERVER1
    GC/SERVER1/COMPANY.LOCAL
    HOST/SERVER1/COMPANY
    HOST/SERVER1
    HOST/SERVER1/COMPANY.LOCAL
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/625c8b6d-813c-46c5-a909-8706e47d1696/COMPANY.LOCAL
    LDAP/625c8b6d-813c-46c5-a909-8706e47d1696._msdcs.COMPANY.LOCAL
    LDAP/SERVER1/COMPANY
    LDAP/SERVER1
    LDAP/SERVER1/COMPANY.LOCAL

C:\Program Files\Resource Kit>

Accepted Solution by Henrik Johansson (LVL 31, earned 500 total points):
Well, it's pretty natural that it can't split out FQDN-part when the server doesn't have primary DNS suffix set.
As the HOST-SPN with FQDN is missing, try to add it manually with the following command:
'setspn -a HOST/server1.domain.com server1'

One more thing to try is forcing the primary DNS suffix with GPO
Computer Configuration\Administrative Templates\System\DNS Client\Primary DNS Suffix
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/94006.mspx?mfr=true

or edit the registry manually
HKLM\System\CurrentControlSet\Services\TcpIp\Parameters
\NV Domain (REG_SZ)=domain.com
\Domain (REG_SZ)=domain.com
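A check script, added here as an example and not posted by anyone in the thread, that tests the three things Henrik's answer turns on: the primary DNS suffix values under the Tcpip\Parameters key, the _ldap._tcp.dc._msdcs SRV record that dcpromo queried, and the HOST SPNs that setspn -L lists. It assumes it runs on the DC under a PowerShell version that has Resolve-DnsName (Windows Server 2012 or later, so not on the Windows 2000 box itself) with setspn.exe on the path; the domain name and DNS address default to the values quoted in this thread.

```powershell
# Added example (not from the thread). Assumes: run on the DC, PowerShell with
# Resolve-DnsName available, setspn.exe on the path. Domain and DNS address
# default to the values quoted in the thread.
param(
    [string]$DomainFqdn = 'COMPANY.LOCAL',
    [string]$DnsServer  = '192.168.1.11'
)

$hostName = $env:COMPUTERNAME
$problems = @()

# 1. Primary DNS suffix. The thread's root cause: 'NV Domain' and 'Domain' were empty,
#    so the DC could not build an FQDN and never registered its SRV records.
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
foreach ($name in 'NV Domain', 'Domain') {
    $value = $tcpip.$name
    if ([string]::IsNullOrEmpty($value)) {
        $problems += "registry value '$name' is empty; expected $DomainFqdn"
    } elseif ($value -ne $DomainFqdn) {
        $problems += "registry value '$name' is '$value'; expected $DomainFqdn"
    }
}

# 2. DC locator record. dcpromo on the new server failed on exactly this query.
$srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { $problems += "$srvName returned no SRV answers from $DnsServer" }
} catch {
    $problems += "$srvName does not resolve on $DnsServer (same symptom as RCODE_NAME_ERROR): $($_.Exception.Message)"
}

# 3. SPNs. Both the short HOST SPN and the FQDN form should be listed by 'setspn -L'.
$spns = & setspn.exe -L $hostName 2>&1 | ForEach-Object { $_.ToString().Trim() }
foreach ($required in "HOST/$hostName", "HOST/$hostName.$DomainFqdn") {
    if (-not ($spns -contains $required)) {    # -contains is case-insensitive
        $problems += "SPN $required is not registered for $hostName"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: DNS suffix, DC locator SRV record and HOST SPNs present for $hostName"
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

A clean run reports OK; otherwise the first PROBLEM line points at which of the three steps in the answer is still outstanding.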

Author Comment by jbara:
I am sorry to ask you this....
'setspn -a HOST/server1.domain.com server1' ------ in this command, does it have to be "domain.com" OR should I replace it with my domain name "COMPANY.LOCAL"

Also, I checked registry. The following entries has no value
\NV Domain (REG_SZ)
\Domain (REG_SZ)

Again, does it have to be "domain.com" OR it should be "COMPANY.LOCAL"

I just want to clarify this.
please & thanks.
jbara

Expert Comment by Henrik Johansson (LVL 31):
Yes, domain.com shall be replaced with your own FQDN domain.
The post should have been company.local to use the same naming convention as earlier posts. Sorry for the confusion.

Author Comment by jbara:
I am away from the office for a few days. Will make these changes close to next weekend & post the results. I do have a good feeling though. Now I have hope that it will work for me. Thank you. jbara

Author Comment by jbara:
Hi,
I edited the registry & rebooted the server. It was very interesting to see that the _records showed up in DNS. Also, workstations started registering themselves. WOW, you are a genius. I can't thank you enough. I am pretty sure that I will be able to add my 2k3 server as a member server. I did not have to run the setspn -a command. Just editing the registry did the trick for DNS.  The only error I get in the System Event Viewer is 5781, which is just a minor thing. I'll be running dcpromo on my 2k3 server over the weekend & I do not anticipate any problem. I'll let you know how it goes....

Your help is greatly appreciated.  Thank you ever so much!!
Cheers,
jbara

Author Closing Comment by jbara:
henjoh09,
Thank you very much for helping me out. It saved me a lot of time & the hassle of reconfiguring all workstations. Your help is greatly appreciated. There is no doubt that you are a real wizard. Please keep up the good work........
Sincerely,
jbara

Author Comment by jbara:
henjoh09,
I ran dcpromo on my 2003 server & it worked. I was able to add 2k3 server as a member server. My AD is replicating. Thank you ever so much for helping me out.

Also, thanks to everyone else who participated & tried to help me out.
jbara