cyberfool
Turning on Active Directory

I have what has been a Windows NT domain.  My boss has decided that we need to migrate to W2k (not W2k3).  This network contains about 20 Win machines at the main location and 4 at a remote site.  

The network, which includes Windows PCs as well as Linux servers, uses private IP addr, served by a Linux server (Fedora 9).  The DNS Administrator said that DNS is set to accept AD service records.  

All of the client PCs are running either W2k Pro or XP Pro.  There are only 2 NT machines still in existence.  One is the former file server & BDC at the main office.  That has been turned off.  The other is the BDC running in the remote office.  

I have configured a new W2k Svr fileserver and everyone is using it w/o a problem.  
I upgraded the PDC from NT to W2k.  

A) I want to turn on AD on this domain.  
B) I want to promote the new (W2K) fileserver to a DC as soon as I can.
C) I want to promote a W2k Srvr machine in the remote office
D) I want to turn off the final NT machine in the remote office.

When I click on the "Configure your server" option on the W2k Server DC, I get the following msg:

Running the AD install Wizard will demote this server to be a member server or stand alone server depending on what type of domain controller this is.  Before you proceed, be sure there are no dependent servers connected to this server.

~~~
Questions:
1) Should I proceed with this?  (steps A,B,C& D in that or some other order)

2) If this DC is demoted, do I need to have another DC on the LAN before I do this?

3) I read something about emulation mode and native mode for W2k DCs: that emulation mode is done when there are NT machines (BDCs?) on the network and native when there are not. Does native mode start as soon as the last NT machine is shut down?  What are the implications for turning on AD while there is still a remote BDC?  

4) Is there a way to verify that AD is actually working?

5) When I want to get AD working on the fileserver and the remote W2k server, do I just do a "dcpromo"?  Can/should I do this before I get AD running on the former NT/PDC, now W2k/DC?
oBdA

1) By upgrading your PDC, you've already created an AD; the wizard was running during the upgrade (and you hopefully did not use a single-label DNS domain name during the upgrade). The former PDC now owns all FSMO roles.
2) Yes.
3) That would be the two modes a W2k domain can be running in, "Mixed Mode" and "Native Mode". You can upgrade the AD to "native" as soon as you don't have NT4 *BDCs* anymore (you can still have NT4 *members*).
4) Event log, dcdiag.exe, netdiag.exe.
5) Basically, yes. The second part of the question is n/a
cyberfool (ASKER)

I'm not sure what you mean by a "single-label DNS domain name".

So if I understand your comments, then there is no reason to run the A/D wizard.

In your answer to #3, you mean any in the whole domain, or just not any in the LAN?
And a followup.  Do I need to just shutdown the NT BDCs or do I need to shut them down & manually remove them from the domain?
Open a command prompt on the AD DC, enter
set userdnsdomain

This should report something like yourdomain.local, yourdomain.com, yourdomain.whatever, but not just yourdomain (no TLD)
Yes, you already ran the wizard during the W2k upgrade.
As long as you have an NT4 *BDC* left in your *domain*, you need to stay in mixed mode.
You can just shut down NT4 BDCs and delete their computer object in AD; an NT4 BDC can't be demoted (other than using Upromote, which is a third-party tool).
I believe that during the upgrade of the NT/PDC to W2k/DC there was an option to initiate Active Dir.  I chose not to do so, since I was still using an NT machine as the file server & the DNS had not been upgraded to accept service records.

Now, when I type, on the W2k/DC the command
C:\>userdnsdomain

I get the exact message:

'userdnsdomain' is not recognized as an internal or external command,
operable program or batch file.

I searched for the files usersdnsdomain.*, dcdiag.exe and netdiag.exe.  None of the 3 are found anywhere on the C: drive of the W2k/DC.


As for the event viewer I get the error msg:

Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.

So I went and checked the Local area connection.  The primary DNS is set to 192.168.128.2.  I can ping the DNS server and when I type a
nslookup experts-exchange.com
I get, in part:

Non-authoritative answer:
Name experts-exchange.com
Address: 64.156.132.140

So DNS is working and available.  I have full access to the internet through my firewall.  My hunch is either A/D is not installed or turned on at all OR there is some A/D DNS setting that has not been set.

You have to enter
set userdnsdomain

dcdiag and netdiag are part of the Support Tools.
Check the DNS servers you're using; they *have* to be configured to accept dynamic updates, and they *have* to support SRV records. Otherwise install DNS on your DC, use this for your domain members, and forward requests to your Linux DNS servers.
If you can start Active Directory Users and Computers on the new DC, this should be a DC. At least during an upgrade from NT4 to W2k3, there is no option to cancel dcpromo; I'm not sure about W2k, though.

10 DNS Errors That Will Kill Your Network
http://redmondmag.com/features/article.asp?EditorialsID=413

Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

Windows 2000 Service Pack 4 Support Tools
http://www.microsoft.com/Downloads/details.aspx?familyid=F08D28F3-B835-4847-B810-BB6539362473&displaylang=en

Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
I installed the s/w, ran the programs as instructed.  
I double checked that the DNS server (linux-based) has the correct records in both the domain & IP addr file.  I can do an nslookup of upsilonc (the FSMO/DC).  I can ping the DNS server.  I can ping the DC from the DNS server.  


Here are the results:

dcdiag yields the following:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Main\UPSILONC
      Starting test: Connectivity
         3e072786-cd61-4bb8-88a1-1e09487f0d6a._msdcs.baltixxxx.com's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (3e072786-cd61-4bb8-88a1-1e09487f0d6a._msdcs.baltixxxx.com)
         couldn't be resolved, the server name (upsilonc.baltixxxx.com)
         resolved to the IP address (192.168.128.145) and was pingable.  Check
         that the IP address is registered correctly with the DNS server.
         ......................... UPSILONC failed test Connectivity

Doing primary tests
   
   Testing server: Main\UPSILONC
      Skipping all tests, because server UPSILONC is
      not responding to directory service requests
   
   Running enterprise tests on : baltixxxx.com
      Starting test: Intersite
         ......................... baltixxxx.com passed test Intersite
      Starting test: FsmoCheck
         ......................... baltixxxx.com passed test FsmoCheck

netdiag yields the following:

..........................................

    Computer Name: UPSILONC
    DNS Host Name: upsilonc.baltixxxx.com
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 6 Model 10 Stepping 0, AuthenticAMD
    List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : upsilonc.baltixxxx.com
        IP Address . . . . . . . . : 192.168.128.145
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.128.1
        Primary WINS Server. . . . : 192.168.128.130
        Secondary WINS Server. . . : 192.168.128.145
        Dns Servers. . . . . . . . : 192.168.128.2


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Failed
            No gateway reachable for this adapter.

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{FE325991-58D6-4D93-B06C-6EF2A3741EDF}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Failed

    [FATAL] NO GATEWAYS ARE REACHABLE.
    You have no connectivity to other network segments.
    If you configured the IP protocol manually then
    you need to add at least one valid gateway.


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
    [FATAL]: All DNS servers authoritative for 'upsilonc.baltixxxx.com' are currently down.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.128.2'. Please wait for 30 minutes for DNS server replication.
    [FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{FE325991-58D6-4D93-B06C-6EF2A3741EDF}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{FE325991-58D6-4D93-B06C-6EF2A3741EDF}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully
The output above indicates serious DNS errors as well as problems reaching the default gateway.
For testing purposes, install DNS on this server exactly as outlined in the article linked below (except for the part about "Promote This Server to Domain Controller (Optional--Recommended)"), and let the DC point to itself for DNS. Configure the DNS server to forward requests to your Linux DNS server.
Once DNS is installed, enter "ipconfig /registerdns" in a command window, and restart the netlogon service. Check if the SRV records have been created, and run dcdiag/netdiag again.

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/kb/237675

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/kb/241515

SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/kb/239897
The short version is:   where on the Windows Server do I supply the ad.domain.com?

The long version is:

I've carefully reviewed all 3 web pages you point out.  The one on setting up the DNS for Active Directory is appropriate for a stand-alone server, but unfortunately, mine is not only in a domain, but the only DC local to most users.  To remove it from the domain might cause even worse problems.

I have taken a close look at the netdiag report.  Our gateway does not return pings.  It is a little Netgear box and I looked through the config parameters and didn't see any easy way to turn it on.  However, the settings reached by Local Area Connection Status => Local Area Connection Properties => TCP/IP Properties are correct.  In fact, if they were not, I'd not be able to reach this website, which I'm doing from the server (not best practices, I know).  BTW: there is only one network I/F on this machine.

~

But getting back to the DNS server, one of the articles explained about creating a zone record in the named.conf file, which I did.  Essentially, I created a subdomain.  But I'm unclear how to configure my Windows server to utilize this.  

Here are the details:   My "Domain name" in terms of the internet domain, etc. is, let's say, baltimore.com.  So I created in the named.conf file a zone for ad.baltimore.com.  

So I only see a couple of places where the domain name occurs.  First, under Advanced TCP/IP settings, there is "Append these DNS suffixes", which I've had baltimore.com in, and there is a "DNS suffix for this connection" field, which I also have as baltimore.com.

But where on the Windows Server do I supply the ad.baltimore.com?  I just don't see where that goes.  I think if I got that right, then Active Directory would be able to register with the DNS server & I would be well on my way.  I am still getting the System events that "dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available."  But the DNS server is available because I'm using it to retrieve static records as well as to resolve external names.  It is just that the DC doesn't know what subdomain to use to register the dynamic records.
If you have "baltimore.com" under "Append these DNS suffixes" (and I'm actually still waiting for the result of "set userdnsdomain") then this is, in all likelihood, your AD domain name, and dynamic updates *have* to be registered in that zone. You can't "supply the ad.baltimore.com" - this would involve renaming the AD domain, which is only possible after either upgrading to W2k3 (and renaming AD is not without risks), or downgrading to NT4 again and then upgrading back to W2k, using ad.baltimore.com as AD domain name.
Sorry.  I didn't realize you were waiting for info from me.  All of the following was done on the W2k DC:

C:\> set userdnsdomain

USERDNSDOMAIN=baltimore.com
C:\>

BTW: I added to the named.conf file the following lines in the zone section for baltimore.com

allow-update {192.168.128.145; };
check-names warn;

I also added the two subnets into the A/D database.  This greatly reduced the number of negative error messages.  The only 2 warning events I'm getting in the system log are:

ID=5781 NETLOGON
Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.

ID=11 w32time
The NTP server didn't respond.

I am also getting one warning message in the Application Log
ID=35  WinMgmt
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Other than these 3, no warning or failed type errors.

The 5781 error message is puzzling, since I am able to access the DNS data when I am logged on.  For example, I'm accessing experts-exchange.com on the DC that is generating the 5781 error.  Likewise, I can successfully do forward or reverse DNS lookups of local & external machines at the command line of the DC.  

I feel that thanks to your help, I am one setting away from getting this right.


The 5781 might come from the DNS server running Bind, and not sending the expected "Success" message. If the SRV (see links above) entries are registering in DNS, you can probably ignore this error.
Troubleshooting Netlogon Event 5774, 5775, and 5781
http://support.microsoft.com/kb/259277

For the W32Time service, UDP port 123 outbound needs to be allowed.
Configure the service to use another time server instead of time.windows.com:
net time /setsntp:<a.b.c.d>
net stop w32time & net start w32time

A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680

The ID 35 isn't AD relevant.
I've done a dump using the dig command and the SRV records are NOT being registered in the DNS server.  
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
The SOA and the NS records were pointing to the previous domain controller, named PHI, rather than the new one named PHI2.  I corrected those two things and Active Directory was able to create service records on the BIND 9 DNS server.
The SOA & NS records were pointing to the now-retired DNS server, not the current DNS server.  Thanks for your help in letting me know what the SRV records looked like.  The format of the SRV records seems to be obscure; I suppose that MS wants everyone to use Windows-based DNS servers.  But we got it working with BIND 9 and are very happy with it.  Thanks again.
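As an added check that is not part of the thread, the script below covers the two things the thread turned on: the "check if the SRV records have been created" step from the DNS-install advice, and the stale SOA/NS records found in the final fix. It parses a BIND zone and reports whether SOA/NS name the live DNS server and whether the DC's SRV records exist and point at the DC; the zone text, the hostnames phi/phi2/upsilonc and the baltimore.com domain are constructed sample data modelled on the thread, not a real zone.

```python
"""Check a BIND zone for two AD prerequisites: SOA/NS naming the live DNS
server, and the DC's SRV records being present and pointing at the DC."""

# Constructed sample zone modelled on the thread: SOA/NS still name the retired
# server "phi" while the DC's dynamic updates have landed in the zone.
SAMPLE_ZONE = """\
$ORIGIN baltimore.com.
@        IN SOA phi.baltimore.com. hostmaster.baltimore.com. ( 2009060101 3600 900 604800 86400 )
@        IN NS  phi.baltimore.com.
phi2     IN A   192.168.128.2
upsilonc IN A   192.168.128.145
_ldap._tcp.dc._msdcs     IN SRV 0 100 389 upsilonc.baltimore.com.
_kerberos._tcp.dc._msdcs IN SRV 0 100 88  upsilonc.baltimore.com.
_ldap._tcp               IN SRV 0 100 389 upsilonc.baltimore.com.
"""

# Minimal set of SRV owner names (relative to the AD domain) a DC registers and
# clients use to locate it; KB 241515 (linked above) lists the complete set.
REQUIRED_SRV = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs", "_ldap._tcp", "_kerberos._tcp")


def _fqdn(name, origin):
    name = name.lower()                   # zone names are case-insensitive
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse one-record-per-line BIND zone text into (owner, type, rdata) tuples."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1].lower()
            continue
        i = 1 + toks[1].isdigit()             # skip optional TTL ...
        i += toks[i].upper() == "IN"          # ... and optional class
        records.append((_fqdn(toks[0], origin), toks[i].upper(), toks[i + 1:]))
    return records


def check_ad_zone(zone_text, dns_server, dc):
    """Return a list of problem strings; an empty list means the zone looks right."""
    records = parse_zone(zone_text)
    origin = next(n for n, t, _ in records if t == "SOA")
    dns_server, dc = _fqdn(dns_server, origin), _fqdn(dc, origin)
    problems = []
    for name, rtype, rdata in records:       # the thread's root cause: stale SOA/NS
        if rtype in ("SOA", "NS") and rdata[0].lower() != dns_server:
            problems.append(f"{rtype} for {name} names {rdata[0]}, not {dns_server}")
    for prefix in REQUIRED_SRV:              # the records netlogon should register
        owner = f"{prefix}.{origin}"
        targets = {r[3].lower() for n, t, r in records if t == "SRV" and n == owner}
        if dc not in targets:
            problems.append(f"no SRV {owner} pointing at {dc}")
    if dc not in {n for n, t, _ in records if t == "A"}:
        problems.append(f"SRV target {dc} has no A record in the zone")
    return problems
```

Calling `check_ad_zone(SAMPLE_ZONE, "phi2", "upsilonc")` on the constructed zone reports the stale SOA and NS plus the missing `_kerberos._tcp` record; against a zone dumped with `dig AXFR` from the live server, an empty list is the result to aim for.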