asked on
Turning on Active Directory
I have what has been a Windows NT domain. My boss has decided that we need to migrate to W2k (not W2k3). This network contains about 20 Win machines at the main location and 4 at a remote site.
The network, which includes Windows PCs as well as Linux servers, uses private IP addr, served by a Linux server (Fedora 9). The DNS Administrator said that DNS is set to accept AD service records.
All of the client PCs are running either W2k Pro or XP Pro. There are only 2 NT machines still in existence. One is the former file server & BDC at the main office. That has been turned off. The other is the BDC running in the remote office.
I have configured a new W2k Svr fileserver and everyone is using it w/o a problem.
I upgraded the PDC from NT to W2k.
A) I want to turn on AD on this domain.
B) I want to promote the new (W2K) fileserver to a DC as soon as I can.
C) I want to promote a W2k Srvr machine in the remote office
D) I want to turn off the final NT machine in the remote office.
When I click on the "Configure your server" option on the W2k Server DC, I get the following msg:
Running the AD install Wizard will demote this server to be a member server or stand alone server depending on what type of domain controller this is. Before you proceed, be sure there are no dependent servers connected to this server.
~~~
Questions:
1) Should I proceed with this? (steps A,B,C& D in that or some other order)
2) If this DC is demoted, do I need to have another DC on the LAN before I do this?
3) I read something about emulation mode and native mode for W2k DCs: that emulation mode is done when there are NT machines (BDCs?) on the network and native when there are not. Does native mode start as soon as the last NT machine is shut down? What are the implications for turning on AD while there is still a remote BCD?
4) Is there a way to verify that AD is actually working?
5) When I want to get AD working on the fileserver and the remote W2k server, do I just do a "dcpromo". Can/should I do this before I get AD running on the former NT/PDC now W2k/DC?
The network, which includes Windows PCs as well as Linux servers, uses private IP addr, served by a Linux server (Fedora 9). The DNS Administrator said that DNS is set to accept AD service records.
All of the client PCs are running either W2k Pro or XP Pro. There are only 2 NT machines still in existence. One is the former file server & BDC at the main office. That has been turned off. The other is the BDC running in the remote office.
I have configured a new W2k Svr fileserver and everyone is using it w/o a problem.
I upgraded the PDC from NT to W2k.
A) I want to turn on AD on this domain.
B) I want to promote the new (W2K) fileserver to a DC as soon as I can.
C) I want to promote a W2k Srvr machine in the remote office
D) I want to turn off the final NT machine in the remote office.
When I click on the "Configure your server" option on the W2k Server DC, I get the following msg:
Running the AD install Wizard will demote this server to be a member server or stand alone server depending on what type of domain controller this is. Before you proceed, be sure there are no dependent servers connected to this server.
~~~
Questions:
1) Should I proceed with this? (steps A,B,C& D in that or some other order)
2) If this DC is demoted, do I need to have another DC on the LAN before I do this?
3) I read something about emulation mode and native mode for W2k DCs: that emulation mode is done when there are NT machines (BDCs?) on the network and native when there are not. Does native mode start as soon as the last NT machine is shut down? What are the implications for turning on AD while there is still a remote BCD?
4) Is there a way to verify that AD is actually working?
5) When I want to get AD working on the fileserver and the remote W2k server, do I just do a "dcpromo". Can/should I do this before I get AD running on the former NT/PDC now W2k/DC?
Windows OSWindows 2000
Last Comment
cyberfool
ASKER
I'm not sure what you mean by a "single-label DNS domain name".
So if I understand your comments, then there is no reason to run the A/D wizard.
In your answer to #3, you mean any in the whole domain, or just not any in the LAN?
So if I understand your comments, then there is no reason to run the A/D wizard.
In your answer to #3, you mean any in the whole domain, or just not any in the LAN?
ASKER
And a followup. Do I need to just shutdown the NT BDCs or do I need to shut them down & manually remove them from the domain?
Open a command prompt on the AD DC, enter
set userdnsdomain
This should report something like yourdomain.local, yourdomain.com, yourdomain.whatever, but not just yourdomain (no TLD)
Yes, you already ran the wizard during the W2k upgrade.
As long as you have an NT4 *BDC* left in your *domain*, you need to stay in mixed mode.
You can just shutdown NT4 BDCs and delete their computer object in AD; an NT4 BDC can't be demoted (other than using Upromote, which is a third-party tool).
set userdnsdomain
This should report something like yourdomain.local, yourdomain.com, yourdomain.whatever, but not just yourdomain (no TLD)
Yes, you already ran the wizard during the W2k upgrade.
As long as you have an NT4 *BDC* left in your *domain*, you need to stay in mixed mode.
You can just shutdown NT4 BDCs and delete their computer object in AD; an NT4 BDC can't be demoted (other than using Upromote, which is a third-party tool).
ASKER
I believe that during the upgrade from/of NT/PDC to W2k/DC there was an option to initiate Active Dir. I choose not to do so, since I was still using an NT machine as the file server & the DNS had not been upgraded to accept service records.
Now, when I type, on the W2k/DC the command
C:\>userdnsdomain
I get the exact message:
'userdnsdomain' is not recognized as an internal or external command,
operable program or batch file.
I searched for the files usersdnsdomain.*, dcdiag.exe and netdiag.exe. None of the 3 are found anywhere on the C: drive of the W2k/DC.
As for the event viewer I get the error msg:
Dynamic registration or deregistration of one or more DNS recods failed because no DNS servers are available.
So I went and checked the Local area connection. The primary DNS is set to 192.168.128.2. I can ping the DNS server and when I type a
nslookup experts-exchange.com
I get, in part:
Non-authoritative answer:
Name experts-exchange.com
Address: 64.156.132.140
So DNS is working and available. I have full access to the internet through my firewall to the internet. My hunch is either A/D is not installed or turned on at all OR there is some A/D dns setting that has not been set.
Now, when I type, on the W2k/DC the command
C:\>userdnsdomain
I get the exact message:
'userdnsdomain' is not recognized as an internal or external command,
operable program or batch file.
I searched for the files usersdnsdomain.*, dcdiag.exe and netdiag.exe. None of the 3 are found anywhere on the C: drive of the W2k/DC.
As for the event viewer I get the error msg:
Dynamic registration or deregistration of one or more DNS recods failed because no DNS servers are available.
So I went and checked the Local area connection. The primary DNS is set to 192.168.128.2. I can ping the DNS server and when I type a
nslookup experts-exchange.com
I get, in part:
Non-authoritative answer:
Name experts-exchange.com
Address: 64.156.132.140
So DNS is working and available. I have full access to the internet through my firewall to the internet. My hunch is either A/D is not installed or turned on at all OR there is some A/D dns setting that has not been set.
You have to enter
set userdnsdomain
dcdiag and netdiag are part of the Support Tools.
Check the DNS server you're using, they *have* to be configured to accept dynamic updates, and they *have* to support SRV records. Otherwise install DNS on your DC, use this for your domain members, and forward requests to your Linux DNS servers.
If you can start Active Directory Users and Computers on the new DC, this should be a DC. At least during an upgrade from NT4 to W2k3, there is no option to cancel dcpromo; I'm not sure about W2k, though.
10 DNS Errors That Will Kill Your Network
http://redmondmag.com/features/article.asp?EditorialsID=413
Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036
Windows 2000 Service Pack 4 Support Tools
http://www.microsoft.com/Downloads/details.aspx?familyid=F08D28F3-B835-4847-B810-BB6539362473&displaylang=en
Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
set userdnsdomain
dcdiag and netdiag are part of the Support Tools.
Check the DNS server you're using, they *have* to be configured to accept dynamic updates, and they *have* to support SRV records. Otherwise install DNS on your DC, use this for your domain members, and forward requests to your Linux DNS servers.
If you can start Active Directory Users and Computers on the new DC, this should be a DC. At least during an upgrade from NT4 to W2k3, there is no option to cancel dcpromo; I'm not sure about W2k, though.
10 DNS Errors That Will Kill Your Network
http://redmondmag.com/features/article.asp?EditorialsID=413
Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036
Windows 2000 Service Pack 4 Support Tools
http://www.microsoft.com/Downloads/details.aspx?familyid=F08D28F3-B835-4847-B810-BB6539362473&displaylang=en
Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
ASKER
I installed the s/w, ran the programs as instructed.
I double checked that the DNS server (linux-based) has the correct records in both the domain & IPaddr file. I can do a nslookup of upsilonc (the FSMO/DC) I can ping the DNS server. I can ping the DC from the DNS server.
Here are the results:
~~~~~~~~~~~~~
~~dcdiag yields the following:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Main\UPSILONC
Starting test: Connectivity
3e072786-cd61-4bb8-88a1-1e
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(3e072786-cd61-4bb8-88a1-1
couldn't be resolved, the server name (upsilonc.baltixxxx.com)
resolved to the IP address (192.168.128.145) and was pingable. Check
that the IP address is registered correctly with the DNS server.
......................... UPSILONC failed test Connectivity
Doing primary tests
Testing server: Main\UPSILONC
Skipping all tests, because server UPSILONC is
not responding to directory service requests
Running enterprise tests on : baltixxxx.com
Starting test: Intersite
......................... baltixxxx.com passed test Intersite
Starting test: FsmoCheck
......................... baltixxxx.com passed test FsmoCheck
~~~~~~~~~~~~~~~~~~~~~~~~~
~~netdiag yeilds the following:
..........................
Computer Name: UPSILONC
DNS Host Name: upsilonc.baltixxxx.com
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 10 Stepping 0, AuthenticAMD
List of installed hotfixes :
KB820888
KB822343
KB822831
KB823182
KB823559
KB824105
KB825119
KB826232
KB828035
KB828741
KB828749
KB832353
KB832359
KB835732
KB837001
KB840987
KB841356
KB841533
KB841872
KB841873
KB842526
KB842773
KB871250
KB873333
KB873339
KB885250
KB885834
KB885835
KB885836
KB888113
KB890046
KB890859
KB891781
KB893066
KB893086
KB893756
KB893803v2
KB894320
KB896358
KB896422
KB896423
KB899587
KB899589
KB899591
KB900725
KB901017
KB901214
KB905414
KB905495-IE6SP1-20050805.1
KB905749
KB908519
KB908531
KB909520
KB911280
KB911564
KB913580
KB914388
KB917008
KB917537
KB918118
KB920213
KB920670
KB920683
KB920685
KB921398
KB922582
KB923191
KB923810
KB923980
KB924270
KB924667
KB925398_WMP64
KB925902
KB926247
KB926436
KB927891
KB928843
KB930178
KB931784
KB933729
KB935839
KB935840
KB937894
KB938464-IE6SP1-20080429.1
KB938827
KB942831
KB943055
KB943485
KB944338
KB945553
KB948590
KB948745
KB950749
KB950974
KB951066-OE6SP1-20080625.1
KB951698_DX9
KB951748
KB952954
KB953155
KB954211
KB954600_WM41
KB955069
KB956390-IE6SP1-20080820.1
KB956391
KB956802
KB957095
KB957097
KB957280
KB958215-IE6SP1-20081016.1
KB958644
KB958687
KB960714-IE6SP1-20081211.1
KB960715
KB967715
Q147222
Q816093
Update Rollup 1
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : upsilonc.baltixxxx.com
IP Address . . . . . . . . : 192.168.128.145
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.128.1
Primary WINS Server. . . . : 192.168.128.130
Secondary WINS Server. . . : 192.168.128.145
Dns Servers. . . . . . . . : 192.168.128.2
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Failed
No gateway reachable for this adapter.
NetBT name test. . . . . . : Passed
No remote names have been found.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{FE325991-58D6
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Failed
[FATAL] NO GATEWAYS ARE REACHABLE.
You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
[FATAL]: All DNS servers authoritative for 'upsilonc.baltixxxx.com' are currently down.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.128.2'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{FE325991-58D6
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{FE325991-58D6
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
The command completed successfully
I double checked that the DNS server (linux-based) has the correct records in both the domain & IPaddr file. I can do a nslookup of upsilonc (the FSMO/DC) I can ping the DNS server. I can ping the DC from the DNS server.
Here are the results:
~~~~~~~~~~~~~
~~dcdiag yields the following:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Main\UPSILONC
Starting test: Connectivity
3e072786-cd61-4bb8-88a1-1e
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(3e072786-cd61-4bb8-88a1-1
couldn't be resolved, the server name (upsilonc.baltixxxx.com)
resolved to the IP address (192.168.128.145) and was pingable. Check
that the IP address is registered correctly with the DNS server.
......................... UPSILONC failed test Connectivity
Doing primary tests
Testing server: Main\UPSILONC
Skipping all tests, because server UPSILONC is
not responding to directory service requests
Running enterprise tests on : baltixxxx.com
Starting test: Intersite
......................... baltixxxx.com passed test Intersite
Starting test: FsmoCheck
......................... baltixxxx.com passed test FsmoCheck
~~~~~~~~~~~~~~~~~~~~~~~~~
~~netdiag yeilds the following:
..........................
Computer Name: UPSILONC
DNS Host Name: upsilonc.baltixxxx.com
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 10 Stepping 0, AuthenticAMD
List of installed hotfixes :
KB820888
KB822343
KB822831
KB823182
KB823559
KB824105
KB825119
KB826232
KB828035
KB828741
KB828749
KB832353
KB832359
KB835732
KB837001
KB840987
KB841356
KB841533
KB841872
KB841873
KB842526
KB842773
KB871250
KB873333
KB873339
KB885250
KB885834
KB885835
KB885836
KB888113
KB890046
KB890859
KB891781
KB893066
KB893086
KB893756
KB893803v2
KB894320
KB896358
KB896422
KB896423
KB899587
KB899589
KB899591
KB900725
KB901017
KB901214
KB905414
KB905495-IE6SP1-20050805.1
KB905749
KB908519
KB908531
KB909520
KB911280
KB911564
KB913580
KB914388
KB917008
KB917537
KB918118
KB920213
KB920670
KB920683
KB920685
KB921398
KB922582
KB923191
KB923810
KB923980
KB924270
KB924667
KB925398_WMP64
KB925902
KB926247
KB926436
KB927891
KB928843
KB930178
KB931784
KB933729
KB935839
KB935840
KB937894
KB938464-IE6SP1-20080429.1
KB938827
KB942831
KB943055
KB943485
KB944338
KB945553
KB948590
KB948745
KB950749
KB950974
KB951066-OE6SP1-20080625.1
KB951698_DX9
KB951748
KB952954
KB953155
KB954211
KB954600_WM41
KB955069
KB956390-IE6SP1-20080820.1
KB956391
KB956802
KB957095
KB957097
KB957280
KB958215-IE6SP1-20081016.1
KB958644
KB958687
KB960714-IE6SP1-20081211.1
KB960715
KB967715
Q147222
Q816093
Update Rollup 1
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : upsilonc.baltixxxx.com
IP Address . . . . . . . . : 192.168.128.145
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.128.1
Primary WINS Server. . . . : 192.168.128.130
Secondary WINS Server. . . : 192.168.128.145
Dns Servers. . . . . . . . : 192.168.128.2
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Failed
No gateway reachable for this adapter.
NetBT name test. . . . . . : Passed
No remote names have been found.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{FE325991-58D6
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Failed
[FATAL] NO GATEWAYS ARE REACHABLE.
You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
[FATAL]: All DNS servers authoritative for 'upsilonc.baltixxxx.com' are currently down.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.128.2'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{FE325991-58D6
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{FE325991-58D6
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
The command completed successfully
The output above indicates serious DNS errors as well as problems reaching the default gateway.
For testing purposes, install DNS on this server exactly as outlined in the article linked below (except for the part about "Promote This Server to Domain Controller (Optional--Recommended)"),
Once DNS is installed, enter "ipconfig /registerdns" in a command window, and restart the netlogon service. Check if the SRV records have been created, and run dcdiag/netdiag again.
Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/kb/237675
How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/kb/241515
SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/kb/239897
For testing purposes, install DNS on this server exactly as outlined in the article linked below (except for the part about "Promote This Server to Domain Controller (Optional--Recommended)"),
Once DNS is installed, enter "ipconfig /registerdns" in a command window, and restart the netlogon service. Check if the SRV records have been created, and run dcdiag/netdiag again.
Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/kb/237675
How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/kb/241515
SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/kb/239897
ASKER
The short version is: where on the Windows Server do I supply the ad.domain.com?
The long version is:
I've carefully reviewed all 3 web pages you point out. The one on setting up the DNS for Active Directory is
appropriate for a stand-alone server, but unfortunately, mine is not only in a domain, but the only DC local to most users.
To remove it from the domain might cause even worse problems.
I have taken a close look at the netdiag report. Our gateway does not return pings.
It is a little Netgear box and I looked through the config parameters and didn't see any easy way to turn it on.
However, the settings reached by Local Area Connection Status => Local Area Connection Properties=>TCP/IP Properties is correct.
In fact, if they were not, I'd not be able to reach this website, which I'm doing from the server
(not best practices, I know) & BTW: there is only one network I/F on this machine.
~
But getting back to the DNS server, one of the articles explained about creating a zone record in the named.conf file,
which I did. Essentially, I created a subdomain. But I'm unclear how to configure my Windows server to utilize this.
Here are the details: My "Domain name" in terms of the internet domain, etc is lets say baltimore.com.
So I created in the named.conf file a zone for ad.baltimore.com
So I only see a couple of places where the domain name occurs. First, under Advanced TCP/IP settings, there
is "Append these DNS suffixes", which I've had baltimore.com in and there is a "DNS suffix for this connection"
field, which I also have baltimore.com
But where on the Windows Server do I supply the ad.baltimore.com? I just don't see where that goes.
I think if I got that right, then Active Directory would be able to register with the DNS server &
I would be well on my way. I am still getting the System events that "dynamic registration or deregistration of
one or more DNS records failed because no DNS server are available." But the DNS server is available because I'm
using it to retreive static records as well as to resolve external names. It is just that the DC doesn't know what
subdomain to use to register the dynamic records.
The long version is:
I've carefully reviewed all 3 web pages you point out. The one on setting up the DNS for Active Directory is
appropriate for a stand-alone server, but unfortunately, mine is not only in a domain, but the only DC local to most users.
To remove it from the domain might cause even worse problems.
I have taken a close look at the netdiag report. Our gateway does not return pings.
It is a little Netgear box and I looked through the config parameters and didn't see any easy way to turn it on.
However, the settings reached by Local Area Connection Status => Local Area Connection Properties=>TCP/IP Properties is correct.
In fact, if they were not, I'd not be able to reach this website, which I'm doing from the server
(not best practices, I know) & BTW: there is only one network I/F on this machine.
~
But getting back to the DNS server, one of the articles explained about creating a zone record in the named.conf file,
which I did. Essentially, I created a subdomain. But I'm unclear how to configure my Windows server to utilize this.
Here are the details: My "Domain name" in terms of the internet domain, etc is lets say baltimore.com.
So I created in the named.conf file a zone for ad.baltimore.com
So I only see a couple of places where the domain name occurs. First, under Advanced TCP/IP settings, there
is "Append these DNS suffixes", which I've had baltimore.com in and there is a "DNS suffix for this connection"
field, which I also have baltimore.com
But where on the Windows Server do I supply the ad.baltimore.com? I just don't see where that goes.
I think if I got that right, then Active Directory would be able to register with the DNS server &
I would be well on my way. I am still getting the System events that "dynamic registration or deregistration of
one or more DNS records failed because no DNS server are available." But the DNS server is available because I'm
using it to retreive static records as well as to resolve external names. It is just that the DC doesn't know what
subdomain to use to register the dynamic records.
If you have "baltimore.com" under "Append these DNS suffixes" (and I'm actually still waiting for the result of "set userdnsdomain") then this is, in all likelihood, your AD domain name, and dynamic updates *have* to be registered in that zone. You can't "supply the ad.baltimore.com" - this would involve renaming the AD domain, which is only possible after either upgrading to W2k3 (and renaming AD is not without risks), or downgrading to NT4 again and then upgrading back to W2k, using ad.baltimore.com as AD domain name.
ASKER
Sorry. I didn't realize you were waiting for info from me. All of the following was done on the W2k DC:
C:\> set userdnsdomain
USERDNSDOMAIN=baltimore.co
C:\>
BTW: I added to the named.conf file the following lines in the zone section for baltimore.com
allow-update {192.168.128.145; };
check-names warn;
I also added the two subnets into the A/D database. This greatly reduced the number of negative error messages. The only 2 warning events in I'm getting in system log are:
ID=5781 NETLOGON
Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
ID=11 w32time
The NTP server didn't respond.
I am also getting one warning message in the Application Log
ID=35 WinMgmt
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0
Other than these 3, no warning or failed type errors.
The 5781 error message is puzzling, since I am able to access the DNS data when I am logged on. For example, I'm accessing experts-exchange.com on the DC that is generating the 5781 error. Likewise, I can successfully do forward or reverse DNS lookups of local & external machines at the command line of the DC.
I feel that thanks to your help, I am one setting away from getting this right.
C:\> set userdnsdomain
USERDNSDOMAIN=baltimore.co
C:\>
BTW: I added to the named.conf file the following lines in the zone section for baltimore.com
allow-update {192.168.128.145; };
check-names warn;
I also added the two subnets into the A/D database. This greatly reduced the number of negative error messages. The only 2 warning events in I'm getting in system log are:
ID=5781 NETLOGON
Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
ID=11 w32time
The NTP server didn't respond.
I am also getting one warning message in the Application Log
ID=35 WinMgmt
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0
Other than these 3, no warning or failed type errors.
The 5781 error message is puzzling, since I am able to access the DNS data when I am logged on. For example, I'm accessing experts-exchange.com on the DC that is generating the 5781 error. Likewise, I can successfully do forward or reverse DNS lookups of local & external machines at the command line of the DC.
I feel that thanks to your help, I am one setting away from getting this right.
The 5781 might come from the DNS server running Bind, and not sending the expected "Success" message. If the SRV (see links above) entries are registering in DNS, you can probably ignore this error.
Troubleshooting Netlogon Event 5774, 5775, and 5781
http://support.microsoft.com/kb/259277
For the W32Time service, UDP port 123 outbound needs to be allowed.
Configure the service to use another time server instead of time.windows.com:
net time /setsntp:<a.b.c.d>
net stop w32time & net start w32time
A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680
The ID 35 isn't AD relevant.
Troubleshooting Netlogon Event 5774, 5775, and 5781
http://support.microsoft.com/kb/259277
For the W32Time service, UDP port 123 outbound needs to be allowed.
Configure the service to use another time server instead of time.windows.com:
net time /setsntp:<a.b.c.d>
net stop w32time & net start w32time
A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680
The ID 35 isn't AD relevant.
ASKER
I've done a dump using the dig command and the SRV records are NOT being registered in the DNS server.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
The SOA and the NS records were pointing to the previous domain controller, named PHI, rather than the new one named PHI2. I corrected those two things and Active Directory was able to create service records on the BIND 9, DNS server.
ASKER
The SOA & NS records were pointing to the now-retired DNS server, not the current DNS server. Thanks for your help in letting me know what the SRV records looked like. The format of the SRV records seems to be obscure; I suppose that MS wants everyone to use Windows-based DNS servers. But we got it working with BIND 9 and are very happy with it. Thanks again.
2) Yes.
3) That would be the two modes a W2k domain can be running in, "Mixed Mode" and "Native Mode". You can upgrade the AD to "native" as soon as you don't have NT4 *BDCs* anymore (you can still have NT4 *members*).
4) Event log, dcdiag.exe, netdiag.exe.
5) Basically, yes. The second part of the question is n/a