Solved

DNS after DCPROMO

Posted on 2009-05-18
28
1,525 Views
Last Modified: 2012-05-07
Hi. I have a domain controller, running Win Server 2003. The thing is that I did not install DNS along with DCPROMO. This is the 1st domain controller. After DCPROMO was done with its job I proceeded with installing DNS. Will it work? Any SRV records to add?
Question by:ryanswj
28 Comments
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24410852
Normally DCPROMO should have done it for you. It seems that there was a problem during the processing, so the DNS may or may not work. Try to boot some stations and watch them get IP addresses (check from the DNS if they are populated in there) and watch domain logon. If everything is OK then you won't need anything else; otherwise I'd suggest you use dcpromo to remove and re-add.
 
LVL 70

Expert Comment

by:KCTS
ID: 24410904
As you have just set up the domain then it may very well be much simpler to DCPROMO the machine to demote it (using DCPROMO /forceremoval if needs be), and then DCPROMO it again, electing to install DNS this time!
 
LVL 1

Assisted Solution

by:Modar_Hijazi
Modar_Hijazi earned 20 total points
ID: 24410983
You don't have to remove it and re-install it!
It should work perfectly by doing the following:

After installing it, configure your forward and reverse zones, then you can integrate by the following:

   1. In DNS Manager, expand the DNS Server object.
   2. Expand the Forward Lookup Zones folder.
   3. Right-click the zone you created, and then click Properties.
   4. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
   5. In the Change Zone Type dialog box, click DS Integrated Primary, and then click OK.
   6. The DNS server writes the zone database into Active Directory.
   7. Right-click the zone named ".", and then click Properties.
   8. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
   9. In the Change Zone Type dialog box, click DS Integrated Primary, and then click OK.


For more info:
http://support.microsoft.com/?scid=kb%3Ben-us%3B237675&x=11&y=10
 
LVL 2

Author Comment

by:ryanswj
ID: 24417871
I'm trying Modar_Hijazi's comment now.

I cannot afford to un DCPROMO then DCPROMO back again as there are so many accounts, and it'll do something bad to Exchange.
 
LVL 2

Author Comment

by:ryanswj
ID: 24417899
Yes! It works! Actually this morning I RDP-ed into the server and then saw that the zones _msdcs, _tcp and the rest were all created. I didn't have to touch anything. Anyway, I understand that Windows DNS server allows dynamic updates; how is this achieved?
 
LVL 2

Author Comment

by:ryanswj
ID: 24417909
Also, another problem.

When I join the domain using my FQDN, it tells me:

The following error occurred attempting to join the domain "domain.co.cc"
The format of the specified network name is invalid.
 
LVL 1

Expert Comment

by:nck534
ID: 24417994
What is your FQDN? Do you only have one domain? I take it this is happening when trying to join a workstation to the domain.
 
LVL 2

Author Comment

by:ryanswj
ID: 24418053
Yes. My FQDN is highly confidential.
I'm afraid I cannot release it here.
It has the same format as domain.co.cc.
I created A entries for domain.co.cc.

It is only 1 domain. No complicated forest relationships. DNS servers there too.
I'm waiting for my ISP's DNS to finish updating, because the new subdomains I create on the DNS servers cannot be pinged.
 
LVL 1

Expert Comment

by:nck534
ID: 24418781
If it is only one domain then you should just be using co.cc to join workstations to the domain and not the full FQDN, as domain would be your domain server's name. When joining, it also asks you for an account that has privilege to join workstations to the domain. User: co\user   pass: ******

Sometimes if the workstation name has already been joined to the domain before, you may need to remove that workstation entry from AD, join the workstation to a workgroup, reboot it and then rejoin it to the domain. Same thing if the node was joined to a previous domain: you will need to set it up to a workgroup, reboot and then try joining it to the domain.

Remember to use your Application & Security logs on the server and client PC to guide you through what is happening. If you do not have that configured, do so, then try rejoining again and check your App & Security logs on server and workstation. If that does not help, try using Network Monitor or Wireshark on the server & workstation to look at the packets being transferred between the machines. Between the App logs and packet sniffers you should be able to find out some really important clues as to what is going on.

Also, if this is a public server you may need to wait for your ISP to straighten themselves out before you can determine if it is an issue with your domain or if they are still configuring things on their end. Be sure to test your DNS; make sure that simple & recursive queries pass. If they do not then you still have DNS problems, and your event logs will tell you that. Also if you are running SBS 2003 it has to be the primary domain on your network and needs to house all of the FSMO roles or there will be some issues. I hope this helps.
 
LVL 2

Author Comment

by:ryanswj
ID: 24420000
haha, the whole domain name is domain.co.cc. I shall try again now.
 
LVL 2

Author Comment

by:ryanswj
ID: 24420082
I have noticed that the domain domain.co.cc cannot resolve to an IP address.
Is that part of the problem?

When joining the domain I can get as far as entering the user+pass, then nothing already.

I noticed that my DomainDnsZones, ForestDnsZones have multiple IP addresses! The LAN card we didn't configure has entries there!
 
LVL 2

Author Comment

by:ryanswj
ID: 24420103
Maybe nck534 can help me verify my DNS?

it is http://2e4.co.cc
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24421013
> I have noticed that the domain domain.co.cc cannot resolve to an IP address.
> Is that part of the problem?

It is not important. AD domains and DNS domains have nothing in common. If it were, how would we resolve a domain like company.local? Besides, on promoting to DC you become the authoritative DNS server for the domain, whether people can query it or not.


> When joining the domain I can get as far as entering the user+pass, then nothing already.

As I told you earlier, it might not be about DNS (it had happened to me in the past). It might be that dcpromo did not go well and finish. I'd suggest you demote the domain controller, delete all files for the AD and promote again.

> I noticed that my DomainDnsZones, ForestDnsZones have multiple IP addresses! The LAN card we didn't
> configure has entries there!

It is not a problem to have multiple IP addresses for your host name. This is common when you have more than one interface. Your real problem is that the dcpromo operation did not finish properly.
 
LVL 1

Expert Comment

by:nck534
ID: 24422034
Have you checked any of your routing tables?
Also, is your primary DNS server dns.2e4serv.co.cc?

Are you running RIP, OSPF, EIGRP?

Maybe this could be a routing issue. It does need to resolve to an IP address. Have you tried doing an nslookup on 2e4.co.cc from another node?

2e4.co.cc is resolving to 2 IPs:
APIPA 169.254.17.63 and a 121.6.x.x address. If you are not using the other NIC right now try disabling it, or team them.

Also KeremE may be right here, you really might have to DCPROMO /forceremoval and start over, but use that as a last resort. What do your event logs tell you about AD? Have you utilized Ntdsutil at all in this?
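A check that mirrors the two things the thread turns on, as an added example that is not part of any comment above: it audits a forward zone for the DC locator SRV records a client needs to join, and flags APIPA (169.254/16) or loopback addresses that dynamic registration from an unconfigured NIC has written in. The records, the host name winserv2k3.domain.co.cc and the address 121.6.0.10 are constructed sample data, not the asker's real zone.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone (not real data): the 169.254.17.63 entries mirror the
# APIPA address that the unconfigured second NIC registered in the thread.
SAMPLE_RECORDS = [
    ("domain.co.cc.", "A", "121.6.0.10"),
    ("domain.co.cc.", "A", "169.254.17.63"),
    ("winserv2k3.domain.co.cc.", "A", "121.6.0.10"),
    ("winserv2k3.domain.co.cc.", "A", "169.254.17.63"),
    ("_ldap._tcp.domain.co.cc.", "SRV", "0 100 389 winserv2k3.domain.co.cc."),
    ("_ldap._tcp.dc._msdcs.domain.co.cc.", "SRV", "0 100 389 winserv2k3.domain.co.cc."),
    ("_kerberos._tcp.domain.co.cc.", "SRV", "0 100 88 winserv2k3.domain.co.cc."),
    ("_gc._tcp.domain.co.cc.", "SRV", "0 100 3268 winserv2k3.domain.co.cc."),
]

# DC locator records a client resolves while joining; a missing one, or one whose
# target only has an unroutable address, breaks the join.
REQUIRED_SRV = (
    "_ldap._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.{d}", "_gc._tcp.{d}",
)


def is_unusable(addr):  # APIPA (169.254/16), loopback, 0.0.0.0: never a valid DC address
    ip = ipaddress.ip_address(addr)
    return ip.is_link_local or ip.is_loopback or ip.is_unspecified


def audit(records, domain):
    """Return a list of findings for the zone; an empty list means it looks healthy."""
    findings = []
    a_records, srv_targets = defaultdict(set), defaultdict(set)
    for name, rtype, data in records:
        if rtype == "A":
            a_records[name.lower()].add(data)
        elif rtype == "SRV":  # data is "priority weight port target"
            srv_targets[name.lower()].add(data.split()[3].lower())
    # Every locator SRV must exist and point at a host with a routable A record.
    for template in REQUIRED_SRV:
        name = template.format(d=domain)
        if name not in srv_targets:
            findings.append(f"missing SRV {name}")
        for target in sorted(srv_targets.get(name, ())):
            if not any(not is_unusable(ip) for ip in a_records.get(target, ())):
                findings.append(f"{name} -> {target} has no routable A record")
    # Dynamic registration from an unconfigured NIC shows up here.
    for name, ips in a_records.items():
        for ip in sorted(ips):
            if is_unusable(ip):
                findings.append(f"{name} registers unusable address {ip}")
    return findings
```

On a live server the same record list can be produced from the zone export (dnscmd /ZoneExport on Windows 2003) and fed to audit().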
 
LVL 2

Author Comment

by:ryanswj
ID: 24422734
121.6.x.x is correct. That is what I want. That is the server's address.

The error now is that the network name is invalid. I will disable the NIC and delete the 169 entries.
 
LVL 2

Author Comment

by:ryanswj
ID: 24422750
nck534, I think you hit the nail on the head. Trying still.
 
LVL 2

Author Comment

by:ryanswj
ID: 24422913
Nope nck534,

Win2k gives me "the remote computer is not available".

WinXP gives me "the format of the network name is invalid".

How? Desperate...
 
LVL 1

Expert Comment

by:nck534
ID: 24427068
Do you have any group policies set up yet? Also restart, going about this in steps, simple stuff first: can you ping the server from one of the nodes, can the server ping the node? If so, move on to using tracert from the server and the node just to see how everything is routing. If that checks out I would then start looking at my event logs to see if the server is having an issue authenticating the client. Maybe the client is reaching the server but cannot authenticate? Also be sure to create a reverse lookup zone on your DNS; this may help you out, and help with using nslookup to check DNS entries for a node when you get a node on the domain. On the DNS, do your recursive and simple queries pass? Have you gotten your root hints yet? Do you have your server set up for Active Directory Integrated zones?
Also go over your DNS entries with a fine-tooth comb; maybe there is something you're missing.
(Check all of these: SOA record, NS records, A records, CNAME records, PTR records, SRV records.)
Go through every folder in there and look closely at the records. Be sure to check the gc folder; there should be an (A) record in there with your server's IP address. If the correct address is not there, change it to the right IP. Also another little trick would be to add the workstation into AD instead of letting AD add it, then try to join the domain.
 
LVL 2

Author Comment

by:ryanswj
ID: 24429269
Yes, GC is fine, has the A records. Perhaps I haven't yet said that this server is on the Internet, not in my intranet? Server set up for AD zones. No group policies. Reverse lookup zone for the 255.255.x.x subnet. Don't see any issue. Client can ping server, server can ping client. In fact I'm connecting to the server via Remote Desktop. No firewall, Win Firewall is disabled. Workstation added in AD, tried adding workstation, still no go.

Tried 3 different DNS servers, all can locate winserv2k3.2e4.co.cc (the server with AD).
My MX, A records for different subdomains work. Maybe you can RDC my server? Don't want to sound too demanding (:

p.s. McAfee VS Enterprise found a W32/.Rahack virus? Could that be a reason?
 
LVL 2

Author Comment

by:ryanswj
ID: 24429275
Is there an unknown group policy that blocks remote access to the server from another different connection?
 
LVL 1

Expert Comment

by:nck534
ID: 24431481
As for the virus, I would say it is not the reason. Here is some info on it:
http://www.symantec.com/security_response/writeup.jsp?docid=2005-010614-1404-99&tabid=1

Do you see anything coming up in your event logs? Also go through your Default Domain Policy and your Default Domain Controllers Policy just to rule out if there could be any issues with those settings.
Run gpresult on your server from the command line just to make sure it is getting its own policies.
I will message you back later today as I have some projects at the office; I will probably be able to RDC to your server around 12pm EST. Till then, read up on the material below and see if any of it can help you
with your issue.

Some helpful sites & testing tools: I strongly suggest that you check these out.
http://technet.microsoft.com/en-us/library/cc783438(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc773199(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc736981(WS.10).aspx
http://www.windowsnetworking.com/articles_tutorials/Quickly-Test-DNS-Resolution.html
http://www.wireshark.org/
http://nmap.org/
http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en
http://www.angryziber.com/w/Home

Note: do not load Wireshark or nmap on your server; instead use Network Monitor on the server or portqry, and only use Wireshark & nmap on nodes. Also nmap may show up as a false positive for some virus scanners.
 
LVL 2

Author Comment

by:ryanswj
ID: 24432491
nck534, you should have put your email here! How am I going to give you the credentials?

I increased the point value for this question. I stay in a timezone with GMT/UTC +8, that's 13 hours difference? This time difference thing is making me go bonkers (:

It is currently 10:40PM, Wednesday 20 May in my country as I post this message. GMT +8 timezone.

Oh yes, I'm going to take a big risk. I set your password in this format: MON17121948-141202135166.
The front date portion is when you joined Experts Exchange (in the same format). The back section (after the hyphen) is my server's IP address.

User ID is your User ID for Experts Exchange. PLEASE PLEASE reset your password.

If you have any urgent queries, the last resort would be to SMS/text me at +6590997625. I stay in SG.

I really thank you for your help and patience, nck534. Is there any way I can send you a drink? :D
 
LVL 2

Author Comment

by:ryanswj
ID: 24432508
I'm taking the date as DD/MM/YY.
 
LVL 2

Author Comment

by:ryanswj
ID: 24432545
IP address format: if the IP is 154.21.22.23 put it as 154212223; if it's 147.233.1.67 put it as 147233167.
 
LVL 2

Author Comment

by:ryanswj
ID: 24432577
Leave a note in C:\ when you're done. Thanks.

NOTE: TO IMPROVE SECURITY I ENHANCED THE PASSWORD. Follow the top format of DAYDDMMYY-SERVIPADD-ADSERVFQDN

ADSERVFQDN is the server's FQDN. thanks! I'm being paranoid here :)
 
LVL 2

Author Comment

by:ryanswj
ID: 24432593
ALL CAPS :)
 
LVL 2

Author Comment

by:ryanswj
ID: 24432626
AHH! Sorry!

The format is DAYDDMMYYYY-IPADDRESS-SERVFQDN

0
 
LVL 1

Accepted Solution

by:
nck534 earned 165 total points
ID: 24433862
I cannot access your server. I can RDC to it and get to the logon, but there is something with the connection; it seems I cannot type anything into the login. My e-mail is nckkepner@craigtest.com; you can send credentials to me through e-mail, it is more secure that way. Make sure you remove the account you have created for me so that no one else tries logging in. I will wait for your e-mail for further instruction. lol, yes a drink would be nice. If I am not able to login through RDC you could set up TightVNC and we could do it that way. I will probably not be able to login again until 6:00pm EST USA time.

After everything is fixed I would strongly recommend hardening your server and securing your network. I can see a lot of nodes on your network that I shouldn't be able to see.
