Link to home
Start Free TrialLog in
Avatar of Michael L
Michael LFlag for United States of America

asked on

Domain Cannot Be Found

So, I introduced my new Server 2008 machine into my Server 2003 domain. Then, without using dcpromo at all, I made my new, 2008 server, an alternate DC and allowed everything to replicate. I then gave the new server Operations Master for all three tabs, just to see if users would use the user.bat script in the new servers SYSVOL. Anyway, without changing any of my users' profile paths. They didn't use that batch file. I then gave Ops Master back to the 2003 server. All this without disturbing network connectivity. When I power down the new server, people all of a sudden lose connectivity to the old server. I'm baffled by all this and I MUST get this network up and running TODAY! Please help!

Tremendous thanks in advance,
Avatar of Darius Ghassem
Darius Ghassem
Flag of United States of America image

How did you make the server a alternate without dcrpomoing?
Check to make sure the clients aren't poiting to the new server for DNS. When the server is shutdown on the old server run netdiag and post results.
Some users may have been authenticating against the new server. I've found if the server doing the authentication goes down, this may happen. If the users log off and back on, they should be okay.
Avatar of Michael L


I guess, perhaps, I assumed it was an alternate since it was recognized as another DC. Should I run dcpromo before I follow your second comment?
@TBone2K, I tried logging them off then on (even rebooted) and still... the domain could not be found/connected to.
Go into DHCP scope options and remove the new server's IP address.
Then, go to the troubled client and type IPconfig /release and IPconfig /renew.
That should have said:

I am going to add to what dariusq recommended:

Go into DHCP scope options and remove the new server's IP address as a DNS server.

Then, go to the troubled client and type IPconfig /release and IPconfig /renew.
I agree with ChiefIT, but just to make sure everything is covered, do a repair on the network connection on the client. That is, right click on the network connection and chose "Repair". That does a release/renew, plus it flushes the dns cache.
Ok, so I ran the dcpromo wizard and it doesn't seem to see my other server. I don't want to finish the wizard and have all my AD stuff wiped. Everything else shows that it is a DC, though. I'm thoroughly confused.
Did you dcpromo the server to join the existing domain? Did you create a new domain or join a existing forest?
First,look for sysvol & netlogon share is accessible on network.
Secondly,DNs is configured of helath DC as preferred dns.
Thirdly,promote new server as an ADC using DCpromo.
Fourthly,look client is not getting IP of dhcp from new server,so you can expire the lease.
Fifth, Look is it if not problem with switch or router.
Also, run dcdiag & post the results.

Actually, I didn't dcpromo anything. I don't want to wipe the main (old) server's AD without promoting the new server, even though it has taken over DC/GC. I cannot use dcpromo because it doesn't give me the choice to promote the new server. I'll run dcdiag and netdiag then post.
You must dcpromo a system to make it a DC. I'm confused on what you mean "even though it has taken over DC/GC"?

You must update the schema before adding this server to the domain please read link below.
@dariusg - The problem with dcpromo is that my old server doesn't give me the option to promote my new server. My schema is updated already. I'll attach the dcdiag as a .txt since there's a lot:
What do you mean that you old server doesn't give you the option to promote the new server? You should be running dcpromo on the new server? I'm not understanding what you are doing. Can you please read the link provided and the steps to make sure you are following them correctly. Thanks!.
I did it on the new server and all it's showing me is that it wants to delete its AD. I'll read the link.
You must have created a new domain when you ran dcpromo on the new server you didn't join a existing.
I joined the existing. my new server is under the same domain.
This is where I'm confused:

"without using dcpromo" at all, I made my new, 2008 server, an alternate DC and allowed everything to replicate

When you look at AD Sites and Services do you see 2 DCs?
Yes, I do. And my new server is the GC while the old is just another DC.
Post a ipconfig /all from both DCs and a client. Run just dcdiag without any switches and post.
Man, I'm sorry for all this confusion. This thread looks ridiculous...
Without switches meaning a clean dcdiag command? For what it's worth, I ran echo %logonserver% and it shows everyone using the old server still, which confuses me further.
Yes just a dcdiag and ipconfig /all. Not a problem.
Sorry it took so long, but they are:
Server1 wouldn't run dcdiag, btw...
Those are kind of hard to read. Are you running just dcdiag without switches?

Remove the If you have Ipv6 enable uncheck it so it will be disabled. Make sure you disable all NICs that aren't being used in servers with more then one NIC. Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.

I've removed that (loopback?) a few times, but it keeps reappearing. Also, server1 has both NICs bridged to and server2 has one NIC disabled (using it for the NAS soon) while the other one is IPv4 at (server1's old ip).

When you say, "without switches," do you mean without "/a, /e, /x, etc." or physical switches?
do you have RRAS enabled?
No, I don't, ChiefIT.
Correct just run dcdiag.

Ok, that's what I've done both times. Will "ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix" disconnect the network at all? If so, I'll have to wait until COB to run those.
No the network will not disconnect.
Ok, here it is. I really have to get this thing finished soon! Please let me know the best course of action. Thanks!
Still having issues connecting to DNS it seems like. Do ipconfig /all post. Take a screenshot of DNS post.
Dariusq, I think the router is supplying DHCP, and therefore DNS.
Ok, here's another ipconfig /all from both servers again.
Do these servers have static IP addresses?

Disable IPv6. Remove put the actual IP address of the server for DNS run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
They all have static IPs, yes. I have disabled IPv6 and keep removing, but it persists. I'll try it again.
Sometimes you need to clean up the arp cache.
@ChiefIT - How do I clean up the ARP cache?
@dariusq - Do I run those commands with both servers on? Do I run them on both or the new one?
Do it on both servers to make sure you have the most updated data for both servers.
Did you want me to bring back any results?
Also, at this point, if I just disconnect Server1, would Server2 take over?
No, you need to demote the server but we need to make sure if you demote that you would still have a functioning domain.

Please post results.
Here it is again:
When did you run these commands?
End of the day, yesterday.
Ok because the dates on the errors were for yesterday so I wanted to make sure this was run yesterday.
On server1 run a netdiag.
Here's that netdiag:

So, I ran into an article an EE expert submitted:
Would this be something I should pursue?
If you had a failed DC at one point without demoting it gracefully then yes you would need to run the metadata cleanup on AD to remove failed lingering objects from the failed DC.

So, Server1 passes all tests except for having a functioning default gateway which isn't a problem.
Avatar of ChiefIT
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
@Darius: So, what does that mean for my network then? Where do I go from here?
Let me give you my story then:
DC1 = Charlie (Server1 running 2003)
DC2 = Bob (Server2 running 2008)
Charlie was the only DC until Bob came along. Before Bob, Charlie had AD, DNS, and SQL (I think). Every client on Charlie's network is using static IP addresses and were all looking at Charlie for DNS. Bob needed to replace Charlie because he was better and faster, but their Administrator didn't do it the way it should have been done, using dcpromo. Bob was made "Operations Master" and GC, but the clients still don't see him as these.
Now they sit on the network together still, except Bob now shows as a DC and had AD, DNS, and DHCP. Bob and Charlie have swapped IP addresses, too, so everyone should be looking at Bob for DNS. Bob's IPv6 is disabled and DNS matches his own IP with no Alternate DNS.
I hope this helps...
Thank you for sticking with me,
A little more info. After updating the schema, I may have only transfered the RID, PID, and Infrastructure FSMO roles, according to this article:
Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Ok, real quick... about 15 PCs and 50+ clients and all are looking at server 2 as a NAS. Easy fix. I can just put those files back on the old NAS (since it's still running) and redirect/remap them to it.
I would have to agree Chief it is a mess. I would start from scratch removing the Windows 2008 DC then running a metadata cleanup and remove all DNS records for any DCs execpt for the Windows 2003.

Once you have done all this try promoting again.
Goodness... Ok, I will give this a shot tomorrow, while no one is working...
Let us know if you need anything
Yes. let us know.
With all of this going on, I wouldn't mind if one of you made me a short little checlist of what I need to do. for now, I'm going to perform a metadata on the 2003 server, once I figure out how to do it. Thanks :)
Real quick: The ntdsutil wouldn't work for me, but I went in and deleted Server2 as a DC from both servers and went into AD Services and deleted the NTDS settings as well. Server1 is DC, GC with AD and all FSMO roles (I'm fairly certain). Now what?
DCPROMO wouldn't work either. Says it's NOT the last DC on the domain, which is causing me to believe that I did NOT create two domains with the same name.
What can't you dcpromo?
Ok, here's what I've done:
1. I cleaned up Server2, deleting it as DC and deleting its NTDS Settings on both servers (not sure if that matters). Rebooted.
2. Made sure I had the schema extended with forestprep, domainprep, and gdprep.
3. DCpromo worked and I made Server2 a DC in the domain with Global Catalog.
4. Then I transfered all FSMO roles via AD Schema; Domains and Trusts; and Users and Computers, following this:
What's next? DCpromo on Server1 to demote? I ran a DCdiag and will post shortly... It doesn't look good. It looks like a DNS problem at this point...
Here are the latest dcdiag results:
Ok, I've gone so far as to migrate Server1's DNS config data to Server2's DNS folder (system32\dns). I've swapped their IPs and tried giving Server2 (MESERVER2) the name that belonged to Server1 (MESERVER). Server1 accepted the name change, but Server2 would not. Error was that it could not find the domain or what the F ever.
I'm really getting sick of this. I've done everything I've been suggested to do and things seemed to have transfered smoothly. All roles have been given to Server2. Server2 is the GC. Server2 has DNS configured. Still, the clients look to Server1 when logging in. I take Server1 off the network and Server2 still doesn't seem to play DC. I'm getting fed up with this. What am I doing wrong?
If you are trying to change the name of server2 to server1 you can't as long as Server1 is a DC. As long as server is running as a DC most clients will go to it to logon. Do you have Server2 as a DNS server on the clients?

Server2 is a DC also and has DNS configured...
Are the clients pointing to Server2 for DNS?
You currently have metadata of your "removed domain controller" on the remaining DC.

To fix this, perform a metadata cleanup. This would include DNS and FRS. I see that it is looking for a replication partner in your DCdiag report. That partner no longer exists.

To perform a metadata cleanup, follow this article. It explains how to clean up AD, DNS and FRS metadata.

Once that is complete we should evaluate the current status of the remaining DC. Perform a IPconfig /all as well as a DCdiag /v. Provide that information.

I am thinking you may have the old DNS server remaining as a preferred DNS server on that remaining DC. If so, I could see problems. I also want to make sure we are not looking at problems with IPv6 as well as problems with any metadata. After the metadata cleanup, removing that old DC out of the preferred DNS server list, and making sure IPv6 is good, you should have a clean foundation to build upon.
IPv6 is off. This is all beginning to confuse me. Which server am I cleaning up?
You deleted, or removed one DC from the domain. You want to clean the remaining DC. We will get to the DC you tried to demote, but ended up removing after we get a good, solid foundation under us.
Before I proceed, I was wondering if I should just create a new domain and start (nearly) from scratch and have the clients join my new domain. How would I import the old AD data?
No, let's fix this left over domain. Once AD is sorted out, you should have a strong domain. It appears like clients are authenticating with the domain server good. That is about 7/8's of a good domain controller.
Ok, so you want me to go onto Server1 and run metadata cleanup? What am I doing with Server2 during this? I've gave all FSMO roles back to Server1 last night.
You want to metadata cleanup any failed DCs you had. Demote Server2. Run metadata cleanup on Server1 to remove all objects for Server2. Go into DNS remove all entries in DNS.
Remove all Server2 DNS entries or ALL entries?
Sorry all Server2 after you do the metadata cleanup.
Do you want results?
Yes, provide DCdiag as well as IPconfig /all
Ok, I removed Server2 using dcpromo, but when I ran ntdsutil > metadata cleanup > remove selected server server2, it couldn't be found (I included this in the attached PDF. Could it be that the metadata was already removed?

Yes, so remove all DNS records for Server2.

On Server1 are you getting any errors in the Event logs?
Do I go into NTDS Settings and delete them off of both servers to remove all DNS records for Server2?
Just go into the DNS console and delete the DNS entries.
In both servers' consoles?
Disregard last comment. Ok, want results?
Server2 should have DNS service removed.

Server1 you want to just remove the records.

What should I do after? It's a pain because the distance between the servers and my desk is over 100 yards, plus I have a few security doors to go through.
Run a dcdiag then post results for server1.
Ok, I removed DNS from Server2, but there was nothing of Server2's DNS records on Server1. Ran dcdiag and everything passed this time. Now what?
Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Scanner is occupied, but here are the results:

-Server1 dcdiag:


-Server1 ipconfig /all
Ethernet adapter
IP Address..........
Subnet Mask.........
DNS Servers.........
Primary WINS Server.

-Server2 dcdiag
Trying to find home server...
***ERROR: geserver2 is not a Directory Server.

-Server2 ipconfig /all
Ethernet adapter
IP Address.......... (Preferred)
Subnet Mask.........
DNS Servers.........
Primary WINS Server.
Tunnel adapter Local Area Connection* 8
IPv6................ 2002:720e:e1e::720e:e1e
DNS Servers.........
(I'm not sure why there is a IPv6 address, when I've disabled it. Usual?)
I've also attached this info...

@dariusq only:


Was all FRS metadata removed with the AD demotion. It appears like things are splendid and we can ensure DC2 has AD removed and is ready to be promoted back into the domain.

Remember we have a mixed domain with a 2003 server and a 2008 server. So we have to prep the current PDCe for a mixed domain. Hopefully you are more experienced in preping a DC to become a mixed domain than I am. I always use two of the same. meaning 2003 standard. When I upgraded, I have two 2003 R2 and now two 2008 servers.

What I would do PRIOR to promoting the second DC in there is run DHCPloc.exe to make sure there is NO chance of a rogue DHCP server, Hence a rogue DNS server in the mix. I still have suspicions that we do have a rogue DHCP/DNS server in there.

IPv6 is enabled on server 2. I recommend you disable it.

IPv6 is a tunneling routing protocol. In other words, your router has to be compatible with IPv6. Your router will have to also be configured to use an IPv6 routing protocol. I don't believe this is the case for you. So, you are creating extra networking by having IPv6 enabled.

IPv6 will not allow routing of netbios broadcast data without a WINS connection, (which you have). IPv6 is primarily used for EGP routing, (Exterior Gateway Protocol) routing, to overcome the lack of IPs in public IPv4 IPs.

IPv6 is not recommended for a Private LAN. However, I see it appears you are on a public LAN. That's something you should discuss with your Networking engineers. Many services can be routed through a corporate router, like Email and network shares.

So, think about this question: DO YOU NEED TO BE ON A PUBLIC LAN?  

A bit about IPv6 and how it changed from IPv4:

I've disabled IPv6 on both NICs of Server2, but now I only have one NIC enabled (
 We're not going to use IPv6. This IS a private LAN. I'll verify I have IPv6 disabled, but where do we go from here? How does it seem we're on a public LAN? Excuse my noobiness...
Your using 114.... address. Most private lans use 10... or 192... or 174... IPaddresses for a private LAN. 114 address sheme is not a typical, but fully functional IP for a private IP space.

Once you disabled IPv6, reboot server 2 and then go to the command prompt and see if you see this information:

The below two lines shouldn't be in your IPconfig.

IP Address.......... (Preferred)
Subnet Mask.........
DNS Servers.........
Primary WINS Server.
Tunnel adapter Local Area Connection* 8 <<<<<<<<<IP V6 information about the tunnel:
IPv6................ 2002:720e:e1e::720e:e1e <<<<<<<<<IPv6 IP address
DNS Servers.........
Yea, 114 addresses were chosen by the previous Admin for no particular reason. I'll disable IPv6 (again) and reboot. Then I'll verify it doesn't show up on ipconfig /all. What would cause it to keep appearing anyway? Am I delusional? So, after this, what next?
At this point, download DHCPloc.exe. This is a DHCP locator.

I want to make sure you don't have a rogue node providing DHCP to your network, that will also provide DNS.

The problem with a rogue DHCP server is that rogue DHCP server will by default provide DNS as well. The problem with that is, your SRV records will not be saved on a rogue DNS server. These SRV records are used for replciation, Domain authentication, and pointing the way to your Domain controllers. I think this may have been one of your problems when joining the other server to the domain and promoting it.

I think you will find you have a solid domain, right now. So, we are about ready to bring DC2 back on line. Make sure there are no rogue DHCP servers, and also make sure DC2 has IPv6 removed. Then, let's make sure DC2 is ready to be brought into the domain.

So, complete:
1) the look for a rogue DHCP server
2) removal of IPv6

3) get back in touch with us and let's prepare you for bringing DC2 back on line.
So, run DHCPloc.exe on Server1?
If disabling doesn't work on IPv6, Uninstall IPv6. So, instead of unchecking it, highlight it and select the "uninstall" button.

IPv6 leads to DNS and Netbios issues throughout the domain. This is probably one of your original problems.
I can't download it. This network is very strict...
First thing I did was verify that I did disable IPv6 on both NICs, but it doesn't give me the option to uninstall it. I click on the checkbox so that I can check its configuration, but it says I need to install IPv6 first. Can we consider it gone? I thought so, until I ran ipconfig on it. It still shows IPv6 with an IP address. I don't know what's going on there.
So, then I ran dhcploc in cmd (Server1) in the format it prompted after I just typed "dhcploc". I used -p, -a, and -i with Server1's IP address (
Anyway, it came back with this IP:
That IP address belonged to the disabled NIC on Server2. Is this our rogue DHCP server? If so, how in the hell?
I also checked IPv4's NetBios and it is set to "Default" on both servers.
Let's install IPv6 and then try to uninstall it. I don't know why it is being persistant.
Yes, this is most likely your conflicting DHCP server. It appears that your two DHCP servers are conflicting with one another. Since they were both Microsoft servers, they had to be manually authorized. So, two DHCP servers may be by design. See below for details.

With DHCPloc.exe, you should see DHCP offers from both DHCP servers. If within the same scope and dishing out within the same address pool, they will conflict with one another. If you ONLY see one server offering DHCP, that is your ONLY DHCP server.

You can have two DHCP servers on the same scope. BUT, they can NOT be dishing out from the same address pool.

Check the scope and address pool of both.


As and example, this is what I like to do:

--For the scope, I use the entire set of IPs.

--with the address poo I use a 50/50 basisl:

FYI **Microsoft recommends a 75/25 matchup.

Here's my typical configuration of the address pool on two servers on a /24 subnet, (which you are on).  NOT configured and are used for fixed IPs  are for DHCP server 1's address pool are for DHCP server 2's address pool

So, your fixed IP's are coverd and you have 100 IPs on each server for a redundant DHCP server if one fails.
So, what do I need to do besides install and uninstall IPv6? When I removed DNS from Server2, I also removed DHCP. When I initially configured DHCP, I chose to determine the scopes later. I never got to it anyway, but now it's gone. Was my syntax wrong? In dhcploc I only entered Server1's IP which returned with that .31 IP.
If you ran DHCPloc and only one server returned an offer, that means ONLY that server is supplying DHCP. So, it appears like Server 2 was seen by Server 1's DHCP. So, Server1 shut itself down.

So, here is how you fix this.

You can have one server provide DHCP, or you can have a second server provide DHCP, but it can not provide the same IPs as the other server.

On server 1:
1)  install the DHCP role, (if not already installed)
2) configure the scope to be your entire IP space 114.....
3) configure your address pool to be about a hundred IPs.
4) Make sure your fixed IP addresses have exceptions to any of those IPs within the address pool being assigned.

On Server 2:
1) DHCP is already installed.
2) configure your scope to be your entire IP space 114..
3) configure a DIFFERENT address pool of about 100 IPs
4) Make sure your fixed IP addresses have exceptions to any of those IPs within the address pool being assigned.

As an example:

I have two servers:
>> to is my scope on both servers

My address pool is divided between them and also has a group of IPs that are not configured for FIXED IPs, like my servers:
Here's my typical configuration of the address pool on two servers on a /24 subnet, (which you are on).

Now for my address pool:
NOTE configured: (used for fixed IPs)
DHCP server 1:

DHCP server 2:

Scope is the entire list of IPs for that network. Sometimes this can be on different subnets. That's called a superscope:

Address pool is a list of IPs that DHCP server has to provide to its clients.

Exemptions are tags that tell the DHCP server NOT to assign that IP address.

Reservations, reserve that IP for a specific client or server. This reservation will tag the specified IP for a DHCP lease, (NOT a fixed IP).

>>DHCP SCOPE OPTIONS- is where you configure IPs of your network that are passed down to your DHCP clients for WINS, DNS, Time Servers, and Gateway/routers. (NOTE, DNS means YOUR DNS servers not outside DNS servers)

So, after configuring your DHCP scope and address pools for each server, go into DHCP scope options and configure those to point to important nodes on YOUR network.
Should I still follow what darius suggested and remove Server2 from the domain and delete the computer from Server1's AD?
Yes if you ran metadata cleanup on this system you need to remove then re-add.
Also, is it necessary to have a WINS server? We don't do web browsing or email.
No, it isn't required.
Took Server2 of the domain and deleted it in AD. I tried installing IPv6, but it won't do it without the disc. Anyway, I joined it back to the domain as a normal user, but it used itself to logon. "Echo %logonserver%" showed Server2.
When I try to map to some network drives, it only shows Server2's shared drives. I went ahead and set up the DHCP on Server2 so that the address pools don't conflict/overlap having reconfigured Server1's properly. It was a bit messy. Do I need to include exceptions with Server2 even if my machines do not have static IPs withing its range (xxx.151 - xxx.250)? Then I turned it on, just to see if dhcploc would pick it up and it did. It showed (Server1) and (Server2) which should be correct.
DNS on Server2 is still pointing at Server1. It's just not using it to logon, I guess (not running it's scripts)...  Everything on Server1 is running great still. I don't believe I've screwed anything up there yet.
Deleted the WINS service, too.
Exclusions are not necessary, if they are not within the Address pool you are assigning IPs from. Just make sure you don't assign another fixed IP node with that particular IP address.
Now what? Dcpromo?
Damn, I wish we can edit out comments. Anyway, why is my Server2 not seeing anything on the network?
all sounds good:

To clarify, it sounds like Server 2 is a member server at this point, without the DNS or active directory role. Is that correct????
Yes, it looks that way. No, I have not configured DNS service for Server2 or AD.

Do you want to take over? I don't often work promote into mixed domains.  Your experience with mixed domains is probably much better than mine.

I think we are ready:

@ Autophobic:

Maybe a triple check with a good DCdiag /v on server 1,  prior to promoting Server 2.

Triple check is a good idea.
DCdiag /v resulted in all pass except frsevent. Last time I ran this, frsevent passed. Not this time. Is FRSdiag necessary?
Do a Metadata cleanup on the FRS ONLY. That would be in AD sites and services. Remove Server 2 from Active directory sites and services on DC1.
Ok, Server2 exists nowhere in Server1 AD except for as a member computer. I ran another dcdiag and still have that frsevent error. I didn't really expect it to go away anyway, since I deleted Server2 before I ran dcdiag.
Also, setting the scope sets the pool also, it seemed. I noticed it when "Address Pool" showed as encompassing the same range of IPs on both servers. I changed that, so now they're at xxx.1 to xxx.150 on Server1 and xxx.151 to xxx.250 on Server2 with exception to xxx.1 to xxx.50 on Server1. Ran dhcploc and the results reflect these changes.
How do I fix this frsevent failure? I see that there is frsdiag.exe provided by Microsoft, but I can't download it here.
Check your FRS event logs and provide the errors. It appears on DC1 like you have FRS or DNS metadata of Server 2. The metadata cleanup for FRS and DNS should clear that server from showing up as a replication partner.

The problem you are seeing with FRS is your PDCe is seeing Server 2 as a replication partner. So, this has to be some metadata.
Once again:

The metadata cleanup article should resolve this issue.

Here is another method, from microsoft:

Use ADSIEdit to delete the FRS member object. To do this, follow these steps:

   1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
   2. Expand the Domain NC container.
   3. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
   4. Expand CN=System.
   5. Expand CN=File Replication Service.
   6. Expand CN=Domain System Volume (SYSVOL share).
   7. Right-click the domain controller you are removing, and then click Delete.
Also, dcdiag looks in your logs to find the errors these logs could be old.
So, I ran metadata cleaner again, but there is no other DC remaining on the domain. HOWEVER, in DNS console, looking at Root Hint or wtv, I found that it was still pointing at Server2. I changed it back to point at Server1, then ran dcdiag again. No errors. not even frsevent. Yay! Can I proceed with dcpromo now?
Yes you can now.
Ok, so... first thing Monday, I will dcpromo Server2.

PREP this domain if you are going into a mixed domain environment.

Dariusq, can you help with properly prepping the domain.

I never uses mixed mode on the 22 sites I work on. So, I am not skilled at what ...prep command is used in what situation. I just know it needs to be prepped if the operating systems are different, or if you are using one with R2 and one is not, or if one is an SBS machine and you are trying to bring a second on line.

I think the preping has already been done.
Prepping has been done.

So, I ran dcpromo on Server2. Left the Global Catalog option checked and unchecked DNS. I'd rather configure that when I've successfully added Server to as a DC. I have the following warnings and errors:

Event ID 13508: The File Replication Service is having trouble enabling replication from server1 to server2 for d:\windows\sysvol\domain using the DNS name server1. FRS will keep retrying.
Event ID 2506: The value named %1 in the server's registry key %2 was not valid, and was ignored. If you want to change the value, change it to one that is the correct type and is within the acceptable range, or delete the value to use the default. This value might have been set up by an older program that did not use the correct boundaries.

Event ID 2886: The security of this directory server can be significantly enhanced by
configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or
Digest) LDAP binds that do not request signing (integrity verification) and
LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted)
connection. Even if no clients are using such binds, configuring the server
to reject them will improve the security of this server.

Event ID 12366: An unhandled exception was encountered while processing a VSS writer event callback method. The VSS writer infrastructure is in an unstable state. Restart the service or application that hosts the writer.

Also, just to preview the dcpromo process on Server1, I went through the wizard to see if it would see Server2, and I got the error saying no other active directory domain controllers for that domain could be contacted.

Post ipconfig /all again for both servers. Have you rebooted since  the promotion?
I have rebooted both and ran ipconfig /all. I also checked the Event Logs on Server1 and have the following warnings and errors:
5781: Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
1059: The DHCP service failed to see a directory server for authorization.
4: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server <computer name>$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (<domain name>), and the client realm. Please contact your system administrator.
22: The time provider NtpServer encountered an error while digitally signing the  NTP response for peer <IP>:<port>. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: <error>. (<error code>)
1411: The Directory Service failed to construct a mutual authentication Service
Principal Name (SPN) for server SERVERNAME.  The call is denied.
2092: This server is the owner of the following FSMO role but does not consider it valid. For the partition which contains the FSMO this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

7062: DNS Server encountered a packet addresses to itself -- IP address <ip address>. The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.

3000: The DNS server is logging numerous run-time events.  For information about these events, see previous DNS Server event log entries.  To prevent the DNS Server from clogging server logs, further logging of this event and other events with higher Event IDs will now be suppressed.
6702: DNS Server has updated its own host (A) records. In order to insure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.
13568: The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is   : "c:\winnt\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.


Can you go into the DNS console on Server1 and take a screenshot of your DNS zones then post.
I can't. It would be a security violation.
Ok let's do this then. Can you open the DNS console? What do you see? Do you have a and a zone? Or do you just have a zone? Is the msdcs folder below the grayed out? Do you have SRV records pointing to Server1? Do you have a A record for both servers? zone had SRV records for both servers in all except PDC where it only had Server1. zone had A records for all, but in the DNS folder there was a record only for Server2. I changed it to Server1... No, the msdcs folder was not grayed out, either.
Curious. This DNS name is not considered single-label, is it?
You just brought a new server on line. At this point, you need to get your SRV records from DC2 to DC1.

First and formost: make sure each of the DC's nics has itself as the primary DNS server, and the other DNS server as the secondary. MAKE sure both servers have fixed IPs, and are not getting IPs from the DHCP server.

Then, go to both DC's command prompt and type.

IPconfig /flushdns
IPconfig /registerdns
Net Stop Netlogon
Net Start Netlogon.

Now Force replicate between the two servers and then PDC1 should have DC2's SRV records on board. After that, run a DCdiag /v on both DCs and let's look at the progress.

To force replicate, go into AD sites and services and follow this procedure.

To force replicate, and save yourself time:
a) go to the Active Directory Sites and Services Snapin
b) navigate to Default First Site>>Servers
c)Pick the server you want to replicate TO and expand it
d)right click what is showing (NTDS site?) and select "replicate now"

You are running into Journal wrap, time service problems, and authentication problems because DC1, (that is your PDCe FSMO role holder), doesn't see the SRV records for DC2.

Don't worry. This is pretty easy.

If you get lost, you can see how to on this article:

So, you had no A record for Server1, right? If your msdcs folder isn't grayed out then you need to delete the delegated zone
Apologies about the "grayed out" thing. I followed your instructions, ChiefIT, and I got popups for both saying replication was successful. I looked in DNS Console again and yes, under, the msdcs folder is grayed out and so is the DNS folder.
Under msdcs\_pdc\_tcp folder, it still shows only Server1. Since the replication I've received the following errors:
1030: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
1058: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<domain name>,DC=com. The file must be present at the location <\\<domain name>\sysvol\<domain name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (<error description>.). Group Policy processing aborted.
7062: DNS Server encountered a packet addresses to itself -- IP address <ip address>. The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.
1000: The DNS server could not open the file %1. Check that the file exists in the %SystemRoot%\System32\Dns directory and that it contains valid data. The event data is the error code.
6: I don't remember which this was...
15: Don't remember either. If these are important I could go pull it real quick...
6702: DNS Server has updated its own host (A) records. In order to insure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code. (This might have been corrected, though.)
The scanner is being used, but here is some dcdiag results:
"Found 2 DCs. Testing 1 of them."
Passed connectivity.
Ignored ForestDnsZones, DomainDnsZones, Schema, Config
"Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc."
Passed Rep Site Latency Check, NCSecDesc, NetLogons, Advertising, KnowsOfRoleHolders, RidManager, MachineAccount, Services, ObjectsReplicated, frssysvol, frsevent, kccevent
Failed systemlog
Passed the rest.
"Value named GESERVER in the server's reg key OptionalNames was not valid, and was ignored."
Then it said Server1 could not be registered on Server2. Server2's ip address cannot be claimed by Server1.
Then a few KRB_AP_ERR_MODIFIED errors from Server2.
Failed Group Policy processing and print spooler.
Terminal server cannot register 'TERMSRV' Service Principal Name.
DNS Server service terminated unexpectedly.
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection.
Passed everything else except LocatorCheck.
As dariusq recommended, delete both MSDCS file folders on both DNS servers.

One folder will be its own forward lookup zone, the second will be under your domain's forward lookup zone.

In fact, this is exactly how it looks like and what dariusq recommended to me to fix the same exact problem.
After that, go to the command prompt and restart the netlogon service again. They will recreate the MSDCS file folder ONLY under your forward lookup zone.
After restarting the netlogon service, then force replicate.


I think dariusq was, at one time, under the impression that 1030 and 1058 errors are not caused by DNS. I am about to show him that these domain controllers replicate the sysvol and netlogon shares then share these out using MUPcache.
Let me explain what's going on for you:

The domain controller's DNS servers carry SRV records. These records include the authentication server pointer, FRS partners and a number of other services. FRS is used to replicate a number of different things. This inculdes the Sysvol and Netlogon share. The sysvol file folder holds  your Group Policies.

The greyed out folder is a delegation record. It is created on your 1st domain server in the forest. Microsoft, designed it like that, to allow replication to forest servers or trusted top-level domain servers within the forest. It doesnt' need to be this way. For you, you can delete both of your MSDCS file folders. Upon restarting the netlogon service, they will recreate themselves as one record, (under your forward lookiup zone, and hold your SRV records.

The problem with these delegation records, as Chris Dent and Dariusq points out, is they don't update.

DNS is the cause of all your issue, including FRS, domain authentication, and Group policies. Since this one delegation record timed out, Nothing knows where domain services are. So, DNS is causing a Domino effect.

1) delete the MSDCS file folders on both DNS servers
2) restart the netlogon service on both servers
3) force replicate between the two servers
4) check your DCdiag reports again for any other discrepancies that we can help with.
I agree Chief DNS is causing the whole issue from that start that is why I asked for a screen like yours. I think I skipped asking this in the beginning but the root cause is DNS. If your SYSVOL and Netlogon don't share usually it is DNS after a promotion that is causing you a issue or you have some metadata that needs cleaning up but what I was trying to get to in the last couple of posts is that the deletegate msdcs folder was causing the problem.

You want to have a zone then deletegated zone for you is to much I don't like that MS automatically does this.
Man, thank you two so very much. I will follow these instruction in a few minutes. Do I do these on both Servers?
Yes, both DNS servers.

After deleting them, make sure BOTH DNS servers hold no MSDCS file folders. Then, restart netlogon. Then, force replicate. Then, DCdiag.

Ethernet adapter
IP Address..........
Subnet Mask.........
DNS Servers.........<<<<<<<PRIMARY
                   .........<<<<<< ALTERNATE

Ethernet adapter
IP Address..........
Subnet Mask.........
DNS Servers.........<<<<<<<<<<<<<<<PRIMARY

Prior to replicating and after deleting the MSDCS file folders in DNS, we need you to pay particular attention to the NIC configurations, especially DNS.

Both servers should set THEMSELVES as primary and the other server as alternate, as shown above.

Also, while restarting the netlogon service, also flush your DNS cache and re-register the HOST A.

So, your steps should be in this exact order:

1) Delete your MSDCS file folders on BOTH SERVERS.
2) Check and make sure your NIC configuration are like the above for primary and alternate DNS servers.
3) Go to the command prompt and type these four commands in order:
IPconfig /flushdns
IPconfig /registerdns
Net stop Netlogon
Net start Netlogon
4) Force replicate:
Yes, I have my NICs configured exactly like that. I'll be back with results in a little less than an hour.
4a) to force replicate:
a) go to the Active Directory Sites and Services Snapin
b) navigate to Default First Site>>Servers
c)Pick the server you want to replicate TO and expand it
d)right click what is showing (NTDS site?) and select "replicate now"
5) DCdiag and provide any errors.

DCdiag is going to show us any FRS errors. You may be in journal wrap. This means you have a partial data set of replicated data between the two DCs. To overcome journal wrap, you may need to use the burflag method. Or you can try some less invasive procedures first.

1) Try to force replicate again
2)Restart the FRS service on both DCs
3) Use the Burflag method to reset your FRS replication> This will require guidance.  

Journal wrap will be easily spotted by continuing event errors of 1030 and 1058 Group policies, as well as errors in the 13000's for FRS events.  Those errors can be seen on this article I wrote (How to diagnose and fix errors 1030 and 1058):

Ok, I did everything you instructed me to, except I clicked Replicate Now on Server1... before I proceed or post dcdiag, should I start over? I am getting ID 1030 and ID 1058 Errors constantly on Server1 and ID 1006 and ID 4 Errors on Server2. Only Server2 had those grayed-out delegate folders for some reason. They were on Server1 yesterday and I didn't delete them.
Server2's DNS events also had a 6702 Error followed by Infos 4 and 2. Server2's FRS events had 13508 and 13565 Errors, but Server1 had zero events. It made me wonder if Server1 had FRS or if logging was just off.
So, I did go into Server1's AD Sites snap in and click Replicate on Server1. I'm sure that made my efforts moot, requiring me to do this all again. When I try to access Server2's AD Sites, I get this error message: "Naming information cannot be located because: Access is denied."
Breif dcdiag /v, Server1:
Ignored those tests first few tests again (as I posted above).
Passed all until it skipped Intersite "Skipping Default-First-Site, this site is outside the scope provided by the command line arguments provided."
Passed the rest. No failures.
Brief dcdiag (no verbose because the Kerberos errors were so many that I couldn't c&p all results) Server2:
Failed test Advertising
Passed all until error in NCSecDesc "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=classified, DC=genet.
Failed NCSecDesc.
Failed NetLogons, too "Unable to connect to NETLOGON share! An net use or LsaPolicy operation failed with error 67, The network name cannot be found.
Passed all again until Kerberos client errors and Group Policy processing failures.
Failed test SystemLog.
Passed the rest.
I was looking at your articel, Chief, and noted:
"2003 Server R2 and newer should never use the BurFlag method because of the enhanced features of DFSR (Distributive File Share Replication) over FRS (File replication service)."
I have used Burflag with Succes with Windows 2008 server.  

Do you have the netlogon folder shared?
go to the command prompt on both DCs and type:

Dcdiag /test:netlogons
Ok, I looked at NETLOGON folder and it says it's a share folder, but it doesn't give me the usual option to share it.
Also, it seems my SYSVOL is inside a sysvol... Could this be a problem? I think I saw in Chief's article that it was.
Server1 dcdiag /test:netlogons:
Testing server: Default-First-Site\Server1 passed connectivity and NetLogons
Server2 dcdiag /test:netlogons:
Testing server: Default-First-Site\Server2 passed connectivity and failed NetLogons (Unable to connect to the NETLOGON share!)
On server 2, this is what we need to do:

Thought I have stated in my article that DFSR will unhose itself while in journal wrap, there are certain files that are not members of the Distibutive File Share replication. Sysvol, and Netlogon are examples.

Your connectivity appears good. This should mean DNS is fixed. However, it appears like you have a partial data set in the Netlogon share. This will probably lead to LSA errors. I always wondered where DFSR picks up and FRS leaves off.

Let's first confirm that we have ALL DNS errors fixed. Use DCdiag /v to look for any DNS errors.

If no DNS errors, lets use the burflag NON-Authoritative restore to reset File replication.

Both, the non-authoritative and authoritative restores are provided on this article. Please choose NON-AUTHORITATIVE if this is NOT your FSMO role holder:
Use burflag on Server 1 or 2?
This will be done on server 2. That's the one with a partial data set in the Netlogon share.
So, the errors/failures in the dcdiag results I posted were not DNS related?
Continue with the Burflag, Non-authoritative restore on DC2.

Post DCdiag /v failures afterwards on both servers.

Server1 dcdiag /v:
Passed all.

Server2 dcdiag /v:
Failed Advertising "Unable to reach Server2. SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE."
Then a few more identical messages about how FRS is having trouble enabling replication from Server1 to Server2 for "c:\windows\sysvol\domain."
Is it because of its SYSVOL\sysvol?
Then Passed FrsEvent, DFSREvent, SysvolCheck, and everything else until
Failed NCSecDesc and NetLogons.
Passed all after that.
This article was written before 2008, but should have the same principle. We need to verify that your Server 2 is advertising itself as a global catalog server>
So, you are the experts and can tell me if Server2 is advertising as a GC, right?
I read the article and the two other articles it referenced. I'm gonna follow this particular set of instructions and look for these Event IDs:

Event ID 1559, 1578, 1801
After you promote the domain controller to a global catalog server, domain partitions in the forest will be replicated to the new global catalog server. When all partitions have successfully replicated to the new global catalog server, event ID 1119 will be logged in the Directory Services log on the domain controller. The event description states that the computer is now advertising itself as a global catalog server.

To confirm that the domain controller is a global catalog server, follow these steps:
1.     Click Start, click Run, type cmd, and then click OK.
2.     Type nltest /dsgetdc: Domain_name /server: Server_Name, and then press ENTER.
3.     Verify that the server is advertising the "GC" (global catalog) flag. For example, when you type the command in step 2, you will receive a message that is similar to the following if the GC flag is present:
DC: \\ Server_Name
Address: \\ IP Address
Dom Guid: 47bc7d87-309e-4a2a-bac3-c9866a66bab8
Dom Name: Domain_name
Forest Name: Domain_name .com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE The command completed successfully
Sound good?
Are you getting these errors on the Windows 2003 server?
Ok, Server2 (2008) does not have events 1559, 1578, or 1801. I ran the nltest above and the results were for Server1 (2003). GC flag showed all Server1's info (IP, Guid, Name, etc.).
Something interesting; I looked at Server2 in AD Users and Computers > Domain Controllers > then NTDS Settings Properties and it was showing Replicate from: Server1 / Replicate to: Server1. Could that be the result of when I clicked "Replicate now" on Server1 first?
Anyway, Server1 still has all roles and both servers were checked as GC.
Darius, out of those events in the article you posted, I've only received error 1006.
Are you getting it on the Windows 2003 server though?
Not on Server1.
Ok because server1 is the only Windows 2003 DC, right?

So, now in your DNS you only have zone on both servers right? You have msdcs folder not grayed out.
Yes, my other server is a Windows 2008 DC. The last time I looked, both DNS consoles showed zones with no msdcs folders grayed out. I will verify right now.
Here is how each DNS Console looks like:
Server1 has Forward Lookup, Reverse Lookup, and Event Viewer.
Under Forward Lookup I have \ domain \ \ \ FE-12 (which is a project name)

Server2 has Forward Lookup, Reverse Lookup, Conditional Forwarders, and Global Logs
Under Forward Lookup I have \ domain \ \ \ FE-12 (which is a project name)
Nothing is grayed out, but it looks like there may be some orphan domains?
So, I just did some Googling to see what some typical, single-domain, DNS Consoles look like and... it looks as if my DNS is all cluttered!
You do have some DNS issues still you have the zone which should be deleted.

You should only have with the msdcs folder listed under the zone where you can click on the folder and view records.
I agree.

What do you think about scratching DNS on DC2 and redoing it. In other words, prevent if from being a global catalog, remove the DNS role. Reinstall the DNS role, restart the netlogon service and flushing DNS cache and registering the Host A, and finally reinstating the Global catalog?
I think we can leave the GC on it then remove the DNS role and add the DNS zone back.
@ Dariusq:

Yah, because I am seeing unusual errors in DNS. Whe already went down the path of deleting the MSDCS file folders, and they just came back.

I think its time to unhose DNS indefinately.

You game for taking him through the steps of unhosing DNS?
Also, look over.

Yes, we can walk through the steps.
Thanks guys. I was off today and will be Monday. Please stick with me on this.
Ok, I'm ready. What do I need to do?
What zones do you have in your system? You should only have

Please look over link that I posted.
I looked over the link and did the regedit. So, on both servers, make sure I'm only showing (deleting other zones)?
Correct deleting other zones that contain in them.
Ok, I deleted them all except and Did you want a dcdiag /v?
I have a lot of 1030 and 1058 errors on Server1 and 1058 and 1006 errors on Server2. Server 2 also has a lot of 4 warnings.
And when I open up AD, I get an error popup saying Failed to open Group Policy Objects due to lack of appropriate rights.
You want to delete the _msdcs.domain.zom.
Ok, once I delete the, what do I do next? Stop/start DNS on both?
If you only have the zone with the msdcs folder listed under this zone without any grayed out folders with record listed in this folder run dcdiag /fix.
Both servers?
Both servers.
After deletion,
Server1 dcdiag /fix
Failed connectivity test
Skipped all Default-First-Site\Server1 tests, because not responding to directory service requests
Passed everything else.
Server2 dcdiag /fix
Failed connectivity test
Skipped all Default-First-Site\Server2 tests, because not responding to directory service requests
Passed all until DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355 A Global Catalog Server could not be located - All GC's are down
Failed LocatorCheck test
Passed Intersite test
Please post screenshot of DNS this will help out a lot. Do you hae SRV records in the msdcs folder?
SRV records are in the msdcs\tcp folder
Hate to tell you I can't see anything. Can you do another?
Wow... Ok, there has to be another way. It's fine on my end, but this site is not hosting it well... Let me try cropping.
Try these, too, I guess...
So, all looks good. If you look in the GC do you have records?
I did. So, it looks good, but don't my dcdiag /fix results say otherwise?
Yes, they do this is where I'm getting hung up at. If you go to AD Sites and Services Server1 is a GC right?
Post the whole dcdiag /fix. Server1 is only pointing to itself for DNS right?
It's pointing at itself for primary and at Server2 for alternate as ChiefIT suggested.
Lets not do that yet. I would try giving it a reboot as well. Something is missing here.
Ok, change to point only at itself on both servers, reboot both, dcdiag /fix and post both?
Please reboot server1 first then server2.
Ok, I poked around a little more and found, in AD Sites, that the Default-First-Site showed no GPOL in its properties. Is that normal? Also, in the NTDS Settings (or when I right-clicked on AD Sites\Def-First-Site) the replication looks like Server2 is repping from Server2...
Both servers are GCs.
From Server2, I cannot open AD Sites.
Now, attached are the dcdiag /fix results.

What is on Server2's DNS does it look just like Server1?
Last time I checked, yes. I'll confirm in a few mins. Driving to work now.
Ok, they're identical.
I think we need to demote Server2 again.
Ok, dcpromo? Then what?
Once it is fully demoted remove DNS make this system a member server fully. Once you have this done run another dcdiag. Are you using the Windows 2008 dcdiag?
So, fully demote Server2... Remove from the domain first or just make it a member server? When I run dcdiag, I just go to each server and run it from its command prompt. I assumed I was using 2008 dcdiag.
That sounds correct I think we promoted Server2 to early since DNS wasn't fixed.
Dcdiag on Server1 and post after?
Dcdiag after the demotion.
Roger that. On both?
Just server1 since server2 won't be a DC anymore.
Step 1)
If you removed server 2 from ANY nic confiburation, put it back.

So, on the NIC configurations, they should look like this:

On server 1:
Preferred DNS serverlist:   Primary is DC1's IP address, Alternate is DC2's IP address

On server 2:
Preferred DNS server.list: Primary is DC2's IP address, Alternate is DC1's IP address

Go to both server's command prompt and type the following:

IPcofnig /flushdns
IPconfig /registerDNS

Net Stop Netlogon
Net Start Netlogon

That will re-register the SRV records and allow for AD authentication.

You deleted the MSDCS file folders, Those folders carry the SRV records, Upon scratching those folders you need to rebuild the SRV records.

Once you rebuild the records, try DCdiag /v to see if you have any errors on both servers.


If you have a pretty clean DNS, Force replicate between the servers.
I'm glad I haven't left yet! So, what am I doing? Demoting Server2 or going through Chief's steps?
I don't think it necessary to demote. DNS is coming about. All you need to do is make sure the SRV records are registered in DNS.

1) But, make sure BOTH servers are on the NIC configurations of BOTHS servers.

2) Then Run the DNS registration gauntlet of commands.

3) After that, check DNS with DCdiag.

If all looks good for DNS, FORCE replicate.
I think AD wasn't fully replicated because of the DNS issue. Since AD Sites and Services can be opened and GC errors we are getting in the dcdiags.
So, I'll try Chief's first? Then if it's still problematic, I'll demote. Sound good?
@ dariusq:

When you and Chris Dent helped me with the greyed out MSDCS delegation folder, I had to recreate the SRV records by restarting the netlogon services.

These records, of course, include a pointer to the authentication servers, (the AD server). They also point the way to FRS replication partners.

I believe your not seeing the GC servers, event themselves, because of DNS. I do agree.

On 11/13/09 07:50 AM you had me configure my NICs and run flush and register already, then force rep.
How does it look? What errors do you see in DCdiag /v?
Oh, oops. No, I mean... you asked me to do that another time and I posted the results. My bad...
It was on:
ID:25740383Author:ChiefITDate:11/04/09 07:38 AM
We have done a lot of things since then. I think you need to re-register your SRV records, at this point, and things will be good.

Ok. I'll follow your instructions then post.
When you run a dcdiag /fix you should update all SRV records.
dcdiag /fix after Chief's flush & register instructions?
I was just stating the dcdiag /fix should update your SRV records just likel restarting the netlogon service.
Ok, one final set of instructions, please. What shall I do right now? I'm getting confused :P

Dariusq and I had this discussion before..

I am no sure if DCdiag /fix or even DCdiag /fix:DNS registers the SRV records. I do know that restarting the netlogon does.

I am pretty sure dariusq is probably right, but I have always used the netlogon service restart for SRV records.

 It doesn't hurt to do both
Ok, here are the results...
Server2 results start with the many Kerberos and Group Policy errors.

Am I SoL then?
Everything looks good except those errors that state it can't authenticate to AD but the DC is advertising it is a DC.
So what do I need to do now? Remove Server2 as DC, make it a member server, and dcpromo again?
Remove Server2 and leave Server2 off line until we get clear on Server1 totally. Something weird is going on.
Ok, what should I ran and post on Server1 while Server2 is off?
Run the normal dcdiag and ipconfig.
Ok, demote and remove Server2, run dcdiag and ipconfig, post.
Server2 won't demote: "The operation failed because: Managing the network session with failed. 'Logon Failure: The target account name is incorrect."
I cannot acces Server1's shared drives either. I can't even access Server1 through \\server1\
I can ping Server1 though.
In ipconfig /all the results on both servers show no DHCP enabled. I checked both DHCP services and they're "Active" with accurate, non-conflicting address pools and exceptions.
It's also showing WINS service when I know I removed it.

DHCP disable means that you have a Static IP address.

You can ping Server1 by name or just IP address?
Are you sure IPv6 is disabled?

Post ipconfig /all in this windows not in another attach document.
I pinged by IP address and I'm as sure I have IPv6 disabled as I'm sure that it shows it's checkbox unchecked. It won't give me the option to uninstall it, either. Yes, the static IPs for the servers and clients are static, even if I have a DHCP enabled for them with a pool exclusion encompassing those clients' IPs. I'll be back with an ipconfig /all on Server2.
You shouldn't have DHCP enabled though.
This is the best I could do as far as showing results clearly.
Looks good how about your netdiag?
If I remember right, IPv6 was disabled but we had a few lines that remained.

I am thinking the IP stack may be corrupt. I think we might fix it by researching and removing the corrupt reg keys from IPv6.

First off, let's try the command prompt uninstall process:

netsh interface ipv6 uninstall

At any time, you will want to see if you are successful. To do so, let's go to the command prompt and type IPconfig /all.

If you see anything that pertains to ""Teredo Tunneling"" or see a base 16 IP address, we were unsuccessful in removing or uninstalling IPv6.

Now, IP V6 can also cause problems with the computers routing table as well as DNS!!!

These things should also be looked at prior to promoting the second DC.

I would have to agree with Chief.
Ok, I'll look into all of this and run through the IPv6 cleanup. Post netdiag after?
Dcdiag for Server1.
Ok, I'm in deep **** here now. I was off during the day because I had to come in tonight (now) for some tests we're going to do (not network related). Apparently, my users could not log on because Server1's event logs were full. I just ran audits yesterday. They filled up in one day. Before that it could be left for a month and not be filled up. It's locked up back there now, and I have things I have to do so I cannot check the server(s). This is getting to the point where I may have to create a new domain (domain2) with the new server, starting from scratch. Is there anything else I can do before that? I'm about to get burned here. The data on this network is crucial.
Kerberos and that stupid Symantec Endpoint Protection crap (which, for some reason, is not accepting my credentials anymore) is giving a lot of errors. I'm about to be in panic mode... All of these things I'm doing is seeming to make my network even more buggy. I have users who cannot access their profiles (permissions), some are still looking to sync with Server2, some are being prompted for the NAS username and password (where all the data is) within command prompt, Server2 cannot see Server1. This is insane...
Please give me something. At least advice on how I should go about creating a new domain.
Need I say that this is an emergency?
You  have SEP? Remove it this is most likely what has been causing the problems.
Where are you located??

Are you in Seattle?
I agree with SEP being a major problem.
Also, make sure that the clients are pointing to server2 for DNS. Run ipconfig /flushdns on the clients.
Avatar of sarithvs

Dear Autophobic:

I do understand your feelings I am not going to read all this again
I think now you have 2 DC and due to some reason it is not working properly
Still you have 2003 DC Online? , if yes
Transfer all the FSMO role to 2003 server first
Again conform with netdom /query  fsmo
For netdom you have install support tools from windows CD
And run the command from c:\program files\support tools\  folder

You should see the 5 roles owner should be the 2003 server

shutdown all other DC's

Once done

Check the  TCP /IP configuration
Disable(uninstall or remove ) all the teaming and unused interface including any VPN keep only one with IP address ( once configured we configure the teaming   )

Assume you 2003 DC Ip address is

IP Address. . . . . . . . . . . . :<< Your IP here
 Subnet Mask . . . . . . . . . . . :
 DNS Servers . . . . . . . . . . . : << this should be the IP address of the same 2003 DC  Server

Once done

1)      Reregister the IPS
Ipconfig /registerdns
Ipconfig /flushdns

2)      Restart DNS server
Net stop dns && net start dns

3)      Restart the netlogon service

In command prompt type nslookup

Default Server:
Address:  The out put should be like this

if you are getting
Default Server:  default server

check the Tcp/Ip address configuration and see the IP address is there

 Once finish  go to any  client IP assign a static IP and while configuring the DNS give   your 2003 DCs IP address eg:- dont give any other IPS like ISP's DNS
From the client take CMD and try to ping your domain name (only domain name  eg:- )  you should get the replay from if not go to the DNS in DC and delete the all entry other than your 2003 DC , ( In the A record , name server TAB  etc&.)

Once everything is    Under control we can continue the installation of 2nd  DC  

Once done Please let me know how I can help on this issue
Hi Sarathvs:

I think we have been duking it out with Symantec Endpoint Protection. It has prevented us from using DNS as we wished. For that reason, we have been demoting and promoting back into the system.

Once we disable SEP and follow the same steps we have been giving the author over a hundred times over, I think life will be dandy.

It very well might be SEP. I drove to work this morning thinking I need to get rid of it. Ever since I installed it, things have been going wrong. This has all been very frustrating. So, this is what I'm going to do:
1. Remove SEP and LiveUpdate.
2. Ensure I give all roles back to Server1 and (hopefully) restore its healthy state.
3. Follow Sarithvs's instructions (yes, these are exactly the same instructions Chief and darius have been giving me, but SEP must have been in the way).
3.1 Laugh in maniacally.
4. Report back with what?
*3.1 Laugh maniacally (oops).
Ok, I did everything sarithvs suggested:
Default Server:  unknown
Address:  (correct IP)
Nslookup server1:
Default Server:
Address:  (still correct)
From client I pinged, by name, Server1, Server2, and our NAS and all gave reply.
I tried to demote Server2 again, but:
"The operation failed because: Managing the network session with failed. 'Logon Failure: The target account name is incorrect."
All passed except:
WINS skipped, Trust relationship skipped, Gateway failed (no gateway configed anyway), WAN config skipped, IP Security skipped

All passed except:
Replication failed, frsevent failed, systemlog failed
Also posted errors:
Failed replication from Server2 to Server1 (expected?)
Dynamic registration of DNS record errors.

I have 3 questions
What is our plan?  Migration of active directory from 2003 to 2008 is it?
For that we need one working Active directory , in that server we need to do

1)      Adprep /forestprep  (you have to put the 2008 CD in the old windows 2003 and run the command ) I think you already finished this step this will do the the schema up gradation  

2)      Install a new windows 2008 new server ,join it to the domain as member server

3)      Do the DCPROMO and create a additional domain controller for existing domain  

This Is it , very simple

So we can start  troubleshooting  

Please dont install any AV software with network protection in the Active directory (while testing )
""From client I pinged, by name, Server1, Server2, and our NAS and all gave reply.""

What is this NAS ? is it a server or server name ? or domain controller ?

Which server is giving this answer ?
Default Server:  unknown
Address:  (correct IP)
Can you please check the 1st DNS preference of that server it should be the same server IP , if it is same that server is missing PTR record pointing to it
If you haven't removed Server2 yet since removing SEP then I would do a metadata cleanup for this server then remove all DNS records for this server and started the promotion again.
"From client I pinged, by name, Server1, Server2, and our NAS and all gave reply."
Ok, forget NAS. It's our network storage.
The plan is to migrate from Server1 (2003) to Server2 (2008).
Server1 is giving the "unknown" answer with IP when I run nslookup and "" answer with IP when I run nslookup server1.
I cannot demote Server2! When I run dcpromo on it, it asks me for a password and is not accepting the one I input.
I have removed Server2 and am ready to just reinstall the OS incase it's absolutely shot.
Metadata cleanup while Server2 is online?

Ok, SEP and LiveUpdate is off of all systems. I still cannot demote Server2, but I've deleted it from Server1's Active Directory, claiming that it is forever offline and cannot be removed using DCPROMO. I noticed that some clients were still trying to sync files to Server2. Odd.
Ok, what now?
After you have ran the metadata cleanup make sure you have delete all records for Server2 within DNS.

See if your network behaves correctly now without Server2. Make sure server1 and no clients point to server2 for DNS. Let's get the network back to the begining before promotion of server2. I want to make sure all works.
All records? SRV, CNAME, A, etc.? Anything that says Server2 or contains its IP address?
I've deleted any trace of Server2 from DNS.
From AD Sites, I deleted Server2's NTDS Settings, but cannot delete the container: "Do not delete Server2 cotainer object. Server2 contains objects representing domain controller Server2 and possibly other domain controllers. To delete these objects, demote the domain controllers using the AD Install Wizard (DCPROMO). If the DC represented by these objects are permanently offline and can no longer be demoted using DCPROMO, you must delete them one at a time."
I ran dcdiag again on Server1:
Failed frsevent only.
I think you need to delete the connecter under NTDS also dont forget to disable GC from that demoting  server

For that take the Properties for NTDS remove the tick mark and wait for 15 mint

Server1 is giving the "unknown" answer with IP when I run nslookup and "" answer with IP when I run nslookup server1.

I dont understand, you are getting the correct answer or not?

Please make sure the DNS is working fine while doing nslookup   you should get
 you need to test the same from  client PC. Also do a ping test you should get the replay from server1 IP address this will help up to delete the orphan enters from DNS

Please post the output of netdom
netdom /query fsmo
netdom /query dc

no need to  run dcdiag   every time it will not fix the issue
I'm saying when I run just "nslookup" I get the "unknown" answer, BUT when I run "nslookup server1" I get ""
I deleted the NTDS Settings under Server2 in the DNS console.

Ok first we need to fix it
Tell me the first preferred DNS is local server IP address ?
If yes can you check the reveres DNS is configured ?
If yes can you please check that PTR for the same server is created ?  
After that  you need to ping from  client PC do a ping  you should get the replay from server1 IP address this will help up to delete the orphan enters from DNS
Please post the output of netdom
netdom /query fsmo
netdom /query dc
Here we go run dcpromo /forceremoval on Server2.

Run metadata cleanup on Server1 to remove all lingering objects for Server2.
Before I answer, here is the latest:
I ran nslookup again from a couple clients and server:
"DNS request timed out. Can't find server name for address
Default server: Unknown
One client was looking at Server2 when I ran nslookup:

"DNS request timed out. Can't find server name for address
Default server: Unknown
I fixed that.
Netdom /query fsmo: Schema, Domain, PDC, RID, Infra (all belong to Server1)
Netdom /query gc: Server1 and Server2
I then ran metadata cleanup again with Server2 still on the network. Then I disconnected it and deleted it from AD Sites (it allowed me to delete the object this time).
Ran netdom /query dc again: Server1 (only)
So, in AD Sites, it showed Server1 and Server2 replicating from each other. I'm guessing this was causing Server2 records to be recreated in DNS. I went back through DNS and deleted Server2 records that were recreated in the GC, DomainDNSZones, and ForestDNSZones folders.
Now, from what I just posted, how should I proceed?
@darius - Server1 shows no other server during metadata cleanup anymore. As far as I know, Server1 has nothing of Server2 in DNS console, AD Sites, or AD Users (Domain Controllers). Run forceremoval still?
Also, in AD Sites, Server1 still shows Server2 in its NTDS Settings as a replication partner.
You need to forceremoval on Sever2 if you want to promote again.

If Server1 still show Server2 as a replication partner then you most likley have some objects that haven't been cleaned in AD.
Force removal on Server2 while connected?
Yes, since you have removed it from AD then you need to run forceremoval then run the metadata cleanup on Server1 and remove any lingering objects from Server2.
there is nothing in the server 2 I am not sure you can run forceremoval

Please reinstall the server 2 with windows 2008 and keep it ready , don't add it to the domain I will advice you when we are ready

I fixed that . mean now you are geting the correct server1  insted of Unknown is it ?

Ran netdom /query dc again: Server1 (only)

Very Good

yes now we can proceed to next setup

which is cleaning Up old server entrys

check active directory users and computer OU make sure there is only one DC
I am sure because netdom is give correct
next step go to ad site and delete the connector from both DCs

carefully !!!

delete NTDS from server 2
delete the server 2 object

Also please check this KB

How to remove data in Active Directory after an unsuccessful domain controller demotion

once done
do a system state ntbackup
Sorry, "I fixed that . mean now you are geting the correct server1  insted of Unknown is it ?" means I have that client pointing to Server1 for DNS now.
I've deleted Server2 from AD Users \ Domain Controllers
I've deleted Server2's NTDS Settings and Object from AD Sites
I'll do the rest of what you posted.
Once everything finish
test From client PC,  ping and make sure you are getting response from server 1
This is the time for  dcdiag
Before you start on anything with Server2 you want to make sure Server1 is functioning correctly.

Ok, so I ran metadata cleanup (again) - same results. Actually, I didn't follow through since Server2 no longer exists as a server during metadata. I also deleted all records of Server2 from DNS (they reappeared in ForestDNSZones). The kb also mentions deleting the CNAME in _msdcs.root domain of forest zone in DNS. So, I did delete the CNAME record under the _msdcs folder.

dcdiag: Default-First-Site\Server1
Starting test: Connectivity
Oops, it got cut off. Anyway, could not be resolved to an IP address. Although the GUID DNS name couldn't be resolved, the server name ( resolved to the IP address and was pingable.Check that the IP address is registered correctly with the DNS server. Failed
Passed all else.
net stop netlogon && net start netlogon
ipconfig /registerdns
ipconfig /flushdns
netdiag /fix
So, when you look in DNS you only have the zone rigth? You also have a msdcs folder that isn't grayed out under this zone?
Correct, darius.

Sarithvs, I will run those again in a few.
Ok, I have _kerberos and _ldap SRV records for Server1 in:

Active Directory creates its SRV records in the following folders:

I have _ldap._tcp.domain in:
Nslookup shows the same thing:
Server: Unknown
Netdiag /fix:
All Passed except Skipped Trust Relationships and IP Security
Now run a symantec metadata cleanup prior to promotion.

though you have gone into ADD/REMOVE programs symantec leaves metadata in registry and application data, enough to run SEP. You have to remove that.

SEP may still be causing you fits.

Run this tool on BOTH DCs.

Stupid GD network won't let me download it...
Download cleanwipe.
Chief, I've actually gone through and removed it from Program Files, Application Data, and the registry (manually from CURRENT_USER and LOCAL_COMPUTER).
So, should I still run cleanwipe? It downloaded just fine. Also, do I need (or should I) reinstall Server 2008 on Server2? Should I rename Server2 to something like Server2008?
Alright, so it appears you might be ready to promote?

How does DCdiag look on DC1?

Can you perform NSlookup from "soon to be" DC2 to DC1?

Are you seeing any intermittent time outs on the network?

Tell us a little bit about DC2's DNS status.

Is DC1 listed as the preferred DNS server on DC2's NIC conifguration.
On DC2 I removed DNS, DHCP, FRS, AD (dcpromo /forceremoval), etc. It's so far as disconnected from the domain and is ready to be reinstalled.
Want to to pull another dcdiag off of DC1?
Nslookup from DC2 (it's actually just Server2 [no longer a DC]) still?
I'll make sure Server2 looks to DC1 for DNS once I get these answered :)
If you don't have anything critical and a reinstall would be easy for you I recommend doing one on Server2.
Ok, it's underway. I'm also going to run CleanWipe and SCSCleanWipe since Server1 has had both SEP 11 and SAVCE 10.x
Server2 ( is now SERVER2008 (
I ensured SERVER2008 had IPv6 disabled on both NICS (even while disabled one NIC entirely) before I even joined it to the domain and clicked the box telling it to register it in DNS.
I reserved SERVER2008's IP in Server1's DHCP then joined the domain with the name SERVER2008.
Once I joined the domain, I see its record created in DNS for IPv4 AND IPv6. It's that persistent? Anyway, I don't know how to get rid of it...
Also, SERVER2008 did not run any login scripts. This is where I'm at now.
1)      If you ever install Symantec in your machine cleanwipe is a good idea

Is it having static IP ?  Nslookup is giving correct ? I think you already answered yes
Now we are going to promote 2nd DC


1)      It is strongly recommended that  you should  format reinstsall this server before starting
2)      Disable IPV6
3)      You should Configure static ( it is not at all recommended   to keep AD server as a DHCP client )
IP address  <<== New IP address (must exclude from DHCP )
GW<<= (if needed )
DNS<<= (should be the server 1 IP address  )
4)      Add server 2008 as a member server in the old domain
5)      Logon as domain\administrator
6)      Install DNS servers  
Administrative tools >> Server Manager.>> click Roles.>>results pane click Add Roles>> Before You Begin page click Next.>>select the DNS service & Active Directory Domain Services
7)      Install active directory using DC promo
8)      Existing forest >>add domain controller to an existing domain
9)      Once finish restart the server  
Server has been reinstalled and is now named SERVER2008.

IPv6 has been disabled.

Static IP is new configured and has a reserved IP in Server1's DHCP Address pool. Should I remove it from reserved?

Added SERVER2008 as a member - this is where DNS registered it's IPv6 address.

Will install AD with DNS when promoting SERVER2008 (?) or install DNS before I install AD (?), but is the IPv6 going to be a problem? It's very persistent...

Post ipconfig /all for current setup.
IP Address...........................
Sub Mask.............................
DHCP................................... No
I did have multiple errors logged, though:
Application: 1015
DNS: 7062
System: 3019
Also, when I logged into Server1 today, my admin.bat didn't run.
Please read  sarithvs comments
DNS<<= (should be the server 1 IP address  )
4)      Add server 2008 as a member server in the old domain
5)      Logon as domain\administrator
6)      Install DNS servers  
Administrative tools >> Server Manager.>> click Roles.>>results pane click Add Roles>> Before You Begin page click Next.>>select the DNS service & Active Directory Domain Services

Take screenshot of DNS from Server1 then post.
Thanks, TJOSY, but I want to make sure Server1 DNS is 100% before I proceed. I'll be back with that screenshot, darius.
Sorry, the scanner is occupied, but here's exactly what it looks like:

- Forward Lookup Zones
---- _msdcs------ dc
-------- _sites
---------- Default-First-Site
------------ _tcp
-------- _tcp (under dc)
------ domains (under _msdcs)
-------- 125e186d-4546-xxxx-xxxx-xxxxxxxxxxxx
---------- _tcp
------ gc (under _msdcs)
-------- _sites
---------- Def-First-Site
------------ _tcp
-------- _tcp (under gc)
-----+ pdc (under _msdcs)
---+ _sites (under
---+ _tcp
---+ _udp
---+ DomainDnsZones
+ Reverse Lookup Zones
-Event Viewer
-- DNS Events

And with _msdcs highlighted, it shows 5 records:

dc (folder)
domains (folder)
gc (folder)
pdc (folder)
fd72f436-xxxx-xxxx-xxxx-xx... Alias (CNAME)
It was supposed to look like this:

- Forward Lookup Zones
---- _msdcs
------ dc
-------- _sites
---------- Default-First-Site
------------ _tcp
-------- _tcp (under dc)
------ domains (under _msdcs)
-------- 125e186d-4546-xxxx-xxxx-xxxxxxxxxxxx
---------- _tcp
------ gc (under _msdcs)
-------- _sites
---------- Def-First-Site
------------ _tcp
-------- _tcp (under gc)
-----+ pdc (under _msdcs)
---+ _sites (under
---+ _tcp
---+ _udp
---+ DomainDnsZones
+ Reverse Lookup Zones
-Event Viewer
-- DNS Events

And with _msdcs highlighted, it shows 5 records:

dc (folder)
domains (folder)
gc (folder)
pdc (folder)
fd72f436-xxxx-xxxx-xxxx-xx... Alias (CNAME)

Some clients are still not running the login scripts. On these clients, I run nslookup:
Server: Unknown
I ping Server1 from the client using Server1 IP and name "Server1" and get replies just fine, though.
I just looked at the DNS for my other network and it has a .(root) folder under Forward Lookup Zones, right above the folder. In it includes a record for SOA (Start of Authority). Should I be seeing this in my broken network?

Here's how it looks:
- Forward Lookup Zones
--- .(root)
----- com
------- domain (grayed out, but includes NS record for the server)
One last thing; is it certain I'm not required to have a Reverse Lookup Zone?
You don't need a reverse lookup zone. You are showing an A record for Server1 in all zones?
There are A records in all zones:
Forward Lookup/ has two records:
(Same as parent folder).....
Weird because my other network has these same records in the Forward/ folder, except the record with "(Same as parent folder)" has the GUID instead of IP.
(Same as parent... )...........
Forest and TAPI3Dir show the same as Domain DnsZones
Disregard my last comment about this other network's server having two A records as well. It only has one. The other one was an NS record.
Server1's ForwardLookup/ folder does have two, though, so what I posted about that is accurate.
Actually, disregard anything I've mentioned about this other network. It's completely irrelevant and will/might end up confusing.
I just read this in an article:
"I have assumed that you plan to install a forward lookup zone, but what about the reverse lookup zone?  It only takes a minute to install the reverse lookup zone and without it utilities like DNSLint and NSLookup will not function." 
Are clients looking in SYSVOL or NETLOGON when logging on?
Please help. I know this has been going on for a very long time. There have been more than a handful of participants helping me in this and I truly appreciate it. I have learned  a lot through this ordeal, but I really need this resolved. I'll have to proceed if assistance has ceased.
Nslookup will not resolve the server name, but will show the IP.
Some clients are not accessing SYSVOL or NETLOGON (which ever the case is). Server1 has both, where I'm guessing it should only have one or the other.
IPv6 is persistent.
The clients that do run the logon scripts are being prompted to enter admin credentials before remapping drives (I'm thinking I can just place a copy of user.bat on the local machine).
SERVER2008 is a member server and I'm not sure what else to do to make Server1's DNS happy, but maybe it's ready for a new DC and a demotion. I'll install AD on SERVER2008 with DNS and configure that to point at Server1, then DCPROMO into the existing domain. I'll then go into DNS and make Server1 replicate to SERVER2008. I'll transfer all roles to it, copy user profiles over using robocopy (when I figure out how to), edit scripts to point to SERVER2008, and test it's functionality with ipconfig, dcdiag, netdiag, dnslint, etc. then run to some client PC and do more validation. I'm running out of options and fear people are giving up...

I just created a Reverse Lookup Zone with the network's IP and followed the configuration advice from the article I posted. Now...

Nslookup from Server1, SERVER2008, and clients:

Server: Server1


UDP Port 53:  YES
Authoritatively:  YES
**DNS may the root server, but no DNS records for the domain exists
SOA record data from server:
Authoritative: Unknown
Hostmaster: Unknown
Zone serial: Unknown
Zone expires: Unknown
Refresh: Unknown
Retry: Unknown
Default TTL: Unknown
*S*OA records are unavailable or there are missing DNS servers
The SOA record entries on Server1 did not match those in my other, working network. The only difference was that Hostmaster showed only Hostmaster and not Adding "" did not change the DNSLint results, though. Not even after flushing, reregistering, stopping, and starting DNS. So far, all I've fixed was nslookup results.