problem adding a domain controller to an existing domain on a different subnet

mizarTorino
Hi all,

we have a domain with three domain controllers (one with Windows Server 2003 and the others with Windows Server 2000), all in our office network 192.168.1.0/24. We also have a static VPN connection to another office of our company located in another city (with subnet 192.168.12.0/24), and there we have another Windows 2003 Server not included in any domain (WORKGROUP).

What we are trying to do is to promote this server to a domain controller in order to allow our colleagues in the other office to authenticate to the company domain. When we try to use dcpromo we get the following error:

An Active Directory domain controller for the domain MIZARSPA could not be contacted.
Ensure that the DNS domain name is typed correctly.
If the name is correct, then click Details for troubleshooting information.

Details are:

The domain name MIZARSPA might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain MIZARSPA:
The query was for the SRV record for _ldap._tcp.dc._msdcs.MIZARSPA
The following domain controllers were identified by the query:
mizarsrvcert.mizarspa
mizarsrv.mizarspa
mizarsrv07.mizarspa
mizarsrvcert.mizarspa
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
For information about correcting this problem, click Help.

Does anyone have an idea of what this error means and possible solutions?

The DNS settings seem correct, the server is using the domain controller as DNS server.

Thanks to anybody who will reply to this post.

bluntTonyHead of ICT
Top Expert 2009

Commented:
HI there,

Firstly, ensure that the server you are promoting is using an existing DC/DNS server as its primary DNS server. Also test connectivity by pinging the IP address of the DC/DNS server being used.

Now when you promote the new server, you need to provide the DNS domain name, not the NetBIOS name, e.g. domain.local, as opposed to simply DOMAIN.

Tony
bluntTonyHead of ICT
Top Expert 2009

Commented:
Or is your DNS domain name actually a single name?
bluntTonyHead of ICT
Top Expert 2009

Commented:
If it's a single label DNS domain name, then can you ping the DNS names and/or the IP addresses of the domain controllers in the main office?

If you can, then it sounds like your router/firewall is blocking certain ports required.

This TechNet article details the ports required to allow a DC to replicate with other DCs across a firewall (3 different approaches to this): http://technet.microsoft.com/en-us/library/bb727063.aspx

Tony
Author

Commented:
Hi,

I've checked that:
- the server is using an existing DC/DNS server as primary DNS, I've checked connectivity using ping and nslookup
- our domain is actually a single name (MIZARSPA, not mizarspa.local)
- I can ping addresses of DC from the server

Our network admin says that there are no blocks on the firewall between the server and the DCs. Monday we will check the issues described in the article you have posted.

Thanks for now.

Commented:
Single label DNS names are not a best practice. And as you have seen, it may/will cause problems.
For additional measures/info see:
http://support.microsoft.com/kb/300684
bluntTonyHead of ICT
Top Expert 2009

Commented:
I have to strongly agree with ZJORZ, single label DNS names are a bad idea.

That aside, if you run

nslookup _ldap._tcp.dc._msdcs.MIZARSPA

Are all the DC names returned valid domain controllers? Are they all still up and running? Are the Host (A) records for these DC names pointing to the correct IP addresses? And you can ping all of these domain controllers by IP address and DNS name?

If yes to all of the above, it would suggest a firewall issue of some sort. Any Windows firewall on the machine you are trying to promote? Try turning it off and trying again.

Tony

Author

Commented:
This is the result of nslookup:

C:\Documents and Settings\Administrator>nslookup _ldap._tcp.dc._msdcs.MIZARSPA
Server:  mizarsrv07.mizarspa
Address:  192.168.1.20

Name:    _ldap._tcp.dc._msdcs.MIZARSPA

The server MIZARSRV07 is our primary domain controller, it is up and running, and the DNS is ok. The only strange issue is that we have 3 DCs (the two others are both Win 2000 Server).
bluntTonyHead of ICT
Top Expert 2009

Commented:
Apologies, I was unclear in my last post. Run these 3 commands in order:

nslookup
set q=srv
_ldap._tcp.dc._msdcs.MIZARSPA

Now how many DC names are returned? Then follow the questions in my last post.

However from what you say it sounds like you may have leftover SRV records for old DCs still in DNS which could be causing you issues. Go through your _msdcs zone in the DNS console and remove any SRV records (ldap, kdc, gc, pdc) that refer to old non-existent DCs. The records here should only refer to the 3 current DCs. Leftover records can remain after unsuccessful demotions and records may have to be removed.

Alternately you could clear the msdcs zone and then restart the netlogon service on each of the 3 remaining DCs. This will rebuild this zone from scratch but I wouldn't recommend this just yet just in case you do have replication problems.

Tony

Author

Commented:
Here is the result:

C:\Documents and Settings\Administrator>nslookup
Default Server:  mizarsrv07.mizarspa
Address:  192.168.1.20

> set q=srv
> _ldap._tcp.dc._msdcs.MIZARSPA
Server:  mizarsrv07.mizarspa
Address:  192.168.1.20

_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 3
          weight         = 100
          port           = 389
          svr hostname   = mizarsrvcert.mizarspa
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 1
          weight         = 100
          port           = 389
          svr hostname   = mizarsrv.mizarspa
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mizarsrv07.mizarspa
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mizarsrvcert.mizarspa
mizarsrvcert.mizarspa   internet address = 192.168.1.14
mizarsrv.mizarspa       internet address = 192.168.1.13
mizarsrv.mizarspa       internet address = 192.168.98.13
mizarsrv07.mizarspa     internet address = 192.168.1.20
mizarsrv07.mizarspa     internet address = 192.168.98.20
mizarsrv07.mizarspa     internet address = 192.168.84.1
mizarsrv07.mizarspa     internet address = 192.168.216.1
mizarsrvcert.mizarspa   internet address = 192.168.1.14
>

As you can see there are two entries for the DC "mizarsrvcert". We have found and deleted the wrong entry in the DNS, but we still get the same error when running dcpromo. The DNS doesn't contain any other wrong entries.

Commented:
Maybe not in this case though, but I have had occasions where the list returned by NSLOOKUP as shown above was not complete!
bluntTonyHead of ICT
Top Expert 2009

Commented:
So have you confirmed that Windows Firewall on the new DC is not causing an issue?

What strikes me about DNS is that only two of the four SRV records would be returned by a query, as they have priority 0 (mizarsrv07 and mizarsrvcert). Also mizarsrvcert has 4 IP addresses registered in DNS. A DC should only have one Host (A) record referring to its DNS name. If you have a multihomed DC it is usually easier to disable all but one of the NICs from updating DNS with their IP addresses.

Otherwise, by default a client could get any one of the four IP addresses. Some of these may not be contactable from certain subnets, and the routes traffic takes to reach these IP addresses may have firewalls blocking certain ports.

Tony
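The checks Tony describes (duplicate SRV entries for one DC, DCs that clients skip because a lower priority value wins, and a multihomed DC registering several A records) can be run over the nslookup output itself. The script below is an added example, not part of the thread; it parses a constructed sample shaped like the output posted above (condensed to three SRV entries) and reports those three conditions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample shaped like the nslookup output in this thread (condensed).
SAMPLE = """\
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 3
          weight         = 100
          port           = 389
          svr hostname   = mizarsrvcert.mizarspa
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mizarsrv07.mizarspa
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mizarsrvcert.mizarspa
mizarsrvcert.mizarspa   internet address = 192.168.1.14
mizarsrv07.mizarspa     internet address = 192.168.1.20
mizarsrv07.mizarspa     internet address = 192.168.98.20
mizarsrvcert.mizarspa   internet address = 192.168.1.14
"""
SRV_RE = re.compile(r"priority\s*=\s*(\d+)\s+weight\s*=\s*\d+\s+port\s*=\s*\d+"
                    r"\s+svr hostname\s*=\s*(\S+)")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$", re.M)

def parse(text):
    # SRV entries as (priority, host); A records as host -> set of IPs
    srv = [(int(p), h) for p, h in SRV_RE.findall(text)]
    addrs = defaultdict(set)
    for host, ip in A_RE.findall(text):
        addrs[host].add(ip)
    return srv, addrs

def check_dc_locator(text):
    # Flags the thread's three issues: duplicate SRV entries, DCs never tried
    # because a lower priority value wins, and DCs with more than one A record
    srv, addrs = parse(text)
    best = min(p for p, _ in srv)
    findings = [f"duplicate SRV records for {h} ({n})"
                for h, n in Counter(h for _, h in srv).items() if n > 1]
    findings += [f"{h} has priority {p}; clients try priority {best} first"
                 for p, h in srv if p > best]
    findings += [f"{h} registers {len(ips)} addresses: {sorted(ips)}"
                 for h, ips in addrs.items() if len(ips) > 1]
    return sorted(findings)
```

On a live server, paste the output of `nslookup` with `set q=srv` in place of the sample; an empty result means the locator records are clean for these three checks.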

Author

Commented:
Hi Tony,

After cleaning the DNS entries, this is the result of the DNS query:

> _ldap._tcp.dc._msdcs.MIZARSPA
Server:  mizarsrv07.mizarspa
Address:  192.168.1.20

_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 3
          weight         = 100
          port           = 389
          svr hostname   = mizarsrvcert.mizarspa
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mizarsrv07.mizarspa
_ldap._tcp.dc._msdcs.MIZARSPA   SRV service location:
          priority       = 1
          weight         = 100
          port           = 389
          svr hostname   = mizarsrv.mizarspa
mizarsrvcert.mizarspa   internet address = 192.168.1.14
mizarsrv07.mizarspa     internet address = 192.168.1.20
mizarsrv.mizarspa       internet address = 192.168.1.13

We don't have any local firewall software on servers and the firewall that holds the static VPN between our offices has no blocking rules defined on it (between DCs and the new server).

Could it be a problem of packet fragmentation?
Might it be useful to manually clear the SRV entries for the non-primary DCs (mizarsrv and mizarsrvcert)?

Thanks for now.
Giampiero

We have found the problem and solved it!

The key was in the first row of the error details:
"The domain name MIZARSPA might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS."

We have set up a WINS service on an existing DC (mizarsrv) and registered the domain name MIZARSPA associated with the primary DC (mizarsrv07). After configuring WINS on the network interface, dcpromo recognized the DOMAIN and installed Active Directory on the new server.

At the end, it was something related to the domain name resolution.

Thank you Tony and everybody who has posted in this thread.


bluntTonyHead of ICT
Top Expert 2009

Commented:
Hi there,

Glad you got it sorted but I can't help thinking that adding the WINS service to allow NetBIOS name resolution has simply masked the problem rather than fixed it. I'm assuming your domain NetBIOS name is 'MIZARSPA'? You've simply provided NetBIOS as a means to locate the DC instead of DNS, rather than fixing the problem with DNS.

NetBIOS/WINS is not an essential element of AD and is not strictly required for a fully functioning domain providing DNS is set up correctly. One immediately obvious issue is the single label domain name which you may want to look at in future.

Anyhow, glad you got the immediate problem of promoting the server resolved. If you experience problems down the line you know where you may want to start looking.

Regards,

Tony
