2008 R2 joining 2000 domain DNS issues

Hi all,
need some help.
We have 2000 domain, native mode, 2 DCs, both are DNS (AD integrated forward lookup zones), only one default site, no subnets defined in AD Sites and services. Both DCs are in 192.168.1.0/24 network
We made another network, 10.103.0.0/16. A week ago we installed new 2008 SP2 (x32) server into that network and joined it to domain, no problem.
Yesterday we installed 2008 R2 (x64) server in 10.103.0.0 and tried to join it to domain too. It failed immediately with the following:

"An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "mydomain.com".

The error was: "The data is invalid."
(error code 0x0000000D ERROR_INVALID_DATA)

The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.com"

Running nslookup on the problem server shows:

> _ldap._tcp.dc._msdcs.mydomain.com
Server:  mail.mydomain.com
Address:  192.168.1.2

_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server-db.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = server-db.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = m¿^
_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = mail.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mail.mydomain.com
server-db.mydomain.com     internet address = 192.168.1.3
server-db.mydomain.com     internet address = 192.168.1.3
mail.mydomain.com  internet address = 192.168.1.2
mail.mydomain.com  internet address = 192.168.1.2
>

The server can join the domain if I enable WINS in network adapter settings (no WINS is running in the domain though) and specify mydomain instead of mydomain.com.
Windows XP also joins domain without problems.

There is definitely a problem with DNS resolution, but I just don't know where to look.

Also - there is a very strange SRV record in DNS that cannot be deleted (reappears immediately): svr hostname   = m¿^
sputnik_it Asked:
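Added example, not code from the thread: a small Python audit that parses nslookup SRV output like the listing above and flags targets that are not syntactically valid host names, or that came back with no address record, which is how a stuck entry such as the `m¿^` one shows up. The sample input is a constructed, abridged copy of the question's output, with the A record for mail.mydomain.com left out to show the second kind of finding.

```python
import re
# Constructed sample input: an abridged copy of the nslookup output in the question.
NSLOOKUP_OUTPUT = """\
_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server-db.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = m\u00bf^
_ldap._tcp.dc._msdcs.mydomain.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mail.mydomain.com
server-db.mydomain.com     internet address = 192.168.1.3
"""
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # RFC 1123 host label

def parse_nslookup_srv(text):
    """Split nslookup output into SRV records and the A records it printed."""
    srv, addrs, cur = [], {}, None
    for line in text.splitlines():
        if line.endswith("SRV service location:"):
            cur = {"name": line.split()[0]}
            srv.append(cur)
        elif line.startswith(" ") and "=" in line and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
        elif "internet address =" in line:
            host, _, ip = line.partition("internet address =")
            addrs.setdefault(host.strip().lower(), set()).add(ip.strip())
    return srv, addrs
def valid_hostname(name):
    """True only for a syntactically valid ASCII host name (RFC 1123 labels)."""
    return bool(name) and all(LABEL_RE.match(l) for l in name.rstrip(".").split("."))
def audit_srv(text):
    """Flag SRV targets that are malformed or that nslookup returned no address for."""
    srv, addrs = parse_nslookup_srv(text)
    findings = []
    for rec in srv:
        target = rec.get("svr hostname", "")
        if not valid_hostname(target):
            findings.append(("malformed-target", rec["name"], target))
        elif target.lower() not in addrs:
            findings.append(("no-address", rec["name"], target))
    return findings
```

Run `audit_srv` on a fresh `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` capture from each client; any `malformed-target` finding points at a record that the zone should not be serving.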
Netman66 Commented:
Ok, as I suspected the _msdcs zone is inside the Forward Lookup Zone for the domain.  This is the standard for Windows 2000 DNS but has changed beginning in 2003.

Here's what we need to do to remove this as a potential culprit.  We're going to make the Service record container a proper Application Partition zone.

Right-click Forward Lookup Zone and select New>Zone
Name it _msdcs.domain.com (same as the domain.com zone suffix)
Make it a Primary Zone.
Make it AD Integrated
Set replication to all DNS servers in the Forest.
You can also set the Dynamic Update type to Secure only.

You should now see a new zone at the same level as domain.com and a referral record where the old _msdcs zone used to be (different icon - do not remove).

Next, be certain that all your servers only point to your local DNS servers ONLY - and strictly by their given IP, not the loopback of 127.0.0.1.

Restart the Netlogon service on each DC to ensure it registers properly in DNS.  Give it 30 minutes or so to replicate and test to see if the problem is resolved.

I also noticed your mail server is a DC.....not a great idea, however you cannot change it now or you'll break Exchange.

Let me know.


Netman66 Commented:
Can you post a screenshot of your DNS zones (expanded)?  I think I may know what is happening, but until I get a visual I can't be certain.

sputnik_it (Author) Commented:
Netman66, thanks for the reply.
Sure, here it is.
I also discovered that on Windows 2000 (DNS server) the node type is set to broadcast. I assume this could lead to a misunderstanding between 2008 R2 (hybrid node) in the 10.103.0.0 network and DNS in the 192.168.1.0 network because there's a router in the middle?
DNS.JPG
sputnik_it (Author) Commented:
Another zone (ending with .ru) is secondary and is transferred from another domain, so just leave it aside.
sputnik_it (Author) Commented:
Some more research I just did; maybe this can be useful:
Restored Acronis image of one of 2000 DC & DNS servers to workstation
Connected both 2008 R2 and 2000 servers directly via hub in one separate network (192.168.1.0/24). Set IP of 2008 R2 to 192.168.1.100/24

Now 2008 R2 can join the domain if I supply mydomain. No luck if I supply mydomain.com, the same error.
Changing node type on 2000 server from B to H did nothing
Installing WINS on 2000 server did nothing

Also, I put a Windows XP workstation into the same hub (with IP 192.168.1.200/24).
It joins the domain with either option - mydomain.com or mydomain, no WINS enabled.
sputnik_it (Author) Commented:
"Ok, as I suspected the _msdcs zone is inside the Forward Lookup Zone for the domain.  This is the standard for Windows 2000 DNS but has changed beginning in 2003."

Wait a second. I have a 2003 domain at hand and there's no _msdcs zone at the domain.com level...
DNS-1.JPG
Netman66 Commented:
If this was ever upgraded from a 2000 domain, then that's why it's inside the domain.com zone rather than at the same level.

Regardless, it's there now and we want it at the same level.

sputnik_it (Author) Commented:
OK, I did what you said on the restored DC & DNS server and you are absolutely right. Setting the _msdcs zone at the same level as domain.com did the trick - 2008 R2 can now join domain.com!
Thank you very much for your efforts.
One more question - will it be safe to move this zone to the domain.com level in the working environment? I mean, will all clients (including old 2000 servers) see it at the new location?

And regarding this:
"I also noticed your mail server is a DC.....not a great idea, however you cannot change it now or you'll break Exchange."
Do you mean I cannot demote the DC on the mail server? Must I move Exchange to another server and demote the DC on the old one only after this move?
Netman66 Commented:
Yes, when you recreate it at the right level it will create a pointer in the old location so that it works regardless.

With respect to demoting a DC that is running Exchange - correct - you cannot do it without breaking Exchange.  If you add other Exchange servers to the site make sure they are running on a member server.  You can then transition the mailboxes, etc. from the Exchange instance running on your DC to the member server before removing Exchange from the DC and cleanly removing it from the org.

Simon is an Exchange MVP and here is an old post he was involved with:

http://forums.msexchange.org/m_1800493316/mpage_1/key_/tm.htm#1800494138

sputnik_it (Author) Commented:
Great, thank you very much, Netman66, you really made my day )
Netman66 Commented:
You're welcome!