Errors adding 2nd DC in Hyper-V environment - Examining DNS configuration takes forever during DCPROMO

Hyper-V host running on 2 servers
Server1: Guest OS Server 2008 R2 on 1st server is DC with GC
Server2: Guest OS Server 2008 R2 on 2nd server trying to install as 2nd DC with GC

DNS on server2 is set to point to Server1
Was able to successfully join Server2 to the domain SHS.LOCAL
Installed AD role and running DC promo

1st issue: When it gets to Examining DNS Configuration it takes a good 5 minutes, but eventually comes to the Options screen where I choose DNS Server and Global Catalog

2nd issue: "A delegation for this DNS server cannot be created because an authoritative parent zone cannot be found or it does not run Windows DNS server.  If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "shs.local".  Otherwise no action is required."

Since this is an internal domain only, I'm not too worried about that one.

3rd issue: Installation Failed because "Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller.... Ensure the provided network credentials have sufficient permissions."

"The RPC server is unavailable"

I disabled the windows firewall on both VMs to no avail.
pcspcs Asked:
 
pcspcs Author Commented:
I figured it out!  I decided to ping the other server and I noticed that it timed out and reported that it was looking for it at an IPv6 address.  I'm not using IPv6, so I disabled it on all involved servers.  Now it pings properly and I'm also able to promote this server to a DC.
0
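The accepted answer above pins the "RPC server is unavailable" failure on the new server resolving the existing DC to an IPv6 address that was not actually reachable. The script below is an added example, not code posted in this thread, that makes that diagnosis visible before you touch anything: it resolves the DC the same way Windows does, tests the ports dcpromo needs over every returned address, checks the _msdcs DC locator record the replies ask about, and prints the current IPv6 DisabledComponents policy. It targets the PowerShell 2.0 that ships with Windows Server 2008 R2 (no Resolve-DnsName or Test-NetConnection). The DC name SHSMASTER and domain shs.local come from the thread; the port list, function name and registry handling are my assumptions. One caveat a practitioner would want: instead of disabling IPv6 outright, Microsoft's KB929852 documents DisabledComponents = 0x20, which keeps IPv6 enabled but makes Windows prefer IPv4, and that alone is usually enough to clear this symptom.

```powershell
# Added example (not from the thread): diagnose the "RPC server is unavailable"
# symptom seen during dcpromo by checking how the existing DC's name resolves and
# whether the ports dcpromo needs are reachable over each returned address.
# Works on PowerShell 2.0 (Windows Server 2008 R2).
# Assumptions: the existing DC is SHSMASTER in shs.local (from the thread); the
# port list, function name and registry handling are mine.

param(
    [string]$DcName = "SHSMASTER.shs.local"
)

# Ports a new DC must reach on its replication partner during promotion.
# The RPC endpoint mapper (135) is what "The RPC server is unavailable" refers to.
$RequiredPorts = @{
    135 = "RPC endpoint mapper"
    389 = "LDAP"
    445 = "SMB (SYSVOL / NETLOGON)"
    88  = "Kerberos"
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Resolve every address the client would consider for the DC. If an AAAA record
# comes back and IPv6 is not actually routed between the hosts, Windows tries it
# first, which is the failure mode the thread's author hit.
$addresses = [System.Net.Dns]::GetHostAddresses($DcName)
foreach ($addr in $addresses) {
    $family = if ($addr.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) { "IPv6" } else { "IPv4" }
    Write-Host ("{0} resolves to {1} ({2})" -f $DcName, $addr, $family)
    foreach ($port in $RequiredPorts.Keys) {
        $ok = Test-TcpPort -Address $addr.IPAddressToString -Port $port
        $state = if ($ok) { "open" } else { "BLOCKED/unreachable" }
        Write-Host ("   {0,-5} {1,-28} {2}" -f $port, $RequiredPorts[$port], $state)
    }
}

# The DC locator SRV record dcpromo depends on; no answer here means the _msdcs
# zone the replies ask about is not healthy.
$domain = $DcName -replace '^[^.]+\.', ''
nslookup -type=SRV ("_ldap._tcp.dc._msdcs." + $domain)

# Current IPv6 policy. 0xFF (or 0xFFFFFFFF) disables IPv6 on all interfaces, as
# the author did; 0x20 keeps IPv6 enabled but prefers IPv4 in prefix policies,
# which fixes this symptom with less collateral impact (Microsoft KB929852).
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$dc = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($dc -eq $null) {
    Write-Host "DisabledComponents not set: IPv6 fully enabled"
} else {
    Write-Host ("DisabledComponents = 0x{0:X}" -f $dc)
}
# To prefer IPv4 instead of disabling IPv6 (takes effect after a reboot):
# Set-ItemProperty -Path $key -Name DisabledComponents -Type DWord -Value 0x20
```

Run it on the server you are trying to promote, as the same account you give dcpromo. If the IPv6 line shows port 135 blocked while the IPv4 line shows it open, you have reproduced the thread's failure without demoting or rejoining anything.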
 
kevinhsieh Commented:
I would check the event log on Server1 and Server2 to make sure everything is okay, because it seems like there are problems. You should also run DCDIAG on Server1 and see if it reports any errors.

You should have a DC (even a small one) running outside of Hyper-V. Hyper-V hosts like to see a domain controller when they boot. If they don't, they don't boot properly. Just imagine a power outage taking down all of your servers, but you can't boot the domain controllers which are on Hyper-V which can't boot because there are no domain controllers.

You should also disable the Hyper-V time integration for your domain controller guests, or time in your domain will be messed up.
0
 
Darius Ghassem Commented:
Check in your DNS Console: do you have an _msdcs.domain.com zone and a domain.com zone with the _msdcs folder grayed out under the domain.com zone?
0

 
pcspcs Author Commented:
Dariusg, Yes, there's a folder for _msdcs.shs.local with four folders under it and there's also a folder for shs.local that has a number of folders under it, including a greyed out _msdcs folder.

Kevinhsieh, It doesn't SEEM like there are problems, there ARE problems - namely the fact that I can't get this server setup as a DC due to those error messages that I listed (most likely the one listed under 3rd issue being the most critical).

I don't see anything alarming in the various event viewer logs, although if someone can tell me something specific to look for and which one to look in then I can report back.

DCDIAG shows all tests passed.

A few other notes:
The Two Hyper-V host servers are not part of the domain or in use for anything other than hosting the VMs, as suggested by the data center we're renting the servers from.  The Hyper-V hosts should not need to find a DC because they are simply stand-alone servers.

Also, this is a pretty straight-forward domain setup using S2008-R2 wizards for the most part - almost nothing done manually.

Server2 does show up in DNS on Server 1.  It also shows up in AD under "computers" after I joined it to the domain.
 
0
 
Darius Ghassem Commented:
Disable any AV or firewalls
0
 
pcspcs Author Commented:
They are disabled on both servers.
0
 
pcspcs Author Commented:
What now, experts?

By the way, I was looking into disabling the time sync integration until I came across this article which gives a number of reasons this should not be done: http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx 
0
 
kevinhsieh Commented:
Is this a new domain/forest? If it is, you can demote or reinstall your first DC and start over.

Can you confirm that the time on both VMS is the same or really close?
0
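The question above about whether the two VMs agree on the time is worth answering with numbers rather than by eyeballing the system tray: Kerberos rejects tickets when clocks differ by more than five minutes (the default tolerance), and a broken Kerberos exchange surfaces as authentication and RPC errors during dcpromo. The commands below are an added example, not part of the thread; they use the stock w32tm tool on Windows Server 2008 R2 and assume the DC name SHSMASTER from the thread.

```powershell
# Added example (not from the thread): measure clock skew against the existing
# DC and show which time source each side actually uses. Assumes the DC is
# SHSMASTER (from the thread); everything else is stock w32tm.
$Dc = "SHSMASTER"

# Offset of the local clock against the DC, five samples, numbers only.
# Anything approaching 300 seconds will break Kerberos and therefore dcpromo.
w32tm /stripchart "/computer:$Dc" /samples:5 /dataonly

# Where this machine takes time from. On a Hyper-V guest with the time
# integration service enabled this reports "VM IC Time Synchronization Provider";
# the DC holding the PDC emulator role should instead sync from an external NTP
# source, which is what the time-integration advice in this thread is about.
w32tm /query /source
w32tm /query /status

# The same question asked of the DC itself, over RPC. If this call fails with
# "The RPC server is unavailable", the clock is not your problem; connectivity is.
w32tm /query "/computer:$Dc" /source
```

Run the block from an elevated prompt on the server being promoted. The /stripchart output is the one to keep: it gives the skew in seconds per sample, so you can quote it in a follow-up instead of "within a minute".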
 
pcspcs Author Commented:
No, it's not a new domain/forest.  I've had this running for several months and have a few other member servers that are also VMs - some on the same host as the DC and one on the new host.  I did verify that time was at least within a minute of each other because they all showed the same in the system tray when I looked.
0
 
pcspcs Author Commented:
Experts?
0
 
Darius Ghassem Commented:
Post dcdiag /test:dns
0
 
pcspcs Author Commented:
Directory Server Diagnosis
Performing initial setup:

   Trying to find home server...
   Home Server = SHSMaster
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SHSMASTER
      Starting test: Connectivity
         ......................... SHSMASTER passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SHSMASTER
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
        ......................... SHSMASTER passed test DNS

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : shs
   Running enterprise tests on : shs.local

      Starting test: DNS
         ......................... shs.local passed test DNS
0
 
Darius Ghassem Commented:
Are you adding using a Enterprise Admin account?
0
 
pcspcs Author Commented:
Yes.  The Administrator is a member of the group Enterprise Admins
0
 
Darius Ghassem Commented:
Run a metadata cleanup see if you see any lingering DCs that didn't demote properly

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
pcspcs Author Commented:
I did this and it only lists one DC, not the new one that I've been unable to add. That makes sense since one of the errors was "Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller"

What doesn't make sense is that the new server can see the DC that's a guest on the other Hyper-V machine and was able to be added to the domain and function as a domain member server.  So why these errors about RPC server not found, etc.
0
 
Darius Ghassem Commented:
Well I was hoping there would be another DC listed
0
 
kevinhsieh Commented:
You can disjoin from the domain the server that you are trying to promote, rejoin it to the domain and try to run dcpromo again.
0
 
pcspcs Author Commented:
I'm just curious, why would you expect it to be any different this time?  It joined beautifully the first time.  I'd rather not remove and re-add unless there's some reason to believe that this would be causing the error messages posted.  It seems much cleaner, and there's no chance of old junk being left behind, if I don't do it multiple times unless necessary.
0
 
pcspcs Author Commented:
Anyone?
0
 
kevinhsieh Commented:
Well, we seem unable to go forward, so let's try going back. I don't know that removing the server will help, but my suggestion is to remove it from the domain, and then use ADSI edit to make sure that there are no references to it anywhere. You can then rejoin it to the domain and try to run DCPROMO. Other option is to remove it from the domain, and rebuild the VM from scratch.
0
 
pcspcs Author Commented:
All right, I removed the server - made sure there were no references and tried again.  This time I didn't join the domain first.  The results are the same, other than it doesn't wait 5 minutes before coming back with the error about the DNS server for the authoritative parent zone.  It still gives that error (issue #1) but it just does so more quickly, eventually followed by the other two errors including the RPC server error.
0
 
kevinhsieh Commented:
So glad you got it working.
0
 
pcspcs Author Commented:
Found solution.
0
Question has a verified solution.