Solved

Errors adding 2nd DC in Hyper-V environment - Examining DNS configuration takes forever during DCPROMO

Posted on 2010-11-17
Last Modified: 2012-08-13
Hyper-V host running on 2 servers
Server1: Guest OS Server 2008 R2 on 1st server is DC with GC
Server2: Guest OS Server 2008 R2 on 2nd server trying to install as 2nd DC with GC

DNS on server2 is set to point to Server1
Was able to successfully join Server2 to the domain SHS.LOCAL
Installed AD role and running DC promo

1st issue: When it gets to Examining DNS Configuration it takes a good 5 minutes, but eventually comes to the Options screen where I choose DNS Server and Global Catalog

2nd issue: "A delegation for this DNS server cannot be created because an authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "shs.local". Otherwise no action is required."

Since this is an internal domain only, I'm not too worried about that one.

3rd issue: Installation Failed because "Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller.... Ensure the provided network credentials have sufficient permissions."

"The RPC server is unavailable"

I disabled the windows firewall on both VMs to no avail.
0
Question by:pcspcs
24 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 34157874
I would check the event log on Server1 and Server2 to make sure everything is okay, because it seems like there are problems. You should also run DCDIAG on Server1 and see if it reports any errors.

You should have a DC (even a small one) running outside of Hyper-V. Hyper-V hosts like to see a domain controller when they boot. If they don't, they don't boot properly. Just imagine a power outage taking down all of your servers, but you can't boot the domain controllers which are on Hyper-V which can't boot because there are no domain controllers.

You should also disable the Hyper-V time integration for your domain controller guests, or time in your domain will be messed up.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34158800
Check in your DNS Console do you have a msdcs.domain.com and a domain.com zone with the msdcs folder grayed out under the domain.com zone?
0
 

Author Comment

by:pcspcs
ID: 34160587
Dariusg, Yes, there's a folder for _msdcs.shs.local with four folders under it and there's also a folder for shs.local that has a number of folders under it, including a greyed out _msdcs folder.

Kevinhsieh, It doesn't SEEM like there are problems, there ARE problems - namely the fact that I can't get this server setup as a DC due to those error messages that I listed (most likely the one listed under 3rd issue being the most critical).

I don't see anything alarming in the various event viewer logs, although if someone can tell me something specific to look for and which one to look in then I can report back.

DCDIAG shows all tests passed.

A few other notes:
The Two Hyper-V host servers are not part of the domain or in use for anything other than hosting the VMs, as suggested by the data center we're renting the servers from.  The Hyper-V hosts should not need to find a DC because they are simply stand-alone servers.

Also, this is a pretty straight-forward domain setup using S2008-R2 wizards for the most part - almost nothing done manually.

Server2 does show up in DNS on Server 1.  It also shows up in AD under "computers" after I joined it to the domain.
 
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34164113
Disable any AV or firewalls
0
 

Author Comment

by:pcspcs
ID: 34164511
They are disabled on both servers.
0
 

Author Comment

by:pcspcs
ID: 34179813
What now, experts?

By the way, I was looking into disabling the time sync integration until I came across this article which gives a number of reasons this should not be done: http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx  
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 34180407
Is this a new domain/forest? If it is, you can demote or reinstall your first DC and start over.

Can you confirm that the time on both VMs is the same or really close?
0
 

Author Comment

by:pcspcs
ID: 34181650
No, it's not a new domain/forest.  I've had this running for several months and have a few other member servers that are also VMs - some on the same host as the DC and one on the new host.  I did verify that time was at least within a minute of each other because they all showed the same in the system tray when I looked.
0
 

Author Comment

by:pcspcs
ID: 34189650
Experts?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34191358
Post dcdiag /test:dns
0
 

Author Comment

by:pcspcs
ID: 34192096
Directory Server Diagnosis
Performing initial setup:

   Trying to find home server...
   Home Server = SHSMaster
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SHSMASTER
      Starting test: Connectivity
         ......................... SHSMASTER passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SHSMASTER
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
        ......................... SHSMASTER passed test DNS

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : shs
   Running enterprise tests on : shs.local

      Starting test: DNS
         ......................... shs.local passed test DNS
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34192102
Are you adding using an Enterprise Admin account?
0

 

Author Comment

by:pcspcs
ID: 34193033
Yes.  The Administrator is a member of the group Enterprise Admins
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34196475
Run a metadata cleanup and see if you see any lingering DCs that didn't demote properly

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 

Author Comment

by:pcspcs
ID: 34197284
I did this and it only lists one DC, not the new one that I've been unable to add. That makes sense since one of the errors was "Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller"

What doesn't make sense is that the new server can see the DC that's a guest on the other Hyper-V machine and was able to be added to the domain and function as a domain member server.  So why these errors about RPC server not found, etc.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34197409
Well I was hoping there would be another DC listed
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 34199148
You can disjoin from the domain the server that you are trying to promote, rejoin it to the domain and try to run dcpromo again.
0
 

Author Comment

by:pcspcs
ID: 34199954
I'm just curious, why would you expect it to be any different this time?  It joined beautifully the first time.  I'd rather not remove and re-add unless there's some reason to believe that this would be causing the error messages posted.  It seems much cleaner and no chance of old junk being left behind to not do it multiple times unless necessary.
0
 

Author Comment

by:pcspcs
ID: 34235198
Anyone?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 34236622
Well, we seem unable to go forward, so let's try going back. I don't know that removing the server will help, but my suggestion is to remove it from the domain, and then use ADSI edit to make sure that there are no references to it anywhere. You can then rejoin it to the domain and try to run DCPROMO. Other option is to remove it from the domain, and rebuild the VM from scratch.
0
 

Author Comment

by:pcspcs
ID: 34243444
All right, I removed the server - made sure there were no references and tried again.  This time I didn't join the domain first.  The results are the same, other than it doesn't wait 5 minutes before coming back with the error about the DNS server for the authoritative parent zone.  It still gives that error (issue #1) but it just does so more quickly, eventually followed by the other two errors including the RPC server error.
0
 

Accepted Solution

by:pcspcs
ID: 34243668
I figured it out!  I decided to ping the other server and I noticed that it timed out and reported that it was looking for it at an IPv6 address.  I'm not using IPv6, so I disabled it on all involved servers.  Now it pings properly and I'm also able to promote this server to a DC.
0
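The check behind the accepted solution, as an added example that is not part of the original thread: resolve the existing DC's name and try the RPC endpoint mapper port on each returned address, so an unreachable IPv6 address shows up next to a working IPv4 one. `SHSMaster` is the DC name from the dcdiag output above; port 135 and the 3-second timeout are assumptions of this example.

```powershell
# Added example (not from the thread). Uses only .NET calls available to
# PowerShell 2.0, which ships with Server 2008 R2.
param(
    [string]$Target = 'SHSMaster',  # existing DC; name taken from the dcdiag output
    [int]$Port = 135,               # RPC endpoint mapper (assumed probe port)
    [int]$TimeoutMs = 3000          # assumed timeout
)

function Test-TcpPort {
    param([System.Net.IPAddress]$Address, [int]$Port, [int]$TimeoutMs)
    # Create the socket in the same family (IPv4 or IPv6) as the address under test.
    $client = New-Object System.Net.Sockets.TcpClient($Address.AddressFamily)
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($async)   # throws if the connection was refused or unreachable
        return 'open'
    } catch {
        return 'failed'
    } finally {
        $client.Close()
    }
}

# Probe every address the resolver returns for the DC name.
$results = foreach ($ip in [System.Net.Dns]::GetHostAddresses($Target)) {
    New-Object PSObject -Property @{
        Family  = $ip.AddressFamily
        Address = $ip.IPAddressToString
        Result  = Test-TcpPort -Address $ip -Port $Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table Family, Address, Result -AutoSize

# Flag the pattern from this thread: IPv6 address unreachable, IPv4 address fine.
$v6Down = @($results | Where-Object { $_.Family -eq 'InterNetworkV6' -and $_.Result -ne 'open' })
$v4Up   = @($results | Where-Object { $_.Family -eq 'InterNetwork'   -and $_.Result -eq 'open' })
if ($v6Down.Count -gt 0 -and $v4Up.Count -gt 0) {
    Write-Warning "$Target answers on IPv4 but not on its IPv6 address(es)."
}
```

Run it from the server being promoted; a `timeout` or `failed` row for an IPv6 address beside an `open` IPv4 row matches the ping behaviour described in the accepted solution.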
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 34244316
So glad you got it working.
0
 

Author Closing Comment

by:pcspcs
ID: 34276800
Found solution.
0
