Adding 2nd DC to Server R2 Existing Domain

I have one 08 Server R2 as the DC. I am trying to add the second 08 Server R2 into the same domain. During dcpromo I get to the part where it asks if it is a DNS server/global catalog, and then when I hit Next it comes back and says:

A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server.

Then it goes on to say I would need to manually add the delegation myself, blah blah blah.

So why am I getting this? Like I said, my other 08 server is the only DC, and as far as I can tell DNS is working fine. Are there any tests I should run, or what can I do to fix this message? It says I can ignore this and continue, but I am waiting so I do not get a screwed-up DC off the bat.

Thanks.
Asked by valmatic

Darius Ghassem commented:
First, make sure your DC is pointing to itself for DNS. Second, make sure clients have this DNS server in their TCP/IP properties. Make sure this DC is a Global Catalog server.

For a full test you really need to move over the FSMO roles to make sure everything is running properly.

Krzysztof Pytko (Senior Active Directory Engineer) commented:
That's nothing to worry about if you are installing your first DNS server (DC + DNS). This is because the server points to itself as its DNS server. When you set up an additional DNS server, you first have to be sure that you have properly configured the NIC settings of that new box. Check if you set up the IP address in the DNS section of your existing server. Then you shouldn't see that message during the promotion process.

Regards,
Krzysztof

valmatic (author) commented:
Well, my new DC, the one I am trying to add the DC role to, is not anything yet. No DNS, no nothing. So I have a static IP set, and it of course is pointing for DNS to my #1 DC, which also runs DNS.

So you are saying this is why I am getting the message?

Should I cancel this wizard and set up DNS by itself, then come back and run dcpromo?

Krzysztof Pytko (Senior Active Directory Engineer) commented:
No, no, you should definitely point to your existing DNS server in the DNS section. Then run dcpromo and follow the wizard. Make your new DC a DNS and Global Catalog server and don't worry, everything will be fine! :)

Regards,
Krzysztof

valmatic (author) commented:
When the install is done, do I then set my new DC to look at itself for DNS and list the other as its second choice?

Justin Owens (ITIL Problem Manager) commented:
Yes, just make sure that by "others", you don't mean external sources.

valmatic (author) commented:
Yes, by others I meant my internal DNS server, which was the first DC on my domain till this one.

Krzysztof Pytko (Senior Active Directory Engineer) commented:
Set up the NIC's properties in the DNS section:

Primary DNS IP address: current DC
Alternative DNS IP address: second DC

Do not configure external forwarders on the new DC; only set up forwarders to the old DC, which contains the external (probably ISP) DNS server. Then all unresolved queries from the new DC's DNS will be redirected to the old DC, and it will send them to the ISP's DNS server for Internet access (I hope I wrote it clearly ;) )

Additionally, modify option no. 006 in your DHCP server's scope. Add the second DNS IP address, that of your new DC, there.

Regards,
Krzysztof

Darius Ghassem commented:
So, you are getting this error for a reason.

Check your DNS console: do you have an msdcs.domain.com zone? Do you have a domain.com zone with the msdcs folder grayed out?

valmatic (author) commented:
Darius, yes, I have all these things you listed.

valmatic (author) commented:
Actually, let me clarify, Darius. I have 2 of my own zones listed in DNS. I do not see msdcs.domain.com in the root that holds all my zones.

However, under my one zone I have a folder called msdcs and it is not greyed out.

Darius Ghassem commented:
OK, good, so you have a domain.com or domain.local zone with the msdcs folder listed under this zone that is not grayed out, right?

You need to make sure that all DNS servers have this zone with this folder not being grayed out. Check your other DNS servers.

valmatic (author) commented:
Yes, both servers have that folder not greyed out under my main domain name.

Darius Ghassem commented:
Good. Run dcdiag /fix

Do you have records in these folders?

valmatic (author) commented:
Records of what? What am I looking for? Here is my dcdiag /fix.

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = VALDC2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\VALDC2
      Starting test: Connectivity
         ......................... VALDC2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\VALDC2
      Starting test: Advertising
         ......................... VALDC2 passed test Advertising
      Starting test: FrsEvent
         ......................... VALDC2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... VALDC2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... VALDC2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... VALDC2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... VALDC2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... VALDC2 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=valmatic,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=valmatic,DC=com
         ......................... VALDC2 failed test NCSecDesc
      Starting test: NetLogons
         ......................... VALDC2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... VALDC2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... VALDC2 passed test Replications
      Starting test: RidManager
         ......................... VALDC2 passed test RidManager
      Starting test: Services
         ......................... VALDC2 passed test Services
      Starting test: SystemLog
         ......................... VALDC2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... VALDC2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : valmatic
      Starting test: CheckSDRefDom
         ......................... valmatic passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... valmatic passed test CrossRefValidation

   Running enterprise tests on : valmatic.com
      Starting test: LocatorCheck
         ......................... valmatic.com passed test LocatorCheck
      Starting test: Intersite
         ......................... valmatic.com passed test Intersite


valmatic (author) commented:
Well, there are subfolders in those folders and a couple of CNAME entries.

Justin Owens (ITIL Problem Manager) commented:
You can safely discard the error on NCSecDesc, as that only has to do with using RODCs.  If you don't plan on using them, this is irrelevant.
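
The triage described in the reply above, as an added example that is not part of the original thread: a PowerShell function that parses dcdiag text and marks an NCSecDesc failure as RODC-related only when every error in it is the missing "Replicating Directory Changes In Filtered Set" right. The function name Get-DcdiagResult and the note wording are assumptions; the sample input is a shortened copy of the output posted above.

```powershell
# Sample input: a shortened copy of the dcdiag output posted in this thread.
# On a live DC, use instead:  $report = dcdiag /s:VALDC2
$report = @'
      Starting test: MachineAccount
         ......................... VALDC2 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=valmatic,DC=com
         ......................... VALDC2 failed test NCSecDesc
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
'@ -split "`r?`n"

# Get-DcdiagResult is a hypothetical helper name, not a built-in cmdlet.
function Get-DcdiagResult {
    param([string[]]$Lines)
    $test = $null; $detail = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:\s*(\S+)') {
            $test = $Matches[1]; $detail = @()
        }
        elseif ($line -match '^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s*(\S*)') {
            $target = $Matches[1]; $result = $Matches[2]
            # dcdiag wraps long result lines, so the test name can land on the
            # next line; fall back to the name from "Starting test:".
            $name = if ($Matches[3]) { $Matches[3] } else { $test }
            $errors   = @($detail | Where-Object { $_ -like 'Error *' }).Count
            $filtered = @($detail | Where-Object {
                $_ -like '*Replicating Directory Changes In Filtered Set*' }).Count
            $note = ''
            if ($result -eq 'failed') {
                # Only the filtered-set right is missing: the RODC case from the reply above.
                if ($name -eq 'NCSecDesc' -and $errors -gt 0 -and $errors -eq $filtered) {
                    $note = 'filtered-set right only (RODC-related)'
                } else { $note = 'investigate before relying on this DC' }
            }
            New-Object PSObject -Property @{
                Target = $target; Test = $name; Result = $result; Note = $note }
            $test = $null
        }
        elseif ($test) { $detail += $line.Trim() }
    }
}

Get-DcdiagResult $report | Format-Table Target, Test, Result, Note -AutoSize
```

Any failed test whose errors are not all of the filtered-set kind gets the "investigate" note instead, so a real permissions or replication problem is not hidden behind the known-benign one.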

Darius Ghassem commented:
Good, that is what we are looking for. Now start the promotion process. If you get the error stating it could not create the delegation record, that is fine; proceed.

valmatic (author) commented:
Yeah, no RODCs here. Thanks. Hopefully everything is good. I guess I just have to turn off my main server when I have a chance and see if the second one can log people in and do DNS to get to the web.

valmatic (author) commented:
I did promote this one to a DC. Is there any way to check that it is functioning as my backup?

valmatic (author) commented:
So if the first main DC I have, which has every role, goes down, will this one not work unless I manually switch the roles?

Justin Owens (ITIL Problem Manager) commented:
If the server which contains the FSMO roles fails, you will have to seize the roles on another server.  It will continue to work in a diminished state before that is done, but not well.

valmatic (author) commented:
So basically logons and DNS requests will take a few minutes. Well, that kind of stinks; I would think it is more streamlined, since having multiple DCs is the usual? Should I balance the roles, or do you see no benefit?

Justin Owens (ITIL Problem Manager) commented:
There are good arguments for and against having your FSMO roles separated or all on the same machine. Another Expert (well, several of us, really) addressed the issue of splitting FSMO roles on this Question:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_25204029.html

I would suggest not splitting it unless you are in a very large environment.  There are some Roles which MUST be on the same server:

http://support.microsoft.com/kb/223346

Justin

valmatic (author) commented:
Thanks for the input Justin. I will take a look at those articles.