Solved

AD integrated DNS not working after transitioning domain controller from Server 2003 to Server 2008 R2

Posted on 2011-02-20
Last Modified: 2012-05-11
I've promoted a new Server 2008 R2 server to a domain controller (single forest domain).  My old domain controller is Server 2003 and will be decommissioned once this problem is solved.  It is also my DNS and DHCP.  Now DNS is Active Directory integrated and has replicated to my new domain controller, but for some reason doesn't work.  Any clients I point to the Svr2008 DNS don't resolve hosts.

Here's what I've done thus far:

-Added new Svr2008 to the domain.
-Prepped domain with adprep (forest and domain)
-Promoted Svr2008 to Domain Controller and installed AD DS.
-Transferred all FSMO roles to new Svr2008 and made Svr2008 a Global Catalog Server as well. (both new and old servers are GC Servers)
-Confirmed Replication between two domain controllers.

I'm looking at the DNS role on the Svr2008 and it shows all my zones replicated.  My main zone looks like this:

-domain.local
    -_msdcs
    -_sites
    -_tcp
    -_udp
    -_domaindnszones
    -_forstdnszones




My Event Viewer summary for DNS isn't showing any errors at the moment.  I have a single client pointing to this DNS server but it cannot resolve anything.  My OLD DNS is still up and running for now and I have a new DHCP scope that's waiting to be activated with the new DNS server address for my clients.

The only thing I can see that is a problem is my Best Practices Analyzer has a single error:
Title:
DNS: Zone _msdcs.domain.local is an Active Directory integrated DNS Zone and must be available.

Severity:
Error

Date:
2/20/2011 11:41:21 AM

Category:
Configuration

Issue:
The Active Directory integrated DNS zone _msdcs.domain.local was not found.

Impact:
DNS queries for the Active Directory integrated zone _msdcs.domain.local might fail.

Resolution:
Restore the Active Directory integrated DNS zone _msdcs.domain.local.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=189238



_msdcs does exist but as a subzone of my main domain zone.  I'm not sure what the problem is.  What am I missing?  THANKS!
0
Question by:DrPcKen
18 Comments
 
LVL 44

Expert Comment

by:Amit
ID: 34938116
Check whether replication is working properly or not.

Some troubleshooting KB
http://support.microsoft.com/kb/824449
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34938224
Summary of troubleshooting:
I ran dcdiag /test:dns on my Srv2003 machine
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: domain.local
               Svr2003                      PASS PASS PASS PASS WARN PASS n/a

         ......................... domain.local passed test DNS



The Warning for Dyn is  
               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
domain.local.




I also ran dcdiag /test:dns on my new Srv2008 and got the following:
               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record i
n zone domain.local

               Svr2008                          PASS PASS PASS PASS WARN PASS n/a
         ......................... domain.local passed test DNS



Moving through more troubleshooting steps now.
0
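An added example, not part of the original post: a small Python parser for the dcdiag /test:dns summary quoted above. It lists WARN/FAIL cells, tests reported as n/a (not run), and zones flagged as accepting nonsecure dynamic updates. The sample text is constructed from the lines in the post, and the function names are illustrative.

```python
import re

# Expansions of the column abbreviations in "Summary of DNS test results".
COLUMNS = {
    "Auth": "Authentication", "Basc": "Basic", "Forw": "Forwarders/Root hints",
    "Del": "Delegations", "Dyn": "Dynamic update",
    "RReg": "Records registration", "Ext": "External name resolution",
}
RESULTS = {"PASS", "WARN", "FAIL", "n/a"}
NONSECURE = re.compile(r"Dynamic update is enabled on the zone but not\s+secure\s+(\S+)")

# Constructed sample: the table rows and warning quoted in the post, merged
# into one text, keeping the console line wrap before the zone name.
SAMPLE = """\
                  Warning: Dynamic update is enabled on the zone but not secure
domain.local.

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: domain.local
               Svr2003                      PASS PASS PASS PASS WARN PASS n/a
               Svr2008                      PASS PASS PASS PASS WARN PASS n/a
"""

def parse_summary(text):
    """Return {server: {column: result}} from the summary table."""
    header, table = None, {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens and all(t in COLUMNS for t in tokens):
            header = tokens                       # the Auth Basc Forw ... row
        elif header and len(tokens) == len(header) + 1 \
                and all(t in RESULTS for t in tokens[1:]):
            table[tokens[0]] = dict(zip(header, tokens[1:]))
    return table

def triage(text):
    """Split cells into problems (WARN/FAIL) and tests that were not run."""
    problems, not_run = [], []
    for server, row in parse_summary(text).items():
        for col, res in row.items():
            if res in ("WARN", "FAIL"):
                problems.append((server, COLUMNS[col], res))
            elif res == "n/a":
                not_run.append((server, COLUMNS[col]))
    return problems, not_run

def nonsecure_zones(text):
    """Zones dcdiag reports as accepting unauthenticated dynamic updates."""
    return sorted({z.rstrip(".") for z in NONSECURE.findall(text)})
```

A zone returned by nonsecure_zones accepts unauthenticated record registrations; an AD-integrated zone can be set to accept secure updates only.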
 
LVL 1

Author Comment

by:DrPcKen
ID: 34938255
Ok I think the whole problem has to do with the fact that my _msdcs is a subzone of my main domain.local zone.  Is it possible to  'move' it or delete it and recreate it as a main zone?

Apparently in Win2000 it is supposed to be a subzone, but in 2003 and up it is supposed to be its own zone.
0

 
LVL 1

Author Comment

by:DrPcKen
ID: 34938418
Ok I ran dcdiag /a on my Svr2008 and here are the results.  I'm not sure if the problem is what I mentioned above or maybe a server time error.
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = Svr2008

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Domain\Svr2003

      Starting test: Connectivity

         ......................... Svr2003 passed test Connectivity

   
   Testing server: Domain\Svr2008

      Starting test: Connectivity

         ......................... Svr2008 passed test Connectivity



Doing primary tests

   
   Testing server: Domain\Svr2003

      Starting test: Advertising

         Warning: Svr2003 is not advertising as a time server.

         ......................... Svr2003 failed test Advertising

      Starting test: FrsEvent

         ......................... Svr2003 passed test FrsEvent

      Starting test: DFSREvent

         ......................... Svr2003 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... Svr2003 passed test SysVolCheck

      Starting test: KccEvent

         ......................... Svr2003 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... Svr2003 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... Svr2003 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... Svr2003 passed test NCSecDesc

      Starting test: NetLogons

         ......................... Svr2003 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... Svr2003 passed test ObjectsReplicated

      Starting test: Replications

         ......................... Svr2003 passed test Replications

      Starting test: RidManager

         ......................... Svr2003 passed test RidManager

      Starting test: Services

            Invalid service type: RpcSs on Svr2003, current value

            WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

         ......................... Svr2003 failed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x825A002F

            Time Generated: 02/20/2011   12:47:37

            (Event String (event log = System) could not be retrieved, error

            0x13d)

         An error event occurred.  EventID: 0xC25A001D

            Time Generated: 02/20/2011   12:47:37

            (Event String (event log = System) could not be retrieved, error

            0x13d)

         ......................... Svr2003 failed test SystemLog

      Starting test: VerifyReferences

         ......................... Svr2003 passed test VerifyReferences

   
   Testing server: Domain\Svr2008

      Starting test: Advertising

         ......................... Svr2008 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... Svr2008 passed test FrsEvent

      Starting test: DFSREvent

         ......................... Svr2008 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... Svr2008 passed test SysVolCheck

      Starting test: KccEvent

         ......................... Svr2008 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... Svr2008 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... Svr2008 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... Svr2008 passed test NCSecDesc

      Starting test: NetLogons

         ......................... Svr2008 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... Svr2008 passed test ObjectsReplicated

      Starting test: Replications

         ......................... Svr2008 passed test Replications

      Starting test: RidManager

         ......................... Svr2008 passed test RidManager

      Starting test: Services

         ......................... Svr2008 passed test Services

      Starting test: SystemLog

         ......................... Svr2008 passed test SystemLog

      Starting test: VerifyReferences

         ......................... Svr2008 passed test VerifyReferences

   
   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : domain

      Starting test: CheckSDRefDom

         ......................... domain passed test

         CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... domain passed test

         CrossRefValidation

   
   Running enterprise tests on : domain.local

      Starting test: LocatorCheck

         ......................... domain.local passed test

         LocatorCheck

      Starting test: Intersite

         Doing intersite inbound replication test on site Default-Site: 
         ......................... domain.local passed test

         Intersite


0
 
LVL 44

Expert Comment

by:Amit
ID: 34938677
Run DCDiag with /v and post it here
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34938744
This is off the 2008 server.

Host names are as follows:
PDC = New 2008 server
PXE-PDC = old 2003 server

http://pastebin.com/C6V5eQs5


Thank you!
0
 
LVL 44

Expert Comment

by:Amit
ID: 34938771
Thanks for posting the details.

I can see a lot of disk write errors. Check the hardware, where you have a disk issue on the 2008 server. I assume that, due to the disk write errors, AD information is unable to replicate completely.

I encountered the same issue in the past, and after the disk issue was fixed, replication completed and all was back to normal.
0
 
LVL 44

Expert Comment

by:Amit
ID: 34938784
Hey, check one more thing. The logs show

FRS is not running on pxe-pdc.domain.local.

Start the service. Let replication finish, then rerun dcdiag.
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34938832
I hope there isn't a disk issue, it is a brand new server.  I do see this in ADDS Event Viewer.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2/20/2011 11:15:19 AM
Event ID:      1539
Task Category: Service Control
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      pdc.domain.local
Description:
Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
 
Hard disk:
d:
 
Data might be lost during system failures.

Could that be the problem?  I'll start FRS now.  THANK YOU FOR LOOKING AT THIS!!
0
 
LVL 44

Accepted Solution

by:
Amit earned 1600 total points
ID: 34938874
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34938877
Hmm FRS was running on PXE-PDC.  I checked on PDC also and it is on there too.  Restarted them both.  Here's new dcdiag log:

http://pastebin.com/LYyWZUiU

Oh and don't worry about the MATRIX site, I need to remove it once I get all this working. We don't use that site anymore.
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34938918
Ok let me run some disk checks.  Thank you!!!
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34939007
I think it has to do with enabling write cache on the disks and I'm not able to turn it off.  Let me work on it more.

Thank you for pointing me in the right direction!
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34939585
Ok I FINALLY got write cache turned off (long story).  Can you look through my dcdiag now and tell me what you see? I've looked but you might see something I don't.  DNS on new server still isn't working.  AGAIN ignore the Matrix site in the log. Thanks!!

http://tinypaste.com/67d59

Oh and how can I purge old events from showing up in the dcdiag /v?  It is still showing old event errors even though I cleared the log.
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34939626
Also, I found event ID 2088 in the Event Viewer of the Server 2003 domain controller

Alternate server name:
 pdc
Failing DNS host name:
 cd30c224-fe86-49b9-a8a8-38b678662240._msdcs.domain.local


I'm convinced that it has something to do with the _msdcs zone as a subzone of the main zone, but I'm not sure how to fix it.
0
 
LVL 1

Author Comment

by:DrPcKen
ID: 34939990
If it helps at all, all clients pointing to my new domain controller can resolve hostnames internally.  Just not anything on the net.
0
 
LVL 1

Assisted Solution

by:DrPcKen
DrPcKen earned 0 total points
ID: 34947924
Ok so I found the problem.  Turns out there was no Pointer record for my New server in the reverse lookup zone.  

0
 
LVL 1

Author Closing Comment

by:DrPcKen
ID: 34986616
Helped me narrow down my issue with the hard disks.
0
