Solved

zones gone in DNS, cannot make new ones

Posted on 2011-02-20
100
1,264 Views
Last Modified: 2012-08-13
Background: small AD student lab, one main server1 that worked fine, one 'backup' server2 that has not been working correctly. I wanted to make server2 the main server so wanted to make it a DC, full replication etc. and swap over completely later. In troubleshooting that one I found that it had partially replicated.  It was listed as a DC and had a few of the lab's comps listed.  I can ping its FQDN, and back and forth.  
Server1 had forward and reverse zones; server2 did not have a reverse zone and I could not create one; msg 'zone cannot be replicated...required application directory does not exist.  Only enterprise admins (which I am) have permissions to create...'
In trying to run tools like dcdiag on both I eventually got to adsiedit.  There were some early incorrect IP addys on server2, which I made when first booting the machine.  I had changed those, and they resolved correctly back and forth.  I deleted the old bad entries.  I then left and server1 ran updates and rebooted.  Today I could not login to server1; see other thread.  That seems now fixed and I can login, to both and as domain admin.  But DNS now on both servers is showing no zones and I cannot create them.  I get the same msg as above.
Both servers show many instances of two errors, 4000 and 4013.   Earlier server1 did not have errors.   There is no info about those errors.  Google shows that others have had this issue but I have been unable to find a cure.
I have read that DNS can be installed after AD, but I think this is where server2 had its issue, when I changed its IP and tried various things to reconnect it to the domain including uninstalling DNS and reinstalling, so I am not eager to do that to server1.  
It seems that the domain is partially connected as the pw change which I did from a command line worked for both servers... and I can RDC to both, by name and using the one pw I gave to domain admin acct.    But the student accounts cannot login, and trying to reconnect a lab comp to the domain says 'target name (domain name) is incorrect'.

edit: ran dcdiag on server1
 Starting test: Connectivity
         The host 0fb7f653-a124-4033-95bb-6b711a0b950f._msdcs.xxx.local co
uld not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (0fb7f653-a124-4033-95bb-6b711a0b950f._msdcs.xxx..local) couldn't
         be resolved, the server name xxx.xxx..local) resolved to
         the IP address (10.30.115.50) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         .........................xxx failed test Connectivity

Doing primary tests

   Testing server: xxx
      Skipping all tests, because server xxx  is
      not responding to directory service requests
Then all other tests, cross-ref validation, forest DNS zones, domain DNS zones, schema, partitions, all pass.
warning: DcGetName call failed, error 1355
"A KDC could not be located - All the KDCs are down"
failed test FsmoCheck
0
Comment
Question by:JerryC101
100 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 34943098
ok, many works ...
at the beginning, could you:
- check that the network properties on your DCs are configured to point to the same DNS server (server1). So server1 points to itself, and your second server points to server1. Do not add other DNS servers in TCP/IP properties.
- please run ipconfig /flushdns on each DC
- please delete the file netlogon.dns in %SystemRoot%\System32\Config on each DC
- please run the command ipconfig /registerdns on each DC
- please run the command net stop netlogon && net start netlogon on each DC
- please open DNS console, verify if zones are there (maybe _msdcs.domain.com and domain.com) (server1)
- if found, go to the properties of the zone and check if zones are AD integrated. If they are, check the replication, you should choose all DNS servers in the domain.
- install DNS service on the second server (if not already done).
- please provide more details about the logs you get.

try to run:
- dcdiag /v /fix on server1
- netdom query fsmo
0
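The checklist above (flush the cache, rebuild netlogon.dns, re-register, restart Netlogon) is what the thread keeps coming back to, so here it is as one script. This is an added example, not code from the thread or from Tasmant: it assumes Windows Server 2012 or later (DnsClient and ActiveDirectory PowerShell modules), is run elevated on the DC itself, and `$DnsServerIp` and `$Adapter` are placeholders for the lab's values. It moves netlogon.dns and netlogon.dnb aside rather than deleting them (a choice made here, so a copy survives), and then checks that the locator records dcdiag complained about in the question (the GUID CNAME under `_msdcs` and the `_ldap`/`_kerberos` SRV records) actually resolve from the configured DNS server.

```powershell
# Added example (not from the thread): Tasmant's re-registration checklist, then a
# check of the DC locator records. Placeholders: $DnsServerIp (server1's address in
# the thread) and $Adapter (NIC alias, see Get-NetAdapter).
param(
    [string]$DnsServerIp = '10.30.115.50',
    [string]$Adapter     = 'Ethernet'
)

function Repair-DcDnsRegistration {
    param([string]$DnsServerIp, [string]$Adapter)

    # 1. Exactly one internal DNS server on the NIC; no ISP or router addresses.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServerIp

    # 2. Flush the resolver cache so stale answers do not mask the fix.
    Clear-DnsClientCache

    # 3. Stop Netlogon and move netlogon.dns/.dnb aside (renamed with a timestamp
    #    instead of deleted); Netlogon rebuilds both files when it starts again.
    Stop-Service Netlogon -Force
    $cfg = Join-Path $env:SystemRoot 'System32\config'
    foreach ($f in 'netlogon.dns', 'netlogon.dnb') {
        $p = Join-Path $cfg $f
        if (Test-Path $p) {
            Rename-Item -Path $p -NewName ("$f." + (Get-Date -Format 'yyyyMMddHHmmss') + '.old')
        }
    }

    # 4. Re-register the host's A/PTR records, start Netlogon, and force SRV registration.
    Register-DnsClient
    Start-Service Netlogon
    nltest /dsregdns | Out-Null
}

function Test-DcLocatorRecords {
    param([string]$DnsServerIp)
    $domain = (Get-ADDomain).DNSRoot
    $forest = (Get-ADDomain).Forest
    # The GUID in "<guid>._msdcs.<forest>" is the objectGUID of this DC's NTDS Settings object.
    $ntdsDn   = (Get-ADDomainController -Identity $env:COMPUTERNAME).NTDSSettingsObjectDN
    $ntdsGuid = (Get-ADObject -Identity $ntdsDn).ObjectGUID

    $checks = @(
        @{ Name = "$ntdsGuid._msdcs.$forest";         Type = 'CNAME' }, # the record dcdiag could not resolve
        @{ Name = "_ldap._tcp.dc._msdcs.$domain";     Type = 'SRV' },
        @{ Name = "_kerberos._tcp.dc._msdcs.$domain"; Type = 'SRV' },   # KDC locator; error 1355 means none found
        @{ Name = "_ldap._tcp.$domain";               Type = 'SRV' }
    )
    foreach ($c in $checks) {
        try {
            $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $DnsServerIp -ErrorAction Stop |
                 Where-Object { $_.Type -eq $c.Type }
            $targets = ($r | ForEach-Object { if ($c.Type -eq 'SRV') { $_.NameTarget } else { $_.NameHost } }) -join ', '
            [pscustomobject]@{ Record = $c.Name; Status = 'OK'; Targets = $targets }
        } catch {
            [pscustomobject]@{ Record = $c.Name; Status = 'MISSING'; Targets = $_.Exception.Message }
        }
    }
}

Repair-DcDnsRegistration -DnsServerIp $DnsServerIp -Adapter $Adapter
Test-DcLocatorRecords -DnsServerIp $DnsServerIp | Format-Table -AutoSize
```

Run it on each DC in turn, with every DC pointed at the same working DNS server; a `MISSING` row for the `_kerberos` SRV record after the re-registration is the same condition as the `FsmoCheck` failure (error 1355) in the dcdiag output, and means the zone itself is not accepting the registration rather than the client failing to send it.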
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34943373
The host 0fb7f653-a124-4033-95bb-6b711a0b950f._msdcs.xxx.local co
uld not be resolved to an

This here is a delegation record. MSDCS records are used in DNS as your SRV records. Is there a MSDCS zone within DNS?

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

Look at this above link very closely. There is a greyed out folder within DNS called MSDCS. This is a delegation record that has expired. The significance of this record is it points the direction to the MSDCS file folder within DNS. That MSDCS file folder holds your SRV records (for domain SeRVices). If your delegation records are broken, then you will not be able to do anything with DNS easily.

So, let's see what you have.

Let's get a snapshot of what you have in expanded DNS folders. There is a delegation record that your DNS server isn't seeing.

0
 

Author Comment

by:JerryC101
ID: 34945471
I will be back there in about 2 hrs; 1 Pacific.  
Before this event I had wanted both to be DC, so had configured both to be its own DNS server.  Isn't that right?
The lab machines were config'd to server1 for DNS.

After I posted yesterday I checked the DNS in both.  S2 had a forward zone that had an error msg which I don't clearly recall just now, but I reloaded it and it worked, with all comps/servers in the domain showing up.
Still no zones in S1 though; maybe propagation overnight?
Will be checking later, thanks to all for help.
0
 

Author Comment

by:JerryC101
ID: 34946395
Very apprehensive about deleting "netlogon.dns in %SystemRoot%\System32\Config"
I think this is what I had done that made pw's not work two days ago.
Have run flushdns.
Have made both servers use S1 for dns.
No other dns servers but that has always been the case.
S1 no zones, S2 has correct forward zone.
0
 

Author Comment

by:JerryC101
ID: 34947182
Did all of Tasmant's suggestions in order.  Seems to have the same result I posted at the top.


C:\Documents and Settings\Administrator.xxx.000>dcdiag /v /fix

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine xxx, is a DC.
   * Connecting to directory service on server xxxserver1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.  
   Done gathering initial info.

Doing initial required tests

   Testing server: xxx
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 0fb7f653-a124-4033-95bb-6b711a0b950f._msdcs.xxx.local co
uld not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (0fb7f653-a124-4033-95bb-6b711a0b950f._msdcs.xxx.local) couldn't
         be resolved, the server name (xxx.xxx.local) resolved to
         the IP address (10.30.115.50) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         .........................xxx failed test Connectivity

Doing primary tests

   Testing server: xxx
      Skipping all tests, because server xxx is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : xxx
      Starting test: CrossRefValidation
         ......................... xxx passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... xxx passed test CheckSDRefDom

   Running enterprise tests on : xxx.local
      Starting test: Intersite
         Skipping site xxx, this site is outside the scope provided by the
         command line arguments provided.
         ......................... xxx.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\xxx-server1.xxx.local
         Locator Flags: 0xe00003dd
         PDC Name: \\xxx-server1.xxx.local
         Locator Flags: 0xe00003dd
         Time Server Name: \\xxx.xxx.local
         Locator Flags: 0xe00003dd
         Preferred Time Server Name: \\xxx.xxx.local
         Locator Flags: 0xe00003dd
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... xxx.local failed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

C:\Documents and Settings\Administrator.xxx.000>
0
 

Author Comment

by:JerryC101
ID: 34947695
server1, nslookup;
*** Can't find server name for address 10.30.115.50: Non-existent domain
Default Server:  UnKnown
Address:  10.30.115.50
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34947755
Make sure these servers ONLY point to your internal servers for DNS - nowhere else.
Restart the netlogon service on each DC.
Run Ipconfig /registerdns

Run your checks again in 15 minutes.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34947966
Netman, I think he has an expired delegation record within DNS.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948008
I see missing service records - explain why you think delegation record.  A little curious how you came to that conclusion.

:o)


0
 

Author Comment

by:JerryC101
ID: 34948065
"Make sure these servers ONLY point to your internal servers for DNS"

I have had that config since the start; I only know to do that in 'network connections'.  Is there any other place?
I also had each one pointing to itself, now I have server2 pointing to server1 for dns.  Is that right?
In any case, it seems to have made no difference, except now I can ping the FQDN of each server from itself, but cannot ping each other.  I can ping just the name though both ways.

I am restarting server1
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948084
If the DNS Zones are AD Integrated, then you only need to point each server to itself.  No need to point to the other one - but you can as a secondary server.

Did you upgrade this forest from Windows 2000 in the past? or has this always been at least 2003?

You also need to ensure your KDC services are up and set to Automatic.

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34948090
>> usually with an expired delegation record you see this exact error:

The host 0fb7f653-a124-4033-95bb-6b711a0b950f._msdcs.xxx.local co
uld not be resolved to an
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34948098
Also, he stated that he was skeptical about deleting the "Netlogon DNS" meaning the SRV records.

So, that means the MSDCS file folder with SRV records is there, and that leads me to believe the delegation record that points the way to the SRV records is missing.

I had the exact errors he is seeing, Chris and Dariusq helped me through by telling me to delete the delegation records AND the MSDCS file folders on all DCs, Then go to the command prompt and type these lines on all DCs:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Dcdiag /fix:DNS
0
 

Author Comment

by:JerryC101
ID: 34948113
No html here I see;
"If the DNS Zones are AD Integrated, then you only need to point each server to itself.  No need to point to the other one"  
That's what I thought and had them that way. Server1 did work fine, server2 did briefly but has not which I mentioned above.  I will reset them.
Odd that ping to each's FQDN works but nslookup on server1 can't find itself.  I don't know how to think about that.

Upgrade forest; good insight.  Though not the forest, but server1 was W2000 and I upgraded that to W2003 before bringing up server2, which has been W2003 all along.
These labs were long ignored, wkstas were running 2k and McAfee 7 which expired in 03.  This was in 08.  So there were some problems... :-)   Most has been working well since but I have so many to take care of I don't have time.  State school, no money etc.  I have been servicing another lab this wknd also, am now done with that for the day.
0
 

Author Comment

by:JerryC101
ID: 34948126
"Also, he stated that he was skeptical about deleting the "Netlogon DNS" meaning the SRV records."

yes, but I did delete them, and went through all of the suggestions completely, in exact order as I mentioned above.
I have not had time to go over the thread you linked to; am hoping to take a look at that, but don't want to confuse things if someone is watching this and currently offering suggestions.

KDC services; don't know.  Will check.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948128
I read your post, yes.  That grey folder for _msdcs under the FLZ means the original subdomain was moved to a primary zone at the same level as the FLZ - completely normal.  It needs to be correct though.

I'd need to see a screenshot of his DNS zones (all expanded) to see what's going on.

Could be a number of things.  The fact that his second DC wasn't 100% should have prompted him to DCPROMO out then back in to fix it before moving forward.

Replication could be broken, the NTFRS service could be stopped, the KDC service appears to be stopped and should not be.  If he's got one good SYSVOL on the primary (first server) then we probably should remove DNS from server 2, fix it on server 1, then D2/D4 the Sysvol to get that up to 100% before moving ahead.

This (Administrator.xxx.000) tells me that the server has been rejoined/re-promo'd at least twice and likely AD has never been allowed to converge properly between.  Or some form of AD restore may have been attempted.


0
 

Author Comment

by:JerryC101
ID: 34948134
server1 took this entire time to reboot since I posted that.  'preparing network connections' showed for a very long time.  Just logged in; will take a look.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948141
That is to be expected when DNS isn't well.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948152
Ok, so server 1 was originally w2k - and thus DNS is set up in the old 2000 configuration.  We need to fix that, and it's pretty easy.

The first thing I want you to do is uninstall the DNS service from server 2.  Point that server to server 1 for DNS.
Next thing is to post a screenshot of your DNS console on server1.  Expand everything so I can see.

We're going to create a new zone, but we'll have to tidy things up first.  Let me know when you're ready.

0
 

Author Comment

by:JerryC101
ID: 34948165
"This (Administrator.xxx.000) tells me that the server has been rejoined/re-promo'd at least twice and likely AD has never been allowed to converge properly between.  Or some form of AD restore may have been attempted."
I inherited this from at least two other techs, now long gone with no documentation.
I have not done an AD restore on server1 but don't know about earlier.  I did research best way to upgrade to 03 and it worked apparently for over a year, til I tried to 'fix' server2 not connecting.

I did think of dcpromo'ing out, but thought I could fix it or at least not make a big error til I had time to do that.  So many DNS and AD entries seemed correct that I thought it might be a simple fix.   Ah well.
What screen shots do you want, and how do I post them?  Attachments?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948171
Open up dnsmgmt.msc and expand the server and all the zones.
ALT+PRTSC should get you a screenshot to paste into mspaint.
Attach it as a jpg.

0
 

Author Comment

by:JerryC101
ID: 34948191
Do I have to just uninstall dns, or do I have to do AD also?
I am confused; I thought it'd be in 'add/remove'.  it's not.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948198
On server 2 - Add/Remove>Windows Components>Networking>DNS - uncheck the box.

Don't remove AD on that server just yet.  It may not be necessary - but I need to confirm Sysvol health on server 1 before we go there.

0
 

Author Comment

by:JerryC101
ID: 34948200
'manage your server'/dns; cannot contact the dns server, so cannot stop it or uninstall it there.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948215
Control Panel>Add/Remove>Windows Components>Networking>DNS

You say that doesn't work???

On server 2?

The screenshot should be from server 1.
0
 

Author Comment

by:JerryC101
ID: 34948218
ok got it, seems gone,  not in admin tools list any more.
looking at making the s-shot
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948235
Don't forget to go onto server 2's NIC and put server 1's IP in there for DNS - only the one dns server entry.

0
 

Author Comment

by:JerryC101
ID: 34948270
This is server1 DNS.  Zones do not open, there is nothing there.  There was, but it's gone.
dns-s1-2.bmp
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948319
Well, that makes the decision simple then....

On server 1:

1)  Stop the Netlogon service.
2)  In C:\Windows\System32\Config rename netlogon.dnb and netlogon.dns by adding the extension of .old to them (netlogon.dns.old), etc
3)  Restart the DNS service.
4)  Open a cmd prompt and run the command ipconfig /all and post it.

Don't do anything until I prompt you to - if you log out or reboot it could be an issue logging back in - so hang tight.

0
 

Author Comment

by:JerryC101
ID: 34948357
done, in exact order.


Windows IP Configuration

   Host Name . . . . . . . . . . . . : xxxserver1
   Primary Dns Suffix  . . . . . . . : xxxt.loc
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : xxx..loc

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/
   Physical Address. . . . . . . . . : 00-0B-CD-47-4
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.30.115.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.30.115.1
   DNS Servers . . . . . . . . . . . : 10.30.115.50
0
 

Author Comment

by:JerryC101
ID: 34948377
I have not done anything.
 I did look at kdc and see that it's disabled.  I am not sure how or why.  It may have been when I was working on the password issue of the other night.
I'm posting this as it seems relevant.  
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948388
OK, in DNS on server 1.

1)  Right click Forward Lookup Zone, select New Zone.
2)  Select Next
3)  Select Primary Zone and be sure the box at the bottom for store in AD is checked, press Next.
4)  On this screen, change the option to the top radio button for all DNS servers in the forest, Next.
5)  The name of this zone is:   _msdcs.domain.loc    <<= where domain.loc is the complete FQDN of your Primary DNS suffix, Next.
6)  Allow only Secure Dynamic Updates, Next.
7)  Finish.

Repeat Steps 1, 2 and 3.  For Step 4, the option is for all DNS servers in the Domain.  Step 5 -  the name of this zone is simply your Primary domain suffix.  Step 6 and 7 remain the same as above.

Let me know when that's done.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948391
Yes, start and set to Automatic that KDC service.

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34948394
Jerry, this is good, but you have to add the second DC as an alternate DC in DNS servers. Example:  

   IP Address. . . . . . . . . . . . : 10.30.115.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.30.115.1
   DNS Servers . . . . . . . . . . . : 10.30.115.50   <<< Primary, same as this DC
                                       10.30.115.xx   <<< The other DC

Otherwise they will not see each other during promotion. I think Netman is right on track by thinking you have two domains with the same domain name.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948399
@Chief - The second DC has no DNS on it now.  We're fixing server 1 first.

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34948402
@Netman
Ah, I see..

Going to demote DC2?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948416
We'll see.  DNS fix first, then we'll look at Sysvol to be sure all the content is proper on Server1 before we touch AD on server 2 (in the event all the content is actually on server2).

Then it should be all good.
0
 

Author Comment

by:JerryC101
ID: 34948428
No worky, even after I started KDC: DNS zone fail.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34948433
((Monitoring this thread))

Netman's taking you down a great path.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948444
Interesting....seems the upgrade to 2003 didn't go as well as you thought.

No biggie though.

For the first zone I asked you to create simply leave it at All DNS servers in the domain for now.  We can change this later.

KDC isn't for DNS, but it should be started (it's for AD).

0
 

Author Comment

by:JerryC101
ID: 34948455
Hmm, not readable; says
"the zone cannot be replicated to all DNS servers... because the required application directory does not exist.  Only Ent admins have ...permissions to create..."  (which I have)
"To store this zone in a domain container....replicate to all domain controllers..."

That last also fails. OH!, this time it did not fail. It did create or store the zone, which now appears under 'Forward lookup zones'.  Two entries:
- SOA: [1], server1.xxx.local., hostmaster.xxx.local
- Name server: server1.xxx.local
dns-s1-3.bmp
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948457
Are you logged in with a Enterprise Admin account??

Check the membership tab on the account you're using.  It should be a member of pretty much everything (see below):

Administrators (local group)
Domain Admins
Domain Users
Enterprise Admins
Group Policy Creator Owners
Schema Admins
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948470
Start the Netlogon service on that server.  I suppose I should have had you do this first, before creating the zones.

0
 

Author Comment

by:JerryC101
ID: 34948472
My login acct has rights to the queen and everything underneath her.  well... um...
0
 

Author Comment

by:JerryC101
ID: 34948477
net logon started successfully
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948490
Are both zones created?

0
 

Author Comment

by:JerryC101
ID: 34948492
"KDC isn't for DNS, but it should be started (it's for AD)."

Yeah I knew that, I'm somewhat frazzled.  This is a big deal.  Class in the AM has to run.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948494
Do you have a machine to communicate with me - right beside this server?

We need to pick up the pace, it's almost midnight here and I have to work tomorrow.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948497
Just keep this page open and hit F5 rather than wait for the email.

0
 

Author Comment

by:JerryC101
ID: 34948511
created the other zone, at first got the error, went back and changed to the other button.
Have forward and reverse zones.
0
 

Author Comment

by:JerryC101
ID: 34948534
reverse zones show both servers with FQDN and correct IP.  
I think that's good, but is that old records, as dns is gone from S2?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948540
Restart the Netlogon service on server 1 and server 2
Run:  ipconfig /flushdns then ipconfig /registerdns  <= on each server.

Let me know (or post the screenshot) of the zones expanded.  They should look like this:


dns1.jpg
0
 

Author Comment

by:JerryC101
ID: 34948541
and yes, am using another machine side by side  and reloading, .
Thank you so much.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948545
Those records you see are new.

0
 

Author Comment

by:JerryC101
ID: 34948563
S1 registration failed; the RPC server is unavailable.
S2 registration has been initiated; errors in 15 mins.

The tree does not expand like that.
In forward there is only the msdcs and two entries in the right pane, as above.
In reverse there is no msdcs; I got to the screen where I put in the IP of the subnet.  Right pane 5 entries, same as parent folder, etc etc, then the two server IPs.
Screen shot coming.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948569
Reverse Zones are IP to FQDN, they don't contain any service records.

awaiting screenshot
0
 

Author Comment

by:JerryC101
ID: 34948572
screen shot dns tree
dns-s1-4.bmp
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948579
Server1:

1)  Make sure Remote Procedure Call service is started and set to Auto.
2)  RPC Locator service set to Manual - not started.
3)  TCP/IP NetBIOS Helper service - started - set to Auto.
4)  DHCP Client service - started - set to Auto.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948589
You have not yet created the second Forward Lookup Zone.

1)  Right click Forward Lookup Zone, select New Zone.
2)  Select Next
3)  Select Primary Zone and be sure the box at the bottom for store in AD is checked, press Next.
4)  On this screen, make sure it's set for all DNS servers in the domain, press Next.
5)  The name of this zone is:   domain.loc    <<= where domain.loc is the complete FQDN of your Primary DNS suffix, Next.
6)  Allow only Secure Dynamic Updates, Next.
7)  Finish.
0
 

Author Comment

by:JerryC101
ID: 34948596
reverse zones
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948605
Huh?  Your reverse zone is simply the subnet you're in.  It looks like it's already created.

0
 

Author Comment

by:JerryC101
ID: 34948610
1)  Make sure Remote Procedure Call service is started and set to Auto. -- It was.
2)  RPC Locator service set to Manual - not started. -- Stopped it.
3)  TCP/IP NetBIOS Helper service - started - set to Auto. -- It was.
4)  DHCP Client service - started - set to Auto. -- Did that; was disabled, am not using it as it's static.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948621
The DHCP Client service is for registration of DNS records as well as providing the service for DHCP addressing - you need it running even if you have a static address on your NIC.

Restart Netlogon service now on both servers.

Post screen shot again please.  It's a lab, is it necessary to black out the domain?  It's local and not exposed to the internet, so I think it's safe enough.
0
 

Author Comment

by:JerryC101
ID: 34948625
Re: second forward zone, again the error "you cannot create" etc.  Went back and changed to 'all domain controllers in AD domain', worked.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948631
That's what I wanted - all DNS servers in Domain.  Your Forest partition seems to be hurting, so domain it will have to be for now.

If the RPC Locator service starts again - leave it be.  It's set to manual and will start and stop as it needs to.

0
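The zone-creation wizard steps Netman66 gives twice (ID 34948388 for `_msdcs.domain.loc`, ID 34948589 for `domain.loc`) and the fallback the author ended up needing (forest-wide replication fails with "required application directory does not exist", domain-wide works) can be scripted so the replication scope is tried in the same order as the wizard's radio buttons. This is an added example, not code from the thread: it assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, so not the 2003 box in the thread), that it runs on the DC hosting DNS, and that the forest and domain are read from AD rather than hard-coded. The Enterprise Admins check mirrors the permission the error message names.

```powershell
# Added example (not from the thread): create the two AD-integrated zones, trying the
# forest partition first for _msdcs and falling back to domain, then legacy scope.
function Test-EnterpriseAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try { $name = $sid.Translate([Security.Principal.NTAccount]).Value } catch { continue }
        if ($name -like '*\Enterprise Admins') { return $true }
    }
    return $false
}

function New-AdIntegratedZone {
    param(
        [string]$ZoneName,
        [ValidateSet('Forest', 'Domain')][string]$PreferredScope
    )
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        Write-Host "$ZoneName already exists, leaving it alone"
        return
    }
    # Same order as the wizard: all DNS servers in the forest (ForestDnsZones partition),
    # all DNS servers in the domain (DomainDnsZones), then all DCs in the domain (Legacy).
    $scopes = if ($PreferredScope -eq 'Forest') { 'Forest', 'Domain', 'Legacy' } else { 'Domain', 'Legacy' }
    foreach ($scope in $scopes) {
        try {
            # Secure dynamic updates only, as in step 6 of the wizard.
            Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $scope -DynamicUpdate Secure -ErrorAction Stop
            Write-Host "$ZoneName created with replication scope $scope"
            return $scope
        } catch {
            Write-Warning "Scope $scope failed for $ZoneName : $($_.Exception.Message)"
        }
    }
    throw "Could not create $ZoneName with any replication scope"
}

$domainFqdn = (Get-ADDomain).DNSRoot
$forestFqdn = (Get-ADDomain).Forest

# Show which application directory partitions this DNS server can see; a missing
# ForestDnsZones.<forest> entry is the "required application directory" the error refers to.
$partitions = Get-DnsServerDirectoryPartition | Select-Object -ExpandProperty DirectoryPartitionName
Write-Host "Application partitions visible here: $($partitions -join ', ')"

if (-not (Test-EnterpriseAdmin)) {
    Write-Warning 'Current account is not in Enterprise Admins; forest-wide zones will not be created'
}

New-AdIntegratedZone -ZoneName "_msdcs.$forestFqdn" -PreferredScope Forest
New-AdIntegratedZone -ZoneName $domainFqdn         -PreferredScope Domain

# Netlogon repopulates the SRV records into the freshly created zones.
Restart-Service Netlogon
```

If the partition list printed at the start lacks `ForestDnsZones.<forest>` but dcdiag's `CrossRefValidation` still passes for it (as in the author's output), the partition exists in AD but this DNS server is not enlisted in it; `Register-DnsServerDirectoryPartition -Name "ForestDnsZones.$forestFqdn"` enlists the server, after which the `Forest` scope can be used instead of the domain-wide fallback.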
 

Author Comment

by:JerryC101
ID: 34948634
net start successful. ss coming
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948646
Server 2:

1)  Make sure Remote Procedure Call service is started and set to Auto.
2)  RPC Locator service set to Manual.  Doesn't matter what state.
3)  TCP/IP NetBIOS Helper service - started - set to Auto.
4)  DHCP Client service - started - set to Auto.
0
 

Author Comment

by:JerryC101
ID: 34948647
a lot filled in apparently correctly.
dns-s1-6.bmp
0
 

Author Comment

by:JerryC101
ID: 34948654
how can there be both dns servers if s2 is off/uninstalled?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948657
Interesting....the service record subdomain wants to live under the domain.

Please expand the _msdcs folder under that new zone you created.

Post ss please.
0
 

Author Comment

by:JerryC101
ID: 34948661
S2 settings were all ok.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948663
This is data from AD.  It doesn't appear to be replicating - if you indeed did remove DNS from server 2.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948675
It's 12:35 am here....

0
 

Author Comment

by:JerryC101
ID: 34948678
I don't get at all why  the first site name is S2
dns-s1-7.bmp
0
 

Author Comment

by:JerryC101
ID: 34948695
I have no sign of dns on s2; it's not listed .  should I have restarted?
Sorry it's so late.  What do you need to do?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948721
Can you send a screenshot of the properties of My Computer please - from server 1.

Also, the output of the following 2 commands:

dcdiag > c:\dcdiag.txt

netdiag > c:\netdiag.txt

No switches please.

Those SRV records are pointing only to server 2 - which means it's hosting the AD that is working right now.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948729
We uninstalled DNS from server 2.  I expect that.  Active Directory is on server 2 as it's a DC.  No issue right now with that.

We should remove any records in DNS on server one that list server 2 as a nameserver.

0
 

Author Comment

by:JerryC101
ID: 34948738
S1 DNS events:
4521, error 32 attempting to load zone msdcs... from AD. DNS will attempt to load again on the next timeout...  
That was 90 mins ago.

800, zone msdcs... is configured to accept updates but the A record for the primary server in SOA record is not available on this DNS server.  May be a config problem... if the address cannot be resolved... clients unable to locate a server...

800, zone 115.30.10.in-addr.arpa is configured to accept updates but A record is not available, same as above.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948746
Please send requested info above.

I know there will be errors in the log.
0
 

Author Comment

by:JerryC101
ID: 34948764
ss;   I ran the commands but don't see the output.  ??
dns-s1-8.bmp
0
 

Author Comment

by:JerryC101
ID: 34948776
got it ;
netdiag


....................................

    Computer Name: ECT-SERVER1
    DNS Host Name: ect-server1.laney-ect.local
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
    List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : ect-server1
        IP Address . . . . . . . . : 10.30.115.50
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 10.30.115.1
        Dns Servers. . . . . . . . : 10.30.115.50


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{8F30E5AB-408F-48F9-9BB6-480B7A63A6ED}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.30.115.50' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{8F30E5AB-408F-48F9-9BB6-480B7A63A6ED}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{8F30E5AB-408F-48F9-9BB6-480B7A63A6ED}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
=======================================
dcdiag


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: ECT\ECT-SERVER1
      Starting test: Connectivity
         ......................... ECT-SERVER1 passed test Connectivity

Doing primary tests
   
   Testing server: ECT\ECT-SERVER1
      Starting test: Replications
         [Replications Check,ECT-SERVER1] A recent replication attempt failed:
            From ECT-SERVER2 to ECT-SERVER1
            Naming Context: CN=Schema,CN=Configuration,DC=laney-ect,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2011-02-21 20:45:09.
            The last success occurred at 2010-07-18 16:59:09.
            4806 failures have occurred since the last success.
         [ECT-SERVER2] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,ECT-SERVER1] A recent replication attempt failed:
            From ECT-SERVER2 to ECT-SERVER1
            Naming Context: CN=Configuration,DC=laney-ect,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2011-02-21 20:45:09.
            The last success occurred at 2010-07-18 16:59:09.
            4806 failures have occurred since the last success.
         [Replications Check,ECT-SERVER1] A recent replication attempt failed:
            From ECT-SERVER2 to ECT-SERVER1
            Naming Context: DC=laney-ect,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2011-02-21 20:45:09.
            The last success occurred at 2010-07-18 16:59:09.
            4806 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         ECT-SERVER1:  Current time is 2011-02-21 20:50:30.
            CN=Schema,CN=Configuration,DC=laney-ect,DC=local
               Last replication recieved from ECT-SERVER2 at 2010-07-18 16:59:53.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Configuration,DC=laney-ect,DC=local
               Last replication recieved from ECT-SERVER2 at 2010-07-18 16:59:53.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=laney-ect,DC=local
               Last replication recieved from ECT-SERVER2 at 2010-07-18 16:59:53.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... ECT-SERVER1 passed test Replications
      Starting test: NCSecDesc
         ......................... ECT-SERVER1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... ECT-SERVER1 passed test NetLogons
      Starting test: Advertising
         ......................... ECT-SERVER1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... ECT-SERVER1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... ECT-SERVER1 passed test RidManager
      Starting test: MachineAccount
         ......................... ECT-SERVER1 passed test MachineAccount
      Starting test: Services
         ......................... ECT-SERVER1 passed test Services
      Starting test: ObjectsReplicated
         ......................... ECT-SERVER1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... ECT-SERVER1 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ECT-SERVER1 failed test frsevent
      Starting test: kccevent
         ......................... ECT-SERVER1 passed test kccevent
      Starting test: systemlog
         ......................... ECT-SERVER1 passed test systemlog
      Starting test: VerifyReferences
         ......................... ECT-SERVER1 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : laney-ect
      Starting test: CrossRefValidation
         ......................... laney-ect passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... laney-ect passed test CheckSDRefDom
   
   Running enterprise tests on : laney-ect.local
      Starting test: Intersite
         ......................... laney-ect.local passed test Intersite
      Starting test: FsmoCheck
         ......................... laney-ect.local passed test FsmoCheck
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948777
the output is in C:\dcdiag.txt and netdiag.txt

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948828
wow... one of these servers hasn't been online since July 18, 2010..... this is outside the 60 day tombstone.


On server 1:

run from commandline:  netdom query /domain:laney-ect.local fsmo

Post the output please.
0
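The dcdiag output above and Netman66's reading of it (last success 2010-07-18 against a 60-day tombstone lifetime) can be turned into a check that runs over captured dcdiag text. This is an added example, not code from the thread; the sample excerpt is constructed in the shape of the run posted above, and ECT-SERVER3 is an invented second partner used for contrast.

```python
"""Flag replication partners that are past the tombstone lifetime, from
captured dcdiag output.  Added example, not part of the thread; the sample is
a constructed excerpt shaped like the run above (ECT-SERVER3 is invented)."""
import re
from datetime import datetime, timedelta

SAMPLE_DCDIAG = """\
         [Replications Check,ECT-SERVER1] A recent replication attempt failed:
            From ECT-SERVER2 to ECT-SERVER1
            Naming Context: CN=Schema,CN=Configuration,DC=laney-ect,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2011-02-21 20:45:09.
            The last success occurred at 2010-07-18 16:59:09.
         [Replications Check,ECT-SERVER1] A recent replication attempt failed:
            From ECT-SERVER3 to ECT-SERVER1
            Naming Context: DC=laney-ect,DC=local
            The replication generated an error (1722):
            The failure occurred at 2011-02-21 20:45:09.
            The last success occurred at 2011-02-20 09:00:00.
"""

FIELDS = {  # one regex per line of interest, keyed by the field it fills
    "source": r"From (\S+) to \S+",
    "nc": r"Naming Context: (.+)",
    "error": r"The replication generated an error \((\d+)\)",
    "failed_at": r"The failure occurred at (.+)\.$",
    "last_success": r"The last success occurred at (.+)\.$",
}

def _convert(field, value):
    if field == "error":
        return int(value)
    if field in ("failed_at", "last_success"):
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return value

def parse_replication_failures(text):
    """One dict per '[Replications Check,...]' failure block in dcdiag output."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if "A recent replication attempt failed" in line:
            cur = {}
            records.append(cur)
        elif cur is not None:
            for field, pattern in FIELDS.items():
                m = re.match(pattern, line)
                if m:
                    cur[field] = _convert(field, m.group(1))
    return records

def tombstoned_partners(text, lifetime=timedelta(days=60)):
    """Partners that can no longer be reconciled: the DC reports error 8614, or
    the gap from last success to the failed attempt exceeds the tombstone
    lifetime.  Returns {partner: {"days_stale": int, "naming_contexts": [...]}}."""
    stale = {}
    for r in parse_replication_failures(text):
        if "last_success" not in r or "failed_at" not in r:
            continue
        age = r["failed_at"] - r["last_success"]  # independent of the 8614 code
        if r.get("error") == 8614 or age > lifetime:
            entry = stale.setdefault(r["source"], {"days_stale": age.days, "naming_contexts": []})
            entry["naming_contexts"].append(r["nc"])
    return stale
```

A partner that shows up here is the case Netman66 describes: it cannot be reconciled by waiting, and has to be force-removed and cleaned out of the metadata.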
 

Author Comment

by:JerryC101
ID: 34948846
only got
the syntax of this command is.... etc
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948854
copy this:

netdom query /domain:laney-ect.local fsmo

0
 

Author Comment

by:JerryC101
ID: 34948864
ey-ect.local fsmo
Schema owner                ect-server1.laney-ect.local

Domain role owner           ect-server1.laney-ect.local

PDC role                    ect-server1.laney-ect.local

RID pool manager            ect-server1.laney-ect.local

Infrastructure owner        ect-server1.laney-ect.local

The command completed successfully.
0
 

Author Comment

by:JerryC101
ID: 34948893
it says in your profile to ask to contact you, is that ok?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948902
Thank goodness for that....

Ok..

Here's what to do.  Follow it closely please.

1)  Make sure Server 1 is a Global Catalog.  Google it if you don't know how to find out and to set it if it isn't one.
2)  Delete the DNS zone we created named, _msdcs.laney-ect.local.
3)  Run DCPROMO on server 2 and remove the DC role from it.  It is NOT the last server in the domain/forest (if you're asked).  If it won't cooperate with you because something fails during this process then re-run it using the /forceremoval switch.
4)  After this, clean up DNS of ALL entries with server 2 in the record.
5)  Try to recreate the DNS zone of _msdcs.laney-ect.local in the Forward Lookup Zones - it must be a Forest zone.  If it's successful, your dns tree should look similar to mine.  You absolutely MUST make sure that server 1 is registered inside the _msdcs zone for _ldap and _kerberos as well as other related service records.  Try running netdiag /fix and dcdiag /fix after removing Server 2 from AD.
6)  Once you have records created properly for server 1, then you could likely reboot it.
7)  after the reboot, you should then attempt to run DCPROMO on Server 2 to make it another DC (if that's what you want).
8)  Make sure (if you're using DHCP for the workstations) that you fix the DNS server address that it's handing out.  Unless you get DNS installed on server 2 after a successful DCPROMO, you want to remove it from DHCP so clients go to server 1 only.

It's almost 2am here.  I have to get to bed.  Two kids to get moving in the morning - plus myself.

0
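Steps 4 and 5 above (purge every record that still names server 2, then confirm server 1 owns the _msdcs service records) can be checked against a zone export instead of by eye. This is an added example, not code from the thread or from Microsoft; it reads the BIND-style text that a zone export produces, and the sample zone below is constructed, modelled on the _msdcs.laney-ect.local zone discussed here.

```python
"""Audit a zone-export style file after a dead DC is removed: list records
that still point at the removed server (step 4) and the _msdcs SRV names the
surviving DC must own (step 5).  Added example, not from the thread; the
sample zone below is constructed."""

# Constructed export of _msdcs.laney-ect.local (owner names relative to the zone).
SAMPLE_ZONE = """\
;  Database file _msdcs.laney-ect.local.dns for _msdcs.laney-ect.local zone.
@                  IN  SOA ect-server1.laney-ect.local. hostmaster. (
                       42 900 600 86400 3600 )
@                  NS  ect-server1.laney-ect.local.
@                  NS  ect-server2.laney-ect.local.
_ldap._tcp.dc      600 SRV 0 100 389 ect-server1.laney-ect.local.
_ldap._tcp.dc      600 SRV 0 100 389 ect-server2.laney-ect.local.
_kerberos._tcp.dc  600 SRV 0 100 88  ect-server1.laney-ect.local.
_ldap._tcp.pdc     600 SRV 0 100 389 ect-server1.laney-ect.local.
"""

# SRV owner names a DC that is also PDC emulator and GC must have in _msdcs.
REQUIRED_SRV = ("_ldap._tcp.dc", "_kerberos._tcp.dc", "_ldap._tcp.pdc", "_ldap._tcp.gc")

def parse_zone(text):
    """Return (owner, type, rdata-tokens) tuples; skips comments, handles the
    optional TTL/class columns and a parenthesised multi-line SOA."""
    records, owner, in_parens = [], "@", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if in_parens:                          # tail of a multi-line record
            in_parens = ")" not in line
            continue
        tokens = line.split()
        if not line[0].isspace():              # owner column present
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():     # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        in_parens = "(" in rdata and ")" not in rdata
        records.append((owner, rtype, rdata))
    return records

def _host(name):
    return name.lower().rstrip(".")

def records_pointing_at(records, host):
    """NS/CNAME/SRV records whose target is host: leftovers to delete."""
    h = _host(host)
    return [r for r in records if r[1] in ("NS", "CNAME", "SRV") and r[2] and _host(r[2][-1]) == h]

def missing_required_srv(records, host, required=REQUIRED_SRV):
    """Required _msdcs owner names with no SRV record targeting host."""
    h = _host(host)
    present = {o for o, t, rd in records if t == "SRV" and rd and _host(rd[-1]) == h}
    return [name for name in required if name not in present]
```

In the sample, the NS and _ldap._tcp.dc entries for ect-server2 are the leftovers step 4 deletes, and the missing _ldap._tcp.gc for ect-server1 is what step 1 (make server 1 a Global Catalog) would fix.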
 

Author Comment

by:JerryC101
ID: 34948914
Of course there is no way to sufficiently thank you so...  but send me contact info please.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948920
Well, it's way too late to do any more from my end.  I've been helping you for almost 6 hours for something that I could have remoted in and done in about an hour.  I'm not blaming you, but rather a job of this size is incredibly difficult to do on a forum.  The delays between responses, etc. make it far too long.

As long as DNS is working and the SRV records exist for server 1, then the client should be able to log on.  Server 2 isn't even being used so if you had to, you could shut it off for now if you don't want to try to fix it tonight.

I will be online again tomorrow night - I'm on training for the next 3 days, so I won't be online during my business hours.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 34948928
Contact me at my alias here at google mail.

0
 
LVL 11

Expert Comment

by:Tasmant
ID: 34960145
Netman did a great job for the moment, did you get your issues resolved since?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34964542
Most of them - yes.  I have not done any work offline, everything was done in the open here in this post.

Still waiting to re-check things and confirm it's fixed completely.
0
 

Author Comment

by:JerryC101
ID: 34966049
server1 seems mostly working, however I just saw that references to server2 ldap have reappeared in server1 dns, and accompanying error messages "unable to create a resource record for _ldap.... etc   The AD def of this record ... contains an invalid dns name"

As I have done nothing with server2 config, I have no idea how this happened.
I'm hoping netman66 will have time to take a look.
It's impossible to overstate the extent of the help he gave me.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34966144
It's artifacts.  You have a site created that I think is unnecessary and the root server was moved out of the Default-First-Site-Name which can cause lots of weirdness.

I'd like to tidy that up.  

I also noticed that the NetBIOS Domain name appears to be different than the FQDN.  This can be an issue when it comes to DNS registration.  This article describes that issue:  http://support.microsoft.com/kb/300684

I don't know for sure without getting into the DIT exactly what the original tech did with respect to naming the domain, so don't change anything based on that article until we get a handle on that.
0
 

Author Comment

by:JerryC101
ID: 34966194
"Site created..."  ECT is the short name of the domain, done that way in the past.  That is what you're referring to I think.
0
 

Author Comment

by:JerryC101
ID: 34966213
Briefly looked over that article; first comment, why do they make it possible when it's pretty clearly so much a bad thing?   It's only me, right? no one else ever thinks this.  <insert smiley  here>

Oy; now I see that other labs are also going to have trouble.
   
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34966229
Starting in 2008 R2 they explicitly prevent creating it.

If the lab is mostly working, then we can make it 100% working and leave well enough alone.

0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 34970044
Ok, DNS is healthy now.

The second DC was forceremoved because it was beyond the tombstone period of 60 days and could not be cleanly removed.

A metadata cleanup was needed to remove server 2 from AD on the remaining server.

Server 2 was then added back as a member server.

DNS is functioning correctly now and has the proper forest and domain zones.

There are other small issues, but since this is a lab and the client workstations are working properly it's best to leave things as they are until a plan can be put together to recreate this from scratch.

0
 

Author Closing Comment

by:JerryC101
ID: 34978586
Simply amazing; I cannot say enough.  Long buried settings I knew nothing of were lurking, and netman knew where to go and what to do; saved the day, and truly the week, as a rebuild at this point is not in the cards.
Thank you so much.
0
