Solved

dcpromo doesn't set up DNS on new 2003 server

Posted on 2011-03-03
Last Modified: 2012-05-11
Help Experts!

I've run dcpromo on a new member server for a new branch office.

I successfully joined the domain, set it to a fixed IP and installed DNS. dcpromo seems to work, but the DNS Forward Lookup Zones don't get filled in.

I can see that the system has put the server into the right Sites & Services site and it's been put in the Domain Controllers OU in AD Users and Computers. I can ping the main office server and vice versa.

Looking at the DNS Event Logs, I can see an Event ID: 800 notice saying

===The zone <subnet>.in-addr.arpa is configured to accept updates but the A record for the primary server in the zone's SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot  be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause DNS clients to be unable to perform DNS updates.====

Looking at the DNS console, there is no forward lookup zone but one reverse lookup zone for the main site's subnet. I also get an NTFrs error 13508

=The File Replication Service is having trouble enabling replication from \\MainOfficeServer.mydomain.local to BranchServer for c:\windows\sysvol\domain using the DNS name \\MainOfficeServer.mydomain.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name \\MainOfficeServer.mydomain.local from this computer.
[2] FRS is not running on \\MainOfficeServer.mydomain.local
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.=

I'd really appreciate help in fixing this.
Question by:jmsjms
10 Comments
 
LVL 1

Expert Comment

by:ITnavigators
Most of the time these issues are DNS related. I assume you have another DNS server running on your other DC. Check your TCP/IP settings and also make sure Windows Firewall is disabled and stopped.
Set 2 DNS entries in your TCP/IP settings, the first to your other DC and the second to the server you are working with.
 
LVL 11

Expert Comment

by:Tasmant
- On your branchoffice server, check if the primary DNS server in TCP/IP properties is set to target the mainofficeserver (at least for the moment).
- On your mainofficeserver, open the DNS console and check the replication topology (all DNS servers in the domain, the forest, all DCs in the domain): is the zone integrated to AD or not, and does it accept secure or non-secure updates?
 

Author Comment

by:jmsjms
Thanks for your comments. Yes, I agree it's a DNS issue.

This is a DC for a new branch and so yes, there are 2 DCs running DNS at the main site. I have already set the first DNS entry on the Branch Server to one of the 2 main site DCs and set the second to itself.

The zone is AD integrated. What should the Secure/non-secure update setting be? I'll check the zones on the master DNS server for the topology. Anything specific to look for?

I don't understand this error as I've done this at 4 other sites exactly the same way and it worked fine.
 
LVL 11

Expert Comment

by:Tasmant
It can probably be due to replication latency, or the DC not yet being registered as a replication partner for the DNS NC (if integrated to AD).
You can run a repadmin /showrepl command to see if each NC is correctly replicated.
Personally I think this error isn't really one and you could skip it, but we can perform some checks to be sure. You can also run dcdiag on your DC.
 

Author Comment

by:jmsjms
Tasmant, I've just logged in again to try out your suggestions and the DNS zones look to be populated.

The repadmin /showrepl command gives a list of inbound neighbors and shows the link at 12:56 today to the main site DC being successful. See attachment.

DCDiag shows successful on all tests.

Normally I promote a DC and the DNS gets updated within a few mins. I did the server around 4pm yesterday and it still didn't have zones in the DNS at 12pm last night!

Is there any further check just to be sure?

Should I wait any longer before switching the DNS settings on the TCP box of the server so it points to itself first, then the main DC?

Cheers
John

C:\>repadmin /showrepl

repadmin running command /showrepl against server localhost

BrandhSite\BranchServerName
DC Options: (none)
Site Options: (none)
DC object GUID: 3ec1fcf8-fe0f-4c04-8f09-83dfe6b06aea
DC invocationID: 51796e6b-f9b0-428c-9642-42f7b0ea6d9f

==== INBOUND NEIGHBORS ======================================

DC=thedomain,DC=local
    MainSite\MainDC via RPC
        DC object GUID: 184c1286-15b0-4f43-be29-b4c27450d7a3
        Last attempt @ 2011-03-04 12:56:53 was successful.

CN=Configuration,DC=thedomain,DC=local
    MainSite\MainDC via RPC
        DC object GUID: 184c1286-15b0-4f43-be29-b4c27450d7a3
        Last attempt @ 2011-03-04 12:56:53 was successful.

CN=Schema,CN=Configuration,DC=thedomain,DC=local
    MainSite\MainDC via RPC
        DC object GUID: 184c1286-15b0-4f43-be29-b4c27450d7a3
        Last attempt @ 2011-03-04 12:56:53 was successful.

DC=DomainDnsZones,DC=thedomain,DC=local
    MainSite\MainDC via RPC
        DC object GUID: 184c1286-15b0-4f43-be29-b4c27450d7a3
        Last attempt @ 2011-03-04 12:56:53 was successful.

DC=ForestDnsZones,DC=thedomain,DC=local
    MainSite\MainDC via RPC
        DC object GUID: 184c1286-15b0-4f43-be29-b4c27450d7a3
        Last attempt @ 2011-03-04 12:56:53 was successful.


C:\>


 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
In any case, as you have DC=DomainDnsZones,DC=thedomain,DC=local and DC=ForestDnsZones,DC=thedomain,DC=local, your zone is integrated to Active Directory.

As I thought, all seems fine and this error was just a latency issue. I've already seen these kinds of errors, and often it is related to network design and DNS. In your case it should have been faster.

I think you can switch DNS now if you want. Leave the main office servers as the secondary DNS (and third DNS if you have 2 DNS servers in your main office).

To be sure you could try a dcdiag /e (all enterprise), but really all seems fine. Review your event logs one last time.
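
Added example, not part of the original thread: a Python check that parses saved `repadmin /showrepl` output like the listing above and reports whether the DomainDnsZones and ForestDnsZones partitions have an inbound neighbor whose last attempt succeeded. The function names are hypothetical and the sample, including its failing ForestDnsZones entry, is constructed.

```python
import re

# Constructed sample in the thread's `repadmin /showrepl` format; the failure is invented.
SAMPLE = """
==== INBOUND NEIGHBORS ======================================
DC=DomainDnsZones,DC=thedomain,DC=local
    MainSite\\MainDC via RPC
        DC object GUID: 184c1286-15b0-4f43-be29-b4c27450d7a3
        Last attempt @ 2011-03-04 12:56:53 was successful.

DC=ForestDnsZones,DC=thedomain,DC=local
    MainSite\\MainDC via RPC
        Last attempt @ 2011-03-04 12:56:53 failed, result 1722 (0x6ba):
"""

ATTEMPT = re.compile(r"Last attempt @ (\S+ \S+) (was successful|failed)")
DNS_PARTITIONS = ("DC=DomainDnsZones,", "DC=ForestDnsZones,")

def parse_showrepl(text):
    """Return (naming_context, partner, timestamp, ok) per inbound neighbor."""
    rows, nc, partner, inbound = [], None, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("===="):        # section banner
            inbound = "INBOUND NEIGHBORS" in stripped
        elif not inbound or not stripped:
            continue
        elif not line[0].isspace():            # unindented line: naming context
            nc = stripped
        elif stripped.endswith(" via RPC"):    # replication partner
            partner = stripped[:-len(" via RPC")]
        else:
            m = ATTEMPT.search(stripped)
            if m and nc:
                rows.append((nc, partner, m.group(1), m.group(2) == "was successful"))
    return rows

def dns_partition_problems(rows):
    """Report DNS application partitions that are missing or last failed."""
    problems = []
    for prefix in DNS_PARTITIONS:
        hits = [r for r in rows if r[0].startswith(prefix)]
        if not hits:
            problems.append(prefix.rstrip(",") + ": no inbound neighbor listed")
        problems += [f"{nc}: last attempt {ts} failed" for nc, _, ts, ok in hits if not ok]
    return problems

if __name__ == "__main__":
    print(dns_partition_problems(parse_showrepl(SAMPLE)) or "DNS partitions OK")
```

An empty result means both DNS partitions are listed and replicating; a "no inbound neighbor listed" entry matches the state the question describes, where the new DC has not yet picked up the AD-integrated zones.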
 

Author Comment

by:jmsjms
Zones are AD integrated and set to secure updates only
 
LVL 11

Expert Comment

by:Tasmant
That's fine.
 

Author Comment

by:jmsjms
There are some weird bits in the enterprise check but I think they warrant another question.

Thanks for the info, the check info is really appreciated.

Cheers.
 
LVL 11

Expert Comment

by:Tasmant
Have a nice week-end ;)