Can't DCPROMO Win 2008 R2 Servers Because of DNS Errors on Win 2003 Domain Controller

I'm trying to add two new Windows 2008 Server R2 Standard edition servers to our domain.  The only domain controller is a Windows 2003 Server.  Neither 2008 server could run DCPromo.  Both showed the same error message:

Active Directory domain controller for the domain "XXXXX.local" could not be contacted. Ensure that the DNS domain name is typed correctly. If the name is correct, then click details for troubleshooting information.

The error was: "This operation returned because the timeout period expired." (error code 0x000005B4 ERROR_TIMEOUT):

The query was for the SRV record for _ldap.tcp.dc._msdcs.XXXXX.local.

The DNS servers used by this computer for name resolution are not responding.  This computer is configured to use DNS servers with the following addresses:

192.168.1.10

Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

Based on Googling and Expert-Exchanging I did, I decided to try dcdiag on the existing Windows 2003 Server.  Here's the only negative result:

The host c0a4d630-de14-48f2-b648-4f9de7a9d655._msdcs.XXXXX.local could
not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(c0a4d630-de14-48f2-b648-4f9de7a9d655._msdcs.XXXXX.local) couldn't be
resolved, the server name (NT2.XXXXX.local) resolved to the IP address
(192.168.1.10) and was pingable.  Check that the IP address is
registered correctly with the DNS server.
......................... NT2 failed test Connectivity

The Windows 2003 server has, from the day I inherited it 7 years ago, always put out a bunch of Event ID 7062 in the DNS log ("The DNS server encountered a packet addressed to itself.").  I spoke to the guy who installed it, and he said that this was a common error and that nothing's wrong.  Indeed, the Windows 2003 server has been cranking along flawlessly, except for that error message.

I tried the following to fix the problem:

(1) Made sure the DNS server pointed to itself as the preferred DNS server in the TCP/IP settings.
(2) Opened the DNS console and made sure there was a forward lookup zone with the same name as my domain.
(3) Set up a forwarder to point to my ISP's DNS.
(4) Stopped and restarted the Net Logon service and re-registered the SRV records.
(5) Made sure the DHCP option was set properly to provide clients with the IP address of the Windows DNS server only.
(6) Ran "ipconfig /flushdns" and "ipconfig /registerdns".
(7) Cleared the ARP cache with "arp -d *".
(8) Ran "dcdiag /fix".
(9) "net stop netlogon" and then "net start logon".
(10) Ran "dcdiag /fix" again.

Still getting the error in dcdiag and still can't dcpromo the two new servers.  I'm stuck.  Can anyone help me fix the DNS and/or DCPromo problem?
ejfiedler Asked:

lciprianionut Commented:
On the new server that you want to make a DC, in the DNS settings for the NIC add only the IP of the DNS for the first domain controller,
e.g. DC1 IP = 10.0.0.1
DC1 DNS = 10.0.0.1
DC2 IP = 10.0.0.2
DC2 DNS = 10.0.0.1
0
Neil Russell (Technical Development Lead) Commented:
Have you got the 2008R2 servers using static or DHCP?
0
ejfiedler (Author) Commented:
Both new servers are "hardwired" to point only to NT2 (192.168.1.10--the original server and DC) for DNS.
0
Justin Owens (ITIL Problem Manager) Commented:
First, an ADPREP needs to be run from the Server 2008 installation disk on your Server 2003 DC which is the PDCe (not from your new 2008 servers).  If your 2003 server is 32 bit, use ADPrep32 instead of ADPrep.

Second, your DNS for all AD controllers (assuming integrated DNS and DCs also hosting DNS server) should point to themselves as a primary DNS server and to another internal DNS server as secondary.  They should NEVER point to an external DNS server, such as an ISP.

(DC1 points to DC1 as Primary DNS and DCx as Secondary DNS.  DC2 points to DC2 as Primary DNS and DCx as Secondary DNS).

Your two new servers should also be pointing to your existing AD controllers/DNS servers for primary/secondary DNS settings (again, not an external ISP).

As for the 7062 error, make sure each DNS server doesn't list itself in the forwarders / notify area.  If that area is clean, let me know and we can travel further down that path.  Your former Admin is correct in that it doesn't normally affect AD functionality, but I have never been of the persuasion to just accept a recurring error.  It should not prevent a DCPromo.

DrUltima
0
Justin Owens (ITIL Problem Manager) Commented:
Just noticed the DHCP reference on a re-read.  Domain Controllers should NEVER be on DHCP.  They need to be statically assigned.
0
e--man Commented:
How many NICs in the 2003 machine, any teaming configured?
0
ejfiedler (Author) Commented:
I already ran ADPrep32 on the Win 2003 server (with both /forestprep and /domainprep).  Tried running that again just now and the messages returned from both were that each had been done already.

Nothing (other than the forwarder in the DNS) points to any DNS server other than the current DC.

I've attached a screenshot of the DNS applet from the Win 2003 server. DNS Applet Screenshot
0
Justin Owens (ITIL Problem Manager) Commented:
Right-click on the actual server (NT2) and click on the Forwarders tab.  Make sure its own IP is not listed there.  Is your Server 2008 machine pointing to the IP address for NT2 as its primary DNS in its NIC settings and another internal DNS server as secondary, with no external servers listed there?  Also, for kicks, you can normally safely disable IPv6 on your 2008 servers to see if that makes a difference.

DrUltima
0
e--man Commented:
Disabling IPv6 in 2008 has caused me a lot of problems in the past; I would use that as a last resort.
0
Neil Russell (Technical Development Lead) Commented:
Disabling IPv6 caused problems? I have had it disabled since our first 2008R2 went in. What sort of problems?
0
e--man Commented:
Exchange 2010, for example, does not like IPv6 to be disabled, especially after it's been installed with it.

On non-Exchange boxes it's caused machines to hang applying computer settings, so I've just made it a rule for myself to leave it as is.
0
Justin Owens (ITIL Problem Manager) Commented:
I have over two thousand Windows Server 2008 deployments, and IPv6 is disabled on all of them, including our Exchange 2010 servers.  Not once have I had anything with adverse reactions to this.

DrUltima
0
ejfiedler (Author) Commented:
FYI:  I did disable IPv6 on all of the servers involved with this problem and it didn't fix anything.  I think the problem centers around a poorly-configured DNS server on the old 2003 Server.  I'm not at that client site right now.  I'll take the advice from DrUltima when I can get hands-on next week.  I'll let you know what I find out.  Thank you all for your help so far.
0
ChiefIT Commented:
Delete the greyed out MSDCS file folder in your domain's forward lookup zone. That's a delegation record to your Forest DNS server. Delegation records are used to point to the Forest server's DNS SRV records. BUT, all of your BTFCU.local SRV records are found within your forward lookup zone. So, this delegation record points to a folder that doesn't exist in your domain.

Once done go to the command prompt and type:
Net stop Netlogon
Net start netlogon
DCdiag /fix:DNS

then see what your dcdiag /test:DNS shows.

In this example, you will see a greyed out delegation record (meaning it's expired), but you also see the forest MSDCS file folder as its own forward lookup zone, which you don't have.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html?sfQueryTermInfo=1+10+30+chiefit+record+srv
0
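An added check, not from the thread, that ties together DrUltima's rule that a DC's NICs point only at internal AD DNS servers and ChiefIT's suggestion to look at what DNS returns after the fix: run this PowerShell 2.0 script on a candidate 2008 R2 DC to confirm its NIC DNS settings and to ask each internal DNS server directly for the SRV record dcpromo looks up (named as Netlogon registers it, `_ldap._tcp.dc._msdcs.<domain>`). `$Domain` and `$InternalDns` are placeholders for your own values.

```powershell
# Added example, not from the thread. Run on a candidate 2008 R2 DC under the
# PowerShell 2.0 it ships with. $Domain and $InternalDns are placeholders.
param(
    [string]$Domain = "XXXXX.local",             # AD DNS domain name (assumed)
    [string[]]$InternalDns = @("192.168.1.10")   # internal AD DNS server IPs (assumed)
)

# 1. Every DNS server on an enabled NIC must be an internal AD DNS server.
#    An ISP resolver here cannot answer the _msdcs query, so dcpromo times out.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    if ($servers.Count -eq 0) {
        Write-Warning ("{0}: no DNS servers configured" -f $nic.Description)
        continue
    }
    foreach ($s in $servers) {
        if ($InternalDns -contains $s) {
            Write-Host ("{0}: DNS {1} OK (internal)" -f $nic.Description, $s)
        } else {
            Write-Warning ("{0}: DNS {1} is not an internal AD DNS server" -f $nic.Description, $s)
        }
    }
    if ($nic.DHCPEnabled) {
        Write-Warning ("{0}: address is from DHCP; a DC needs a static address" -f $nic.Description)
    }
}

# 2. Ask each internal DNS server directly for the SRV record dcpromo looks up.
#    Record name as registered by Netlogon: _ldap._tcp.dc._msdcs.<domain>.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($dns in $InternalDns) {
    $out = & nslookup -type=SRV $srv $dns 2>&1 | Out-String
    if ($out -match "svr hostname\s*=\s*(\S+)") {
        Write-Host ("{0}: {1} -> {2}" -f $dns, $srv, $Matches[1])
    } else {
        # No SRV answer: check the _msdcs zone/delegation on that server, restart
        # Netlogon and run dcdiag /fix:DNS there, then re-run this check.
        Write-Warning ("{0}: no SRV answer for {1}" -f $dns, $srv)
        Write-Host $out
    }
}
```

A clean run prints only "OK" lines for the NICs and one "svr hostname" target per internal DNS server; any warning points at the same setting the answers above tell you to fix.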
Justin Owens (ITIL Problem Manager) Commented:
Good catch, Chief.  I didn't see that when I looked at the photo.
0