SW111 asked:
Windows 2003 Active Directory DNS post-FSMO problem

I NEED HELP URGENTLY PLEASE.
PLEASE LOOK AT MY PREVIOUS PROBLEM (link below):

I've posted a problem on
https://www.experts-exchange.com/questions/27024480/Promoting-secondary-AD-domain-controller.html?anchorAnswerId=35718251#a35718251

I followed the guide there, but after seizing the FSMO roles it turns out that on SERVER2 the DNS and DHCP parts were not replicated.
I tried creating DNS but the result is an error box saying:
"The zone cannot be created. The data is invalid".

What do I do now?

Thank You
SW111 (ASKER):
Update:

I tried rebooting the system, and now I ended up not being able to login to the system at all.
It says my domain does not exist.

Do you still have the old DNS and another DC? (I am assuming you do.)

Reboot the server, after the BIOS post press F8 to get the boot menu options. Boot into "Directory Services Restore Mode" (DSRM) and login using the DSRM credentials. (Username: Administrator)
Change the primary DNS IP of your server in the network connection properties to that of a working DNS server on the domain, save the changes and then reboot the server in normal mode. You should be able to log in.
Another way is, if you have another DC and DNS server, go to the DNS console on that server, then go to the properties of the forward lookup zones and change the zone type to primary, non-Active Directory-integrated. This will create the DNS record files in the following path: C:\Windows\System32\DNS

The names of the files will be the same as your forward lookup zones. Now on the problem server, while in DSRM, open the DNS console and create the forward lookup zone with the same name. Make sure the zone is not Active Directory integrated. This will create a file in the same location on the problem server as well. Now stop the DNS service and copy the zone files from the other DNS server to the same location on the problem server, replacing the old files. Restart the server in normal mode and try to log in.

Try the steps above and let me know if it works out; otherwise I will think of some other solution.
SW111 (ASKER):

Ashutosapre:

Well, originally I had 2 DCs:
Primary DC (Server1) (50.0.0.11)
Secondary DC (Server2) (50.0.0.12)

Server1 was the problematic one, which is why I unplugged it and promoted Server2 to take the FSMO roles.

The problem now is that after taking the FSMO roles, it seems to have a problem with its DNS. I can't even add new forward & reverse zones.
Logging in takes about 3 attempts and 1 hour (it rejects the first 2 attempts, saying the domain is not found, although if I input the wrong password it will say so).

So for your proposed solution above, what IP should I use? (Server1 is already disconnected, and so should be taken out of the equation? So we're using Server2 only, with IP 50.0.0.12. What shall I change that to?)

Also, this Server2 IS "the other DC...."

Leon Fester:
OK, let's start from scratch... :)

You have how many functioning DCs currently, and on what DC(s) are your FSMO roles being hosted?  You mentioned that you have Seized the roles.  This assumes catastrophic failure of the DC which hosted those roles.  Make sure it stays offline.  Also, if you use DHCP, make sure you point your DNS servers to a server which is online and not the failed DC.

Because AD uses DNS for almost everything, you must make sure it is healthy.  Also, is your DNS AD integrated or not?  Finally, when you seized the roles, did you do a metadata cleanup to make sure the failed server is out of AD completely?

Metadata cleanup process: http://support.microsoft.com/kb/216498
DNS Best Practices for Server 2003: http://technet.microsoft.com/en-us/library/cc778439%28WS.10%29.aspx

DrUltima
SW111 (ASKER):

DrUltima, sounds good. Thanks....

Originally I had 3 DCs: 2 on the same site (50.0.0.0) and 1 on a different site (50.0.2.0).
There seems to be nothing wrong with the 50.0.2.0 site, so I will leave it as it is.

The original DC 50.0.0.11, named SERVER1, was the primary DC, AD, DNS & DHCP server in one. Other than not accepting new clients joining the domain, it seems to work fine.
BUT I have unplugged this server and seized the FSMO roles to the secondary DC.

The problem is now that Server2 doesn't have DNS (& DHCP). Login is difficult, I suspect because there is no DNS.

DNS is supposed to be integrated, so I don't understand why it's not being replicated to Server2 in the first place. DNS IS integrated in the original Server1.

I didn't run metadata cleanup after the role seizing, because it's not in the guide.

You will probably have guessed that I have no technical training in this, and mostly these are all done by following guides. Unfortunately, so far, MS guides have been somewhat unclear as they involve a lot of theory and tend to cover a lot of scenarios. So more detailed help would help me understand better what is going on.

Thank you
Good.  Leave SERVER1 unplugged.  Even though DNS is AD integrated, you still have to add those Roles to the server.  They do not manually appear.  On Server 2003, Start -> Manage Your Server.  Make sure DNS and DHCP roles are present.  If they are not, add them.  Cleaning up the metadata is not vital right now, but getting DNS and DHCP functioning on SERVER2 is.  DNS should be automatically set up as it is AD integrated.  You will have to manually build a new Scope on your DHCP addition.  Once we have those features running, we can then address your metadata and/or your older AD controller.

DrUltima
SW111 (ASKER):

DrUltima,
That is exactly where I start to worry. Failing to fix Server1, my fool-proof game plan was to unplug Server1 and promote Server2. BUT it's not so foolproof after all...

Adding DNS failed. Neither forward nor reverse zone can be added. It says data is invalid...
Sometimes it mentions the directory partition and other times it mentions the root holder (which I tried to add manually via the properties page of Server2 in the DNS window, but it didn't help).

If we're tackling the issues one by one, I agree with you that for now the most immediate one is to activate dns on server2

Thank you
You should not need to add any Zones in DNS.  What should happen is that you should add the DNS server role.  Then when the server talks to AD (itself), it should populate your forward and reverse lookup zones for you (assuming they were indeed, ad integrated).  What exact error failed when you tried to add the role (not the Zone)?  Are there any DNS related entries in your Event Logs (specifically, the system log)?

Unfortunately, seizing FSMO roles is the equivalent of taking a sledge hammer to AD to get a square peg into a round hole.  Will it work?  Yes.  Will it be painful and perhaps difficult?  Also, yes.  You cannot ever bring SERVER1 back online on your network, as it is now a rogue AD Controller.  It will have to be wiped and rebuilt before it can be added back to AD.  You also have to clean out the ghost entries from metadata (and probably should, as that can potentially cause DNS issues, too).

DrUltima
SW111 (ASKER):

I didn't actually add the role from the server role pop-up window (the one that pops up when W2K3 starts). But I tried adding something like "add DNS to AD" by right-clicking in the DNS window (not in the office right now, so I can't say for sure).
What I can say for sure is that that option basically asks for input for both the forward and reverse zone in one wizard. It ends up giving the same error as when I try to add the zones.

When I add the zones, the errors are mostly a 2-line, tiny Windows error box: "Adding zone failed. Data is invalid".
But occasionally it also says something about the directory partition not existing (and in fact, in the DNS window, if I right-click on one of the lines in the left-hand panel, there is an option to create this partition, but it doesn't work).

I haven't tried the clearing metadata option. Is this the same as clearing the cache? I've tried the clearing cache option but it doesn't seem to do anything.
Most importantly: are there any risks in running the clear metadata procedure?

Finally, my last-ditch-back-to-square-one game plan: system restore server2 to before seizing fsmo, THEN plug back in Server1. Is this going to be a problem?

Thank you
ASKER CERTIFIED SOLUTION
Justin Owens:
SW111 (ASKER):

DrUltima,

Ok. Slowing down to regroup. The thing is that I was supposed to send the new server (the one I've been trying to join into the domain) to a new branch in 2 days. Hence the urgency.

Sorry about not being able to view server2 right now, as I'm probably at a different timezone than you. It is 2am here. I will do this first thing tomorrow morning and post back.

Noted to scrap the last ditch plan :) somehow in my mind it was a possible scenario. But I'm always happy to listen to higher authority :)
Looks like a 12 hours offset from each other.  I normally don't look at EE of an evening, but I will check tonight.  If you can post an update by, let's say... 09:00 your time, which would be 21:00 my time, I will make it a point to look and respond.

DrUltima
SW111 (ASKER):

Hi, Good Morning DrUltima,

1. So in dnsmgmt, I see the server name: SERVER2, and under it:
Cached Lookup, Forward Lookup Zone, Reverse Lookup Zone, Event Viewer.

Fwd zone is empty
Reverse zone has some entries (subfolders, which I did NOT create and is NOT my domain)

Event Viewer>DNS Events show a bunch of Warning:
 
Event Type:	Warning
Event Source:	DNS
Event Category:	None
Event ID:	7062
Date:		5/10/2011
Time:		7:57:33 AM
User:		N/A
Computer:	SERVER02
Description:
The DNS server encountered a packet addressed to itself on IP address 10.0.0.12. The packet is for the DNS name "mycomputer.backbone.mydomain.com.". The packet will be discarded. This condition usually indicates a configuration error. 
 
Check the following areas for possible self-send configuration errors: 
  1) Forwarders list. (DNS servers should not forward to themselves). 
  2) Master lists of secondary zones. 
  3) Notify lists of primary zones. 
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server. 
  5) Root hints. 
 
Example of self-delegation: 
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com. 
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com, 
  (bar.example.microsoft.com NS dns1.example.microsoft.com) 
  -> BUT the bar.example.microsoft.com zone is NOT on this server. 
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record. 
 
You can use the DNS server debug logging facility to track down the cause of this problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 50 25 00 00               P%..

2. The partition I was talking about is the Application Directory Partition

3. On the "manage your server" window, DNS Server is shown already installed (So its already a role?)

4. Do you mind if I contact you directly via your email address?

Thank You
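The Event ID 7062 text above lists the configuration errors that make a DNS server send a query to itself. The following Python checker is an added example, not code from this thread or from Microsoft: it parses the BIND-style zone files that Windows DNS writes for file-backed zones (the files under C:\Windows\System32\DNS that the DSRM copy procedure earlier in the thread deals with) and reports checklist item 1 (a forwarder that is this server's own address) and item 4 (a subzone delegated back to this server while the subzone is not hosted here, detected by NS name or by glue address). Items 2 and 3 (master and notify lists) live in server configuration rather than zone files, so the script does not cover them. The host names follow the event's own example (dns1.example.microsoft.com, bar.example.microsoft.com); the addresses, forwarder list and zone contents are constructed for the demo.

```python
"""Self-send checker for Windows DNS zone data (Event ID 7062 items 1 and 4).

Added example, not code from the thread. It parses BIND-style zone files such
as the ones Windows DNS writes under C:\\Windows\\System32\\DNS for file-backed
zones and reports:
  - forwarders that name this server's own address (checklist item 1), and
  - delegations of a subzone whose NS record points back at this server
    while the subzone is not hosted here (checklist item 4).
All names, addresses and zone contents below are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# owner (blank on continuation lines), optional TTL, optional class, type, rdata
RECORD_RE = re.compile(r"^(\S*)\s+(?:\d+\s+)?(?:IN\s+)?(NS|A)\s+(\S+)\s*$", re.IGNORECASE)


@dataclass
class Zone:
    name: str                                              # apex, lowercase, no trailing dot
    ns: dict[str, set[str]] = field(default_factory=dict)  # owner -> NS targets
    a: dict[str, set[str]] = field(default_factory=dict)   # owner -> IPv4 addresses


def _fqdn(name: str, zone: str) -> str:
    """Expand @ and relative names to a lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return zone
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{zone}"


def parse_zone(zone_name: str, text: str) -> Zone:
    """Collect the NS and A records of one zone file; other record types are skipped."""
    zone = Zone(zone_name.lower().rstrip("."))
    owner = zone.name  # a blank owner field repeats the previous owner
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # SOA, $TTL, multi-line continuations, other record types
        own, rtype, rdata = m.groups()
        if own:
            owner = _fqdn(own, zone.name)
        if rtype.upper() == "NS":
            zone.ns.setdefault(owner, set()).add(_fqdn(rdata, zone.name))
        else:
            zone.a.setdefault(owner, set()).add(rdata)
    return zone


def find_self_send_issues(zones, self_names, self_ips, forwarders=()):
    """Return findings for forwarders and delegations that point back at this server.

    zones: Zone objects hosted on this server; self_names: FQDNs this server is
    known by; self_ips: its addresses; forwarders: configured forwarder IPs.
    """
    self_names = {n.lower().rstrip(".") for n in self_names}
    self_ips = set(self_ips)
    hosted = {z.name for z in zones}
    findings = []
    for fwd in forwarders:  # item 1: a server must not forward to itself
        if fwd in self_ips:
            findings.append(f"forwarder {fwd} is this server's own address")
    for z in zones:  # item 4: delegation NS naming us for a subzone we do not host
        for owner, targets in z.ns.items():
            if owner == z.name or owner in hosted:
                continue  # apex NS records, or a subzone we do host, are fine
            for target in targets:
                glue = z.a.get(target, set())
                if target in self_names or glue & self_ips:
                    findings.append(
                        f"zone {z.name}: delegation of {owner} to {target} points at "
                        f"this server, but {owner} is not hosted here"
                    )
    return findings


# Constructed sample modeled on the example in the Event ID 7062 text.
SAMPLE_ZONE = """\
@       IN  SOA dns1.example.microsoft.com. hostmaster.example.microsoft.com. (
                1      ; serial
                900    ; refresh
                600    ; retry
                86400  ; expire
                3600 ) ; minimum TTL
@       NS  dns1.example.microsoft.com.
dns1    A   50.0.0.12
bar     NS  dns1.example.microsoft.com.      ; delegation back to this server: self-send
baz     NS  ns.baz.example.microsoft.com.    ; healthy delegation to another server
ns.baz  A   50.0.2.10
"""

if __name__ == "__main__":
    parent = parse_zone("example.microsoft.com", SAMPLE_ZONE)
    for finding in find_self_send_issues(
        [parent], ["dns1.example.microsoft.com"], ["50.0.0.12"],
        forwarders=("50.0.0.12", "50.0.2.10"),
    ):
        print(finding)
```

On a real server you would call parse_zone once per .dns file in the DNS directory and pass all of the resulting zones together, because a delegation is only a self-send problem when the delegated subzone is absent from that same list.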
SW111 (ASKER):

Btw, when adding a fwd zone, this is what I get:

The zone cannot be replicated to all DNS Servers in the (null) AD domain because the required application directory partition does not exist
SW111 (ASKER):

Just saw this link:
http://support.microsoft.com/kb/938459

I get all the errors on that link. That was why I tried to change the dc in the first place.
So I guess I'm at step #1, because the "another" DNS server doesn't work.
SW111,

EE policy prohibits me from posting an email address for job solicitations, however you can contact me directly by using the "Hire Me" link on my Expert profile.  Any work related to this Question, I would insist, be able to be posted back here for the sake of the PAQ.

DrUltima
SW111 (ASKER):

DrUltima,

We solved it!!
It turns out that I was having the exact same problem as this person:
http://www.petri.co.il/forums/showthread.php?t=26637&page=6

And the solution is to run (see post by Kennhon #59):
netdom resetpwd /server:Server2 /userd:mydomain\Administrator /passwordd:*
Except that in my case I needed to change "Server2" to the IP address (probably because DNS was not working yet).

And after that reboot, and when I relogin, the dns filled itself and is back to its normal state.

Thank You so much for your help.
I sent you a message through the EE system, but evidently that will have to wait for the next chance. Would like to have worked with you though.

Kind Regards,
SW