Solved

windows 2003 active directory dns post-fsmo problem

Posted on 2011-05-09
787 Views
Last Modified: 2012-05-11
I NEED HELP URGENTLY PLEASE.
PLEASE LOOK AT MY PREVIOUS PROBLEM (link below):

I've posted a problem on
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27024480.html#a35718251

I followed the guide there, but after seizing FSMO it turns out that on SERVER2 the DNS and DHCP part is not replicated.
I tried creating DNS but the result is an error box saying:
"The zone cannot be created. The data is invalid".

What do I do now?

Thank You
Question by:SW111
18 Comments
 

Author Comment

by:SW111
ID: 35718699
Update:

I tried rebooting the system, and now I ended up not being able to login to the system at all.
It says my domain does not exist.
 
LVL 7

Expert Comment

by:ashutoshsapre
ID: 35719035
Do you still have the old DNS and another DC? (I am considering you have)

Reboot the server; after the BIOS POST press F8 to get the boot menu options. Boot into "Directory Services Restore Mode" (DSRM) and log in using the DSRM credentials. (Username: Administrator)
Change the primary DNS IP of your server in the network connection properties to that of a working DNS on the domain, save the changes and then reboot the server in the normal mode. You should be able to log in.
Another way is, if you have another DC and DNS then go to the DNS console on that server and then go to the properties of the forward lookup zones, change the zone type to primary non-active directory integrated. This will create the DNS record files on the following path :  C:\Windows\System32\DNS

the name of the files will be the same as your forward lookup zones. Now on the problem server while in DSRM open the DNS console, and create the forward lookup zone by the same name. Make sure the zone is not active directory integrated. Now this will create a file on the same location on the problem server as well. Now stop the DNS service and copy the zones from the other DNS server to the same location on the problem server thus replacing the old files. Restart the server in normal mode and try to login.

Try the steps above and let me know if it works out; otherwise we will think of some other solution.
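Before converting zones to standard primary or overwriting zone files on the problem server, as the post above proposes, a practitioner would first take a file copy of every zone the surviving DNS server still holds. The following PowerShell script is an added example, not code from the thread or from either participant; it assumes the Windows Server 2003 Support Tools (dnscmd) are installed, and the server and zone names it uses are constructed from the thread's example addresses.

```powershell
# Added example (not from the thread): export each zone on the surviving DNS server
# to a standard zone file before any zone-type change or file replacement.
# dnscmd /ZoneExport writes the file under %SystemRoot%\System32\dns on the
# DNS server and does not change the zone's type or its AD storage.
# Assumption: Windows Server 2003 Support Tools (dnscmd) are installed.

param(
    [string]   $DnsServer = "SERVER2",                                  # assumption: the surviving DC/DNS
    [string[]] $Zones     = @("mydomain.com", "0.0.50.in-addr.arpa")    # assumption: example zone names
)

$stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$dnsDir  = Join-Path $env:SystemRoot "System32\dns"
$results = @{}

foreach ($zone in $Zones) {
    # The export file name is relative to System32\dns on the DNS server.
    $file = "$zone.$stamp.bak"
    $out  = & dnscmd $DnsServer /ZoneExport $zone $file 2>&1
    $results[$zone] = ($LASTEXITCODE -eq 0)
    if ($results[$zone]) {
        Write-Host "exported $zone -> $(Join-Path $dnsDir $file)"
    } else {
        Write-Host "export of $zone failed: $out" -ForegroundColor Yellow
    }
}

# Summary: only zones that exported cleanly are safe to convert or overwrite next.
$results.GetEnumerator() | Sort-Object Name |
    Format-Table Name, @{ n = "Exported"; e = { $_.Value } } -AutoSize
```

Run it at an elevated prompt on the DNS server itself (or from a workstation with the Support Tools, giving the server name). Keeping the export timestamped means a second run never overwrites the first copy.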
 

Author Comment

by:SW111
ID: 35719214
Ashutosapre:

Well, originally I have 2 DC:
Primary DC (Server1)(50.0.0.11)
Secondary DC (Server2)(50.0.0.12)

Server1 was the problematic one, which is why I unplugged it and promoted Server2 to take the FSMO roles.

The problem now is that after taking the FSMO role, it seems to have a problem with its DNS. I can't even add a new forward or reverse zone.
Logging in takes about 3 attempts and 1 hour. (It will reject the first 2 attempts, saying the domain is not found, although if I input the wrong password it will say so.)

So on your proposed solution above, what IP should I use? (Server1 is already disconnected, and so should be taken out of the equation? so we're using server2 only with ip 50.0.0.12. What shall I change that to?)

Also, this server2 IS "the other DC.... "




 
LVL 26

Expert Comment

by:Leon Fester
ID: 35720125
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35720191
OK, let's start from scratch... :)

You have how many functioning DCs currently, and on what DC(s) are your FSMO roles being hosted?  You mentioned that you have Seized the roles.  This assumes catastrophic failure of the DC which hosted those roles.  Make sure it stays offline.  Also, if you use DHCP, make sure you point your DNS servers to a server which is online and not the failed DC.

Because AD uses DNS for almost everything, you must make sure it is healthy.  Also, is your DNS AD integrated or not?  Finally, when you seized the roles, did you do a metadata cleanup to make sure the failed server is out of AD completely?

Metadata cleanup process: http://support.microsoft.com/kb/216498
DNS Best Practices for Server 2003: http://technet.microsoft.com/en-us/library/cc778439%28WS.10%29.aspx

DrUltima
 

Author Comment

by:SW111
ID: 35721114
DrUltima, sounds good. Thanks....

Originally I have 3 dc. 2 on the same site (50.0.0.0) and 1 on a different site (50.0.2.0).
There seems to be nothing wrong with 50.0.2.0 site, so I will leave it as it is.

The original DC 50.0.0.11, named SERVER1, was the primary DC, AD, DNS & DHCP server in one. Other than not accepting new clients joining the domain, it seemed to work fine.
BUT I have unplugged this server and seized the FSMO role to the secondary DC.

The problem is now Server2 doesn't have DNS (& DHCP). Login is difficult, I suspect because there is no DNS.

DNS is supposed to be integrated, so I don't understand why it's not being replicated to Server2 in the first place. DNS IS integrated in the original Server1.

I didn't run metadata cleanup after the role seizing, because it's not in the guide.

You will probably have guessed that I have no technical training in this and mostly these are all done by following guides. Unfortunately, so far, MS guides have been somewhat unclear as they involve a lot of theory and tend to cover a lot of scenarios. So more detailed help will help me better understand what is going on.

Thank you
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35721296
Good.  Leave SERVER1 unplugged.  Even though DNS is AD integrated, you still have to add those Roles to the server.  They do not manually appear.  On Server 2003, Start -> Manage Your Server.  Make sure DNS and DHCP roles are present.  If they are not, add them.  Cleaning up the metadata is not vital right now, but getting DNS and DHCP functioning on SERVER2 is.  DNS should be automatically set up as it is AD integrated.  You will have to manually build a new Scope on your DHCP addition.  Once we have those features running, we can then address your metadata and/or your older AD controller.

DrUltima
 

Author Comment

by:SW111
ID: 35721434
DrUltima,
That is exactly where I start to worry. Failing to fix server1, my fool-proof gameplan was to unplug server 1 and promote server2. BUT it's not so foolproof after all...

Adding DNS failed. Neither forward nor reverse zone can be added. It says data is invalid...
Sometimes it mentions the directory partition and other times it mentions the root holder (which I tried to add manually via the properties page of Server2 in the DNS window, but it didn't help).

If we're tackling the issues one by one, I agree with you that for now the most immediate one is to activate dns on server2

Thank you
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35721750
You should not need to add any Zones in DNS.  What should happen is that you should add the DNS server role.  Then when the server talks to AD (itself), it should populate your forward and reverse lookup zones for you (assuming they were indeed, ad integrated).  What exact error failed when you tried to add the role (not the Zone)?  Are there any DNS related entries in your Event Logs (specifically, the system log)?

Unfortunately, seizing FSMO roles is the equivalent of taking a sledge hammer to AD to get a square peg into a round hole.  Will it work?  Yes.  Will it be painful and perhaps difficult?  Also, yes.  You cannot ever bring SERVER1 back online on your network, as it is now a rogue AD Controller.  It will have to be wiped and rebuilt before it can be added back to AD.  You also have to clean out the ghost entries from metadata (and probably should, as that can potentially cause DNS issues, too).

DrUltima
 

Author Comment

by:SW111
ID: 35722152
I didn't actually add the role from the server role pop-up window (the one that pops up when W2K3 starts). But I tried adding something like "add DNS to AD" by right-clicking in the DNS window. (Not in the office right now, so I can't say for sure.)
What I can say for sure is that that option basically asks for input for both forward and reverse zone in one wizard. It ends up giving the same error as when I try to add the zones.

When I add the zones, the errors are mostly a 2-line, tiny Windows error box: "adding zone failed. Data is invalid".
But occasionally it also says something about the directory partition not existing (and in fact, in the DNS window, if I right-click on one of the lines in the left-hand panel, there is an option to create this partition, but it doesn't work).

I haven't tried the clearing metadata option. Is this the same as clearing the cache? I've tried the clearing cache option but it doesn't seem to do anything.
Most importantly: are there any risks in running the clear metadata procedure?

Finally, my last-ditch-back-to-square-one game plan: system restore server2 to before seizing fsmo, THEN plug back in Server1. Is this going to be a problem?

Thank you
 
LVL 31

Accepted Solution

by:
Justin Owens earned 2000 total points
ID: 35722572
I think it best to slow down a little and regroup.  First, if I am understanding your scenario correctly, you have only one functioning DC: SERVER2.  Apparently you had a failure with SERVER1 which caused you to seize the Roles to SERVER2.  This, in-and-of-itself is not an issue.  AD was designed to function in this scenario.  You really need to be at the console (physically or remoted in) at SERVER2 to progress with this discussion.  It sounds like the DNS Role is already installed on your SERVER2.  If this is the case, you should already see your domain listed in the DNS snap-in, with both forward and reverse lookup zones.  What do you see when you look at the DNS snap in and point it to SERVER2?

As far as your "last-ditch-back-to-square-one game plan".  I highly discourage this action.  It can, and most likely will, cause you even more headache than you are currently experiencing.  How long before you will be able to look at SERVER2 and respond while viewing it?

DrUltima
 

Author Comment

by:SW111
ID: 35722839
DrUltima,

Ok. Slowing down to regroup. The thing is that I was supposed to send the new server (the one I've been trying to join into the domain) to a new branch in 2 days. Hence the urgency.

Sorry about not being able to view server2 right now, as I'm probably at a different timezone than you. It is 2am here. I will do this first thing tomorrow morning and post back.

Noted to scrap the last ditch plan :) somehow in my mind it was a possible scenario. But I'm always happy to listen to higher authority :)
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35723033
Looks like a 12-hour offset from each other.  I normally don't look at EE of an evening, but I will check tonight.  If you can post an update by, let's say... 09:00 your time, which would be 21:00 my time, I will make it a point to look and respond.

DrUltima
 

Author Comment

by:SW111
ID: 35725600
Hi, Good Morning DrUltima,

1. So in dnsmgmt, I see the server name: SERVER2, and under it:
Cached Lookup, Forward Lookup Zone, Reverse Lookup Zone, Event Viewer.

Fwd zone is empty
Reverse zone has some entries (subfolders, which I did NOT create and is NOT my domain)

Event Viewer>DNS Events show a bunch of Warning:
 
Event Type:	Warning
Event Source:	DNS
Event Category:	None
Event ID:	7062
Date:		5/10/2011
Time:		7:57:33 AM
User:		N/A
Computer:	SERVER02
Description:
The DNS server encountered a packet addressed to itself on IP address 10.0.0.12. The packet is for the DNS name "mycomputer.backbone.mydomain.com.". The packet will be discarded. This condition usually indicates a configuration error. 
 
Check the following areas for possible self-send configuration errors: 
  1) Forwarders list. (DNS servers should not forward to themselves). 
  2) Master lists of secondary zones. 
  3) Notify lists of primary zones. 
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server. 
  5) Root hints. 
 
Example of self-delegation: 
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com. 
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com, 
  (bar.example.microsoft.com NS dns1.example.microsoft.com) 
  -> BUT the bar.example.microsoft.com zone is NOT on this server. 
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record. 
 
You can use the DNS server debug logging facility to track down the cause of this problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 50 25 00 00               P%..


2. The partition I was talking about is the Application Directory Partition

3. On the "manage your server" window, DNS Server is shown already installed (So its already a role?)

4. Do you mind if I contact you directly via your email address?

Thank You
 

Author Comment

by:SW111
ID: 35725688
Btw, when adding a fwd zone, this is what I get:

The zone cannot be replicated to all DNS Servers in the (null) AD domain because the required application directory partition does not exist
 

Author Comment

by:SW111
ID: 35725857
Just saw this link:
http://support.microsoft.com/kb/938459

I get all the errors on that link. That was why I tried to change the DC in the first place.
So I guess I'm at step #1, because the "other" DNS server doesn't work.
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35728617
SW111,

EE policy prohibits me from posting an email address for job solicitations, however you can contact me directly by using the "Hire Me" link on my Expert profile.  Any work related to this Question, I would insist, be able to be posted back here for the sake of the PAQ.

DrUltima
 

Author Closing Comment

by:SW111
ID: 35729304
DrUltima,

We solved it!!
It turns out that I'm having the exact same problem with this person:
http://www.petri.co.il/forums/showthread.php?t=26637&page=6

And the solution is to run (see post by Kennhon #59):
netdom resetpwd /server:Server2 /userd:mydomain\Administrator /passwordd:*
Only that in my case I need to change "Server2" to IP Address (probably because DNS not working yet)

And after that reboot, and when I relogin, the dns filled itself and is back to its normal state.

Thank You so much for your help.
I sent you a message through the EE system, but evidently that will have to wait for the next chance. Would like to have worked with you though.

Kind Regards,
SW
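The thread's diagnosis ran across several posts: confirm which DC holds the seized roles, confirm the surviving DC's own secure channel is healthy (the reason `netdom resetpwd` fixed it), confirm the DNS application directory partitions exist (the "required application directory partition does not exist" error), and read the DNS Server event log (event 7062 was posted above). The following PowerShell script is an added example that gathers those read-only checks in one place; it is not code from the thread or from either participant. It assumes the Windows Server 2003 Support Tools (netdom, nltest, dnscmd, repadmin) are installed on the DC, and the domain, server name and IP are placeholders taken from the thread's examples. It never executes the remedy; it only prints it for the operator to review.

```powershell
# Added example (not from the thread): read-only post-seizure health checks for a
# Windows Server 2003 DC, run at an elevated prompt on the surviving DC.
# Assumption: Support Tools (netdom, nltest, dnscmd, repadmin) are installed.

param(
    [string]$Domain = "mydomain.com",   # assumption: domain taken from the thread's example names
    [string]$DcName = "SERVER2",        # the surviving DC
    [string]$DcIp   = "50.0.0.12"       # its address, as given in the thread
)

function Invoke-Check {
    # Runs one check, prefixes its output, and keeps going if the tool is missing.
    param([string]$Title, [scriptblock]$Cmd)
    Write-Host "`n=== $Title ===" -ForegroundColor Cyan
    try   { & $Cmd 2>&1 | ForEach-Object { "  $_" } }
    catch { Write-Host "  check failed: $_" -ForegroundColor Yellow }
}

# 1. Who holds the five FSMO roles now? After a seizure every role should list
#    the surviving DC, and the unplugged DC must not appear anywhere.
Invoke-Check "FSMO role holders" { netdom query fsmo }

# 2. Is the DC's own machine-account secure channel healthy? The thread's fix
#    (netdom resetpwd) addresses exactly the case where this check fails.
Invoke-Check "Secure channel to $Domain" { nltest /sc_verify:$Domain }

# 3. AD-integrated zones live in the DomainDnsZones/ForestDnsZones application
#    partitions; the "required application directory partition does not exist"
#    error from the thread means they are missing from this list.
Invoke-Check "DNS application directory partitions" { dnscmd $DcName /EnumDirectoryPartitions }
Invoke-Check "Zones loaded by the DNS server"       { dnscmd $DcName /EnumZones }

# 4. Replication partners still list the dead DC until metadata cleanup is done.
Invoke-Check "Replication status" { repadmin /showrepl $DcName }

# 5. Non-informational DNS Server events from the last day; 7062 (self-send)
#    is the warning posted in the thread.
Invoke-Check "Recent DNS Server events" {
    Get-EventLog -LogName "DNS Server" -After (Get-Date).AddDays(-1) |
        Where-Object { $_.EntryType -ne "Information" } |
        Select-Object TimeGenerated, EventID, EntryType |
        Format-Table -AutoSize | Out-String
}

# 6. The remedy the thread settled on, printed (not run) so the operator decides.
Write-Host "`nIf the secure-channel check above fails, the remedy used in the thread was:" -ForegroundColor Green
Write-Host "  netdom resetpwd /server:$DcIp /userd:$Domain\Administrator /passwordd:*"
Write-Host "  (run on the surviving DC itself, then reboot; the IP form was used because DNS was down)"
```

Run the checks before and after the reset and reboot: the second run should show the secure channel verified, the application partitions listed, and the forward lookup zone populated, which is the "dns filled itself" state the closing comment describes.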
