stevebootes (United Kingdom) asked:
AD, DNS issues after adding Windows 2008R2 DC to existing Windows 2000 AD

I am in the process of migrating an existing domain from a Windows 2000 Domain Controller with Exchange 2003 to Windows 2008R2 with Exchange 2010.
I have configured a new Windows 2008R2 Hyper-V Guest onto the network using a static IP, with DNS pointing at the existing 2000 DC and joined the domain.  I ran adprep32 /forestprep and /domainprep /gpprep on the 2000 DC (from the 2008R2 media /support folder).  I then ran dcpromo on the 2008R2 machine which appeared to run successfully, apart from a message at the end of the process "A delegation for this DNS Server will not be created because the authoritative parent zone cannot be found or it does not support dynamic updates" which I ignored, as a quick search said the message was fine in a single domain.
Now I have the following issues:

Logging on to the 2008R2 machine using a domain account is very slow.
DNS resolution doesn't seem to work correctly - pinging the Windows 2000 DC by name doesn't return the correct IP address (just to confuse things, this site has an AD domain name set the same as their external DNS name, i.e. xyz.com).  So pinging windows2000dc.xyz.com returns the external IP address of the web server for the domain rather than the internal IP address.  Other 2008R2 member servers ping this internal machine by name just fine. NSLOOKUP returns the prompt "Default Server:  UnKnown, Address:  ::1" and doesn't resolve internal machine names correctly, but if I enter "server 192.9.205.10" (my 2000DC internal server IP) it resolves fine.  Is the strange [inherited] internal IP range causing a problem here?  The DNS server address in the LAN card settings is set to the IP of the 2000DC server, but it's like the system is completely ignoring this.
Event Viewer shows several events on the 2008 machine: DNS Server event 4512 "The DNS server was unable to create the built-in directory partition ForestDnsZones.xyz.com. The error was 9906." and again with DomainDnsZones.xyz.com.  I also have NTFRS event 13508 "The File Replication Service is having trouble enabling replication" and Directory Service event 1844 "The local domain controller could not connect with the following domain controller hosting the following directory partition to resolve distinguished names.", both indicating name resolution issues. (Correct, as name resolution doesn't appear to be working properly).
A search on these symptoms seems to reveal some commonality with other 2008R2 systems joining an existing 2000 AD domain, but with no real solutions.  Best advice so far has been to transfer the Domain Naming Master FSMO role from the 2000 DC to the 2008 DC, which I have done but with no change so far.
Anyone else done a Windows 2000 to Windows 2008R2 AD migration (or just join) that may have seen any of these issues?
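The symptoms above (nslookup defaulting to ::1, the old DC's name resolving to the public web address, DNS event 4512 for the directory partitions) come down to two questions: which server is the new DC actually asking, and what can the source server hand it? The PowerShell below is an added example, not code from the thread, and runs the pre-flight checks a practitioner would want on the new 2008 R2 DC: the real per-adapter DNS search order including the IPv6 entries the IPv4 properties page hides, the IPv6 DisabledComponents value, whether the source DC's FQDN resolves to its internal address, which zones on the source server are file-backed rather than AD-integrated (a Standard Primary zone is never replicated through AD, so it never appears on the new DC however long you wait), and whether the DC locator SRV records are present. It assumes the domain reynard-aviation.com and source address 192.9.205.10 that appear later in the thread, a hypothetical source hostname win2000dc, and the row format dnscmd /enumzones prints on 2008 R2.

```powershell
# Added example (not from the thread). Pre-flight DNS checks on a newly promoted
# 2008 R2 DC. Assumed values: domain reynard-aviation.com, source DC 192.9.205.10
# (both on the page), source DC hostname "win2000dc" (hypothetical).
param(
    [string]$Domain   = 'reynard-aviation.com',
    [string]$SourceDc = 'win2000dc',
    [string]$SourceIp = '192.9.205.10'
)

$findings = @()
function Add-Finding([string]$Level, [string]$Text) {
    $script:findings += New-Object PSObject -Property @{ Level = $Level; Text = $Text }
    Write-Host ("[{0}] {1}" -f $Level, $Text)
}

# 1. Per-adapter DNS client search order, including the IPv6 entries that the
#    adapter's IPv4 properties page does not show. "::1" or 127.0.0.1 at the top
#    means the new DC queries its own, still empty, DNS service first.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $order = @($nic.DNSServerSearchOrder)
    Add-Finding 'INFO' ("{0}: DNS order = {1}" -f $nic.Description, ($order -join ', '))
    if ($order.Count -gt 0 -and $order[0] -ne $SourceIp) {
        Add-Finding 'WARN' ("first DNS server is {0}, expected the source DC {1}" -f $order[0], $SourceIp)
    }
    foreach ($srv in $order) {
        if ($srv -eq '::1' -or $srv -eq '127.0.0.1') {
            Add-Finding 'WARN' ("loopback DNS entry {0} on {1}" -f $srv, $nic.Description)
        }
    }
}

# 2. IPv6 state from the registry (value absent = IPv6 fully enabled).
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc6 = (Get-ItemProperty -Path $tcpip6 -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc6) { Add-Finding 'INFO' 'DisabledComponents not set; IPv6 is enabled' }
else { Add-Finding 'INFO' ('DisabledComponents = 0x{0:x}' -f $dc6) }

# 3. Does the source DC's FQDN resolve to its internal address? With a split-horizon
#    name (AD domain == public domain) the public web server's address comes back
#    whenever the query ends up at an external resolver.
function Test-InternalResolution([string]$Name, [string]$Expected) {
    try { $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.ToString() } }
    catch { return $false }
    return ([string[]]$addrs -contains $Expected)
}
$fqdn = "$SourceDc.$Domain"
if (Test-InternalResolution $fqdn $SourceIp) { Add-Finding 'OK' "$fqdn -> $SourceIp" }
else { Add-Finding 'FAIL' "$fqdn does not resolve to $SourceIp" }

# 4. Zone storage on the source server. A file-backed ("Standard Primary") zone is
#    never replicated through AD. Row format of "dnscmd /enumzones" on 2008 R2 assumed:
#      " reynard-aviation.com   Primary   File"   vs   "...   Primary   AD-Domain   Secure"
function Get-DnsZoneStorage([string]$Server) {
    $zones = @()
    foreach ($line in (& dnscmd $Server /enumzones 2>&1)) {
        if ("$line" -match '^\s*(\S+)\s+(Primary|Secondary|Stub|Cache|Forwarder)\s+(\S+)') {
            $zones += New-Object PSObject -Property @{ Name = $matches[1]; Type = $matches[2]; Storage = $matches[3] }
        }
    }
    return $zones
}
foreach ($z in (Get-DnsZoneStorage $SourceIp)) {
    if ($z.Type -eq 'Primary' -and $z.Storage -eq 'File') {
        Add-Finding 'FAIL' ("{0} on {1} is a file-backed primary zone; convert it to AD-integrated" -f $z.Name, $SourceIp)
    } else {
        Add-Finding 'INFO' ("zone {0}: {1} / {2}" -f $z.Name, $z.Type, $z.Storage)
    }
}

# 5. DC locator SRV records on the source: both DCs should be listed.
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $SourceIp 2>&1 | Out-String
$dcs = [regex]::Matches($srv, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
if ($dcs) { Add-Finding 'OK' ("DC SRV records: {0}" -f ($dcs -join ', ')) }
else      { Add-Finding 'FAIL' "no _ldap._tcp.dc._msdcs SRV records returned by $SourceIp" }

"`nSummary:"
$findings | Where-Object { $_.Level -ne 'INFO' } | Format-Table Level, Text -AutoSize
```

Run it elevated on the new DC before and after any change; the zone-storage check (step 4) is the one that decides whether waiting for replication can ever succeed, and it is the check that is easy to skip when the console has already been told the zone is "AD Integrated".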
ASKER CERTIFIED SOLUTION by Miguel Angel Perez Muñoz (Spain) - solution text available to members only.
DNS is not working correctly, run dcdiag /test:dns from your new DC and post the output along with an ipconfig/all


stevebootes (ASKER):
@Drashiel: AD Integrated DNS.  2008R2 has been DCPROMO'd into the domain.

Disabled IPv6 and was instantly able to ping the Windows 2000 DC by name (and have the correct IP returned).  I've rebooted the 2008R2 server and got an instant domain login, SYSVOL and NETLOGON shares have now appeared too.  I haven't seen anything different in DNS, although the Event Viewer says that it's creating the zones now, they just haven't appeared yet.  NTFRS says it has enabled replication after repeated retries.

@MojoTech: dcdiag /test:dns now runs through and passes, after disabling IPv6.

I'll give this server a little time to replicate and report back.  I'll post back IPCONFIG and DCDIAG results if it's still giving issues.
OK, AD seems to be replicating properly but I still haven't got any zones showing in DNS.  I've attached the output of ipconfig /all, dcdiag /test:DNS, dcdiag and repadmin /showrepl.

(The IP addresses in the DCDIAG logs (208.67.220.220, 208.67.222.222, 212.23.3.100, 212.23.6.100) are the DNS forwarders, by the way).

It's been over 3 hours since DNS was restarted, I would have expected it to have replicated by now.

dcdiag.txt
dcdiag-dns.txt
ipconfig.txt
showrepl.txt
Do the DNS zones exist on any DNS servers? Clarify whether they exist but are not replicating, or whether they simply do not exist at all.

(Will go through these outputs now)
192.9.205.10

Is that your original 2000 DC? is that functioning OK at this time?

Does that contain the following zones in DNS.....

_msdcs.reynard-aviation.com
reynard-aviation.com

?



Yes, forward and reverse zones exist on the Win2000 DC DNS.
Yes, 192.9.205.10 is the 2000 DC.
Seems to be functioning ok..

Yes, those zones exist.
Both servers (2000DC and 2008DC) show up with Service Location records in the _tcp folders.
SOLUTION - full text available to members only.
Are user/computer objects replicating OK?
Yes. Created a user on 2008DC, can see it in 2000 DC
Have you tried a simple server restart?
Yes - several!
Have you done the below reg hack as well as un-ticking IPv6 in the network properties?
Unticked IPv6 initially, as per Drashiel's suggestion, which made AD replicate OK and fixed DNS resolution.  Have applied the reg hack and restarted.
Then see if the 2008 DNS MMC is able to connect to the server OK?
2008 DNS MMC will connect to 2000 DNS
2000 MMC will NOT connect to 2008 DNS
Try creating a new made-up zone from the 2008 server and see if that replicates the other way, then try deleting it from the 2000 server and check replication again.
New zone created on 2008 DC replicates to 2000 DC.

Rebooting now for registry changes to take effect.
OK, well, I wonder then if you should maybe just create the zones manually on the 2008 box.

Firstly point the 2008 domain controller to itself for DNS then type the following command

"net stop netlogon && net start netlogon"

If that does nothing then create the below 2 zones as separate ad integrated zones.

_msdcs.reynard-aviation.com
reynard-aviation.com

once done type again the following

"net stop netlogon && net start netlogon" at the command prompt

These zones may well populate, but if not then go through making the 2008 box the primary DNS for client machines and member servers. Might as well, as this is now the FSMO role holder; then look at reducing the DNS function of the 2000 box with a view to decommissioning it totally.




Well, red faces all round here..

You know I said that it was definitely an AD-integrated DNS..
Yep, you've guessed - it's not.  What a muppet!
I just noticed the 'type' field when I added the extra zone in that said "Active Directory Integrated". Then the original zone sat next to it said "Standard Primary".  Changed to AD Integrated and it replicated almost immediately.
Who sets up a DC without AD-integrated DNS?! Serves me right for not double-checking I guess.

Sorry for wasting your time on this MojoTech.  Still, the IPv6 issue caused the initial problem, so it wasn't all made up by me.
What should I be doing with IPv6 - leaving it disabled? Do I need the registry fix too? (I used DisabledComponents=0xffffffff.)  There are two other member servers (not DCs) being introduced to this network too - should they also have IPv6 disabled?
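MojoTech's procedure (point the DC at itself for DNS, restart Netlogon, create the two zones as AD-integrated) and the finding just above (the source zone was a Standard Primary, so it could not replicate until its type was changed) fit together as one remediation. The PowerShell below is an added example, not the thread's code: it converts any file-backed zone on the source server to AD-integrated with dnscmd /zoneresettype (the command-line equivalent of the zone-type change made in the console), creates a zone on the new DC only when the source holds no zone of that name at all, sets the DNS client order, restarts Netlogon, and polls the local DNS server until the zone arrives through AD replication. On the IPv6 question: if IPv6 is to stay disabled, the value Microsoft documents for "all components except loopback" is DisabledComponents=0xff; 0xffffffff is documented as adding a start-up delay (KB 929852), so the script writes 0xff when -DisableIPv6 is given. Assumed: the domain and source address from the thread, a hypothetical new-DC address 192.9.205.20 and interface name "Local Area Connection", that dnscmd /zoneresettype works over RPC against the 2000 DNS server, and the wording "DS integrated = 1" in dnscmd /zoneinfo output.

```powershell
# Added example (not from the thread). Remediation on the new 2008 R2 DC, run
# elevated. Assumed values: domain reynard-aviation.com and source DC 192.9.205.10
# (on the page); new DC address 192.9.205.20 and interface name
# "Local Area Connection" (hypothetical, adjust to your own).
param(
    [string]$Domain   = 'reynard-aviation.com',
    [string]$SourceIp = '192.9.205.10',
    [string]$SelfIp   = '192.9.205.20',
    [string]$Iface    = 'Local Area Connection',
    [switch]$DisableIPv6
)
$zones = @("_msdcs.$Domain", $Domain)   # both must be AD-integrated to replicate

# Exit code of "dnscmd <server> /zoneinfo <zone>" tells whether the zone exists there.
function Test-ZoneExists([string]$Server, [string]$Zone) {
    & dnscmd $Server /zoneinfo $Zone 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# "DS integrated = 1" in the /zoneinfo output (line format assumed) means AD-integrated.
function Test-ZoneDsIntegrated([string]$Server, [string]$Zone) {
    $info = & dnscmd $Server /zoneinfo $Zone 2>&1 | Out-String
    return ($info -match 'DS integrated\s*=\s*1')
}

# Same change as switching "Standard Primary" to "Active Directory Integrated" in
# the DNS console, done over RPC against the source server.
function Convert-ZoneToDsPrimary([string]$Server, [string]$Zone) {
    $out = & dnscmd $Server /zoneresettype $Zone /DsPrimary 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "zoneresettype $Zone on $Server failed: $out" }
}

# MojoTech's alternative: create the zone on the new DC as AD-integrated. Only safe
# when the source does not already hold a file-backed copy of the same name.
function New-DsPrimaryZone([string]$Zone) {
    $out = & dnscmd . /zoneadd $Zone /DsPrimary 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "zoneadd $Zone failed: $out" }
}

# DNS client order: this DC first, the source DC second; then re-register SRV records.
function Set-DcDnsClient {
    netsh interface ipv4 set dnsservers name="$Iface" source=static address=$SelfIp register=primary | Out-Null
    netsh interface ipv4 add dnsservers name="$Iface" address=$SourceIp index=2 | Out-Null
    ipconfig /flushdns | Out-Null
    Restart-Service Netlogon    # equivalent of "net stop netlogon && net start netlogon"
}

# Poll the local DNS server until the zone arrives through AD replication.
function Wait-ZoneReplicated([string]$Zone, [int]$TimeoutSec = 900) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (Test-ZoneDsIntegrated '.' $Zone) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

# If IPv6 really has to go, use 0xff (every component except the loopback interface);
# 0xffffffff is the value Microsoft documents as adding a start-up delay (KB 929852).
function Set-IPv6DisabledComponents {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    Set-ItemProperty -Path $key -Name DisabledComponents -Value 0xff -Type DWord
}

# --- main flow ---
foreach ($z in $zones) {
    if (-not (Test-ZoneExists $SourceIp $z)) {
        Write-Host "$z not on $SourceIp; creating it here as AD-integrated"
        New-DsPrimaryZone $z
    } elseif (-not (Test-ZoneDsIntegrated $SourceIp $z)) {
        Write-Host "$z on $SourceIp is file-backed; converting to AD-integrated"
        Convert-ZoneToDsPrimary $SourceIp $z
    }
}
Set-DcDnsClient
foreach ($z in $zones) {
    if (Wait-ZoneReplicated $z) { Write-Host "OK   $z is now AD-integrated on this DC" }
    else { Write-Warning "$z has not arrived; check repadmin /showrepl and dcdiag /test:dns" }
}
if ($DisableIPv6) { Set-IPv6DisabledComponents; Write-Warning 'reboot required for DisabledComponents to apply' }
& dcdiag /test:dns | Select-String -Pattern 'passed|failed'
```

If _msdcs.<domain> is only a sub-domain inside the main zone on the source rather than a separate zone, creating it as its own zone on the new DC needs a delegation from the parent zone, which is the situation the dcpromo warning in the original question was describing. The DisabledComponents change takes effect only after a reboot, and the script deliberately does not apply it unless asked.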
Ah well, at least it's fixed. Leave IPv6 off until your network supports it, now that it's off already. I actually thought about asking you to check the zone type but decided it would be too patronising. I got as far as typing it in comment 36415033 too; I wish I had left it in now. ;)



Sometimes we all need to be patronised!

Thanks for all your help with this MojoTech, much appreciated.  Your diagnostics did point me back at the Zone Type which I'd overlooked/assumed so you got me back on track in the end.

With regards to points, Drashiel came back within 25 minutes suggesting disabling IPv6 which was the key to AD replication, but MojoTech has stuck with it and forced me to check my DNS zone type which sorted DNS replication.  I hope both are happy if I split the points that way.

Thanks to all.
Would have been sorted sooner if I hadn't made assumptions about my source DNS server setup!