Solved

No DNS forward zone in a new DC

Posted on 2011-09-30
Last Modified: 2012-08-13
Hello experts,

We have an old Windows Server 2003 SP2 DC (192.168.100.100). I have recently added a new Windows 2008 R2 SP1 DC (192.168.100.103).

I am having some errors when using NetDiag in 2003 like:

[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.100.103'. Please wait for 30 minutes for DNS server replication.

Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'RESALAGROUP' is broken. [ERROR_NO_LOGON_SERVERS]

I have opened DNS console in the 2008 server, and I found that there are no forward zones, only two reverse zones are available there.

Shall I add a forward zone manually in order to solve this? If yes, which kind of forward zones shall I select? And how to replicate DNS entries from the old server?
Question by:Muhajreen
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36895489
It seems that replication is not completed; there is no need to manually create the forward lookup zone if the zone is an Active Directory integrated zone. It seems your zone is an Active Directory integrated zone, as the reverse zone is replicated.

Check the DNS setting on the new server; it should point to itself. If a public IP address is added in the NIC DNS setting, remove it and add it to the DNS forwarders if required. If 127.0.0.1 is entered as DNS, remove it and add the IP address. Also point the alternate DNS server entry to the old DC.

Check the NIC binding: the NIC which is online and has IP details should be first in order. If multiple NICs are present, disable the unrequired NICs. Once the setting is done, reboot the DC, wait a few minutes and check if the zone information is available.

Run repadmin /syncall /AdeP to force the replication and check. If the DNS zone info is still not loaded, post the dcdiag /q and repadmin /replsum output of the new DC.

 

Author Comment

by:Muhajreen
ID: 36895623
Thank you. Here is the new server IP config:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\me>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SalHoExchange
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DFE-538TX 10/100 Adapter
   Physical Address. . . . . . . . . : XXXXXX
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::48a0:9c3f:c0a1:d613%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.100.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.254
   DHCPv6 IAID . . . . . . . . . . . : 251659613
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-AC-39-9B-00-05-5D-D2-F1-6E

   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.100.103
                                       192.168.100.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{8A98CCB4-5057-4B79-86B8-48AE6EAF0343}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

After rebooting new server, I tried:

C:\Windows\system32>repadmin.exe /syncall /AdeP
Syncing all NC's held on SalHoExchange.
Syncing partition: DC=ForestDnsZones,DC=domain,DC=com
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=SALHODC,CN=Servers
,CN=SALHO,CN=Sites,CN=Configuration,DC=domain,DC=com (network error): 1722
(0x6ba):
    The RPC server is unavailable.
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=SALHOEXCHANGE,CN=S
ervers,CN=SALHO,CN=Sites,CN=Configuration,DC=domain,DC=com (network error):
 1722 (0x6ba):
    The RPC server is unavailable.

SyncAll exited with fatal Win32 error: 8440 (0x20f8):
    The naming context specified for this replication operation is invalid.

SALHODC is the old server.
SALHOEXCHANGE is the new server.

Old server doesn't have IPV6. Is it ok then?
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36895692
It seems that the firewall is on on the DC; turn off Windows Firewall on both DCs and reboot.
http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

After the reboot, run dcdiag /q and repadmin.exe /syncall /AdeP again. Make sure that both DCs ping each other.

Below ports should be open on the firewall.
Port Assignments for Active Directory Replication

Service Name    UDP    TCP
LDAP            389    389
LDAP                   636
GC                     3268
Kerberos        88     88
DNS             53     53
SMB over IP     445    445
 
 

Author Comment

by:Muhajreen
ID: 36896194
C:\Documents and Settings\haythamk>dcdiag /q
         The host 2186c8c7-7f57-4077-b049-f0fe8cf1620c._msdcs.domain.com could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (2186c8c7-7f57-4077-b049-f0fe8cf1620c._msdcs.domain.com) couldn't be resolved, the server name (salhodc.domain.com) resolved to the IP address (192.168.100.100) and was pingable.  Check that the IP
 address is registered correctly with the DNS server.
         ......................... SALHODC failed test Connectivity
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... domain.com failed test FsmoCheck
 

Author Comment

by:Muhajreen
ID: 36896195
All ports are open on both DCs
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36897017
You NEED to seize the PDC role onto one of your existing Domain Controllers. You want to make sure your AD infrastructure is healthy before you make changes to it. Follow the below link to seize the role.

http://support.microsoft.com/kb/255504
 

Author Comment

by:Muhajreen
ID: 36897044
Thank you.

The problem appeared after I tried to transfer the FSMO roles to the new DC. All four roles were successfully transferred, but Schema Master failed. Then I discovered the RPC and DNS issues.

I have only two DCs in the organization, the old one is a Windows server 2003 and it has Exchange 2003 SP2 on it. The new one is a Windows 2008 R2 SP1.

I have an idea, please give me your comment about it: I will temporarily build a new 2008 R2 server, and make it a DC, then try to transfer the five FSMO roles to it. Does this help solve my issue?

Another idea: I will re-transfer the four FSMO roles from the new DC to the old one, then dcpromo the new DC, and re-format and build it again. Is it ok?

I believe that old DC may be infected with a virus, and I am unable to setup a new Symantec endpoint protection client on it.
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36897116
Go to the DC with the missing Lookup zones and go to the DNS Console. From the left pane, right click on the DC name and select "Create Default Application Directory Partitions". Click on yes and give it some time to create the zone. This should get the dns setup on the DC.
 

Author Comment

by:Muhajreen
ID: 36897125
Thank you.

When I clicked "Create Default Application Directory Partitions", I received an error: "The specified directory partition already exists"
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36897140
Does it exist?
 

Author Comment

by:Muhajreen
ID: 36897170
In the DNS console, I see the same two reverse zones which are replicated from the old DC, but I never see the forward zone, and that is the problem I am posting here about.

Shall I remove and re-initiate the partitions? If yes, how to do so?
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36897384
Does the forward zone still exist on the old DC? If so, then yes, re-initiate the partitions on the new DC.
Use this command on the new DC to remove the old partitions:
dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>

Use this command on the new DC to recreate them:
dnscmd <ServerName> /CreateBuiltinDirectoryPartitions /AllDomains
 

Author Comment

by:Muhajreen
ID: 36897442
I tried :

dnscmd 192.168.100.103 /UnenlistDirectoryPartition SalhoExchange.domain.com, then I got error:

Unenlist Directory Partition failed: SalhoExchange.domain.com
Status = 9901
Command failed: DNS_ERROR_DP_DOES_NOT_EXIST   9901
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36897455
2 Things:
1 - You need to use the servername, not IP address
2 - SalhoExchange.domain.com is not resolving on the DC you're running the command on; make sure that the DNS settings are correct on the DC you're running this command on
 
LVL 2

Expert Comment

by:Akeener
ID: 36898066
Since your forward zone does exist on the old server, you may want to temporarily change the primary DNS setting on your new server to point to the old server. You need to resolve your DNS zones to run the commands listed above. Once the replication happens and the new server has the forward DNS zone, change the DNS setting back.

From your ipconfig /all:
   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.100.103
                                       192.168.100.100
change to:
   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.100.100
                                       192.168.100.103
 

Author Comment

by:Muhajreen
ID: 36898297
I have changed the primary DNS setting of the new server to point to the old server. Still the same error that DP does not exist.

The name SalhoExchange.domain.com is pingable from the new server.

Are you sure that the partition name is the same as the FQDN?
 

Author Comment

by:Muhajreen
ID: 36898316
BTW, I don't know why those two reverse DNS zones are present there. I don't use them. They were made by a previous admin who has left the organization.

May I remove those two reverse zones? Do they affect the AD?
 

Author Comment

by:Muhajreen
ID: 36898325
I have just tried:

dnscmd SalHoExchange.domain.com /enlistDirectoryPartition SalhoExchange.domain.com

Enlist directory partition failed: salhoexchange.domain.com
    status = 9901 (0x000026AD)
Command failed:  DNS_ERROR_DP_DOES_NOT_EXIST     9901    0x26AD
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36898371
Run these tests:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com
nltest /dsgetdc:domain.com /gc
 
nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com
nltest /dsgetdc:domain.com /gc
 
 

Author Comment

by:Muhajreen
ID: 36898512
I ran those two commands on the new DC; I think you have repeated the same commands twice.


C:\Windows\system32>nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com

Server:  salhodc.domain.com
Address:  192.168.100.100

_ldap._tcp.dc._msdcs.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = salhoexchange.domain.com
_ldap._tcp.dc._msdcs.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = salhodc.domain.com
salhoexchange.domain.com   internet address = 192.168.100.103
salhodc.domain.com internet address = 192.168.100.100


C:\Windows\system32>nltest /dsgetdc:domain.com /gc
           DC: \\SalHoExchange.domain.com
      Address: \\192.168.100.103
     Dom Guid: 35fece82-29a1-43a6-8897-7894c553b005
     Dom Name: domain.com
  Forest Name: domain.com
 Dc Site Name: SALHO
Our Site Name: SALHO
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully
 
LVL 2

Expert Comment

by:Akeener
ID: 36899414
At this point I would create a Forward Zone on the New Server with your Domain name. Set up the Old Server to allow Zone Transfer, and set the New Server to get the Zone from the Old Server. Once you have the Zone on the New Server, change it to be AD integrated, either Forest or Domain based on what the Old Server is set for. Then, once that is working, be sure to change the Primary DNS Server setting on the New Server back to its own IP address.
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899429
Run this command exactly the way shown below except change the domain name to your existing name

dnscmd SalHoExchange /enlistDirectoryPartition domain.com

 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899434
Also, run dnscmd /enumzones and give us the output
 

Author Comment

by:Muhajreen
ID: 36899447
Thanks for your patience.

C:\Windows\system32>dnscmd SalHoExchange /enlistDirectoryPartition domain.com

Enlist directory partition failed: domain.com
    status = 9901 (0x000026AD)
Command failed:  DNS_ERROR_DP_DOES_NOT_EXIST     9901    0x26AD


C:\Windows\system32>dnscmd /enumzones

Enumerated zone list:
        Zone count = 4

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 100.168.192.in-addr.arpa       Primary    AD-Legacy       Update Rev
 99.168.192.in-addr.arpa        Primary    AD-Domain       Update Rev
 TrustAnchors                   Primary    AD-Forest


Command completed successfully.

May I remove those two reverse zones? I don't use them, and I don't know why somebody has added them.
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899448
Also, run the following commands in the below order

dnscmd /clearcache
dnscmd /resetforwarders
dnscmd /enumdirectorypartitions <- this should give us the correct partition to use for creating the directory partition we need to create
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899452
Run the above commands and let me know the outcome. You can remove the reverse dns zones but leave the ones that are relevant to your network.
 

Author Comment

by:Muhajreen
ID: 36899464
C:\Windows\system32>dnscmd /clearcache

. completed successfully.
Command completed successfully.

C:\Windows\system32>dnscmd /resetforwarders
Forwarders reset successfully.

Command completed successfully.

C:\Windows\system32>dnscmd /enumdirectorypartitions
Enumerated directory partition list:

        Directory partition count = 2
 DomainDnsZones.domain.com            Enlisted Auto Domain
 ForestDnsZones.domain.com            Enlisted Auto Forest


Command completed successfully.
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899468
Run this command:

dnscmd SalHoExchange /enlistDirectoryPartition ForestDnsZones.domain.com


 

Author Comment

by:Muhajreen
ID: 36899470
C:\Windows\system32>dnscmd SalHoExchange /enlistDirectoryPartition DomainDnsZones.domain.com

Enlist directory partition failed: DomainDnsZones.domain.com
    status = 9904 (0x000026B0)
Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904    0x26B0


C:\Windows\system32>dnscmd SalHoExchange /enlistDirectoryPartition ForestDnsZones.domain.com

Enlist directory partition failed: ForestDnsZones.domain.com
    status = 9904 (0x000026B0)
Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904    0x26B0
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899474
Now run dnscmd /enumzones again
 

Author Comment

by:Muhajreen
ID: 36899478
C:\Windows\system32>dnscmd /enumzones

Enumerated zone list:
        Zone count = 4

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 100.168.192.in-addr.arpa       Primary    AD-Legacy       Update Rev
 99.168.192.in-addr.arpa        Primary    AD-Domain       Update Rev
 TrustAnchors                   Primary    AD-Forest


Command completed successfully.
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899480
Restart the DNS service and refresh the zones. It seems that the zones are set up but just not showing up in DNS.
 

Author Comment

by:Muhajreen
ID: 36899482
Ok I am totally rebooting the system.
 

Author Comment

by:Muhajreen
ID: 36899493
After rebooting the system, I have the very same results for :

dnscmd /enumzones
dnscmd SalHoExchange /enlistDirectoryPartition ForestDnsZones.domain.com
 
LVL 6

Assisted Solution

by:joeyfaz
joeyfaz earned 250 total points
ID: 36899498
Run these 2 commands:

dnscmd SalHoExchange /UNenlistDirectoryPartition ForestDnsZones.domain.com
dnscmd SalHoExchange /UNenlistDirectoryPartition DomainDnsZones.domain.com

Restart DNS service then run:

dnscmd SalHoExchange /enlistDirectoryPartition ForestDnsZones.domain.com
dnscmd SalHoExchange /enlistDirectoryPartition DomainDnsZones.domain.com
 

Author Comment

by:Muhajreen
ID: 36899639
dnscmd SalHoExchange /UNenlistDirectoryPartition ForestDnsZones.domain.com

Command failed: RCODE_REFUSED 9005 0x232D
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36899717
The only thing left to do is demote the server, uninstall DNS, then Promote again
 

Author Comment

by:Muhajreen
ID: 36899731
Ok, I will first try to re-transfer the 4 FSMO roles to the old DC, and then will try to demote it.
 
LVL 2

Expert Comment

by:Akeener
ID: 36900490
Have you tried my suggestion? I would do so before you try moving the FSMOs. If you cannot resolve things through DNS, your chance of success transferring the FSMO is low.
 

Author Comment

by:Muhajreen
ID: 36901422
I have transferred the FSMO roles, demoted the DC, un-joined it from the domain, then re-joined it again and made it a DC again. Now the same DNS problem exists :( . I will try Akeener's solution.
 

Author Comment

by:Muhajreen
ID: 36901432

"At this point I would create a Forward Zone on the New Server with your Domain name."

Would you please advise which type of forward zone I have to make?

"Set up the Old Server to allow Zone Transfer, Set the New Server to get the Zone from the Old Server."

How to do so?

"Once you have the Zone on the New Server, change it to be AD integrated, either Forest or Domain based on what the Old Server is set for."

Will it simply accept changing to AD integrated? Will I receive the same problems I received before, especially since an AD integrated zone already exists?
 

Author Comment

by:Muhajreen
ID: 36901729
I have noticed many DNS errors in the new DC event log, here is one of them:

Log Name:      System
Source:        NETLOGON
Date:          10/3/2011 8:29:16 AM
Event ID:      5774
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SalHoDC2.domain.com
Description:
The dynamic registration of the DNS record '_ldap._tcp.SALHO._sites.DomainDnsZones.domian.com. 600 IN SRV 0 100 389 SalHoDC2.domain.com.' failed on the following DNS server:  

DNS server IP address: 173.192.132.50
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
  Or, you can manually add this record to DNS, but it is not recommended.  


I don't know anything about this DNS server: 173.192.132.50, does this indicate an attack?
 
LVL 2

Expert Comment

by:Akeener
ID: 36902999
On the Old Server with the good DNS forward zone, go to Domain.com, DomainDnsZone, _tcp and see if this SalHoDC2 173.192.132.50 SRV Record is there. If so delete it.

Once that is done, on your Old Server go to DNS, go to your Forward Lookup Zone, Domain.com, and right click the Zone. Click on the "Zone Transfer" tab. Click "Allow zone Transfers:" and click the Radio Button "Only to the following servers". Add your New Server IP address (192.168.100.103). On the New Server, go to DNS, right click the New Server Name, SalHoExchange, and click Next on the New Zone Wizard screen. Uncheck "Store the zone in Active Directory" but leave the Primary Zone radio button checked. Click Next. Forward lookup zone should be checked by default. Click Next. Give the Zone the same name as what is on your Old Server, Domain.com, I believe you use. Click Next. Remove the .dns extension that gets applied. Click Next. Leave the next screen defaults and click Next. Click Finish. Once the Zone is created, right click on the Zone and choose "Transfer from Master".
When the zone has transferred, right click the Zone, go to Properties and change the "Type", "Replication:" and "Dynamic updates:" to match how they are set on your Old Server.
 

Author Comment

by:Muhajreen
ID: 36904936
Thank you.

"Once the Zone is created right click on the Zone and choose "Transfer from Master"."

There is no such option
 
LVL 2

Accepted Solution

by:Akeener
Akeener earned 250 total points
ID: 36905455
On your Old Server go to DNS, go to your Forward Lookup Zone, Domain.com, and right click the Zone. Click on the "Zone Transfer" tab. Click "Allow zone Transfers:" and click the Radio Button "Only to the following servers". Add your New Server IP address (192.168.100.103). On the New Server, go to DNS, right click the New Server Name, SalHoExchange, and click Next on the New Zone Wizard screen. Uncheck "Store the zone in Active Directory" and choose Secondary Zone. Click Next. Enter the IP address of your Old Server on the "Master DNS Servers" window. Click Next. Click Finish.

When the zone has transferred, right click the Zone, go to Properties and change the "Type", "Replication:" and "Dynamic updates:" to match how they are set on your Old Server.
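The accepted solution's console steps, as an added example in PowerShell (not Akeener's code and not from the thread): restrict zone transfers on the old server to the new DC only, create the secondary zone on the new DC, pull the zone and compare SOA serials. It assumes Windows Server 2012 or later with the DnsServer module (the thread's 2003 and 2008 R2 hosts only have dnscmd and the console); hostnames, addresses and zone name are taken from the thread, and $OldDc/$NewDc are assumed to be reachable by those names.

```powershell
# Added example, not Akeener's code. Same procedure as the accepted solution, done with the
# DnsServer module (Windows Server 2012+ / RSAT). Hostnames, addresses and zone name are the
# thread's own; everything else here is an assumption about a generic two-DC domain.
param(
    [string]$ZoneName = 'domain.com',
    [string]$OldDc    = 'SalHoDC',           # holds the working primary zone
    [string]$OldDcIp  = '192.168.100.100',
    [string]$NewDc    = 'SalHoExchange',     # the DC with no forward zone
    [string]$NewDcIp  = '192.168.100.103'
)
Import-Module DnsServer -ErrorAction Stop

# Step 1 (old server): "Allow zone transfers: Only to the following servers". The weak
# alternative, -SecureSecondaries TransferAnyServer, lets any host that can reach port 53
# pull the complete list of machines in the domain. NotifyServers makes the master tell the
# new secondary when the zone changes, so it does not wait for the refresh interval.
Set-DnsServerPrimaryZone -ComputerName $OldDc -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $NewDcIp `
    -Notify NotifyServers -NotifyServers $NewDcIp

# Step 2 (new server): create a Secondary zone with the old server as master, then request a
# full transfer. This is the "choose Secondary Zone" correction in the accepted solution; a
# Primary zone created by the wizard has no master and therefore no "Transfer from Master".
if (-not (Get-DnsServerZone -ComputerName $NewDc -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -ComputerName $NewDc -Name $ZoneName `
        -ZoneFile "$ZoneName.dns" -MasterServers $OldDcIp
}
Start-DnsServerZoneTransfer -ComputerName $NewDc -Name $ZoneName -FullTransfer
Start-Sleep -Seconds 5     # the transfer runs asynchronously inside the DNS service

# Step 3: confirm the copy arrived by comparing SOA serials, and show how the master stores
# the zone so the "match the Old Server" Type/Replication change is made deliberately.
$src    = Get-DnsServerZone -ComputerName $OldDc -Name $ZoneName
$dst    = Get-DnsServerZone -ComputerName $NewDc -Name $ZoneName
$srcSoa = Get-DnsServerResourceRecord -ComputerName $OldDc -ZoneName $ZoneName -RRType Soa
$dstSoa = Get-DnsServerResourceRecord -ComputerName $NewDc -ZoneName $ZoneName -RRType Soa -ErrorAction SilentlyContinue
$storage = if ($src.IsDsIntegrated) { "AD-integrated ($($src.ReplicationScope))" } else { 'File (standard primary)' }
[pscustomobject]@{
    Zone            = $ZoneName
    MasterStorage   = $storage
    MasterSerial    = $srcSoa.RecordData.SerialNumber
    SecondaryType   = $dst.ZoneType
    SecondarySerial = $dstSoa.RecordData.SerialNumber
    TransferOk      = [bool]($dstSoa -and $srcSoa.RecordData.SerialNumber -eq $dstSoa.RecordData.SerialNumber)
} | Format-List
```

If TransferOk stays false, the transfer has usually been refused rather than delayed; the DNS server event log on the master records which address it turned away.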
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36906359
I'd suggest going through your DNS records and remove any unknown IP address records. Also, make sure that the NIC binding order and any DNS search order settings are properly set on both domain controllers.
 

Author Comment

by:Muhajreen
ID: 36907561
You drew my attention to something:

In the old server, right click domain.com DNS zone, select properties, General tab:

Status: Running
Type: Primary
Replication: Not an active directory integrated zone.

Then I clicked Type => Change, and checked the check box (Store the zone in Active Directory); now the zone is replicated and it appears on both servers!!

Although it's a simple and basic choice (I think), I didn't know it, and nobody drew my attention to it.

Many thanks to both of you Joeyfaz and Akeener for your patience, and thanks also to Sandeshdubey.
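An added example, not code from the thread, that turns the checks the experts walked through into one audit script: the DC's own DNS client order (Sandeshdubey's checklist), whether the DomainDnsZones and ForestDnsZones partitions are enlisted (the dnscmd checks), and whether the domain's forward zone exists on this DC and is stored in AD, which is the root cause the author found. It assumes Windows Server 2012 or later with the DnsServer and DnsClient modules, run elevated on the DC being checked; $DomainName and $PartnerDcs are parameters you supply, and -Fix performs the same "Store the zone in Active Directory" change the author made in the console.

```powershell
<#
  Added example, not from the thread. Audits one DC for the three things this thread turned
  on: DNS client order, enlisted application partitions, and a file-backed primary zone that
  can never replicate. Assumes Windows Server 2012+ with the DnsServer/DnsClient modules,
  run elevated on the DC itself (the thread's 2003/2008 R2 hosts only have dnscmd).
#>
param(
    [string]$DomainName  = $env:USERDNSDOMAIN,   # e.g. domain.com
    [string[]]$PartnerDcs = @(),                 # other DCs' IPv4 addresses, e.g. 192.168.100.100
    [switch]$Fix                                 # convert file-backed primaries to AD-integrated
)
Import-Module DnsServer, DnsClient -ErrorAction Stop
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. DNS client: this DC's own address first (not 127.0.0.1), a partner DC next, nothing else.
#    A public resolver on the NIC belongs in forwarders; otherwise Netlogon tries to register
#    the DC's SRV records there, which is what the event 5774 in this thread shows.
$selfIPs  = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object PrefixOrigin -ne 'WellKnown').IPAddress   # excludes loopback and APIPA
$expected = @($selfIPs) + $PartnerDcs
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses | ForEach-Object {
    $nic  = $_
    $list = $nic.ServerAddresses
    if ($list[0] -notin $selfIPs) {
        $findings.Add("[$($nic.InterfaceAlias)] first DNS server is $($list[0]); expected this DC's own address")
    }
    if ($PartnerDcs.Count -gt 0 -and -not ($list | Where-Object { $_ -in $PartnerDcs })) {
        $findings.Add("[$($nic.InterfaceAlias)] no partner DC in the DNS server list")
    }
    foreach ($ip in ($list | Where-Object { $_ -notin $expected })) {
        $findings.Add("[$($nic.InterfaceAlias)] unexpected DNS server $ip; if it is a public resolver, move it to forwarders")
    }
}

# 2. Both application partitions must be enlisted or AD-integrated zones never arrive here.
$parts = Get-DnsServerDirectoryPartition
foreach ($name in "DomainDnsZones.$DomainName", "ForestDnsZones.$DomainName") {
    $p = $parts | Where-Object DirectoryPartitionName -eq $name
    if (-not $p) {
        $findings.Add("partition $name is not present on this server")
    } elseif ($p.Flags -notmatch 'Enlisted') {
        $findings.Add("partition $name flags are '$($p.Flags)' (not enlisted)")
    }
}

# 3. The domain zone must exist on this DC and be stored in AD. A standard (file-backed)
#    primary lives only on the DC that holds the file: AD replication never carries it, so a
#    new DC sees reverse zones that are AD-integrated but no forward zone, as in this thread.
$zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
if (-not ($zones | Where-Object ZoneName -eq $DomainName)) {
    $findings.Add("forward zone $DomainName is missing on this DC")
}
foreach ($z in ($zones | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated })) {
    $findings.Add("zone $($z.ZoneName) is a file-backed primary and will not replicate to other DCs")
    if ($Fix) {
        # Same change as the author's console fix, with domain-wide scope; Secure dynamic
        # updates are only available once the zone is AD-integrated, so set them here too.
        ConvertTo-DnsServerPrimaryZone -Name $z.ZoneName -ReplicationScope Domain -Force
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
        $findings.Add("  -> $($z.ZoneName) converted to AD-integrated (Domain scope, secure updates only)")
    }
}

if ($findings.Count -eq 0) { 'No findings: DNS client order, partitions and zone storage are consistent.' }
else                       { $findings }
```

Run it on each DC in turn; a zone reported as file-backed on the old DC and missing on the new one is exactly the pair of findings this thread took forty comments to reach.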
