Adding another domain controller in Domain

techassosysadmin
I am adding another domain controller to my existing domain, but I am getting a DNS-related error. I am unable to find the solution to the error. Kindly help me resolve this issue. Below are the details of my network.

Domain controller details:
Operating System: Windows 2003 Server
Server ip: 192.168.20.201
Subnet mask: 255.255.255.0
gateway: 192.168.20.1
DNS: 192.168.20.201
          192.168.20.1


Additional Domain controller details:
Operating System: Windows 2008 R2 Server
Server ip: 192.168.20.200
Subnet mask: 255.255.255.0
gateway: 192.168.20.1
DNS: 192.168.20.201
          192.168.20.1


The error which I am getting during the process is below:


The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "TA.COM":

The error was: "DNS server failure."
(error code 0x0000232A RCODE_SERVER_FAILURE)

The query was for the SRV record for _ldap._tcp.dc._msdcs.TA.COM

Common causes of this error include the following:

- The DNS servers used by this computer contain incorrect root hints. This computer is configured to use DNS servers with the following IP addresses:

192.168.20.201

- One or more of the following zones contains incorrect delegation:

TA.COM
COM
. (the root zone)
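A diagnostic for the failure quoted above, added here as an example and not part of the original question. It runs the DC locator's SRV query through nslookup once for each DNS server the ADC is configured with, so it is visible which server answers and which returns SERVFAIL (RCODE 2, the 0x232A error in the dcpromo message), and then asks the question the way dcpromo itself asks it, through nltest. Names and addresses are the ones from the question; nslookup and nltest ship with Windows Server 2008 R2 and the script only needs PowerShell 2.0.

```powershell
# Added example (not part of the original question or any reply).
# Runs the DC locator SRV query against each configured DNS server and
# classifies the answer the way the dcpromo error message does.
$Domain     = 'ta.com'
$DnsServers = @('192.168.20.201', '192.168.20.1')   # DC and router, as configured on the ADC
$SrvName    = "_ldap._tcp.dc._msdcs.$Domain"

function Test-DcLocatorSrv {
    param([string]$Name, [string]$Server)
    # nslookup prints errors on stderr; 2>&1 merges them so one regex pass sees everything.
    $out = & nslookup -type=SRV $Name $Server 2>&1 | Out-String
    if ($out -match 'svr hostname\s*=\s*(\S+)') {
        return "OK        $Server returns DC $($Matches[1])"
    }
    if ($out -match 'Server failed')       { return "SERVFAIL  $Server cannot resolve the zone (a router or forwarding loop, not an AD DNS server)" }
    if ($out -match 'Non-existent domain') { return "NXDOMAIN  $Server has the zone but no SRV record; restart Netlogon on the DC to re-register it" }
    if ($out -match 'timed-out|timed out') { return "TIMEOUT   $Server does not answer DNS at all" }
    return "UNKNOWN   $Server`n$out"
}

foreach ($s in $DnsServers) { Test-DcLocatorSrv -Name $SrvName -Server $s }

# The same lookup done by the Netlogon DC locator, which is what dcpromo uses.
& nltest "/dsgetdc:$Domain"
```

A healthy result is an OK line for 192.168.20.201 naming the existing DC; the router line is expected to fail, which is exactly why it must not be listed as a DNS server on a domain member at all.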
Commented:
Remove the router IP as an alternate DNS server and define forwarders in the DNS setup.
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
Use only the DNS IP address of the existing Domain Controller and try again. Alternatively, please visit my blog and follow the article for that at
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

Regards,
Krzysztof

Commented:
Did you prepare the forest and domain with adprep /forestprep and /domainprep before adding a new 2008 R2 DC?

You must upgrade the AD schema before adding a new 2008 or 2008 R2 domain controller.
Before that: check what the forest and domain functional levels are.

DOMAIN: right-click the domain node in the "Active Directory Users and Computers" console and then "Raise domain functional level". Take note and then click CANCEL.

FOREST: right-click the ROOT node in "Active Directory Domains and Trusts" and then "Raise forest functional level". Take note and then click CANCEL.

HERE:
http://technet.microsoft.com/en-us/library/cc733027%28v=ws.10%29.aspx
and you should read the documentation in the links thoroughly.


If you didn't do the preparation, I suggest you demote the new DC, uninstall DNS, then prepare (raising the functional levels as needed beforehand), and promote a NEW DC. If possible, this is the best solution.

HTH. Bye.
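The checks in the reply above can be done without clicking through the two consoles. The script below is an added example, not from the reply or from Microsoft: it reads the schema version and both functional levels over LDAP with the [ADSI] accelerator, which PowerShell 2.0 on the 2008 R2 server already has, so it runs before that server is promoted. The schema objectVersion and functionality numbers in the tables are the values Microsoft publishes per release; the D: drive and adprep path assume the 2008 R2 installation DVD. Run it as a domain admin from a machine joined to ta.com.

```powershell
# Added example (not from the thread). Verifies that adprep has run and that the
# forest level allows a Windows Server 2008 R2 DC, before retrying dcpromo.
$rootDse = [ADSI]'LDAP://RootDSE'
$schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"

# objectVersion of CN=Schema per Windows Server release.
$schemaByVersion = @{ 13 = '2000'; 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2' }
# domainFunctionality / forestFunctionality values from RootDSE.
$levelByNumber   = @{ 0 = '2000'; 1 = '2003 interim'; 2 = '2003'; 3 = '2008'; 4 = '2008 R2' }

function Get-AdReadiness {
    $schemaVersion = [int]$schema.objectVersion.Value
    $domainLevel   = [int]$rootDse.domainFunctionality.Value
    $forestLevel   = [int]$rootDse.forestFunctionality.Value

    New-Object PSObject -Property @{
        SchemaVersion  = $schemaVersion
        Schema         = $schemaByVersion[$schemaVersion]
        DomainLevel    = $levelByNumber[$domainLevel]
        ForestLevel    = $levelByNumber[$forestLevel]
        # A 2008 R2 DC needs the 2008 R2 schema (47) and a forest level of at least 2003.
        ReadyFor2008R2 = ($schemaVersion -ge 47) -and ($forestLevel -ge 2)
    }
}

$r = Get-AdReadiness
$r | Format-List SchemaVersion, Schema, DomainLevel, ForestLevel, ReadyFor2008R2

if (-not $r.ReadyFor2008R2) {
    Write-Warning 'Prepare the forest from the 2008 R2 media before dcpromo (use adprep32.exe on a 32-bit 2003 DC):'
    Write-Warning '  on the schema master:           D:\support\adprep\adprep.exe /forestprep'
    Write-Warning '  on the infrastructure master:   D:\support\adprep\adprep.exe /domainprep /gpprep'
    Write-Warning '  then raise the forest functional level to at least Windows Server 2003'
}
```

If the script reports a schema version of 30 or 31, adprep /forestprep has not been run and the dcpromo error is unrelated to DNS; if it reports 47 and a 2003 or higher forest level, the preparation is done and the DNS client settings are the remaining suspect.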
Krzysztof Pytko, Senior Active Directory Engineer

Commented:
And if you are installing a DC other than 2003, you need to prepare your environment for that first. You can also follow an article on my blog for that at
http://kpytko.wordpress.com/2011/08/25/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/

Krzysztof
As you are introducing a first Windows 2008 R2 domain controller into a Windows 2003 domain, you need to prepare it.
http://kpytko.wordpress.com/2011/08/25/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/
First,

 You need to remove the default gateway address from the DNS server IP address list on both domain controllers.

I assume your DNS is using an AD-integrated zone. I would suggest you use

On Domain controller,

 Primary DNS server IP address - 192.168.20.200
 Secondary DNS server IP address - 192.168.20.201

On ADC,

 Primary DNS server IP address - 192.168.20.201
 Secondary DNS server IP address - 192.168.20.200

Once this is done, stop the Netlogon service and restart it again on both domain controllers.

 Just to clarify,

Are you using the ISP IP address in DNS forwarders? Or are you using root hints for external name resolution?

If you are using forwarders, then I would recommend you define this on your main DC and point your additional domain controller to your main DC.

Regards,

_Prashant_
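The DNS client changes, the Netlogon restart and the forwarder setting from the two replies above, applied from one place. This is an added example, not _Prashant_'s or Krzysztof's own script: it drives Win32_NetworkAdapterConfiguration through WMI, which PowerShell 2.0 can do against both the 2003 DC and the 2008 R2 server, and uses dnscmd for the forwarders (on 2003 dnscmd comes from the Support Tools). Addresses are the ones from the thread. The order differs by phase: while the ADC is being promoted it must resolve only through the existing DC; the cross-pointing _Prashant_ describes is for after dcpromo has finished and the AD-integrated zone has replicated. The forwarder addresses are assumptions (Google's resolvers, which a later reply suggests; substitute your ISP's).

```powershell
# Added example (not from the thread). Sets the DNS client order on both DCs
# through WMI, restarts Netlogon so each DC re-registers its SRV records, and
# configures forwarders on the existing DC in place of the router.
$Dc  = '192.168.20.201'   # existing 2003 DC
$Adc = '192.168.20.200'   # new 2008 R2 server / ADC
$Gw  = '192.168.20.1'     # router: not an AD DNS server, so it must not appear in any DNS list

$AfterPromotion = $false  # set to $true once dcpromo has succeeded and the zone has replicated

function Set-DcDnsClientOrder {
    param([string]$Computer, [string[]]$Order)
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $Computer -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        if (@($nic.DNSServerSearchOrder) -contains $Gw) {
            Write-Warning "$Computer ($($nic.Description)) lists the gateway $Gw as a DNS server; replacing it"
        }
        $r = $nic.SetDNSServerSearchOrder($Order)
        if ($r.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder on $Computer returned $($r.ReturnValue)" }
    }
}

function Restart-RemoteNetlogon {
    param([string]$Computer)
    # Stopping and starting Netlogon makes the DC re-register its DNS records (netlogon.dns).
    $svc = Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name = 'Netlogon'"
    [void]$svc.StopService()
    Start-Sleep -Seconds 5
    if ($svc.StartService().ReturnValue -ne 0) { throw "Netlogon did not start on $Computer" }
}

if (-not $AfterPromotion) {
    # During promotion: both machines resolve only through the existing DC.
    Set-DcDnsClientOrder -Computer $Dc  -Order @($Dc)
    Set-DcDnsClientOrder -Computer $Adc -Order @($Dc)
    Restart-RemoteNetlogon -Computer $Dc
} else {
    # After promotion: cross-point them, each with the other DC first and itself second.
    Set-DcDnsClientOrder -Computer $Dc  -Order @($Adc, $Dc)
    Set-DcDnsClientOrder -Computer $Adc -Order @($Dc, $Adc)
    Restart-RemoteNetlogon -Computer $Dc
    Restart-RemoteNetlogon -Computer $Adc
}

# Internet names are resolved by the DC's own DNS service through forwarders,
# which replaces the router entry that was doing that job from the client side.
& dnscmd $Dc /ResetForwarders 8.8.8.8 8.8.4.4
& nslookup www.microsoft.com $Dc   # quick check that the DC now resolves external names
```

Re-run the SRV lookup from the first example after the Netlogon restart; only once 192.168.20.201 returns the SRV record cleanly is it worth retrying dcpromo.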

Author

Commented:
I have already upgraded the AD Schema before adding a new 2008 R2 domain controller and also have raised forest and domain functional levels.
Krzysztof Pytko, Senior Active Directory Engineer

Commented:
OK, then follow the article I posted above for adding an additional DC. There is a step-by-step procedure to do that (with the DNS settings as well).

Krzysztof

Author

Commented:
@Prashant

I followed your steps too but didn't get success. No, I am not using the ISP IP address as a forwarder; I have put my router IP in the forwarders.

@Krzysztof

I am unable to follow the whole procedure as provided by you, as I am getting the error while adding the ADC.
Krzysztof Pytko, Senior Active Directory Engineer

Commented:
Can you tell me in which step, please? If possible, please also post a screenshot.

Thank you in advance

Krzysztof
Ok,

Can you please post unedited ipconfig /all output from your ADC and DC?

It seems the server which you are trying to add as an additional domain controller is unable to locate the SRV records of the DC.

Also, if you provide a screenshot of DNSMGMT.MSC, that will be helpful.

I presume that you have already restarted the Netlogon service on the Domain Controller (by going to services.msc on the DC).

Regards,

_Prashant_

Author

Commented:
@Prashant, @Krzysztof

Screenshots of the DC & ADC (ipconfig /all) and of the step at which the error comes are attached:
sceen1.jpg
dc.JPG
adc.jpg
Krzysztof Pytko, Senior Active Directory Engineer

Commented:
As this is the ta.com domain, which might be connected with the .com public domain, you should remove the default gateway IP address from the additional DC to prevent forwarding DNS queries to the Internet. After that, try once again.

And one more thing: when you make those changes, try to ping from the ADC in the command line

ping ta.com

and verify that it returns the IP address of your DC (.201).

Krzysztof

Author

Commented:
@Krzysztof

I removed the default gateway IP address and followed the procedure, but the same error is coming. ping ta.com works from the ADC without any interruption, before and after removing the gateway.
The ipconfig /all results seem fine to me.

Ok,

Follow these steps

1. Restart the Netlogon service on your DC once again
2. Disable all NICs other than the Ethernet adapter "Local Area Connection" on the ADC
3. Disable the local firewall and antivirus on both the DC and ADC and check

Regards,

_Prashant_
Krzysztof Pytko, Senior Active Directory Engineer

Commented:
OK, it looks like there is a problem with the DC. Can you reboot it at a time convenient for you and check again?

Krzysztof

Author

Commented:
I have already done the steps below, but didn't get success.

1. Restarted once again Netlogon service on my DC
2. No other NIC installed on ADC
3. Disabled all the local firewall and Antivirus on both the DC and ADC
4. I have rebooted my DC & ADC also
Krzysztof Pytko, Senior Active Directory Engineer

Commented:
Can you try to join the ADC using the NetBIOS domain name instead of the DNS domain name, please?

I.e

join to domain: TESTENV-PL
instead of testenv.local

Krzysztof
Why do you log in with the local administrator? I hope your server is joined to the domain. Then log in with the domain admin account.
Install the AD DS role first and then run dcpromo.
If my suggestion above doesn't help, then do this:

http://support.microsoft.com/kb/816587

Check on the DC for the SRV records. Otherwise there is a way to copy the SRV records from the netlogon.dns file to your DNS server.
Ok,

 Can you please take a screenshot of dnsmgmt.msc and the forward lookup zone and post it here?

Regards,

_Prashant_
No SRV record (_ldap._tcp.dc._msdcs.TA.COM) was available in DNS. Reinstall DNS and use the command below to add the SRV record in DNS:

dnscmd /RecordAdd ta.com _ldap._tcp.dc._msdcs 600 SRV 0 100 389 tail2k3server.ta.com

(zone ta.com, node _ldap._tcp.dc._msdcs, TTL 600, priority 0, weight 100, LDAP port 389, target = the existing DC; this is the record Netlogon would normally register itself)

then use the commands below:
ipconfig /registerdns
net stop netlogon
net start netlogon

I have passed that error step.

Author

Commented:
Friends..

I have done the steps below successfully for the domain controller change:
1. Prepared our 2003 DC for the 2008 ADC
2. Successfully added the 2008 ADC
3. Successfully transferred the FSMO roles to the 2008 server

But after shutting down our 2003 DC, we are unable to access our domain. Is there any solution for it?
Krzysztof Pytko, Senior Active Directory Engineer

Commented:
Yes, open the DNS Management console and configure forwarders :)
For 2008 you should do these steps:
http://technet.microsoft.com/en-us/library/cc754941.aspx

Set up the DNS servers of your ISP or put Google (8.8.8.8 and/or 8.8.4.4).

Additionally, please ensure you have fixed option 006 on your DHCP server in the scope/server options.

Krzysztof

Author

Commented:
Friends..

I have done the steps below successfully for the domain controller change:
1. Prepared our 2003 DC for the 2008 ADC
2. Successfully added the 2008 ADC
3. Successfully transferred the FSMO roles to the 2008 server

But after shutting down our 2003 DC, I am unable to access our existing domain. Is there any solution for it?
I would recommend you run the command lines below and check which site the clients are in and which DC they are contacting for authentication.

To determine the AD site of a client:

•NLTEST /DSGETSITE
 

To determine a DC within the set of DCs in the client's AD site that could authenticate/service the client:

•NLTEST /DSGETDC:<FQDN DOMAIN>

Reference - http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-1.aspx

If for some reason client computers at the remote site are still contacting the main DC for authentication, then there is a problem with the remote DC's generic record registration in DNS,

i.e. the SRV records for the remote DC have not been registered in DNS. If this is the case, you need to stop the Netlogon service and start it back from services.msc on the DC so that it can register the SRV records in DNS.

Additionally, you can run netdiag /fix on the DC to fix DNS-related issues (applicable only to Windows Server 2003 or below).

Regards,

_Prashant_
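A pre-cutover check for the situation the author describes (the domain disappearing when the 2003 DC is powered off), added here as an example and not part of _Prashant_'s or Krzysztof's reply. It runs the two NLTEST queries from the reply above against the DC locator, confirms through netdom that every FSMO role is now held by a machine other than the 2003 DC, and then changes DHCP option 006 so clients get the new DC as their DNS server, which is the fix Krzysztof pointed at. Names and addresses come from the thread; the DHCP server location and scope ID are assumptions (list them with "netsh dhcp server show scope"), and the netsh dhcp context requires the DHCP server tools to be installed where the script runs. Run it as a domain admin on the new 2008 R2 DC, whose own DNS client should by now list itself.

```powershell
# Added example (not from the thread). Verifies the new DC can stand alone and
# moves the DHCP-assigned DNS server away from the 2003 DC before it is shut down.
$Domain  = 'ta.com'
$NewDc   = '192.168.20.200'
$OldDc   = '192.168.20.201'
$DhcpSrv = "\\$OldDc"       # assumption: DHCP currently runs on the 2003 DC
$ScopeId = '192.168.20.0'   # assumption: the scope that serves these clients

function Get-LocatorDc {
    # nltest /dsgetdc uses the Netlogon DC locator; /force bypasses the cached answer,
    # so a DC that is no longer registered cannot be returned from cache.
    $out = & nltest "/dsgetdc:$Domain" /force 2>&1 | Out-String
    if ($out -match 'DC:\s*\\\\(\S+)') { return $Matches[1] }
    throw "DC locator failed for ${Domain}: $out"
}

function Get-FsmoHolders {
    # netdom query fsmo prints one "<role>   <holder fqdn>" line per role.
    $holders = @{}
    foreach ($line in (& netdom query fsmo 2>&1)) {
        if ("$line" -match '^\s*(.+?)\s{2,}(\S+\.\S+)\s*$') { $holders[$Matches[1].Trim()] = $Matches[2] }
    }
    return $holders
}

function Get-RolesStillOnOldDc {
    # Resolve each holder's FQDN and report the roles whose holder is still the 2003 DC.
    $stale = @()
    foreach ($e in (Get-FsmoHolders).GetEnumerator()) {
        $ips = [System.Net.Dns]::GetHostAddresses($e.Value) | ForEach-Object { $_.IPAddressToString }
        if ($ips -contains $OldDc) { $stale += $e.Key }
    }
    return $stale
}

"Site of this machine: $(& nltest /dsgetsite)"
"DC locator returns:   $(Get-LocatorDc)"
(Get-FsmoHolders).GetEnumerator() | ForEach-Object { '{0,-25} {1}' -f $_.Key, $_.Value }

$stale = Get-RolesStillOnOldDc
if ($stale.Count -gt 0) {
    throw "These roles are still on $OldDc; transfer them before shutting it down: $($stale -join ', ')"
}

# Hand clients the new DC first. Keep the old one second only until it is decommissioned.
& netsh dhcp server $DhcpSrv scope $ScopeId set optionvalue 006 IPADDRESS $NewDc $OldDc
& netsh dhcp server $DhcpSrv scope $ScopeId show optionvalue

# Make this DC re-register its own locator records in DNS, so no client depends on
# the copy of the zone on the 2003 DC.
& nltest /dsregdns
```

Clients keep their old lease until renewal, so run ipconfig /renew on a test workstation and repeat nltest /dsgetdc:ta.com there before powering off the 2003 DC; if the locator still names the old DC, the zone on the new DC has not got the SRV records yet and the shutdown must wait.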

Author

Commented:
I passed the error step by this.
