techassosysadmin asked:

Adding another domain controller in Domain

I am adding another domain controller in my existing domain, but I am getting a DNS related error. I am unable to find the solution to the error. Kindly help me resolve this issue. Below are the details of my network.

Domain controller details:
Operating System: Windows 2003 Server
Server ip: 192.168.20.201
Subnet mask: 255.255.255.0
gateway: 192.168.20.1
DNS: 192.168.20.201
          192.168.20.1


Additional Domain controller details:
Operating System: Windows 2008 R2 Server
Server ip: 192.168.20.200
Subnet mask: 255.255.255.0
gateway: 192.168.20.1
DNS: 192.168.20.201
          192.168.20.1


The error which I am getting during the process is below:


The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "TA.COM":

The error was: "DNS server failure."
(error code 0x0000232A RCODE_SERVER_FAILURE)

The query was for the SRV record for _ldap._tcp.dc._msdcs.TA.COM

Common causes of this error include the following:

- The DNS servers used by this computer contain incorrect root hints. This computer is configured to use DNS servers with the following IP addresses:

192.168.20.201

- One or more of the following zones contains incorrect delegation:

TA.COM
COM
. (the root zone)

Last comment: techassosysadmin, 8/22/2022 - Mon
Tomislavj

Remove the router IP as an alternate DNS server and define forwarders in the DNS setup.
Krzysztof Pytko

Use only DNS IP address of the existing Domain Controller and try again. Alternatively, please visit my blog and follow an article for that at
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

Regards,
Krzysztof
ienaxxx

Did you prepare the forest and domains with adprep /forestprep and /domainprep, before adding a new 2008 R2 DC?

You must upgrade the AD Schema before adding a new 2008 or 2008 R2 domain controller.
Before that: check what is the forest and domain functional levels.

DOMAIN: right click the domain node in "Active Directory Users and computers" console and then "raise the domain functional level". Take note and then click CANCEL

FOREST: right click the ROOT node in the "Active Directory Domains and Trusts" and then "raise forest functional level". Take note and then click CANCEL.

HERE:
http://technet.microsoft.com/en-us/library/cc733027%28v=ws.10%29.aspx
and you should read the documentation in the links deeply.


If you didn't do the preparation, I suggest you demote the new DC, uninstall DNS, then prepare (raising functional levels as needed beforehand), and promote a NEW DC. If possible, this should be the best solution.

HTH. Bye.
Krzysztof Pytko

And if you are installing a DC other than 2003, you need to prepare your environment first. You can also follow an article on my blog for that at
http://kpytko.wordpress.com/2011/08/25/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/

Krzysztof
ghouseuddin_mohammed

As you are introducing a first Windows 2008 R2 domain controller into a Windows 2003 domain, you need to prepare it.
http://kpytko.wordpress.com/2011/08/25/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/
Prashant Girennavar

First,

You need to remove the default gateway address from the DNS server IP addresses on both domain controllers.

I assume your DNS has an AD-integrated zone. I would suggest you use:

On Domain controller,

 Primary DNS server IP address - 192.168.20.200
 Secondary DNS server IP address  - 192.168.20.201

On ADC,

 Primary DNS server IP address - 192.168.20.201
 Secondary DNS server IP address  - 192.168.20.200

Once this is done, stop the Netlogon service and start it again on both domain controllers.

Just to clarify,

Are you using ISP IP addresses in DNS forwarders? Or are you using root hints for external name resolution?

If you are using forwarders, then I would recommend you define them on your main DC and point your additional domain controller to your main DC.

Regards,

_Prashant_
techassosysadmin

ASKER
I have already upgraded the AD Schema before adding a new 2008 R2 domain controller and also have raised forest and domain functional levels.
Krzysztof Pytko

OK then follow an article I posted above for adding additional DC. There is step-by-step procedure to do that (with DNS settings also)

Krzysztof
techassosysadmin

ASKER
@Prashant

I followed your steps too but didn't get success. No, I am not using an ISP IP address in forwarders; I have entered my router IP in forwarders.

@Krzysztof

I am unable to follow the whole procedure as provided by you, as I am getting an error while adding the ADC.
Krzysztof Pytko

Can you tell me please in which step ? If possible, please also post a screen shot

Thank you in advance

Krzysztof
Prashant Girennavar

Ok,

Can you please post an unedited ipconfig /all from your ADC and DC?

It seems the server which you are trying to add as an additional domain controller is unable to locate the SRV records of the DC.

Also, if you provide a screen shot of DNSMGMT.MSC, that will be helpful.

I presume that you have already restarted the Netlogon service on the domain controller (by going to services.msc on the DC).

Regards,

_Prashant_
techassosysadmin

ASKER
@Prashant, @Krzysztof

Screen shots of DC & ADC (ipconfig /all) and the step at which the error is coming are attached:
- sceen1.jpg
- dc.JPG
- adc.jpg
Krzysztof Pytko

As this is ta.com domain where it might be connected with .com public domain, you should remove default gateway IP address from additional DC to prevent forwarding DNS query to the Internet. After that try once again.

And one more thing, when you do that changes, try to ping from ADC in command-line

ping ta.com

and verify if it returns IP address of your DC (.201)

Krzysztof
techassosysadmin

ASKER
@Krzysztof

I removed the default gateway IP address and followed the procedure, but the same error is coming. ping ta.com works from the ADC without any interruption, both before and after removing the gateway.
Prashant Girennavar

The ipconfig /all results seem fine to me.

Ok,

Follow these steps

1. Restart the Netlogon service on your DC once again.
2. Disable all NICs other than the Ethernet adapter "Local Area Connection" on the ADC.
3. Disable the local firewall and antivirus on both the DC and ADC and check.

Regards,

_Prashant_
Krzysztof Pytko

OK, looks like there is problem with DC. Can you reboot it in convenient time for you and check again ?

Krzysztof
techassosysadmin

ASKER
I have already done the below steps, but didn't get success.

1. Restarted once again Netlogon service on my DC
2. No other NIC installed on ADC
3. Disabled all the local firewall and Antivirus on both the DC and ADC
4. I have rebooted my DC & ADC also
Krzysztof Pytko

Can you try to join ADC using NetBIOS Domain name instead of DNS domain name, please ?

I.e.

join to domain: TESTENV-PL
instead of testenv.local

Krzysztof
ghouseuddin_mohammed

Why do you log in with the local administrator? I hope your server is joined to the domain. Then log in with the domain admin account.
Install the AD DS role first and then run dcpromo.
ghouseuddin_mohammed

If my suggestion above doesn't help, then do this:

http://support.microsoft.com/kb/816587

Check on the DC for the SRV records. Otherwise there is a way to copy the SRV records from the netlogon.dns file to your DNS server.
Prashant Girennavar

Ok,

 Can you please take a screen shot of dnsmgmt.msc and Forward lookup zone and post it here ?

Regards,

_Prashant_
ASKER CERTIFIED SOLUTION
techassosysadmin

techassosysadmin

ASKER
Friends..

I have done the below steps successfully for the domain controller change:
1. Prepared our 2003 DC for the 2008 ADC
2. Successfully added the 2008 ADC
3. Successfully transferred the FSMO roles to the 2008 server

But after shutdown of our 2003 DC, we are unable to access our domain. Is there any solution for it?
Krzysztof Pytko

Yes, open DNS Management console and configure forwarders :)
For 2008 you should do these steps
http://technet.microsoft.com/en-us/library/cc754941.aspx

set up DNS servers of your ISP or put Google (8.8.8.8 or/and 8.8.4.4)

Additionally, please ensure that you fixed option 006 on your DHCP server in the scope/server options.

Krzysztof
Prashant Girennavar

I would recommend you run the below command lines and check which site the clients are in and which DC they are contacting for authentication.

To determine the AD site of a client:

•NLTEST /DSGETSITE
 

To determine a DC within the set of DCs in the client's AD site that could authenticate/service the client:

•NLTEST /DSGETDC:<FQDN DOMAIN>

Reference - http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-1.aspx

If for some reason client computers at the remote site are still contacting the main DC for authentication, then there is a problem with the remote DC's generic record registration in DNS.

I.e., the SRV records for the remote DC have not been registered in DNS. If this is the case, you need to stop the Netlogon service and start it back from services.msc on the DC so that it can register the SRV records in DNS.

Additionally, you can run netdiag /fix on the DC to fix DNS related issues (applicable only for Windows Server 2003 or below).

Regards,

_Prashant_
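The checks recommended in this thread (DNS client list on the DCs containing only AD DNS servers, the `_ldap._tcp.dc._msdcs` SRV record answered by the existing DC, and the NLTEST locator calls above) gathered into one diagnostic script. This is an added example, not code posted by any participant; it assumes it runs on the prospective ADC, uses the domain ta.com and DNS server 192.168.20.201 from the question, and relies only on WMI, nslookup.exe and nltest.exe, which exist on Windows Server 2008 R2.

```powershell
# Added diagnostic script (not from the thread). Assumes the existing DC/DNS server
# is 192.168.20.201 and the domain is ta.com, as stated in the question.
param(
    [string]$Domain    = "ta.com",
    [string]$DnsServer = "192.168.20.201"
)

# 1. DNS client settings: a DC's resolver list should contain only AD DNS servers.
#    A router or ISP address there sends queries for the _msdcs zone to the Internet.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    $gateways = @($nic.DefaultIPGateway)
    $dns      = @($nic.DNSServerSearchOrder)
    Write-Host ("[{0}] DNS servers: {1}" -f $nic.Description, ($dns -join ", "))
    foreach ($srv in $dns) {
        if ($srv -and ($gateways -contains $srv)) {
            Write-Warning "DNS server $srv is the default gateway; use it as a DNS forwarder instead."
        }
    }
}

# 2. The record dcpromo could not find, asked directly of the existing DC's DNS service.
#    Windows nslookup prints one "svr hostname = ..." line per SRV answer.
$record = "_ldap._tcp.dc._msdcs.$Domain"
Write-Host "`nQuerying $record on $DnsServer"
$answer = & nslookup.exe -type=SRV $record $DnsServer 2>&1
$answer | ForEach-Object { Write-Host "  $_" }
if (-not ($answer -match "svr hostname")) {
    Write-Warning "No SRV answer. On the DC, restart Netlogon (net stop netlogon / net start netlogon)"
    Write-Warning "so it re-registers the records listed in %SystemRoot%\System32\config\netlogon.dns."
}

# 3. DC locator view from this machine: which DC and which AD site it resolves.
Write-Host "`nnltest /dsgetdc:$Domain"
& nltest.exe /dsgetdc:$Domain
Write-Host "`nnltest /dsgetsite"
& nltest.exe /dsgetsite
```

Run it from an elevated PowerShell prompt on the ADC before dcpromo; a warning in step 1 or an empty answer in step 2 reproduces the RCODE_SERVER_FAILURE condition from the original error text.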
techassosysadmin

ASKER
I got past the error steps with this.