Solved

Demoted DC Can't Reach Other DCs

Posted on 2013-05-24 | 302 Views | Last Modified: 2013-06-17
We have a 2008R2 core server on our network which was tombstoned. The server had DNS and DHCP for the branch. My plan was to forcefully demote the DC (as it was not replicating due to tombstone), perform a metadata cleanup, and re-promote the DC (maintaining the DHCP and DNS server roles).

The server demoted gracefully. The DC was no longer in DNS or AD sites & services. However, after attempting to re-promote the DC, I seem to be having DNS issues on the DC. DNS was manually set to itself (as it was the DNS server for the site). Even after setting DNS to another DNS server in our domain and flushing/registering DNS, I can't seem to get it to see the other servers on the network. NSLookup times out.  I've checked AD Sites and Services and our inter-site transports are correct.  This subnet should be replicating from our headquarters.  I am using the fqdn (mydomain.local) when I try to re-add the server to the domain.

I'm able to ping other servers, I just can't reach them by hostname.  I am unable to telnet to another DNS server using port 53 because Server 2008 core does not have telnet.

I also tried disabling IPv6.  No luck.
Question by: rbsd176

18 Comments

Expert Comment by Peter Hutchison (LVL 18)

Is there one network card in it? Check the registry for any old entries (HKLM\System\CurrentControlSet\Services\Tcpip).

Does it have Windows Firewall enabled or User Account Control enabled?

Try resetting the network adapter to defaults using the netsh command:
http://support.microsoft.com/kb/299357
Author Comment by rbsd176

UAC and Windows firewall are disabled.

If I reset the network adapter to defaults, will it remove the TCP/IP or DNS settings?  That would cause a problem because the server is at a remote branch.
Expert Comment by M Roe (LVL 9)

To add telnet:

To install an optional feature, at a command prompt, type:

    start /w ocsetup <featurename>

Where featurename is the name of a feature from the following list:

    Failover Clustering: FailoverCluster-Core
    Network Load Balancing: NetworkLoadBalancingHeadlessServer
    Subsystem for UNIX-based applications: SUACore
    Multipath IO: MultipathIo
    Removable Storage: Microsoft-Windows-RemovableStorageManagementCore
    BitLocker Drive Encryption: BitLocker
    Windows Server Backup: WindowsServerBackup
    Simple Network Management Protocol (SNMP): SNMP-SC
    Windows Internet Name Service (WINS): WINS-SC
    Telnet client: TelnetClient

Note: To install the remote administration tool for BitLocker, type the following at a command prompt:

    start /w ocsetup BitLocker-RemoteAdminTool
Author Comment by rbsd176

I don't have server manager.  It's server core.  I can't connect remotely through server manager on another server because it needs a hostname.
Author Comment by rbsd176

Unfortunately I think this is a limitation of server core.  I receive the error "The specified Windows component could not be found: telentclient".
Expert Comment by Peter Hutchison (LVL 18)

You can add a static entry to your DNS for the remote server with its hostname and ip address.
Author Comment by rbsd176

I tried adding a host record on the DC at our headquarters and using repadmin /syncall, it still can't reach any other DNS servers.
Author Comment by rbsd176

Just tried to reset TCP on the server using NETSH on a lab server. This won't work because it's a remote server, and resetting TCP clears the IP settings. I won't be able to get back in after it's reset.
Author Comment by rbsd176

My last option if I can't figure this out is to bring up a 2008 DC and DNS server at our HQ branch with IP settings for the remote branch, place the DNS server in the remote site in DNS through server manager, then ship the server to the branch.  I'm confident that with an active DNS server at the site, it will be able to add to the domain.  However, I would like to figure this out remotely if at all possible.
Expert Comment by M Roe (LVL 9)

Did you make sure telnet is spelled correctly?

The reply you posted had it wrong.
Expert Comment by Peter Hutchison (LVL 18)

Did you figure out why it had stopped replicating in the first place? This could also be the reason why DNS isn't working.
Author Comment by rbsd176

Yes I made sure telnet was spelled correctly.  The server was not replicating because there was another DC at the site that was not properly decommissioned.  It was just removed from the network, never demoted, etc.
Expert Comment by arnold (LVL 76)

You can use netsh to replace the nameserver records. Alternatively, modify the zone access rights to allow non-DC access to the AD zones. The main issue is likely due to the fact that the server's machine account was tombstoned.
Use netdom or PowerShell to reset the machine password/account in AD.
Author Comment by rbsd176

Set DNS primary/secondary to known good DNS server at another branch.  No luck.  Attempted to use netdom to reset the machine account and password.  The server is not on the domain, it's in a workgroup.  It cannot reset the machine account/password while in a workgroup.
Author Comment by rbsd176

Update: I'm able to access DNS management for the server using RSAT on a Windows 7 VM. There seems to be some incompatibility between Server Manager for Windows 8 and Server 2008.

Within DNS Manager, on this server, there are no zones.

Is it a good idea to export the zones from another DNS server on the network and import into DNS on that server?
Expert Comment by arnold (LVL 76)

AD DNS zones are AD integrated.
Author Comment by rbsd176

Correct.  Remember that this server is not on a domain.  It's not receiving DNS updates from anywhere.  Now that I have discovered that all DNS zones were removed when the server was demoted, it won't be able to receive updated DNS from anywhere.

Simply, here is the issue:

- I demoted DC.  It was a DNS server for the branch.
- All DNS zones were removed.
- I need the DNS zones back so I can talk to other DNS servers.
Accepted Solution by arnold (LVL 76), earned 500 total points

You can add a DNS server and set it up as a caching server.
I am unclear on what you are trying to do now and which system you are trying to do it with.
Make sure your DNS server does not have a root (.) zone for which it is reflected as authoritative.

The Root Hints tab of the DNS server properties should reflect a-f.root-servers.net.

You could take down the win2k8 system.
You would then restore the win2k3 system state from the backup taken when it was a DC. This way you will restore the data and the win2k3 as a DC of the AD, and it should be back to functional.

You can then, while off the network, clear the AD setup in the win2k8 and start the process again, but this time make sure that the added DC is synchronized before proceeding with transitioning from one DC to another.
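Two checks in this thread would have been quicker with a small probe run from any admin workstation: the asker could not telnet to port 53 from Server Core, and the accepted answer says the server must not be authoritative for the root (.) zone. The script below is an added example written for this page (my own standard-library Python, not code from the thread or from Microsoft). It opens TCP 53 to the server, sends a real SRV query for the DC locator record `_ldap._tcp.dc._msdcs.<domain>` (the record a machine needs to find a DC when joining), parses the answer, and then asks the same server for NS records of "." and reports whether the AA (authoritative answer) flag came back set. The DNS wire-format code is written here from RFC 1035; `mydomain.local` comes from the question, while the server address `192.0.2.10` and the host `dc01` are placeholders, and `sample_srv_response()` is a constructed reply for offline testing, not a capture.

```python
"""Probe a rebuilt branch DNS server over TCP 53 (added example, own code).

Does what "telnet <server> 53" plus nslookup would have shown, then checks
the root-zone point from the accepted answer: a caching-only server must not
answer for "." with the AA flag set.
"""
import socket
import struct

TYPE_NS, TYPE_SRV, CLASS_IN = 2, 33, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label format (RFC 1035 s3.1); "." becomes a lone 0."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """12-byte header (RD=1, one question) followed by the question section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def decode_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes) -> dict:
    """Return txid, AA flag, rcode and the decoded SRV / NS answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:                     # priority, weight, port, target
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            answers.append((rtype, prio, weight, port, decode_name(msg, off + 6)[0]))
        elif rtype == TYPE_NS:
            answers.append((rtype, decode_name(msg, off)[0]))
        off += rdlen
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "answers": answers}


def tcp_query(server: str, name: str, qtype: int, timeout: float = 5.0) -> dict:
    """One query over TCP 53 using the 2-byte length prefix (RFC 1035 s4.2.2)."""
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack(">H", data[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("DNS server closed the connection early")
            data += chunk
    return parse_response(data[2:])


def sample_srv_response() -> bytes:
    """Constructed reply for offline use (not captured from any real server)."""
    question = build_query("_ldap._tcp.dc._msdcs.mydomain.local", TYPE_SRV)[12:]
    header = struct.pack(">HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)  # QR AA RD RA
    rdata = struct.pack(">HHH", 0, 100, 389) + encode_name("dc01.mydomain.local")
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata))
    return header + question + rr + rdata


if __name__ == "__main__":
    server, domain = "192.0.2.10", "mydomain.local"   # placeholder target
    try:
        srv = tcp_query(server, f"_ldap._tcp.dc._msdcs.{domain}", TYPE_SRV)
        print("DC SRV records:", srv["answers"], "rcode:", srv["rcode"])
        root = tcp_query(server, ".", TYPE_NS)
        print("authoritative for root (should be False):", root["aa"])
    except OSError as exc:
        print("TCP 53 unreachable or no answer:", exc)
```

Run it against the branch server's address: an immediate connection error means port 53 is not listening or is filtered (the "no telnet" question answered); an SRV answer with rcode 0 means the server can resolve the DC locator record, which is what a domain join needs; rcode 3 (NXDOMAIN) or 2 (SERVFAIL) with no forwarders points at the missing zones the asker found; and `aa` being True on the "." query is the bogus root zone the accepted answer warns about.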