Link to home
Create AccountLog in
Avatar of rbsd176
rbsd176

asked on

Demoted DC Can't Reach Other DC's

We have a 2008R2 core server on our network which was tombstoned. The server had DNS and DHCP for the branch. My plan was to forcefully demote the DC (as it was not replicating due to tombstone), perform a metadata cleanup, and re-promote the DC (maintaining the DHCP and DNS server roles).

The server demoted gracefully. The DC was no longer in DNS or AD sites & services. However, after attempting to re-promote the DC, I seem to be having DNS issues on the DC. DNS was manually set to itself (as it was the DNS server for the site). Even after setting DNS to another DNS server in our domain and flushing/registering DNS, I can't seem to get it to see the other servers on the network. NSLookup times out.  I've checked AD Sites and Services and our inter-site transports are correct.  This subnet should be replicating from our headquarters.  I am using the fqdn (mydomain.local) when I try to re-add the server to the domain.

I'm able to ping other servers, I just can't reach them by hostname.  I am unable to telnet to another DNS server using port 53 because Server 2008 core does not have telnet.

I also tried disabling IPv6.  No luck.
Avatar of Peter Hutchison
Peter Hutchison
Flag of United Kingdom of Great Britain and Northern Ireland image

Is there one network card in it? Check registry for any old entries (HLKM\System\CurrentControlSet\Services\Tcpip).

Does it have Windows Firewall enabled or User Access Control enabled?

Try resetting the network adapter to defaults using netsh command:
http://support.microsoft.com/kb/299357
Avatar of rbsd176
rbsd176

ASKER

UAC and Windows firewall are disabled.

If I reset the network adapter to defaults, will it remove the TCP/IP or DNS settings?  That would cause a problem because the server is at a remote branch.
To add telent

To install an optional feature

    At a command prompt, type:

    start /w ocsetup <featurename>

    Where featurename is the name of a feature from the following list:
        Failover Clustering: FailoverCluster-Core

        Network Load Balancing: NetworkLoadBalancingHeadlessServer

        Subsystem for UNIX-based applications: SUACore

        Multipath IO: MultipathIo

        Removable Storage: Microsoft-Windows-RemovableStorageManagementCore

        BitLocker Drive Encryption: BitLocker

    noteNote
    To install the remote administration tool for BitLocker, type the following at a command prompt:

    start /w ocsetup BitLocker-RemoteAdminTool

        Windows Server Backup: WindowsServerBackup

        Simple Network Management Protocol (SNMP): SNMP-SC

        Windows Internet Name Service (WINS): WINS-SC

        Telnet client: TelnetClient
Avatar of rbsd176

ASKER

I don't have server manager.  It's server core.  I can't connect remotely through server manager on another server because it needs a hostname.
Avatar of rbsd176

ASKER

Unfortunately I think this is a limitation of server core.  I receive the error "The specified Windows component could not be found: telentclient".
You can add a static entry to your DNS for the remote server with its hostname and ip address.
Avatar of rbsd176

ASKER

I tried adding a host record on the DC at our headquarters and using repadmin /syncall, it still can't reach any other DNS servers.
Avatar of rbsd176

ASKER

Just tried to reset TCP on the server using NETSH on a lab server.  This won't work because it's a remote server and it resetting TCP clears the IP settings.  Won't be able to get back in after it's reset.
Avatar of rbsd176

ASKER

My last option if I can't figure this out is to bring up a 2008 DC and DNS server at our HQ branch with IP settings for the remote branch, place the DNS server in the remote site in DNS through server manager, then ship the server to the branch.  I'm confident that with an active DNS server at the site, it will be able to add to the domain.  However, I would like to figure this out remotely if at all possible.
Did you make sure the telnet is spelled correctly..


The reply you sent you had it wrong
Did you figure out why it had stopped replicating in the first place. This could also be the reason why dns isn't working as well?
Avatar of rbsd176

ASKER

Yes I made sure telnet was spelled correctly.  The server was not replicating because there was another DC at the site that was not properly decommissioned.  It was just removed from the network, never demoted, etc.
You can use netsh to replace the nameserver records. Alternatively, modify the zone access rights to allow non DC access to the AD zones.  Main issue is likely due to the fact that the server's machine account was tombstoned.
Netdom or use powershell to reset the machine password/account in the AD.
Avatar of rbsd176

ASKER

Set DNS primary/secondary to known good DNS server at another branch.  No luck.  Attempted to use netdom to reset the machine account and password.  The server is not on the domain, it's in a workgroup.  It cannot reset the machine account/password while in a workgroup.
Avatar of rbsd176

ASKER

Update: I'm able to access DNS management for the server using RSAT on a Windows 7 VM.  There seems to be some incompatibility between server manager for Windows 8 and Server 2008.  

Within DNS manager, on this server, there are no zones.  

Is it a good idea to export the zones from another DNS server on the network and import into DNS on that server?
AD DNS zones are AD integrated.
Avatar of rbsd176

ASKER

Correct.  Remember that this server is not on a domain.  It's not receiving DNS updates from anywhere.  Now that I have discovered that all DNS zones were removed when the server was demoted, it won't be able to receive updated DNS from anywhere.

Simply, here is the issue:

- I demoted DC.  It was a DNS server for the branch.
- All DNS zones were removed.
- I need the DNS zones back so I can talk to other DNS servers.
ASKER CERTIFIED SOLUTION
Avatar of arnold
arnold
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account