Solved

Add Windows Server 2012 DC to existing 2003 Domain

Posted on 2013-11-05
40
1,715 Views
Last Modified: 2013-11-11
I have an existing Windows Server Standard 2003 domain. It is a single domain controller which has DNS and DHCP enabled. The server holds all FSMO roles. The functional level is 2003. I am trying to promote a 2012 server to a DC as well; however, I am getting this error: "Verification of replica failed. Active Directory domain controller for the domain XYZ could not be contacted. Ensure that you supplied the correct DNS domain name." I had no problem joining the server to the existing domain, and I can ping the 2003 server by name and IP address. Not sure what is going on here. Please help. If you have suggestions of things to check, please be detailed. Thanks.
0
Question by:schmad01
40 Comments
 
LVL 19

Expert Comment

by:helpfinder
ID: 39625496
Did you run adprep on the 2003 machine?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626179
There is no need to run adprep manually to add a Win2012 DC. Ensure that the DFL/FFL is Win2003: http://kpytko.wordpress.com/2012/09/07/adding-first-windows-server-2012-domain-controller-within-windows-200320082008r2-network/

Note: Win2012 DC does not support Exchange 2003: http://technet.microsoft.com/en-us/library/ff728623(v=exchg.141).aspx

Check the DNS setting on the server; it should point to the online DC on the Win2012 server. If multiple NICs are configured, disable the same. Check the NIC binding and ensure that no public IP address is configured in the NIC properties: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Temporarily disable antivirus and Windows Firewall too. Ensure that the required ports are open for AD communication: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
0
 

Author Comment

by:schmad01
ID: 39626224
Sandeshdubey, Everything you mention above has already been checked.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626227
Can you post the dcdiag /q output of the online DC and the ipconfig /all details of the online DC and the Win2012 server?
0
 

Author Comment

by:schmad01
ID: 39626271
DCDIAG report (I x'd out the server names for security: XXXXXX is the 2003 server, YYYYYY is the 2012 server, and I replaced the domain name with "Domain"):

The host 783b68ae-b788-457e-b72a-0cd4c0c00ec5._msdcs.MCBMD.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (783b68ae-b788-457e-b72a-0cd4c0c00ec5._msdcs.Domain.local) couldn't be
         resolved, the server name (XXXXXX.Domain.local) resolved to the IP
         address (192.168.109.6) and was pingable.  Check that the IP address
         is registered correctly with the DNS server.
         ......................... XXXXXX failed test Connectivity
-------------------------------------------------------------------------------------------------------
IP CONFIG ALL 2003 SERVER

Windows IP Configuration

   Host Name . . . . . . . . . . . . : XXXXXX
   Primary Dns Suffix  . . . . . . . : Domain.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Domain.local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration #2
   Physical Address. . . . . . . . . : 00-30-48-7D-E8-FD
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.109.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.109.10
   DNS Servers . . . . . . . . . . . : 192.168.109.6

---------------------------------------------------------------------------------------------------

IPCONFIG /ALL 2012 SERVER

Windows IP Configuration

   Host Name . . . . . . . . . . . . : YYYYYY
   Primary Dns Suffix  . . . . . . . : Domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Domain.local

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : F0-1F-AF-CE-35-9B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ddd7:a19:4689:794e%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.109.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.109.10
   DHCPv6 IAID . . . . . . . . . . . : 267394991
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-FA-B1-C0-F0-1F-AF-CE-35-9B
   DNS Servers . . . . . . . . . . . : 192.168.109.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{7EF54E3D-BB69-4AB4-95A5-F5CEAE468521}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626345
From the dcdiag output, the DNS GUID registration failed. Check in the DNS console whether the GUID is missing.

It seems that in the NIC properties "Register this connection's addresses in DNS" is unchecked. Ensure that it is checked, then restart the Netlogon service and check.

It could also be due to a duplicate DNS zone or a duplicate GUID present in the AD database. We will check this later; first check the above parameters.

If multiple NICs are present, disable the unrequired NIC and also check the NIC binding.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
0
 

Author Comment

by:schmad01
ID: 39626372
OK, not familiar with "quid". Where do I check this exactly?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626377
See the image posted showing where the DNS GUID exists.
DNS-quid.png
0
 

Author Comment

by:schmad01
ID: 39626393
See attachment.  

And "Register this connection's addresses in DNS" was already checked.
dns.png
0
 

Author Comment

by:schmad01
ID: 39626423
Also see these errors in eventviewer for dns and not sure how to resolve:

The DNS server encountered a packet addressed to itself on IP address 192.168.109.6. The packet is for the DNS name "_ldap._tcp.pdc._msdcs.MCBMD.local.". The packet will be discarded. This condition usually indicates a configuration error.
 
Check the following areas for possible self-send configuration errors:
  1) Forwarders list. (DNS servers should not forward to themselves).
  2) Master lists of secondary zones.
  3) Notify lists of primary zones.
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server.
  5) Root hints.
 
Example of self-delegation:
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
  (bar.example.microsoft.com NS dns1.example.microsoft.com)
  -> BUT the bar.example.microsoft.com zone is NOT on this server.
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record.
 
You can use the DNS server debug logging facility to track down the cause of this problem.

For more information, see Help and Support Center at
0
 

Author Comment

by:schmad01
ID: 39626432
Also, on the new 2012 server, I have Active Directory Domain Services installed. Would it hurt if I added the DNS role to the new server before attempting to promote it, even though there are issues with the 2003 server's DNS?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626433
Have you checked that the DNS GUID is registered?
You need to fix the DNS issue on the Win2003 server first.
0
 

Author Comment

by:schmad01
ID: 39626491
How do I check that? If it isn't, how can I register it?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626501
Have you verified in the NIC properties that "Register this connection's addresses in DNS" is checked? In the DNS console, see if the DNS GUID (CNAME record) exists. See the image already posted.
0
 

Author Comment

by:schmad01
ID: 39626518
Yes, in the NIC properties "Register this connection's addresses in DNS" is checked. See the attached file. I don't think the CNAME is there.
Dns2.png
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626522
Can you expand the _msdct folder in DNS and post the image?
0
 

Author Comment

by:schmad01
ID: 39626562
I hope you meant _msdcs; I didn't see _msdct. Attached.
-msdcs.png
-msdcs2.png
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39626637
In the DNS console, in the MCBMD.local zone, check whether the CNAME record (DNS GUID) exists for the DC.

• Right-click MCBMD.local
• Choose New Alias (CNAME)
• In the Alias Name field, type in 783b68ae-b788-457e-b72a-0cd4c0c00ec5
• In the "Fully qualified..." field, type in DCname.MCBMD.local
0
 

Author Comment

by:schmad01
ID: 39626741
Getting late here. Will do tomorrow and update.
0
 

Author Comment

by:schmad01
ID: 39628165
I added the CNAME and, just to confirm, I replaced DCname with my domain controller name.
Ran a dcdiag and got the same thing. Do I need to give it time to update itself?
0
 

Author Comment

by:schmad01
ID: 39628261
I'm beginning to wonder whether I should uninstall DNS and reinstall it.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39629080
Restart the DNS and Netlogon services and check. Also run dcdiag /fix and ipconfig /flushdns and /registerdns and check how it works.

If it is not working, you can take a backup of DNS and reinstall the same. For the DNS backup see this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/6409b8d5-da43-41f6-83ba-f706a6422dcc/dns-manual-backup?forum=winserverDS
0
 

Author Comment

by:schmad01
ID: 39629257
"Restart the DNS and Netlogon services and check. Also run dcdiag /fix and ipconfig /flushdns and /registerdns and check how it works." -- I already tried all that and it did not work.

What exactly do you mean in the second paragraph by "reinstall the same"? Should I take these steps?
-convert dns to primary zone (uncheck integrate with active directory)
-remove dns in configure your server
-remove dns folder from system32
-in system32\config remove netlogon.dnb and netlogon.dns
reinstall dns (configure your server) with the correct zone name

then at the command prompt:

ipconfig /registerdns
net stop netlogon
net start netlogon

Will it have any negative effects?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39629292
You can reinstall DNS, but you need to take a backup of DNS before you proceed; see the link posted. Instead of converting the zone to primary, take the AD-integrated DNS backup. The above commands will not have a negative impact.
0
 

Author Comment

by:schmad01
ID: 39631388
I successfully performed the backup and successfully performed the steps to remove and reinstall DNS, but the problem persists. Even after deleting the old DNS files, though, the forward zones stayed the same. I'm wondering if that's where the problem lies. Is there a safe way to "re-do" the forward zones?
0
 

Author Comment

by:schmad01
ID: 39631867
I'm still at a loss. I've tried everything and still get this when trying to promote the 2012 server: "Verification of replica failed. Active Directory domain controller for the domain XYZ could not be contacted. Ensure that you supplied the correct DNS domain name."

I also disabled IPv6, thinking this may be interfering, but no luck. Help!
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 100 total points
ID: 39632379
Your problem is that the DNS GUID is not registered. You can manually create the same as suggested before. Anyway, can you check the DNS zones for any duplicate DNS zone which may be causing the issue: http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
0
 

Author Comment

by:schmad01
ID: 39632425
Attached is from ADSI Edit. I see no duplicates. Please go over with me in detail about the GUID not being registered and exactly how to do that. Thanks.
adsiedit1.png
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39632458
You also need to connect to DomainDnsZones and ForestDnsZones; see the link already posted.
0
 
LVL 25

Accepted Solution

by:DrDave242
DrDave242 earned 400 total points
ID: 39632470
From your screenshots, it appears that the _msdcs zone is completely missing. All that's present is the delegation record for it, which won't do any good if the zone isn't there. Fortunately, the zone is a snap to recreate:

1. In the DNS console, right-click Forward Lookup Zones and select New Zone. Click Next on the intro screen.

2. Select Primary zone and Store the zone in Active Directory. Click Next.

3. Select To all DNS servers running on domain controllers in this forest and click Next.

4. Name the zone _msdcs.MCBMD.local. (Case doesn't really matter here; it just looks better if it matches the other zone.) Click Next.

5. Select Allow only secure dynamic updates and click Next.

6. Click Finish to create the zone.

After the zone is created, verify that the 2003 DC is only using itself for DNS (which I think you already verified, but it couldn't hurt to double-check) and run the following four commands on it:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon


Close the DNS console and wait a few minutes, then open the DNS console and check the _msdcs.MCBMD.local zone. It should contain folders named dc, domains, gc, and pdc, as well as a few records. You don't need to drill down through all of the folders unless you want to; as long as they're there, you're probably good to go. Try to promote the 2012 server again.
0
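As an added check that is not part of the thread or either expert's instructions, the following read-only PowerShell script, run from the 2012 member server, queries the 2003 DC's DNS service for the `_msdcs` records that dcdiag's Connectivity test and the promotion wizard depend on: the `_msdcs` zone's own SOA (present only if the zone exists and not just its delegation), the DSA GUID CNAME from Sandeshdubey's steps above, and the DC/PDC/GC locator SRV records. It assumes the thread's placeholder values (Domain.local, the DNS server at 192.168.109.6 and the GUID from the dcdiag output); substitute your own.

```powershell
# Added example (not from the thread or its participants): read-only check, run from the
# 2012 member server, of the _msdcs records that dcdiag's Connectivity test and the
# promotion wizard rely on. The defaults are the thread's placeholders; substitute your
# own domain, DNS server and DSA GUID (the GUID appears in the dcdiag output as
# "The host <guid>._msdcs.<domain> could not be resolved").
param(
    [string]$Domain    = 'Domain.local',
    [string]$DnsServer = '192.168.109.6',
    [string]$DsaGuid   = '783b68ae-b788-457e-b72a-0cd4c0c00ec5'
)

function Test-MsdcsRecord {
    param([string]$Name, [string]$Type, [string]$Check)
    try {
        # Query the DC's DNS service directly, bypassing the local cache and hosts file.
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer `
                             -DnsOnly -NoHostsFile -QuickTimeout -ErrorAction Stop
        $answer = switch ($Type) {
            'SOA'   { ($r | Where-Object Type -eq 'SOA').PrimaryServer }
            'CNAME' { ($r | Where-Object Type -eq 'CNAME').NameHost }
            'SRV'   { (($r | Where-Object Type -eq 'SRV').NameTarget) -join ', ' }
        }
        if (-not $answer) { throw "no $Type record in the answer" }
        [pscustomobject]@{ Check = $Check; Name = $Name; Result = 'OK'; Detail = $answer }
    } catch {
        [pscustomobject]@{ Check = $Check; Name = $Name; Result = 'MISSING'; Detail = $_.Exception.Message }
    }
}

$msdcs = "_msdcs.$Domain"
$results = @(
    # A zone that exists answers for its own SOA. If only the parent zone's delegation is
    # left (the situation in the accepted answer), the server refers the query to itself
    # and fails, which is what the "packet addressed to itself" event describes.
    Test-MsdcsRecord -Name $msdcs -Type SOA -Check '_msdcs zone present'
    # The DSA GUID alias that dcdiag reported as unresolvable.
    Test-MsdcsRecord -Name "$DsaGuid.$msdcs" -Type CNAME -Check 'DC GUID CNAME'
    # Locator records a joining server uses to find a DC, the PDC emulator and a GC.
    Test-MsdcsRecord -Name "_ldap._tcp.dc.$msdcs"  -Type SRV -Check 'DC locator SRV'
    Test-MsdcsRecord -Name "_ldap._tcp.pdc.$msdcs" -Type SRV -Check 'PDC locator SRV'
    Test-MsdcsRecord -Name "_ldap._tcp.gc.$msdcs"  -Type SRV -Check 'GC locator SRV'
)
$results | Format-Table Check, Result, Detail -AutoSize

# Non-zero exit lets the script gate a retry of the promotion once every record is back.
if ($results.Result -contains 'MISSING') { exit 1 }
```

Run it before and after recreating the zone and restarting Netlogon; every row should read OK before retrying the promotion.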
 

Author Comment

by:schmad01
ID: 39632482
In number 4, when I name the zone, do I include the period after "local", or is that just the end of your sentence?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39632557
No, the period is not required at the end. Create the msdcs.MCBMD.local zone as DrDave242 suggested.

Full marks to DrDave242; I completely missed the same. Once the zone is created, restart the Netlogon and DNS services, and it seems you should be looking good after performing the same.
0
 

Author Comment

by:schmad01
ID: 39632570
That was it!!!  Thank you very much!!!
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 39632575
I don't like to make a big deal out of these, but it does seem like I should get some credit. Maybe not all of it, because Sandeshdubey did quite a lot of troubleshooting, but something at least...
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39632579
Agreed with DrDave242; the points should be assigned to DrDave242. schmad01, can you please change the same?

DrDave242 you can post objection if required.
0
 

Author Comment

by:schmad01
ID: 39632584
I was so excited I wasn't thinking. Of course. How do I change it?
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 39632595
I submitted a request for attention. It seems an objection can only be posted if an asker accepts his own comment as the answer (something I didn't know until just now).

A moderator will sort it out. Thanks! :)
0
 

Author Comment

by:schmad01
ID: 39632599
You got it.  Thank you guys.
0
 

Author Closing Comment

by:schmad01
ID: 39640584
Thank you both.
0
