Add Windows Server 2012 DC to existing 2003 Domain

I have an existing Windows Server 2003 Standard domain. It is a single domain controller which has DNS and DHCP enabled. The server holds all FSMO roles. The functional level is 2003. I am trying to promote a 2012 server to a DC as well; however, I am getting this error: "Verification of replica failed. Active Directory domain controller for the domain XYZ could not be contacted. Ensure that you supplied the correct DNS domain name." I had no problem joining the server to the existing domain and I can ping the 2003 server by name and IP address. Not sure what is going on here. Please help. If you have suggestions of things to check, please be detailed. Thanks.
schmad01 Asked:
DrDave242 Commented:
From your screenshots, it appears that the _msdcs zone is completely missing. All that's present is the delegation record for it, which won't do any good if the zone isn't there. Fortunately, the zone is a snap to recreate:

1. In the DNS console, right-click Forward Lookup Zones and select New Zone. Click Next on the intro screen.
2. Select Primary zone and Store the zone in Active Directory. Click Next.
3. Select To all DNS servers running on domain controllers in this forest and click Next.
4. Name the zone _msdcs.MCBMD.local. (Case doesn't really matter here; it just looks better if it matches the other zone.) Click Next.
5. Select Allow only secure dynamic updates and click Next.
6. Click Finish to create the zone.

After the zone is created, verify that the 2003 DC is only using itself for DNS (which I think you already verified, but it couldn't hurt to double-check) and run the following four commands on it:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

Close the DNS console and wait a few minutes, then open the DNS console and check the _msdcs.MCBMD.local zone. It should contain folders named dc, domains, gc, and pdc, as well as a few records. You don't need to drill down through all of the folders unless you want to; as long as they're there, you're probably good to go. Try to promote the 2012 server again.
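The zone check, creation and record verification described in the answer above, scripted so it can be run from the new Windows Server 2012 member server. This is an added example and is not part of DrDave242's post or of any Microsoft tooling. It assumes the domain is MCBMD.local and the 2003 DC's DNS service is at 192.168.109.6 (both taken from the thread), that dnscmd.exe on the 2012 server can reach that DNS service over RPC as a Domain Admin, and that the dnscmd /ZoneAdd and /Config switch spellings below are right (confirm with dnscmd /ZoneAdd /? on the box before relying on them). It only reports unless -Fix is given, and the ipconfig /registerdns and netlogon restart still have to be done on the 2003 DC itself, which this script cannot do for you.

```powershell
# Added example (not from the thread): from the new 2012 member server, check
# whether the 2003 DC's DNS actually hosts the _msdcs zone (or only holds a
# delegation to it), create it with -Fix, and verify the records a replica
# must be able to resolve before dcpromo can find a partner.
# Assumptions: domain MCBMD.local and DNS server 192.168.109.6 as in the thread;
# dnscmd.exe can reach the 2003 DNS service over RPC; caller is a Domain Admin.
param(
    [string]$Domain    = 'MCBMD.local',
    [string]$DnsServer = '192.168.109.6',
    [switch]$Fix                        # create the zone; default is report-only
)

$msdcs = "_msdcs.$Domain"

# 1. Is _msdcs a zone on this server, or just an NS delegation in the parent
#    zone pointing back at the same server (the self-send event in the thread)?
$zoneList = @(dnscmd $DnsServer /EnumZones 2>&1)
$hasZone  = @($zoneList | Where-Object { "$_" -match "^\s*$([regex]::Escape($msdcs))\s" }).Count -gt 0
$deleg    = Resolve-DnsName -Name $msdcs -Type NS -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue

if (-not $hasZone) {
    Write-Warning "$DnsServer does not host $msdcs (NS delegation present: $($null -ne $deleg))"
    if (-not $Fix) { return }
    # AD-integrated primary in the forest-wide partition (ForestDnsZones), secure
    # dynamic updates only (AllowUpdate 2): the same choices as the GUI steps.
    dnscmd $DnsServer /ZoneAdd $msdcs /DsPrimary /dp /enterprise
    dnscmd $DnsServer /Config  $msdcs /AllowUpdate 2
    Write-Host "Zone created. On the 2003 DC run: ipconfig /flushdns; ipconfig /registerdns;"
    Write-Host "net stop netlogon; net start netlogon. Wait a few minutes, then rerun without -Fix."
    return
}

# 2. Each DC's DSA GUID (objectGUID of its NTDS Settings object) via LDAP/ADSI,
#    which a 2003 DC answers; the Get-AD* cmdlets need ADWS, which 2003 lacks.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$($rootDse.configurationNamingContext)"
$searcher.Filter     = '(objectClass=nTDSDSA)'
[void]$searcher.PropertiesToLoad.Add('objectGUID')
$dsaHosts = @{}
foreach ($res in $searcher.FindAll()) {
    $guid   = [guid]$res.Properties['objectguid'][0]
    $server = $res.GetDirectoryEntry().Parent           # the server object
    $dsaHosts[$guid.ToString()] = [string]$server.Properties['dNSHostName'].Value
}

# 3. Records that must resolve from the _msdcs zone before a replica can be added.
$checks = @(
    @{ Name = "_ldap._tcp.pdc.$msdcs";    Type = 'SRV' },
    @{ Name = "_ldap._tcp.dc.$msdcs";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc.$msdcs"; Type = 'SRV' },
    @{ Name = "_ldap._tcp.gc.$msdcs";     Type = 'SRV' },
    @{ Name = "gc.$msdcs";                Type = 'A'   }
)
foreach ($g in $dsaHosts.Keys) {
    # The DSA GUID CNAME is the name dcdiag reported as unresolvable.
    $checks += @{ Name = "$g.$msdcs"; Type = 'CNAME'; Expect = $dsaHosts[$g] }
}

$failed = 0
foreach ($c in $checks) {
    $ans = @(Resolve-DnsName -Name $c.Name -Type $c.Type -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq $c.Type })
    if ($ans.Count -eq 0) {
        Write-Warning ("MISSING {0,-5} {1}" -f $c.Type, $c.Name); $failed++
    } elseif ($c.Expect -and $ans[0].NameHost -ne $c.Expect) {
        Write-Warning ("WRONG   {0} -> {1} (expected {2})" -f $c.Name, $ans[0].NameHost, $c.Expect); $failed++
    } else {
        Write-Host ("OK      {0,-5} {1}" -f $c.Type, $c.Name)
    }
}
if ($failed -eq 0) { Write-Host "All _msdcs records present; retry the DC promotion." }
else { Write-Warning "$failed record(s) missing: on the 2003 DC run ipconfig /registerdns, restart netlogon, wait, rerun." }
```

The point of creating _msdcs as its own forest-replicated zone rather than as a folder under MCBMD.local is the delegation the screenshots showed: with an NS record for _msdcs in the parent zone but no zone behind it, every query under _msdcs is referred to a zone the server does not hold, which is the "packet addressed to itself" event logged later in this thread. The DSA GUID CNAME lives at <guid>._msdcs.MCBMD.local inside that zone, and netlogon registers it there on its own once the zone exists, which is why creating the zone and restarting netlogon is enough.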
helpfinder (IT Consultant) Commented:
Did you run adprep on the 2003 machine?
Sandeshdubey (Senior Server Engineer) Commented:
There is no need to run adprep manually to add a Win2012 DC. Ensure that the DFL/FFL is Win2003. http://kpytko.wordpress.com/2012/09/07/adding-first-windows-server-2012-domain-controller-within-windows-200320082008r2-network/

Note: a Win2012 DC does not support Exchange 2003. http://technet.microsoft.com/en-us/library/ff728623(v=exchg.141).aspx

Check the DNS settings on the server: the Win2012 server should point to the online DC. If multiple NICs are configured, disable the extra ones. Check the NIC binding and ensure that no public IP address is configured in the NIC properties. http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Temporarily disable antivirus and Windows Firewall too. Ensure that the required ports are open for AD communication. http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
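A pre-flight check for the items in the comment above (DNS client settings, spare NICs, Windows Firewall state, and the AD ports between the new server and the existing DC), meant to be run on the 2012 member server. This is an added example, not part of Sandeshdubey's comment or of the linked articles. It assumes the DC is 192.168.109.6 and the domain is MCBMD.local as in the thread, and it tests only the fixed TCP ports plus one UDP DNS query; the RPC dynamic port range (1025-5000 on Server 2003), which the promotion also needs, is not enumerated.

```powershell
# Added example (not from the thread): pre-promotion checks run on the new
# Windows Server 2012 member server against the existing 2003 DC.
# Assumptions: DC 192.168.109.6 and domain MCBMD.local as in the thread;
# adjust the parameters for another environment.
param(
    [string]$DcIp      = '192.168.109.6',
    [string]$Domain    = 'MCBMD.local',
    [int]   $TimeoutMs = 2000
)

function Test-TcpPort {
    # TCP connect with a timeout; Test-NetConnection only arrived in 2012 R2.
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$problems = 0

# 1. More than one connected NIC on a would-be DC invites wrong-address
#    registrations; the advice above is to disable the spares before promoting.
$upNics = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
if ($upNics.Count -gt 1) {
    Write-Warning ("{0} adapters are Up: {1}" -f $upNics.Count, ($upNics.Name -join ', '))
    $problems++
}

# 2. Every IPv4 DNS client entry should be the existing DC (or another internal
#    DNS server hosting the AD zones), never an ISP or public resolver.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($srv -ne $DcIp) {
            Write-Warning "$($cfg.InterfaceAlias) uses DNS server $srv (expected $DcIp)"
            $problems++
        }
    }
}

# 3. Report firewall state; the thread suggests turning it off only to test.
Get-NetFirewallProfile | ForEach-Object {
    Write-Host ("Firewall profile {0,-8} enabled: {1}" -f $_.Name, $_.Enabled)
}

# 4. Fixed TCP ports a replica needs to reach on the source DC. The RPC dynamic
#    range (1025-5000 on Server 2003) is also required but not enumerated here.
$ports = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (SYSVOL/Netlogon)' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog SSL' }
)
foreach ($p in $ports) {
    $ok = Test-TcpPort -Target $DcIp -Port $p.Port -Timeout $TimeoutMs
    Write-Host ("TCP {0,5} {1,-28} {2}" -f $p.Port, $p.Name, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    if (-not $ok) { $problems++ }
}

# 5. UDP 53: the DC's DNS service must answer for the domain name itself.
$a = Resolve-DnsName -Name $Domain -Type A -Server $DcIp -DnsOnly -ErrorAction SilentlyContinue
if (-not $a) {
    Write-Warning "$Domain did not resolve via $DcIp over UDP 53"
    $problems++
} else {
    Write-Host "$Domain resolves to $($a.IPAddress -join ', ') via $DcIp"
}

if ($problems -eq 0) { Write-Host 'No network-level blockers found; look at the DNS zone contents next.' }
else { Write-Warning "$problems problem(s) found; fix these before retrying the promotion." }
```

In the OP's case this script would have come back clean (single NIC, DNS pointing at 192.168.109.6, name resolution working), which is the useful negative result: it rules out the network and client-side causes and points at the zone contents on the DC.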
schmad01 (Author) Commented:
Sandeshdubey, Everything you mention above has already been checked.
Sandeshdubey (Senior Server Engineer) Commented:
Can you post the dcdiag /q output of the online DC and the ipconfig /all details of the online DC and the Win2012 server?
schmad01 (Author) Commented:
DCDIAG report (I x'd out the server names for security: XXXXXX is the 2003 server, YYYYYY is the 2012 server, and I replaced the domain name with "Domain"):

         The host 783b68ae-b788-457e-b72a-0cd4c0c00ec5._msdcs.MCBMD.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (783b68ae-b788-457e-b72a-0cd4c0c00ec5._msdcs.Domain.local) couldn't be
         resolved, the server name (XXXXXX.Domain.local) resolved to the IP
         address (192.168.109.6) and was pingable.  Check that the IP address
         is registered correctly with the DNS server.
         ......................... XXXXXX failed test Connectivity
-------------------------------------------------------------------------------------------------------
IPCONFIG /ALL 2003 SERVER

Windows IP Configuration

   Host Name . . . . . . . . . . . . : XXXXXX
   Primary Dns Suffix  . . . . . . . : Domain.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Domain.local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration #2
   Physical Address. . . . . . . . . : 00-30-48-7D-E8-FD
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.109.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.109.10
   DNS Servers . . . . . . . . . . . : 192.168.109.6

---------------------------------------------------------------------------------------------------

IPCONFIG /ALL 2012 SERVER

Windows IP Configuration

   Host Name . . . . . . . . . . . . : YYYYYY
   Primary Dns Suffix  . . . . . . . : Domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Domain.local

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : F0-1F-AF-CE-35-9B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ddd7:a19:4689:794e%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.109.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.109.10
   DHCPv6 IAID . . . . . . . . . . . : 267394991
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-FA-B1-C0-F0-1F-AF-CE-35-9B
   DNS Servers . . . . . . . . . . . : 192.168.109.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{7EF54E3D-BB69-4AB4-95A5-F5CEAE468521}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Sandeshdubey (Senior Server Engineer) Commented:
From the dcdiag output, the DNS GUID registration failed. Check in the DNS console whether the GUID is missing.

It seems that in the NIC properties "Register this connection's addresses in DNS" is unchecked. Ensure that it is checked, restart the netlogon service and check.

It could also be due to a duplicate DNS zone or a duplicate GUID present in the AD database. We will check this later; first check the above parameters.

If multiple NICs are present, disable the unrequired NICs and also check the NIC binding.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
schmad01 (Author) Commented:
OK, not familiar with "GUID". Where do I check this exactly?
Sandeshdubey (Senior Server Engineer) Commented:
See the image posted, showing where the DNS GUID exists.
DNS-quid.png
schmad01 (Author) Commented:
See attachment.  

And  "Register this connections Address in DNS" was already checked.
dns.png
schmad01 (Author) Commented:
Also see these errors in eventviewer for dns and not sure how to resolve:

The DNS server encountered a packet addressed to itself on IP address 192.168.109.6. The packet is for the DNS name "_ldap._tcp.pdc._msdcs.MCBMD.local.". The packet will be discarded. This condition usually indicates a configuration error.
 
Check the following areas for possible self-send configuration errors:
  1) Forwarders list. (DNS servers should not forward to themselves).
  2) Master lists of secondary zones.
  3) Notify lists of primary zones.
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server.
  5) Root hints.
 
Example of self-delegation:
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
  (bar.example.microsoft.com NS dns1.example.microsoft.com)
  -> BUT the bar.example.microsoft.com zone is NOT on this server.
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record.
 
You can use the DNS server debug logging facility to track down the cause of this problem.

For more information, see Help and Support Center at
schmad01 (Author) Commented:
Also, on the new 2012 server, I have Active Directory domain services installed. Would it hurt if I added the DNS role to the new server before attempting to promote it even though there are issues with the 2003 server DNS?
Sandeshdubey (Senior Server Engineer) Commented:
Have you checked that the DNS GUID is registered?
You need to first fix dns issue on Win2003 server.
schmad01 (Author) Commented:
How do I check that? if it isn't how can I register it?
Sandeshdubey (Senior Server Engineer) Commented:
Have you verified in the NIC properties that "Register this connection's addresses in DNS" is checked? In the DNS console, see if the DNS GUID (CNAME record) exists. See the image already posted.
schmad01 (Author) Commented:
Yes, NIC properties  "Register this connections Address in DNS" is checked.  See attached file. I don't think the CNAME is there.
Dns2.png
Sandeshdubey (Senior Server Engineer) Commented:
Can you expand the _msdct folder in DNS and post the image
schmad01 (Author) Commented:
I hope you meant _msdcs, I didn't see _msdct.  Attached.
-msdcs.png
-msdcs2.png
Sandeshdubey (Senior Server Engineer) Commented:
In the DNS console, in the MCBMD.local zone, check whether the CNAME record (DNS GUID) exists for the DC.

• Right-click MCBMD.local
• Choose New Alias (CNAME)
• In the Alias Name field, type in 783b68ae-b788-457e-b72a-0cd4c0c00ec5
• In the "Fully qualified..." field, type in DCname.MCBMD.local
schmad01 (Author) Commented:
Getting late here. Will do tomorrow and update.
schmad01 (Author) Commented:
I added the CName and just to confirm, I replaced DCname with my Domain controller name.
Ran a dcdiag and same thing. Do I need to give it time to update itself?
schmad01 (Author) Commented:
I'm beginning to wonder whether I should uninstall Dns and re-install.
Sandeshdubey (Senior Server Engineer) Commented:
Restart the DNS and netlogon services and check. Also run dcdiag /fix, ipconfig /flushdns and ipconfig /registerdns, and check how it works.

If it is not working, you can take a backup of DNS and reinstall it. For the DNS backup see this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/6409b8d5-da43-41f6-83ba-f706a6422dcc/dns-manual-backup?forum=winserverDS
schmad01 (Author) Commented:
Restart the dns and netlogon service and check.Also run dcdiag/fix and ipconfig /flushdns and registerdns and check how does it work.  -- I already tried all that and it did not work.

What exactly do you mean in the second paragraph by "reinstall the same".  Should I take these steps?
-convert dns to primary zone (uncheck integrate with active directory)
-remove dns in configure your server
-remove dns folder from system32
-in system32\config remove netlogon.dnb and netlogon.dns
reinstall dns (configure your server) with the correct zone name

then at the command prompt:

ipconfig /registerdns
net stop netlogon
net start netlogon

Will it have any negative effects?
Sandeshdubey (Senior Server Engineer) Commented:
You can reinstall DNS, but you need to take a backup of DNS before you proceed; see the link posted. Instead of converting the zone to primary, take the AD-integrated DNS backup. The above commands will not have a negative impact.
schmad01 (Author) Commented:
I successfully performed backup and successfully performed the steps to remove and re-install dns but the problem persists. Even after deleting old dns files though, the forward zones stayed the same. I'm wondering if that's where the problem lies. Is there a safe way to "re-do" the forward zones?
schmad01 (Author) Commented:
I'm still at a loss.  I've tried everything and still get this when trying to promote the 2012 server.  Verification of replica failed. Active directory domain controller for the domain XYZ could not be contacted. Ensure that you supplied the correct DNS domain name.

I also disabled IPV6 thinking this may be interfering but no luck.  Help
Sandeshdubey (Senior Server Engineer) Commented:
Your problem is that the DNS GUID is not registered. You can manually create it as suggested before. Anyway, can you check the DNS zones for any duplicate DNS zone which may be causing the issue? http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
schmad01 (Author) Commented:
Attached is from adsi edit. I see no duplicates. Please go over with me in detail about the guid not being registered and exactly how to do that. thanks.
adsiedit1.png
Sandeshdubey (Senior Server Engineer) Commented:
You also need to connect to DomainDnsZones and ForestDnsZones; see the link already posted.
schmad01 (Author) Commented:
In number 4, When I name the zone, Do I include the period after local or is that just the end of your sentence?
Sandeshdubey (Senior Server Engineer) Commented:
No, the period is not required at the end. Create the _msdcs.MCBMD.local zone as DrDave242 suggested.

Full marks to DrDave242; I completely missed that. Once the zone is created, restart the netlogon and DNS services, and it seems you should be looking good after performing the same.
schmad01 (Author) Commented:
That was it!!!  Thank you very much!!!
DrDave242 Commented:
I don't like to make a big deal out of these, but it does seem like I should get some credit. Maybe not all of it, because Sandeshdubey did quite a lot of troubleshooting, but something at least...
Sandeshdubey (Senior Server Engineer) Commented:
Agreed with DrDave242, the points should be assigned to DrDave242. schmad01, can you please change the same?

DrDave242 you can post objection if required.
schmad01 (Author) Commented:
I was so excited I wasn't thinking. Of course, how do I change?
DrDave242 Commented:
I submitted a request for attention. It seems an objection can only be posted if an asker accepts his own comment as the answer (something I didn't know until just now).

A moderator will sort it out. Thanks! :)
schmad01 (Author) Commented:
You got it.  Thank you guys.
schmad01 (Author) Commented:
Thank you both.