Solved

Promoting another server 2003 Domain Controller to Existing Domain and DNS integrated zones.

Posted on 2014-09-09
Last Modified: 2014-09-27
Hello, we have a network with Server 2003 based domain controllers and today I have promoted another Server 2003 to become a domain controller.  Our Active Directory is configured with Active Directory Integrated DNS zones.  The DC promo went without a hitch with one potential major exception (of course).  The DNS server role was not active as it wasn't installed on this server.  So I had to put in the CD and install this role after running DC promo.  I was then prompted by a wizard asking me to configure all these DNS zones etc., which I was assuming I would not have to do as it would automatically pull all of the DNS information down via an Active Directory replication update from our other DCs (hence Active Directory integrated DNS).  So I canceled out of this DNS wizard, not liking the language or context it was using.  But here's the kicker, it still enabled the DNS server service even though I canceled the wizard without filling anything out.  Note that it was at the point where it said review the DNS check list before clicking next, but I canceled just after that in the next screen where it had a bunch of radio button options.

Anyway, when I went into the DNS server menu, it looks like it pulled all of our zone info down from the other domain controllers.  But I tested by adding a new record on the new DNS server, and then another on the old DNS server, and these two new records were not added to the other domain controllers, even after 10 minutes.

I received a bunch of DNS errors in the new DC's DNS event log, with event IDs 4513 and 4015.

So for the time being I have shut this new domain controller off fairly quickly, about 30 minutes total after having done this, just to make sure that it doesn't somehow wipe out all of the DNS records in our other, older domain controller, which would be fantastically bad.

So my question is, what has gone wrong, how do I fix this, and is there any risk to our other domain controllers' DNS records?

Thanks for the help.
Question by:CnicNV
11 Comments
 

Author Comment

by:CnicNV
ID: 40314935
Ok, so it looks like errors 4513 and 4015 relate to something going wrong/not being set up/not intuitive about how the Active Directory Integrated DNS zones did not automatically create or add themselves into the newly minted Domain Controller's directory partition forestdnszones.  No idea why, even when it appears that the zones selected to replicate do show up on the new DC's DNS server manager interface (at least all the records that were there from the initial setup replication).  Despite a restart of the server, these DNS errors still persist in the new DC, and A records added in its DNS do not replicate to the old DC and vice versa.

The event ID 4513 suggests that I "Right click the applicable DNS server (I am guessing the new one), and then click 'Create default application directory partitions'".  I am wondering why I need to do this, and why this was not automatically done when the new DC had its DNS server service activated?  If I manually do this, will it create a blank partition with no DNS records in the new DC that will then replicate this blank list over to the old DC and wipe out all of the years of DNS records we have created?

Is there a simple way to fix this, or should I just demote this new DC and provision a new one, making sure I install the DNS server role before I even attempt to promote it to a domain controller?

Thanks
 
LVL 25

Expert Comment

by:DrDave242
ID: 40314938
Error 4513 indicates that the new DC isn't included in the replication scope of at least one directory partition. I don't know why that would've happened, though. Which directory partitions are indicated in those errors?

Also, could you post the output of the dnscmd /enumdirectorypartitions command on that server?
 

Author Comment

by:CnicNV
ID: 40315460
Thanks for the response, yeah that's what it looks like.  The directory partition in the alert is the following: "forestdnszones.ourdomain.com"

Is there a way to fix this without wrecking other things (i.e. our DNS zones on our good domain controller), or should I simply demote this semi-botched, newly provisioned DC and then create another one with an entirely different name/IP address, but this time enabling the DNS server role before doing so?
 

Author Comment

by:CnicNV
ID: 40315470
Also, what roles should one enable before promoting a Windows Server 2003 to a domain controller?  Apparently DNS lol, is there anything else?
thanks
 
LVL 25

Expert Comment

by:DrDave242
ID: 40316030
It's not normally necessary to install the DNS Server role before promoting a DC; adding the role during the promotion should work just as well. There aren't any other roles that should be added before promoting.

What about the output of dnscmd /enumdirectorypartitions?
 

Author Comment

by:CnicNV
ID: 40319605
Ok so the output I am getting on that server when I type in the dnscmd command is the following....

Enumerated directory partition count = 2

DomainDnsZones.ourdomain.com                                      Not-Enlisted Auto Domain
ForestDnsZones.ourdomain.com                                         Not-Enlisted Auto Forest

Command completed successfully.


Also, note that when I check this server's Active Directory Sites and Services GUI, it shows all domain controllers that we have, but when I check the older domain controller with the FSMO role, which is what seems to be the only one working properly, i.e. where most of our network's AD protocol traffic goes to for requests, it only has two domain controllers listed (out of a total of 4): itself, and another DC that has been marked as tombstoned, which is part of the reason I am trying to promote some other domain controllers, so that I can demote this tombstoned one and have other replication partners.

thanks
 
LVL 25

Expert Comment

by:DrDave242
ID: 40319758
Try running the following two commands on that server:

dnscmd /enlistdirectorypartition domaindnszones.domain.com
dnscmd /enlistdirectorypartition forestdnszones.domain.com


(Replace domain.com with your actual domain name, of course.)

That might suffice to get rid of the DNS errors. However...

If you've got a DC that's tombstoned, you may as well go ahead and force-demote it, then perform a metadata cleanup to remove it from AD. The sooner this is done, the better.
It sounds like AD replication isn't working among the remaining DCs if they aren't all showing up in AD Sites and Services. Run repadmin /showrepl on each one to get an idea of what's replicating successfully and what isn't.
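The enlistment check this answer describes, as an added example that is not part of the original thread: a small Python parser for the output of dnscmd /enumdirectorypartitions (the same shape as the output posted above, with ourdomain.com as the placeholder domain) that flags every partition the local DNS server is "Not-Enlisted" in and builds the matching dnscmd /enlistdirectorypartition command. The sample output embedded below is constructed for the example; on a real DC you would feed it the saved command output instead.

```python
import re

# Constructed sample: dnscmd /enumdirectorypartitions output from a DC whose
# DNS server is not enlisted in either application directory partition
# (the state that produces event ID 4513).
SAMPLE_OUTPUT = """\
Enumerated directory partition count = 2

DomainDnsZones.ourdomain.com                 Not-Enlisted Auto Domain
ForestDnsZones.ourdomain.com                 Not-Enlisted Auto Forest

Command completed successfully.
"""

# One partition per line: <name> <Enlisted|Not-Enlisted> <flags...>
PARTITION_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<state>Not-Enlisted|Enlisted)\s+(?P<flags>.*)$"
)


def parse_partitions(text):
    """Return a list of {name, enlisted, flags} dicts, one per partition line.

    Header and trailer lines ("Enumerated ... count", "Command completed")
    do not match the pattern and are skipped.
    """
    partitions = []
    for raw in text.splitlines():
        match = PARTITION_RE.match(raw.strip())
        if not match:
            continue
        partitions.append(
            {
                "name": match.group("name"),
                "enlisted": match.group("state") == "Enlisted",
                "flags": match.group("flags").split(),
            }
        )
    return partitions


def count_matches_header(text, partitions):
    """Sanity check: the header's partition count equals the lines we parsed."""
    match = re.search(r"partition count = (\d+)", text)
    return match is not None and int(match.group(1)) == len(partitions)


def remediation_commands(partitions):
    """Build one dnscmd /enlistdirectorypartition command per partition the
    server is not yet enlisted in, i.e. the fix suggested in the thread."""
    return [
        "dnscmd /enlistdirectorypartition " + p["name"]
        for p in partitions
        if not p["enlisted"]
    ]


if __name__ == "__main__":
    parts = parse_partitions(SAMPLE_OUTPUT)
    if not count_matches_header(SAMPLE_OUTPUT, parts):
        print("warning: parsed line count does not match the header count")
    for p in parts:
        print(f"{p['name']}: {'enlisted' if p['enlisted'] else 'NOT enlisted'}")
    for cmd in remediation_commands(parts):
        print("run on this DC:", cmd)
```

Enlisting adds the DC as a replica of an application partition that already exists in the forest, so the partition's existing contents replicate in from the other replicas; it does not create an empty copy that could overwrite the zones held on the established DC. Re-run dnscmd /enumdirectorypartitions afterwards and confirm both lines read "Enlisted" before checking whether the 4513 events stop.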
 

Author Comment

by:CnicNV
ID: 40319997
Ok so I ran the repadmin /showrepl command on one of the new DCs and it shows that it is replicating successfully to the other 3 DCs.  But when I run the same command on the primary domain controller (a legacy term I guess), or the FSMO/Global Catalog one, it shows all replication errors, i.e. the 1815 ones, but only with one of the other 3 domain controllers, i.e. the other older tombstoned one.  It doesn't even acknowledge the other two new ones as successes or failures.

And this seems to correlate with the anecdotal tests I have been doing.  I.e. I delete someuser (an account that someone created a long time ago) from one of the new DCs, and this deletion change will propagate to the other 3 DCs (including the tombstoned one) with the exception of the FSMO one, which retains it.

So, I am not going to do anything major now to Active Directory (i.e. the Friday rule), but I think I am going to demote the tombstoned one early next week as well as the other two new DCs, so I start with things in such a way that only the FSMO DC remains.

Then I am going to promote two more DCs again and hopefully they will establish 100% replication with each other.

How does DC promotion work in an environment with two existing DCs?  Do the new DCs go to the FSMO DC to do the initial replication, or do they hit all existing DCs at once, or do they pick one of the two randomly, or do they use the one with the highest USN number?  I am just wondering if newly promoted DCs are pulling initial information from the tombstoned DC and thus are immediately ostracized by the FSMO DC.

Thanks
 
LVL 25

Assisted Solution

by:DrDave242
DrDave242 earned 500 total points
ID: 40320404
If you run the promotion in advanced mode, you can choose which DC to use as the source. That's dcpromo /adv in 2003, I believe. They should be able to figure out not to use the tombstoned DC in any case, though.
 

Accepted Solution

by:CnicNV
CnicNV earned 0 total points
ID: 40337526
Excellent, thanks for the tip.  

What got it working in my case was the following.  Demote all Domain Controllers other than the "Primary" or FSMO role one.  Only one of the 3 additional domain controllers demoted "gracefully".  This was the one that didn't even show up in the Domain Controllers OU.  The other two would fail the demotion attempt.  I had to do a DC force demotion for those two.  The tombstoned one was one of these.  After this, I did an Active Directory metadata cleanup, instructions for which can be found in many YouTube vids.  Once the tombstoned DC was removed, I could now promote new domain controllers without issue, and they have been replicating with the FSMO DC.  I have checked the event logs and I am not getting any of the same errors, and many AD and DNS creation/deletion tests have ensured full duplex replication between DCs.

So, it appears that the tombstoned DC was affecting my ability to promote additional DCs that could replicate full duplex with AD.

In any case, thanks again.
 

Author Closing Comment

by:CnicNV
ID: 40347411