DNS cannot be installed on this domain controller

We have a new Server 2012R2 machine.  Getting an error after trying to promote to domain controller.  I've added the roles of Active Directory Sites and Services, AD users and computers, AD domains and trusts and DNS.  But I get the error, "DNS cannot be installed on this domain controller because this domain does not host DNS."  We absolutely use DNS on our domain.  But this halts the install and I can't go any further in the server promotion.  I've researched this and I haven't found a situation that matches ours exactly.  Some say to run dcpromo from a cmd prompt but that has gone away in 2012R2.  We only have one other DC it is a Windows Server 2008 Standard machine.  I have verified that it has the DNS role.
Josh Hind (Systems Admin) asked:
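As an added example (not part of the question or of any answer in this thread): on Server 2012 R2 the DCPROMO wizard is replaced by the ADDSDeployment PowerShell module, and its Test- cmdlet runs the same prerequisite checks the wizard stops on, without changing the server. The domain name below is a placeholder, and the Status/Message/Context property names on the result objects are assumed from the module's output.

```powershell
# Added example, not from the thread: the Server 2012 R2 replacement for DCPROMO.
# Runs only the prerequisite check for adding a replica DC (with DNS) and reports
# what the wizard would stop on, without touching the server.
# Assumptions: AD DS role installed, ADDSDeployment module present (2012+),
# $domainName is a placeholder, result objects expose Status/Message/Context.
Import-Module ADDSDeployment

function Test-ReplicaDcPrereqs {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][pscredential]$Credential,
        [Parameter(Mandatory = $true)][securestring]$DsrmPassword
    )
    # -InstallDns makes the check include the DNS prerequisites (the error in the question).
    $results = Test-ADDSDomainControllerInstallation -DomainName $DomainName `
                   -Credential $Credential -InstallDns `
                   -SafeModeAdministratorPassword $DsrmPassword
    foreach ($r in $results) {
        [pscustomobject]@{
            Status  = $r.Status
            Context = $r.Context
            Message = $r.Message
        }
    }
}

$domainName = 'corp.example.com'   # placeholder: your AD domain FQDN
$cred = Get-Credential -Message 'Domain Admin credentials for the existing domain'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password for the new DC'
$report = @(Test-ReplicaDcPrereqs -DomainName $domainName -Credential $cred -DsrmPassword $dsrm)
$report | Format-List

$failed = @($report | Where-Object { "$($_.Status)" -eq 'Error' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} prerequisite error(s); resolve them (DNS, reachable FSMO holders) before promoting." -f $failed.Count)
} else {
    Write-Host 'Prerequisites passed. The promotion itself is the matching Install- cmdlet:'
    Write-Host '  Install-ADDSDomainController -DomainName <domain> -Credential <cred> -InstallDns'
}
```

The value of running the Test- cmdlet first is that every blocking condition is listed at once (the DNS check, FSMO reachability, schema and forest prep), which is easier to work through than the one-at-a-time stops of the wizard.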
it_saige (Developer) commented:
Have you looked at this Microsoft TID?

http://support.microsoft.com/en-us/kb/2002584

-saige-

Josh Hind (Systems Admin, Author) commented:
Yes I have.  I tried the commands listed.  They didn't help.

it_saige (Developer) commented:
Could you provide the output for a DCDIAG?

-saige-

Paul MacDonald (Director, Information Systems) commented:
I would check to make sure you can reach the extant DCs from this new machine.  It may be there's a networking/firewall issue that's preventing this new DC from contacting DNS.

Josh Hind (Systems Admin, Author) commented:
Performing initial setup:
   Trying to find home server...
   ***Error: *servername* is not a Directory Server.  Must specify /s:<Directory
   Server> or  /n:<Naming Context> or nothing to use the local machine.
   ERROR: Could not find home server.

it_saige (Developer) commented:
Is this on the server you are trying to promote?  Try running it on one of the current DCs.

-saige-

Paul MacDonald (Director, Information Systems) commented:
You can also check the functional level of the domain.  Have you run ADPREP?

I still suspect a networking issue though.

Josh Hind (Systems Admin, Author) commented:
I ran it. It revealed a bunch of problems.  It's attached.

it_saige (Developer) commented:
No attachment found.  Also on the DC that fails, please run the following:
dcdiag /test:dcpromo /dnsdomain:<the FQDN of your domain> /replicadc
dcdiag /test:registerindns /dnsdomain:<the FQDN of your domain>

-saige-

Josh Hind (Systems Admin, Author) commented:
Trying to attach again.
DCDIAG-Output.txt

it_saige (Developer) commented:
Check your DNS servers for the following entry:

0961ed88-0d2d-4b51-b0a6-355721d097d7._msdcs.domain.*****.us

Also which server holds your PDCe FSMO role?
   Running enterprise tests on : domain.*****.us
      Starting test: LocatorCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         ......................... domain.*****.us failed test LocatorCheck


-saige-

Josh Hind (Systems Admin, Author) commented:
The server that held the PDCe FSMO role died due to multiple hard drive failure.  The output of the nslookup command is attached.  Two of the three machines are no longer on the domain.
DNS-Info.txt

it_saige (Developer) commented:
What server now holds the PDCe FSMO role?  Matter of fact, where do all of your FSMO roles reside?

-saige-

Josh Hind (Systems Admin, Author) commented:
They were on one of the servers that died.   Can I promote the current DC to those roles?

David Johnson, CD, MVP (Owner) commented:
powershell seize-fsmo-roles.ps1
# seize-fsmo-roles.ps1: seize all five FSMO roles onto the named DC (-Force seizes when the current holder is unreachable)
Move-ADDirectoryServerOperationMasterRole -Identity "BRAVO" -Force -Verbose -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

change BRAVO to your working DC name
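As an added example (not David's script and not from the thread): after seizing, confirm where all five FSMO roles now sit and whether each holder still answers on LDAP, so a role that still names the dead DC stands out before the metadata cleanup. It assumes the ActiveDirectory module (RSAT or a 2008 R2 or later DC) and Test-NetConnection, which needs PowerShell 4 (2012 R2); the TCP 389 probe is only a reachability check, not an AD health test.

```powershell
# Added example, not from the thread: after seizing, confirm where all five FSMO
# roles sit and whether each holder still answers on LDAP (TCP 389), so a role
# that still names the dead DC stands out. Assumptions: ActiveDirectory module
# (RSAT or a 2008 R2+ DC) and Test-NetConnection (2012 R2 / PowerShell 4+).
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles  = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder    = $roles[$role]
        $reachable = $false
        if ($holder) {
            # A holder that no longer exists (the thread's failed DC) fails this probe.
            $reachable = (Test-NetConnection -ComputerName $holder -Port 389 `
                              -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{ Role = $role; Holder = $holder; LdapReachable = $reachable }
    }
}

$status = Get-FsmoRoleStatus
$status | Format-Table -AutoSize
$dead = @($status | Where-Object { -not $_.LdapReachable })
if ($dead.Count -gt 0) {
    $names = ($dead | ForEach-Object { $_.Role }) -join ', '
    Write-Warning ("Roles held by unreachable DCs: {0}. Seize them (NTDSUTIL or " +
                   "Move-ADDirectoryServerOperationMasterRole -Force), then do metadata cleanup." -f $names)
}
```

Run it once before seizing (every role should show the dead server as unreachable) and again afterwards (every role should show the surviving DC as reachable); any role still pointing at the old name means the seize did not take.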
it_saige (Developer) commented:
Have you run the script provided by David yet? Once you have done this, then you will want to do a metadata cleanup of all orphaned DCs. Orphaned DCs are domain controllers that have been removed from the domain but still have entries in AD because of a failed or improper removal.

https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3/view/Discussions

-saige-

Josh Hind (Systems Admin, Author) commented:
I finally got the script to run but now it is reporting an error.  I am attaching it.
error.txt

it_saige (Developer) commented:
What OS version do you have on the DC that you are running this script from?  If it is 2008R2 or higher, it should work.  Otherwise, we can always just use NTDSUTIL to accomplish the same thing.

http://www.petri.com/seizing_fsmo_roles.htm

-saige-

Josh Hind (Systems Admin, Author) commented:
It is not R2; it's Windows Server 2008 Standard.

it_saige (Developer) commented:
In that case, just refer to the link on petri.com to seize the roles using NTDSUTIL.

-saige-

Josh Hind (Systems Admin, Author) commented:
Ok *Server1* now has roles: Schema, Naming Master, PDC, RID and Infrastructure.   Working on the metadata cleanup now.

it_saige (Developer) commented:
Once finished with this, I would normally set up a GPO to configure the time services properly. However, first I want to check the validity and health of your current FRS.

http://blogs.technet.com/b/askds/archive/2008/05/22/verifying-file-replication-during-the-windows-server-2008-dfsr-sysvol-migration-down-and-dirty-style.aspx

Once you have verified a healthy FRS, let's configure your time services:

1. Reset the time service to default values on your PDCe FSMO role holder.

Run the following commands from an elevated command prompt to reset the time service:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

2. Configure a group policy using a WMI filter to configure the time services on only the PDCe FSMO role holder.

To configure a GPO refer to this previous EE PAQ: http:/Q_28597899.html#a40553961

3. Force a group policy update on the PDCe FSMO role holder.

Run the following command from an elevated command prompt:
gpupdate /force

4. Reset the time service on each additional DC (not including the PDCe FSMO role holder) and set each to use the Domain Hierarchy for completeness.

Run the following commands from an elevated command prompt to reset the time service:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover

If *any* of your current DCs are VMs you will want to ensure that the Hyper-V Time Integration Service is disabled.

-saige-
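As an added example (not it_saige's code and not from the thread), steps 1 and 4 above carried out from one place: the script finds the PDCe, runs the w32time reset on every DC, and applies the domain-hierarchy setting only to the non-PDCe DCs, leaving the PDCe's own source to the GPO from step 2. It assumes the ActiveDirectory module, PowerShell remoting enabled on each DC and Domain Admin rights; the guest service name vmictimesync used for the Hyper-V check is an assumption.

```powershell
# Added example, not from the thread: apply the time-service reset procedure to
# every DC with Invoke-Command. The PDCe gets only the reset (its time source is
# left to the GPO from step 2); every other DC also gets /syncfromflags:domhier.
# Assumptions: ActiveDirectory module, PS remoting enabled on the DCs, Domain Admin.
Import-Module ActiveDirectory

function Reset-DcTimeService {
    param([switch]$WhatIf)   # -WhatIf only prints what would be done
    $pdce = (Get-ADDomain).PDCEmulator
    $dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        $isPdce = ($dc -ieq $pdce)
        $note = if ($isPdce) { ' (PDCe: reset only, source comes from the GPO)' } else { ' (reset + domhier)' }
        Write-Host ("{0}{1}" -f $dc, $note)
        if ($WhatIf) { continue }

        Invoke-Command -ComputerName $dc -ArgumentList $isPdce -ScriptBlock {
            param([bool]$IsPdce)
            # Step 1 / step 4, first half: reset the service to defaults.
            net stop w32time   | Out-Null
            w32tm /unregister  | Out-Null
            w32tm /register    | Out-Null
            net start w32time  | Out-Null
            if (-not $IsPdce) {
                # Step 4, second half: everything but the PDCe follows the domain hierarchy.
                w32tm /config /syncfromflags:domhier /update | Out-Null
                w32tm /resync /rediscover | Out-Null
            }
            # Hyper-V guests: the thread says time integration must be off. The guest
            # service name 'vmictimesync' is an assumption; warn if it is running.
            $sync = Get-Service -Name vmictimesync -ErrorAction SilentlyContinue
            if ($sync -and $sync.Status -eq 'Running') {
                Write-Warning "$env:COMPUTERNAME: Hyper-V time synchronization is running; disable the integration service."
            }
            # Report the source this DC ends up with, so a DC still on 'Local CMOS Clock' is visible.
            "{0}: source = {1}" -f $env:COMPUTERNAME, (w32tm /query /source)
        }
    }
}

Reset-DcTimeService -WhatIf   # review the plan first, then run without -WhatIf
```

After the run, every non-PDCe DC should report the PDCe (or another DC up the hierarchy) as its source; the PDCe reports whatever the GPO from step 2 configured, and "Local CMOS Clock" on any DC means that machine is not synchronizing at all.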
it_saige (Developer) commented:
Any update? We still have a little bit of work to do to complete this process. Once you are finished with the above, run a DCDIAG on SERVER1 and let's see where we stand.

-saige-

Josh Hind (Systems Admin, Author) commented:
I am still working on the tasks outlined in 40699444.  I will update with new DCDIAG summary when completed.

Josh Hind (Systems Admin, Author) commented:
Here is the updated dcdiag output.
dcdiag2.txt

it_saige (Developer) commented:
Ok now run:
dcdiag /test:dcpromo /dnsdomain:<the FQDN of your domain> /replicadc
dcdiag /test:registerindns /dnsdomain:<the FQDN of your domain>

On the server that you want to promote.

-saige-

Josh Hind (Systems Admin, Author) commented:
Ok both commands yielded "sufficient".
Testing.txt

it_saige (Developer) commented:
Let's add it to your domain then.

-saige-

Josh Hind (Systems Admin, Author) commented:
It is added to the domain.

it_saige (Developer) commented:
Let's run a DCDIAG on the newly added server.

-saige-

Josh Hind (Systems Admin, Author) commented:
It has not been promoted to DC yet.

it_saige (Developer) commented:
My mistake, when I said add it to your domain, I meant run DCPROMO on it.

-saige-

Josh Hind (Systems Admin, Author) commented:
I've tried doing that but it brings up a message referring me to a technet article.
dc-promo-message.jpg

it_saige (Developer) commented:
Which message?

-saige-

Josh Hind (Systems Admin, Author) commented:
I attached it to ID: 40701655

it_saige (Developer) commented:

Josh Hind (Systems Admin, Author) commented:
Ok so it completed but gave the attached message.
Final-Message.jpg

it_saige (Developer) commented:
Ok.  Let's look at the DNS and NIC configuration on SERVER1.

-saige-

Josh Hind (Systems Admin, Author) commented:
Ok *Server1* has three DNS entries:

192.*.*.14 (itself because it was the only DNS server on the domain)
8.8.8.8 (Google DNS)
8.8.4.4 (Google DNS)

it_saige (Developer) commented:
Do you want additional DNS servers? (It is good practice to have multiple.) That being said, here is what we want to do on Server1.

1. Reset the DNS zones for AD.

In the TCP/IP properties remove all DNS entries and put in 127.0.0.1 (this is just temporary).  Then from a command prompt run the following:
dcdiag /fix
netdiag /fix
ipconfig /flushdns
ipconfig /registerdns
net stop server
net start server

Once that is completed, then we will change the DNS entries in TCP/IP properties so that it only has the static ip for SERVER1 (192.*.*.14).

2. Configure the DNS forwarders and Root Hints

Open the DNS Management Console, right-click on SERVER1 and choose Properties [Capture.JPG].
Select the Forwarders tab and enter the external DNS servers that this server will communicate with, in your case, the Google DNS servers (while these will suffice, it is generally a good practice to use your ISP's DNS servers for geographical reasons) [Capture.JPG].
Select the Root Hints tab, press the 'Copy from Server' button, enter 198.41.0.4 -or- a.root-servers.net and press 'OK' [Capture.JPG].

3. Validate proper setup of your AD domain zone(s)

With the DNS Management Console open, expand your Forward Lookup Zones. Locate and expand the zone that represents your AD domain; you should see something similar to [Capture.JPG].
Right-click on the zone that represents your AD Domain Name, select Properties [Capture.JPG] and validate the following settings on the General tab [Capture.JPG].
On the Start of Authority tab, validate that you have SERVER1 listed as the primary server (Note: this name field contains the fully qualified domain record for the server, e.g. SERVER1.mydomain.com.; don't forget the trailing period) and that you have a responsible person listed [Capture.JPG].
Finally make sure that SERVER1 is listed under the Name Servers tab [Capture.JPG].

After completing the following steps, do the same for each additional DC. As you add DCs, you want to fill out the DNS settings on each DC.

The order of IPs usually falls into two different categories depending upon who you ask:

Category 1 - First IP address is the static IP of the localhost server (not the localhost address 127.0.0.1) with each additional DNS server's static IP listed.

Category 2 - First IP address is the static IP of a local DNS server that is not the localhost server with each additional DNS server's static IP listed.  The static IP address of the localhost server is included in the additional DNS server's static IP list.

Again it just depends on who you ask how this gets configured (heck Microsoft can't even agree):
From the Active Directory team at Microsoft:

It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:
1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.
2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)
3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.
4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DCs in a domain should be running DNS and hosting at least their own DNS zone; all DCs in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest's DCs. (Lots more arguments here).
5. DCs should have at least two DNS client entries.
6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DCs running DNS.
7. We don't care if you use Windows or 3rd party DNS. It's no skin off our nose: you already paid us for the DCs and we certainly don't need you to buy DNS-only Windows servers. But we won't be able to assist you with your BIND server, and their free product's support is not free.
8. (Other things I didn't say that are people's pet peeves, leading to even more arguments).

There are plans afoot to consolidate all this info, expand it, and get our message consistent and consolidated. This has started in the Windows Server 2008 R2 BPA for DNS. We also recently released a new namespace planning site that explains and prevents some design pitfalls:

DNS Namespace Planning Solution Center
http://support.microsoft.com/namespace

And we offer this great guide and portal site:

Creating a DNS Infrastructure Design
http://technet.microsoft.com/en-us/library/cc725625(WS.10).aspx

DNS Portal
http://technet.microsoft.com/en-us/network/bb629410.aspx
Source

-saige-
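As an added example (not from the thread or from Microsoft), a script that audits the DNS client list of every DC against the guidelines quoted above: points to itself somewhere, not as primary when other DCs exist, via loopback rather than its real IP, at least two entries, and any entry that is not a DC at all (the Google resolvers that were on SERVER1 would be flagged this way). It reads the NIC configuration over WMI so it also reaches a Windows Server 2008 DC; it assumes the ActiveDirectory module on the machine running it and WMI/DCOM access to each DC.

```powershell
# Added example, not from the thread: audit every DC's DNS client list against
# the guidelines quoted above. Uses WMI so it also reaches a Windows Server 2008
# DC. Assumptions: ActiveDirectory module locally, WMI/DCOM access to each DC.
Import-Module ActiveDirectory

function Test-DcDnsClientConfig {
    $dcs   = @(Get-ADDomainController -Filter *)
    $dcIps = @{}   # static IP -> DC name, used to tell DC entries from foreign ones
    foreach ($dc in $dcs) { if ($dc.IPv4Address) { $dcIps[$dc.IPv4Address] = $dc.HostName } }

    foreach ($dc in $dcs) {
        $findings = @()
        $nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $dc.HostName `
                   -Filter 'IPEnabled=TRUE' -ErrorAction SilentlyContinue |
               Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1
        $servers = if ($nic) { @($nic.DNSServerSearchOrder) } else { @() }
        $self    = @('127.0.0.1', '::1', $dc.IPv4Address)   # ways this DC can name itself

        if (-not $nic) { $findings += 'no NIC with DNS servers found (WMI unreachable?)' }
        if ($servers.Count -lt 2) { $findings += 'fewer than two DNS entries (guideline 5)' }
        if (@($servers | Where-Object { $self -contains $_ }).Count -eq 0) {
            $findings += 'does not point to itself at all (guideline 1)'
        }
        if ($dcs.Count -gt 1 -and $servers.Count -gt 0 -and $self -contains $servers[0]) {
            $findings += 'points to itself as primary (guideline 2)'
        }
        if ($servers -contains $dc.IPv4Address) {
            $findings += 'uses its real IP rather than loopback for itself (guideline 3)'
        }
        $unknown = @($servers | Where-Object { ($self -notcontains $_) -and (-not $dcIps.ContainsKey($_)) })
        if ($unknown.Count -gt 0) { $findings += "entries that are not DCs: $($unknown -join ', ')" }

        [pscustomobject]@{
            DC         = $dc.HostName
            DnsServers = ($servers -join ', ')
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-DcDnsClientConfig | Format-List
```

An entry reported as "not a DC" is a review item rather than an error: it may be a deliberate third-party DNS server (guideline 7), but a public resolver in a DC's client list means that DC can fall back to a server that knows nothing about the _msdcs records, which is exactly how the locator failures earlier in this thread arise.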
Josh Hind (Systems Admin, Author) commented:
Ok, a few things. I've finished tweaking the DNS settings. I obtained DNS info from my service provider and entered it on *SERVER1*. I ran the commands listed in #1; it did not like 'netlogon'. It told me "'netdiag' is not recognized as an internal operable program or batch file." Upon researching I found it was an older command not available on 2008 anymore, so I moved on. In #2 I already had a.root-servers.net entered. Only, b through m.root-servers.net are listed as well. Should I delete them? Finally, in DNS manager I don't see the newly promoted DC. It is listed in "name servers" for our domain though.

it_saige (Developer) commented:
For #2, you will have a.root-servers.net entered; we are just copying the latest root hint records from that server. We want to leave the rest of the list as is.

As for the servers shown in DNS Manager, DNS manager only shows the local server by default, you have to manually add additional servers.

-saige-

Josh Hind (Systems Admin, Author) commented:
Thanks, it_saige!