Domain upgrade / changing server roles caused a possible problem

Hi, I recently upgraded our domain. I took 2 old 2003 DCs offline after doing all the necessary steps with the domain prep, followed all the steps perfectly with no errors, put 2 DCs online that are 2008, and successfully raised the functional level of the forest to 2008. Something else that was done: one of the servers was our old terminal server and I removed the terminal server role.

Upon completion I cannot remote to any of my servers except the primary domain controller. In addition, we have 2 programs that require AD authentication to work, Dragon NaturallySpeaking (Network Edition) and an EMR that requires it, and we cannot log in to those as well. This has me totally baffled. It seems like 2 problems but could be 1, but both happened with the recent changes to the domain, or at the exact same time.

We no longer needed the terminal server as it stood, so it seemed like a good idea to remove the role, which in my mind should only affect the terminal server, not every server but 1.

User logins around the facility have been unaffected; nothing reported from over 100 users. Just remote desktop to servers (except 1) and 2 AD-dependent programs.

Any advice would be appreciated. Thanks, Mike
Asked by Julie Bingham

JAN PAKULA, ICT Infrastructure Manager, commented:
1. Have you configured forwarders in your AD DNS?

2. Does your new box have the same IP/name as the old one?

3. Are all your operation masters transferred successfully to the new installations?

https://support.microsoft.com/en-us/kb/234790

4. Is your DNS working correctly? Check it from CMD with:

nslookup

5. Also, are the ports for remote desktop open on the servers? (3389)

http://www.radmin.com/download/previousversions/portscanner.php
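The five checks above can be run from one script rather than by hand. The following is an added example, not code from the thread or from either participant. It assumes a domain-joined management host with the ActiveDirectory and DnsServer RSAT modules (Windows Server 2012 / Windows 8 or newer; on a 2008 box the native equivalents are `dnscmd /info /forwarders` and `netdom query fsmo`) and a Domain Admin session. Two caveats worth stating here: "forwarders" are the upstream resolvers the DNS service sends non-authoritative queries to, not the forward lookup zones, and nslookup takes the server to query as a second argument (`nslookup name 192.168.1.1`) or as `server 192.168.1.1` at its interactive prompt; there is no `-server` switch. The port check below uses a plain TCP connect so it needs no third-party scanner.

```powershell
# Added diagnostic script (not from the original thread). Assumes RSAT modules
# for Windows Server 2012+ and a Domain Admin session; no hostnames are
# hard-coded, everything is discovered from the domain.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

# 1. Forwarders: upstream resolvers, not the forward lookup zones.
foreach ($dc in $dcs) {
    $fwd = (Get-DnsServerForwarder -ComputerName $dc).IPAddress -join ', '
    "forwarders on {0}: {1}" -f $dc, ($(if ($fwd) { $fwd } else { '(none - root hints only)' }))
}

# 3. Operations master (FSMO) holders: all five must be live DCs, none of the retired 2003 names.
$forest = Get-ADForest
$dom    = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
} | Format-List

# 4. Resolution: ask each DC directly (what "server <ip>" does inside nslookup)
#    for the SRV record clients use to locate a domain controller.
foreach ($dc in $dcs) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dc -ErrorAction Stop
        $targets = ($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
        "{0} answers DC SRV lookup: {1}" -f $dc, $targets
    } catch {
        "{0} FAILED DC SRV lookup: {1}" -f $dc, $_.Exception.Message
    }
}

# 5. RDP reachability: TCP connect to 3389 with a timeout, no extra tooling needed.
function Test-TcpPort {
    param([string]$Computer, [int]$Port = 3389, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$servers = Get-ADComputer -Filter { OperatingSystem -like '*Server*' } -Properties OperatingSystem |
           ForEach-Object { $_.DNSHostName }
foreach ($s in $servers) {
    "{0,-40} tcp/3389 open: {1}" -f $s, (Test-TcpPort -Computer $s)
}
```

A server that answers on 3389 but still refuses the session points at authentication (Kerberos/LDAP reachability, the server's own DNS client settings) rather than the port; a server that does not answer at all points at the firewall or the Remote Desktop service. Either way the SRV lookup in step 4 is the first thing to get green, because both RDP logon and the two AD-dependent applications locate a DC through it.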
Julie Bingham (Author) commented:
Hi, thank you for the help. Here are the answers to the questions you asked:

1. Have you configured forwarders in your AD DNS? Looking in our DNS forwarders, it does show our domain name under the forward lookup zones and under that a list of all our machines, so to me this looks right.

2. Does your new box have the same IP/name as the old one? The new box has the same IP but a different name from the old one.

3. Are all your operation masters transferred successfully to the new installations? These all look great!

https://support.microsoft.com/en-us/kb/234790

4. Is your DNS working correctly? Check it from CMD with nslookup. This is a possible issue: when I run nslookup I get a DNS request timeout; it says "Default Server: unknown", then shows the address: the IP of our backup domain controller. This looks like a problem. Let me know what you think and what I need to do.

5. Also, are the ports for remote desktop open on the servers? (3389) I am trying to confirm this port is open on the servers but haven't yet.

http://www.radmin.com/download/previousversions/portscanner.php
Julie Bingham (Author) commented:
Some additional information: after seeing nslookup failing to see our primary domain controller, I looked in Server Manager at the DNS role, and there is an error listed there, error 6702. After looking that up, I get this answer:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6702
Description:
DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update; the record data is the error code.

If this DNS server does not have any DS-integrated peers, then this error should be ignored.
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server that the replication partner can contact. (In other words, if there are multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note that it is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

For more information, see Help and Support Center at http://support.microsoft.com. Data: 0000: 0000267c

This issue only occurs when the following conditions are true:
- The domain name is a single-label name. This means that the domain name does not have a suffix, such as ".local".
- The domain name zone is integrated with Active Directory.
- The domain name zone is hosted by two or more domain controllers or DNS servers.

Julie Bingham (Author) commented:
OK, also after running nslookup again, I get "unknown: can't find nslookup: Non-existent domain", then it shows the info on the backup domain controller.
Julie Bingham (Author) commented:
Now it just says "Default Server: unknown", then shows the IP of the primary DNS server in the list.
JAN PAKULA, ICT Infrastructure Manager, commented:
Can you do nslookup -server 192.168.1.1 (change it to the IP of the given server)?
It looks like your DNS can't communicate with AD.
Julie Bingham (Author) commented:
Not sure I am doing this right. I input into the command prompt "nslookup -server" (then the IP of either domain controller) and got "invalid command", so I changed -server to the name of my server and IP and got "Unknown: can't find ip address: Non-existent domain".

I think you are right on here. What can I do to fix this situation? I have been searching for error 6702 on Google, and it gives me steps to fix replication, which involve deleting a number of host A records in Sites and Services. But before doing that I ran the test they suggested, pinging the computer name and seeing if it replies, which it did. Let me know what you think the steps to fix it are. Thanks!
JAN PAKULA, ICT Infrastructure Manager, commented:
In your DNS:

1. Check that your domain controller has its host A record registered in the DNS zone.

2. Check that the "same as parent folder" records are correctly pointing to the DCs' IP addresses.

Also have a look at this one:

https://support.microsoft.com/en-us/kb/914050
Mikewb commented:
Hi, yes, both our domain controllers have their host A records registered in the forward lookup zone, along with what looks like every computer on our domain having a host A record. Should every computer have a host A record?

Also, under "same as parent folder" both domain controllers are listed, as well as all the old domain controllers which do not exist any longer.

Also, reading the article you provided, it suggests deleting any A records that do not have the correct IP. Like I said, in my host A records there are like 100 listed there, some of which are long gone from the network. Am I supposed to make sure only the correct IP addresses appear under "same as parent folder" and host A by deleting everything else?
Mikewb commented:
I have 8 "same as parent folder" entries: one is an IP I have never seen, the others are old domain controllers, and then the 2 new controllers, and then a ton of computers from the network. Is that normal? Or should it just contain info on the 2 domain controllers?
JAN PAKULA, ICT Infrastructure Manager, commented:
Mikewb commented:
OK, I will remove the old domain controllers' host A and "same as parent folder" entries. I did run cleanup using Ntdsutil, but noticed afterwards there were some old servers still listed in Sites and Services that had to be deleted; perhaps this is causing an issue. Since I already ran Ntdsutil, should I run it again? Perhaps my issues are in removing the extra old domain controllers manually.
Mikewb commented:
What listings should be left under "same as parent folder" when I get done? I have 9 listings under there: 2 are the IP addresses of the correct domain controllers and 2 are the computer names of the correct domain controllers; the rest are old domain controllers and one strange IP I have never seen before.
JAN PAKULA, ICT Infrastructure Manager, commented:
Yes, remove the old domain controllers. That strange number, is it in the same subnet?
Try resolving it using nslookup.
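What DNS Manager labels "(same as parent folder)" is the zone apex, the records attached to the bare domain name. In an AD-integrated zone every DC registers its own address there as an A record and, if it hosts the zone, as an NS record, so the expected contents are exactly the live DCs' addresses and names; anything else is a leftover from a decommissioned DC or something that was added by hand. The following script is an added example, not code from the thread or from either participant. It covers the two checks in the previous answer, the "check the host (A) record on each replication partner" loop from the 6702 event text, and the apex clean-up just discussed. It assumes the ActiveDirectory and DnsServer RSAT modules (Windows Server 2012 / Windows 8 or newer) and a Domain Admin session; it only reports unless `-Remove` is given, and it never deletes an apex A record on its own because an address that belongs to no current DC needs to be identified first.

```powershell
# Added example (not from the original thread). Assumes RSAT modules for
# Windows Server 2012+ and a Domain Admin session. Run without -Remove first
# and read the report; re-run with -Remove to delete stale NS records.
param([switch]$Remove)

Import-Module ActiveDirectory
Import-Module DnsServer

$zone     = (Get-ADDomain).DNSRoot
$liveDCs  = Get-ADDomainController -Filter *
$liveFqdn = $liveDCs | ForEach-Object { $_.HostName.ToLower().TrimEnd('.') }
$liveIPs  = $liveDCs | ForEach-Object { $_.IPv4Address }

# The zone apex ("same as parent folder" in DNS Manager) is Name '@' here.
# Checking the view of every DNS-hosting DC is the loop the 6702 text asks for.
foreach ($dns in $liveFqdn) {
    Write-Host "== $zone as served by $dns =="

    # Each live DC must have a host (A) record on this server.
    foreach ($dc in $liveDCs) {
        $short = $dc.HostName.Split('.')[0]
        $a = Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name $short -RRType A -ErrorAction SilentlyContinue
        if (-not $a) {
            "MISSING  A record for $($dc.HostName)"
        } else {
            $ips = ($a | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ','
            "OK       $($dc.HostName) -> $ips"
        }
    }

    # Apex A records: anything that is not a live DC address is stale or foreign.
    foreach ($rr in (Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name '@' -RRType A)) {
        $ip = $rr.RecordData.IPv4Address.IPAddressToString
        if ($liveIPs -contains $ip) { "OK       apex A $ip"; continue }
        try   { $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop).NameHost }
        catch { $ptr = 'no PTR record' }
        "REVIEW   apex A $ip (reverse lookup: $ptr) is not a current DC; identify it before deleting"
    }

    # Apex NS records are the "Name Servers" tab in DNS Manager, which is why
    # they cannot be deleted like an ordinary A record. Retired DCs go here.
    foreach ($rr in (Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name '@' -RRType NS)) {
        $ns = $rr.RecordData.NameServer.ToLower().TrimEnd('.')
        if ($liveFqdn -contains $ns) { "OK       NS $ns"; continue }
        if ($Remove) {
            $rr | Remove-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Force
            "REMOVED  NS $ns"
        } else {
            "STALE    NS $ns (re-run with -Remove to delete)"
        }
    }
}
```

Two points a practitioner would want stated. First, an NS record that still names a decommissioned DC is not cosmetic: resolvers that pick that name server get no answer and fall back only after a timeout, which is the sort of intermittent "request timed out" that nslookup showed earlier in this thread. Second, the bare domain name is what clients use for paths such as `\\domain\SYSVOL`, so an apex A record pointing at an address outside the network sends those requests off-site; find out who created it and why before removing it, and remove it once it is confirmed to be foreign. Deleting the record on one DC is enough, because the zone is AD-integrated and the deletion replicates to the others.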
Mikewb commented:
No, the strange IP looks like some external IP, like a website IP? Nothing to do with my company. I ran nslookup again for the domain controller and this strange IP; this is what it said:

for domain IP:
Default Server: unknown
IP address: (server IP is correct)

no error

for strange IP number:
Default Server: [strange IP]
Address: strange IP

no error

Does this look like it should, and that they both resolve?
Mikewb commented:
Also, upon trying to delete the old servers under "same as parent folder", it won't let me delete them like the host A records. This is under "name server", which is above; in there I can select properties and then remove from name servers, but I can't delete the entry directly.
Mikewb commented:
OK, after getting more familiar with nslookup it looks like it resolves OK. When I put in the server name it immediately shows me the servername.domain and the IP associated, so that should show it's all working OK. I am just at a loss as to why, after the domain change, the AD-associated programs won't allow anyone to log in to them, when AD and the domain look right.

I will remove the old domain controllers under name servers as we discussed, leaving only the new ones.

Topic: Windows Server 2008