DC trying to generate DNS records for old Active Directory domain

Posted on 2016-11-01
Last Modified: 2016-11-06
About 3 years ago, I changed my Active Directory domain name from 'old.local' to ''. As far as I can tell, I did everything at the time to make sure DNS and the whole AD infrastructure reflected this change. As far as I recall, dcdiag brought up everything as ok.

I've had some recent issues, potentially with AD, and this has caused me to run dcdiag again. The result is:

"Dynamic registration or deletion of one or more DNS records associated with DNS domain 'old.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)."

In addition:

"The dynamic registration of the DNS record '_ldap._tcp.gc._msdcs.old.local. 600 IN SRV 0 100 3268' failed on the following DNS server"

I've tried various things, including deleting the file C:\Windows\System32\config\netlogon.dns (which was full of entries for the old domain, merged in with the new). I then ran a fresh ipconfig /registerdns, followed by restarting the netlogon service. A few mins later, the new netlogon.dns file is regenerated, but with all the same incorrect entries.

I've also gone through all the AD tools I can think of to check there aren't lingering entries for the old domain, including AD Domains & Trusts, AD Sites and Services, ADSI Edit and LDP.exe. Nothing flags up as troublesome :-(

Any thoughts on where else to look, or what else to do is much appreciated!
Question by:bluemercury

Expert Comment

by:No More
ID: 41868921
When you open the DNS snap-in, can you see the old forward lookup zone there?

Author Comment

ID: 41868968
Nope, no forward lookup zone in place; I think it was deleted and replicated to the other DC a long time ago. I have noticed there are lots of reverse DNS A records for the old domain - any way this could be relevant? There didn't seem to be a way to delete individual records though :-(


Expert Comment

by:No More
ID: 41868994
Well, you should remove any records of the old domain.

Open the _msdcs.domain.local forward lookup zone, check everything for old records and remove them.

Expert Comment

ID: 41869068
You shouldn't have any zones for old.local if the domain rename was completed.

Check your DC's primary DNS suffix (easy way, run ipconfig /all).  Make sure it is not old.local.

Using ADSI Edit, check the msDS-AllowedDNSSuffixes attribute.
-Double-click the domain directory partition for the domain you want to modify.
-Right-click the domain container object, and then click Properties.
-On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS-AllowedDNSSuffixes.
What do you have there?

Author Comment

ID: 41869327
Hi footech.

Yep - concur with your points that there shouldn't be any 'old.local' DNS zones - from memory, the AD name change was ultimately a complete success (short of the problem I'm currently suffering, clearly!)

I'd already run ipconfig /all before posting, but just to double check I've run it just now and it lists the primary DNS suffix correctly as the '' domain.

In ADSI Edit, I can obviously only see things for the domain (should I create a host record for the old DC hostname in the HOSTS file, to see if it can find any remnants of the old AD in ADSI Edit?). I've followed your instructions for the current domain, and msDS-AllowedDNSSuffixes has no entries at all. Is this normal behaviour? I suspect, like you, I hoped to see our old domain there, but alas no :-(

Many thanks

Assisted Solution

cmlbaete earned 500 total points
ID: 41869378
Hi Bluemercury

I'm wondering if you have any old registry entries that may refer to the old domain. A slight stab in the dark, but it ties in with an issue I had recently.

Expert Comment

ID: 41869403
No, changing the HOSTS file would have no effect on what you see in ADSI Edit.  It looks at the AD database, which is the same one both before and after the rename.
Yes, that attribute should be blank (generally).  Just double-checking to make sure rendom /clean was run.

BTW, you can remove individual (or multiple) DNS records (like the old PTRs that you mentioned) just by selecting them and pressing the Delete key (or right-clicking and choosing Delete).

Author Comment

ID: 41869410
Thanks cmlbaete. Really appreciate the input - I hadn't thought beyond the AD infrastructure / schema itself, and that of course some rogue entries could be sitting in the local registry of the DC.

I think this has led to a solution, along with finding some finer details on other websites - I went down this path having got your comment.

Many thanks, will be posting details and awarding points shortly :-)

Accepted Solution

bluemercury earned 0 total points
ID: 41869420
It would seem the main registry entry that needs altering is found in:


AlternateComputerNames was the entry containing the old DC name, which I altered.

In addition, I also browsed to:


and altered the OptionalNames entry. This appeared to be correct (as it was listed as a NETBIOS style name that hadn't changed) but dcdiag was grumbling about it being wrong, so I changed it to the full DNS host name like the above, and it seemed to like that.

Then I restarted the system.

Following this, I browsed to %windir%\System32\config and renamed netlogon.dns and netlogon.dnb with '-old' suffixes in the name, just in case they were needed again.

Then fired up a command prompt, and did the following:

ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns

This generated new netlogon.dns and netlogon.dnb files, and on opening netlogon.dns with notepad, I now don't see any records generated for the old domain. If I run dcdiag, in this regard it is now happy.

I did this over an hour ago, and it has retained settings correctly, so I'm assuming this is fixed.

I used sections of the two articles below to come to this solution:

Thanks to everyone for their input - will sum up and award points now
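The checks footech asked for above (primary DNS suffix, msDS-AllowedDNSSuffixes), cmlbaete's registry hunch, and the netlogon.dns inspection from the accepted solution can be done read-only from one PowerShell script before anything is edited. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the old name is 'old.local', takes the netlogon.dns location from the thread, and scans two registry roots that are a choice made here (the thread does not give the key paths); the sample netlogon.dns content is constructed so the parser can be tried on a machine that is not a DC.

```powershell
# Added example, not code from the original thread. Read-only audit of the three
# places the thread looks for a pre-rename DNS name on a domain controller:
# the primary DNS suffix and msDS-AllowedDNSSuffixes (footech's checks), the
# registry (cmlbaete's suggestion) and netlogon.dns (the accepted solution).
# Assumptions: the old name is 'old.local'; the registry roots to scan are a
# choice made here, not taken from the thread. Run in an elevated prompt on the DC.
param(
    [string]$OldDomain   = 'old.local',
    [string]$NetlogonDns = "$env:windir\System32\config\netlogon.dns",
    [string[]]$RegistryRoots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services',
        'HKLM:\SYSTEM\CurrentControlSet\Control'
    )
)

# 1. Records in netlogon.dns whose owner name is the old zone or lies under it.
#    Lines look like: _ldap._tcp.dc._msdcs.old.local. 600 IN SRV 0 100 389 dc1.old.local.
function Get-StaleNetlogonRecords {
    param([string[]]$Lines, [string]$OldDomain)
    $zone = $OldDomain.TrimEnd('.') + '.'
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if (-not $text -or $text.StartsWith(';')) { continue }   # blank or comment line
        $owner = ($text -split '\s+')[0]
        if ($owner -ieq $zone -or $owner.EndsWith(".$zone", 'OrdinalIgnoreCase')) {
            [pscustomobject]@{ Owner = $owner; Record = $text }
        }
    }
}

# 2. String values under the given registry roots that mention the old domain.
#    The two values named in the thread, AlternateComputerNames and OptionalNames,
#    surface here if they still carry the old name; so does anything else that does.
function Find-RegistryReferences {
    param([string[]]$Roots, [string]$OldDomain)
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            try { $names = $key.GetValueNames() } catch { continue }   # access denied etc.
            foreach ($name in $names) {
                if ($key.GetValueKind($name) -notin 'String', 'ExpandString', 'MultiString') { continue }
                foreach ($data in @($key.GetValue($name, $null, 'DoNotExpandEnvironmentNames'))) {
                    if ($data -and $data -like "*$OldDomain*") {
                        [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                    }
                }
            }
        }
    }
}

# 3. What the DC believes its own names are: the primary DNS suffix ('NV Domain'
#    under Tcpip\Parameters is what ipconfig /all reports) and the domain's
#    msDS-AllowedDNSSuffixes attribute, read over ADSI from this DC.
function Get-DcNameState {
    $tcpip   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    [pscustomobject]@{
        PrimaryDnsSuffix     = [string]$tcpip.'NV Domain'
        DefaultNamingContext = [string]$rootDse.defaultNamingContext
        AllowedDnsSuffixes   = @($domain.'msDS-AllowedDNSSuffixes')   # normally empty after rendom /clean
    }
}

# Constructed sample in the shape netlogon.dns takes, mixing current and old records.
$sample = @(
    '; netlogon.dns sample (constructed for this example)'
    'corp.example.                       600 IN A 10.0.0.10'
    '_ldap._tcp.dc._msdcs.corp.example.  600 IN SRV 0 100 389 dc1.corp.example.'
    'old.local.                          600 IN A 10.0.0.10'
    '_ldap._tcp.gc._msdcs.old.local.     600 IN SRV 0 100 3268 dc1.old.local.'
)
Write-Host "Stale records in constructed sample:"
Get-StaleNetlogonRecords -Lines $sample -OldDomain $OldDomain | Format-Table -AutoSize

if (Test-Path $NetlogonDns) {
    Write-Host "Stale records in $NetlogonDns`:"
    Get-StaleNetlogonRecords -Lines (Get-Content $NetlogonDns) -OldDomain $OldDomain | Format-Table -AutoSize
}
Write-Host "Registry string values mentioning $OldDomain`:"
Find-RegistryReferences -Roots $RegistryRoots -OldDomain $OldDomain | Format-Table -AutoSize
Write-Host "DC name state:"
try { Get-DcNameState | Format-List } catch { Write-Warning "Not a DC or ADSI unavailable: $_" }
```

On the constructed sample the parser reports the two old.local lines and nothing for corp.example. The script changes nothing; once it shows which registry values and which netlogon.dns records still carry the old name, the fix is the sequence in the accepted solution (correct the values, rename netlogon.dns/netlogon.dnb, restart netlogon, ipconfig /registerdns), after which re-running the script should print empty tables.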

Author Comment

ID: 41869422
Thanks footech - thought that was probably the case with the AD DB not being dependent on the host name.

You'll see above (sorry for the cross-over, just saw your message) that cmlbaete's comment led me down the path of reviewing the registry, which indeed seems to be where the problem lay. So I'm going to award them the points, although I really appreciate your efforts in trying to help me :-) Cheers

Expert Comment

ID: 41869426
Glad you got it worked out.

Author Closing Comment

ID: 41876017
Closing comment - my own solution details what needs to be done for anyone else searching for this, but it was cmlbaete who suggested problem might reside in the registry, which indeed appeared to be totally the issue, so awarding points to them. Many thanks to all for your help :-)
