[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


DC trying to generating DNS records for old Active Directory domain

Posted on 2016-11-01
Medium Priority
Last Modified: 2016-11-06
About 3 years ago, I changed my Active Directory domain name from 'old.local' to 'new.com'. As far as I can tell, I did everything at the time to make sure DNS and the whole AD infrastructure reflected this change. As far as I recall, dcdiag brought up everything as ok.

I've had some recent issues, potentially with AD, and this has caused me to run dcdiag again. The result is:

"Dynamic registration or deletion of one or more DNS records associated with DNS domain 'old.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)."

In addition:

"The dynamic registration of the DNS record '_ldap._tcp.gc._msdcs.old.local.' 600 IN SRV 0 100 3268 DC1.new.com.' failed on the following DNS server"

I've tried various things, including deleting the file C:\Windows\System32\config\netlogon.dns (which was full of entries for the old domain, merged in with the new). I then ran a fresh ipconfig /registerdns, followed by restarting the netlogon service. A few mins later, the new netlogon.dns file is regenerated, but with all the same incorrect entries.

I've also gone through all AD tools I can think of to check there isn't lingering entries for the fold domain, including AD Domains & Trusts, AD Sites and Services, ADSI Edit and LDP.exe. Nothing flags up as troublesome :-(

Any thoughts on where else to look, or what else to do is much appreciated!
Question by:bluemercury
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 2
  • +1

Expert Comment

by:No More
ID: 41868921
When you open DNS snap-in can you see old forward lookup zone there ?

Author Comment

ID: 41868968
Nope, no forward lookup zone in place, I think it was deleted and replicated to other DC a long time ago. I have noticed there are lots of reverse DNS A records for the old domain - any way this could be relevant? There didn't seem to be a way to delete individual records though :-(


Expert Comment

by:No More
ID: 41868994
Well you should remove any records of old domain

_msdcs.domain.local open this forward lookup zone and check everything for old records and remove them
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 41

Expert Comment

ID: 41869068
You shouldn't have any zones for old.local if the domain rename was completed.

Check your DC's primary DNS suffix (easy way, run ipconfig /all).  Make sure it is not old.local.

Using ADSI Edit, check the msDS-AllowedDNSSuffixes attribute.
-Double-click the domain directory partition for the domain you want to modify.
-Right-click the domain container object, and then click Properties.
-On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS-AllowedDNSSuffixes.
What do you have there?

Author Comment

ID: 41869327
Hi footech.

Yep - concur with you points on there shouldn't be any 'old.local' DNS zones - from memory, the AD name change was ultimately a complete success (short of the problem I'm currently suffering, clearly!)

I'd already run ipconfig /all before posting, but just to double check I've run it just now and it lists the primary DNS suffix correctly as the 'new.com' domain.

In ADSI Edit, I can obviously only see things for the new.com domain (should I create a host records for the old DC hostname in the HOSTS file, to see if it can find any remnants of the old AD in ADSI Edit?). I've followed your instructions for the current domain, and the msDS-AllowedDNSSuffixes has no entries at all in this. Is this normal behaviour? I suspect like you, I hoped to see our old domain there, but alas no :-(

Many thanks

Assisted Solution

cmlbaete earned 2000 total points
ID: 41869378
Hi Bluemercury

I'm wondering if you have any old registry entries that make refer to the old domain. A slight Stab in the dark but ties in with an issue I had recently.
LVL 41

Expert Comment

ID: 41869403
No, changing the HOSTS file would have no effect on what you see in ADSI Edit.  It looks at the AD database, which is the same one both before and after the rename.
Yes, that attribute should be blank (generally).  Just double-checking to make sure rendom /clean was ran.

BTW, you can remove individual (or multiple) DNS records (like the old PTRs that you mentioned) just by selecting them and pressing the Delete key (or right-clicking and choosing Delete).

Author Comment

ID: 41869410
Thanks cmlbaete. Really appreciate the input - I hadn't thought beyond the AD infrastructure / schema itself, and that of course some rogue entries could be sitting in the local registry of the DC.

I think this has led to a solution, along with finding some finer details on other websites - I went down this path having got your comment.

Many thanks, will be posting details and awarding points shortly :-)

Accepted Solution

bluemercury earned 0 total points
ID: 41869420
It would seem the main registry entry that needs altering is found in:


AlternateComputerNames was the entry containing the old DC name, which I altered.

In addition, I also browsed to:


and altered the OptionalNames entry. This appeared to be correct (as it was listed as a NETBIOS style name that hadn't changed) but dcdiag was grumbling about it being wrong, so I changed it to the full DNS host name like the above, and it seemed to like that.

Then I restarted the system.

Following this, I browsed to %windir%\System32\config and renamed netlogon.dns and netlogon.dnb with '-old' suffixes in the name, just in case they were needed again.

Then fired up a command prompt, and did the following:

Ipconfig /flushdns
Net stop netlogon
Net start netlogon
Ipconfig /registerdns

This generated new netlogon.dns and netlogon.dnb files, and on opening netlogon.dns with notepad, I now don't see any records generated for the old domain. If I run dcdiag, in this regard it is now happy.

I did this over an hour ago, and it has retained settings correctly, so I'm assuming this is fixed.

I used sections of the two articles below to come to this solution:

Thanks to everyone for their input - will sum up and award points now

Author Comment

ID: 41869422
Thanks footech - thought that was probably the case with AD DB not being depedent on the host name.

You'll see above (sorry for the cross-over, just saw your message) that cmlbaete's comment lead me down the path of reviewing the registry, which indeed seems to be where the problem lay. So I'm going to award them the points, although really appreciate your efforts in trying to help me :-) Cheers
LVL 41

Expert Comment

ID: 41869426
Glad you got it worked out.

Author Closing Comment

ID: 41876017
Closing comment - my own solution details what needs to be done for anyone else searching for this, but it was cmlbaete who suggested problem might reside in the registry, which indeed appeared to be totally the issue, so awarding points to them. Many thanks to all for your help :-)

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question