Solved

DC trying to generating DNS records for old Active Directory domain

Posted on 2016-11-01
Last Modified: 2016-11-06
About 3 years ago, I changed my Active Directory domain name from 'old.local' to 'new.com'. As far as I can tell, I did everything at the time to make sure DNS and the whole AD infrastructure reflected this change. As far as I recall, dcdiag brought up everything as ok.

I've had some recent issues, potentially with AD, and this has caused me to run dcdiag again. The result is:

"Dynamic registration or deletion of one or more DNS records associated with DNS domain 'old.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)."

In addition:

"The dynamic registration of the DNS record '_ldap._tcp.gc._msdcs.old.local. 600 IN SRV 0 100 3268 DC1.new.com.' failed on the following DNS server"

I've tried various things, including deleting the file C:\Windows\System32\config\netlogon.dns (which was full of entries for the old domain, merged in with the new). I then ran a fresh ipconfig /registerdns, followed by restarting the netlogon service. A few minutes later, the new netlogon.dns file is regenerated, but with all the same incorrect entries.

I've also gone through all the AD tools I can think of to check there aren't lingering entries for the old domain, including AD Domains & Trusts, AD Sites and Services, ADSI Edit and LDP.exe. Nothing flags up as troublesome :-(

Any thoughts on where else to look, or what else to do is much appreciated!
Question by:bluemercury
12 Comments
 
LVL 7

Expert Comment

by:No More
ID: 41868921
When you open DNS snap-in can you see old forward lookup zone there ?
 
LVL 1

Author Comment

by:bluemercury
ID: 41868968
Nope, no forward lookup zone in place; I think it was deleted and replicated to the other DC a long time ago. I have noticed there are lots of reverse DNS A records for the old domain - any way this could be relevant? There didn't seem to be a way to delete individual records though :-(

Cheers
 
LVL 7

Expert Comment

by:No More
ID: 41868994
Well, you should remove any records of the old domain.

_msdcs.domain.local: open this forward lookup zone, check everything for old records and remove them.
 
LVL 40

Expert Comment

by:footech
ID: 41869068
You shouldn't have any zones for old.local if the domain rename was completed.

Check your DC's primary DNS suffix (easy way, run ipconfig /all).  Make sure it is not old.local.

Using ADSI Edit, check the msDS-AllowedDNSSuffixes attribute.
-Double-click the domain directory partition for the domain you want to modify.
-Right-click the domain container object, and then click Properties.
-On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS-AllowedDNSSuffixes.
What do you have there?
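The checks footech lists above (primary DNS suffix, msDS-AllowedDNSSuffixes, leftover zones and records), collected into one script so they can be re-run after each change. This is an added example, not code from the thread or from Microsoft. It also pulls Netlogon's own registration-failure events (event ID 5774 in the System log, the source of the dcdiag text quoted in the question). Assumptions: it runs elevated on a DC with the ActiveDirectory and DnsServer RSAT modules, and 'old.local' / 'new.com' are placeholders for your retired and current forest names.

```powershell
# Added example: audit a DC for leftovers of a renamed AD domain.
# Assumes RSAT (ActiveDirectory, DnsServer modules); domain names are placeholders.
param(
    [string]$OldDomain = 'old.local',   # retired name (placeholder)
    [string]$NewDomain = 'new.com'      # current name (placeholder)
)
Import-Module ActiveDirectory, DnsServer
$old = [regex]::Escape($OldDomain)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Primary DNS suffix of this host (the "Primary Dns Suffix" line of ipconfig /all)
$suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
if ($suffix -ne $NewDomain) { $findings.Add("primary DNS suffix is '$suffix', expected '$NewDomain'") }

# 2. msDS-AllowedDNSSuffixes on the domain NC head; normally empty once rendom /clean has run
$dn = (Get-ADDomain).DistinguishedName
$nc = Get-ADObject -Identity $dn -Properties 'msDS-AllowedDNSSuffixes'
foreach ($s in @($nc.'msDS-AllowedDNSSuffixes')) {
    if ($s -match $old) { $findings.Add("msDS-AllowedDNSSuffixes still lists '$s'") }
}

# 3. Zones and records on this DNS server that still name the old domain.
#    Comparing every property of RecordData catches SRV targets, CNAME/NS targets
#    and PTR names alike, so reverse zones need no special case.
foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    if ($zone.ZoneName -match "(^|\.)$old$") {
        $findings.Add("zone '$($zone.ZoneName)' for the old domain still exists")
        continue
    }
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName | ForEach-Object {
        $data = ($_.RecordData.CimInstanceProperties | ForEach-Object { "$($_.Value)" }) -join ' '
        if ($_.HostName -match $old -or $data -match $old) {
            $findings.Add("stale $($_.RecordType) record in $($zone.ZoneName): $($_.HostName) -> $data")
        }
    }
}

# 4. What Netlogon itself complained about recently (5774 = dynamic registration failed)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match $old) { $findings.Add("Netlogon 5774 at $($e.TimeCreated): still registering a $OldDomain record") }
}

if ($findings.Count -eq 0) { "No trace of $OldDomain in AD, DNS or Netlogon events on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on every DC, not just the one dcdiag complains about: the AD and zone data replicate, but the primary DNS suffix and the Netlogon events are per host. A clean report from this script with dcdiag still failing means the source of the stale names is outside AD and DNS, which is what turned out to be the case in this thread.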
 
LVL 1

Author Comment

by:bluemercury
ID: 41869327
Hi footech.

Yep - concur with your points on there shouldn't be any 'old.local' DNS zones - from memory, the AD name change was ultimately a complete success (short of the problem I'm currently suffering, clearly!)

I'd already run ipconfig /all before posting, but just to double check I've run it just now and it lists the primary DNS suffix correctly as the 'new.com' domain.

In ADSI Edit, I can obviously only see things for the new.com domain (should I create a host record for the old DC hostname in the HOSTS file, to see if it can find any remnants of the old AD in ADSI Edit?). I've followed your instructions for the current domain, and msDS-AllowedDNSSuffixes has no entries at all. Is this normal behaviour? I suspect, like you, I hoped to see our old domain there, but alas no :-(

Many thanks
 
LVL 1

Assisted Solution

by:cmlbaete
cmlbaete earned 2000 total points
ID: 41869378
Hi Bluemercury

I'm wondering if you have any old registry entries that may refer to the old domain. A slight stab in the dark, but it ties in with an issue I had recently.
 
LVL 40

Expert Comment

by:footech
ID: 41869403
No, changing the HOSTS file would have no effect on what you see in ADSI Edit.  It looks at the AD database, which is the same one both before and after the rename.
Yes, that attribute should be blank (generally).  Just double-checking to make sure rendom /clean was run.

BTW, you can remove individual (or multiple) DNS records (like the old PTRs that you mentioned) just by selecting them and pressing the Delete key (or right-clicking and choosing Delete).
 
LVL 1

Author Comment

by:bluemercury
ID: 41869410
Thanks cmlbaete. Really appreciate the input - I hadn't thought beyond the AD infrastructure / schema itself, and that of course some rogue entries could be sitting in the local registry of the DC.

I think this has led to a solution, along with finding some finer details on other websites - I went down this path having got your comment.

Many thanks, will be posting details and awarding points shortly :-)
 
LVL 1

Accepted Solution

by:
bluemercury earned 0 total points
ID: 41869420
It would seem the main registry entry that needs altering is found in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

AlternateComputerNames was the entry containing the old DC name, which I altered.

In addition, I also browsed to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

and altered the OptionalNames entry. This appeared to be correct (as it was listed as a NETBIOS style name that hadn't changed) but dcdiag was grumbling about it being wrong, so I changed it to the full DNS host name like the above, and it seemed to like that.

Then I restarted the system.

Following this, I browsed to %windir%\System32\config and renamed netlogon.dns and netlogon.dnb with '-old' suffixes in the name, just in case they were needed again.

Then fired up a command prompt, and did the following:

ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns

This generated new netlogon.dns and netlogon.dnb files, and on opening netlogon.dns with notepad, I now don't see any records generated for the old domain. If I run dcdiag, in this regard it is now happy.

I did this over an hour ago, and it has retained settings correctly, so I'm assuming this is fixed.

I used sections of the two articles below to come to this solution:
http://serverfault.com/questions/413248/after-renaming-the-machine-name-still-able-to-ping-the-old-machine-name
https://social.technet.microsoft.com/Forums/windowsserver/en-US/b63d45cc-69ab-41c1-8ac5-d92ca2d76ed0/domain-rename-cleaning-up-after?forum=winserverDS

Thanks to everyone for their input - will sum up and award points now
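The same cleanup in script form, so it can be reviewed before anything is changed and verified afterwards. This is an added example, not the poster's own script. Without -Fix it only reports: the two registry values named above and the records in netlogon.dns whose owner name is under the old domain. With -Fix it strips entries ending in the old domain suffix from AlternateComputerNames and OptionalNames, sets netlogon.dns and netlogon.dnb aside with a timestamped suffix, flushes the resolver cache, restarts Netlogon and re-registers, then re-counts. Assumptions: it runs in an elevated PowerShell on the DC; 'old.local' is a placeholder; "entries ending in the old domain suffix" is my reading of what needed removing; the OptionalNames change the poster made (NetBIOS name to full DNS host name) is reported, not applied, and the reboot the poster did between the registry edit and the Netlogon restart is left to the operator.

```powershell
# Added example: report (or, with -Fix, apply) the registry and netlogon.dns cleanup
# described in the accepted solution. Domain name is a placeholder; run elevated on the DC.
param(
    [string]$OldDomain = 'old.local',
    [switch]$Fix
)
$ErrorActionPreference = 'Stop'
$old = [regex]::Escape($OldDomain)

# The two values the poster found still carrying the old name
$registryValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters';     Name = 'AlternateComputerNames' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'OptionalNames' }
)
foreach ($rv in $registryValues) {
    $prop    = Get-ItemProperty -Path $rv.Path -Name $rv.Name -ErrorAction SilentlyContinue
    $current = if ($prop) { @($prop.($rv.Name)) } else { @() }
    "$($rv.Name) = $(if ($current.Count) { $current -join ', ' } else { '<not set>' })"
    # assumption: anything whose suffix is the old domain is stale
    $stale = @($current | Where-Object { $_ -match "(^|\.)$old\.?$" })
    if ($stale.Count -eq 0) { continue }
    Write-Warning "$($rv.Name) still carries $OldDomain names: $($stale -join ', ')"
    if ($Fix) {
        $keep = @($current | Where-Object { $stale -notcontains $_ })
        if ($keep.Count -eq 0) { Remove-ItemProperty -Path $rv.Path -Name $rv.Name }
        else { Set-ItemProperty -Path $rv.Path -Name $rv.Name -Value $keep -Type MultiString }
    }
}

$configDir = Join-Path $env:windir 'System32\config'
$dnsFile   = Join-Path $configDir 'netlogon.dns'

function Get-StaleNetlogonRecords([string]$Path) {
    if (-not (Test-Path $Path)) { return @() }
    # One RR per line, e.g.  _ldap._tcp.gc._msdcs.old.local. 600 IN SRV 0 100 3268 DC1.new.com.
    # The owner name is the first token; flag anything owned by the old domain.
    Get-Content $Path | Where-Object { ($_.Trim() -split '\s+')[0] -match "(^|\.)$old\.?$" }
}

$before = @(Get-StaleNetlogonRecords $dnsFile)
"$($before.Count) $OldDomain record(s) in netlogon.dns before cleanup"
$before | ForEach-Object { "  $_" }

if ($Fix) {
    # The poster rebooted between the registry edit and this step; do the same if the
    # stale records come back after the Netlogon restart below.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($name in 'netlogon.dns', 'netlogon.dnb') {
        $path = Join-Path $configDir $name
        if (Test-Path $path) { Rename-Item -Path $path -NewName "$name-old-$stamp" }
    }
    ipconfig /flushdns | Out-Null
    Restart-Service -Name Netlogon
    ipconfig /registerdns | Out-Null
    Start-Sleep -Seconds 120   # Netlogon rewrites netlogon.dns asynchronously; allow a couple of minutes
    $after = @(Get-StaleNetlogonRecords $dnsFile)
    "$($after.Count) $OldDomain record(s) in netlogon.dns after cleanup"
    if ($after.Count -gt 0) { Write-Warning "Netlogon still registers $OldDomain records; reboot and re-run dcdiag /test:dns" }
}
```

Run it once without -Fix and compare the printed netlogon.dns lines with the dcdiag output; the owner names should match the records dcdiag reports as failing to register. The regenerated netlogon.dns is the real verification: dcdiag going quiet only proves the DC stopped trying, while an empty "after" count proves Netlogon no longer knows the old name.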
 
LVL 1

Author Comment

by:bluemercury
ID: 41869422
Thanks footech - thought that was probably the case with the AD DB not being dependent on the host name.

You'll see above (sorry for the cross-over, just saw your message) that cmlbaete's comment led me down the path of reviewing the registry, which indeed seems to be where the problem lay. So I'm going to award them the points, although I really appreciate your efforts in trying to help me :-) Cheers
 
LVL 40

Expert Comment

by:footech
ID: 41869426
Glad you got it worked out.
 
LVL 1

Author Closing Comment

by:bluemercury
ID: 41876017
Closing comment - my own solution details what needs to be done for anyone else searching for this, but it was cmlbaete who suggested problem might reside in the registry, which indeed appeared to be totally the issue, so awarding points to them. Many thanks to all for your help :-)
