Solved

DC trying to generate DNS records for old Active Directory domain

Posted on 2016-11-01
25 Views
Last Modified: 2016-11-06
About 3 years ago, I changed my Active Directory domain name from 'old.local' to 'new.com'. As far as I can tell, I did everything at the time to make sure DNS and the whole AD infrastructure reflected this change. As far as I recall, dcdiag brought up everything as ok.

I've had some recent issues, potentially with AD, and this has caused me to run dcdiag again. The result is:

"Dynamic registration or deletion of one or more DNS records associated with DNS domain 'old.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)."

In addition:

"The dynamic registration of the DNS record '_ldap._tcp.gc._msdcs.old.local.' 600 IN SRV 0 100 3268 DC1.new.com.' failed on the following DNS server"

I've tried various things, including deleting the file C:\Windows\System32\config\netlogon.dns (which was full of entries for the old domain, merged in with the new). I then ran a fresh ipconfig /registerdns, followed by restarting the netlogon service. A few mins later, the new netlogon.dns file is regenerated, but with all the same incorrect entries.

I've also gone through all AD tools I can think of to check there aren't lingering entries for the old domain, including AD Domains & Trusts, AD Sites and Services, ADSI Edit and LDP.exe. Nothing flags up as troublesome :-(

Any thoughts on where else to look, or what else to do, are much appreciated!
Question by:bluemercury
12 Comments
 
LVL 6

Expert Comment

by:No More
When you open the DNS snap-in, can you see the old forward lookup zone there?
0
 
LVL 1

Author Comment

by:bluemercury
Nope, no forward lookup zone in place; I think it was deleted and replicated to the other DC a long time ago. I have noticed there are lots of reverse DNS A records for the old domain - any way this could be relevant? There didn't seem to be a way to delete individual records though :-(

Cheers
0
 
LVL 6

Expert Comment

by:No More
Well, you should remove any records of the old domain.

Open the _msdcs.domain.local forward lookup zone, check everything for old records and remove them.
0
 
LVL 39

Expert Comment

by:footech
You shouldn't have any zones for old.local if the domain rename was completed.

Check your DC's primary DNS suffix (easy way: run ipconfig /all). Make sure it is not old.local.

Using ADSI Edit, check the msDS-AllowedDNSSuffixes attribute:
- Double-click the domain directory partition for the domain you want to modify.
- Right-click the domain container object, and then click Properties.
- On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS-AllowedDNSSuffixes.
What do you have there?
0
 
LVL 1

Author Comment

by:bluemercury
Hi footech.

Yep - I concur with your points that there shouldn't be any 'old.local' DNS zones - from memory, the AD name change was ultimately a complete success (short of the problem I'm currently suffering, clearly!)

I'd already run ipconfig /all before posting, but just to double check I've run it just now and it lists the primary DNS suffix correctly as the 'new.com' domain.

In ADSI Edit, I can obviously only see things for the new.com domain (should I create a host record for the old DC hostname in the HOSTS file, to see if it can find any remnants of the old AD in ADSI Edit?). I've followed your instructions for the current domain, and msDS-AllowedDNSSuffixes has no entries at all. Is this normal behaviour? I suspect, like you, I hoped to see our old domain there, but alas no :-(

Many thanks
0
 
LVL 1

Assisted Solution

by:cmlbaete
cmlbaete earned 500 total points
Hi Bluemercury

I'm wondering if you have any old registry entries that may refer to the old domain. A slight stab in the dark, but it ties in with an issue I had recently.
0
LVL 39

Expert Comment

by:footech
No, changing the HOSTS file would have no effect on what you see in ADSI Edit. It looks at the AD database, which is the same one both before and after the rename.
Yes, that attribute should be blank (generally). Just double-checking to make sure rendom /clean was run.

BTW, you can remove individual (or multiple) DNS records (like the old PTRs that you mentioned) just by selecting them and pressing the Delete key (or right-clicking and choosing Delete).
0
 
LVL 1

Author Comment

by:bluemercury
Thanks cmlbaete. Really appreciate the input - I hadn't thought beyond the AD infrastructure / schema itself, and of course some rogue entries could be sitting in the local registry of the DC.

I think this has led to a solution, along with finding some finer details on other websites - I went down this path having got your comment.

Many thanks, will be posting details and awarding points shortly :-)
0
 
LVL 1

Accepted Solution

by:bluemercury
bluemercury earned 0 total points
It would seem the main registry entry that needs altering is found in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

AlternateComputerNames was the entry containing the old DC name, which I altered.

In addition, I also browsed to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

and altered the OptionalNames entry. This appeared to be correct (it was listed as a NetBIOS-style name that hadn't changed), but dcdiag was grumbling about it being wrong, so I changed it to the full DNS host name like the above, and it seemed to like that.

Then I restarted the system.

Following this, I browsed to %windir%\System32\config and renamed netlogon.dns and netlogon.dnb with '-old' suffixes in the name, just in case they were needed again.

Then I fired up a command prompt and did the following:

ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns

This generated new netlogon.dns and netlogon.dnb files, and on opening netlogon.dns with Notepad, I now don't see any records generated for the old domain. If I run dcdiag, it is now happy in this regard.

I did this over an hour ago, and it has retained settings correctly, so I'm assuming this is fixed.

I used sections of the two articles below to come to this solution:
http://serverfault.com/questions/413248/after-renaming-the-machine-name-still-able-to-ping-the-old-machine-name
https://social.technet.microsoft.com/Forums/windowsserver/en-US/b63d45cc-69ab-41c1-8ac5-d92ca2d76ed0/domain-rename-cleaning-up-after?forum=winserverDS

Thanks to everyone for their input - will sum up and award points now.
0
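The checks footech suggested (primary DNS suffix, msDS-AllowedDNSSuffixes) and the places the accepted solution changed (the AlternateComputerNames and OptionalNames registry values, the regenerated netlogon.dns) can be audited in one pass. The script below is an added example written for this page; it is not code posted in the thread and not a Microsoft tool. It is read-only: it reports every place that still references the old domain and changes nothing, so the actual edits are still made by hand as described in the accepted solution. It assumes it is run elevated on the renamed DC, that the RSAT ActiveDirectory module is installed for the msDS-AllowedDNSSuffixes check, and it uses the thread's example names 'old.local' and 'new.com' as defaults.

```powershell
# Added example, not from the thread: read-only audit of a renamed DC for leftovers of
# the old AD DNS name. Reports only; nothing is modified.
# Assumptions: run elevated on the DC; ActiveDirectory module present for step 3;
# $OldDomain / $NewDomain default to the example names used in the thread.
param(
    [string]$OldDomain = 'old.local',
    [string]$NewDomain = 'new.com'
)

$findings = New-Object System.Collections.Generic.List[string]

function Test-StaleValue {
    # Flag a registry value (REG_SZ or REG_MULTI_SZ) that still names the old domain.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    foreach ($v in @($item.$Name)) {
        if ($v -match [regex]::Escape($OldDomain)) {
            $findings.Add("$Path\$Name still contains '$v'")
        }
    }
}

# 1. Primary DNS suffix: the same information 'ipconfig /all' shows.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Test-StaleValue -Path $tcpip -Name 'Domain'
Test-StaleValue -Path $tcpip -Name 'NV Domain'

# 2. The two values the accepted solution had to change.
Test-StaleValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' -Name 'AlternateComputerNames'
Test-StaleValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'OptionalNames'

# 3. msDS-AllowedDNSSuffixes on the domain naming context (normally empty after rendom /clean).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dn = (Get-ADDomain).DistinguishedName
    $suffixes = (Get-ADObject -Identity $dn -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
    foreach ($s in @($suffixes)) {
        if ($s -match [regex]::Escape($OldDomain)) {
            $findings.Add("msDS-AllowedDNSSuffixes contains '$s'")
        }
    }
}

# 4. What netlogon will try to register: every owner name in netlogon.dns under the old zone.
#    Lines look like: _ldap._tcp.dc._msdcs.old.local. 600 IN SRV 0 100 389 DC1.new.com.
$netlogonDns = Join-Path $env:windir 'System32\config\netlogon.dns'
if (Test-Path $netlogonDns) {
    Get-Content $netlogonDns | ForEach-Object {
        $owner = ($_ -split '\s+')[0]
        if ($owner -eq "$OldDomain." -or $owner -like "*.$OldDomain.") {
            $findings.Add("netlogon.dns still registers $owner")
        }
    }
}

if ($findings.Count -eq 0) {
    "No references to $OldDomain found; DC registrations should all be under $NewDomain."
} else {
    "Stale references to $OldDomain (fix these, then flushdns / restart netlogon / registerdns):"
    $findings | ForEach-Object { "  - $_" }
}
```

Run it before making changes to get a baseline, and again after the netlogon restart and ipconfig /registerdns from the accepted solution: a clean second run confirms netlogon.dns was regenerated without old-zone records, which is what dcdiag was complaining about.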
 
LVL 1

Author Comment

by:bluemercury
Thanks footech - I thought that was probably the case, with the AD DB not being dependent on the host name.

You'll see above (sorry for the cross-over, I just saw your message) that cmlbaete's comment led me down the path of reviewing the registry, which indeed seems to be where the problem lay. So I'm going to award them the points, although I really appreciate your efforts in trying to help me :-) Cheers
0
 
LVL 39

Expert Comment

by:footech
Glad you got it worked out.
1
 
LVL 1

Author Closing Comment

by:bluemercury
Closing comment - my own solution details what needs to be done for anyone else searching for this, but it was cmlbaete who suggested the problem might reside in the registry, which indeed appeared to be the whole issue, so I'm awarding points to them. Many thanks to all for your help :-)
0