DNS/Active Directory Issue

#1
03-07-2008
Lem@community.nospam

I recently added a new dc that is also the new global catalog server. I was
unable to demote the old dc using the dcpromo.

I have 2 main problems:

1. Clients are not using the new active directory server, for example I am
unable to share documents, cannot add users because I cannot find the ad when
trying to change permissions, etc.

2. Clients are also not using the new dns server (which is also the new
dc/global catalog server) to access the internet. I know this because
every time I unplug the old dc from the network no one is able to access the
internet and they all have the new dns server added to their nic settings as
the primary dns server.

All addresses are static so there is no dhcp server. Also the dcdiag and
netdiag have a bunch of errors:

#2
03-07-2008
Meinolf Weber
Re: DNS/Active Directory Issue

Hello Lem@community.nospam,

Just to understand you correctly, the old DC is still up and running? Or is it
shut down or disconnected? Please describe it in detail.

Did you make the new server DNS server?

Did you reconfigure the clients to use the new DNS server?

Did you move/transfer the 5 FSMO roles to the new one?

#3
03-07-2008
Lem@community.nospam

Hi Meinolf Weber,

Yes I did make the new server the new main dns server as well.

I also configured the clients to use the new server as their dns servers
(added the new server as the Primary DNS server in their NIC settings).

I also transferred all 5 of the FSMO roles including global catalog to the
new server.

The old dc server is still connected to the network.
The old dc server has not been demoted because it will not boot normally; it
gets stuck at "active directory is rebuilding indices" and then an error comes
up, which I listed below:

lssas.exe - system error
Security Accounts Manager initialization failed because of the following
error: Directory Service cannot start. Error Status: 0x00002e1

Also the old dc server is still connected because it is the only way right
now to give users access to the internet.

#4
03-07-2008
Lem@community.nospam
Re: DNS/Active Directory Issue

After looking over my posts I noticed that my old server has dhcp service
configured, which I never configured. We have always used static ips, so I
don't know why that is. And our domain uses the netbios name cub_domain.

cubnet.com was that server's old domain; ilcuboard.local is the name that is
supposed to be there.

#5
03-07-2008
Meinolf Weber
Re: DNS/Active Directory Issue

Hello Lem@community.nospam,

Why are both servers from different domains? New machine dbserver2 is
ilcuboard.local, old machine netserver1 is cubnet.com?

Please clarify this configuration: did you set up a NEW domain with the new
server? Is the new server maybe an SBS server operating system?

Also, if you do not use a NIC on a DC, disable it: the second NIC on netserver1
with the 169.254.x.x address.

#6
03-07-2008
Lem@community.nospam
Re: DNS/Active Directory Issue

The servers are actually not in different domains. I believe this happened
because I renamed the domain from cubnet.com to ilcuboard.local about 4 years
ago.

I renamed the domain from cubnet.com to ilcuboard.local because cubnet.com
caused problems with some internet sites. Our domain is only accessible
locally so I had to rename the domain to ilcuboard.local. But during that
process the old dc kept the old cubnet.com suffix but it still operated
without major problems with this setup.

I will also disable all inactive nics, thanks for the tip.

#7
03-07-2008
David Shen [MSFT]
RE: DNS/Active Directory Issue

Hello Lem,

Thank you for posting here.

According to the description, my understanding of the problematic system
environment is as follows. If I have any misunderstanding, please feel
free to let me know.

Scenario:
==========

Old DC:
Host Name . . . . . . . . . . . . : netserver1
IP Address. . . . . . . . . . . . : 192.168.100.87
Primary Dns Suffix . . . . . . . : cubnet.com

New DC:
Host Name. . . . . . . . . : dbserver2
IP Address . . . . . . . . : 192.168.100.94
Primary Dns Suffix . . . . . . . : ilcuboard.local

Current domain name: ilcuboard.local

Based on experience, here is some information which may be helpful for
you.

Analysis and Suggestion:
=====================

1. Please try to change the "Primary DNS suffix" of the old DC "netserver1" to
"ilcuboard.local".

2. Can you tell me if the DNS lookup zone type is "Active Directory
Integrated" on all the DNS servers? If not, please change the type to
"Active Directory Integrated".

3. After you change the DNS lookup zone type, please adjust the DNS server
sequence in the NIC configuration of all the DCs and the domain clients.

The DNS server sequence is as follows.

Primary DNS Server: 192.168.100.94
Secondary DNS Server: 192.168.100.87
Third DNS Server: 192.168.100.77

4. Please check on the new DC dbserver2 to see if the DNS zone
"ilcuboard.local" is created; meanwhile, please let me know how you renamed
the domain.

5. To verify all the domain clients can access the Internet, please enable
Forwarder on the Primary DNS Server and make it point to the ISP DNS server.

6. Afterwards, please clear cache on all the DNS servers

7. Then, you may run "net stop netlogon" and then run "net start netlogon"
on all the domain controllers to manually register the SRV records in the
DNS database.

Please note: before you restart the netlogon service, please verify that the
Primary DNS suffix of all the domain controllers is "ilcuboard.local" (the
same as the current domain name).

8. After that, please check if the issue will re-occur.

Since the issue is a little complex, it may need a rather long period of
troubleshooting. If the issue is important or urgent to you, I would like
to suggest that you contact Microsoft Product Support Services via
telephone so that a dedicated Support Professional can assist with this
request.

To obtain the phone numbers for specific technology request please take a
look at the web site listed below.

http://support.microsoft.com/default...S;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.

Hope the issue will be resolved soon.

David Shen
Microsoft Online Partner Support

#8
07-07-2008
David Shen [MSFT]
RE: DNS/Active Directory Issue

Hello Lem,

How's everything going?

I'm wondering if the suggestion has helped or if you have any further
questions. Please feel free to respond to the newsgroups if I can assist
further.

David Shen
Microsoft Online Partner Support

#9
10-07-2008
Lem@community.nospam
RE: DNS/Active Directory Issue

Hi David,

I've been following all the suggestions in this thread and was able to
rebuild the network without losing all of my ad objects and the dns was the
key.

But the problem is not totally solved yet. I have my main zone created,
ilcuboard.local, and I cannot create a new zone on the rebuilt dns server. I
rebuilt it with the same name and ip address of the failed ad/dns server. The
error is "the zone cannot be created. there was a server failure."

Also, running a netdiag /fix returns the following results:

#10
10-07-2008
Lem@community.nospam
RE: DNS/Active Directory Issue

Also, to provide more information: all of the suggestions are coming in handy.

So my current domain is ad integrated on both servers. The main server is
netserver1.ilcuboard.local and the backup will be mserver1.ilcuboard.local.

Netserver1 was rebuilt by wiping replacing the hard drive that crashed
then reinstalling without the new name of netserver1.ilcuboard.local instead
of netserver1.cubnet.com, which was the old suffix.

The netserver1 is not currently the primary dc; the primary is mserver1, which
will be changed once I figure out this last part of getting rid of the
remains of the cubnet.com suffix and being able to create new zones on the
netserver1, which I want to be my primary again.

I also demoted dbserver2 back to member server status.

All the clients can access the internet and the shared folders work now, so I
am almost completely done with this problem once I figure out how to get rid
of the problems I mentioned above.

Please let me know if there is any other information needed.

#11
11-07-2008
David Shen [MSFT]
RE: DNS/Active Directory Issue

Hello Lem,

Thanks for the reply.

Based on research of the message that you provided me with, I found
that all the SRV resource records cannot be registered on
'192.168.100.87' (netserver1). To further troubleshoot the issue, please
follow the steps to check if it still exists.

1. Please verify that the Primary DNS suffix of the DC (netserver1) is
"ilcuboard.local" and the domain name on the DC is also "ilcuboard.local".

2. Please also verify that the DNS domain name is "ilcuboard.local" and
the DNS lookup zone type is "Active Directory Integrated".

3. Afterwards, please run "net stop netlogon" and then run "net start
netlogon" on the DC (netserver1) to manually register the SRV records in
the DNS database.

Hope it helps.

David Shen
Microsoft Online Partner Support

#12
11-07-2008
Lem@community.nospam
RE: DNS/Active Directory Issue

Hi David,

I verified that the primary dns suffix on the dc is ilcuboard.local and
verified that the dns server has the ilcuboard.local suffix in its computer
name.

To verify that the zone is active directory integrated I checked the
properties of the ilcuboard.local zone and under the general tab, replication
not an active directory integrated zone is greyed out.

I also ran the net stop/start netlogon commands. I don't know if the error I
get when trying to create a new zone, "the zone cannot be created. there was a
server failure.", has to do with anything, but I am only able to create a
secondary zone for reverse zone, which doesn't work because it has a red x on
it after it's created.

Please let me know what you think.

#13
14-07-2008
David Shen [MSFT]
RE: DNS/Active Directory Issue

Hi LEM,

Thanks for the reply.

Analysis and Suggestion:
=======================

According to the netdiag report, the problematic DC (netserver1) still uses
the old domain suffix (cubnet.com) to register SRV resource records on the DNS
server. As you have done a domain rename before, it seems that some old domain
information is still left. When using rendom to rename a domain, we should
use the rendom /clean command to remove the old domain names from Active
Directory. This cleanup step removes all values of msDS-DnsRootAlias from
the domain naming operations master, and removal of this value is
replicated to all domain controllers in the forest.

According to the symptom, it seems that the "rendom /clean" command was not
run properly before performing domain rename.

Please run the command line "rendom /clean" on the problematic DC.

Meanwhile, you can try the following steps to delete the value
"msDS-DnsRootAlias" to check if the issue will re-occur.

1. Open ADSIEdit.msc. Navigate to the following location.

CN=<domain name>, CN=Partitions, CN=Configuration, DC=<domain name>,
DC=local

2. Right-click on the object and select properties.

3. Verify the attribute "msDS-DnsRootAlias". If any value does exist,
clear the value, i.e. msDS-DnsRootAlias: <not set>

4. Force replication to all the domain controllers.

5. Rename the netlogon.dns and netlogon.dnb file in
%systemroot%\system32\config directory on the problematic domain controller.

6. Stop and restart the netlogon service.

7. Run netdiag to test this issue again.

Hope it helps.

David Shen
Microsoft Online Partner Support
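
An added example, not part of the thread and not from any participant: one way to check whether the netlogon.dns file mentioned in step 5 still lists records under the old suffix. The function name `Find-StaleNetlogonRecord` is hypothetical, the sample records are constructed from host and domain names in the thread, and the record layout `<owner> <ttl> IN <type> <rdata>` is an assumption about the file.

```powershell
# Added example: flag records in netlogon.dns whose owner name or target host
# lies outside the expected AD DNS domain (e.g. leftovers of a renamed domain).
function Find-StaleNetlogonRecord {
    param([string[]] $Line, [string] $ExpectedDomain)

    $suffix = '.' + $ExpectedDomain.Trim('.').ToLowerInvariant()
    # A name is in the domain if it equals the domain or ends with ".<domain>".
    $inDomain = { param($n) ('.' + $n.TrimEnd('.').ToLowerInvariant()).EndsWith($suffix) }

    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if (-not $text -or $text.StartsWith(';')) { continue }   # blank line or comment
        $f = $text -split '\s+'
        # Assumed layout: <owner> <ttl> IN <type> <rdata...>
        if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }

        $owner  = $f[0]
        $type   = $f[3].ToUpperInvariant()
        $target = $null
        if ($type -eq 'SRV' -and $f.Count -ge 8) { $target = $f[7] }   # priority weight port target
        elseif ($type -eq 'CNAME')               { $target = $f[4] }

        $reasons = @()
        if (-not (& $inDomain $owner))               { $reasons += 'owner outside domain' }
        if ($target -and -not (& $inDomain $target)) { $reasons += 'target outside domain' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Owner = $owner; Type = $type; Target = $target; Reason = $reasons -join '; ' }
        }
    }
}

# Constructed sample records (not taken from the poster's server).
$sample = @(
    '; constructed sample of netlogon.dns content',
    '_ldap._tcp.ilcuboard.local. 600 IN SRV 0 100 389 netserver1.cubnet.com.',
    '_ldap._tcp.dc._msdcs.ilcuboard.local. 600 IN SRV 0 100 389 netserver1.ilcuboard.local.',
    '_kerberos._tcp.cubnet.com. 600 IN SRV 0 100 88 netserver1.cubnet.com.',
    'ilcuboard.local. 600 IN A 192.168.100.87'
)
Find-StaleNetlogonRecord -Line $sample -ExpectedDomain 'ilcuboard.local' | Format-Table -AutoSize

# On a domain controller, read the real file instead of the sample:
# Find-StaleNetlogonRecord -Line (Get-Content "$env:SystemRoot\System32\config\netlogon.dns") -ExpectedDomain 'ilcuboard.local'
```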

#14
14-07-2008
Lem@community.nospam
RE: DNS/Active Directory Issue

Hi David,

I performed the rendom /clean on all the dcs in the domain just to be sure
because you're right, I did not perform this step when I did the domain
rename. But I ran it and the netdiag tests passed, as I will post below. But
the dcdiag still had errors in it.

I also renamed the netlog.dns and .dnb files. But I was unable to locate the
msDS-DnsRootAlias attribute. I checked the location on both dcs and could not
find the value, so I guess that is a good thing.

I still cannot create a zone but I'm thinking I may need to post that in a
new thread.

#15
21-07-2008
David Shen [MSFT]
RE: DNS/Active Directory Issue

Hello LEM,

How's everything going?

I'm wondering if the suggestion has helped or if you have any further
questions. Please feel free to respond to the newsgroups if I can assist
further.

David Shen
Microsoft Online Partner Support
