netdiag /fix DNS_ERROR_RCODE_NOT_IMPLEMENTED error
Awhile back I set up a domain named xxx.com but followed the 81-page
"Step-by-Step Guide to Implementing Domain Rename" procedure at
http://www.microsoft.com/technet/dow...ainrename.mspx to the
best of my ability. But I must have missed something there.
Most everything has worked out fine. But I keep getting a persistent error
when I run netdiag /fix:
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry xxx.com. re-registeration on DNS
server '192.168.254.13' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry xxx.com. re-registeration on DNS
server '192.168.254.13' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.xxx.com. re-registeration
on DNS server '192.168.254.13' failed.
and many more such.
I can edit C:\WINDOWS\system32\config\netlogon.dns and netlogon.dns to
either remove bogus xxx.com entries or change them to xxx.net and when I run
netdiag /fix after doing that it doesn't complain. But as soon as I restart
the netlogon service, those two files revert to the way they were and netdiag
/fix fails the same way. Looking at netlogon.dns it looks for the most part
as if there are duplicate entries for xxx.com and xxx.net.
When I go into Administrative Tools\DNS everything looks just fine: there are
no traces left there of xxx.com.
Related symptom #1: Every time I restart the NetLogon service, I get a
couple Event ID: 5781, Source: NETLOGON errors in the System Event Viewer,
the first of which reads:
Dynamic registration or deletion of one or more DNS records associated with
DNS domain 'xxx.com.' failed. These records are used by other computers to
locate this server as a domain controller (if the specified domain is an
Active Directory domain) or as an LDAP server (if the specified domain is an
application partition).
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain
wrong IP address(es) of the preferred and alternate DNS servers - no, this is
OK
- Specified preferred and alternate DNS servers are not running - this is
OK too
- DNS server(s) primary for the records to be registered is not running -
this is OK
- Preferred or alternate DNS servers are configured with wrong root hints -
I don't know where to find this
- Parent DNS zone contains incorrect delegation to the child zone
authoritative for the DNS records that failed registration - I don't think I
set up any child zones
USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration
or deletion of the DNS records by running 'nltest.exe /dsregdns' (I ran this
and it returned 'Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully') from the command prompt or by
restarting Net Logon service. Nltest.exe is available in the Microsoft
Windows Server Resource Kit CD.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp
Related symptoms #2 (and my most pressing problem): I can't run
Administrative Tools\Domain Security Policy 'cause it keeps saying, "Failed
to open the Group Policy Object. You may not have appropriate rights."
Details: "The network path was not found".
I'm doing all this from the Administrator account for the domain.
I've scoured the registry for all instances of xxx.com and replaced them
with xxx.net. I looked for all instances of xxx.com on the C drive but
mainly only found the C:\WINDOWS\system32\config\netlogon.dns and
netlogon.dns files and a bunch of log entries.
So I don't know what else to try.
Re: netdiag /fix DNS_ERROR_RCODE_NOT_IMPLEMENTED error
See WHAT step you did not do from the domain rename procedure. Make sure you
do ALL the steps that apply and do not skip anything!
Re: netdiag /fix DNS_ERROR_RCODE_NOT_IMPLEMENTED error
Well, I don't want to go through the whole procedure of attempting to rename
my domain again; it's now named what I want: xxx.net. For the most part,
it's been functioning just fine. In any case, at this point I've already
done the rename and I'm trying to avoid re-creating the domain from scratch
on a new machine. I just want to fix what's broken, if possible. The best I
could do at this point is retrace my steps in that document. And it did
yield one result: I was able to fix "related problem #2" by running gpfixup.
Can't remember if I did it before but if I did, I must have done it wrong.
But I still have duplicate junk in my C:\WINDOWS\system32\config\netlogon.dns
and I still get the same error when running netdiag /fix.
Here are all the steps I retraced today:
p. 7
Raise Forest Functional Level to Windows Server 2003 - did that first thing
way back when
Creating Necessary Shortcut Trust Relationships - no trust relationships to
begin with; only one domain, one forest
p. 8
Pre-Creating Parent-Child Trust Relationships for a Restructured Forest -
not necessary; only one domain, one forest
p. 15
Use the DNS MMC snap-in to create the required DNS zones compiled - done
Configure DNS zones according to "Add a forward lookup zone" in Windows
Server 2003 Server Help and Support Center - done, using the Windows Interface
Configure dynamic DNS update according to "Allow dynamic updates" in Windows
Server 2003 Server Help and Support Center. - according to help, "How client
and server computers update their DNS names
By default, computers that are statically configured for TCP/IP attempt to
dynamically register host (A) and pointer (PTR) resource records (RRs) for IP
addresses configured and used by their installed network connections. By
default, all computers register records based on their fully qualified domain
name (FQDN)." I check and the full computer name of the primary domain
controller is poweredge.xxx.net
Preparing Folder Redirection to Domain-Based DFS - don't care about this
Preparing Roaming User Profiles on Domain-Based DFS - don't use roaming
profiles
p. 16
Configuring Member Computers for Host Name Changes By default, the Primary
DNS Suffix of a member computer of an Active Directory domain is configured
to change automatically when domain membership of the computer changes - all
this worked just fine; all member computers automatically renamed to the
xxx.net. In any case, when I run ADSIEDIT.msc (p. 22), everything in there
looks fine: only xxx.net; no xxx.com. msDS AllowedDNSSuffixes are net; com
p. 25, step 4
With the Group Policy object selected, click Edit - this currently fails for
both the "Default Domain Controllers Policy" and "Default Domain Policy". So
I can't continue with steps 5-9 on this page
Preparing Certification Authorities - at this point I don't care much about
Certificate Authorities. My old domain wasn't configured with certificate
authorities. At some point soon I'll need them. But this was never a part
of the migration.
pp. 28 - 30
Set Up the Control Station - I did set up a separate Windows Server machine
to act as the Control Station. But that's since been converted to something
else a few months ago.
p. 31
rendom /list - I did this
p. 33
edit the domainlist.xml file - I did this
pp. 35-36
Renaming Application Directory Partitions - I did this
p. 37
review the new forest description in domainlist.xml - did this
p. 38
Generate Domain Rename Instructions - rendom /upload - did this
pp. 39-42
Push Domain Rename Instructions to All DCs and Verify DNS Readiness
Not sure it makes sense to run this on the domain server at this late date,
but executing (on page 41):
Dsquery server –hasfsmo name
now returns:
dsquery failed:`name' is an unknown parameter.
type dsquery /? for help.
p. 42
I think I ran:
repadmin /syncall /d /e /P /q poweredge
It's been a long time now so I can't remember for sure.
It asks to check for presence of required DNS resource records. I use the
DNS MMC snap-in to check for the presence of the records listed in Table 1.
It's hard to make sure the names are right 'cause I think the GUI splits out
the first part of the name as what looks like a path and the last part as
its "domain"
There is a record of type CNAME named
1af4ff5b-6293-47c8-a5dd-8b37a74af4b7._msdcs.xxx.net
There is a SRV record pertaining to the PDC named
_ldap._tcp.pdc._msdcs.xxx.net
There is a SRV record pertaining to a global catalog (GC) server named
_ldap._tcp.gc._msdcs.xxx.net
There is a SRV record pertaining to a (DC) server named
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.xxx.net
p. 45
verify the readiness of domain controllers in the forest by running
rendom /prepare
I remember that working OK.
p. 47
execute the domain rename instructions on all domain controllers by running
rendom /execute
I remember that working OK as well.
p. 50
I don't run Exchange so I didn't do any Exchange-specific steps. I did
reboot the control station twice and run
rendom /end
p. 51
I never had external trusts so I didn't do anything regarding external trusts.
p. 52
I did not fix up Dfs topology. I don't think I need to do this. But maybe
I'm wrong.
p. 55
I ran gpfixup:
gpfixup /olddns:xxx.com /newdns:xxx.net /dc:poweredge.xxx.net
which fixed my problem editing "Default Domain Policy" and "Default Domain
Controllers Policy"
But when I ran
repadmin /syncall /d /e /P /q poweredge.xxxx.net xxx.net
I got
Syncing partition: xxx.net
SyncAll exited with fatal Win32 error: 8420 (0x20e4):
The naming context could not be found.
p. 56
After the Domain Rename Procedure
pp. 57-61
Verify Certificate Security After Domain Rename - since I haven't set up
certificate security, I don't have to do this yet. (my
C:\WINDOWS\system32\certsrv has no certdat.inc file, for instance)
p. 62
I used the Active Directory Domains and Trusts MMC snap-in to look for any
traces of xxx.com - nothing
p. 67
I did Rename Domain Controllers as part of this original process
p. 68
Appendix begins
For reference, here's the complete contents of my
C:\WINDOWS\system32\config\netlogon.dns - after it was regenerated when
restarting the netlogon service:
xxx.net. 600 IN A 192.168.254.13
xxx.com. 600 IN A 192.168.254.13
xxx.net. 600 IN A 169.254.78.137
xxx.com. 600 IN A 169.254.78.137
_ldap._tcp.xxx.net. 600 IN SRV 0 100 389 poweredge.xxx.net.
_ldap._tcp.xxx.com. 600 IN SRV 0 100 389 poweredge.xxx.net.
_ldap._tcp.Default-First-Site-Name._sites.xxx.net. 600 IN SRV 0 100 389 poweredge.xxx.net.
_ldap._tcp.Default-First-Site-Name._sites.xxx.com. 600 IN SRV 0 100 389 poweredge.xxx.net.
As you can see, I still have a lot of "xxx.com" junk left over. Where is
this stuff coming from? How can I get rid of it?
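
Added example, not part of the original thread: a small audit of a netlogon.dns file in the format quoted above, listing records whose owner name falls outside the expected domain and A records that register a link-local (169.254.0.0/16) address. The sample text is constructed from the records shown in the post; the function names and the expected-domain parameter are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the records quoted in the post, with wrapped lines rejoined.
SAMPLE = """\
xxx.net. 600 IN A 192.168.254.13
xxx.com. 600 IN A 192.168.254.13
xxx.net. 600 IN A 169.254.78.137
xxx.com. 600 IN A 169.254.78.137
_ldap._tcp.xxx.net. 600 IN SRV 0 100 389 poweredge.xxx.net.
_ldap._tcp.xxx.com. 600 IN SRV 0 100 389 poweredge.xxx.net.
_ldap._tcp.Default-First-Site-Name._sites.xxx.net. 600 IN SRV 0 100 389 poweredge.xxx.net.
_ldap._tcp.Default-First-Site-Name._sites.xxx.com. 600 IN SRV 0 100 389 poweredge.xxx.net.
"""

def parse_records(text):
    """Yield (owner, ttl, rtype, rdata) for each 'owner ttl IN type rdata...' line."""
    for line in text.splitlines():
        parts = line.split()
        # Skip blanks and anything not in the one-record-per-line format shown above.
        if len(parts) < 5 or parts[2].upper() != "IN" or not parts[1].isdigit():
            continue
        yield parts[0].lower(), int(parts[1]), parts[3].upper(), parts[4:]

def in_domain(owner, domain):
    """True if owner equals domain or is a subdomain of it (label-aligned match)."""
    owner, domain = owner.lower().rstrip("."), domain.lower().rstrip(".")
    return owner == domain or owner.endswith("." + domain)

def audit(text, expected_domain):
    """Group suspect records: owners outside expected_domain, link-local A records."""
    findings = defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_records(text):
        if not in_domain(owner, expected_domain):
            findings["unexpected_domain"].append((owner, rtype))
        if rtype == "A" and ipaddress.ip_address(rdata[0]).is_link_local:
            findings["link_local_address"].append((owner, rdata[0]))
    return dict(findings)

if __name__ == "__main__":
    for kind, items in audit(SAMPLE, "xxx.net").items():
        print(kind)
        for owner, detail in items:
            print(f"  {owner}  {detail}")
```

Running it against a copy of the file after each Net Logon restart shows whether the old-domain records are still being regenerated.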
Re: netdiag /fix DNS_ERROR_RCODE_NOT_IMPLEMENTED error
Does anyone have any idea what Joe's problem was here?
We did a domain migration/rename last year and I just noticed this same *exact* problem. We definitely followed all the steps when we did the rename, checking each one off as we went through.
And Joe actually did a really good job of documenting everything here. Any ideas?
Re: netdiag /fix DNS_ERROR_RCODE_NOT_IMPLEMENTED error
In the microsoft.public.windows.server.active_directory newsgroup this posting
isn't listed anymore, so please describe in detail the problem you have including
the OS version (SP/patch level) also with error messages or complete event
viewer errors.