Domain Controllers and DNS issues 1

Status
Not open for further replies.

vttech

Technical User
Jan 28, 2006
297
US
I recently built two new Windows 2003 servers and promoted them to DCs (DC3 and DC4) and DNS servers, to retire two Windows 2000 Server DCs (DC1 and DC2). The old DCs (DC1 and DC2) had a DNS primary (DC1) and secondary (DC2) role configuration. When I promoted the new Windows 2003 servers to DCs, I configured an Active Directory integrated DNS configuration.

I migrated all the FSMO roles to DC3 and DC4, then I demoted both DC1 and DC2. It seemed to work, but then a couple of workstations lost the group policies that are set up in Active Directory, and the Domain Admins group got removed from the local workstation Administrators group. Also, the end users were receiving the following message on login: "Domain Controller is not available". This didn't happen to all my workstations, just around 15-20.

Nothing was changed in Group Policy, but after I added Domain Admins to the local workstation Administrators group and rebooted around 6 times, the Group Policies took effect again.
Does anyone have an idea what the issue is, or some steps to troubleshoot it?


Newbie in search of knowledge
 
How long between promoting the two new servers and demoting the old ones?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Run dcdiag first and foremost. That will probably give you a few ideas. If you have multiple DCs and multiple role holders, this could cause serious problems. Report back.
 
Davetoo, it had been about a week between the two steps of the process.


Cstorm, I am not in the office but will run dcdiag first thing in the morning and let you know the results.

Newbie in search of knowledge
 
cstorms, I know that the new DCs do split the FSMO roles.

Newbie in search of knowledge
 
Do you have any workstations that still get the message?


I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
The problem only happened one day and then it seemed to disappear. It happened when I demoted the last old DC.

I ran dcdiag and got the following error:

Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 09/05/2007 08:06:52
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 09/05/2007 08:06:53
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 09/05/2007 08:06:53
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 09/05/2007 08:06:54
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 09/05/2007 08:06:55
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 09/05/2007 08:07:02
(Event String could not be retrieved)
......................... DC3 failed test systemlog



Newbie in search of knowledge
 
OK, as long as that was the only error, it simply means there are errors logged in the System event log. So as long as you're aware of these events you can disregard it. Have you also done a netdiag on these machines? Are there any errors in there?
 
I ran netdiag on the workstations with no errors. But when I ran netdiag on one of the new DCs I got:

DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the name
'dc.vac.org.'. [ERROR_TIMEOUT]
The name 'chcb8.chcb.org.' may not be registered in DNS.
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.9' and other DCs also have some of the names registered.



Newbie in search of knowledge
 
Is that dc still a valid machine that should be routable? If not, clear out the entries for any references to this machine in your "Sites and Services" and verify the SRV records are no longer referencing it in DNS. I assume the reason your client machines were not authenticating correctly was that they still had a cached SRV record for the old DC, which I suspect may still exist in the new DNS server somewhere. As far as future troubleshooting, are there still issues coming up after you re-entered the groups and policies started to apply correctly? I would verify what I mentioned here and, if no problems seem to be cropping up atm, keep watch on your replication logs to see if there are any entries for the old DCs.

Sorry if my explanations are a bit mangled, I am usually choking down caffeine at work while running in and out of the lab. Loonnngg mornings ;)
 
Thanks Cstorm, with your help I was able to figure out the issue. Basically I have two NICs in the new DC, and DNS was configured on the Interfaces tab to "All IP addresses". Thus my error in configuration.

Before that I changed the configuration from Active Directory integrated to type primary and did the following steps:

Make sure the zone has Dynamic Updates or the "Only secure" option selected. (Go into DNS, right click the zone and select Properties.)

Stop the netlogon and the DNS service (at a cmd prompt type net stop netlogon and net stop dns).

Go to the %systemroot%\system32\config folder and then delete the netlogon.dns and netlogon.dnb files.

Restart DNS and netlogon.

Run netdiag /fix.


But this was a good lesson, because I never would have looked at the NIC except to make sure that TCP/IP was configured to point at the internal IP address.

Newbie in search of knowledge
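Two checks come out of this thread: cstorm's advice to verify that no SRV records still point at the demoted DCs, and vttech's finding that a dual-homed DC with DNS listening on "All IP addresses" registers an extra A record that clients on the other side may not be able to reach. The script below is an added example written for this page, not code from the thread or from any Microsoft tool. It assumes the locator records have already been exported from the zone (for example with dnscmd /zoneprint or nslookup) and reduced to (owner, type, data) tuples; the sample records, host names and addresses are constructed to mirror the thread (DC1/DC2 demoted, DC3/DC4 new, DC3 with two NICs) and use the reserved .test domain.

```python
"""Offline audit of AD DNS locator records after a DC migration.

Added example for this thread. Assumes records were exported from the zone
and parsed into (owner, type, data) tuples; everything below is constructed.
"""

# Constructed sample export. For A records the data is an address,
# for SRV records it is the target host name (priority/weight/port omitted).
SAMPLE_RECORDS = [
    ("dc1.example.test.", "A", "10.0.0.1"),          # demoted DC, A record left behind
    ("dc3.example.test.", "A", "10.0.0.9"),          # new DC, internal NIC
    ("dc3.example.test.", "A", "192.168.50.9"),      # same DC, second NIC (the bug)
    ("dc4.example.test.", "A", "10.0.0.10"),
    ("_ldap._tcp.dc._msdcs.example.test.", "SRV", "dc1.example.test."),
    ("_ldap._tcp.dc._msdcs.example.test.", "SRV", "dc3.example.test."),
    ("_ldap._tcp.dc._msdcs.example.test.", "SRV", "dc4.example.test."),
    ("_kerberos._tcp.dc._msdcs.example.test.", "SRV", "dc2.example.test."),
    ("_kerberos._tcp.dc._msdcs.example.test.", "SRV", "dc3.example.test."),
    ("_kerberos._tcp.dc._msdcs.example.test.", "SRV", "dc4.example.test."),
]

# Constructed: the DCs that should exist after the migration and the single
# address each one is expected to publish (the internal NIC).
EXPECTED_DC_ADDRESSES = {
    "dc3.example.test.": "10.0.0.9",
    "dc4.example.test.": "10.0.0.10",
}


def _norm(name):
    """Case-insensitive comparison key for DNS names (trailing dot ignored)."""
    return name.lower().rstrip(".")


def stale_srv_targets(records, expected):
    """SRV records whose target host is not one of the expected live DCs.

    Clients pick DCs from these records, so a leftover entry for a demoted
    server sends them to a machine that no longer answers LDAP/Kerberos.
    """
    live = {_norm(h) for h in expected}
    return [(owner, target) for owner, rtype, target in records
            if rtype == "SRV" and _norm(target) not in live]


def unresolvable_srv_targets(records):
    """SRV targets with no A record at all in the export.

    This is the shape behind netdiag's 'may not be registered in DNS' /
    ERROR_TIMEOUT warning: the locator record exists, the host does not.
    """
    a_names = {_norm(owner) for owner, rtype, _ in records if rtype == "A"}
    return sorted({target for _, rtype, target in records
                   if rtype == "SRV" and _norm(target) not in a_names})


def unexpected_addresses(records, expected):
    """A records for a live DC that differ from its expected address.

    A second address usually means the DNS server is listening on all
    interfaces of a multi-homed DC, so dynamic registration published the
    other NIC too; clients may then be handed an address they cannot reach.
    """
    want = {_norm(h): ip for h, ip in expected.items()}
    return [(owner, ip) for owner, rtype, ip in records
            if rtype == "A" and _norm(owner) in want and ip != want[_norm(owner)]]


def audit(records, expected):
    """Run all three checks and return the findings in one dict."""
    return {
        "stale_srv": stale_srv_targets(records, expected),
        "unresolvable_srv": unresolvable_srv_targets(records),
        "unexpected_a": unexpected_addresses(records, expected),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_RECORDS, EXPECTED_DC_ADDRESSES).items():
        print(f"{check}: {'clean' if not findings else ''}")
        for item in findings:
            print("   ", item)
```

On the sample data the audit flags dc1 and dc2 as stale SRV targets, dc2 additionally as unresolvable (its A record is gone but the Kerberos SRV record remains), and dc3's second address as unexpected; after the netlogon.dns/.dnb re-registration and restricting the DNS server to the internal interface, a fresh export of a healthy zone should return empty lists for all three.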
 