Second Domain Controller 1


idsi

Technical User
Mar 26, 2004
47
US
My Scenario:

I installed my first domain controller (Windows 2003 Standard Edition) with AD, DNS and DHCP.
Then I installed Windows 2003 Standard Edition on another computer, then used the wizard to add the AD role and to have this second computer as the additional domain controller. Once I had done that, during login I was prompted to log in to the first server (so I thought it was good). Then I found that there were no DNS settings on the second server. So I configured the DNS using the wizard and added it as the second DNS server, but by copying from the first. After that I could see all the entries of the DNS in the first server in the second server. (I thought now everything looks good.)
The purpose of my second server was that if my first server is down or out of the network, the second server should have the same functionality as the first server.

Problem:
Once I shut down my first server, some clients couldn't get authenticated from the second server, but some did get authenticated. Even if they got authenticated they could not use any LAN resources.
In the second server I noticed that Active Directory Users and Computers can't be accessed.
What am I doing wrong?
Appreciate a quick response


 
You need to add another DNS option in your DHCP scope.

Right now, you probably only have one DNS server listed. Because you added another DNS server to your environment, you need to add this as a secondary DNS server. This way if the primary goes down, your clients will use the secondary.

DNS is needed for clients to log on. So if the client does not have a valid DNS server in their local TCP/IP settings, they will have trouble logging on.

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
I have DHCP running only in the first server.
But I have given static IPs to both the first and second server.
So I am still wondering whether I did something wrong during the AD installation or DNS in the secondary server.
I also checked the Global Catalog under NTDS Settings for the second server under Active Directory Sites and Services.

Appreciate a quick reply

Thanks
idsi
 
"I have DHCP running only in the first server."

Well. This is not a good idea. Only having DHCP running on one server is a single point of failure. You should configure DHCP on both servers and split the scope.

"But i have given static ips to both the first and second server." I have no idea what you are talking about here? Static IP? You need to configure the DHCP scope options to hand out both Primary and Secondary DNS IP Addresses to the clients. This way when a client receives a DHCP address, it gives them both a primary DNS server IP and a secondary DNS IP.


Don't forget that you also need to refresh the IP on the client to get the new settings. IPCONFIG /RELEASE can be run at a command prompt to release the IP. Then run IPCONFIG /RENEW to get a new IP address.

Run IPCONFIG /ALL on the client and verify that two DNS entries are visible.

Now, shut down the primary DC. Try to login to the domain.


Joseph L. Poandl
MCSE 2003

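Added example, not from any poster in this thread: the DHCP scope change Joseph describes, done in PowerShell with the DhcpServer module (Windows Server 2012 or later) instead of the DHCP console. The scope ID 192.168.0.0 is an assumption; the two DNS addresses are the DC addresses posted later in the thread. It reads scope option 6, warns when only one DNS server is handed out, then publishes both.

```powershell
# Added example, not from the thread. Verify and fix DHCP scope option 6 (DNS Servers)
# so that leases carry both domain controllers' DNS addresses.
# Requires the DhcpServer module (Windows Server 2012 or later); run it on the DHCP server.
$ScopeId    = '192.168.0.0'                        # assumed scope; adjust to yours
$DnsServers = @('192.168.0.38', '192.168.0.46')    # first DC, second DC (addresses from the thread)

# Option 6 is the standard "DNS Servers" DHCP option. If it is not set, $current is $null.
$current = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 -ErrorAction SilentlyContinue

if ($null -eq $current) {
    Write-Warning "Scope $ScopeId hands out no DNS servers at all."
}
elseif (@($current.Value).Count -lt 2) {
    # One DNS server in the lease means no name resolution, and so no domain logon,
    # for every client as soon as that single server is down.
    $only = $current.Value -join ', '
    Write-Warning "Scope $ScopeId hands out only $only; clients cannot log on when that server is down."
}
else {
    $both = $current.Value -join ', '
    Write-Output "Scope $ScopeId already hands out: $both"
}

# Publish both servers, primary first. -DnsServer sets option 6 for the scope.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DnsServers

# Confirm from the server side.
(Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6).Value

# Clients keep the old lease until it is refreshed: run 'ipconfig /release' and
# 'ipconfig /renew' there, then confirm both addresses arrived with
#   Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
```

The order in `$DnsServers` matters: Windows clients query the first address and fall back to the second only when the first does not answer, so a server that answers with an error is not failed over.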
 
Joseph, appreciate your quick response:
Actually I have a very small network and I really don't require DHCP.
I have all my local users using a static IP (private).
Domain name is not a public domain name.

When I do an ipconfig /all on my clients I can see both the IPs listed under DNS.

My clients can get authenticated to get into Windows when the first server is down. But they can't access any resources on the LAN, not even connect to the second server (but the server can be pinged). One thing I noticed is that if I log in as local administrator on the client machine then I am able to access the resources on the second server or any client machine which has logged in as local administrator. But if I try to map any drive of any other LAN resources, it doesn't get authenticated with any of the domain users.
Also I noticed that in the second server if I try to access Active Directory Sites and Services then it gives an error: "Naming information cannot be located because: The specified domain either does not exist or could not be contacted. Contact your administrator to verify that your domain is properly configured and is currently online."

What tests and configurations should I do on the second server to ensure that it was installed properly to serve as a backup server when the first server is down?

Appreciate a quick response
 
The process of adding another DC is very straight forward. I doubt anything went wrong here.

However, there could have been a problem when you added DNS. If (on your primary DNS server) you are using an Active Directory Integrated zone, all DNS data is automatically saved in Active Directory.

If you are using AD integrated DNS, then you don't have to copy the DNS database. Instead, on the second DC, all you need to do is ADD the DNS service.

"So I configured the DNS using the wizard and added it as the second DNS server but by copying from the first." If you are using AD integrated DNS, you will not have to COPY anything. You should have just simply added the DNS service to the new DC.

So, I would check DNS. A good way to query DNS is to use the command NSLOOKUP. For example, when you have your primary DC OFFLINE, use NSLOOKUP on the client to see if DNS is working.

i.e.:

From a command prompt on the client:

C:\>nslookup
Default Server: DNSserver1
Address: 10.10.10.1

> mydomain.com
Server: DNSserver1
Address: 10.10.10.1

Name: mydomain.com
Addresses: 10.10.10.1, 10.10.10.2

> DC2Server
Server: DNSserver1
Address: 10.10.10.1

Name: DC2Server
Address: 10.10.10.2
Joseph L. Poandl
MCSE 2003

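Added example, not part of Joseph's post: a PowerShell script that repeats the nslookup check above against every DNS server the client has configured, one server at a time, so you can see which server answers for the domain name and for each DC's name while the first DC is off. Resolve-DnsName and Get-DnsClientServerAddress need Windows 8 / Server 2012 or later; mydomain.com, DNSserver1 and DC2Server are the placeholder names from the post, not real ones.

```powershell
# Added example, not from the thread. Query each configured DNS server separately for the
# domain name and the DC host names, so a failure of one server shows up on its own line.
# Requires Resolve-DnsName / Get-DnsClientServerAddress (Windows 8 / Server 2012 or later).
$DomainName = 'mydomain.com'                 # placeholder domain name from the post
$DcHosts    = @('DNSserver1', 'DC2Server')   # placeholder DC host names from the post

function Get-ClientDnsServers {
    # Every IPv4 DNS server configured on any adapter, in client order, without duplicates.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique
}

function Test-NameOnServer {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly bypasses the local cache, LLMNR and NetBIOS so the answer really comes from $Server.
        $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        return "OK      $ips"
    }
    catch {
        # A timeout means the server is down or unreachable; "does not exist" means the record is missing.
        return "FAILED  $($_.Exception.Message)"
    }
}

$servers = @(Get-ClientDnsServers)
if ($servers.Count -lt 2) {
    Write-Warning "Only $($servers.Count) DNS server(s) configured; one server is a single point of failure for logon."
}

# Query the domain name itself (should return the address of every DC) and each DC's FQDN.
$names = @($DomainName) + ($DcHosts | ForEach-Object { "$($_).$DomainName" })

foreach ($server in $servers) {
    Write-Output "=== DNS server $server ==="
    foreach ($name in $names) {
        Write-Output ("  {0,-32} {1}" -f $name, (Test-NameOnServer -Name $name -Server $server))
    }
}
```

Run it on a client with the first DC shut down: every name should still come back OK from the second server's address. A FAILED line for the second server, with the first one off, points at the secondary DNS server rather than at the client.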
 
Joseph, you are so helpful.
Some info:
192.168.0.38 is the IP used on the first DC
192.168.0.46 is the IP used on the second DC
idsigis is the name of the domain controller
domainbkup is the machine name of the second DC

I made my first DC offline and tested with the nslookup command on the second DC. Please find below the results.

C:\>nslookup
DNS request timed out
timed out was 2 seconds
*** can't find server name for address 192.168.0.38 Timed out

Default Server : Unknown
Address : 192.168.0.38


>idsigis
Server : Unknow
Address : 192.168.0.38
DNS request timed out.
timeout was 2 seconds
***Request to Unknown timed out

>domainbkup
Server : unknown
Address : 192.168.0.38
DNS request timed out.
timeout was 2 seconds
***Request to Unknown timed out

Appreciate if you could help me more from here
 
With your first primary DC offline, your only valid DNS/DC is domainbkup.

192.168.0.46 is the ip used on the second DC

The client must have these TCP/IP settings:
DNS 1 = 192.168.0.38
DNS 2 = 192.168.0.46

(-----Check the above------)

Now, here are your results:

C:\>nslookup
DNS request timed out
timed out was 2 seconds
*** can't find server name for address 192.168.0.38 Timed out

Default Server : Unknown
Address : 192.168.0.38 <-- Default server is the IP address of the server turned OFF. This is why your DNS queries are failing.

As a test, run this command:


C:\>nslookup
Default Server: unknown
Address: 192.168.0.38

> server 192.168.0.46
Default Server: [192.168.0.46]
Address: 192.168.0.46


Now the default server will be your secondary DNS server. Now you can query against the available secondary DNS server.

Test to see if you can resolve host names and the domain name. (If you see can't resolve, this means that your secondary DNS server is not functioning properly. This would explain the symptoms you are experiencing.)
Joseph L. Poandl
MCSE 2003

 
Info: idsi1 is the machine name of the first DC
I changed the order of my DNS entries in the second DC to 192.168.0.46 and then 192.168.0.38.
Then I did the following and got the results like this:
C:\>nslookup
Default Server: unknown
Address: 192.168.0.38

> server 192.168.0.46
Default Server: [192.168.0.46]
Address: 192.168.0.46


AFTER THIS I did the following

>idisigis
Server :domainbkup.idsigis
Address:192.168.0.46
domainbkup.idsigis can't find idsigis - Non existent domain

>domainbkup
Server : domainbkup.idsigis
Address : 192.168.0.46
Name : domainbkup.idsigis
Address: 192.168.0.46

>idsi1
Server: domainbkup.idsigis
Address : 192.168.0.46
Name : idsi1.idsigis
Address: 192.168.0.38

Any clues from the above results?
Appreciate your help and quick response
 
Results breakdown:

<----------- First query ---------->
>idisigis
Server :domainbkup.idsigis
Address:192.168.0.46
domainbkup.idsigis can't find idsigis - Non existent domain

Result meaning -> IDISIGIS was not found in the DNS database. (However, it looks like you may have misspelled here. Should idIsigis exist? I think you meant to type idsigis.) What is the name of the domain? This is what you need to query for. If the name of the domain is Domain.com, enter domain.com in NSLOOKUP. You should get a response showing the IPs of the two DCs.



<---------------- Query Two ----------->
>domainbkup
Server : domainbkup.idsigis
Address : 192.168.0.46
Name : domainbkup.idsigis
Address: 192.168.0.46

Result meaning -> Successfully found IP address for the given server name. However, I would expect to see this format: servername.netbiosdomainname.com

The result from DNS should be the fully qualified domain name. For example:

Netbios domain name = company1
Fully qualified domain name = company1.com
server name = domainbkup

then the result from DNS should be: domainbkup.company1.com


<------------ Result Three -------------->

>idsi1
Server: domainbkup.idsigis
Address : 192.168.0.46
Name : idsi1.idsigis
Address: 192.168.0.38

Result meaning -> Successful lookup
Joseph L. Poandl
MCSE 2003

 
You have a single label domain, which is a domain with no dot at the end.

In order to work around this, you have to enter registry keys on your domain controllers, as well as every 2000/XP client on the domain in order for them to be able to register and read DNS records in a single-label zone.

Just to verify my hunch, go into your DNS console and tell me what the name of the zone is under forward lookup zones. Then, inside of that zone, tell me if you have any subzones, like _msdcs, _tcp, _udp, etc. My guess is that you don't.

See the following article for more info about single-label domains and how to work around them.

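Added example, not from the poster: a PowerShell check for the _msdcs/_tcp records the post asks about, queried against the second DC's DNS server. Domain members locate domain controllers through these SRV records, so the host A records resolving (as in the results above) is not enough on its own. The zone name idsigis and the address 192.168.0.46 are taken from the thread; Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread. Check the DC locator (SRV) records that the
# _msdcs/_tcp/_udp subdomains of an AD zone are supposed to contain, asking the second
# DC's DNS server directly. Requires Resolve-DnsName (Windows 8 / Server 2012 or later).
$Zone      = 'idsigis'        # zone name as shown under Forward Lookup Zones (from the thread)
$DnsServer = '192.168.0.46'   # the DC that must answer when the first one is offline (from the thread)

# Netlogon registers these for every DC. Domain members use them to find an LDAP server,
# a Kerberos KDC and a global catalog; resolving a DC's A record is not a substitute.
$LocatorRecords = @(
    "_ldap._tcp.dc._msdcs.$Zone",
    "_kerberos._tcp.$Zone",
    "_ldap._tcp.$Zone",
    "_gc._tcp.$Zone"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string]$Server)
    foreach ($name in $Names) {
        try {
            $srv = @(Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
            [pscustomobject]@{
                Record  = $name
                Found   = ($srv.Count -gt 0)
                Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            }
        }
        catch {
            # "does not exist" here means Netlogon never managed to register the DC in this zone.
            [pscustomobject]@{ Record = $name; Found = $false; Targets = $_.Exception.Message }
        }
    }
}

$report = Test-DcLocatorRecords -Names $LocatorRecords -Server $DnsServer
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Found }) {
    Write-Warning (("Locator records missing from zone '{0}'. A single-label zone needs the registry " +
                    "workaround described above before Netlogon can register them; afterwards re-register " +
                    "with 'nltest /dsregdns' on each DC and re-run this check.") -f $Zone)
}

# On the DNS server itself (DnsServer module, Server 2012 or later) the same question can be put
# to the zone directly: is it AD-integrated, and does it hold any _msdcs/_tcp/_udp nodes at all?
#   Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated
#   Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object { $_.HostName -like '_*' }
```

A healthy zone returns at least one SRV target per record, naming each DC with port 389 (LDAP), 88 (Kerberos) or 3268 (global catalog). All four missing while the host names still resolve matches the picture in the post: the zone exists, but Netlogon has not been able to populate it.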