What are the most common DNS related Dcpromo errors? How do I fix
them?
Some common issues that you may encounter with Active Directory
installation and configuration can cause a partial or complete loss
of functionality in Active Directory. These issues may include,
but not be limited to:
- Domain Name System (DNS) configuration errors.
- Network configuration problems.
- Difficulties when you upgrade from Microsoft Windows NT.
You must configure DNS correctly to ensure that Active Directory
will function properly.
Review the following configuration items to ensure that DNS is
healthy and that the Active Directory DNS entries will be registered
correctly:
- DNS IP configuration
- Active Directory DNS registration
- Dynamic zone updates
- DNS forwarders
DNS IP Configuration
An Active Directory server that is hosting DNS must have its TCP/IP
settings configured properly. TCP/IP on an Active Directory DNS
server must be configured to point to itself to allow the server
to register with its own DNS server.
To view the current IP configuration, open a command window and type
ipconfig /all
to display the details. You can modify the DNS configuration by
following these steps:
- Right-click My Network Places, and then click Properties.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Click Advanced, and then click the DNS tab. Configure the DNS
server addresses to point to the DNS server; this should be the
computer's own IP address if it is the first server or if no
dedicated DNS server will be configured.
- If the resolution of unqualified names setting is set to Append
these DNS suffixes (in order), the Active Directory DNS domain
name should be listed first (at the top of the list).
- Verify that the DNS Suffix for this connection setting is the
same as the Active Directory domain name.
- Verify that the Register this connection's addresses in DNS
check box is selected.
- At a command prompt, type
ipconfig /flushdns
to purge the DNS resolver cache, and then type
ipconfig /registerdns
to register the DNS resource records.
- Start the DNS Management console. There should be a host record
(an "A" record in Advanced view) for the computer name.
There should also be a Start of Authority (SOA in Advanced view)
record pointing to the domain controller (DC) as well as a Name
Server record (NS in Advanced view).
Active Directory DNS Registration
The Active Directory DNS records must be registering in DNS. The DNS
zone can be either a standard primary or an Active Directory-integrated
zone. An Active Directory-integrated zone is different from a standard
primary zone in several ways. An Active Directory-integrated zone
provides the following benefits:
- The Windows 2000 DNS service stores zone data in Active Directory.
This causes DNS replication to create multiple masters, and it
allows any DNS server to accept updates for a directory service-integrated
zone. Using Active Directory integration also reduces the need to
maintain a separate DNS zone transfer replication topology.
- Secure dynamic updates are integrated with Windows security.
This allows an administrator to precisely control which computers
can update which names, and it prevents unauthorized computers
from obtaining existing names from DNS.
Use the following steps to ensure that DNS is registering the Active
Directory DNS records:
- Start the DNS Management console.
- Expand the zone information under the server name.
- Expand Forward Lookup Zones, right-click the name of the Active
Directory domain's DNS zone, click Properties, and then verify
that Allow Dynamic Updates is set to Yes.
- Four folders with the following names are present when DNS is
correctly registering the Active Directory DNS records. These
folders are labeled:
_msdcs
_sites
_tcp
_udp
If these folders do not exist, DNS is not registering the Active
Directory DNS records. These records are critical to Active Directory
functionality and must appear within the DNS zone. You should repair
the Active Directory DNS record registration.
To repair the Active Directory DNS record registration
Check for the existence of a Root Zone entry. View the Forward Lookup
zones in the DNS Management console. There should be an entry
for the domain. Other zone entries may exist. There should not be
a dot (".") zone. If the dot (".") zone exists,
delete the dot (".") zone. The dot (".") zone
identifies the DNS server as a root server.
Typically, an Active Directory domain that needs external (Internet)
access should not be configured as a root DNS server.
The server probably needs to reregister its IP configuration (by
using Ipconfig) after you delete the dot ("."). The Netlogon
service may also need to be restarted.
Manually repopulate the Active Directory DNS entries. You can use
the Windows 2000 Netdiag tool to repopulate the Active Directory
DNS entries. Netdiag is included with the Windows 2000 Support tools.
At a command prompt, type
netdiag /fix
After you run the Netdiag utility, refresh the view in the DNS
Management console. The Active Directory DNS records should then
be listed.
Note: The server may need to reregister its IP
configuration (by using Ipconfig) after you run Netdiag. The Netlogon
service may also need to be restarted.
If the Active Directory DNS records do not appear, you may need
to manually re-create the DNS zone.
Manually re-create the DNS zone
- Start the DNS Management console.
- Right-click the name of the zone, and then click Delete.
- Click OK to acknowledge any warnings. The Forward Lookup zones
no longer list the deleted zone.
- Right-click Forward Lookup Zones, and then click New Zone.
- The New Zone Wizard starts. Click Next to continue.
- Click the appropriate zone type (either Active Directory-integrated
or Standard primary), and then click Next.
- Type the name of the zone exactly as it appears in Network Identification,
and then click Next.
- Click the appropriate zone file, or a new zone file. Click Next,
and then click Finish to finish the New Zone Wizard.
- The newly created zone appears in the DNS Management console.
- Right-click the newly created zone, click Properties, and then
change Allow Dynamic Updates to Yes.
- At a command prompt, type
net stop netlogon
and then press ENTER. The Netlogon service is stopped.
- Type
net start netlogon
and then press ENTER. The Netlogon service is restarted.
- Refresh the view in the DNS Management console. The Active Directory
DNS records should be listed under the zone.
If the Active Directory DNS records still do not exist, there may
be a disjointed DNS namespace.
Dynamic Zone Updates
Microsoft recommends that the DNS Lookup zone accept dynamic updates.
You can configure this by right-clicking the name of the zone, and
then clicking Properties. On the General tab, the Allow Updates setting
should be set to Yes, or for an Active Directory-integrated zone,
either Yes or Only secure updates. If dynamic updates are not allowed,
all host registration must be completed manually.
DNS Forwarders
To ensure network functionality outside of the Active Directory domain
(such as browser requests for Internet addresses), configure the DNS
server to forward DNS requests to the appropriate Internet service
provider (ISP) or corporate DNS servers. See "No Forwarding or Root
Hints on Windows 2000 DNS server?" for troubleshooting tips.
To configure forwarders on the DNS server:
- Start the DNS Management console.
- Right-click the name of the server, and then click Properties.
- Click the Forwarders tab.
- Click to select the Enable Forwarders check box.
Note: If the Enable Forwarders check box is unavailable,
the DNS server is attempting to host a root zone (usually identified
by a zone named only with a period, or dot (".")). You
must delete this zone to enable the DNS server to forward DNS
requests. In a configuration in which the DNS server does not
rely on an ISP DNS server or a corporate DNS server, you can use
a root zone entry.
- Type the appropriate IP addresses for the DNS servers that will
accept forwarded requests from this DNS server. The list reads
from the top down in order; if there is a preferred DNS server,
place it at the top of the list.
- Click OK to accept the changes.
Upgrade Installation Considerations
Earlier (Legacy) DNS Servers
DNS servers that run Windows NT 4.0 cannot dynamically register the
Active Directory DNS records. The best solution in this case is to
install DNS on the Active Directory domain controller to ensure that
Active Directory DNS records will be registered for the domain.
Disjointed DNS Namespace
You must configure the correct DNS suffix information before you
begin a Windows 2000 upgrade installation. You cannot change the
server name and DNS domain information after Active Directory is
installed.
To configure the DNS suffix information in Windows
NT before you upgrade the computer to a Windows 2000-based Active
Directory domain controller:
- Right-click Network Neighborhood, and then click Properties.
- Click the Protocols tab, click TCP/IP Protocol, and then click
Properties.
- Click the DNS tab.
- In the Domain box, type the complete Active Directory domain
name.
- Click Apply, and then click OK.
- Click OK to quit the Network tool.
- Restart the computer.
To verify the settings, open a command window, and then type
ipconfig /all
The Host Name line shows the fully qualified domain name.
If you must change the DNS domain information after you install
Active Directory, you must run the Dcpromo utility on the computer
to remove it from the domain and make it a stand-alone server.
To determine if a disjointed namespace exists
on an existing Windows 2000-based domain controller:
- Right-click My Computer, and then click Properties.
- Click the Network Identification tab.
- Compare the DNS suffix section of the full computer name to
that of the domain name listing. The full computer name reads
as follows: hostname.dns_suffix. These two entries should contain
identical suffix information.
If these two entries do not contain identical suffix information,
a disjointed DNS namespace exists. This condition prevents proper
registration of any Active Directory DNS records.
Note: The only supported method to recover from
a disjointed namespace is to use Dcpromo to remove the computer
from the domain and make it a stand-alone server. You can then correct
the DNS namespace information and run Dcpromo again to promote the
computer back to a domain controller.
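The checks this article walks through by hand (self-pointing DNS IP configuration, the dot (".") root zone, dynamic updates on the domain zone, registration of the _msdcs records, forwarders, and the disjointed-namespace suffix comparison) can be gathered into one read-only script. This is an added example, not part of the original article; it assumes a current Windows Server domain controller with the DnsServer and NetTCPIP PowerShell modules rather than the Windows 2000 GUI tools described above, and it only reports findings, changing nothing.

```powershell
# Added example (not from the original article): read-only DNS health check for a DC.
# Assumes a modern Windows Server DC with the DnsServer module installed.
$adDomain = (Get-CimInstance Win32_ComputerSystem).Domain
$findings = New-Object System.Collections.Generic.List[string]

# 1. DNS IP configuration: a DC that hosts DNS should point to itself.
$localIPs   = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses
if (-not ($dnsServers | Where-Object { $localIPs -contains $_ -or $_ -eq '127.0.0.1' })) {
    $findings.Add("No interface lists this server's own address as a DNS server.")
}

# 2. Disjointed namespace: the primary DNS suffix must equal the AD domain name.
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
if ($suffix -ne $adDomain) {
    $findings.Add("Primary DNS suffix '$suffix' differs from AD domain '$adDomain' (disjointed namespace).")
}

# 3. Root zone: a '.' zone marks this server as a root server and disables forwarders.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    $findings.Add("A root ('.') zone exists; delete it unless this server is meant to be a root server.")
}

# 4. Dynamic updates on the domain zone ('Secure' is the setting to expect on an AD-integrated zone).
$zone = Get-DnsServerZone -Name $adDomain -ErrorAction SilentlyContinue
if (-not $zone) {
    $findings.Add("No forward lookup zone named '$adDomain' exists on this server.")
} elseif ($zone.DynamicUpdate -eq 'None') {
    $findings.Add("Zone '$adDomain' does not accept dynamic updates; host records must be registered manually.")
}

# 5. AD DNS registration: the DC locator SRV record under _msdcs must resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$adDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    $findings.Add("_ldap._tcp.dc._msdcs.$adDomain has no SRV record; run 'ipconfig /registerdns' and restart Netlogon.")
}

# 6. Forwarders: needed for resolution of names outside the AD domain.
if (-not (Get-DnsServerForwarder).IPAddress) {
    $findings.Add("No forwarders are configured; external names resolve only via root hints, if at all.")
}

if ($findings.Count -eq 0) { 'All DNS checks passed.' } else { $findings }
```

Run it in an elevated PowerShell session on the domain controller; each finding maps back to the corresponding section of this article for the manual fix.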
Links
Windows 2000 Deployment Planning Guide
Troubleshooting Common Active Directory Setup Issues in Windows 2000 - 260371