New Domain Controller DNS Issues

Similar Messages

• New Domain controller, DNS client settings before FSMO transfer

  I recently promoted a new domain controller.  It is the fourth domain controller and third in the site.  I plan to decommission the other two domain controllers in the site leaving just the new one.   Right now the new domain controller points
  its tcp\ip client to the other other domain controller\DNS servers as primary and itself at the bottom.  The other domain controllers point to themselves as primary and the newest domain controller on the bottom of the list.  Clients on the network
  use the original domain controllers as DNS from DHCP first and then the new domain controller DNS.  Is it okay to transfer all the FSMO roles to the new domain controller or should I make all the DNS clients point to it first?

  Hi,
  It is possible to first change your FSMO roles and after this is done then point your DNS clients to the new DC. This should not be a problem.
  some interesting information about assigning your FSMO Roles: http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html
  Hope this helps you out.

• Server 2012 Domain Controller / DNS Issue

  If you did ipconfig /registerdns, I'm assuming you did ipconfig /flushdns prior to that correct? Just want to make sure...
  Once you are sure you did both, go ahead and type in nslookup in the command prompt. What does it display as the current DNS server? Once you type that in, you can type in the IP address of your new DC and see what it resolves to. Please get back to us with those results when possible.

  We had a domain controller go down in a multi domain controller environment. We set a new one up and promoted it to the domain. Assigned it all the necessary roles and joined it to the domain. It has been 4 days since we did this and we cannot ping it by host name. We can ping it by IP address. I have forced replication, which allowed me to ping it by host name for a few hours, but then it stopped working. I have tried to change the DNS primary to a different DC, making the host a secondary DNS, that didn't fix it. I am looking for any suggestions on how to fix it. I have done a ipconfig /registerdns , restarted DNS services but still not able to ping host name of DC on a consistent basis.
  Any suggestions ?
  [email protected]
  This topic first appeared in the Spiceworks Community

• New Domain Controller does not show in our different site's Domain controller's Sites and Services

  Hi,
  we have two sites in our AD environment. OMA site and NY site. we have three domain controllers in our OMA site and two domain controllers in our NY site. All our DCs are windows server 2008R2 except one in our OMA site that is 2003R2 the domain
  functional level is also 2003R2.
  We decided to raise our functional level to 2008R2. I added a new domain controller in our OMA site and transferred all FESMOS from the DC that was running 2003R2 to this new domain controller.
  the issue now is that our NY site does not make any connection with the new domain controller in OMA site. it does not even show it under sites and services. I have checked the DNS settings and everything. if you try to replicate the connections
  from NY site it gives the following error: "The naming context is in the process of being removed or is not replicated from the specific server."
  can anyone plz tell me why this is happening mt brain is just frozen at this moment and cant figure out why is this happening

  Just noticed this replication issue has been going on for a while now but we never noticed until I added new DC. here is the error log for the NY site DC.
  Log Name:      Directory Service
  Source:        Microsoft-Windows-ActiveDirectory_DomainService
  Date:          1/4/2014 8:11:40 AM
  Event ID:      2042
  Task Category: Replication
  Level:         Error
  Keywords:      Classic
  User:          ANONYMOUS LOGON
  Computer:      NORDC1.vertrue.com
  Description:
  It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
   The reason that replication is not allowed to continue is that the two DCs may contain lingering objects.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions
  of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".  If the local destination DC was allowed to replicate with the source DC, these potential lingering object
  would be recreated in the local Active Directory Domain Services database.
  Time of last successful replication:
  2013-05-16 15:26:38
  Invocation ID of source directory server:
  9236ac56-d046-4632-b072-acbe823c5f6c
  Name of source directory server:
  accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
  Tombstone lifetime (days):
  90
  The replication operation has failed.
  User Action:
    The action plan to recover from this error can be found at
  http://support.microsoft.com/?id=314282.
   If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects
  <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source
  DC> <Destination DC DSA GUID> <NC>".
   If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at
  http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
   If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:
  Registry Key:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
   Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between
  DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime
  number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.  Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are
  located immediately.
  Alternate User Action:
  Force demote or reinstall the DC(s) that were disconnected.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
      <EventID Qualifiers="49152">2042</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>5</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
      <EventRecordID>38018</EventRecordID>
      <Correlation />
      <Execution ProcessID="660" ThreadID="1596" />
      <Channel>Directory Service</Channel>
      <Computer>NORDC1.vertrue.com</Computer>
      <Security UserID="S-1-5-7" />
    </System>
    <EventData>
      <Data>2013-05-16 15:26:38</Data>
      <Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
      <Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
      <Data>90</Data>
      <Data>Allow Replication With Divergent and Corrupt Partner</Data>
      <Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
    </EventData>
  </Event>

• Strange issues with domain controller/DNS server

  Our domain controller/DNS server was working fine this morning. Then suddenly we stopped being able to access certain things on it. I could ping it, RDP into it, and access some files on it, but I couldn't run any applications hosted on it, accessing shared
  network files was slow, and different people around the office were getting access denied errors to files and folders they had full control of in NTFS (and in shared permissions).
  At first I noticed an NTP error so I registered w32tm and started the service and that got rid of the error but didn't fix anything.
  Oddly, machines still had internet access.
  We tried rebooting everything, restarting services, nothing has helped.
  When I accessed the server directly through the console I could access everything, could connect to any machine in the office, nothing seemed to be wrong with it.
  Any ideas?

  Is there any recent changes in your network or firewall or antivirus? Is there any change/updates performed in the AD side? I would suggest find out changes being done at the AD or Network/FIrewall level. You can run various diagnostic test within your AD
  environment to find the overall health of the AD infra.
  What does DCDIAG actually… do?
  Active Directory Replication Status Tool Released 
  http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
  Awinish Vishwakarma - MVP
  My Blog: awinish.wordpress.com
  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• Lack of Connectivty to Domain Controller - Domain Controller Access Issues Requires Repeated Reauthentication

  Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information. 
  I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is. 
  The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
  setup.)
  For 6+ months everyone had access to the shared files and databases on each workstation without issue. 
  In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already. 
  Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
  no logon servers available to service the logon request”.  While access is rejected I’m still able to ping the DC both via its name and IPV4 address. 
  (Pinging via its name results in an IPv6 address in the response.) 
  Other network connectivity appears intact (able to browse the web, perform network discovery.)
  Things that ‘seem’ to allow access on this computer until the next failure:
  Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
  Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
  After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username. 
  Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
  Most Problematic Computer:
  Event ID 8016:  System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.) 
  Event ID 131:  NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’ 
  ‘No such host is known.”
  Event ID 5719:  NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
  And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
   The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  Event 1030:  The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
  at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
  On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
  Ipconfig/all from the server:
     Connection-specific DNS Suffix 
     Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
     Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
   10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 234638804
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
     DNS Servers . . . . . . . . . . . : ::1
  127.0.0.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ipconfig/all from the problematic computer:
  Wireless LAN adapter Wi-Fi:
     Connection-specific DNS Suffix 
  . : wp.comcast.net
     Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
     Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
  rred)
     Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
     Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
  10.1.10.1
     DHCP Server . . . . . . . . . . . : 10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 54535618
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
     DNS Servers . . . . . . . . . . . : 2001:558:feed::1
  2001:558:feed::2
                  10.1.10.42
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next.  Could a failing piece of hardware be the culprit? 
  Thanks,
   -JT

  Hi,
  According to the error you have posted.
  A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
  Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
  Netlogon 5719 and the Disappearing Domain [Controller]
  http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
  Did you refer to this KB article?
  Event ID 5719 is logged when you start a Domain Member
  http://support.microsoft.com/kb/938449
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Adding new domain controller under tree domain

  i have one forest root domain is ABC.com and one tree root domain under this forest is DEF.com ,
  i want to add a new domain controller under tree root domain in windows server 2008 r2? i need steps and DNS configuration on forest or domain level
  Thnx

  If you want to add an additional domain controller to a domain you should promote the new dc with the primary dns in the nic settings of the new dc pointing at the current dc and once promoted you should point the original ip address nic settings to
  the new dc.  I am making the assumption that you are using AD integrated DNS.
  http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Help with setting up active directory domain controller/DNS - need this for Clustering

  Disclaimer: I am new to Active Directory, so please dont rule out the obvious things I may have overlooked.
  I need to set up Active Directory Domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
  When I look at my server manager AD DS complain about DNS:
  NASE-2012-234    4015    Error    Microsoft-Windows-DNS-Server-Service    DNS Server    1/14/2014 12:54:06 AM
  The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
  When I click on DNS this is the error:
  The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
  Output of DCDiag -v is below.
  PS C:\Users\Administrator> dcdiag -v
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     * Verifying that the local machine NASE-2012-234, is a Directory Server.
     Home Server = NASE-2012-234
     * Connecting to directory service on server NASE-2012-234.
     * Identified AD Forest.
     Collecting AD specific global data
     * Collecting site info.
     Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=
  ntDSSiteSettings),.......
     The previous call succeeded
     Iterating through the sites
     Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nas
  e,DC=com
     Getting ISTG and options for the site
     * Identifying all servers.
     Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntD
  SDsa),.......
     The previous call succeeded....
     The previous call succeeded
     Iterating through the list of servers
     Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
  N=Configuration,DC=lab,DC=nase,DC=com
     objectGuid obtained
     InvocationID obtained
     dnsHostname obtained
     site info obtained
     All the info for the server collected
     * Identifying all NC cross-refs.
     * Found 1 DC(s). Testing 1 of them.
     Done gathering initial info.
  Doing initial required tests
     Testing server: Default-First-Site-Name\NASE-2012-234
        Starting test: Connectivity
           * Active Directory LDAP Services Check
           The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
           Check the DNS server, DHCP, server name, etc.
           Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
           ......................... NASE-2012-234 failed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\NASE-2012-234
        Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
        Test omitted by user request: Advertising
        Test omitted by user request: CheckSecurityError
        Test omitted by user request: CutoffServers
        Test omitted by user request: FrsEvent
        Test omitted by user request: DFSREvent
        Test omitted by user request: SysVolCheck
        Test omitted by user request: KccEvent
        Test omitted by user request: KnowsOfRoleHolders
        Test omitted by user request: MachineAccount
        Test omitted by user request: NCSecDesc
        Test omitted by user request: NetLogons
        Test omitted by user request: ObjectsReplicated
        Test omitted by user request: OutboundSecureChannels
        Test omitted by user request: Replications
        Test omitted by user request: RidManager
        Test omitted by user request: Services
        Test omitted by user request: SystemLog
        Test omitted by user request: Topology
        Test omitted by user request: VerifyEnterpriseReferences
        Test omitted by user request: VerifyReferences
        Test omitted by user request: VerifyReplicas
        Test omitted by user request: DNS
        Test omitted by user request: DNS
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : lab
        Starting test: CheckSDRefDom
           ......................... lab passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... lab passed test CrossRefValidation
     Running enterprise tests on : lab.nasecom
        Test omitted by user request: DNS
        Test omitted by user request: DNS
        Starting test: LocatorCheck
           GC Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           PDC Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           Time Server Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           KDC Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           ......................... lab.nase.com passed test LocatorCheck
        Starting test: Intersite
           Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
           provided.
           ......................... lab.nasecom passed test Intersite
  PS C:\Users\Administrator>

  http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions.  You might want to post your question there.
  .:|:.:|:. tim

• How to use DNS server for name resolution for items which don't exist in active directory domain controller DNS

  Dear Experts,
  In our office we have a domain controller call it 'Office.com', all computers and corporate servers e.g. exchange, antivirus etc. are member of this 'office.com', it is also having a DNS. All users in office have there preferred DNS set to the corporate
  DNS
  We are working for ministry and offering services to them from our data center so have many servers which are for ministry but they are in our data center. For all these servers we created another DNS server which contains all entries for these servers in
  forward and reverse lookup zones. In this DNS we also created a forward lookup zone for our corporate servers and zone name is 'office.com'
  What we are trying to have is name resolution of all servers which are listed in other DNS build in our office on Win 2008 R2 for ministry servers
  If the user change his preferred DNS to ministry DNS he can resolve the ministry server but then we can not control any thing through group policy since they are using other DNS and not the corporate DNS. 
  How this can be done ? like any group policy applied to corporate domain controller must take effect on users and in addition to this user must also be able to resolve server names in ministry project DNS
  Please assist ASAP.
  regards,

  Hello,
  ok so the GPO setting doesn't apply in any case.
  Clients machines use the first DNS server in the list of configured ones on the NIC. If that one is available search for additional DNS servers will stop.
  What i can not really understand is your description about the second DNS server. This should normally either another DC with AD integrated DNS, so everything is replicatedwithin AD replication or you use a secondary DNS on domain member server that pulls
  the informations from the Master.
  It sounds for me that you have configured a machine with DNS server role and created manually the zone with the same name as the domainand manually create there the required A records?
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• My New domain controller wont see the pdc

  hi, i have a windows 2003 pdc that is the only one on the network, previous IT people did not have a BDC or system back up. Now the current domain controller is giving trouble, i tried to install a secondary 2003 domain controller (BDC) but it dose not see
  the primary domain controller and it wants to be the pdc. The problem is how ever i want to keep all the previous user accounts and settings in the ad. I have tried using admt but it dose not recognise another dc how can i transfer all user info stored in
  the active directory. 
   

  Hi scipiotechadmin,
  Is the function level of your domain is Windows Server 2003? If so, you can use the Windows Server 2003 Active Directory Domain Rename Tools which can provide a security-enhanced and supported methodology to rename one or more domains (as well as application
  directory partitions) in a deployed Active Directory forest:
  Windows Server 2003 Active Directory Domain Rename Tools
  For your information, please refer to the following articles to get more help:
  What Is Domain Rename?
  How Domain Rename Works
  Regards,
  Lany Zhang

• DNS Host (A) Rec. is Static for new Domain Controller

  I was just questioned by my boss on why there are Static Host (A) records for Domain Controllers since I started and not before.  The only conclusion that I can come up with is that they are new Server 2008 R2 systems.  We are about to do an IP
  Renumber here at the Corporate Office and this is how it was found that there are these Host (A) records.
  Can someone explain to me why they are static and not dynamic now?  I would also like to be pointed to some documentation so that I can present it to her if possible?

  This is by design.
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/afd3c338-1706-4898-b269-550c018073c0/dns-entry-for-dc-not-dynamically-updating-server-2008-r2?forum=winserverDS
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/ed97a286-d884-43d6-87e2-5cd5e59cfe9a/windows-2008-r2-domain-controllers-and-static-dns-entries?forum=winserverNIS
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• Guest Anchor Controller DNS issues

  Hi,
  I have an anchor controller (4402) is running version 4.0.219.0 in our DMZ
  The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 ip addresses to clients.
  Change required (which were attemped).
  1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
  2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
  Problems
  The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
  The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
  Diagnosis
  It appears that only some client's dns requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up dns packets from an assiocated and connected client even when running dns queries manually from the wireless client.
  A reboot of the controller did not make any difference.
  Is there any throttling effect on dns queries which may have being implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
  Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
  We had to roll back the changes to the original configuration in order to bring the service back on-line.

  Hello Eoin
  Where is the external dhcp server ? in the same DMZ or on the inside network ? we have a /19 subnet allocated to the guests and I dont foresee any throttling on the dns queries.. The connectivity anyway till the anchor controller is on EoIP, and is just like the client connecting onto a local controller..
  laptops which had issues -> was the problem interim or its just that they are not able to get the web redirect page at all ?
  Check the release notes for any bugs on this software:
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn402190.html#wp170104
  Raj

• Best practise to add new domain controller 2008r2 and de-promote 2003 x86

  Depending on the size of the environment and the complexity determines where the roles should be held.The PDCe role should be held on a machine that has the better hardware. It will resolve any password conflicts and account lockouts. It also keeps the time clocks synchronized across the domain.The other roles are responsible for kind of basic housekeeping across the domain and forest. Such as the Domain Naming master it is responsible for name changes across the domain.The Schema Master which is responsible for updates to the directory and the RID master which issues pools of IDs for DCs to issue for new users or computers.The infrastructure master is responsible for keeping multiple domains and forests in sync. The infrastructure master does not do a lot in a single forest single domain environment and can be placed on any DC....

  Also if you are upgrading why not go right to 2012. 
  Might save a few years on having to upgrade again.
  Here is a great guide from MS
  http://community.spiceworks.com/how_to/57636-migrate-active-directory-from-server-2003-to-server-201...
  

• Redundant domain controller DNS settings

  Hi guys,
  We have two domain controllers, both DNS and GC. I am curious as to what the recommended IP DNS settings should be for both DCs? I think it is like this...
  DC1
  DNS1 - DC2
  DNS2 - DC1
  DC2
  DNS1 - DC1
  DNS2 - DC2
  Is this the right setup?
  Thanks
  Aaron

  Is this the right setup?
  Yes it is correct. I would go with 127.0.0.1 for 'Alternate DNS server'.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• NEW Domain Controller to Replace Old One

  After you demote the physical machine, but before you change the new machine , make sure to carefully go through all your DNS zones and delete the references to the IP and Host Name of the demoted machine.  I found that demoting DCs doesn't do a good job of cleaning out DNS.

  I'm building a new DC for my network and have a couple of questions.
  I currently have 2 DCs, one is a VM (DC1 also FSMO) and the other a physical box (DC2). DC2 is on aging equipment and needs replacing so my plan was to build a new box and create a new DC, but I want to put the IP address from DC2 on the new DC (DC3) so I don't have to change the DNS config on all of my client PCs.
  How would you go about this? - I'm thinking, get DC3 up and running (fully configured as a DC) then demote DC2 and decommission it, then change the IP of DC3 to the address that was used by DC2.
  It seems a little too easy and I feel like I'm missing something so I thought I'd ask the Spice Heads :)
  Thanks
  This topic first appeared in the Spiceworks Community