Computer 'promotion' needn't mean AD problems
Serdar Yegulalp, Contributor
When a Windows 2003 Server is converted to a domain controller, a number of special Domain Name
System (DNS) entries are written to that machine's DNS server (which is usually Microsoft's own DNS
server, but a third-party server can also be used). These entries include information about the
domain's globally unique identifier (GUID), so that Active Directory can query DNS through the GUID
address.
If an admin mistakenly promotes a computer to the status of domain controller without first
installing and configuring DNS, then AD's DNS entries won't be written correctly. And when these
special entries are missing, tests like the command-line dcdiag will fail on simple
connectivity tests with the DNS server. The error message usually looks something like this:
's server GUID DNS name could not be resolved to an IP address. Check items such as the
DNS server, DHCP and server name. Although the GUID DNS name
(<guid>._msdcs.domain-name.local) couldn't be resolved, the server name
(<server-name.domain-name.local>) resolved to the IP address (<server/DNS ip>) and was
pingable. Check that the IP address is registered correctly with the DNS server.

Obviously, a problem like this is going to cripple AD functionality, so here's how to fix it:

1. Make sure the system's TCP/IP settings are correctly configured to support a local DNS server:
2. Open My Network Places | Local Area Connection (or whichever network connection is being used) | Internet Protocol (TCP/IP) | Properties | Advanced | DNS.
3. Set the first DNS server to be the local computer -- either the machine's own network address or 127.0.0.1 (the loopback address).
4. Select "Append primary and connection-specific DNS suffixes" as well as "Append parent suffixes of the primary DNS suffix."
5. Select "Register this connection's address in DNS." Click OK to close.
6. At a command prompt, type ipconfig /flushdns, then ipconfig /registerdns to flush out the DNS resolver cache and register the DNS resource records, respectively.
7. Open the DNS Management Console and look for a host (A) record for the computer name, a Start of Authority (SOA) record and a Name Server (NS) record.
8. In Forward Lookup Zones, right-click and get the Properties for the Active Directory domain's DNS zone (usually listed as your domain name).
9. Select "Active Directory-integrated" for the zone type and "Secure Only" for the dynamic updates type. Click OK to close.
10. At a command prompt, type netdiag /fix, then net stop netlogon and net start netlogon to finalize the changes.
11. Run dcdiag one more time to make sure the domain controller's DNS is working.

Serdar Yegulalp is editor of the Windows Power Users Newsletter (http://www.thegline.com/win2k/). Check it out for
the latest advice and musings on the world of Windows network administrators -- and please share
your thoughts as well!
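
A way to confirm the fix in the steps above before rerunning dcdiag, as an added example that is not part of the original tip: this batch file asks the local DNS server for the host (A) record, the GUID name from the dcdiag error message and, going slightly beyond the tip, the domain controller locator SRV record. DOMAIN, DCNAME and GUIDNAME are placeholders to replace with your own values.

```batch
@echo off
rem Added example: verify the DNS records a domain controller depends on.
rem DOMAIN, DCNAME and the GUID in GUIDNAME are placeholders (assumptions).
rem Copy the real <guid>._msdcs name from the dcdiag error message.
setlocal
set DOMAIN=domain-name.local
set DCNAME=server-name
set GUIDNAME=00000000-0000-0000-0000-000000000000._msdcs.%DOMAIN%
rem Query the local DNS server directly, as configured in step 3.
set DNSSERVER=127.0.0.1
set FAILED=0

rem Host record checked in step 7.
call :check A "%DCNAME%.%DOMAIN%" "Name:"
rem AD registers the GUID name as an alias (CNAME) for the DC's host name.
call :check CNAME "%GUIDNAME%" "canonical name"
rem Locator record clients use to find a domain controller for the domain.
call :check SRV "_ldap._tcp.dc._msdcs.%DOMAIN%" "svr hostname"

if %FAILED%==0 (
    echo All records resolve; running the dcdiag connectivity test.
    dcdiag /test:connectivity
) else (
    echo Records are missing; repeat steps 6 and 10 before rerunning dcdiag.
)
endlocal & exit /b %FAILED%

:check
rem %1 = record type, %2 = name to query, %3 = text nslookup prints on success.
rem The trailing dot makes nslookup query the name as given, without suffixes.
nslookup -type=%1 %~2. %DNSSERVER% 2>&1 | findstr /i /c:%3 >nul
if errorlevel 1 (
    echo [MISSING] %1 %~2
    set FAILED=1
) else (
    echo [OK]      %1 %~2
)
goto :eof
```

A [MISSING] line for the CNAME while the A record is [OK] matches the dcdiag error quoted above: the host name resolves but the GUID name does not.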
This was first published in August 2005