When a Windows Server 2003 machine is promoted to a domain controller, a number of special Domain Name System (DNS) entries are written to that machine's DNS server (usually Microsoft's own DNS server, though a third-party server can also be used). These entries include the domain controller's globally unique identifier (GUID), so that Active Directory can locate the domain controller in DNS by its GUID rather than by host name.
If an admin mistakenly promotes a computer to domain controller without first installing and configuring DNS, then AD's DNS entries won't be written correctly. When these special entries are missing, tests such as the command-line tool dcdiag will fail on simple connectivity tests against the DNS server. The error message usually looks something like this:
's server GUID DNS name could not be resolved to an IP address. Check items such as the DNS server, DHCP and server name. Although the GUID DNS name (<guid>._msdcs.domain-name.local) couldn't be resolved, the server name (<server-name.domain-name.local>) resolved to the IP address (<server/DNS ip>) and was pingable. Check that the IP address is registered correctly with the DNS server.

Obviously, a problem like this is going to cripple AD functionality, so here's how to fix it:

1. Make sure the system's TCP/IP settings are correctly configured to support a local DNS server:
   - Open My Network Places | Local Area Connection (or whichever network connection is being used) | Internet Protocol (TCP/IP) | Properties | Advanced | DNS.
   - Set the first DNS server to be the local computer, either the machine's own network address or 127.0.0.1 (the loopback address).
   - Select "Append primary and connection-specific DNS suffixes" as well as "Append parent suffixes of the primary DNS suffix."
   - Select "Register this connection's address in DNS." Click OK to close.
2. At a command prompt, type ipconfig /flushdns, then ipconfig /registerdns, to flush the DNS resolver cache and register the DNS resource records, respectively.
3. Open the DNS Management Console and look for a host (A) record for the computer name, a Start of Authority (SOA) record and a Name Server (NS) record.
4. In Forward Lookup Zones, right-click and open the Properties for the Active Directory domain's DNS zone (usually listed as your domain name).
5. Select "Active Directory-integrated" for the zone type and "Secure Only" for the dynamic updates type. Click OK to close.
6. At a command prompt, type netdiag /fix, then net stop netlogon and net start netlogon, to finalize the changes.
7. Run dcdiag one more time to make sure the domain controller's DNS is working.

Serdar Yegulalp is editor of the Windows Power Users Newsletter (http://www.thegline.com/win2k/). Check it out for the latest advice and musings on the world of Windows network administrators, and please share your thoughts as well!
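The following script is an added example, not part of the original tip, that automates the check behind steps 3 and 7: it queries the domain controller's own DNS server for the four records dcdiag depends on, the host (A) record, the GUID CNAME named in the error message (<DSA GUID>._msdcs.<forest root>), and the zone's SOA and NS records. It assumes a Windows Server 2012 or later host with the ActiveDirectory and DnsClient PowerShell modules installed (RSAT); those cmdlets did not exist on Windows Server 2003, where nslookup is the equivalent by hand.

```powershell
# Added verification script (not from the original tip). Assumes the ActiveDirectory
# and DnsClient modules are available; parameter names below are this script's own.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [string]$DnsServer = '127.0.0.1'   # query the DC's own DNS server, as the tip configures
)

Import-Module ActiveDirectory -ErrorAction Stop

# Gather what dcdiag needs: the DC's host name, its domain and forest, and the
# objectGUID of its NTDS Settings object, which is the label of the _msdcs CNAME.
$dc       = Get-ADDomainController -Identity $DomainController
$ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
$guidName = "$($ntds.ObjectGUID)._msdcs.$($dc.Forest)"

# One record lookup; returns a result object instead of throwing so every check runs.
# -DnsOnly bypasses the local cache and hosts file so we see what the server really holds.
function Test-DcRecord {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq $Type }
        $data = switch ($Type) {
            'A'     { $answer.IPAddress }
            'CNAME' { $answer.NameHost }
            'NS'    { $answer.NameHost }
            'SOA'   { $answer.PrimaryServer }
        }
        [pscustomobject]@{ Check = "$Type $Name"; Found = [bool]$answer; Data = ($data -join ', ') }
    } catch {
        [pscustomobject]@{ Check = "$Type $Name"; Found = $false; Data = $_.Exception.Message }
    }
}

$results = @(
    Test-DcRecord -Name $dc.HostName -Type 'A'     -Server $DnsServer   # host record dcdiag pings
    Test-DcRecord -Name $guidName    -Type 'CNAME' -Server $DnsServer   # the GUID name from the error
    Test-DcRecord -Name $dc.Domain   -Type 'SOA'   -Server $DnsServer   # zone is served here
    Test-DcRecord -Name $dc.Domain   -Type 'NS'    -Server $DnsServer   # this DC should be listed
)
$results | Format-Table -AutoSize

# The NS answer should name this DC; a zone that omits it is not fully registered.
$nsRecord = $results | Where-Object { $_.Check -eq "NS $($dc.Domain)" }
if ($nsRecord.Found -and $nsRecord.Data -notmatch [regex]::Escape($dc.HostName)) {
    Write-Warning "$($dc.HostName) is not listed as a name server for $($dc.Domain)"
}

if ($results | Where-Object { -not $_.Found }) {
    Write-Warning 'One or more records are missing; apply the steps above, then rerun dcdiag.'
    exit 1
}
```

Run it on the domain controller after step 6; a missing CNAME row corresponds exactly to the "server GUID DNS name could not be resolved" message, while a missing A row means ipconfig /registerdns did not take effect and the TCP/IP settings from step 1 should be rechecked. The "Secure Only" setting in step 5 is what keeps these records trustworthy once they exist: it limits dynamic updates to authenticated domain members, so an unauthenticated host on the network cannot register or overwrite the domain controller's own records.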