Cannot find a primary authoritative DNS server

  • Thread starter Thread starter Joel Finkel
  • Start date Start date
J

Joel Finkel

I have a small LAN. It has a single Windows 2000 Server, which is set up as a PDC, DNS server, DHCP server, and the gateway to the internet. I have several internal workstations.

The domain name is SDI_DOMAIN. This is an internal name only.

The PDC is, unfortunately, named SDI_SERVER_1.

In order to remove the underscores from the server name of a Windows 2000 PDC, one has to demote it. To save the AD settings, I need to establish a BDC. After installing Windows 2000 Server on a new machine, I attempted to promote it, but it could not successfully attach to the PDC.

This led me investigate the DNS on the PDC.


--------------------------------------------------------------------------------
I am unable to resolve the following error:

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN' valid only on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
[WARNING] Cannot find a primary authoritative DNS server for the name
'SDI_SERVER_1.SDI_DOMAIN.'. [RCODE_SERVER_FAILURE]
The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be registered in DNS.
[FATAL] File \config\netlogon.dns contains invalid DNS entries. [FATAL] File \config\netlogon.dns contains invalid DNS entries. [WARNING] The DNS entries for this DC cannot be verified right now on DNS server 216.231.41.2, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.


--------------------------------------------------------------------------------


This is the log from net config rdr:

Computer name \\SDI_SERVER_1
Full Computer name SDI_SERVER_1.SDI_DOMAIN
User name Administrator

Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B} (00A0CC62262A)

Software version Windows 2000

Workstation domain SDI_DOMAIN
Workstation Domain DNS Name sdi_domain
Logon domain SDI_DOMAIN

COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
The command completed successfully.

--------------------------------------------------------------------------------


All application level protocols work fine. I can ping every machine from every machine.

The PDC has an IP of 192.168.0.1

On its NIC, I have set up TCP/IP:
- it uses the DNS server at 192.168.0.1
- it appends primary and connection specific DNS suffixes
- it appends parent suffixes of the primary DNS suffix
- it has no list of additional DNS suffixes
- it registers this connection's address in DNS

DNS is configured:
- the only Forward Lookup Zone is "sdi_domain"
- NS Record: "sdi_server_1.sdi_domain."
- A records: one for each node in the network (192.168.0.1 - 192.168.0.5)

- there is only one AD-integrated Reverse Lookup Zone
- I had to add the nodes manually, the pointer records did not propagate.
I understand that this may be a known bug.
It may, however, be associated with my problem.


--------------------------------------------------------------------------------


I tried to run DcDiag.exe, but it gave me an error: "Entry point DSIsMangledDnW could not be located in dynamic link library NTDSAPI.dll"

My head hurts, and my wall has a fairly large hole in it. I am hoping someone can assist me in solving this issue.

Thanks in advance for all suggestions.

-Joel Finkel
(e-mail address removed)
 
In
posted their thoughts said:
I have a small LAN. It has a single Windows 2000 Server, which is
set up as a PDC, DNS server, DHCP server, and the gateway to the
internet. I have several internal workstations.

The domain name is SDI_DOMAIN. This is an internal name only.

The PDC is, unfortunately, named SDI_SERVER_1.

In order to remove the underscores from the server name of a Windows
2000 PDC, one has to demote it. To save the AD settings, I need to
establish a BDC. After installing Windows 2000 Server on a new
machine, I attempted to promote it, but it could not successfully
attach to the PDC.

This led me investigate the DNS on the PDC.



I am unable to resolve the following error:

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN' valid only
on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
[WARNING] Cannot find a primary authoritative DNS server
for the name
'SDI_SERVER_1.SDI_DOMAIN.'. [RCODE_SERVER_FAILURE]
The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be registered
in DNS.
[FATAL] File \config\netlogon.dns contains invalid DNS
entries. [FATAL] File \config\netlogon.dns contains invalid DNS
entries. [WARNING] The DNS entries for this DC cannot be
verified right now on DNS server 216.231.41.2, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC
registered.





This is the log from net config rdr:

Computer name \\SDI_SERVER_1
Full Computer name SDI_SERVER_1.SDI_DOMAIN
User name Administrator

Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B} (00A0CC62262A)

Software version Windows 2000

Workstation domain SDI_DOMAIN
Workstation Domain DNS Name sdi_domain
Logon domain SDI_DOMAIN

COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
The command completed successfully.




All application level protocols work fine. I can ping every machine
from every machine.

The PDC has an IP of 192.168.0.1

On its NIC, I have set up TCP/IP:
- it uses the DNS server at 192.168.0.1
- it appends primary and connection specific DNS suffixes
- it appends parent suffixes of the primary DNS suffix
- it has no list of additional DNS suffixes
- it registers this connection's address in DNS

DNS is configured:
- the only Forward Lookup Zone is "sdi_domain"
- NS Record: "sdi_server_1.sdi_domain."
- A records: one for each node in the network (192.168.0.1 -
192.168.0.5)

- there is only one AD-integrated Reverse Lookup Zone
- I had to add the nodes manually, the pointer records did
not propagate.
I understand that this may be a known bug.
It may, however, be associated with my problem.





I tried to run DcDiag.exe, but it gave me an error: "Entry point
DSIsMangledDnW could not be located in dynamic link library
NTDSAPI.dll"

My head hurts, and my wall has a fairly large hole in it. I am
hoping someone can assist me in solving this issue.

Thanks in advance for all suggestions.

-Joel Finkel
(e-mail address removed)
Click to expand...

There are two issues here Joel, one minor, one major.

First, the minor issue.
The nslookup error is benign. All it's doing is trying to tell you what the
name of the DNS server it's using is. That's it. Otherwise, it still works
with subsequent commands. The way it finds it, is it looks in your reverse
zone (based on your subnet) that you have created, looks up the IP, and
tells you what the name is. That's it. Now if you don;t have a reverse zone,
or if you do have a reverse zone, but you don't have a PTR entry for the DNS
address, then the error.

Second, the major issue.
You have a single label domain name, on top of which you have underscores.
The domain name: SDI_DOMAIN is of invalid DNS format.
It should be something to the effect of:
sdi-domain.com
sdi-domain.net
sdi-domain.corp
sdi-domain.joel
etc...

Hence all the errors.

So there's a double bubble going on.

Theres is a reg entry you can implement to overcome the single label name.
It's nmore of a "bandaid". Not recommended. Actually recommended to fix it
somehow first. Unfortunately, if the AD name is SDI_DOMAIN, and not of the
proper form, then it's a tough one. If the actual AD domain name was of
proper form, I have a script that can fix it, but since AD is single label
named, it doesn't look good.

To remove the underscore, renaming the machine name is almost impossible
too.

Tell you what, if your domain is still in mixed mode, and if you still have
any NT4 BDCs around or a machine that you can install an NT4 BDC into the AD
domain, then we can make this work. We can use that for a swing
operation/migration as to not lose your user accounts.

Install the BDC, dump the W2k box flat out.
Promote the BDC to a PDC.
Install NT4 on the original w2k box,
Promote that to a PDC,
Properly set the DNS suffix first. That's done in NT4's TCP/IP properties.
This domain name will be transformed into the Primary DNS Suffix. Make sure
the name is a proper DNS domain name, as mentioned above.
Then upgrade it to W2k. When DCPROMO runs during the upgrade, choose the
proper domain name that you set above.

Ok, here's a link that explains this swing method:

Q292541 - How to Rename the DNS name of a Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541

If you want the bandaid for the single label name, here;s the link.

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names:
http://support.microsoft.com/?id=300684

BUT this ain't going to help the underscores and you're faced with trying
the method I outlined and that artcile 292541 outlines.

Sorry to be the bear of bad news...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace,

Thanks. This is quite hilarious. Fortunately, I have a very small set of
logins. In addition, the server does not have an inordinate number of
applications that I would have to reinstall if I simply started over.

Could you please explain the ramifications of simply installing a fresh
Windows 2003 Server, setting it up properly to begin with. What do I have
to do to my XP Pro workstation, for example, "sdi-work-1," which is a member
of the current domain? Do I remove it from the domain before I rebuild the
server?

BTW, I am running in mixed mode, so I could execute this little (or not so
little) trick. But this is actually an NT3.4 -> NT4.0 -> Windows 2000 OS.
It's probably time I rebuilt it all, anyway.

Thanks for you help!

/Joel
(e-mail address removed)


Ace Fekay said:
In
posted their thoughts said:
I have a small LAN. It has a single Windows 2000 Server, which is
set up as a PDC, DNS server, DHCP server, and the gateway to the
internet. I have several internal workstations.

The domain name is SDI_DOMAIN. This is an internal name only.

The PDC is, unfortunately, named SDI_SERVER_1.

In order to remove the underscores from the server name of a Windows
2000 PDC, one has to demote it. To save the AD settings, I need to
establish a BDC. After installing Windows 2000 Server on a new
machine, I attempted to promote it, but it could not successfully
attach to the PDC.

This led me investigate the DNS on the PDC.



I am unable to resolve the following error:

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN' valid only
on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
[WARNING] Cannot find a primary authoritative DNS server
for the name
'SDI_SERVER_1.SDI_DOMAIN.'. [RCODE_SERVER_FAILURE]
The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be registered
in DNS.
[FATAL] File \config\netlogon.dns contains invalid DNS
entries. [FATAL] File \config\netlogon.dns contains invalid DNS
entries. [WARNING] The DNS entries for this DC cannot be
verified right now on DNS server 216.231.41.2, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC
registered.





This is the log from net config rdr:

Computer name \\SDI_SERVER_1
Full Computer name SDI_SERVER_1.SDI_DOMAIN
User name Administrator

Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B} (00A0CC62262A)

Software version Windows 2000

Workstation domain SDI_DOMAIN
Workstation Domain DNS Name sdi_domain
Logon domain SDI_DOMAIN

COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
The command completed successfully.




All application level protocols work fine. I can ping every machine
from every machine.

The PDC has an IP of 192.168.0.1

On its NIC, I have set up TCP/IP:
- it uses the DNS server at 192.168.0.1
- it appends primary and connection specific DNS suffixes
- it appends parent suffixes of the primary DNS suffix
- it has no list of additional DNS suffixes
- it registers this connection's address in DNS

DNS is configured:
- the only Forward Lookup Zone is "sdi_domain"
- NS Record: "sdi_server_1.sdi_domain."
- A records: one for each node in the network (192.168.0.1 -
192.168.0.5)

- there is only one AD-integrated Reverse Lookup Zone
- I had to add the nodes manually, the pointer records did
not propagate.
I understand that this may be a known bug.
It may, however, be associated with my problem.





I tried to run DcDiag.exe, but it gave me an error: "Entry point
DSIsMangledDnW could not be located in dynamic link library
NTDSAPI.dll"

My head hurts, and my wall has a fairly large hole in it. I am
hoping someone can assist me in solving this issue.

Thanks in advance for all suggestions.

-Joel Finkel
(e-mail address removed)
Click to expand...

There are two issues here Joel, one minor, one major.

First, the minor issue.
The nslookup error is benign. All it's doing is trying to tell you what the
name of the DNS server it's using is. That's it. Otherwise, it still works
with subsequent commands. The way it finds it, is it looks in your reverse
zone (based on your subnet) that you have created, looks up the IP, and
tells you what the name is. That's it. Now if you don;t have a reverse zone,
or if you do have a reverse zone, but you don't have a PTR entry for the DNS
address, then the error.

Second, the major issue.
You have a single label domain name, on top of which you have underscores.
The domain name: SDI_DOMAIN is of invalid DNS format.
It should be something to the effect of:
sdi-domain.com
sdi-domain.net
sdi-domain.corp
sdi-domain.joel
etc...

Hence all the errors.

So there's a double bubble going on.

Theres is a reg entry you can implement to overcome the single label name.
It's nmore of a "bandaid". Not recommended. Actually recommended to fix it
somehow first. Unfortunately, if the AD name is SDI_DOMAIN, and not of the
proper form, then it's a tough one. If the actual AD domain name was of
proper form, I have a script that can fix it, but since AD is single label
named, it doesn't look good.

To remove the underscore, renaming the machine name is almost impossible
too.

Tell you what, if your domain is still in mixed mode, and if you still have
any NT4 BDCs around or a machine that you can install an NT4 BDC into the AD
domain, then we can make this work. We can use that for a swing
operation/migration as to not lose your user accounts.

Install the BDC, dump the W2k box flat out.
Promote the BDC to a PDC.
Install NT4 on the original w2k box,
Promote that to a PDC,
Properly set the DNS suffix first. That's done in NT4's TCP/IP properties.
This domain name will be transformed into the Primary DNS Suffix. Make sure
the name is a proper DNS domain name, as mentioned above.
Then upgrade it to W2k. When DCPROMO runs during the upgrade, choose the
proper domain name that you set above.

Ok, here's a link that explains this swing method:

Q292541 - How to Rename the DNS name of a Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541

If you want the bandaid for the single label name, here;s the link.

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names:
http://support.microsoft.com/?id=300684

BUT this ain't going to help the underscores and you're faced with trying
the method I outlined and that artcile 292541 outlines.

Sorry to be the bear of bad news...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Click to expand...
 
In
posted their thoughts said:
Ace,

Thanks. This is quite hilarious. Fortunately, I have a very small
set of logins. In addition, the server does not have an inordinate
number of applications that I would have to reinstall if I simply
started over.

Could you please explain the ramifications of simply installing a
fresh Windows 2003 Server, setting it up properly to begin with.
What do I have to do to my XP Pro workstation, for example,
"sdi-work-1," which is a member of the current domain? Do I remove
it from the domain before I rebuild the server?

BTW, I am running in mixed mode, so I could execute this little (or
not so little) trick. But this is actually an NT3.4 -> NT4.0 ->
Windows 2000 OS. It's probably time I rebuilt it all, anyway.

Thanks for you help!

/Joel
(e-mail address removed)


"Ace Fekay [MVP]"
In
posted their thoughts said:
I have a small LAN. It has a single Windows 2000 Server, which is
set up as a PDC, DNS server, DHCP server, and the gateway to the
internet. I have several internal workstations.

The domain name is SDI_DOMAIN. This is an internal name only.

The PDC is, unfortunately, named SDI_SERVER_1.

In order to remove the underscores from the server name of a Windows
2000 PDC, one has to demote it. To save the AD settings, I need to
establish a BDC. After installing Windows 2000 Server on a new
machine, I attempted to promote it, but it could not successfully
attach to the PDC.

This led me investigate the DNS on the PDC.



I am unable to resolve the following error:

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN' valid only
on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
[WARNING] Cannot find a primary authoritative DNS server
for the name
'SDI_SERVER_1.SDI_DOMAIN.'. [RCODE_SERVER_FAILURE]
The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be
registered in DNS.
[FATAL] File \config\netlogon.dns contains invalid DNS
entries. [FATAL] File \config\netlogon.dns contains invalid
DNS entries. [WARNING] The DNS entries for this DC cannot be
verified right now on DNS server 216.231.41.2, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC
registered.





This is the log from net config rdr:

Computer name \\SDI_SERVER_1
Full Computer name SDI_SERVER_1.SDI_DOMAIN
User name Administrator

Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B} (00A0CC62262A)

Software version Windows 2000

Workstation domain SDI_DOMAIN
Workstation Domain DNS Name sdi_domain
Logon domain SDI_DOMAIN

COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
The command completed successfully.




All application level protocols work fine. I can ping every machine
from every machine.

The PDC has an IP of 192.168.0.1

On its NIC, I have set up TCP/IP:
- it uses the DNS server at 192.168.0.1
- it appends primary and connection specific DNS suffixes
- it appends parent suffixes of the primary DNS suffix
- it has no list of additional DNS suffixes
- it registers this connection's address in DNS

DNS is configured:
- the only Forward Lookup Zone is "sdi_domain"
- NS Record: "sdi_server_1.sdi_domain."
- A records: one for each node in the network (192.168.0.1 -
192.168.0.5)

- there is only one AD-integrated Reverse Lookup Zone
- I had to add the nodes manually, the pointer records did
not propagate.
I understand that this may be a known bug.
It may, however, be associated with my problem.





I tried to run DcDiag.exe, but it gave me an error: "Entry point
DSIsMangledDnW could not be located in dynamic link library
NTDSAPI.dll"

My head hurts, and my wall has a fairly large hole in it. I am
hoping someone can assist me in solving this issue.

Thanks in advance for all suggestions.

-Joel Finkel
(e-mail address removed)
Click to expand...

There are two issues here Joel, one minor, one major.

First, the minor issue.
The nslookup error is benign. All it's doing is trying to tell you
what the name of the DNS server it's using is. That's it. Otherwise,
it still works with subsequent commands. The way it finds it, is it
looks in your reverse zone (based on your subnet) that you have
created, looks up the IP, and tells you what the name is. That's it.
Now if you don;t have a reverse zone, or if you do have a reverse
zone, but you don't have a PTR entry for the DNS address, then the
error.

Second, the major issue.
You have a single label domain name, on top of which you have
underscores. The domain name: SDI_DOMAIN is of invalid DNS format.
It should be something to the effect of:
sdi-domain.com
sdi-domain.net
sdi-domain.corp
sdi-domain.joel
etc...

Hence all the errors.

So there's a double bubble going on.

Theres is a reg entry you can implement to overcome the single label
name. It's nmore of a "bandaid". Not recommended. Actually
recommended to fix it somehow first. Unfortunately, if the AD name
is SDI_DOMAIN, and not of the proper form, then it's a tough one. If
the actual AD domain name was of proper form, I have a script that
can fix it, but since AD is single label named, it doesn't look good.

To remove the underscore, renaming the machine name is almost
impossible too.

Tell you what, if your domain is still in mixed mode, and if you
still have any NT4 BDCs around or a machine that you can install an
NT4 BDC into the AD domain, then we can make this work. We can use
that for a swing operation/migration as to not lose your user
accounts.

Install the BDC, dump the W2k box flat out.
Promote the BDC to a PDC.
Install NT4 on the original w2k box,
Promote that to a PDC,
Properly set the DNS suffix first. That's done in NT4's TCP/IP
properties. This domain name will be transformed into the Primary
DNS Suffix. Make sure the name is a proper DNS domain name, as
mentioned above.
Then upgrade it to W2k. When DCPROMO runs during the upgrade, choose
the proper domain name that you set above.

Ok, here's a link that explains this swing method:

Q292541 - How to Rename the DNS name of a Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541

If you want the bandaid for the single label name, here;s the link.

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names:
http://support.microsoft.com/?id=300684

BUT this ain't going to help the underscores and you're faced with
trying the method I outlined and that artcile 292541 outlines.

Sorry to be the bear of bad news...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Click to expand...
Click to expand...

HI Joel,

Sure, if it doesn't matter to you, go ahead and start from scratch. Yes, any
workstations would need to be removed and re-joined to the new domain if you
were to start from scratch.

Those links that Vivien gave you should also be helpful.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Vivien,

Thank you for the very helpful resources. What is your opinion of the
following short-term strategy:

1) Remove all workstations from the domain "SDI_DOMAIN"
2) Demote my Windows 2000 Server from a PDC
3) Uninstall DNS
4) Rename the domain to "SD-IL.CORP"
5) Install DNS and re-configure it
6) Promote the Windows 2000 Server to a PDC
7) Recreate my main user login
8) Rejoin workstations to domain "SD-IL.CORP"

Thanks again.

/Joel



Vivien Wu said:
Hello,

If you would like to build up a fresh Windows Server 2003 system, please
refer to the articles below.

816584 HOW TO: Set Up the Domain Name System for Active Directory in Windows
http://support.microsoft.com/?id=816584

324753 HOW TO: Create an Active Directory Server in Windows Server 2003
http://support.microsoft.com/?id=324753

816106 How to Verify an Active Directory Installation in Windows Server 2003
http://support.microsoft.com/?id=816106

Active Directory Migration tool (ADMT) can be used to migrate users,
groups, and computers.

For more information about ADMT, visit the following Microsoft Web site:

Active Directory Migration Tool Overview
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adm
t.asp

326480 How to Use Active Directory Migration Tool Version 2 to Migrate from
http://support.microsoft.com/?id=326480

Thanks.

--------------------
| From: "Joel Finkel" <[email protected]>
| Subject: Re: Cannot find a primary authoritative DNS server
| Date: Tue, 5 Aug 2003 01:00:14 -0500
| Newsgroups: microsoft.public.win2000.dns

| Ace,
|
| Thanks. This is quite hilarious. Fortunately, I have a very small set of
| logins. In addition, the server does not have an inordinate number of
| applications that I would have to reinstall if I simply started over.
|
| Could you please explain the ramifications of simply installing a fresh
| Windows 2003 Server, setting it up properly to begin with. What do I
have
| to do to my XP Pro workstation, for example, "sdi-work-1," which is a
member
| of the current domain? Do I remove it from the domain before I rebuild
the
| server?
|
| BTW, I am running in mixed mode, so I could execute this little (or not so
| little) trick. But this is actually an NT3.4 -> NT4.0 -> Windows 2000 OS.
| It's probably time I rebuilt it all, anyway.
|
| Thanks for you help!
|
| /Joel
| (e-mail address removed)
|
|
| "Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&[email protected]>
| wrote in message | > In | > Joel Finkel <[email protected]>, posted their thoughts, then I offered my
| > thoughts down below:
| > > I have a small LAN. It has a single Windows 2000 Server, which is
| > > set up as a PDC, DNS server, DHCP server, and the gateway to the
| > > internet. I have several internal workstations.
| > >
| > > The domain name is SDI_DOMAIN. This is an internal name only.
| > >
| > > The PDC is, unfortunately, named SDI_SERVER_1.
| > >
| > > In order to remove the underscores from the server name of a Windows
| > > 2000 PDC, one has to demote it. To save the AD settings, I need to
| > > establish a BDC. After installing Windows 2000 Server on a new
| > > machine, I attempted to promote it, but it could not successfully
| > > attach to the PDC.
| > >
| > > This led me investigate the DNS on the PDC.
| > >
| > >
| > >
| > > I am unable to resolve the following error:
| > >
| > > DNS test . . . . . . . . . . . . . : Failed
| > > [WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN' valid only
| > > on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
| > > [WARNING] Cannot find a primary authoritative DNS server
| > > for the name
| > > 'SDI_SERVER_1.SDI_DOMAIN.'. [RCODE_SERVER_FAILURE]
| > > The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be registered
| > > in DNS.
| > > [FATAL] File \config\netlogon.dns contains invalid DNS
| > > entries. [FATAL] File \config\netlogon.dns contains invalid DNS
| > > entries. [WARNING] The DNS entries for this DC cannot be
| > > verified right now on DNS server 216.231.41.2, ERROR_TIMEOUT.
| > > [FATAL] No DNS servers have the DNS records for this DC
| > > registered.
| > >
| > >
| > >
| > >
| > >
| > > This is the log from net config rdr:
| > >
| > > Computer name \\SDI_SERVER_1
| > > Full Computer name SDI_SERVER_1.SDI_DOMAIN
| > > User name Administrator
| > >
| > > Workstation active on
| > > NetbiosSmb (000000000000)
| > > NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B} (00A0CC62262A)
| > >
| > > Software version Windows 2000
| > >
| > > Workstation domain SDI_DOMAIN
| > > Workstation Domain DNS Name sdi_domain
| > > Logon domain SDI_DOMAIN
| > >
| > > COM Open Timeout (sec) 0
| > > COM Send Count (byte) 16
| > > COM Send Timeout (msec) 250
| > > The command completed successfully.
| > >
| > >
| > >
| > >
| > > All application level protocols work fine. I can ping every machine
| > > from every machine.
| > >
| > > The PDC has an IP of 192.168.0.1
| > >
| > > On its NIC, I have set up TCP/IP:
| > > - it uses the DNS server at 192.168.0.1
| > > - it appends primary and connection specific DNS suffixes
| > > - it appends parent suffixes of the primary DNS suffix
| > > - it has no list of additional DNS suffixes
| > > - it registers this connection's address in DNS
| > >
| > > DNS is configured:
| > > - the only Forward Lookup Zone is "sdi_domain"
| > > - NS Record: "sdi_server_1.sdi_domain."
| > > - A records: one for each node in the network (192.168.0.1 -
| > > 192.168.0.5)
| > >
| > > - there is only one AD-integrated Reverse Lookup Zone
| > > - I had to add the nodes manually, the pointer records did
| > > not propagate.
| > > I understand that this may be a known bug.
| > > It may, however, be associated with my problem.
| > >
| > >
| > >
| > >
| > >
| > > I tried to run DcDiag.exe, but it gave me an error: "Entry point
| > > DSIsMangledDnW could not be located in dynamic link library
| > > NTDSAPI.dll"
| > >
| > > My head hurts, and my wall has a fairly large hole in it. I am
| > > hoping someone can assist me in solving this issue.
| > >
| > > Thanks in advance for all suggestions.
| > >
| > > -Joel Finkel
| > > (e-mail address removed)
| >
| > There are two issues here Joel, one minor, one major.
| >
| > First, the minor issue.
| > The nslookup error is benign. All it's doing is trying to tell you what
| the
| > name of the DNS server it's using is. That's it. Otherwise, it still
works
| > with subsequent commands. The way it finds it, is it looks in your
reverse
| > zone (based on your subnet) that you have created, looks up the IP, and
| > tells you what the name is. That's it. Now if you don;t have a reverse
| zone,
| > or if you do have a reverse zone, but you don't have a PTR entry for the
| DNS
| > address, then the error.
| >
| > Second, the major issue.
| > You have a single label domain name, on top of which you have
underscores.
| > The domain name: SDI_DOMAIN is of invalid DNS format.
| > It should be something to the effect of:
| > sdi-domain.com
| > sdi-domain.net
| > sdi-domain.corp
| > sdi-domain.joel
| > etc...
| >
| > Hence all the errors.
| >
| > So there's a double bubble going on.
| >
| > Theres is a reg entry you can implement to overcome the single label
name.
| > It's nmore of a "bandaid". Not recommended. Actually recommended to fix
it
| > somehow first. Unfortunately, if the AD name is SDI_DOMAIN, and not of
the
| > proper form, then it's a tough one. If the actual AD domain name was of
| > proper form, I have a script that can fix it, but since AD is single
label
| > named, it doesn't look good.
| >
| > To remove the underscore, renaming the machine name is almost impossible
| > too.
| >
| > Tell you what, if your domain is still in mixed mode, and if you still
| have
| > any NT4 BDCs around or a machine that you can install an NT4 BDC into
the
| AD
| > domain, then we can make this work. We can use that for a swing
| > operation/migration as to not lose your user accounts.
| >
| > Install the BDC, dump the W2k box flat out.
| > Promote the BDC to a PDC.
| > Install NT4 on the original w2k box,
| > Promote that to a PDC,
| > Properly set the DNS suffix first. That's done in NT4's TCP/IP
properties.
| > This domain name will be transformed into the Primary DNS Suffix. Make
| sure
| > the name is a proper DNS domain name, as mentioned above.
| > Then upgrade it to W2k. When DCPROMO runs during the upgrade, choose the
| > proper domain name that you set above.
| >
| > Ok, here's a link that explains this swing method:
| >
| > Q292541 - How to Rename the DNS name of a Windows 2000 Domain:
| > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541
| >
| > If you want the bandaid for the single label name, here;s the link.
| >
| > 300684 - Information About Configuring Windows 2000 for Domains with
| > Single-Label DNS Names:
| > http://support.microsoft.com/?id=300684
| >
| > BUT this ain't going to help the underscores and you're faced with
trying
| > the method I outlined and that artcile 292541 outlines.
| >
| > Sorry to be the bear of bad news...
| >
| >
| > --
| > Regards,
| > Ace
| >
| > Please direct all replies to the newsgroup so all can benefit.
| >
| > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
| > Microsoft Windows MVP - Active Directory
| > --
| > =================================
| >
| >
| >
|
|
|

Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
Click to expand...
 
AF> Sorry to be the bear of bad news...

The usual expression is "bearer of bad news". But I do rather like the image
that the above conjures. (-:
 
Hello,

The process below is almost OK.

You may want to pay attention to the following points:

1. When you configure the DNS server, the name of the forward lookup zone
must be the same as the name of the Active Directory domain or be a logical
DNS container for that name

2. You need to enter the correct domain name when DCPROMO runs. You cannot
rename the domain at step 4).

Thanks.

--------------------
| From: "Joel Finkel" <[email protected]>
| Subject: Re: Cannot find a primary authoritative DNS server
| Date: Tue, 5 Aug 2003 09:57:09 -0500
| Newsgroups: microsoft.public.win2000.dns
|
| Vivien,
|
| Thank you for the very helpful resources. What is your opinion of the
| following short-term strategy:
|
| 1) Remove all workstations from the domain "SDI_DOMAIN"
| 2) Demote my Windows 2000 Server from a PDC
| 3) Uninstall DNS
| 4) Rename the domain to "SD-IL.CORP"
| 5) Install DNS and re-configure it
| 6) Promote the Windows 2000 Server to a PDC
| 7) Recreate my main user login
| 8) Rejoin workstations to domain "SD-IL.CORP"
|
| Thanks again.
|
| /Joel
|
|
|
| | > Hello,
| >
| > If you would like to build up a fresh Windows Server 2003 system, please
| > refer to the articles below.
| >
| > 816584 HOW TO: Set Up the Domain Name System for Active Directory in
| Windows
| > http://support.microsoft.com/?id=816584
| >
| > 324753 HOW TO: Create an Active Directory Server in Windows Server 2003
| > http://support.microsoft.com/?id=324753
| >
| > 816106 How to Verify an Active Directory Installation in Windows Server
| 2003
| > http://support.microsoft.com/?id=816106
| >
| > Active Directory Migration tool (ADMT) can be used to migrate users,
| > groups, and computers.
| >
| > For more information about ADMT, visit the following Microsoft Web site:
| >
| > Active Directory Migration Tool Overview
| >
|
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adm
| > t.asp
| >
| > 326480 How to Use Active Directory Migration Tool Version 2 to Migrate
| from
| > http://support.microsoft.com/?id=326480
| >
| > Thanks.
| >
| > --------------------
| > | From: "Joel Finkel" <[email protected]>
| > | Subject: Re: Cannot find a primary authoritative DNS server
| > | Date: Tue, 5 Aug 2003 01:00:14 -0500
| > | Newsgroups: microsoft.public.win2000.dns
| >
| > | Ace,
| > |
| > | Thanks. This is quite hilarious. Fortunately, I have a very small
set
| of
| > | logins. In addition, the server does not have an inordinate number of
| > | applications that I would have to reinstall if I simply started over.
| > |
| > | Could you please explain the ramifications of simply installing a
fresh
| > | Windows 2003 Server, setting it up properly to begin with. What do I
| > have
| > | to do to my XP Pro workstation, for example, "sdi-work-1," which is a
| > member
| > | of the current domain? Do I remove it from the domain before I
rebuild
| > the
| > | server?
| > |
| > | BTW, I am running in mixed mode, so I could execute this little (or
not
| so
| > | little) trick. But this is actually an NT3.4 -> NT4.0 -> Windows 2000
| OS.
| > | It's probably time I rebuilt it all, anyway.
| > |
| > | Thanks for you help!
| > |
| > | /Joel
| > | (e-mail address removed)
| > |
| > |
| > | "Ace Fekay [MVP]"
<PleaseSubstituteMyFirstName&[email protected]>
| > | wrote in message | > | > In | > | > Joel Finkel <[email protected]>, posted their thoughts, then I offered
my
| > | > thoughts down below:
| > | > > I have a small LAN. It has a single Windows 2000 Server, which is
| > | > > set up as a PDC, DNS server, DHCP server, and the gateway to the
| > | > > internet. I have several internal workstations.
| > | > >
| > | > > The domain name is SDI_DOMAIN. This is an internal name only.
| > | > >
| > | > > The PDC is, unfortunately, named SDI_SERVER_1.
| > | > >
| > | > > In order to remove the underscores from the server name of a
Windows
| > | > > 2000 PDC, one has to demote it. To save the AD settings, I need
to
| > | > > establish a BDC. After installing Windows 2000 Server on a new
| > | > > machine, I attempted to promote it, but it could not successfully
| > | > > attach to the PDC.
| > | > >
| > | > > This led me investigate the DNS on the PDC.
| > | > >
| > | > >
| > | > >
| > | > > I am unable to resolve the following error:
| > | > >
| > | > > DNS test . . . . . . . . . . . . . : Failed
| > | > > [WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN' valid
only
| > | > > on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
| > | > > [WARNING] Cannot find a primary authoritative DNS server
| > | > > for the name
| > | > > 'SDI_SERVER_1.SDI_DOMAIN.'. [RCODE_SERVER_FAILURE]
| > | > > The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be
| registered
| > | > > in DNS.
| > | > > [FATAL] File \config\netlogon.dns contains invalid DNS
| > | > > entries. [FATAL] File \config\netlogon.dns contains invalid
| DNS
| > | > > entries. [WARNING] The DNS entries for this DC cannot be
| > | > > verified right now on DNS server 216.231.41.2, ERROR_TIMEOUT.
| > | > > [FATAL] No DNS servers have the DNS records for this DC
| > | > > registered.
| > | > >
| > | > >
| > | > >
| > | > >
| > | > >
| > | > > This is the log from net config rdr:
| > | > >
| > | > > Computer name \\SDI_SERVER_1
| > | > > Full Computer name SDI_SERVER_1.SDI_DOMAIN
| > | > > User name Administrator
| > | > >
| > | > > Workstation active on
| > | > > NetbiosSmb (000000000000)
| > | > > NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B} (00A0CC62262A)
| > | > >
| > | > > Software version Windows 2000
| > | > >
| > | > > Workstation domain SDI_DOMAIN
| > | > > Workstation Domain DNS Name sdi_domain
| > | > > Logon domain SDI_DOMAIN
| > | > >
| > | > > COM Open Timeout (sec) 0
| > | > > COM Send Count (byte) 16
| > | > > COM Send Timeout (msec) 250
| > | > > The command completed successfully.
| > | > >
| > | > >
| > | > >
| > | > >
| > | > > All application level protocols work fine. I can ping every
machine
| > | > > from every machine.
| > | > >
| > | > > The PDC has an IP of 192.168.0.1
| > | > >
| > | > > On its NIC, I have set up TCP/IP:
| > | > > - it uses the DNS server at 192.168.0.1
| > | > > - it appends primary and connection specific DNS suffixes
| > | > > - it appends parent suffixes of the primary DNS suffix
| > | > > - it has no list of additional DNS suffixes
| > | > > - it registers this connection's address in DNS
| > | > >
| > | > > DNS is configured:
| > | > > - the only Forward Lookup Zone is "sdi_domain"
| > | > > - NS Record: "sdi_server_1.sdi_domain."
| > | > > - A records: one for each node in the network
(192.168.0.1 -
| > | > > 192.168.0.5)
| > | > >
| > | > > - there is only one AD-integrated Reverse Lookup Zone
| > | > > - I had to add the nodes manually, the pointer records did
| > | > > not propagate.
| > | > > I understand that this may be a known bug.
| > | > > It may, however, be associated with my problem.
| > | > >
| > | > >
| > | > >
| > | > >
| > | > >
| > | > > I tried to run DcDiag.exe, but it gave me an error: "Entry point
| > | > > DSIsMangledDnW could not be located in dynamic link library
| > | > > NTDSAPI.dll"
| > | > >
| > | > > My head hurts, and my wall has a fairly large hole in it. I am
| > | > > hoping someone can assist me in solving this issue.
| > | > >
| > | > > Thanks in advance for all suggestions.
| > | > >
| > | > > -Joel Finkel
| > | > > (e-mail address removed)
| > | >
| > | > There are two issues here Joel, one minor, one major.
| > | >
| > | > First, the minor issue.
| > | > The nslookup error is benign. All it's doing is trying to tell you
| what
| > | the
| > | > name of the DNS server it's using is. That's it. Otherwise, it still
| > works
| > | > with subsequent commands. The way it finds it, is it looks in your
| > reverse
| > | > zone (based on your subnet) that you have created, looks up the IP,
| and
| > | > tells you what the name is. That's it. Now if you don;t have a
reverse
| > | zone,
| > | > or if you do have a reverse zone, but you don't have a PTR entry for
| the
| > | DNS
| > | > address, then the error.
| > | >
| > | > Second, the major issue.
| > | > You have a single label domain name, on top of which you have
| > underscores.
| > | > The domain name: SDI_DOMAIN is of invalid DNS format.
| > | > It should be something to the effect of:
| > | > sdi-domain.com
| > | > sdi-domain.net
| > | > sdi-domain.corp
| > | > sdi-domain.joel
| > | > etc...
| > | >
| > | > Hence all the errors.
| > | >
| > | > So there's a double bubble going on.
| > | >
| > | > Theres is a reg entry you can implement to overcome the single label
| > name.
| > | > It's nmore of a "bandaid". Not recommended. Actually recommended to
| fix
| > it
| > | > somehow first. Unfortunately, if the AD name is SDI_DOMAIN, and not
of
| > the
| > | > proper form, then it's a tough one. If the actual AD domain name was
| of
| > | > proper form, I have a script that can fix it, but since AD is single
| > label
| > | > named, it doesn't look good.
| > | >
| > | > To remove the underscore, renaming the machine name is almost
| impossible
| > | > too.
| > | >
| > | > Tell you what, if your domain is still in mixed mode, and if you
still
| > | have
| > | > any NT4 BDCs around or a machine that you can install an NT4 BDC
into
| > the
| > | AD
| > | > domain, then we can make this work. We can use that for a swing
| > | > operation/migration as to not lose your user accounts.
| > | >
| > | > Install the BDC, dump the W2k box flat out.
| > | > Promote the BDC to a PDC.
| > | > Install NT4 on the original w2k box,
| > | > Promote that to a PDC,
| > | > Properly set the DNS suffix first. That's done in NT4's TCP/IP
| > properties.
| > | > This domain name will be transformed into the Primary DNS Suffix.
Make
| > | sure
| > | > the name is a proper DNS domain name, as mentioned above.
| > | > Then upgrade it to W2k. When DCPROMO runs during the upgrade, choose
| the
| > | > proper domain name that you set above.
| > | >
| > | > Ok, here's a link that explains this swing method:
| > | >
| > | > Q292541 - How to Rename the DNS name of a Windows 2000 Domain:
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541
| > | >
| > | > If you want the bandaid for the single label name, here;s the link.
| > | >
| > | > 300684 - Information About Configuring Windows 2000 for Domains with
| > | > Single-Label DNS Names:
| > | > http://support.microsoft.com/?id=300684
| > | >
| > | > BUT this ain't going to help the underscores and you're faced with
| > trying
| > | > the method I outlined and that artcile 292541 outlines.
| > | >
| > | > Sorry to be the bear of bad news...
| > | >
| > | >
| > | > --
| > | > Regards,
| > | > Ace
| > | >
| > | > Please direct all replies to the newsgroup so all can benefit.
| > | >
| > | > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
| > | > Microsoft Windows MVP - Active Directory
| > | > --
| > | > =================================
| > | >
| > | >
| > | >
| > |
| > |
| > |
| >
| > Sincerely,
| >
| > Vivien Wu
| > MCSA, MCSE2000 and MCDBA2000
| > Microsoft Partner Online Support
| >
| >
| > Get Secure! - www.microsoft.com/security
| >
| > ====================================================
| > When responding to posts, please Reply to Group via your newsreader so
| > that others may learn and benefit from your issue.
| > ====================================================
| > This posting is provided AS IS with no warranties, and confers no
rights.
| >
|
|
|

Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 
Hello Joel,

It is right that you configure DNS and then promote it to a PDC. However, I
am not sure how you rename the domain at step 4. Do you mean that you want
to change the computer name?

We can only enter the desired domain name during the dcpromo process. When
you configure the DNS server, we need to configure the name of the forward
lookup zone, and make sure the zone name is the same as the desired domain
name or be a logical DNS container for that name.

*****

The domain account is invalid after you rebuild the domain. When you log on
the workstation as Administrator, you can take ownership of the domain
users' folders even if the domain is invalid.

NOTE: Make sure that you have decrypted all the EFS files before demote the
DC. For related information, check the article below.

276239 Unable to Recover Encrypted Files After the Domain Controller Is
Demoted
http://support.microsoft.com/?id=276239

--------------------
| From: "Joel Finkel" <[email protected]>
| Subject: Re: Cannot find a primary authoritative DNS server
| Date: Wed, 6 Aug 2003 00:55:47 -0500
| Newsgroups: microsoft.public.win2000.dns
|
| Vivien,
| Now you have me a bit confused. I am prepared to sacrifice my netowrk
logins to save my installed programs. Therefore, rather than start with a
brand-new installation of Windows 2003 Server (at this time) I will simply
break apart the domain and rebuild it.
| According to 237675 Setting Up the Domain Name System for Active
Directory (http://support.microsoft.com/default.aspx?scid=kb;en-us;237675)
the proper way to do this is to configure DNS and then promote to a PDC.
This is why I put the steps in the order I did.
| Therefore, I do not understand your point #2:
| > 2. You need to enter the correct domain name when DCPROMO runs. You
cannot
| > rename the domain at step 4).
| Thanks for clearing this up for me.
| One more question concerning my main login account that I use on my
workstation(s). Since it is a domain account, I assume that when the
domain is rebuilt it will no longer be valid. Is this correct? What are
the implications? For example, what happens to all the settings in the
Documents and Settings for that login? The folder is NOT owned by the
domain user, but by the workstation Administrator account. I assume I
should ensure that nothng on any workstation is owned by any domain object,
correct?
| Thanks,
| Joel Finkel
| > Hello,
| >
| > The process below is almost OK.
| >
| > You may want to pay attention to the following points:
| >
| > 1. When you configure the DNS server, the name of the forward lookup
zone
| > must be the same as the name of the Active Directory domain or be a
logical
| > DNS container for that name
| >
| > 2. You need to enter the correct domain name when DCPROMO runs. You
cannot
| > rename the domain at step 4).
| >
| > Thanks.
| >
| > --------------------
| > | From: "Joel Finkel" <[email protected]>
| > | Subject: Re: Cannot find a primary authoritative DNS server
| > | Date: Tue, 5 Aug 2003 09:57:09 -0500
| > | Newsgroups: microsoft.public.win2000.dns
| > |
| > | Vivien,
| > |
| > | Thank you for the very helpful resources. What is your opinion of the
| > | following short-term strategy:
| > |
| > | 1) Remove all workstations from the domain "SDI_DOMAIN"
| > | 2) Demote my Windows 2000 Server from a PDC
| > | 3) Uninstall DNS
| > | 4) Rename the domain to "SD-IL.CORP"
| > | 5) Install DNS and re-configure it
| > | 6) Promote the Windows 2000 Server to a PDC
| > | 7) Recreate my main user login
| > | 8) Rejoin workstations to domain "SD-IL.CORP"
| > |
| > | Thanks again.
| > |
| > | /Joel
| > |
| > |
| > |
| > | | > | > Hello,
| > | >
| > | > If you would like to build up a fresh Windows Server 2003 system,
please
| > | > refer to the articles below.
| > | >
| > | > 816584 HOW TO: Set Up the Domain Name System for Active Directory in
| > | Windows
| > | > http://support.microsoft.com/?id=816584
| > | >
| > | > 324753 HOW TO: Create an Active Directory Server in Windows Server
2003
| > | > http://support.microsoft.com/?id=324753
| > | >
| > | > 816106 How to Verify an Active Directory Installation in Windows
Server
| > | 2003
| > | > http://support.microsoft.com/?id=816106
| > | >
| > | > Active Directory Migration tool (ADMT) can be used to migrate users,
| > | > groups, and computers.
| > | >
| > | > For more information about ADMT, visit the following Microsoft Web
site:
| > | >
| > | > Active Directory Migration Tool Overview
| > | >
| > |
| >
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adm
| > | > t.asp
| > | >
| > | > 326480 How to Use Active Directory Migration Tool Version 2 to
Migrate
| > | from
| > | > http://support.microsoft.com/?id=326480
| > | >
| > | > Thanks.
| > | >
| > | > --------------------
| > | > | From: "Joel Finkel" <[email protected]>
| > | > | Subject: Re: Cannot find a primary authoritative DNS server
| > | > | Date: Tue, 5 Aug 2003 01:00:14 -0500
| > | > | Newsgroups: microsoft.public.win2000.dns
| > | >
| > | > | Ace,
| > | > |
| > | > | Thanks. This is quite hilarious. Fortunately, I have a very
small
| > set
| > | of
| > | > | logins. In addition, the server does not have an inordinate
number of
| > | > | applications that I would have to reinstall if I simply started
over.
| > | > |
| > | > | Could you please explain the ramifications of simply installing a
| > fresh
| > | > | Windows 2003 Server, setting it up properly to begin with. What
do I
| > | > have
| > | > | to do to my XP Pro workstation, for example, "sdi-work-1," which
is a
| > | > member
| > | > | of the current domain? Do I remove it from the domain before I
| > rebuild
| > | > the
| > | > | server?
| > | > |
| > | > | BTW, I am running in mixed mode, so I could execute this little
(or
| > not
| > | so
| > | > | little) trick. But this is actually an NT3.4 -> NT4.0 -> Windows
2000
| > | OS.
| > | > | It's probably time I rebuilt it all, anyway.
| > | > |
| > | > | Thanks for you help!
| > | > |
| > | > | /Joel
| > | > | (e-mail address removed)
| > | > |
| > | > |
| > | > | "Ace Fekay [MVP]"
| > <PleaseSubstituteMyFirstName&[email protected]>
| > | > | wrote in message | > | > | > In | > | > | > Joel Finkel <[email protected]>, posted their thoughts, then I
offered
| > my
| > | > | > thoughts down below:
| > | > | > > I have a small LAN. It has a single Windows 2000 Server,
which is
| > | > | > > set up as a PDC, DNS server, DHCP server, and the gateway to
the
| > | > | > > internet. I have several internal workstations.
| > | > | > >
| > | > | > > The domain name is SDI_DOMAIN. This is an internal name only.
| > | > | > >
| > | > | > > The PDC is, unfortunately, named SDI_SERVER_1.
| > | > | > >
| > | > | > > In order to remove the underscores from the server name of a
Windows
Click to expand...
| > | > | > > 2000 PDC, one has to demote it. To save the AD settings, I
need
| > to
| > | > | > > establish a BDC. After installing Windows 2000 Server on a
new
| > | > | > > machine, I attempted to promote it, but it could not
successfully
| > | > | > > attach to the PDC.
| > | > | > >
| > | > | > > This led me investigate the DNS on the PDC.
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > > I am unable to resolve the following error:
| > | > | > >
| > | > | > > DNS test . . . . . . . . . . . . . : Failed
| > | > | > > [WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN'
valid
| > only
| > | > | > > on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
| > | > | > > [WARNING] Cannot find a primary authoritative DNS
server
| > | > | > > for the name
| > | > | > > 'SDI_SERVER_1.SDI_DOMAIN.'. [RCODE_SERVER_FAILURE]
| > | > | > > The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be
| > | registered
| > | > | > > in DNS.
| > | > | > > [FATAL] File \config\netlogon.dns contains invalid DNS
| > | > | > > entries. [FATAL] File \config\netlogon.dns contains
invalid
| > | DNS
| > | > | > > entries. [WARNING] The DNS entries for this DC cannot be
| > | > | > > verified right now on DNS server 216.231.41.2, ERROR_TIMEOUT.
| > | > | > > [FATAL] No DNS servers have the DNS records for this DC
| > | > | > > registered.
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > > This is the log from net config rdr:
| > | > | > >
| > | > | > > Computer name \\SDI_SERVER_1
| > | > | > > Full Computer name SDI_SERVER_1.SDI_DOMAIN
| > | > | > > User name Administrator
| > | > | > >
| > | > | > > Workstation active on
| > | > | > > NetbiosSmb (000000000000)
| > | > | > > NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B}
(00A0CC62262A)
| > | > | > >
| > | > | > > Software version Windows 2000
| > | > | > >
| > | > | > > Workstation domain SDI_DOMAIN
| > | > | > > Workstation Domain DNS Name sdi_domain
| > | > | > > Logon domain SDI_DOMAIN
| > | > | > >
| > | > | > > COM Open Timeout (sec) 0
| > | > | > > COM Send Count (byte) 16
| > | > | > > COM Send Timeout (msec) 250
| > | > | > > The command completed successfully.
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > > All application level protocols work fine. I can ping every
machine
Click to expand...
| > | > | > > from every machine.
| > | > | > >
| > | > | > > The PDC has an IP of 192.168.0.1
| > | > | > >
| > | > | > > On its NIC, I have set up TCP/IP:
| > | > | > > - it uses the DNS server at 192.168.0.1
| > | > | > > - it appends primary and connection specific DNS suffixes
| > | > | > > - it appends parent suffixes of the primary DNS suffix
| > | > | > > - it has no list of additional DNS suffixes
| > | > | > > - it registers this connection's address in DNS
| > | > | > >
| > | > | > > DNS is configured:
| > | > | > > - the only Forward Lookup Zone is "sdi_domain"
| > | > | > > - NS Record: "sdi_server_1.sdi_domain."
| > | > | > > - A records: one for each node in the network
| > (192.168.0.1 -
| > | > | > > 192.168.0.5)
| > | > | > >
| > | > | > > - there is only one AD-integrated Reverse Lookup Zone
| > | > | > > - I had to add the nodes manually, the pointer
records did
| > | > | > > not propagate.
| > | > | > > I understand that this may be a known bug.
| > | > | > > It may, however, be associated with my problem.
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > >
| > | > | > > I tried to run DcDiag.exe, but it gave me an error: "Entry
point
| > | > | > > DSIsMangledDnW could not be located in dynamic link library
| > | > | > > NTDSAPI.dll"
| > | > | > >
| > | > | > > My head hurts, and my wall has a fairly large hole in it. I
am
| > | > | > > hoping someone can assist me in solving this issue.
| > | > | > >
| > | > | > > Thanks in advance for all suggestions.
| > | > | > >
| > | > | > > -Joel Finkel
| > | > | > > (e-mail address removed)
| > | > | >
| > | > | > There are two issues here Joel, one minor, one major.
| > | > | >
| > | > | > First, the minor issue.
| > | > | > The nslookup error is benign. All it's doing is trying to tell
you
| > | what
| > | > | the
| > | > | > name of the DNS server it's using is. That's it. Otherwise, it
still
| > | > works
| > | > | > with subsequent commands. The way it finds it, is it looks in
your
| > | > reverse
| > | > | > zone (based on your subnet) that you have created, looks up the
IP,
| > | and
| > | > | > tells you what the name is. That's it. Now if you don;t have a
reverse
Click to expand...
| > | > | zone,
| > | > | > or if you do have a reverse zone, but you don't have a PTR
entry for
| > | the
| > | > | DNS
| > | > | > address, then the error.
| > | > | >
| > | > | > Second, the major issue.
| > | > | > You have a single label domain name, on top of which you have
| > | > underscores.
| > | > | > The domain name: SDI_DOMAIN is of invalid DNS format.
| > | > | > It should be something to the effect of:
| > | > | > sdi-domain.com
| > | > | > sdi-domain.net
| > | > | > sdi-domain.corp
| > | > | > sdi-domain.joel
| > | > | > etc...
| > | > | >
| > | > | > Hence all the errors.
| > | > | >
| > | > | > So there's a double bubble going on.
| > | > | >
| > | > | > Theres is a reg entry you can implement to overcome the single
label
| > | > name.
| > | > | > It's nmore of a "bandaid". Not recommended. Actually
recommended to
| > | fix
| > | > it
| > | > | > somehow first. Unfortunately, if the AD name is SDI_DOMAIN, and
not
| > of
| > | > the
| > | > | > proper form, then it's a tough one. If the actual AD domain
name was
| > | of
| > | > | > proper form, I have a script that can fix it, but since AD is
single
| > | > label
| > | > | > named, it doesn't look good.
| > | > | >
| > | > | > To remove the underscore, renaming the machine name is almost
| > | impossible
| > | > | > too.
| > | > | >
| > | > | > Tell you what, if your domain is still in mixed mode, and if
you
| > still
| > | > | have
| > | > | > any NT4 BDCs around or a machine that you can install an NT4
BDC
| > into
| > | > the
| > | > | AD
| > | > | > domain, then we can make this work. We can use that for a swing
| > | > | > operation/migration as to not lose your user accounts.
| > | > | >
| > | > | > Install the BDC, dump the W2k box flat out.
| > | > | > Promote the BDC to a PDC.
| > | > | > Install NT4 on the original w2k box,
| > | > | > Promote that to a PDC,
| > | > | > Properly set the DNS suffix first. That's done in NT4's TCP/IP
| > | > properties.
| > | > | > This domain name will be transformed into the Primary DNS
Suffix.
| > Make
| > | > | sure
| > | > | > the name is a proper DNS domain name, as mentioned above.
| > | > | > Then upgrade it to W2k. When DCPROMO runs during the upgrade,
choose
| > | the
| > | > | > proper domain name that you set above.
| > | > | >
| > | > | > Ok, here's a link that explains this swing method:
| > | > | >
| > | > | > Q292541 - How to Rename the DNS name of a Windows 2000 Domain:
| > | > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541
| > | > | >
| > | > | > If you want the bandaid for the single label name, here;s the
link.
| > | > | >
| > | > | > 300684 - Information About Configuring Windows 2000 for Domains
with
| > | > | > Single-Label DNS Names:
| > | > | > http://support.microsoft.com/?id=300684
| > | > | >
| > | > | > BUT this ain't going to help the underscores and you're faced
with
| > | > trying
| > | > | > the method I outlined and that artcile 292541 outlines.
| > | > | >
| > | > | > Sorry to be the bear of bad news...
| > | > | >
| > | > | >
| > | > | > --
| > | > | > Regards,
| > | > | > Ace
| > | > | >
| > | > | > Please direct all replies to the newsgroup so all can benefit.
| > | > | >
| > | > | > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
| > | > | > Microsoft Windows MVP - Active Directory
| > | > | > --
| > | > | > =================================
| > | > | >
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | > |
| > | >
| > | > Sincerely,
| > | >
| > | > Vivien Wu
| > | > MCSA, MCSE2000 and MCDBA2000
| > | > Microsoft Partner Online Support
| > | >
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > ====================================================
| > | > When responding to posts, please Reply to Group via your newsreader
so
| > | > that others may learn and benefit from your issue.
| > | > ====================================================
| > | > This posting is provided AS IS with no warranties, and confers no
| > rights.
|

Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 
Hello,

I have listed the answers to your questions below.

1. The step 7 in 237675 is used to establish the Forward Zone, sd-il.corp.

2. You need to specify the domain name when you run dcpromo.

Thanks.

--------------------
| From: "Joel Finkel" <[email protected]>
| Subject: Re: Cannot find a primary authoritative DNS server
| Date: Wed, 6 Aug 2003 09:57:01 -0500
| Newsgroups: microsoft.public.win2000.dns
|
| Vivien,
| I want the name of the machine to be: sdi-server-1
| I want the name of the domain to be: sd-il.corp
| Looking at 237675 Setting Up the Domain Name System for Active
| Directory
(http://support.microsoft.com/default.aspx?scid=kb;en-us;237675)
| In the section: Configure the DNS Server Using DNS Manager
| Step # 7:
| a.. The new zone contains the locator records for this Active Directory
domain. The name of the zone must be the same as the name of the Active
Directory domain, or be a logical DNS container for that name.
| For example, if the Active Directory domain is named
"support.microsoft.com", legal zone names are "support.microsoft.com",
"microsoft.com", or "com". Type the name of the zone, and then click Next.
| NOTE: If you name the zone "com" we will believe that we are
authoritative for the "com" domain and never forward any requests that we
can not answer out to the real "com" domain servers. The same would be true
if you named it "microsoft.com", you would never use your forwarder to
resolve requests from the real "microsoft.com" servers.
| QUESTION: I this not the step I first establish the new domain,
sd-il.corp, that is, when I perfom this step to establish the Forward Zone,
sd-il.corp?
| QUESTION: I will have to specifiy this domain again when I run dcpromo,
correct?
| Thanks for the warning about the encrypted files. That is not a problem
I will encountner.
| -Joel
| > Hello Joel,
| >
| > It is right that you configure DNS and then promote it to a PDC.
However, I
| > am not sure how you rename the domain at step 4. Do you mean that you
want
| > to change the computer name?
| >
| > We can only enter the desired domain name during the dcpromo process.
When
| > you configure the DNS server, we need to configure the name of the
forward
| > lookup zone, and make sure the zone name is the same as the desired
domain
| > name or be a logical DNS container for that name.
| >
| > *****
| >
| > The domain account is invalid after you rebuild the domain. When you
log on
| > the workstation as Administrator, you can take ownership of the domain
users' folders even if the domain is invalid.
Click to expand...
| >
| > NOTE: Make sure that you have decrypted all the EFS files before demote
the
| > DC. For related information, check the article below.
| >
| > 276239 Unable to Recover Encrypted Files After the Domain Controller Is
| > Demoted
| > http://support.microsoft.com/?id=276239
| >
| > --------------------
| > | From: "Joel Finkel" <[email protected]>
| > | Subject: Re: Cannot find a primary authoritative DNS server
| > | Date: Wed, 6 Aug 2003 00:55:47 -0500
| > | Newsgroups: microsoft.public.win2000.dns
| > |
| > | Vivien,
| > | Now you have me a bit confused. I am prepared to sacrifice my
netowrk
| > logins to save my installed programs. Therefore, rather than start
with a
| > brand-new installation of Windows 2003 Server (at this time) I will
simply
| > break apart the domain and rebuild it.
| > | According to 237675 Setting Up the Domain Name System for Active
| > Directory
(http://support.microsoft.com/default.aspx?scid=kb;en-us;237675)
| > the proper way to do this is to configure DNS and then promote to a
PDC.
| > This is why I put the steps in the order I did.
| > | Therefore, I do not understand your point #2:
| > | > 2. You need to enter the correct domain name when DCPROMO runs. You
| > cannot
| > | > rename the domain at step 4).
| > | Thanks for clearing this up for me.
| > | One more question concerning my main login account that I use on my
| > workstation(s). Since it is a domain account, I assume that when the
| > domain is rebuilt it will no longer be valid. Is this correct? What
are
| > the implications? For example, what happens to all the settings in the
| > Documents and Settings for that login? The folder is NOT owned by the
domain user, but by the workstation Administrator account. I assume I >
Click to expand...
should ensure that nothng on any workstation is owned by any domain object,
| > correct?
| > | Thanks,
| > | Joel Finkel
| > | > | > Hello,
| > | >
| > | > The process below is almost OK.
| > | >
| > | > You may want to pay attention to the following points:
| > | >
| > | > 1. When you configure the DNS server, the name of the forward
lookup
| > zone
| > | > must be the same as the name of the Active Directory domain or be a
| > logical
| > | > DNS container for that name
| > | >
| > | > 2. You need to enter the correct domain name when DCPROMO runs. You
| > cannot
| > | > rename the domain at step 4).
| > | >
| > | > Thanks.
| > | >
| > | > --------------------
| > | > | From: "Joel Finkel" <[email protected]>
| > | > | Subject: Re: Cannot find a primary authoritative DNS server
| > | > | Date: Tue, 5 Aug 2003 09:57:09 -0500
| > | > | Newsgroups: microsoft.public.win2000.dns
| > | > |
| > | > | Vivien,
| > | > |
| > | > | Thank you for the very helpful resources. What is your opinion
of the
| > | > | following short-term strategy:
| > | > |
| > | > | 1) Remove all workstations from the domain "SDI_DOMAIN"
| > | > | 2) Demote my Windows 2000 Server from a PDC
| > | > | 3) Uninstall DNS
| > | > | 4) Rename the domain to "SD-IL.CORP"
| > | > | 5) Install DNS and re-configure it
| > | > | 6) Promote the Windows 2000 Server to a PDC
| > | > | 7) Recreate my main user login
| > | > | 8) Rejoin workstations to domain "SD-IL.CORP"
| > | > |
| > | > | Thanks again.
| > | > |
| > | > | /Joel
| > | > |
| > | > |
| > | > |
| > | > | | > | > | > Hello,
| > | > | >
| > | > | > If you would like to build up a fresh Windows Server 2003
system,
| > please
| > | > | > refer to the articles below.
| > | > | >
| > | > | > 816584 HOW TO: Set Up the Domain Name System for Active
Directory in
| > | > | Windows
| > | > | > http://support.microsoft.com/?id=816584
| > | > | >
| > | > | > 324753 HOW TO: Create an Active Directory Server in Windows
Server
| > 2003
| > | > | > http://support.microsoft.com/?id=324753
| > | > | >
| > | > | > 816106 How to Verify an Active Directory Installation in
Windows
| > Server
| > | > | 2003
| > | > | > http://support.microsoft.com/?id=816106
| > | > | >
| > | > | > Active Directory Migration tool (ADMT) can be used to migrate
users,
| > | > | > groups, and computers.
| > | > | >
| > | > | > For more information about ADMT, visit the following Microsoft
Web
| > site:
| > | > | >
| > | > | > Active Directory Migration Tool Overview
| > | > | >
| > | > |
| > | >
| >
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adm
| > | > | > t.asp
| > | > | >
| > | > | > 326480 How to Use Active Directory Migration Tool Version 2 to
Migrate
Click to expand...
| > | > | from
| > | > | > http://support.microsoft.com/?id=326480
| > | > | >
| > | > | > Thanks.
| > | > | >
| > | > | > --------------------
| > | > | > | From: "Joel Finkel" <[email protected]>
| > | > | > | Subject: Re: Cannot find a primary authoritative DNS server
| > | > | > | Date: Tue, 5 Aug 2003 01:00:14 -0500
| > | > | > | Newsgroups: microsoft.public.win2000.dns
| > | > | >
| > | > | > | Ace,
| > | > | > |
| > | > | > | Thanks. This is quite hilarious. Fortunately, I have a very
| > small
| > | > set
| > | > | of
| > | > | > | logins. In addition, the server does not have an inordinate
number of
Click to expand...
| > | > | > | applications that I would have to reinstall if I simply
started
| > over.
| > | > | > |
| > | > | > | Could you please explain the ramifications of simply
installing a
| > | > fresh
| > | > | > | Windows 2003 Server, setting it up properly to begin with.
What
| > do I
| > | > | > have
| > | > | > | to do to my XP Pro workstation, for example, "sdi-work-1,"
which
| > is a
| > | > | > member
| > | > | > | of the current domain? Do I remove it from the domain before
I
| > | > rebuild
| > | > | > the
| > | > | > | server?
| > | > | > |
| > | > | > | BTW, I am running in mixed mode, so I could execute this
little
| > (or
| > | > not
| > | > | so
| > | > | > | little) trick. But this is actually an NT3.4 -> NT4.0 ->
Windows
| > 2000
| > | > | OS.
| > | > | > | It's probably time I rebuilt it all, anyway.
| > | > | > |
| > | > | > | Thanks for you help!
| > | > | > |
| > | > | > | /Joel
| > | > | > | (e-mail address removed)
| > | > | > |
| > | > | > |
| > | > | > | "Ace Fekay [MVP]"
| > | > <PleaseSubstituteMyFirstName&[email protected]>
| > | > | > | wrote in message | > | > | > | > In | > | > | > | > Joel Finkel <[email protected]>, posted their thoughts, then I
| > offered
| > | > my
| > | > | > | > thoughts down below:
| > | > | > | > > I have a small LAN. It has a single Windows 2000 Server,
| > which is
| > | > | > | > > set up as a PDC, DNS server, DHCP server, and the gateway
to
| > the
| > | > | > | > > internet. I have several internal workstations.
| > | > | > | > >
| > | > | > | > > The domain name is SDI_DOMAIN. This is an internal name
only.
| > | > | > | > >
| > | > | > | > > The PDC is, unfortunately, named SDI_SERVER_1.
| > | > | > | > >
| > | > | > | > > In order to remove the underscores from the server name
of a
| > > Windows
| > | > | > | > > 2000 PDC, one has to demote it. To save the AD settings,
I
| > need
| > | > to
| > | > | > | > > establish a BDC. After installing Windows 2000 Server on
a
| > new
| > | > | > | > > machine, I attempted to promote it, but it could not
| > successfully
| > | > | > | > > attach to the PDC.
| > | > | > | > >
| > | > | > | > > This led me investigate the DNS on the PDC.
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > > I am unable to resolve the following error:
| > | > | > | > >
| > | > | > | > > DNS test . . . . . . . . . . . . . : Failed
| > | > | > | > > [WARNING] The DNS host name 'SDI_SERVER_1.SDI_DOMAIN'
| > valid
| > | > only
| > | > | > | > > on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
| > | > | > | > > [WARNING] Cannot find a primary authoritative
DNS
| > server
| > | > | > | > > for the name
| > | > | > | > > 'SDI_SERVER_1.SDI_DOMAIN.'.
[RCODE_SERVER_FAILURE]
| > | > | > | > > The name 'SDI_SERVER_1.SDI_DOMAIN.' may not be
| > | > | registered
| > | > | > | > > in DNS.
| > | > | > | > > [FATAL] File \config\netlogon.dns contains invalid
DNS
| > | > | > | > > entries. [FATAL] File \config\netlogon.dns contains
| > invalid
| > | > | DNS
| > | > | > | > > entries. [WARNING] The DNS entries for this DC
cannot be
| > | > | > | > > verified right now on DNS server 216.231.41.2,
ERROR_TIMEOUT.
| > | > | > | > > [FATAL] No DNS servers have the DNS records for this
DC
| > | > | > | > > registered.
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > > This is the log from net config rdr:
| > | > | > | > >
| > | > | > | > > Computer name \\SDI_SERVER_1
| > | > | > | > > Full Computer name
SDI_SERVER_1.SDI_DOMAIN
| > | > | > | > > User name Administrator
| > | > | > | > >
| > | > | > | > > Workstation active on
| > | > | > | > > NetbiosSmb (000000000000)
| > | > | > | > > NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B}
| > (00A0CC62262A)
| > | > | > | > >
| > | > | > | > > Software version Windows 2000
| > | > | > | > >
| > | > | > | > > Workstation domain SDI_DOMAIN
| > | > | > | > > Workstation Domain DNS Name sdi_domain
| > | > | > | > > Logon domain SDI_DOMAIN
| > | > | > | > >
| > | > | > | > > COM Open Timeout (sec) 0
| > | > | > | > > COM Send Count (byte) 16
| > | > | > | > > COM Send Timeout (msec) 250
| > | > | > | > > The command completed successfully.
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > > All application level protocols work fine. I can ping
every
| > > machine
| > | > | > | > > from every machine.
| > | > | > | > >
| > | > | > | > > The PDC has an IP of 192.168.0.1
| > | > | > | > >
| > | > | > | > > On its NIC, I have set up TCP/IP:
| > | > | > | > > - it uses the DNS server at 192.168.0.1
| > | > | > | > > - it appends primary and connection specific DNS
suffixes
| > | > | > | > > - it appends parent suffixes of the primary DNS suffix
| > | > | > | > > - it has no list of additional DNS suffixes
| > | > | > | > > - it registers this connection's address in DNS
| > | > | > | > >
| > | > | > | > > DNS is configured:
| > | > | > | > > - the only Forward Lookup Zone is "sdi_domain"
| > | > | > | > > - NS Record: "sdi_server_1.sdi_domain."
| > | > | > | > > - A records: one for each node in the network
| > | > (192.168.0.1 -
| > | > | > | > > 192.168.0.5)
| > | > | > | > >
| > | > | > | > > - there is only one AD-integrated Reverse Lookup Zone
| > | > | > | > > - I had to add the nodes manually, the pointer
| > records did
| > | > | > | > > not propagate.
| > | > | > | > > I understand that this may be a known bug.
| > | > | > | > > It may, however, be associated with my problem.
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > >
| > | > | > | > > I tried to run DcDiag.exe, but it gave me an error:
"Entry
| > point
| > | > | > | > > DSIsMangledDnW could not be located in dynamic link
library
| > | > | > | > > NTDSAPI.dll"
| > | > | > | > >
| > | > | > | > > My head hurts, and my wall has a fairly large hole in it.
I
| > am
| > | > | > | > > hoping someone can assist me in solving this issue.
| > | > | > | > >
| > | > | > | > > Thanks in advance for all suggestions.
| > | > | > | > >
| > | > | > | > > -Joel Finkel
| > | > | > | > > (e-mail address removed)
| > | > | > | >
| > | > | > | > There are two issues here Joel, one minor, one major.
| > | > | > | >
| > | > | > | > First, the minor issue.
| > | > | > | > The nslookup error is benign. All it's doing is trying to
tell
| > you
| > | > | what
| > | > | > | the
| > | > | > | > name of the DNS server it's using is. That's it. Otherwise,
it
| > still
| > | > | > works
| > | > | > | > with subsequent commands. The way it finds it, is it looks
in
| > your
| > | > | > reverse
| > | > | > | > zone (based on your subnet) that you have created, looks up
the
| > IP,
| > | > | and
| > | > | > | > tells you what the name is. That's it. Now if you don;t
have a
| > > reverse
| > | > | > | zone,
| > | > | > | > or if you do have a reverse zone, but you don't have a PTR
entry for
Click to expand...
| > | > | the
| > | > | > | DNS
| > | > | > | > address, then the error.
| > | > | > | >
| > | > | > | > Second, the major issue.
| > | > | > | > You have a single label domain name, on top of which you
have
| > | > | > underscores.
| > | > | > | > The domain name: SDI_DOMAIN is of invalid DNS format.
| > | > | > | > It should be something to the effect of:
| > | > | > | > sdi-domain.com
| > | > | > | > sdi-domain.net
| > | > | > | > sdi-domain.corp
| > | > | > | > sdi-domain.joel
| > | > | > | > etc...
| > | > | > | >
| > | > | > | > Hence all the errors.
| > | > | > | >
| > | > | > | > So there's a double bubble going on.
| > | > | > | >
| > | > | > | > Theres is a reg entry you can implement to overcome the
single
| > label
| > | > | > name.
| > | > | > | > It's nmore of a "bandaid". Not recommended. Actually
| > recommended to
| > | > | fix
| > | > | > it
| > | > | > | > somehow first. Unfortunately, if the AD name is SDI_DOMAIN,
and
| > not
| > | > of
| > | > | > the
| > | > | > | > proper form, then it's a tough one. If the actual AD domain
| > name was
| > | > | of
| > | > | > | > proper form, I have a script that can fix it, but since AD
is
| > single
| > | > | > label
| > | > | > | > named, it doesn't look good.
| > | > | > | >
| > | > | > | > To remove the underscore, renaming the machine name is
almost
| > | > | impossible
| > | > | > | > too.
| > | > | > | >
| > | > | > | > Tell you what, if your domain is still in mixed mode, and
if
| > you
| > | > still
| > | > | > | have
| > | > | > | > any NT4 BDCs around or a machine that you can install an
NT4
| > BDC
| > | > into
| > | > | > the
| > | > | > | AD
| > | > | > | > domain, then we can make this work. We can use that for a
swing
| > | > | > | > operation/migration as to not lose your user accounts.
| > | > | > | >
| > | > | > | > Install the BDC, dump the W2k box flat out.
| > | > | > | > Promote the BDC to a PDC.
| > | > | > | > Install NT4 on the original w2k box,
| > | > | > | > Promote that to a PDC,
| > | > | > | > Properly set the DNS suffix first. That's done in NT4's
TCP/IP
| > | > | > properties.
| > | > | > | > This domain name will be transformed into the Primary DNS
| > Suffix.
| > | > Make
| > | > | > | sure
| > | > | > | > the name is a proper DNS domain name, as mentioned above.
| > | > | > | > Then upgrade it to W2k. When DCPROMO runs during the
upgrade,
| > choose
| > | > | the
| > | > | > | > proper domain name that you set above.
| > | > | > | >
| > | > | > | > Ok, here's a link that explains this swing method:
| > | > | > | >
| > | > | > | > Q292541 - How to Rename the DNS name of a Windows 2000
Domain:
| > | > | > | >
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541
| > | > | > | >
| > | > | > | > If you want the bandaid for the single label name, here;s
the
| > link.
| > | > | > | >
| > | > | > | > 300684 - Information About Configuring Windows 2000 for
Domains
| > with
| > | > | > | > Single-Label DNS Names:
| > | > | > | > http://support.microsoft.com/?id=300684
| > | > | > | >
| > | > | > | > BUT this ain't going to help the underscores and you're
faced
| > with
| > | > | > trying
| > | > | > | > the method I outlined and that artcile 292541 outlines.
| > | > | > | >
| > | > | > | > Sorry to be the bear of bad news...
| > | > | > | >
| > | > | > | >
| > | > | > | > --
| > | > | > | > Regards,
| > | > | > | > Ace
| > | > | > | >
| > | > | > | > Please direct all replies to the newsgroup so all can
benefit.
| > | > | > | >
| > | > | > | > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
| > | > | > | > Microsoft Windows MVP - Active Directory
| > | > | > | > --
| > | > | > | > =================================
| > | > | > | >
| > | > | > | >
| > | > | > | >
| > | > | > |
| > | > | > |
| > | > | > |
| > | > | >
| > | > | > Sincerely,
| > | > | >
| > | > | > Vivien Wu
| > | > | > MCSA, MCSE2000 and MCDBA2000
| > | > | > Microsoft Partner Online Support
| > | > | >
| > | > | >
| > | > | > Get Secure! - www.microsoft.com/security
| > | > | >
| > | > | > ====================================================
| > | > | > When responding to posts, please Reply to Group via your
newsreader
| > so
| > | > | > that others may learn and benefit from your issue.
| > | > | > ====================================================
| > | > | > This posting is provided AS IS with no warranties, and confers
no
| > | > rights.
| > |


Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 
Viven,

Thanks! Great stuff. This script solved the main problem. The NETLOGON errors were solved by stopping the NET LOGON service and then deleting both %systemroot%/system32/config/netlogon.dnb & netlogon.dns, which both had entries from the old domain. When NET LOGON was started again, these files were re-created properly. The errors therefore disappeared.

In the short run, I am glad I chose to solve my initial two issues (underscores in the computer name and a malformed domain name) by going through this process, as it was a good learning experience. It was many years ago that I first configured this domain (as a Windows NT 3.5 server). Had I had a better grasp of things way back in the day, I would not have had to solve these problems today.

Thanks for the support!

Regards,
Joel Finkel
(e-mail address removed)


Vivien Wu said:
Hello,

The full compute name should be computername.domain.suffix. SDI-SERVER-1 is
considered a disjoint or disjointed name space.

You can use the FixDomainSuffix.vbs script to correct the problem on the
Domain Controller and then reboot the Domain Controller.

For more information about FixDomainSuffix.vbs, I have sent email to you.

Thanks.

--------------------
| From: "Joel Finkel" <[email protected]>
|| Subject: Re: Cannot find a primary authoritative DNS server
| Date: Thu, 7 Aug 2003 18:42:29 -0500
| Newsgroups: microsoft.public.win2000.dns
|
| What a fascinating little adventure THIS has been! Without going into
all of the gory details, I am almost set. But almost is not quite
error-free. First of all, I decided that the domain should be sd-il.com,
as that is already registered. I am not going to transfer the Zone
records, so this should not be a problem.
| Therefore, when I promoted the machine to a PDC, I specified this domain.
Because I had followed the instructions in Q237675, and installed and
configured a DNS server before I promoted the server, the process of
actually promoting it generated an error, which, (ha!) I simply ignored,
because the promotion continued.
| Everything seemed wonderful, and I was able to re-create my main user
login. After that I was able to login to my workstation as Admin, join the
domain, and, viola, everything was great. I was able to login with my main
user login and actually restore all my desktop and application settings.
| Within an hour, all communication between the workstation and the server
failed. They could not even ping each other. The server log files showed
inordinate number of DNS errors, as well as errors from support
applications I had never seen before.
| I destroyed the domain once again, and rebuilt it, using the exact same
agenda. Except this time I did not install or configure DNS before
promoting the server. This time there were no errors. The forward and
reverse zones were created corrected. After I established the workstation
as a member of the domain, I was able to ping in both directions.
| This time, however, when I created the main login, jfinkel, it created it
quite differently. The first time it created a directory: jfinkel.SD-IL
but this time it simply created jfinkel. I have only spent the past 10
hours recovering everything. I am at a complete loss to explain why.
| The only problem is that I am now seeing two types of errors on the PDC:
| 1) Every hour, I get a series of 3 System error logs. Interestingly, the
Network Identification tab of System Properties show the Full Computer Name
to be "SDI-SERVER-1." and the Domain to be "sd-il.com"
| Event Type: Error
| Event Source: NTDS Replication
| Event Category: Replication
| Event ID: 1411
| Date: 8/7/2003
| Time: 5:43:03 PM
| User: Everyone
| Computer: SDI-SERVER-1
| Description:
| The Directory Service failed to construct a mutual authentication Service
Principal Name (SPN) for server SDI-SERVER-1. The call is denied. The
error was:
| A Service Principal Name (SPN) could not be constructed because the
provided hostname is not in the necessary format.
|
| The record data is the status code.
| Data:
| 0000: 6a 21 00 00 j!..
| ---------
| Event Type: Warning
| Event Source: NTDS General
| Event Category: Global Catalog
| Event ID: 1655
| Date: 8/7/2003
| Time: 5:43:03 PM
| User: Everyone
| Computer: SDI-SERVER-1
| Description:
| The attempt to communicate with global catalog \\SDI-SERVER-1 failed with
the following status:
|
| A Service Principal Name (SPN) could not be constructed because the
provided hostname is not in the necessary format.
|
| The operation in progress might be unable to continue. The directory
service will use the locator to try find an available global catalog server
for the next operation that requires one.
|
| The record data is the status code.
| Data:
| 0000: 6a 21 00 00 j!..
| ---------
| Event Type: Error
| Event Source: NTDS General
| Event Category: Global Catalog
| Event ID: 1126
| Date: 8/7/2003
| Time: 5:43:03 PM
| User: Everyone
| Computer: SDI-SERVER-1
| Description:
| Unable to establish connection with global catalog.
| 2) These errors are begin generated constantly:
| Event Type: Error
| Event Source: NETLOGON
| Event Category: None
| Event ID: 5775
| Date: 8/7/2003
| Time: 4:58:54 PM
| User: N/A
| Computer: SDI-SERVER-1
| Description:
| Deregistration of the DNS record 'gc._msdcs.sdi_domain. 600 IN A
64.81.139.116' failed with the following error:
| DNS name does not exist.
| Data:
| 0000: 2b 23 00 00 +#..
| I wonder why there is still any record with "sdi_domain" hanging around!!
| Any thoughts?
| Regards,
| Joel Finkel
| (e-mail address removed)
| > Hello,
| >
| > I have listed the answers to your questions below.
| >
| > 1. The step 7 in 237675 is used to establish the Forward Zone,
sd-il.corp.
| >
| > 2. You need to specify the domain name when you run dcpromo.
| >
| > Thanks.
| >
| > --------------------
| > | From: "Joel Finkel" <[email protected]>
| > | Subject: Re: Cannot find a primary authoritative DNS server
| > | Date: Wed, 6 Aug 2003 09:57:01 -0500
| > | Newsgroups: microsoft.public.win2000.dns
| > |
| > | Vivien,
| > | I want the name of the machine to be: sdi-server-1
| > | I want the name of the domain to be: sd-il.corp
| > | Looking at 237675 Setting Up the Domain Name System for Active
| > | Directory
| > (http://support.microsoft.com/default.aspx?scid=kb;en-us;237675)
| > | In the section: Configure the DNS Server Using DNS Manager
| > | Step # 7:
| > | a.. The new zone contains the locator records for this Active
Directory
| > domain. The name of the zone must be the same as the name of the Active
| > Directory domain, or be a logical DNS container for that name.
| > | For example, if the Active Directory domain is named
| > "support.microsoft.com", legal zone names are "support.microsoft.com",
"microsoft.com", or "com". Type the name of the zone, and then click Next.
Click to expand...
| > | NOTE: If you name the zone "com" we will believe that we are
| > authoritative for the "com" domain and never forward any requests that
we
| > can not answer out to the real "com" domain servers. The same would be
true
| > if you named it "microsoft.com", you would never use your forwarder to
resolve requests from the real "microsoft.com" servers.
Click to expand...
| > | QUESTION: I this not the step I first establish the new domain,
| > sd-il.corp, that is, when I perfom this step to establish the Forward
Zone,
| > sd-il.corp?
| > | QUESTION: I will have to specifiy this domain again when I run
dcpromo,
| > correct?
| > | Thanks for the warning about the encrypted files. That is not a
problem
| > I will encountner.
| > | -Joel
| > | > | > Hello Joel,
| > | >
| > | > It is right that you configure DNS and then promote it to a PDC.
| > However, I
| > | > am not sure how you rename the domain at step 4. Do you mean that
you
| > want
| > | > to change the computer name?
| > | >
| > | > We can only enter the desired domain name during the dcpromo
process.
| > When
| > | > you configure the DNS server, we need to configure the name of the
| > forward
| > | > lookup zone, and make sure the zone name is the same as the desired
| > domain
| > | > name or be a logical DNS container for that name.
| > | >
| > | > *****
| > | >
| > | > The domain account is invalid after you rebuild the domain. When
you
| > log on
| > | > the workstation as Administrator, you can take ownership of the
domain
| > > users' folders even if the domain is invalid.
| > | >
| > | > NOTE: Make sure that you have decrypted all the EFS files before
demote
| > the
| > | > DC. For related information, check the article below.
| > | >
| > | > 276239 Unable to Recover Encrypted Files After the Domain
Controller Is
| > | > Demoted
| > | > http://support.microsoft.com/?id=276239
| > | >
| > | > --------------------
| > | > | From: "Joel Finkel" <[email protected]>
| > | > | Subject: Re: Cannot find a primary authoritative DNS server
| > | > | Date: Wed, 6 Aug 2003 00:55:47 -0500
| > | > | Newsgroups: microsoft.public.win2000.dns
| > | > |
| > | > | Vivien,
| > | > | Now you have me a bit confused. I am prepared to sacrifice my
| > netowrk
| > | > logins to save my installed programs. Therefore, rather than start
| > with a
| > | > brand-new installation of Windows 2003 Server (at this time) I will
| > simply
| > | > break apart the domain and rebuild it.
| > | > | According to 237675 Setting Up the Domain Name System for Active
| > Directory
Click to expand...
| > (http://support.microsoft.com/default.aspx?scid=kb;en-us;237675)
| > | > the proper way to do this is to configure DNS and then promote to a
| > PDC.
| > | > This is why I put the steps in the order I did.
| > | > | Therefore, I do not understand your point #2:
| > | > | > 2. You need to enter the correct domain name when DCPROMO runs.
You
| > | > cannot
| > | > | > rename the domain at step 4).
| > | > | Thanks for clearing this up for me.
| > | > | One more question concerning my main login account that I use on
my
| > | > workstation(s). Since it is a domain account, I assume that when
the
| > | > domain is rebuilt it will no longer be valid. Is this correct?
What
| > are
| > | > the implications? For example, what happens to all the settings in
the
| > | > Documents and Settings for that login? The folder is NOT owned by
the
| > > domain user, but by the workstation Administrator account. I assume
I >
| > should ensure that nothng on any workstation is owned by any domain
object,
| > | > correct?
| > | > | Thanks,
| > | > | Joel Finkel
message
| > | > | > | > | > Hello,
| > | > | >
| > | > | > The process below is almost OK.
| > | > | >
| > | > | > You may want to pay attention to the following points:
| > | > | >
| > | > | > 1. When you configure the DNS server, the name of the forward
| > lookup
| > | > zone
| > | > | > must be the same as the name of the Active Directory domain or
be a
| > | > logical
| > | > | > DNS container for that name
| > | > | >
| > | > | > 2. You need to enter the correct domain name when DCPROMO runs.
You
| > | > cannot
| > | > | > rename the domain at step 4).
| > | > | >
| > | > | > Thanks.
| > | > | >
| > | > | > --------------------
| > | > | > | From: "Joel Finkel" <[email protected]>
| > | > | > | Subject: Re: Cannot find a primary authoritative DNS server
| > | > | > | Date: Tue, 5 Aug 2003 09:57:09 -0500
| > | > | > | Newsgroups: microsoft.public.win2000.dns
| > | > | > |
| > | > | > | Vivien,
| > | > | > |
| > | > | > | Thank you for the very helpful resources. What is your
opinion
| > of the
| > | > | > | following short-term strategy:
| > | > | > |
| > | > | > | 1) Remove all workstations from the domain "SDI_DOMAIN"
| > | > | > | 2) Demote my Windows 2000 Server from a PDC
| > | > | > | 3) Uninstall DNS
| > | > | > | 4) Rename the domain to "SD-IL.CORP"
| > | > | > | 5) Install DNS and re-configure it
| > | > | > | 6) Promote the Windows 2000 Server to a PDC
| > | > | > | 7) Recreate my main user login
| > | > | > | 8) Rejoin workstations to domain "SD-IL.CORP"
| > | > | > |
| > | > | > | Thanks again.
| > | > | > |
| > | > | > | /Joel
| > | > | > |
| > | > | > |
| > | > | > |
message
| > | > | > | | > | > | > | > Hello,
| > | > | > | >
| > | > | > | > If you would like to build up a fresh Windows Server 2003
| > system,
| > | > please
| > | > | > | > refer to the articles below.
| > | > | > | >
| > | > | > | > 816584 HOW TO: Set Up the Domain Name System for Active
| > Directory in
| > | > | > | Windows
| > | > | > | > http://support.microsoft.com/?id=816584
| > | > | > | >
| > | > | > | > 324753 HOW TO: Create an Active Directory Server in Windows
| > Server
| > | > 2003
| > | > | > | > http://support.microsoft.com/?id=324753
| > | > | > | >
| > | > | > | > 816106 How to Verify an Active Directory Installation in
| > Windows
| > | > Server
| > | > | > | 2003
| > | > | > | > http://support.microsoft.com/?id=816106
| > | > | > | >
| > | > | > | > Active Directory Migration tool (ADMT) can be used to
migrate
| > users,
| > | > | > | > groups, and computers.
| > | > | > | >
| > | > | > | > For more information about ADMT, visit the following
Microsoft
| > Web
| > | > site:
| > | > | > | >
| > | > | > | > Active Directory Migration Tool Overview
| > | > | > | >
| > | > | > |
| > | > | >
| > | >
| >
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adm
| > | > | > | > t.asp
| > | > | > | >
| > | > | > | > 326480 How to Use Active Directory Migration Tool Version 2
to
| > > Migrate
| > | > | > | from
| > | > | > | > http://support.microsoft.com/?id=326480
| > | > | > | >
| > | > | > | > Thanks.
| > | > | > | >
| > | > | > | > --------------------
| > | > | > | > | From: "Joel Finkel" <[email protected]>
| > | > | > | > | Subject: Re: Cannot find a primary authoritative DNS
server
| > | > | > | > | Date: Tue, 5 Aug 2003 01:00:14 -0500
| > | > | > | > | Newsgroups: microsoft.public.win2000.dns
| > | > | > | >
| > | > | > | > | Ace,
| > | > | > | > |
| > | > | > | > | Thanks. This is quite hilarious. Fortunately, I have a
very
| > | > small
| > | > | > set
| > | > | > | of
| > | > | > | > | logins. In addition, the server does not have an
inordinate
| > > number of
| > | > | > | > | applications that I would have to reinstall if I simply
| > started
| > | > over.
| > | > | > | > |
| > | > | > | > | Could you please explain the ramifications of simply
| > installing a
| > | > | > fresh
| > | > | > | > | Windows 2003 Server, setting it up properly to begin
with.
| > What
| > | > do I
| > | > | > | > have
| > | > | > | > | to do to my XP Pro workstation, for example,
"sdi-work-1,"
| > which
| > | > is a
| > | > | > | > member
| > | > | > | > | of the current domain? Do I remove it from the domain
before
| > I
| > | > | > rebuild
| > | > | > | > the
| > | > | > | > | server?
| > | > | > | > |
| > | > | > | > | BTW, I am running in mixed mode, so I could execute this
little
Click to expand...
| > | > (or
| > | > | > not
| > | > | > | so
| > | > | > | > | little) trick. But this is actually an NT3.4 -> NT4.0 ->
| > Windows
| > | > 2000
| > | > | > | OS.
| > | > | > | > | It's probably time I rebuilt it all, anyway.
| > | > | > | > |
| > | > | > | > | Thanks for you help!
| > | > | > | > |
| > | > | > | > | /Joel
| > | > | > | > | (e-mail address removed)
| > | > | > | > |
| > | > | > | > |
| > | > | > | > | "Ace Fekay [MVP]"
| > | > | > <PleaseSubstituteMyFirstName&[email protected]>
| > | > | > | > | wrote in message
| > | > | > | > | > In | > | > | > | > | > Joel Finkel <[email protected]>, posted their thoughts,
then I
| > | > offered
| > | > | > my
| > | > | > | > | > thoughts down below:
| > | > | > | > | > > I have a small LAN. It has a single Windows 2000
Server,
| > | > which is
| > | > | > | > | > > set up as a PDC, DNS server, DHCP server, and the
gateway
| > to
| > | > the
| > | > | > | > | > > internet. I have several internal workstations.
| > | > | > | > | > >
| > | > | > | > | > > The domain name is SDI_DOMAIN. This is an internal
name
| > only.
| > | > | > | > | > >
| > | > | > | > | > > The PDC is, unfortunately, named SDI_SERVER_1.
| > | > | > | > | > >
| > | > | > | > | > > In order to remove the underscores from the server
name
| > of a
| > | > > Windows
| > | > | > | > | > > 2000 PDC, one has to demote it. To save the AD
settings,
| > I
| > | > need
| > | > | > to
| > | > | > | > | > > establish a BDC. After installing Windows 2000
Server on
| > a
| > | > new
| > | > | > | > | > > machine, I attempted to promote it, but it could not
| > successfully
Click to expand...
| > | > | > | > | > > attach to the PDC.
| > | > | > | > | > >
| > | > | > | > | > > This led me investigate the DNS on the PDC.
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > > I am unable to resolve the following error:
| > | > | > | > | > >
| > | > | > | > | > > DNS test . . . . . . . . . . . . . : Failed
| > | > | > | > | > > [WARNING] The DNS host name
'SDI_SERVER_1.SDI_DOMAIN'
| > | > valid
| > | > | > only
| > | > | > | > | > > on Windows 2000 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
| > | > | > | > | > > [WARNING] Cannot find a primary
authoritative
| > DNS
| > | > server
| > | > | > | > | > > for the name
| > | > | > | > | > > 'SDI_SERVER_1.SDI_DOMAIN.'.
| > [RCODE_SERVER_FAILURE]
| > | > | > | > | > > The name 'SDI_SERVER_1.SDI_DOMAIN.' may
not be
| > | > | > | registered
| > | > | > | > | > > in DNS.
| > | > | > | > | > > [FATAL] File \config\netlogon.dns contains
invalid
| > DNS
| > | > | > | > | > > entries. [FATAL] File \config\netlogon.dns
contains
| > | > invalid
| > | > | > | DNS
| > | > | > | > | > > entries. [WARNING] The DNS entries for this DC
cannot be
Click to expand...
| > | > | > | > | > > verified right now on DNS server 216.231.41.2,
| > ERROR_TIMEOUT.
| > | > | > | > | > > [FATAL] No DNS servers have the DNS records for
this
| > DC
| > | > | > | > | > > registered.
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > > This is the log from net config rdr:
| > | > | > | > | > >
| > | > | > | > | > > Computer name \\SDI_SERVER_1
| > | > | > | > | > > Full Computer name
| > SDI_SERVER_1.SDI_DOMAIN
| > | > | > | > | > > User name Administrator
| > | > | > | > | > >
| > | > | > | > | > > Workstation active on
| > | > | > | > | > > NetbiosSmb (000000000000)
| > | > | > | > | > > NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B}
| > | > (00A0CC62262A)
| > | > | > | > | > >
| > | > | > | > | > > Software version Windows 2000
| > | > | > | > | > >
| > | > | > | > | > > Workstation domain SDI_DOMAIN
| > | > | > | > | > > Workstation Domain DNS Name sdi_domain
| > | > | > | > | > > Logon domain SDI_DOMAIN
| > | > | > | > | > >
| > | > | > | > | > > COM Open Timeout (sec) 0
| > | > | > | > | > > COM Send Count (byte) 16
| > | > | > | > | > > COM Send Timeout (msec) 250
| > | > | > | > | > > The command completed successfully.
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > > All application level protocols work fine. I can
ping
| > every
| > | > > machine
| > | > | > | > | > > from every machine.
| > | > | > | > | > >
| > | > | > | > | > > The PDC has an IP of 192.168.0.1
| > | > | > | > | > >
| > | > | > | > | > > On its NIC, I have set up TCP/IP:
| > | > | > | > | > > - it uses the DNS server at 192.168.0.1
| > | > | > | > | > > - it appends primary and connection specific DNS
suffixes
Click to expand...
| > | > | > | > | > > - it appends parent suffixes of the primary DNS
suffix
| > | > | > | > | > > - it has no list of additional DNS suffixes
| > | > | > | > | > > - it registers this connection's address in DNS
| > | > | > | > | > >
| > | > | > | > | > > DNS is configured:
| > | > | > | > | > > - the only Forward Lookup Zone is "sdi_domain"
| > | > | > | > | > > - NS Record: "sdi_server_1.sdi_domain."
| > | > | > | > | > > - A records: one for each node in the network
| > | > | > (192.168.0.1 -
| > | > | > | > | > > 192.168.0.5)
| > | > | > | > | > >
| > | > | > | > | > > - there is only one AD-integrated Reverse Lookup
Zone
| > | > | > | > | > > - I had to add the nodes manually, the
pointer
| > | > records did
| > | > | > | > | > > not propagate.
| > | > | > | > | > > I understand that this may be a known bug.
| > | > | > | > | > > It may, however, be associated with my
problem.
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > >
| > | > | > | > | > > I tried to run DcDiag.exe, but it gave me an error:
| > "Entry
| > | > point
| > | > | > | > | > > DSIsMangledDnW could not be located in dynamic link
| > library
| > | > | > | > | > > NTDSAPI.dll"
| > | > | > | > | > >
| > | > | > | > | > > My head hurts, and my wall has a fairly large hole in
it.
| > I
| > | > am
| > | > | > | > | > > hoping someone can assist me in solving this issue.
| > | > | > | > | > >
| > | > | > | > | > > Thanks in advance for all suggestions.
| > | > | > | > | > >
| > | > | > | > | > > -Joel Finkel
| > | > | > | > | > > (e-mail address removed)
| > | > | > | > | >
| > | > | > | > | > There are two issues here Joel, one minor, one major.
| > | > | > | > | >
| > | > | > | > | > First, the minor issue.
| > | > | > | > | > The nslookup error is benign. All it's doing is trying
to
| > tell
| > | > you
| > | > | > | what
| > | > | > | > | the
| > | > | > | > | > name of the DNS server it's using is. That's it.
Otherwise,
| > it
| > | > still
| > | > | > | > works
| > | > | > | > | > with subsequent commands. The way it finds it, is it
looks
| > in
| > | > your
| > | > | > | > reverse
| > | > | > | > | > zone (based on your subnet) that you have created,
looks up
| > the
| > | > IP,
| > | > | > | and
| > | > | > | > | > tells you what the name is. That's it. Now if you don;t
| > have a
| > | > > reverse
| > | > | > | > | zone,
| > | > | > | > | > or if you do have a reverse zone, but you don't have a
PTR
| > > entry for
| > | > | > | the
| > | > | > | > | DNS
| > | > | > | > | > address, then the error.
| > | > | > | > | >
| > | > | > | > | > Second, the major issue.
| > | > | > | > | > You have a single label domain name, on top of which
you
| > have
| > | > | > | > underscores.
| > | > | > | > | > The domain name: SDI_DOMAIN is of invalid DNS format.
| > | > | > | > | > It should be something to the effect of:
| > | > | > | > | > sdi-domain.com
| > | > | > | > | > sdi-domain.net
| > | > | > | > | > sdi-domain.corp
| > | > | > | > | > sdi-domain.joel
| > | > | > | > | > etc...
| > | > | > | > | >
| > | > | > | > | > Hence all the errors.
| > | > | > | > | >
| > | > | > | > | > So there's a double bubble going on.
| > | > | > | > | >
| > | > | > | > | > Theres is a reg entry you can implement to overcome the
| > single
| > | > label
| > | > | > | > name.
| > | > | > | > | > It's nmore of a "bandaid". Not recommended. Actually
| > | > recommended to
| > | > | > | fix
| > | > | > | > it
| > | > | > | > | > somehow first. Unfortunately, if the AD name is
SDI_DOMAIN,
| > and
| > | > not
| > | > | > of
| > | > | > | > the
| > | > | > | > | > proper form, then it's a tough one. If the actual AD
domain
| > | > name was
| > | > | > | of
| > | > | > | > | > proper form, I have a script that can fix it, but since
AD
| > is
| > | > single
| > | > | > | > label
| > | > | > | > | > named, it doesn't look good.
| > | > | > | > | >
| > | > | > | > | > To remove the underscore, renaming the machine name is
almost
Click to expand...
| > | > | > | impossible
| > | > | > | > | > too.
| > | > | > | > | >
| > | > | > | > | > Tell you what, if your domain is still in mixed mode,
and
| > if
| > | > you
| > | > | > still
| > | > | > | > | have
| > | > | > | > | > any NT4 BDCs around or a machine that you can install
an
| > NT4
| > | > BDC
| > | > | > into
| > | > | > | > the
| > | > | > | > | AD
| > | > | > | > | > domain, then we can make this work. We can use that for
a
| > swing
| > | > | > | > | > operation/migration as to not lose your user accounts.
| > | > | > | > | >
| > | > | > | > | > Install the BDC, dump the W2k box flat out.
| > | > | > | > | > Promote the BDC to a PDC.
| > | > | > | > | > Install NT4 on the original w2k box,
| > | > | > | > | > Promote that to a PDC,
| > | > | > | > | > Properly set the DNS suffix first. That's done in NT4's
| > TCP/IP
| > | > | > | > properties.
| > | > | > | > | > This domain name will be transformed into the Primary
DNS
| > | > Suffix.
| > | > | > Make
| > | > | > | > | sure
| > | > | > | > | > the name is a proper DNS domain name, as mentioned
above.
| > | > | > | > | > Then upgrade it to W2k. When DCPROMO runs during the
| > upgrade,
| > | > choose
| > | > | > | the
| > | > | > | > | > proper domain name that you set above.
| > | > | > | > | >
| > | > | > | > | > Ok, here's a link that explains this swing method:
| > | > | > | > | >
| > | > | > | > | > Q292541 - How to Rename the DNS name of a Windows 2000
Domain:
Click to expand...
| > | > | > | > | >
| > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541
| > | > | > | > | >
| > | > | > | > | > If you want the bandaid for the single label name,
here;s
| > the
| > | > link.
| > | > | > | > | >
| > | > | > | > | > 300684 - Information About Configuring Windows 2000 for
| > Domains
| > | > with
| > | > | > | > | > Single-Label DNS Names:
| > | > | > | > | > http://support.microsoft.com/?id=300684
| > | > | > | > | >
| > | > | > | > | > BUT this ain't going to help the underscores and you're
| > faced
| > | > with
| > | > | > | > trying
| > | > | > | > | > the method I outlined and that artcile 292541 outlines.
| > | > | > | > | >
| > | > | > | > | > Sorry to be the bear of bad news...
| > | > | > | > | >
| > | > | > | > | >
| > | > | > | > | > --
| > | > | > | > | > Regards,
| > | > | > | > | > Ace
| > | > | > | > | >
| > | > | > | > | > Please direct all replies to the newsgroup so all can
| > benefit.
| > | > | > | > | >
| > | > | > | > | > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
| > | > | > | > | > Microsoft Windows MVP - Active Directory
| > | > | > | > | > --
| > | > | > | > | > =================================
| > | > | > | > | >
| > | > | > | > | >
| > | > | > | > | >
| > | > | > | > |
| > | > | > | > |
| > | > | > | > |
| > | > | > | >
| > | > | > | > Sincerely,
| > | > | > | >
| > | > | > | > Vivien Wu
| > | > | > | > MCSA, MCSE2000 and MCDBA2000
| > | > | > | > Microsoft Partner Online Support
| > | > | > | >
| > | > | > | >
| > | > | > | > Get Secure! - www.microsoft.com/security
| > | > | > | >
| > | > | > | > ====================================================
| > | > | > | > When responding to posts, please Reply to Group via your
| > newsreader
| > | > so
| > | > | > | > that others may learn and benefit from your issue.
| > | > | > | > ====================================================
| > | > | > | > This posting is provided AS IS with no warranties, and
confers
| > no
| > | > | > rights.
| > | > |
| >
| >
| > Sincerely,
| >
| > Vivien Wu
| > MCSA, MCSE2000 and MCDBA2000
| > Microsoft Partner Online Support
| >
| >
| > Get Secure! - www.microsoft.com/security
| >
| > ====================================================
| > When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
Click to expand...
| > ====================================================
| > This posting is provided AS IS with no warranties, and confers no
rights.
| >
|

Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
Click to expand...
 
Hello,

Thanks for posting your results and good news here. It is a pleasure to
work with you and we look forward to seeing you in the newsgroups again.

--------------------
| From: "Joel Finkel" <[email protected]>
| Subject: Re: Cannot find a primary authoritative DNS server
| Date: Fri, 8 Aug 2003 10:42:43 -0500
| Newsgroups: microsoft.public.win2000.dns
|
| Viven,
| Thanks! Great stuff. This script solved the main problem. The NETLOGON
errors were solved by stopping the NET LOGON service and then deleting both
%systemroot%/system32/config/netlogon.dnb & netlogon.dns, which both had
entries from the old domain. When NET LOGON was started again, these files
were re-created properly. The errors therefore disappeared.
| In the short run, I am glad I chose to solve my initial two issues
(underscores in the computer name and a malformed domain name) by going
through this process, as it was a good learning experience. It was many
years ago that I first configured this domain (as a Windows NT 3.5 server).
Had I had a better grasp of things way back in the day, I would not have
had to solve these problems today.
| Thanks for the support!
| Regards,
| Joel Finkel
| (e-mail address removed)
| > Hello,
| >
| > The full compute name should be computername.domain.suffix.
SDI-SERVER-1 is
| > considered a disjoint or disjointed name space.
| >
| > You can use the FixDomainSuffix.vbs script to correct the problem on
the
| > Domain Controller and then reboot the Domain Controller.
| >
| > For more information about FixDomainSuffix.vbs, I have sent email to
you.
| >
| > Thanks.
| >
| > --------------------
| > | From: "Joel Finkel" <[email protected]>
| > || Subject: Re: Cannot find a primary authoritative DNS server
| > | Date: Thu, 7 Aug 2003 18:42:29 -0500
| > | Newsgroups: microsoft.public.win2000.dns
| > |
| > | What a fascinating little adventure THIS has been! Without going
into
| > all of the gory details, I am almost set. But almost is not quite
| > error-free. First of all, I decided that the domain should be
sd-il.com,
| > as that is already registered. I am not going to transfer the Zone
| > records, so this should not be a problem.
| > | Therefore, when I promoted the machine to a PDC, I specified this
domain.
| > Because I had followed the instructions in Q237675, and installed and
configured a DNS server before I promoted the server, the process of
Click to expand...
| > actually promoting it generated an error, which, (ha!) I simply
ignored,
| > because the promotion continued.
| > | Everything seemed wonderful, and I was able to re-create my main user
| > login. After that I was able to login to my workstation as Admin, join
the
| > domain, and, viola, everything was great. I was able to login with my
main
| > user login and actually restore all my desktop and application settings.
| > | Within an hour, all communication between the workstation and the
server
| > failed. They could not even ping each other. The server log files
showed
| > inordinate number of DNS errors, as well as errors from support
| > applications I had never seen before.
| > | I destroyed the domain once again, and rebuilt it, using the exact
same
| > agenda. Except this time I did not install or configure DNS before
| > promoting the server. This time there were no errors. The forward and
| > reverse zones were created corrected. After I established the
workstation
| > as a member of the domain, I was able to ping in both directions.
| > | This time, however, when I created the main login, jfinkel, it
created it
| > quite differently. The first time it created a directory:
jfinkel.SD-IL
| > but this time it simply created jfinkel. I have only spent the past 10
| > hours recovering everything. I am at a complete loss to explain why.
| > | The only problem is that I am now seeing two types of errors on the
PDC:
| > | 1) Every hour, I get a series of 3 System error logs. Interestingly,
the
| > Network Identification tab of System Properties show the Full Computer
Name
| > to be "SDI-SERVER-1." and the Domain to be "sd-il.com"
| > | Event Type: Error
| > | Event Source: NTDS Replication
| > | Event Category: Replication
| > | Event ID: 1411
| > | Date: 8/7/2003
| > | Time: 5:43:03 PM
| > | User: Everyone
| > | Computer: SDI-SERVER-1
| > | Description:
| > | The Directory Service failed to construct a mutual authentication
Service
| > Principal Name (SPN) for server SDI-SERVER-1. The call is denied. The
error was:
Click to expand...
| > | A Service Principal Name (SPN) could not be constructed because the
| > provided hostname is not in the necessary format.
| > |
| > | The record data is the status code.
| > | Data:
| > | 0000: 6a 21 00 00 j!..
| > | ---------
| > | Event Type: Warning
| > | Event Source: NTDS General
| > | Event Category: Global Catalog
| > | Event ID: 1655
| > | Date: 8/7/2003
| > | Time: 5:43:03 PM
| > | User: Everyone
| > | Computer: SDI-SERVER-1
| > | Description:
| > | The attempt to communicate with global catalog \\SDI-SERVER-1 failed
with
| > the following status:
| > |
| > | A Service Principal Name (SPN) could not be constructed because the
| > provided hostname is not in the necessary format.
| > |
| > | The operation in progress might be unable to continue. The directory
| > service will use the locator to try find an available global catalog
server
| > for the next operation that requires one.
| > |
| > | The record data is the status code.
| > | Data:
| > | 0000: 6a 21 00 00 j!..
| > | ---------
| > | Event Type: Error
| > | Event Source: NTDS General
| > | Event Category: Global Catalog
| > | Event ID: 1126
| > | Date: 8/7/2003
| > | Time: 5:43:03 PM
| > | User: Everyone
| > | Computer: SDI-SERVER-1
| > | Description:
| > | Unable to establish connection with global catalog.
| > | 2) These errors are begin generated constantly:
| > | Event Type: Error
| > | Event Source: NETLOGON
| > | Event Category: None
| > | Event ID: 5775
| > | Date: 8/7/2003
| > | Time: 4:58:54 PM
| > | User: N/A
| > | Computer: SDI-SERVER-1
| > | Description:
| > | Deregistration of the DNS record 'gc._msdcs.sdi_domain. 600 IN A
| > 64.81.139.116' failed with the following error:
| > | DNS name does not exist.
| > | Data:
| > | 0000: 2b 23 00 00 +#..
| > | I wonder why there is still any record with "sdi_domain" hanging
around!!
| > | Any thoughts?
| > | Regards,
| > | Joel Finkel
| > | (e-mail address removed)
| > | > | > Hello,
| > | >
| > | > I have listed the answers to your questions below.
| > | >
| > | > 1. The step 7 in 237675 is used to establish the Forward Zone,
| > sd-il.corp.
| > | >
| > | > 2. You need to specify the domain name when you run dcpromo.
| > | >
| > | > Thanks.
| > | >
| > | > --------------------
| > | > | From: "Joel Finkel" <[email protected]>
| > | > | Subject: Re: Cannot find a primary authoritative DNS server
| > | > | Date: Wed, 6 Aug 2003 09:57:01 -0500
| > | > | Newsgroups: microsoft.public.win2000.dns
| > | > |
| > | > | Vivien,
| > | > | I want the name of the machine to be: sdi-server-1
| > | > | I want the name of the domain to be: sd-il.corp
| > | > | Looking at 237675 Setting Up the Domain Name System for Active
| > | > | Directory
| > | > (http://support.microsoft.com/default.aspx?scid=kb;en-us;237675) >
| > | In the section: Configure the DNS Server Using DNS Manager
| > | > | Step # 7:
| > | > | a.. The new zone contains the locator records for this Active
| > Directory
| > | > domain. The name of the zone must be the same as the name of the
Active
| > | > Directory domain, or be a logical DNS container for that name.
| > | > | For example, if the Active Directory domain is named
| > | > "support.microsoft.com", legal zone names are
"support.microsoft.com",
| > > "microsoft.com", or "com". Type the name of the zone, and then click
Next.
| > | > | NOTE: If you name the zone "com" we will believe that we are
| > | > authoritative for the "com" domain and never forward any requests
that
| > we
| > | > can not answer out to the real "com" domain servers. The same would
be
| > true
| > | > if you named it "microsoft.com", you would never use your forwarder
to
| > > resolve requests from the real "microsoft.com" servers.
| > | > | QUESTION: I this not the step I first establish the new domain,
| > sd-il.corp, that is, when I perfom this step to establish the Forward
Click to expand...
| > Zone,
| > | > sd-il.corp?
| > | > | QUESTION: I will have to specifiy this domain again when I run
| > dcpromo,
| > | > correct?
| > | > | Thanks for the warning about the encrypted files. That is not a
problem
Click to expand...
| > | > I will encountner.
| > | > | -Joel
message
| > | > | > | > | > Hello Joel,
| > | > | >
| > | > | > It is right that you configure DNS and then promote it to a
PDC.
| > | > However, I
| > | > | > am not sure how you rename the domain at step 4. Do you mean
that
| > you
| > | > want
| > | > | > to change the computer name?
| > | > | >
| > | > | > We can only enter the desired domain name during the dcpromo
| > process.
| > | > When
| > | > | > you configure the DNS server, we need to configure the name of
the
| > | > forward
| > | > | > lookup zone, and make sure the zone name is the same as the
desired
| > | > domain
| > | > | > name or be a logical DNS container for that name.
| > | > | >
| > | > | > *****
| > | > | >
| > | > | > The domain account is invalid after you rebuild the domain.
When
| > you
| > | > log on
| > | > | > the workstation as Administrator, you can take ownership of the
| > domain
| > | > > users' folders even if the domain is invalid.
| > | > | >
| > | > | > NOTE: Make sure that you have decrypted all the EFS files
before
| > demote
| > | > the
| > | > | > DC. For related information, check the article below.
| > | > | >
| > | > | > 276239 Unable to Recover Encrypted Files After the Domain
| > Controller Is
| > | > | > Demoted
| > | > | > http://support.microsoft.com/?id=276239
| > | > | >
| > | > | > --------------------
| > | > | > | From: "Joel Finkel" <[email protected]>
| > | > | > | Subject: Re: Cannot find a primary authoritative DNS server
| > | > | > | Date: Wed, 6 Aug 2003 00:55:47 -0500
| > | > | > | Newsgroups: microsoft.public.win2000.dns
| > | > | > |
| > | > | > | Vivien,
| > | > | > | Now you have me a bit confused. I am prepared to sacrifice
my
| > | > netowrk
| > | > | > logins to save my installed programs. Therefore, rather than
start
| > | > with a
| > | > | > brand-new installation of Windows 2003 Server (at this time) I
will
| > | > simply
| > | > | > break apart the domain and rebuild it.
| > | > | > | According to 237675 Setting Up the Domain Name System for
Active
| > > | > Directory
| > | > (http://support.microsoft.com/default.aspx?scid=kb;en-us;237675) >
| > | > the proper way to do this is to configure DNS and then promote to a
| > | > PDC.
| > | > | > This is why I put the steps in the order I did.
| > | > | > | Therefore, I do not understand your point #2:
| > | > | > | > 2. You need to enter the correct domain name when DCPROMO
runs.
| > You
| > | > | > cannot
| > | > | > | > rename the domain at step 4).
| > | > | > | Thanks for clearing this up for me.
| > | > | > | One more question concerning my main login account that I use
on
| > my
| > | > | > workstation(s). Since it is a domain account, I assume that
when
| > the
| > | > | > domain is rebuilt it will no longer be valid. Is this correct?

| > What
| > | > are
| > | > | > the implications? For example, what happens to all the
settings in
| > the
| > | > | > Documents and Settings for that login? The folder is NOT owned
by
| > the
| > | > > domain user, but by the workstation Administrator account. I
assume
| > I >
| > | > should ensure that nothng on any workstation is owned by any domain
| > object,
| > | > | > correct?
| > | > | > | Thanks,
| > | > | > | Joel Finkel
| > message
| > | > | > | > | > | > | > Hello,
| > | > | > | >
| > | > | > | > The process below is almost OK.
| > | > | > | >
| > | > | > | > You may want to pay attention to the following points:
| > | > | > | >
| > | > | > | > 1. When you configure the DNS server, the name of the
forward
| > | > lookup
| > | > | > zone
| > | > | > | > must be the same as the name of the Active Directory domain
or
| > be a
| > | > | > logical
| > | > | > | > DNS container for that name
| > | > | > | >
| > | > | > | > 2. You need to enter the correct domain name when DCPROMO
runs.
| > You
| > | > | > cannot
| > | > | > | > rename the domain at step 4).
| > | > | > | >
| > | > | > | > Thanks.
| > | > | > | >
| > | > | > | > --------------------
| > | > | > | > | From: "Joel Finkel" <[email protected]>
| > | > | > | > | Subject: Re: Cannot find a primary authoritative DNS
server
| > | > | > | > | Date: Tue, 5 Aug 2003 09:57:09 -0500
| > | > | > | > | Newsgroups: microsoft.public.win2000.dns
| > | > | > | > |
| > | > | > | > | Vivien,
| > | > | > | > |
| > | > | > | > | Thank you for the very helpful resources. What is your
| > opinion
| > | > of the
| > | > | > | > | following short-term strategy:
| > | > | > | > |
| > | > | > | > | 1) Remove all workstations from the domain "SDI_DOMAIN"
| > | > | > | > | 2) Demote my Windows 2000 Server from a PDC
| > | > | > | > | 3) Uninstall DNS
| > | > | > | > | 4) Rename the domain to "SD-IL.CORP"
| > | > | > | > | 5) Install DNS and re-configure it
| > | > | > | > | 6) Promote the Windows 2000 Server to a PDC
| > | > | > | > | 7) Recreate my main user login
| > | > | > | > | 8) Rejoin workstations to domain "SD-IL.CORP"
| > | > | > | > |
| > | > | > | > | Thanks again.
| > | > | > | > |
| > | > | > | > | /Joel
| > | > | > | > |
| > | > | > | > |
| > | > | > | > |
in
| > message
| > | > | > | > | | > | > | > | > | > Hello,
| > | > | > | > | >
| > | > | > | > | > If you would like to build up a fresh Windows Server
2003
| > | > system,
| > | > | > please
| > | > | > | > | > refer to the articles below.
| > | > | > | > | >
| > | > | > | > | > 816584 HOW TO: Set Up the Domain Name System for Active
| > | > Directory in
| > | > | > | > | Windows
| > | > | > | > | > http://support.microsoft.com/?id=816584
| > | > | > | > | >
| > | > | > | > | > 324753 HOW TO: Create an Active Directory Server in
Windows
| > | > Server
| > | > | > 2003
| > | > | > | > | > http://support.microsoft.com/?id=324753
| > | > | > | > | >
| > | > | > | > | > 816106 How to Verify an Active Directory Installation
in
| > | > Windows
| > | > | > Server
| > | > | > | > | 2003
| > | > | > | > | > http://support.microsoft.com/?id=816106
| > | > | > | > | >
| > | > | > | > | > Active Directory Migration tool (ADMT) can be used to
| > migrate
| > | > users,
| > | > | > | > | > groups, and computers.
| > | > | > | > | >
| > | > | > | > | > For more information about ADMT, visit the following
| > Microsoft
| > | > Web
| > | > | > site:
| > | > | > | > | >
| > | > | > | > | > Active Directory Migration Tool Overview
| > | > | > | > | >
| > | > | > | > |
| > | > | > | >
| > | > | >
| > | >
| >
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adm
| > | > | > | > | > t.asp
| > | > | > | > | >
| > | > | > | > | > 326480 How to Use Active Directory Migration Tool
Version 2
| > to
| > | > > Migrate
| > | > | > | > | from
| > | > | > | > | > http://support.microsoft.com/?id=326480
| > | > | > | > | >
| > | > | > | > | > Thanks.
| > | > | > | > | >
| > | > | > | > | > --------------------
| > | > | > | > | > | From: "Joel Finkel said:
server
Click to expand...
| > | > | > | > | > | Date: Tue, 5 Aug 2003 01:00:14 -0500
| > | > | > | > | > | Newsgroups: microsoft.public.win2000.dns
| > | > | > | > | >
| > | > | > | > | > | Ace,
| > | > | > | > | > |
| > | > | > | > | > | Thanks. This is quite hilarious. Fortunately, I
have a
| > very
| > | > | > small
| > | > | > | > set
| > | > | > | > | of
| > | > | > | > | > | logins. In addition, the server does not have an
| > inordinate
| > | > > number of
| > | > | > | > | > | applications that I would have to reinstall if I
simply
| > | > started
| > | > | > over.
| > | > | > | > | > |
| > | > | > | > | > | Could you please explain the ramifications of simply
| > installing a
Click to expand...
| > | > | > | > fresh
| > | > | > | > | > | Windows 2003 Server, setting it up properly to begin
with.
Click to expand...
| > | > What
| > | > | > do I
| > | > | > | > | > have
| > | > | > | > | > | to do to my XP Pro workstation, for example,
| > "sdi-work-1,"
| > | > which
| > | > | > is a
| > | > | > | > | > member
| > | > | > | > | > | of the current domain? Do I remove it from the
domain
| > before
| > | > I
| > | > | > | > rebuild
| > | > | > | > | > the
| > | > | > | > | > | server?
| > | > | > | > | > |
| > | > | > | > | > | BTW, I am running in mixed mode, so I could execute
this
| > > little
| > | > | > (or
| > | > | > | > not
| > | > | > | > | so
| > | > | > | > | > | little) trick. But this is actually an NT3.4 ->
NT4.0 ->
| > | > Windows
| > | > | > 2000
| > | > | > | > | OS.
| > | > | > | > | > | It's probably time I rebuilt it all, anyway.
| > | > | > | > | > |
| > | > | > | > | > | Thanks for you help!
| > | > | > | > | > |
| > | > | > | > | > | /Joel
| > | > | > | > | > | (e-mail address removed)
| > | > | > | > | > |
| > | > | > | > | > |
| > | > | > | > | > | "Ace Fekay [MVP]"
| > | > | > | > <PleaseSubstituteMyFirstName&[email protected]>
| > | > | > | > | > | wrote in message
| > | > | > | > | > | > | > In | > | > | > | > | > | > Joel Finkel <[email protected]>, posted their
thoughts,
| > then I
| > | > | > offered
| > | > | > | > my
| > | > | > | > | > | > thoughts down below:
| > | > | > | > | > | > > I have a small LAN. It has a single Windows 2000
| > Server,
| > | > | > which is
| > | > | > | > | > | > > set up as a PDC, DNS server, DHCP server, and the
| > gateway
| > | > to
| > | > | > the
| > | > | > | > | > | > > internet. I have several internal workstations.
| > | > | > | > | > | > >
| > | > | > | > | > | > > The domain name is SDI_DOMAIN. This is an
internal
| > name
| > | > only.
| > | > | > | > | > | > >
| > | > | > | > | > | > > The PDC is, unfortunately, named SDI_SERVER_1.
| > | > | > | > | > | > >
| > | > | > | > | > | > > In order to remove the underscores from the
server
| > name
| > | > of a
| > | > | > > Windows
| > | > | > | > | > | > > 2000 PDC, one has to demote it. To save the AD
| > settings,
| > | > I
| > | > | > need
| > | > | > | > to
| > | > | > | > | > | > > establish a BDC. After installing Windows 2000
| > Server on
| > | > a
| > | > | > new
| > | > | > | > | > | > > machine, I attempted to promote it, but it could
not
| > > | > successfully
| > | > | > | > | > | > > attach to the PDC.
| > | > | > | > | > | > >
| > | > | > | > | > | > > This led me investigate the DNS on the PDC.
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > > I am unable to resolve the following error:
| > | > | > | > | > | > >
| > | > | > | > | > | > > DNS test . . . . . . . . . . . . . : Failed
| > | > | > | > | > | > > [WARNING] The DNS host name
| > 'SDI_SERVER_1.SDI_DOMAIN'
| > | > | > valid
| > | > | > | > only
| > | > | > | > | > | > > on Windows 2000 DNS Servers.
[DNS_ERROR_NON_RFC_NAME]
| > | > | > | > | > | > > [WARNING] Cannot find a primary
| > authoritative
| > | > DNS
| > | > | > server
| > | > | > | > | > | > > for the name
| > | > | > | > | > | > > 'SDI_SERVER_1.SDI_DOMAIN.'.
| > | > [RCODE_SERVER_FAILURE]
| > | > | > | > | > | > > The name 'SDI_SERVER_1.SDI_DOMAIN.'
may
| > not be
| > | > | > | > | registered
| > | > | > | > | > | > > in DNS.
| > | > | > | > | > | > > [FATAL] File \config\netlogon.dns contains
| > invalid
| > | > DNS
| > | > | > | > | > | > > entries. [FATAL] File \config\netlogon.dns
contains
Click to expand...
| > | > | > invalid
| > | > | > | > | DNS
| > | > | > | > | > | > > entries. [WARNING] The DNS entries for this
DC
| > > cannot be
| > | > | > | > | > | > > verified right now on DNS server 216.231.41.2,
| > | > ERROR_TIMEOUT.
| > | > | > | > | > | > > [FATAL] No DNS servers have the DNS records
for
| > this
| > | > DC
| > | > | > | > | > | > > registered.
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > > This is the log from net config rdr:
| > | > | > | > | > | > >
| > | > | > | > | > | > > Computer name
\\SDI_SERVER_1
| > | > | > | > | > | > > Full Computer name
| > | > SDI_SERVER_1.SDI_DOMAIN
| > | > | > | > | > | > > User name Administrator
| > | > | > | > | > | > >
| > | > | > | > | > | > > Workstation active on
| > | > | > | > | > | > > NetbiosSmb (000000000000)
| > | > | > | > | > | > >
NetBT_Tcpip_{EC6D6F96-BEFE-47AF-BF1E-107A427CAF1B}
| > | > | > (00A0CC62262A)
| > | > | > | > | > | > >
| > | > | > | > | > | > > Software version Windows 2000
| > | > | > | > | > | > >
| > | > | > | > | > | > > Workstation domain SDI_DOMAIN
| > | > | > | > | > | > > Workstation Domain DNS Name sdi_domain
| > | > | > | > | > | > > Logon domain SDI_DOMAIN
| > | > | > | > | > | > >
| > | > | > | > | > | > > COM Open Timeout (sec) 0
| > | > | > | > | > | > > COM Send Count (byte) 16
| > | > | > | > | > | > > COM Send Timeout (msec) 250
| > | > | > | > | > | > > The command completed successfully.
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > > All application level protocols work fine. I can
| > ping
| > | > every
| > | > | > > machine
| > | > | > | > | > | > > from every machine.
| > | > | > | > | > | > >
| > | > | > | > | > | > > The PDC has an IP of 192.168.0.1
| > | > | > | > | > | > >
| > | > | > | > | > | > > On its NIC, I have set up TCP/IP:
| > | > | > | > | > | > > - it uses the DNS server at 192.168.0.1
| > | > | > | > | > | > > - it appends primary and connection specific
DNS
| > > suffixes
| > | > | > | > | > | > > - it appends parent suffixes of the primary
DNS
| > suffix
| > | > | > | > | > | > > - it has no list of additional DNS suffixes
| > | > | > | > | > | > > - it registers this connection's address in
DNS
| > | > | > | > | > | > >
| > | > | > | > | > | > > DNS is configured:
| > | > | > | > | > | > > - the only Forward Lookup Zone is "sdi_domain"
| > | > | > | > | > | > > - NS Record: "sdi_server_1.sdi_domain."
| > | > | > | > | > | > > - A records: one for each node in the
network
| > | > | > | > (192.168.0.1 -
| > | > | > | > | > | > > 192.168.0.5)
| > | > | > | > | > | > >
| > | > | > | > | > | > > - there is only one AD-integrated Reverse
Lookup
| > Zone
| > | > | > | > | > | > > - I had to add the nodes manually, the
| > pointer
| > | > | > records did
| > | > | > | > | > | > > not propagate.
| > | > | > | > | > | > > I understand that this may be a known
bug.
| > | > | > | > | > | > > It may, however, be associated with my
problem.
Click to expand...
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > >
| > | > | > | > | > | > > I tried to run DcDiag.exe, but it gave me an
error:
| > | > "Entry
| > | > | > point
| > | > | > | > | > | > > DSIsMangledDnW could not be located in dynamic
link
| > | > library
| > | > | > | > | > | > > NTDSAPI.dll"
| > | > | > | > | > | > >
| > | > | > | > | > | > > My head hurts, and my wall has a fairly large
hole in
| > it.
| > | > I
| > | > | > am
| > | > | > | > | > | > > hoping someone can assist me in solving this
issue.
| > | > | > | > | > | > >
| > | > | > | > | > | > > Thanks in advance for all suggestions.
| > | > | > | > | > | > >
| > | > | > | > | > | > > -Joel Finkel
| > | > | > | > | > | > > (e-mail address removed)
| > | > | > | > | > | >
| > | > | > | > | > | > There are two issues here Joel, one minor, one
major.
| > | > | > | > | > | >
| > | > | > | > | > | > First, the minor issue.
| > | > | > | > | > | > The nslookup error is benign. All it's doing is
trying
| > to
| > | > tell
| > | > | > you
| > | > | > | > | what
| > | > | > | > | > | the
| > | > | > | > | > | > name of the DNS server it's using is. That's it.
| > Otherwise,
| > | > it
| > | > | > still
| > | > | > | > | > works
| > | > | > | > | > | > with subsequent commands. The way it finds it, is
it
| > looks
| > | > in
| > | > | > your
| > | > | > | > | > reverse
| > | > | > | > | > | > zone (based on your subnet) that you have created,
looks up
Click to expand...
| > | > the
| > | > | > IP,
| > | > | > | > | and
| > | > | > | > | > | > tells you what the name is. That's it. Now if you
don;t
| > | > have a
| > | > | > > reverse
| > | > | > | > | > | zone,
| > | > | > | > | > | > or if you do have a reverse zone, but you don't
have a
| > PTR
| > | > > entry for
| > | > | > | > | the
| > | > | > | > | > | DNS
| > | > | > | > | > | > address, then the error.
| > | > | > | > | > | >
| > | > | > | > | > | > Second, the major issue.
| > | > | > | > | > | > You have a single label domain name, on top of
which
| > you
| > | > have
| > | > | > | > | > underscores.
| > | > | > | > | > | > The domain name: SDI_DOMAIN is of invalid DNS
format.
| > | > | > | > | > | > It should be something to the effect of:
| > | > | > | > | > | > sdi-domain.com
| > | > | > | > | > | > sdi-domain.net
| > | > | > | > | > | > sdi-domain.corp
| > | > | > | > | > | > sdi-domain.joel
| > | > | > | > | > | > etc...
| > | > | > | > | > | >
| > | > | > | > | > | > Hence all the errors.
| > | > | > | > | > | >
| > | > | > | > | > | > So there's a double bubble going on.
| > | > | > | > | > | >
| > | > | > | > | > | > Theres is a reg entry you can implement to overcome
the
| > | > single
| > | > | > label
| > | > | > | > | > name.
| > | > | > | > | > | > It's nmore of a "bandaid". Not recommended.
Actually
| > | > | > recommended to
| > | > | > | > | fix
| > | > | > | > | > it
| > | > | > | > | > | > somehow first. Unfortunately, if the AD name is
| > SDI_DOMAIN,
| > | > and
| > | > | > not
| > | > | > | > of
| > | > | > | > | > the
| > | > | > | > | > | > proper form, then it's a tough one. If the actual
AD
| > domain
| > | > | > name was
| > | > | > | > | of
| > | > | > | > | > | > proper form, I have a script that can fix it, but
since
| > AD
| > | > is
| > | > | > single
| > | > | > | > | > label
| > | > | > | > | > | > named, it doesn't look good.
| > | > | > | > | > | >
| > | > | > | > | > | > To remove the underscore, renaming the machine name
is
| > > almost
| > | > | > | > | impossible
| > | > | > | > | > | > too.
| > | > | > | > | > | >
| > | > | > | > | > | > Tell you what, if your domain is still in mixed
mode,
| > and
| > | > if
| > | > | > you
| > | > | > | > still
| > | > | > | > | > | have
| > | > | > | > | > | > any NT4 BDCs around or a machine that you can
install
| > an
| > | > NT4
| > | > | > BDC
| > | > | > | > into
| > | > | > | > | > the
| > | > | > | > | > | AD
| > | > | > | > | > | > domain, then we can make this work. We can use that
for
| > a
| > | > swing
| > | > | > | > | > | > operation/migration as to not lose your user
accounts.
| > | > | > | > | > | >
| > | > | > | > | > | > Install the BDC, dump the W2k box flat out.
| > | > | > | > | > | > Promote the BDC to a PDC.
| > | > | > | > | > | > Install NT4 on the original w2k box,
| > | > | > | > | > | > Promote that to a PDC,
| > | > | > | > | > | > Properly set the DNS suffix first. That's done in
NT4's
| > | > TCP/IP
| > | > | > | > | > properties.
| > | > | > | > | > | > This domain name will be transformed into the
Primary
| > DNS
| > | > | > Suffix.
| > | > | > | > Make
| > | > | > | > | > | sure
| > | > | > | > | > | > the name is a proper DNS domain name, as mentioned
above.
Click to expand...
| > | > | > | > | > | > Then upgrade it to W2k. When DCPROMO runs during
the
| > | > upgrade,
| > | > | > choose
| > | > | > | > | the
| > | > | > | > | > | > proper domain name that you set above.
| > | > | > | > | > | >
| > | > | > | > | > | > Ok, here's a link that explains this swing method:
| > | > | > | > | > | >
| > | > | > | > | > | > Q292541 - How to Rename the DNS name of a Windows
2000
| > > Domain:
| > | > | > | > | > | >
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541
| > | > | > | > | > | >
| > | > | > | > | > | > If you want the bandaid for the single label name,
here;s
Click to expand...
| > | > the
| > | > | > link.
| > | > | > | > | > | >
| > | > | > | > | > | > 300684 - Information About Configuring Windows 2000
for
| > | > Domains
| > | > | > with
| > | > | > | > | > | > Single-Label DNS Names:
| > | > | > | > | > | > http://support.microsoft.com/?id=300684
| > | > | > | > | > | >
| > | > | > | > | > | > BUT this ain't going to help the underscores and
you're
| > | > faced
| > | > | > with
| > | > | > | > | > trying
| > | > | > | > | > | > the method I outlined and that artcile 292541
outlines.
| > | > | > | > | > | >
| > | > | > | > | > | > Sorry to be the bear of bad news...
| > | > | > | > | > | >
| > | > | > | > | > | >
| > | > | > | > | > | > --
| > | > | > | > | > | > Regards,
| > | > | > | > | > | > Ace
| > | > | > | > | > | >
| > | > | > | > | > | > Please direct all replies to the newsgroup so all
can
| > | > benefit.
| > | > | > | > | > | >
| > | > | > | > | > | > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
| > | > | > | > | > | > Microsoft Windows MVP - Active Directory
| > | > | > | > | > | > --
| > | > | > | > | > | > =================================
| > | > | > | > | > | >
| > | > | > | > | > | >
| > | > | > | > | > | >
| > | > | > | > | > |
| > | > | > | > | > |
| > | > | > | > | > |
| > | > | > | > | >
| > | > | > | > | > Sincerely,
| > | > | > | > | >
| > | > | > | > | > Vivien Wu
| > | > | > | > | > MCSA, MCSE2000 and MCDBA2000
| > | > | > | > | > Microsoft Partner Online Support
| > | > | > | > | >
| > | > | > | > | >
| > | > | > | > | > Get Secure! - www.microsoft.com/security
| > | > | > | > | >
| > | > | > | > | > ====================================================
| > | > | > | > | > When responding to posts, please Reply to Group via
your
| > | > newsreader
| > | > | > so
| > | > | > | > | > that others may learn and benefit from your issue.
| > | > | > | > | > ====================================================
| > | > | > | > | > This posting is provided AS IS with no warranties, and
confers
Click to expand...
| > | > no
| > | > | > | > rights.
| > | > | > |
| > | >
| > | >
| > | > Sincerely,
| > | >
| > | > Vivien Wu
| > | > MCSA, MCSE2000 and MCDBA2000
| > | > Microsoft Partner Online Support
| > | >
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > ====================================================
| > | > When responding to posts, please Reply to Group via your newsreader
so
| > > that others may learn and benefit from your issue.
| > | > ====================================================
| > | > This posting is provided AS IS with no warranties, and confers no
| > rights.
| > | >
| > |
| >
| > Sincerely,
| >
| > Vivien Wu
| > MCSA, MCSE2000 and MCDBA2000
| > Microsoft Partner Online Support
| >
| >
| > Get Secure! - www.microsoft.com/security
| >
| > ====================================================
| > When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
Click to expand...
| > ====================================================
| > This posting is provided AS IS with no warranties, and confers no
rights.
| >
|

Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 
Back
Top