DCPROMO in remote office

I have a site-to-site VPN connection between my main office and a remote
office. I want to set up a DC (DC2) in the remote office to join the existing
domain in my main office. I have set DC2's Local Area Network DNS settings
to point to the DNS server (DC1) at my main office. From DC2 I can ping
DC1's DNS name, but when I try to run dcpromo on DC2 I get an error
indicating there is likely a DNS problem. DNS in my main office is working
fine. I have found articles discussing moving a DC to a remote site or
staging a DC in a main site then moving it to a remote site, but not any about
setting up the first DC in a remote site.

Any assistance is appreciated. Thanks!
 
What type of firewall do you have between the two? You have probably
blocked needed ports.
 
The sites are connected via Cisco Pix 515E and 501. What ports are needed?
As I mentioned in the original message, I can ping from DC2 using the DNS
name of DC1 and it works, but nslookup from DC2 to DC1 does not work.
 
The sites are connected via Cisco 515E (main office) and 501 (remote). What
ports do I need to open? Like I said in my original post, I can ping both ways
using the DNS names of the servers at both the remote site and the main
office site.
 
Does the machine's host (A) record show up in the zone? Does the machine
have a static IP address (no offense intended)? If not, on DC2 enter a
static IP address, go to a command prompt and type: ipconfig /registerdns.
Next, join the machine to the domain and restart. When DC2 is back up,
try dcpromo again. It may be possible that the f/w is blocking something,
but start simple then try difficult. Not sure what ports may be used to
communicate...139, 389, or 443?

Chris
 
No, there isn't a host record because at this point the machine (DC2) isn't
part of the domain. I wasn't sure if I should try to have it join at this
point, but I will. And, yes, it has a static IP in its network.

Thanks (and no offense taken, Chris.)

Hugh
 
Hugh,

In my experience, it's been best to make sure the DNS server has a host
record for the server joining the domain first, and to have the server join
the domain before dcpromo. It just seems to go more smoothly.

Good luck!
Chris
 
Chris,

After your last reply I "joined" the server to my domain without incident.
I waited about an hour then ran dcpromo. I'm still getting the same error:
it can't contact the Active Directory domain controller for the domain.
Seems weird since it was able to "join" the domain. NSLOOKUP on DC2 (remote
office) gives the same results: "Can't find server name for address" (of my
main office DNS servers). Yet, if I run NSLOOKUP on my main office domain
controller (DC1), which is one of my DNS servers, it finds DC2. I think it's
got to be a DNS issue on the remote site side. Should I configure DNS on the
server that I am trying to run dcpromo on (DC2)? If so, should I copy from
an existing file on another DNS server in my domain?

Thanks for your help Chris,

Hugh
 
Hmmmm...you did say that DC2 has DC1 as the only DNS server, correct? This
isn't really the solution, but while we're talking about DNS...on DC1, do
you have it pointing to itself as the DNS server? And only itself, i.e. no
ISP DNS servers?

On DC2, CMD.EXE > ipconfig /flushdns. On DC1, stop and start the DNS service
and the NETLOGON service. Try nslookup again on DC2.

Chris
 
Chris,

First I should add that I have 2 domain controllers in the main office for
redundancy and both also run DNS. Neither has an ISP DNS configured on
it; they point to themselves. My ISP DNS is set up as Forwarders.

I did the DNS flush and stop/start of DNS Server and Netlogon (on both DCs at
the main office). The problem still exists on DC2. Since you are a "Cisco"
certified guy, do you know if I need to open any special ports on the Pix
even if I'm using a VPN tunnel? (You know everything about Cisco stuff,
right? ...sorry, couldn't resist)

Thanks,
Hugh
 
Actually, I'm not Cisco certified...but will get there sometime this year...

I saw in another post a packet capture of a server being promoted to a DC,
and the initial communication is DNS. A query is sent to the DNS server and
a reply is returned from there. I would have to say I'm stumped at this point.
What do your logs say? Errors in Event Viewer? Post DNS logs and, if you have
any errors in Event Viewer, post those as well; in particular, look in
Directory Services and DNS. I could be wrong, but it seems to me if you have
the ports open mentioned below, you should be fine. I didn't mention it
below, but 53 is another port that should be open, which normally is...it's
for DNS.
 
Hugh Norsworthy said:
> Chris,
>
> After your last reply I "joined" the server to my domain
> without incident.

Try netdiag /fix & dcdiag /fix on the current DC.

> I waited about an hour then ran dcpromo. I'm still
> getting the same error, it can't contact the active
> directory domain controller for the domain. Seems weird
> since it was able to "join" the domain. NSLOOKUP ON DC2
> (remote office) gives the same results, "Can't find
> server name for address (of my main office dns servers).
> Yet, if i run NSLOOKUP on my main office domain
> controller (DC1) which is one of my DNS servers it finds
> DC2. I think it's got to be a DNS issue on the remote
> site side. Should I configure DNS on the server that I
> am trying to run dcpromo on (DC2)?

You can install DNS but don't point the machine to itself until the AD zone
has replicated.

> If so, should I copy
> from an existing file on another dns server in my domain?

No, the zone will replicate after it is promoted, which will cause a zone
conflict if you have a secondary zone already on the server.
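The checks the thread walks through (DC2's resolver pointing only at DC1, the A and PTR records behind nslookup's "Can't find server name for address", the DC locator SRV lookup that dcpromo needs even though a plain domain join succeeded, and the ports the firewall has to pass) collected into one script to run on the candidate DC. This is an added example, not code from the thread; it needs the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8 / Server 2012 or later), and the domain name `corp.example` and DC1 address `192.0.2.10` are placeholders to replace.

```powershell
# Added pre-dcpromo DNS and port check, run on DC2 (the server to be promoted).
# ASSUMPTIONS: 'corp.example' is the AD DNS domain and 192.0.2.10 (TEST-NET-1
# placeholder) is DC1's address; neither value comes from the thread.
$Domain  = 'corp.example'
$Dc1Name = 'dc1'
$Dc1Addr = '192.0.2.10'

# 1. DC2 must resolve through an AD-integrated DNS server (DC1), not an ISP
#    resolver that knows nothing about the _msdcs records.
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
"DNS servers configured on DC2: $($servers -join ', ')"
if ($servers -notcontains $Dc1Addr) { Write-Warning "DC2 is not pointing at DC1 ($Dc1Addr)" }

# 2. Forward (A) and reverse (PTR) lookups for DC1. nslookup's
#    "Can't find server name for address" is a failed PTR lookup: the reverse
#    zone for DC1's subnet is missing or has no record for it.
try   { Resolve-DnsName "$Dc1Name.$Domain" -Type A -Server $Dc1Addr -ErrorAction Stop | Out-Null
        "A record for $Dc1Name.$Domain: OK" }
catch { Write-Warning "A record for $Dc1Name.$Domain not found: $_" }
try   { Resolve-DnsName $Dc1Addr -Type PTR -Server $Dc1Addr -ErrorAction Stop | Out-Null
        "PTR record for $Dc1Addr: OK" }
catch { Write-Warning "No PTR for $Dc1Addr (this is what nslookup complains about): $_" }

# 3. dcpromo finds a DC through the _ldap._tcp.dc._msdcs SRV record; a domain
#    join can succeed while this lookup still fails.
try {
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc1Addr -ErrorAction Stop
    "DC locator SRV targets: " + (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')
} catch { Write-Warning "No DC locator SRV record for $Domain (AD zone or resolver problem): $_" }

# 4. TCP ports a new DC needs to reach DC1 through the tunnel: the thread's
#    53, 139 and 389 plus the rest of the standard AD set (Kerberos 88,
#    RPC endpoint mapper 135, SMB 445, kpasswd 464, LDAPS 636, GC 3268/3269).
$ports = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269
foreach ($p in $ports) {
    $ok = (Test-NetConnection -ComputerName $Dc1Addr -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,5}/tcp -> DC1 : {1}" -f $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}
# UDP 53/88/389 (DNS, Kerberos, LDAP ping) and the dynamic RPC port range are
# not covered by a TCP probe; verify those separately against the PIX ACLs.
```

Run it from an elevated PowerShell session on DC2 before retrying dcpromo; any BLOCKED line or warning points at the firewall rule or DNS record to fix first.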
 