Restoring Active Directory domain


Joe Befumo

My problem is with a Windows 2003 installation, but this is the closest
newsgroup I could find. Here's the issue:

My 2003 Server (active directory) domain controller was experiencing some
difficulties, and when it became clear that it was going to have to be
rebuilt, I put a second machine on the network, installed active directory,
and configured it as another domain controller on the original domain. My
thought was that I could then rebuild the first machine, repeat the process,
then take the temporary machine off line without losing the domain setup.

The rebuilt machine joined the domain without a problem, but when I try to
install active directory on the existing domain, I get the following error:

An error occurred when DNS was queried for the service location (SRV)
resource record used to locate a domain controller for domain befumo.com.

The error was: "No records found for given DNS query."
(error code 0x0000251D DNS_INFO_NO_RECORDS)

Is there any way to get where I want to go from here, or am I going to have
to bite the bullet and create a whole new domain?

Thanks.

Joe
 
does that temp DC have DNS installed? Does it host the DNS zone for the AD
domain? Make sure the temp DC points to itself for DNS. That way it will
register the SRV RRs

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
Thanks Jorge,

Yes, I installed DNS on the temp. I'll investigate that angle.

Joe
 
make sure DDNS is enabled (preferably secure) and also make sure the TEMP
DC is a GC!

Enable DDNS on the zones (unsecure)
make it a GC
net stop netlogon and net start netlogon
Enable DDNS on the zones (secure)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


 
Okay, first -- what's a GC? DDNS?

Here's some more info:

I believe you're right and the problem is in my DNS setup.

When I try to ping [MY_DNS_SERVER] from an XP Professional workstation on
the domain, I get a reply from my external [internet] IP address, not from
the internal address [192.168.0.11]. I can't recall if it was like this
before.

When I ping 192.168.0.11 from this workstation, I get a reply from
192.168.0.11, which is what I expect, however, when I do the same thing on
the new temp server, I get this:

[mydomain]
Primary name server - NS1.WORLDNIC.com
responsible mail addr = namehost.WORLDNIC.com

When I do ping [MY_DNS_SERVER_NAME] from my new temp server, I get the
following:

Address [my EXTERNAL IP address].

...

Which is pretty confusing to me.

On the new server (192.168.0.11), I have the DNS entry in the TCP/IP setup
pointing to 192.168.0.11. In the DNS setup, I have the forwarding pointing
to two DNS servers at my ISP.

On both the new temp server and the workstations, the DNS entry in the
TCP/IP setup points to 192.168.0.11.

Oh yeah, on the DNS server, I have the following in my event log:

The DNS server was unable to connect to the domain naming FSMO
viking.befumo.com. No modifications to Directory Partitions are possible
until the FSMO server is available for LDAP connections. The event data
contains the error code.

(Viking was the name of the original domain controller, which has now been
rebuilt and renamed.)

Any hints?
 
Is that temp DC multihomed? (multiple NICs)?

can you explain more how your infrastructure is setup?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
As Jorge says, make sure the DC is a Global Catalog server ("GC"). Also,
test DNS with nslookup, make sure you can resolve the domain name. Make sure
your clients and new server point to the new server for DNS resolution. If
you didn't do it at the time, you'll need to transfer the "Flexible Single
Master Operations" (FSMO) roles to the new server - the old DC will need to
be on-line to do a transfer. If you can't get the old one back on-line, you
can seize the roles, but that process assumes the old DC is gone forever and
you will have conflicts if both think they have the same FSMO roles. Google
for "moving FSMO roles on W2K3". 2K3 has gui tools for doing this, or you
can use the command line tools - either way, it's not difficult. After
rebuilding the old server, you'll need to transfer the roles back, or just
keep 2 DCs and assign the roles for best performance.

....kurt
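As an added example (not Kurt's or the thread's own code), a PowerShell check for the conflict Kurt warns about after a seizure: it asks every DC for its own view of the five FSMO role holders and reports roles where DCs disagree, or where the holder is no longer a DC at all (the thread's viking.befumo.com event-log case). It assumes the ActiveDirectory module (RSAT) on a current domain; on Windows 2003 `netdom query fsmo` gives one DC's view and `ntdsutil` does the transfer or seizure.

```powershell
# Added example, not code from the thread. Detects FSMO role disagreement
# between DCs (a seized role on one side, the old holder back on the other)
# and roles that still point at a DC which no longer exists.
# Assumes the ActiveDirectory PowerShell module (RSAT).

function Get-FsmoView {
    param([string]$Dc)
    # Each DC answers from its own replica, so views can differ after a seizure.
    $domain = Get-ADDomain -Server $Dc -ErrorAction Stop
    $forest = Get-ADForest -Server $Dc -ErrorAction Stop
    [pscustomobject]@{
        QueriedDc            = $Dc
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoConsistency {
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
             'RIDMaster', 'InfrastructureMaster'

    # Current DCs by FQDN; role holders are reported as FQDNs too.
    $dcs = @((Get-ADDomainController -Filter *).HostName)

    $views = @(foreach ($dc in $dcs) {
        try { Get-FsmoView -Dc $dc }
        catch { Write-Warning "Could not query $dc : $($_.Exception.Message)" }
    })

    foreach ($role in $roles) {
        $holders = @($views | ForEach-Object { $_.$role } | Sort-Object -Unique)

        if ($holders.Count -gt 1) {
            # Two DCs each believe a different server owns the role.
            [pscustomobject]@{
                Role    = $role
                Problem = 'DCs disagree'
                Detail  = ($holders -join ' vs ')
            }
        }
        foreach ($holder in $holders) {
            if ($dcs -notcontains $holder) {
                # Holder is not a current DC: stale reference to a rebuilt or
                # removed machine, so the role must be transferred or seized.
                [pscustomobject]@{
                    Role    = $role
                    Problem = 'Holder is not a current DC'
                    Detail  = $holder
                }
            }
        }
    }
}

# Empty output means every DC agrees and every holder is a live DC.
Test-FsmoConsistency | Format-Table -AutoSize
```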

 
Nope -- just one.

Joe
 
GC = Global Catalog
DDNS = Dynamic DNS
DC = Domain Controller (where Active Directory [AD] is installed)

It sounds like your AD setup is just plain wrong. For AD to work,
there must be a DNS server on the network (usually the DC itself) and
this can explain why you're having the errors to begin with. Your
example shows you using your ISP's DNS servers. Those servers don't
know squat about your internal domain and this will cause all sorts of
issues with Active Directory.

Install (if not already done) DNS on the DC (use Add/Remove programs
and click on Windows Components on the left, go to Networking Services
and click details, select Domain Name System.) Create a zone that is
the SAME NAME as your domain name inside the LAN
e.g. if, when you installed AD you named your internal domain
MyCompany.local
then your primary DNS zone should be MyCompany.local
*** it must be EXACTLY THE SAME NAME ***

(note-always a good idea to create a reverse lookup zone, too but not
a critical issue in a small network.)

After DNS is created set your DC's IP information accordingly:
IP address: [whatever your INTERNAL LAN uses] but make it STATIC
(i.e. enter the address yourself, not through DHCP so change "Obtain
an IP address automatically" to "Use the following IP address". and
enter a valid address...like 10.10.10.5 as an example) If this is new
to you then let me know...there are deeper issues we'll need to
discuss :)

Set your default gateway to your internal router, NOT your ISP's
router (you should have a router between your modem and your
network...even if it's the DC itself.) if you do not have a
router/gateway you need to get one. Even a cheapie Linksys will do the
trick [in this example I used 10.10.10.5]

Set the primary DNS server to this server's address. As stated
earlier, AD will create the SRV records (this tells the DC where to go
to lookup the location of clients on your internal LAN) For DNS, use
ONLY your server's address. It will automatically forward requests
for external addresses outside through your gateway and cache them
internally.

Last note: If you're new to Active Directory these are all common
mistakes. Don't worry about it. Once you configure your DC properly
set the workstations to get their DNS info from this DC (if you're
using DHCP on this DC then set the scope options to use this server as
your DNS server.)

Hope this helps somewhat. We've all been here before. Fortunately the
contributors of these groups are very helpful!

-Fran-


 
reason I ask is because you are talking about the DNS server and its
internal and external IPs..

How things should be configured concerning DNS

Make sure the DCs point to internal only DNS servers. If DNS is on the DCs
then point each DC to itself for preferred DNS server and to another DNS as
alternate

On the internal DNS servers configure forwarding to the ISP DNS servers

Make sure DHCP assign the INTERNAL DNS servers to the clients as options.

If DNS is on the DCs (preferred) create AD integrated zones
(yourdomain.something AND _MSDCS.yourdomain.something). Configure the first
with the scope "all DC/DNS in the domain" and configure the second with the
scope "all DC/DNS in the forest"
Configure all zones with secure dynamic DNS
If you only have one domain make all DCs in the domain a GC.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
Okay,

DC is a DNS server

I've confirmed that the DC is a global catalog server.

I seized all of the FSMO Roles

Dns forward-lookup zone is named exactly what my domain is named.

In my TCP/IP setup, the "Use the following IP address" is checked, and the
static IP 192.168.0.11 is entered.

Default gateway points to my firewall/router

The "Use the following DNS server addresses" is checked

The Preferred DNS Server is pointed to 192.168.0.11 (the system's own IP).

All of my workstations and the rebuilt/renamed server point to 192.168.0.11
as the Preferred DNS server.

In the "Administrative Tools | DNS" snap-in, I right-click on the server's
name, and select "Properties".

On the "Forwarders" tab, I have under DNS Domain: "All other DNS Domains",
and below that Under "Selected domain's forwarder IP_Address List, I have
the address of my firewall|Router (which, in turn, points to my ISP's two
DNS addresses.)

Now, my limited understanding of DNS is that the DNS server on my machine
(192.168.0.11) should first try to resolve any requests for resources within
its zones, and then, if it can't resolve a request, forwards it to the
machine(s) listed in the forwarders list

The "Do not use recursion for this domain" check box is unchecked.

nslookup still fails with the following error:

Can't find server for address 192.168.0.11: Non-existent domain Address:
192.168.0.11

The following error occurred when DNS was queried for the service location
(SRV) resource record used to locate a domain controller for domain
befumo.com:

Now, back on the new server, I run the Active Directory Installation wizard.
For Domain Controller Type, I select "Additional domain controller for an
existing domain."

When the Network Credentials dialog comes up, it is already populated with
the domain name, so it would seem that SOME part of the system knows about
the server. (Also, I log into the domain on the new server, and it
recognizes all of the domain shares, etc.)

I enter user name "administrator" and the administrator's password.

When I press "Next," I get the following:

An active Directory Domain controller for the domain [mydomain].com could
not be contacted. Ensure that the DNS domain name is typed correctly.

When I expand the Details, they contain the following:


The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.befumo.com

Common causes of this error include the following:

- The DNS SRV records required to locate a domain controller for the domain
are not registered in DNS. These records are registered with a DNS server
automatically when a domain controller is added to a domain. They are
updated by the domain controller at set intervals. This computer is
configured to use DNS servers with following IP addresses:

192.168.0.11

- One or more of the following zones do not include delegation to its child
zone:

befumo.com
com
. (the root zone)

For information about correcting this problem, click Help.

One thing that has changed at this point, however, is that now when I ping
the DNS server by name, I get a reply from its internal IP - before I was
getting replies from my EXTERNAL IP address.

Have I done anything obviously amiss?

I'm surmising that the DNS SRV records may be the key to my problem.
 
why not point your DNS server (in the forwarding TAB) to the ISP instead of
the firewall?

this error occurs because you do not have a reverse lookup zone. not that
important. you can ignore it or you can create a reverse lookup zone if you
want to.

Do you have a ._msdcs.befumo.com DNS ZONE or does a _MSDCS subdomain exist
within the befumo.com DNS ZONE???

Is dynamic DNS enabled on the zones? Make sure it is!

from the command prompt run:
IPCONFIG /REGISTERDNS
NET STOP NETLOGON
NET START NETLOGON



--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
Joe Befumo said:
Okay,

DC is a DNS server

I've confirmed that the DC is a global catalog server.

I seized all of the FSMO Roles

Dns forward-lookup zone is named exactly what my domain is named.

In my TCP/IP setup, the "Use the following IP address is checked, and the
static IP 192.168.0.11 is entered.

Default gateway points to my firewall/router

The "Use the following DNS server addresses" is checked

The Preferred DNS Server is pointed to 192.168.0.11 (the system's own IP).

All of my workstations and the rebuilt/renamed server point to
192.168.0.11 as the Preferred DNS server.

In the "Administrative Tools | DNS" snap-in, I right-click on the server's
name, and select "Properties".

On the "Forwarders" tab, I have under DNS Domain: "All other DNS Domains",
and below that Under "Selected domain's forwarder IP_Address List, I have
the address of my firewall|Router (which, in turn, points to my ISP's two
DNS addresses.)

Now, my limited understanding of DNS is that the DNS server on my machine
(192.168.0.11) should first try to resolve any requests for resources
within its zones, and then, if it can't resolve a request, forwards it to
the machine(s) listed in the forwarders list

The "Do not use recursion for this domain" check box is unchecked.

nslookup still fails with the following error:

Can't find server for address 192.168.0.11: Non-existent domain Address:
192.168.0.11

The following error occurred when DNS was queried for the service location
(SRV) resource record used to locate a domain controller for domain
befumo.com:

Now, back on the new server, I run the Active Directory Installation
wizard. For Domain Controller Type, I spelect "Additional domain
controller for an existing domain."

When the Network Credentials dialog comes up, it is already populated with
the domain name, so it would seem that SOME part of the system knows about
the server. (Also, I log into the domain on the new server, and it
recognizes all of the domain shares, etc.)

I enter user name "administrator" and the administrator's password.

When I press "Next," I get the following:

An active Directory Domain controller for the domain [mydomain].com could
not be contacted. Ensure that the DNS domain name is typed correctly.

When I expand the Details, they contain the following:


The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.befumo.com

Common causes of this error include the following:

- The DNS SRV records required to locate a domain controller for the
domain are not registered in DNS. These records are registered with a DNS
server automatically when a domain controller is added to a domain. They
are updated by the domain controller at set intervals. This computer is
configured to use DNS servers with following IP addresses:

192.168.0.11

- One or more of the following zones do not include delegation to its
child zone:

befumo.com
com
. (the root zone)

For information about correcting this problem, click Help.

One thing that has changed at this point, however, is that now when I ping
the DNS server by name, I get a reply from its internal IP - before I was
getting replies from my EXTERNAL IP address.

Have I done anything obviously amiss?

I'm surmising that the DNS SRV records may be the key to my problem.
 
Joe said:
One thing that has changed at this point, however, is that now when I ping
the DNS server by name, I get a reply from its internal IP - before I was
getting replies from my EXTERNAL IP address.

Have I done anything obviously amiss?

I'm surmising that the DNS SRV records may be the key to my problem.

Joe, this may have been covered, but I haven't seen mention of the
Netmask. Ensure that the netmask is the same on all machines,
particularly the new one. Ok, it's a long shot......

Cheers,

Cliff
 
Thanks -- I'll follow this up -- in the morning 8^)

Joe

"Jorge de Almeida Pinto [MVP]"
why not point your DNS server (in the forwarding TAB) to the ISP instead
of the firewall?

this error occurs because you do not have a reverse lookup zone. not that
important. you can ignore it or you can create a reverse lookup zone if
you want to.

Do you have a ._msdcs.befumo.com DNS ZONE or does a _MSDCS subdomain exist
within the befumo.com DNS ZONE???

Is dynamic DNS enabled on the zones? Make sure it is!

from the command prompt run:
IPCONFIG /REGISTERDNS
NET STOP NETLOGON
NET START NETLOGON



--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
Joe Befumo said:
Okay,

DC is a DNS server

I've confirmed that the DC is a global catalog server.

I seized all of the FSMO Roles

DNS forward-lookup zone is named exactly what my domain is named.

In my TCP/IP setup, "Use the following IP address" is checked, and the
static IP 192.168.0.11 is entered.

Default gateway points to my firewall/router

The "Use the following DNS server addresses" is checked

The Preferred DNS Server is pointed to 192.168.0.11 (the system's own
IP).

All of my workstations and the rebuilt/renamed server point to
192.168.0.11 as the Preferred DNS server.

In the "Administrative Tools | DNS" snap-in, I right-click on the
server's name, and select "Properties".

On the "Forwarders" tab, I have under DNS Domain: "All other DNS
Domains", and below that under "Selected domain's forwarder IP address
list", I have the address of my firewall/router (which, in turn, points to
my ISP's two DNS addresses.)

 
Yeah, the netmasks are all 255.255.255.0

Joe

Enkidu said:
Joe, this may have been covered, but I haven't seen mention of the
Netmask. Ensure that the netmask is the same on all machines, particularly
the new one. Ok, it's a long shot......

Cheers,

Cliff
 
why not point your DNS server (in the forwarding TAB) to the ISP instead
of the firewall?
Oh -- at one point I thought someone said that nothing should be pointed at
the ISP's DNS servers, so I figured that was the only way I could think of to
still see outside my little world -- guess I can go ahead and change it back
. . . 8^)
 
Net masks won't affect DNS, only broadcast range of the network.

The SRV record does not appear to be in the DNS server. Easy to fix (I
think I already saw a reply, but just in case): on the DNS server type
in (at the command prompt)
ipconfig /registerdns

this will register a SRV record in the DNS database that points to
itself as the DNS server of choice.

The NSLOOKUP issue is simply a reverse zone issue. If you do NSLOOKUP
[servername] for your DNS server you should get an address since the
forward lookup zone exists (this resolves names to addresses and you
have a forward lookup record for the server.) The reverse lookup zone
handles just the opposite...address to name, so to resolve
NSLOOKUP 192.168.0.11

you would need a reverse lookup zone to handle this. Reverse lookup
zones are easier to do than forward lookups. They only pertain to the
network address, not the domain, so your reverse lookup would look like
0.168.192.in-addr.arpa

As for your forwarders...I would remove them. Your DNS server is smart
enough to go this route already. And having these forwarders could
actually hinder performance should one of your ISP's DNS servers go
down. I don't use forwarders in our LAN for outside resolutions and it
works great. Forwarders are primarily used for subdomains to find
records in other subdomains in a larger network topology.

-Fran-
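As an added example (not code from the thread or any of its posters), the PowerShell check below tests the locator SRV records the wizard queried, the resolver setting Jorge asked about, and the reverse zone Fran describes, from any Windows host on the LAN. It assumes PowerShell 3 or later with the DnsClient module; the domain, DC address and site name are placeholders taken from the thread.

```powershell
# Added example (not from the thread): verify the DC-locator records the AD
# Installation wizard needs, the reverse zone Fran describes, and the resolver
# setting Jorge asked about. Domain, DC address and site name are assumptions
# taken from the thread; adjust them for your environment.
param(
    [string]$Domain    = 'befumo.com',
    [string]$DnsServer = '192.168.0.11',            # DC that hosts the AD zone
    [string]$SiteName  = 'Default-First-Site-Name'  # assumed site name
)

# SRV names Netlogon registers for a domain controller; the first one is the
# exact name the wizard reported as "DNS name does not exist".
$required = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

function Test-SrvRecord {
    param([string]$Name)
    try {
        # -DnsOnly skips the hosts file, LLMNR and NetBIOS so only the DC's zone answers
        $rr = Resolve-DnsName -Name $Name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $rr = $null   # "DNS name does not exist" (RCODE_NAME_ERROR) ends up here
    }
    if (-not $rr) {
        return [pscustomobject]@{ Record = $Name; Status = 'MISSING'; Target = '' }
    }
    $targets = ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
    [pscustomobject]@{ Record = $Name; Status = 'OK'; Target = $targets }
}

# 1. Does this host's resolver point at the DC? (Workstations, the new server
#    and the DC itself should all list $DnsServer as preferred DNS.)
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
if ($servers -contains $DnsServer) {
    "Resolver: this host queries $DnsServer (good)"
} else {
    "Resolver: this host queries [$($servers -join ', ')], not $DnsServer; the wizard will ask the wrong server"
}

# 2. Locator SRV records, queried directly against the DC's DNS service.
$results = $required | ForEach-Object { Test-SrvRecord $_ }
($results | Format-Table -AutoSize | Out-String).Trim()

# 3. Reverse zone: "nslookup 192.168.0.11" needs a PTR under the in-addr.arpa
#    name built from the first three octets, e.g. 0.168.192.in-addr.arpa.
$o = $DnsServer.Split('.')
$revZone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
try {
    $ptr = Resolve-DnsName -Name "$($o[3]).$revZone" -Type PTR -Server $DnsServer -DnsOnly -ErrorAction Stop
    "Reverse: $DnsServer -> $($ptr.NameHost) (zone $revZone exists)"
} catch {
    "Reverse: no PTR for $DnsServer; zone $revZone is missing (harmless for AD, explains the nslookup message)"
}

# 4. Remediation the thread converged on: re-register from the DC itself.
if ($results.Status -contains 'MISSING') {
    "Locator records missing. On the DC run: ipconfig /registerdns, then net stop netlogon and net start netlogon,"
    "and make sure dynamic updates are allowed on the $Domain zone; then re-run this script."
}
```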
 
YES!
IPCONFIG /REGISTERDNS
NET STOP NETLOGON
NET START NETLOGON

did it. Thanks for ALL the patience and advice. This has definitely been a
learning experience.

Joe
 
Cool... That's why the ng is here......

BTW, the point about the forwarder is correct. Set it for the external DNS
server(s).

--
Regards,
Hank Arnold

 
are you saying it worked? great! congrats!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 