W2K3 AD/DNS server in W2K Domain


Brian

Hi,

I'm in the process of updating our domain to W2K3. We have 2 W2K combined
AD and DNS servers. I have now installed 2 W2K3 combined AD and DNS servers
and promoted them. When I set the DNS to point at itself (just like it is
configured on the old W2K servers) I get several errors.

First it takes about 5 minutes to get a logon prompt. It just displays
"Preparing Network Connections". Then after 5 minutes I can log on. There
are then several errors in the event log.

The System log starts with a Netlogon error - 3096: "The primary Domain
Controller for this domain could not be located"

Then there are several LSASRV errors - 40960
BROWSER errors - 8021 and 8032

Also the Directory Service log gets an error - NTDS Replication - 2088.

If I set the DNS to point at one of the other DNS servers there are no
problems. But Microsoft Best Practice explains that you should point DNS to
the server's own IP address.

I hope someone can help me out.

Thanks in advance.

Best Regards

Brian
 
Brian said:
The System log starts with a Netlogon error - 3096: "The primary Domain
Controller for this domain could not be located" Also the Directory
Service log gets an error - NTDS Replication - 2088.

All those are symptoms of the same thing, which in your case is probably
caused by your DNS zone not being replicated to the new servers. Check that
they have the zone and that it is being replicated properly.
 
Brian said:
Hi,

I'm in the process of updating our domain to W2K3. We have 2 W2K
combined AD and DNS servers. I have now installed 2 W2K3 combined AD
and DNS servers and promoted them. When I set the DNS to point at
itself (just like it is configured on the old W2K servers) I get
several errors.

First it takes about 5 minutes to get a logon prompt. It just
displays "Preparing Network Connections". Then after 5 minutes I
can log on. There are then several errors in the event log.

The System log starts with a Netlogon error - 3096: "The primary Domain
Controller for this domain could not be located"

Then there are several LSASRV errors - 40960
BROWSER errors - 8021 and 8032

Also the Directory Service log gets an error - NTDS Replication -
2088.

If I set the DNS to point at one of the other DNS servers there are no
problems. But Microsoft Best Practice explains that you should point
DNS to the server's own IP address.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

What is the zone type on the Win2k DCs?
If AD integrated the zones should have replicated to the Win2k3 DCs


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
 
Hi,

The new servers have the zone and all the same records as the old servers.
I'm also able to replicate the NTDS settings from AD Sites and Services.

Dcdiag reports everything okay
netdiag reports:


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{285EA366-AD86-4BEE-8A8A-F64824958AF2}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server 'xx.xx.xx.xx'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{285EA366-AD86-4BEE-8A8A-F64824958AF2}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{285EA366-AD86-4BEE-8A8A-F64824958AF2}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'DOMAIN' is broken.
[ERROR_NO_LOGON_SERVERS]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully


When the DNS points at itself, "only" the NetBT test is listed with a warning.


What else can I do to check?

Regards

Brian
 
Hi,

I will check the link.

It is AD integrated both on the W2K and on the W2K3 servers.

Regards

Brian
 
How many of your DNS servers are root servers? If any, which ones?

Do any/all have forwarders configured? If so, what forwarders?

-Frank
 
Hello,

All DNS servers are internal DNS servers. None are root servers, I guess - how
do I check that? All are GC servers. All have forwarders configured, which are
the DNS servers of our Internet service provider.

-Brian
 
Okay, if you have configured forwarders on all your DNS servers then you do
not have root servers. Root servers do not allow a forwarder to be
configured. Normally this forwarder IP would be your router's internal IP.
Then, the router would have your ISP's DNS IPs configured in its TCP/IP
properties.

Next, I would make sure that your ISP's DNS server IPs are NOT in any of your
DNS servers' TCP/IP properties, as well as make sure that your ISP's DNS
servers are NOT in any of your client machines' TCP/IP properties. All
local LAN machines (including your internal DNS servers) should only have
internal DNS IPs in their TCP/IP config. The internal DNS should forward
all unresolved requests to your router, which will then query your ISP DNS.

Don't make the common mistake of putting both internal and external DNS IPs
in any LAN machine's TCP/IP properties, thinking if it can't get resolution
from internal it will go external. It will NOT! That behavior (forwarding
requests) is the job of the forwarder, not the TCP/IP properties list of DNS
servers.

-Frank
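Added example, not code from the thread or from any of its posters: a PowerShell audit that checks one domain controller against the points Frank makes above (only internal DNS servers in TCP/IP properties, the DC listing itself, forwarders handling external resolution) and against the DC record registration that Brian's netdiag DNS test reported as failed, plus the single-label domain name question raised later in the thread. It assumes the DnsClient and DnsServer modules of a current Windows Server (the thread's W2K3 machines predate these cmdlets; ipconfig /all, dnscmd and netdiag cover the same ground there). The internal DNS server list is a constructed placeholder.

```powershell
# Added example: audit a DC's DNS configuration against the advice in this thread.
# Assumes DnsClient and DnsServer modules (current Windows Server). Placeholder
# addresses below are constructed and must be replaced with the real internal DNS servers.

$InternalDnsServers = @('10.0.0.10', '10.0.0.11', '10.0.0.20', '10.0.0.21')  # placeholder list
$domain   = (Get-CimInstance Win32_ComputerSystem).Domain
$me       = "$env:COMPUTERNAME.$domain"
$problems = @()

# Kevin's point: a single-label domain name (no dot) causes DNS registration trouble
if ($domain -notmatch '\.') {
    $problems += "Domain name '$domain' is single-label"
}

# Frank's point 1: only internal DNS IPs in TCP/IP properties; never the ISP's servers
# Brian's point: the DC should list its own address (Microsoft's recommendation)
$ownIPs = (Get-NetIPAddress -AddressFamily IPv4 |
           Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses }) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($InternalDnsServers -notcontains $srv) {
            $problems += "Adapter '$($cfg.InterfaceAlias)': DNS server $srv is not an internal DNS server"
        }
    }
    $listsSelf = $cfg.ServerAddresses | Where-Object { $ownIPs -contains $_ -or $_ -eq '127.0.0.1' }
    if (-not $listsSelf) {
        $problems += "Adapter '$($cfg.InterfaceAlias)': the DC does not list itself as a DNS server"
    }
}

# Frank's point 2: external resolution is the forwarder's job, not the client list's
$forwarders = (Get-DnsServerForwarder -ErrorAction SilentlyContinue).IPAddress
if (-not $forwarders) {
    $problems += 'No forwarders configured on the local DNS server (unresolved names would go to root hints)'
}

# What netdiag /test:dns checked: this DC's locator SRV record and its A record
$srvName = "_ldap._tcp.dc._msdcs.$domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
if (-not ($srv | Where-Object { $_.NameTarget -ieq $me })) {
    $problems += "$srvName has no SRV entry for $me; Netlogon has not registered this DC (run 'nltest /dsregdns' and re-check)"
}
if (-not (Resolve-DnsName -Name $me -Type A -ErrorAction SilentlyContinue)) {
    $problems += "No A record for $me in zone $domain"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "DNS configuration on $me is consistent with the advice in this thread"
}
```

Run it in an elevated PowerShell session on the affected W2K3-replacement DC (after the DNS client has been pointed at itself, as in Brian's setup) and compare the warnings with the netdiag [FATAL] lines; a missing SRV entry with a present A record points at Netlogon registration rather than at zone replication.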
 
Hi,

None of the DNS servers are pointing to my ISP's DNS servers. Also no clients
are pointing directly - they all point to my internal DNS servers.

But the problem only resides on the AD/DNS server itself - none of the
clients get the "Preparing Network Connections" for several minutes. It is
only on the two W2K3 Domain servers, but not on the two W2K Domain servers.
All four of them are configured the same.

Regards

Brian
 
Brian said:
Hi,

I will check the link.

It is AD integrated both on the W2K and on the W2K3 servers.

You shouldn't have a problem with AD zones replicating from the Win2k to the
Win2k3 DCs if you promoted them as replica DCs. Before you can promote an
additional Windows Server 2003 domain controller into a Windows 2000 forest,
an administrator must successfully run adprep /forestprep on the schema
operations master and run adprep /domainprep on the infrastructure master in
the Windows 2000 forest. Was this done?
 
Yes, everything was done - both forestprep and domainprep.

I have checked the link you sent - I cannot find anything to be
misconfigured.

-Brian
 
Brian said:
Yes, everything was done - both forestprep and domainprep.

I have checked the link you sent - I cannot find anything to be
misconfigured.

Have you tried Dcdiag and Netdiag? (server support tools on the CD)
 
Brian said:
Yes - look at one of the previous posts - there is a printout of the
result.

You have edited out important data in the Netdiag you posted, and it appears
you may have a single-label domain name.
Repost the unedited netdiag using the /test:dns /v switches with an unedited
ipconfig /all.
 