3rd Domain controller DNS replication issue
Hi, I am having trouble to set up AD integrated DNS on the 3rd Domain Controller. Here is some background information:

Environment: Single forest, single domain.
Domain name: abc.local (example only of course)
The domain is configured across 2 sites. One site is called Site-A, the other is called Site-B. The two sites are in different subnets:
Site-A 192.168.18.0/24
Site-B 192.168.16.0/24
The three domain controllers are: DC1 (Win 2003 R2 Enterprise), DC2 (Win 2003 R2 Standard), DC3 (Win 2003 R2 Standard).
The network topology looks like this:
Site-A contains DC1
Site-B contains DC2, DC3
DC1 holds all FSMO master roles. I've configured all three DCs as Global Catalog servers.

DC3 used to be a DC with a different name (installed by the previous IT guy). It had the same issue: cannot get DNS working. So I demoted it with ntdsutil, removed it from AD objects, then completely re-installed and promoted it again. Somehow the same issue occurred.

Issue: DC1 and DC2 are pre-existing DCs. Both have DNS and DHCP running without any problem. Recently we decided to add another DC at Site-B to eventually replace DC2. As I said, DC3 was a DC before (say with name DC-Trouble). It did not work properly and DNS was not installed at all. So I disconnected it from the network, demoted it with ntdsutil (normal demote failed), removed the AD objects and DNS CNAME records and then re-installed the server.

To promote DC3 as a DC I've done the following:
1. Configure a static IP on the NIC, point preferred DNS to DC2. In the DNS configuration I checked "Append primary...", "Append parent..." and "Register this connection...".
2. Join the server into domain ABC. Install the DNS service on the server.
3. dcpromo to promote the server to AD. It finished without any errors.
4. After restart, Active Directory was created and I can see all objects are replicated. I checked the DNS console and there was nothing created under Forward Lookup Zones. When trying to replicate from the other DC, I get a DNS error.
5. Did a DCdiag with /TESTNS. It reports the SRV record is missing on the other DCs.
6. I then manually added SRV records onto the DC1 and DC2 DNS configurations.
7. After that did a DCdiag /testns again. This time it says DNS passed the test.
8. Go back to the DNS console. The Forward Lookup Zones still contain nothing.
9. So I demoted DC3 and re-promoted it again.
10. Still DNS does not replicate. The event log has an information entry (Event ID 4514) that says:
The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.ABC.local. This prevents the zones that should be replicated to all DNS servers in the ABC.local forest from replicating to this DNS server. To create or repair the forest-wide DNS directory partition, open the the DNS console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. The error was 9002.
I tried to follow the steps there, but it failed with error "There was a server failure".
11. There is also an error entry (Event ID 4015) in the DNS event log that says:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392, #1: 0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
12. Based on this error, there may be a hotfix for it. I downloaded the hotfix. But obviously I've already got a newer version installed.
13. Did a DCdiag and the output is:

Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Site-B\DC3
Starting test: Connectivity
......................... DC3 passed test Connectivity
Doing primary tests
Testing server: Site-B\DC3
Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
......................... DC3 passed test Replications
Starting test: NCSecDesc
......................... DC3 passed test NCSecDesc
Starting test: NetLogons
......................... DC3 passed test NetLogons
Starting test: Advertising
......................... DC3 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC3 passed test KnowsOfRoleHolders
Starting test: RidManager
Warning: rid set reference is deleted.
ldap_search_sW of CN=RID Set\0ADEL:ef1c539d-33e7-4735-aa0b-3af64e5a2983,CN=Deleted Objects,DC=ABC,DC=local for rid info failed with 2: Win32 Error 2
......................... DC3 failed test RidManager
Starting test: MachineAccount
......................... DC3 passed test MachineAccount
Starting test: Services
......................... DC3 passed test Services
Starting test: ObjectsReplicated
......................... DC3 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC3 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... DC3 failed test frsevent
Starting test: kccevent
......................... DC3 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC00038C2 Time Generated: 04/16/2008 13:48:33 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:29 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:29 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:29 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:30 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:30 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:30 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:30 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:31 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:31 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:31 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:32 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:32 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 13:51:32 (Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410B Time Generated: 04/16/2008 14:08:07 Event String: The request for a new account-identifier pool
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:10 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:10 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:11 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:11 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:11 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:11 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:12 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:12 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:12 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:12 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:13 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:13 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:11:15 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:21 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:21 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:22 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:22 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:22 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:22 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:23 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:23 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:23 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:23 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:24 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:24 (Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457 Time Generated: 04/16/2008 14:31:25 (Event String could not be retrieved)
......................... DC3 failed test systemlog
Starting test: VerifyReferences
......................... DC3 passed test VerifyReferences
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : ABC
Starting test: CrossRefValidation
......................... ABC passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ABC passed test CheckSDRefDom
Running enterprise tests on : ABC.local
Starting test: Intersite
......................... ABC.local passed test Intersite
Starting test: FsmoCheck
......................... ABC.local passed test FsmoCheck

From the log, I can see the RID Manager is missing for DC3. Googled around, seems like I have to seize it back?! Not sure how to do this. With ntdsutil.exe?

I tried a NetDiag as well. Below is the output of it:

Computer Name: DC3
DNS Host Name: DC3.ABC.local
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 6 Model 15 Stepping 6, GenuineIntel
List of installed hotfixes :
KB924667-v2 KB925398_WMP64 KB925902 KB926122 KB927891 KB929123 KB930178 KB931784 KB932168 KB933729 KB933854 KB935839 KB935840 KB936021 KB936357 KB936782 KB938127 KB941202 KB941568 KB941569 KB941644 KB941693 KB942615-IE7 KB942763 KB943055 KB943460 KB943485 KB944338 KB944533-IE7 KB944653 KB945553 KB946026 KB947864 KB947864-IE7 KB948496 KB948590 KB948881 Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : DC3
IP Address . . . . . . . . : 192.168.16.245
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.16.250
Dns Servers. . . . . . . . : 192.168.16.247 (DC2)
192.168.18.248 (DC1)
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{8B3890BC-0345-4B65-905E-2B9B531807B3}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.16.247' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.18.248'. Please wait for 30 minutes for DNS server replication.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{8B3890BC-0345-4B65-905E-2B9B531807B3}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{8B3890BC-0345-4B65-905E-2B9B531807B3}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Failed
Secure channel for domain 'ABC' is to '\\DC1.ABC.local'.
[FATAL] Cannot set secure channel for domain 'ABC' to PDC emulator. [ERROR_NO_TRUST_SAM_ACCOUNT]
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/DC3.ABC.local' is missing on DC 'DC1.ABC.local'.
[WARNING] The default SPN registration for 'HOST/DC3' is missing on DC 'DC1.ABC.local'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully

No idea what SPN registration is. Maybe caused by the DNS issue? I've been trying to fix this issue for the last couple of days. Bit lost to be honest. Any suggestions are welcome. Thanks.
Tom
April 16th, 2008 10:41am
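The three symptoms in Tom's post (event 4514 on the DNS application partitions, SRV records present on one DNS server but not the other, and the netdiag secure-channel/SPN failures) can each be checked from one place. The script below is an added example, not something from the thread or from Microsoft; it assumes a workstation with the RSAT ActiveDirectory module and a domain whose DCs answer the AD cmdlets (2008 R2 or later, which the 2003 boxes in the thread would not), and it takes the names and addresses (abc.local, DC1/DC2/DC3, 192.168.18.248, 192.168.16.247) from the thread as placeholders.

```powershell
# Added example (not from the thread). Checks the conditions Tom reports, from a
# workstation with the RSAT ActiveDirectory module. Names and IPs are assumptions
# lifted from the thread; adjust them for your forest.
Import-Module ActiveDirectory

$Domain   = 'abc.local'
$NewDc    = 'DC3'
$DnsHosts = @('192.168.18.248', '192.168.16.247')   # DC1, DC2 as netdiag listed them

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# 1. Event 4514 means the DNS server is not in the replica set of the DNS application
#    partitions. That set is the msDS-NC-Replica-Locations attribute (the one named in
#    Tom's event 4015) on the partition's crossRef object under CN=Partitions; each
#    value is the DN of an enlisted DC's NTDS Settings object.
$ntdsDn = (Get-ADDomainController -Identity $NewDc).NTDSSettingsObjectDN
foreach ($nc in @("DC=ForestDnsZones,$domainDn", "DC=DomainDnsZones,$domainDn")) {
    $crossRef = Get-ADObject -SearchBase "CN=Partitions,$configDn" -LDAPFilter "(nCName=$nc)" `
                             -Properties 'msDS-NC-Replica-Locations'
    if (-not $crossRef) { Write-Warning "No crossRef for $nc (partition never created)"; continue }
    $enlisted = $crossRef.'msDS-NC-Replica-Locations' -contains $ntdsDn
    "{0,-40} enlisted={1}" -f $nc, $enlisted
    if (-not $enlisted) {
        # dnscmd /EnlistDirectoryPartition is the command-line form of the console
        # action the 4514 text points at.
        $fqdn = ($nc -replace '^DC=([^,]+).*', '$1') + ".$Domain"
        "  remediation: dnscmd $NewDc /EnlistDirectoryPartition $fqdn"
    }
}

# 2. SRV records every DC must register. netdiag found them on DC2 but not DC1.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
foreach ($srv in $DnsHosts) {
    foreach ($name in $srvNames) {
        $answers  = Resolve-DnsName -Name $name -Type SRV -Server $srv -ErrorAction SilentlyContinue
        $hasNewDc = @($answers | Where-Object { $_.NameTarget -like "$NewDc.*" }).Count -gt 0
        "{0,-15} {1,-45} {2} registered={3}" -f $srv, $name, $NewDc, $hasNewDc
    }
}

# 3. ERROR_NO_TRUST_SAM_ACCOUNT and missing HOST/ SPNs on DC1 both point at the computer
#    object for the new DC not being the same on every DC (a leftover from the earlier
#    failed promotion is one way that happens). Compare SID and SPNs per DC, then run
#    the same nltest check Johan suggests.
foreach ($dc in @('DC1', 'DC2')) {
    $acct = Get-ADComputer -Identity $NewDc -Server "$dc.$Domain" -Properties servicePrincipalName
    $host = ($acct.servicePrincipalName | Where-Object { $_ -like 'HOST/*' }) -join ', '
    "{0}: SID={1} HOST SPNs={2}" -f $dc, $acct.SID, $host
}
& nltest "/server:$NewDc" "/sc_query:$Domain"
```

Run it as a domain administrator; the partition check is read-only, and the dnscmd line is only printed, not executed, so the output can be reviewed before anything is changed.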

Tom, Try the following:
nltest /server:<ComputerName> /sc_query:<DomainName>
This will test the secure connection. If it fails, then use this command to reset the secure connection:
nltest /server:<ComputerName> /sc_reset:<DomainName>
If this doesn't work, remove the DC functionality from the server, then remove it from the domain and add it to the domain again.
Johan
April 16th, 2008 1:12pm

Johan, thanks for the reply. The test comes out successfully as below.
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\DC1.ABC.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Looks like this is not the cause of the problem.
April 16th, 2008 2:27pm

Tom, Do I understand it right that the new DC is in another building? Johan
April 16th, 2008 2:30pm

Yes, Johan. It is exactly right. The new DC, DC3 is located inside Site-B with DC2. DC1 is located in Site-A which is another building. Tom
April 17th, 2008 2:15am

Hi Tom, Is DNS installed on your DC3-Trouble at all? By default DNS will not be installed on additional DCs if you already have one or more DNS servers in your domain. Kind regards, Louis
April 17th, 2008 1:28pm

Hi Gents, I got it sorted out. Zone transfer was disabled on the DC1 server. I manually created a forward DNS zone on DC3, enabled Zone Transfer on DC1, then after a couple of hours the replication kicked in. Thanks for all your help. Tom
May 5th, 2008 7:48am
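Tom's fix was to enable zone transfers on DC1. Two points a practitioner would want alongside that: an AD-integrated zone replicates as directory objects and needs the DNS server enlisted in the application partition (the event 4514 condition) rather than a zone transfer, and a zone transfer opened to "any server" hands every record in the zone to any host that asks for it. The script below is an added example, not part of the thread; it uses the DnsServer module (Windows Server 2012 and later, not the 2003 servers in the thread), and the server name, zone name and secondary addresses are assumptions taken from the thread's placeholders.

```powershell
# Added example (not from the thread): audit and tighten zone-transfer settings on a
# Windows DNS server with the DnsServer module. Server, zone and secondary IPs are
# assumptions based on the thread's example values.
Import-Module DnsServer

$DnsServer   = 'dc1.abc.local'
$Zone        = 'abc.local'
$Secondaries = @('192.168.16.247', '192.168.16.245')   # DC2, DC3 per the netdiag output

# 1. Report: which primary zones allow transfer and to whom. SecureSecondaries of
#    TransferAnyServer means any client can pull the whole zone with an AXFR.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize

# 2. An AD-integrated zone reaches other DCs through directory replication; a zone
#    transfer only matters for non-AD (standard secondary) servers.
$z = Get-DnsServerZone -ComputerName $DnsServer -Name $Zone
if ($z.IsDsIntegrated) {
    "{0} is AD-integrated (scope {1}); transfers are only needed for non-AD secondaries" -f $Zone, $z.ReplicationScope
}

# 3. Where a transfer is needed, limit it to the listed secondaries instead of any server.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries

# 4. Verify the setting, and confirm the DS-integrated zones now show up on the new
#    DNS server (the empty Forward Lookup Zones folder was Tom's original symptom).
Get-DnsServerZone -ComputerName $DnsServer -Name $Zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers
Get-DnsServerZone -ComputerName 'dc3.abc.local' |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope
```

On a 2003-era server the equivalent of step 3 is dnscmd with /ZoneResetSecondaries and /SecureList, which takes the same list of permitted secondary addresses.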
