Server 2003 R2 Additional Domain Controller DNS Error
I have a freshly setup AD forest with a single DC. I have successfully joined many clients to the DC. I am wanting to add an additional DC that is connected to the first network via IPSec. The IPSec is handled by the routers at each site. All traffic is trusted between these networks.
I have set the primary DNS of the new server to the IP address of the established DC. I am able to ping by both FQDN, and IP to and from both servers. DCDIAG and NETDIAG both report no errors on the DC.
I have tried reinstalling DNS on the primary DC, and it was successful, and once again passed DCDIAG and NETDIAG. Have also restarted both servers multiple times after this.
There is a working reverse zone setup as well on the primary DC.
When I try to add the additional DC I receive this error:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain domain.com:
The query was for the SRV record for _ldap._tcp.dc._msdcs.domain.com
The following domain controllers were identified by the query:
fortmyers.domain.com
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
The A record does exist, and is setup properly. Can anyone assist with this issue? Thanks.
May 9th, 2010 10:34am
- are both networks defined and assigned in "sites and services"?
- can you ping the hostname of each server (not fqdn)?
- are you able to access the admin shares of both servers? e.g.
\\server\c$
- have you tried dcdiag /test:dns for a deeper dns check? on both systems? (and could you post its output here?)
May 9th, 2010 11:38am
I haven't configured sites and services yet because the second server has not joined the domain yet. However, I did just try configuring the proper subnets of each network with no change in the error.
I can ping hostnames from each side after manually creating an A record on the first DC pointing to the second server.
I can access the admin shares on each side by using the correct passwords as the second server isn't part of the domain yet.
Here are the results of the DNS check you requested:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: FortMyers\FORTMYERS
Starting test: Connectivity
......................... FORTMYERS passed test Connectivity
Doing primary tests
Testing server: FortMyers\FORTMYERS
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : domain
Running enterprise tests on : domain.com
Starting test: DNS
......................... domain.com passed test DNS
I also have tried joining the domain from the second server with the same error. Prior to that, I was just running dcpromo, trying to add the domain as an additional directly.
May 9th, 2010 2:21pm
Are you sure you can resolve _ldap._tcp.dc._msdcs.domain.com on the new/remote server? If true, try to connect to the ldap port via telnet or portqry (default port is 389). Does it succeed?
You can also run rping to verify that rpc communication is working between these two machines.
downloads:
Portqry:
http://www.microsoft.com/downloads/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en
rping:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
May 9th, 2010 2:35pm
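The two replies above amount to one locator walk: resolve the SRV record, resolve the A record it points at, reach TCP 389, and read the rootDSE the way portqry does. The script below is an added example, not code from any poster in this thread, that performs those steps in order against a named DNS server and reports the first one that fails for each DC. The function name Test-DcLocator is hypothetical; the values domain.com and 59.5.0.5 are taken from the thread and stand in for your own domain and DNS server. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later); the Server 2003 hosts in the thread would use nslookup and portqry for the same checks.

```powershell
# Added example (not from any poster in this thread): walk the DC locator path
# SRV -> A -> TCP 389 -> LDAP rootDSE and report the first failing step.
# Assumes the DnsClient module (Resolve-DnsName). Domain and DNS server values
# below come from the thread; replace them with your own.

function Test-DcLocator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $DnsServer,
        [int] $LdapPort  = 389,
        [int] $TimeoutMs = 3000
    )

    $results = @()
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"

    # Step 1: the SRV lookup dcpromo performs to find a domain controller.
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "SRV lookup for $srvName against $DnsServer failed: $($_.Exception.Message)"
        return $results
    }
    if (-not $srv) {
        Write-Warning "No SRV records for $srvName (Netlogon has not registered them, or wrong DNS server)."
        return $results
    }

    foreach ($rec in $srv) {
        $dc   = $rec.NameTarget
        $port = if ($rec.Port) { $rec.Port } else { $LdapPort }
        $r = [ordered]@{ DC = $dc; IP = $null; Tcp = $false; RootDse = $null; Problem = $null }

        # Step 2: the host (A) record the dcpromo error says may be missing or wrong.
        $a = Resolve-DnsName -Name $dc -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $a) {
            $r.Problem = "no A record for $dc on $DnsServer"
            $results += [pscustomobject]$r
            continue
        }
        $r.IP = $a.IPAddress

        # Step 3: is LDAP reachable on that address (what "portqry -e 389" checked)?
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($r.IP, $port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                throw "connect timed out after $TimeoutMs ms"
            }
            $client.EndConnect($async)
            $r.Tcp = $true
        } catch {
            $r.Problem = "TCP $port to $($r.IP) failed: $($_.Exception.Message) (IPSec tunnel or firewall between sites?)"
            $results += [pscustomobject]$r
            continue
        } finally {
            $client.Close()
        }

        # Step 4: anonymous rootDSE read, the same LDAP query portqry printed in the thread.
        try {
            $rootDse = [ADSI]"LDAP://$dc/RootDSE"
            $r.RootDse = [pscustomobject]@{
                dnsHostName          = [string]$rootDse.Properties['dnsHostName'].Value
                isSynchronized       = [string]$rootDse.Properties['isSynchronized'].Value
                isGlobalCatalogReady = [string]$rootDse.Properties['isGlobalCatalogReady'].Value
            }
            # The SRV target and the DC's own idea of its name should agree.
            if ($r.RootDse.dnsHostName -ne $dc) {
                $r.Problem = "rootDSE dnsHostName '$($r.RootDse.dnsHostName)' does not match SRV target '$dc'"
            }
        } catch {
            $r.Problem = "LDAP rootDSE read from $dc failed: $($_.Exception.Message)"
        }
        $results += [pscustomobject]$r
    }
    return $results
}

# Run with the thread's values; substitute your own domain and the DNS server
# the new server is pointed at (the established DC in this thread).
Test-DcLocator -Domain 'domain.com' -DnsServer '59.5.0.5' | Format-List
```

Run it on the server that is failing to join, with -DnsServer set to the address in its primary DNS entry, since the locator uses that resolver rather than whatever the existing DC sees. A row whose IP resolves but whose Tcp is false points at the path between sites; a row with an empty IP points at the A record the error text names.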
portqry responded with the following:
C:\PortQryV2>PortQry.exe -n domain.com -e 389
Querying target system called:
domain.com
Attempting to resolve name to IP address...
Name resolved to 59.5.0.5
querying...
TCP port 389 (ldap service): LISTENING
Using ephemeral source port
Sending LDAP query to TCP port 389...
LDAP query response:
currentdate: 05/09/2010 13:13:53 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain,DC=com
dsServiceName: CN=NTDS Settings,CN=FORTMYERS,CN=Servers,CN=FortMyers,CN=Sites,CN=Configuration,DC=domain,DC=com
namingContexts: DC=domain,DC=com
defaultNamingContext: DC=domain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain,DC=com
configurationNamingContext: CN=Configuration,DC=domain,DC=com
rootDomainNamingContext: DC=domain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 442503
supportedSASLMechanisms: GSSAPI
dnsHostName: fortmyers.domain.com
ldapServiceName: domain.com:fortmyers$@DOMAIN.COM
serverName: CN=FORTMYERS,CN=Servers,CN=FortMyers,CN=Sites,CN=Configuration,DC=domain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 2
======== End of LDAP query response ========
Also note I tried dcpromo from another server on the second network, and it all looked good. I believe there might be something else at play on this second server.
May 9th, 2010 4:20pm
Since I wasn't too far into this server setup, and had a colleague set up the OS initially, I decided to reformat and reinstall over KVM/IP. After the reinstall everything is working as expected. I am guessing something might have been corrupted during the initial install. Thanks for your suggestions!
May 9th, 2010 6:16pm