DCPromo answer file - DNS Problem?

 
 
Andy Spencer
 
      13th May 2004
I am creating my first DC from an unattended CD and once I come up I'm
calling a script to promote it. I want to create a DNS structure with
a private root, where my FQDN is something like:

MyDom.MyLocation.MyCompany.net

At this point I have an isolated network and will never attach the
domain to the Internet. Some day I hope to combine the domains into a
large forest so that there are child domains under MyCompany.net, but
that will be much later.

My DCPromo answer file creates a DNS server on my one and only DC with
my (AD Integrated) zone, but the structure isn't what I expected.
What is created looks like:

DNS
--FirstDC
..--Forward Zones
..--_msdcs.MyDom.MyLocation.MyCompany.net
....+-dc
....+-domains
....+-gc
....+-pdc
..--MyDom.MyLocation.MyCompany.net
....--_msdcs
....+-_sites
....+-_tcp
....+-_udp
....+-DomainDNSZones
....+-ForestDNSZones
..+-Reverse Zones

To make this a private root I also (later after the dcpromo) create a
forward zone of '.'. While the domain works, I don't believe this is
correct and I get an error from dnslint saying that one of my zones
isn't authoritative. I don't see this structure when I hand build
DNS.

I'm concerned because I'm having access problems getting to sysvol
(events 1058 & 1030).

Can someone help me in regards to:
- Is this a problem or not?
- Anyone else seen this structure w/ DCPromo & autoanswer?
- Is there a scriptable way to move the _msdcs structure back under
the domain?


TIA - Andy
 
 
 
 
 
Ace Fekay [MVP]
 
      14th May 2004
In news:(E-Mail Removed),
Andy Spencer <(E-Mail Removed)> posted their thoughts, then I offered
mine
> I am creating my first DC from an unattended CD and once I come up I'm
> calling a script to promote it. I want to create a DNS structure with
> a private root, where my FQDN is something like:
>
> MyDom.MyLocation.MyCompany.net
>
> At this point I have an isolated network and will never attach the
> domain to the Internet. Some day I hope to combine the domains into a
> large forest so that there are child domains under MyCompany.net, but
> that will be much later.
>
> My DCPromo answer file creates a DNS server on my one and only DC with
> my (AD Integrated) zone, but the structure isn't what I expected.
> What is created looks like:
>
> DNS
> --FirstDC
> .--Forward Zones
> .--_msdcs.MyDom.MyLocation.MyCompany.net
> ...+-dc
> ...+-domains
> ...+-gc
> ...+-pdc
> .--MyDom.MyLocation.MyCompany.net
> ...--_msdcs
> ...+-_sites
> ...+-_tcp
> ...+-_udp
> ...+-DomainDNSZones
> ...+-ForestDNSZones
> .+-Reverse Zones
>
> To make this a private root I also (later after the dcpromo) create a
> forward zone of '.'. While the domain works, I don't believe this is
> correct and I get an error from dnslint saying that one of my zones
> isn't authoritative. I don't see this structure when I hand build
> DNS.
>
> I'm concerned because I'm having access problems getting to sysvol
> (events 1058 & 1030).
>
> Can someone help me in regards to:
> - Is this a problem or not?
> - Anyone else seen this structure w/ DCPromo & autoanswer?
> - Is there a scriptable way to move the _msdcs structure back under
> the domain?
>
>
> TIA - Andy



If this is W2k3, you don't want to move the _msdcs zone under the domain.
This is the way it sets it up and the way it should be.

For the 1058, look for Jeff's and Tobias' comments:
http://www.eventid.net/display.asp?e...serenv&phase=1

For the 1030, look at Daniel's comments and make sure no services are turned
off, such as the DHCP Client service and the DFS service:
http://www.eventid.net/display.asp?e...serenv&phase=1

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================


 
 
Andy Spencer
 
      14th May 2004
Thanks Ace! I'll go over these articles again. I'd checked out the
article on 1058 previously and didn't get anywhere but I'll look
again. My DC is multi-homed and that might be the cause, but the
articles I've reviewed so far didn't give me the feeling that there
was a clear answer (yet). I suspected DNS because the problem starts
to occur several hours after a reboot. (PurgeMUP didn't help). First
you can do a dir on:
- \\mydomain.mylocn.myco.net\sysvol
- \\mydomain\sysvol
- \\Server\sysvol
but after awhile you get the error from #1, then still later #2 fails
and only \\Server\sysvol works. The error is:
Configuration information could not be read from the domain
controller, either because the machine is unavailable, or access has
been denied.

Given this I suspected DNS (thinking it was getting the wrong NIC) and
because dnslint gives warnings. The lint error looks like:

DNSLint Report

System Date: Fri May 14 08:52:48 2004

Command run:

dnslint -d MyDomain -s 152.221.200.57

Domain name tested:

MyDomain

The following 1 DNS servers were identified as authoritative for the
domain:

DNS server: Server.MyDomain.locn.Co.net
IP Address: 152.221.200.57
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

This DNS server may be a root server as it answered authoritatively,
but DNS records for the specified domain did not exist on the server.

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown





 
 
Ace Fekay [MVP]
 
      15th May 2004
In news:(E-Mail Removed),
Andy Spencer <(E-Mail Removed)> posted their thoughts, then I offered
mine
> Thanks Ace! I'll go over these articles again. I'd checked out the
> article on 1058 previously and didn't get anywhere but I'll look
> again. My DC is multi-homed and that might be the cause, but the
> articles I've reviewed so far didn't give me the feeling that there
> was a clear answer (yet). I suspected DNS because the problem starts
> to occur several hours after a reboot. (PurgeMUP didn't help). First
> you can do a dir on:
> - \\mydomain.mylocn.myco.net\sysvol
> - \\mydomain\sysvol
> - \\Server\sysvol
> but after awhile you get the error from #1, then still later #2 fails
> and only \\Server\sysvol works. The error is:
> Configuration information could not be read from the domain
> controller, either because the machine is unavailable, or access has
> been denied.
>
> Given this I suspected DNS (thinking it was getting the wrong NIC) and
> because dnslint gives warnings. The lint error looks like:
>
> DNSLint Report
>
> System Date: Fri May 14 08:52:48 2004
>
> Command run:
>
> dnslint -d MyDomain -s 152.221.200.57
>
> Domain name tested:
>
> MyDomain
>
> The following 1 DNS servers were identified as authoritative for the
> domain:
>
> DNS server: Server.MyDomain.locn.Co.net
> IP Address: 152.221.200.57
> UDP port 53 responding to queries: YES
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: YES
>
> This DNS server may be a root server as it answered authoritatively,
> but DNS records for the specified domain did not exist on the server.
>
> SOA record data from server:
> Authoritative name server: Unknown
> Hostmaster: Unknown
> Zone serial number: Unknown
> Zone expires in: Unknown
> Refresh period: Unknown
> Retry delay: Unknown
> Default (minimum) TTL: Unknown
>
>
>
>


Multihomed DNS/DC/RRAS machines ARE VERY PROBLEMATIC. I would suggest using
just a plain Jane vanilla member server if you are multihoming for
Internet access for your network, or just get a Linksys, Cisco PIX,
Netgear, etc., to perform that.

There are a few registry entries that you need to utilize to fix this. I can
post them, but it is extra extra administrative overhead to take care of
this.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
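
A small model of zone selection, using the zone layout from the first post plus the manually created '.' zone, shows how a server can answer authoritatively for a name it holds no records for, which is the condition the DNSLint report in this thread describes. This is an added example, not part of any post and not Windows DNS server code; the record sets are constructed, and longest-suffix matching is a simplification of real server behaviour.

```python
# Added illustration: which hosted zone answers a query (longest matching suffix).

# Zones from the thread: the two dcpromo created plus the manual "." root zone.
ZONES = [
    ".",
    "mydom.mylocation.mycompany.net.",
    "_msdcs.mydom.mylocation.mycompany.net.",
]

# Constructed sample of owner names (relative to the zone apex, "@") per zone.
RECORDS = {
    ".": {"@"},
    "mydom.mylocation.mycompany.net.": {"@", "firstdc", "_ldap._tcp"},
    "_msdcs.mydom.mylocation.mycompany.net.": {"@", "_ldap._tcp.dc"},
}


def labels(name):
    """Split a DNS name into lower-case labels; the root is the empty list."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def closest_zone(qname, zones=ZONES):
    """Return the hosted zone with the longest label-wise suffix match, or None."""
    q = labels(qname)
    best = None
    for zone in zones:
        z = labels(zone)
        matches = not z or q[-len(z):] == z   # the root zone matches every name
        if matches and (best is None or len(z) > len(labels(best))):
            best = zone
    return best


def answer(qname, zones=ZONES):
    """Classify the reply as (zone, authoritative, name_exists)."""
    zone = closest_zone(qname, zones)
    if zone is None:
        return (None, False, False)   # no hosted zone: server would recurse/forward
    q, z = labels(qname), labels(zone)
    relative = ".".join(q[: len(q) - len(z)]) or "@"
    return (zone, True, relative in RECORDS.get(zone, set()))


if __name__ == "__main__":
    for name in ("MyDomain", "MyDom.MyLocation.MyCompany.net",
                 "_ldap._tcp.dc._msdcs.MyDom.MyLocation.MyCompany.net"):
        print(name, "->", answer(name))
```

With the '.' zone present, the short name used in the posted dnslint command falls into the root zone and gets an authoritative "no such name" reply, while the fully qualified domain name and the `_msdcs` locator name are each served from their own zone.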


 