DCPromo answer file - DNS Problem?

Andy Spencer

I am creating my first DC from an unattended CD and once I come up I'm
calling a script to promote it. I want to create a DNS structure with
a private root, where my FQDN is something like:

MyDom.MyLocation.MyCompany.net

At this point I have an isolated network and will never attach the
domain to the Internet. Some day I hope to combine the domains into a
large forest so that there are child domains under MyCompany.net, but
that will be much later.

My DCPromo answer file creates a DNS server on my one and only DC with
my (AD Integrated) zone, but the structure isn't what I expected.
What is created looks like:

DNS
--FirstDC
..--Forward Zones
..--_msdcs.MyDom.MyLocation.MyCompany.net
....+-dc
....+-domains
....+-gc
....+-pdc
..--MyDom.MyLocation.MyCompany.net
....--_msdcs
....+-_sites
....+-_tcp
....+-_udp
....+-DomainDNSZones
....+-ForestDNSZones
..+-Reverse Zones

To make this a private root I also (later after the dcpromo) create a
forward zone of '.'. While the domain works, I don't believe this is
correct and I get an error from dnslint saying that one of my zones
isn't authoritative. I don't see this structure when I hand build
DNS.

I'm concerned because I'm having access problems getting to sysvol
(events 1058 & 1030).

Can someone help me in regards to:
- Is this a problem or not?
- Anyone else seen this structure w/ DCPromo & autoanswer?
- Is there a scriptable way to move the _msdcs structure back under
the domain?


TIA - Andy

Ace Fekay [MVP]

If this is W2k3, you don't want to move the _msdcs zone under the domain.
This is the way it sets it up and the way it should be.

For the 1058, look for Jeff's and Tobias' comments:
http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

For the 1030, look at Daniel's comments and make sure no services are turned
off, such as the DHCP Client service and the DFS service:
http://www.eventid.net/display.asp?eventid=1030&eventno=1542&source=Userenv&phase=1

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

Andy Spencer

Thanks Ace! I'll go over these articles again. I'd checked out the
article on 1058 previously and didn't get anywhere but I'll look
again. My DC is multi-homed and that might be the cause, but the
articles I've reviewed so far didn't give me the feeling that there
was a clear answer (yet). I suspected DNS because the problem starts
to occur several hours after a reboot. (PurgeMUP didn't help). First
you can do a dir on:
- \\mydomain.mylocn.myco.net\sysvol
- \\mydomain\sysvol
- \\Server\sysvol
but after a while you get the error from #1, then still later #2 fails
and only \\Server\sysvol works. The error is:
Configuration information could not be read from the domain
controller, either because the machine is unavailable, or access has
been denied.

Given this I suspected DNS (thinking it was getting the wrong NIC) and
because dnslint gives warnings. The lint error looks like:

DNSLint Report

System Date: Fri May 14 08:52:48 2004

Command run:

dnslint -d MyDomain -s 152.221.200.57

Domain name tested:

MyDomain

The following 1 DNS servers were identified as authoritative for the
domain:

DNS server: Server.MyDomain.locn.Co.net
IP Address: 152.221.200.57
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

This DNS server may be a root server as it answered authoritatively,
but DNS records for the specified domain did not exist on the server.

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown
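A scripted version of the checks this thread circles around (the separate _msdcs zone and its delegation, the DC locator SRV records, what a multi-homed DC registered for itself, and the three SYSVOL paths Andy lists in the order they fail). This is an added example, not anything posted by Andy or Ace; the domain, NetBIOS and host names are placeholders, and it assumes a Windows 8 / Server 2012 or later host where the DnsClient module (Resolve-DnsName) is available.

```powershell
# Added diagnostic, not from the thread. Placeholders: replace with your own
# domain, NetBIOS name and DC hostname. Assumes the DnsClient module.
$Domain  = 'MyDom.MyLocation.MyCompany.net'   # AD domain tested in the thread
$Forest  = $Domain                            # first DC: the domain is the forest root
$NetBios = 'MyDom'                            # NetBIOS name used in \\mydomain\sysvol
$Dc      = 'FirstDC'                          # hostname of the sole DC
$DnsSrv  = $Dc                                # the DC is also the DNS server

# 1. Delegation: in the layout dcpromo produced on W2k3, the domain zone holds
#    an NS delegation for _msdcs pointing at the separate forest-wide zone.
$delegation = Resolve-DnsName -Name "_msdcs.$Forest" -Type NS -Server $DnsSrv -ErrorAction SilentlyContinue
if ($delegation) { "OK   _msdcs.$Forest delegated to $($delegation.NameHost -join ', ')" }
else             { Write-Warning "No NS records found for _msdcs.$Forest" }

# 2. DC locator records that clients, Group Policy and SYSVOL access depend on.
$srv = @(
  "_ldap._tcp.dc._msdcs.$Forest",
  "_kerberos._tcp.dc._msdcs.$Forest",
  "_ldap._tcp.pdc._msdcs.$Forest",
  "_ldap._tcp.gc._msdcs.$Forest"
)
foreach ($name in $srv) {
  $r = Resolve-DnsName -Name $name -Type SRV -Server $DnsSrv -ErrorAction SilentlyContinue
  if ($r) { "OK   $name -> $($r.NameTarget -join ', ')" }
  else    { Write-Warning "MISSING $name" }
}

# 3. A multi-homed DC registers every NIC unless told otherwise; if more than
#    one address comes back, clients may be handed the wrong one.
$dcA = @(Resolve-DnsName -Name "$Dc.$Domain" -Type A -Server $DnsSrv -ErrorAction SilentlyContinue)
if ($dcA.Count -gt 1) {
  Write-Warning "$Dc registered $($dcA.Count) addresses: $($dcA.IPAddress -join ', ')"
} elseif ($dcA.Count -eq 1) {
  "OK   $Dc.$Domain -> $($dcA[0].IPAddress)"
} else {
  Write-Warning "No A record for $Dc.$Domain"
}

# 4. The three SYSVOL paths from the thread, FQDN first (the one that fails first).
foreach ($path in "\\$Domain\sysvol", "\\$NetBios\sysvol", "\\$Dc\sysvol") {
  if (Test-Path -Path $path) { "OK   $path" } else { Write-Warning "FAIL $path" }
}
```

Run it once right after a reboot and again a few hours later; the thread describes a failure that appears only after the DC has been up for a while, so a single pass will not reproduce it.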

Ace Fekay [MVP]

Multihomed DNS/DC/RRAS machines ARE VERY PROBLEMATIC. I would suggest using
just a plain-jane vanilla member server if you are multihoming for
Internet access for your network, or just get a Linksys, Cisco PIX,
Netgear, etc., to perform that.

There are a few registry entries that you need to utilize to fix this. I can
post them, but it is extra extra administrative overhead to take care of
this.

--
Regards,
Ace
