DNS Configuration Problem with Member Server in Existing Domain

Keith Norris

I have two computers. One computer is a domain controller (Server A) and
the other computer is a member server (Server B). The operating system is
Windows Server 2000 and the domain is called Domain. I installed the
Adminpak on Server B but I cannot use Active Directory User and Computers to
manage domain accounts. When I click Active Directory Users and Computers
from Administrative Tools, I get a dialog box saying "Naming information
cannot be located because: The server is not operational. Contact your
system administrator to verify that your domain is properly configured and
is currently online." Does this mean that I have to do something with DNS
on Server B? I don't know anything about DNS at this point. When I go to
Configure Your Server from Administrative Tools and then Networking, DNS,
Manage, I'll see a DNS management console with DNS in a hierarchy display.
Under DNS, I see Server B. I do not also see Server A. Should I? If I
click Server B, I see a Forward Lookup Zone folder and a Reverse Lookup Zone
folder. There is nothing in the Forward or Reverse Lookup Zone folders.
Should there be something in either one of these folders or both? How
should I rectify the problem so I can interact with the domain from Server
B? Also, when I try to use Active Directory Domains and Trusts on Server B,
I get a dialog box saying "The configuration information describing the
enterprise is not available. The server is not
operational." How do I make it operational? I must be able to do something
to configure it properly but I don't know what that is. On Server A, the
domain controller, I do see that there is information in the Forward Lookup
Zone folder so I guess it is configured properly on Server A. Maybe Server
B was not correctly connected to the domain? What do I do to make sure
Server B is correctly connected to the domain and configured properly?

Thank you very much!
Keith

Ace Fekay [MVP]

Keith, this is long, so read carefully and please post any info that I ask.
It will be very helpful to help you out. Read below inline...

In
> I have two computers. One computer is a domain controller (Server A) and
> the other computer is a member server (Server B). The operating
> system is Windows Server 2000 and the domain is called Domain. I
> installed the Adminpak on Server B but I cannot use Active Directory
> User and Computers to manage domain accounts. When I click Active
> Directory Users and Computers from Administrative Tools, I get a
> dialog box saying "Naming information cannot be located because: The
> server is not operational. Contact your system administrator to
> verify that your domain is properly configured and is currently
> online."

This is because AD stores ALL of its resource and service locations in DNS.
It is actually "looking" for it in DNS. Specifically in the SRV records.
They look like this and house all the records that AD automatically
registers into DNS by the netlogon service at periodic intervals:

_msdcs
_sites
_udp
_tcp

More information:

241515 - How to Verify the Creation of SRV Records for a Domain Controller:
http://support.microsoft.com/?id=241515

239897 - SRV Resource Records May Not Be Created on Domain Controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;239897

> Does this mean that I have to do something with DNS on
> Server B? I don't know anything about DNS at this point.

Yes, you do have to create the zone on ServerA.
If ServerA has DNS and ServerB does not, then that's ok too.

This is *very* important:
If ServerA is supposed to be the DNS server for your domain, then ALL
machines (DCs, clients, memberservers, etc) need to ONLY point to this
server in their IP properties. If not, then all kinds of things can go
wrong. This pretty much means not to use your ISP's too.

For *efficient* Internet name resolution, it's suggested to use a Forwarder
on your own DNS server that points to the ISP's DNS. This article shows how.
If the option is grayed out, delete the Root zone, which this article also
shows how to do.

300202 - HOW TO Configure DNS for Internet Access in Windows 2000:
http://support.microsoft.com/?id=300202

> When I go
> to Configure Your Server from Administrative Tools and then
> Networking, DNS, Manage, I'll see a DNS management console with DNS
> in a hierarchy display. Under DNS, I see Server B. I do not also see
> Server A. Should I?

Only if you add it (rt-click, add server, type in the name), and it will ONLY
add if the DNS service is also running on ServerB.

> If I click Server B, I see a Forward Lookup
> Zone folder and a Reverse Lookup Zone folder. There is nothing in
> the Forward or Reverse Lookup Zone folders. Should there be something
> in either one of these folders or both?

That is not good at all. The name of your AD domain name (called a "zone")
should exist. That you need to create manually. In the properties of the
zone, set Dynamic Updates to "YES". The name to create is your Active
Directory Domain Name in the form of:

domain.com
domain.net
domain.local
domain.keith
etc

But NOT JUST "domain", which would be an invalid DNS domain name. Hopefully
when you installed AD you chose a valid DNS domain name. If not, let us
know.

If not sure how to create a zone, check this out:

General Link on DNS:
www.microsoft.com/dns

and

Create a New Zone on a DNS Server:
http://support.microsoft.com/?id=308201

> How should I rectify the
> problem so I can interact with the domain from Server B? Also, when
> I try to use Active Directory Domains and Trusts on Server B, I get a
> dialog box saying "The configuration information describing the
> enterprise is not available. The server is not
> operational." How do I make it operational?

Same reason as above. The zone needs to exist, and the SRV records need to
exist. Here's an article on how to confirm SRV creation:

241515 - How to Verify the Creation of SRV Records for a Domain Controller:
http://support.microsoft.com/?id=241515

> I must be able to do
> something to configure it properly but I don't know what that is. On
> Server A, the domain controller, I do see that there is information
> in the Forward Lookup Zone folder so I guess it is configured
> properly on Server A. Maybe Server B was not correctly connected to
> the domain? What do I do to make sure Server B is correctly
> connected to the domain and configured properly?


As mentioned, ALL machines must only point to your DNS server ONLY. The SRV
records need to exist. The domain must be of a valid DNS name.

One more thing, the Primary DNS Suffix on all machines that are part of this
domain, especially the domain controller, must be set to the AD DNS domain
name.

If you can post this information, it would also be very helpful:

1. ipconfig /all > c:\ipconfig.txt
2. The AD DNS domain name
3.
> Thank you very much!
> Keith

:)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
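As an added example (not part of the thread), here is a Python check for the rules in the reply above, run over constructed ipconfig /all output: it flags any DNS server that is not the AD DNS server, a Primary DNS Suffix that does not match the AD domain, and a blank default gateway (the problem the later replies run into). The domain name and the 10.10.10.x addresses are the ones that appear later in the thread; the sample output itself and the 10.10.10.254 gateway are assumptions.

```python
"""Audit "ipconfig /all" output against the rules given in this thread:
every DNS server must be the AD DNS server, the Primary DNS Suffix must be
the AD domain, and (from the later replies) a default gateway must be set."""
import re

AD_DOMAIN = "electrosource.net"      # the AD DNS domain named later in the thread
INTERNAL_DNS = {"10.10.10.1"}        # MIDATLANTICUS, the DC that runs DNS

# Constructed sample output for the member server (not captured from the
# thread): the ISP's DNS server is still listed, no suffix, no gateway.
SAMPLE_BROKEN = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : keith-server
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.10.10.2
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 10.10.10.1
                                            68.48.0.5
"""
# The same host after the fixes the thread arrives at (gateway address assumed).
SAMPLE_FIXED = re.sub(r"\n +68\.48\.0\.5", "", SAMPLE_BROKEN).replace(
    "Primary DNS Suffix  . . . . . . . :", "Primary DNS Suffix  . . . . . . . : electrosource.net"
).replace("Default Gateway . . . . . . . . . :", "Default Gateway . . . . . . . . . : 10.10.10.254")

_LINE = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?)[\s.]*:\s*(?P<val>.*)$")

def parse_ipconfig(text):
    """Map each 'Key . . . : value' line to key -> [values]; indented lines
    without a colon (extra DNS servers) continue the previous key."""
    fields, last = {}, None
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            last = m.group("key").strip().lower()
            fields.setdefault(last, [])
            if m.group("val").strip():
                fields[last].append(m.group("val").strip())
        elif last and line.startswith(" ") and line.strip():
            fields[last].append(line.strip())
    return fields

def audit(text, ad_domain=AD_DOMAIN, internal_dns=INTERNAL_DNS):
    """Return a list of findings; an empty list means the host follows the rules."""
    f = parse_ipconfig(text)
    findings = []
    servers = f.get("dns servers", [])
    foreign = [s for s in servers if s not in internal_dns]
    if not servers:
        findings.append("no DNS server configured")
    elif foreign:
        findings.append(f"DNS Servers lists non-AD server(s) {foreign}; "
                        f"point ONLY at {sorted(internal_dns)}")
    suffix = (f.get("primary dns suffix") or [""])[0].lower()
    if suffix != ad_domain.lower():
        findings.append(f"Primary DNS Suffix is {suffix!r}, expected {ad_domain!r}")
    if not f.get("default gateway"):
        findings.append("Default Gateway is blank; set it to the router's address")
    return findings

if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, audit(sample) or "OK")
```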

Keith Norris

Thank you very much for your reply! I've got the problem taken care of by
reading the first two Knowledge Base articles you listed. I needed to set
Server B's DNS entry in TCP/IP properties to the IP address of Server A.
Now Server B can manage Active Directory objects in the domain. However, I
could not verify that the SRV records were created. I expanded my domain
name in the forward lookup zone and there were four rows of data to the
right with name, type, and data fields but they were not folders called
_msdcs, _sites, _tcp, _udp. Do the _ before the folder names mean they are
hidden? Should I be able to see these folders? I think the second article
said that the SRV records are necessary for any clients to connect to the
domain. Even though Server B is a member server, it connected to the domain
on Server A, so I guess Server B is a client in that respect and it did
connect so that must mean the SRV records exist. Do you agree?

Can you tell me how I can physically see that folders _msdcs, _sites, _tcp,
and _udp exist?

Thanks again!
Keith

Keith Norris

I thought I had the problem taken care of but I didn't. What I did (when I
thought it was corrected) at least allowed me to open the Active Directory
Users and Computers MMC and this faked me into thinking it was corrected.
I was still not able to save a new user to the AD at the end of the process
though. It said something like the domain could not be contacted. I found
some instructions in a book about how to join a member server to a domain,
so I followed them. It did work but that required me to put static IP
addresses in and that unfortunately wiped out my ISP service. So that is
why I could not post or email sooner. I just got finished talking to a
member of the Technical Staff at my ISP (Comcast) and she got me connected
again on the member server (I was logged on locally).

I will tell you what I did since you originally replied. Note, Everything
I've been talking about up to this point has been regarding the member
server Server B. My domain is really electrosource.net.

I read 241515 - How to Verify the Creation of SRV Records for a Domain
Controller. I went to the domain controller Server A (note: I also received
mail from my ISP on Server A ) and typed NSLOOKUP at the command prompt.
The results I got were:

Default server: ns01.rtchrd01.md.comcast.net
Address: 68.48.0.5

I typed:

set type=all
_ldap._tcp.dc._msdcs.electrosource.net

The results I got are:

*** ns01.rtchrd01.md.comcast.net can't find
_ldap._tcp.dc._msdcs.electrosource.net: Non-existent domain

The DNS tree viewed from the DNS MMC snap in looked like the following
(note: Server A that I have been referring to is really MIDATLANTICUS):

DNS
- MIDATLANTICUS
  - Forward Lookup Zones
    - electrosource.net
  - Reverse Lookup Zones

If I clicked electrosource.net, I would see the following in the right
window pane:

Name                     Type                Data
(same as parent folder)  Start of Authority  [3],midatlanticus.electrosource.net.,admin.
(same as parent folder)  Name Server         midatlanticus.electrosource.net
midatlanticus            Host                192.168.1.102

If I clicked Reverse Lookup Zones, I would see the following in the right
window pane:

Add a zone
(and then more info about adding a zone)

I read 239897 - SRV Resource Records May Not Be Created on Remote Domain
Controller. I went to Server B which is actually KEITH-SERVER and added the
IP address 192.168.1.102 in The DNS server addresses in order of use box
under the DNS tab of the Advanced section in the Internet Protocol (TCP/IP)
properties of the Local Area Connection. At this point I thought I could
manage Active Directory objects because I could successfully get to the
Active Directory Users and Computers snap in and I did see domain accounts.
This is when I posted the errant message saying that the problem was taken
care of but I later found out that it wasn't when I tried to add a domain
dfs root and a domain user from KEITH-SERVER when I was logged in to the
domain. This is when I found the instructions of how to connect a member
server to a domain in a book. I did the following:

1) Went to MIDATLANTICUS and clicked Start, pointed to Settings and clicked
Network and Dial-Up Connections.
2) Clicked Local Area Connection and from the File menu, clicked
Properties.
3) In the Components Checked Are Used By This Connection box, clicked
Internet Protocol (TCP/IP).
4) Clicked Properties.
5) Clicked the Use The Following IP Address radio button.
6) In the IP Address box, typed 10.10.10.1.
7) In the Subnet Mask box, verified that 255.0.0.0 appeared.
8) Clicked the Use The Following DNS Server Addresses radio button.
9) In the Preferred DNS Server box, typed 10.10.10.1.
10) Clicked OK.
11) Clicked OK.
12) Went to KEITH-SERVER, clicked Start, pointed to Settings and clicked
Network and Dial-Up Connections.
13) Clicked Local Area Connection and from the File menu, clicked
Properties.
14) In the Components Checked Are Used By This Connection box, clicked
Internet Protocol (TCP/IP).
15) Clicked Properties.
16) Clicked the Use The Following IP Address radio button.
17) In the IP Address box, typed 10.10.10.2.
18) In the Subnet Mask box, verified that 255.0.0.0 appeared.
19) Clicked the Use The Following DNS Server Addresses radio button.
20) In the Preferred DNS Server box, typed 10.10.10.1.
21) Clicked OK.
22) Clicked OK.
23) Restarted both servers

This time I was able to successfully use the Active Directory Users and
Computers snap-in on KEITH-SERVER to create domain users and use the
Distributed File System snap-in to create DFS Roots and Links. Now, when I
go to MIDATLANTICUS and view the DNS tree in the DNS snap-in, I see the
following:

DNS
- MIDATLANTICUS
  - Forward Lookup Zones
    - electrosource.net
      + _msdcs
      + _sites
      + _tcp
      + _udp
  - Reverse Lookup Zones

If I click electrosource.net, I see the following in the right window pane:

Name                     Type                Data
(same as parent folder)  Start of Authority  [26],midatlanticus.electrosource.net.,admin.
(same as parent folder)  Name Server         midatlanticus.electrosource.net
(same as parent folder)  Host                10.10.10.1
keith-server             Host                10.10.10.2
midatlanticus            Host                10.10.10.1
_msdcs
_sites
_tcp
_udp

This tells me the SRV records were created. What a relief! I've never seen
them before. If I click Reverse Lookup Zones, I see the following in the
right window pane:

Add a zone
(and then more info about adding a zone)

At this point, I was happy. I was successfully interacting with the Active
Directory from KEITH-SERVER. However, I noticed I could not get to the
internet. I talked to a member of the technical staff at Comcast. I was
logged on locally to KEITH-SERVER. She had me do the following:

1) Click Local Area Connection and from the File menu, clicked Properties.
2) In the Components Checked Are Used By This Connection box, clicked
Internet Protocol (TCP/IP).
3) Clicked Properties.
4) Clicked the Obtain an IP address automatically radio button.
5) Click the Obtain DNS server address automatically radio button.
6) Restart

This allows me to get back to the internet again, but since my TCP/IP and
DNS addresses have changed from what the book told me to enter, I cannot
interact with Active Directory from KEITH-SERVER. I would like to connect
to the internet through Comcast and interact with the Active Directory on my
domain from KEITH-SERVER. Is that possible? Would it be possible to create
another DNS Forward Lookup Zone and somehow go to Comcast's DNS server in
cases when I want to go to the internet but use the other Forward Lookup
Zone when I want to interact with the electrosource.net domain? If so, how
would the system know which Forward Lookup Zone to go to. I would imagine
the TCP/IP addresses and DNS addresses would have to be changed again, if I
could do this. What should I do? I will go on reading your original
message as I realize that it may help me. I'm apprehensive about changing
things because I'm afraid I might mess things up. Please give me any
detailed help you can.

Thank you very much!!
Keith
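As an added example (not from the thread), this Python code builds the query that the nslookup check above sends for _ldap._tcp.dc._msdcs.electrosource.net and decodes the SRV answer at the wire level, so the "Non-existent domain" result and a successful answer can be seen side by side. Both replies are constructed here: the SRV answer pointing at midatlanticus uses an assumed priority 0, weight 100 and port 389, and the NXDOMAIN reply (RCODE 3) stands in for what the Comcast resolver returned.

```python
"""Wire-level version of the nslookup check from KB 241515: build the SRV
query for _ldap._tcp.dc._msdcs.<domain> and decode the answer. Added example,
not from the thread; both responses below are constructed."""
import struct

SRV, IN = 33, 1                                  # SRV record type, IN class

def encode_name(name):
    """'a.b' -> b'\\x01a\\x01b\\x00' (length-prefixed labels, root terminator)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    """Header (recursion desired, one question) + question for SRV/IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", SRV, IN)

def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, after = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # two-byte pointer to an earlier name
            if not jumped:
                after = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (after if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_srv_answers(msg):
    """Return [(name, ttl, priority, weight, port, target)] for each SRV answer;
    a non-zero RCODE (3 = the 'Non-existent domain' nslookup printed) yields []."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                          # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            answers.append((name, ttl, prio, weight, port, target))
        off += rdlen
    return answers

def build_srv_response(query, prio, weight, port, target, ttl=600):
    """Constructed reply: one SRV RR whose owner name is a pointer to the question name."""
    rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", SRV, IN, ttl, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr

def build_nxdomain_response(query):
    """Constructed reply with RCODE 3: what the ISP's resolver gave Keith."""
    return query[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + query[12:]

QNAME = "_ldap._tcp.dc._msdcs.electrosource.net"
QUERY = build_query(QNAME)
if __name__ == "__main__":
    ok = build_srv_response(QUERY, 0, 100, 389, "midatlanticus.electrosource.net")
    print(parse_srv_answers(ok), parse_srv_answers(build_nxdomain_response(QUERY)))
```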

Ace Fekay [MVP]

In Keith Norris <[email protected]> posted their thoughts, then I offered
mine

<snip>

Wow, what a detailed response! Thanks for outlining the steps you went
through.

I see the original problem is that you are using your Comcast DNS servers.
As you've found out, this is a NO-NO with AD. No external server addresses
can exist, only yours in your IP Properties.

Put it back to your internal server, and use a forwarder to get Internet
resolution. How to do that is shown below Step 3 in the article here. If the
option is grayed out, delete your Root zone, which is also shown below Step 3:
http://support.microsoft.com/?id=300202

For a forwarder, use 4.2.2.2. Comcast's may not be allowing forwarders.
Never know.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Keith Norris

Since your last message I have done only the following:

1) Right-clicked MIDATLANTICUS and clicked properties
2) Clicked the Forwarders tab
3) Clicked to select Enable forwarders check box
4) Typed 4.2.2.2 in the IP address text box and added it
(Note: The forward time-out seconds: text box has 5 in it and the Do not
use recursion check box is not selected)

I opened Internet Explorer and it tried to open to http://www.msn.com/ but
it cannot find server and the page cannot be displayed. I guess this means
that Comcast does not allow forwarders? Does this sound correct? Is there
any other way I can check to see if the forwarder is working (a ping
possibly, I don't understand that)? How did you know that I should use
4.2.2.2 as the IP forwarder address for Comcast? Is there any way I should
configure IE to use the server? I don't know how to set it up. I have not
changed the Local Area Connection properties. The Internet Protocol (TCP/IP)
properties remain as follows.

The Use the following IP address radio button is selected.
The IP address: text box has 10.10.10.1.
The Subnet mask: text box has 255.0.0.0.
The Default gateway text box is blank
The Use the following DNS server addresses: radio button is selected.
The Preferred DNS server: text box has 10.10.10.1.
The Alternate DNS server: text box is blank

Do you see anything wrong with this? Everything I've been writing about to
this point has been concerning MIDATLANTICUS, the domain controller. I did
not change anything back on KEITH-SERVER yet because I want to make sure we
get MIDATLANTICUS working first.

Thanks,
Keith

Ace Fekay [MVP]

In
Keith Norris said:
> Since your last message I have done only the following:
>
> 1) Right-clicked MIDATLANTICUS and clicked properties
> 2) Clicked the Forwarders tab
> 3) Clicked to select Enable forwarders check box
> 4) Typed 4.2.2.2 in the IP address text box and added it
> (Note: The forward time-out seconds: text box has 5 in it and the Do
> not use recursion check box is not selected)
>
> I opened Internet Explorer and it tried to open to
> http://www.msn.com/ but it cannot find server and the page cannot be
> displayed. I guess this means that Comcast does not allow
> forwarders? Does this sound correct? Is there any other way I can
> check to see if the forwarder is working (a ping possibly, I don't
> understand that)? How did you know that I should use
> 4.2.2.2 as the IP forwarder address for Comcast? Is there any way I
> should configure IE to use the server? I don't know how to set it
> up. I have not changed the Local Area Connection properties. The
> Internet Protocol (TCP/IP) properties remain as follows.
>
> The Use the following IP address radio button is selected.
> The IP address: text box has 10.10.10.1.
> The Subnet mask: text box has 255.0.0.0.
> The Default gateway text box is blank
> The Use the following DNS server addresses: radio button is selected.
> The Preferred DNS server: text box has 10.10.10.1.
> The Alternate DNS server: text box is blank
>
> Do you see anything wrong with this? Everything I've been writing
> about to this point has been concerning MIDATLANTICUS, the domain
> controller. I did not change anything back on KEITH-SERVER yet
> because I want to make sure we get MIDATLANTICUS working first.
>
> Thanks,
> Keith

Hi Keith,

This is starting to sound like a simple network issue rather than a DNS
issue. The reason why I say this is that you have no default gateway, as you
state it's blank. That's the IP of your router to be able to get off the
network to the outside world.

With all due respect, are you familiar with simple networking and how to set
it up?

I mentioned that Comcast's DNS servers may not allow forwarding. I did not
say that Comcast blocks all forwarding, which can't be done, since it
uses the same ports that DNS uses. 4.2.2.2 is a known server that offers
forwarding.

What is your network configuration? Are you using a Linksys router, or
something similar?

Can you ping:
4.2.2.2 ?
If not sure how to ping:
Click Start, Run, then type in cmd.
Then in the command window, type in:
ping 4.2.2.2
You should see a response such as:
========================
C:\>ping 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:

Reply from 4.2.2.2: bytes=32 time=16ms TTL=244
Reply from 4.2.2.2: bytes=32 time<10ms TTL=244
Reply from 4.2.2.2: bytes=32 time<10ms TTL=244
Reply from 4.2.2.2: bytes=32 time<10ms TTL=244

Ping statistics for 4.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 16ms, Average = 4ms
=========================

If you get time outs, such as the below result, then we have a simple
networking configuration issue.
==========================
C:\>ping 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 4.2.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================


I would make sure you can ping first before anything else. Find out what the
IP of your router is and type that in your default gateway.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Keith Norris

Unfortunately, I'm new to network configuration as you can tell. I entered
the IP address of my router as my default gateway as you suggested and now
it works fine. Internal resolution is done on my DNS server and external
resolution is forwarded.

Thank you very much!!!
Keith

Ace Fekay [MVP]

In
Keith Norris said:
> Unfortunately, I'm new to network configuration as you can tell. I
> entered the IP address of my router as my default gateway as you
> suggested and now it works fine. Internal resolution is done on my
> DNS server and external resolution is forwarded.
>
> Thank you very much!!!
> Keith

I'm glad you got it working and figured out.

Here's a cool site to help you out with tutorials and how-to's for many
things. There's a link on the left for "Networking". Hope it helps you out
for future configurations.
http://www.labmice.net

Cheers!


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory