Fixing Disjointed DNS Namespace

[jwgoerlich]

Hello,

We are having a problem with a Active Directory domain. When installed,
they used the DNS name "domain." rather than "domain.local" or what
have you. During a recent upgrade, the administrators deleted the
"domain." forward zone from DNS. No backups exist and this zone was a
Standard Primary, not AD-integrated.

We have recreated the DNS zone and attempted to repair it following KB
260371.

Troubleshooting Common Active Directory Setup Issues
http://support.microsoft.com/kb/q260371/

Netdiag /Fix does not work. I suspect that the DNS settings were
incorrect when AD was installed, and that what we have here is a
disjointed DNS namespace.

Any recommendations on how to fix this, short of removing and
rebuilding Active Directory? Thanks in advance.

J Wolfgang Goerlich

Environment: Win2000 S SP4, Active Directory Mixed, one DC with one
member server, 60+ WinXP clients.

 

[Herb Martin]

Troubleshooting Common Active Directory Setup Issues

http://support.microsoft.com/kb/q260371/

Netdiag /Fix does not work. I suspect that the DNS settings were
incorrect when AD was installed, and that what we have here is a
disjointed DNS namespace.

Any recommendations on how to fix this, short of removing and
rebuilding Active Directory? Thanks in advance.

Well, definitely do NOT do that.

Before trying to fix the DC records make sure you DNS is properly configued:

DNS
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.


THEN try these on each DC:

Net stop netlogon
net start netlogon
dcdiag /fix

NetDiag /fix is not designed to do all of the DC things.
(Neither is DCDiag but it comes closer.)

Also send the output of DCDiag to a text file and search for
FAIL, WARN, ERROR -- fix those or try reporting them here.

 

[jwgoerlich]

Hello Herb,

Appreciate the quick reply. Here is an update:

1) Dynamic for the zone supporting AD

Done. Active Directory-integrated, dynamic yes (unsecure at the moment)

2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
Check.

3) DCs and even DNS servers are DNS clients too -- see #2

The single domain controller hosts DNS. The DC points to itself for
DNS.

THEN try these on each DC ... dcdiag /fix

Done on the one and only DC. First error is DNS, which we know about
because populating the DNS is what we are trying to do. Second error is
about the GC, which we have checked. The GC is active on the DC and,
thus, I am reasonably certain that this is a DNS-related problem, too.

(5e97a6d4-ed58-4d3b-92f1-f8bec097e738._msdcs.domain) couldn't be
resolved, the server name (server.domain) resolved to the IP address
(192.168.10.2) and was pingable.

Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Next step?

J Wolfgang Goerlich

 

[Herb Martin]

Did you restart the Net Logon service?
(Rebooting the DC should be equivalent).

 

[jwgoerlich]

Yes, rebooted the computer.

 

[Herb Martin]

You know I forgot to mention that your SINGLE label
domain name is likely part of your problem.

Start here:

http://support.microsoft.com/Default.aspx?kbid=826743

Or Google this:

[ single label domain name dns site:microsoft.com ]

or

[ single label domain name dns microsoft: ]

 

[jwgoerlich]

Good information. Much obliged for your help, Herb. We are proceeding
to rebuild Active Directory. The article 826743 and other symptoms (too
numerous to mention) have convinced us that the implementation is wrong
on several levels. Better to start fresh and do it right then to track
down bugs and chase our tails for the next several months.
Thanks again for your time, it was very helpful.

J Wolfgang Goerlich

 

[Herb Martin]

Good information. Much obliged for your help, Herb. We are proceeding
to rebuild Active Directory. The article 826743 and other symptoms (too
numerous to mention) have convinced us that the implementation is wrong
on several levels. Better to start fresh and do it right then to track
down bugs and chase our tails for the next several months.
Thanks again for your time, it was very helpful.

Glad to help.

You know perhaps, that generally I am against re-installing
domains, or even regular machines just to "clean them up"
as many people suggest as a near matter of course, BUT....

This is one of the exceptions, I usually make. That darn
single label domain name is so irritating that it is probably
worth it.