Forest Root DC Single Label host name


C

Cabal10

Our network has 4 locations, but the main location is the only one that has
AD, the others have NT4. In our main site we have 3 DC's. The forest root
DC is in the nj1.com domain, but its fully qualified domain name is
server.nj1. There is no .com. This server is also our FSMO role holder.
The other two server are servername.nj1.com. I am trying to move the FSMO
roles and demote it, but when I tried to transfer the roles I get errors.
When I run dcdiag I get DNS guid errors. I am not sure how fix this server
so that it's fully qualified name is server.nj1.com? Any ideas?

Thanks in advance.
 
Ad

Advertisements

A

Ace Fekay [MVP]

In
Cabal10 said:
Our network has 4 locations, but the main location is the only one
that has AD, the others have NT4. In our main site we have 3 DC's.
The forest root DC is in the nj1.com domain, but its fully qualified
domain name is server.nj1. There is no .com. This server is also
our FSMO role holder. The other two server are servername.nj1.com. I
am trying to move the FSMO roles and demote it, but when I tried to
transfer the roles I get errors. When I run dcdiag I get DNS guid
errors. I am not sure how fix this server so that it's fully
qualified name is server.nj1.com? Any ideas?

Thanks in advance.

Well, this depends. YOu didn't provide any detail about the configuration
other than mentioning a couple of different names, I'll do my best to
explain your options.

I assume you upgraded your PDC to a Windows 2000, or is it a 2003 domain
controller? That would be the only way the BDCs are part of this domain.

If the AD DNS domain name is actually a single label name as you stated,
then to fix it you have a number of options:

1. Rebuild the AD domain from scratch. But this isn't so easy because you
will lose the NT4 BDCs as part of the domain. You can always promote one of
them to the PDC of the domain, and create a two way trust between that
domain and the new one. But I'm sure you don't want to do that.

2. If Windows 2003, you can possibly use the domain rename tool choosing the
correct name. Preserves the current domain. However if you have Exchange
2000, 2003 or 2007, it will complicate matters and require additional steps.

3. Since you only have the one DC, you can also simply unplug the DC,
promote one of the other NT4 BDCs to the PDC, then reinstall NT4 on the
machine as a BDC, then promote it to the PDC, then upgrade it to Windows
2003 this time choosing the correct name. Long out and drawn, but it
preserves the current domain.

However if the Primary DNS suffix is incorrect on the DC, and/or the FQDN in
the computername properties is incorrect, BUT the AD DNS domain name is not
single label, this is alot easier. This is called a disjointed namespace.
Eg. If Windows 2000, you can use a script to correct it. If 2003, you can
simply change it in Computer Properties, Computer Name tab.

So to better assist:

What is the actual Active Directory DNS domain name? This name shows up
under ADUC.

In addition, please provide the following information.

1. Unedited "ipconfig /all" of the AD domain controller
2. Same for one of your Windows 2000 and/or XP Pro machines that is joined
to the domain
3. Any errors in the event logs on the AD DC (post the EventID# and Source
name)
4. The name of the AD DNS zone name in DNS and if the SRV records exist
5. Re-run dcdiag with switches: 'dcdiag /v /fix' and post the whole result.


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
 
C

Cabal10

Thanks for taking the time to help and doing so much with so little info.
Let me see if I can fill in the gaps for you.

In the main site we have 3 W2K domain controllers. You made the correct
assumption that we did an inplace upgrade of an NT4 box (directory) which
became our first W2K AD forest root DC. There is no W2K3 servers in the
enviornment. Server1 is the one that has the problem. When I look at the
computer name tab the domain says NJ1.COM. This is correct. The full
computer name however says server1.NJ1.
So, I guess it is like you said a disjointed namespace. The other 2 servers
have the correct FQDN.

I don't have ready access to the servers/domain, but I will show you what
info I do have now. I tried running dcdiag /fix and stopping starting
netlogon, of course this did nothing. Here is more info.

The domain name is NJ1.COM
In the Eventviewer under direcotry service I get a lot of source: NTDS
replication event:1586
Under system log I get a ton of source: netlogon event:5781

dcdiag report on directory server
Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine directory, is a DC.
* Connecting to directory service on server directory.
* Collecting site info.
* Identifying all servers.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DIRECTORY
Starting test: Connectivity
* Active Directory LDAP Services Check
acd6524f-cc8e-4780-936a-449a2e53fcdc._msdcs.NJ1.com's server GUID
DNS name could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(acd6524f-cc8e-4780-936a-449a2e53fcdc._msdcs.NJ1.com) couldn't be
resolved, the server name (directory.NJ1) resolved to the IP address
(192.168.1.1) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... DIRECTORY failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DIRECTORY
Skipping all tests, because server DIRECTORY is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: OutboundSecureChannels

Running enterprise tests on : NJ1.com
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the
scope provided by the command line arguments provided.
......................... NJ1.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\directory.NJ1
Locator Flags: 0xe00001bd
PDC Name: \\directory.NJ1
Locator Flags: 0xe00001bd
Time Server Name: \\intranet.NJ1.COM
Locator Flags: 0xe00001f8
Preferred Time Server Name: \\finance1.NJ1.COM
Locator Flags: 0xe00001fc
KDC Name: \\directory.NJ1
Locator Flags: 0xe00001bd
......................... NJ1.com passed test FsmoCheck

On the Intranet server I ran a repamin /showreps
C:\Documents and Settings\Administrator.NJ1>repadmin /showreps
Default-First-Site-Name\INTRANET
DSA Options : (none)
objectGuid : 2029e23d-7268-4e30-8b17-629d8fde55be
invocationID: 0594e9f4-4e95-48a5-8f47-36e4b8937b7e

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=NJ1,DC=com
Default-First-Site-Name\FINANCE1 via RPC
objectGuid: c2400d4c-ef99-4f02-9048-aa6259d9ab5d
Last attempt @ 2008-03-03 11:52.23 was successful.
Default-First-Site-Name\DIRECTORY via RPC
objectGuid: acd6524f-cc8e-4780-936a-449a2e53fcdc
Last attempt @ 2008-03-03 12:14.34 failed, result 8524:
The DSA operation is unable to proceed because of a DNS lookup
failu
re.
Last success @ 2008-02-13 14:50.33.
466 consecutive failure(s).

CN=Configuration,DC=NJ1,DC=com
Default-First-Site-Name\DIRECTORY via RPC
objectGuid: acd6524f-cc8e-4780-936a-449a2e53fcdc
Last attempt @ 2008-03-03 12:23.10 failed, result 8524:
The DSA operation is unable to proceed because of a DNS lookup
failu
re.
Last success @ 2008-02-13 15:06.18.
4060 consecutive failure(s).
Default-First-Site-Name\FINANCE1 via RPC
objectGuid: c2400d4c-ef99-4f02-9048-aa6259d9ab5d
Last attempt @ 2008-03-03 12:30.37 was successful.

DC=NJ1,DC=com
Default-First-Site-Name\DIRECTORY via RPC
objectGuid: acd6524f-cc8e-4780-936a-449a2e53fcdc
Last attempt @ 2008-03-03 11:58.14 failed, result 8524:
The DSA operation is unable to proceed because of a DNS lookup
failu
re.
Last success @ 2008-02-13 15:05.33.
1191 consecutive failure(s).
Default-First-Site-Name\FINANCE1 via RPC
objectGuid: c2400d4c-ef99-4f02-9048-aa6259d9ab5d
Last attempt @ 2008-03-03 12:23.29 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

CN=Schema,CN=Configuration,DC=NJ1,DC=com
Default-First-Site-Name\DIRECTORY via RPC
objectGuid: acd6524f-cc8e-4780-936a-449a2e53fcdc
Default-First-Site-Name\FINANCE1 via RPC
objectGuid: c2400d4c-ef99-4f02-9048-aa6259d9ab5d

CN=Configuration,DC=NJ1,DC=com
Default-First-Site-Name\DIRECTORY via RPC
objectGuid: acd6524f-cc8e-4780-936a-449a2e53fcdc
Default-First-Site-Name\FINANCE1 via RPC
objectGuid: c2400d4c-ef99-4f02-9048-aa6259d9ab5d

DC=NJ1,DC=com
Default-First-Site-Name\DIRECTORY via RPC
objectGuid: acd6524f-cc8e-4780-936a-449a2e53fcdc
Default-First-Site-Name\FINANCE1 via RPC
objectGuid: c2400d4c-ef99-4f02-9048-aa6259d9ab5d

Thanks again for all your help!
-Cabal
 
C

Cabal10

IPconfig Info:

C:\WINNT\Profiles\Administrator>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : directory
Primary DNS Suffix . . . . . . . : NJ1
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : NJ1

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : NJ1
Description . . . . . . . . . . . : Compaq NC3163 Fa
Physical Address. . . . . . . . . : 00-02-A5-0A-4E-3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.1
Primary WINS Server . . . . . . . : 192.168.1.1
 
A

Ace Fekay [MVP]

In
Cabal10 said:
I will get you that info on Monday. Thanks

By the way, you mentioned that you attached a text file that I was to
save as a .vbs. I do not see any attachment. Is it the same one
from this MS KB Article?

http://support.microsoft.com/?id=257623&sd=RMVP

Thanks again...

Hmm, you probably posted using the web access to the newsgroups. I didn't
realize they don't allow attachments. Sorry about the inconvenience.

Yes, that is the same one in the article.

Ace
 
Ad

Advertisements

C

Cabal10

a. The name of the AD DNS zone name in DNS

NJ1.COM

b. Do the SRV records exist? (The ones with the underscores)

Yes, I do see the service location type records for all DC's


c. Are updates allowed in the zone properties?

Only secure updates

Hope that helps. Let me know if you need more info. I am running the
script now and rebooting.
 
C

Cabal10

Ace,

I have one question/concern before I run the script. The server that I am
running the script on has a computer name of directory.nj1
The domain name is nj1.com. I am afraid that when I run the script it will
append the domain name to the computer name and it will end up being:
directory.nj1.nj1.com

Remember that the full computer name on that server says directory.nj1 and
the records in DNS say the same. Will the script know to remove or ignore
the nj1 in the computer name and just append nj1.com, so that I amleft with
directory.nj1.com??

Thanks!
 
A

Ace Fekay [MVP]

In
Cabal10 said:
Ace,

I have one question/concern before I run the script. The server that
I am running the script on has a computer name of directory.nj1
The domain name is nj1.com. I am afraid that when I run the script
it will append the domain name to the computer name and it will end
up being: directory.nj1.nj1.com

Remember that the full computer name on that server says
directory.nj1 and the records in DNS say the same. Will the script
know to remove or ignore the nj1 in the computer name and just append
nj1.com, so that I amleft with directory.nj1.com??

Thanks!

The FQDN you see is actually derived from prefixing the computer name to the
suffix. The machine thinks it's suffix is NJ1. The script will change that
to nj1.com. It will straighten it out.

You have nothing to worry about other than getting this thing working. Run
it please.

Ace
 
C

Cabal10

Ace,

You were right, the script worked! I just wanted to thank you for all your
help. It was MUCH appreciated.
 
Ad

Advertisements

A

Ace Fekay [MVP]

In
Cabal10 said:
Ace,

You were right, the script worked! I just wanted to thank you for
all your help. It was MUCH appreciated.

Exellent to hear!

It was my pleasure. :)
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top