Issues after inplace upgrade to AD

Ken Merrigan

This weekend we completed an upgrade to W2K AD from an NT4 domain, and
have several issues we are trying to work through. Any help by the
all knowledgeable people on this board would be greatly appreciated.

First some background. We started with 2 NT domains, we will call
them the Kramden domain and the Norton domain. The Kramden Domain
contains the users and most of the resources on the network. The
Norton Domain contains a small number of servers that are accessible
from the internet, including e-mail servers (Exchange 5.5) and
Microsoft Proxy 2.0 (which is how users in the Kramden domain access
the internet). There is an explicit one way trust where Norton is the
trusting domain, and Kramden is the trusted domain.

The Norton domain also contains 2 NT4 boxes running DNS server that
hold A records for the mail servers. All hosts / clients in the
Kramden domain reference these 2 DNS servers in the Norton Domain.
There is also a zone for Kramden.com set up on the DNS servers. This
zone contains the A records that point to AS-400s, and a list of the
main file servers on the network. Besides providing name resolution
to the AS-400s, DNS is not widely used as the Kramden Domain clients
used WINS for name resolution under NT4.

This weekend we did an in place upgrade to W2K AD on the Kramden
domain only. The Norton domain remains NT4. There are currently 2
DCs running on Kramden.com. Kramden-AD-RT (the server that the
upgrade was run on) serves as the Operations Master, and ADserver,
which is a Global Catalog. Both are set up as DNS servers running
integrated DNS. There is also a third DC (KramdenW2K) that is not
replicating, but more on that later. We are experiencing the
following issues:

Issue 1 - DNS: The DNS event logs contain many warnings. On the
Kramden-AD-RT server, the DNS Server event log has more than a
thousand warning entries generated over the past 48 hours or so. The
most numerous is Event ID 7062. I have searched on this ID in the
Microsoft KB and here on Google. I have checked and made changes
following suggestions made in the articles. There are no forwarders
defined. This is a root server, also we do not want it handling DNS
queries for servers on the internet (the proxy server will handle
this). I removed the cache.dns file from Winnt\System32\DNS folder.
In the properties of the NIC we have changed the IP properties so that
the DNS pointer was to its own IP address, 10.93.250.9 (it was
127.0.0.1 after the upgrade). This did not change anything, so we
changed the IP Properties for the Primary DNS to point to ADserver
(10.93.250.23). The 7062 errors persist.

We are also seeing Event ID 9999 for DNS, although not nearly as
frequently as 7062. In many cases, we see a pattern that after ten
7062 events, we see a 9999 event. Event ID 9999 reads:

The DNS Server has encountered numerous run time events. These are
usually caused by the reception of bad or unexpected packets, or from
problems with or excessive replication traffic. The data is the
number of suppressed events encountered in the last 15 minute
interval.

Issue 2 - DC won't replicate: After completing the upgrade, we ran
dcpromo on what had been a member server (KramdenW2K) on the Kramden
domain to create a second DC. Dcpromo completed, and everything
appeared to be working on this second DC. However, it did not
register properly in the integrated DNS on Kramden-AD-RT. The NS
record appeared, but not the A record. After looking at it, we
realize this happened because when we ran dcpromo, the machine still
had its old domain of Kramden, and not Kramden.com. (Microsoft KB
260371). Before we realized that we had a problem, we wanted to test
replication by making changes on each DC. Because of the DNS name
space issue, the DCs would not replicate. We decided to try to demote
KramdenW2K back to a member server. When we tried to run dcpromo to
demote it, we get the following error:

The operation failed because:
The Directory Service failed to replicate off changes made locally.
The DSA operation is unable to proceed because of a DNS lookup
failure

So we are stuck with a DC that can not replicate to its partners,
because its partners do not see it. We can not demote it, because it
needs to replicate its changes off. At this point, we would like to
be able to demote it to a member server, or failing that, remove it
from the network completely. If we remove it, what steps will we need
to take so that all references to this server are removed from AD?

Issue 3 - W2K Pro clients not logging on to AD: It seems that all
of the Windows XP and Windows 98 clients have logged into AD as we see
their names registered in the integrated DNS. However, none of our
W2K Pro clients are logging on to AD. These PC names are not in the
integrated DNS, and when we look at the workstation and run "set" at
the command prompt, the logon server is listed as one of the NT4 BDCs.
In the Microsoft KB we found article 328570, but it was not very
clear on how to use the LDIFDE utility to get the information. I
would also hope that I will not have to apply a "hotfix" to every W2K
Pro client on the network.

I apologize to all for the length and long-windedness of this post, but
I always try to give all the pertinent info I can. Any assistance or
direction that you could give me on any of these issues would be
greatly appreciated.

Thank you in advance

Ken Merrigan
Network Administrator
 
