Move DNS (AD)
-
Thursday, July 19, 2012 12:22 PM
Long story short, the DNS service isn't working correctly.
What I want to do is set up another DNS Service (DNS Only, no AD Service) that will run all the zones currently being handled on the Active Directory Server. The Active Directory Server currently handles everything.
This is what the network services currently looks like.
SERVER 1
AD DS, AD FS 2.0, DHCP, DNS, IIS (Running Web Services for management).
---
This is how I want it to look
SERVER 1
AD DS, AD FS 2.0, DHCP, IIS
SERVER 2
DNS
---
I've always managed networks where DNS was being served from the same server as AD DS. I've never separated them before. I'm assuming it's possible. I'm also assuming that all I need to do is bring up a Win2008 R2 server, attach it as a Member Server to the domain, and add it as a secondary DNS to do a domain transfer. Then I need to upgrade it to be a primary DNS, move all the clients to use the new DNS, then uninstall DNS from SERVER 1. Am I correct?
Owner, Quilnet Solutions
- Changed type by Tiger Li (Moderator), Tuesday, July 24, 2012 2:14 AM
All Replies
-
Thursday, July 19, 2012 5:00 PM
Sure, you can do that, and I would rather see the new DC also have DNS installed and replicate the zone. But the question is, why do you believe that DNS is not working correctly? DNS simply just works, and works fine, on a DC, and is especially designed to do so, taking advantage of the security (Secure updates, not stored in a text file, and replicates to other DCs for fault tolerance), and robustness of AD integrated zones.
There are a number of things that can cause DNS to have problems on a DC. One of the most popular reasons is a multihomed DC (more than one IP, more than one unteamed NIC, RRAS installed, IP routing enabled, WINS Proxy enabled, iSCSI adapter on it, etc). There can be other issues, and if DNS is not running properly, it *will* affect AD functionality. Since your DC is up and running and clients are able to log on and access resources, it may be a simpler issue.
Let's see an ipconfig /all from the current DC and any event log errors, so we can assist to fix whatever is ailing the DC.
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This post is provided AS-IS with no warranties or guarantees and confers no rights.
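An added example (not from the thread or either poster) that checks a DC for the multihoming conditions listed in the reply above and pulls the DNS Server event log errors it asks for. It uses only WMI, the registry and Get-Service, so it runs on Windows Server 2008 R2 (PowerShell 2.0); run it from an elevated prompt on the DC.

```powershell
# Added example, not from the thread: flag the multihoming-type conditions that
# commonly break DNS on a domain controller, then list recent DNS Server errors.
function Test-DcDnsConfig {
    $findings = @()

    # More than one IP-enabled adapter, or more than one IPv4 address, = multihomed.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })
    $ipv4 = @($nics | ForEach-Object { $_.IPAddress } |
             Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    if ($nics.Count -gt 1) { $findings += "Multiple IP-enabled adapters: $($nics.Count)" }
    if ($ipv4.Count -gt 1) { $findings += "Multiple IPv4 addresses: $($ipv4 -join ', ')" }

    # Report which DNS server the DC itself queries first; it should be this DC
    # (or 127.0.0.1) or another DC, never an ISP or router address.
    foreach ($n in $nics) {
        $dns = @($n.DNSServerSearchOrder)
        if ($dns.Count -gt 0 -and $dns[0] -ne '127.0.0.1' -and $ipv4 -notcontains $dns[0]) {
            $findings += "$($n.Description): first DNS server is $($dns[0]), not this DC; confirm it is another DC"
        }
    }

    # Routing and Remote Access (service name RemoteAccess) running on a DC.
    $rras = Get-Service RemoteAccess -ErrorAction SilentlyContinue
    if ($rras -and $rras.Status -eq 'Running') { $findings += 'RRAS (RemoteAccess) service is running' }

    # IP routing (Tcpip\Parameters IPEnableRouter=1) and WINS proxy (NetBT\Parameters EnableProxy=1).
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    if ($tcp.IPEnableRouter -eq 1) { $findings += 'IP routing is enabled (IPEnableRouter=1)' }
    $nbt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    if ($nbt.EnableProxy -eq 1) { $findings += 'WINS proxy is enabled (EnableProxy=1)' }

    # iSCSI initiator service (MSiSCSI) active on the DC.
    $iscsi = Get-Service MSiSCSI -ErrorAction SilentlyContinue
    if ($iscsi -and $iscsi.Status -eq 'Running') { $findings += 'iSCSI initiator service is running' }

    if ($findings.Count -eq 0) { $findings += 'No multihoming indicators found.' }
    $findings
}

Test-DcDnsConfig

# The second thing asked for above: recent errors from the DNS Server log.
Get-EventLog -LogName 'DNS Server' -EntryType Error -Newest 20 |
    Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize -Wrap
```

Pair the output with `ipconfig /all` when posting back; the findings list is a starting point, not proof that a given setting is the cause.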
-
Thursday, July 19, 2012 10:23 PM
We are not interested in further trouble-shooting. We have been on this for 3 weeks. This isn't a multihomed server, it's not a RRAS server, we don't use WINS or WINS proxy and I've never heard of iSCSI. We have been thru everything. This includes resetting the entire DNS database file and re-populating it. After we pulled this DNS server from rotation everything went back to normal. We know it's the DNS service. What we are going to do is pull in a new DNS service to run with this server's AD DS system. Once we know the new DNS server is working correctly we will uninstall this DNS Server. At a later time we will either attempt to reinstall the DNS Service on the AD DS system or we will remove this AD DS system completely and flatten the machine for a rebuild.
I just need to be sure we can separate the DNS service from the AD DS system.
Owner, Quilnet Solutions
-
Friday, July 20, 2012 2:24 AM
Yes, you can.
I/we are offering to assist to troubleshoot it, but I understand if you don't want to take it further.
Another option is to simply just zone transfer it over to the other server as you're doing, but taking it further, since you believe DNS on the DC is corrupted, then uninstall DNS off the DC, restart, then reinstall it, zone transfer it back, then change the zone to AD integrated.
Please let us know how things work out afterwards, whichever method you use.
Ace Fekay
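The zone move described in the original post and the round trip suggested in the reply above, as an added example scripted with dnscmd.exe (built into Windows Server 2008 R2). This is not code from the thread; the zone name, server names and addresses are assumed.

```powershell
# Added example, not from the thread: move the zone SERVER1 -> SERVER2, then
# optionally bring it back as AD-integrated. Names/addresses below are assumed.
$Zone      = 'corp.example.com'   # assumed zone name
$Server1   = 'SERVER1'            # DC holding the AD-integrated zone today
$Server1Ip = '192.0.2.10'         # assumed
$Server2   = 'SERVER2'            # member server with only the DNS Server role
$Server2Ip = '192.0.2.20'         # assumed

# 1. On SERVER1, permit zone transfers to SERVER2 only. Transfers open to any
#    host let anyone on the network enumerate every name and address in the zone.
dnscmd.exe $Server1 /ZoneResetSecondaries $Zone /SecureList $Server2Ip

# 2. On SERVER2, create the zone as a secondary that pulls from SERVER1, force a
#    transfer, and confirm both SOA serials match before going further.
dnscmd.exe $Server2 /ZoneAdd $Zone /Secondary $Server1Ip
dnscmd.exe $Server2 /ZoneRefresh $Zone
nslookup.exe -type=SOA $Zone $Server1Ip
nslookup.exe -type=SOA $Zone $Server2Ip

# 3. Convert SERVER2's copy to a standard (file-backed) primary. Caveat: only an
#    AD-integrated zone supports *secure* dynamic updates, so this primary must
#    either refuse updates (AllowUpdate 0, used here) or accept unauthenticated
#    ones (AllowUpdate 1), which lets any host overwrite records. With updates
#    refused, the DC's SRV records that Netlogon registers are not refreshed.
dnscmd.exe $Server2 /ZoneResetType $Zone /Primary /file "$Zone.dns"
dnscmd.exe $Server2 /Config $Zone /AllowUpdate 0

# 4. Repoint clients (DHCP option 006 and static hosts) at SERVER2. Then, on
#    SERVER1 itself, remove the DNS Server role and restart.
Import-Module ServerManager
Remove-WindowsFeature DNS

# Round trip: after DNS is reinstalled on SERVER1, pull the zone back as a
# secondary and switch it to AD-integrated so secure dynamic updates and
# replication to other DCs are restored. (If the reinstall reloads the old
# AD-integrated copy from the directory partition, skip the ZoneAdd.)
dnscmd.exe $Server1 /ZoneAdd $Zone /Secondary $Server2Ip
dnscmd.exe $Server1 /ZoneRefresh $Zone
dnscmd.exe $Server1 /ZoneResetType $Zone /DsPrimary
dnscmd.exe $Server1 /Config $Zone /AllowUpdate 2
```

dnscmd.exe targets the named server remotely, so steps 1 to 3 can run from one admin workstation; Remove-WindowsFeature acts on the local machine only.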
-
Friday, July 20, 2012 2:51 AM
That is the plan. We already transferred the zone to the newly created DNS server and already uninstalled the DNS service from the AD server. We are going to hold for a few days to be sure everything else continues to work before we reinstall DNS. If reinstalling DNS doesn't work, I've been authorized to flatten the machine. I'll let you know what the results are next week.
Owner, Quilnet Solutions
-
Friday, July 20, 2012 4:30 AM
Looking forward to your results.
Ace Fekay
-
Monday, July 23, 2012 1:31 PM
We re-installed DNS services on the AD server and have been running it for 2 days now. The issue isn't resolved BUT it's not as bad as it was. I'm probably restarting DNS about once a day instead of 4 times an hour. We will probably rebuild this system next month.
Owner, Quilnet Solutions
-
Tuesday, July 24, 2012 1:35 AM
Thank you for the update. Interesting this is still occurring. Apparently there must be a corrupted or modified system DLL.
If interested in pursuing this possibility, you can run the System File Checker.
How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833
Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)
http://support.microsoft.com/kb/310747
Ace Fekay
-
Tuesday, July 24, 2012 1:42 AM
Yeah, we thought of that over the weekend and ran an SFC. It didn't come up with anything though. We think the problem lies in a registry setting.
I got word earlier today that before this system was given to me for AD DS, it was used in another department for RRAS. RRAS was removed from the system prior to my department receiving it but the OS wasn't wiped. I'm wondering if MAYBE there is a registry setting that got set when RRAS was on it that wasn't reverted when RRAS was removed.
The only problem with my theory however is that this system has been running AD DS without problems for 9 months. The issue only recently surfaced.
Now that I have a backup DNS that I can use in the event of a problem, we can probably do more TS if you have more for me.
Owner, Quilnet Solutions
-
Tuesday, July 24, 2012 2:17 AM
Maybe a TCP reset? Have you done that?
Basically, it's:
netsh int ip reset logfile.txt
Then restart.
How to reset "Internet Protocol (TCP/IP)" in Windows Server 2003
http://support.microsoft.com/kb/317518
Or use the Mr.FixIt script in the following KB:
How to reset Internet Protocol (TCP/IP)
http://support.microsoft.com/kb/299357
One more thing, if RRAS was installed, and there was a RRAS filter in conjunction with a corrupted reg key, that could cause it, too. If the above doesn't help, then take a look at resetting the Winsock, since it's a DC:
netsh winsock reset
And this article gives you all the TCP registry keys to delete and reset. It's pretty comprehensive.
How to remove and reinstall TCP/IP on a Windows Server 2003 domain controller
http://support.microsoft.com/kb/325356
More info on the above:
Technet thread: RRAS doesn't start. Error 8007042a. EventID 20103
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/14c70bd9-3db8-4cae-b63f-361df4b7b939
Ace Fekay
-
Tuesday, July 24, 2012 8:46 PM
No, we haven't tried that yet. I'm going to wait until the issue occurs again as I don't want to "stir the pot" until we really need to. I'll let you know what the results are when we run it.
Owner, Quilnet Solutions
-
Wednesday, July 25, 2012 3:45 AM
Sounds good.
Ace Fekay
-
Thursday, July 26, 2012 3:21 AM
We are trying the TCP/IP reset. I'll let you know the results. I didn't reset Winsock just yet. I'm gonna wait and see if the TCP/IP reset does anything first.
Owner, Quilnet Solutions
-
Thursday, July 26, 2012 6:00 AM
And the plot thickens...
Ace Fekay
-
Thursday, July 26, 2012 4:13 PM
Ok so, we did the Winsock reset when the TCP/IP reset failed. Restarting the server after running netsh winsock reset now has the DNS service stopped. When attempting to manually restart the DNS service I get "An address incompatible with the requested protocol was used." I also receive this error when looking at DHCP. What's interesting is that the server still has an internet connection even when it's using itself as the only DNS source.
I'm not familiar with this error message so hopefully you have something. I thought maybe I needed to reset the interfaces in DNS but without having the service running I cannot access the Interfaces page on the DNS settings.
Owner, Quilnet Solutions
-
Thursday, July 26, 2012 4:27 PM
That's under an Event ID 7023, right? Let's re-run netsh winsock reset, then reboot.
Ref:
Scroll down or search for the string to "an address "
http://eventid.net/display-eventid-7023-source-Service%20Control%20Manager-eventno-345-phase-1.htm
Could not start the windows firewall/internet
http://www.techspot.com/community/topics/could-not-start-the-windows-firewall-internet.16323/
Ace Fekay
-
Thursday, July 26, 2012 9:20 PM
To confirm, netsh winsock reset is what caused the "An address incompatible with the requested protocol was used." error. Are you saying you want me to run it a second time?
Owner, Quilnet Solutions
-
Thursday, July 26, 2012 9:44 PM
So, we ran the netsh winsock reset command a second time and rebooted and we are getting the same result. One of the other IT guys said "Hey, let's uninstall and reinstall DNS" so we tried that. Uninstalled ok, restarted, but when we attempted to reinstall DNS we got the following failure code: 0x80070643.
Owner, Quilnet Solutions
-
Thursday, July 26, 2012 10:07 PM
I saw your other post before it was deleted. I was suggesting to retry it. I see you did. At least now with this error, we are getting closer to whatever is going on. See if this helps - applies to 2003, too.
Error code when you try to install the DNS server role if all network adapters are disabled or unplugged on a computer that is running Windows Server 2008: "0x80070643"
http://support.microsoft.com/kb/975654
Thread: "Attempt to install DNS Server failed with error code 0x80070643. Fatal error during installation"
http://social.technet.microsoft.com/Forums/en/winservergen/thread/17198d26-7ffb-4214-9d9f-f8e1e2818e14
Ace Fekay
-
Thursday, July 26, 2012 10:23 PM
I was already ahead of you but when I ran the pkgmgr I got error code 0x80070643.
Owner, Quilnet Solutions
-
Thursday, July 26, 2012 11:54 PM
I'm being told we are not pursuing this issue further. They don't want to spend any more resources on this since we've hit the 4 week mark. They are reverting the server state back two days and are going to install a temporary server to host what this server hosts, then wipe and reload.
Owner, Quilnet Solutions
-
Friday, July 27, 2012 12:46 AM
Sorry to hear that. But since this is a DC, you don't want to do a revert, assuming you're referring to the virtualization revert feature and not a true System State restore, or you will introduce another complexity.
Check out this thread where a guy did just that and is now beleaguered with a USN rollback and an unusable DC.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/209bc176-2213-4db0-a561-28c8c9d9a6bf/
Ace Fekay

