Re: Add a new DC to a new branch




Thanks a lot Jorge for such a detailed procedure.

If you can, avoid using your router as DHCP server, because the DHCP server
can be used to register and update the pointer (PTR) and host (A) resource
records on behalf of its DHCP-enabled clients, and if you use the router
this can't be done. Take a look at:
Using DNS servers with DHCP
http://technet2.microsoft.com/WindowsServer/en/Library/179d4f6c-9482-4dac-8f03-74bd78b7d2631033.mspx

Yes, I removed the DHCP server from my router and configured the DC/DNS
server on the main site as a DHCP server. I read that the DHCP server on a DC
should be a member of the DnsUpdateProxy security group, but when I try to add my
DC to this group, it cannot recognize the DC object. Is there any catch here?
I created a user for DNS dynamic update registration. What group should
this user be a member of? Or can it be just a regular user?

When I replicate AD and DNS, does the DHCP get replicated to the other site's
DHCP server, which is also a DC/DNS server? I guess since each DHCP server
handles its own scope, this would not be the case. Please confirm.

4 - If you can, rebuild the Dns on DC main Site:

*run on command prompt:
ipconfig /flushdns
dnscmd /clearcache
nbtstat -R
nbtstat -R
arp -d

* Delete the forward zone and the reverse lookup zone.
* Go to %systemroot%\system32\dns and delete any old zone that you may have
there.
* Delete the files netlogon.dnb and netlogon.dns from
%systemroot%\system32\config.
* Create the forward lookup zone and the reverse lookup zone; make them AD
integrated, and for security purposes make sure that the zones only accept
secure-only updates.
* Restart the netlogon service, confirm the creation of the files
netlogon.dnb and netlogon.dns on %systemroot%\system32\config.
* Run ipconfig /registerdns
* Run netdiag /fix
* Make sure that the zones that you created are configured to replicate
among domain controllers in your domain.


I did all the above steps to rebuild DNS and all seemed fine.


STEP 2 - SITE 2

On the DC on SITE2


1 - Convert the Dns zones from AD integrated to Primary Zone.

*run on command prompt:
ipconfig /flushdns
dnscmd /clearcache
nbtstat -R
nbtstat -R
arp -d

* Go to %systemroot%\system32\dns and delete any zone that you may have
there.
* Delete the files netlogon.dnb and netlogon.dns from
%systemroot%\system32\config.
* Point the primary DNS server to the MAIN SITE DC - 192.168.1.100.
* Point the secondary DNS server to itself - 192.168.2.100.
* Restart the netlogon service, confirm the creation of the files
netlogon.dnb and netlogon.dns on %systemroot%\system32\config.
* Run ipconfig /registerdns
* Run netdiag /fix
* Confirm the creation of the records on the MAIN SITE DC.

2 - use repadmin to replicate:
repadmin /syncall /A /e /P




I did all these on my DC on SITE 2. Why should the zones on this DC be
converted to Primary Zone from AD Integrated? When I did this, the AD
Integrated zones on the MAIN DC disappeared. I believe they will appear as Primary
Zones on the Main Site DC. Should these zones not be AD Integrated?



You can Install the server using IFM on SITE2

How to use the Install from Media feature to promote Windows Server
2003-based domain controllers

http://support.microsoft.com/?id=311078


I read in MS documentation that in order to promote a server from media,
the forest level should be raised to Windows Server 2003. Is that required,
even when I promoted the DC on the MAIN site and then moved it to the remote site? I
have a Windows 2000 forest level and 2000 Mixed domain level.


My main problem was a firewall blocking traffic between the two sites, in
addition to DNS configuration issues. I opened that up and AD replication and
all worked fine.

Regarding my remote site server not booting up and hanging at "Preparing
Network Connections", I was able to boot by removing the network cable and
fixing the DNS problems on this server. I was not able to boot in Directory
Services Restore Mode. Can you point me to some resources on how to go about
doing that? I do not get any options for selecting the OS on boot, nor F8
options. Any ideas?

I often see errors in the event log and sometimes cannot get rid of their cause.
Are there any tools to do a health check of AD, DNS, etc. other than DCDiag?

It's been a while and my MAIN DC zones are still missing. Should the zones on
the Site 2 DC be primary? I thought they all should be AD Integrated. I am still
waiting for this to replicate to the MAIN DC. Any comments?

Thanks
Manoj

"Jorge Silva" wrote:

CHECK - INLINE

STEP 1 - MAIN SITE

Main Site 1 has 1 DC - 198.168.1.100, running Windows 2003 SP1, network
192.168.1.0
domain functional level is Windows 2000 mixed
forest functional level is Windows 2000.
DC is also the DNS server
A Cisco router serves as DHCP server

If you can, avoid using your router as DHCP server, because the DHCP server
can be used to register and update the pointer (PTR) and host (A) resource
records on behalf of its DHCP-enabled clients, and if you use the router
this can't be done. Take a look at:
Using DNS servers with DHCP
http://technet2.microsoft.com/WindowsServer/en/Library/179d4f6c-9482-4dac-8f03-74bd78b7d2631033.mspx

1 - Make sure that every domain controller has its DNS properties under NIC
configuration pointing to itself. (If DC IP Address is 10.0.0.1 then Dns
should be 10.0.0.1).



2 - Make sure that your clients only use their local DNS server in this case
the server is 198.168.1.100.


3 - Go to the Active Directory Sites and Services and make sure that the
sites have their corresponding subnets associated and respective servers in
place. Don't forget that you should have a GC per site.

4 - If you can, rebuild the Dns on DC main Site:

*run on command prompt:
ipconfig /flushdns
dnscmd /clearcache
nbtstat -R
nbtstat -R
arp -d

* Delete the forward zone and the reverse lookup zone.
* Go to %systemroot%\system32\dns and delete any old zone that you may have
there.
* Delete the files netlogon.dnb and netlogon.dns from
%systemroot%\system32\config.
* Create the forward lookup zone and the reverse lookup zone; make them AD
integrated, and for security purposes make sure that the zones only accept
secure-only updates.
* Restart the netlogon service, confirm the creation of the files
netlogon.dnb and netlogon.dns on %systemroot%\system32\config.
* Run ipconfig /registerdns
* Run netdiag /fix
* Make sure that the zones that you created are configured to replicate
among domain controllers in your domain.

STEP 2 - SITE 2

On the DC on SITE2


1 - Convert the Dns zones from AD integrated to Primary Zone.

*run on command prompt:
ipconfig /flushdns
dnscmd /clearcache
nbtstat -R
nbtstat -R
arp -d

* Go to %systemroot%\system32\dns and delete any zone that you may have
there.
* Delete the files netlogon.dnb and netlogon.dns from
%systemroot%\system32\config.
* Point the primary DNS server to the MAIN SITE DC - 192.168.1.100.
* Point the secondary DNS server to itself - 192.168.2.100.
* Restart the netlogon service, confirm the creation of the files
netlogon.dnb and netlogon.dns on %systemroot%\system32\config.
* Run ipconfig /registerdns
* Run netdiag /fix
* Confirm the creation of the records on the MAIN SITE DC.

2 - use repadmin to replicate:
repadmin /syncall /A /e /P



3 - Wait a while for replication.



4 - Check if the DNS zone has already been transferred. If yes, then make the
primary DNS server 192.168.2.100.


5 - Make sure that your clients only use their local DNS server in this case
the server is 198.168.1.100.

6 - Check for replicated objects:

Repadmin /REPLSUM /BYSRC /BYDEST /SORT:DELTA


---------------------------------------------------------------------------------------------------------------


If you're going to remove the old server, don't forget to remove the failed
DC from the AD database on the MAIN SITE DC.


- Remove all references to that Dc on AD database (Metadata cleanup).



- Remove any Dns references to the Dc.



- Verify that FRS member objects (FRS and DFS) are removed, and remove them
if they are present.



- If necessary seize any left Op Master roles that were hosted by that Dc.



- If the domain controller that you are demoting is a DNS server or global
catalog server, you must create a new GC or DNS server to satisfy load
balancing, fault tolerance, and configuration settings in the forest.



- When you use the remove selected server command in NTDSUTIL, the NTDSDSA
object, the parent object for incoming connections to the domain controller
that you forcibly demoted, is removed. The command does not remove the parent
server objects that appear in the Sites and Services snap-in. Use the Active
Directory Sites and Services MMC snap-in to remove the server object if the
domain controller will not be promoted into the forest with the same
computer name.



Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

http://support.microsoft.com/kb/255504/



Overview of Active Directory Objects That Are Used by FRS

http://support.microsoft.com/kb/296183/



Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/332199

How to remove data in Active Directory after an unsuccessful domain
controller demotion

http://support.microsoft.com/?scid=kb%3Ben-us%3B216498&x=6&y=11#XSLTH3140121122120121120120



You can Install the server using IFM on SITE2

How to use the Install from Media feature to promote Windows Server
2003-based domain controllers

http://support.microsoft.com/?id=311078



--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
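The thread keeps coming back to two zone settings: whether a zone is AD integrated and whether it accepts secure-only dynamic updates (Jorge's step 4 on the main site, and Manoj's repeated question about the Site 2 zones). The script below is an added example, not code from either poster: it parses the "key = value" lines printed by `dnscmd <server> /zoneinfo <zone>` and reports a zone that is file-backed or still accepts nonsecure updates. The sample output is constructed, and the field names and numeric meanings (zone type 1 = primary, update 1 = nonsecure and secure, 2 = secure only, DS integrated 1 = stored in AD) are assumptions taken from the dnscmd documentation; `audit_live` is a hypothetical wrapper for running it against a real server.

```python
"""Audit dnscmd /zoneinfo output for the two settings discussed in the thread:
is the zone AD integrated, and does it accept only secure dynamic updates?

Added example, not from the original thread. Field names and numeric values
are assumptions taken from the dnscmd documentation:
  zone type      0=cache 1=primary 2=secondary 3=stub 4=forwarder
  update         0=none  1=nonsecure and secure  2=secure only
  DS integrated  1=stored in Active Directory, 0=file-backed
"""
import re
import subprocess

ZONE_TYPES = {0: "cache", 1: "primary", 2: "secondary", 3: "stub", 4: "forwarder"}
UPDATE_MODES = {0: "none", 1: "nonsecure and secure", 2: "secure only"}

# Constructed sample: a file-backed primary zone that was left accepting
# nonsecure updates, the combination the thread advises against.
SAMPLE_ZONEINFO = """\
Zone query result:

Zone info:
        ptr                            = 00000000000E7450
        zone name                      = example.local
        zone type                      = 1
        shutdown                       = 0
        paused                         = 0
        update                         = 1
        DS integrated                  = 0
        read only zone                 = 0
        data file                      = example.local.dns
        using WINS                     = 0
        using Nbstat                   = 0
        aging                          = 0
Command completed successfully.
"""

# Matches the indented "key = value" lines; keys may contain spaces.
_FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z ]*?)\s+=\s+(?P<val>.+?)\s*$")


def parse_zoneinfo(text):
    """Turn the 'key = value' lines into a dict; purely numeric values become ints."""
    info = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val")
        info[key] = int(val) if val.isdigit() else val
    return info


def audit_zone(info):
    """Return a list of findings; an empty list means the zone matches the
    thread's recommendation (AD integrated primary zone, secure-only updates)."""
    findings = []
    name = info.get("zone name", "<unknown>")
    ztype = info.get("zone type")
    update = info.get("update")
    ds = info.get("DS integrated")
    if ztype != 1:
        findings.append("%s: zone type is %s, not primary" % (name, ZONE_TYPES.get(ztype, ztype)))
        return findings  # secondary/stub zones do not take dynamic updates at all
    if ds != 1:
        findings.append("%s: primary zone is file-backed, not AD integrated" % name)
    if update == 1:
        findings.append("%s: accepts nonsecure dynamic updates (any host can add or overwrite records)" % name)
    elif update == 0:
        findings.append("%s: dynamic updates disabled; clients and DHCP cannot register" % name)
    return findings


def audit_live(server, zone):
    """Hypothetical wrapper: run dnscmd on a real DNS server (Windows only) and audit it."""
    out = subprocess.run(["dnscmd", server, "/zoneinfo", zone],
                         capture_output=True, text=True, check=True).stdout
    return audit_zone(parse_zoneinfo(out))


if __name__ == "__main__":
    for finding in audit_zone(parse_zoneinfo(SAMPLE_ZONEINFO)) or ["no findings"]:
        print(finding)
```

Run it once per zone on each DC after the rebuild steps; a zone that was converted to a plain primary zone on Site 2 shows up as "file-backed, not AD integrated", which is exactly the state Manoj is asking about.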





