Verifying DNS Configuration
DNS testing is one of the most important steps in preparing a server for promotion. Any undetected error in the DNS configuration may result in an inoperable domain controller. The following DNS-related faults are possible:
■ The computer has no settings for the preferred DNS server.
■ The specified DNS server does not host the specified authoritative zone (domain name).
■ The authoritative zone exists, but is not updatable.
Microsoft has done a great job in extending the initial functionality of the DCdiag and NetDiag utilities from the Support Tools to allow an administrator to verify the DNS configuration in a few seconds. (For a Windows 2000 environment, you can download updated versions from the Microsoft website. For additional information on these tools, see Chapter 10, "Diagnosing and Maintaining Domain Controllers" and Chapter 11, "Verifying Network and Distributed Services.")
A further step has been taken in the Windows .NET Server family: the Active Directory Installation Wizard diagnoses DNS-related and forest configuration issues and stops server promotion if any problems exist. Nevertheless, you can use the DCdiag and NetDiag utilities on computers running Windows .NET, too.
Important: All tests described below verify DNS only; connectivity with existing domain controllers is not checked. The Active Directory Installation Wizard verifies both DNS and connectivity (including authentication) issues.
If a preferred DNS server's IP address is not specified on the tested computer in the TCP/IP Properties window, the dcdiag /test:DcPromo or dcdiag /test:RegisterInDNS command outputs a message with the error 9852, which means "No DNS servers configured for local system."
The following command reports that you can safely create an additional domain controller in an existing Windows 2000 or Windows .NET domain (net.dom in this example):
C:\>dcdiag /test:DcPromo /DnsDomain:net.dom /ReplicaDC
Starting test: DcPromo
The DNS configuration is sufficient to allow this computer to be promoted as a replica domain controller in the net.dom domain.
DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller Locator records in DNS.
The DNS configuration is sufficient to allow this computer to dynamically register the A record corresponding to its DNS name.
netdc4 passed test DcPromo
In such a case, you can begin to promote the server. (For compactness, some lines are skipped in this output. When the Windows 2000 version of the tool is used, all tests executed (both successful and failed) end with the same "passed test" line. The Windows .NET version reports results more correctly.)
The following output indicates that the authoritative zone (w2000.dom) exists, but there are no SRV records registered by the existing domain controller(s):
C:\> dcdiag /test:DcPromo /DnsDomain:w2000.dom /ReplicaDC
Starting test: DcPromo
This computer cannot be promoted as a domain controller of the w2000.dom domain. This is because either the DNS SRV record for _ldap._tcp.dc._msdcs.w2000.dom is not registered in DNS, or some zone from the following list of DNS zones doesn't include delegation to its child zone: w2000.dom, dom and the root zone.
Ask your network/DNS administrator to perform the following actions:
To find out why the SRV record for _ldap._tcp.dc._msdcs.w2000.dom is not registered in DNS, run the dcdiag command prompt tool with the command RegisterInDNS on the domain controller that did not perform the registration.
DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller Locator records in DNS.
The DNS configuration is sufficient to allow this computer to dynamically register the A record corresponding to its DNS name.
.........................netdc4 failed test DcPromo
This might be a serious problem: the existing DC for the specified domain could have been promoted incorrectly. Verify the DNS configuration and make that DC reregister all its SRV records, then run DCdiag on it.
In all cases when updating of an authoritative zone is not enabled on the DNS server (or the server does not support dynamic updates), the command output will be similar to the following:
C:\>dcdiag /test:DcPromo /DnsDomain:dotnet.dom /ReplicaDC
Starting test: DcPromo
The DNS configuration is sufficient to allow this computer to be promoted as a replica domain controller in the dotnet.dom domain.
Messages logged below this line indicate whether this domain controller will be able to dynamically register DNS records required for the location of this DC by other devices on the network. If any misconfiguration is detected, it might prevent dynamic DNS registration of some records, but does not prevent successful completion of the Active Directory Installation Wizard. However, we recommend fixing the reported problems now, unless you plan to manually update the DNS database.
This domain controller cannot register domain controller Locator DNS records. This is because either the DNS server with IP address 192.168.1.2 does not support dynamic updates or the zone dotnet.dom is configured to prevent dynamic updates.
Detailed instructions on configuring the DNS server are also displayed; you must follow them. To check whether a zone is updatable, you can also use the command dcdiag /test:RegisterInDNS /DnsDomain:dotnet.dom, which produces similar output.
Other parameters of the dcdiag /test:DcPromo command allow you to test whether you can create a child domain, new tree, or new forest in the current domain structure. The command's messages are clear, and it is not necessary to place them all here.
If the preferred DNS server is specified incorrectly or is not accessible, or if the authoritative zone is not configured on that server, the following command discovers the problem and tells you what to do:
C:\>dcdiag /test:RegisterInDNS /DnsDomain:net2.dom
Starting test: RegisterInDNS
Please verify that the network connections of this computer are configured with correct IP addresses of the DNS servers to be used for name resolution. If the DNS resolver is configured with its own IP address and the DNS server is not running locally, the DcPromo will be able to install and configure local DNS server, but it will be isolated from the existing DNS infrastructure (if any). To prevent this, either configure local DNS resolver to point to existing DNS server or manually configure the local DNS server (when running) with correct root hints.
If the DNS resolver is configured with its own IP address and the DNS server is not running locally, the Active Directory Installation Wizard can install and configure the local DNS server. However, if this server is not connected to the network during domain controller promotion then admin needs to appropriately configure root hints of the local DNS server after the completion of the domain controller promotion.
DnsUpdateTest returned 1460. The A record test is thus inconclusive.
.........................netdc4 passed test RegisterInDNS
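The checks above rely on reading dcdiag's free-text messages by eye. As an added example (not code from the book or from Microsoft's tools), the PowerShell function below maps the output of dcdiag /test:DcPromo and dcdiag /test:RegisterInDNS onto the three fault classes listed at the start of this section, picks up the 9852 and DnsUpdateTest error codes, and deliberately does not trust the final "passed test" line, for the reason given above about the Windows 2000 build. The function name, the property names and the two sample outputs (assembled from the messages quoted in this section) are this example's own assumptions.

```powershell
# Added example, not code from the book: turn the free-text output of
# "dcdiag /test:DcPromo ..." or "dcdiag /test:RegisterInDNS ..." into a
# structured verdict mapped onto the fault classes listed in the chapter.
# Assumptions: the message strings are the ones the chapter quotes; the
# function and property names are this example's own, not dcdiag's.
function Get-DcPromoDnsVerdict {
    [CmdletBinding()]
    param(
        # Lines of dcdiag output, typically piped in:
        #   dcdiag /test:DcPromo /DnsDomain:net.dom /ReplicaDC | Get-DcPromoDnsVerdict
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$DcdiagOutput
    )
    begin   { $buffer = New-Object System.Collections.Generic.List[string] }
    process { foreach ($line in $DcdiagOutput) { $buffer.Add($line) } }
    end {
        $text     = $buffer -join "`n"
        $findings = New-Object System.Collections.Generic.List[string]

        # Fault 1: no preferred DNS server set in TCP/IP properties (error 9852).
        $noDnsServer = $text -match '\b9852\b|No DNS servers configured for local system'
        if ($noDnsServer) { $findings.Add('No preferred DNS server configured (error 9852)') }

        # Fault 2a: the Locator SRV record of an existing DC is absent (or delegation is broken).
        $srvMissing = $text -match 'SRV record for (_ldap\._tcp\.dc\._msdcs\.\S+?) is not registered in DNS'
        if ($srvMissing) { $findings.Add("Locator record $($Matches[1]) not registered, or zone delegation broken") }

        # Fault 2b: the resolver points at a wrong/unreachable server or one that does not host the zone.
        $resolverBad = $text -match 'verify that the network connections of this computer are configured with correct IP addresses'
        if ($resolverBad) { $findings.Add('Preferred DNS server wrong, unreachable, or not hosting the zone') }

        # Fault 3: the zone exists but dynamic updates are disabled or unsupported.
        $notUpdatable = $text -match 'cannot register domain controller Locator DNS records'
        if ($notUpdatable) { $findings.Add('Zone exists but does not accept dynamic updates') }

        # A non-zero DnsUpdateTest code (1460 is Win32 ERROR_TIMEOUT) leaves the A record test inconclusive.
        $updateCode = 0
        if ($text -match 'DnsUpdateTest returned (\d+)') { $updateCode = [int]$Matches[1] }
        if ($updateCode -ne 0) { $findings.Add("DnsUpdateTest returned $updateCode; A record test inconclusive") }

        # The Windows 2000 build of dcdiag prints "passed test" even after failures,
        # so the readiness flag is derived from the findings, not from this line.
        $summaryFailed = $text -match '\S+ failed test (DcPromo|RegisterInDNS)'

        [pscustomobject]@{
            SummaryLineFailed     = $summaryFailed
            NoDnsServer           = $noDnsServer
            SrvNotRegistered      = $srvMissing
            ResolverMisconfigured = $resolverBad
            ZoneNotUpdatable      = $notUpdatable
            DnsUpdateTestCode     = $updateCode
            # False also when only dynamic-update problems exist: the wizard would
            # still finish, but the chapter recommends fixing them before promotion.
            ReadyForPromotion     = (-not $summaryFailed) -and ($findings.Count -eq 0)
            Findings              = $findings.ToArray()
        }
    }
}

# Constructed samples assembled from the messages the chapter quotes.
$sampleSrvMissing = @'
Starting test: DcPromo
   This computer cannot be promoted as a domain controller of the w2000.dom domain.
   This is because either the DNS SRV record for _ldap._tcp.dc._msdcs.w2000.dom is not registered in DNS,
   or some zone from the following list of DNS zones doesn't include delegation to its child zone: w2000.dom, dom and the root zone.
   ......................... netdc4 failed test DcPromo
'@

$sampleNotUpdatable = @'
Starting test: DcPromo
   The DNS configuration is sufficient to allow this computer to be promoted as a replica domain controller in the dotnet.dom domain.
   This domain controller cannot register domain controller Locator DNS records. This is because either the DNS server
   with IP address 192.168.1.2 does not support dynamic updates or the zone dotnet.dom is configured to prevent dynamic updates.
   ......................... netdc4 passed test DcPromo
'@

$sampleSrvMissing   | Get-DcPromoDnsVerdict | Format-List
$sampleNotUpdatable | Get-DcPromoDnsVerdict | Format-List
```

Because dcdiag writes its report to standard output, the live command can be piped straight into the function, and a pre-promotion script can stop when ReadyForPromotion is false instead of letting the wizard run. The second sample shows why the summary line alone is not enough: it says "passed", yet the zone refuses dynamic updates, which is exactly the case the chapter tells you to fix before continuing.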
Do not forget that you should also test the DNS configuration (registration of the SRV records) after the server promotion has been completed.