
When promoting a server to be a domain controller, the DNS server couldn’t be located

A: When you run DCPromo, it performs several checks to make sure that a suitable Domain Name System (DNS) server is available on the network to handle the new domain controller that is about to be created. If you’re installing the first domain controller in a new forest, and any of the checks fail, DCPromo will offer to install and configure DNS for you on the domain controller as a part of the promotion process. However, if you’re promoting a domain controller into an existing domain, DNS must be up and functional first.

Basic Checks

DCPromo starts by querying your configured DNS server (as listed in the computer’s TCP/IP configuration) to find a zone that matches the domain name you’ve typed into the DCPromo wizard. So, for example, if you attempted to promote a server into the braincore.net domain, DCPromo looks for a DNS zone named braincore.net. DCPromo needs to find an authoritative zone, or one containing an SOA record.

For more information about SOA and other records and how DNS works in general, see Question 21.

If these checks fail but you know you have an appropriate DNS zone, check the following:

• Ensure that the server is configured with the proper DNS IP address

• Ensure that the server can contact its DNS server and resolve other DNS names

• Ensure that the DNS server supports SRV records and is configured to support dynamic DNS (DDNS). AD doesn’t require DDNS, but DCPromo looks for it to determine whether it will be able to create the necessary DNS records.

SRV Record Checks

DCPromo needs to be able to find certain SRV records in DNS. Doing so allows DCPromo to locate a domain controller in the domain to which the new domain controller will belong. In the case of a new domain in an existing forest, DCPromo needs to be able to locate a domain controller in the forest. If the machine on which DCPromo is running isn’t configured to look at a DNS server with the proper records, DCPromo either won’t be able to proceed or will insist that you install DNS first.

Here’s what to check:

• If you’re installing a new domain controller in an existing domain, DCPromo queries the DNS record _ldap._tcp.dc._msdcs.domainname, where domainname is the domain to which the new domain controller will belong.

• If you’re installing the first domain controller in a new child domain, DCPromo queries the DNS record _ldap._tcp.dc._msdcs.parentdomain, where parentdomain is the domain of the new domain’s parent.

• If you’re installing the first domain controller in a new root domain in an existing forest, DCPromo queries the DNS record _ldap._tcp.dc._msdcs.forestroot, where forestroot is the name of the forest root domain.

Finally, make a note of each host name referenced in these SRV records and ensure that a corresponding correct A record exists in the DNS zone. Then make one more check to ensure that the machine running DCPromo can ping each of the hosts listed in an SRV record by using their DNS name. If all of these checks succeed, DCPromo should have no problems with that portion of its checks.
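The SRV, A record and ping checks just described, walked through in one PowerShell function. This is an added example, not part of the original text; it assumes the DnsClient module (Resolve-DnsName, available on Windows Server 2012 and later) and uses the placeholder domain name contoso.example. Pass the target domain, the parent domain, or the forest root name depending on which of the three cases above applies.

```powershell
# Added example: reproduce the SRV -> A record -> ping chain DCPromo depends on.
# Assumes Resolve-DnsName (DnsClient module); contoso.example is a placeholder.
function Test-DcPromoSrvRecords {
    param(
        # Domain whose _ldap._tcp.dc._msdcs record to check: the domain being
        # joined, the parent domain, or the forest root (see the three cases).
        [Parameter(Mandatory)] [string] $DomainName,
        # Optional: query a specific DNS server instead of the client's configured one.
        [string] $DnsServer
    )
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $resolve = @{ Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $resolve.Server = $DnsServer }

    try {
        $srv = Resolve-DnsName -Name $srvName @resolve | Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
        return
    }
    if (-not $srv) { Write-Warning "No SRV records returned for $srvName"; return }

    foreach ($record in $srv) {
        $target = $record.NameTarget
        $result = [ordered]@{ SrvTarget = $target; Port = $record.Port; ARecord = $null; Ping = $false }

        # Each host named in an SRV record needs a matching A record in the zone.
        $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        if ($a) {
            $result.ARecord = ($a.IPAddress -join ',')
            # The machine running DCPromo must also reach the host by its DNS name.
            $result.Ping = Test-Connection -ComputerName $target -Count 1 -Quiet
        }
        [pscustomobject]$result
    }
}

# Example run for a new DC joining an existing domain (placeholder name).
Test-DcPromoSrvRecords -DomainName 'contoso.example' | Format-Table -AutoSize
```

Any row with an empty ARecord or Ping set to False points at the record or host that DCPromo will stumble on.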

DDNS

Ensure that the DNS zones for the domain are configured to support DDNS updates. Although AD can technically function in a non-dynamic zone, assuming that you manually create the large number of required SRV records, DCPromo prefers a DDNS-enabled zone in order to run correctly. On Windows DNS, the dynamic updates option is easy to enable through the properties of the zone. For Windows Server 2003, DDNS is enabled by default for secure updates, as Figure 30.1 shows.

Figure 30.1: Dynamic updates enabled in a DNS zone.

Checking DNS with Network Monitor

One way to see what DCPromo is doing is to use Network Monitor. You can install the version of Network Monitor that comes with Windows, and use it to capture all traffic sent to and from the machine running DCPromo. Run the capture while DCPromo is running; after DCPromo displays an error message, stop the capture. While viewing the capture, use Network Monitor’s filter to display only DNS records, as Figure 30.2 shows.

Figure 30.2: Filtering Network Monitor to show only DNS traffic.

Next, as Figure 30.3 shows, look for a Std Qry entry coming from the machine running DCPromo; Figure 30.3 shows a typical DNS query of the kind DCPromo produces.

Open the packet and look at the Question Section, which is highlighted in Figure 30.3. Doing so will show you which record DCPromo is trying to locate in DNS.

Figure 30.3: A DNS query packet in Network Monitor.

Finally, look for the corresponding Std Qry Resp packet and open it. As Figure 30.4 illustrates, look for the Answer section (highlighted in Figure 30.4; its contents will vary depending on the type of record DCPromo queried). In this example, the response answers a host (A) record query. The Answer section shows the IP address or addresses returned by DNS; DCPromo will generally use the first address listed. Notice that in Figure 30.4, two Resource Records are actually returned; clients will use the first of these.

Figure 30.4: A DNS response packet in Network Monitor.

I’ve often used Network Monitor to troubleshoot DNS problems. Usually, the DNS client was querying a record I wasn’t expecting, getting back a response, and was unable to contact that server. This happens more frequently on a large WAN, where the client is perhaps querying for a forest root domain controller and getting a response for a domain controller located across several WAN links.