DNS Lookup Problem

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Active Directory snap-ins and configuration wizards may display error messages that indicate potential Domain Name System (DNS) lookup problems. The following information can help you resolve such issues.

Note

Before you test whether a particular troubleshooting step resolved an issue, clear the DNS client resolver cache by running the ipconfig /flushdns command on the computer that is attempting to resolve the name, and clear the DNS server's names cache. For more information, see Clear the DNS Server Names Cache (https://go.microsoft.com/fwlink/?LinkId=105909).

Install Windows Support Tools

To obtain the troubleshooting tools for the following procedures, install Windows Support Tools. You can install Windows Support Tools from the product CD or from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=100114).

For more information about how to install Windows Support Tools, see Install Windows Support Tools (https://go.microsoft.com/fwlink/?LinkId=62270).

Which Operation Produced the Error Message?

Review the following list, and determine the operation that produced the error that you are trying to resolve:

  • If you received an error message while using the Active Directory Installation Wizard to attempt to create a child domain, see Child Domain Add Failure.

  • If you received an error message while attempting to replicate a connection using Active Directory Sites and Services, see Replication Failure.

  • If you received an error message while trying to add a computer to a domain, see Add a Domain Member.

  • If you received an error message while performing a different operation, see Other Issues.

Child Domain Add Failure

This error may be related to missing DNS records; a firewall configuration; or, possibly, services that are not available or running on the existing domain controller that is facilitating the promotion request, the DNS server that is being queried, or the server that you are trying to promote.

Note

The text parentFQDN and childFQDN represent the fully qualified domain names (FQDNs) of the parent domain and the child domain, respectively. For example, when you create a child domain named "west" in the contoso.com domain, the parentFQDN is contoso.com and the childFQDN is west.contoso.com.

To troubleshoot this issue, verify the following:

  • The configuration of the existing domain controller

  • The configuration of the server to be promoted

  • DNS records

  • Firewall configuration

Verify the Existing Domain Controller Configuration

The configuration of the domain controller that is facilitating the promotion request can affect whether the request is successful. To determine the identity of the domain controller that is facilitating the promotion request for the new child domain, run the command nltest /dsgetdc:parentFQDN. For example, if you are trying to create a child domain named west.contoso.com, run the command nltest /dsgetdc:contoso.com, and then, on the domain controller that the command returns:

  • Ensure that File and Printer Sharing for Microsoft Networks is enabled on the network adapter. If the existing domain controller has multiple network adapters, ensure that File and Printer Sharing for Microsoft Networks is enabled on the network adapter to which the server you are trying to promote would connect. For additional information, see article 259374 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=105702).

  • Ensure that the Netlogon, TCP/IP NetBIOS Helper, and Server services are running.

  • Ensure that the Netlogon and SYSVOL shares are available. For more information, see Troubleshooting missing SYSVOL and NETLOGON shares on Windows 2000 domain controllers (https://go.microsoft.com/fwlink/?LinkId=105953).

  • Ensure that the host (A) resource record is properly registered, with the correct IP address in the DNS zone and on the DNS server for the parent domain. For more information, see Add a Host (A) Resource Record to a Zone (https://go.microsoft.com/fwlink/?LinkId=105954).

  • If the domain controller is running Windows Server 2003, ensure that the Remote Procedure Call (RPC) service is configured with a Startup Type of Manual but that the Service Status is Started. If you make any changes, restart the domain controller.

  • Ensure that the NTEmulator registry setting is not preventing domain controller promotion. For additional information, see article 284937 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=105955).

If you make corrections to the DNS records or to the configuration of the existing domain controller, you must ensure that those corrections are available and accurate for the server that you are trying to promote.

Verify the Configuration of the Server to Be Promoted

When you take steps to resolve this issue, check the configuration of the server that you are trying to promote. Ensure that this server is able to obtain the information it needs to be promoted.

To verify the configuration of the server to be promoted

  1. Open a command prompt on the server that you are trying to promote, and complete the following steps. To open a command prompt, click Start, click Run, type cmd, and then press ENTER.

  2. At the command prompt, type nltest /dsgetdc:parentFQDN /force, and then press ENTER. If that command does not work, substitute the NetBIOS name of the parent domain for parentFQDN. For example, if the parent domain is contoso.com, the NetBIOS name is likely to be CONTOSO. To determine the NetBIOS name for the domain, you can run the command net config rdr and then review the Workstation domain line of the command output.

  3. At the command prompt, type services.msc, and then press ENTER. Ensure that the TCP/IP NetBIOS Helper and the Workstation services are configured with a Startup Type of Automatic and that the Service Status is Started.

  4. At the command prompt, type ipconfig /flushdns, and then press ENTER.

  5. At the command prompt, type ipconfig /registerdns, and then press ENTER.

  6. Run the Dcpromo test using the dcdiag command. To run this test, type dcdiag /test:dcpromo /dnsdomain:childFQDN /childdomain, and then press ENTER.

    If the Dcpromo test fails, ensure that the Primary DNS Suffix of the computer is parentFQDN. To verify this setting, type sysdm.cpl, and then press ENTER. Click Change, and then click More. Configure the Primary DNS suffix appropriately, and then try the Dcpromo test again.

    If the Dcdiag dcpromo test succeeds, attempt to promote the server again to become a domain controller.

If the configuration of the server that you are trying to promote appears to be correct, continue the troubleshooting process by verifying the DNS records on the DNS server.

Verify DNS Records

When a server is promoted to domain controller of an existing forest, one of the existing domain controllers helps facilitate the promotion. The domain controller that facilitates the promotion is selected based on DNS records. The following DNS resource records must be available to complete a domain controller promotion request:

  • _ldap._tcp.dc._msdcs.parentFQDN service (SRV) resource record or records of the existing domain controllers in the parent Active Directory domain.

  • Host (A) resource records for the domain controllers in the primary DNS suffix zone for the domain controllers of the parent domain.

There are several methods for verifying DNS records. For descriptions of these methods, see the following documents:

Verify Firewall Configuration

If a firewall is enabled on either the domain controller that is facilitating the promotion or the server that you are trying to promote, verify that the firewall is configured appropriately. If there is a firewall between the two servers, check that firewall's configuration as well. You can use the Portqry tool to ensure that the appropriate network ports are open between the existing domain controller and the server that you want to promote to become a domain controller.

For more information about using Portqry, see article 310456 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=111883). For information about configuring Windows Firewall to allow for replication, see article 55381 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=91224).

Replication Failure

The domain controller that is requesting data replication must be able to resolve the following DNS resource records:

  • The current fully qualified alias (CNAME) resource record for the domain controller with which it is trying to replicate

  • The current host (A) resource record as specified in the fully qualified alias (CNAME) resource record for the domain controller with which it is trying to replicate

The fully qualified alias (CNAME) resource record for a domain controller consists of the domain controller's NTDS Settings object globally unique identifier (GUID), the text _msdcs, and the fully qualified domain name of the forest root domain (ForestFQDN). For example, a domain controller in the contoso.com domain with an NTDS Settings GUID of 25457b45-cfea-4b10-8506-518cf8baaeb2 has the following fully qualified alias (CNAME) resource record:

25457b45-cfea-4b10-8506-518cf8baaeb2._msdcs.contoso.com.

The domain controller that is initiating the replication must be able to contact the domain controller from which it is requesting replication at the IP address listed in that domain controller's host (A) resource record.
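The record dependencies described here and under Verify DNS Records (the parent domain's _ldap._tcp.dc._msdcs SRV records and the host (A) records of the domain controllers they name for promotion; a domain controller's GUID._msdcs.ForestFQDN alias and the host (A) record it points at for replication) can be checked mechanically. The following Python script is an added example, not part of this article; its zone contents are constructed sample data and the function names are the example's own.

```python
"""Check that the DNS records Active Directory needs are present.
Added example, not part of the original article. SAMPLE_ZONE is constructed
data; populate it from nslookup output or the DNS console for real zones."""

def normalize(name):
    """Lowercase a DNS name and give it exactly one trailing dot."""
    return name.rstrip(".").lower() + "."

# Record type -> set of (owner name, value); SRV and CNAME values are host names.
SAMPLE_ZONE = {
    "SRV": {("_ldap._tcp.dc._msdcs.contoso.com.", "dc1.contoso.com.")},
    "A": {("dc1.contoso.com.", "10.0.0.10")},
    "CNAME": {("25457b45-cfea-4b10-8506-518cf8baaeb2._msdcs.contoso.com.", "dc1.contoso.com.")},
}

def lookup(zone, rtype, owner):
    """Return the values of every rtype record whose owner name matches."""
    owner = normalize(owner)
    return sorted(v for o, v in zone.get(rtype, ()) if normalize(o) == owner)

def check_promotion_records(zone, parent_fqdn):
    """Records a child-domain promotion needs: the _ldap._tcp.dc._msdcs SRV
    record(s) of the parent domain's DCs, plus a host (A) record for each DC
    those SRV records name. Returns a list of problems (empty means OK)."""
    problems = []
    srv_targets = lookup(zone, "SRV", "_ldap._tcp.dc._msdcs." + parent_fqdn)
    if not srv_targets:
        problems.append("missing SRV _ldap._tcp.dc._msdcs." + parent_fqdn)
    for target in srv_targets:
        if not lookup(zone, "A", target):
            problems.append("missing A record for DC " + target)
    return problems

def dc_cname(ntds_guid, forest_fqdn):
    """Alias a DC is found by for replication: NTDS-Settings-GUID._msdcs.ForestFQDN."""
    return normalize("%s._msdcs.%s" % (ntds_guid, forest_fqdn))

def check_replication_records(zone, ntds_guid, forest_fqdn):
    """A replicating DC resolves the partner's CNAME, then the A record the
    CNAME points at; both must exist. Returns a list of problems."""
    alias = dc_cname(ntds_guid, forest_fqdn)
    hosts = lookup(zone, "CNAME", alias)
    if not hosts:
        return ["missing CNAME " + alias]
    return ["CNAME %s points at %s, which has no A record" % (alias, h)
            for h in hosts if not lookup(zone, "A", h)]
```

Any non-empty result names a record to create or correct on the authoritative DNS server before retrying the promotion or replication.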

Note

Ensure that you are using an account that has membership in the Enterprise Admins group or an account that is delegated the equivalent permissions when you try to replicate Active Directory data between different domains.

For troubleshooting information, see the following documents:

If you discover that DNS records are incorrect or missing, you can:

  • Run the command ipconfig /registerdns to register the host (A) resource record of a computer with its configured DNS server.

  • Register the service (SRV) resource records for the domain controller. For instructions, see article 556006 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=105958).

  • Manually create the missing records on the authoritative DNS servers for the domain. For instructions, see Manage Resource Records (https://go.microsoft.com/fwlink/?LinkId=105960).

If you discover that some DNS servers are not able to resolve the host names of domain controllers with which they need to replicate in other domains, see Using Forwarding (https://go.microsoft.com/fwlink/?LinkId=105966).

If you make corrections to the DNS records or configuration of the domain controller receiving the replication request, ensure that those corrections are available and accurate for the domain controller initiating replication.

Add a Domain Member

If you received this error message while attempting to add a computer to the domain, the computer that you are trying to add is not able to locate an appropriate domain controller. Verify that the computer you are trying to join to the domain has the appropriate DNS client configuration. You can run the ipconfig /all command from a command prompt to confirm that the IP address, subnet mask, gateway, and preferred and alternate DNS server entries are correct for the network. For additional steps for verifying the DNS client configuration, see Verifying Computer Settings for Domain Name System (https://go.microsoft.com/fwlink/?LinkId=132501).

If you determine that the DNS client settings are correct, ensure that the domain records are registered properly with DNS. For specific steps, see Verifying Computer Settings for Domain Name System (https://go.microsoft.com/fwlink/?LinkID=132501) and Solving Dynamic Update and Secure Dynamic Update Problems (https://go.microsoft.com/fwlink/?LinkId=132575).

If it appears that there are issues with the DNS server or registration of the domain records, see Troubleshooting DNS (https://go.microsoft.com/fwlink/?LinkID=48893) to resolve the issues.

Other Issues

If a particular name does not work in a snap-in or wizard the first time that you try it, try both the NetBIOS name and the fully qualified domain name (FQDN). For example, if Contoso.com is the FQDN of your domain and you type Contoso the first time and that fails, try using Contoso.com the second time. The same is true for servers. If you type server1 the first time and that fails, try using server1.contoso.com the second time.

If the information in this document does not resolve your issue, try the following resources:

Additional References