Domain Controller / DNS questions

I have a few questions but first bit of a background of my home lab. A DC (server1), member server (server2) and XP client (client1). So here goes:

1. I want to promote my member server to a second DC and also a secondary DNS server. Should I first give the member server the role of secondary server or dcpromo it first and then make it a secondary server?

2. When I do an ipconfig on server1, the Connection specific DNS suffix field is blank. Is that normal even though I have server1 as the primary DNS server?

3. I keep getting an error "DSRestore Filter could not connect to the local SAM server". I did reset the dsrm password to be the same as the admin password using ntdsutil but the error keeps coming back. Why?

4. I also get this NtpCLient errors saying that this machine is at the root of the domain and there is no machine above it. This server will continue to be the PDC emulator for the domain but there is no reliable time source configured. I do not have this server connected to the internet so there is no external time source to sync with. What should I do to remove this error?

5. Can someone please suggest me a good AV for this server? The only time though this server will be connected to the internet is when I study WSUS.

Help's appreciated!

Find more posts tagged with

Comments

royal

1. It's an AD-integrated zone. All of the servers will have a primary copy. Just DCpromo the second server. Once it's DCpromo'd, install DNS, and AD replication will automatically bring the DNS zone over and populate all the NS records and DNS zone information automatically.

2. Primary DNS Suffix is what is populated when joining a domain, not connection specific suffix.

3. Don't know and no time to look into it right now.

4. You could use another server/workstation to get external time source information and set the Root PDC Emulator to get time from your server/workstation.

5. I really like NOD32. Forefront Client Security is a good file level scanner as well. Be sure to this the following URL for setting up Antivirus Exclusions for a Domain Controller:
http://technet2.microsoft.com/windowsserver/en/library/3c0d26bc-b1bd-4502-a689-da8494d080f11033.mspx?mfr=true

Essendon

Thank you for the quick reply, Elan. Appreciated.

astorrs

Not sure about #2 if you've already re-synced the password.

For #4, make sue you have installed VMware Tools and enabled host time sync on server1.

To remove the error once that is done follow these steps on server1.

[quote=Microsoft TechNet]To configure the PDC emulator to synchronize from its internal hardware clock:

1. Open a Command Prompt.

2. Type the following command and then press ENTER:

w32tm /config /syncfromflags:domhier /reliable:yes /update

3. Type the following command and then press ENTER:

net stop w32time

4. Type the following command and then press ENTER:

net start w32time[/quote]

aordal

When I do an ipconfig on server1, the Connection specific DNS suffix field is blank. Is that normal even though I have server1 as the primary DNS server?

Sounds like you have a static primary DNS server of 127.0.0.1. I know you said your primary dns is set to your AD server but I'd check again.

At least that's what it sounds like

royal

royal wrote:

1. It's an AD-integrated zone. All of the servers will have a primary copy. Just DCpromo the second server. Once it's DCpromo'd, install DNS, and AD replication will automatically bring the DNS zone over and populate all the NS records and DNS zone information automatically.

Oh and just another FYI, when you first bring up the 2nd server and install DNS, it could take somewhere around 30 or so minutes for all this to happen. The reason why is you need to wait 15 minutes for the Knowledge Consistency checker to run and go through the process of setting up all the connection objects. Once those connection objects are created, replication will start going through properly and will then start to bring up a new server.

Considering I am impatient and don't like to wait around for this as I know how to force it, I go into AD Sites and Services and force the KCC to run (check topology). I do this on both servers to make sure the KCC is run. Once I see the connection objects created, I make sure the support tools are installed (you can do this from Sites and Services as well). I then do a repadmin /syncall to force replication. I do this on both servers.

Essendon

aordal wrote:

When I do an ipconfig on server1, the Connection specific DNS suffix field is blank. Is that normal even though I have server1 as the primary DNS server?

Sounds like you have a static primary DNS server of 127.0.0.1. I know you said your primary dns is set to your AD server but I'd check again.

At least that's what it sounds like

No it isnt set to a loopback address, primary DNS is set to the DC address.

And thanks for the other information, Elan!