Troubleshooting Common Active Directory Setup Issues in Windows 2000

Some common issues that you may encounter with Active Directory installation and configuration can cause a partial or complete loss of functionality in Active Directory. These issues may include, but not be limited to:

• Domain Name System (DNS) configuration errors
• Network configuration problems
• Difficulties when you upgrade from Microsoft Windows NT

This article describes how to troubleshoot Active Directory issues by identifying common configuration issues. For more information about any of the issues described in this article, consult the Help system in Windows 2000.

For more information about Active Directory Logical Structure, refer to the following Microsoft web site

Consider the following items when you are investigating Active Directory Setup issues.

Domain Name System (DNS)

You must configure DNS correctly to ensure that Active Directory will function properly. For a more in-depth treatment of DNS configuration for Active Directory, see the following Microsoft Knowledge Base article: Review the following configuration items to ensure that DNS is healthy and that the Active Directory DNS entries will be registered correctly:

• DNS IP configuration
• Active Directory DNS registration
• Dynamic zone updates
• DNS forwarders

DNS IP Configuration

An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP on an Active Directory DNS server must be configured to point to itself to allow the server to register with its own DNS server. To view the current IP configuration, open a command window and type ipconfig /all to display the details. You can modify the DNS configuration by following these steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as follows:
   1. Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if no dedicated DNS server will be configured.
   2. If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the Active Directory DNS domain name should be listed first (at the top of the list).
   3. Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain name.
   4. Verify that the Register this connection's addresses in DNS check box is selected.
5. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type ipconfig /registerdns to register the DNS resource records.

Start the DNS Management console. There should be a host record (an "A" record in Advanced view) for the computer name. There should also be a Start of Authority (SOA in Advanced view) record pointing to the domain controller (DC) as well as a Name Server record (NS in Advanced view).

Active Directory DNS Registration

The Active Directory DNS records must be registering in DNS. The DNS zone can be either a standard primary or an Active Directory-integrated zone. An Active Directory-integrated zone is different from a standard primary zone in several ways. An Active Directory-integrated zone provides the following benefits:

• The Windows 2000 DNS service stores zone data in Active Directory. This causes DNS replication to create multiple masters, and it allows any DNS server to accept updates for a directory service-integrated zone. Using Active Directory integration also reduces the need to maintain a separate DNS zone transfer replication topology.
• Secure dynamic updates are integrated with Windows security. This allows an administrator to precisely control which computers can update which names, and it prevents unauthorized computers from obtaining existing names from DNS.

Use the following steps to ensure that DNS is registering the Active Directory DNS records:

1. Start the DNS Management console.
2. Expand the zone information under the server name.
3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's DNS zone, click Properties, and then verify that Allow Dynamic Updates is set to Yes.
4. Four folders with the following names are present when DNS is correctly registering the Active Directory DNS records. These folders are labeled:
   _msdcs
   _sites
   _tcp
   _udp
   If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS record registration.

To repair the Active Directory DNS record registration:

• Check for the existence of a Root Zone entry. View the Forward Lookup zones in the DNS Management console. There should be an entry for the domain. Other zone entries may exist. There should not be a dot (".") zone. If the dot (".") zone exists, delete the dot (".") zone. The dot (".") zone identifies the DNS server as a root server. Typically, an Active Directory domain that needs external (Internet) access should not be configured as a root DNS server.
  
  The server probably needs to reregister its IP configuration (by using Ipconfig) after you delete the dot ("."). The Netlogon service may also need to be restarted. Further details about this step are listed later in this article.
• Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools. At a command prompt, type netdiag /fix.
  
  To install the Windows 2000 Support tools:
  1. Insert the Windows 2000 CD-ROM.
  2. Browse to Support\Tools.
  3. Run Setup.exe in this folder.
  4. Select a typical installation. The default installation path is Systemdrive:\Program Files\Support Tools.
  After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory DNS records should then be listed.
  
  NOTE: The server may need to reregister its IP configuration (by using Ipconfig) after you run Netdiag. The Netlogon service may also need to be restarted.
  
  If the Active Directory DNS records do not appear, you may need to manually re-create the DNS zone.
  
  
• After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory DNS records should then be listed.Manually re-create the DNS zone:
  1. Start the DNS Management console.
  2. Right-click the name of the zone, and then click Delete.
  3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the deleted zone.
  4. Right-click Forward Lookup Zones, and then click New Zone.
  5. The New Zone Wizard starts. Click Next to continue.
  6. Click the appropriate zone type (either Active Directory-integrated or Standard primary, and then click Next.
  7. Type the name of the zone exactly as it appears in Network Identification, and then click Next.
  8. Click the appropriate zone file, or a new zone file. Click Next, and then click Finish to finish the New Zone Wizard. The newly created zone appears in the DNS Management console.
  9. Right-click the newly created zone, click Properties, and then change Allow Dynamic Updates to Yes.
  10. At a command prompt, type net stop netlogon, and then press ENTER. The Netlogon service is stopped.
  11. Type net start netlogon, and then press ENTER. The Netlogon service is restarted.
  12. Refresh the view in the DNS Management console. The Active Directory DNS records should be listed under the zone.

If the Active Directory DNS records still do not exist, there may be a disjointed DNS namespace. If you suspect that there is a disjointed DNS namespace, see the "Disjointed DNS Namespace" section in this article.

Dynamic Zone Updates

Microsoft recommends that the DNS Lookup zone accept dynamic updates. You can configure this by right-clicking the name of the zone, and then clicking Properties. On the General tab, the Allow Updates setting should be set to Yes, or for an Active Directory-integrated zone, either Yes or Only secure updates. If dynamic updates are not allowed, all host registration must be completed manually.

DNS Forwarders

To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or corporate DNS servers. To configure forwarders on the DNS server:

1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. Click the Forwarders tab.
4. Click to select the Enable Forwarders check box.
   
   NOTE: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone (usually identified by a zone named only with a period, or dot ("."). You must delete this zone to enable the DNS server to forward DNS requests. In a configuration in which the DNS server does not rely on an ISP DNS server or a corporate DNS server, you can use a root zone entry.
5. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server. The list reads from the top down in order; if there is a preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.

For more troubleshooting information about DNS configuration for Active Directory, see the following Microsoft Knowledge Base articles:

Network Configuration

You must configure specific network components properly to ensure proper operation of Active Directory on the network, and to ensure that computers will be able to join the domain.

File and Printer Sharing Must Be Enabled

If the File and Printer Sharing component is disabled on the Windows 2000-based domain controller, error messages occur when attempts are made to join the domain. For more information, see the following Microsoft Knowledge Base article: Note that there are situations in which it is preferable to disable File and Printer Sharing on a Windows 2000-based computer. For example, when a Windows 2000-based computer is accessible over the Internet. In this case, you should disable File and Printer Sharing only on the network adapter that is accessible on the Internet.

NetBIOS over TCP/IP Must Be Enabled for Other Clients

If clients that are not running Windows 2000 (for example, clients that are running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows NT) will participate in the Active Directory domain, they should be able to perform NetBIOS name resolution. NetBIOS name resolution does not work if NetBIOS over TCP/IP is disabled.

Upgrade Installation Considerations

Earlier (Legacy) DNS Server

DNS servers that run Windows NT 4.0 cannot dynamically register the Active Directory DNS records. The best solution in this case is to install DNS on the Active Directory domain controller to ensure that Active Directory DNS records will be registered for the domain.

Disjointed DNS Namespace

You must configure the correct DNS suffix information before you begin a Windows 2000 upgrade installation. You cannot change the server name and DNS domain information after Active Directory is installed.

To configure the DNS suffix information in Windows NT before you upgrade the computer to a Windows 2000-based Active Directory domain controller:

1. Right-click Network Neighborhood, and then click Properties.
2. Click the Protocols tab, click TCP/IP Protocol, and then click Properties.
3. Click the DNS tab.
4. In the Domain box, type the complete Active Directory domain name.
5. Click Apply, and then click OK.
6. Click OK to quit the Network tool.
7. Restart the computer.
8. To verify the settings, open a command window, and then type ipconfig /all. The Host Name line shows the fully qualified domain name.

If you must change the DNS domain information after you install Active Directory, you must run the Dcpromo utility on the computer to remove it from the domain and make it a stand-alone server.

To determine if a disjointed namespace exists on an existing Windows 2000-based domain controller:

1. Right-click My Computer, and then click Properties.
2. Click the Network Identification tab.
3. Compare the DNS suffix section of the full computer name to that of the domain name listing. The full computer name reads as follows: hostname.dns_suffix. These two entries should contain identical suffix information.

If these two entries do not contain identical suffix information, a disjointed DNS namespace exists. This condition prevents proper registration of any Active Directory DNS records.

NOTE: The only supported method to recover from a disjointed namespace is to use Dcpromo to remove the computer from the domain and make it a stand-alone server. You can then correct the DNS namespace information and run Dcpromo again to promote the computer back to a domain controller.

WARNING: Exercise caution if you determine that this process is necessary on an existing Windows 2000-based domain. The process of running Dcpromo to remove the computer from a domain, and then re-creating an Active Directory domain results in a total loss of all the computer account information and user account information for the domain. You must manually re-create all user account information and computer account information after using this process.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base: