Unable to select DNS Server role when adding a domain controller into an existing Active Directory domain

Symptoms

When promoting a Windows Server 2008 or Windows Server 2008 R2 replica domain controller, the option to auto-install the DNS Server role is disabled or grayed out in the Active Directory Installation Wizard (DCPROMO).

Text in the Additional information field states:

DNS cannot be installed on this domain controller because this domain does not host DNS.

A screenshot of this condition is shown below:

 
The %windir%\debug\dcpromoui.log file on the replica domain controller being promoted shows the following: 

 Enter DoesDomainHostDns SLD
dcpromoui A74.A78 046C 14:07:18.800                 Dns_DoesDomainHostDns testing domain name SLD
dcpromoui A74.A78 046D 14:07:19.113                 SOA query returned 9003 so the domain does not host DNS
dcpromoui A74.A78 046E 14:07:19.113                 Dns_DoesDomainHostDns returning false
dcpromoui A74.A78 046F 14:07:19.113                 HRESULT = 0x00000000
dcpromoui A74.A78 0470 14:07:19.113                 The domain does not host DNS.

Cause

  1. A code defect prevents the DNS Server checkbox from being enabled when promoting replica domain controllers into existing domains with single-label DNS names like "contoso" instead of a best-practice fully qualified DNS name like "contoso.com" or "corp.contoso.com". This condition exists even when Microsoft DNS is installed on a domain controller and hosts Active Directory-integrated forward lookup zones for the target domain.

    For more information regarding single label domains, visit the following Microsoft web site:
    Microsoft DNS Namespace Planning Solution Center

    OR

  2. DCPromo checks to see if the DNS zone for the target Active Directory forest is hosted in Active Directory. If the DNS zone for the target domain is not hosted on an existing domain controller in the target forest, DCPROMO does not allow the user to install DNS during the replica promotion.

    The goal of this behavior is to prevent administrators from creating duplicate copies of DNS zones with different replication scopes (i.e. file-based zones on Microsoft or third-party DNS servers and Active Directory-integrated DNS zones on the newly promoted domain controller).
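
The following triage script is an added example, not Microsoft code: it reads dcpromoui.log text, finds each Dns_DoesDomainHostDns check, and maps a failed check to one of the two causes above. The function names and the single-label heuristic are assumptions; the first sample is the excerpt from the Symptoms section and the second is constructed in the same line format.

```python
import re

# Excerpt from the Symptoms section of this article (domain name "SLD").
PAGE_LOG = """\
 Enter DoesDomainHostDns SLD
dcpromoui A74.A78 046C 14:07:18.800                 Dns_DoesDomainHostDns testing domain name SLD
dcpromoui A74.A78 046D 14:07:19.113                 SOA query returned 9003 so the domain does not host DNS
dcpromoui A74.A78 046E 14:07:19.113                 Dns_DoesDomainHostDns returning false
"""
# Constructed sample (not from a real log): same line format, multi-label name.
CONSTRUCTED_LOG = """\
dcpromoui A74.A78 046C 14:07:18.800                 Dns_DoesDomainHostDns testing domain name child.corp.contoso.com
dcpromoui A74.A78 046E 14:07:19.113                 Dns_DoesDomainHostDns returning false
"""

TESTING = re.compile(r"Dns_DoesDomainHostDns testing domain name (\S+)")
SOA_RC = re.compile(r"SOA query returned (\d+)")
RESULT = re.compile(r"Dns_DoesDomainHostDns returning (\w+)")
# 9003 is the Win32 error DNS_ERROR_RCODE_NAME_ERROR (queried name does not exist).
RC_NAMES = {9003: "DNS_ERROR_RCODE_NAME_ERROR"}

def classify(domain, hosts_dns):
    """Map one check to the Cause section. Heuristic: a name without a dot
    is treated as cause 1, although cause 2 can also apply to such a domain."""
    if hosts_dns is not False:
        return "not this issue"
    if "." not in domain.strip("."):
        return "cause 1: single-label DNS domain name"
    return "cause 2: zone for the domain not hosted on a domain controller"

def triage(log_text):
    """Return one finding per Dns_DoesDomainHostDns check in the log text."""
    findings, cur = [], None
    for line in log_text.splitlines():
        if m := TESTING.search(line):
            cur = {"domain": m.group(1), "soa_rc": None, "soa_rc_name": None,
                   "hosts_dns": None, "cause": None}
            findings.append(cur)
        elif cur and (m := SOA_RC.search(line)):
            cur["soa_rc"] = int(m.group(1))
            cur["soa_rc_name"] = RC_NAMES.get(cur["soa_rc"])
        elif cur and (m := RESULT.search(line)):
            # Only "false" appears on this page; any other value is assumed to mean success.
            cur["hosts_dns"] = m.group(1).lower() != "false"
            cur["cause"] = classify(cur["domain"], cur["hosts_dns"])
    return findings

if __name__ == "__main__":
    for finding in triage(PAGE_LOG) + triage(CONSTRUCTED_LOG):
        print(finding)
```
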

Resolution

For the first root cause, continue the promotion and install the DNS Server role after it is promoted.

For the second root cause, the DNS client and server configuration on the replica domain controller being promoted was sufficient to discover a helper domain controller in the target domain, but DCPROMO has determined that the DNS zone for the domain was not Active Directory integrated.

Determine which DNS servers are going to host the zone for your Active Directory domain and what replication scopes those zones will use (Microsoft DNS versus third-party DNS, forest-wide application partition, domain-wide application partition, file-based primary, etc.).

Do not let the inability to auto-install the DNS Server role during DCPROMO block the promotion of Windows Server 2008 replica domain controllers in the domain. Server Manager can be used to install the Microsoft DNS Server role on existing domain controllers, as well as computers functioning as member or workgroup computers. DNS zones and their records can be replicated or copied between DNS servers.

Specific workarounds include:

  1. If the DNS zones exist on DNS servers outside the domain, consider moving the zones to an existing domain controller in the domain that hosts the DNS Server role.

  2. If zone data needs to be moved, configure the Microsoft DNS server to host a secondary copy of the zone, then convert that zone to be a file-based primary, then transition the zone to be Active Directory integrated as required. You can ignore this step if you have no interest in saving the DNS zone data.

  3. Configure the new replica domain controller being promoted to point exclusively to DNS servers hosting Active Directory integrated copies of the zone.

  4. Use the following command to force Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 computers to dynamically register Host A or AAAA records:

    ipconfig /registerdns

  5. Use the following command to force Windows 2000, Windows Server 2003 and Windows Server 2008 domain controllers to dynamically register SRV records:

    net stop netlogon & net start netlogon 

  6. Restart DCPROMO on the replica domain controller.

More Information

 
NOTE:  The following information is MSInternal and should not be shared with customers.

Explanation from Jeff Westhead via email on 2008.10.10.

Installing DNS during DCPROMO auto-creates DNS application partitions

If the first DC in the domain does not host DNS then neither should any replica. The time to decide to re-architect your DNS deployment is not while you are promoting a replica!

Informal testing has shown that AD-integrated DNS may be installed on DCs other than the first DC in the domain and replicas will STILL have the option to install DNS Server role during DCPROMO. <end Arrenc edit>

I don’t believe this is actually a check for a third-party DNS server. This might actually not be stringent enough but it most likely works well most of the time. I believe dcpromo calls Dns_DoesDomainHostDns, which performs a SOA query for the domain name and ensures that the response asserts that the start of authority for the name is the name itself rather than some parent name. This is testing that there is, on some DNS server somewhere in the infrastructure, a DNS zone that exactly matches the name of the domain.

For example, if I am promoting a replica for "child.corp.contoso.com" but the only zone that exists is "corp.contoso.com" then this check will fail and dcpromo will assume that installing DNS on this replica is the wrong thing to do.

What dcpromo is trying to determine is whether or not DNS is required to support AD. If it is not, then dcpromo should not offer the option to install DNS. The admin should be forced to install the DNS server role manually after dcpromo if he intends to run a DNS server on this DC for some purpose that is not related to serving DNS for the Active Directory domain.

Sample Customer Experience:

SRX0808XXXXX495. 19 logs in 7.52 hours of labor. Customer type: Partner. Customer name: <removed>. Case Title: DNS Server option is grayed out during DCPROMO. L7: Customer calls when DCPROMO doesn't give the option to install DNS. L8: EasyAssist. PSS finds customer using single-label DNS domain name. PSS says promote DC and add DNS after the fact.

SRX0809XXXXX240. 6.63 hours in 16 logs. Partner. <customer name removed>. Title: DNS Role cannot be installed. Problem statement IS that checkbox to install DNS cannot be enabled in DCPROMO. PSS says DNS zone for child domain resides on parent domain DNS Servers vs. delegating to DNS Servers in child domain.

Keywords:

gray grey grayed greyed unselected deselected unchecked checked enabled enable disable disabled checkbox check checkmark

Microsoft Internal Support Information

Steps to reproduce:

Using forest root domain CONTOSO.COM:

  1. Install a Windows Server 2008 workgroup computer.

  2. Install the DNS Server role on the Windows Server 2008 workgroup computer.

  3. Create the standard primary forward lookup zone CONTOSO.COM.

  4. Configure the CONTOSO.COM DNS zone to accept secure and non-secure dynamic updates.

  5. Add a host "A" record in the CONTOSO.COM forward lookup zone containing the DNS server's local IP address; otherwise, name resolution will fail.

  6. Configure the DNS server to point to itself for name resolution (Start -> Run -> NCPA.CPL->). Right-click My Computer -> Properties -> Advanced System Settings -> Computer Name tab -> Change button -> More... -> Type "CONTOSO.COM" in the Primary DNS suffix field, otherwise dynamic DNS updates to the CONTOSO.COM DNS zone will fail to register with error 0x000005b4 (ERROR_TIMEOUT).

  7. Reboot the DNS server for the change to the primary DNS suffix to take effect.

  8. Promote a Windows Server 2008 or Windows Server 2008 R2 Domain controller as the first domain controller in a new forest (i.e. PDC in forest root domain).

  9. On the Additional domain controller options page of the Active Directory Domain Services Installation (DCPROMO) Wizard, uncheck DNS Server, which causes the following pop-up warning text to be displayed:

    "You have chosen not to install DNS on this domain controller, so your existing DNS infrastructure will be used. However, if you will want any other domain controllers in this new domain to host DNS, you should install DNS on this first domain controller in the domain. Do you want to continue without installing DNS?"

  10. Complete the promotion of the first domain controller in forest root domain and reboot.

  11. Promote a Windows Server 2008 or Windows Server 2008 R2 replica domain controller into the CONTOSO.COM domain. Start -> Run -> DCPROMO -> Additional DC in existing domain. Note that the checkbox to install DNS Server role is disabled/grayed out. The Additional information box contains the following text:

    "DNS cannot be installed on this domain controller because this domain does not host DNS"

Product Bug Number:
Author ID (email alias): Arren Conner / Arrenc
Writer ID(email alias):
Tech Review ID (email alias):
Confirm Article has been Tech Reviewed: Yes
Confirm Article released for Publishing: Yes
Properties

Article ID: 2002584 - Last reviewed: Sept. 14, 2010 - Revision: 1