Problems Reconfig DNS Server

douglasduke · 2025-02-28T15:25:48.400Z

My primary AD/DC went down after a bad OS upgrade. I promoted my backup DC to primary while I reloaded the OS fresh on the server. I have AD/DS up and running but I’m having trouble getting DNS to work. Every time I try and open DNS from Server Manager on DC2. I get a popup asking what server DNS is running on, and when I click “this server”, I get an access denied error.

This is my first time having to do this with AD/DS and I’m not sure how to get past this issue. FYI- The old PDC is a fresh install and I am unable to add it to the domain because neither server has DNS running. I might have been wrong but does DNS not replicate between servers? If it does, or is upposed to, something went wrong because neither server has a functional DNS server running.

I ran dcdiag commands and the backup (new primary) DC is still trying to replicate and get DNS from the old server that isn’t on the domain or running DNS right now. I have installed AD/DS on the old server, but I’m not sure if I should promote it and set it up since the backup server is running AD. If I set up the old server again, I’m worried that when it replicates, it will wipe out the existing AD.

So my question, how do I set up DNS on the backup server and tell that server to stop looking for DNS on the old server?
Sorry if this is confusing, but I’m over here pulling my hair out trying to figure this out.

phildrew · 2025-02-28T16:17:52.258Z

Clean up and repair AD before trying to promote a new DC. Your Active Directory MUST be healthy FIRST. It even potentially sounds like AD wasn’t replicating properly before.

Best practice is to have multiple Domain controllers per site. Each of those should have it’s DNS server set to another (working) Domain Controller first, and itself last (127.0.0.1).

Since you have lost what seems to be the sole DNS server in the environment, you’ll need to check that DHCP is assigning a correct DNS server to clients.

Anything that had DNS set statically (usually other servers) will need to have it’s settings adjusted.

There is no such concept as primary and backup domain controllers. They are equal peers (except for FSMO roles) that replicate to each other. Replication of changes is not uni-directional from a primary to a secondary/tertiary node.

If you cannot get anywhere with the “backup” domain controller in short order, I’d dump it, and restore your “primary” domain controller from the most recent backup. You do have a backup, right?

Any devices that rotated their machine password since then will have Domain trust failed, and need to have it reset (or rejoin to domain).

matt7863 · 2025-02-28T17:00:17.238Z

I agree with Phildrew.

Has the new DC successfully completed dc promo? that requires DNS.
demote this as a DC.

Make sure the remaining DC is working - DNS server must be running and healthy - the server must be set to use itself for dns.

Then sieze the FMSO roles to the remaining working DC (as the Primary will have been the role holder)
Then clean the old DC out of AD.

Only then proceed to add a new DC - first domain join the new server (it must be set to use the working dc for dns). Then promote to DC. Now update the existing DC to use new DC then itself for dns, do the same on new DC (current plus itself) reboot old DC, then new DC.

douglasduke · 2025-02-28T21:12:27.129Z

I was able to get the DNS working on the new DC. I had to change a bunch of pointers in the DHCP and I had to run some powershell commands that I found, but all is good now.

Rod-IT · 2025-02-28T21:28:48.710Z

douglasduke:

but all is good now

Famous last words.

Is this related to your other problem though?

“other user” gone from login screen - Windows - Spiceworks Community

As in, is this other device not talking to the domain because you had issues?