Unable to connect to new DC

z1551 · 2025-03-19T12:07:30.500Z

Hi

I have now created a new dc on windows server 2022.
I cannot ping the domain but can ping server name and IP.
when I am joining a machine to the new dc, it only joins if I put the DNS IP in network connections.
when doing ipconfig/all I get DNS as below on client pc

192.168.11.10 old dc
8.8.8.8 google
192.168.15.10 new dc

DHCP is handled by firewall so all these settings were done on the firewall.
Its a VM on server so not a physical machine
on the dc itself DNS is 127.0.0.1
IP details on both dc’s are same except the IP itself.
second dc is set to static IP and mac IP bound on firewall
I have flushed the DNS as well.
can you please guide what can I do.

HanSlo-mo · 2025-03-19T12:22:36.593Z

First thing is get rid of the external DNS on the client. All DNS should go through the DC/DNS server. Second, I see you have a new subnet by going from 192.168.11.X to 192.168.15.X Do you have your subnet mask allowing connectivity from 192.168.11 - .15? Or did you create a new IP schema and updated DHCP so that everything is on the same subnet? I’m not sure of your networking knowledge but remember that if your subnet mask is 255.255.255.0 that means all of the computers with 192.168.11.0-254 can talk to each other if you have a new server on 192.168.15.0-254 and it has a subnet mask of 255.255.255.0 the other computers won’t be able to talk with it unless you set the IP in that new subnet/IP Schema.

HanSlo-mo · 2025-03-19T12:25:31.460Z

I just noticed the DC is hosted on a VM. Can you list out what IPs and subnets you are working with? Firewall, VM host, VM client, and client PC? I have a feeling your issue is related to the network setup.

matt7863 · 2025-03-19T12:34:43.764Z

Is this a completely new AD Domain implementation?
Or a new additional DC on existing domain?

In both cases the 8.8.8.8 dns server should be removed from the dhcp scope settings and only active DC dns servers remain (so if new domain only the IP of new DC). the dns suffix should also be set to match the ad domain name.

If this is an additional DC then clients must be able to access it (and the existing DC) as it appears to be in a different IP network.

z1551 · 2025-03-19T14:38:54.634Z

Hi
I am sorry I made a mistake on the ip

Old and new dc’s are on same ip range 192.168.11.X
.10 is old .15 is new
the difference is old dc is a physical server and the new one is a VM within another dell server.
they are both on same network as DHCP is handled by firewall.

old dc IP is 192.168.11.10
sub mask 255.255.255.0
def gateway 10.90.1.254
DNS :: 1
127.0.0.1

new dc IP is 192.168.11.15
sub mask 255.255.255.0
def gateway 10.90.1.254
DNS :: 1
127.0.0.1

I have a sonicwall firewall
VM is hosted on hyper v
client PC is a dell laptop
I still have the old dc on and working, this is supposed to be a brand new dc as old one is on 2012r2.

matt7863 · 2025-03-19T14:42:53.300Z

if it is a new DC - then it needs to be added to the same domain.
Has this been done and succesfully working?

The process is:
new server (vm) domain joined (dns server set as old DC ip address). Then DC promo and reboot.
Next the old DC needs to have it’s DNS servers changed - 1st dns server IP is 192.168.11.15 (new dc) and then 2nd is 127.0.0.1. new DC dns settings changed to 192.168.11.10 (old) and then 127.0.0.1 itself.
Make sure replication is ok and dcdiag reports no errors on both.

Then you can set clients to use new DC. If you want to remove old DC, move the key roles and demote. update dns server settings to new DC only.

HanSlo-mo · 2025-03-19T15:14:03.284Z

How big is this network? why is the gateway in the 10.x.x.x subnet? shouldn’t be an issue just seems strange. Is the new DC running the same domain that the old DC was using, and you promoted it into the domain, or did you create a new domain as well? What DNS is your laptop client getting? it should be pointing at one of the two DCs. Depending on if it’s a new domain or you promoted into the existing one that may change how that works.

Other than the fact that the firewall is running DHCP it shouldn’t affect anything because all of your traffic should be on the LAN side. Is the firewall new or did it work with the old DC? Do you have the Hyper-V network setup to share the host nic or do bridging?

z1551 · 2025-03-19T16:13:58.730Z

sorry again, the gateway is 192.168.11.254 which is the firewall. i am working for two separate clients.
I don’t want to do anything with the old dc, it was only used for user authentication purposes to log into PC and get shared network files.

i just want to start using the new dc but when I try to add the user’s laptops to the new DC it gives me error.

I created a new VM, and in the server roles installed ADDS And DNS and promoted this.
Firewall is new and it works with old DC.
As I said If I put the new dc IP in DNS setting of any computer it joins and shows the computer in the server and authenticates the account too.

Error is below

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “MM1.dc”:

The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.MM1.dc

Common causes of this error include the following:

The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.11.15
8.8.8.8
192.168.11.10

One or more of the following zones do not include delegation to its child zone:

MM1.dc
dc
. (the root zone)

HanSlo-mo · 2025-03-19T16:24:51.952Z

Is MM1.dc a new domain or is it the original domain? Also, again you need to remove the 8.8.8.8 that’s going to break stuff.

z1551 · 2025-03-19T16:27:45.530Z

HanSlo-mo:

in you need to remove the 8.8.8.8 that’s going to break stuff.

mm1.dc is the new domain.
i can remove that from firewall
does it matter when you do ipconfig, i get under dns server
old DNS
8.8.8.8
new DNS
should it be the other way round?

HanSlo-mo · 2025-03-19T16:45:44.372Z

ok so you have two domains (not just two Domain Controllers). The firewall’s LAN/Wan setting can have 8.8.8.8 but your DHCP server needs to only point to one of your domain controllers. The issue you are going to have with having two Domains is that each DC (Domain Controller) wants to control its own DNS. You can setup your DHCP to point to the old domain controller so that all of the computers on that domain will continue to work. Then on your test laptop you are using manually set the DNS to point to the new DC do an IPconfig /flushdns && ipconfig /registerdns from an elevated command line. then try to add the test laptop to the new domain. Then when you are ready to migrate every over to the new domain in the firewall update the DHCP server to push all DNS to the new DC. Then you can reboot or do an IPconfig /release && ipconfig /renew to get the new DNS server and then try to connect to the new domain.

HanSlo-mo · 2025-03-19T17:28:36.583Z

Also just to explain the 8.8.8.8 issue a little further. Your DC(192.168.10.10) running a DNS server manages everything that is registered to AD.ExampleDomain.com. All Local PCS and any local websites you want to setup and run. When your laptop goes to join/talk to the domain it asks the server where is AD.ExampleDomain.com and the DC will reply with it’s here 192.168.10.10. Or where is Windows11pc.AD.ExampleDomain.com it will reply with its IP address 192.168.10.151. It knows (or should know) everything about AD.ExampleDomain.com. When you use 8.8.8.8 for lookup your computer goes hey 8.8.8.8 where is AD.ExampleDomain.com and if that isn’t a publicly known Domain 8.8.8.8 will reply with, “I’m sorry I have no idea where that domain is”. Causing local connectivity errors. Now all web searches (DNS request that is) going out to the public internet will work just fine because 8.8.8.8 knows all about the public world.

Now having a client computer talking to both DNS in theory shouldn’t be an issue because the computer should route all look ups to the first DNS entry in this example it’ll be 192.168.10.10 and the secondary is 8.8.8.8. So that if the computer cannot find something it’ll default over to the secondary. If you add in another DNS say 192.168.10.15. Now your computer will hit the primary DNS first and it’s going to reply back with what it knows. If you have AD.NewDomain.com and it’s not setup in 192.168.10.10. All of your lookups will fail since 192.168.10.10 have no information on that domain. Now you can add a lookup entry in the DNS server so that anything 192.168.10.10 can’t find is forwarded to 192.168.10.15 to lookup and reply back to 192.168.10.10 with where it’s for its client.

If you do have two new DCs and two Domains. You’ll need to either staticly set the DNS on the client computer so that it only knows which one you want it to talk to. Or setup your DHCP server to push only the DNS settings of which domain you want it to use. You could do the forwarders but depending on your client’s size that may not be worth it.

PatrickFarrell · 2025-03-20T06:11:08.129Z

If you create a new domain, all of your user profiles on your machines will need to be migrated if you join them to the new domain. That can be very time consuming.

As far as your DNS issues go, please read this:

Active Directory DNS Refresher Windows

It’s DNS. It’s always DNS. No, DNS is fine, it’s not DNS, trust me. It was DNS. I’m posting because in the last few weeks we’ve had a few posts that turned out to be misconfigurations with DNS in a domain environment. Things like Domain controllers pointing at themself first for DNS, or having a public DNS server on the NIC of the Domain Controller or the clients. Hopefully this will help some people get out in front of potential issues. The general rules for DNS in an AD E…