Active Directory DNS: Second AD controller not showing up in DNS


I have an AD domain with two AD controllers, with only one running DNS. One needs to be decommissioned which means that DNS needs to be installed on the second. I've installed the DNS service, and created an AD integrated mydomain.local forward lookup zone, but it's not populating with the required AD information.

Looking in the DNS records on the first controller I can't see any entries for the second controller, and dcdiag on the new server shows

C:\Program Files (x86)\Support Tools>dcdiag

Domain Controller Diagnosis

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         The host 9a23c77c-1234-1234-1234-123456789abc._msdcs.mydomain.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name (9a23c77c-1234-1234-1234-123456789abc._msdcs.mydomain.local) couldn't be
         resolved, the server name (adserver2.mydomain.local) resolved to the IP address (203.10.100.23) and
         was pingable.  Check that the IP address is registered correctly with the DNS server.
         ......................... ADSERVER2 failed test Connectivity

Netdiag /fix on the new AD controller is not solving this:

C:\Program Files (x86)\Support Tools>netdiag.exe /fix

Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
    [FATAL] No DNS servers have the DNS records for this DC registered.

What do I need to do to force an update of the DNS records on the first server so they include the new AD controller? Netdiag and dcdiag on the first server do not report any errors.

[edit]
Removing the zone from the new server and restarting the Netlogon service has correctly created the mydomain.local forward lookup zone, but the _msdcs.mydomain.local forward lookup zone is not on the new server and dcdiag & netdiag still return the same errors.

Best Answer

In the NIC properties for the "secondary server", see that it has specified as its only DNS server the "primary server". Reboot the "secondary server" and verify that AD replication is occurring (using REPLMON from the Windows Support Tools, for example). Since they're in the same AD site you should see replication within 5 minutes.

Once you're seeing good AD replication, verify that you're "seeing" RR's in the DNS management console in the domain's forward lookup zone on the "secondary server". Once you see good RR's there, you're safe to specify the "secondary server" as its own DNS server and begin the process of transferring FSMO roles and decommissioning the "primary server".
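The checks the answer describes (DNS client pointing at the existing DNS server, replication healthy, the DC's own records present) as an added PowerShell script that is not part of the original answer. It assumes the ActiveDirectory and DnsClient modules (RSAT on Windows 8 / Server 2012 or later, which postdate the Support Tools used in the question); mydomain.local and ADSERVER2 come from the question, while the primary DNS server's IP is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory
# and DnsClient modules. Adjust the three values below for your environment.
$Domain     = 'mydomain.local'
$NewDc      = 'ADSERVER2'
$PrimaryDns = '203.10.100.22'   # placeholder: IP of the DC that already runs DNS

Import-Module ActiveDirectory

# 1. Until its own zone copy is populated, the new DC should use only the
#    existing DNS server (the answer's first step). Show what each NIC uses.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. DNS data cannot arrive until AD replication works; repadmin reports
#    "was successful" per partner for a healthy DC.
repadmin /showrepl $NewDc

# 3. Resolve the records dcdiag complained about against the primary DNS
#    server: the DSA GUID CNAME under _msdcs, the domain LDAP SRV record,
#    and the DC's own A record.
$dc   = Get-ADDomainController -Identity $NewDc
$guid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID

function Get-RecordTarget($rec, $type) {
    switch ($type) {
        'SRV'   { $rec.NameTarget }
        'CNAME' { $rec.NameHost }
        default { $rec.IPAddress }
    }
}

$checks = @(
    @{ Name = "$guid._msdcs.$Domain";         Type = 'CNAME' }
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV'   }
    @{ Name = $dc.HostName;                   Type = 'A'     }
)
foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $PrimaryDns -ErrorAction Stop
        $targets = ($r | ForEach-Object { Get-RecordTarget $_ $c.Type }) -join ', '
        "OK      {0,-5} {1} -> {2}" -f $c.Type, $c.Name, $targets
    } catch {
        "MISSING {0,-5} {1}" -f $c.Type, $c.Name
    }
}

# 4. Once replication is healthy but records are still absent, ask Netlogon
#    on the new DC to re-register them (this also rewrites netlogon.dns).
nltest /server:$NewDc /dsregdns
```

Run it from an elevated prompt on the new DC; a MISSING line for the GUID CNAME while the A record resolves matches the dcdiag Connectivity failure shown in the question.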