I have just tried to replace one of my domain controllers in a single domain forest keeping the old IP (but a new computer name). As this is an environment I have "inherited" from a previous sysadmin I don't have all the background facts for how it was set up. I think this might have been the first DC in the AD, but it's an old Windows 2003 which has been acting up in all manners of ways lately.
Before the change I had:
- 2 x Windows 2003 DC
- 2 x Windows 2008 R2 DC
- All but the remaining Win 2003 have GC
After the change I have a feeling the new DC's DNS service isn't working as it should. If I have that set as my primary DNS, I get a strange latency in my dns-queries for public sites. Queries for internal records seem to be working. I tried setting the timeout for forwarders down to 1 sec on the new DC, which got me a shorter latency for the public queries, which has me thinking all public site queries time-out on that server, and forwards it.
Before I demoted the old machine out of the AD, I made sure all FSMO-roles were on a different DC, and as stated before, there are several GCs.
Is there some DNS setting for the domain that I've missed, or do you have any ideas on where to look next?
Is the new computername using the same IP the culprit? Would it be wise to demote the new DC, leave the AD, change names, then join again?
In the server manager DNS-logs, I get a warning each restart saying:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed
But right after that, there's an information entry saying:
The DNS server has started.
Running NSLOOKUP, and choosing server "new DC" works fine, and is instant, for internal, but times out for public queries. Running PING from the new DC to a public site resolves the public IP fine.
The firewall is turned off on the server, and the DNS Server-service is running.
All your DNS records for AD point to the old server with a different name, even if same IP. You should have added the new DC with a new IP. That's probably why you're having issues. Try doing an "ipconfig /registerdns" from your new DC if you haven't done so yet. Also GCs are mainly used for inter-forest/domain object searches. Since you only have 1 domain I don't suspect that being the main issue.
I think I have found out what the problem was. By default it seems the new server wants to use the other DCs as forwarders for queries not cached, which is why internal queries worked and public ones did not. I simply removed those entries and just left public DNS as forwarders, and it's running much smoother now. I'm guessing the timeout occurred because I queried for a name that none of the DCs had in cache, and therefore my new DC first had to wait for the other DC to resolve the name, and then get a response. With the 2 second timeout, this was never successful.
Thanks to Jon for your input!
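The misconfiguration described above (a DC forwarding to other DCs, with a short timeout) is easy to miss on a multi-DC domain. The following script is an added example, not code from this thread: it audits the forwarder list on every DC, flags forwarders that point at another DC, and times a public lookup through each one. It assumes the DnsServer and ActiveDirectory PowerShell modules (RSAT, Windows Server 2012+), WinRM access to each DC, and uses placeholder resolver addresses.

```powershell
# Added example, not code from the original thread. Audits the forwarder list on
# every DC in the domain, flags forwarders that point at another DC (the setup the
# thread found), and measures how long a public lookup takes through each DC.
# Assumes the DnsServer and ActiveDirectory PowerShell modules (RSAT, Windows
# Server 2012+) and WinRM access to each DC; resolver IPs below are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$PublicForwarders = @('203.0.113.1', '203.0.113.2')  # placeholder public resolvers
$ProbeName        = 'www.example.com'                # public name used for timing
$Fix              = $false                           # set $true to rewrite forwarders

$dcs         = Get-ADDomainController -Filter *
$dcAddresses = $dcs | ForEach-Object { $_.IPv4Address }

foreach ($dc in $dcs) {
    $fwd         = Get-DnsServerForwarder -ComputerName $dc.HostName
    $fwdStrings  = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    $pointsAtDCs = @($fwdStrings | Where-Object { $_ -in $dcAddresses })

    # Time a public lookup sent directly to this DC (DNS only, no LLMNR/NetBIOS).
    $elapsed = (Measure-Command {
        Resolve-DnsName -Name $ProbeName -Server $dc.HostName -DnsOnly -ErrorAction SilentlyContinue
    }).TotalMilliseconds

    [pscustomobject]@{
        DC             = $dc.HostName
        Forwarders     = ($fwdStrings -join ', ')
        TimeoutSeconds = $fwd.Timeout
        ForwardsToDCs  = ($pointsAtDCs -join ', ')
        PublicLookupMs = [int]$elapsed
    }

    # Optional remediation: replace the forwarder list with public resolvers and a
    # timeout long enough for a real upstream answer (the thread hit a 2 s timeout).
    if ($Fix -and $pointsAtDCs.Count -gt 0) {
        Set-DnsServerForwarder -ComputerName $dc.HostName -IPAddress $PublicForwarders -Timeout 5
    }
}
```

A DC whose ForwardsToDCs column is non-empty and whose PublicLookupMs is close to its TimeoutSeconds value is showing the same symptom the thread describes.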