During migration tests between VMware Workstation and Virtual Server 2005 R2 SP1 I created two domain controllers for the Networknet.nl domain. At some point I had issues with DNS, and then I assigned the IP address of the second DC of the domain to the primary one.
Right now all my domain clients are reporting the error message below: "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server ... The target name used was ... This indicates that the target server failed to decrypt the ticket provided by the client" for the domain controller account. I have seen this before, and I will fix it by deleting the complete set of DNS records for Active Directory.
[Screenshot: screen clipping taken 12/2/2007, 2:18 PM]
Open the Computer Management console and scroll down to the DNS snap-in. Locate your _msdcs zone and select all records except for the "(same as parent folder)" entry. Right-click and delete them.
[Screenshot: screen clipping taken 12/2/2007, 2:21 PM]
Go to your primary AD zone and select all other AD-related records.
[Screenshot: screen clipping taken 12/2/2007, 2:24 PM]
As shown above, select the records and right-click to delete them. Check that the host records for the domain controllers have the correct IP addresses.
Now the DNS zones are clean. To have all required Active Directory records recreated, do one of the following:
- Stop and restart the Netlogon service, e.g. "net stop netlogon & net start netlogon" in a cmd box.
- Reboot the domain controller
Verify the records after the reboot or the service restart.
These steps were executed in a lab environment; be careful when deleting the AD-related DNS records in a production environment. If there are dozens of domain controllers, a Netlogon restart or reboot is also required on all of them to get the records back.
What happens in the background is that the file C:\WINDOWS\system32\config\netlogon.dns is imported into the DNS zones.
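As an added example (not code from the original post), here is a small Python check over records in the netlogon.dns line format: given the expected DC-to-IP map, it flags the mis-assignment described above, where two DC hostnames end up on one address, and any SRV record pointing at a host that is not a known DC. The hostnames and addresses are constructed lab values, not the real Networknet.nl ones.

```python
"""Cross-check AD DNS records (netlogon.dns-style lines) against the expected
DC-to-IP map, to catch the state that produces KRB_AP_ERR_MODIFIED."""
import re
from collections import defaultdict

# Expected domain controllers: constructed lab values, not from the post.
EXPECTED_DCS = {"dc1.networknet.nl.": "10.0.0.10", "dc2.networknet.nl.": "10.0.0.11"}

# Constructed sample in netlogon.dns line format plus the zone's host A records,
# after dc2's address was mistakenly assigned to dc1 and one stale SRV remained.
SAMPLE_ZONE = """\
dc1.networknet.nl. 1200 IN A 10.0.0.11
dc2.networknet.nl. 1200 IN A 10.0.0.11
networknet.nl. 600 IN A 10.0.0.11
_ldap._tcp.dc._msdcs.networknet.nl. 600 IN SRV 0 100 389 dc1.networknet.nl.
_ldap._tcp.dc._msdcs.networknet.nl. 600 IN SRV 0 100 389 dc2.networknet.nl.
_kerberos._tcp.dc._msdcs.networknet.nl. 600 IN SRV 0 100 88 dc1.networknet.nl.
_kerberos._tcp.dc._msdcs.networknet.nl. 600 IN SRV 0 100 88 oldlab.networknet.nl.
"""

# name [ttl] IN type rdata  (TTL is optional so hand-edited lines still parse)
REC = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|SRV|CNAME)\s+(.*)$")

def parse_records(text):
    """Yield (name, type, rdata fields) for each zone-file style line."""
    for line in text.splitlines():
        m = REC.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3).split()

def check_dc_records(text, expected=EXPECTED_DCS):
    """Return a list of human-readable problems found in the records."""
    problems = []
    by_ip = defaultdict(set)   # address -> DC hostnames registered on it
    for name, rtype, rdata in parse_records(text):
        if rtype == "A" and name in expected:
            if rdata[0] != expected[name]:
                problems.append(f"{name} A {rdata[0]} (expected {expected[name]})")
            by_ip[rdata[0]].add(name)
        elif rtype == "SRV" and rdata[3].lower() not in expected:
            problems.append(f"{name} SRV -> {rdata[3]} is not a known DC (stale record)")
    # Two DC hostnames on one address: the client gets a ticket for one DC account
    # but talks to the other host, which cannot decrypt it (KRB_AP_ERR_MODIFIED).
    for ip, names in by_ip.items():
        if len(names) > 1:
            problems.append(f"{ip} is shared by {', '.join(sorted(names))}")
    return problems

if __name__ == "__main__":
    for p in check_dc_records(SAMPLE_ZONE):
        print("PROBLEM:", p)
```

Run it against the zone's exported records (or each DC's netlogon.dns) after the Netlogon restart to confirm nothing stale or shared came back.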