DNS Passed But Errors on New Domain Controller

Paul R 21 Reputation points
2020-08-19T15:27:00.993+00:00

I had an old domain controller, that had been original for the domain, fail without opportunity for proper demotion. I cleaned up AD/DNS/etc... on remaining DC which is running Win Server 2008R2. Migrated DC/Domain to 2008R2 level and then promoted a new Win Server 2019 box as a second DC. Had to then resolve some DNS issues, but appear to have that sorted now and both DCs show proper info in DNS.
My question is: when I run dcdiag /test:dns, it comes back quick and short and passes on the original DC, but although it passed on the new DC, it has a lot of extra entries that appear to be external queries that are stated as failed. Again, overall it says the DNS test passed, but I wonder what the extra is?

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = DCAPCLD
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DCAPCLD
Starting test: Connectivity
......................... DCAPCLD passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DCAPCLD

  Starting test: DNS

     DNS Tests are running and not hung. Please wait a few minutes...
     ......................... DCAPCLD passed test DNS

Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : presenceus

Running enterprise tests on : presenceus.org
Starting test: DNS
Summary of test results for DNS servers used by the above domain controllers:

        DNS server: 128.63.2.53 (h.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
        DNS server: 128.8.10.90 (d.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
        DNS server: 128.9.0.107 (b.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
        DNS server: 198.32.64.12 (l.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
        DNS server: 2001:500:12::d0d (g.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:12::d0d
        DNS server: 2001:500:1::53 (h.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::53
        DNS server: 2001:500:200::b (b.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:200::b
        DNS server: 2001:500:2::c (c.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
        DNS server: 2001:500:2d::d (d.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
        DNS server: 2001:500:2f::f (f.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
        DNS server: 2001:500:9f::42 (l.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:9f::42
        DNS server: 2001:500:a8::e (e.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:a8::e
        DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
        DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
        DNS server: 2001:7fd::1 (k.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
        DNS server: 2001:7fe::53 (i.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
        DNS server: 2001:dc3::35 (m.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
     ......................... presenceus.org passed test DNS

Accepted answer
  1. Anonymous
    2020-08-20T15:38:16.777+00:00

    Domain controller's own address should be primary

    You have duplicates, so just remove the four invalid ones.

                     Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
               ->  Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreachable)]
                     Name: b.root-servers.net. IP: 199.9.14.201 [Valid]
                     Name: c.root-servers.net. IP: 192.33.4.12 [Valid]
               ->  Name: d.root-servers.net. IP: 128.8.10.90 [Invalid (unreachable)]
                     Name: d.root-servers.net. IP: 199.7.91.13 [Valid]
                     Name: e.root-servers.net. IP: 192.203.230.10 [Valid]
                     Name: f.root-servers.net. IP: 192.5.5.241 [Valid]
                     Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
               ->  Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                     Name: h.root-servers.net. IP: 198.97.190.53 [Valid]
                     Name: i.root-servers.net. IP: 192.36.148.17 [Valid]
                     Name: j.root-servers.net. IP: 192.58.128.30 [Valid]
                     Name: k.root-servers.net. IP: 193.0.14.129 [Valid]
               ->  Name: l.root-servers.net. IP: 198.32.64.12 [Invalid (unreachable)]
                     Name: l.root-servers.net. IP: 199.7.83.42 [Valid]
                     Name: m.root-servers.net. IP: 202.12.27.33 [Valid]
    

    --please don't forget to Accept as answer if the reply is helpful--

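The cleanup the accepted answer describes, as an added PowerShell example that is not part of the original thread: it parses root-hint lines in the format quoted above, selects the addresses marked invalid whose name server also has a valid address, and previews their removal. `Get-InvalidRootHint` and the sample text are constructed for illustration; the removal step assumes the DnsServer module is present on the DC.

```powershell
# Constructed sample in the format of the root-hint list quoted in the answer.
$sample = @'
      Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
->  Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreachable)]
      Name: b.root-servers.net. IP: 199.9.14.201 [Valid]
->  Name: d.root-servers.net. IP: 128.8.10.90 [Invalid (unreachable)]
      Name: d.root-servers.net. IP: 199.7.91.13 [Valid]
'@

# Hypothetical helper: returns the invalid addresses that are safe to drop.
function Get-InvalidRootHint {
    param([Parameter(Mandatory)][string[]]$Line)

    $pattern = 'Name:\s*(?<name>\S+)\s+IP:\s*(?<ip>\S+)\s+\[(?<status>[^\]]+)\]'
    $parsed = foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                NameServer = $Matches.name
                IPAddress  = $Matches.ip
                Valid      = ($Matches.status -eq 'Valid')
            }
        }
    }

    # Report an invalid address only when the same name server still has a
    # valid one, so no root hint is left without any address.
    foreach ($group in ($parsed | Group-Object NameServer)) {
        $good = @($group.Group | Where-Object { $_.Valid })
        $bad  = @($group.Group | Where-Object { -not $_.Valid })
        if ($good.Count -gt 0) { $bad }
    }
}

$stale = Get-InvalidRootHint -Line ($sample -split "`r?`n")
$stale | Format-Table NameServer, IPAddress

# On the DNS server itself: preview the removal; nothing changes with -WhatIf.
if (Get-Command Remove-DnsServerRootHint -ErrorAction SilentlyContinue) {
    foreach ($s in $stale) {
        Remove-DnsServerRootHint -NameServer $s.NameServer -IPAddress $s.IPAddress -WhatIf
    }
}
```

After dropping `-WhatIf`, confirm the remaining entries with `Get-DnsServerRootHint` and re-run `dcdiag /test:dns`.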

39 additional answers

  1. Paul R 21 Reputation points
    2020-08-19T18:30:28.857+00:00

    There were DNS issues (8/18), but that was primarily due to incorrect DNS server settings in the TCP/IP adapter properties on both servers. Once I pointed them to themselves and each other (8/19), the DNS appeared to resolve themselves except for these external references. Can you please explain what you're seeing to need to demote / decommission the new DC?

    As an FYI, looked at the page you referenced and do see a SYSVOL discrepancy between the two DCs. The older (DCAMPRES) DC, Windows Server 2008R2, has a C:\Windows\SYSVOL_DFSR folder, but the newer (DCAPCLD) DC, Windows Server 2019, has C:\Windows\SYSVOL.

    Other items, the SYSVOL folder on older DC (DCAMPRES) is not empty, has "presenceus.org" listed in it.

    So, are you thinking I just need to demote the newer DC (DCAPCLD), delete it from the domain, then re-join the domain, and re-promote it? Thanks


  2. Paul R 21 Reputation points
    2020-08-19T18:42:34.633+00:00

    Also, attached is the DCDIAG from the older DC.

    18846-dcdiag-log-dcampres.txt


  3. Paul R 21 Reputation points
    2020-08-19T19:32:35.357+00:00

    After doing the non-authoritative sync, here are the most recent Event Viewer messages:

    8/19/2020 3:15:46 PM
    The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner DCAMPRES.presenceus.org. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".

    Additional Information:
    Replicated Folder Name: SYSVOL Share
    Replicated Folder ID: 8AF467C5-CF15-41C0-A530-6F81E6A13CC4
    Replication Group Name: Domain System Volume
    Replication Group ID: 0BDD34DE-83B4-4ADC-B3E6-669821CF185F
    Member ID: 43E3295D-1B39-4FA4-8FF8-376AD261C628

    ===================

    8/19/2020 3:15:43 PM
    The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner . If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

    Additional Information:
    Replicated Folder Name: SYSVOL Share
    Replicated Folder ID: 8AF467C5-CF15-41C0-A530-6F81E6A13CC4
    Replication Group Name: Domain System Volume
    Replication Group ID: 0BDD34DE-83B4-4ADC-B3E6-669821CF185F
    Member ID: 43E3295D-1B39-4FA4-8FF8-376AD261C628

    I've also attached an updated DCDIAG from DCAPCLD. Thanks

    18799-dcdiag-log.txt


  4. Paul R 21 Reputation points
    2020-08-19T20:11:31.073+00:00

    Cleared some logs, rebooted and attached is the new DCDIAG. Really appreciate your help with this.

    18847-dcdiag-log.txt
