Installation of Active Directory on separate VM from DNS does not entirely work - not sure why

Posted by René Kåbis on Server Fault
Published on 2013-10-23T15:48:53Z

Not sure what I am doing wrong here. I have a moderately midrange server (16 cores, 2 GHz, 32GB ECC REG RAM, 6TB storage, nothing too extreme) where I am running Hyper-V (Server 2012 R2 Enterprise) in order to provision virtual machines. So why an AD separate from DNS? I want redundancy. I want to be able to move VMs and back them up individually and not have too many services on any one VM.

I have already provisioned a VM with DNS, and have set it up right -- essentially, I have:

  1. Set up static IPs for everyone involved.
  2. Installed the DNS service on the DNS VM.
  3. Created a forward lookup zone and a reverse lookup zone (primary zone) xyz.ca.
  4. Configured the zones to use nonsecure and secure dynamic updates (I will change this to secure later after the domain controller is online).
  5. Created an A record for the DC in the forward lookup zone (and a reverse PTR).
  6. Changed the DC’s DNS server (network settings) to the new DNS server.
  7. Checked that I can ping the DNS server from the new DC by hostname.

When I went ahead and did a dcpromo on the DC, and unchecked the “install DNS” option, everything seemed to go well (no error messages), but I saw no changes on the DNS server whatsoever (no additional settings). Plus, the DNS server seems to be unable to join the domain, as it claims that the domain is not discoverable.

As a final note, I do run Symantec Endpoint Protection, which includes a firewall and most settings set as default. I have not yet tried turning this off, but my experience has been that if a service would open up a port on a Windows firewall, it would do the same through Symantec. There is pretty tight integration these days with corporate-class AV and Windows.

I have a template vhdx fully set up (just short of any special roles and features) that I can use to replace the current AD VM with, so doing this all over again is not too much skin off of my nose.
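A diagnostic script for the symptom described above (a promoted DC whose records never appeared in the stand-alone DNS VM's zone), added here as an example and not part of the original post. It assumes the zone name xyz.ca from the post; the DNS VM's IP address is a placeholder.

```powershell
# Added example: run on the newly promoted DC. Checks whether the domain locator
# records that Netlogon must register in the DNS VM's zone actually exist.
$Domain    = 'xyz.ca'        # zone from the post
$DnsServer = '10.0.0.10'     # placeholder: IP of the DNS VM

# 1. The DC must resolve only through the DNS VM; any other resolver listed here
#    will answer "no such domain" for the locator records and break discovery.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. SRV records dcpromo/Netlogon registers. If these are MISSING, other machines
#    report the domain as "not discoverable" exactly as in the post.
$Srv = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($name in $Srv) {
    try {
        $r = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop
        $targets = ($r | Where-Object Type -eq 'SRV').NameTarget -join ', '
        '{0,-40} OK      -> {1}' -f $name, $targets
    } catch {
        '{0,-40} MISSING' -f $name
    }
}

# 3. If records are missing, force re-registration and re-run step 2. Registration
#    only succeeds when the zone accepts dynamic updates from this host and the
#    DNS VM's firewall (here Symantec Endpoint Protection) allows UDP/TCP 53 in.
# Restart-Service Netlogon
# ipconfig /registerdns

# 4. On the DNS VM (DnsServer module, installed with the DNS role): confirm the
#    zone's update setting. Note that a file-backed primary zone can only be set
#    to None or NonsecureAndSecure; "Secure" requires an AD-integrated zone,
#    which a DNS server that is not itself a DC cannot host.
# Get-DnsServerZone -Name $Domain | Select-Object ZoneName, ZoneType, DynamicUpdate
```

Until the zone can be made secure-only, any host that can reach the DNS VM on port 53 can overwrite these records, so keep the DNS VM's listening interface restricted to the internal network.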
