Solved

Win2K Active Directory / Domain Name Server ( AD / DNS ) Problem

Posted on 2001-06-11
Last Modified: 2010-04-13
Hello,

I have a Win2K Advanced Server in my home network. It is configured as:
a) My web server, running IIS
b) A router running full blown RRAS & NAT, on one side plugged to the internet (via DSL) and on the other to my home network.
c) The (ONLY) domain controller for my home network
d) DHCP Server for the home network
e) Domain Name Server for the home network.

Don't know if it makes any difference, but the way I set it up, I have a site (dcgames.com) hosted as a virtual site somewhere else. The ISP provides the domain name service for that site and has added an A record for "hdzlan.dcgames.com" pointing to my home IP address, so my home "domain" is "hdzlan.dcgames.com".

As part of an ill-considered attempt to fix some routing problems, I removed and added DNS, DHCP, NAT, RRAS multiple times, and at some point I actually went into active directory and DELETED some of the registered DNS entries.

Now that everything else is working, I believe that the connection between DNS and Active Directory is damaged. I get the following errors when I re-boot the Win2K server:

Note that most are SRV records, but one is a CNAME for what looks like a security string, and another is an A record for the internal address 192.168.0.1

I have looked at the Microsoft support pages but have been unable to fix the problem. Notice the error "DNS server unable to interpret format".

The points are set to 200, but I will grant 100 points to each answer that gets me a bit closer to a final solution.

Specific questions:

a) Could it be that the dynamic DNS registration is being sent to a domain name server OTHER than my own?

The TCP/IP settings for my DSL NIC have 192.168.0.1 as the "primary DNS" and an external IP as a "secondary DNS".

Same thing for the internal IP address.

From my office, using NSLOOKUP (had to set timeout value higher than default 2 seconds) and setting hdzlan.dcgames.com as the name server for NSLOOKUP, I get this (with debug on):
> ls hdzlan.dcgames.com
[hdzlan.dcgames.com]
Received AXFR message:  questions=1, answers=27
 hdzlan.dcgames.com.  600 IN A  192.168.0.1
 hdzlan.dcgames.com.  600 IN A  209.196.83.11
 hdzlan.dcgames.com. 3600 IN NS server = dc-gateway89.hdzlan.dcgames.com
 gc._msdcs.hdzlan.dcgames.com. 600 IN A 192.168.0.1
 gc._msdcs.hdzlan.dcgames.com. 600 IN A 209.196.83.11
 dc-gateway89.hdzlan.dcgames.com. 1200 IN A 192.168.0.1
 dc-gateway89.hdzlan.dcgames.com. 1200 IN A 209.196.83.11

c) Should I add the error entries manually? If so, do I add them to the DNS? To the AD?

d) How do I re-sync my DNS and AD? Should I run dcpromo, remove the active directory domain and re-build the whole thing? If this is recommended, What are the exact steps and what are the risks?

e) Back before all this started, I did NOT have a reverse lookup zone in my system. Now I do, and it has entries like: 0.168.192.in-addr.arpa and 0.0.127.in-addr.arpa.
Since these are local, should I delete them? Should I delete the reverse lookup zone completely?

=== Log follows. ===

5/6/2001     8:58:58 PM     NETLOGON     Error     None     5774     N/A     DC-GATEWAY89     Registration of the DNS record '_gc._tcp.Default-First-Site._sites.hdzlan.dcgames.com.
600 IN SRV 0 100 3268 dc-gateway89.hdzlan.dcgames.com.' failed with the following error:
DNS server unable to interpret format.  

5/6/2001     8:58:57 PM     NETLOGON     Error     None     5774     N/A     DC-GATEWAY89     Registration of the DNS record '_kerberos._tcp.Default-First-Site._sites.hdzlan.dcgames.com.
600 IN SRV 0 100 88 dc-gateway89.hdzlan.dcgames.com.' failed with the following error:
DNS server unable to interpret format.  

5/6/2001     8:58:56 PM     NETLOGON     Error     None     5774     N/A     DC-GATEWAY89     Registration of the DNS record '_ldap._tcp.Default-First-Site._sites.dc._msdcs.hdzlan.dcgames.com.
600 IN SRV 0 100 389 dc-gateway89.hdzlan.dcgames.com.' failed with the following error:
DNS server unable to interpret format.  

5/6/2001     8:58:31 PM     NETLOGON     Error     None     5774     N/A     DC-GATEWAY89     Registration of the DNS record '_kpasswd._udp.hdzlan.dcgames.com.
600 IN SRV 0 100 464 dc-gateway89.hdzlan.dcgames.com.' failed with the following error:
DNS server unable to interpret format.  


5/6/2001     8:58:28 PM     NETLOGON     Error     None     5774     N/A     DC-GATEWAY89     Registration of the DNS record '_gc._tcp.hdzlan.dcgames.com.
600 IN SRV 0 100 3268 dc-gateway89.hdzlan.dcgames.com.' failed with the following error:
DNS server unable to interpret format.  

5/6/2001     8:58:24 PM     NETLOGON     Error     None     5774     N/A     DC-GATEWAY89     Registration of the DNS record 'e6e1e37f-f55f-41f3-a821-3a20d2bef3cc._msdcs.hdzlan.dcgames.com.
600 IN CNAME dc-gateway89.hdzlan.dcgames.com.' failed with the following error:
DNS server unable to interpret format.  

5/5/2001     7:01:19 PM     NETLOGON     Error     None     5774     N/A     DC-GATEWAY89     Registration of the DNS record 'hdzlan.dcgames.com.
600 IN A 192.168.0.1' failed with the following error:
DNS server unable to interpret format.  

I also get the following errors which I believe are UN-RELATED, but I post them here for completeness.

5/6/2001     8:58:38 PM     BROWSER     Information     None     8015     N/A     DC-GATEWAY89     The browser has forced an election
on network \Device\NetBT_Tcpip_{684F07DA-C16F-496D-97B1-3EDDFEDBCB60} because a Windows 2000 Server
(or domain master) browser is started.

5/6/2001     8:59:19 PM     RemoteAccess     Error     None     20106     N/A     DC-GATEWAY89     Unable to add the interface Internal
with the Router Manager for the IP protocol. The following error occurred: The parameter is incorrect.

Question by:dcgames
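Added example (editor's Python, not code from the thread or from Microsoft): the records from the 5774 events above and the nslookup `ls` listing above are embedded as constructed sample input and checked against each other, which is the comparison you would otherwise make by hand between the zone and %SystemRoot%\System32\config\netlogon.dns, the file Netlogon writes with every record it tries to register. Two things fall out of it. The CNAME the question calls "a security string" is the DC's NTDS Settings object GUID under _msdcs, the alias replication partners use to find this DC, so it belongs in the zone like the SRV records. And the A record for 192.168.0.1 that NETLOGON says it could not register is already present in the zone, which fits a failure coming from a server other than 192.168.0.1. Note that the `ls` listing itself came from an unrestricted zone transfer answered to the author's office, which Housenet addresses later in the thread.

```python
"""Which DC-locator records that Netlogon tried to register are missing from the zone?

Added example, not code from the thread.  Both inputs are copied from the
question and embedded here as constructed sample text so this runs offline.
"""

# Records from the NETLOGON 5774 events, in the zone-file syntax the event uses:
# owner TTL class type rdata...
FAILED_REGISTRATIONS = """
_gc._tcp.Default-First-Site._sites.hdzlan.dcgames.com. 600 IN SRV 0 100 3268 dc-gateway89.hdzlan.dcgames.com.
_kerberos._tcp.Default-First-Site._sites.hdzlan.dcgames.com. 600 IN SRV 0 100 88 dc-gateway89.hdzlan.dcgames.com.
_ldap._tcp.Default-First-Site._sites.dc._msdcs.hdzlan.dcgames.com. 600 IN SRV 0 100 389 dc-gateway89.hdzlan.dcgames.com.
_kpasswd._udp.hdzlan.dcgames.com. 600 IN SRV 0 100 464 dc-gateway89.hdzlan.dcgames.com.
_gc._tcp.hdzlan.dcgames.com. 600 IN SRV 0 100 3268 dc-gateway89.hdzlan.dcgames.com.
e6e1e37f-f55f-41f3-a821-3a20d2bef3cc._msdcs.hdzlan.dcgames.com. 600 IN CNAME dc-gateway89.hdzlan.dcgames.com.
hdzlan.dcgames.com. 600 IN A 192.168.0.1
"""

# What the zone actually held, from the nslookup 'ls' (AXFR) output in the question.
ZONE_LISTING = """
hdzlan.dcgames.com.  600 IN A  192.168.0.1
hdzlan.dcgames.com.  600 IN A  209.196.83.11
hdzlan.dcgames.com. 3600 IN NS server = dc-gateway89.hdzlan.dcgames.com
gc._msdcs.hdzlan.dcgames.com. 600 IN A 192.168.0.1
gc._msdcs.hdzlan.dcgames.com. 600 IN A 209.196.83.11
dc-gateway89.hdzlan.dcgames.com. 1200 IN A 192.168.0.1
dc-gateway89.hdzlan.dcgames.com. 1200 IN A 209.196.83.11
"""


def _name(token: str) -> str:
    """Lower-case a DNS name and make it fully qualified so both inputs compare equal."""
    token = token.lower()
    return token if token.endswith(".") else token + "."


def parse_record(line: str):
    """Parse one 'owner TTL class type rdata' line into a comparable (owner, type, rdata)."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"not a resource record: {line!r}")
    owner, _ttl, rclass, rtype, *rdata = tokens
    if rclass.upper() != "IN":
        raise ValueError(f"unexpected class {rclass!r} in {line!r}")
    rtype = rtype.upper()
    # nslookup's debug output renders NS data as 'server = host'; drop that decoration.
    rdata = [t for t in rdata if t not in ("server", "=")]
    if rtype in ("CNAME", "NS"):
        (target,) = rdata
        rdata = [_name(target)]
    elif rtype == "SRV":
        priority, weight, port, target = rdata
        rdata = [priority, weight, port, _name(target)]
    return (_name(owner), rtype, " ".join(rdata))


def parse_records(text: str):
    return {parse_record(line) for line in text.splitlines() if line.strip()}


def missing_records(failed_text: str, zone_text: str):
    """Records Netlogon tried to register that the zone does not contain, sorted."""
    return sorted(parse_records(failed_text) - parse_records(zone_text))


def summarize(missing):
    """Count missing records by type, e.g. {'SRV': 5, 'CNAME': 1}."""
    counts = {}
    for _owner, rtype, _rdata in missing:
        counts[rtype] = counts.get(rtype, 0) + 1
    return counts


if __name__ == "__main__":
    missing = missing_records(FAILED_REGISTRATIONS, ZONE_LISTING)
    print(f"{len(missing)} of the records NETLOGON tried to register are absent from the zone:")
    for owner, rtype, rdata in missing:
        print(f"  {owner} {rtype} {rdata}")
    print("by type:", summarize(missing))
```

Run against the question's data it reports six missing records (five SRV, one CNAME) and confirms the A record is present. The same functions work on a fresh `dnscmd /zoneprint` or nslookup `ls -d` dump of the zone, which is the quickest way to see whether an `ipconfig /registerdns` or a Netlogon restart actually repaired the locator records.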
13 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 6178304
It's not at all clear to me HOW your DNS hierarchy (i.e. delegation) is supposed to be, much less how you have it configured in all this mess.  Queries of your DNS servers are inconsistent, there don't seem to be any NS records to query, and there is disagreement between your SOAs on who is responsible for what domains and subs...
LVL 32

Expert Comment

by:jhance
ID: 6178308
Oh, and it's pretty clear that one or more of your DNS zone files have syntax errors in them.
LVL 7

Expert Comment

by:franka
ID: 6178334
a)all DNS entries will get the DDNS request

d)ipconfig /registerdns
LVL 5

Author Comment

by:dcgames
ID: 6178443
Hello,

jhance:
>It's not all all clear to me HOW your DNS hierarchy (i.e.
>delegation) is supposed to be, much less how
>you have it configured in all this mess.

dcgames.com is virtual hosted somewhere else and has its own name servers. Its "server name" is reality.dcgames.com and has an alias (CNAME) for www.dcgames.com.

The dcgames.com has a HOST entry for hdzlan.dcgames.com meaning that hdzlan.dcgames.com is a HOST, not a domain.
In other words, hdzlan.dcgames.com is not seen by dcgames.com as a delegated sub-domain. It is just seen as a host.

From an internet perspective, hdzlan.dcgames.com should not normally be queried as a DNS. It exists primarily for the use as a DNS cache within my local network, but since I use my home network for "practice" (to learn more about networking, DNS, etc.) it is setup as a full blown DNS.

So, think of hdzlan.dcgames.com as its OWN area, independent of dcgames.com.

> Queries of your DNS servers are inconsistent, there
> don't seem to be any NS records to query, and there is
> disagreement between your SOAs on who is responsible
> for what domains and subs...  

I don't understand the above.

>Oh, and it's pretty clear that one or more of your DNS
>zone files have syntax errors in them.

The postings I showed are returned by NSLOOKUP and are not the records in an actual zone file. In fact, the entries are stored in Active Directory (in theory) and thus don't exist in a text file the way they would in a unix system.

>franka
>a)all DNS entries will get the DDNS request

Ah.. So by listing the internal DNS and the external one, I'm sending DDNS to the external one (which isn't even a Win2K DNS, and doesn't accept Dynamic DNS updates).

Does this mean the updates are working internally but failing to the "secondary" DNS?

I'll remove the alternate DNS completely and see what happens.

BTW: Isn't there some way of specifying to DNS that if it fails to find a local / cached answer for a DNS request, it should search a given list of DNS servers (is that the "forwarder"?)  How do I set this up?

> d)ipconfig /registerdns

Hmm.. According to IPCONFIG, the /registerdns keyword:
   "Refreshes all DHCP leases and re-registers DNS names"

Isn't this meant for a CLIENT machine?


 
LVL 7

Accepted Solution

by:
franka earned 200 total points
ID: 6178957
when your DC tries to register its SRV records, it IS a client for your DNS even if it is the same machine.
0
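franka's point is literal: Netlogon registers its records with a DNS dynamic UPDATE message (RFC 2136) sent to whichever servers the NIC's TCP/IP settings list, exactly as any client does, and "DNS server unable to interpret format" is the Win32 error (9001) that Windows logs when the reply carries RCODE 1, FORMERR. Added example (editor's Python, not code from the thread or from Microsoft): it builds the UPDATE for the _kerberos SRV record from the 5774 event and decodes a constructed FORMERR reply into that text. The message ID and the reply bytes are assumptions; the wire layout follows RFC 1035 and RFC 2136.

```python
"""Build the DNS dynamic UPDATE (RFC 2136) Netlogon sends for an SRV record and
decode a reply's RCODE into the text Windows logs in event 5774.

Added example, not code from the thread.  The record is the _kerberos SRV
record from the question; the message ID and the reply bytes are constructed.
"""
import struct

OPCODE_UPDATE = 5            # RFC 2136 opcode value
TYPE_SOA, TYPE_SRV = 6, 33
CLASS_IN = 1

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
# Win32 maps RCODE n to error 9000+n (winerror.h DNS_ERROR_RCODE_*); 9001 is
# the text quoted in the question's event log.
WIN32_TEXT = {
    1: "DNS server unable to interpret format.",
    2: "DNS server failure.",
    3: "DNS name does not exist.",
    4: "DNS request not supported by name server.",
    5: "DNS operation refused.",
}


def encode_name(name: str) -> bytes:
    """RFC 1035 wire encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_srv_update(zone, owner, ttl, priority, weight, port, target, msg_id=0x1234):
    """UPDATE with one zone entry and one 'add RR' in the update section.

    Sections per RFC 2136: header, zone (SOA/IN), prerequisites (none here),
    update (the SRV RR), additional (none).  There is no TSIG, so this is the
    unsigned form that only a zone allowing nonsecure updates will accept.
    """
    flags = OPCODE_UPDATE << 11                      # QR=0, opcode=5, rest 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)  # ZO PR UP AD counts
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
    update = (encode_name(owner)
              + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, ttl, len(rdata))
              + rdata)
    return header + zone_section + update


def decode_reply(reply: bytes):
    """Return (msg_id, opcode, rcode_name, win32_code, win32_text) from a reply header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!HH", reply[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a reply")
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    name = RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    win32_code = 9000 + rcode if rcode else 0
    text = WIN32_TEXT.get(rcode, "success" if rcode == 0 else f"DNS error {name}")
    return (msg_id, opcode, name, win32_code, text)


def formerr_reply(msg_id: int) -> bytes:
    """Constructed reply: QR=1, opcode echoed (UPDATE), RCODE=1, all sections empty."""
    flags = 0x8000 | (OPCODE_UPDATE << 11) | 1
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


if __name__ == "__main__":
    msg = build_srv_update(
        zone="hdzlan.dcgames.com",
        owner="_kerberos._tcp.Default-First-Site._sites.hdzlan.dcgames.com",
        ttl=600, priority=0, weight=100, port=88,
        target="dc-gateway89.hdzlan.dcgames.com")
    print(f"UPDATE message: {len(msg)} bytes, hex {msg.hex()}")
    print("reply decoded:", decode_reply(formerr_reply(0x1234)))
```

Decoding the constructed reply gives `(0x1234, 5, 'FORMERR', 9001, 'DNS server unable to interpret format.')`, which is the 5774 text verbatim. A server that does not implement UPDATE may answer NOTIMP, REFUSED or FORMERR depending on its implementation, and the DC reports whatever comes back from each server it was given, which is why removing the ISP's address from the NIC's DNS list makes the events stop. An AD-integrated zone set to "secure only" additionally requires the client to negotiate GSS-TSIG (RFC 3645) and sign the update; the unsigned message above would be refused there.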
 
LVL 5

Author Comment

by:dcgames
ID: 6179132
I'm going to remove the secondary DNS entries tonight and then I'll do an IPCONFIG /REGISTERDNS to see what happens.

Then I'll shut down and re-start the server and check the event log again.

I'll let you know tomorrow what I've found.

Dave
LVL 63

Expert Comment

by:SysExpert
ID: 6179144
just listening...

LVL 63

Expert Comment

by:SysExpert
ID: 6179149
Could you also post ipconfig /all from your server and a client on the LAN.
This may be the fastest way to get a handle on some of your settings.

I hope this helps !
LVL 14

Expert Comment

by:AvonWyss
ID: 6179355
BTW, if your local DNS server is configured properly (and thus also resolving external addresses via root hints or forwarders), you do not need the secondary DNS.
LVL 12

Expert Comment

by:Housenet
ID: 6179449
-dcgames first of all, I saw your web page & it is terrible. That seems to be the most pressing issue.. I suggest you get a hold of home-site, swish & applet button factory a.s.a.p.

a) Could it be that the that the dynamic DNS registration is being sent to a domain name server OTHER
than my own?
-If you open DNS admin & right click the properties of your forward lookup zone & go to the zone transfers tab... Is the "allow zone transfers" checked?....uncheck it.. Why?
because you are not running a Wan, you have 1 server & your ISP resolves to IP of the host.
-On the root server name properties in DNS admin, click on the interfaces tab.. Choose "listen on" only the following IP's.. enter only the inside IP of your LAN(192.168.0.1)..
-Use forwarders to resolve internet queries..
-Leave the reverse zone...
 
LVL 5

Author Comment

by:dcgames
ID: 6181745
Ok. Last night I went and removed the secondary DNS entry from both TCP/IP settings. I rebooted and I no longer get the errors, so it looks like the errors were because my system was sending dynamic registration requests to the ISP's DNS.

I also saw something weird. One event said that the DNS had completed a zone transfer to the DNS at 192.168.0.1.
Another said that the DNS had received a request for a zone transfer for dcgames.com but that was an unknown domain.

HOUSENET mentions:
>-If you open DNS admin & right click the properties of your forward lookup zone & go to the zone transfers
>tab... Is the "allow zone transfers" checked?....uncheck it.. Why?
>because you are not running a Wan, you have 1 server & your ISP resolves to IP of the host.

I assume this will take care of the zone transfer attempts..

>-On the root server name properties in DNS admin, click on the interfaces tab.. Choose "listen on" only
>the following IP's.. enter only the inside IP of your LAN (192.168.0.1)..

Hmm.. Yep this shouldn't cause a problem.

>-Use forwarders to resolve internet queries..

I think I should configure my DNS to attempt resolution through the ISP provided DNS servers. How do I configure this?

>-Leave the reverse zone...

You mean alone? As in "looks ok, leave it alone?"

The current setup I have is:

DSL NIC: IP=209.196.83.11   DNS=192.168.0.1
LAN NIC: IP=192.168.0.1     DNS=192.168.0.1

Some cleanup questions:

a) Should I have set the DNS entry to 209.196.83.11 (i.e. the public IP address) instead of 192.168.0.1? Does it make any difference?

b) What should the clients inside the LAN use for their DNS? 192.168.0.1? 209.196.83.11?

c) Should the client PCs have secondary DNS entries? Would it serve any purpose?

LVL 12

Expert Comment

by:Housenet
ID: 6181829
a) Should I have set the DNS entry to 209.196.83.11 (i.e. the public IP address) instead of 192.168.0.1?
Does it make any difference? Yes it does make a difference... DNS is how a 2000 resolves domain info... You have to somewhat separate this from the idea that DNS is for internet queries to find web sites & mail servers...
Why? Your internal LAN DNS zone is to resolve local private host info... You do not want this to be exposed on the internet... This means your primary forward lookup zone that is active directory enabled & accepting only secure dynamic updates must be bound to the inside IP of the server... Not the 206 IP...

b) What should the clients inside the LAN use for their DNS? 192.168.0.1? 209.196.83.11?  ... Answer = 192.168.0.1 ... This includes the server itself... The only place for other DNS server IP's is the forwarders tab in the DNS server properties..

c) Should the client PCs have secondary DNS entries? Would it serve any purpose? NO... The forwarders should include 2-3 known good internet DNS server IP's... Ideally your ISP's DNS server IP's at the top of the list..


LVL 5

Author Comment

by:dcgames
ID: 6181937
Thanks.

Franka: Your brief and to-the-point answer gets the points.

Housenet: Post a comment here and you'll get 100 points for your assistance with the cleanup issues:

http://www.experts-exchange.com/jsp/qManageQuestion.jsp?qid=20133238&jsessionid=49529992358270725

I'll be posting some related but independent easy issues soon.

Dave