
Windows 2003 Active Directory DNS issues with HP-UX BIND 4.7

Please HELP!!! We are incorporating Windows 2K3 with Active Directory and DNS in a legacy environment, with the intention of running all DNS under AD. We have a Win 2K3 Server Master DC and a Win 2K DC. The Win 2K3 server is running DNS and Active Directory; the Win 2K DC is running Active Directory only. We intend to make it a backup to the 2K3 master. When we installed the server, we realized that the UNIX boxes were running DNS, and we began receiving some strange errors. First of all, the _msdcs icon under the root domain is greyed out. Then, in the application log we saw the following:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 9/1/2004
Time: 4:42:30 PM
User: N/A
Computer: domain controller
Description:
The dynamic registration of the DNS record 'a434c548-1234-4846-a42d-03e4b6492a1a._msdcs.mexmil.com. 600 IN CNAME mexmil-fileserv.mexmil.com.' failed on the following DNS server:
DNS server IP address: x.x.x.x
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.
Data: 0000: 05 00 ..

DCDiag shows that replication attempts with the Win2K DC have failed because "DSA operation cannot proceed: DNS lookup failure", and <GUID>._msdcs.domain.com is not registered on one or more DNS servers. The System log test failed due to W32TM errors, but we have since corrected that. The other event was in the Application log, and it states that "The DNS server recv() function failed." The question is how to verify that my Active Directory DNS is working properly, and that my UNIX DNS servers are not getting in the way of my AD installation. We read that BIND 4.7 could cause problems because it doesn't support SRV records and dynamic updates. Has anyone experienced this issue, or could this be causing our DNS issues? We would like to do a DNS migration from the UNIX servers without shutting them down... if possible. PLEASE HELP!!!
Asked by: Mindfungus
1 Solution
 
infotrader Commented:
For starters, have you made sure that all of your workstations and servers (ESPECIALLY THE SERVERS) are pointing to the AD-integrated 2k3 DNS servers? If your servers happen to be using the Unix DNS server, you will have all kinds of problems.

- Info
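An added check, not part of this thread, that does offline what the poster was asking how to verify: it parses the Netlogon 5774 text quoted in the question into the refused record, the refusing server and the RCODE (5 is REFUSED), and audits per-host resolver lists for the misconfiguration infotrader points at, a non-AD server (legacy BIND, firewall) listed first. The addresses and host names are constructed; the event text is the one from the question.

```python
import re

# Constructed sample: the Netlogon 5774 description quoted in the question above,
# with the DNS server address kept as the placeholder the poster used.
EVENT_5774 = (
    "The dynamic registration of the DNS record "
    "'a434c548-1234-4846-a42d-03e4b6492a1a._msdcs.mexmil.com. 600 IN CNAME "
    "mexmil-fileserv.mexmil.com.' failed on the following DNS server:  "
    "DNS server IP address: x.x.x.x\n"
    "Returned Response Code (RCODE): 5\n"
    "Returned Status Code: 9017\n"
)

# DNS response codes (RFC 1035 / RFC 2136) seen in failed dynamic updates.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH", 10: "NOTZONE"}

def parse_event_5774(text):
    """Extract the record, the refusing server and the RCODE from a 5774 event."""
    rec = re.search(r"DNS record '([^']+)'", text).group(1)
    server = re.search(r"DNS server IP address:\s*(\S+)", text).group(1)
    rcode = int(re.search(r"\(RCODE\):\s*(\d+)", text).group(1))
    name, _ttl, _cls, rtype, target = rec.split()
    # The _msdcs subdomain is where the DC locator records must land.
    zone = name[name.index("_msdcs"):].rstrip(".") if "_msdcs" in name else None
    return {"name": name.rstrip("."), "type": rtype, "target": target.rstrip("."),
            "server": server, "rcode": rcode, "rcode_name": RCODES.get(rcode, "?"),
            "zone": zone}

def audit_resolver_order(clients, ad_dns):
    """Return (host, first_server) for hosts whose first DNS server is not AD DNS.
    Asking a legacy BIND box or a firewall first is the failure mode in this thread."""
    ad = set(ad_dns)
    return [(host, servers[0] if servers else None)
            for host, servers in clients.items()
            if not servers or servers[0] not in ad]

# Constructed resolver lists: 10.0.0.10 stands for DC1 (AD-integrated DNS),
# 10.0.0.53 for the BIND 4.7 box, 10.0.0.1 for the firewall listed as a DNS server.
CLIENTS = {
    "dc1": ["10.0.0.10"],
    "dc2": ["10.0.0.53", "10.0.0.10"],
    "ws-finance": ["10.0.0.1", "10.0.0.53"],
}

if __name__ == "__main__":
    ev = parse_event_5774(EVENT_5774)
    print(f"{ev['rcode_name']} from {ev['server']} for {ev['type']} {ev['name']} ({ev['zone']})")
    for host, first in audit_resolver_order(CLIENTS, ["10.0.0.10"]):
        print(f"{host}: first DNS server {first} is not the AD-integrated DNS")
```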
 
Mindfungus (Author) Commented:
We are in the process of changing all the workstations and servers to point to the Win2K3 DC running the DNS. I noticed that most machines pointed to the UNIX nameservers first, then the Win 2K3 server. I noticed that some were configured with the firewall listed as a DNS server!! Doesn't that present a security risk? I will reply when we have completed the reconfiguration and hopefully that fixes the problem.
 
infotrader Commented:
Yes, it could be. At least make sure you lock down the DNS replication for the zones, so that Active Directory DNS does not replicate with unwanted, non-authorized DNS servers.

Good luck!!

P.S. Yes..  If your primary DNS is pointing to the UNIX DNS servers it very well can cause all kind of AD problems.

- Info
 
Mindfungus (Author) Commented:
We are almost through demoting the last UNIX nameserver. The first nameserver was running BIND 4.7 and was giving us issues with promoting the 1st DC; the other 2 nameservers are running BIND 4.9 and have not generated specific errors, but it is best to take them offline. While bringing these down, I took the advice of a friend and added the following zones to the DNS in the interim, and I have some concerns about the way my DNS appears. I added _sites.mydomain.com, _tcp.mydomain.com and _udp.mydomain.com. Originally, the _msdcs container was greyed out; now _msdcs, _tcp, _sites, and _udp are grey, and their records moved to the new zone containers. The DNS now appears as follows:
DNS
  - DC1
      + Cached Lookups
      - Forward Lookup Zones
          - _msdcs.mydomain.com
              + dc
              + domains
              + gc
              + pdc
          + _sites.mydomain.com
            _tcp.mydomain.com
            _udp.mydomain.com
          - mydomain.com
              _msdcs (greyed out since the beginning)
              _sites (greyed out)
              _tcp (greyed out)
              _udp (greyed out)
              + DomainDNSZones
              + ForestDNSZones
      + Reverse Lookup Zones

After adding these entries, I am wondering what a healthy DNS looks like, because I would suspect that we have some issues caused by attempting to install a DNS server while other incompatible versions of BIND were running. I have also noticed that DC1 (DNS, Win2K3) can see itself, DC2, and my test laptop (XP). DC2 can see everything in mydomain.com. The XP laptop cannot see anything in the domain (just joined), and other newly added XP and 98 boxes have either all the items in mydomain.com or no access to mydomain.com. I will let you know when we have removed the last nameserver.
 
Mindfungus (Author) Commented:
Infotrader - thanks for the good advice, and that was most definitely the problem. As a result, I think I have a much better understanding of Active Directory and DNS, and a lot more respect for it.

P.S. Be aware that when you set up your other domain controllers as DNS servers using the wizard, you will still see the annoying "configure your DNS server" message anytime you highlight the server name. Don't delete your DNS entries on your secondary just to get rid of the message, thinking you can simply replicate from the Master domain controller and be rid of it. It is literally the same directory as your master... and you WILL lose your DNS. Backup, Backup, Backup!