Solved

Windows 2003 Active Directory DNS issues with HP-UX BIND 4.7

Posted on 2004-09-01
Last Modified: 2010-03-18
Please HELP!!! We are incorporating Windows 2K3 with Active Directory and DNS in a legacy environment, with the intention of running all DNS under AD.  We have a Win 2K3 Server Master DC, and a Win 2K DC.  The Win 2K3 server is running DNS and Active Directory, the Win 2K DC is running Active Directory only. We intend to make it a backup to the 2K3 master.  When we installed the server, we realized that the UNIX boxes were running DNS, and we began receiving some strange errors.  First of all, the _msdcs icon under the root domain is greyed out. Then, in the application log we saw the following:

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5774
Date:            9/1/2004
Time:            4:42:30 PM
User:            N/A
Computer:      domain controller
Description: The dynamic registration of the DNS record 'a434c548-1234-4846-a42d-03e4b6492a1a._msdcs.mexmil.com. 600 IN CNAME mexmil-fileserv.mexmil.com.' failed on the following DNS server:  DNS server IP address: x.x.x.x
Returned Response Code (RCODE): 5
Returned Status Code: 9017  
For computers and users to locate this domain
controller, this record must be registered in DNS.  
USER ACTION  
Determine what might have caused this failure, resolve
the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe.  To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft
Windows  Server Resource Kit CD.   Or, you can manually add this record to DNS, but it is not recommended.  ADDITIONAL DATA Error Value: DNS bad key. Data:0000: 05 00                     ..

DCDiag shows that replication attempts with the Win2K DC have failed because DSA operation cannot proceed: DNS lookup failure, and <GUID>._msdcs.domain.com is not registered on one or more DNS servers.   Systemlog failed due to W32TM errors, but we have since corrected that. The other event was in the Application log, and it states that "The DNS server recv() function failed." Question is how to verify that my Active Directory DNS is working properly, and that my UNIX DNS servers are not getting in the way of my AD installation. We read that BIND 4.7 could cause problems because it doesn't support SRV records and dynamic updates.  Has anyone experienced this issue, or could this be causing our DNS issues?  We would like to do a DNS migration from the UNIX servers, without shutting them down...if possible.  PLEASE HELP!!!
Question by:Mindfungus

5 Comments
LVL 11

Expert Comment

by:infotrader
ID: 11961193
For starters, have you made sure that all of your workstations and servers (ESPECIALLY THE SERVERS) are pointing to the AD-Integrated, 2k3 DNS servers?  If your servers happen to be using the Unix DNS server, you will have all kinds of problems.

- Info

Author Comment

by:Mindfungus
ID: 11965633
We are in the process of changing all the workstations and servers to point to the Win2K3 DC running the DNS.  I noticed that most machines pointed to the UNIX nameservers first, then the Win 2K3 server.  I noticed that some were configured with the firewall listed as a DNS server!!  Doesn't that present a security risk?  I will reply when we have completed the reconfiguration and hopefully that fixes the problem.
LVL 11

Accepted Solution

by:
infotrader earned 500 total points
ID: 11966432
Yes, it could be.  At least make sure you lock down the DNS replications for the zones, so that Active Directory DNS does not replicate with unwanted, non-authorized DNS servers.

Good luck!!

P.S. Yes..  If your primary DNS is pointing to the UNIX DNS servers it very well can cause all kinds of AD problems.

- Info
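An added example, not from this thread or any of its participants, covering Mindfungus's question of how to verify that AD DNS is working and infotrader's advice to point every server at the AD-integrated DNS. It is a PowerShell check that assumes a domain-joined Windows 8/2012 or later box with the DnsClient module; $Domain and $AdDnsServers are placeholders for your own environment.

```powershell
# Added example, not from the thread. Assumes Windows 8/2012 or later (DnsClient
# module) and that $Domain and $AdDnsServers are replaced with your own values.
$Domain       = 'mydomain.com'               # placeholder, mirrors the thread's naming
$AdDnsServers = @('10.0.0.10', '10.0.0.11')  # constructed: your AD-integrated DNS servers
$RcodeNames   = @{ 0='NoError'; 1='FormErr'; 2='ServFail'; 3='NXDomain'; 4='NotImp'; 5='Refused' }  # RFC 1035

# 1. Which DNS servers is this machine's resolver really using? Anything outside the
#    AD list (a UNIX BIND box, a firewall) is what infotrader warned about.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
foreach ($srv in $configured) {
    if ($AdDnsServers -notcontains $srv) {
        Write-Warning "Resolver entry $srv is not an AD-integrated DNS server"
    }
}

# 2. Can each configured server answer the DC locator SRV query? A BIND 4 server
#    that does not know SRV records shows up here as an error or an empty answer.
$locator = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($srv in $configured) {
    try {
        $srvRecs = Resolve-DnsName -Name $locator -Type SRV -Server $srv -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        if ($srvRecs) {
            "${srv}: SRV for $locator -> " + (($srvRecs | ForEach-Object { $_.NameTarget }) -join ', ')
        } else {
            Write-Warning "${srv}: no SRV records returned for $locator"
        }
    } catch {
        Write-Warning "${srv}: SRV lookup for $locator failed: $($_.Exception.Message)"
    }
}

# 3. Recent NETLOGON 5774 events name the server that refused the dynamic
#    registration and the RCODE it returned (5 = Refused, as in the question).
$filter = @{ LogName = @('System', 'Application'); ProviderName = 'NETLOGON'; Id = 5774 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match "(?s)record '(?<rec>[^']+)'.*?IP address:\s*(?<ip>\S+).*?\(RCODE\):\s*(?<rcode>\d+)") {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Record = $Matches.rec
                Server = $Matches.ip
                RCode  = "$($Matches.rcode) ($($RcodeNames[[int]$Matches.rcode]))"
            }
        }
    } | Format-Table -AutoSize
```

Run it on each domain controller: step 1 should list only AD DNS servers, step 2 should return the DC SRV targets from every one of them, and step 3 should be empty once the UNIX nameservers are out of the resolver lists.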

Author Comment

by:Mindfungus
ID: 12012454
We are almost through demoting the last UNIX nameserver.  The first nameserver was running BIND 4.7, and was giving us issues with promoting the 1st DC, and the other 2 nameservers are running BIND 4.9, but have not generated specific errors, but best to take them offline.  While bringing these down, I took the advice of a friend, and added the following zones to the DNS in the interim, and I have some concerns about the way my DNS appears.  I added _sites.mydomain.com, _tcp.mydomain.com, _udp.mydomain.com.  Originally, the _msdcs container was greyed out, now _msdcs, _tcp, _sites, and _udp are grey, and their records moved to the new zone containers.  The DNS now appears as follows:
DNS
  - DC1
      + Cached Lookups
      - Forward Lookup Zones
          - _msdcs.mydomain.com
              + dc
              + domains
              + gc
              + pdc
          + _sites.mydomain.com
            _tcp.mydomain.com
            _udp.mydomain.com
          - mydomain.com
              _msdcs (greyed out since the beginning)
              _sites (greyed out)
              _tcp (greyed out)
              _udp (greyed out)
              + DomainDNSZones
              + ForestDNSZones
      + Reverse Lookup Zones

After adding these entries, I am wondering what a healthy DNS looks like, because I would suspect that we have some issues caused by attempting to install a DNS server while other incompatible versions of BIND were running.  I have also noticed that DC1 (DNS, Win2K3) can see itself, DC2, and my test laptop (XP).  DC2 can see everything in mydomain.com.  The XP laptop cannot see anything in the domain (just joined), and other newly added XP and 98 boxes have either all the items in mydomain.com or no access to mydomain.com.  I will let you know when we have removed the last nameserver.

Author Comment

by:Mindfungus
ID: 12176636
Infotrader - thanks for the good advice, and that was most definitely the problem.  As a result, I think I have a much better understanding of Active Directory and DNS, and a lot more respect for it.

P.S.  Make sure that when you set up your other domain controllers as DNS servers, and you use the wizard, you will still see the annoying "configure your DNS server" message anytime you highlight the server name.  Don't delete your DNS entries on your secondary just to get rid of the message thinking you can just replicate with the Master domain controller and get rid of that message.  It is literally the same directory as your master...and you WILL lose your DNS.  backup, Backup, Backup!