
How to test for a healthy DNS?

I have a domain with 1 DC called "Servant" which runs Windows 2000 Advanced Server SP4

I would like to add a second DC running Windows 2003 Standard Edition which I want to promote as a DC and eventually take over all roles from SERVANT.

When I have tried to do this before there were replication issues caused by Access Denied errors on SERVANT. The two DCs in the domain couldn't replicate properly and the new server couldn't be demoted gracefully.  After a forced demotion via dcpromo I cleaned up the metadata with ntdsutils and ADSIEdit.

I suspect that the root of the problem was that my DNS or system permissions on SERVANT weren't very healthy to start off with. How can I check / ensure that everything is healthy on SERVANT so that I can avoid the problems I encountered? I also have the option to build a new domain and join all 10 client PCs to the new server, but the transition will be much more disruptive.

Thanks for any help.

Toni Uranjek, Consultant/Trainer

Commented:
Hi!

A correctly configured DNS server should contain the appropriate A and SRV resource records. The host (A) record is registered in a DNS server that supports dynamic DNS with the following command: "ipconfig /registerdns".
Service locator (SRV) records are registered by the Netlogon service on restart. Go to Administrative Tools, Services and restart the Netlogon service.

The following article explains how to check if all SRV records were registered:

"How to verify that SRV DNS records have been created for a domain controller"
http://support.microsoft.com/kb/816587

In short: every record in netlogon.dns file should be in your _msdcs.domain.com zone.

HTH

Toni
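As an added check for the netlogon.dns comparison described above (example code, not from the thread, Microsoft, or any tool named here), this script parses the A, SRV and CNAME lines of a netlogon.dns file, normalises the names, and reports every record that a lookup function cannot find. The sample file and the zone snapshot are constructed to mirror this domain, with a placeholder GUID, and the lookup can be swapped for a live resolver.

```python
"""Verify that every record in a DC's netlogon.dns is present in DNS.
Added example, not code from the thread; the file contents and the zone
snapshot are constructed to mirror it (the GUID is a placeholder)."""
import re

SAMPLE_NETLOGON_DNS = """\
omf-publishers.local. 600 IN A 192.168.0.2
00000000-0000-0000-0000-000000000001._msdcs.omf-publishers.local. 600 IN CNAME Servant.OMF-Publishers.local.
_ldap._tcp.OMF-Publishers.local. 600 IN SRV 0 100 389 Servant.OMF-Publishers.local.
_ldap._tcp.dc._msdcs.OMF-Publishers.local. 600 IN SRV 0 100 389 Servant.OMF-Publishers.local.
_ldap._tcp.pdc._msdcs.OMF-Publishers.local. 600 IN SRV 0 100 389 Servant.OMF-Publishers.local.
"""
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|SRV|CNAME)\s+(.+)$")

def norm(name):
    return name.rstrip(".").lower()   # DNS names are case-insensitive; drop trailing dot

def parse_netlogon_dns(text):
    """Return [(owner, type, rdata)] with names normalised for comparison."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised netlogon.dns line: " + line)
        owner, _ttl, rtype, rdata = m.groups()
        f = rdata.split()
        if rtype == "SRV":          # priority weight port target
            rdata = (int(f[0]), int(f[1]), int(f[2]), norm(f[3]))
        else:                       # CNAME target or A address as written
            rdata = norm(f[0]) if rtype == "CNAME" else f[0]
        records.append((norm(owner), rtype, rdata))
    return records

def find_missing(records, lookup):
    """Records whose rdata is absent from lookup(owner, type) -> set of rdata."""
    return [r for r in records if r[2] not in lookup(r[0], r[1])]

# Constructed zone snapshot standing in for the DNS console; the pdc SRV is left out on purpose.
SAMPLE_ZONE = {
    ("omf-publishers.local", "A"): {"192.168.0.2"},
    ("00000000-0000-0000-0000-000000000001._msdcs.omf-publishers.local", "CNAME"): {"servant.omf-publishers.local"},
    ("_ldap._tcp.omf-publishers.local", "SRV"): {(0, 100, 389, "servant.omf-publishers.local")},
    ("_ldap._tcp.dc._msdcs.omf-publishers.local", "SRV"): {(0, 100, 389, "servant.omf-publishers.local")},
}

def check_sample():
    return find_missing(parse_netlogon_dns(SAMPLE_NETLOGON_DNS),
                        lambda owner, rtype: SAMPLE_ZONE.get((owner, rtype), set()))
```

For a live check, replace the lambda with a function that queries the DC (dnspython's dns.resolver.resolve works) and returns rdata in the same normalised form.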

Author

Commented:
HA! Good info, Toni. All the records listed in netlogon.dns show in the DNS console, but I still don't feel 100% at ease yet.

Can you (or anyone else) please cast your expert eye on this snapshot of my DNS tree:

http://www.kanokbannasan.org/relocation/dns-tree.png

Apart from the A records showing in the forward lookup zone's domain name root (one dynamically registered client looking odd), we have the service records as indicated in pink. There is also one CNAME record in the _msdcs root that is not showing.

Does this look normal / healthy?

Thanks,
Jannie
Toni Uranjek, Consultant/Trainer

Commented:
Which roles does prod-ws01 hold? Is it a DNS server? Then the (same as parent) folder entries are correct. One identifies the DNS domain, another (SOA) identifies prod-ws01 as Start Of Authority DNS for your domain.

Author

Commented:
prod-ws01 is a PC client and has been offline for more than a week. Up to now I had DHCP update DNS records (which I just discovered isn't the best practice and have just disabled). It looks like my DHCP has assigned this lease to servant during a remote logon. See:

http://www.kanokbannasan.org/relocation/dhcp_tree.png

Author

Commented:
When I originally cleaned up the DNS after I forced the second DC demotion, I deleted these two zones from the DNS, because they were referring exclusively to the demoted server:

ForestDNSZones.omf-publishers.local
DomainDNSZones.omf-publishers.local

Would this be a concern?
Toni Uranjek, Consultant/Trainer

Commented:
You've deleted application partitions; this is not critical at the moment.

Delete the host record for prod-ws01, go to every domain controller, open a command prompt and run these commands, and then post a picture of your DNS console.
ipconfig /registerdns
net stop netlogon
net start netlogon


Author

Commented:
Hi Toni, sorry for my slow answer. I am supervising a building project and trying to set up a new server at the same time.

Snapshot of my DNS console after doing the above:
http://www.kanokbannasan.org/relocation/dns_tree_01-02-2008.png

I ran netdiag on the DC (we only have one, the new one is offline and not promoted yet) and it seems to think that the machine has two NICs. The 'virtual' one is assigned an IP address in the dynamic range and the real NIC is statically set to 192.168.0.2.

---------------------------
    Computer Name: SERVANT
    DNS Host Name: Servant.OMF-Publishers.local
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 6 Model 10 Stepping 0, AuthenticAMD
    List of installed hotfixes :
        KB329115
 ...
        Q828026
        Update Rollup 1


Netcard queries test . . . . . . . : Passed
    [WARNING] The net card 'RAS Async Adapter' may not be working because it has not received any packets.



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Servant
        IP Address . . . . . . . . : 192.168.0.2
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.0.1
        Primary WINS Server. . . . : 192.168.0.2
        Dns Servers. . . . . . . . : 192.168.0.2


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed

        WINS service test. . . . . : Passed

    Adapter : {6EB2B373-D79A-4C09-8FEF-BB3167675382}

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Servant
        IP Address . . . . . . . . : 192.168.0.67
        Subnet Mask. . . . . . . . : 255.255.255.255
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 127.0.0.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{0FC2A3AD-46A6-4680-BE46-CE6DED09DDAB}
        NetBT_Tcpip_{6EB2B373-D79A-4C09-8FEF-BB3167675382}
    2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.2' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{0FC2A3AD-46A6-4680-BE46-CE6DED09DDAB}
        NetBT_Tcpip_{6EB2B373-D79A-4C09-8FEF-BB3167675382}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{0FC2A3AD-46A6-4680-BE46-CE6DED09DDAB}
        NetBT_Tcpip_{6EB2B373-D79A-4C09-8FEF-BB3167675382}
    The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully

Author

Commented:
ipconfig /all dump:

-------------------------------------------------------------------------------------------

Windows 2000 IP Configuration



      Host Name . . . . . . . . . . . . : Servant
      Primary DNS Suffix  . . . . . . . : OMF-Publishers.local
      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : Yes

      WINS Proxy Enabled. . . . . . . . : No

      DNS Suffix Search List. . . . . . : OMF-Publishers.local

Ethernet adapter Local Area Connection:



      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
      Physical Address. . . . . . . . . : 00-11-2F-D6-7A-AC

      DHCP Enabled. . . . . . . . . . . : No

      IP Address. . . . . . . . . . . . : 192.168.0.2

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Default Gateway . . . . . . . . . : 192.168.0.1

      DNS Servers . . . . . . . . . . . : 192.168.0.2
      Primary WINS Server . . . . . . . : 192.168.0.2


PPP adapter RAS Server (Dial In) Interface:



      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

      Physical Address. . . . . . . . . : 00-53-45-00-00-00

      DHCP Enabled. . . . . . . . . . . : No

      IP Address. . . . . . . . . . . . : 192.168.0.67

      Subnet Mask . . . . . . . . . . . : 255.255.255.255

      Default Gateway . . . . . . . . . :

      DNS Servers . . . . . . . . . . . : 127.0.0.1
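As an added example (not code from the thread), the following script parses an ipconfig /all dump like the one above and flags a DC whose host name is, by default, registered in DNS from more than one interface; the sample dump is constructed from the figures posted above.

```python
"""Flag a DC whose ipconfig /all shows more than one interface carrying an
IP address, since by default each one registers a host (A) record for the
DC. Added example, not from the thread; the dump is constructed above."""
import re

SAMPLE_IPCONFIG = """\
      Host Name . . . . . . . . . . . . : Servant
      Primary DNS Suffix  . . . . . . . : OMF-Publishers.local
Ethernet adapter Local Area Connection:
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.0.2
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.1
      DNS Servers . . . . . . . . . . . : 192.168.0.2
PPP adapter RAS Server (Dial In) Interface:
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.0.67
      Subnet Mask . . . . . . . . . . . : 255.255.255.255
      Default Gateway . . . . . . . . . :
      DNS Servers . . . . . . . . . . . : 127.0.0.1
"""
ADAPTER_RE = re.compile(r"^(\S+) adapter (.+):$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {field: value, "kind": "Ethernet"|"PPP"|...}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(2), {"kind": m.group(1)})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:      # fields before the first adapter are global
            current[m.group(1).strip()] = m.group(2).strip()
    return adapters

def addressed_interfaces(adapters):
    """[(name, kind, ip)] for every adapter that actually holds an IP address."""
    return [(n, a["kind"], a["IP Address"]) for n, a in adapters.items() if a.get("IP Address")]

def multihoming_finding(text):
    """Describe the multihoming if the DC has more than one addressed interface, else None."""
    ifaces = addressed_interfaces(parse_ipconfig(text))
    if len(ifaces) <= 1:
        return None
    detail = "; ".join("%s (%s) %s" % (n, k, ip) for n, k, ip in ifaces)
    return "DC registers %d addresses for its host name: %s" % (len(ifaces), detail)
```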
Toni Uranjek, Consultant/Trainer

Commented:
You have RRAS or modem installed on your DC? And if the answer is yes, question is: why? ;)

Author

Commented:
Hmmm, we have both. The DC doubles as a fax server (thus the modem) and the RRAS is for a VPN connection from home if I need to look up something on the server. We are a small team and the DC is the only machine that is always on.

Author

Commented:
I found a MS KB article called "Name resolution and connectivity issues on a Routing and Remote Access Server that also runs DNS or WINS" at http://support.microsoft.com/kb/292822 that seems to fix this specific problem.

Toni, if you can't see anything else that looks strange, can you please post something that says so, so that I can give you the points and close the question.

Also, if you have a suggestion how we can avoid having RRAS and a modem on the server, that would be very helpful.
Consultant/Trainer
Commented:
Hi!

Sorry for the delay. Multihomed DCs are in general a bad idea, but the following article should help you configure your server so that it won't register the modem's IP in DNS.

"The Host's "A" Record Is Registered in DNS After You Choose Not to Register the Connection's Address"
http://support.microsoft.com/kb/275554

HTH

Toni

Author

Commented:
Thanks for your help, Toni!
