• Status: Solved
DNS problems event ID 5774

I have a child domain that is getting event ID errors 5774 and 5719. Our DNS servers usually reach out to the parent domain name servers; however, our DNS servers are trying to access a public IP address. I don't have a public IP address anywhere in my TCP/IP settings. The public IP address appears to be one for our company. I ran DCDIAG and here is the error I received:

Testing server: DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.xxxxl.org could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.xxxxxl.org)
         couldn't be resolved, the server name
         (DC1.xxx.xxxxxl.org) resolved to the IP address
         (192.168.x.x) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... DC1 failed test Connectivity

We have checked the DNS servers in the parent domain that are authoritative for our domain and the public IP is nowhere to be found. Anyone have any ideas on how to resolve this?
0
2 Solutions
 
MSE-JNegusCommented:
I assume from your post that your DC is in a child domain called xxx.xxxxxl.org. It has 2 DNS records it needs to register. The first is its A record, which it will register with the DNS server that houses the zone for the xxx.xxxxxl.org child domain, and the second is the GUID DNS name, which is required for replication and is registered in the _msdcs sub-domain of your forest root domain (xxxxxl.org), i.e., _msdcs.xxxxxl.org.

You should verify that the DNS server that houses the child domain can resolve the DNS server that houses the forest root domain.  You might have to configure a forwarder or stub zone for this.
0
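As an added example (not part of MSE-JNegus's answer or anything else in this thread), the following PowerShell checks the two registrations he describes from the child-domain DC: the A record in the child zone and the `<DSA GUID>._msdcs.<forest root>` CNAME that DCDiag reported as unresolvable. It then lists where the local DNS server sends forest-root queries (conditional forwarder zones and global forwarders) and the DC's own resolver list, flagging any address outside RFC 1918 space, since a public master or resolver address is the symptom the thread is chasing. It assumes Windows Server 2012 or later with the DnsServer and DnsClient modules; domain names and the DSA GUID are read from RootDSE rather than hard-coded.

```powershell
# Added example, not code from the original thread. Assumes Windows Server 2012+
# with the DnsClient and DnsServer modules, run on the child-domain DC.

function Test-PrivateIPv4 {
    # RFC 1918 and loopback ranges; anything else is treated as public.
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function ConvertFrom-DomainDN {
    # DC=child,DC=corp,DC=example -> child.corp.example
    param([Parameter(Mandatory)][string]$DistinguishedName)
    return ($DistinguishedName -replace ',?DC=', '.').TrimStart('.')
}

# Names come from RootDSE so nothing is hard-coded.
$rootDse     = [ADSI]'LDAP://RootDSE'
$childDomain = ConvertFrom-DomainDN ([string]$rootDse.defaultNamingContext)
$forestRoot  = ConvertFrom-DomainDN ([string]$rootDse.rootDomainNamingContext)
$dcFqdn      = "$env:COMPUTERNAME.$childDomain"

# 1. A record: lives in the child zone and must resolve via the local DNS server.
$a = Resolve-DnsName -Name $dcFqdn -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
if ($a) { "A record   : $dcFqdn -> $($a.IPAddress -join ', ')" }
else    { "A record   : MISSING for $dcFqdn" }

# 2. GUID CNAME: <objectGUID of this DC's NTDS Settings>._msdcs.<forest root>.
#    dsServiceName on RootDSE is the DN of the local NTDS Settings object.
$ntds     = [ADSI]"LDAP://$([string]$rootDse.dsServiceName)"
$guidName = "$($ntds.Guid)._msdcs.$forestRoot"
$cname = Resolve-DnsName -Name $guidName -Type CNAME -Server 127.0.0.1 -ErrorAction SilentlyContinue
if ($cname) { "GUID CNAME : $guidName -> $($cname.NameHost)" }
else        { "GUID CNAME : MISSING or unresolvable: $guidName" }

# 3. Where does the local DNS server send forest-root queries? Conditional
#    forwarder zones have ZoneType 'Forwarder'; global forwarders are listed separately.
foreach ($z in (Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder')) {
    foreach ($m in $z.MasterServers) {
        $flag = if (Test-PrivateIPv4 $m.IPAddressToString) { 'internal' } else { 'PUBLIC - check this' }
        "Forwarder  : $($z.ZoneName) -> $($m.IPAddressToString) ($flag)"
    }
}
foreach ($f in (Get-DnsServerForwarder).IPAddress) {
    $flag = if (Test-PrivateIPv4 $f.IPAddressToString) { 'internal' } else { 'PUBLIC - check this' }
    "Global fwd : $($f.IPAddressToString) ($flag)"
}

# 4. Client-side resolver list on this DC (expected: itself plus an internal partner).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    ForEach-Object { "Resolver   : $($_.InterfaceAlias) -> $($_.ServerAddresses -join ', ')" }
```

If the A record resolves but the GUID CNAME does not, the problem is on the path to the forest-root `_msdcs` zone, which is exactly the split the first answer describes; the forwarder and resolver listing shows which server that path goes through.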
 
MSE-JNegusCommented:
I think what is happening is that your DNS server for the child domain is trying to locate the DNS server for the forest root domain and it is doing this using root hints and resolving a public address from the internet. Let me know if this is the case.
0
 
valiconAuthor Commented:
No, neither is the issue. This has worked for over 6 years.  We are not using root hints.
0
 
MSE-JNegusCommented:
If you ping the FQDN of your forest root DNS server from your child DNS server, do you get the internal address or the public one?
0
 
valiconAuthor Commented:
I get the internal IP
0
 
MSE-JNegusCommented:
How do your child DNS servers locate the parent DNS server? Forwarders or stub zones?
0
 
valiconAuthor Commented:
We use conditional forwarding. The external IP address is that of the parent domain's external DNS server. They say there was no change on their end, but I beg to differ.
0
 
MSE-JNegusCommented:
You could enable debug logging, under Properties, on your DNS server. Run DCDIAG again and check the dns.log file. This will tell you where your DNS server is getting the public IP address from.
0
 
valiconAuthor Commented:
Yes I plan on doing that in the morning. Hopefully we can see why this is happening.
0
 
MSE-JNegusCommented:
Please let me know what you find out.
0
 
Jay_Jay70Commented:
Hello mate :)

Have you flushed your DNS caching on each DNS server? This is probably a wise place to start initially, as if there is a cached record at the root, it's going to be affecting all your child domain requests as you have them pumping up to the root. I would start there, and then let's take a look at a clean diag...

Also restart your netlogon services on each DC to register all the correct records for each DC.

You don't run RRAS or anything strange like that at all? And this just started randomly happening?

James
0
 
valiconAuthor Commented:
Hi Jay Jay,

I just flushed the cache again and restarted netlogon but the same issue. When netlogon starts the server is getting netlogon 5774 errors such as this one:

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5774
Date:            6/20/2008
Time:            8:13:57 AM
User:            N/A
Computer:      XXX
Description:
The dynamic registration of the DNS record '_ldap._tcp.xxx._sites.ForestDnsZones.xxxxxx.org. 600 IN SRV 0 100 389 xxxx.xxxx.xxxxxx.org.' failed on the following DNS server:  

DNS server IP address: 24.xx.xxx.xx <----my dns servers are trying to register with our parent ext. dns server!
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about  DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows  Server Resource Kit CD.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00                     ..      



DCDiag is stating the following:

Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
 
   Testing server: xxx\xxxx
      Starting test: Connectivity
         The host 8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.xxxxxxx.org could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.xxxxxxxxx.org)
         couldn't be resolved, the server name
         (xxxx.xxx.xxxxxxxxxx.org) resolved to the IP address
         (192.168.x.x) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... xxxx failed test Connectivity

Doing primary tests
   
   Testing server: xxxx\xxxx
      Skipping all tests, because server xxxx is
      not responding to directory service requests


What should I try next?  Is the problem on my end or on the parent domain's end?
0
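As an added example (not part of the original post or the thread's own diagnosis), this PowerShell pulls Netlogon 5774 events of the kind shown above out of the System log, extracts the record, the DNS server the registration was sent to and the returned codes, and groups the failures by server so a public address such as the redacted 24.x one stands out immediately. It assumes Windows Server 2008 or later (Get-WinEvent); when the log holds no 5774 events it falls back to a constructed sample that mirrors the posted event, with 203.0.113.10 standing in for the redacted address, so the parser can be exercised anywhere.

```powershell
# Added example, not code from the original thread. Parses Netlogon event 5774
# messages and groups failed dynamic registrations by the DNS server that refused them.

# Windows DNS status codes (winerror.h) that appear in this event's "Returned Status Code".
$DnsStatus = @{
    9002 = 'DNS_ERROR_RCODE_SERVER_FAILURE'
    9003 = 'DNS_ERROR_RCODE_NAME_ERROR'
    9005 = 'DNS_ERROR_RCODE_REFUSED'
    9017 = 'DNS_ERROR_RCODE_BADKEY (DNS bad key)'
}

function ConvertFrom-Netlogon5774Message {
    # Pull the record being registered, the target server and the codes from the message text.
    param([Parameter(Mandatory)][string]$Message)
    $record = if ($Message -match "registration of the DNS record '([^']+)'") { $Matches[1] } else { $null }
    $server = if ($Message -match 'DNS server IP address:\s*([0-9a-fA-F:.]+)') { $Matches[1] } else { $null }
    $rcode  = if ($Message -match 'RCODE\):\s*(\d+)') { [int]$Matches[1] } else { $null }
    $status = if ($Message -match 'Returned Status Code:\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Record     = $record
        Server     = $server
        # RFC 1918 / loopback check; anything else is a public address a DC should never register with.
        IsPublic   = -not ($server -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)')
        Rcode      = $rcode
        Status     = $status
        StatusName = if ($status -and $DnsStatus.ContainsKey($status)) { $DnsStatus[$status] } else { 'unknown' }
    }
}

# Constructed sample mirroring the posted event; 203.0.113.10 stands in for the redacted 24.x address.
$sample = @"
The dynamic registration of the DNS record '_ldap._tcp.site1._sites.ForestDnsZones.corp.example. 600 IN SRV 0 100 389 dc1.child.corp.example.' failed on the following DNS server:

DNS server IP address: 203.0.113.10
Returned Response Code (RCODE): 5
Returned Status Code: 9017
"@

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774 } `
          -MaxEvents 200 -ErrorAction SilentlyContinue
$messages = if ($events) { $events.Message } else { @($sample) }

$messages | ForEach-Object { ConvertFrom-Netlogon5774Message $_ } |
    Group-Object Server | ForEach-Object {
        $first = $_.Group[0]
        $tag = if ($first.IsPublic) { 'PUBLIC address - registration should never go here' } else { 'internal' }
        "{0} ({1}): {2} failed registration(s), RCODE {3}, status {4} {5}" -f `
            $_.Name, $tag, $_.Count, $first.Rcode, $first.Status, $first.StatusName
        $_.Group.Record | Sort-Object -Unique | ForEach-Object { "    $_" }
    }
```

Once the offending server address is known, re-run `nltest /dsregdns` (as the event text itself suggests) and watch the DNS server's debug log or a packet capture on port 53 for traffic to that address: the registration attempts come from Netlogon on the DC, so if the DC's resolver list does not contain the address, something between the DC and the network (in this thread, a proxy client script) is redirecting the traffic.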
 
MSE-JNegusCommented:
Did you enable debug logging?  It will tell you exactly where your server is getting the external IP address from.
0
 
valiconAuthor Commented:
I did. It is not showing where it is coming from. For some reason my name resolution traffic is going out to the external DNS server.
0
 
MSE-JNegusCommented:
Can you run ipconfig on your DNS server and see if it is resolving against itself (127.0.0.1) or if it is pointing to the external server?
0
 
MSE-JNegusCommented:
Also verify that your secondary server is not pointing to the external server.
0
 
valiconAuthor Commented:
No need, none of our servers point to the external server, they point to themselves and one DNS in the parent domain...
0
 
MSE-JNegusCommented:
Can you remove the entry that points to the DNS server in the Parent domain to test if it is using that?
0
 
ChiefITCommented:
I don't know how you connect to the forest. Is it through VPN?

The following is only if you have managed switches:

You might want to look at this: (I have seen portfast cause errors like the ones you state. However, these errors are somewhat intermittent. They are sometimes hard to diagnose because often they don't leave event errors.)
http://support.microsoft.com/kb/247922

0
 
ChiefITCommented:
BTW: 5719 errors can be DHCP, DNS, Netlogon, or any form of AD services. For some reason, the NIC floods and only shuts down certain IP ports. So, the fact that your error is a DNS error and the article is about a Netlogon error is irrelevant. 5719 errors are usually because portfast is disabled.

Portfast skips the discovery-to-port handshake; this process takes 50 seconds. With it enabled it goes right to passing the data on. The fifty seconds is enough time to time out on that port and flood the switch port with data packets. This is why any port can be affected. It just happens on the port that taxes it at that particular time.

You might still be able to ping between the two servers. That uses ICMP port 123. So, traffic may be passed over that port.

All of the above reasons, make this a very tough troubleshoot.
0
 
valiconAuthor Commented:
It turned out to be that someone placed an ISA script that was pushing all traffic out the ISA server, even DNS traffic. Thanks for the help guys. Enjoy the points :))))  Cheers Jay_Jay!
0
 
Jay_Jay70Commented:
what a nice one that must have been to try and find!

Cheers mate!

James
0
 
ChiefITCommented:
You know a tornado is measured by the amount of damage it can cause. I measure IT things like this on the hair scale. That one was measured Class V on the hair pulling scale.
0
