How to solve event warning?

I have warning EventID 7062 in the event viewer, which is the following:

The DNS server encountered a packet addressed to itself on IP address 192.168.10.2. The packet is for the DNS name "usb.mtmyza.net.". The packet will be discarded. This condition usually indicates a configuration error.
 
Check the following areas for possible self-send configuration errors:
  1) Forwarders list. (DNS servers should not forward to themselves).
  2) Master lists of secondary zones.
  3) Notify lists of primary zones.
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server.
  5) Root hints.
 
Example of self-delegation:
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
  (bar.example.microsoft.com NS dns1.example.microsoft.com)
  -> BUT the bar.example.microsoft.com zone is NOT on this server.
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record.
 
You can use the DNS server debug logging facility to track down the cause of this problem.

============

How can I debug and solve this warning?
Asked by: aldahan
1 Solution
 
JohnGerhardtCommented:
Can you check what is configured as the DNS server in the IP address settings?
It should not be the IP address of your DNS server but 127.0.0.1 (loopback). This event can often suggest this problem.
0
 
aldahanAuthor Commented:
It was the IP of the server, and I have changed it now. But I still have the same event after the change.
0
 
JohnGerhardtCommented:
You might just want to restart the DNS Server service.
0
aldahanAuthor Commented:
Still the same, even after restarting the DNS Server service.
0
 
McKnifeCommented:
Do you run 2 DCs? In that case set the DNS server entries "crossed", so the primary DNS server for DC1 is DC2's IP and vice versa. That way we got rid of that event in our domain.
0
 
aldahanAuthor Commented:
Dear McKnife,
yes, I am running 2 DCs. I have now tested your solution, but I still have the same events.
0
 
McKnifeCommented:
Maybe it's also required to restart the DNS-Server service.
0
 
aldahanAuthor Commented:
Even after a restart I have the same.
0
 
aldahanAuthor Commented:
I have removed one DC and now have only one DC, and I still have the error. Also, the server is slow in responding for the Active Directory Users and Computers console.
0
 
Henrik JohanssonSystems engineerCommented:
Check the DNS zone mtmyza.net for a delegation of usb pointing at the server without there being a zone for usb.mtmyza.net, making a dead end.
Delete the delegation.
0
 
aldahanAuthor Commented:
How can I check and delete the delegation?
0
 
Henrik JohanssonSystems engineerCommented:
Expand the DNS zone and look for the subdomain with a grayed zone icon.
Delete the delegation by pressing the Delete key and answering yes to the confirmation question.
0
 
aldahanAuthor Commented:
I have deleted the subdomain in the DNS zone and restarted the DNS service, but I still have the following event:


The DNS server encountered a packet addressed to itself on IP address 192.168.10.2. The packet is for the DNS name "domain.aldahan.". The packet will be discarded. This condition usually indicates a configuration error.
 
Check the following areas for possible self-send configuration errors:
  1) Forwarders list. (DNS servers should not forward to themselves).
  2) Master lists of secondary zones.
  3) Notify lists of primary zones.
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server.
  5) Root hints.
 
Example of self-delegation:
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
  (bar.example.microsoft.com NS dns1.example.microsoft.com)
  -> BUT the bar.example.microsoft.com zone is NOT on this server.
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record.
 
You can use the DNS server debug logging facility to track down the cause of this problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
Henrik JohanssonSystems engineerCommented:
Can you post a screenshot of the "Forward Lookup Zones" expanded?
0
 
aldahanAuthor Commented:
attached
dns.JPG
0
 
Henrik JohanssonSystems engineerCommented:
Thanks, but the thought I had in my last post isn't applicable here.

As stated in the event log message, check the forwarders configuration.
Right-click on the server name and choose Properties -> Forwarders.
Ensure that the server isn't forwarding unresolved queries to itself.
Configure forwarders to send unresolved queries to the ISP's servers.
0
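The event text lists five self-send causes and the thread works through two of them by hand (the dangling delegation and the forwarder pointing at the server itself). As an added example that is not part of the thread, this PowerShell script checks all five on a Windows DNS server; it assumes the DnsServer and NetTCPIP modules (Windows Server 2012 or later, so not the 2008 box in the question) and is run locally on the DNS server.

```powershell
# Added example, not code from the thread: audit a Windows DNS server for the
# five self-send causes listed in event 7062. Assumes the DnsServer and NetTCPIP
# modules (Windows Server 2012 or later); run on the DNS server itself.
Import-Module DnsServer

function Get-DnsSelfSendFindings {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Addresses this host owns (loopback excluded) and its own FQDN form the "self" set.
    $ownIps  = (Get-NetIPAddress -AddressFamily IPv4 |
                Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
    $ownFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.TrimEnd('.').ToLower()

    # 1) Forwarders: the thread's actual root cause, forwarding unresolved queries to itself.
    foreach ($fwd in (Get-DnsServerForwarder).IPAddress) {
        if ($ownIps -contains $fwd.IPAddressToString) {
            $findings.Add("Forwarder $($fwd.IPAddressToString) is this server's own address")
        }
    }

    $zones  = Get-DnsServerZone | Where-Object { -not $_.IsReverseLookupZone }
    $hosted = $zones.ZoneName | ForEach-Object { $_.ToLower() }

    foreach ($zone in $zones) {
        # 2) Master lists of secondary/stub zones and conditional forwarders must not name this server.
        if ($zone.ZoneType -in 'Secondary', 'Stub', 'Forwarder') {
            foreach ($m in $zone.MasterServers) {
                if ($ownIps -contains $m.IPAddressToString) {
                    $findings.Add("Zone $($zone.ZoneName): master/forwarder $m is this server")
                }
            }
        }
        if ($zone.ZoneType -ne 'Primary') { continue }

        # 3) Notify lists of primary zones must not include this server.
        foreach ($n in $zone.NotifyServers) {
            if ($ownIps -contains $n.IPAddressToString) {
                $findings.Add("Zone $($zone.ZoneName): notify list contains this server")
            }
        }

        # 4) Delegations: an NS record below the apex that names this server for a
        #    subzone this server does not host (the "grayed icon" dead end in the thread).
        Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType NS |
            Where-Object { $_.HostName -ne '@' } |
            ForEach-Object {
                $target  = $_.RecordData.NameServer.TrimEnd('.').ToLower()
                $subzone = "$($_.HostName).$($zone.ZoneName)".ToLower()
                if ($target -eq $ownFqdn -and $hosted -notcontains $subzone) {
                    $findings.Add("Zone $($zone.ZoneName): $subzone delegated to this server but not hosted here")
                }
            }
    }

    # 5) Root hints resolving to this server.
    foreach ($hint in Get-DnsServerRootHint) {
        foreach ($a in $hint.IPAddress) {
            $ip = $a.RecordData.IPv4Address
            if ($ip -and $ownIps -contains $ip.IPAddressToString) {
                $findings.Add("Root hint $($hint.NameServer.RecordData.NameServer) resolves to this server")
            }
        }
    }
    return $findings
}

Get-DnsSelfSendFindings   # an empty list means none of the five 7062 causes is present
```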
 
aldahanAuthor Commented:
Yes, now the event is solved. But still, when I click Active Directory Users and Computers, it takes around 10 minutes to open the console.
0
 
Henrik JohanssonSystems engineerCommented:
What's the ipconfig /all for the DCs?
0
 
aldahanAuthor Commented:
attached
dns.JPG
0
 
Henrik JohanssonSystems engineerCommented:
Looking at the DNS screenshot makes me wonder if there's another DC named domain?

(same as parent) NS domain.aldahanco.com
(same as parent) NS win2008.aldahanco.com
(same as parent) A 192.168.10.8
(same as parent) A 192.168.10.2

Configure DNS-server to be running on both DCs and that each DC uses the other server as its secondary DNS.

The timestamp in the screenshot looks strange. How is aging/scavenging configured for the zone/server?
If domain is an old server that isn't available and aging is set to a high value, you'll get orphan SRV records that will not be scavenged.

Can you check if you have any errors in output from dcdiag or netdiag commands and post them?
0
 
aldahanAuthor Commented:
domain.aldahanco.com (192.168.10.8) is an old DC and it is removed from the network, so the domain has one DC, which is win2008. The timestamp is not a Gregorian calendar, that's why it seems to be very old, but the oldest stamp is from 10 months ago.
netdiag returns an error that it is not a recognized command.
dns.JPG
0
 
Henrik JohanssonSystems engineerCommented:
Get rid of the old orphan data.
AD relies on having current DNS data, and aging should be minimized to avoid orphan data.
Run netdiag /fix to see if it can re-register the necessary DNS records.
0
 
aldahanAuthor Commented:
I cannot run netdiag; it returns that it is not a recognized internal or external command. How can I get rid of the old orphan data? Also, how can I minimize the aging?
0
 
Henrik JohanssonSystems engineerCommented:
The orphan data in DNS needs to be deleted, either manually by going through the _msdcs, _tcp etc. structures and pressing Delete for each old SRV record, or by right-clicking on the server and choosing 'Scavenge Stale Resource Records'.
Aging is configured either on DNS zone properties -> Aging, or server -> right-click -> 'Set Aging/Scavenging for All Zones'.
Configure automatic scavenging through server properties -> Advanced.

I forgot that netdiag doesn't exist in 2008, sorry for the confusion. Use dcdiag /fix to see if it solves the error.
0
 
aldahanAuthor Commented:
I have set all the periods for scavenging to 7 days as default, and I have run dcdiag /fix. After I restarted the DNS service, when I click Active Directory Users and Computers it still takes around 10 minutes to open the console. I also found the following warning:

Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 domain.aldahanco.com
Failing DNS host name:
 e669a2f1-27fe-4c0d-b71b-2dbb2130e6f5._msdcs.aldahanco.com
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11001 No such host is known.
0
 
Henrik JohanssonSystems engineerCommented:
It tries to reach the DC 'domain' that doesn't exist. All references in _msdcs, _tcp, _udp, _sites to that old server need to be cleaned up.
As you have ForestDnsZones and DomainDnsZones, it sounds like you have AD-integrated zones. This gives better security, as you can configure security on the records and have secure-only dynamic registrations. You also get better replication when DNS data replicates with AD.
A negative effect of having AD-integrated DNS zones is that you can get a catch-22 scenario, when AD relies on DNS and DNS at the same time relies on AD, if you don't have a secondary DNS. Install a second DC to get redundancy for AD and also configure it as secondary DNS (cross-reference both DCs to use the other as secondary and itself as primary) to get redundancy for DNS.

Are all FSMO roles transferred to win2008, with no FSMO role pointing to the old server? Use ADUC and right-click on the domain name -> 'Operations Masters' to check the 3 domain FSMOs, and do the same thing in ADDT (right-click on the top node) for the 2 forest roles. If FSMOs are still on 'domain', you need to seize them over to win2008 by using ntdsutil.
0
 
aldahanAuthor Commented:
I had an old server, which is domain, and I transferred it to a new server, win2008. Then I transferred all the FSMO roles and removed the server domain from the network. So I think I have to clean up all references in _msdcs, _tcp, _udp, _sites to that old server. If so, how can I do it?
0
 
aldahanAuthor Commented:
I have deleted all the references except in _msdcs, where it cannot be deleted.
0
 
Henrik JohanssonSystems engineerCommented:
What record can't be deleted?
0
 
aldahanAuthor Commented:
name: same as parent folder
data: domain.aldahan.
0
 
aldahanAuthor Commented:
Also the following warning appears:

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

For more information, see Help and Support Center at
0
 
Henrik JohanssonSystems engineerCommented:
The error is caused by AD-integrated DNS zones when DNS relies on AD and AD relies on DNS.
http://technet.microsoft.com/en-us/library/cc735842.aspx
0
 
aldahanAuthor Commented:
Now I have 2 warnings in the Active Directory and 1 error. Also one warning in the DNS.

The AD error:

Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 domain
Failing DNS host name:
 e669a2f1-27fe-4c0d-b71b-2dbb2130e6f5._msdcs.aldahanco.com
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11001 No such host is known.



AD warning 1:

The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
 
Attempts:
125
Directory service:
CN=NTDS Settings,CN=DOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aldahanco,DC=com
Period of time (minutes):
7387
 
The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
 
Additional Data
Error value:
1256 The remote system is not available. For information about network troubleshooting, see Windows Help.


AD warning 2:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.


DNS warning:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

0
 
Henrik JohanssonSystems engineerCommented:
The demotion of 'domain' seems not to have been completely successful and needs to be cleaned up by doing a 'metadata cleanup'.

See the TechNet article for instructions:
http://technet.microsoft.com/en-us/library/cc816907.aspx
0
 
aldahanAuthor Commented:
It did not work, as in the attached screenshot.
dns.JPG
0
 
Henrik JohanssonSystems engineerCommented:
The reason for the error is that with "delete selected server ... on ...", you need to enter the DN (LDAP path) of the server that you want to delete.
Copied from the error in an earlier post, it should be
"CN=DOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aldahanco,DC=com"


If unsure about the DN, use the following in ntdsutil:
metadata cleanup
select operation targets
connections
connect to server win2008
quit
list sites
select site 0
list servers in site
select server <number of server to delete>
quit
remove selected server
0
 
aldahanAuthor Commented:
I think it did not work. Attached screenshot.
dns.JPG
0
 
Henrik JohanssonSystems engineerCommented:
Sorry, I missed the step that you need to select the domain in "select operation targets", so go back down into that submenu and execute the following commands:
list domains
select domain 0
0
 
aldahanAuthor Commented:
list domains cannot be run before the connection; it also did not work after the connection (error parsing input - invalid syntax).
0
 
Henrik JohanssonSystems engineerCommented:
It sounds like you're trying to use "list domains" in connections submenu (missed quit).

metadata cleanup
select operation targets
connections
connect to server win2008
quit
list sites
select site 0
list domains
select domain 0
list servers in site
select server <number of server to delete>
quit
remove selected server
0
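Before running the ntdsutil sequence above, and again afterwards to confirm it worked, it helps to have an inventory of what still references the removed DC. As an added example that is not part of the thread, this PowerShell function lists the leftover server object and any FSMO roles in the directory, plus the SRV, CNAME, NS and A records in the AD-integrated zones (including _msdcs) that still name the old DC; it assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later), and the DC name, IP and domain are the thread's values, passed as parameters.

```powershell
# Added example, not code from the thread: inventory what is left of a decommissioned
# DC so the metadata cleanup and DNS cleanup can be verified. Assumes the
# ActiveDirectory and DnsServer modules; the defaults are the names from the thread.
Import-Module ActiveDirectory, DnsServer

function Get-StaleDcReferences {
    param(
        [string]$OldDcName = 'domain',          # short name of the removed DC
        [string]$OldDcIp   = '192.168.10.8',    # its former address, from the thread's NS/A records
        [string]$Domain    = 'aldahanco.com',
        [string]$DnsServer = 'win2008'          # remaining DC that hosts the zones
    )
    $oldFqdn  = "$OldDcName.$Domain".ToLower()
    $findings = [System.Collections.Generic.List[string]]::new()

    # --- Directory side: the server object ntdsutil should remove, and the five FSMO roles ---
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $server = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" -SearchBase "CN=Sites,$configNC"
    if ($server) { $findings.Add("AD: server object still present: $($server.DistinguishedName)") }

    $dom = Get-ADDomain $Domain; $forest = Get-ADForest
    $roles = @{ PDCEmulator = $dom.PDCEmulator; RIDMaster = $dom.RIDMaster
                InfrastructureMaster = $dom.InfrastructureMaster
                SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -and $r.Value.ToLower() -eq $oldFqdn) {
            $findings.Add("AD: FSMO role $($r.Key) is still held by $($r.Value) and must be seized")
        }
    }

    # --- DNS side: every record in the domain zones (including _msdcs) that still names the old DC ---
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
             Where-Object { $_.ZoneName -like "*$Domain" -and -not $_.IsReverseLookupZone }
    foreach ($z in $zones) {
        foreach ($rec in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z.ZoneName) {
            $d = $rec.RecordData
            $stale = switch ($rec.RecordType) {
                'SRV'   { $d.DomainName.TrimEnd('.').ToLower() -eq $oldFqdn }    # _ldap._tcp, _kerberos, _gc ...
                'CNAME' { $d.HostNameAlias.TrimEnd('.').ToLower() -eq $oldFqdn } # <NTDS GUID>._msdcs alias
                'NS'    { $d.NameServer.TrimEnd('.').ToLower() -eq $oldFqdn }    # "(same as parent) NS domain..."
                'A'     { $rec.HostName -eq '@' -and $d.IPv4Address.IPAddressToString -eq $OldDcIp }
                default { $false }
            }
            if ($stale) {
                $findings.Add("DNS: zone $($z.ZoneName), record $($rec.HostName) $($rec.RecordType) still points at the old DC")
            }
        }
    }
    return $findings
}

# Report only. A listed DNS record can be removed by piping the record object to
# Remove-DnsServerResourceRecord -ZoneName <zone> -Force once the old DC is confirmed gone.
Get-StaleDcReferences
```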
 
aldahanAuthor Commented:
It works. I have restarted the server, and now there is only one warning in the Active Directory, which seems not related to the question, which is the following:

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
0
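The remaining warning (event 2886) describes a two-step hardening: first raise the "LDAP Interface Events" diagnostics level to 2 so every unsigned SASL or cleartext simple bind is logged with its client address (event 2889), then, once no clients are seen doing so, reject such binds. As an added example that is not part of the thread, this PowerShell script performs the first step and summarises the logged binds per client; it assumes Windows Server 2008 or later, the Directory Service event log, and that it is run as an administrator on the DC.

```powershell
# Added example, not code from the thread: enable per-bind logging of unsigned/cleartext
# LDAP binds (event 2889) as the 2886 warning recommends, and summarise them by client.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Enable-LdapInterfaceEventLogging {
    # Level 2 of the "16 LDAP Interface Events" category logs one 2889 event per offending bind.
    Set-ItemProperty -Path $DiagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBindSummary {
    param([int]$Hours = 24)
    # Event 2889 body carries "Client IP address:", "Identity the client attempted to
    # authenticate as:" and "Binding Type:" (0 = unsigned SASL bind, 1 = simple bind over cleartext).
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $m = $_.Message
        $bindCode = [regex]::Match($m, 'Binding Type:\s*(\d)').Groups[1].Value
        [pscustomobject]@{
            # strip the ":port" suffix so one client aggregates across connections (IPv4 form)
            Client   = [regex]::Match($m, 'Client IP address:\s*(\S+)').Groups[1].Value -replace ':\d+$', ''
            Identity = [regex]::Match($m, 'authenticate as:\s*([^\r\n]+)').Groups[1].Value.Trim()
            BindType = if ($bindCode -eq '1') { 'SimpleCleartext' } else { 'UnsignedSASL' }
        }
    } | Group-Object Client, BindType | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Client';     e = { $_.Group[0].Client } },
                      @{ n = 'BindType';   e = { $_.Group[0].BindType } },
                      @{ n = 'Identities'; e = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } }
}

Enable-LdapInterfaceEventLogging
Get-UnsignedLdapBindSummary -Hours 24 | Format-Table -AutoSize
# Once this table stays empty for an extended period, the warning's second step is to require
# signing by setting LDAPServerIntegrity = 2 under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
```

Each row is one client and bind type, with the identities it bound as, which is exactly the list of systems to fix before signing is enforced.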
 
aldahanAuthor Commented:
I recognize now that the Active Directory Users and Computers console is taking a long time to open, around 10 minutes.
0
 
aldahanAuthor Commented:
Thanks a lot for the help.
0
