test dcdiag fails delegation: missing (glue) record for removed host

Posted on 2009-04-13
Medium Priority
Last Modified: 2012-05-06
In a small domain with a primary and a secondary DC, when I run dcdiag on each of the controllers, I get a delegation failure:

"Warning: DNS server: dc-01.domain.local. IP <Unavailable> Failure:Missing glue A record"

The problem is that this server "dc-01" no longer exists, and I can't find any reference to it in AD or DNS. dcdiag passes all other tests.

Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\EWS-DC-01
      Starting test: Connectivity
         ......................... EWS-DC-01 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\EWS-DC-01
DNS Tests are running and not hung. Please wait a few minutes...
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : ews
   Running enterprise tests on : ews.local
      Starting test: DNS
         Test results for domain controllers:
            DC: ews-dc-01.ews.local
            Domain: ews.local
               TEST: Delegations (Del)
                  Warning: DNS server: dc-01.ews.local. IP: <Unavailable> Failure:Missing glue A record
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext  
            Domain: ews.local
               ews-dc-01                    PASS PASS PASS FAIL PASS PASS n/a  
         ......................... ews.local failed test DNS


Question by:aolong62

Expert Comment

ID: 24135784
1. It looks like there is no host record for the domain controller in question. I would also run DNSLINT in addition to dcdiag tests. Sometimes the information is a bit clearer.

2. I assume that dc-01.ews.local is a DC which was not properly demoted/promoted. So I think you should try to remove the data associated with it in AD: http://support.microsoft.com/kb/216498

Author Comment

ID: 24139407
I ran dnslint and the report indicates no problems. There are two CNAME records, as there should be, one each for the two live DCs. No missing records.

I then ran ntdsutil (metadata cleanup) and found no dead servers in the domain, just the two live ones. Nothing to clean up. BTW - the dead server was properly demoted and removed with dcpromo before it was decommissioned.

Then checked all local domains in DNS for any references to dead name servers: I found and deleted one, and deleted some entries for the dead server under _msdcs and restarted DNS.

After this, dcdiag still fails the Delegation test, stating there is no glue record for dc-01.ews.local, the non-existent server. Is there some other means to find where this object is hiding so I can remove it?

Accepted Solution

aolong62 earned 0 total points
ID: 24139552
Found it! There was an _msdcs object under ews.local with a sole entry (dc-01.ews.local). Deleting this object fixed the issue. Human oversight again. Thank you for the tips.
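
Added example, not part of the original thread: one way to find where a stale delegation is hiding is to scan a text export of the zone for NS records whose in-zone target has no A/AAAA record, which is the condition dcdiag reports as "Missing glue A record". The zone text, the second DC's name and the IP addresses below are constructed sample data in simplified zone-file form, and the function names are hypothetical.

```python
# Added example: locate NS records whose in-zone target has no A/AAAA record.
# ZONE_TEXT is constructed sample data in simplified zone-file form, not real output.
ZONE = "ews.local."

ZONE_TEXT = """\
@            3600 IN NS    ews-dc-01.ews.local.
@            3600 IN NS    ews-dc-02.ews.local.
_msdcs       3600 IN NS    dc-01.ews.local.   ; stale delegation (constructed)
ews-dc-01    3600 IN A     192.0.2.10
ews-dc-02    3600 IN A     192.0.2.11
"""

def fqdn(name, zone=ZONE):
    """Expand a relative owner or target name to a lower-case absolute name."""
    name = name.lower()
    if name == "@":
        return zone
    return name if name.endswith(".") else f"{name}.{zone}"

def parse(text):
    """Yield (owner, rtype, rdata) for each record line; ';' starts a comment."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        # Drop the optional TTL and class so the record type is fields[1].
        fields = [f for i, f in enumerate(fields)
                  if i == 0 or not (f.isdigit() or f.upper() == "IN")]
        if len(fields) >= 3:
            yield fqdn(fields[0]), fields[1].upper(), fields[2]

def missing_glue(text, zone=ZONE):
    """Return sorted (owner, target) pairs for in-zone NS targets lacking an address."""
    records = list(parse(text))
    have_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    stale = set()
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = fqdn(rdata, zone)
        # Only in-zone targets need glue here; out-of-zone targets resolve elsewhere.
        in_zone = target == zone or target.endswith("." + zone)
        if in_zone and target not in have_addr:
            stale.add((owner, target))
    return sorted(stale)

if __name__ == "__main__":
    for owner, target in missing_glue(ZONE_TEXT):
        print(f"NS at {owner} -> {target}: no A/AAAA record in zone")
```

The owner name in each result is the node to inspect in the DNS console; in the constructed sample it is the _msdcs delegation, matching what the accepted solution describes.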
