DNS Server problem with Forward & Reverse zone

Posted on 2009-04-20
Last Modified: 2012-05-06
This happened to a server that has been working fine for a couple of years. Suddenly the network became sluggish (day 1) and then on day 2, we weren't able to find shared folders. After checking, I found that the forward & reverse lookup zones in my DNS server have disappeared. It is a Windows 2003 server, with DHCP, DNS and AD installed on the same box.

When re-creating the forward & reverse zones, I'm getting this error:

"The zone cannot be replicated to all DNS servers in the (null) Active Directory domain because the required application does not exist. Only Enterprise administrators have the appropriate permissions to create an application directory partition. To store this zone in a domain container until the partition is created, close this message, and then replicate to all domain controllers in the active directory domain option."

Which is documented on Microsoft website: http://support.microsoft.com/kb/938459
but it doesn't seem to be connected to my problem as I wasn't trying to create a new DNS/AD. Anyhow, I've tried it and was not successful.

Thank you for your help. I've been getting so many computer problems nowadays.... I may need a real network admin to do this...
Question by:SW111
11 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24184115
Is this your only domain controller/DNS server or do you have another?
If it's a standalone, it may be time to break out a system state backup. If it's not, then you could possibly demote/re-promote the server to refresh its copy of AD. I would say these are your simple options.
If you have another DNS server, can you see the zones on this?

Author Comment

by:SW111
ID: 24184141
On this network, this is the only DNS/DC. I do however have 2 other DNS/DC but they are on a separate vlan (using a hardware firewall) and are not supposed to interfere with one another. We did just install this hardware firewall but it's been working fine for 4-5 weeks. So I don't think that interference from the other DC/DNS is the cause.
LVL 7

Expert Comment

by:dphantom
ID: 24184208
Are all 3 of these DCs for the same domain or do you have 2 separate domains?  If they are 1 domain, were you sure all 3 were replicating properly after putting in the firewall?

If separate domains as seems to be implied by your "not supposed to interfere" statement, then I would look at a system state restore.  

Author Comment

by:SW111
ID: 24184251
Yes dphantom. 3 separate domains, with 3 totally different domain addresses. Well, 2 system restore recommendations out of 2 suggestions... it's giving me goosebumps.

Is there absolutely nothing else I can do to salvage the box? Will I lose all users and settings by performing a "system restore"?
LVL 7

Expert Comment

by:dphantom
ID: 24184286
Can you post event viewer data showing event id and source regarding this problem?  I too want to avoid a system restore and this info would help.

Are the other 2 DCs ok?
LVL 27

Expert Comment

by:bluntTony
ID: 24185986
Unfortunately, if your DC is the only one in its domain, i.e. there are no other servers holding a copy of AD or that DNS zone, if this has become corrupt your only option is to restore a sys state backup. This is why it's recommended to have at least two DCs per domain - for fault tolerance purposes. Even if the other domain DCs are in the same forest, they won't be holding full copies of this domain's data.
With a single DC domain, a system state restore is pretty straightforward. Is this
Before we go down that route though, let us know any event logs like dphantom has said and we'll take it from there...
Could you also attach the results of a DCDIAG test from the problem server? You may need to install the support tools from the OS CD.

Author Comment

by:SW111
ID: 24186357
Yes.... and unfortunately too I haven't prepared a raid/backup for this one.
I tried looking up system restore in Start>Accessories>System Tools> but there's no system restore there. How would I go about doing this?

Anyhow, here is the result of DCDIAG:

Testing server: Default-First-Site-Name\SERVERNAME
Starting test: connectivity
The host: (a lot of numbers & alphabets)._msdcs.DomainName could not be resolved to an IP Address.
Check DNS Server, DHCP, Server Name, etc. Although the Guid DNS Name (a lot of numbers & alphabets, same as above)._msdcs.DomainName could not be resolved, the server name <SERVERNAME.DOMAIN> resolved to the ip address 50.0.0.1 and was pingable. Check that the IP address is registered correctly with the DNS Server.
.....................................SERVERNAME failed test connectivity

Primary Test:
Testing server: Default-First-Site-Name\SERVERNAME
skipping all tests because server SERVERNAME is not responding to directory service requests.

Other tests: everything else is fine and passed the tests.

LVL 7

Accepted Solution

by:
dphantom earned 750 total points
ID: 24186451
Well, that is not good.  How about the event viewer?  Can you post some sample log entries showing DNS/AD errors?

Do you have a system state backup?  If not, I think you are going to have to demote and then promote the DC.  If you do have a system state backup, then reboot into directory services restore mode.
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 750 total points
ID: 24186453
A system state backup restore includes the system registry, active directory database (including DNS) and other elements. You would have had to perform a system state backup either using the built in backup utility or another product. Unfortunately if you haven't done this then you have no backup of AD or DNS to restore from.
First, try re-registering the server's DNS records. Ensure the server is looking to itself for DNS. Then, from the command line, run
ipconfig -flushdns
ipconfig -registerdns
net stop netlogon
net start netlogon
Then run DCDIAG again and see if this error is still appearing. Try rebooting the entire server, then check the event logs for errors on startup for failed service etc.
Can clients on this domain resolve DNS names? Try running an nslookup test from a client which is using the server for DNS (e.g. nslookup workstation1.domain.local). Is DNS actually functioning? It sounds like it's not completely lost as the DCDIAG was able to resolve a Host record.
Let us know how you get on...
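The re-registration and verification steps bluntTony describes above, gathered into one self-check script. This is an added example for readers of the thread, not code posted by bluntTony or dphantom. It assumes it is run as an administrator on the affected DC, that the DC is domain-joined (so the RootDSE query and the USERDNSDOMAIN variable work), and that PowerShell is installed on the Windows 2003 box; the function names are this example's own. It builds the GUID._msdcs name from the DCDIAG output in SW111's post, tests it against the DC's own DNS, runs the flush/register/netlogon sequence only if that record is missing, and then pulls the DNS/NTDS/Netlogon event log entries dphantom asked for.

```powershell
# Added example, not code from the thread: a DC DNS self-check wrapped around
# the commands in bluntTony's post (ipconfig /flushdns, /registerdns, netlogon
# restart, nslookup, dcdiag). Run as an administrator on the DC itself; assumes
# a domain-joined host so the RootDSE query works. Function names are ours.

function Get-ServerDnsSettings {
    # Which DNS servers each IP-enabled NIC points at (WMI is available on 2003)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
        Select-Object Description, IPAddress, DNSServerSearchOrder
}

function Test-ServerUsesItself {
    # bluntTony's first check: the DC should look to itself (or loopback) for DNS
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($cfg in $cfgs) {
        $own = @($cfg.IPAddress) + @("127.0.0.1")
        foreach ($dns in @($cfg.DNSServerSearchOrder)) {
            if ($own -contains $dns) { return $true }
        }
    }
    return $false
}

function Get-DsaGuidRecord {
    # Builds the name dcdiag complained about: <NTDS settings GUID>._msdcs.<forest root>
    $rootDse = [ADSI]"LDAP://RootDSE"
    $ntds    = [ADSI]"LDAP://$($rootDse.dsServiceName)"
    $guid    = New-Object System.Guid (,$ntds.psbase.Properties["objectGUID"].Value)
    $forest  = ("$($rootDse.rootDomainNamingContext)" -replace ',DC=', '.') -replace '^DC=', ''
    return "$guid._msdcs.$forest"
}

function Test-NameResolves([string]$Name, [string]$Server = "127.0.0.1") {
    # nslookup prints "Name:" on a hit and "can't find" on a miss; ask the DC directly
    $out = & nslookup.exe $Name $Server 2>&1 | Out-String
    return ($out -match 'Name:') -and ($out -notmatch "can't find")
}

function Invoke-DnsReregistration {
    # The sequence from the thread, unchanged; restarting netlogon rewrites the SRV/CNAME records
    & ipconfig.exe /flushdns    | Out-Null
    & ipconfig.exe /registerdns | Out-Null
    Restart-Service -Name Netlogon   # same effect as net stop / net start netlogon
}

function Get-RecentDirectoryErrors([int]$Hours = 24) {
    # The event viewer data dphantom asked for: DNS, NTDS and Netlogon errors/warnings
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in @("DNS Server", "Directory Service", "System")) {
        Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
            Where-Object { $_.Source -match 'DNS|NETLOGON|NTDS' } |
            Select-Object TimeGenerated, Source, EventID, Message
    }
}

# ---- main ----
$hostName = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"   # assumes a domain logon session
$guidName = Get-DsaGuidRecord

"== Server DNS settings =="
Get-ServerDnsSettings | Format-List | Out-String
"Server uses itself for DNS : $(Test-ServerUsesItself)"
"Host record resolves       : $hostName -> $(Test-NameResolves $hostName)"
"GUID record resolves       : $guidName -> $(Test-NameResolves $guidName)"

if (-not (Test-NameResolves $guidName)) {
    "GUID record missing; re-registering and re-testing..."
    Invoke-DnsReregistration
    Start-Sleep -Seconds 20          # netlogon needs a moment to re-register
    "GUID record resolves now   : $(Test-NameResolves $guidName)"
}

"== Recent DNS/AD errors and warnings (last 24h) =="
Get-RecentDirectoryErrors | Format-Table -AutoSize -Wrap | Out-String

"== dcdiag connectivity test =="
& dcdiag.exe /test:Connectivity
```

The host record test mirrors what DCDIAG already managed in SW111's output (the server name resolved while the GUID name did not), so a run in which the host record resolves but the GUID record still fails after re-registration points at the _msdcs data rather than at the DNS service as a whole, which is the distinction bluntTony's "is DNS actually functioning?" question is after.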

Author Comment

by:SW111
ID: 24186627
bluntTony & DPhantom,  I've seen these commands also, on the web. I've tried it but it doesn't work. I think, since I don't have a backup, and time is of the essence, I'm going with a re-install. Luckily my network is not too big. It's a lot of chores, but at least I learn something along the way.

Can someone please point me to a guide for "best practices" though? I know I'm supposed to backup, but my backup failed to restore a while ago, so I didn't bother backing up again. But having 2 DC in a network is news to me. What else do I need to do to keep a healthy network?

Thanks all for your help.
LVL 27

Expert Comment

by:bluntTony
ID: 24186809
Well, if you're sure :-)
The reason you want two DCs is because they will both hold a copy of the same database. That way if one fails, you've still got the other. Then you can just rebuild the failed server, promote it and it will pull a fresh copy back from the other server. This is the single best practice to keep your domain fault tolerant as it is, in effect, a constantly running backup. Unfortunately, it does mean running another server so it's also quite pricey to do so, especially if you're buying another server just for that purpose.
Alternatively, or in addition, you should be performing system state backups to protect yourself. Even with two DCs, you could accidentally knacker something yourself, e.g. delete a load of user accounts. These changes would replicate to the other server, and then both servers will have lost the accounts. You would need a backup to fall back on to restore the lost accounts.
AD is quite a big subject. MS Technet I find to be very helpful and concise. Have a look here as a starting point: http://technet.microsoft.com/en-us/library/cc759623.aspx
Tony
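The "system state backups with the built in backup utility" practice bluntTony recommends above, as an added example script that is not part of the thread. It wraps ntbackup (the built-in utility on Windows 2003) and falls back to wbadmin on Windows Server 2008 and later; the destination folder, job name, retention period and the scheduled-task command at the end are assumptions for this example. It also does the minimal check SW111's own experience calls for: confirm the backup file was actually written before trusting it, while remembering that only a rehearsed restore proves a backup.

```powershell
# Added example, not code from the thread: a scheduled system state backup
# with rotation, using the OS's own tool. ntbackup ships with Windows 2003;
# wbadmin replaces it from Windows Server 2008 on. $BackupRoot, the job name
# and $KeepDays are assumptions for this example. Run as an administrator.

param(
    [string]$BackupRoot = "D:\Backups\SystemState",   # assumed destination
    [int]$KeepDays = 14                               # assumed retention
)

function Get-BackupTool {
    # Pick whichever native system state backup tool this OS ships with
    if (Get-Command wbadmin.exe  -ErrorAction SilentlyContinue) { return "wbadmin" }
    if (Get-Command ntbackup.exe -ErrorAction SilentlyContinue) { return "ntbackup" }
    throw "No system state backup tool found on this host"
}

function Invoke-SystemStateBackup([string]$Root) {
    if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }
    $stamp = Get-Date -Format "yyyyMMdd-HHmm"
    switch (Get-BackupTool) {
        "ntbackup" {
            # /V:yes verifies the set after writing; /L:s keeps the log short.
            # ntbackup is a GUI app, so wait for it rather than returning at once.
            $file = Join-Path $Root "SystemState-$stamp.bkf"
            $args = @('backup', 'systemstate', '/J', "`"SystemState $stamp`"",
                      '/F', "`"$file`"", '/V:yes', '/L:s')
            Start-Process -FilePath ntbackup.exe -ArgumentList $args -Wait
            return $file
        }
        "wbadmin" {
            # wbadmin takes a volume root as the target and names the set itself
            $target = [System.IO.Path]::GetPathRoot($Root).TrimEnd('\')
            Start-Process -FilePath wbadmin.exe -Wait -NoNewWindow `
                -ArgumentList @('start', 'systemstatebackup', "-backupTarget:$target", '-quiet')
            return $target
        }
    }
}

function Test-BackupWritten([string]$Path) {
    # Minimal sanity check: the file exists and is not empty. A backup is only
    # proven good when a restore has been rehearsed, as SW111 found out.
    return (Test-Path $Path) -and ((Get-Item $Path).Length -gt 0)
}

function Remove-OldBackups([string]$Root, [int]$Days) {
    # Stop the disk filling up; only touches the .bkf files this script wrote
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Filter "SystemState-*.bkf" |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
}

# ---- main ----
$result = Invoke-SystemStateBackup -Root $BackupRoot
if ((Get-BackupTool) -eq "ntbackup") {
    if (-not (Test-BackupWritten $result)) {
        Write-Error "Backup $result was not written"
        exit 1
    }
    Remove-OldBackups -Root $BackupRoot -Days $KeepDays
}
"System state backup completed to $result"

# Schedule it nightly (run once, as an administrator); the script path is assumed:
# schtasks /create /tn "SystemStateBackup" /sc daily /st 22:00 /ru SYSTEM ^
#   /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup-SystemState.ps1"
```

With two DCs this script is the second half of bluntTony's advice: replication protects against a dead server, the system state set protects against a bad change that has already replicated, and the rotation keeps enough history to reach back before that change.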