Solved

Wrong Name Server in DNS

Posted on 2009-07-16
Last Modified: 2013-11-05
Is there any way that I can remove a name server entry from Active Directory?
Every time I remove it on the DNS site it gets added in again (I guess because this site is an Active Directory integrated domain). When I switch it and make it a primary DNS zone instead of Active Directory controlled, Server 2008 complains that this site has to be Active Directory to function properly.
I have 2 public NS records in there and the server (Active Directory) adds another private IP, which then gets revealed when I do an NS lookup...

So maybe there is a way to have this NS record removed from the AD so it no longer writes its private IP in there. Thanks for your help in advance.
0
Question by:Andreas-NYC
18 Comments
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869377
Hi

I hope you can do this: select the zone first, go to the Zone Transfers tab, select the option "Only to the following servers" and type the IP addresses of the servers you want.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24869530

Reconfiguring Zone Transfers won't help at all.

Public DNS Zones should not be AD Integrated, nor should they allow Dynamic Updates. You lose control of the NS and SOA records as you've found.

Is the zone for the AD domain as well?

Chris
0
 

Author Comment

by:Andreas-NYC
ID: 24870416
I think so. Bigapple is the domain and the server is svr. So the NS record that shows up is svr.bigapple.com
and it points to the internal IP of this server. And on an nslookup it shows that name server as well, and its internal IP. Somehow all I need is to find a way to remove this record from the AD.
0

 
LVL 71

Expert Comment

by:Chris Dent
ID: 24870495

If it's used for AD you really should move that onto a different DNS server. Mixing public and private zones is painful. The requirements AD places on the zone tend to conflict with the requirements for a public zone.

If it's not used for AD (doesn't have _msdcs and the like) then it can be fixed but I would still strongly recommend moving it to another DNS server.

To fix it...

1. Disable Dynamic Updates (if enabled)
2. Change the Zone Type, remove the tick from Store in Active Directory
3. Head to the zone file in %SystemRoot%\System32\DNS and fix the NS and SOA records then increment the Serial Number in the SOA
4. Reload the zone in the DNS Console

Chris
0
 

Author Comment

by:Andreas-NYC
ID: 24870570
I had the same problem on my 2003 server. All I did was turn off AD in the DNS of that domain. The server had no problem doing that. But now 2008 server cries when I do that. All I need is one record removed. I can't switch to another server, nor to another DNS server. The one I use is on the same svr.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24870598

If the zone is for your AD domain I can't blame it for becoming upset. That shouldn't stop it working though, or does it? You could just ignore its complaint.

Chris
0
 

Author Comment

by:Andreas-NYC
ID: 24870663
I'd rather find a way to change it where this record is coming from. If Active Directory adds this automatically, can I not use a tool to change it there and remove it? The server only answers outside requests. No internal NS needed. When I remove it, it gets added again after a few minutes. Turning AD off on there just because of one entry seems overkill. Is there nothing to change it at the root itself?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24870763

Fair enough, give this a shot then:

DNSCMD YourServer /Config /DisableNSRecordsAutocreation 1

That should stop it.

Chris
0
 

Author Comment

by:Andreas-NYC
ID: 24870798
I assume that's in powershell ?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24870810

Nope, DNSCMD is one of the support tools, just a regular DOS command as long as you have that installed. It sets an entry in the registry for you.

Chris
0
 

Author Comment

by:Andreas-NYC
ID: 24870866
It will leave the other NS entries intact?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24870884

Yep, it just turns off automatic creation. You may have to restart the DNS server service after changing it, I forget if it reads the setting immediately or not.

Chris
0
 

Author Comment

by:Andreas-NYC
ID: 24870943
Thanks Chris. Will try in a few minutes.
0
 

Author Comment

by:Andreas-NYC
ID: 24871743
Yep, this worked... thanks a bunch... just noticed that the same AD also adds a host (A) record Domain.com, also with an internal IP... not sure if that messes things up as well. If wanted, how could I remove that from autocreation as well?
0
 

Author Closing Comment

by:Andreas-NYC
ID: 31604226
The guy seems to know what he is doing. Thanks a bunch Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24873686

That one is (or should be) created by dynamic update. Does the zone allow that at the moment?

Chris
0
 

Author Comment

by:Andreas-NYC
ID: 24874193
Yes... should it be turned off? I guess I'll try...
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24874248

It should for any public zone in my opinion.

It's going to be difficult to stop that one registering otherwise, it's one of the records created by NetLogon for AD. The set hides in %SystemRoot%\System32\config\netlogon.dns.

Chris
0
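A way to check a zone file for the leak discussed in this thread (an internal address published through an NS target or through the domain's own A record), added here as an example and not code from any poster. The zone contents, the ns1 name and every address are constructed, and the parser assumes the simple master-file subset shown in the sample.

```python
import ipaddress
import re

# Constructed sample zone; ns1 and all addresses are made up, svr.bigapple.com is from the thread.
SAMPLE_ZONE = """\
@   IN SOA ns1.bigapple.com. hostmaster.bigapple.com. (
        2009071601 ; serial
        900 600 86400 3600 )
@       NS  ns1.bigapple.com.
@       NS  svr.bigapple.com.
@       A   192.168.1.10
ns1     A   203.0.113.10
svr     A   192.168.1.10
"""
INTERNAL_NETS = [ipaddress.ip_network(n) for n in   # RFC 1918 plus link-local
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_records(text, origin):
    """Yield (owner, type, rdata); owner and NS target as absolute lower-case names."""
    origin = origin.rstrip(".").lower() + "."
    def absolute(name):
        name = name.lower()
        return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
    text = re.sub(r";[^\n]*", "", text)                       # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # join (...)
    owner = origin
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("$"):
            continue
        if not line[0].isspace():                             # line starts with an owner name
            owner = absolute(fields.pop(0))
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                                     # optional TTL and class
        if len(fields) >= 2:
            rtype = fields[0].upper()
            yield owner, rtype, absolute(fields[1]) if rtype == "NS" else fields[1]

def find_internal_leaks(text, origin):
    """Return sorted (kind, name, address) findings for internal addresses in the zone."""
    records = list(parse_records(text, origin))
    internal = {}                                             # name -> internal A addresses
    for owner, rtype, rdata in records:
        if rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in INTERNAL_NETS):
            internal.setdefault(owner, []).append(rdata)
    findings = {("A", name, ip) for name, ips in internal.items() for ip in ips}
    findings |= {("NS", rdata, ip) for _, rtype, rdata in records if rtype == "NS"
                 for ip in internal.get(rdata, [])}
    return sorted(findings)
```

Running `find_internal_leaks(SAMPLE_ZONE, "bigapple.com")` reports both the NS target and the domain-level A record, which are the two automatically created records the thread deals with.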
