SBS 2003 DNS issues

Running SBS 2003

I'm seeing the following in my Event log for DNS:

The zone 1.168.192.in-addr.arpa is configured to accept updates but the A record for the primary server in the zone's SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause DNS clients to be unable to perform DNS updates.

Domain workstations can no longer connect to the Exchange server. I know I've got a DNS issue, I just can't figure out how to troubleshoot it.
I'm having some DNS problems - netdiag results attached.

Netdiag results attached - I'm standing by to supply anything else that may be useful.
Lisaa_G asked:
 
Henrik Johansson (Systems engineer) commented:
I understand http:#26156584 to mean that _msdcs.mydomain.com is its own DNS zone? That is not necessary if you have mydomain.com as a DNS zone on the same DNS server.
Check that mydomain.com allows (secure only) dynamic updates, delete the delegation of _msdcs inside the mydomain.com zone and delete the additional DNS zone _msdcs.mydomain.com. netdiag /fix will re-create the _msdcs structure inside mydomain.com if the DNS zone allows dynamic updates.
 
Lisaa_G (Author) commented:
Also seeing this error message in system log

The dynamic registration of the DNS record '_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 myserver.mydomaincom.' failed on the following DNS server:  

DNS server IP address: 206.191.0.140  
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about  DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows  Server Resource Kit CD.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
Lisaa_G (Author) commented:
Results of DCdiag also attached - I definitely have problems!
dcdiag-results.txt
 
Henrik Johansson (Systems engineer) commented:
In the output of dcdiag, it looks like the DNS configuration is OK as the SRV record in _msdcs is resolving, but verify with ipconfig /all that you're only using internal DNS servers (no ISP or router addresses for direct DNS resolving).

>>   Testing server: Default-First-Site-Name\myserver
>>      Skipping all tests, because server myserver is
>>      not responding to directory service requests


In the output of dcdiag, it looks like the netlogon service isn't running.

Is the firewall enabled? If so, disable it to see if it's the reason. The firewall can be enabled, but you need to configure some port exceptions to get it to work as described in http://support.microsoft.com/kb/555381.
 
Henrik Johansson (Systems engineer) commented:
Sorry, I misread that; DNS was resolving:

>>         Although the Guid DNS name
>>         (1393c5ad-2940-4d7f-aeb3-ac22acf7982d._msdcs.mydomain.com)
>>         couldn't be resolved, the server name (myserver.mydomain.com)
>>         resolved to the IP address (192.168.1.10) and was pingable.

Check in the DNS MMC whether _msdcs is a subdomain under the mydomain.com zone or a delegation (different folder icon compared to the other subdomains inside the zone) that has its own zone. If it is a delegation with an additional zone on the same DNS server, delete both the delegation and the additional zone and let it be re-populated inside the normal DNS zone by either running netdiag /fix or restarting the netlogon service.
Check that the DNS zone allows dynamic updates to let the records be registered.
 
Lisaa_G (Author) commented:
OK - bear with me....  I'm not sure exactly what I'm looking at

From DNS MMC I see my server name with the following subfolders - Cached Lookups, Forward Lookup zones,  Reverse Lookup zones and Event viewer.

I'm assuming you want me to expand / look at Forward lookup zones?
 
Lisaa_G (Author) commented:
I have no sub-domains but I did seem to be missing A records  - I've added them (correctly I hope) but I'm still not getting good results on netdiag
 
Lisaa_G (Author) commented:
Results from netdiag /fix attached - obviously if the A records were my issue I have not added them in correctly....
netdiag-fix-results.txt
 
Henrik Johansson (Systems engineer) commented:
They're normally added automatically when the netlogon service is started, but the DNS zone needs to allow dynamic updates.
Use the DNS MMC and look at the setting for 'Dynamic Updates' in the DNS zone properties for mydomain.com. Set it to 'Secure only' to only allow AD members to update records. If the option isn't available, change the type (button in the same dialog) and select the option that the zone data shall be stored in Active Directory.
 
Lisaa_G (Author) commented:
Ok for reference (I'm typing rather than sending a screenshot to keep domain names private)

Forward Lookup Zones - one folder _msdcs.mydomain.com; four sub-folders - DC, domains, GC, PDC; and four records:

Name                     Type            Data
(same as parent folder)  SOA             [24] myserver.mydomain.com., hostmaster
(same as parent folder)  NS              myserver.mydomain.com
(same as parent folder)  Host (A)        192.168.1.10
1393c5ad-.......         Alias (CNAME)   myserver.mydomain.com
 
Lisaa_G (Author) commented:
Done - still getting the same results on netdiag - will try netdiag /fix.
 
Lisaa_G (Author) commented:
Re-registration on dns server failed!
 
Lisaa_G (Author) commented:
Sorry to sound dumb - not sure if I'm understanding you.

I delete _msdcs.mydomain.com under Forward Lookup Zones?
 
Lisaa_G (Author) commented:
While I'm waiting to hear back.... does this tell you anything further about what might be wrong?

Results from an nslookup
nslookup-results.txt
 
Henrik Johansson (Systems engineer) commented:
In Windows 2003, _msdcs is by default created as an additional zone and is delegated out of the normal zone. I read somewhere that the reason is to make it easier to move it away to another DNS server than the parent DNS zone. Another reason is to have zone property options (dynamic updates, aging, AD-integrated etc.) configured differently compared to the parent zone.

It's not necessary to have it as its own DNS zone, and in that case it can be deleted. If so, also delete the delegation inside the parent DNS zone. Delegation can cause issues if it becomes incorrectly configured (additional DC/DNS servers need, for example, to be added to the delegation).
If the _msdcs delegation+zone and subdomain don't exist, netdiag /fix will re-create it as a subdomain inside the DNS zone if the DNS zone allows dynamic updates.
If not deleting the delegation+additional zone, make sure that the _msdcs.mydomain.com zone allows dynamic updates to let the system create its necessary records. You will still need to allow dynamic updates on the parent DNS zone if not moving out the other special subdomains like _tcp etc. to be their own zones with dynamic updates enabled (netdiag /fix also updates SRV records inside _tcp etc. as displayed in the output of the command).
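Henrik's checks above (ipconfig /all pointing only at internal DNS servers, the zone's 'Dynamic Updates' setting, and whether _msdcs is its own delegated zone) can be run together from one script. This PowerShell is an added example, not something posted in the thread; it assumes the domain name mydomain.com from the thread and the DNS server WMI provider (root\MicrosoftDNS) available on a Windows DNS server.

```powershell
# Added diagnostic (not posted in the thread). Run as administrator on the
# SBS/DC; needs the DNS server WMI provider (root\MicrosoftDNS). The domain
# name below is assumed to be mydomain.com as used in the thread.
$domain = 'mydomain.com'

function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

# Check 1: every IP-enabled NIC should list only internal DNS servers. The
# netlogon event in the thread shows the SRV registration being sent to
# 206.191.0.140, which refused it (RCODE 5).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        foreach ($dns in $_.DNSServerSearchOrder) {
            if (-not (Test-PrivateIPv4 $dns)) {
                Write-Warning "$($_.Description): DNS server $dns is not internal"
            }
        }
    }

# Check 2: dynamic update mode and storage of each zone for the domain.
# AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only.
$zones = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone
foreach ($z in $zones) {
    if ($z.Name -notlike "*$domain") { continue }
    $mode = switch ($z.AllowUpdate) { 0 {'None'} 1 {'Nonsecure and secure'} 2 {'Secure only'} default {'Unknown'} }
    "{0,-28} DsIntegrated={1,-5} DynamicUpdate={2}" -f $z.Name, $z.DsIntegrated, $mode
    if ($z.AllowUpdate -eq 0) {
        Write-Warning "$($z.Name) refuses dynamic updates; netlogon cannot register its records"
    }
}

# Check 3: _msdcs as its own zone implies an NS delegation in the parent zone
# that must list every DNS server hosting it.
if ($zones | Where-Object { $_.Name -eq "_msdcs.$domain" }) {
    "_msdcs.$domain is a separate zone; delegation NS records in ${domain}:"
    Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_NSType `
        -Filter "ContainerName='$domain' AND OwnerName='_msdcs.$domain'" |
        ForEach-Object { "  $($_.NSHost)" }
}
```

A warning from check 1 or an AllowUpdate of 0 in check 2 reproduces the two failure modes discussed in the thread; an empty list in check 3 means the delegation the separate _msdcs zone depends on is missing.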
 
Henrik Johansson (Systems engineer) commented:
For the follow-up about 'nslookup mydomain', it's normal that it can't resolve 'mydomain' as you haven't added the top domain suffix .com.
One thing that isn't really normal is that the reverse lookup of the DNS server IP resolves to dc._msdcs.mydomain.com. The server line should be the actual server name resolved through the PTR record for 192.168.1.10.
 
Lisaa_G (Author) commented:
OK - still feeling pretty dumb here (I'm glad you know what you're talking about but I'm really worried about making this worse!)

So I'm going to delete _msdcs  under Forward lookup zones despite the warnings from the o/s that tells me this is an Active Directory Integrated Primary....
 
Lisaa_G (Author) commented:
I added A records - may have screwed them up ....  That may explain the nslookup issue.
 
Henrik Johansson (Systems engineer) commented:
Yes, creating the records manually explains the incorrect PTR if the DNS MMC had the option to create the associated PTR record selected. Creating manual records normally creates static records, preventing dynamic update from updating them.
netdiag /fix or restarting the netlogon service will create the necessary structure below _msdcs and register the necessary records automatically if the zone allows dynamic updates.

You shouldn't need to be worried about deleting the _msdcs zone as netdiag /fix will re-create _msdcs as a subdomain inside the parent zone if it allows dynamic updates.

The confirm dialog with a warning about deleting an AD-integrated zone is normal when having AD-integrated zones.
If it isn't an AD-integrated zone, the zone data is stored in the file system as zone files and the zone file will be left behind when deleting the zone through the MMC.
 
Lisaa_G (Author) commented:
Thanks for the reply back - I shutdown the server overnight while contemplating next steps - I should be back in later today or first thing tomorrow and I'll try what you suggested.

Appreciate you taking the time to further my DNS education - I'll let you know how it turns out (and Happy New Year!)
 
Lisaa_G (Author) commented:
No luck - folders with the domain controllers were not recreated - results of netdiag /fix attached
2010-01-01-netdiag-fix-results.txt
 
Lisaa_G (Author) commented:
Hold on - followed up by restarting the following services and things are looking better

DHCP client and DHCP server
DNS client and DNS server
Netlogon

Not out of the woods yet - new netdiag fix results attached.
2010-01-01-pass-2-netdiag-fix-re.txt
 
Lisaa_G (Author) commented:
Also updated dcdiag / fix results - this looks entirely different.

Am I getting close to being out of the woods?
2010-01-01-dcdiag-fix-results.txt
 
Henrik Johansson (Systems engineer) commented:
Yes, it looks better. The DNS zone should look better now after the last netdiag /fix.

netdiag isn't always able to retrieve the event log details, so check the event log manually for the details. They're probably caused by the necessary services not having started in the correct order.
When having AD-integrated DNS zones, a single DC can cause error logging because AD relies on DNS and the DNS zone relies at the same time on AD when it needs to be loaded from AD. To avoid this, have multiple DCs installed as DNS servers and configure each DC to use both itself and a remote DC as DNS servers. When using multiple DNS servers, the DC will fail over to the other DNS/DC for resolving when it isn't able to handle queries on its own.
 
ChiefIT commented:
I think you might still have delegation records that might expire:

Please look over the following article. (((This is an illustration of what henjo was trying to relay to you:)))
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

 
Lisaa_G (Author) commented:
Thanks gentlemen - on my way back in to work further - will let you know how it goes!
 
Lisaa_G (Author) commented:
Thanks gentlemen - looks like all is well again - much appreciated.  The picture was worth a thousand words.

Your patience and knowledge much appreciated - Happy New Year!
Question has a verified solution.