Solved

SBS 2003 DNS issues

Posted on 2009-12-31
Last Modified: 2012-05-08
Running SBS 2003

I'm seeing the following in my Event log for DNS

The zone 1.168.192.in-addr.arpa is configured to accept updates but the A record for the primary server in the zone's SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause DNS clients to be unable to perform DNS updates.

On domain workstations can no longer connect to Exchange server - I know I've got a DNS issue I just can't figure out how to troubleshoot it.
I'm having some DNS problems - netdiag results attached.

Netdiag results attached - I'm standing by to supply anything else that may be useful
Question by:Lisaa_G
27 Comments
 

Author Comment

by:Lisaa_G
ID: 26156395
Also seeing this error message in system log

The dynamic registration of the DNS record '_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 myserver.mydomaincom.' failed on the following DNS server:  

DNS server IP address: 206.191.0.140  
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about  DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows  Server Resource Kit CD.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

Author Comment

by:Lisaa_G
ID: 26156406
Results of DCdiag also attached - I definitely have problems!
dcdiag-results.txt
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26156511
In the output of dcdiag, it looks like DNS configuration is ok as the SRV-record in _msdcs is resolving, but verify with ipconfig/all that you're only using internal DNS servers (no ISP or routers for direct DNS resolving)

>>   Testing server: Default-First-Site-Name\myserver
>>      Skipping all tests, because server myserver is
>>      not responding to directory service requests


In the output of dcdiag, it looks like netlogon service isn't running.

Is firewall enabled? If so, disable it to see if it's the reason. Firewall can be enabled, but you need to configure some port exceptions to get it to work as described in http://support.microsoft.com/kb/555381.
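Added example (not part of the thread or of any participant's post): a PowerShell check for the two things henjo asks for above, that the DC's own resolver list contains only internal DNS servers and that the locator SRV record named in the System-log event resolves there. It assumes PowerShell 2.0 on the SBS 2003 server, uses the built-in nslookup and netsh, and treats mydomain.com as a placeholder for the AD DNS domain.

```powershell
# Added example, not from the thread. Checks the DC's own resolver settings
# (henjo's "only internal DNS servers" point) and the locator record the
# System-log event said it could not register. Assumes PowerShell 2.0 on the
# SBS 2003 server; mydomain.com is a placeholder for the AD DNS domain.

$DomainName = 'mydomain.com'

# RFC 1918 test: a DC's resolver list should contain only internal DNS servers.
# An ISP resolver such as the 206.191.0.140 in the event text answers dynamic
# update attempts with RCODE 5 (REFUSED), which is exactly what was logged.
function Test-PrivateIPv4 {
    param([string]$Address)
    $o = @($Address.Split('.') | ForEach-Object { [int]$_ })
    if ($o.Count -ne 4) { return $false }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

# 1. Resolver list per IP-enabled adapter (the same data ipconfig /all shows).
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        if (-not $dns) { continue }
        if (Test-PrivateIPv4 $dns) {
            Write-Host "$($nic.Description): DNS server $dns is internal - OK"
        } else {
            Write-Warning "$($nic.Description): DNS server $dns is public - a DC must point only at internal DNS servers"
        }
    }
}

# 2. The record from the event: does _ldap._tcp.<domain> resolve where the DC asks?
nslookup -type=SRV "_ldap._tcp.$DomainName"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName"

# 3. Firewall state on the DC (KB555381 lists the exceptions a DC needs if it stays on).
netsh firewall show state
```

A public resolver in step 1 explains both events in the question: the DC sends its dynamic update to a server that has no such zone and is not allowed to accept it, so the SRV record never lands in the internal zone and workstations cannot locate the DC.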
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26156532
Sorry, I misread that DNS was resolving

>>         Although the Guid DNS name
>>         (1393c5ad-2940-4d7f-aeb3-ac22acf7982d._msdcs.mydomain.com)
>>         couldn't be resolved, the server name (myserver.mydomain.com)
>>         resolved to the IP address (192.168.1.10) and was pingable.

Check in DNS MMC if _msdcs is a subdomain under the mydomain.com zone or a delegation (different folder icon compared to the other subdomains inside the zone) and has its own zone. If delegation and having additional zone on same DNS server, delete both delegation+additional zone and let it be re-populated inside the normal DNS zone by either running netdiag/fix or restarting netlogon service.
Check that the DNS zone allows dynamic updates to let the records be registered.
 

Author Comment

by:Lisaa_G
ID: 26156544
OK - bear with me....  I'm not sure exactly what I'm looking at

From DNS MMC I see my server name with the following subfolders - Cached Lookups, Forward Lookup zones,  Reverse Lookup zones and Event viewer.

I'm assuming you want me to expand / look at Forward lookup zones?
 

Author Comment

by:Lisaa_G
ID: 26156548
I have no sub-domains but I did seem to be missing A records  - I've added them (correctly I hope) but I'm still not getting good results on netdiag
 

Author Comment

by:Lisaa_G
ID: 26156560
Results from netdiag /fix attached - obviously if the A records were my issue I have not added them in correctly....
netdiag-fix-results.txt
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26156577
They're normally added automatically when netlogon service is started, but the DNS zone needs to allow dynamic updates.
Use DNS MMC and see the setting for 'Dynamic Updates' in the DNS zone properties for mydomain.com. Set it to 'Secure only' to only allow AD-members to update records. If the option isn't available, change the type (button in same dialog) and select the option that the zone data shall be stored in Active Directory.
 

Author Comment

by:Lisaa_G
ID: 26156584
Ok for reference (I'm typing rather than sending a screenshot to keep domain names private)

Forward Lookup Zone - one folder _msdcs.mydomain.com; four sub-folders - DC, domains, GC, PDC - and four records:

Name                      Type             Data
(same as parent folder)   SOA              [24] myserver.mydomain.com., hostmaster
(same as parent folder)   NS               myserver.mydomain.com
(same as parent folder)   Host (A)         192.168.1.10
1393c5ad-.......          Alias (CNAME)    myserver.mydomain.com
 

Author Comment

by:Lisaa_G
ID: 26156598
Done - still getting the same results on netdiag - will try netdiag / fix
 

Author Comment

by:Lisaa_G
ID: 26156601
Re-registration on dns server failed!
 
LVL 31

Accepted Solution

by:Henrik Johansson
Henrik Johansson earned 1600 total points
ID: 26156620
I understand http:#26156584 as _msdcs.mydomain.com is its own DNS zone? Not necessary if having mydomain.com as DNS zone on same DNS server.
Check that mydomain.com allows (secure only) dynamic updates, delete the delegation of _msdcs inside the mydomain.com zone and delete the additional DNS zone _msdcs.mydomain.com. netdiag/fix will re-create the _msdcs-structure inside the mydomain.com if DNS zone allows dynamic updates.
 

Author Comment

by:Lisaa_G
ID: 26156651
Sorry to sound dumb - not sure if I'm understanding you.

I delete -msdcs.mydomain.com under Forward Lookup Zones?
 

Author Comment

by:Lisaa_G
ID: 26156695
While I'm waiting to hear back.... does this tell you anything further about what might be wrong.

Results from an nslookup
nslookup-results.txt
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26156702
In Windows 2003, _msdcs is by default created as an additional zone and is delegated out of the normal zone. I read somewhere that the reason is to make it easier to move it away to another DNS server than the parent DNS zone. Another reason is to have zone property options (dynamic updates, aging, AD-integrated etc) configured differently compared to the parent zone.

It's not necessary to have it as its own DNS zone, and it can in that case be deleted. If so, also delete the delegation inside the parent DNS zone. Delegation can cause issues if it becomes incorrectly configured (additional DC/DNS servers need for example to be added to the delegation).
If the _msdcs delegation+zone and subdomain don't exist, netdiag/fix will re-create it as a subdomain inside the DNS zone if the DNS zone allows dynamic updates.
If not deleting the delegation+additional zone, make sure that the _msdcs.mydomain.com zone allows dynamic updates to let the system create its necessary records. You will still need to allow dynamic updates on the parent DNS zone if not moving out the other special subdomains like _tcp etc to be their own zones with dynamic updates enabled (netdiag/fix also updates SRV-records inside _tcp etc as displayed in the output of the command).
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26156711
For the followup about 'nslookup mydomain', it's normal that it can't resolve 'mydomain' as you haven't added the top domain suffix .com
One thing that isn't really normal is that the reverse lookup of the DNS server IP resolves to dc._msdcs.mydomain.com. The server line should be the actual servername resolved through the PTR record for 192.168.1.10
 

Author Comment

by:Lisaa_G
ID: 26156716
OK - still feeling pretty dumb here (I'm glad you know what you're talking about but I'm really worried about making this worse!)

So I'm going to delete _msdcs  under Forward lookup zones despite the warnings from the o/s that tells me this is an Active Directory Integrated Primary....
 

Author Comment

by:Lisaa_G
ID: 26156731
I added A records - may have screwed them up ....  That may explain the nslookup issue.
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26157959
Yes, creating the records manually explains the incorrect PTR if the DNS MMC had the option to create associated PTR record selected. Creating manual records normally creates static records preventing dynamic update to update them.
netdiag/fix or restarting netlogon service will create the necessary structure below _msdcs and register the necessary records automatically if zone allows dynamic updates.

You shouldn't need to be worried about deleting the _msdcs-zone as netdiag/fix will re-create _msdcs as a subdomain inside the parent zone if it allows dynamic updates.

The confirm dialog with warning about deleting AD-integrated zone is normal when having AD-integrated zones.
If it isn't an AD-integrated zone, the zone data is stored in the file system as zone files and the zone file will be left when deleting the zone through the MMC.
 

Author Comment

by:Lisaa_G
ID: 26158628
Thanks for the reply back - I shut down the server overnight while contemplating next steps - I should be back in later today or first thing tomorrow and I'll try what you suggested.

Appreciate you taking the time to further my DNS education - I'll let you know how it turns out (and Happy New Year!)
 

Author Comment

by:Lisaa_G
ID: 26158794
No luck - folders with the domain controllers were not recreated - results of netdiag /fix attached
2010-01-01-netdiag-fix-results.txt
 

Author Comment

by:Lisaa_G
ID: 26158868
Hold on - followed up by restarting the following services and things are looking better

DHCP client and DHCP server
DNS client and DNS server
Netlogon

Not out of the woods yet - new netdiag fix results attached.
2010-01-01-pass-2-netdiag-fix-re.txt
 

Author Comment

by:Lisaa_G
ID: 26158879
Also updated dcdiag / fix results - this looks entirely different.

Am I getting close to being out of the woods?
2010-01-01-dcdiag-fix-results.txt
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 1600 total points
ID: 26159000
Yes, it looks better. The DNS zone should look better now after the last netdiag/fix

netdiag isn't always able to retrieve the eventlog details, so check the eventlog manually for the details. They're probably caused by the necessary services not having started in the correct order.
When having AD-integrated DNS zones, a single DC can cause error logging because AD relies on DNS and the DNS zone relies at the same time on AD when it needs to be loaded from AD. To avoid this, have multiple DCs installed as DNS servers and configure each DC to use both itself and a remote DC as DNS servers. When using multiple DNS servers, the DC will failover to the other DNS/DC for resolving when it isn't able to handle queries on its own.
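Added example (not part of the thread or of any participant's post): a PowerShell walk-through of the repair path described in the accepted solution and the service-restart order Lisaa_G used, using the Server 2003 era tools dnscmd, nltest and netdiag. It assumes PowerShell 2.0 in an elevated prompt on the DC; the zone name mydomain.com and the DC address 192.168.1.10 are the placeholders from the thread.

```powershell
# Added example, not from the thread. Walks henjo's repair path with the
# Server 2003 era tools (dnscmd, nltest, netdiag) and the service-restart
# order Lisaa_G used. Run in an elevated prompt on the DC. Zone name and the
# DC address 192.168.1.10 are taken from the thread; adjust for your domain.

$Zone  = 'mydomain.com'
$MsDcs = "_msdcs.$Zone"
$DropSeparateMsdcsZone = $false   # set $true to take the accepted answer's route

# 1. Zone inventory. A separate line for _msdcs.mydomain.com means the
#    delegated layout (Server 2003 default), not a subdomain of the parent.
dnscmd /EnumZones

# 2. Zone properties. In the output the 'update' line is 0 = none,
#    1 = non-secure and secure, 2 = secure only (the 'Secure only' MMC option).
dnscmd /ZoneInfo $Zone

# 3. Store the parent zone in AD (harmless if it already is) and allow
#    secure-only dynamic updates so netlogon can register SRV/A records itself.
dnscmd /ZoneResetType $Zone /DsPrimary
dnscmd /Config $Zone /AllowUpdate 2

# 4. Optional: delete the separate _msdcs zone and the delegation node
#    (the NS records for the _msdcs child name inside the parent zone).
#    netlogon/netdiag then re-create _msdcs as a plain subdomain.
if ($DropSeparateMsdcsZone) {
    dnscmd /ZoneDelete $MsDcs /DsDel /f
    dnscmd /NodeDelete $Zone _msdcs /tree /f
} else {
    # Keeping the separate zone: it must allow dynamic updates as well.
    dnscmd /Config $MsDcs /AllowUpdate 2
}

# 5. Restart in dependency order (DHCP, DNS, then Netlogon) and re-register.
foreach ($svc in 'Dhcp', 'DHCPServer', 'Dnscache', 'DNS', 'Netlogon') {
    Restart-Service -Name $svc -Force -ErrorAction SilentlyContinue
}
nltest /dsregdns
netdiag /fix

# 6. Verify. Both SRV queries should answer, and the PTR for the DC address
#    should be the DC host name, not dc._msdcs (the oddity henjo flagged).
nslookup -type=SRV "_ldap._tcp.$Zone"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone"
nslookup 192.168.1.10
```

Step 4 is destructive, which is why it sits behind a switch: on a DC with only the one AD-integrated zone it is safe, since netlogon rebuilds _msdcs on the next registration, but on a DC that also serves other domains or hosts a delegated _msdcs for additional DCs, keep the zone and only correct its update setting, as the thread's follow-up comment describes.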
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 400 total points
ID: 26161303
I think you might still have delegation records that might expire:

Please look over the following article. (((This is an illustration of what henjo was trying to relay to you:)))
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

 

Author Comment

by:Lisaa_G
ID: 26161602
Thanks gentlemen - on my way back in to work further - will let you know how it goes!
 

Author Closing Comment

by:Lisaa_G
ID: 31671698
Thanks gentlemen - looks like all is well again - much appreciated.  The picture was worth a thousand words.

Your patience and knowledge much appreciated - Happy New Year!
