Lisaa_G
SBS 2003 DNS issues
Running SBS 2003
I'm seeing the following in my Event log for DNS
The zone 1.168.192.in-addr.arpa is configured to accept updates but the A record for the primary server in the zone's SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause
DNS clients to be unable to perform DNS updates.
Domain workstations can no longer connect to the Exchange server - I know I've got a DNS issue, I just can't figure out how to troubleshoot it.
I'm having some DNS problems - netdiag results attached.
Netdiag results attached - I'm standing by to supply anything else that may be useful
ASKER
Results of DCdiag also attached - I definitely have problems!
dcdiag-results.txt
In the output of dcdiag, it looks like DNS configuration is ok as the SRV-record in _msdcs is resolving, but verify with ipconfig/all that you're only using internal DNS servers (no ISP or routers for direct DNS resolving)
>> Testing server: Default-First-Site-Name\my server
>> Skipping all tests, because server myserver is
>> not responding to directory service requests
In the output of dcdiag, it looks like netlogon service isn't running.
Is firewall enabled? If so, disable it to see if it's the reason. Firewall can be enabled, but you need to configure some port exceptions to get it to work as described in http://support.microsoft.com/kb/555381.
Sorry, I misread that DNS was resolving
>> Although the Guid DNS name
>> (1393c5ad-2940-4d7f-aeb3-ac22acf7982d._msdcs.mydomain.com)
>> couldn't be resolved, the server name (myserver.mydomain.com)
>> resolved to the IP address (192.168.1.10) and was pingable.
Check in DNS MMC if _msdcs is a subdomain under the mydomain.com zone or a delegation (different folder icon compared to the other subdomains inside the zone) and has its own zone. If delegation and having additional zone on same DNS server, delete both delegation+additional zone and let it be re-populated inside the normal DNS zone by either running netdiag/fix or restarting netlogon service.
Check that the DNS zone allows dynamic updates to let the records be registered.
ASKER
OK - bear with me.... I'm not sure exactly what I'm looking at
From DNS MMC I see my server name with the following subfolders - Cached Lookups, Forward Lookup zones, Reverse Lookup zones and Event viewer.
I'm assuming you want me to expand / look at Forward lookup zones?
ASKER
I have no sub-domains but I did seem to be missing A records - I've added them (correctly I hope) but I'm still not getting good results on netdiag
ASKER
Results from netdiag /fix attached - obviously if the A records were my issue I have not added them in correctly....
netdiag-fix-results.txt
They're normally added automatically when netlogon service is started, but the DNS zone needs to allow dynamic updates.
Use DNS MMC and see the setting for 'Dynamic Updates' in the DNS zone properties for mydomain.com. Set it to 'Secure only' to only allow AD-members to update records. If the option isn't available, change the type (button in same dialog) and select the option that the zone data shall be stored in Active Directory.
ASKER
Ok for reference (I'm typing rather than sending a screenshot to keep domain names private)
Forward Lookup Zone - one folder _msdcs.mydomain.com ; four sub-folders - DC, domains, GC, PDC, and four records -
Name                     Type           Data
(same as parent folder)  SOA            [24] myserver.mydomain.com., hostmaster
(same as parent folder)  NS             myserver.mydomain.com
(same as parent folder)  Host (A)       192.168.1.10
1393c5ad-.......         Alias (CNAME)  myserver.mydomain.com
ASKER
Done - still getting the same results on netdiag - will try netdiag / fix
ASKER
Re-registration on dns server failed!
ASKER CERTIFIED SOLUTION
ASKER
Sorry to sound dumb - not sure if I'm understanding you.
I delete _msdcs.mydomain.com under Forward Lookup Zones?
ASKER
While I'm waiting to hear back.... does this tell you anything further about what might be wrong.
Results from an nslookup
nslookup-results.txt
In Windows 2003, _msdcs is by default created as an additional zone and is delegated out of the normal zone. I read somewhere that the reason is to make it easier to move it away to another DNS server than the parent DNS zone. Another reason is to have zone property options (dynamic updates, aging, AD-integrated etc) configured differently compared to the parent zone.
It's not necessary to have it as its own DNS zone, and it can in that case be deleted. If so, also delete the delegation inside the parent DNS zone. Delegation can cause issues if it becomes incorrectly configured (additional DC/DNS servers need, for example, to be added to the delegation).
If the _msdcs delegation+zone and subdomain doesn't exist, netdiag/fix will re-create it as subdomain inside the DNS zone if the DNS zone allows dynamic updates.
If not deleting the delegation+additional zone, make sure that the _msdcs.mydomain.com zone allows dynamic updates to let the system create its necessary records. You will still need to allow dynamic updates on the parent DNS zone if not moving out the other special subdomains like _tcp etc to be their own zones with dynamic updates enabled (netdiag/fix also updates SRV-records inside _tcp etc as displayed in the output of the command).
For the followup about 'nslookup mydomain', it's normal that it can't resolve 'mydomain' as you haven't added the top domain suffix .com
One thing that isn't really normal is that the reverse lookup of the DNS server IP resolves to dc._msdcs.mydomain.com. The server line should be the actual servername resolved through the PTR record for 192.168.1.10
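Added example, not code from the thread or from Microsoft: a Python checker that models the zones discussed here as plain data and runs the consistency tests the replies describe. The SOA primary server and every NS target must have an A record on this server (the Event log warning quoted at the top), a delegated _msdcs child zone must list the same servers as the parent's delegation, zones carrying AD locator records must allow dynamic updates and should accept them secure only, and the PTR for the server's address must resolve back to the server name rather than to dc._msdcs. The record sets are constructed from the thread's names and addresses: ZONES_BROKEN approximates the state before the fix and ZONES_FIXED the state after it, with _msdcs folded back into the parent zone as a subdomain.

```python
"""Structural sanity checks for AD-integrated DNS zones (added example).
Zone keys and owner names are fully qualified, lower case, trailing dot.
Records are (owner, type, rdata); dynamic_updates is none|nonsecure|secure."""
from ipaddress import ip_address

AD_LOCATOR_LABELS = {"_msdcs", "_sites", "_tcp", "_udp"}  # DC-registered subtrees


def reverse_name(ip):
    """'10.1.168.192.in-addr.arpa.' for '192.168.1.10'."""
    return ip_address(ip).reverse_pointer + "."


def rrset(records, owner, rrtype):
    """Lower-cased rdata of every record matching (owner, rrtype)."""
    return {rd.lower() for o, t, rd in records if o.lower() == owner and t == rrtype}


def check_zones(zones, server_name, server_ip):
    """Return a list of findings; empty when the zones look consistent."""
    server_name = server_name.lower()
    findings = []
    hosts = {}  # every A record this server can answer for, across all zones
    for z in zones.values():
        for owner, rrtype, rdata in z["records"]:
            if rrtype == "A":
                hosts.setdefault(owner.lower(), set()).add(rdata)

    for zone, z in zones.items():
        recs = z["records"]
        for mname in rrset(recs, zone, "SOA"):
            if mname not in hosts:  # the warning quoted from the Event log
                findings.append(f"{zone} SOA primary server {mname} has no A record on this server")
        delegated, missing = set(), set()
        for owner, rrtype, rdata in recs:
            if rrtype != "NS":
                continue
            if rdata.lower() not in hosts:
                missing.add(rdata.lower())
            if owner.lower() != zone:
                delegated.add(owner.lower())
        findings += [f"{zone} NS {ns} has no A record on this server" for ns in sorted(missing)]
        # A delegation to a child zone hosted here must list the same servers as
        # the child's own NS set (a new DC has to be added to both).
        for child in delegated:
            if child in zones and rrset(recs, child, "NS") != rrset(zones[child]["records"], child, "NS"):
                findings.append(f"{zone} delegation of {child} does not match the child zone's NS records")
        if any(AD_LOCATOR_LABELS & set(o.lower().split(".")) for o, _, _ in recs):
            if z["dynamic_updates"] == "none":
                findings.append(f"{zone} does not allow dynamic updates; domain controllers cannot register their records")
            elif z["dynamic_updates"] == "nonsecure":
                findings.append(f"{zone} accepts unauthenticated dynamic updates; set it to secure only")

    ptr = set()  # reverse lookup of the DNS server must give its own name
    for z in zones.values():
        ptr |= rrset(z["records"], reverse_name(server_ip), "PTR")
    if ptr != {server_name}:
        findings.append(f"PTR for {server_ip} resolves to {', '.join(sorted(ptr)) or 'nothing'}, expected {server_name}")
    return findings


# Constructed data: the state described in the thread before the fix. _msdcs is
# a delegated child zone, the parent has no A record for myserver and refuses
# updates, and a hand-made A record under dc._msdcs left a PTR pointing there.
SRV = "myserver.mydomain.com."
ZONES_BROKEN = {
    "mydomain.com.": {"dynamic_updates": "none", "records": [
        ("mydomain.com.", "SOA", SRV),
        ("mydomain.com.", "NS", SRV),
        ("_msdcs.mydomain.com.", "NS", SRV),  # delegation to the child zone
        ("_ldap._tcp.mydomain.com.", "SRV", "0 100 389 " + SRV),
    ]},
    "_msdcs.mydomain.com.": {"dynamic_updates": "secure", "records": [
        ("_msdcs.mydomain.com.", "SOA", SRV),
        ("_msdcs.mydomain.com.", "NS", SRV),
        ("_msdcs.mydomain.com.", "A", "192.168.1.10"),
        ("dc._msdcs.mydomain.com.", "A", "192.168.1.10"),  # created by hand
        ("1393c5ad-2940-4d7f-aeb3-ac22acf7982d._msdcs.mydomain.com.", "CNAME", SRV),
    ]},
    "1.168.192.in-addr.arpa.": {"dynamic_updates": "nonsecure", "records": [
        ("1.168.192.in-addr.arpa.", "SOA", SRV),
        ("1.168.192.in-addr.arpa.", "NS", SRV),
        ("10.1.168.192.in-addr.arpa.", "PTR", "dc._msdcs.mydomain.com."),
    ]},
}

# Constructed data: after the fix, _msdcs is a plain subdomain of the parent,
# the parent allows secure updates, and the PTR points back at the server.
ZONES_FIXED = {
    "mydomain.com.": {"dynamic_updates": "secure", "records": [
        ("mydomain.com.", "SOA", SRV),
        ("mydomain.com.", "NS", SRV),
        (SRV, "A", "192.168.1.10"),
        ("1393c5ad-2940-4d7f-aeb3-ac22acf7982d._msdcs.mydomain.com.", "CNAME", SRV),
        ("_ldap._tcp.mydomain.com.", "SRV", "0 100 389 " + SRV),
    ]},
    "1.168.192.in-addr.arpa.": {"dynamic_updates": "secure", "records": [
        ("1.168.192.in-addr.arpa.", "SOA", SRV),
        ("1.168.192.in-addr.arpa.", "NS", SRV),
        ("10.1.168.192.in-addr.arpa.", "PTR", SRV),
    ]},
}
```

Calling `check_zones(ZONES_BROKEN, SRV, "192.168.1.10")` reports the missing A record for the SOA primary in all three zones, the parent zone refusing dynamic updates, and the PTR that resolves to dc._msdcs.mydomain.com. instead of the server; the same call on ZONES_FIXED returns an empty list. The reverse zone's update setting is deliberately not judged, since only zones that domain controllers register into are checked for it.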
ASKER
OK - still feeling pretty dumb here (i'm glad you know what you're talking about but I'm really worried about making this worse!)
So I'm going to delete _msdcs under Forward lookup zones despite the warnings from the o/s that tells me this is an Active Directory Integrated Primary....
ASKER
I added A records - may have screwed them up .... That may explain the nslookup issue.
Yes, creating the records manually explains the incorrect PTR if the DNS MMC had the option to create associated PTR record selected. Creating manual records normally creates static records preventing dynamic update to update them.
netdiag/fix or restarting netlogon service will create the necessary structure below _msdcs and register the necessary records automatically if zone allows dynamic updates.
You shouldn't need to be worried about deleting the _msdcs-zone as netdiag/fix will re-create _msdcs as subdomain inside the parent zone if it allows dynamic updates.
The confirm dialog with warning about deleting AD-integrated zone is normal when having AD-integrated zones.
If it isn't an AD-integrated zone, the zone data is stored in the file system as zone files and the zone file will be left when deleting the zone through the MMC.
ASKER
Thanks for the reply back - I shutdown the server overnight while contemplating next steps - I should be back in later today or first thing tomorrow and I'll try what you suggested.
Appreciate you taking the time to further my DNS education - I'll let you know how it turns out (and Happy New Year!)
ASKER
No luck - folders with the domain controllers were not recreated - results of netdiag /fix attached
2010-01-01-netdiag-fix-results.txt
ASKER
Hold on - followed up by restarting the following services and things are looking better
DHCP client and DHCP server
DNS client and DNS server
Netlogon
Not out of the woods yet - new netdiag fix results attached.
2010-01-01-pass-2-netdiag-fix-re.txt
ASKER
Also updated dcdiag / fix results - this looks entirely different.
Am I getting close to being out of the woods?
2010-01-01-dcdiag-fix-results.txt
SOLUTION
SOLUTION
ASKER
Thanks gentlemen - on my way back in to work further - will let you know how it goes!
ASKER
Thanks gentlemen - looks like all is well again - much appreciated. The picture was worth a thousand words.
Your patience and knowledge much appreciated - Happy New Year!
ASKER
The dynamic registration of the DNS record '_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 myserver.mydomaincom.' failed on the following DNS server:
DNS server IP address: 206.191.0.140
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab.
Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
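Added example, not part of the thread: a small Python triage script for the Netlogon event posted above. It parses the event text (copied from the post), names the DNS response code, and checks whether the DNS server the domain controller tried to register with lies inside the internal address ranges, which is the check the first reply asked for (ipconfig /all should show only internal DNS servers). The internal network list is an assumption made for this example.

```python
"""Triage of the Netlogon DNS registration failure posted above (added example).
Parses the event text, decodes the DNS response code and checks whether the
DNS server the domain controller tried to register with is an internal address."""
import re
from ipaddress import ip_address, ip_network

# RCODE values of the DNS message header (RFC 1035 and RFC 2136).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
          10: "NOTZONE"}

# Assumed internal ranges for this example (the thread's LAN is 192.168.1.0/24).
INTERNAL_NETWORKS = ("192.168.1.0/24",)

# Event text as posted in the thread.
EVENT_TEXT = """The dynamic registration of the DNS record '_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 myserver.mydomaincom.' failed on the following DNS server:
DNS server IP address: 206.191.0.140
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
ADDITIONAL DATA
Error Value: DNS bad key."""


def parse_event(text):
    """Extract record, target server, RCODE, status code and error text."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1).strip()) if m else None
    return {
        "record": grab(r"DNS record '([^']+)'"),
        "server": grab(r"DNS server IP address:\s*(\S+)"),
        "rcode": grab(r"\(RCODE\):\s*(\d+)", int),
        "status": grab(r"Returned Status Code:\s*(\d+)", int),
        "error": grab(r"Error Value:\s*(.+)"),
    }


def triage(event, internal_networks=INTERNAL_NETWORKS):
    """Return findings describing why the registration is failing."""
    findings = [
        f"registration of {event['record']} was answered with RCODE {event['rcode']} "
        f"({RCODES.get(event['rcode'], 'unknown')}), status {event['status']}: {event['error']}"
    ]
    server = ip_address(event["server"])
    if not any(server in ip_network(n) for n in internal_networks):
        findings.append(
            f"target DNS server {server} is outside the internal networks; the domain "
            "controller's NIC should list only internal DNS servers (check ipconfig /all)")
    return findings


if __name__ == "__main__":
    for line in triage(parse_event(EVENT_TEXT)):
        print(line)
```

Run against the posted event, the script reports RCODE 5 (REFUSED) with the "DNS bad key." error and flags 206.191.0.140 as a DNS server outside the internal range; with an internal server address only the response-code line remains, which is the point at which the zone's dynamic update setting becomes the thing to look at.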