Solved

Windows 2003 DNS server will not automatically build its folder structure/update

Posted on 2010-09-13
20
627 Views
Last Modified: 2012-08-14
Note: Domain names and GUID have been changed for security reasons.

This is a basic DNS "huh?" situation that I've run into before and don't recall how I fixed it. (I think it's the same one)

Anyone who has installed DNS on a DC knows it starts up and populates with a bunch of folders, most notably the msdcs, which, without will cause the notorious error in dcdiag:

 
  Testing server: Default-First-Site-Name\defaultPDC
      Starting test: Connectivity
         The host deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.com 
         could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.com)
         couldn't be resolved, the server name (defaultPDC.contoso.com)
         resolved to the IP address (192.168.1.105) and was pingable.  Check
         that the IP address is registered correctly with the DNS server.
         ......................... defaultPDC failed test Connectivity

Open in new window

All this server is creating is itself, the SOA and the "Same as parent" folder.

So, I deleted them and recreated them. I deleted them and removed the DNS server, and reinstalled it. I tried primary, secondary/linked to AD or not. Secure Updates or both. I ran ADSI Edit to scan the MicrosoftDNS entries to see what was in there (Nothing but root servers) yet I still occasionally get Event ID 4010 stating:

The DNS server encountered error deadbeef-9a74-4597-a702-2212969ee56e attempting to load zone _msdcs.contoso.com from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle.

Frequently. So it is as though it is trying to do its job, it just can't.

There is only one NIC. It is pointed solely at itself (its IP, not the loopback address) as the only DNS server.

At the moment the HOSTS file in system32/drivers/etc/ does have a pointer to itself, just so critical services don't go nuts about not being able to find AD while trying to do something, but this being removed doesn't seem to fix the problem. (Or it would have already)

I've done the following, many times:
ipconfig /dnsflush
ipconfig /registerdns
net stop netlogon
net start netlogon
net stop dns
net start dns
(It's in a batch file now)

I've reset dns with dnscmd /Config /BootMethod

I've checked and unchecked AD integration on the zone.

I've killed the zones and recreated them, creating _msdcs as a Forest level zone, and contosco.com as the Domain level zone; unfortunately even manually entering this didn't fix the failure to replicate.

I've tried to "Create Default Application Directory Partitions" but it tells me it already exists.

At this point I have no qualms resetting all of DNS (which I think I've done) to setup DNS from scratch. (We have a SUSE box running DNS on the network at the moment, but this one is not using it as a reference. The Windows 2003 box will become the new DNS server if it can be made functional)

Assumption I shouldn't be making but I've tried everything else: Everything seems to point to a problem within AD with faulty DNS records, but I cannot find them. I'm a novice with ADSIedit and there isn't much information regarding "What you should be deleting to fix DNS problems" available online.

Thanks you for any and all assistance,
--Fox
0
Comment
Question by:FoxKeegan
  • 12
  • 7
20 Comments
 

Author Comment

by:FoxKeegan
ID: 33665492
It should be noted that this machine is running as a PDC (the only DC on the domain) and is running Exchange. (No, this is not SBS)

I inherited this machine, and due to a SNAFU before I got there, an array was rebuilt backwards that had degraded a year ago. the NTDS.dit files were on that array, and I was forced to reset the local machine account. I thought this worth mentioning, but given that the other system services are functioning without issue I'm not sure if it is relevant.

(Yes, it should just be rebuilt, but unfortunately it's not an option at the moment)
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33665882
Delete all DNS zones recreate the domain.com zone only allow the msdcs folder to be listed under the domain.com zone do not create a delegation. Allow the zone to be a primary Active Directory integrated zone.

Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix
0
 

Author Comment

by:FoxKeegan
ID: 33667454
1. Both Zones Deleted. They were AD-Integrated and supposedly removed from AD.
2. New Zone creation: Primary Zone. AD-Integrated. Creating "To All DNS servers in the Active Directory domain Contoso.com" Name: Contoso.com. Security: Secure updates only. Lookup-type: Foward
3. Created "New Domain" under "Contoso.com" named "_msdcs"
4. Ran "ipconfig /flushdns"; "ipconfig /registerdns"; "dcdiag /fix"

PDC failed connectivity test

Added defaultPDC host record with IP address 192.168.100.16 (Correct address) within the _msdcs folder and repeated step 4. No change.

Deleted record and repeated step 4. Will leave it a bit. How quickly should it build the directory? It's always been instantaneous when I first created a DNS server, but I never really watched it.

During this process I got this warning:

Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4521
Date:            9/13/2010
Time:            6:38:26 PM
User:            N/A
Computer:      defaultPDC
Description:
The DNS server encountered error 32 attempting to load zone contoso.com from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:FoxKeegan
ID: 33667477
Note: In the past I've added "deadbeef-9a74-4597-a702-2212969ee56e" within the _msdcs folder under contoso.com and it will change the dcdiag report to the following:

[code]
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\defaultPDC
      Starting test: Connectivity
            *** Warning: could not confirm the identity of this server in
               the directory versus the names returned by DNS servers.
               If there are problems accessing this directory server then
               you may need to check that this server is correctly registered
               with DNS
         ......................... defaultPDC passed test Connectivity
[/code]

However it still will not update, and does not seem to be communicating with AD. No delegation is ever created.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33670818

Good use of DEADBEEF there :-D

> 3. Created "New Domain" under "Contoso.com" named "_msdcs"

As a delegation? Or just a folder in DNS?

You can try killing of the zone from AD. Condisidering the replication scope you've used that means:

1. Stop the DNS Server service everywhere
2. Start up AD Users and Computers, then View, Advanced Features
3. Expand System
4. Expand MicrosoftDNS
5. Check for and delete the entry for your domain name

Once you've done that, we'll go for as simple as possible:

1. Create a new Forward Lookup Zone. It should be Primary, but *not* AD Integrated
2. Enable all dynamic updates (you don't get a choice for secure here)

Then run:

ipconfig /registerdns
net stop netlogon && net start netlogon

The _msdcs folder should auto-create within the zone. Otherwise you'll be checking the event log (Application, I think) for errors regarding DNS registration.

If that works, we can change the zone to AD Integrated (still all updates), delete a couple of records then see if they re-populate. Changing to Secure Only will be the final step.

HTH

Chris
0
 

Author Comment

by:FoxKeegan
ID: 33671377
deadbeef :D

> As a delegation? Or just a folder in DNS?

"New Domain" option was selected, not "New Delegation". I hope this was the correct option?

Also: "View > Advanced Features" is cool. I wasn't aware of viewing AD this way. I had always used ADSIedit.
It got my hopes up, but unfortunately it shows the same thing in MicrosoftDNS:

"RootDNSServers" folder, with '@' and "a" through "m". No zones to delete.

I'm going to be furious if this turns out to be something incredibly simple that I managed to miss somehow.  (Relieved it's fixed, but furious at myself)

Not sure if it makes a difference but I also have 0, 127 and 255 reverse lookup zones that it won't let me delete. I don't believe I've had these in the past when I setup small DNS servers.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33671419

> Not sure if it makes a difference but I also have 0, 127 and 255 reverse lookup zones that it won't let me delete.

You'll only see those Reverse Lookup Zones with View / Advanced on, they should stay, they're necessary (used to suppress queries for localhost, etc).

> I hope this was the correct option?

Yep, it was :)

How's it doing at the moment? Are you running as Primary / DS Integrated?

The location I've described above correlates to "All Domain Controllers in the AD Domain", if it's anything else it'll be stored somewhere else. And, looking again, I see that it's all DNS servers in the AD Domain, so I apologise for my mis-direction.

You will have to pull out ADSIEdit for this one, you've loaded the DomainDnsZones partition before? If not:

1. Open ADSIEdit.msc
2. Right click and select Connect To
3. Select or type a distinguished name or naming context and enter:
  DC=DomainDnsZones,DC=yourdomain,DC=com
4. Expand DomainDnsZones, then MicrosoftDns
5. Check for your zone name. If it's not working perfectly I would still advocate deleting that and starting again.

Of course, if it's all working you don't have to do that at all :)

Chris
0
 

Author Comment

by:FoxKeegan
ID: 33673482
Alright, I've tried recreating our domain zone in DNS as both AD-integrated and file based.  I've even really started creating a zone called "contoso.com" to see if that one would replicate either. No luck.

Within ADSIedit I get CN=Microsoft...eh, its easier to attach an image. (Sanitized) It's just root servers.

Sorry about the delay, fires to put out at work.

If I'm understanding this correctly, it isn't the way I'm configuring the zone, and there isn't anything being built in AD, so it seems to be something preventing the system from adding it to AD. The DNS server service is indeed running as the Local System account.

Got this, as I always do: "The DNS server encountered error 32 attempting to load zone contoso.com from Active Directory." and ran with it. Noticed your posting over yonder, Chris: http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24094790.html

Started reviewing all of that. DNS server does not have LDAP connectivity.  I've attached a dcdiag /c /v report.

...

Alright, after some putzing and creating a new zone, I now have "DC=@" and "DC=defaultPDC" within a folder "contoso.com" under MicrosoftDNS in ASDIedit.  Hasn't rebuilt the DNS server's issues though. Deleted the entries; deleted zone. Recreated, the entries come back. I don't recall that happening in the past, so that's something anyway.

I'll be able to look at this off and on, but I'll be out of the office the next two days. I wanted to get everything I did written down at least.  I can VPN in to work on it if you've other ideas, Chris.

(Plus, I don't tend to let problems like this go. I'll be thinking about it while I'm off work anyway)
A:\>dcdiag /c /v

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine defaultPDC, is a DC.
   * Connecting to directory service on server defaultPDC.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\defaultPDC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.co
m could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.com)
         couldn't be resolved, the server name (defaultPDC.contoso.com)
         resolved to the IP address (192.168.100.105) and was pingable.  Check
         that the IP address is registered correctly with the DNS server.
         ......................... defaultPDC failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\defaultPDC
      Skipping all tests, because server defaultPDC is
      not responding to directory service requests

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : contoso
      Starting test: CrossRefValidation
         ......................... contoso passed test CrossRefValidatio
n
      Starting test: CheckSDRefDom
         ......................... contoso passed test CheckSDRefDom

   Running enterprise tests on : contoso.com
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... contoso.com passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\defaultPDC.contoso.com
         Locator Flags: 0xe00003fd
         PDC Name: \\defaultPDC.contoso.com
         Locator Flags: 0xe00003fd
         Time Server Name: \\defaultPDC.contoso.com
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\defaultPDC.contoso.com
         Locator Flags: 0xe00003fd
         KDC Name: \\defaultPDC.contoso.com
         Locator Flags: 0xe00003fd
         ......................... contoso.com passed test FsmoCheck
      Starting test: DNS
         Test results for domain controllers:

            DC: defaultPDC.contoso.com
            Domain: contoso.com


               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                   Microsoft(R) Windows(R) Server 2003, Standard Edition (Servic
e Pack level: 2.0) is supported
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000008] Broadcom NetXtreme 5751 Gigabit Controller:

                     MAC address is 00:11:11:CC:69:E8
                     IP address is static
                     IP address: 192.168.100.105
                     DNS servers:
                        Warning: 192.168.100.105 (<name unavailable>) [Invalid]
                  Error: all DNS servers are invalid
                  The A record for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found (pri
mary)
                  Root zone on this DC/DNS server was not found

               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     192.168.100.1 (<name unavailable>) [Valid]
                     192.168.100.103 (<name unavailable>) [Valid]

               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server

               TEST: Dynamic update (Dyn)
                  Dynamic update is enabled on the zone contoso.com.
                  Test record _dcdiag_test_record added successfully in zone contoso.com.
                  Test record _dcdiag_test_record deleted successfully in zone contoso.com.

            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network a
dapters

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 192.168.100.105 (<name unavailable>)
               1 test failure on this DNS server
               This is a valid DNS server
               Name resolution is not functional. _ldap._tcp.contoso.com
. failed on the DNS server 192.168.100.105
               [Error details: 9003 (Type: Win32 - Description: DNS name does no
t exist.)]

            DNS server: 192.168.100.1 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server

            DNS server: 192.168.100.103 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: contoso.com
               defaultPDC                        PASS FAIL PASS PASS PASS FAIL n/a

         ......................... contoso.com failed test DNS

Open in new window

dns.bmp
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33680182

What replication scope do you have set for the zone (in the DNS Console) at the moment? It'd be nice to find it in AD :)

Chris
0
 

Author Comment

by:FoxKeegan
ID: 33685041
I usually do AD. (as it is the goal here and because it is the default setting, thus easier to recreate) Right now it is AD.
0
 

Author Comment

by:FoxKeegan
ID: 33685044
Is there something I should know about when it attempts to update? Is there a maintenance process that runs overnight, or something similar? Will it only then update? This should happen instantaneously, shouldn't it?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33685263

Updates are generally once every 24 hours, for A and PTR records the DHCP client does it. Service Records and a few others for AD are the responsibility of the NetLogon service.

In AD as in AD Users and Computers?

These are the replication areas:

All Domain Controllers in the AD Domain = AD Users and Computers \ System \ MicrosoftDNS
All DNS Servers in the AD Domain = DC=DomainDnsZones,DC=yourdomain,DC=com
All DNS Servers in the AD Forest = DC=ForestDnsZones,DC=yourdomain,DC=com

If it's not working while held in AD I would switch to Standard Primary (not AD Integrated). Doing so lets us investigate the state of AD without it dying at the DNS / Connectivity test stage.

Chris
0
 

Author Comment

by:FoxKeegan
ID: 33702206
Didn't replicate. (Was out sick yesterday) Setting it to standard.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33703755
Hey,

I hope you're feeling better. Let me know how you get on with the change to standard.

Cheers,

Chris
0
 

Author Comment

by:FoxKeegan
ID: 33703879
Is there a way I can force the updates or do you really have to wait 24 hours per test? I'm going to guess that's not the same as "Reloading" the zone? (Since that does nothing for me)
0
 

Author Comment

by:FoxKeegan
ID: 33723927
Well, it's still not building the folders by itself, but I've been mimicking a fresh install with a new DNS server on it, and as I create the values it clears more and more DCDiag problems. I was operating under the hope that if I setup enough it would take over once whatever is broken was restored. No such luck. I'm looking up ways to import to AD so I can import much of the folder structure from the other (after modifying appropriately of course) so testing is a bit easier.

I have found that if I create new zones with the third option "For all Domain controllers" it winds up in Active directory, but if I set the first or second, referring to "DNS servers" it will not. The system doesn't seem to consider itself a DNS server?

I keep coming back to the idea that there's some wonky setting in AD somewhere that's preventing normal operation.

I'm assuming there's no "Sledgehammer" solution to resolve DNS issues like this? (Since removing and reinstalling "DNS Server" with the wizard didn't help.)  Ya know, apart from the reinstall this system should undergo.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33724014

Sorry, I was trying to finish off an assignment.

I would take AD out of the equation entirely for DNS, delete the AD Integrated zone and create a new Primary without ticking Store in AD.

Can you post the contents of this file:

%SystemRoot%\System32\config\netlogon.dns

Cheers,

Chris
0
 

Accepted Solution

by:
FoxKeegan earned 0 total points
ID: 33725072
$#!&*@&

Well, it finished building itself.  Unfortunately I have no idea which of my solutions did the trick.

Either populating a portion of the folder tree manually, resolving a journal wrap error with NTFRS, or ensuring something as simple as the "DNS" tab under "Advanced TCP/IP Settings" is set properly.

I have no idea what it was set to before I started all this, but I believe I glanced at it and it seemed alright.  I'm providing images of both my present server config, and that of a clean server for reference in hopes it may help someone in the future.

I cannot say for certain that this resolved the problem, but perhaps someone can state that another combination of these settings will cause it. If so, then it can be verified.
dnsfix3.bmp
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33725154

Hmm neither should have made any difference. But no matter, as long as you're working now :)

Chris
0
 

Author Comment

by:FoxKeegan
ID: 33725692
On my server, I do recall that "Append these DNS suffixes (in order)" was selected, with "contoso.com" within the box. I removed that I'm certain.  I'm not sure which of the two bottom boxes were checked but I believe the bottom one was not.
0

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now