FoxKeegan
asked on
Windows 2003 DNS server will not automatically build its folder structure/update
Note: Domain names and GUID have been changed for security reasons.
This is a basic DNS "huh?" situation that I've run into before and don't recall how I fixed it. (I think it's the same one)
Anyone who has installed DNS on a DC knows it starts up and populates with a bunch of folders, most notably _msdcs, without which you get the notorious error in dcdiag:
Testing server: Default-First-Site-Name\defaultPDC
Starting test: Connectivity
The host deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.com
could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.com)
couldn't be resolved, the server name (defaultPDC.contoso.com)
resolved to the IP address (192.168.1.105) and was pingable. Check
that the IP address is registered correctly with the DNS server.
......................... defaultPDC failed test Connectivity
All this server is creating is itself, the SOA and the "Same as parent" folder.
So, I deleted them and recreated them. I deleted them and removed the DNS server, and reinstalled it. I tried primary, secondary/linked to AD or not. Secure Updates or both. I ran ADSI Edit to scan the MicrosoftDNS entries to see what was in there (nothing but root servers) yet I still occasionally get Event ID 4010 stating:
The DNS server encountered error deadbeef-9a74-4597-a702-2212969ee56e attempting to load zone _msdcs.contoso.com from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle.
Frequently. So it is as though it is trying to do its job, it just can't.
There is only one NIC. It is pointed solely at itself (its IP, not the loopback address) as the only DNS server.
At the moment the HOSTS file in system32/drivers/etc/ does have a pointer to itself, just so critical services don't go nuts about not being able to find AD while trying to do something, but this being removed doesn't seem to fix the problem. (Or it would have already)
I've done the following, many times:
ipconfig /dnsflush
ipconfig /registerdns
net stop netlogon
net start netlogon
net stop dns
net start dns
(It's in a batch file now)
I've reset dns with dnscmd /Config /BootMethod
I've checked and unchecked AD integration on the zone.
I've killed the zones and recreated them, creating _msdcs as a Forest level zone, and contoso.com as the Domain level zone; unfortunately even manually entering this didn't fix the failure to replicate.
I've tried to "Create Default Application Directory Partitions" but it tells me it already exists.
At this point I have no qualms resetting all of DNS (which I think I've done) to setup DNS from scratch. (We have a SUSE box running DNS on the network at the moment, but this one is not using it as a reference. The Windows 2003 box will become the new DNS server if it can be made functional)
Assumption I shouldn't be making but I've tried everything else: Everything seems to point to a problem within AD with faulty DNS records, but I cannot find them. I'm a novice with ADSIedit and there isn't much information regarding "What you should be deleting to fix DNS problems" available online.
Thank you for any and all assistance,
--Fox
Delete all DNS zones recreate the domain.com zone only allow the msdcs folder to be listed under the domain.com zone do not create a delegation. Allow the zone to be a primary Active Directory integrated zone.
Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix
ASKER
1. Both Zones Deleted. They were AD-Integrated and supposedly removed from AD.
2. New Zone creation: Primary Zone. AD-Integrated. Creating "To All DNS servers in the Active Directory domain Contoso.com" Name: Contoso.com. Security: Secure updates only. Lookup-type: Forward
3. Created "New Domain" under "Contoso.com" named "_msdcs"
4. Ran "ipconfig /flushdns"; "ipconfig /registerdns"; "dcdiag /fix"
PDC failed connectivity test
Added defaultPDC host record with IP address 192.168.100.16 (Correct address) within the _msdcs folder and repeated step 4. No change.
Deleted record and repeated step 4. Will leave it a bit. How quickly should it build the directory? It's always been instantaneous when I first created a DNS server, but I never really watched it.
During this process I got this warning:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4521
Date: 9/13/2010
Time: 6:38:26 PM
User: N/A
Computer: defaultPDC
Description:
The DNS server encountered error 32 attempting to load zone contoso.com from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
ASKER
Note: In the past I've added "deadbeef-9a74-4597-a702-2212969ee56e" within the _msdcs folder under contoso.com and it will change the dcdiag report to the following:
[code]
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\defaultPDC
Starting test: Connectivity
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS
......................... defaultPDC passed test Connectivity
[/code]
However it still will not update, and does not seem to be communicating with AD. No delegation is ever created.
Good use of DEADBEEF there :-D
> 3. Created "New Domain" under "Contoso.com" named "_msdcs"
As a delegation? Or just a folder in DNS?
You can try killing off the zone from AD. Considering the replication scope you've used, that means:
1. Stop the DNS Server service everywhere
2. Start up AD Users and Computers, then View, Advanced Features
3. Expand System
4. Expand MicrosoftDNS
5. Check for and delete the entry for your domain name
Once you've done that, we'll go for as simple as possible:
1. Create a new Forward Lookup Zone. It should be Primary, but *not* AD Integrated
2. Enable all dynamic updates (you don't get a choice for secure here)
Then run:
ipconfig /registerdns
net stop netlogon && net start netlogon
The _msdcs folder should auto-create within the zone. Otherwise you'll be checking the event log (Application, I think) for errors regarding DNS registration.
If that works, we can change the zone to AD Integrated (still all updates), delete a couple of records then see if they re-populate. Changing to Secure Only will be the final step.
HTH
Chris
ASKER
deadbeef :D
> As a delegation? Or just a folder in DNS?
"New Domain" option was selected, not "New Delegation". I hope this was the correct option?
Also: "View > Advanced Features" is cool. I wasn't aware of viewing AD this way. I had always used ADSIedit.
It got my hopes up, but unfortunately it shows the same thing in MicrosoftDNS:
"RootDNSServers" folder, with '@' and "a" through "m". No zones to delete.
I'm going to be furious if this turns out to be something incredibly simple that I managed to miss somehow. (Relieved it's fixed, but furious at myself)
Not sure if it makes a difference but I also have 0, 127 and 255 reverse lookup zones that it won't let me delete. I don't believe I've had these in the past when I setup small DNS servers.
> Not sure if it makes a difference but I also have 0, 127 and 255 reverse lookup zones that it won't let me delete.
You'll only see those Reverse Lookup Zones with View / Advanced on, they should stay, they're necessary (used to suppress queries for localhost, etc).
> I hope this was the correct option?
Yep, it was :)
How's it doing at the moment? Are you running as Primary / DS Integrated?
The location I've described above correlates to "All Domain Controllers in the AD Domain", if it's anything else it'll be stored somewhere else. And, looking again, I see that it's all DNS servers in the AD Domain, so I apologise for my mis-direction.
You will have to pull out ADSIEdit for this one, you've loaded the DomainDnsZones partition before? If not:
1. Open ADSIEdit.msc
2. Right click and select Connect To
3. Select or type a distinguished name or naming context and enter:
DC=DomainDnsZones,DC=yourd
4. Expand DomainDnsZones, then MicrosoftDns
5. Check for your zone name. If it's not working perfectly I would still advocate deleting that and starting again.
Of course, if it's all working you don't have to do that at all :)
Chris
ASKER
Alright, I've tried recreating our domain zone in DNS as both AD-integrated and file based. I've even really started creating a zone called "contoso.com" to see if that one would replicate either. No luck.
Within ADSIedit I get CN=Microsoft...eh, it's easier to attach an image. (Sanitized) It's just root servers.
Sorry about the delay, fires to put out at work.
If I'm understanding this correctly, it isn't the way I'm configuring the zone, and there isn't anything being built in AD, so it seems to be something preventing the system from adding it to AD. The DNS server service is indeed running as the Local System account.
Got this, as I always do: "The DNS server encountered error 32 attempting to load zone contoso.com from Active Directory." and ran with it. Noticed your posting over yonder, Chris: https://www.experts-exchange.com/questions/24094790/Prolems-with-DNS-server-updating.html
Started reviewing all of that. DNS server does not have LDAP connectivity. I've attached a dcdiag /c /v report.
...
Alright, after some putzing and creating a new zone, I now have "DC=@" and "DC=defaultPDC" within a folder "contoso.com" under MicrosoftDNS in ADSIedit. Hasn't rebuilt the DNS server's issues though. Deleted the entries; deleted zone. Recreated, the entries come back. I don't recall that happening in the past, so that's something anyway.
I'll be able to look at this off and on, but I'll be out of the office the next two days. I wanted to get everything I did written down at least. I can VPN in to work on it if you've other ideas, Chris.
(Plus, I don't tend to let problems like this go. I'll be thinking about it while I'm off work anyway)
A:\>dcdiag /c /v
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine defaultPDC, is a DC.
* Connecting to directory service on server defaultPDC.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\defaultPDC
Starting test: Connectivity
* Active Directory LDAP Services Check
The host deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.com could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(deadbeef-9a74-4597-a702-2212969ee56e._msdcs.contoso.com)
couldn't be resolved, the server name (defaultPDC.contoso.com)
resolved to the IP address (192.168.100.105) and was pingable. Check
that the IP address is registered correctly with the DNS server.
......................... defaultPDC failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\defaultPDC
Skipping all tests, because server defaultPDC is
not responding to directory service requests
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : contoso
Starting test: CrossRefValidation
......................... contoso passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... contoso passed test CheckSDRefDom
Running enterprise tests on : contoso.com
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... contoso.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\defaultPDC.contoso.com
Locator Flags: 0xe00003fd
PDC Name: \\defaultPDC.contoso.com
Locator Flags: 0xe00003fd
Time Server Name: \\defaultPDC.contoso.com
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\defaultPDC.contoso.com
Locator Flags: 0xe00003fd
KDC Name: \\defaultPDC.contoso.com
Locator Flags: 0xe00003fd
......................... contoso.com passed test FsmoCheck
Starting test: DNS
Test results for domain controllers:
DC: defaultPDC.contoso.com
Domain: contoso.com
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Error: No LDAP connectivity
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000008] Broadcom NetXtreme 5751 Gigabit Controller:
MAC address is 00:11:11:CC:69:E8
IP address is static
IP address: 192.168.100.105
DNS servers:
Warning: 192.168.100.105 (<name unavailable>) [Invalid]
Error: all DNS servers are invalid
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
192.168.100.1 (<name unavailable>) [Valid]
192.168.100.103 (<name unavailable>) [Valid]
TEST: Delegations (Del)
No delegations were found in this zone on this DNS server
TEST: Dynamic update (Dyn)
Dynamic update is enabled on the zone contoso.com.
Test record _dcdiag_test_record added successfully in zone contoso.com.
Test record _dcdiag_test_record deleted successfully in zone contoso.com.
TEST: Records registration (RReg)
Error: Record registrations cannot be found for all the network adapters
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 192.168.100.105 (<name unavailable>)
1 test failure on this DNS server
This is a valid DNS server
Name resolution is not functional. _ldap._tcp.contoso.com. failed on the DNS server 192.168.100.105
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
DNS server: 192.168.100.1 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.168.100.103 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
________________________________________________________________
Domain: contoso.com
defaultPDC PASS FAIL PASS PASS PASS FAIL n/a
......................... contoso.com failed test DNS
dns.bmp
What replication scope do you have set for the zone (in the DNS Console) at the moment? It'd be nice to find it in AD :)
Chris
ASKER
I usually do AD. (as it is the goal here and because it is the default setting, thus easier to recreate) Right now it is AD.
ASKER
Is there something I should know about when it attempts to update? Is there a maintenance process that runs overnight, or something similar? Will it only then update? This should happen instantaneously, shouldn't it?
Updates are generally once every 24 hours, for A and PTR records the DHCP client does it. Service Records and a few others for AD are the responsibility of the NetLogon service.
In AD as in AD Users and Computers?
These are the replication areas:
All Domain Controllers in the AD Domain = AD Users and Computers \ System \ MicrosoftDNS
All DNS Servers in the AD Domain = DC=DomainDnsZones,DC=yourd
All DNS Servers in the AD Forest = DC=ForestDnsZones,DC=yourd
If it's not working while held in AD I would switch to Standard Primary (not AD Integrated). Doing so lets us investigate the state of AD without it dying at the DNS / Connectivity test stage.
Chris
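To make the replication-scope-to-AD-location mapping above checkable from the command line, here is an added read-only diagnostic batch script (not from anyone in this thread). It assumes the sanitized names used in the question (domain contoso.com, DN DC=contoso,DC=com, DNS server 192.168.100.105) and the Windows 2003 Support Tools (dsquery, repadmin, dnscmd) on the DC; the netlogon.dns file it prints is the standard list of records NetLogon tries to register.

```batch
@echo off
REM Added diagnostic script, not from the thread. It checks the two things the
REM discussion keeps circling: where (if anywhere) the zone object lives in AD
REM for each replication scope, and whether the records dcdiag complains about
REM actually resolve against this server. It only reads; it changes nothing.
REM Assumptions: domain contoso.com (DC=contoso,DC=com), DNS server 192.168.100.105,
REM Windows 2003 Support Tools installed (dsquery, repadmin, dnscmd).
setlocal
set DOMAIN=contoso.com
set DOMDN=DC=contoso,DC=com
set DNSSRV=192.168.100.105

echo === dnsZone objects per replication scope (containers named MicrosoftDNS) ===
echo -- All DCs in the AD domain: CN=System\MicrosoftDNS --
dsquery * "CN=MicrosoftDNS,CN=System,%DOMDN%" -scope onelevel -filter "(objectClass=dnsZone)" -attr dc
echo -- All DNS servers in the AD domain: DomainDnsZones partition --
dsquery * "CN=MicrosoftDNS,DC=DomainDnsZones,%DOMDN%" -scope onelevel -filter "(objectClass=dnsZone)" -attr dc
echo -- All DNS servers in the AD forest: ForestDnsZones partition --
dsquery * "CN=MicrosoftDNS,DC=ForestDnsZones,%DOMDN%" -scope onelevel -filter "(objectClass=dnsZone)" -attr dc

echo === What the DNS service itself says it hosts (and where it stores each zone) ===
dnscmd %DNSSRV% /EnumZones

echo === The DSA GUID this DC must register as a CNAME under _msdcs ===
REM repadmin prints a line "DSA object GUID: <guid>"; the guid is the 4th token.
for /f "tokens=4" %%g in ('repadmin /showrepl ^| find "DSA object GUID"') do set DSAGUID=%%g
echo DSA GUID: %DSAGUID%
nslookup -type=CNAME %DSAGUID%._msdcs.%DOMAIN% %DNSSRV%

echo === The SRV record dcdiag reported missing, plus the DC locator record ===
nslookup -type=SRV _ldap._tcp.%DOMAIN% %DNSSRV%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DNSSRV%

echo === Records NetLogon is trying to register (compare against the queries above) ===
type %SystemRoot%\System32\config\netlogon.dns
endlocal
```

If the dsquery sections all come back empty while dnscmd /EnumZones reports the zone as AD-integrated, the service is failing to write the zone into the directory, which is the situation the "error 32 attempting to load zone" events describe.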
ASKER
Didn't replicate. (Was out sick yesterday) Setting it to standard.
Hey,
I hope you're feeling better. Let me know how you get on with the change to standard.
Cheers,
Chris
ASKER
Is there a way I can force the updates or do you really have to wait 24 hours per test? I'm going to guess that's not the same as "Reloading" the zone? (Since that does nothing for me)
ASKER
Well, it's still not building the folders by itself, but I've been mimicking a fresh install with a new DNS server on it, and as I create the values it clears more and more DCDiag problems. I was operating under the hope that if I setup enough it would take over once whatever is broken was restored. No such luck. I'm looking up ways to import to AD so I can import much of the folder structure from the other (after modifying appropriately of course) so testing is a bit easier.
I have found that if I create new zones with the third option "For all Domain controllers" it winds up in Active directory, but if I set the first or second, referring to "DNS servers" it will not. The system doesn't seem to consider itself a DNS server?
I keep coming back to the idea that there's some wonky setting in AD somewhere that's preventing normal operation.
I'm assuming there's no "Sledgehammer" solution to resolve DNS issues like this? (Since removing and reinstalling "DNS Server" with the wizard didn't help.) Ya know, apart from the reinstall this system should undergo.
Sorry, I was trying to finish off an assignment.
I would take AD out of the equation entirely for DNS, delete the AD Integrated zone and create a new Primary without ticking Store in AD.
Can you post the contents of this file:
%SystemRoot%\System32\conf
Cheers,
Chris
ASKER CERTIFIED SOLUTION
Hmm neither should have made any difference. But no matter, as long as you're working now :)
Chris
ASKER
On my server, I do recall that "Append these DNS suffixes (in order)" was selected, with "contoso.com" within the box. I removed that I'm certain. I'm not sure which of the two bottom boxes were checked but I believe the bottom one was not.
ASKER
I inherited this machine, and due to a SNAFU before I got there, an array was rebuilt backwards that had degraded a year ago. The NTDS.dit files were on that array, and I was forced to reset the local machine account. I thought this worth mentioning, but given that the other system services are functioning without issue I'm not sure if it is relevant.
(Yes, it should just be rebuilt, but unfortunately it's not an option at the moment)