• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1036

Problem removing unused DNS nameservers

We are using Active Directory DNS and have a few unused IP addresses showing up under Forward Lookup Zones > internal domain name > Properties > Name Servers tab of the PDC. If these entries are removed from the PDC and the other AD boxes with DNS, the unused IPs re-add themselves to the Name Servers tab as well as to the (same as parent folder) entry in the listing. I have also attempted stopping the DNS service on the other AD boxes while removing these entries on the PDC. I must be missing a step here... any help would be appreciated.
Asked by: skinneeJ
2 Solutions
 
kaskhedikar_tusharCommented:
Hello,

When you are removing the IP address from the forward lookup zone, make sure that you also remove that unused IP address from the reverse lookup zone.
Then restart your server once and check again.

Regards,
Tushar Kaskhedikar
0
 
skinneeJAuthor Commented:
Tushar
These entries do not show up under reverse lookup zone.

thanks
0
 
kaskhedikar_tusharCommented:
Hi,

Open the Active Directory console and first of all delete the unused computers from Active Directory.
Then delete the unused IP addresses from the DNS forward and reverse lookup zones.
If you are using a Windows DHCP server, or the router's DHCP is enabled, then check the workstation's TCP/IP settings. Assign a static IP address to the workstation.

Regards,
Tushar Kaskhedikar
0
 
ChiefITCommented:
>> Open the Active Directory console and first of all delete the unused computers from Active Directory.

I agree with the statement above, kaskhedikar. But these were old domain servers. There is a little more to it than deleting the old server from the GUI.

If these old servers were not gracefully demoted, they will continue to show up in AD. So you now have to perform AD, DNS, and FRS metadata cleanup. To do this, one of your servers has to be the holder of the FSMO roles. If those roles were not transferred prior to taking the old DCs offline, then you will not be able to make AD object edits, like DNS.

To perform a metadata cleanup, this article will run through it with you step by step. You will have to do this on all remaining domain controllers.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
skinneeJAuthor Commented:
ChiefIT,
I attempted to perform a metadata cleanup, but our issue must be a different one, because when I get to the step "list servers in site", 2 servers are returned and both of these are still in use. The issue is that the first server listed has 2 additional IP addresses assigned to it on the Name Servers tab in DNS, and this causes problems with DNS occasionally.

thanks
0
 
ChiefITCommented:
You might want to start off with the FRS metadata cleanup. These DNS objects reappear because they are being replicated back to the server you remove them from. If the servers don't exist as AD objects, then move on to FRS, then DNS.
0
 
skinneeJAuthor Commented:
>> If the servers don't exist as AD objects, then move on to FRS, then DNS.

I assume you're referring to the unused IP addresses. If so, what is the FRS metadata cleanup? I thought that's what you referred me to in your original post.
0
 
ChiefITCommented:
Those steps are within the article I provided. It's within Active Directory Sites and Services.
0
 
skinneeJAuthor Commented:
Found out that these entries are caused by VMware network adapters. There are two, and they are assigned the unused IP addresses. I changed the settings on the TCP/IP > Advanced > DNS tab by unchecking "Register this connection's addresses in DNS", but the entries reappear after doing this.

Also, I tried stopping the DNS services on the other servers and removing these entries to make sure DNS is not replicating from another box, but the same issue occurs. What is the reason for these adapters, and can they be removed, or how do I change them so they don't show up as name servers?

0
 
ChiefITCommented:
Server 2003 has a quirk in it. When the Netlogon service is restarted, it registers the SRV record of both NICs on the DNS server. As you know, DNS is the service that provides the DNS translation to the authenticating server. If DNS sees two SRV records and Cityofabbeville.int picks up on the NIC that shouldn't be providing DNS to the clients, you may get "no netlogon servers can be found" for your authentication server and see the errors above.

The quirk in Server 2003 is that, regardless of deselecting the option to register the SRV record, when Netlogon is restarted it will still register the SRV record. There is a patch to resolve this. But let's make sure this is the problem. Go into DNS and see if your multihomed DNS server has two SRV records. One will be internal and the other external to your LAN. If you have an SRV record that doesn't belong, you should remove these records. This is only a temporary fix for troubleshooting, because a restart of the Netlogon service will put those records back in DNS.

Then I would go to the XP clients and check the output of ipconfig /all. See if you have picked up a DNS server that is not correct. If so, you will not be able to get the DNS query for the authenticating server to propagate back, so you will not be able to communicate with the authenticating server. Hence you will not be able to authenticate, and you receive errors like you are seeing. Flush the DNS cache and manually configure your list of preferred DNS servers to the correct NICs.

There is a fix for Server 2003. It is a patch.
Have a look at this:
 -- http://support.microsoft.com/?id=832478
0
 
skinneeJAuthor Commented:
Yes, that's the issue we're having, but the fix you referred to is included in the latest service pack, and I have newer versions of the files listed in the hotfix.

I also tried disabling DNS dynamic updates and restarting the Netlogon service but the records continue to reappear.
0
 
ChiefITCommented:
Go to each DNS server's command prompt and type:

DCdiag /test:DNS

What errors do you see?
0
 
aoakeleyCommented:
Try this: http://support.microsoft.com/kb/292822. It is designed for RRAS, but it should also work to stop your VMware IP addresses from registering.

Then, in the properties of the forward lookup zone, check the Name Servers tab and clear out the old entries. Delete any other old entries from the DNS zone.

Reboot the server for good measure.
0
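The two suggestions above (ChiefIT's point that Netlogon re-registers records for every NIC on a multihomed DC, and aoakeley's pointer to the KB292822 approach of restricting which addresses the DNS Server service publishes and listens on) amount to one procedure. The following PowerShell script is an added example, not code from the thread or from either KB article; it runs the procedure end to end on the DC and then shows what Netlogon and the zone now hold. The zone name, the DC host name, the LAN address and the VMware adapter addresses are placeholders.

```powershell
# Added example (not from the thread, KB292822 or KB832478). Run in an elevated
# PowerShell on the multihomed DC. Every value below is a placeholder for this
# environment; adjust before running.
$Zone      = 'corp.example'                         # AD-integrated forward zone
$DcHost    = 'dc1'                                  # DC's host name (node in $Zone)
$LanIp     = '10.0.0.5'                             # address clients must use for DNS/AD
$StaleIps  = @('192.168.100.1', '192.168.200.1')    # VMware host-only/NAT adapter addresses
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Inventory: which adapter carries which address, and which ones the DNS client
#    still registers (FullDNSRegistrationEnabled is the GUI checkbox).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Select-Object Description, @{n='IPs'; e={ $_.IPAddress -join ' ' }}, FullDNSRegistrationEnabled |
    Format-Table -AutoSize

# 2. Disable DNS registration on every adapter that does not carry the LAN address
#    (the VMware adapters). Same effect as clearing "Register this connection's
#    addresses in DNS", applied to all of them at once.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Where-Object { $_.IPAddress -notcontains $LanIp } |
    ForEach-Object {
        $rc = $_.SetDynamicDNSRegistration($false, $false).ReturnValue
        "DNS registration disabled on '$($_.Description)' (ReturnValue=$rc)"
    }

# 3. The Name Servers tab shows the addresses the DNS Server service publishes for
#    its own NS glue. Restrict those to the LAN address and make the service listen
#    only there, so nothing ever hands a client a VMware address as a resolver.
New-ItemProperty -Path $dnsParams -Name PublishAddresses -PropertyType String `
    -Value $LanIp -Force | Out-Null
dnscmd /ResetListenAddresses $LanIp | Out-Null
Restart-Service DNS -Force

# 4. Delete the stale glue by hand: the host A records and the zone-apex
#    "(same as parent folder)" A records that point at the VMware addresses.
#    /f skips the confirmation prompt.
foreach ($ip in $StaleIps) {
    dnscmd /RecordDelete $Zone $DcHost A $ip /f
    dnscmd /RecordDelete $Zone '@' A $ip /f
}

# 5. Re-register. Restarting Netlogon is the real test, since that is what puts
#    the records back when the fix has not taken.
ipconfig /registerdns | Out-Null
Restart-Service Netlogon -Force
Start-Sleep -Seconds 15

# 6. Verify: what Netlogon intends to register, and what the zone now holds.
'--- A records Netlogon will register (netlogon.dns) ---'
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" | Select-String '\sIN\s+A\s'
"--- A records at the apex and for $DcHost in $Zone ---"
dnscmd /EnumRecords $Zone '@' /Type A
dnscmd /EnumRecords $Zone $DcHost /Type A
"--- NS records for $Zone ---"
dnscmd /EnumRecords $Zone '@' /Type NS
```

If the apex "(same as parent folder)" record still comes back with the VMware addresses after the Netlogon restart, the remaining lever Netlogon offers is the DnsAvoidRegisterRecords multi-string value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters with the LdapIpAddress mnemonic, which stops Netlogon registering the apex A record altogether; the record then has to be maintained as a static entry pointing at the LAN address. The reason this matters beyond tidiness is that a DC advertising host-only addresses in its NS glue and apex records is handing clients resolvers and LDAP targets they cannot reach, and the symptom shows up as the "no netlogon servers can be found" authentication failure rather than as anything that looks like a DNS problem.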
 
skinneeJAuthor Commented:
Received errors below:

               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 202.12.27.33

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 198.41.0.4

            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 198.32.64.12

            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 193.0.14.129

            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 192.58.128.30

            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 192.5.5.241

            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 192.36.148.17

            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 192.33.4.12

            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 192.228.79.201

            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 192.203.230.10

            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 192.112.36.4

            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 128.9.0.107

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 128.8.10.90

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the
DNS server 128.63.2.53

0
 
ChiefITCommented:
Check this file:
%SystemRoot%\System32\Config\Netlogon.dns

Within that file there is a list of the interfaces that will register when the Netlogon service is restarted.
==================================
We will get to your root servers in a minute. Have you considered forwarding servers?
0
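The root hint errors in the dcdiag output above are a separate problem from the name server glue: every root server is reported as invalid, which is usually either a DC with no outbound UDP/53 to the Internet or a stale hint list (the output carries two addresses for b.root-servers.net). The following PowerShell script is an added example, not part of the thread: it parses the saved output of dcdiag /test:DNS in the format shown above, probes each listed root server directly, and, if none answers, applies the forwarder configuration ChiefIT is alluding to when run with -Apply. The upstream resolver addresses are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the DC whose dcdiag /test:DNS
# output flagged every root hint. Save that output first, then run the script:
#   dcdiag /test:DNS > dcdiag-dns.txt ; .\Test-RootHints.ps1 -DcdiagLog .\dcdiag-dns.txt
param(
    [string]$DcdiagLog = '.\dcdiag-dns.txt',
    # Placeholder upstream resolvers (assumption): ISP or perimeter DNS the DC may reach.
    [string[]]$Upstream = @('203.0.113.53', '203.0.113.54'),
    [switch]$Apply
)

function Get-RootHintsFromDcdiag {
    param([string[]]$Lines)
    # dcdiag lines look like:
    #   Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
    $re = 'invalid root hint server:\s+(?<name>\S+)\s+\((?<ip>\d{1,3}(\.\d{1,3}){3})\)'
    $Lines | ForEach-Object {
        if ($_ -match $re) {
            New-Object PSObject -Property @{ Name = $matches.name; Ip = $matches.ip }
        }
    }
}

function Test-RootHint {
    param([string]$Ip)
    # Ask the root server directly for the root NS set, bypassing the local resolver.
    # Match only an answer line: nslookup fills in its "Server:" banner through a
    # reverse lookup on the default resolver, which proves nothing about $Ip.
    $out = nslookup -type=NS -timeout=2 -retry=1 '.' $Ip 2>&1 | Out-String
    return [bool]($out -match 'nameserver\s*=\s*\S*root-servers\.net')
}

$hints = Get-RootHintsFromDcdiag (Get-Content $DcdiagLog)
if (-not $hints) { throw "No root hint errors found in $DcdiagLog" }

$reachable = 0
foreach ($h in $hints) {
    $ok = Test-RootHint $h.Ip
    if ($ok) { $reachable++ }
    '{0,-22} {1,-16} {2}' -f $h.Name, $h.Ip, $(if ($ok) { 'answers' } else { 'NO ANSWER' })
}

if ($reachable -gt 0) {
    "$reachable root server(s) answered: recursion via root hints works; refresh the"
    "stale entries from the Root Hints tab of the server properties and re-run dcdiag."
    return
}

'No root server answered: outbound UDP/53 from this DC is blocked, or the list is dead.'
"Forwarders to $($Upstream -join ', ') restore recursion without opening egress to the whole Internet."
if ($Apply) {
    # /Slave: do not fall back to root hints when the forwarders fail, so resolution
    # either goes through the approved upstreams or fails visibly.
    dnscmd /ResetForwarders $Upstream /Slave
    # Resolve an external name through this DC's own DNS service as the check.
    nslookup -timeout=3 www.example.com $env:COMPUTERNAME
}
```

Running it without -Apply only reports; the per-server table tells you whether the DC can reach any root server at all, which is the fact the dcdiag summary leaves ambiguous. Forwarders with /Slave are also the more defensible configuration for a DC on a restricted network, since the only DNS egress the firewall then has to permit is UDP/TCP 53 to the named upstreams.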
 
skinneeJAuthor Commented:
I checked that file previously, and it has the 2 unused IP addresses listed in it as well as the valid IP address of the DNS server.

The problems that we have with DNS name resolution are most noticeable when users (on the network with the name server issue) are trying to connect to a shared drive on a second network, and vice versa. The second network is a trusted network in AD. I heard a workaround for this would be to create an Inter-Site Transport under AD Sites and Services. Preferably we want to correct the source issue instead of applying a workaround.

Would setting up a DNS forwarding server be a better solution?
0
