• Status: Solved

DCDIAG /test:DNS results. How do I fix Forwarders

I did a test using DCDIAG on the DNS and it is telling me the forwarder is wrong.  I provided screen shot of current setup of DNS forwarders.   What do I need to do... where can I find instructions?

The DNS is correct according to ISP DNS they provided me:

66.28.0.45  
66.28.0.61
66.28.0.14
66.28.0.30



Here are the results of the test:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINNT\Profiles\Administrator>DCDIAG /test:DNS

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MORPHEUS
      Starting test: Connectivity
         ......................... MORPHEUS passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MORPHEUS

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : log-on

   Running enterprise tests on : log-on.local
      Starting test: DNS
         Test results for domain controllers:

            DC: morpheus.log-on.local
            Domain: log-on.local


               TEST: Basic (Basc)
                  Warning: adapter [00000001] HP NC7781 Gigabit Server Adapter h
as invalid DNS server: 66.28.0.61 (<name unavailable>)

               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 66.28.0.61 (<nam
e unavailable>)

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
log-on.local.

               TEST: Records registration (RReg)
                  Network Adapter [00000001] HP NC7781 Gigabit Server Adapter:
                     Error: Missing A record at DNS server 66.28.0.61 :
                     morpheus.log-on.local

                     Error: Missing CNAME record at DNS server 66.28.0.61 :
                     85b92463-74aa-4866-bf54-cd587562477e._msdcs.log-on.local

                     Error: Missing DC SRV record at DNS server 66.28.0.61 :
                     _ldap._tcp.dc._msdcs.log-on.local

                     Error: Missing GC SRV record at DNS server 66.28.0.61 :
                     _ldap._tcp.gc._msdcs.log-on.local

                     Error: Missing PDC SRV record at DNS server 66.28.0.61 :
                     _ldap._tcp.pdc._msdcs.log-on.local

               Error: Record registrations cannot be found for all the network a
dapters

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 66.28.0.61 (<name unavailable>)
               2 test failures on this DNS server
               Name resolution is not functional. _ldap._tcp.log-on.local. faile
d on the DNS server 66.28.0.61

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: log-on.local
               morpheus                     PASS WARN FAIL PASS WARN FAIL n/a

         ......................... log-on.local failed test DNS








forwarder.JPG
Asked by: handyjay
 
Justin Owens (ITIL Problem Manager) commented:
Your DC/DNS server should be pointing to ITSELF in the NIC settings, not to your ISP.  There should be only INTERNAL DNS server IP addresses on your NIC settings anywhere in your domain.  Good rule of thumb is this:

Each DC/DNS server points to itself as primary and another DC as secondary.
Each client points to two of your internal DNS servers as primary and secondary.

DNS server then forwards all non-domain traffic to the IP addresses you have placed in there.

DrUltima
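
As an added example (not part of the original thread), a small Python triage of the DCDIAG output posted in the question: it rejoins the console-wrapped lines, flags a public address configured as the DC's own NIC DNS server, notes the insecure dynamic update warning, and reads the summary matrix. The function names and the unwrap heuristic are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: excerpt of the DCDIAG /test:DNS output posted above,
# including the 80-column console wrapping ("h" / "as invalid ...").
SAMPLE = """\
               TEST: Basic (Basc)
                  Warning: adapter [00000001] HP NC7781 Gigabit Server Adapter h
as invalid DNS server: 66.28.0.61 (<name unavailable>)
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 66.28.0.61 (<nam
e unavailable>)
               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
log-on.local.
                                            Auth Basc Forw Del  Dyn  RReg Ext
               morpheus                     PASS WARN FAIL PASS WARN FAIL n/a
"""

def unwrap(text):
    # Heuristic (assumption): an unindented line directly after an indented
    # one is the wrapped tail of that line, so glue it back on.
    out = []
    for line in text.splitlines():
        if out and line and not line[0].isspace() and out[-1][:1].isspace():
            out[-1] += line
        else:
            out.append(line)
    return out

def triage(text):
    report = {"public_nic_dns": [], "insecure_update": False, "not_passed": {}}
    cols = None
    for line in unwrap(text):
        # A DC whose NIC lists a public resolver cannot find its own AD records.
        m = re.search(r"adapter .* has invalid DNS server: (\S+)", line)
        if m and not ipaddress.ip_address(m.group(1)).is_private:
            report["public_nic_dns"].append(m.group(1))
        if "Dynamic update is enabled on the zone but not secure" in line:
            report["insecure_update"] = True
        words = line.split()
        if words[:2] == ["Auth", "Basc"]:      # header row of the summary matrix
            cols = words
        elif cols and len(words) == len(cols) + 1:  # "<dc> <result per column>"
            report["not_passed"][words[0]] = {
                c: r for c, r in zip(cols, words[1:]) if r not in ("PASS", "n/a")}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```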

handyjay (Author) commented:
Thanks, that much I was able to figure out regarding the NIC and server pointing from some videos I watched this morning... I'm glad you confirmed my original thought.

How about the Forwarders depicted in the image?  Is that where I put my ISP DNS info?

Justin Owens (ITIL Problem Manager) commented:
Yes.  Those four addresses would go in there.
 
handyjay (Author) commented:
I removed the NIC IP like you suggested and now DCDIAG passes.  

It is now telling me to make my Dynamic update secure.  It is set for both secure and unsecure on Forward zone.  Why would someone not make it secure in the first place?

Justin Owens (ITIL Problem Manager) commented:
Secure allows only authenticated updates to be made.  AD basically tells DNS "only allow people I know to update you."  Now, that is very simplistic, but it gets the point across.

Justin Owens (ITIL Problem Manager) commented:
Silly tab.....

In unsecure updates, DNS allows just anyone who wants to update to update.  This might be needed in a mixed platform environment (Linux, Mac OS, and Windows running on the same network), for example.

DrUltima

handyjay (Author) commented:
Ok, I think this is my last question on this.  

You had mentioned once the quickest way to remove stale DNS is to delete a host entry.

There are still a bunch of host entries in the DNS that I feel should not be there, and running scavenger on it did not remove them... and it more bugs me than anything to see them there.

What happens if I just delete them and one turns out to be a "real" computer?

Justin Owens (ITIL Problem Manager) commented:
Well, when the server or computer re-registers itself into DNS the record will appear again, or you can manually add it in a worst case scenario.

DrUltima