missing _ldap DNS entry related to _msdcs.xxx.local in zone event 4010

I am getting error 4010 The DNS server was unable to create a resource record for  fdc394f4-e3d4-4bdc-abfd-bd1f34f91056._msdcs.xxx.local. in zone xxx.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

I have traced this to what I believe is a missing _ldap SRV record somewhere in DNS. As per MS article http://support.microsoft.com/kb/816587, I performed the test.

The output of the test is:

C:\Users\administrator.xxx>nslookup
Default Server:  dc-02.xxx.local
Address:  192.168.10.11

> set type=all
> _ldap._tcp._dc.xxx.local
Server:  dc-02.xxx.local
Address:  192.168.10.11

*** dc-02.xxx.local can't find _ldap._tcp._dc.xxx.local: Non-existent domain
>

My question is where is this entry located and how do I correct it?

Environment is server 2008r2 and windows 7
villageengineerAsked:

villageengineerAuthor Commented:
update:

I get the same results dc-name.xxx.local can't find _ldap._tcp._dc.xxx.local: Non-existent domain
when the nslookup test is run from all domain controllers and workstations.
0
mwheeler1982Commented:
From each of your domain controllers, try running the following command
dcdiag /fix


0
EnigoCommented:
What version of Server are you using (2003, 2008, standard, enterprise etc) ...
0

villageengineerAuthor Commented:
Environment is server 2008 r2 and windows 7
0
mwheeler1982Commented:
Also, for what it's worth, dcdiag can perform the DNS tests for you.

See the full dcdiag documentation at: http://technet.microsoft.com/en-us/library/cc731968(v=ws.10).aspx
0
villageengineerAuthor Commented:
C:\Users\administrator.xxxx>dcdiag
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server....Home Server = DC-02
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site\DC-02
      Starting test: Connectivity
         ......................... DC-02 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site\DC-02
      Starting test: Advertising
         ......................... DC-02 passed test Advertising
      Starting test: FrsEvent
         ......................... DC-02 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC-02 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-02 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-02 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-02 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-02 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=xxxx,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=xxxx,DC=local
         ......................... DC-02 failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-02 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-02 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC-02 passed test Replications
      Starting test: RidManager
         ......................... DC-02 passed test RidManager
      Starting test: Services
         ......................... DC-02 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000079
            Time Generated: 07/16/2012   09:27:05
            Event String:
            The firewall exception to allow Internet Storage Name Server (iSNS) client functionality is not enabled. iSNS client functionality is not available.
         An error event occurred.  EventID: 0x00000067
            Time Generated: 07/16/2012   09:27:58
            Event String:
            Timeout waiting for iSCSI persistently bound volumes. If there are any services or applications that use information stored on these volumes then they may not start or may report errors.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 07/16/2012   09:27:59
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         An error event occurred.  EventID: 0xC0001B70
            Time Generated: 07/16/2012   09:28:25
            Event String:
            The File Server Resource Manager service terminated with service-specific error %%-2147200234.
         A warning event occurred.  EventID: 0x800003EA
            Time Generated: 07/16/2012   09:30:26
            Event String:
            HP WBEM data was captured and compressed as a raw data format.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 07/16/2012   09:30:40
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/DC-02.VFP.local; WSMAN/DC-02.
         A warning event occurred.  EventID: 0x80000434
            Time Generated: 07/16/2012   09:41:10
            Event String:
            The reason supplied by user xxxx\Administrator for the last unexpected shutdown of this computer is: Other (Unplanned)
         An error event occurred.  EventID: 0x00000456
            Time Generated: 07/16/2012   09:43:47
            Event String:
            An error occurred during processing of ntprint.inf. The file might be corrupted. Run Setup again to reinstall the file.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 07/16/2012   09:43:50
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.
         ......................... DC-02 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-02 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidation
   Running partition tests on : xxxx
      Starting test: CheckSDRefDom
         ......................... xxxx passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... xxxx passed test CrossRefValidation
   Running enterprise tests on : xxxx.local
      Starting test: LocatorCheck
         ......................... xxxx.local passed test LocatorCheck
      Starting test: Intersite
         ......................... xxxx.local passed test Intersite
C:\Users\administrator.xxxx
0
villageengineerAuthor Commented:
controller is not a RODC
0
peelersCommented:
Go to each of your DCs, and restart the NetLogon service.  Then check DNS again.
0
EnigoCommented:
With regard to your nslookup, once you type in nslookup, I think the next line should be:

_ldap._tcp.dc._msdcs.DOMAIN.LOCAL

In your original question, you typed:

_ldap._tcp.dc.DOMAIN.LOCAL

I just tested this on my servers and the one you typed gave me the exact same errors but when I added _msdcs , I got the correct results ...
0
EnigoCommented:
Also, no "_" before "dc"
0
peelersCommented:
Do not manually create the entries, this risks having incorrect ACLs.  Please restart netlogon on all DCs first and see if that works.
0
villageengineerAuthor Commented:
You're right, I should not have entered set type=all before _ldap._tcp.dc._msdcs

So I still have to figure out why I'm getting event error 4010.

The DNS server was unable to create a resource record for  fdc394f4-e3d4-4bdc-abfd-bd1f34f91056._msdcs.xxx.local. in zone xxx.local.
The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
0
EnigoCommented:
Try the following:

1. go to a command prompt
2. type - cd\windows\system32\config
3. type - net stop netlogon
4. type - ren netlogon.dns netlogon.dns.old
5. type - ren netlogon.dnb netlogon.dnb.old
6. type - net start netlogon - this will take a minute or so
7. type ipconfig /flushdns
8. type ipconfig /registerdns

Check your event viewer.  You may need to restart DNS as well.
0
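The eight manual steps above as one script, added here as an example and not posted by anyone in the thread. It does the same thing (stop Netlogon, set aside netlogon.dns and netlogon.dnb, start Netlogon, flush and re-register), with two differences: the old files are moved to a timestamped backup folder rather than renamed to .old, so the step can be repeated, and the regenerated netlogon.dns is checked for the _ldap._tcp.dc._msdcs SRV line and the DSA-GUID CNAME line that the 4010/2087 events are about. It assumes an elevated PowerShell prompt on a Server 2008 R2 or later DC; nltest /dsregdns is used to force registration immediately instead of waiting for Netlogon's periodic refresh.

```powershell
# Added example (not from the thread). Run elevated on each DC.
$configDir = Join-Path $env:SystemRoot 'System32\config'
$backupDir = Join-Path $env:TEMP ("netlogon-dns-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Steps 3-5: stop Netlogon and set aside the files it generated last time.
Stop-Service Netlogon -Force
foreach ($f in 'netlogon.dns', 'netlogon.dnb') {
    $p = Join-Path $configDir $f
    if (Test-Path $p) { Move-Item -Path $p -Destination (Join-Path $backupDir $f) }
}

# Steps 6-8: Netlogon rewrites netlogon.dns on start; nltest pushes the
# DC-specific records to DNS now rather than on the next refresh cycle.
Start-Service Netlogon
nltest /dsregdns      | Out-Null
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null

# Verify: wait for the regenerated file, then look for the two record types
# the thread is chasing (the SRV set and this DC's <DSA GUID>._msdcs CNAME).
$new = Join-Path $configDir 'netlogon.dns'
$deadline = (Get-Date).AddSeconds(60)
while (-not (Test-Path $new) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 2 }
if (-not (Test-Path $new)) { throw "Netlogon did not regenerate $new" }

$lines = Get-Content $new
$srv   = @($lines | Where-Object { $_ -match '^_ldap\._tcp\.dc\._msdcs\.' })
$cname = @($lines | Where-Object { $_ -match '^[0-9a-f-]{36}\._msdcs\..*\s+CNAME\s+' })
"$($srv.Count) _ldap._tcp.dc._msdcs SRV line(s); $($cname.Count) DSA-GUID CNAME line(s) in $new"

# Show what changed against the file Netlogon wrote before, if there was one.
$old = Join-Path $backupDir 'netlogon.dns'
if (Test-Path $old) { Compare-Object -ReferenceObject (Get-Content $old) -DifferenceObject $lines }
```

If the CNAME count is 0 after this runs, the missing record is not a stale-file problem on this DC; netlogon.dns is what Netlogon tried to register, and the 4010 error is the DNS server refusing to create it from the directory, which is where the later comments in this thread go.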
villageengineerAuthor Commented:
do I need to do this for all DC's?
0
EnigoCommented:
Are all the DC's getting the error?
0
villageengineerAuthor Commented:
Yes, all DCs are getting the same error.

The fix above did not resolve the issue, even after a reboot.
0
villageengineerAuthor Commented:
Update....I have found a corresponding error, now I have (I think) a cause and effect

Event ID 2087 - Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 DC-01
Failing DNS host name:
 54fdf1f3-cf2f-44fe-8758-83d6d1be4095._msdcs.xxxx.local

and

Event ID 4010 - The DNS server was unable to create a resource record for  fdc394f4-e3d4-4bdc-abfd-bd1f34f91056._msdcs.xxxx.local. in zone xxxx.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
0
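A check that covers both the naming correction Enigo made above (it is _ldap._tcp.dc._msdcs.<domain>, with no underscore before dc) and the GUID names in these two events. Event 2087's "failing DNS host name" is the CNAME <objectGUID of the source DC's NTDS Settings object>._msdcs.<forest root>, which Netlogon registers for every DC and replication partners resolve to find each other; event 4010 is the DNS server failing to build the same kind of record from its directory copy. The script below, added here and not part of the thread, queries an authoritative DC for the standard locator SRV records and then for one DSA-GUID CNAME per DC, and flags anything missing or pointing at the wrong host. It assumes the RSAT ActiveDirectory module and Resolve-DnsName (a Windows 8 / Server 2012 or later admin host); on a 2008 R2 box replace Resolve-DnsName with "nslookup -type=<type> <name> <server>" and read the output by hand.

```powershell
# Added example (not from the thread). Read-only; runs as any domain user.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$root   = $forest.RootDomain        # _msdcs.<forest root> holds the GUID CNAMEs and GC records
$d      = $domain.DNSRoot
$server = $domain.PDCEmulator       # ask an authoritative DC directly, not a caching resolver

function Get-RecordTargets {
    # Returns SRV targets or the CNAME host for $Name, or $null if the name does not exist.
    param([string]$Name, [ValidateSet('SRV','CNAME')][string]$Type)
    try {
        $rr = Resolve-DnsName -Name $Name -Type $Type -Server $server -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq $Type }
    } catch { return $null }
    if (-not $rr) { return $null }
    if ($Type -eq 'SRV') { return @($rr | ForEach-Object { $_.NameTarget }) }
    return @($rr | ForEach-Object { $_.NameHost })
}

# Locator SRV records every DC registers (the first one is the name mistyped in the question).
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$d";     Type = 'SRV' }
    @{ Name = "_kerberos._tcp.dc._msdcs.$d"; Type = 'SRV' }
    @{ Name = "_ldap._tcp.pdc._msdcs.$d";    Type = 'SRV' }
    @{ Name = "_ldap._tcp.gc._msdcs.$root";  Type = 'SRV' }
    @{ Name = "_ldap._tcp.$d";               Type = 'SRV' }
    @{ Name = "_kerberos._tcp.$d";           Type = 'SRV' }
)

# One CNAME per DC: <NTDS Settings objectGUID>._msdcs.<root> must point at the DC's FQDN.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $checks += @{ Name = "$($ntds.objectGUID)._msdcs.$root"; Type = 'CNAME'; Expect = $dc.HostName }
}

$report = foreach ($c in $checks) {
    $targets = Get-RecordTargets -Name $c.Name -Type $c.Type
    $status  = if ($null -eq $targets)                                  { 'MISSING' }
               elseif ($c.Expect -and ($targets -notcontains $c.Expect)) { 'WRONG TARGET' }
               else                                                     { 'ok' }
    [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Status = $status; Targets = ($targets -join ',') }
}
$report | Format-Table -AutoSize
```

A MISSING line for a GUID CNAME whose GUID matches the one in your 2087 event confirms the cause-and-effect you describe: that DC's partners cannot resolve it, so replication from it stops until the record exists. The GUID in the 2087 event and the GUID in the 4010 event are different, which is consistent with two DCs each failing to get their own CNAME created.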
EnigoCommented:
Are your DCs also DNS servers?  Are the NICs pointing to the internal DNS servers? Do you have reverse lookup zones?
0
villageengineerAuthor Commented:
Yes, the DC's are DNS servers

Yes, the NICs point to their own IP address for primary DNS, and the secondary IP address is the opposite internal DNS server. We found that pointing the NIC to its own IP address vs. the loopback address works better.

Yes, there are reverse lookup zones for all internal networks, and loopback appears to be working well. We manually created these networks except for three entries that appeared on their own:

0.in-addr.arpa
127.in-addr.arpa
255.in-addr.arpa
0
villageengineerAuthor Commented:
DNS zone screen shot attached
0
EnigoCommented:
I don't see the screenshot, but good on the reverse lookup zone.  Since I can't see the screenshot, I would check in the reverse lookup zone and make sure that my 2 DC/DNS servers' IP addresses are there.  If either or both are missing, add it/them.

Next, I would try what I typed above on both servers.

Another suggestion I would have (if the above doesn't work) would be to uncheck the box on the zones that says "Store the zone in Active Directory", click apply then re-check the box.  Do this on both servers.

1. Right click on the _msdcs.DOMAIN.LOCAL forward lookup zone and select properties
2. On the General tab, make sure that the "Replication:" All DNS servers in this domain is what is showing.  If it is something else, click the "Change" button and change it to "All DNS servers in this domain"
3. On the General tab beside "Type: Active Directory-Integrated" is a "Change" button; click it
4. Un-check the box that says "Store the zone in Active Directory ..." and click the OK button
5. Repeat steps 1 through 4 on the "DOMAIN.local" forward lookup zone and the reverse lookup zone (not the 3 that you showed in your post).

Once you have removed all the zones from the Active Directory, place them all back by re-checking the "Store the zone in Active Directory..." check box starting with the _msdcs.DOMAIN.local then the DOMAIN.local forward lookup zone then the reverse lookup zone.

"DOMAIN.local" will be the name of your domain.extension
0
villageengineerAuthor Commented:
The steps above corrected the issue with event ID 4010 and 2087; however, after performing the steps all DNS zone transfer information was reset to defaults for both forward and reverse entries.
Settings had to be entered and re-entered multiple times before they "stuck". This occurred on all DNS servers.

Restart DNS services, double check entries, and also restart DNS servers and double check entries after following the steps above.
0
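The accepted procedure (take each zone out of Active Directory, then put it back, _msdcs first) with the caveat from the follow-up handled up front: zone transfer and notify settings are captured before the conversion and written back afterwards, and the result is compared so you can see whether they stuck. This is an added example, not code from the thread. It assumes the DnsServer PowerShell module, which ships with Windows Server 2012 and later (on 2008 R2 the same operations are dnscmd /ZoneInfo, /ZoneResetType and /ZoneResetSecondaries); the zone names in $ZoneNames are placeholders. Two things the GUI steps do not make obvious: converting an AD-integrated zone to file-backed deletes the directory copy, so every other DNS server loses that zone until it is re-integrated and replicates back, which is why this runs on one server only; and a zone with a custom application partition (ReplicationScope "Custom") is not handled here.

```powershell
# Added example (not from the thread). Run elevated on ONE DNS server/DC.
Import-Module DnsServer

# Placeholders: the _msdcs zone first, then the domain zone, then the reverse zone(s).
$ZoneNames = @('_msdcs.xxx.local', 'xxx.local', '10.168.192.in-addr.arpa')

function Save-ZoneTransferSettings([string]$Zone) {
    # Snapshot of everything the follow-up says was reset to defaults.
    $z = Get-DnsServerZone -Name $Zone
    [pscustomobject]@{
        ZoneName          = $z.ZoneName
        ReplicationScope  = $z.ReplicationScope     # Forest / Domain / Legacy
        SecureSecondaries = $z.SecureSecondaries    # who may pull zone transfers
        SecondaryServers  = @($z.SecondaryServers)
        Notify            = $z.Notify
        NotifyServers     = @($z.NotifyServers)
        DynamicUpdate     = $z.DynamicUpdate        # should stay Secure on AD zones
    }
}

function Restore-ZoneTransferSettings($Saved) {
    $p = @{ Name = $Saved.ZoneName; SecureSecondaries = $Saved.SecureSecondaries
            Notify = $Saved.Notify; DynamicUpdate = $Saved.DynamicUpdate }
    if ($Saved.SecondaryServers.Count -gt 0) { $p.SecondaryServers = $Saved.SecondaryServers }
    if ($Saved.NotifyServers.Count    -gt 0) { $p.NotifyServers    = $Saved.NotifyServers }
    Set-DnsServerPrimaryZone @p
}

$saved = foreach ($zn in $ZoneNames) { Save-ZoneTransferSettings $zn }
$saved | Export-Clixml -Path (Join-Path $env:TEMP 'zone-settings-before.xml')   # keep a copy on disk

# Step 4 of the answer for every zone: uncheck "Store the zone in Active Directory".
foreach ($s in $saved) {
    ConvertTo-DnsServerPrimaryZone -Name $s.ZoneName -ZoneFile "$($s.ZoneName).dns" -Force
}

# Re-check the box, _msdcs first, keeping the replication scope each zone had.
# (The answer's step 2 is the same call with -ReplicationScope Domain.)
foreach ($s in $saved) {
    ConvertTo-DnsServerPrimaryZone -Name $s.ZoneName -ReplicationScope $s.ReplicationScope -Force
}

# Put the transfer/notify settings back and show before/after so "stuck" is verifiable.
foreach ($s in $saved) {
    Restore-ZoneTransferSettings $s
    $after = Get-DnsServerZone -Name $s.ZoneName
    [pscustomobject]@{
        Zone            = $s.ZoneName
        DsIntegrated    = $after.IsDsIntegrated
        TransfersBefore = $s.SecureSecondaries
        TransfersAfter  = $after.SecureSecondaries
        Match           = ($s.SecureSecondaries -eq $after.SecureSecondaries -and
                           $s.Notify -eq $after.Notify -and
                           $s.DynamicUpdate -eq $after.DynamicUpdate)
    }
}
```

If Match comes back False on a second run after a DNS service restart, re-apply from the saved XML (Import-Clixml, then Restore-ZoneTransferSettings) rather than re-typing values in the console, and check SecureSecondaries in particular: a zone left at TransferAnyServer hands the whole zone, DC names and addresses included, to anyone who can reach TCP 53.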
Microsoft Server OS
Question has a verified solution.