Active Directory DNS test shows failure

Hello:

I was working on some DNS stuff and found references to a bunch of old domain controllers that no longer exist.  I started cleaning them up and wondered if we are having performance issues due to all of these old entries.  I Googled the issue and found the DCDIAG /TEST:DNS test.  I ran that and got this as a summary:

         Summary of DNS test results:

         
                                        Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: domain.com

               DC01                     PASS PASS PASS FAIL PASS PASS n/a  
               DC02                     PASS PASS PASS FAIL PASS PASS n/a  
               DC03                     PASS PASS PASS FAIL PASS PASS n/a  
               DC04                     PASS PASS PASS FAIL PASS PASS n/a  
               DC05                     PASS PASS PASS FAIL PASS WARN n/a  
               DC06                     PASS PASS PASS FAIL PASS WARN n/a  
         
         ......................... domain.com failed test DNS



I'm concerned about the "del" column, which has to do with Delegation.  I'm not sure what the implications of this failure are.  Can someone enlighten me?

Thanks,

Dan
ddotsonAsked:
achaldaveCommented:
More on dcdiag can be found at

http://technet.microsoft.com/en-us/library/cc776854%28v=WS.10%29.aspx

Make sure every NS record has an A record.
0
ddotsonAuthor Commented:
So all of our DNS servers are domain controllers.  From your article I read:

The delegation test confirms that the delegated name server is a functioning DNS Server.

The delegation test checks for broken delegations by ensuring that all NS records in the Active Directory domain zone in which the target domain controller resides have corresponding glue A records.

Does this mean that we have broken delegations?  What does this mean?  What are the implications?
0
gfilipeCommented:
Hi ddotson,

This means some of the zones you have configured in your DNS servers are not delegated. In more practical terms, that means those DNS servers are not giving any name answers regarding those zones.

If this is your internal domain you should create the appropriate delegations on your DNS servers; to create them, check out this document:

http://technet.microsoft.com/en-us/library/cc785881(v=ws.10).aspx


Regards,
GFilipe
0
ddotsonAuthor Commented:
I saw this entry in the section for each domain controller (dns server):

TEST: Delegations (Del)
   Delegation information for the zone: domain.com.
      Delegated domain name: _msdcs.domain.com.
      Error: DNS server: lgedc.domain.com. IP:<Unavailable>

      [Missing glue A record]

     [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]



The entry "lgedc.domain.com" is an old domain controller.  There is nothing else in that subdomain.

I looked at the instructions for adding delegations, but it didn't make sense.  Here is a screen shot:

Picture of DNS window
This is for our internal active directory domain name.  I'm not sure what I would enter here.

Also, we use these DNS servers for our websites (split-brain).  So there are many many zones.

I hope that I'm making sense.
0
Life1430Commented:
There are 2 parts you should focus on:
1) You do not have any stale DCs in your environment
2) You have configured correct DNS settings

Please go through the below and check that both things are correct.

Run "netdom query DC" and check if you see any DC which was previously removed or forcefully demoted.

If you find any old DC which is not present in your env please use the below links
Metadata cleanup:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Seize FSMO role:
http://www.petri.co.il/seizing_fsmo_roles.htm

----------->> Verify if DNS is correctly configured on DCs <<----------

How we should configure DNS on our DCs:

Every DNS server should point to its own IP as the primary DNS and a DNS server located in a remote site as the secondary DNS in TCP/IP properties
All unused NICs are to be disabled
Valid DNS IPs from the ISP are to be configured in DNS forwarders; do not configure local DNS in forwarders
Public DNS IPs should not be used on any NIC except in forwarders
Domain controllers should not be multi-homed
Running a VPN server or RRAS server makes the DC multi-homed, refer http://support.microsoft.com/default.aspx?scid=kb;en-us;272294


If anything above is incorrect please correct it and run "ipconfig /flushdns & ipconfig /registerdns " and restart DNS service using "net stop dns & net start dns"

DNS best practices
http://technet.microsoft.com/en-us/library/cc778439(v=WS.10).aspx

Checklist: Deploying DNS for Active Directory
http://technet.microsoft.com/en-us/library/cc757116(v=ws.10)
0
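The checklist in this answer can be turned into a read-only audit. The script below is an added example, not code from the thread or from Microsoft: run on a domain controller that is also a DNS server, it checks that the primary DNS client address is the DC's own IP, that a secondary exists and is not the same host, that no forwarder points back at the server itself, and that only one adapter is up. It assumes the DnsClient, NetTCPIP, NetAdapter and DnsServer modules (RSAT DNS Server tools) are present; it does not check whether the secondary DNS server is in a remote AD site, and it changes nothing.

```powershell
# Added example (not from the thread). Audits this DC's DNS client settings and
# DNS Server forwarders against the checklist above. Reports only; no changes made.
# Assumes: DnsClient, NetTCPIP, NetAdapter and DnsServer modules are installed.

$findings = [System.Collections.Generic.List[string]]::new()

# IPv4 addresses bound on this host (loopback excluded); "self" for the checks below
$localIPs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress

function Test-IsSelf([string]$ip) { ($ip -eq '127.0.0.1') -or ($ip -in $localIPs) }

# 1. One connected adapter only; more than one suggests a multi-homed DC
$upAdapters = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
if ($upAdapters.Count -gt 1) {
    $findings.Add("$($upAdapters.Count) adapters are Up; DC may be multi-homed (disable unused NICs)")
}

# 2. DNS client order per connected adapter: self first, a different DC second
foreach ($adapter in $upAdapters) {
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses)
    if ($dns.Count -eq 0) {
        $findings.Add("[$($adapter.Name)] no IPv4 DNS servers configured")
        continue
    }
    if (-not (Test-IsSelf $dns[0])) {
        $findings.Add("[$($adapter.Name)] primary DNS is $($dns[0]); expected this DC's own address")
    }
    if ($dns.Count -lt 2) {
        $findings.Add("[$($adapter.Name)] no secondary DNS server; add a DC in another site")
    } elseif (Test-IsSelf $dns[1]) {
        $findings.Add("[$($adapter.Name)] secondary DNS also points at this host")
    }
}

# 3. Forwarders must be external resolvers, never this server itself
$forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
if ($forwarders.Count -eq 0) {
    $findings.Add('No forwarders configured; unresolved names fall back to root hints')
}
foreach ($ip in $forwarders) {
    if (Test-IsSelf $ip) { $findings.Add("Forwarder $ip is this server's own address") }
}

if ($findings.Count -eq 0) {
    'DNS client and forwarder settings match the checklist'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on each DC; a clean result prints one line, otherwise one FINDING line per deviation so the output can be compared across the DC01 to DC06 list in the question.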

gfilipeCommented:
Hi,

In fact the glue record is the A record that resolves the domain controller's name to an IP address.

You should go to the domain controller and run:
ipconfig /registerdns
This registers this record.
Make sure all communications are OK between the domain controller and the DNS server (a ping to the DNS server from the DC should do it).

To manually add this record, open the zone for the AD domain name, right-click, select New Host (A or AAAA), name it the domain controller's host name and give it the IP address of the domain controller.

This should correct that specific issue.

Hope this helps,
Regards,
GFilipe
0
achaldaveCommented:
The error means that some of the name servers listed for your zone don't have an IP address associated with them.

Check your DNS server: under Forward Lookup Zones -> domain.com, check all the NS records.

Based on the error you posted, there is no A record for the name server lgedc.domain.com. If it is an old server, just remove it from the NS records; if it is a live server, just add an A record for it.
0
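The check this answer describes (every NS record in the zone, including the one that delegates _msdcs, must name a server with a glue A record) is what dcdiag's Del test runs. The script below is an added example, not code from the thread or from dcdiag: it lists every NS record in the zone, and for each name server that lives inside the zone looks for its A record in that zone (the glue), while a name server outside the zone is simply resolved. It assumes the DnsServer module (RSAT DNS Server tools) and read access to the zone; the zone name domain.com is the thread's placeholder. It reports only and deletes nothing, so a stale entry like lgedc.domain.com shows up as a finding for you to remove by hand.

```powershell
# Added example (not from the thread). Lists NS records in an AD DNS zone and checks
# that each named server has a glue A record, mirroring dcdiag /test:dns "Del".
# Assumes: DnsServer module; $ZoneName is the thread's placeholder, replace with yours.
param(
    [string]$ZoneName  = 'domain.com',
    [string]$DnsServer = $env:COMPUTERNAME   # DNS server to query
)

$zone       = $ZoneName.TrimEnd('.')
$zoneSuffix = ".$zone."                      # NS data is an FQDN with a trailing dot

# All NS records: the zone apex ("@") plus any delegation nodes such as "_msdcs"
$nsRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType NS

$report = foreach ($rec in $nsRecords) {
    $ns    = $rec.RecordData.NameServer      # e.g. "dc01.domain.com."
    $owner = if ($rec.HostName -eq '@') { $zone } else { "$($rec.HostName).$zone" }

    if ($ns.EndsWith($zoneSuffix, [System.StringComparison]::OrdinalIgnoreCase)) {
        # In-zone name server: the glue must be an A record in this same zone
        $label = $ns.Substring(0, $ns.Length - $zoneSuffix.Length)
        $glue  = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone `
                     -Name $label -RRType A -ErrorAction SilentlyContinue
        $addrs = @($glue | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    } else {
        # Out-of-zone name server: glue is not required here, just confirm it resolves
        $addrs = @((Resolve-DnsName -Name $ns -Type A -Server $DnsServer -DnsOnly `
                     -ErrorAction SilentlyContinue).IPAddress)
    }

    [pscustomobject]@{
        Owner      = $owner
        NameServer = $ns
        Address    = ($addrs -join ', ')
        Status     = if ($addrs.Count -gt 0) { 'OK' } else { 'MISSING glue A record' }
    }
}

$report | Sort-Object Status, Owner | Format-Table -AutoSize
```

Any row with Status "MISSING glue A record" corresponds to the dcdiag error 9714 shown earlier in the thread; the Owner column tells you which node (the zone apex or the _msdcs delegation) carries the stale NS record.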
ddotsonAuthor Commented:
OK - so to be clear, we don't *think* we are seeing any problems.  However, that could be manifested as something else, and DNS be the real culprit.  I don't know at this time.

I have made three changes based on what you've all posted:

1) I checked the domain controller's DNS settings.  Most were mis-configured to point to another domain controller.  I pointed the primary DNS to itself and then the secondary to a domain controller outside of the AD site.

2) I configured all forwarders to go to the Internet (8.8.8.8, etc) instead of another domain controller.  To be clear, these were forwarding to a single domain controller, which was then forwarding to the internet.  Now they all forward to the internet.

3) Checked for stale DC per the previous instructions.  Did not find any.

For clarification, here is an image of that strange entry:

Dns Window 2
The Zone listed is our AD domain.  The entry is for the old lgedc.domain.com domain controller.  I can delete this?  Should there be entries for the other domain controllers there?

Thanks,

Dan
0
Life1430Commented:
You may delete this and restart DNS server service
0
ddotsonAuthor Commented:
I've rerun the test and everything passes!

I'm still a little foggy about the delegation.  If no zones are delegated, are we at some sort of risk?  Say one server goes down, etc?
0
Life1430Commented:
It is exactly for such cases that we configure secondary DNS servers in the TCP/IP search order on DCs as well as member clients.
0
ddotsonAuthor Commented:
Thank you everyone for your help.  I think things will be much cleaner going forward.

Thanks,

Dan
0
gfilipeCommented:
Hi,

To understand zone delegation I believe this is a good doc:
http://technet.microsoft.com/en-us/library/cc771640.aspx

further to this:
"Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as Global Catalog (GC), Kerberos, and (LDAP). Sometimes clients might need to contact a Microsoft-hosted service. For that reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records that are registered by Microsoft-based services. The Netlogon process dynamically creates these records on each domain controller (DC). The _msdcs subdomain also includes the globally unique identifier (GUID) for all domains in the forest and a list of GC servers.

If you install a new forest on a system that runs Windows Server 2003 and let the Dcpromo wizard configure DNS, Dcpromo will actually create a separate zone called _msdcs.<forest name> on the DNS server. This zone is configured to store its records in a forestwide application directory partition, ForestDNSZones, which is replicated to every DC in the forest that runs the DNS service. This replication makes the zone highly available anywhere in the forest."

Hope this answers your question,
Regards,
GFilipe
0