Solved

Active Directory DNS test shows failure

Posted on 2012-08-21
13
Medium Priority
2,723 Views
Last Modified: 2012-08-21
Hello:

I was working on some DNS stuff and found references to a bunch of old domain controllers that are no longer.  I started cleaning them up and wondered if we are having performance issues due to all of these old entries.  I Google'd the issue and found the DCDIAG /TEST:DNS test.  I ran that and got this as a summary:

         Summary of DNS test results:

         
                                        Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: domain.com

               DC01                     PASS PASS PASS FAIL PASS PASS n/a  
               DC02                     PASS PASS PASS FAIL PASS PASS n/a  
               DC03                     PASS PASS PASS FAIL PASS PASS n/a  
               DC04                     PASS PASS PASS FAIL PASS PASS n/a  
               DC05                     PASS PASS PASS FAIL PASS WARN n/a  
               DC06                     PASS PASS PASS FAIL PASS WARN n/a  
         
         ......................... domain.com failed test DNS



I'm concerned about the "del" column, which has to do with Delegation.  I'm not sure what the implications of this failure are.  Can someone enlighten me?

Thanks,

Dan
0
Comment
Question by:ddotson
13 Comments
 
LVL 15

Expert Comment

by:achaldave
ID: 38317201
More on dcdiag can be found at

http://technet.microsoft.com/en-us/library/cc776854%28v=WS.10%29.aspx

Make sure every NS record has an A record.
0
 

Author Comment

by:ddotson
ID: 38317225
So all of our DNS servers are domain controllers.  From your article I read:

The delegation test confirms that the delegated name server is a functioning DNS Server.

The delegation test checks for broken delegations by ensuring that all NS records in the Active Directory domain zone in which the target domain controller resides have corresponding glue A records.

Does this mean that we have broken delegations?  What does this mean?  What are the implications?
0
 
LVL 2

Expert Comment

by:gfilipe
ID: 38317273
Hi ddotson,

This means some of the zones you have configured in your DNS servers are not delegated. That in a more practical way means that those DNS servers are not giving any name answers regarding those zones.

If this is your internal domain you should create the appropriate delegations on your DNS servers, to create check out this document:

http://technet.microsoft.com/en-us/library/cc785881(v=ws.10).aspx


Regards,
GFilipe
0

Author Comment

by:ddotson
ID: 38317395
I saw this entry in the section for each domain controller (dns server):

TEST: Delegations (Del)
   Delegation information for the zone: domain.com.
      Delegated domain name: _msdcs.domain.com.
      Error: DNS server: lgedc.domain.com. IP:<Unavailable>

      [Missing glue A record]

     [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]



The entry "lgedc.domain.com" is an old domain controller.  There is nothing else in that subdomain.

I looked at the instructions for adding delegations, but it didn't make sense.  Here is a screen shot:

Picture of DNS window
This is for our internal active directory domain name.  I'm not sure what I would enter here.

Also, we use these DNS servers for our websites (split-brain).  So there are many many zones.

I hope that I'm making sense.
0
 
LVL 18

Accepted Solution

by:
Sarang Tinguria earned 1400 total points
ID: 38317472
There are 2 parts you should focus on:
1) You do not have any stale DC in your environment
2) You have configured correct DNS settings

Please go through below and check if both things are correct

Run "netdom query DC" and check if you see any DC which was previously removed or demoted forcefully

If you find any old DC which is not present in your env please use below links
Metadata cleanup:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Seize FSMO role:
http://www.petri.co.il/seizing_fsmo_roles.htm

----------->> Verify if DNS is correctly configured on DCs <<----------

How we should configure DNS on our DCs :-->

Every DNS server should point to its own IP as the primary DNS and a DNS server located in a remote site as the secondary DNS in TCP/IP properties
All unused NICs are to be disabled
Valid DNS IPs from the ISP are to be configured in DNS forwarders; do not configure local DNS in forwarders
Public DNS IPs should not be used on any NIC card except in forwarders
Domain controllers should not be multi-homed
Running a VPN server and RRAS server makes the DC multi-homed; refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;272294


If anything above is incorrect please correct it and run "ipconfig /flushdns & ipconfig /registerdns " and restart DNS service using "net stop dns & net start dns"

DNS best practices
http://technet.microsoft.com/en-us/library/cc778439(v=WS.10).aspx

Checklist: Deploying DNS for Active Directory
http://technet.microsoft.com/en-us/library/cc757116(v=ws.10)
0
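The checklist above (primary DNS pointing at the DC itself, secondary at a DC in another site, no public resolvers on NICs, no multi-homing, forwarders not pointing back at a local DC) can be audited in one pass rather than by clicking through TCP/IP properties on every DC. The following script is an added example written for this thread, not code from any of the posters; it assumes the ActiveDirectory, DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later), a domain-admin session with remoting enabled to each DC, and a constructed list of public resolver addresses. It only reports findings and changes nothing.

```powershell
# Added example, not from the thread: report-only audit of DC DNS client and
# forwarder settings against the checklist in the accepted answer.
# Assumes ActiveDirectory, DnsServer and DnsClient modules (Server 2012+) and
# PowerShell remoting to every DC.

Import-Module ActiveDirectory, DnsServer, DnsClient

# Constructed list of well-known public resolvers; these belong in forwarders
# only, never on a DC's NIC.
$publicResolvers = @('8.8.8.8', '8.8.4.4')

# Map every DC's IPv4 address to its AD site so we can check the secondary DNS
# really lives in a different site.
$allDcs    = Get-ADDomainController -Filter *
$siteByIp  = @{}
foreach ($d in $allDcs) { if ($d.IPv4Address) { $siteByIp[$d.IPv4Address] = $d.Site } }
$dcIPs     = @($siteByIp.Keys)

function Test-DcDnsSettings {
    param([Parameter(Mandatory)][string]$DcName)

    $dc       = Get-ADDomainController -Identity $DcName
    $findings = @()

    # 1. DNS client settings on every IPv4 adapter that has DNS servers set
    $adapters = Invoke-Command -ComputerName $DcName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }
    }
    if (@($adapters).Count -gt 1) {
        $findings += 'Multi-homed: DNS servers are configured on more than one adapter'
    }
    foreach ($a in $adapters) {
        $servers = @($a.ServerAddresses)
        $alias   = $a.InterfaceAlias
        if ($servers[0] -ne $dc.IPv4Address) {
            $findings += "${alias}: primary DNS $($servers[0]) is not this DC ($($dc.IPv4Address))"
        }
        if ($servers.Count -lt 2) {
            $findings += "${alias}: no secondary DNS server configured"
        } elseif ($siteByIp[$servers[1]] -eq $dc.Site) {
            $findings += "${alias}: secondary DNS $($servers[1]) is in the same site ($($dc.Site))"
        }
        foreach ($s in $servers) {
            if ($s -in $publicResolvers) { $findings += "${alias}: public resolver $s configured on NIC" }
        }
    }

    # 2. Forwarders must point outside the domain (ISP/public), not at a local DC
    $fwd = @((Get-DnsServerForwarder -ComputerName $DcName).IPAddress |
              ForEach-Object { $_.IPAddressToString })
    if ($fwd.Count -eq 0) { $findings += 'No forwarders configured' }
    foreach ($f in $fwd) {
        if ($f -in $dcIPs) { $findings += "Forwarder $f is a domain controller in this domain" }
    }

    [pscustomobject]@{ DC = $DcName; Site = $dc.Site; Findings = $findings }
}

# Run the audit across every DC and list the findings per server.
$allDcs | ForEach-Object { Test-DcDnsSettings -DcName $_.HostName } | Format-List
```

A DC with an empty Findings list matches the checklist; anything else is a line item to correct before re-running `ipconfig /registerdns` and `dcdiag /test:dns`.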
 
LVL 2

Assisted Solution

by:gfilipe
gfilipe earned 400 total points
ID: 38317476
Hi,

In fact the glue record is the A record that resolves the domain controller's name to an IP address.

You should go to the domain controller and:
ipconfig /registerdns
This registers this record.
Make sure all communications are ok between domain controller and DNS server (a ping to the DNS server from the DC should do it)

To manually add this record, open the zone for the AD domain name, right
click, select New Host (A or AAAA), name it the domain controller's host name and give
it the IP address of the domain controller.

This should correct that specific issue.

Hope this helps,
Regards,
GFilipe
0
 
LVL 15

Assisted Solution

by:achaldave
achaldave earned 200 total points
ID: 38317484
The error means that some of the name servers listed for your zone don't have an IP address associated with them.

Check your DNS server, under Forward Lookup Zones -> domain.com, and check all the NS records.

Based on the error you posted it says there is no A record for name server lgedc.domain.com; if it is an old server just remove it from NS, or if it is a live server just add an A record for it.
0
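The dcdiag Del test quoted earlier walks every NS record in the AD zone (the apex and delegated subdomains such as `_msdcs`) and checks that each name server inside the zone has a matching glue A record; the two answers above then say to remove the NS entry if the server is gone or add the A record (or run `ipconfig /registerdns`) if it is alive. The script below is an added example written for this thread, not code from the posters or from dcdiag; it reproduces that check so the stale entry shows up as a line in a report instead of a `[Missing glue A record]` error. It assumes the DnsServer module (Windows Server 2012 or later), query rights on the DNS server, and uses `domain.com` as a stand-in for the real zone name exactly as the thread does. It is report-only; deleting the NS record stays a deliberate manual step.

```powershell
# Added example, not from the thread: list every NS record in the AD zone,
# including delegations like _msdcs, and check each in-zone name server for a
# glue A record, which is what dcdiag /test:dns reports under "Del".
# Assumes the DnsServer module (Server 2012+). Report only, deletes nothing.

Import-Module DnsServer

function Get-NsGlueReport {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = $env:COMPUTERNAME
    )

    $nsRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType NS

    foreach ($ns in $nsRecords) {
        $server = $ns.RecordData.NameServer.TrimEnd('.')
        # '@' is the zone apex; anything else is a delegation point (e.g. _msdcs)
        $owner  = if ($ns.HostName -eq '@') { $ZoneName } else { "$($ns.HostName).$ZoneName" }

        # Glue is only required when the name server's name falls inside this zone.
        $inZone = $server -like "*.$ZoneName"
        $glue   = $null
        if ($inZone) {
            $relative = $server.Substring(0, $server.Length - $ZoneName.Length - 1)
            $glue = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                        -RRType A -Name $relative -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Owner      = $owner
            NameServer = $server
            GlueA      = if ($glue) { @($glue.RecordData.IPv4Address.IPAddressToString) -join ', ' } else { $null }
            Status     = if (-not $inZone) { 'external NS, no glue required' }
                         elseif ($glue)   { 'OK' }
                         else             { 'MISSING GLUE A RECORD' }
        }
    }
}

# 'domain.com' stands in for the real AD zone, as in the thread.
Get-NsGlueReport -ZoneName 'domain.com' | Format-Table -AutoSize
```

A row whose Status is `MISSING GLUE A RECORD` and whose Owner is a delegation such as `_msdcs.domain.com` is exactly the case in the question: an NS entry pointing at a decommissioned DC. Confirm the host is really gone (it should not appear in `netdom query DC`) before removing the NS record, and re-run `dcdiag /test:dns` afterwards to confirm the Del column passes.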
 

Author Comment

by:ddotson
ID: 38317745
OK - so to be clear, we don't *think* we are seeing any problems.  However, that could be manifested as something else, and DNS be the real culprit.  I don't know at this time.

I have made three changes based on what you've all posted:

1) I checked the domain controller's DNS settings.  Most were mis-configured to point to another domain controller.  I pointed the primary DNS to itself and then the secondary to a domain controller outside of the AD site.

2) I configured all forwarders to go to the Internet (8.8.8.8, etc) instead of another domain controller.  To be clear, these were forwarding to a single domain controller, which was then forwarding to the internet.  Now they all forward to the internet.

3) Checked for stale DC per the previous instructions.  Did not find any.

For clarification, here is an image of that strange entry:

Dns Window 2
The Zone listed is our AD domain.  The entry is for the old lgedc.domain.com domain controller.  I can delete this?  Should there be entries for the other domain controllers there?

Thanks,

Dan
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38317812
You may delete this and restart DNS server service
0
 

Author Comment

by:ddotson
ID: 38318345
I've rerun the test and everything passes!

I'm still a little foggy about the delegation.  If no zones are delegated, are we at some sort of risk?  Say one server goes down, etc?
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38318354
For exactly such cases we configure secondary DNS servers in the TCP/IP search order on DCs as well as on member clients
0
 

Author Closing Comment

by:ddotson
ID: 38318387
Thank you everyone for your help.  I think things will be much cleaner going forward.

Thanks,

Dan
0
 
LVL 2

Expert Comment

by:gfilipe
ID: 38318593
Hi,

To understand zone delegation I believe this is a good doc:
http://technet.microsoft.com/en-us/library/cc771640.aspx

further to this:
"Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as Global Catalog (GC), Kerberos, and (LDAP). Sometimes clients might need to contact a Microsoft-hosted service. For that reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records that are registered by Microsoft-based services. The Netlogon process dynamically creates these records on each domain controller (DC). The _msdcs subdomain also includes the globally unique identifier (GUID) for all domains in the forest and a list of GC servers.
 
If you install a new forest on a system that runs Windows Server 2003 and let the Dcpromo wizard configure DNS, Dcpromo will actually create a separate zone called _msdcs.<forest name> on the DNS server. This zone is configured to store its records in a forestwide application directory partition, ForestDNSZones, which is replicated to every DC in the forest that runs the DNS service. This replication makes the zone highly available anywhere in the forest."

Hope this answers your question,
Regards,
GFilipe
0