Solved

Please Help Fix my DNS Errors:

Posted on 2012-08-30
Last Modified: 2012-09-24
Hi all.
I'd really like to optimize our DNS.
I feel like we've been having errors in the event logs and name resolution issues for years now.

Here's our setup:

NNJ is the main branch. We have 2 domain controllers. One of them (NNJ1) is the primary.
NNJ2 is our print server but also has the DNS role installed.

SNJ has 2 domain controllers (SNJ1 and SNJ2). Both with the DNS role installed.

NYC has 2 domain controllers (NYC1 and NYC2).  Both with the DNS role installed.

PA has 1 domain controller (PA1).  This also has the DNS role installed.

Can someone work with me in setting up / configuring this the RIGHT way?

They are all running Windows Server 2003.

I'll do my best to answer any questions you might need in order to get this resolved.

Regarding errors, I get constant 4515 warnings and 4004 errors on all DNS servers.

Any help would be appreciated.
Question by:homerslmpson
45 Comments
 
LVL 9

Expert Comment

by:Mike
ID: 38351294
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38351319
Honestly, I'm not looking to an outside forum for help.  I'm looking for you guys at EE to help.
The steps shown in the link are confusing and not very well-written.
It is also a bit concerning that the original poster didn't reply back with any feedback as to whether or not these steps solved his problem.
I need someone I can bounce ideas off of and someone who can explain to me in logical English what needs to be done and why.
If that link is all you can provide, I can't take that chance following it as I may very well make the problem worse.
0
 
LVL 9

Expert Comment

by:Mike
ID: 38351427
If 4004 appears when the server is started, chances are the DNS service has started prior to AD fully initializing thus giving you this error.  This can be ignored or you can edit the registry and delay DNS service from starting immediately.

The 4515 is from a duplicate DNS zone somewhere in AD.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38351467
The errors are all over the place. Not just when the server starts.
DNS Event Log
0
 
LVL 9

Expert Comment

by:Mike
ID: 38351808
Check your Windows Time Service configuration. Check if there are any errors in the event log from the W32Time Service. When logging on, it seems that a badly configured W32Time Service is causing an overload, and your DNS cannot reach the Active Directory at this time, reporting event 4004 (and more) in the event log. After disabling "NTPClient" in the registry and restarting the server the problem may be resolved. (Go to HKLM/System/CurrentControlSet/Services/W32Time/NTPClient, Open/Edit the "Enabled" key, set it to 0 (zero) and restart).

Or it could be that the DC either is not configured to use a DNS server that has a valid copy of the DNS zone, or the zone does not have the needed SRV records. Running DCDiag may provide some information about the source of the errors. Also, NETDiag can be run for additional information.

Another option could be that the DNS server is bound to the wrong NIC, but since you are having this problem across multiple sites/DC's I doubt that's the case.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38351967
I just checked one of the servers application logs and saw quite a few of these:

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to
function and will use the existing security settings. Error Specifics: %1

I'm not sure what that's about.

I don't see any time issues in the log.

You mention the following:
Or it could be that the DC either is not configured to use a DNS server that has a valid copy of the DNS zone, or the zone does not have the needed SRV records.

Which DC are you referring to?  We are getting these issues on ALL domain controllers.
Not one in particular.

I agree that I doubt it's the NIC binding.

I will run a NETDiag and see what comes up.
0
 
LVL 9

Expert Comment

by:Mike
ID: 38352024
Are all your DC's pointing to the same primary DNS server?

For the other issue, try the following:

Click Start -> Administrative Tools -> Component Services.
Right click “My Computer” in the window pane and select Properties.
Click the MSDTC Tab.
Click the “Security Configuration” button, a dialog box appears. Click “OK”.
Click “OK” on the “My Computer Properties” box; this will take you back to the console.
Right click “My Computer” and select “Stop MS DTC” (this stops the MSDTC service).
Again, right click “My Computer” and select “Start MS DTC”.
0
 
LVL 41

Expert Comment

by:footech
ID: 38356689
This is most likely from duplicate DNS zones.  The link that Shadowless127 first provided does give some info, but the best resource I've found to understand this is:
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

Using ADSI Edit connect to the DomainDNSZones, ForestDNSZones, and the default naming context.  For example, to connect to the DomainDNSZones you would use something like DC=DomainDnsZones,DC=DOMAINNAME,DC=LOCAL.  Compare what you find in the MicrosoftDNS container for each of these to find any duplicate entries or ones that start with CNF.  Your 4515 error will give you a clue where to look.

You must be using AD-integrated zones, correct?  Depending on how you want the zone to replicate (e.g. to all DNS servers in domain, all in forest, or all DCs) will determine where it should be stored.  The link I gave provides much more info than I can give here.  So read through it a couple times, in particular the part about determining if there are duplicate zones, and then post back if you have specific questions.  Determining doesn't require making any changes, but fixing it does.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38356717
You got a lot of work to do, brother.

-Take it ONE site at a time and then fix your DNS zone transfers between sites.

Since DNS related problems have appeared for months, you now have to determine the health of domain features, like replications, Active Directory, tombstoned servers, etc.

What site are YOU at? Let's start with that one.

Go to the command prompt of your Primary Domain Controller Emulator (PDCe) and type:
DcDiag /test:DNS > C:\DNSlog.txt

Post the DNSlog.txt, found on the root of C, here on EE.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38360402
You don't mention if you're running separate forests/domains for each site, which affects your design. If you're in a single forest then check the replication of the DNS zones, easiest option is to set replication of DNS zones to all DNS servers in the forest.

You can check the configuration of the DNS zones by opening DNS manager, right-click the Forward lookup Zone, then click properties.
Check the values for "Type" and "Replication".

Additionally you have a non-Domain Controller as a DNS server. The roles are different and I wouldn't suggest mixing them if you're not more experienced.

Using DNS on Domain Controllers only, enables you to have AD integrated DNS zones, this means that the DNS data is stored in AD, whereas the stand-alone DNS server will keep a zonefile locally.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38363388
@ChiefIT:
The output of the log is below.
Take a look and let me know what you think.

I'm located at the main branch (NNJ) and the main DC is BonlandDC1 which is the server I ran this test on.

@dvt_localboy:
We only have one domain.

You also mention the following:
"Additionally you have a non-Domain Controller as a DNS server..."

Are you telling me that I have a non-DC set up for DNS or are you asking?
As far as I know, all DCs are set up for DNS and no additional servers are.

-------------------------------------------
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: NNJ\BONLANDDC1
      Starting test: Connectivity
         ......................... BONLANDDC1 passed test Connectivity

Doing primary tests
   
   Testing server: NNJ\BONLANDDC1

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : Bonland
   
   Running enterprise tests on : Bonland.local
      Starting test: DNS
         Test results for domain controllers:
           
            DC: bonlanddc1.Bonland.local
            Domain: Bonland.local

                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 4.2.2.2 (<name unavailable>)
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 4.2.2.2 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 4.2.2.2
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: Bonland.local
               bonlanddc1                   PASS PASS FAIL PASS PASS PASS n/a  
         
         ......................... Bonland.local failed test DNS
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38363419
@dvt_localboy
I checked the settings and included them below.
DNS Properties
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38363560
From your original post:
NNJ2 is our print server but also has the DNS role installed.

Did you check if that server 4.2.2.2 is actually answering DNS queries?
I tried to query it now and it didn't respond for me.
I did find this interesting article about 4.2.2.2
http://www.tummy.com/Community/Articles/famous-dns-server

See similar questions relating to your /test:DNS results
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_25094797.html
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24604203.html

Although in honesty, the issue with your /test:DNS results has nothing to do with the Event ID 4004 and 4515 issues.

Please see the following links:
http://technet.microsoft.com/en-us/library/cc735696(v=ws.10).aspx
http://support.microsoft.com/kb/867464
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38363591
NNJ2 is our print server but also has the DNS role installed.
This server is also a DC.  I should have mentioned that.

I don't know how to query 4.2.2.2 and in all honesty I'm not sure where that entry came from or whether it is needed.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38363738
Check your DNS forwarder:
Open DNS console
Right-click on the DNS Server Name
Click Properties
Click the "Forwarders" Tab
Ideally you should only have the DNS servers of your Internet Service Provider listed.
You can delete 4.2.2.2 if it is in there.

See similar question
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_26600919.html
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38363772
I checked and I had 4.2.2.1 and 4.2.2.2 so I deleted them both and added the 2 DNS servers my ISP gave us (167.206.112.138 and 167.206.007.004).
The first one doesn't even reply back from a ping but the 2nd one does so I switched the order.  I don't know if this will help at all.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38363809
So this is what I found using ADSI Edit.
Can I remove these "InProgress" items?
ADSI Edit
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38363908
If you see anything that starts with an "In Progress...." or "CNF..." with a long GUID number after it, that's a duplicate zone. The  "CNF..." means it's in conflict, and the "In Progress...." means it is trying to replicate, but it can't because there's another identical zone name but with a different USN version number (USNs are used for replication control between DCs) on another domain controller.

From an MVP's blog:
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

Follow his instructions and you should be fine.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38363946
Yeah I was looking through that earlier.
I just deleted the ones that appeared to be duplicates and restarted DNS.
I guess we will see what happens...
0
 
LVL 41

Expert Comment

by:footech
ID: 38364447
So you deleted all the "InProgress..." entries as well as the bonland.local entry in the DomainDNSZones application partition?  I'm thinking that's the right course of action since from the other screenshot you provided you have the bonland.local zone set to replicate to all DCs, which would place it in the default naming context.  If you haven't deleted any bonland.local entry, then I would compare the ones you find in the default naming context and the DomainDNSZones to see which is the correct one that you want to keep before deleting the other.

As a side note, if I were you, after the errors are cleaned up, I would have the zone replicate to all DNS servers in the domain instead of all DCs.  It could cut down on unneeded replication traffic.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38364613
I removed all of the duplicates but I didn't delete the bonland.local entry.
Was I supposed to?
0
 
LVL 41

Expert Comment

by:footech
ID: 38364745
If you have an entry called "bonland.local" that is present in more than one partition, then yes you must choose which one you want.

I'm guessing you have one in both CN=MicrosoftDNS,DC=DomainDnsZones,DC=bonland,DC=local and CN=MicrosoftDNS,CN=System,DC=bonland,DC=local
0
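
Added example (not part of any post in this thread): the comparison described in the comments above, done over a list of zone object distinguished names instead of by eye in ADSI Edit. The DN list is constructed sample data with made-up GUIDs; it assumes the DNs were copied or exported from the three MicrosoftDNS containers, and the name matching on "InProgress" and "CNF" follows the description given in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: DNs of zone objects as they might be listed under
# CN=MicrosoftDNS in the default naming context (CN=System), DomainDnsZones
# and ForestDnsZones. The GUID suffixes are made up.
SAMPLE_DNS = [
    "DC=bonland.local,CN=MicrosoftDNS,CN=System,DC=bonland,DC=local",
    "DC=bonland.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bonland,DC=local",
    "DC=_msdcs.bonland.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bonland,DC=local",
    "DC=..InProgress-00000000-1111-2222-3333-444444444444,"
    "CN=MicrosoftDNS,DC=DomainDnsZones,DC=bonland,DC=local",
    r"DC=bonland.local\0ACNF:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,"
    "CN=MicrosoftDNS,CN=System,DC=bonland,DC=local",
]

CONTAINER = ",cn=microsoftdns,"
# Heuristic taken from the thread: leftover objects carry "InProgress" or
# "CNF" in their name, followed by a GUID.
LEFTOVER = re.compile(r"InProgress|CNF")


def split_zone_dn(dn):
    """Split a zone object DN into (zone name, partition label)."""
    idx = dn.lower().find(CONTAINER)
    if idx < 0 or dn[:3].lower() != "dc=":
        raise ValueError("not a zone object under CN=MicrosoftDNS: " + dn)
    zone = dn[3:idx]
    partition_dn = dn[idx + len(CONTAINER):]
    # First RDN value names the location: System, DomainDnsZones, ForestDnsZones.
    label = partition_dn.split(",")[0].split("=", 1)[1]
    return zone, label


def audit_zone_objects(dns):
    """Return (duplicates, leftovers).

    duplicates: {zone name: [partition labels]} for zones stored in more than
                one location, the condition event 4515 complains about.
    leftovers:  DNs whose name marks them as InProgress/CNF objects.
    """
    locations = defaultdict(set)
    leftovers = []
    for dn in dns:
        zone, label = split_zone_dn(dn)
        if LEFTOVER.search(zone):
            leftovers.append(dn)
        else:
            locations[zone.lower()].add(label)
    duplicates = {z: sorted(p) for z, p in locations.items() if len(p) > 1}
    return duplicates, leftovers


if __name__ == "__main__":
    dup, left = audit_zone_objects(SAMPLE_DNS)
    for zone, where in dup.items():
        print("zone", zone, "exists in:", ", ".join(where))
    for dn in left:
        print("leftover object:", dn)
```

The script only reports; which copy to keep is still the manual comparison described in the surrounding comments.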
 
LVL 1

Author Comment

by:homerslmpson
ID: 38364810
Yeah there are 2 different ones showing up.
How do I know which one to remove?
The one in DomainDnsZones has a few additional folders listed that show the different branch locations and their subnet (see image).
ADSI Edit
0
 
LVL 41

Expert Comment

by:footech
ID: 38365191
You're going to have to dig into each one to determine which one has the info that you need or expect to see.  I would also use ADSI Edit on each DC to see if the information is the same on each.

You've got some choices for removing the duplicate zone (further explained in the link I provided).
1) Just delete it.
2) Convert it to non-AD integrated, wait for replication, then delete, then convert to AD-integrated again.
3) Mentioned in the comments; rename the zone and allow that to replicate, after a period of time when you're sure everything is working correctly you can delete the renamed zone.

The last time I had to deal with this personally, I could easily see that the copy that was being loaded (your 4515 error will tell you which this is) had the info I needed, so I just deleted the other one.  You'll have to evaluate for yourself, and standard advice for any edits to your AD - plan what you'll do if something goes wrong.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38365291
Well one of them was created on 6/16/2011 and the other one was created 12/10/2011.

The event ID 4515 error states the following:
The zone bonland.local was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.Bonland.local. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
 
I'm thinking the one in DomainDnsZones.Bonland.local is the accurate one.

So are you saying I can just rename the one in MicrosoftDNS, wait a week or so and if no errors show up or nothing catastrophic happens, I can safely delete it?
0
 
LVL 41

Expert Comment

by:footech
ID: 38365433
Sounds right to me.  From the error you are currently using the zone in the default naming context.  Before renaming it I would certainly make sure the zone in DomainDNSZones (which will become active) has the info you need.  If it hasn't been used in some time it's likely to contain some stale info that will need to be updated.  Right now, if you were to delete the zone in DomainDNSZones, you wouldn't notice anything different, since that zone is being ignored.  I've never done it this way, but if you rename a zone, you should then notice both zones (the renamed and the correctly-named) in the DNS console.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38367457
I went ahead and renamed the one in SYSTEM and went ahead and restarted DNS.
I don't see the renamed zone in DNS.
Am I missing something?
DNS2
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38369696
Yah, I see a couple issues: (you are in process to resolve one).

I think you should read this, so we can be on the same sheet of music:
http://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html

So, I want you to look at some of the errors you are seeing:
1) 2.2.2.4 is a bad forwarding server <<<
You started to resolve this, BUT you have to do this ON ALL DNS SERVERS.
DCdiag /test:DNS  at the command prompt will test your servers when done, as you have seen.

2) I see a reference to a loopback IP address for DNS server. (127.0.0.1) is the loopback. I don't recommend ever using the loopback address because the loopback is known by other computers as its own IP loopback address. Always hard code the proper IP address in the NIC card so, the loopback address is never registered within DNS as a go to IP address. Once done, delete all Reverse DNS, Forward DNS and especially MSDCS records for the loopback addresses. Then re-register that NIC by using these commands on the DNS server's command prompt:

Net Stop Netlogon
Net Start Netlogon
IPconfig /flushdns
IPconfig /registerdns

3) I also see a reference to an Inaddress_ARPA address pointing to an invalid forwarding server, 2.2.2.4 and an in address Arpa of 127.0.0.1 (reverse lookup). In other words two discrepancies, these records in the reverse lookup zone need to be deleted. When referencing the INADDRESS_ARPA, you are actually looking at a reverse DNS record. This needs to be deleted.

What I want to know is where are you seeing discrepancies and performance issues:
--Do you see local lan problems? (Host A and MSDCS problems locally, or improperly configured NICs of the client PCs passed by DHCP or manually configured)
--Do you see forest resolution problems? (Zone transfers)
--Do you see outside of your forest problems? (forwarding or root hint servers)

It appears as if your problems are outside DNS resolution and contacting outside web sites. These forwarding edits and eliminating the loopback addresses will change your performance considerably.
0
 
LVL 41

Expert Comment

by:footech
ID: 38370597
When I did it (renamed one), after I relaunched the DNS console both zones showed up.

Are you seeing the 4515 errors any longer?

It would be a good idea to run dcdiag /test:dns /v to check for any issues.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38371986
OK so we have 7 DCs in total.
2 in NNJ
2 in SNJ
2 in NYC
1 in PA

The change I made to the forwarder IPs could only be done on SOME DCs.
For instance, BonlandDC1 which is the main DC is where I originally made the change.
BonlandDC2 and some of the other servers don't show any forwarders (see image 1 below).

The PA server looks different (see image 2 below).  
It has the 2 NNJ DCs listed as forwarders.  
It also had those 4.2.2.2 addresses but I removed them.  
2 things that are worth asking:
   A - should those 2 NNJ DCs be listed on this server?
   B - this branch (PA) has a different ISP and therefore is likely going to have different outside DNS addresses than the ones in NNJ.  Should I be inserting the PA DNS IPs or the NNJ ones?

The second SNJ DC has the first SNJ DC listed as a forwarder along with BonlandDC1 (NNJ).
No additional IPs were listed on this server.
   C - is this even close to acceptable?  Or should it be pointing to the ISP's external DNS?
 
Where did you see the loopback address of 127.0.0.1?

Regarding ACTUAL issues, I don't think we have any.  It's not as if we can't connect or see other branch locations, etc.  We ran into one strange issue where we couldn't connect to a particular branch DC remotely from here but we could remotely access the other DC in that same branch (and then remotely access the problem DC).  
This was noticed because of a particular program housed here in NNJ wasn't accessible for some of the users in that branch.  Rebooting the problem server didn't seem to fix the issue but the next day everything was working as it should.  
I don't know if this was DNS related or not but this is what led me to look into DNS throughout the company.

I've also included the output from the command (dcdiag /test:dns /v) which was run on BonlandDC1.  It looks like the forwarders portion still doesn't PASS.
Why would the NNJ ISP give me 2 DNS server IPs when only one works?

No forwarders
Different forwarders
Output.txt
0
 
LVL 41

Expert Comment

by:footech
ID: 38373842
A - should those 2 NNJ DCs be listed on this server?
This would only be needed if the NNJ DCs held DNS information that the PA DC didn't.
B - ...Should I be inserting the PA DNS IPs or the NNJ ones?
Either use PA ISP's DNS, other public DNS (like Google's), or none (will use root hints instead).
C - is this even close to acceptable?  Or should it be pointing to the ISP's external DNS?
Same situation as A above.  If all your DCs at a site have the same DNS information, there is no need for one to forward to another.  The only exception to this that I can think of is if you want all queries for external DNS information to go through a specific server.  It's possible there could be some caching benefit as well, but I couldn't say for certain.  DNS servers only need to forward to others when the other DNS servers have information the local one doesn't.  If that missing information is just public DNS records (i.e. used for the internet), then either; 1) ISP's DNS servers can be used as forwarders, or 2) root hints can be used.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38374382
Don't get confused on what a forwarding server is.

Windows update services has Microsoft servers that are upstream from your internal server. Like this update service, a DNS forwarder is an upstream server to perform OUTSIDE resolution to DNS queries.

Your problem is you are forwarding to your internal servers. Your DNS query hops from one server to another, until finally, it gets a DNS forwarder that's OUTSIDE your domain.

Unless you are in a FOREST environment and your forest admins host a DNS forwarding server, I recommend that you CONFIGURE ALL DNS SERVER FORWARDERS TO EITHER YOUR ISP OR GOOGLE DNS SERVERS FOR OUTSIDE RESOLUTION.

Once again, please read this:
http://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38375850
Thanks guys!!
I noticed yesterday I had to remotely access a computer in PA but the computer was previously in NNJ so the IP address wasn't up to date.
I had to ask the user for his IP and then I connected.
I pinged that PC today and it's now correct.
All of this of course, took place from my own computer.
If in fact the zone I renamed was the up to date one and the one I left alone was old and outdated, will it correct itself over time?
0
 
LVL 41

Expert Comment

by:footech
ID: 38376943
If dynamic DNS updates are happening correctly in conjunction with DHCP, then for this, yes.  But you might also have static records that need to be updated manually, and/or records that need to be deleted.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38377131
My main concern is the DHCP users.  The static IPs rarely, if ever change.
Hopefully the updates are taking place when they should.
I see all these options for scavenging, stale records, etc and who knows what else.
I never adjusted these but wonder if they would be of any use...
0
 
LVL 41

Expert Comment

by:footech
ID: 38377218
Scavenging can definitely be useful.  It's too long to get into here, but a good guide is at
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38378460
I wouldn't worry about scavenging until all your DNS discrepancies are fixed. I would concentrate on forwarders. Those should all be outside DNS servers (not your internal DNS) unless the forest admin requires it.

Worry about scavenging later.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38383142
OK so the servers were rebooted over the weekend.
I checked all of the DNS servers and for some reason, one of the DCs in the NYC branch is showing a few 4004 errors in the event viewer stating the following:

"The DNS server was unable to complete directory service enumeration of zone bonland.local_RENAMED.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error."

Any ideas what this is about?  Granted, that is the zone I renamed but why is it having an issue?
0
 
LVL 41

Assisted Solution

by:footech
footech earned 1000 total points
ID: 38384396
You could see the 4004 errors after a reboot if the DC is pointing to itself as the primary DNS.  There are some other possible causes but if it's limited to referencing the renamed zone I wouldn't worry about it.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38385387
Don't worry about a few 4004 errors. These can happen at boot up if AD starts before DNS. So, you can ignore a couple of these at boot. Concentrate on forwarders. That seems to be the majority of your discrepancies.

Remove ALL of your DNS servers out of Forwarders and put these IPs in all DNS servers as forwarders:

8.8.8.8
8.8.4.4

These are Google outside servers. Currently you are forwarding to internal servers for outside resolution. That will not get you anywhere except performance issues and sites you can't contact.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38386557
@ChiefIT:
All of the DNS servers have been removed out of the Forwarders section as of 9/6 or so.
I added the ISPs DNS servers in some cases and in other cases, I used one of the Google addresses.

I still haven't deleted the renamed zone.  I guess I'll wait a few more days just to be safe.
At that point, I'll probably just close this out and assign points, etc.

Thanks everyone for your help!  I really do appreciate it.
If I could assign a billion points to each of you, I would ; )
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38387353
Dcdiag /test:DNS

is your best friend when troubleshooting DNS related issues.

Prior to closing this out, run this command at the command prompt for all DCs/DNS servers. It WILL find all discrepancies, except internal settings passed down by the DHCP server. That's where you want to go NEXT. Go into DHCP scope options and make sure all your DHCP servers are passing down INTERNAL to your network DNS servers. That means all DHCP clients will get the DHCP assignment, and also get your DNS servers as valid DNS servers.

After that, concentrate on scavenging DNS resource records for DNS metadata cleanup.
0
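
Added example (not part of any post in this thread): with seven DCs each producing a DNSlog.txt, a small Python parser can pull the failed columns and invalid forwarders out of every log so the servers that still need work stand out. The first log is the BONLANDDC1 output posted earlier in the thread, trimmed to the DNS test; the second is a constructed sample of a clean run, and the function names are hypothetical.

```python
import re

# Output posted earlier in this thread for BONLANDDC1 (trimmed to the DNS test).
LOG_DC1 = """
      Starting test: DNS
         Test results for domain controllers:
            DC: bonlanddc1.Bonland.local
            Domain: Bonland.local
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 4.2.2.2 (<name unavailable>)
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: Bonland.local
               bonlanddc1                   PASS PASS FAIL PASS PASS PASS n/a
         ......................... Bonland.local failed test DNS
"""

# Constructed sample: what a clean run on a second DC is assumed to look like.
LOG_DC2 = """
         Test results for domain controllers:
            DC: bonlanddc2.Bonland.local
            Domain: Bonland.local
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: Bonland.local
               bonlanddc2                   PASS PASS PASS PASS PASS PASS n/a
         ......................... Bonland.local passed test DNS
"""

# A result cell is an upper-case word (PASS, FAIL, ...) or "n/a".
RESULT_TOKEN = re.compile(r"^(?:[A-Z]+|n/a)$")
BAD_FORWARDER = re.compile(r"Error: Forwarders list has invalid forwarder:\s*(\S+)")


def _entry(report, dc):
    return report.setdefault(dc, {"failed": [], "bad_forwarders": []})


def parse_dcdiag_dns(text):
    """Return {dc: {"failed": [columns], "bad_forwarders": [ips]}}."""
    report = {}
    columns, current_dc = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "DC:" and len(tokens) == 2:
            # "DC: bonlanddc1.Bonland.local" opens the per-server detail section.
            current_dc = tokens[1].split(".")[0].lower()
            _entry(report, current_dc)
        elif (m := BAD_FORWARDER.search(raw)) and current_dc:
            _entry(report, current_dc)["bad_forwarders"].append(m.group(1))
        elif tokens[:2] == ["Auth", "Basc"]:
            # Header row of the summary table; remember the column order.
            columns = tokens
        elif (columns and len(tokens) == len(columns) + 1
              and all(RESULT_TOKEN.match(t) for t in tokens[1:])):
            # Summary row: server name followed by one result per column.
            results = zip(columns, tokens[1:])
            _entry(report, tokens[0].lower())["failed"] = [
                col for col, res in results if res == "FAIL"]
    return report


def servers_needing_work(logs):
    """logs maps a label (e.g. file name) to dcdiag text; keep DCs with findings."""
    findings = {}
    for text in logs.values():
        for dc, result in parse_dcdiag_dns(text).items():
            if result["failed"] or result["bad_forwarders"]:
                findings[dc] = result
    return findings


if __name__ == "__main__":
    logs = {"DNSlog-dc1.txt": LOG_DC1, "DNSlog-dc2.txt": LOG_DC2}
    for dc, r in servers_needing_work(logs).items():
        print(dc, "failed:", r["failed"], "invalid forwarders:", r["bad_forwarders"])
```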
 
LVL 1

Author Comment

by:homerslmpson
ID: 38387401
I have removed this comment.
0
 
LVL 41

Expert Comment

by:footech
ID: 38393215
Sorry, I don't know why you would be getting this error.  It would seem to indicate that it can't contact the LDAP (AD) servers.  But if your dcdiag tests are returning normal I don't think I would be inclined to worry about it.
Perhaps others have other advice.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1000 total points
ID: 38393504
Tell us how your performance seems when working on things like internet and internal mail servers and internal web pages.

As well, we might want to make sure ZONE TRANSFERS between sites are good.

-You might post a second question to ensure zone transfers between sites work well (in the DNS zone of EE)

-Also, check your FRS / Replication logs for errors/warnings on all DCs.

I think you are on the right track.
0
