sswmoore

asked on

All DNS Records Disappeared

We've adopted a network that includes one Windows Server 2003 domain controller and about 70 workstations of varying types, mostly XP, a few W2Ks and a few Windows 7s. There are also a couple of member servers. The domain controller is running DNS as well as AD. I immediately noticed a lot of strange behaviour on the network, things like workstations and member servers being able to join the domain properly but not being able to log on after joining, citing reasons like "a domain controller for this domain cannot be found". I then discovered about a dozen regularly occurring error (red) and warning (yellow) events in the system, application, directory and DNS logs that suggest communication issues between AD and DNS. Then when I looked at the DNS application I discovered that there are no forward lookup zones. Obviously there are no DNS records in those forward lookup zones because the forward lookup zones don't exist. There are three reverse lookup zones, each with two records in them. The strange thing is that the network is still reasonably functional. A lot of staff members can log on with their domain accounts and those that can't just log on with local workstation accounts. The bottom line is that I need to get rid of this strange behaviour, fix the errors, and get the DNS server working as it should. Any help would be appreciated.
SOLUTION
Tomislavj

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
sswmoore

ASKER

Thanks Pac1B. Actually, I can confirm that the DC and most other computers DO refer to an external DNS server as well as the internal DNS server. Should this be changed so that only the internal DNS server, the DC, is referred to? More specifically, on the DC, when I check the TCP/IP settings on the NIC, the IP address of the primary DNS server is the same as the IP address of the DC, and the secondary is set to an external DNS server, not on our network. And this is the case for almost all of the workstations and the few member servers we have, as the DHCP server is configured to supply the DNS settings to each DHCP client in that manner. By the way, the DC does not perform DHCP services. DHCP is done by a different device.
SOLUTION
Thanks very much Pac1B for the highly detailed comment. You obviously spent a lot of time on that and there's some great information there that I didn't know. I will change the TCP/IP settings on the DC's NIC so that there is no reference to an external DNS server, and I will configure several workstations in the same manner and see what results I get. I'll run IPCONFIG /FLUSH as well. I will point out that whoever set this up did add forwarders and they are present in the DNS manager.

In my original question I mentioned that there are about a dozen errors in the event logs that seem to indicate AD and/or DNS issues. I have them listed in an Excel spreadsheet which I will attach.

Thanks Tomislavj for the script.  I will run it. I'm hoping that it will at least shed light on these errors.
palladinlog.xlsx
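The misconfiguration the asker describes above (a DC and its clients listing an external DNS server next to the internal one) is easy to audit from saved `ipconfig /all` output. The following is an added example, not code from this thread or from Experts Exchange: it parses the Windows XP / Server 2003 style output and flags any DNS server that is not in the set of internal servers hosting the AD zone. The sample output, the addresses and the `INTERNAL_DNS` placeholder are constructed, not values from the thread.

```python
"""Flag domain members whose DNS client list includes a server outside the
domain (added example; not code from the thread). Parses text saved from
`ipconfig /all` on Windows XP / Server 2003 style output."""
import re

# Constructed sample of `ipconfig /all` output. Addresses are documentation
# ranges used as placeholders, not values from the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ws01
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IP Address. . . . . . . . . . . . : 192.0.2.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1
   DHCP Server . . . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       198.51.100.53
   Lease Obtained. . . . . . . . . . : Monday, January 06, 2014 8:02:11 AM
"""

# Placeholder: the internal DNS server(s) that host the AD-integrated zone,
# normally the DC itself.
INTERNAL_DNS = {"192.0.2.10"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
DNS_LINE_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")
CONT_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [dns_server, ...]} in search order.

    The 'DNS Servers' line carries the first address; any further addresses
    follow on unlabeled, indented continuation lines."""
    result = {}
    adapter = None
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            result[adapter] = []
            in_dns_block = False
            continue
        m = DNS_LINE_RE.match(line)
        if m and adapter is not None:
            result[adapter].append(m.group(1))
            in_dns_block = True
            continue
        m = CONT_RE.match(line)
        if m and in_dns_block:
            result[adapter].append(m.group(1))
            continue
        in_dns_block = False  # any other line ends the DNS Servers block
    return result


def find_external_dns(ipconfig_text, internal=INTERNAL_DNS):
    """Return {adapter: [servers not in the internal set]} for adapters
    that list at least one such server."""
    flagged = {}
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        external = [s for s in servers if s not in internal]
        if external:
            flagged[adapter] = external
    return flagged


if __name__ == "__main__":
    for adapter, servers in find_external_dns(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: external DNS server(s) {', '.join(servers)}")
```

Run it against `ipconfig /all > host.txt` collected from each machine; a non-empty result means that host can fall back to a server that has no knowledge of the domain's SRV records, which produces exactly the "domain controller cannot be found" symptom from the question.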
SOLUTION
We have some new information. There is currently only one DC in this network and now I'm told that there used to be two. The second domain controller had a bad motherboard and was taken offline and not reconnected. Isn't there a procedure used to extract an abandoned DC from AD? I think I've found instructions for that and I'll proceed with that, but before I do, are there any comments regarding that issue?

Also, in order for AD and a to function properly, does the DNS server that AD uses have to be on the DC? I don't think it does. Does it even have to be on the same network? Is it possible that the DNS servers that our DC uses and that our AD uses is not the DNS server on our DC but some other DNS server, perhaps the external DNS servers specified as forwarders? If so, how do I tell for sure? Those DNS servers are operated by another agency related to ours and they may have set this up originally. We've asked them but nobody seems to know anything. The reason I ask is just the lack of any forward lookup zones in the DNS manager on the DC. No forward lookup zones, no A records, no records of any kind.

Thanks.
SOLUTION
As I think I mentioned before, in the DNS manager, the folder titled "forward lookup zones" is empty.  There is nothing in it.

So if I just right click the forward lookup zones folder and create a new zone and follow the prompts to create a new zone with the correct name and correct settings such as primary zone, store in Active Directory, replicate to all domain controllers, allow only secure dynamic updates, etc., I should be OK.

I should reboot the DC. In the NIC's TCP/IP settings the IP address of the primary DNS server is the same as the IP address of the DC, and when it finishes rebooting I should see the correct DNS records for the DC under Forward Lookup Zones. Then as the workstations register (some may register on their own, or I can use ipconfig /registerdns), I should see their records under forward lookup zones.

As this happens I should then be able to log on to the domain using domain accounts.

Is this an accurate description of how it should play out? Will I make anything worse by doing this?

By the way I read your article.  It was great. I really enjoyed it.


Thanks
SOLUTION
When attempting to create the forward lookup zone, the system pauses for 30 seconds and then returns the following message:

The zone cannot be created - the data is invalid.

I also have some new information. As I mentioned earlier, there used to be two domain controllers on this network. It was a very old machine and its motherboard died. Its warranty had expired long ago and a replacement motherboard was assumed to be too hard to find and too expensive. It was rarely used, there wasn't much of anything on it, so it was decided that it would be abandoned.

Also, the other DC was never removed from the domain. Isn't there something called a "metadata cleanup" that properly removes an abandoned DC from a domain? That was never done.

So with the forward lookup zone gone, I decided to take a look at the domain.dns file in the c:\windows\system32\dns folder. It's full of DNS information and I've attached it here. One thing that got my attention was that there is one SOA record and it has the name of the other, now abandoned, DC. Doesn't the SOA record mean that not only was it a DNS server in addition to a DC, but also the primary DNS server for the zone?

Perhaps it was the first DC created in this domain. Perhaps it was the PDC FSMO.

By the way, does the DNS server that Active Directory uses have to be a member of the domain?
dnstxt1.txt
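The check the asker is doing by eye on domain.dns (which server the SOA names, and whether it still exists) can be scripted. The following is an added example, not code from this thread or from Experts Exchange: it parses the BIND-style text that Windows DNS writes for a file-backed zone, reports the primary server (MNAME) from the SOA record, and lists any SOA or NS name that is not one of the live domain controllers, which is how a stale entry for an abandoned DC shows up. The sample zone, hostnames and addresses are constructed and are not taken from the attachment.

```python
"""Check a Windows DNS zone file (BIND-style text such as domain.dns) for
name servers that no longer exist. Added example; not code from the thread."""

# Constructed sample zone, modelled on the layout Windows DNS writes for a
# file-backed zone. Hostnames and addresses are placeholders.
SAMPLE_ZONE = """\
;
;  Database file corp.example.dns for corp.example zone.
;      Zone version:  123
;

@                       IN  SOA olddc.corp.example. hostmaster.corp.example. (
                        123          ; serial number
                        900          ; refresh
                        600          ; retry
                        86400        ; expire
                        3600       ) ; default TTL

;
;  Zone NS records
;

@                       NS  olddc.corp.example.
@                       NS  dc1.corp.example.

;
;  Zone records
;

@                       600 A   192.0.2.10
dc1                     A   192.0.2.10
olddc                   A   192.0.2.11
_ldap._tcp.dc._msdcs    600 SRV 0 100 389 dc1.corp.example.
"""

RR_TYPES = {"SOA", "NS", "A", "AAAA", "SRV", "CNAME", "MX", "PTR", "TXT"}


def _logical_lines(text):
    """Drop ';' comments and join records that span '(' ... ')'."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            out.append(" ".join(buf))
            buf, depth = [], 0
    return out


def parse_zone(text, origin):
    """Return [(owner_fqdn, rtype, rdata_tokens), ...].

    Handles '@', relative owner names, blank owners (repeat previous owner),
    optional TTL and class fields, and skips $TTL/$ORIGIN directives."""
    records = []
    last_owner = origin
    for line in _logical_lines(text):
        tokens = line.split()
        if not tokens:
            continue
        if line[0].isspace():
            owner = last_owner
        else:
            owner = tokens.pop(0)
            if owner.startswith("$"):
                continue
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)
        if not tokens or tokens[0].upper() not in RR_TYPES:
            continue
        rtype = tokens.pop(0).upper()
        records.append((owner.rstrip(".").lower(), rtype, tokens))
    return records


def _fqdn(name):
    return name.rstrip(".").lower()


def soa_primary(records):
    """Server named as primary master (MNAME) in the zone's SOA record."""
    for _, rtype, rdata in records:
        if rtype == "SOA":
            return _fqdn(rdata[0])
    return None


def stale_name_servers(records, live_dcs):
    """Names in the SOA MNAME or NS records that are not live DCs."""
    live = {_fqdn(d) for d in live_dcs}
    stale = set()
    primary = soa_primary(records)
    if primary and primary not in live:
        stale.add(primary)
    for _, rtype, rdata in records:
        if rtype == "NS" and _fqdn(rdata[0]) not in live:
            stale.add(_fqdn(rdata[0]))
    return sorted(stale)


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "corp.example")
    print("SOA primary:", soa_primary(recs))
    print("stale name servers:", stale_name_servers(recs, ["dc1.corp.example"]))
```

A name reported as stale is exactly the leftover that a metadata cleanup of the dead DC is meant to remove; once the zone is recreated as AD-integrated, the SOA and NS records are regenerated from the surviving DC rather than from this file.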
If I go to Active Directory Users and Computers, right click on the domain and choose Operations Masters, I get a dialog box with a tab for RID, PDC, and Infrastructure. Each tab specifies the name of the DC. So from that I presume that the current DC has the PDC FSMO role. It is not the case that the old DC, the one that died, had the PDC FSMO role.
ASKER CERTIFIED SOLUTION
The DNS at first could not be recreated because we discovered that the Kerberos service was disabled. Once enabled, we did as Tomislavj suggested and the forward lookup zone returned. We seized the PDC emulator role and the other four FSMO roles and ran a metadata cleanup. We then did as Pac1B suggested and ran NETDIAG /FIX and added a forwarder. Next we fixed the remaining workstations and servers. Thanks for your help.