Naj Saqi
asked on
DNS Entries are missing but still can be NSLOOKUP
Hi,
I have five domain controllers running Windows Server 2008 R2. I have also enabled DNS scavenging on one of the DCs.
A few days ago I noticed that lots of machines are missing from our DNS. But when you ping them, most of them are pingable by hostname, and I can NSLOOKUP them as well.
What could be the issue? Is my DHCP not registering new entries? Interestingly, all old machines are missing. Old means they are still active but have been on the network for some time.
Regarding Item 2, I would try all of the DNS in turn. If any of them have a given entry it may resolve.
Regarding Item 4, I would only check the DNS settings of the host from which you run your diagnostics. The others are not critical to your diagnostics.
I'm UTC/GMT -8.
- Tom
Hi,
You commented above that you are able to perform NSLOOKUP and it resolves fine.
One of your AD-integrated DNS servers is the one resolving it, right?
Then connect to that DNS server in the DNS management console, navigate to the zone in which the DNS entry resides (as per the nslookup result),
then use the Filter option to search for the DNS entry in that particular zone. The record should exist there for sure... :)
You may not be able to view the record for one of the following reasons:
You might have enabled the Filter option with some other DNS entry name in the DNS console.
You may need to increase the display limit: click View -> Filter -> Display limit tab in the DNS console.
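A way to take the console out of the picture entirely, added here as an example and not part of the original thread: ask each DNS server what it answers and what it actually stores for the name, using pure-DNS resolution so that a NetBIOS/LLMNR hit on ping is not mistaken for a DNS record. The zone, host and server names are placeholders. It assumes the DnsServer RSAT module on the machine you run it from (Windows 8 / Server 2012 or later; Windows Server 2008 R2 has no DnsServer PowerShell module, so run it from a newer management host and point it at the 2008 R2 servers with -ComputerName).

```powershell
# Added example, not from the thread. Placeholders: replace with your zone, host and DCs.
$Zone       = 'xxxx.xxxx.edu'                   # assumed AD-integrated forward zone
$HostName   = 'someworkstation'                 # assumed short name that "resolves but is missing"
$DnsServers = 'dc1', 'dc2', 'dc3', 'dc4', 'dc5' # assumed: the five DCs, all running DNS

$fqdn = "$HostName.$Zone"

# Does the name resolve without DNS at all? -LlmnrNetbiosOnly skips DNS, so an answer here
# means ping "works" through NetBIOS/LLMNR (or WINS), not through a DNS record.
$nonDns = Resolve-DnsName -Name $HostName -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
"NetBIOS/LLMNR answer for ${HostName}: $(if ($nonDns) { $nonDns.IPAddress -join ',' } else { '<none>' })"

$report = foreach ($srv in $DnsServers) {
    # 1. What this server answers. -DnsOnly disables LLMNR/NetBIOS fallback and -NoHostsFile
    #    ignores the local hosts file, so this is the same pure DNS answer nslookup would get.
    $answer = Resolve-DnsName -Name $fqdn -Type A -Server $srv -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue

    # 2. What this server stores in its replica of the zone: the same data the DNS console
    #    shows, but with no filter or display limit in the way. A $null Timestamp means a
    #    static record, which scavenging never touches.
    $stored = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue

    # 3. Does the zone forward unresolved names to WINS? A WINS record at the zone apex makes
    #    the DNS server answer for names it does not store. (Passing 'Wins' as the RRType is an
    #    assumption; if the cmdlet rejects it, check the WINS tab in the zone's properties.)
    $wins = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $Zone -RRType Wins -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server     = $srv
        Answered   = (@($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ',')
        Stored     = (@($stored | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ',')
        Timestamp  = (@($stored | ForEach-Object Timestamp) -join ',')
        WinsLookup = [bool]$wins
    }
}
$report | Format-Table -AutoSize
```

Reading the table: an Answered value with an empty Stored value on the same server means that server is answering from somewhere other than its own zone data (WINS lookup, or a record under a different zone that a search suffix matched); a record Stored on some servers but not others points at AD replication lag or at scavenging having run on one DC and not yet replicated the deletion.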
ASKER
Hi Again,
So I have checked again. I ran the ipconfig /all on the machine where I am pinging and looking up NS; it shows one of my DNS servers.
None of the DNS servers have those entries; I have checked manually all the DNS servers via their GUIs.
There is no filter option enabled.
Limit is already 10000. I have bumped it up to 20000.
I know this is amazing stuff, but I am experiencing it right now. I can understand that there could be reasons why entries are missing, but how am I able to resolve them? This is confusing.
ASKER
So there is an update. I have checked it again. I guess not all dynamic registrations are happening. I guess DHCP couldn't register dynamic entries in DNS. How can I check that?
Then log in to your DHCP server and check option 006, which is meant for the DNS server into which the dynamic registration will happen.
Check both the server options and the scope options in the DHCP server; also check that you are able to ping or communicate with the IP address configured in option 006 (in the DHCP server).
*Note: Also check that dynamic registration is allowed on the DNS server (the one configured in DHCP option 006). Hopefully it is enabled; just a heads-up.
ASKER
Yes, it is enabled and I can ping that DNS server from DHCP server.
Can you share the nslookup result here?
Also, can you execute the ipconfig /registerdns command on the problematic workstation and then check whether the IP address is registered dynamically or not.
Also check the IP address configured in option 066 on the DHCP server; check that you're able to ping it from your DHCP server.
You can use the NETMON tool to check whether any packet drops happen between the DHCP and DNS server (the IP address configured in option 006 on the DHCP server).
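The checks in the last two replies (option 006 at server and scope level, reachability of the DNS server from the DHCP server, dynamic registration allowed on the zone) as one script, added here as an example and not part of the thread. It also prints the DHCP server's own DNS-update policy, including the Name Protection setting and the update credential that come up later in the thread. $DhcpServer and $Zone are placeholders; it assumes the DhcpServer and DnsServer RSAT modules on a Windows 8 / Server 2012 or later management host, PowerShell remoting to the DHCP server, and (as in the thread) that the DHCP server also runs DNS, so it can be used as the resolver for the SOA lookup.

```powershell
# Added example, not from the thread. Audits the DHCP-side prerequisites for dynamic DNS
# registration. $DhcpServer and $Zone are placeholders.
$DhcpServer = 'dc1'             # assumed: the DC that also runs DHCP and DNS
$Zone       = 'xxxx.xxxx.edu'   # assumed: forward zone the clients register into

# 1. Option 006 (DNS servers handed to clients), server-wide and per scope, next to each
#    scope's lease duration and its own DNS-update settings (scope settings override server ones).
$serverOpt6 = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
"Server-level option 006 : $($serverOpt6.Value -join ', ')"
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $scopeOpt6 = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    $scopeDns  = Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer -ScopeId $scope.ScopeId -ErrorAction SilentlyContinue
    "Scope {0} ({1}): lease {2}, option 006 = {3}, DynamicUpdates = {4}" -f $scope.ScopeId, $scope.Name, $scope.LeaseDuration,
        $(if ($scopeOpt6) { $scopeOpt6.Value -join ', ' } else { '<inherited from server>' }),
        $(if ($scopeDns)  { $scopeDns.DynamicUpdates } else { '<inherited from server>' })
}

# 2. The DHCP server's DNS-update policy: whether it registers at all (Always / OnClientRequest /
#    Never), whether it registers for clients that do not ask (older clients), whether Name
#    Protection (DHCID) is on, and which credential it uses. For DHCP on a DC, Microsoft's guidance
#    is to configure a dedicated low-privilege credential rather than letting it update as the DC.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer | Format-List DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRRonLeaseExpiry, NameProtection
Get-DhcpServerDnsCredential -ComputerName $DhcpServer | Format-List DomainName, UserName

# 3. Where updates actually go: not to the servers in option 006 but to the zone's primary
#    (the SOA MNAME), which the DHCP server finds through its own resolver.
$soa = Resolve-DnsName -Name $Zone -Type SOA -Server $DhcpServer -DnsOnly -ErrorAction Stop | Where-Object Type -eq 'SOA'
"Zone $Zone primary (SOA MNAME): $($soa.PrimaryServer)"

# 4. Can the DHCP server itself open TCP/53 to that primary? Ping only proves ICMP; dynamic
#    updates use UDP and TCP 53. The check runs *on* the DHCP server (2008 R2 has no
#    Test-NetConnection, so plain .NET sockets are used) so it reflects that server's path.
$tcp53 = Invoke-Command -ComputerName $DhcpServer -ArgumentList $soa.PrimaryServer -ScriptBlock {
    param($target)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($target, 53); $client.Connected }
    catch   { $false }
    finally { $client.Close() }
}
"TCP/53 from $DhcpServer to $($soa.PrimaryServer): $tcp53"

# 5. Does the zone accept dynamic updates, and of which kind? 'Secure' means the updater (the
#    DHCP credential) must authenticate; 'None' silently refuses every registration attempt.
"Zone $Zone DynamicUpdate: " + (Get-DnsServerZone -ComputerName $soa.PrimaryServer -Name $Zone).DynamicUpdate
```

If DynamicUpdates is OnClientRequest and UpdateDnsRRForOlderClients is False, only clients that send the Client FQDN option (option 81) get registered by the DHCP server; a Windows client that registers itself will still show up, but a printer or appliance will not.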
ASKER
What about the DHCP credentials that are used to update dynamic entries? Should they have permissions in the DNS ACL?
I doubt it will be an issue with the DNS ACL. Can you check the number of days you set for the aging and scavenging period on the DNS server?
Share the number of days configured. Also check whether any time sync issue exists between the DHCP server and DNS (just to make sure).
ASKER
Aging and scavenging period (no-refresh interval and refresh interval) = 3 days.
DHCP lease = 5 days.
DHCP and DNS servers are on the same box, which is a DC as well.
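The scavenging arithmetic for the numbers just posted (3-day no-refresh, 3-day refresh, 5-day lease), as an added example that is not part of the thread. It reads the zone aging settings, the server scavenging settings and the longest DHCP lease, compares them, and then lists the dynamic records that are already past both intervals, i.e. the ones the next scavenging pass will delete. $DnsServer, $DhcpServer and $Zone are placeholders; it assumes the DnsServer and DhcpServer RSAT modules on a Windows 8 / Server 2012 or later management host.

```powershell
# Added example, not from the thread. Placeholders below.
$DnsServer  = 'dc1'            # assumed: the DC with scavenging enabled
$DhcpServer = 'dc1'            # assumed: same box, as in the thread
$Zone       = 'xxxx.xxxx.edu'  # assumed zone

$aging = Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $Zone
$srv   = Get-DnsServerScavenging -ComputerName $DnsServer
$lease = (Get-DhcpServerv4Scope -ComputerName $DhcpServer |
          Sort-Object LeaseDuration -Descending | Select-Object -First 1).LeaseDuration

$noRefresh = $aging.NoRefreshInterval   # TimeSpan: timestamp is NOT updated during this window
$refresh   = $aging.RefreshInterval     # TimeSpan: timestamp MAY be updated during this window
$window    = $noRefresh + $refresh      # a dynamic record survives this long without a refresh

"Zone aging enabled      : $($aging.AgingEnabled)"
"No-refresh + refresh    : $noRefresh + $refresh = $window"
"Server scavenging       : state=$($srv.ScavengingState) every $($srv.ScavengingInterval), last run $($srv.LastScavengeTime)"
"Longest DHCP lease      : $lease"

# The record's timestamp is refreshed when the DHCP server re-registers the client (at lease
# renewal) or when a Windows client refreshes its own registration, but only once the
# no-refresh window has passed. A record therefore becomes eligible for deletion only when
# nothing has refreshed it for no-refresh + refresh (6 days here). That is longer than the
# 5-day lease, so an active client's record is safe; a machine that stays off the network for
# more than 6 days loses its record on the next scavenging pass, which is the intended behaviour.
if ($window -lt $lease) {
    "WARNING: no-refresh + refresh ($window) is shorter than the lease ($lease); records of idle-but-leased clients can be scavenged."
}

# Records already past the window on this server. Timestamp is $null for static records,
# which scavenging never removes.
$cutoff = (Get-Date) - $window
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address.IPAddressToString } }, Timestamp |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

Because the zone is AD-integrated, a deletion made by the one scavenging DC replicates to the other four, so enabling scavenging on a single DC is enough (and is the usual recommendation); what matters is that the refresh traffic from DHCP actually reaches the zone, which is the other half of this thread.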
ASKER
There is another thing: I can't see dhcpuser or the DHCP server in the DNS zone's ACL. Does it make any difference?
Then check the DNS integrity on the DC using the command below:
dcdiag /test:dnscheck ; analyze the result of the command and share it here to proceed further.
Excuse me,
the command is dcdiag /test:dns ; while typing the above comment I failed to put a space between dcdiag /test:dns and check.
ASKER
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = xxxx-DS1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\xxxx-DS1
Starting test: Connectivity
......................... xxxx-DS1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\xxxx-DS1
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... xxxx-DS1 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : qatar
Running enterprise tests on : xxxx.xxxx.edu
Starting test: DNS
Test results for domain controllers:
DC: xxxx-DS1.xxxx.xxxx.edu
Domain: xxxx.xxxx.edu
TEST: Basic (Basc)
Warning: adapter
[00000007] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
has invalid DNS server: xxx.xxx.88.108 (<name unavailable>)
Warning: adapter
[00000007] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
has invalid DNS server: xxx.xxx.88.109 (<name unavailable>)
Warning: The AAAA record for this DC was not found
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record in zone xxxx.xxxx.edu
TEST: Records registration (RReg)
Network Adapter
[00000007] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client):
Warning:
Missing AAAA record at DNS server xxx.xxx.88.77:
xxxx-DS1.xxxx.xxxx.edu
Warning:
Missing AAAA record at DNS server xxx.xxx.88.77:
gc._msdcs.xxxx.xxxx.edu
Warning: Record Registrations not found in some network adapters
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: xxx.xxx.88.108 (<name unavailable>)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server xxx.xxx.88.108 Name resolution is not functional. _ldap._tcp.xxxx.xxxx.edu. failed on the DNS server xxx.xxx.88.108
DNS server: xxx.xxx.88.109 (<name unavailable>)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server xxx.xxx.88.109 Name resolution is not functional. _ldap._tcp.xxxx.xxxx.edu. failed on the DNS server xxx.xxx.88.109
xxxx-DS1 PASS WARN PASS PASS WARN WARN n/a
......................... xxxx.xxxx.edu passed test DNS
ASKER
this is the latest one:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = XXXXX-DS1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\XXXXX-DS1
Starting test: Connectivity
......................... XXXXX-DS1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\XXXXX-DS1
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
ERROR: NO DNS servers for IPV6 stack was found
......................... XXXXX-DS1 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : qatar
Running enterprise tests on : xxx.xxx.edu
Starting test: DNS
Test results for domain controllers:
DC: XXXXX-DS1.xxx.xxx.edu
Domain: xxx.xxx.edu
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Records registration (RReg)
Network Adapter
[00000007] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client):
Warning:
Missing AAAA record at DNS server xxx.xxx.88.77:
XXXXX-DS1.xxx.xxx.edu
Warning:
Missing AAAA record at DNS server xxx.xxx.88.77:
gc._msdcs.xxx.xxx.edu
Warning:
Missing AAAA record at DNS server xxx.xxx.88.26:
XXXXX-DS1.xxx.xxx.edu
Warning:
Missing AAAA record at DNS server xxx.xxx.88.26:
gc._msdcs.xxx.xxx.edu
Warning: Record Registrations not found in some network adapters
XXXXX-DS1 PASS WARN PASS PASS PASS WARN n/a
......................... xxx.xxx.edu passed test DNS
ASKER
These are my settings.
Interestingly, I could not find anything in logs. It seems DHCP is not even trying to update DNS dynamically. If I release and renew addresses on clients, DHCP log just shows that new addresses registered but didn't try to update in DNS.
DHCPDNS.JPG
dns-nameProtection.JPG
I agree with Jaihunt; the answer is there in your question. It is the DNS scavenging settings that are causing the issue. Check the links that Jaihunt gave you, and for reference check these links as well.
DNS Scavenging
DNS Best Practices
ASKER
I already read those links but I will check again. I don't think scavenging is the issue because it's happening but DHCP isn't registering the new ones.
I will try to uncheck name protection.
DHCP lease is 5 days. DNS scavenging and aging is 3 days (non-refresh and refresh). Scavenging is happening every 7 days.
ASKER
A part of the question still exists. How can I nslookup some machines that don't exist in any of my DNS servers? Nslookup shows that it is bringing up that value from a specific DNS server where that host entry doesn't exist.
We also have WINS in our network.
ASKER
Alright guys, now DHCP has started updating DNS but only for few clients not all.
Interestingly, if I look at DHCP logs, it is updating some clients not all in the same zone.
What could be the reason?
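The DHCP audit log is the place to answer "some clients but not all": every lease event (ID 10 Assign, 11 Renew) that the server decides to register is followed by a DNS Update Request (ID 30) and then either DNS Update Successful (32) or DNS Update Failed (31); a lease with no ID 30 after it was never attempted. The following is an added example, not part of the thread, that correlates those events per client. The log lines in $SampleLog are constructed for illustration (the real files are %SystemRoot%\System32\dhcp\DhcpSrvLog-<Day>.log on the DHCP server); the function itself only needs PowerShell 3 or later.

```powershell
# Added example, not from the thread. Summarises DHCP audit-log DNS update events per client.
# $SampleLog is a constructed excerpt in the 2008 R2 audit-log layout; read the live files instead.
$SampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
00,06/12/13,00:00:01,Started,,,,,0,6,,,
10,06/12/13,09:15:02,Assign,10.1.2.50,ws-new-01.xxxx.xxxx.edu,001122334455,,3019,0,,,
30,06/12/13,09:15:02,DNS Update Request,10.1.2.50,ws-new-01.xxxx.xxxx.edu,,,0,6,,,
32,06/12/13,09:15:03,DNS Update Successful,10.1.2.50,ws-new-01.xxxx.xxxx.edu,,,0,6,,,
11,06/12/13,09:20:11,Renew,10.1.2.77,ws-old-07.xxxx.xxxx.edu,00AABBCCDD07,,3020,0,,,
11,06/12/13,09:21:40,Renew,10.1.2.78,ws-old-08.xxxx.xxxx.edu,00AABBCCDD08,,3021,0,,,
30,06/12/13,09:21:40,DNS Update Request,10.1.2.78,ws-old-08.xxxx.xxxx.edu,,,0,6,,,
31,06/12/13,09:21:41,DNS Update Failed,10.1.2.78,ws-old-08.xxxx.xxxx.edu,,,0,6,,,
'@

function Get-DhcpDnsUpdateSummary {
    param(
        [string[]]$Lines   # raw audit-log lines, e.g. from Get-Content on the DhcpSrvLog-*.log files
    )
    # Data rows start with a two-digit event ID; header and blank lines do not.
    $rows = $Lines | Where-Object { $_ -match '^\d\d,' } | ForEach-Object {
        $f = $_ -split ','
        [pscustomobject]@{
            Id          = [int]$f[0]
            Date        = $f[1]
            Time        = $f[2]
            Description = $f[3]
            IP          = $f[4]
            Host        = $f[5]
        }
    }
    # Group by client and count lease vs. DNS-update events.
    $rows | Where-Object Host | Group-Object Host | ForEach-Object {
        $ids = @($_.Group.Id)
        [pscustomobject]@{
            Host         = $_.Name
            IP           = (@($_.Group.IP | Select-Object -Unique) -join ',')
            Leases       = @($ids | Where-Object { $_ -in 10, 11 }).Count   # Assign / Renew
            DnsRequested = @($ids | Where-Object { $_ -eq 30 }).Count
            DnsOk        = @($ids | Where-Object { $_ -eq 32 }).Count
            DnsFailed    = @($ids | Where-Object { $_ -eq 31 }).Count
            Verdict      = if     (30 -notin $ids) { 'never attempted' }
                           elseif (31 -in $ids)    { 'attempted, failed' }
                           else                    { 'ok' }
        }
    }
}

# Against the constructed sample: ws-new-01 -> ok, ws-old-07 -> never attempted, ws-old-08 -> attempted, failed.
Get-DhcpDnsUpdateSummary -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

# On the DHCP server itself (all seven daily files):
# Get-DhcpDnsUpdateSummary -Lines (Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-*.log") | Format-Table -AutoSize
```

The two non-ok verdicts have different causes. "never attempted" on a renewal usually means the DHCP server's policy did not apply to that client: the server is set to update only when the client requests it (option 81) and the client did not, or the scope has its own DNS settings that differ from the server-level ones. "attempted, failed" means the update was sent and the DNS server rejected it, which is where the update credential and the zone's secure-update setting matter; the DNS server's own event log on the zone primary will carry the matching refusal.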
ASKER
2. Yes, nslookup is showing one of my DNS servers.
3. Yes, I have run nslookup against all DNS servers.
4. I didn't check ipconfig /all on the clients, but I'm sure they are configured with the correct DNS server.
5. I guess new dynamic entries are being registered, but I will check tomorrow. I'm in the GMT +3 zone.