
DCDIAG /test:DNS error message explanations?

I have a Windows 2008 domain with 2 DCs. Many moons ago this was actually a Windows 2003 domain which was upgraded to 2008 as per MS's instructions. Pre-upgrade the 'main' DC/DNS server was a box called OLDSERVER.

Running DCDIAG /TEST:DNS on both 2008 DCs there are a couple of errors shown - same 2 on each server - and I don't know what they mean or how to resolve them.  They are

1.  Root zone on this DC/DNS server was not found

2. TEST: Delegations (Del)
Delegation information for the zone: domain.company.com.
Delegated domain name: _msdcs.domain.company.com.
Warning: Delegation of DNS server OLDSERVER.domain.company.com. is broken on IP:<OLDSERVER's IP>
Error: DNS server: OLDSERVER.domain.company.com.
IP:<OLDSERVER's IP>[Broken delegation]

I used ADSI Edit to take a look around and if I go to Properties of the folder 'DC=domain,DC=company,DC=com' under Default Naming Context I see that there is a value in the Attribute Editor tab called 'domainReplica' which has the value 'OLDSERVER' - I've no idea if that is a clue but I'm guessing it should be there as OLDSERVER is (or should be) an old server acting as a file store and nothing else.

I might be stating the obvious but in the registry under HKLM\System\CurrentControlSet\Services\NTDS\Parameters there is also a key labelled 'Src Root Domain Srv' with the value of the FQDN of the OLDSERVER.

Can anyone advise on a suitable course of action to tidy this up a bit safely?

Thanks in advance.
funasset Asked:
footech Commented:
1.  That is not an error.  Unless you want your server to think it knows everything about the internet you shouldn't have a root zone.  If your DNS server is serving clients that are trying to reach the internet this is how it should be, it uses root hints or forwarders for names it has no knowledge of.

2. In the DNS Management console, right click the delegation (you will see the entry for _msdcs under the zone domain.company.com), and select properties.  Update the name servers listed there.

Don't worry about the domainReplica attribute.
http://msdn.microsoft.com/en-us/library/cc219870.aspx

Do you have any errors from running dcdiag /v or repadmin /showrepl?  If not, then there's probably nothing to clean up.
funasset (Author) Commented:
1. Thanks - one less thing for me to worry about!

2. I see the Name Servers and yes it does have that old server listed there. Should I just remove that or substitute it with the names of the 2 current DCs? What does that tab represent?

As for the tests you suggested the latter completed with all things Successful on both DCs. The former gave one error on both which is

Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC DCOne.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=domain,DC=company,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=company,DC=com
         * Security Permissions Check for
           DC=DomainDnsZones,DC=domain,DC=company,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=company,DC=com
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=domain,DC=company,DC=com
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=domain,DC=company,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=domain,DC=company,DC=com
            (Domain,Version 3)

Every other test on DCDIAG /V passed OK. I might be getting somewhere at last!

I appreciate the help.
footech Commented:
I would suggest updating the delegation to include all your current DNS servers and remove any that are invalid.  The tab shows which DNS servers have info about a zone.  Delegations are used more for child domains in a multi-domain forest, but it also applies to the _msdcs zone.
http://technet.microsoft.com/en-us/library/cc771640.aspx

The NCSecDesc error is expected if you haven't run adprep /rodcprep.  You can ignore it if you don't plan on introducing read-only domain controllers, or just run the command so you're not bothered by it.
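The repair footech describes in the two answers above (read the NS records on the _msdcs delegation in the parent zone, add the current DNS-serving DCs, remove the stale OLDSERVER entry, confirm there is no root zone, then re-run the dcdiag delegation test) can be scripted rather than clicked through in the DNS console. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes an elevated PowerShell 2.0+ session on one of the 2008 DCs, that dnscmd.exe and dcdiag.exe are present (the DnsServer PowerShell module only exists on Windows Server 2012 and later), that 'domain.company.com' stands in for the real parent zone, and that every current DC running the DNS Server service should be a name server for the delegation. Without -Apply it only reports what it would change.

```powershell
<#
 Added example (not from the original thread). Audits and optionally repairs the
 _msdcs delegation that dcdiag /test:DNS flagged as [Broken delegation].
 Assumptions: run elevated on a 2008-era DC with dnscmd.exe/dcdiag.exe available;
 $Zone is a placeholder for the real parent zone; all DCs running the DNS service
 are intended delegation targets.
#>
param(
    [string]$Zone = 'domain.company.com',     # placeholder for the thread's parent zone
    [string]$DnsServer = $env:COMPUTERNAME,   # DNS server to read from and write to
    [switch]$Apply                            # without -Apply nothing is changed
)

function Get-MsdcsDelegationNS {
    # The delegation shown in the DNS console is simply the NS record set on the
    # _msdcs node inside the parent zone; dnscmd lists it directly.
    $lines = & dnscmd $DnsServer /EnumRecords $Zone _msdcs /Type NS 2>&1
    $lines | ForEach-Object {
        if ($_ -match '\sNS\s+(\S+)') { $matches[1].TrimEnd('.').ToLower() }
    } | Sort-Object -Unique
}

function Get-DnsCapableDCs {
    # Current DCs that actually run the DNS Server service. A demoted box such as
    # OLDSERVER is no longer in this list, which is what makes its NS record stale.
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    $dcs | Where-Object { Get-Service -ComputerName $_.Name -Name DNS -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.Name.TrimEnd('.').ToLower() } | Sort-Object -Unique
}

function Test-RootZonePresent {
    # A zone literally named '.' would make this server think it is authoritative for
    # the whole internet and stop it using root hints or forwarders. Absent is correct.
    $zones = & dnscmd $DnsServer /EnumZones 2>&1
    [bool]($zones | Where-Object { $_ -match '^\s*\.\s+' })
}

function Repair-MsdcsDelegation {
    $delegated = @(Get-MsdcsDelegationNS)
    $current   = @(Get-DnsCapableDCs)
    $stale     = @($delegated | Where-Object { $current   -notcontains $_ })
    $missing   = @($current   | Where-Object { $delegated -notcontains $_ })

    Write-Host "Delegation NS now : $($delegated -join ', ')"
    Write-Host "DNS-capable DCs   : $($current -join ', ')"
    Write-Host "Stale (to remove) : $($stale -join ', ')"
    Write-Host "Missing (to add)  : $($missing -join ', ')"

    if ($current.Count -eq 0) {
        throw 'No DC with the DNS service was found; refusing to touch the delegation.'
    }

    if ($Apply) {
        # Add first, then remove, so the delegation is never left empty mid-way.
        foreach ($ns in $missing) { & dnscmd $DnsServer /RecordAdd    $Zone _msdcs NS "$ns." }
        foreach ($ns in $stale)   { & dnscmd $DnsServer /RecordDelete $Zone _msdcs NS "$ns." /f }
    }

    New-Object PSObject -Property @{
        Delegated       = $delegated
        Current         = $current
        Stale           = $stale
        Missing         = $missing
        RootZonePresent = Test-RootZonePresent
        Applied         = [bool]$Apply
    }
}

$result = Repair-MsdcsDelegation
$result | Format-List

# Re-run only the delegation sub-test of dcdiag /test:DNS against this DC.
if ($Apply) { & dcdiag /test:DNS /DnsDelegation /s:$DnsServer }
```

Run it once without -Apply on each DC and compare the two reports; because the parent zone is AD-integrated the delegation is replicated, so the second DC should show the same NS set once replication has caught up (repadmin /showrepl confirms that). RootZonePresent should read False, matching footech's point that "Root zone ... not found" is the healthy state. The NCSecDesc warning from dcdiag /v is separate: it clears only after adprep /rodcprep (on the Windows Server 2008 installation media under sources\adprep) has been run once in the forest, and is safe to ignore if no read-only DCs are planned.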
funasset (Author) Commented:
Many thanks.

I've removed the old reference, replaced it with the current DCs and ran DCDIAG again - all would seem to be well.

Many thanks for the help.
footech Commented:
You're welcome.