Solved

DNS does not resolve soa record

Posted on 2014-10-26
6
384 Views
Last Modified: 2014-11-04
Hi Experts,
I've a DC server (DC1) and ISP server (ISP1) in my environment. DNS in DC1 is AD-integrated and in ISP1 is secondary.
The issue now is some of the zones in the ISP1 server are unable to reload  from master DC1 and the serial number is not updated. It returns error "zone not loaded by DNS server". I've checked the zone transfers setting in DC1 and it's configured properly. I've tried to re-create the problematic zones in ISP1 but it did not resolved the issue.  I've asked my infra team and they suspected it's due to the SOA record not configured properly in master server DC1. I checked the SOA record is exists in DC1 but I'm unable to nslookup the SOA. Any ideas on how to further check on this issue?

C:\>nslookup
Default Server:  dc1.abc.com
Address:  x.x.x.x

> set type=soa
> fish.com.cn
Server:  dc1.abc.com
Address:  x.x.x.x

fish.com.cn       canonical name = www.fish.com.cn
0
Comment
Question by:SuzenJ
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 40405870
You need to go fish.com.cn, then delete the CNAME you've created going to www.fish.com.cn.

You cannot create CNAME  records if there's another record at the same level. At the zone apex you'll have NS and SOA at the very least.

Chris
0
 

Author Comment

by:SuzenJ
ID: 40406087
Thanks Chris for the reply..
So you're suggesting me to delete the CNAME record in DC1 for fish.com.cn going to www.fish.com.cn?? 

But why there is no issue for replication from DC1 with other ad-integrated primary DC servers (for ex: DC2) but the issue only happened in secondary zone server which is ISP1.
In addition, only some zones in ISP1 are having issue to reload from master and not all.

From DC1 AD integrated Primary DNS, I've 1 SOA record, 5 CNAME records, and 100 NS records.
Please confirm if I need to delete the first CNAME records as per below details?

SOA:
Name: (same as parent folder) Type: SOA Data: xxx

CNAME:
Name: (same as parent folder)  Type: Alias (CNAME)  Data: www.fish.com.cn
Name: ibe  Type: Alias (CNAME)  Data: ibe.fish.com
Name: m  Type: Alias (CNAME)  Data: vweb.abc.com
Name: mobile  Type: Alias (CNAME)  Data: vweb.abc.com
Name: www Type: Alias (CNAME) Data: vweb.abc.com
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 40406102
> But why there is no issue for replication from DC1 with other ad-integrated primary DC servers (for ex: DC2) but

Because that replication mechanism doesn't use the DNS protocol at all, instead it replicates using Active Directory.

> In addition, only some zones in ISP1 are having issue to reload from master and not all.

Your usage of the CNAME is illegal (that is, it contravenes all RFCs which dictate how DNS is supposed to work), nothing can be guaranteed while it's in that state.

You are correct that this is the one in error:

Name: (same as parent folder)  Type: Alias (CNAME)  Data: www.fish.com.cn

Chris
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:SuzenJ
ID: 40406155
Thanks Chris..

Sorry as I has missed out some info for the nslookup result earlier. There are 2 CNAME records found not one as per my earlier comment.

C:\>nslookup
Default Server:  dc1.abc.com
Address:  x.x.x.x

> set type=soa
> fish.com.cn
Server:  dc1.abc.com
Address:  x.x.x.x

fish.com.cn       canonical name = www.fish.com.cn
www.fish.com.cn       canonical name = vweb.abc.com

Do i need to remove the record for Name: www Type: Alias (CNAME) Data: vweb.abc.com as well?

I saw one successful zone transfer in ISP1 with 2 host (A) records, 1 SOA, 100 NS for fish.info

Host A:
Name: (same as parent folder)  Type: Host (A)  Data: x.x.x.x  ---->> IP for vweb.abc.com
Name: www  Type: Host (A)  Data: x.x.x.x  ---->> IP for vweb.abc.com

Do I need to create the same Host A record for fish.com.cn?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 40406215
Nope, you only need remove the first one (fish.com.cn -> www.fish.com.cn). The other is harmless.

And yes, if you wish that to resolve you will have to replace the CNAME with an A record. It's only the CNAME that's prohibited.

Chris
0
 

Author Closing Comment

by:SuzenJ
ID: 40423378
Thank you very much Chris!! Once I deleted the CNAME record I'm able to nslookup the SOA record and the zone transfer is working fine now.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question