Manually adding the missing DNS entries for an Active Directory Domain Controller?

Hi People,

I need to fix my AD environment, which is looking like a mess at the moment (lots of old entries of a Win 2k3 DC that was not properly removed from AD). Based on the netdom query dc and netdom query fsmo command results, I can see that some of the DNS entries in gc._msdcs.domain.com are missing.

My question is:

1. How can I add the missing Host (A) record automatically in the gc folder? The rest of the entries have timestamps, so I guess they were not manually typed.

2. Can I assume that, for example, if the netdom query dc command returns 95 domain controllers/global catalogs, the number of Host (A) records and _ldap (SRV) records must also be 95? What if the number is different? Can I add them manually, or is there any way to automatically add them to each folder under the _msdcs container?

Thanks.
Senior IT System Engineer (IT Professional) asked:
arnold commented:
ntdsutil needs to be used to clean up metadata.

You may need to use sites and trusts to see whether there are NTDS and entries within.

A reason why one might not be there is that there might be an issue with that system.

Manually adding could destabilize your environment, i.e. local systems will send requests to manually added entries that do not respond.

Use dcdiag/repadmin among other tools to check on the health of your AD.
I.e. which DC is seen as the RID master, schema master, etc. If the old 2003 is still reflected, you would need to use ntdsutil to seize those roles.
footech commented:
A DC should register its own records when the Netlogon service on it starts (and a 2003 server tries to update them every 24 hours, and a 2008 server every hour as well).  Just make sure that it is using another DC/DNS server and itself (assuming it's running DNS) under its NIC settings for DNS.  Whether a GC record gets created depends on whether the DC is a Global Catalog server.  

1.  Since this is all supposed to happen automatically I wouldn't go around creating anything manually.
2.  There are _ldap records all over the structure, so not sure what you mean.  Again, I would correct the problem rather than creating anything manually.

Here's a good read about SRV records and how scavenging settings might affect them.  Could be what you're facing.
http://blogs.technet.com/b/askpfeplat/archive/2012/07/09/the-case-of-the-missing-srv-records.aspx
Mahesh (Architect) commented:
First of all, check the Domain Controllers OU for stale domain controller accounts.

You need to remove them there, if any.

Then manually clean up NS records \ Host (A) records \ PTR records \ (same as parent folder) records from DNS.

Also, you need to clean up stale CNAME entries from _msdcs.domain.com.

Then you may restart the Netlogon service on each DC.

Finally, check AD replication across the domain with the command below:
repadmin /replsummary *  /bysrc /bydest /sort:delta
Senior IT System Engineer (IT Professional), author, commented:
Yeah, automatically, that's what I thought, because yesterday when I created a new DC/GC running Win 2012 R2, the records got created automatically, as can be seen from the timestamp matching the implementation time. While the rest of my DC/GCs, around 50 of them, are static?

I'm not sure what my predecessors did to this environment.

@Mahesh: "Then you may restart netlogon service on each DC" whoa, can I just restart the NETLOGON service on the DCs with the missing entries only (some of my site offices)? If I restart the main DC in my data center AD site, I'm worried that's gonna affect my Exchange Server email flow.
Senior IT System Engineer (IT Professional), author, commented:
@footech: yes, somehow DNS scavenging is not enabled on any of my DNS servers. What's the side effect of enabling it now, considering there are some missing Host (A) records in the gc._msdcs.domain.local container?

Does it also help me automatically delete the old domain controller entries that are still lingering in DNS?
footech commented:
Regardless of whether a particular server is set to scavenge records, aging/scavenging is enabled (or not) on the zone. I don't recall offhand whether a record would even show a timestamp if aging wasn't enabled, or if the refresh/no-refresh periods apply. I don't think (I'm guessing) they would apply, which would have the same effect as an extremely short period for the no-refresh setting.
I don't think I would call any of it side effects. As with anything, incorrect (for the environment) settings can have a negative effect. Missing records would have no impact on scavenging. Scavenging would just help with cleaning up stale records (but not NS records). But if a record that is supposed to be updated isn't, it could get deleted, and then of course the name wouldn't be resolved until the record is recreated, either manually or automatically. If you want to enable it, you should take the time to understand what the refresh and no-refresh intervals are all about, how dynamic updates work, and replication intervals in your environment, and take your time. If you haven't read it yet, I'd suggest the following link.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

I wouldn't say there's any need to restart the Netlogon service on any DC whose records are properly registered.

Run dcdiag and repadmin as previously suggested to check for any errors.
Will Szymkowski (Senior Solution Architect) commented:
@Mahesh: "Then you may restart netlogon service on each DC"

I would go through all of the _msdcs.domain.com folders and ensure that all old DCs have in fact been removed. If there are still entries, manually delete them. These changes will be replicated to other DCs through DNS replication. SRV records can create a lot of issues if you have old entries in these folders.

Will.
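As an added example (not code from anyone in this thread), the check that Mahesh's cleanup steps and Will's advice above describe, done in PowerShell: it lists the DCs that AD knows about and compares them with the A records under gc._msdcs and the _ldap SRV records under _msdcs, flagging DCs that have no record and records that point at hosts no longer in AD. It assumes the RSAT ActiveDirectory module and the DnsClient module (Windows 8 / Server 2012 or later) are available and reads the domain name from the current domain.

```powershell
# Added example: audit gc._msdcs A records and _ldap._tcp.dc._msdcs SRV records
# against the domain controllers Active Directory actually knows about.
# Assumes RSAT ActiveDirectory + DnsClient modules; run from a domain-joined host.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Every DC in the domain, and the subset that hold the Global Catalog
$dcs = Get-ADDomainController -Filter *
$gcs = $dcs | Where-Object { $_.IsGlobalCatalog }

# What DNS currently advertises (filter out any CNAME/other records in the answer)
$gcA  = Resolve-DnsName -Name "gc._msdcs.$domain" -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }
$ldap = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

# 1. gc._msdcs should hold one A record per GC. The record name is always "gc",
#    so the only thing that identifies a DC here is its IP address.
$gcIPs = @($gcA.IPAddress | ForEach-Object { $_.ToString() })
foreach ($gc in $gcs) {
    if ($gcIPs -notcontains $gc.IPv4Address) {
        Write-Warning "GC $($gc.HostName) ($($gc.IPv4Address)) has no A record under gc._msdcs.$domain"
    }
}
# An IP under gc._msdcs that no current GC owns is a leftover (e.g. a removed 2003 DC)
foreach ($ip in $gcIPs) {
    if (@($gcs.IPv4Address) -notcontains $ip) {
        Write-Warning "Stale gc._msdcs A record: $ip does not belong to any current GC"
    }
}

# 2. _ldap._tcp.dc._msdcs should hold one SRV record per DC, keyed by host name
$dcNames    = @($dcs.HostName | ForEach-Object { $_.ToLower() })
$srvTargets = @($ldap.NameTarget | ForEach-Object { $_.TrimEnd('.').ToLower() })
foreach ($name in $dcNames) {
    if ($srvTargets -notcontains $name) {
        Write-Warning "DC $name has no _ldap._tcp.dc._msdcs SRV record"
    }
}
foreach ($target in $srvTargets) {
    if ($dcNames -notcontains $target) {
        Write-Warning "Stale SRV record points at $target, which is not a current DC"
    }
}

"DCs in AD: $($dcs.Count)  GCs in AD: $($gcs.Count)  gc A records: $($gcA.Count)  _ldap SRV records: $($ldap.Count)"
```

The final line answers the count question from the original post directly: the SRV count should equal the DC count and the gc A record count should equal the GC count, and any mismatch is named by the warnings above it rather than fixed by hand.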
Mahesh (Architect) commented:
You may delete stale SRV records from _msdcs.domain.com manually.

When you remove old \ stale DC servers via ntdsutil \ from the 2008 server GUI as metadata cleanup, it should remove false SRV records as well.

Still, you need to restart the Netlogon service on all DCs to ensure that all SRV records are correctly registered for all DCs.
Senior IT System Engineer (IT Professional), author, commented:
OK, so restarting the Netlogon service, does it require restarting the Exchange server services as well, or does it not really affect the Exchange server at all?
Will Szymkowski (Senior Solution Architect) commented:
If you have restarted the Netlogon service, I would also be restarting the Exchange services as well, if this is an Exchange server we are talking about.

Will.
Senior IT System Engineer (IT Professional), author, commented:
Uhm. What if I don't restart the Exchange Netlogon service?

Is there any impact on the mail flow when I restart the Netlogon service on some of the DC/GCs used by the Exchange server?

I have 3 listed, so if I restart them one by one, would that be a problem, or is that the suggested way?
Will Szymkowski (Senior Solution Architect) commented:
Restarting the Exchange services is not required, but in case you experience any issues you might need to restart the services.

I say that it all depends because the Netlogon service controls logon requests, authentication, locating DCs, etc., and if you are running into issues with Exchange it would be directly related to the Netlogon service being restarted.

Will.

Mahesh (Architect) commented:
If Exchange is installed on a DC, Exchange will always point to \ look up that DC first unless you specified another DC as the configuration DC, as far as I know.
Restarting the Netlogon service will affect Exchange a little bit for the time it takes to restart the service.
Senior IT System Engineer (IT Professional), author, commented:
Thanks !