  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 114

DNS Issues Exch Svr DC/DNS (Svr 2008 r2 Std)

Because we're unable to view our external website w/o editing the HOSTS file, I ran this on the server (dcdiag /test:dns) and got the info below, but I don't know how to correct it. Can anyone help me with correcting the errors? Thanks!

C:\Users\services>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ex2010
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\EX2010
      Starting test: Connectivity
         ......................... EX2010 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\EX2010

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... EX2010 passed test DNS

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : dirtech

   Running enterprise tests on : dirtech.com
      Starting test: DNS
         Test results for domain controllers:

            DC: ex2010.dirtech.com
            Domain: dirtech.com


               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record i
n zone dirtech.com

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.8.10.90
            DNS server: 2001:500:1::53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::53

            DNS server: 2001:500:2::c (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c

            DNS server: 2001:500:2d::d (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d

            DNS server: 2001:500:2f::f (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f

            DNS server: 2001:500:84::b (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b

            DNS server: 2001:500:9f::42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:9f::42

            DNS server: 2001:500:a8::e (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:a8::e

            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30

            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30

            DNS server: 2001:7fd::1 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1

            DNS server: 2001:7fe::53 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53

            DNS server: 2001:dc3::35 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35

               ex2010                       PASS PASS PASS PASS WARN PASS n/a
         ......................... dirtech.com passed test DNS
0
LemonCalvin
Asked:
1 Solution
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
This warning occurred because the dynamic updates method selected on the DNS server is “Nonsecure and secure”. Please convert the zone to “Secure only” under Dynamic updates and then test again.

In addition, if the Dynamic updates add/delete test record process works properly, we can ignore this warning without issue.

Please refer to the link below for more information:

dcdiag failed to delete test record

http://social.technet.microsoft.com/Forums/windowsserver/en-US/f99e7099-b861-4400-a891-5f0a9492921e/dcdiag-failed-to-delete-test-record?forum=winserverDS

Dcdiag

http://technet.microsoft.com/en-us/library/cc731968.aspx

Hope this helps

Best regards

Michael

It was from a previous case reported on: https://social.technet.microsoft.com/Forums/en-US/334a638f-337b-4b26-930e-148157704394/failed-to-delete-the-test-record-dcdiagtestrecord-in-zone-testcom?forum=winserverDS

DC Diag failed to delete test record: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f99e7099-b861-4400-a891-5f0a9492921e/dcdiag-failed-to-delete-test-record?forum=winserverDS
0
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
Here is the process to configure secure updates:

If you can apply it in your environment (cases where all the devices that update with your server are Windows computers joined to the same domain as your AD, or a domain trusted by it):

To configure secure dynamic update:

1. In the DNS console, right-click the zone for which you want to configure dynamic update, and then click Properties.
2. In the Allow dynamic updates? box, select Only secure updates.
0
 
LemonCalvinAuthor Commented:
Thanks for responding. The only place in the DNS console where I see "Properties" is when I r-click on the name of my DNS server; otherwise Properties is not an option, and when I click on Properties, dynamic or secure updates are not listed. See attachment
DNS-Manager.png
0
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
Cool... Let's do this...

1. Expand Forward Lookup Zones; there you will see a list of DNS zones inside it.

2. Right click on one of these DNS zones.

Note: make the right click on the left side of the window (not the central view).

Additionally, the reverse zone in your picture, 16.172.in-arpa., is one you can also right-click (use the left side of the window) to open its properties.

Let me know the results please.
0
 
LemonCalvinAuthor Commented:
Okay, the Reverse Zone was Secure and the Fwd Zone was Unsecure - I changed it to Secure. After doing that and running the dcdiag test again, the DNS test passes but all the queries above it still fail.

-------------------------------------------- START TEST----------------------------------------------
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\services>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ex2010
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\EX2010
      Starting test: Connectivity
         ......................... EX2010 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\EX2010

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... EX2010 passed test DNS

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : dirtech

   Running enterprise tests on : dirtech.com
      Starting test: DNS
         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.63.2.53
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.8.10.90
            DNS server: 2001:500:1::53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::53

            DNS server: 2001:500:2::c (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c

            DNS server: 2001:500:2d::d (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d

            DNS server: 2001:500:2f::f (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f

            DNS server: 2001:500:84::b (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b

            DNS server: 2001:500:9f::42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:9f::42

            DNS server: 2001:500:a8::e (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:a8::e

            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30

            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30

            DNS server: 2001:7fd::1 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1

            DNS server: 2001:7fe::53 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53

            DNS server: 2001:dc3::35 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35

         ......................... dirtech.com passed test DNS

C:\Users\services>
0
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
Does that DNS connect directly to the Internet?
0
 
LemonCalvinAuthor Commented:
It connects to the internet via Cisco ASA 5512 FW
0
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
These warnings are telling the following...

1. You are using root hints on your DNS server. (This can be verified by right-clicking your DNS server, clicking Properties and opening the Root Hints tab.) One important point here: if you are using DNS forwarders OR you do not use Internet name resolution, you can delete that list of root hints. If these root hints are necessary because you are using external name resolution AND it is not based on DNS forwarders, then they can stay there.

2. (This applies if the root hints are staying there.) From a communication perspective, your server is not able to query the root hints or receive the answers to the queries it sends them. This means it is necessary to check whether any rule is blocking this connection (it uses UDP 53) or whether you are using an IP stack not supported in your environment (IPv4 or IPv6) to communicate with the Internet.

Additionally, it is important to know that these warnings are not going to cause an operational failure in your system. However, if you want them to stop appearing, the options are the two points specified previously (remove the root hints from your server if they are not required, or ensure that your server communicates with those root hints and gets their answers).

Note: If you do not have any operational problem right now, it is likely a situation where you can remove them (Because anyway their name resolution is not working for the listed IP/names).
0
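Added example, not part of the thread: a small Python 3.8+ triage script for `dcdiag /test:dns` output that rejoins the console-wrapped lines seen above and separates the two kinds of finding the answers discuss, the dynamic-update warning and the loopback PTR failures reported against root-hint servers. The category labels, the `dns2.example.test.` entry and its 192.0.2.53 address are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample in the shape of the thread's dcdiag output, 80-column wraps included.
SAMPLE = """\
                  Warning: Failed to delete the test record dcdiag-test-record i
n zone dirtech.com
            DNS server: 2001:500:2::c (c.root-servers.net.)
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
            DNS server: 192.0.2.53 (dns2.example.test.)
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.0.2.53
"""

DYN = re.compile(r"Failed to delete the test record (\S+) in zone (\S+)")
SERVER = re.compile(r"DNS server: (\S+) \((.*)\)")
PTR = re.compile(r"PTR record query for the (\S+) failed on the DNS server (\S+)")

def unwrap(text):
    out = []
    for line in text.splitlines():
        if out and out[-1][:1].isspace() and line and not line[0].isspace():
            out[-1] += line  # wrapped tail: column-0 text right after an indented line
        else:
            out.append(line)
    return out

def ptr_to_ip(name):
    labels = name.rstrip(".").lower().split(".")
    rev, zone = labels[:-2][::-1], ".".join(labels[-2:])
    try:
        if zone == "in-addr.arpa":
            return ipaddress.IPv4Address(".".join(rev))
        return ipaddress.IPv6Address(int("".join(rev), 16)) if zone == "ip6.arpa" else None
    except ValueError:
        return None

def triage(text):
    findings, host = [], ""
    for line in unwrap(text):
        if m := DYN.search(line):
            findings.append(("dyn-delete-failed", m.group(2), m.group(1)))
        elif m := SERVER.search(line):
            host = m.group(2).lower()  # name of the server the next failures belong to
        elif m := PTR.search(line):
            ip = ptr_to_ip(m.group(1))
            root_hint = host.endswith(".root-servers.net.") and ip is not None and ip.is_loopback
            findings.append(("root-hint-loopback-ptr" if root_hint else "review", m.group(2), str(ip)))
    return findings
```

Anything labelled `review` is a PTR failure that does not match the root-hint pattern from this thread and should be looked at separately.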
 
LemonCalvinAuthor Commented:
First I must say that I failed to mention previously that after following your steps, the "Failed to delete the test record dcdiag-test-record" did go away.
Secondly, I will remove the root hints as you stated because they're obviously not working. Thanks for all of your patience and help with this!
0
 
LemonCalvinAuthor Commented:
Thank you for your patience and help with resolving this issue!
0
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
Welcome
0
