Link to home
Start Free TrialLog in
Avatar of Scott Jackson
Scott Jackson

asked on

DNS entries missing from DNS manager but NSLOOKUP works perfectly

Single Windows 2012 Server R2 as a DC with DHCP and DNS running - no other servers on the network. NSLOOKUP works perfectly resolving to correct client IP addresses and reverse works as well, but no entries are populating in the DNS Manager GUI.  Event viewer mentions event ID 800 stating the A record for the primary server in the zone's SOA record is not available on this DNS server.
Avatar of Mahesh
Flag of India image

ensure that server is pointing to own real IP as preferred DNS under tcp/ip and then restart netlogon service followed by DNS service and check if records are visible
Avatar of Scott Jackson
Scott Jackson


Server has it's own real IP as preferred DNS.  I restarted netlogon service and then DNS service - no change.  There is no A record in the forward lookup zone.  When I try to add it, it says "Warning: The associated pointer (PTR) record cannot be created, probably because the referenced reverse lookup zone cannot be found." Well, the reverse lookup zone is there.  When I click "Okay" and refresh the forward zone, the entry I just created is gone.
Oh, and when I uncheck the box for "Create associated pointer (PTR) record" and attempt to create the A record without a PTR, it says, "The host record *********** cannot be created. The record already exists."  

However, it's clearly not there.
can you try create another ad integrated zone with any other domain name and check if you can create entries there and it stays there forever..?
I created a test zone and added an A record and it behaves the same as the other zone.  One thing I failed to mention is the first time it is created, it says it was successful, but then upon refresh, it's gone.
This is something I never faced / heard before

Can you run dcdiag /v from elevated cmd and post output here


run dcdiag /fix and check what happens

if still issue persists,

what you can do, you can uninstall dns role from server and reinstall same and check

The zone should load automatically after reinstall role, if not, you can create zone with same name as domain name, make it ad integrated and restart netlogon service
dcdiag /v returned a lot of info.  Passed on most all tests, but issues identified with and failed test SystemLog.  Issues are all related to DNS EventID: 0x00001695

I uninstalled dns role a couple days ago and reinstalled it hoping that would fix the issues, but it didn't.  I'll gladly do it again if you think that will work.
I removed and reinstalled dns role, and the problem persists.  Funny thing now though... reverse lookups for the server ip address come back with the servername.testforwardlookupzone instead of the servername.properdomainname.  I just deleted the test zone that I had previously created that got added back when I readded the DNS role.
So, I checked the reverse lookup zone and there was no entries.  So, I just deleted the reverse lookup zone associated with the subnet the server is on and recreated it and did a ipconfig /registerdns on the server and now it resolves fine again from anywhere, but I'm back where I started from - no entries in the dns manager under the forward or reverse zones.
Have u ran dcdiag /fix from elevated cmd
Yes, that was one of the last things I tried last night.
I also came across a blog post by Ace Fekay about similar problems as a symptom of duplicate dns zones in AD. It suggested using ADSI edit to check for duplicate zones. Well, I’ve never used ADSI edit before, but I was able to follow the steps and at least locate the zones in AD, and guess what? I didn’t see any duplicates, but the ones that are there look like they have several records that do not appear in DNS Manager. So, this is really weird. I create a zone in DNS Manager, it shows in DNS Manager, but no records show there. I can even create records there, but they are gone upon refresh. All the while, everything I do in DNS Manager apparently is being stored correctly in AD and DNS is working correctly, but the records just don’t show in DNS Manager. Almost seems like a permission based issue where it can write records but can’t view them??? Or it seems like DNS Manager is reading from one place where it isn’t finding anything but writing to the correct location.
This is a client’s server, so unfortunately I don’t personally know the history of what may have caused this situation, but I suspect it was an improper migration of non-AD DNS to Windows 2012 AD integrated DNS. My gut is telling me it’s something out of whack in AD because I’ve removed the DNS role twice now and added it back and it doesn’t seem to change anything (all the zones reappear with no records, but yet nslookup works perfectly). I even tested nslookup after stopping dns in DNS Manager, and while the role was removed and surprise! It can’t find a DNS server in either case (because it’s either turned off or removed) confirming that it is indeed this DNS server that is doing the work.
the possible issue in your case is corrupted application directory partitions (domain dns zones and forest dns zones) where dns zones are stored

You can try by changing dns zone replication scope from "all dns servers in this domain" to "all domain controllers with 2000 compatibility" which is last in list and hopefully your issue should go away

If above is successful, later point of time you can fix application directory partition issue.
you can delete application directory partition from AD and recreate it with dnscmd built-in DNS tool, if you are not comfortable with that u may hire some AD specialist to do that or even Microsoft support can help you

I tried changing dns zone replication to "all domain controllers with 2000 capatibility" like suggested, but it made no difference.
Avatar of DrDave242
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial

Sometimes the strangest, most mind-boggling problems have just the simplest solution.  Thank you!  I didn't think of having a filter on in the console because it wasn't a system I setup or have worked on in the past, but apparently somebody before me had used a filter (probably searching for something that isn't there now) and left it turned on.
I have to also thank Mahesh for helping me think through the complicated stuff that could have caused something like this.  As with every problem that makes you pull your hair out, I learned a lot on this one.