Gibo asked:

Windows domain DNS issues!

Multiple Host A records on the same IP address in domain DNS servers? Is that valid?
Tags: Active Directory, DNS, Windows 10, Azure, Windows Server 2016

Last comment: Hello There, 8/22/2022 - Mon

Hello There

No. You shouldn't see this.

Open DHCP console -> right-click the IPv4 -> DNS tab -> make sure that "Always dynamically update DNS records" and "Discard A and PTR records..." options are checked.
Gibo

ASKER
May I know why?

BTW this is actually a DNS server with TWO(2) different Host A records pointing to TWO(2) different domain names or FQDN but with the same static IP address

Something is not right?
Gibo

ASKER
under the forward lookup zones
Gibo

ASKER
Those DHCP Options were already configured that way before

Should we delete the duplicate Host A DNS record? & which one?
DrDave242

Are both records in the same forward lookup zone? Also, are they static or dynamic records? If they're dynamic, do they have wildly different timestamps?
Gibo

ASKER
Well under forward lookup zones they have 2 Host A entries with the same IP address on different domains, .local & .com
Hello There

Basically, the IP address should be unique in the network so if you see multiple entries in DNS, something might be wrong.

this is actually a DNS server with TWO(2) different Host A records pointing to TWO(2) different domain names or FQDN but with the same static IP address
You should have mentioned this in the original post. In this case, I understand why two hostnames are assigned to one IP address. That's ok.
kevinhsieh

Do you mean that you have something like this in your forward zone?

host1  a 10.10.10.10
host2  a 10.10.10.10

Yes, that is fine. It could be a little weird in the reverse zone, but you can do it no problem in the forward zone.

It might be better to have

host1 a 10.10.10.10
host2 cname host1.ad.yourdomain.com.

but that wouldn't be valid for servers with MX records, so use two A records instead.
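As an added example (editor's code, not part of the thread or anyone's answer in it), the following PowerShell audit finds the situation kevinhsieh describes on a real server: every IPv4 address that carries more than one A record across the forward lookup zones, with each record flagged static or dynamic (a static record has no aging timestamp) and the PTR the reverse zone currently returns for that address. The server name is a placeholder; the DnsServer and DnsClient modules are assumed to be installed.

```powershell
# Added example, not from the thread: list every IPv4 address that has more than
# one A record across the forward lookup zones on a Windows DNS server, flag each
# record as static or dynamic, and show what the reverse zone says for that IP.
# Assumptions: DnsServer/DnsClient modules present; $DnsServer is a placeholder.
$DnsServer = 'dc1.domain.local'

# Forward zones only; skip the auto-created ones (TrustAnchors, 0.in-addr.arpa, ...)
$forwardZones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated }

$aRecords = foreach ($zone in $forwardZones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -RRType A |
        ForEach-Object {
            # '@' is the zone apex; domain controllers register the zone name itself there
            $fqdn = if ($_.HostName -eq '@') { $zone.ZoneName } else { "$($_.HostName).$($zone.ZoneName)" }
            [pscustomobject]@{
                Zone      = $zone.ZoneName
                Fqdn      = $fqdn
                IPv4      = $_.RecordData.IPv4Address.IPAddressToString
                # A static record has no aging timestamp; a dynamic registration does
                Kind      = if ($null -eq $_.Timestamp) { 'static' } else { 'dynamic' }
                Timestamp = $_.Timestamp
            }
        }
}

# More than one FQDN on one address is legal (split-brain names, aliases), but every
# case should have an explanation; the unexplained ones are candidate stale records.
$report = foreach ($group in ($aRecords | Group-Object IPv4 | Where-Object Count -gt 1)) {
    # Windows normally registers a single PTR per address, so note which name wins there
    $ptr = Resolve-DnsName -Name $group.Name -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'PTR' | Select-Object -ExpandProperty NameHost
    foreach ($rec in $group.Group) {
        [pscustomobject]@{
            IPv4      = $group.Name
            Zone      = $rec.Zone
            Fqdn      = $rec.Fqdn
            Kind      = $rec.Kind
            Timestamp = $rec.Timestamp
            PtrAnswer = ($ptr -join ', ')
        }
    }
}

$report | Sort-Object IPv4, Zone, Fqdn | Format-Table -AutoSize
```

Run it against one DNS server that hosts both AD-integrated zones; a host.domain.com / host.domain.local pair on 10.10.10.10 will appear as two rows with the same IPv4 and a single PtrAnswer, which is the benign case discussed above. Rows whose Kind is dynamic and whose Timestamp is weeks old are the ones to investigate.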
DrDave242

That may be perfectly fine. The .com entry could be there to allow your internal users to access an internal server by its public DNS name for certificate purposes.
Gibo

ASKER
host.com A 10.10.10.10
host.local A 10.10.10.10

Is that okay?
Gibo

ASKER
please take note, there are ADs

one .local & the other .com
Hello There

Do not delete any DNS records. This is fine. However, I agree with kevinhsieh... The best practice is to use a CNAME record to point to the A record.
domain.com      A             10.10.10.10
domain.local     CNAME   domain.com
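Added example (editor's code, not from the thread): creating the alias pair in PowerShell with the one check a CNAME needs. Per RFC 1034 a CNAME must be the only record at its name, so a name that already holds A, MX or other data cannot become an alias, and the zone apex (which always holds SOA and NS) can never be one; in those cases the function falls back to the second A record kevinhsieh mentions. It assumes both zones are hosted on the same server, and the server name, zone names and 10.10.10.10 are placeholders (the address is the one used for illustration in the thread).

```powershell
# Added example, not from the thread: publish a second name for a host as a CNAME
# where that is allowed, and fall back to a second A record where it is not.
# Assumptions: DnsServer/DnsClient modules present; both zones hosted on $DnsServer;
# server name, zone names and 10.10.10.10 are placeholders.
$DnsServer = 'dc1.domain.local'

function Add-HostAlias {
    param(
        [Parameter(Mandatory)][string]$Name,        # label inside the alias zone, e.g. 'host'
        [Parameter(Mandatory)][string]$ZoneName,    # zone the alias lives in, e.g. 'domain.local'
        [Parameter(Mandatory)][string]$TargetFqdn,  # canonical name, e.g. 'host.domain.com'
        [string]$Server = $DnsServer
    )
    # RFC 1034: a CNAME must be the only record at its name (no A, MX, ... beside it),
    # and the zone apex '@' always carries SOA and NS, so it can never be a CNAME.
    $existing = if ($Name -ne '@') {
        Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -Name $Name -ErrorAction SilentlyContinue
    }
    if ($Name -eq '@' -or $existing) {
        # Resolve the canonical name and pin its address as a second A record instead
        $ip = (Resolve-DnsName -Name $TargetFqdn -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        if (-not $ip) { throw "Could not resolve $TargetFqdn via $Server" }
        $dup = $existing | Where-Object {
            $_.RecordType -eq 'A' -and $_.RecordData.IPv4Address.IPAddressToString -eq $ip
        }
        if ($dup) { return "A record $Name.$ZoneName -> $ip already exists; nothing to do" }
        Add-DnsServerResourceRecordA -ComputerName $Server -ZoneName $ZoneName -Name $Name -IPv4Address $ip
        return "Added A record $Name.$ZoneName -> $ip (CNAME not permitted at this name)"
    }
    Add-DnsServerResourceRecordCName -ComputerName $Server -ZoneName $ZoneName -Name $Name -HostNameAlias $TargetFqdn
    return "Added CNAME $Name.$ZoneName -> $TargetFqdn"
}

# Canonical record in the public-style zone, alias in the AD zone
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName 'domain.com' -Name 'host' -IPv4Address '10.10.10.10'
Add-HostAlias -Name 'host' -ZoneName 'domain.local' -TargetFqdn 'host.domain.com'
```

The fallback path is also what you want when the canonical host later needs an MX or other record at the alias name: the function refuses to stack a CNAME on an occupied name rather than letting Windows DNS reject it at a less convenient moment.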
ASKER CERTIFIED SOLUTION
kevinhsieh

DrDave242

host.com A 10.10.10.10
host.local A 10.10.10.10

Is that okay?

Probably. (I can't really give a definite answer without knowing a lot about your environment.) This is a sort of split DNS scenario that allows internal users to browse to the server at 10.10.10.10 using its public DNS name (the same name external users would use to browse to it). This is done so that an SSL/TLS certificate with that name installed on that server will be seen as valid by those internal users; their browsers won't give scary warnings about visiting a possible phishing site.
Gibo

ASKER
So why then did we have DNS issues like IP addresses from some servers or machines not resolving to their host names? Outdated DNS entry errors when using RDP?

Any ideas?
Gibo

ASKER
Are these DNS stale records creating those issues?

Sometimes UNC paths do not work either?
DrDave242

If you've got problems with stale DNS entries, you should look into enabling aging and scavenging on one of your DNS servers. Here's a great article on how it works:

https://web.archive.org/web/20150110071847/http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx?PageIndex=3

(Retrieved from archive.org after Microsoft's disastrous migration of their old blogs made most of the information contained within them essentially inaccessible.)
Gibo

ASKER
Is it safe to enable aging & scavenging in DNS? Any repercussions?
DrDave242

There can be risks associated with enabling it (you can end up with valid records disappearing, for example), so I encourage you to read the linked article carefully, as it goes into a fair amount of detail on how scavenging works.
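Added example (editor's code, not from the thread or the linked article) of the cautious order of operations DrDave242 is recommending: read the current per-zone aging and per-server scavenging settings, preview which dynamic records scavenging would remove today (a record is eligible once its Timestamp plus the NoRefresh and Refresh intervals lies in the past; static records have no timestamp and are never scavenged), ping the hosts behind eligible A records so a machine that is still alive gets noticed before its record vanishes, and only then enable aging. The Set- calls carry -WhatIf so nothing changes until you remove it. Server name and zone name are placeholders; the 7-day intervals are the Windows defaults, not a recommendation for any particular site.

```powershell
# Added example, not from the thread: inspect aging/scavenging, preview what would be
# deleted, flag still-reachable hosts, then enable aging (guarded by -WhatIf).
# Assumptions: DnsServer module present; $DnsServer and $ZoneName are placeholders.
$DnsServer = 'dc1.domain.local'
$ZoneName  = 'domain.local'

# Aging is configured per zone; the scavenging timer runs per server
$aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName
$scav  = Get-DnsServerScavenging -ComputerName $DnsServer
'Zone {0}: aging={1} NoRefresh={2} Refresh={3} ScavengeServers={4}' -f $ZoneName, $aging.AgingEnabled,
    $aging.NoRefreshInterval, $aging.RefreshInterval, ($aging.ScavengeServers -join ',')
'Server {0}: scavenging={1} interval={2} last run={3}' -f $DnsServer, $scav.ScavengingState,
    $scav.ScavengingInterval, $scav.LastScavengeTime

function Get-RecordDataText ($rr) {
    # Pull the human-readable payload out of the type-specific RecordData object
    switch ($rr.RecordType) {
        'A'     { $rr.RecordData.IPv4Address.IPAddressToString }
        'AAAA'  { $rr.RecordData.IPv6Address.IPAddressToString }
        'CNAME' { $rr.RecordData.HostNameAlias }
        'SRV'   { '{0}:{1}' -f $rr.RecordData.DomainName, $rr.RecordData.Port }
        default { ($rr.RecordData | Format-List | Out-String).Trim() }
    }
}

# A dynamic record is eligible once Timestamp + NoRefresh + Refresh lies in the past.
# Static records (empty Timestamp) are never touched by scavenging.
$cutoff   = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
$eligible = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName |
    Where-Object { $null -ne $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    ForEach-Object {
        $data = Get-RecordDataText $_
        # A host that still answers ping but whose record is eligible is exactly the
        # "valid record disappearing" case: fix its registration before scavenging runs
        $alive = if ($_.RecordType -eq 'A') {
            Test-Connection -ComputerName $data -Count 1 -Quiet -ErrorAction SilentlyContinue
        } else { $null }
        [pscustomobject]@{
            HostName   = $_.HostName
            RecordType = $_.RecordType
            Timestamp  = $_.Timestamp
            Data       = $data
            StillAlive = $alive
        }
    }
'{0} record(s) eligible for scavenging in {1} (cutoff {2:u})' -f @($eligible).Count, $ZoneName, $cutoff
$eligible | Sort-Object StillAlive -Descending | Format-Table -AutoSize

# Enable only after the preview looks right. Owners refresh their records no more often
# than NoRefresh allows, and nothing is deleted until the server's scavenging interval
# has elapsed, so the first meaningful pass happens days later, not immediately.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -WhatIf
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval 7.00:00:00 -WhatIf
```

The ping step is slow on a large zone and says nothing about hosts that drop ICMP; treat StillAlive = True as "investigate before enabling", not StillAlive = False as "safe to lose".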
Gibo

ASKER
Or probably try to clear first the DNS server cache?
DrDave242

Clearing the cache is simple enough, but the server only caches records that aren't in its own database; records that you see in the forward lookup zones on the server won't be affected by clearing the server cache. (Clients will likely have some of those records cached, but clearing the server cache also won't affect records that are cached on the client side.)
Gibo

ASKER
& is it correct or wrong to make your DNS forwarding to 8.8.8.8 or Google DNS?

Aren’t we supposed to forward DNS to our ISPs?
SOLUTION
Hello There

Gibo

ASKER
Probably use our ISP external DNS as forwarder instead of Google Public DNS in the DNS servers
Gibo

ASKER
Has anyone used the MS DNS Best Practice Analyzer in Windows Server Manager?
Hello There

You can safely run the tool. It scans the server and checks the configuration and as an output, you get the list of potential problems or configuration issues.

If you are interested in this topic... DNS Best Practices
https://activedirectorypro.com/dns-best-practices/#dns-analyzer
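Added example (editor's code, not from the thread or the linked article): the same DNS Server BPA model run from PowerShell instead of Server Manager, filtered down to the Warning and Error findings that actually need a change and saved for the change record. It assumes the BestPractices module is present (it ships with Server Manager on Windows Server 2012 and later) and that the DNS Server role is installed on the machine where it runs.

```powershell
# Added example, not from the thread: run the DNS Server Best Practices Analyzer
# model and keep only the Warning/Error findings with their suggested fixes.
# Assumptions: BestPractices module present; DNS Server role installed locally.
Import-Module BestPractices
$modelId = 'Microsoft/Windows/DNSServer'

# Invoke-BpaModel performs the scan and stores the results; Get-BpaResult reads them back
Invoke-BpaModel -ModelId $modelId | Out-Null
$findings = Get-BpaResult -ModelId $modelId |
    Where-Object { $_.Severity -in 'Warning', 'Error' -and -not $_.Excluded } |
    Select-Object Severity, Category, Title, Problem, Resolution

'{0} finding(s) need attention' -f @($findings).Count
$findings | Sort-Object Severity, Title | Format-List

# Keep a dated copy alongside the change record
$findings | Export-Csv -Path "$env:TEMP\DnsBpa-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```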
kevinhsieh

Can you please explain what problems you're having? As we said, it's fine to have 2 different host names pointing to the same IP address.

Now, you seem to be bringing up actual problems, what are they? Do you have multiple AD domains, or one?

Are you seeing issues where the information in the DNS zone is actually incorrect?

Could there be issues with accessing something that isn't in the same DNS namespace as the AD domain? For example, if you are in domain.local, and you're trying to access host2 in domain.com, that will only work if host2 doesn't exist in domain.local, and you have a search domain for domain.com. Otherwise, you need to access \\host.domain.com .

If you are accessing host2.domain.com via a Microsoft protocol such as SMB, and host2 is in domain.local, then even if DNS is okay you could have Service Principal Name issues.
Hello There

You already got answers to your questions. And much more.

If you want to troubleshoot an issue, it's better to ask a new question.
Gibo

ASKER
Yes 2 AD Domains, .local & .com

Actual DNS server is in .local but has 2 DNS Host A records in both domains under the same forward lookup zones

I find it strange?
Gibo

ASKER
Perhaps a DNS stub zone should have been used for 2 domains instead of creating multiple Host A DNS records with the same IP address?
DrDave242

Perhaps a DNS stub zone should have been used for 2 domains instead of creating multiple Host A DNS records with the same IP address?

Again, without extensive knowledge of your environment, I can only speculate, but a stub zone is probably not what you want. If you're trying to resolve DNS records across domains, then yes, a stub zone can work well for that, as can conditional forwarders. It doesn't sound like that's what you're trying to do, though.
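Added example (editor's code, not from the thread) of the cross-domain resolution DrDave242 and kevinhsieh describe: the domain.local DNS server gets a conditional forwarder for domain.com (the stub-zone alternative is shown commented out; create one or the other, not both), and resolution is then verified for the FQDN, for the other namespace, and for the bare host name, which only works through the querying client's DNS suffix search list and loses to a same-named host in domain.local. Server names, zone names and addresses are placeholders; the DnsServer and DnsClient modules are assumed to be installed.

```powershell
# Added example, not from the thread: let the domain.local DNS server resolve names
# in domain.com through a conditional forwarder (stub zone as the alternative), then
# verify FQDN and short-name resolution from that server.
# Assumptions: DnsServer/DnsClient modules present; names and addresses are placeholders.
$LocalDns = 'dc1.domain.local'   # authoritative for domain.local
$ComDns   = '10.10.20.10'        # a DNS server authoritative for domain.com

# Global forwarders catch everything this server is not authoritative for
Get-DnsServerForwarder -ComputerName $LocalDns | Select-Object IPAddress, UseRootHint, Timeout

# Conditional forwarder: queries for domain.com go straight to its own servers instead of
# the global forwarders; the zone object replicates to every DC in the forest.
if (-not (Get-DnsServerZone -ComputerName $LocalDns -Name 'domain.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -ComputerName $LocalDns -Name 'domain.com' `
        -MasterServers $ComDns -ReplicationScope 'Forest'
}
# Alternative: a stub zone keeps a live copy of domain.com's SOA/NS/glue and chases the
# authoritative servers itself. Pick one; do not create both for the same name.
# Add-DnsServerStubZone -ComputerName $LocalDns -Name 'domain.com' -MasterServers $ComDns -ReplicationScope 'Forest'

# Verify. The FQDN must answer via the forwarder. The bare name resolves only through the
# querying client's DNS suffix search list, and a same-named host in domain.local wins.
foreach ($name in 'host.domain.com', 'host.domain.local', 'host') {
    $answer = Resolve-DnsName -Name $name -Type A -Server $LocalDns -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A'
    if ($answer) { '{0,-20} -> {1}' -f $name, ($answer.IPAddress -join ', ') }
    else         { '{0,-20} -> no A record via {1}' -f $name, $LocalDns }
}

# What the server now hosts for cross-domain resolution
Get-DnsServerZone -ComputerName $LocalDns |
    Where-Object { $_.ZoneType -in 'Forwarder', 'Stub' } |
    Select-Object ZoneName, ZoneType, MasterServers
```

If host.domain.com resolves from the server but a workstation still fails on the short name, the problem is the client's suffix list (or an SMB/SPN mismatch, as kevinhsieh notes), not the zone data.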
Albert Widjaja

Use the below script to list all of the other static DNS records in your DNS zone.

Note: In Windows DNS, a record is defined as static if it doesn't have a timestamp; thus, the answer you are looking for is "get all those records with timestamp set to 0".

Clear-Host
$PathToReport = "C:\Temp"
$To = Read-Host "Please enter the email address you wish to send this report to"
$From = Read-Host "Please enter the sending email address for this report"
$SMTPServer = Read-Host "Please enter your SMTP server name"
$ZoneName = Read-Host "Please enter the zone name for which you wish to retrieve static DNS records. This may be your DNS suffix, for instance"
$DomainController = Read-Host "Enter name of one of your domain controllers that stores DNS records"

# Get current date for input into report
$CurrentDate = Get-Date -Format "MMMM, yyyy"
#region Functions

# Tags each <tr> emitted by ConvertTo-Html with alternating CSS classes
Function Set-AlternatingRows {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]
        [object[]]$HTMLDocument,

        [Parameter(Mandatory=$True)]
        [string]$CSSEvenClass,

        [Parameter(Mandatory=$True)]
        [string]$CSSOddClass
    )
    Begin {
        $ClassName = $CSSEvenClass
    }
    Process {
        [string]$Line = $HTMLDocument
        # Emit a proper class attribute (a bare "<tr even">" is not valid HTML and the CSS never matches)
        $Line = $Line.Replace("<tr>","<tr class=""$ClassName"">")
        If ($ClassName -eq $CSSEvenClass) {
            $ClassName = $CSSOddClass
        }
        Else {
            $ClassName = $CSSEvenClass
        }
        $Line = $Line.Replace("<table>","<table width=""20%"">")
        Return $Line
    }
}
#endregion

$Header = @"
<style>
TABLE {border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TH {border-width: 1px;padding: 3px;border-style: solid;border-color: black;background-color: #D8E4FA;}
TD {border-width: 1px;padding: 3px;border-style: solid;border-color: black;}
.odd  { background-color:#ffffff; }
.even { background-color:#dddddd; }
</style>
<title>Static DNS A Records across all Nodes of $ZoneName Domain for $CurrentDate</title>
"@

$Title = "Static DNS A Records across all Nodes of $ZoneName Domain for $CurrentDate"
# Static records carry no aging timestamp; dynamic registrations do
$Records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DomainController -RRType A |
    Where-Object { $null -eq $_.Timestamp } |
    Select-Object -Property HostName, RecordType,
        @{ Name = 'IPv4Address'; Expression = { $_.RecordData.IPv4Address.IPAddressToString } }
# Take the bare count; interpolating the Measure-Object object would print "@{Count=N}" in the heading
$NumberOfRecords = @($Records).Count
$Report = $Records |
    ConvertTo-Html -Head $Header -PreContent "<h2>$Title</h2><h3>$NumberOfRecords Records listed</h3>" |
    Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd
If (-not (Test-Path $PathToReport)) { New-Item -ItemType Directory -Path $PathToReport | Out-Null }
$Report | Out-File (Join-Path $PathToReport "Output_AD_GetListStaticARecords.html")
Send-MailMessage -To $To -From $From -Subject $Title -Body ($Report | Out-String) -BodyAsHtml -SmtpServer $SMTPServer

Write-Host "Script completed!" -ForegroundColor Green

Hello There

There are multiple answers that provide useful info. Also, there are three answers marked by others as "This is a solution". Points should be split between all these answers, not just two of them.