Gibo

asked on

Windows domain DNS issues!

Multiple Host A records on the same IP address in domain DNS servers? Is that valid?
Hello There

No. You shouldn't see this.

Open DHCP console -> right-click the IPv4 -> DNS tab -> make sure that "Always dynamically update DNS records" and "Discard A and PTR records..." options are checked.
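The same two settings from the IPv4 Properties DNS tab, read and enforced with the DhcpServer module, as an added example that is not code from this thread: doing it this way lets you verify every DHCP server (and every scope, which can override the server default) instead of clicking through the console one at a time. The server name dhcp1.domain.local is an assumption.

```powershell
# Added example, not from the thread. Requires the DhcpServer module (RSAT DHCP tools)
# and rights on the DHCP server. Server name is an assumption.
Import-Module DhcpServer
$dhcp = 'dhcp1.domain.local'

# Server-level values. "Always dynamically update DNS records" is DynamicUpdates = Always;
# "Discard A and PTR records when lease is deleted" is DeleteDnsRROnLeaseExpiry = True.
Get-DhcpServerv4DnsSetting -ComputerName $dhcp |
    Select-Object DynamicUpdates, DeleteDnsRROnLeaseExpiry

# Enforce both at server level (add -ScopeId to change one scope's own setting instead)
Set-DhcpServerv4DnsSetting -ComputerName $dhcp -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true

# Scopes carry their own DNS settings, so list any scope whose reported values differ
# from what was just set; those are the ones that will keep leaving A/PTR records behind.
Get-DhcpServerv4Scope -ComputerName $dhcp | ForEach-Object {
    $s = Get-DhcpServerv4DnsSetting -ComputerName $dhcp -ScopeId $_.ScopeId
    if ($s.DynamicUpdates -ne 'Always' -or -not $s.DeleteDnsRROnLeaseExpiry) {
        [pscustomobject]@{
            ScopeId        = $_.ScopeId
            DynamicUpdates = $s.DynamicUpdates
            DeleteOnExpiry = $s.DeleteDnsRROnLeaseExpiry
        }
    }
}
```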
ASKER (Gibo)

May I know why?

BTW this is actually a DNS server with TWO(2) different Host A records pointing to TWO(2) different domain names or FQDN but with the same static IP address

Something is not right?
ASKER (Gibo)

under the forward lookup zones
ASKER (Gibo)

Those DHCP Options were already configured that way before

Should we delete the duplicate Host A DNS record? & which one?
Are both records in the same forward lookup zone? Also, are they static or dynamic records? If they're dynamic, do they have wildly different timestamps?
ASKER (Gibo)

Well under forward lookup zones they have 2 Host A entries with the same IP address on different domains, .local & .com
Basically, the IP address should be unique in the network so if you see multiple entries in DNS, something might be wrong.

this is actually a DNS server with TWO(2) different Host A records pointing to TWO(2) different domain names or FQDN but with the same static IP address
You should have mentioned this in the original post. In this case, I understand why two hostnames are assigned to one IP address. That's ok.
Do you mean that you have something like this in your forward zone?

host1  a 10.10.10.10
host2  a 10.10.10.10

Yes, that is fine. It could be a little weird in the reverse zone, but you can do it no problem in the forward zone.

It might be better to have

host1 a 10.10.10.10
host2 cname host1.ad.yourdomain.com.

but that wouldn't be valid for servers with MX records, so use two A records instead.
That may be perfectly fine. The .com entry could be there to allow your internal users to access an internal server by its public DNS name for certificate purposes.
ASKER (Gibo)

host.com A 10.10.10.10
host.local A 10.10.10.10

Is that okay?
ASKER (Gibo)

please take note, there are ADs

one .local & the other .com
Do not delete any DNS records. This is fine. However, I agree with kevinhsieh... The best practice is to use a CNAME record to point to the A record.
domain.com      A             10.10.10.10
domain.local     CNAME   domain.com
ASKER CERTIFIED SOLUTION
kevinhsieh

host.com A 10.10.10.10
host.local A 10.10.10.10

Is that okay?

Probably. (I can't really give a definite answer without knowing a lot about your environment.) This is a sort of split DNS scenario that allows internal users to browse to the server at 10.10.10.10 using its public DNS name (the same name external users would use to browse to it). This is done so that an SSL/TLS certificate with that name installed on that server will be seen as valid by those internal users; their browsers won't give scary warnings about visiting a possible phishing site.
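A way to audit the situation this thread is about across every forward zone on a server, as an added example that is not code from the thread or from Microsoft: group A records by address and report each address that is carried by more than one name. Pairs that span two zones (the split-DNS pattern kevinhsieh describes) are expected; a pair that mixes a static record with a timestamped dynamic one is the pattern that more often turns out to be a stale entry. The sample records, the zone and host names, and the server name dc1.domain.local are constructed assumptions; Get-AllForwardARecords needs the DnsServer RSAT module against a real server.

```powershell
# Added example, not from the thread. Sample data below is constructed.

function Get-AllForwardARecords {
    # Live collection across every non-reverse, non-auto-created zone on $Server.
    # Requires the DnsServer module and rights on the DNS server (server name assumed).
    param([string]$Server = 'dc1.domain.local')
    Get-DnsServerZone -ComputerName $Server |
        Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_.ZoneName
            Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $zone -RRType A |
                ForEach-Object {
                    [pscustomobject]@{
                        ZoneName    = $zone
                        HostName    = $_.HostName
                        IPv4Address = $_.RecordData.IPv4Address.ToString()
                        Timestamp   = $_.Timestamp   # $null for static records
                    }
                }
        }
}

function Find-SharedIPv4Records {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records |
        Group-Object IPv4Address |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $names   = $_.Group | ForEach-Object { "$($_.HostName).$($_.ZoneName)" }
            $static  = @($_.Group | Where-Object { $null -eq $_.Timestamp })
            $dynamic = @($_.Group | Where-Object { $null -ne $_.Timestamp })
            [pscustomobject]@{
                IPv4Address        = $_.Name
                Names              = ($names -join ', ')
                # Same box registered in two AD namespaces: the split-DNS case, normally fine
                SpansZones         = (($_.Group.ZoneName | Sort-Object -Unique).Count -gt 1)
                # One static and one aging record on the same address: check the dynamic one
                MixedStaticDynamic = ($static.Count -gt 0 -and $dynamic.Count -gt 0)
            }
        }
}

# Constructed sample: the thread's case (one host in .local and .com) plus a reused
# address where a 90-day-old dynamic record still sits next to a static one.
$sample = @(
    [pscustomobject]@{ ZoneName='domain.local'; HostName='host';      IPv4Address='10.10.10.10'; Timestamp=$null }
    [pscustomobject]@{ ZoneName='domain.com';   HostName='host';      IPv4Address='10.10.10.10'; Timestamp=$null }
    [pscustomobject]@{ ZoneName='domain.local'; HostName='oldlaptop'; IPv4Address='10.10.10.55'; Timestamp=(Get-Date).AddDays(-90) }
    [pscustomobject]@{ ZoneName='domain.local'; HostName='printer';   IPv4Address='10.10.10.55'; Timestamp=$null }
    [pscustomobject]@{ ZoneName='domain.local'; HostName='dc1';       IPv4Address='10.10.10.1';  Timestamp=$null }
)

Find-SharedIPv4Records -Records $sample | Format-Table -AutoSize
# Against the real server instead:
# Find-SharedIPv4Records -Records (Get-AllForwardARecords) | Format-Table -AutoSize
```

In the sample, 10.10.10.10 comes back with SpansZones true and MixedStaticDynamic false, which is the harmless case discussed above; 10.10.10.55 comes back with MixedStaticDynamic true, and that is the entry worth looking at before anything is deleted.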
ASKER (Gibo)

So why then did we have DNS issues, like the IP addresses of some servers or machines not resolving to their host names? Outdated DNS entry errors when using RDP?

Any ideas?
ASKER (Gibo)

Are these DNS stale records creating those issues?

Sometimes UNC paths do not work either?
If you've got problems with stale DNS entries, you should look into enabling aging and scavenging on one of your DNS servers. Here's a great article on how it works:

https://web.archive.org/web/20150110071847/http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx?PageIndex=3

(Retrieved from archive.org after Microsoft's disastrous migration of their old blogs made most of the information contained within them essentially inaccessible.)
ASKER (Gibo)

Is it safe to enable aging & scavenging in DNS? Any repercussions?
There can be risks associated with enabling it (you can end up with valid records disappearing, for example), so I encourage you to read the linked article carefully, as it goes into a fair amount of detail on how scavenging works.
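A preview of what the scavenger would delete, run before aging and scavenging are switched on, as an added example that is not code from the thread or the linked article. Windows scavenges a dynamic record only once its timestamp is older than the zone's NoRefreshInterval plus RefreshInterval, and records with no timestamp (static) are never scavenged; running the preview against the real zone shows exactly the "valid records disappearing" case the article warns about, a host that is still in use but has stopped refreshing its own record, so it can be converted to static first. The record set, interval values, zone name and server name are constructed assumptions.

```powershell
# Added example, not from the thread. Sample data below is constructed.

function Get-ScavengingCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Records,            # HostName, ZoneName, IPv4Address, Timestamp
        [timespan]$NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan]$RefreshInterval   = (New-TimeSpan -Days 7),
        [datetime]$Now = (Get-Date)
    )
    # Anything stamped before this instant is deleted on the next scavenging pass
    $cutoff = $Now - ($NoRefreshInterval + $RefreshInterval)
    foreach ($r in $Records) {
        if ($null -eq $r.Timestamp) { continue }    # static record: scavenging never touches it
        if ($r.Timestamp -lt $cutoff) {
            [pscustomobject]@{
                Name        = "$($r.HostName).$($r.ZoneName)"
                IPv4Address = $r.IPv4Address
                Timestamp   = $r.Timestamp
                AgeDays     = [int]($Now - $r.Timestamp).TotalDays
            }
        }
    }
}

# Constructed sample (zone name assumed): a laptop that left 90 days ago, a file
# server that is still in use but stopped refreshing 20 days ago, a workstation
# refreshed yesterday, and a static DC record that can never be scavenged.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ ZoneName='domain.local'; HostName='oldlaptop'; IPv4Address='10.10.10.55'; Timestamp=$now.AddDays(-90) }
    [pscustomobject]@{ ZoneName='domain.local'; HostName='fs01';      IPv4Address='10.10.10.20'; Timestamp=$now.AddDays(-20) }
    [pscustomobject]@{ ZoneName='domain.local'; HostName='ws117';     IPv4Address='10.10.10.80'; Timestamp=$now.AddDays(-1) }
    [pscustomobject]@{ ZoneName='domain.local'; HostName='dc1';       IPv4Address='10.10.10.1';  Timestamp=$null }
)

# With the 7 + 7 day defaults: oldlaptop and fs01 are listed, ws117 and dc1 are not.
# fs01 is the record to deal with first (make it static or fix its registration).
Get-ScavengingCandidates -Records $sample -Now $now | Format-Table -AutoSize

# Against a real zone (names assumed), using the zone's own aging settings:
# $aging = Get-DnsServerZoneAging -Name 'domain.local' -ComputerName 'dc1.domain.local'
# $live  = Get-DnsServerResourceRecord -ZoneName 'domain.local' -ComputerName 'dc1.domain.local' -RRType A |
#          ForEach-Object { [pscustomobject]@{ ZoneName='domain.local'; HostName=$_.HostName;
#                           IPv4Address=$_.RecordData.IPv4Address.ToString(); Timestamp=$_.Timestamp } }
# Get-ScavengingCandidates -Records $live -NoRefreshInterval $aging.NoRefreshInterval -RefreshInterval $aging.RefreshInterval
#
# Only when that list is clean: enable aging on the zone, restricted to ONE scavenging
# server (as the linked article advises), then turn scavenging on for that server.
# Set-DnsServerZoneAging -Name 'domain.local' -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ScavengeServers 10.10.10.1 -ComputerName 'dc1.domain.local'
# Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ComputerName 'dc1.domain.local'
```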
ASKER (Gibo)

Or perhaps try clearing the DNS server cache first?
Clearing the cache is simple enough, but the server only caches records that aren't in its own database; records that you see in the forward lookup zones on the server won't be affected by clearing the server cache. (Clients will likely have some of those records cached, but clearing the server cache also won't affect records that are cached on the client side.)
ASKER (Gibo)

And is it correct or wrong to forward DNS to 8.8.8.8 (Google Public DNS)?

Aren’t we supposed to forward DNS to our ISPs?
SOLUTION (members-only content, not shown)
ASKER (Gibo)

Probably use our ISP external DNS as forwarder instead of Google Public DNS in the DNS servers
ASKER (Gibo)

Has anyone used the MS DNS Best Practice Analyzer in Windows Server Manager?
You can safely run the tool. It scans the server and checks the configuration, and as output you get a list of potential problems or configuration issues.

If you are interested in this topic... DNS Best Practices
https://activedirectorypro.com/dns-best-practices/#dns-analyzer
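The same scan run from PowerShell rather than from Server Manager, as an added example that is not code from the thread or the linked article: it finds the DNS Server BPA model with Get-BpaModel instead of hard-coding an ID, runs it, and keeps only findings that are not informational and not excluded. The '*DNS*' match on the model Id is an assumption about the installed model's name.

```powershell
# Added example, not from the thread. Run on the DNS server itself (the BestPractices
# module scans the local host); the '*DNS*' model match is an assumption.
Import-Module BestPractices

$model = Get-BpaModel | Where-Object Id -like '*DNS*'
if (-not $model) { throw 'No DNS Server BPA model found; is the DNS Server role installed here?' }

Invoke-BpaModel -ModelId $model.Id | Out-Null    # runs the scan, same as Server Manager

Get-BpaResult -ModelId $model.Id |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
    Sort-Object Severity, Category |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List
```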
Can you please explain what problems you're having? As we said, it's fine to have 2 different host names pointing to the same IP address.

Now, you seem to be bringing up actual problems, what are they? Do you have multiple AD domains, or one?

Are you seeing issues where the information in the DNS zone is actually incorrect?

Could there be issues with accessing something that isn't in the same DNS namespace as the AD domain? For example, if you are in domain.local, and you're trying to access host2 in domain.com, that will only work if host2 doesn't exist in domain.local, and you have a search domain for domain.com. Otherwise, you need to access \\host.domain.com .

If you are accessing host2.domain.com via a Microsoft protocol such as SMB, and host2 is in domain.local, then even if DNS is okay you could have Service Principal Name issues.
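How a short name is expanded with the client's DNS suffix search list, and why a name that exists in the first suffix's zone shadows the same name in a later one, as an added example that is not code from the thread. The lookup is pluggable so the walk-through runs offline against a constructed table; on a real client the default lookup uses Resolve-DnsName, and the commented lines at the end show the DnsClient and setspn checks. Zone names, host names and addresses are constructed assumptions.

```powershell
# Added example, not from the thread. The zone table below is constructed.

function Resolve-ShortName {
    param(
        [Parameter(Mandatory)][string]$ShortName,
        [Parameter(Mandatory)][string[]]$SuffixSearchList,
        # Returns an address for an FQDN, or $null when it does not exist (real DNS by default)
        [scriptblock]$Lookup = {
            param($fqdn)
            (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        }
    )
    foreach ($suffix in $SuffixSearchList) {
        $fqdn = "$ShortName.$suffix"
        $ip = & $Lookup $fqdn
        if ($ip) {
            # First suffix that answers wins; later suffixes are never queried
            return [pscustomobject]@{ Query = $ShortName; Resolved = $fqdn; IPv4Address = $ip }
        }
    }
    [pscustomobject]@{ Query = $ShortName; Resolved = $null; IPv4Address = $null }
}

# Constructed contents of the two AD zones (names assumed)
$table = @{
    'host2.domain.local' = '10.10.10.20'
    'host2.domain.com'   = '10.10.10.30'
    'web.domain.com'     = '10.10.10.40'
}
$offlineLookup = { param($fqdn) $table[$fqdn] }.GetNewClosure()

# host2 exists in both zones: a .local client with both suffixes always gets the .local host
Resolve-ShortName -ShortName 'host2' -SuffixSearchList 'domain.local', 'domain.com' -Lookup $offlineLookup
# web exists only in .com: reachable by short name because domain.com is in the list
Resolve-ShortName -ShortName 'web' -SuffixSearchList 'domain.local', 'domain.com' -Lookup $offlineLookup
# without the domain.com suffix the short name fails; \\web.domain.com still works
Resolve-ShortName -ShortName 'web' -SuffixSearchList 'domain.local' -Lookup $offlineLookup

# On a real client (names assumed): inspect or set the search list, resolve with it,
# then confirm an SPN exists for the exact FQDN you will use, since Kerberos SMB can
# still fail on an SPN mismatch when DNS itself is fine.
# (Get-DnsClientGlobalSetting).SuffixSearchList
# Set-DnsClientGlobalSetting -SuffixSearchList 'domain.local', 'domain.com'
# Resolve-ShortName -ShortName 'host2' -SuffixSearchList (Get-DnsClientGlobalSetting).SuffixSearchList
# setspn -Q cifs/host2.domain.com
```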
You already got answers to your questions. And much more.

If you want to troubleshoot an issue, it's better to ask a new question.
ASKER (Gibo)

Yes 2 AD Domains, .local & .com

Actual DNS server is in .local but has 2 DNS Host A records in both domains under the same forward lookup zones

I find it strange?
ASKER (Gibo)

Perhaps a DNS stub zone should have been used for 2 domains instead of creating multiple Host A DNS records with the same IP address?
Perhaps a DNS stub zone should have been used for 2 domains instead of creating multiple Host A DNS records with the same IP address?

Again, without extensive knowledge of your environment, I can only speculate, but a stub zone is probably not what you want. If you're trying to resolve DNS records across domains, then yes, a stub zone can work well for that, as can conditional forwarders. It doesn't sound like that's what you're trying to do, though.
Use the below script to list all of the other static DNS records in your DNS zone.

Note: In Windows DNS, a record is defined as static if it doesn't have a timestamp; thus, the answer you are looking for is "get all those records with timestamp set to 0".

Clear-Host
$PathToReport = "C:\Temp"
$To = Read-Host "Please enter the email address you wish to send this report to:"
$From = Read-Host "Please enter the sending email address for this report:"
$SMTPServer = Read-Host "Please enter your SMTP server name:"
$ZoneName = Read-Host "Please enter the zone name for which you wish to retrieve static DNS records.  This may be your DNS suffix, for instance:"
$DomainController = Read-Host "Enter name of one of your domain controllers that stores DNS records:"

# Get-DnsServerResourceRecord comes from the DnsServer module (RSAT DNS Server Tools)
Import-Module DnsServer

#Get Current date for input into report
$CurrentDate = Get-Date -Format "MMMM, yyyy"
#region Functions

# Adds an alternating CSS class to each <tr> emitted by ConvertTo-Html
Function Set-AlternatingRows {
    [CmdletBinding()]
         Param(
             [Parameter(Mandatory=$True,ValueFromPipeline=$True)]
             [object[]]$HTMLDocument,

             [Parameter(Mandatory=$True)]
             [string]$CSSEvenClass,

             [Parameter(Mandatory=$True)]
             [string]$CSSOddClass
         )
     Begin {
         $ClassName = $CSSEvenClass
     }
     Process {
         [string]$Line = $HTMLDocument
         # Write a real class attribute (<tr class="even">); the original produced <tr even">, which browsers ignore
         $Line = $Line.Replace("<tr>","<tr class=""$ClassName"">")
         If ($ClassName -eq $CSSEvenClass) {
             $ClassName = $CSSOddClass
         }
         Else {
             $ClassName = $CSSEvenClass
         }
         $Line = $Line.Replace("<table>","<table width=""20%"">")
         Return $Line
     }
}
#endregion

$Header = @"
<style>
TABLE {border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TH {border-width: 1px;padding: 3px;border-style: solid;border-color: black;background-color: #D8E4FA;}
TD {border-width: 1px;padding: 3px;border-style: solid;border-color: black;}
.odd  { background-color:#ffffff; }
.even { background-color:#dddddd; }
</style>
<title>Static DNS A Records across all Nodes of $ZoneName Domain for $CurrentDate</title>
"@

# Static records are the ones with no aging timestamp ($null in the cmdlet output); dynamic records carry a timestamp
$Report = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DomainController -RRType A | Where-Object Timestamp -eq $Null | Select-Object -Property HostName,RecordType -ExpandProperty RecordData
# Take the plain count; Measure-Object returns an object, which would render as "@{Count=12} Records listed" in the heading
$NumberOfRecords = ($Report | Measure-Object).Count
$Report = $Report | Select-Object HostName,RecordType,IPv4Address |
            ConvertTo-Html -Head $Header -PreContent "<p><h2>Static DNS A Records across all Nodes of $ZoneName Domain for $CurrentDate</h2></p><br><p><h3>$NumberOfRecords Records listed</h3></p>" |
            Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd
# Make sure the report folder exists before writing to it
New-Item -ItemType Directory -Path $PathToReport -Force | Out-Null
$Report | Out-File $PathToReport\Output_AD_GetListStaticARecords.html
Send-MailMessage -To $To -From $From -Subject "Static DNS A Records across all Nodes of $ZoneName Domain for $CurrentDate" -Body ($Report | Out-String) -BodyAsHtml -SmtpServer $SMTPServer

Write-Host "Script completed!" -ForegroundColor Green


There are multiple answers that provide useful info. Also, there are three answers marked by others as "This is a solution". Points should be split between all these answers, not just two of them.