The Domain Name System (DNS) is a hierarchical, globally distributed system that maps the name of a computer, service or other resource to an IP address on the Internet or a private network. Most prominently, it translates domain names into the numerical IP addresses that computer services and devices worldwide need in order to reach each other.


Good morning,
I need to configure an Exchange 2010 (SBS 2011 product) with two ISP providers to send and receive mail from. The send part is easy because I add a second A record on my AD DNS and it works. But I don't know how I can receive from the second ISP because I can't use port 587 for both ISPs. Should I create a FW rule on my router? External records are created with both MX records.

Thank you very much,
Martín Averame

We have a domain abc.local and a website that is not hosted by ourselves as abc.co.uk. We have an internal server running a web-based platform that is working fine, however we would like it to be accessible via a more user-friendly name (URL) as server.abc.co.uk. When we add the name server.abc.co.uk to our local DNS, the user-friendly name works fine, however we then cannot access our website abc.co.uk internally. How do we add the entry so that the web server and our external website are both accessible?

Incidentally we will be publishing the web server externally. Once this has been done do we even need the internal dns entry to give it a more user friendly url?

(I posted this at Reddit, but am still searching for an answer so I wanted to post here too. Hoping one of you might know what I'm facing and be able to help me get past the hurdle I'm encountering. Thanks. )

I've implemented AAD Connect in preparation for an O365 Hybrid migration project.

MSOL is sending me Identity Synchronization Error Reports every 30-minute cycle, complaining about an object with the Identity "EventConfig_xxx" (where xxx = an old server name).

The Error Description states "Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:EventConfig_xxx@{organization}.onmicrosoft.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values."

How could I possibly have a duplicate address in local AD that uses @___.onmicrosoft.com ? There is nothing in the local domain with that domain name.

ADUC doesn't find an object with that name. I managed to find it myself, in Exchange System Objects, under the Events Root folder. There were 3 entries there with the same name. In ADSIEdit I found the objects, one with the name EventConfig_xxx, one with EventConfig_xxx-1, and one as EventConfig_xxx-2. The objects are of Object Type 'Public Folder'.

The environment …
Over the last few weeks I've noticed our DNS filter blocking the same address many times, and the address is similar to our domain, which is a little concerning.  I'm seeing blocked attempts to access mwear.mcdir.ru.  From what I can tell that looks like a Russian hosting service.  DNS lookup shows the IP as run by Webazilla B.V., which from what I can find is in the Netherlands.  We do have a techy Russian employee who was my first thought, and after investigating he was using Yandex, which is a Russian browser of some sort.  I thought the issue was tied to Yandex, which was installed on three different computers.  I removed all instances and the DNS filter logs were clean for a couple of days.  Before I went on leave I set up local DNS logging, and when I returned I'm seeing a lot of blocked attempts to the same source.  I tried looking through logs on the Cisco firewall but I couldn't recreate the issue to help point me to the culprit.  The firewall was reporting our DNS filter IP instead of the questionable IP when I tried recreating the issue.  Moving on to the DNS logs, I will attach a sample of the logs, but I'm seeing this from multiple IP addresses on our network now.  One computer I re-imaged right before my leave, and another is a laptop whose user I'm pretty certain practices above-average password and security policies.  All of the computers on the network are running Kaspersky Endpoint.  Any help would be much appreciated!

Notes about computer IPs shown in the logs.
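The post above notes that the firewall logs show the DNS filter's address rather than the client that asked: the recursive query leaves from the internal DNS server, so the internal server's own debug log is where the original client IP survives. The following is an added example, not part of the original post, that parses Windows DNS Server debug-log packet lines and tallies which clients asked for a watched domain. The sample lines are constructed to match the debug-log layout; the client addresses and timestamps in them are placeholders, not the poster's real data.

```powershell
# Added example (not from the original post). Parses Windows DNS Server debug-log
# packet lines and tallies which internal clients asked for a watched domain.
# The log text below is CONSTRUCTED to mimic the debug-log layout; the client IPs
# and timestamps are placeholders, not real captured data.
$SampleLog = @'
2/18/2019 8:02:11 AM 0AF8 PACKET  000000C4B4A2F3E0 UDP Rcv 10.10.20.45     7a3c   Q [0001   D   NOERROR] A      (5)mwear(5)mcdir(2)ru(0)
2/18/2019 8:02:11 AM 0AF8 PACKET  000000C4B4A2F3E0 UDP Snd 10.10.20.45     7a3c R Q [8081   DR  NOERROR] A      (5)mwear(5)mcdir(2)ru(0)
2/18/2019 8:02:40 AM 0AF8 PACKET  000000C4B4A29110 UDP Rcv 10.10.20.45     7a3d   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/18/2019 8:05:03 AM 0B10 PACKET  000000C4B4A40B20 UDP Rcv 10.10.21.102    0c11   Q [0001   D   NOERROR] A      (5)mwear(5)mcdir(2)ru(0)
2/18/2019 8:31:55 AM 0B10 PACKET  000000C4B4A40B20 UDP Rcv 10.10.20.45     7a5e   Q [0001   D   NOERROR] A      (5)mwear(5)mcdir(2)ru(0)
'@

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    # date time AM/PM, thread id, PACKET, packet address, proto, Snd/Rcv, remote IP, XID,
    # optional 'R' (response), 'Q', [flags], query type, name in (len)label form.
    $pattern = '^(?<when>\S+ \S+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+' +
               '(?<client>\S+)\s+\S+\s+(?<resp>R?)\s*Q\s+\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }        # skip non-packet lines (headers, blank lines)
        [pscustomobject]@{
            # The server writes its own locale's date format; InvariantCulture matches the sample above.
            When       = [datetime]::Parse($m.Groups['when'].Value, [cultureinfo]::InvariantCulture)
            Client     = $m.Groups['client'].Value
            IsResponse = ($m.Groups['resp'].Value -eq 'R')
            QType      = $m.Groups['qtype'].Value
            # "(5)mwear(5)mcdir(2)ru(0)" -> "mwear.mcdir.ru"
            QName      = ($m.Groups['qname'].Value -replace '\(\d+\)', '.').Trim('.').ToLowerInvariant()
        }
    }
}

function Get-DnsClientsQuerying {
    param([string[]]$Lines, [string]$Suffix)
    $suffix = $Suffix.ToLowerInvariant()
    ConvertFrom-DnsDebugLog -Lines $Lines |
        Where-Object { -not $_.IsResponse -and ($_.QName -eq $suffix -or $_.QName.EndsWith(".$suffix")) } |
        Group-Object Client |
        ForEach-Object {
            $times = $_.Group.When | Sort-Object
            [pscustomobject]@{
                Client  = $_.Name
                Queries = $_.Count
                First   = $times[0]
                Last    = $times[-1]
                Names   = ($_.Group.QName | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Queries -Descending
}

# Offline run over the constructed sample; point -Lines at Get-Content of the real log file.
$lines = $SampleLog -split "`r?`n"
Get-DnsClientsQuerying -Lines $lines -Suffix 'mcdir.ru' | Format-Table -AutoSize
```

The debug log itself is produced by `Set-DnsServerDiagnostics` with `-Queries`, `-ReceivePackets`, `-UdpPackets`, `-EnableLoggingToFile` and `-LogFilePath`; feed its contents to `-Lines` via `Get-Content`. Responses (the `R` column) are filtered out so each client query counts once. To turn a client address into a machine, look the lease up on the DHCP server (`Get-DhcpServerv4Lease -IPAddress <ip>` from the DhcpServer module) at a time close to `First`, since wireless clients will have changed addresses since.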
Good evening, first time here so go easy on me!  We recently had one of two DCs go down (not holding FSMO roles).  Got another one up and all worked fine for a few days.  When I went in to remove metadata, things started falling apart.  To the point that now, I have multiple DNS/AD issues.  The domain is unavailable and forced replication via NTDS fails, though gpresult /r shows that it has replicated group policy, I can see DNS replicating and LDAP appears to be working.  However, in short, my network is down hard.  When I run dcdiag /test:dns I get:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MAETSDC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAETSDC01
      Starting test: Connectivity
         The host c18ae1d9-1b05-46ee-b2f8-2e13ee647ac3._msdcs.maets.net could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... MAETSDC01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAETSDC01
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... MAETSDC01 passed test DNS



Need to confirm that a text record change in our DNS for the purpose of domain ownership verification will not affect our current email flow.   This is for Exchange Online purposes.  When you add a domain you own to Exchange online, they generate a TXT record that you can add to your domain's DNS records that verifies you own it.  I assume this is safe to do without affecting the domain in any way, correct?
I'm hosting a new website on a Windows 2012 server using IIS. I purchased the URL from register.com, and through register.com I updated the "A" record with the outside IP address of my new site.  It's been over 48 hours, so enough time for it to cycle through.  I'm unable to use the URL name to get the site, but if I use the outside IP address then I can successfully browse to it.  Is this a DNS issue?  Thoughts?
How do I move from using a conditional forwarder to a forward lookup zone for a limited number of host records?

To expand, I host AD-integrated DNS for our domain (xyz.com), but we also need to look up addresses for our parent company (abc.com). I currently have a conditional forwarder for them pointing to their internal DNS servers, which works fine. They now need me to add an A record for a service that has both an internal and an external IP address. When my users resolve the address, they get the internal IP address of the server, but we want them to connect to the external IP address.

I was thinking of just deleting the conditional forwarder reference and adding a forward lookup zone for abc.com, and then adding the A record for that server with the external address, but I am concerned that it will stop all other resolution for other abc.com services (due to the loss of the conditional forwarders pointing to their internal DNS server). Do I resolve this problem by adding their internal DNS server to the Forward lookup zone>Properties>Name Servers tab?
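Windows DNS picks the most specific zone it holds for a name before it consults a conditional forwarder, so a zone named for the single host can override that one name while every other abc.com lookup keeps going to the parent's servers. The block below is an added example, not from the original post; the parent company's DNS addresses, the host name portal.abc.com and the public address are placeholders.

```powershell
# Added example (not from the original post). Keeps the existing conditional forwarder for
# abc.com and overrides one host by creating a zone whose name is that host's FQDN.
# The parent's DNS server addresses, the host name and the public IP are ASSUMED values.
$ParentDomain = 'abc.com'
$ParentDns    = @('10.200.0.10', '10.200.0.11')   # assumed internal DNS servers of the parent company
$OverrideHost = 'portal.abc.com'                  # assumed name of the dual-homed service
$ExternalIp   = '203.0.113.40'                    # assumed public address users should connect to

# 1. The conditional forwarder stays: anything under abc.com that we do not hold locally
#    is still sent to the parent's servers. Create it only if it is missing.
if (-not (Get-DnsServerZone -Name $ParentDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ParentDomain -MasterServers $ParentDns -ReplicationScope 'Forest'
}

# 2. A zone named exactly 'portal.abc.com' is more specific than the abc.com forwarder, so this
#    server answers that one name authoritatively. Dynamic update is off: nothing should register here.
if (-not (Get-DnsServerZone -Name $OverrideHost -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $OverrideHost -ReplicationScope 'Forest' -DynamicUpdate 'None'
}

# 3. The A record lives at the apex of that zone ('@', shown as "(same as parent folder)" in the GUI).
#    A short TTL keeps a mistake cheap to undo.
Add-DnsServerResourceRecordA -ZoneName $OverrideHost -Name '@' -IPv4Address $ExternalIp `
    -TimeToLive ([TimeSpan]::FromMinutes(5))

# 4. Verify from the server itself: the override returns the public address, while a sibling
#    name (assumed here to be intranet.abc.com) still resolves through the forwarder.
Resolve-DnsName -Name $OverrideHost -Type A -Server 'localhost' | Select-Object Name, IPAddress
Resolve-DnsName -Name "intranet.$ParentDomain" -Type A -Server 'localhost' -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Two caveats: the override zone has to exist on every DNS server the clients use (AD-integrated with a forest replication scope covers that), and any name beneath the zone, for example something.portal.abc.com, would also be answered locally, so this technique is for a single host name rather than a subtree. Deleting the conditional forwarder and replacing it with a full abc.com zone, as the post considers, would indeed stop resolution of every other abc.com name, because a primary zone is authoritative and does not forward what it lacks.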
Any recommendation on how to fix a manually created connection in AD Sites and Services?  All my connections are automatically generated.  One, however, was created manually for known reasons.  I don't want to remove it in case it breaks something.   How would you normally fix that?   I want all site connections to be healthy and auto-generated.
Thank you!!
As users come to work every morning, I'm noticing that on a few systems there are duplicate IP entries in DNS with the same time stamp as the systems connect to the network. They can access internal network resources but have no external connection to the internet (web browsing, etc.). They are connecting to a wireless AP and receive an IP, but for some reason they receive a duplicate IP. Deleting one of the duplicates in DNS resolves the issue. I have scavenging set to remove stale resources on the hour. What am I doing wrong?

If relevant, this issue primarily happens with Apple computers connecting to the network.
My server died today, which was also my DNS, AD, DC and DHCP.

I set my Fortinet to do DHCP so users can work since we are basically fully migrated to the cloud and no data on the servers.

Question is rather than buying a new server can’t Azure just be my new DC, AD and DNS while keeping DHCP on the Fortinet firewall?

How would I setup this up? I would need to create user profiles from scratch because we can’t migrate anything from the server since it’s toast. We are on office 365 if that info helps.
We have a website that uses a CNAME record to point www to another host name.  It has to be done using a CNAME record because of the platform that it's being sent to.  There is no access to add folders or pages on that remote platform.  What we can customize is extremely limited.  Some marketing was done that used www.domain.com/myoffer.  But because we don't have access to add the /myoffer folder on the remote side, it doesn't go anywhere.  We do have access to our name server.  Would it be possible to use an .htaccess file to accomplish the same thing the CNAME record is accomplishing, but somehow make www.domain.com/myoffer point to a local folder at our name server?  Or is there any other way to do this?
A lot of received emails are being spoofed from Gmail, and sent emails to Gmail are ending up in recipients' spam folders. Due to this I want to confirm the SPF records are correct.

I'm referencing these two articles.

The first one is from Google itself

The second from

I want to make sure my clients sending to Gmail are not bounced back or going to the Gmail recipients spam. I also want to decrease the amount of spoofed emails coming from Gmail.

I created the following SPF record:
v=spf1 mx a:mail.domain.com include:aspmx.googlemail.com -all
My understanding is this points to our IP address on record that the A MAIL record points to, our MX record. It also allows communication to googlemail.com, and the -all causes any other IPs to be blocked. Am I correct in this assumption?

I also have a smart host configured using Proofpoint (spam filter), so when I go to MXToolbox it doesn't show my server's IP address, rather it shows Proofpoint's. Should I include these IP addresses in the SPF record?
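A receiving server evaluates SPF against the IP that actually connected to it, so with a smart host in the path the relevant address is the smart host's, not the MX server's. The block below is an added example, not part of the original post: a minimal RFC 7208 evaluator run against a constructed record table, so nothing is looked up on the network. The addresses, the include target _spf.filter.example (standing in for whatever the smart-host provider publishes) and mx.partner.example are placeholders, not real DNS data. It generalizes slightly beyond the post by also counting DNS-querying mechanisms and by handling an include target that publishes no SPF record.

```powershell
# Added example (not from the original post): a small SPF (RFC 7208) evaluator run against a
# CONSTRUCTED record table. None of the names or addresses below are real DNS data.
$Records = @{
    'domain.com'          = @{ TXT = 'v=spf1 mx a:mail.domain.com include:_spf.filter.example -all'
                               MX  = @('mail.domain.com') }
    'mail.domain.com'     = @{ A   = @('198.51.100.10') }                 # assumed MX host address
    '_spf.filter.example' = @{ TXT = 'v=spf1 ip4:203.0.113.0/24 -all' }   # assumed smart-host outbound range
    'mx.partner.example'  = @{ A   = @('192.0.2.25') }                    # an MX host that publishes no SPF TXT
}

function Get-Record([string]$Name, [string]$Type) {
    $key = $Name.ToLowerInvariant()
    if ($Records.ContainsKey($key) -and $Records[$key].ContainsKey($Type)) { return @($Records[$key][$Type]) }
    return @()
}

function ConvertTo-IPv4Number([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }                            # a bare address means /32
    $allOnes = ([long]1 -shl 32) - 1
    $mask = if ([int]$bits -eq 0) { 0 } else { ($allOnes -shl (32 - [int]$bits)) -band $allOnes }
    return ((ConvertTo-IPv4Number $Ip) -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)
}

# Returns pass / fail / softfail / neutral / none / permerror for one sending IP.
function Test-Spf([string]$Domain, [string]$Ip, [int]$Depth = 0) {
    if ($Depth -gt 10) { return 'permerror' }                 # runaway include chain
    $txt = @(Get-Record $Domain 'TXT' | Where-Object { $_ -like 'v=spf1*' })
    if ($txt.Count -eq 0) { return 'none' }
    if ($txt.Count -gt 1) { return 'permerror' }              # more than one SPF record is an error
    $result  = @{ '+' = 'pass'; '-' = 'fail'; '~' = 'softfail'; '?' = 'neutral' }
    $lookups = 0                                              # a, mx and include each cost a DNS lookup; >10 is permerror
    foreach ($term in ($txt[0] -split '\s+' | Select-Object -Skip 1)) {
        if (-not $term -or $term -match '=') { continue }     # modifiers (redirect=, exp=) are not handled here
        $qual = '+'
        if ('+-~?'.Contains($term.Substring(0, 1))) { $qual = $term.Substring(0, 1); $term = $term.Substring(1) }
        $mech, $arg = $term -split ':', 2
        $target  = if ($arg) { $arg } else { $Domain }
        $matched = $false
        switch ($mech.ToLowerInvariant()) {
            'all'     { $matched = $true }
            'ip4'     { if (-not $arg) { return 'permerror' }; $matched = Test-IPv4InCidr $Ip $arg }
            'a'       { $lookups++; $matched = $Ip -in (Get-Record $target 'A') }
            'mx'      { $lookups++
                        foreach ($mx in Get-Record $target 'MX') { if ($Ip -in (Get-Record $mx 'A')) { $matched = $true } } }
            'include' { $lookups++
                        $inner = Test-Spf $arg $Ip ($Depth + 1)
                        if ($inner -eq 'pass') { $matched = $true }
                        elseif ($inner -in 'none', 'permerror') { return 'permerror' } }  # include of a name with no SPF
            default   { return 'permerror' }                  # ip6, ptr, exists are not implemented in this example
        }
        if ($lookups -gt 10) { return 'permerror' }
        if ($matched) { return $result[$qual] }
    }
    return 'neutral'                                          # nothing matched and no 'all' term
}

# MX host, an address inside the assumed smart-host range, and an unrelated host.
foreach ($ip in '198.51.100.10', '203.0.113.7', '192.0.2.25') {
    '{0,-15} {1}' -f $ip, (Test-Spf 'domain.com' $ip)
}
# Same unrelated host, but with include: pointing at an MX host name that publishes no SPF record.
$Records['domain.com'].TXT = 'v=spf1 mx a:mail.domain.com include:mx.partner.example -all'
'{0,-15} {1}' -f '192.0.2.25', (Test-Spf 'domain.com' '192.0.2.25')
```

The first run shows why the smart host's addresses matter: the MX host passes through `mx`, the smart-host address passes only because the record includes the range the filter provider publishes, and an unrelated address hits `-all`. The last run shows the caveat on `include:`: per RFC 7208 §5.2 an include whose target has no SPF record is a permanent error, and MX host names often publish none, so the include target should be the name under which the provider publishes its policy, not one of its MX hosts. For a real check, replace `Get-Record` with `Resolve-DnsName -Type TXT`, `-Type MX` and `-Type A`.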
Considering HA for the company's DNS infrastructure.  We have a hybrid on-prem and Azure cloud setup.  Thinking of having a primary DNS on an on-prem Domain Controller and a secondary in Azure as a failover.  Does anyone have a similar setup and can suggest something? Please do.
We recently acquired a new domain and it has been setup internally and working fine.  But can't get external mail to come in.  What am I doing wrong?

Here is the external DNS setup:
A record mail.newdomain.com points to existing mail server IP with 30 min. ttl
MX record of newdomain.com points to mail.existingdomain.com priority 10 with 30 min. ttl

Receive connector created to accept all mail with basic authentication from anonymous users just to test.
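The records listed above cover the DNS side of the path; inbound mail also depends on the MX host being reachable on TCP/25 from outside and on Exchange accepting the new domain. The following is an added example, not part of the original post, that walks those checks in order. The domain names, the public resolver 8.8.8.8 and the server names are placeholders.

```powershell
# Added example (not from the original post). Checks the inbound path for a newly added
# domain in the order mail arrives: public DNS, SMTP reachability, then Exchange itself.
# Domain names, the resolver and the server names are ASSUMED values.
$NewDomain = 'newdomain.com'
$MxHost    = 'mail.existingdomain.com'
$PublicDns = '8.8.8.8'    # any resolver outside the LAN; internal servers may hold different data

# 1. What the outside world sees: the MX for the new domain and the A record behind it.
$mx = Resolve-DnsName -Name $NewDomain -Type MX -Server $PublicDns -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' }
$mx | Select-Object Name, NameExchange, Preference
Resolve-DnsName -Name (@($mx)[0]).NameExchange -Type A -Server $PublicDns | Select-Object Name, IPAddress

# 2. Is TCP/25 on that host reachable? Run this from a machine outside the LAN, since an
#    internal test does not exercise the router's NAT/firewall rule.
Test-NetConnection -ComputerName $MxHost -Port 25 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. In the Exchange Management Shell: Exchange only receives mail for accepted domains, and a
#    mailbox needs an address in the new domain before mail for it can be delivered.
Get-AcceptedDomain | Where-Object { $_.DomainName -eq $NewDomain } | Select-Object Name, DomainType
Get-Mailbox -ResultSize 5 | Select-Object Name,
    @{ n = 'NewDomainAddress'; e = { ($_.EmailAddresses | Where-Object { $_ -like "*@$NewDomain" }) -join ',' } }

# If step 3 returns no accepted domain, add it (Authoritative = this org owns every address in it):
# New-AcceptedDomain -Name $NewDomain -DomainName $NewDomain -DomainType Authoritative
```

A receive connector that already accepts anonymous SMTP on port 25 is the normal state for an Internet-facing connector; the test connector described in the post is not needed once the domain is accepted, and leaving extra anonymous connectors around widens the relay surface, so remove it after testing.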
I got rate limited by Let's Encrypt and I had to change a domain from olddomain.ca to newdomain.com.

I now have everything working on newdomain.com and I'm trying to redirect traffic from newdomain.ca to newdomain.com, so on Cloudflare I created a page rule to redirect all traffic to olddomain.ca to newdomain.com, but when users go to olddomain.ca they get a certificate warning for a privacy error.

I have this redirect setup on the DNS, how is it even showing this error if i want to bypass it completely and just redirect to the new site?

I get this error in my browser:

Subject: newdomain.com

Issuer: Let's Encrypt Authority X3

EDIT -- so I guess the issue is the certificate handshake happens BEFORE the redirect, sh*t, how can I get rid of this message if I got rate limited by Let's Encrypt? Should I purchase a valid SSL certificate and apply it to this domain?

EDIT AGAIN -- can I just add the old domains to the new certificate?
I have 2 sites connected with a site-to-site VPN. HQ is using a SonicWall TZ400 and the branch has a SonicWall TZ 300. The HQ has 2x Windows 2019 DCs and the branch office had its own domain. This branch domain was taken down yesterday as it was only there after a company takeover. I joined and repurposed a Windows 2016 server as a domain controller at the branch site, joined to the HQ domain, and it went through the install wizards fine, then it rebooted and it just hung for about 2 hrs. Eventually I did a manual reboot but things were not right, so I demoted the server and ran the process again. Normally I would change the server name but didn't. This time it appeared to be flawless and the DNS and everything was all replicated.

When I moved a user though, I realized it was not being replicated at HQ, and various other things like password resets and user creations. So I went to the DNS on the branch office and it had 3 DCs / NS and everything appeared to be fine.
I looked at both DCs at HQ and none of them had the NEW DC listed as an NS, just an A record entry. When I went to Sites and Services, the Replicate Now failed (the naming context is in the process of being removed or is not replicated from the specified server).

I went back to the branch office server, which seemed to have 3 NS entries in DNS and initially looked fine, and I ran dcdiag /test:dns at the branch office and there were a lot of missing record failures:
         Summary of DNS test results:

What is the command line command for listing which servers run the different Active Directory FSMO roles:

•      PDC Emulator (One per domain)
•      RID Master (One per domain)
•      Schema Master (One per forest)
•      Domain Naming Master (One per forest)
•      Infrastructure Master (One per domain)
•      Domain DNS Zone Master role (one per domain)
•      Forest DNS Zone Master role (one per forest)

I have been told that there is a single command line command that will list which servers are assigned these roles and I would like to know what this command line command is.
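The single command usually meant here is `netdom query fsmo`, which lists the five FSMO roles. The two DNS zone "master" roles in the list above are not FSMO roles; they are the owner of each DNS application partition, stored in the fSMORoleOwner attribute of that partition's Infrastructure object. The block below is an added example, not from the original post, that reports all seven in one PowerShell call using the ActiveDirectory module; it assumes a domain-joined session with RSAT installed.

```powershell
# Added example (not from the original post). Lists the five FSMO role holders plus the
# owners of the DomainDnsZones and ForestDnsZones application partitions, which are kept
# in the fSMORoleOwner attribute of each partition's CN=Infrastructure object.
# Requires the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

    # fSMORoleOwner holds the DN of an NTDS Settings object; the DC name is the parent CN.
    # A DN containing "\0ADEL:" points at a deleted DC, i.e. a stale owner that needs fixing.
    function Convert-NtdsDnToDcName([string]$Dn) {
        if (-not $Dn) { return $null }
        ($Dn -split ',')[1] -replace '^CN='
    }

    $domainDnsOwner = (Get-ADObject -Identity "CN=Infrastructure,DC=DomainDnsZones,$($domain.DistinguishedName)" `
                           -Properties fSMORoleOwner -ErrorAction SilentlyContinue).fSMORoleOwner
    $forestDnsOwner = (Get-ADObject -Identity "CN=Infrastructure,DC=ForestDnsZones,$rootDn" `
                           -Properties fSMORoleOwner -ErrorAction SilentlyContinue).fSMORoleOwner

    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        DomainDnsZonesOwner  = Convert-NtdsDnToDcName $domainDnsOwner
        ForestDnsZonesOwner  = Convert-NtdsDnToDcName $forestDnsOwner
    }
}

Get-FsmoRoleHolders | Format-List
```

The two partition owners are worth checking whenever a DC has been removed: if the attribute still names a DC that no longer exists, later demotions of DNS-hosting DCs fail until the owner is repointed, which `netdom query fsmo` will not reveal.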
We have an Exchange 2013 deployment with IronPort appliances in the DMZ. We are having an issue that started two days ago: we are not receiving mails from one specific domain. I have retrieved the logs from IronPort as attached. I have changed the domain names. The messages are bouncing back, and the message that is being returned to the sender is failing delivery, as the mailer-daemon address is from a local domain and not the external domain.

We don't know why the mail is bouncing back. It's not for one user, it's for all users from the abc.com domain as listed in the attached log. This is a very important partner we need to send and receive mails from.

We have tried with attachment, without attachment and all combinations, but mails are not being delivered from abc.com to xyz.com (names changed).

I would appreciate it if I could get some direction on the way forward.

07 Feb 2019 11:55:46 (GMT +03:00) Protocol SMTP interface Data 1 (IP on incoming connection (ICID 179048) from sender IP Reverse DNS host esa11.abc.com verified yes.
07 Feb 2019 11:55:46 (GMT +03:00) (ICID 179048) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 3.5
07 Feb 2019 11:55:46 (GMT +03:00) Start message 206881 on incoming connection (ICID 179048).
07 Feb 2019 11:55:46 (GMT +03:00) Message 206881 enqueued on incoming connection (ICID 179048) from User1@abc.com.
07 Feb 2019 11:55:47 (GMT +03:00) Message 206881 on incoming connection (ICID 179048) added 


We have a SharePoint 2013 environment and we are planning to implement SSL (http to https) on the load balancer. Before we implement it in Prod we are planning to test with our QA environment. We don't have a load balancer in the QA environment, so what is the best way to test and validate?

Should we have another DNS or should we use same DNS with different DNS name?

Please advise.
I am in the process of deploying a new server, running Server 2016 Standard, to replace our SBS 2011.  Exchange is long gone, in favor of Office 365, so I'm down to applications, data and some AD infrastructure, most significantly DNS, DHCP and CA.  I have promoted the new machine to a DC and moved the FSMO roles to it, which means I now have 2 DCs (at least until my SBS melts down from the licensing issue).  Last weekend, I attempted to shut down the SBS as a name server, so DNS would only run on the new server.  I configured the zones to be identical on the new box to the old, reconfigured the new machine to point to itself as the name server and disabled DNS on the old one. My clients are configured to "Obtain DNS server address automatically."  After disabling the service on the old server, the clients were unable to find a DNS server, unless I configured them with the IP address of the new server.  I did not switch DHCP to the new server yet.  I have a few questions.  Must DHCP be running on the same server as DNS in order for clients to find the DNS server?  Is there any real relationship between the two? Based on the process I describe, does it appear I missed any obvious steps?  The grace period on my SBS license is rapidly disappearing.  Thanks in advance!
We recently moved from an in-house Exchange 2010 to Office 365 and I'm wondering if there is anything special I need to do with the Exchange server before shutting it completely down. All the mail flow is now being routed to Office 365, and I had a small autodiscover problem but I have corrected that issue. I have had the mail server shut down for about 3 weeks now and have not noticed any issues, but wasn't sure if I needed to do anything before wiping and repurposing that server.
Dear All,

Our company has AD and DNS on the same server, running Windows 2008 R2 (server1), and they were running fine until the dept. which manages Windows AD changed to Windows 2016 (server2).  The problem was quite strange: with ping and nslookup it could resolve the name to an IP, but when we used the web browser it took very long; sometimes we can connect, sometimes it times out. If we put the server and IP in ..\etc\hosts the problem disappears. Also, when we pointed to the old DNS server (server1) there was no problem, even if I don't put the web server in ..\etc\hosts.

Is there any known problem using the DNS server on Windows 2016?

BTW, we cannot change anything on the DNS servers since they are not managed by us. We only manage the application server, but there have been lots of connection problems after they changed to Windows 2016.

Notes: I only want to know the possible cause.

Thank you.

Iwan T
Running BIND9 on FreeBSD. rndc status says the server is running. However, after an rndc freeze, I edited a zone file and removed some no-longer-needed entries. I updated the serial number so it would update the secondary server. I received an "out of range" error when I tried to reload the zone... and even if I try to rndc thaw the zone, I get the same out-of-range error.  After research on the web, it was recommended to delete the .jnl file associated with the zone. Again, even after that step, the reload returned an out-of-range error. Very cautious with updating the DNS as it's the primary for our network...

Please help. Also...It does NOT seem that my DNS is updating the secondary server.

Thank you
On two separate projects in two separate companies I have become aware of an issue where AD information from a long time ago seems to revert back into AD.  In case A, a DC had been removed several months prior, and then, bam! it looked like there were references in AD to the "Flying Dutchman" AD server.  In case B, the event seems to revolve around a switch reboot.   In this case AD information from YEARS ago returned (we think the information coincides with the point when the systems were imaged and first brought into the domain, like 6 years ago).  I did note that one of the DCs was not responding to DNS queries via nslookup, and workstations on a specific subnet seemed to revert from a DHCP subnet IP to a 169 address.  Immediately after the event, rebooting the workstations still left the systems with the 169 addresses.  The switches involved are Cisco switches and the subnet has an IP helper on the interface.

I don't have specifics on what happened, I am just trying to understand what causes an event like this.





