DNS and Active Directory - one final issue to fix

Shark

Member
Jan 18, 2000
171
0
0
hi all - Long story short.

Migrated from NT to 2003 enterprise last week, and I have one more DNS issue to resolve before I am satisfied that everything is working 100%

From the MS support tools on the CD I run the util DNSLint.exe from the command line:

dnslint /ad /s 192.168.100.30 /v

and the last lines that are displayed on the screen are as follows :

......
attempting to find authoritative DNS servers and
to check them for records related to forest GUIDs...

Checking SOA record on:
terra.rfdhq.rfdinc.com (192.168.100.30)...
Checking if _msdcs subdomain has been delegated to 192.168.100.30...
SOA record does not exist on name server
No delegation...

Can anyone help me fix this, because as far as I can tell the SOA in DNS is correct.
Thanks
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Assuming your FQDN is rfdhq.rfdinc.com, and that you have a server running DNS and hosting the zone rfdinc.com, have you made a delegation record in the rfdinc.com zone to the server hosting the rfdhq.rfdinc.com zone?
 

Shark

Member
Jan 18, 2000
171
0
0
Originally posted by: Saltin
Assuming your FQDN is rfdhq.rfdinc.com, and that you have a server running DNS and hosting the zone rfdinc.com, have you made a delegation record in the rfdinc.com zone to the server hosting the rfdhq.rfdinc.com zone?

Assuming your FQDN is rfdhq.rfdinc.com - Yes

and that you have a server running DNS and hosting the zone rfdinc.com - Yes, terra, IP 192.168.100.30 (as well as a secondary)

have you made a delegation record in the rfdinc.com zone to the server hosting the rfdhq.rfdinc.com zone - An SOA to terra.rfdhq.rfdinc.com? yes.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: Shark_II
Checking SOA record on:
terra.rfdhq.rfdinc.com (192.168.100.30)...
Checking if _msdcs subdomain has been delegated to 192.168.100.30...
SOA record does not exist on name server
No delegation...
_msdcs is a subdomain of your primary domain name that is used by various Active Directory functions. In a fresh setup, it's automatically created and delegated appropriately by the Active Directory setup routines. So it looks like it was left out during the upgrade. I'm not sure exactly why it's looking for an SOA - subdomains should naturally fall under the primary domain. But I'm a Unix DNS guy, not MS. I guess I'd try creating an RR in the primary zone like

_msdcs IN NS terra.rfdhq.rfdinc.com.

...which handles the delegation. Then create a new forward zone for _msdcs.rfdhq.rfdinc.com, which would have the appropriate SOA, and allow secure AD updates. That might solve the problem.

If he doesn't chime in here, ask Stash - he's the guy to talk to for AD issues.

 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
I'm pretty sure this is not an error...it's actually telling you that your DNS is OK.

It checks to see if the _msdcs has been delegated to the server you specified. I think it does this by looking for an SOA record for that domain. It doesn't find one, meaning the _msdcs wasn't delegated to this server.

In any case, the most important part of dnslint is the htm report this generated. If you don't see any yellow or red, you are golden.
 

Shark

Member
Jan 18, 2000
171
0
0
Originally posted by: cleverhandle
_msdcs is a subdomain of your primary domain name that is used by various Active Directory functions. In a fresh setup, it's automatically created and delegated appropriately by the Active Directory setup routines. So it looks like it was left out during the upgrade. I'm not sure exactly why it's looking for an SOA - subdomains should naturally fall under the primary domain. But I'm a Unix DNS guy, not MS. I guess I'd try creating an RR in the primary zone like

_msdcs IN NS terra.rfdhq.rfdinc.com.

...which handles the delegation. Then create a new forward zone for _msdcs.rfdhq.rfdinc.com, which would have the appropriate SOA, and allow secure AD updates. That might solve the problem.

If he doesn't chime in here, ask Stash - he's the guy to talk to for AD issues.

_msdcs was created and is there... all the AD stuff is there.
 

Shark

Member
Jan 18, 2000
171
0
0
Originally posted by: STaSh
I'm pretty sure this is not an error...it's actually telling you that your DNS is OK.

It checks to see if the _msdcs has been delegated to the server you specified. I think it does this by looking for an SOA record for that domain. It doesn't find one, meaning the _msdcs wasn't delegated to this server.

In any case, the most important part of dnslint is the htm report this generated. If you don't see any yellow or red, you are golden.

I have to use the "/v" switch because otherwise when I run the command nothing happens, no report.

IF I run the other command dnslint /d rfdinc I get a report that says everything is aok. But not this way, hence my concern.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
How many DCs do you have?

Honestly, I don't play around with dnslint all that much, even though the guy who wrote it sits a little ways away from me. Usually, when I want to see how healthy a domain is, I look at 'dcdiag /v' and 'netdiag /v' first. They will tell you a lot, and if there is something failing that shows up there, it will usually point you to which test to run next, or what things to look at.
 

Shark

Member
Jan 18, 2000
171
0
0
Originally posted by: STaSh
How many DCs do you have?

Honestly, I don't play around with dnslint all that much, even though the guy who wrote it sits a little ways away from me. Usually, when I want to see how healthy a domain is, I look at 'dcdiag /v' and 'netdiag /v' first. They will tell you a lot, and if there is something failing that shows up there, it will usually point you to which test to run next, or what things to look at.
-------------------------
"even though the guy who wrote it sits a little ways away from me" - wow, small world.

Well, every time I run it this way I get an error in the event log, and when I reboot the machine I get a pop up asking to send a report to MS for every time it "crashed", so if this report fails 5 times, next reboot I get 5 pop-ups asking to send messages to MS - weird.

-------------------------
My two 2003 boxes are our two DCs, each of which is running WINS against the other. I plan to move the DNS functionality off of our 2000 servers to these two 2003 boxes next, and add the DNS into Active Directory ------ But first I want to make sure DNS is right, hence this mess.

I will run those two commands tomorrow at work and see what I get. Thanks for all the help so far, mucho appreciated.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
What's the WINS for? Do you have NT or 9x machines on the network?

If you're seeing errors in the logs, I would run a dcdiag /v...there may be something going on.
 

Shark

Member
Jan 18, 2000
171
0
0
Originally posted by: STaSh
What's the WINS for? Do you have NT or 9x machines on the network?

If you're seeing errors in the logs, I would run a dcdiag /v...there may be something going on.

WINS is for the NT boxes we have in house to do some dev on for some agencies that still have it.

I see errors from the DNSLint failing, almost like an execution or memory bug; can't recall the exact error right now.
 

Shark

Member
Jan 18, 2000
171
0
0
ok:

dcdiag /v - everything passed

netdiag /v - a couple of things showed up:

--------------------------------------------------
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
--------------------------------------------------

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.100.30'. Please wait for 30
minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.100.21'. Please wait for 30
minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.
--------------------------------------------------


As far as the last error is concerned, I already knew about this due to the errors I see in the event log. When these 2 DCs go to register themselves they throw an error because there is already a DNS entry for them on the DNS server, and there shouldn't be.

Not sure how to fix that.

UPDATE:

I just noticed that the RAS/VPN server I implemented yesterday on the secondary 2003 DC is also having troubles registering the VPN'D users into DNS..... hmmmmm.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
That's strange that you get those DNS errors in netdiag but nothing in dcdiag.

Are dynamic updates enabled on the DNS server? Do you have the dhcp client service enabled on all the machines?
 

Shark

Member
Jan 18, 2000
171
0
0
The error in the System event log is as follows (exact same error on the other DC for itself and the VPN clients, just different IP's):
The dynamic registration of the DNS record 'rfdhq.rfdinc.com. 600 IN A 192.168.100.31' failed on the following DNS server:

DNS server IP address: 192.168.100.30
Returned Response Code (RCODE): 7
Returned Status Code: 9007

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: DNS RR set that ought not exist, does exist.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The additional data section is what is throwing me off, and all machines have the DHCP service started with the Automatic setting.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Do this:

Stop the netlogon service. Then go to c:\windows\system32\config. Delete the netlogon.dns and netlogon.dnb files. Then restart the netlogon service and check the logs.
 

Shark

Member
Jan 18, 2000
171
0
0
no.
-------------------------------
2 DNS (secondary & Primary) run on Windows 2000 Server

2 DC's are the new 2003 boxes.
-------------------------------
Once DNS is working 100% I will be moving the DNS over to my 2 DC's however.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Do you have a CNAME (or any other type of record) for this hostname:

'rfdhq.rfdinc.com. 600 IN A 192.168.100.31'

that you manually entered?
 

Shark

Member
Jan 18, 2000
171
0
0
well - something new now.

I found some dns entries for the previous DC I got rid of yesterday afternoon, one of which was a CNAME for the domain, so I deleted all of them, and rebooted the primary DC.

Ran dnslint with the same command and this time I got a report with some info that I can use:

The following 1 DNS servers were checked for records related to AD forest replication:

DNS server: terra.rfdhq.rfdinc.com
IP Address: 192.168.100.30
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

This DNS server may be a root server as it answered authoritatively, but DNS records for the specified domain did not exist on the server.

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown
....
Notes:
One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers

So, I guess if I fix this now, I'll be good to go. man... what an ordeal.
Thanks, as usual, for the help.
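The event-log entry earlier in the thread (RCODE 7, "DNS RR set that ought not exist, does exist") and the stale CNAME found for the domain name are two sides of one mechanism: an RFC 2136 dynamic update is rejected with YXRRSET when a prerequisite says an RRset must be absent but it is present. The following is an added example, not code from the thread or from any Microsoft tool; it is a simplified in-memory model of that prerequisite processing, and the exact prerequisite Netlogon sends and the CNAME target `retired-dc.rfdhq.rfdinc.com.` are assumptions.

```python
# Added example (not from the thread): a minimal model of RFC 2136 dynamic-update
# prerequisite handling, showing why a leftover CNAME at the domain name makes a
# DC's A-record registration fail with RCODE 7 (YXRRSET).
from collections import defaultdict

# RFC 2136 response codes used here
NOERROR, YXRRSET, NXRRSET = 0, 7, 8


class Zone:
    """In-memory zone: owner name -> RR type -> set of rdata strings."""

    def __init__(self, name):
        self.name = name
        self.records = defaultdict(lambda: defaultdict(set))

    def add(self, owner, rrtype, rdata):
        self.records[owner][rrtype].add(rdata)

    def update(self, prerequisites, additions):
        """Check every prerequisite first (RFC 2136 section 3.2); only if all
        hold are the additions applied. Returns the RCODE for the update."""
        for kind, owner, rrtype in prerequisites:
            exists = bool(self.records.get(owner, {}).get(rrtype))
            if kind == "rrset-absent" and exists:
                return YXRRSET  # "RR set that ought not exist, does exist"
            if kind == "rrset-present" and not exists:
                return NXRRSET
        for owner, rrtype, rdata in additions:
            self.add(owner, rrtype, rdata)
        return NOERROR


def register_dc(zone, dc_ip):
    """Assumed model of the DC registering its domain-name A record: it asserts
    that no CNAME owns the name (a CNAME cannot coexist with other data), then
    adds the A record."""
    owner = zone.name
    return zone.update(prerequisites=[("rrset-absent", owner, "CNAME")],
                       additions=[(owner, "A", dc_ip)])


def scenario(stale_cname):
    """Constructed zone mirroring the thread; returns the update RCODE."""
    zone = Zone("rfdhq.rfdinc.com.")
    zone.add("terra.rfdhq.rfdinc.com.", "A", "192.168.100.30")
    if stale_cname:
        # Constructed leftover record pointing the domain name at the old DC
        zone.add("rfdhq.rfdinc.com.", "CNAME", "retired-dc.rfdhq.rfdinc.com.")
    return register_dc(zone, "192.168.100.31")
```

With the stale CNAME in place `scenario(True)` returns 7, matching the event-log RCODE; once the CNAME is deleted the same update succeeds with 0, which is what the thread saw after removing the old DC's records.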
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
How did you get rid of that old DC...did you run dcpromo to demote it first?

Also, if you look at your DNS, do you have a root (.) zone anywhere?
 