In tracking down a different problem, I've come across some odd behavior regarding the DNS records for our Domain Controllers.
A few weeks ago, we added new servers with Win 2003 R2 as domain controllers. We also run DNS, DHCP and WINS on these servers. Both servers only have one of their NICs enabled at this point. There were no problems encountered while migrating the domain or these services to the new servers.
DNS on these servers is AD Integrated. Currently, Aging/Scavenging is disabled, however I had been looking into enabling this - which is what made me find this odd behavior.
When checking the Forward lookup zone host record for the DCs, I always find that the box is checked to 'Delete this record when it becomes stale'. I uncheck this box; close DNS MMC; open DNS MMC and the box is checked again. I tried logging on to the DCs and unchecking the box for the enabled NIC so that it doesn't register in DNS, but this didn't change anything. The box to Delete-when-stale is always checked.
Similarly, the PTR records for these servers are removed constantly. I add the Reverse record manually, making sure to uncheck the box to 'Delete this record...' Several minutes later, the records are gone.
The first issue makes me wary of enabling Aging/Scavenging, as I think this would remove the records for the DCs with every cleanup and cause havoc in the domain. I've also had to go through and uncheck the Delete-when-stale box on every SRV record for every local zone.
The second issue is already causing problems. If I try NSLookup from my PC, I'm getting the "Can't find server name for address <IP>: Non-existent domain" message.
Can anyone shed some light on why these things are occurring and how to make the PTR records permanent in DNS? TIA
Rick
In news:1AC8440F-6207-498B-98CC-33DFA0ACD3A7[ at ]microsoft.com, Library Sysadmin <LibrarySysadmin[ at ]discussions.microsoft.com> typed:
When you added the new DCs and installed DNS on them, did you manually create the zones?
-- Regards, Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP Microsoft MVP - Directory Services Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations
Having difficulty reading or finding responses to your post? Instead of the website you're using, try using OEx (Outlook Express or any other newsreader), and configure a news account, pointing to news.microsoft.com. Anonymous access. It's free - no username or password required nor do you need a Newsgroup Usenet account with your ISP. It connects directly to the Microsoft Public Newsgroups. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject. It's easy:
How to Configure OEx for Internet News http://support.microsoft.com/?id=171164
"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
Ace,
No, I didn't enter the zones manually. I followed a Knowledge Base article that described a migration process, where the original Win2000 DNS primary is not AD Integrated and you want the new Win2003 DNS to be AD Integrated:
Add DNS on the new Win2003 server as a secondary;
Transfer the zone data to the new DNS server from the old master;
Deactivate DNS on the old Win2000 primary;
Change the new 2003 secondary to be the primary and AD Integrated.
After this was completed, I added the second Win2003 DNS server.
This process worked fine for me, with no errors or problems.
"Ace Fekay [MVP]" wrote:
In news:22D05F27-13C1-4E2D-847A-6D88F983F0BF[ at ]microsoft.com, Library Sysadmin <LibrarySysadmin[ at ]discussions.microsoft.com> typed:
Those steps are fine if the new server is not a DC. If it is a DC, just install DNS and sit back and wait. The zone will auto-appear. I believe what happened is that since you created the zone as a secondary on a DC, it may have caused a dupe error. The only way to find out and clean it up is to look in two places: ADUC (advanced view\system container) and in ADSI Edit. If you see anything with a CNF as a prefix, that indicates a conflict based on a dupe zone and needs to be deleted. Follow the steps below to either determine if this is the case, and if so, to fix it. Post back with your findings please.
================================== ==================================
Conflicting AD Integrated zones if they exist in both the Domain NC and one of the Application Partitions or if you get a weird error message stating: "The name limit for the local computer network adapter card was exceeded."
Under Windows 2000, the physical AD database is broken up into 3 logical partitions, the DomainNC (Domain Name Context, or some call the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Config partitions replicate to all DCs in a forest. However, the DomainNC is specific only to the domain the DC belongs to. That's where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain. When you create an AD Integrated zone in Win 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is for a little creative designing using either delegation, or secondary zones. This was a challenge for the _msdcs zone, which must be available forest wide to resolve the forest root domain, which contains the Schema and Domain Name Masters FSMO roles.
In Windows 2003, there were two additional partitions added, they are called the DomainDnsZones and ForestDnsZones Application Partitions, specifically to store DNS data. They were conceived to overcome the limitation of Windows 2000's AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only in that domain's DomainDnsZones partition. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs zone is stored in the ForestDnsZones application partition.
When selecting a zone replication scope in Win2003, in the zone's properties, click on the "Change" button. Under that you will see 3 options:
To choose the ForestDnsZones: "To all DNS servers in the AD forest example.com"
To choose DomainDnsZones: "To all DNS servers in the AD domain example.com"
To choose the DomainNC (only for compatibility with Win2000): "To all domain controllers in the AD domain example.com"
If you have a duplicate, that's telling me that there is a zone that exists in the DomainNC and in the DomainDnsZones Application partition. This means at one time, or currently, you have a mixed Win2000/2003 environment and you have DNS installed on both operating systems. On Win2000, if the zone is AD Integrated, it is in the DomainNC, and should be set the same in Win2003's DC/DNS server to keep compatible. Someone must have attempted to change it in Win2003 DNS to put it in the DomainDnsZones partition not realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Win2003 app partitions, you then must ensure the zone on the Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine, then once that's done, you can then go to the Win2003 DNS and change the partition's replication scope to one of the app partitions.
In ADSI Edit, you can view all five partitions. You were viewing the app partitions, but not the main partitions. You need to add the DomainNC partition in order to delete that zone. But you must uninstall DNS off the Win2000 server first, unless you want to keep the zone in the DomainNC. But that wouldn't make much sense if you want to take advantage of the _msdcs zone being available forest wide in the ForestDnsZones partition, which you should absolutely NOT delete. I would just use the Win2003 DNS servers only.
In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point click on "Well known Naming Context", then in the drop-down box, select "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will see the zone in there.
But make sure to decide FIRST which way to go before you delete anything.
Some reading for you... Directory Partitions: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp
kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions issues: http://www.kbalertz.com/kb_867464.aspx
How to fix it?
-------------
What I've done in a few cases with my clients that have issues with 'duplicate' zone entries in AD (because the zone name was in the Domain NC (Name Container) Partition, and also in the DomainDnsZones App partition), was first to change the zone on one of the DCs to a Primary zone, and allowed zone transfers. Then I went to the other DCs and changed the zone to a Secondary, and using the first DC as the Master. Then I went into ADSI Edit, (from memory) under the Domain NC, Services, DNS, and deleted any reference to the domain name. Then I added the DomainDnsZones partition to the ADSI Edit console, and deleted any reference to the zone name in there as well. If you see anything saying something to the extent of a phrase that says "In Progress...." or "CNF" with a long GUID number after it, delete them too. Every time you may have tried to change the replication scope, it creates one of them. Delete them all.
Then I forced replication. If there were Sites configured, I juggled around the servers and subnet objects so all of the servers are now in one site, then I forced replication (so I didn't have to wait for the next site replication schedule). Once I've confirmed that replication occurred, and the zones no longer existed in either the Domain NC or DomainDnsZones, then I changed the zone on the first server back to AD Integrated, choosing the middle button for its replication scope (which puts it in the DomainDnsZones app partition). Then I went to the other servers and changed the zone to AD Integrated choosing the same replication scope. Then I reset the sites and subnet objects, and everything was good to go.
Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any problems and is located in the ForestDnsZones (default) in all of my client cases I've come across with so far.
It seems like a lot of steps, but not really. Just read it over a few times to get familiar with the procedure. You may even want to change it into a numbered step by step list if you like. If you only have one DC, and one Site, then it's much easier since you don't have to mess with secondaries or play with the site objects.
I hope that helped!
================================== ==================================
Ace
Ace,
Thanks for the response. I'm afraid I got lost in the fix portion that you described, but that may not be important, as I don't see any duplicates anywhere that I can tell.
There are no CNF... records in ADUC. Using ADSIEdit, I don't see five partitions. I only see the Domain, Configuration and Schema partitions. I can't connect to the DomainDNSZones or ForestDNSZones, using ADSIEdit, either. Following the instruction in the kbAlertz article you linked, when I attempt the connection I just receive a message box saying that a "referral" was returned from the server. I can see these containers in dnsmgmt.msc under the zone <domain>.local (which is the name of our default first site). This is also the only place I can see the _msdcs container, which is also carried under the <domain>.local zone. Your description seemed to indicate this is a separate zone that is on its own somewhere and shouldn't be touched or moved, but from what I can see, this isn't a DNS zone, but a container and any change to the <domain>.local zone would affect the _msdcs container.
Much of what you outlined assumed that I still had Win2000 DNS servers active. I don't. After the migration, the Win2000 DNS servers were deactivated. This leaves me with one forest, with one domain and two DCs/DNS servers that are Win 2003 R2 and the DNS is AD-Integrated.
In reading through the information on the differences in the Replication parameter for the zones, I'm not sure there is any advantage to us in selecting any of these over the other. These are the only two DCs/DNS servers in the forest and domain, so replicating the AD Integrated zones to all domain controllers should be sufficient. This is the replication setting on our DNS zones. There was mention that there would be less network traffic using one of the first two, so I attempted changing a zone's replication parameter to the 'all DNS servers in the forest' parameter. There were warning boxes in the Event log that the zone was removed from Active Directory, even though the zone was still defined as an AD Integrated zone. I didn't want this, because these are AD Integrated, so I changed it back to the 'all domain controllers' replication setting and it was restored in Active Directory.
So, I guess that I'm still back where I started. The A and PTR DNS records for the DCs/DNS cannot be changed so that the "Delete when stale" checkbox is cleared. What would be the effect of enabling Aging/Scavenging when these records will most assuredly be deleted routinely from DNS?
TIA
Rick
In news:5DB75EF0-806F-4060-883F-61E152BBA825[ at ]microsoft.com, Library Sysadmin <LibrarySysadmin[ at ]discussions.microsoft.com> typed:
A referral means it was mistyped.
Click in the custom context box and type in:
For DomainDnsZones: dc=domaindnszones,dc=yourdomainname,dc=com
For ForestDnsZones: dc=forestdnszones,dc=yourdomainname,dc=com
Don't forget to give it a unique name in the top name box.
Ace
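As an added example (not code from this thread, from Ace, or from Microsoft), the following PowerShell script does the ADSI Edit check described above from the command line: it lists the dnsZone objects in the DomainNC, DomainDnsZones and ForestDnsZones containers, flags zones that appear in more than one place or survive as CNF/InProgress objects, and then decodes the aging timestamp of every record in one zone so you can see which records the "Delete this record when it becomes stale" box is set on before scavenging is ever enabled. It assumes plain ADSI (System.DirectoryServices) access from a domain-joined machine with an account that can read the DNS application partitions; the zone name is a placeholder.

```powershell
# Added example, not from the thread: inventory AD-integrated zones in the three
# containers Ace describes, flag duplicate/CNF zone objects, and list which records
# in one zone carry an aging timestamp (the "Delete this record when it becomes
# stale" box) rather than being static. Plain ADSI, so no AD module is required.
# Assumption: $zoneName is a placeholder for your own AD-integrated zone.
$zoneName = 'example.local'

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$forestDn = [string]$rootDse.rootDomainNamingContext

# The three places an AD-integrated zone can live, keyed by replication-scope wording.
$zoneContainers = [ordered]@{
    'DomainNC (all domain controllers in the domain)' = "LDAP://CN=MicrosoftDNS,CN=System,$domainDn"
    'DomainDnsZones (all DNS servers in the domain)'  = "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    'ForestDnsZones (all DNS servers in the forest)'  = "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
}

function Get-DnsZoneNames {
    param([string]$ContainerPath)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($ContainerPath)
    # A missing partition or a mistyped DN (the "referral" Rick saw) surfaces here.
    try { $null = $entry.NativeObject } catch { return @() }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $entry, '(objectClass=dnsZone)', [string[]]@('name'))
    $searcher.SearchScope = 'OneLevel'
    foreach ($result in $searcher.FindAll()) { [string]$result.Properties['name'][0] }
}

function Get-DnsZoneInventory {
    $seen = @{}
    foreach ($label in $zoneContainers.Keys) {
        foreach ($zone in Get-DnsZoneNames $zoneContainers[$label]) {
            # AD renames the loser of a replication collision to "<name>\nCNF:<guid>";
            # the DNS server leaves "..InProgress.." objects while a scope change runs.
            $duplicateOf = if ($seen.ContainsKey($zone)) { $seen[$zone] } else { $seen[$zone] = $label; $null }
            [pscustomobject]@{
                Zone = $zone; Location = $label
                Conflict = ($zone -match 'CNF:|InProgress'); DuplicateOf = $duplicateOf
            }
        }
    }
}

function Get-DnsRecordAging {
    param([string]$ZonePath)   # LDAP path of the dnsZone object (DC=<zone>,CN=MicrosoftDNS,...)
    $zone = New-Object System.DirectoryServices.DirectoryEntry($ZonePath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $zone, '(objectClass=dnsNode)', [string[]]@('name', 'dnsRecord'))
    $searcher.SearchScope = 'OneLevel'
    $epoch = [datetime]'1601-01-01'
    $typeNames = @{ 1 = 'A'; 2 = 'NS'; 6 = 'SOA'; 12 = 'PTR'; 28 = 'AAAA'; 33 = 'SRV' }
    foreach ($node in $searcher.FindAll()) {
        foreach ($raw in $node.Properties['dnsrecord']) {
            # dnsRecord layout (MS-DNSP 2.3.2.2): DataLength(2) Type(2) Version(1) Rank(1)
            # Flags(2) Serial(4) TtlSeconds(4) Reserved(4) TimeStamp(4) Data. TimeStamp is
            # little-endian hours since 1601-01-01; zero marks a static record.
            $type  = [int][BitConverter]::ToUInt16($raw, 2)
            $hours = [BitConverter]::ToUInt32($raw, 20)
            [pscustomobject]@{
                Node      = [string]$node.Properties['name'][0]
                Type      = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { "TYPE$type" }
                Static    = ($hours -eq 0)
                Timestamp = if ($hours -eq 0) { $null } else { $epoch.AddHours($hours) }
            }
        }
    }
}

# Zones present in two containers, or left as CNF/InProgress objects, are the duplicates
# Ace's procedure cleans up; check them in ADSI Edit before touching scavenging.
$inventory = Get-DnsZoneInventory
$inventory | Format-Table -AutoSize
# Only records with a timestamp are scavenging candidates; this shows which ones they are.
$zoneHit = $inventory | Where-Object { $_.Zone -eq $zoneName -and -not $_.Conflict } | Select-Object -First 1
if ($zoneHit) {
    $zonePath = $zoneContainers[$zoneHit.Location] -replace '^LDAP://', "LDAP://DC=$zoneName,"
    Get-DnsRecordAging $zonePath | Sort-Object Static, Node | Format-Table -AutoSize
}
```

Records reported with Static = False are the ones a scavenging run would eventually remove; a DC's own A, PTR and SRV records showing a fresh timestamp each time they are inspected is the same behaviour Rick sees in the MMC.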
In news:5DB75EF0-806F-4060-883F-61E152BBA825[ at ]microsoft.com, Library Sysadmin <LibrarySysadmin[ at ]discussions.microsoft.com> typed:
Sorry, meant to address the other stuff.
Even though you are all 2003, there still may be a zone mismatch causing a conflict or dupe. Only way to tell is to use ADSI Edit. Please follow the directions very closely to get to those partitions. If you changed it and changed it back, depending on the timing, it could have left a dupe, which will cause this. If you did it really fast thinking 'if i click no real quick it will go away', that may have caused it. Usually you will need to wait to allow replication to happen, then go back and change it back.
If you are creating data and it is disappearing, either the DC updating itself is doing it or there is a conflict. I am guessing because I do not know your config. If you can, please post the following to get me up to speed. I really need you to get into ADSI Edit to see as well into both the forestdnszones and domaindnszones partitions. This is IMPORTANT. Remember to not edit the results. You have private subnets and a private domain name so don't worry about security.
1. Unedited ipconfig /all from two of your DCs, and one of your clients.
2. The exact zone name spelling in DNS and whether updates are allowed on the zone.
3. The AD DNS domain name as it shows up in ADUC.
4. If the SRV records exist under your zone.
5. Any errors in the Event logs on the DC under System, Replication Service and Directory Services (post the Event ID# and source please)
6. Dcdiag /v /fix > c:\dcdiag.txt (post the dcdiag.txt as an attachment)
7. Netdiag /v /fix > c:\netdiag.txt (post the dcdiag.txt as an attachment)
8. More than one subnet?
9. Forwarder(s) configured?
Thanks,
Ace