DNS Entries


Adrian Marsh (NNTP)

I'm setting up a DC to work with a QIP DNS server, prior to moving a
domain across to that DNS network. Dynamic DNS updates from the DC
aren't an option, as our admins enforce strict update rules which prohibit it.

At the moment my test server (netdiag -v output) reports the below DNS
entries missing.

My question is:

If I enter these entries into QIP DNS as below, are there any others
that the clients might need to be able to authenticate/login etc ? Or
is this a complete list?

For example, I'm sure I'd read somewhere that the SID of the domain was
needed, e.g.:

7c5ecb37-e59f-406d-96d3-75f0fac16cba. SRV 0 0 389

on its own, but it's not complaining about that one in the list below.

Second, how can I translate SIDs back to machine names in the AD
network? I'm curious to find out what the SID (2ef5f965...) is below.

Adrian


Query for DC DNS entry
_ldap._tcp.7c5ecb37-e59f-406d-96d3-75f0fac16cba.domains._msdcs.uk-lab.lucent.com.
on DNS server 135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry
2ef5f965-03c1-452b-9cd7-7d3d25eebad6._msdcs.uk-lab.lucent.com. on DNS
server 135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry _kerberos._tcp.dc._msdcs.uk-lab.lucent.com. on
DNS server 135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry _ldap._tcp.dc._msdcs.uk-lab.lucent.com. on DNS
server 135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry _kerberos._tcp.uk-lab.lucent.com. on DNS server
135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry _kerberos._udp.uk-lab.lucent.com. on DNS server
135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry _kpasswd._tcp.uk-lab.lucent.com. on DNS server
135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry _kpasswd._udp.uk-lab.lucent.com. on DNS server
135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry uk-lab.lucent.com. on DNS server 135.86.199.246
failed.
DNS Error code: 0x0000251D
Query for DC DNS entry _ldap._tcp.OptimusLab._sites.uk-lab.lucent.com.
on DNS server 135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry
_kerberos._tcp.OptimusLab._sites.dc._msdcs.uk-lab.lucent.com. on DNS
server 135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry
_ldap._tcp.OptimusLab._sites.dc._msdcs.uk-lab.lucent.com. on DNS server
135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
Query for DC DNS entry
_kerberos._tcp.OptimusLab._sites.uk-lab.lucent.com. on DNS server
135.86.199.246 failed.
DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS
server)
[WARNING] The DNS entries for this DC are not registered correctly
on DNS server '135.86.199.246'. Please wait for 30 minutes for DNS
server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.
 
Adrian Marsh (NNTP) said:
I'm setting up a DC to work with a QIP DNS server, prior to moving a
domain across to that DNS network. Dynamic DNS updates from the DC
aren't an option, as our admins enforce strict update rules which
prohibit it.
At the moment my test server (netdiag -v output) reports the below DNS
entries missing.

My question is:

If I enter these entries into QIP DNS as below, are there any others
that the clients might need to be able to authenticate/login etc ? Or
is this a complete list?

For example, I'm sure I'd read somewhere that the SID of the domain
was needed, e.g.:

7c5ecb37-e59f-406d-96d3-75f0fac16cba. SRV 0 0 389

on its own, but it's not complaining about that one in the list below.

Second, how can I translate SIDs back to machine names in the AD
network? I'm curious to find out what the SID (2ef5f965...) is below.

Adrian

This record:
2ef5f965-03c1-452b-9cd7-7d3d25eebad6._msdcs.uk-lab.lucent.com
is actually not a SID, but rather the domain GUID. That is the identifier in
DNS and in the physical AD database identifying that domain. You can use
NTDSUtil to grab that data. As the record states, you can look under the
_msdcs zone in DNS to see that record. Each domain has one. To resolve it to
an IP, according to this output, it will look for this record in DNS under
the "uk-lab.lucent.com" zone:
(same as parent) Host 135.86.199.246

Now, according to this output, is your AD DNS domain name lucent.com, or is
it "uk-lab.lucent.com"? Which zone exists in DNS? What name are you using?

AD requires the SRV records, which get auto dynamically registered. If they
will NOT allow you to register, that is a tough one. You can provide them
the netlogon.dns file located in the system32\config folder, which has all
the records. You need to provide them this record from all DCs.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
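Adrian's question (which entries to hand to the QIP team) and Ace's reply (the bare GUID name under _msdcs is not an SRV record, and the domain name itself resolves as the "(same as parent)" host) can be turned into a mechanical step. This added example, not from the thread, parses netdiag -v output in the format shown above and emits the static records Netlogon would otherwise have registered; the DC host name dc1.uk-lab.lucent.com and address 192.0.2.10 are placeholders, since the thread gives neither.

```python
"""Turn the DC record names 'netdiag -v' reports missing into the static DNS records to create."""
import re

# Well-known ports for the service labels Netlogon registers as SRV records.
SERVICE_PORTS = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}

# netdiag wraps long lines, so the output is flattened to single spaces before matching.
FAILED_RE = re.compile(r"Query for DC DNS entry (?P<name>\S+) on DNS server \S+ failed\.")

# Constructed excerpt in the format of the thread's netdiag output (record names from the page).
SAMPLE_NETDIAG = """\
Query for DC DNS entry
_ldap._tcp.7c5ecb37-e59f-406d-96d3-75f0fac16cba.domains._msdcs.uk-lab.lucent.com.
on DNS server 135.86.199.246 failed.
Query for DC DNS entry
2ef5f965-03c1-452b-9cd7-7d3d25eebad6._msdcs.uk-lab.lucent.com. on DNS
server 135.86.199.246 failed.
Query for DC DNS entry _kpasswd._udp.uk-lab.lucent.com. on DNS server
135.86.199.246 failed.
Query for DC DNS entry uk-lab.lucent.com. on DNS server 135.86.199.246
failed.
DNS Error code: 0x0000251D
"""

def missing_names(netdiag_output):
    """Record names netdiag reported as missing: lower-cased, no trailing dot, deduplicated."""
    flat = " ".join(netdiag_output.split())
    names = [m.group("name").rstrip(".").lower() for m in FAILED_RE.finditer(flat)]
    return list(dict.fromkeys(names))

def static_record(name, domain, dc_fqdn, dc_ip):
    """(owner, type, rdata) for the record Netlogon would have registered dynamically:
    _service._proto.* names are SRV (Netlogon default priority 0, weight 100, well-known
    port); the bare domain name is the A record for the DC (the "(same as parent)" host);
    a bare GUID under _msdcs is a CNAME alias to the DC's host name."""
    domain, dc_fqdn = domain.rstrip(".").lower(), dc_fqdn.rstrip(".").lower()
    if name == domain:
        return (f"{name}.", "A", dc_ip)
    service = name.split(".")[0]
    if service in SERVICE_PORTS:
        return (f"{name}.", "SRV", f"0 100 {SERVICE_PORTS[service]} {dc_fqdn}.")
    if service.startswith("_"):
        raise ValueError(f"unknown service label in {name}")
    return (f"{name}.", "CNAME", f"{dc_fqdn}.")

def records_to_create(netdiag_output, domain, dc_fqdn, dc_ip):
    """Zone-file style lines for every missing record, ready to hand to the DNS team."""
    recs = (static_record(n, domain, dc_fqdn, dc_ip) for n in missing_names(netdiag_output))
    return [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in recs]
```

Run it over the complete netdiag -v output for each DC to get that DC's request list; once the entries exist on the QIP server, re-running netdiag -v against it confirms nothing is still missing.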