Internal DNS not functioning in AD

  • Thread starter Thread starter Ertugrul Ozurun
  • Start date Start date
E

Ertugrul Ozurun

Hello all,

I have a W2K AD LAN with 1 DC. Everything was allright until now
when DNS seemed to be not functioning. Clients cannot logon and
internal DNS on DC cannot resolve names (both monitoring test on DNS
server and nslookup fails. NSlookup says "Default servers does not
exist...". PTR records are okay and I restored DNS records from file
backups. DNS zone is active- directory integrated and allows dynamic
updates. DHCP server and client services are both started and
functioning.

Any help? ideas?

Ertug
 
In
Ertugrul Ozurun said:
Hello all,

I have a W2K AD LAN with 1 DC. Everything was allright until now
when DNS seemed to be not functioning. Clients cannot logon and
internal DNS on DC cannot resolve names (both monitoring test on DNS
server and nslookup fails. NSlookup says "Default servers does not
exist...". PTR records are okay and I restored DNS records from file
backups. DNS zone is active- directory integrated and allows dynamic
updates. DHCP server and client services are both started and
functioning.

Any help? ideas?

Ertug
Click to expand...


Can we see an ipconfig /all of the server you are testing this from please?

The nslookup mesage (not really an error) just says it can't find it's name
for that IP address of your DNS server in the reverse zone. If using your
ISP's DNS server in IP properties, it maybe trying to read that IP and
coming up with the error.

For the recursion test, make sure you are using a forwarder, then it will
pass.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello Ace,

Thank your for your reply.
The result of ipconfig /all :
Host Name : ntsrv
Primary DNS Suffix : xxxxx.com
Node Type : hybrid
IP Routing Enabled : No
Wins Proxy Enabled : No
DNS Suffix Search List : xxxxx.com

Ethernet Adapter Local Area Connection:
Connection specific dns suffix : xxxxx.com
DHCP Enabled : No
Primary IP Address : 192.168.0.7
Subnet mask : 255.255.255.0
Default GAteway : 192.168.0.3
DNS Servers : 192.168.0.7
Primary WINS Server : 192.168.0.7

192.168.0.7 is IP of ntsrv (DC - then only DC on our LAN). 192.168.0.3
is the ip of ISA server (win2k standalone). External DNS resides on
192.168.0.3. Internal DNS is on ntsrv. External DNS is functioning
properly.

Also, I ran DCDIAG on NTSRV, here is the result:

NTSRV's server GUID address cannot resolved to an IP address. CHeck
dns, dhcp etc. Although the server name ntsrv.xxxx.com resolved to the
ip address (192.168.0.7) and was pingable..

Waiting your comments
 
In
Ertugrul Ozurun said:
Hello Ace,

Thank your for your reply.
The result of ipconfig /all :
Host Name : ntsrv
Primary DNS Suffix : xxxxx.com
Node Type : hybrid
IP Routing Enabled : No
Wins Proxy Enabled : No
DNS Suffix Search List : xxxxx.com

Ethernet Adapter Local Area Connection:
Connection specific dns suffix : xxxxx.com
DHCP Enabled : No
Primary IP Address : 192.168.0.7
Subnet mask : 255.255.255.0
Default GAteway : 192.168.0.3
DNS Servers : 192.168.0.7
Primary WINS Server : 192.168.0.7

192.168.0.7 is IP of ntsrv (DC - then only DC on our LAN). 192.168.0.3
is the ip of ISA server (win2k standalone). External DNS resides on
192.168.0.3. Internal DNS is on ntsrv. External DNS is functioning
properly.

Also, I ran DCDIAG on NTSRV, here is the result:

NTSRV's server GUID address cannot resolved to an IP address. CHeck
dns, dhcp etc. Although the server name ntsrv.xxxx.com resolved to the
ip address (192.168.0.7) and was pingable..

Waiting your comments
Click to expand...

Hello Ertugrul,

Thanks for posting that information. What concerns me is the server, NTSRV's
GUID addresss is not resolvable. If you look in DNS, under your xxxxx.xom
zonename, then under _msdcs folder, you will see a long name,which is the
GUID number. Is it there and does it have the correct name, ntsrv.xxxxx.com?

You said the clients cannot log in? Do all the clients only use 192.168.0.7
for DNS? If they do, then I believe the SRV records are not properly
registering into DNS.

If you have ISA server, then this changes the way things work with outside
access. So it depends:

1. If using just the web caching service, then I assume that any external
pings and nslookups will NOT work.

2. If using the web caching service and firewall service, then your machines
internally will need the firewall client.

3. You said that the 'external' DNS is on the ISA server, did you setup a
forwarder from 192.168.0.7 to 192.168.0.3?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello Ace,

I forgot to mention that the GUID number._msdcs****** exists in
AD-integrated zone xxxxx.com under msdcs folder as "A" record.

All clients take ip configuration from DHCP server which is NTSRV and
DHCP server is configured as to give ip addresses from 192.168.0.20 -
50 , DG: none, DNS : 192.168.0.7; DNS primary suffix : xxxxxx.com .

So they cannot login or access network shares etc. Also all
applications which needs Wİndows Auth dont run .

Waiting to hear from you soon.
 
In
Ertugrul Ozurun said:
Hello Ace,

I forgot to mention that the GUID number._msdcs****** exists in
AD-integrated zone xxxxx.com under msdcs folder as "A" record.

All clients take ip configuration from DHCP server which is NTSRV and
DHCP server is configured as to give ip addresses from 192.168.0.20 -
50 , DG: none, DNS : 192.168.0.7; DNS primary suffix : xxxxxx.com .

So they cannot login or access network shares etc. Also all
applications which needs Wİndows Auth dont run .

Waiting to hear from you soon.
Click to expand...

Under the _msdcs._gc zone, is the GC listed?

What errors are you getting in the DC and/or the clients event logs if any?

Is the ISA firewall software installed?

Everything should work, from what you're describing.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello Ace,

Answers to your questions:

1. Under _msdcs._gz zone Alias for GC is listed and I checked all SRV
records with another running LAN's internal DNS. It seems to be okay.

2. ISA Server is installed on another server, but no isa firewall
client is installed on this DC. This is a secure NAT client having ISA
Server's internal IP as DG.

3. In system logs, Netlogon Warning msgs are displayed having event id
5781. Dynamic registration or deregistration failed because of
non-existing DNS Servers.

4. Also find below netdiag and dcdiag results which was run on this
DC.

DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\NTSRV
Starting test: Connectivity
NTSRV's server GUID DNS name could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name

(e6d8e791-f9b3-4070-94f4-b769b83e5b20._msdcs.xxxxx.com)
couldn't be

resolved, the server name (ntsrv.xxxxx.com) resolved to the
IP

address (192.168.0.7) and was pingable. Check that the IP
address is

registered correctly with the DNS server.
......................... NTSRV failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\NTSRV
Skipping all tests, because server NTSRV is
not responding to directory service requests

Running enterprise tests on : xxxxx.com
Starting test: Intersite
......................... xxxxx.com passed test Intersite
Starting test: FsmoCheck
......................... xxxxx.com passed test FsmoCheck

and NETDIAG results:

........................................

Computer Name: NTSRV
DNS Host Name: ntsrv.xxxxx.com
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 3 Stepping 4, GenuineIntel
List of installed hotfixes :
KB329115
KB819696
KB823182
KB823559
KB823980
KB824105
KB824141
KB824146
KB825119
KB826232
KB828028
KB828035
KB828749
KB830352
Q147222
Q816093
Q828026


Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : ntsrv.xxxxx.com
IP Address . . . . . . . . : 192.168.0.7
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.3
Primary WINS Server. . . . : 192.168.0.7
Dns Servers. . . . . . . . : 192.168.0.7


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed


Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{D88E1162-6A39-4F28-89A6-98F5FC428B41}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for
the name
'ntsrv.xxxxx.com.'. [ERROR_TIMEOUT]
The name 'ntsrv.xxxxx.com.' may not be registered in DNS.
[WARNING] The DNS entries for this DC cannot be verified right
now on DNS server 192.168.0.7, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC
registered.

Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{D88E1162-6A39-4F28-89A6-98F5FC428B41}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{D88E1162-6A39-4F28-89A6-98F5FC428B41}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
'ntsrv.xxxxx.com'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.

5. If removing and reinstalling DNS on this DC will be any good, would
you mind to advise me a "best practice" to backup DNS zones, remove &
install DNS, restore DNS zones?

Thanks in advance

Ertugrul
 
In
Ertugrul Ozurun said:
Hello Ace,

Answers to your questions:

1. Under _msdcs._gz zone Alias for GC is listed and I checked all SRV
records with another running LAN's internal DNS. It seems to be okay.

2. ISA Server is installed on another server, but no isa firewall
client is installed on this DC. This is a secure NAT client having ISA
Server's internal IP as DG.

3. In system logs, Netlogon Warning msgs are displayed having event id
5781. Dynamic registration or deregistration failed because of
non-existing DNS Servers.

4. Also find below netdiag and dcdiag results which was run on this
DC.

DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\NTSRV
Starting test: Connectivity
NTSRV's server GUID DNS name could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name

(e6d8e791-f9b3-4070-94f4-b769b83e5b20._msdcs.xxxxx.com)
couldn't be

resolved, the server name (ntsrv.xxxxx.com) resolved to the
IP

address (192.168.0.7) and was pingable. Check that the IP
address is

registered correctly with the DNS server.
......................... NTSRV failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\NTSRV
Skipping all tests, because server NTSRV is
not responding to directory service requests

Running enterprise tests on : xxxxx.com
Starting test: Intersite
......................... xxxxx.com passed test Intersite
Starting test: FsmoCheck
......................... xxxxx.com passed test FsmoCheck

and NETDIAG results:

.......................................

Computer Name: NTSRV
DNS Host Name: ntsrv.xxxxx.com
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 3 Stepping 4, GenuineIntel
List of installed hotfixes :
KB329115
KB819696
KB823182
KB823559
KB823980
KB824105
KB824141
KB824146
KB825119
KB826232
KB828028
KB828035
KB828749
KB830352
Q147222
Q816093
Q828026


Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : ntsrv.xxxxx.com
IP Address . . . . . . . . : 192.168.0.7
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.3
Primary WINS Server. . . . : 192.168.0.7
Dns Servers. . . . . . . . : 192.168.0.7


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed


Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{D88E1162-6A39-4F28-89A6-98F5FC428B41}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for
the name
'ntsrv.xxxxx.com.'. [ERROR_TIMEOUT]
The name 'ntsrv.xxxxx.com.' may not be registered in DNS.
[WARNING] The DNS entries for this DC cannot be verified right
now on DNS server 192.168.0.7, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC
registered.

Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{D88E1162-6A39-4F28-89A6-98F5FC428B41}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{D88E1162-6A39-4F28-89A6-98F5FC428B41}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
'ntsrv.xxxxx.com'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.

5. If removing and reinstalling DNS on this DC will be any good, would
you mind to advise me a "best practice" to backup DNS zones, remove &
install DNS, restore DNS zones?

Thanks in advance

Ertugrul
"Ace Fekay [MVP]"
Under the _msdcs._gc zone, is the GC listed?

What errors are you getting in the DC and/or the clients event logs
if any?

Is the ISA firewall software installed?

Everything should work, from what you're describing.
Click to expand...
Click to expand...


Based on what you posted, the DNS server service should be responding. Are
Dynamic Updates enabled on the zone?

If you want to delete and reinstall DNS, sure, go ahead. But, the service
should be responding. If you only have the one DC and a handful of clients
(clients don't necessarily need to register unless a specific app requires
it), then go ahead and delete the zone, remove DNS, then reinstall it and
re-create the zone. Then to register the DC:
ipconfig /registerdns
net stop netlogon
net start netlogon



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello Ace,

I have removed and reinstalled DNS and recreated the zone files. But
nothing changed. I followed KB article 294328 while removing and
reinstalling and I checked DNS using its monitoring feature and
nslookup but always failed. Any hardware problem can be the reason for
example a faulty ethernet adapter etc.? WINS is also installed on this
DC. Shall I remove WINS ?

As you can follow, I am helpless at this moment :(

For your info, all zones are configured to allow dynamic updates (not
only secure updates).

Ertug

"Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&[email protected]> wrote in message news:<uHl#[email protected]>...
 
Hello All,

Before we re-install DNS, lets look at a few things.

Examples of records that should be registered in the DNS zone are:
_ldap._tcp.dc._msdcs.<domain>

_ldap._tcp.<site>._sites.dc._msdcs.<domain>

_kerberos._tcp.<site>._sites.dc._msdcs.<domain>

If some or all of the previous records are missing, verify the following:
Verify that the Kerberos Key Distribution Center service is started
on the domain controller.
Verify that the domain controller has a host record registered (See
section for Dynamic Update Failures).
If Domain subfolders are missing, see KB article 310568 Domain
Subfolders Missing from Forward Lookup Zone
http://support.microsoft.com/?id=310568

If the domain controller is not registering a GUID. Netlogon event 5774 for
SRV record:

Check for Mail Exchange (MX) wildcard entry, see KB article:
325208 GUID Records Are Not Registered If MX Record with Wildcard Character
Is
http://support.microsoft.com/?id=325208

259277 Troubleshooting Netlogon Event 5774, 5775, and 5781
http://support.microsoft.com/?id=259277


Shane Brasher
MCSE (2003,2000,NT),MCSA Security, Network+, A+
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hello all,

I have solved my DNS problem. I decided to reinstall DNS following all
comments in this thread and followed KB 294328 and KB 246304 articles.
Then all my problems solved and DC started to run properly.

I want to thank Ace and Shane for their valuable comments and
cooperations.

Thanks

Ertugrul
 
In
Ertugrul Ozurun said:
Hello all,

I have solved my DNS problem. I decided to reinstall DNS following all
comments in this thread and followed KB 294328 and KB 246304 articles.
Then all my problems solved and DC started to run properly.

I want to thank Ace and Shane for their valuable comments and
cooperations.

Thanks

Ertugrul
Click to expand...

No prob. One question, how did article 246304 help?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Back
Top