IP address associated with the given NS record cannot be found --- Pri DNS + VPN server

Joe

In the Pri DNS server NO AD and NOT DC.
On the "Name Server" tab of any zone files the IP address of ns1.csi.com
(pri DNS) is unknown and when try to do resolve the error msg comes up "An IP
address associated with the given NS record cannot be found". How to solve?

FYI the pri DNS is dual NIC behind firewall that open port for DNS. No error
in the dns log and system log
VPN server also installed. The other NIC is connected to other network so
when remote user connect through VPN, they are able to browse to other
network also.
Please help me ASAP because already a week I try to figure out but cannot
solve it. The Pri is working unstable sometimes the query to this ns1 works
fine sometimes timeout.


******* Below is the result of netdiag /test:dns *******

Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it
has not received any packets.

Per interface results:

Adapter : Dim

Netcard queries test . . . : Passed

Adapter : CSI

Netcard queries test . . . : Passed

Adapter : {E663C8E8-BB51-435C-97E6-422DA8525C1A}

Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed
Dns domain name is not specified.
Dns forest name is not specified.


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{BD4E015A-C8FA-4AB2-B1BE-27D673A5CFDB}
NetBT_Tcpip_{E663C8E8-BB51-435C-97E6-422DA8525C1A}
2 NetBt transports currently configured.


DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'ns1.csi.com.'. [RCODE_SERVER_FAILURE]
The name 'ns1.csi.com.' may not be registered in DNS.
[WARNING] Cannot find a primary authoritative DNS server for the
name
'ns1.csi.com.'. [RCODE_SERVER_FAILURE]
The name 'ns1.csi.com.' may not be registered in DNS.

The command completed successfully


######### Below is the csi.com Zone File ###########

;
; Database file csi.com.dns for csi.com zone.
; Zone version: 13
;

@ IN SOA ns1.csi.com. admin.csi.com. (
13 ; serial number
3600 ; refresh
600 ; retry
604800 ; expire
90000 ) ; minimum TTL

;
; Zone NS records
;

@ NS ns1.csi.com.
@ NS ns2.csi.com.

;
; Zone records
;

@ A 205.150.xxx.aaa
@ MX 10 mail.csi.com.
admin A 205.150.xxx.bbb
mail A 205.150.xxx.bbb
ns2 A 205.150.xxx.yyy
www A 205.150.xxx.ccc


Best regards,
Yohannes
 
It seems that ns1.csi.com is not resolving because you didn't create that
record in your zone file. I do see an 'ns2' host ('A') record, but I don't
see an ns1 host ('A') record.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Thanks Ace, it works well.
I read about DNS design and security somewhere and it is suggested that the
zone files for external/public DNS like mine, doesn't use dynamic update.
Dynamic update ok for internal dns, is that true?
Please clarify and explain why if that the case, thanks a lot.

--
Regards,
Joe


 
In
Joe said:
Thanks Ace, it works well.
I read about DNS design and security somewhere and it is suggested
that the zone files for external/public DNS like mine, doesn't use
dynamic update. Dynamic update ok for internal dns, is that true?
Please clarify and explain why if that the case, thanks a lot.

That's pretty much the extent of it. No need to have dynamic updates for DNS
servers hosting external public data. That's used mainly for AD machines
(DCs and clients). Clients don't necessarily need to update, especially in a
university situation, but that's up to the admins. DCs do, and if disabled,
they need to be entered manually since AD relies on those records that it
registers.

Hope that explains it!

--
Regards,
Ace

 
In
Joe said:
Thanks Ace, it helps although not 100% :)

If external, why allow updates? Do you want Internet users to register into
your zone?

Internal is not totally a requirement to have dynamic updates enabled, but
at least DC MUST have their records registered, so you'll have to do it
manually. Does that part make sense, and is it helpful? If not, please let me know
what part doesn't make sense or you don't understand.

--
Regards,
Ace

 
Just to confirm, so let say for external DNS, I allow dynamic update.
So when someone query the domain that has zone in our ext DNS and then their
computer will be registered inside my zone?
Is that what you meant?

--
Regards,
Joe


 
In
Joe said:
Just to confirm, so let say for external DNS, I allow dynamic update.
So when someone query the domain that has zone in our ext DNS and
then their computer will be registered inside my zone?
Is that what you meant?

No. I think a little background in Active Directory and DNS may help to
understand how dynamic updates work and why.

With Active Directory, the domain controllers register their service and
resource locations in DNS in the form of SRV (service) records. These
records help clients, DCs and member servers and any other directory enabled
application (such as Exchange 2000 & 2003) "find" the domain resources and
the domain controllers. Clients don't necessarily need to be registered
unless there's a specific app that requires their resource records to exist.

For registration to happen, the client machine (whether it's a DC, member
server, client or even a DNS server, and yes, even a DNS server needs to be
configured to use itself for DNS resolution) is configured with the DNS
server (that you want to register in) in its IP properties. The Primary DNS
Suffix spelling that is set on the machine must also match the zone name
that you created in DNS, which you enabled updates on. The zone must also
not be a single label name. If these 4 things are not set properly, then
registration will not happen.

The only time I can see on the Internet with external clients is if they
only use your DNS address, set their Primary DNS Suffix to your zone name
and set to allow dynamic updates, will they register. Otherwise, no. This is
more for internal functionality, as you can see based on the explanation.
For external stuff, not needed!

Is that better?

--
Regards,
Ace

 
A lot better :)
Thanks a lot.
From all kinds of MS general servers, I think DNS & w/AD is the most
confusing one in comparison. And from this newsgroup looks like many people
confuse and have quite many problems also.

--
Regards,
Joe


 
In
Joe said:
A lot better :)
Thanks a lot.
From all kinds of MS general servers, I think DNS & w/AD is the most
confusing one in comparison. And from this newsgroup looks like many
people confuse and have quite many problems also.

True, but then again, boiling water can be confusing to some (ask my
wife!)... just kidding! She's actually a great cook, but I do most of it...
I was a cook at a fine restaurant at one point many years ago.

It's less confusing if you work with it day to day. After teaching this stuff
for years, and since working with it from the Win2k beta days back in 1999,
pretty much can sleep walk the stuff. (pretty much).

I always encourage people to ask if they're not sure. Since you weren't that
sure, as indicative of your previous post, I thought it would be helpful to
explain why and how, which helped put more light on it. Anytime you're not
sure of anything, please do post back and ask. That's what we're here for, to
help in lessening the confusion and get things working again.

:-)

Ace
 
Thanks a lot Ace.
You all are really helpful.
Sure I am gonna ask if don't understand, just prepare to answer 10 questions
or more then lol... j/k

Joe ^_^


 
Hmm....I just remember the other thread of mine which I still have the same
problem after 2-4 weeks troubleshooting with you guys especially Kevin. I
also send him all the 'unedited' all files that he needs it to analyze and
troubleshoot (like netdiag result, whole event log, ipconfig, etc).
So probably you could help him, if you don't mind I will send you to your
email directly also the emails which i discuss with Kevin so you know what
we were talking about and the solution so far.
The other thread that I mean is "Dual home DNS w/ AD doesn't work after..."
July 26

I think this one more challenging to be solve especially you said "pretty
much can sleep walk the stuff", I exp also if do solving the same thing
again & again, not challenging & excited anymore, but when something 'new'
to solve that's good, push the knowledge to the limit.
Hopefully you guys can solve this problem.

If you agree, I could send all the files you needed (unedited at all) and
the email I have send/reply with Kevin private email. Please let me know if
you interested or not.

Joe


 
I replied to you privately asking for the info. I'm sure Kevin can take care
of this anyway, but Kevin and I collaborate for the most part... we usually
do. I thought it was taken care of and assumed so since you haven't replied
to my email.

--
Regards,
Ace

 
I'm trying to recall this but it just doesn't ring a bell. I looked back
into my archives and still can't recall maybe you used a different name in
your email?

BTW, if this discussion is over this:
On the "Name Server" tab of any zone files the IP address of ns1.csi.com
(pri DNS) is unknown and when try to do resolve the error msg comes up "An IP
address associated with the given NS record cannot be found". How to solve?

This one is easy to solve, anytime you get this when trying to resolve an NS
record it points to one thing, no glue record. You don't have glue for this
NS record on the DNS server, and if this is going to be a public nameserver,
there is no glue at the .com gTLD servers either.

<snip>
Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for nameserver "NS1.CSI.COM".

<end snip>

To fix this create glue for this record by creating an "A" record for
ns1.csi.com on this server and one at the .com gTLD servers.
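
The zone-side check behind both replies (Ace's missing ns1 host record and the "A record on this server" half of the glue fix), as an added example that is not part of the original thread. It assumes every record line carries an explicit owner, as the posted csi.com.dns does; the function names and the 192.0.2.53 address are constructed for illustration.

```python
import re

# Constructed sample: the csi.com zone as posted (addresses masked by the poster).
# Assumes every record line carries an explicit owner, as that file does.
ZONE_TEXT = """\
@ IN SOA ns1.csi.com. admin.csi.com. (
13 ; serial number
3600 ; refresh
600 ; retry
604800 ; expire
90000 ) ; minimum TTL
@ NS ns1.csi.com.
@ NS ns2.csi.com.
@ A 205.150.xxx.aaa
@ MX 10 mail.csi.com.
admin A 205.150.xxx.bbb
mail A 205.150.xxx.bbb
ns2 A 205.150.xxx.yyy
www A 205.150.xxx.ccc
"""

def fqdn(name, origin):
    """Expand a zone-file owner or target to a lowercase absolute name."""
    origin = origin.lower().rstrip(".") + "."
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_records(text, origin):
    """Yield (owner, type, rdata_fields) for each record in the zone text."""
    text = re.sub(r";[^\n]*", "", text)  # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class that may precede the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2:
            yield fqdn(owner, origin), rest[0].upper(), rest[1:]

def missing_addresses(text, origin):
    """Return (type, target) for SOA/NS/MX targets inside the zone with no A/AAAA."""
    records = list(parse_records(text, origin))
    have_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    zone = fqdn("@", origin)
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            target = rdata[0]   # MNAME, the primary server
        elif rtype in ("NS", "MX"):
            target = rdata[-1]  # last field is the host name
        else:
            continue
        target = fqdn(target, origin)
        in_zone = target == zone or target.endswith("." + zone)
        if in_zone and target not in have_addr:
            problems.append((rtype, target))
    return problems

if __name__ == "__main__":
    print(missing_addresses(ZONE_TEXT, "csi.com"))
    # Same zone with a constructed ns1 host record added: nothing left to report.
    print(missing_addresses(ZONE_TEXT + "ns1 A 192.0.2.53\n", "csi.com"))
```

This only inspects the zone data held on the server; the nameserver host record at the .com gTLD servers is created through the registrar and is outside what a zone-file check can see.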
 
How to give access for you guys to remote in, please let me know how to?

--
Regards,
Joe


 
I am sending you the private email, also I am gonna send to Kevin also.
Because I sent use different email (e-mail address removed) not
(e-mail address removed) so Kevin doesn't recall I guess.

--
Regards,
Joe


 
In
Joe said:
I am sending you the private email, also I am gonna send
to Kevin also. Because I sent use different email
(e-mail address removed) not (e-mail address removed) so Kevin
doesn't recall I guess.

I do now, I'm sorry I didn't recognize the name. I've been covered up this
week and the computer I work from doesn't have enough memory to open such a
large html file. I tried opening it and it had to page over 700 Mb and It
just couldn't handle it. I just asked my 13 year old son if he could stay
off Battle Net long enough for me to open the file and take a peek. Yes my
son has a much newer computer than me, this one handle most of the tasks I
ask of it, but not that one. The only problem is I haven't installed Office
on his yet for the Excel file.

I guess I have no choice but to get "A Round Tuit" today.
 
In
Joe said:
How to give access for you guys to remote in, please let
me know how to?

On Win2k, install Terminal Services in Administrative mode. In Win2k3 you
turn on the remote Desktop (on the System control panel). Either of these
require an administrator account, but you can temporarily change the
Administrator account password.
 
In
Kevin D. Goodknecht Sr. said:
I do now, I'm sorry I didn't recognize the name. I've been covered up
this week and the computer I work from doesn't have enough memory to
open such a large html file. I tried opening it and it had to page
over 700 Mb and It just couldn't handle it. I just asked my 13 year
old son if he could stay off Battle Net long enough for me to open
the file and take a peek. Yes my son has a much newer computer than
me, this one handle most of the tasks I ask of it, but not that one.
The only problem is I haven't installed Office on his yet for the
Excel file.

I guess I have no choice but to get "A Round Tuit" today.

A 700 meg file? Joe emailed me with two different email addresses. I didn't
recognize them at first, not knowing who they were and the fact they showed
up in my junk mail folder. Hotmail does that since they use Reverse DNS.

Anyway, what was the 700 meg file?

Ace
 