Need help to clean up srv records

[Henry IT]

Hi all,

The srv records under a AD integrated zone are due for some clean up. When
I review details records under _msdcs, _site, _tcp folders, it looks like
thare are many cross-linked records under different structure. For example,
there is a _sites folder under _msdcs->dc, in which it shows some _ldap and
_kereros records. Yet subfolders under domainname->_sites also show the same
records. My understanding is that if we use the mmc to update some AD
records, the updates should be replicated to those srv records in DNS zones.
However, our environment does not seems to work that way. Changes (mainly
those about sites, DC, GC) we have made a while ago was not reflected in the
DNS srv records.

Could someone help me to understand where is the best place to manually make
some
changes for service records, for example, delete a ldap record of a DC, or
add a GC?

Thanks in advance for any leads.

Henry

 

[Ace Fekay [MVP]]

In

Hi all,

The srv records under a AD integrated zone are due for some clean up.
When I review details records under _msdcs, _site, _tcp folders, it
looks like thare are many cross-linked records under different
structure. For example, there is a _sites folder under _msdcs->dc,
in which it shows some _ldap and _kereros records. Yet subfolders
under domainname->_sites also show the same records. My
understanding is that if we use the mmc to update some AD records,
the updates should be replicated to those srv records in DNS zones.
However, our environment does not seems to work that way. Changes
(mainly those about sites, DC, GC) we have made a while ago was not
reflected in the DNS srv records.

Could someone help me to understand where is the best place to
manually make some
changes for service records, for example, delete a ldap record of a
DC, or add a GC?

Thanks in advance for any leads.

Henry

SRV dynamic entries are just that, fully automatic. If it's not working for
you, we need to find out why. Do not make manual entries.

Rules of engagement for dynamic updates to automatically work (which is
default): are below. But before that, I just want to let you know, as an
FYI, AD requires DNS. AD stores it's resource and service locations in the
form of SRV records in DNS. When any communication function occurs in AD
(logons, Kerberos authentication, replication intiation, GPOs getting
applied, and numerous other functions), DNS is queried for the location of
that respective service. If DNS doesn't have those records, then that
function will fail. The records get registered into DNS by the netlogon
service on the DCs. The main thing is required for registration are these
simple rules:

1. AD's DNS name can't be a single label name
2. The AD DNS name MUST match the name of the zone in DNS
3. Dynamic Updates are allowed in the zone properties
4. The Primary DNS Suffix MUST match the zone name and the AD DNS name
5. You must only use the DNS servers that host a copy of the AD zone name or
have a reference to get to them. Do not use your ISP's or some other DNS
that does not have a copy of the AD zone. Internet resolution for your
machines will be accomplished by the Root servers (Root Hints). It is
recommended to configure a forwarder for efficient Internet resolution. When
you attempt to configure a forwader and the forwarding option is grayed out,
you need to delete the Root zone (looks like a period), refresh the console
and try again. Forwarders and how to are all explained in:
http://support.microsoft.com/?id=300202

If none of the above is correct, we've got a problem.

IF everything is setup and *working* _properly_, you can actually easily
delete the SRVs and start from scratch in a moment's time. This can be done
by deleting all the SRV records, the LdapIpAddress (the 'same as parent'
records), and the A records for each DC under the zone, and then go to each
DC and:

1. Delete the system32\config\netlogon.dns and netlogon.bak files.
2. Run an ipconfig /registerdns.
3. Restart the netlogon service
4. Hit refresh on the zone files and you will see the LdapIpAddress return,
the A record return, and all the SRV popup clean as a whistle.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================