Folders and records missing from DNS

    Question

  • I have a client with a small domain. He has a single server running Server 2003. Of course it's the DC, DNS, DHCP, File, Print, you name it.

    A few weeks ago something happened during Windows Updates and now DNS is messed up and I believe it's due to AD being messed up. When you look in DNS at the forward lookup zone _msdcs.domain.local, there are no folders in it such as DC, PDC, GC, and domains. Also under the Domain.local forward lookup zone there are no folders. No _tcp, _udp, _sites, etc. _msdcs was there until I deleted it followed by netdiag /fix as I read that should restore everything.

    Netdiag turns up a bunch of errors as does DCDiag. Netdiag /fix doesn't fix anything. I believe this is because AD is messed up. Since DNS is AD integrated, if AD is missing the info, then there's no way to repopulate DNS.

    The DNS error log has 4004 and 4015 errors. The system log is filled with 5774 Netlogon errors.

    I've searched quite a bit but haven't run across anything that has helped to fix this situation. Does anyone have any ideas on what to do to fix this?


    Jonathan

    Friday, July 26, 2013 9:37 PM

All replies

  • Hi,

    This behavior can occur when the DNS server that is authoritative for the Active Directory domain name is not listed on the DNS tab of the Advanced TCP/IP Settings dialog box.

    For more information, please refer to the following links:

    Domain Controller Generates a Netlogon Error Event ID 5774

    http://support.microsoft.com/kb/284963/en-us

    Windows Server 2008: Troubleshoot Event ID 4015 — DNS Server Active Directory Integration

    http://social.technet.microsoft.com/wiki/contents/articles/1364.windows-server-2008-troubleshoot-event-id-4015-dns-server-active-directory-integration.aspx

    Event ID 4004 — DNS Server Active Directory Integration

    http://technet.microsoft.com/en-us/library/cc735696(v=WS.10).aspx

    Regards,


    Arthur Li

    TechNet Community Support

    Saturday, July 27, 2013 7:16 AM
    Moderator
  • Hello,

    If the already given information doesn't help, please post an unedited ipconfig /all from the server so we can verify some settings.

    Keep in mind that it is always recommended to run at least 2 DC/DDNS/GC per domain for failover and redundancy.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, July 28, 2013 5:31 PM
  • In this case that's not the cause unfortunately, since it would be an easy fix. The server is listed as the first and only DNS server in the NIC's IPv4 settings.


    Jonathan

    Monday, July 29, 2013 1:45 PM
  • Here are the surprisingly short results of the ipconfig /all (yes it is /all) run on the server. Sorry but I did edit the server name and the domain name to protect the customer. While I run 2 DCs on my own network, most small businesses won't do that because of the cost of having 2 servers.

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : SERVER01
       Primary Dns Suffix  . . . . . . . : DomainName.local
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : Yes
       DNS Suffix Search List. . . . . . : DomainName.local

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-10-18-19-8C-EA
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.50.100
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.50.1
       DNS Servers . . . . . . . . . . . : 192.168.50.100

    PPP adapter RAS Server (Dial In) Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
       Physical Address. . . . . . . . . : 00-53-45-00-00-00
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.50.71
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :

    Jonathan

    Monday, July 29, 2013 1:52 PM
  • Have you tried to run these commands in command-line on that DC with DNS role installed?

    ipconfig /flushdns
    dcdiag /fix
    nltest /dsregdns
    net stop netlogon
    net start netlogon
    ipconfig /registerdns

    Do you have any recent System State backup of your Domain Controller? If so, you may follow this article for DNS zone restoration:

    http://blogs.technet.com/b/networking/archive/2007/05/10/oops-our-ad-integrated-dns-zone-s-are-missing-in-windows-2003.aspx


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com


    • Edited by iSiek Monday, July 29, 2013 1:56 PM Update
    Monday, July 29, 2013 1:53 PM
  • I've run all of those (plus a few others), except for nltest /dsregdns, multiple times. As for backup, while the customer is getting good backups, they go back 1 month and it looks like their problem started just prior to that. So I don't think restoring the system state from the oldest backup will help unfortunately.


    Jonathan

    Monday, July 29, 2013 3:13 PM
  • Anyone else have any ideas? I have this article, http://www.resole.nl/dns-_msdcs-folder-does-not-contain-primary-records/, but I'm a little shy about deleting the _MSDCS.<domain>.local folder from the Forward Lookup Zones folder since I'm not positive the info is there in AD to re-create it. But it's the most likely solution I've found so far since I've tried all the below listed commands and they didn't help. Unfortunately the server is not backed up with a product that allows System State backups and restores otherwise I'd do that.

    ipconfig /flushdns
    dcdiag /fix
    nltest /dsregdns
    net stop netlogon
    net start netlogon
    ipconfig /registerdns


    Jonathan

    Wednesday, August 07, 2013 8:22 PM
  • Hello,

    Please disable RRAS and WINS proxy on the DC; this is NOT a recommended configuration and results in multiple problems.

    IP Routing Enabled. . . . . . . . : Yes

    WINS Proxy Enabled. . . . . . . . : Yes

    A DC should NEVER have more than one IP address or NIC used. After disabling, please run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service.

    Then check again with the support tools for errors. If you still have problems please upload the following files for review:

    ipconfig /all >c:\ipconfig.log [all DCs AND one client with problems]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
    ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.

    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (with open access!) https://skydrive.live.com and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, August 08, 2013 7:56 AM
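
Added example, not part of any post in this thread: a Python check that reads a saved ipconfig /all log (such as the c:\ipconfig.log requested above) and flags the settings the replies ask about on a DC: IP routing, WINS proxy, more than one IP address, and whether the first DNS server is the host itself. The function names and the trimmed sample are constructed for illustration; it assumes Windows Server 2003 field names, IPv4 only, and a single DC that hosts its own DNS zone.

```python
import re

# Constructed input: the ipconfig /all output posted in this thread, trimmed to
# the fields checked below (Windows Server 2003 field names, IPv4 only).
SAMPLE = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : SERVER01
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.50.100
   DNS Servers . . . . . . . . . . . : 192.168.50.100

PPP adapter RAS Server (Dial In) Interface:
   IP Address. . . . . . . . . . . . : 192.168.50.71
"""
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s?(.*)$")

def parse_ipconfig(text):
    """Return {section: {field: [values]}}; global settings are under ''."""
    sections, current, last = {"": {}}, "", None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: banner or adapter header
            if line.rstrip().endswith(":"):
                current = line.strip().rstrip(":")
                sections[current] = {}
            last = None
        elif (m := FIELD.match(line)):
            last = sections[current].setdefault(m.group(1), [])
            if m.group(2).strip():
                last.append(m.group(2).strip())
        elif last is not None:               # continuation line: one more value
            last.append(line.strip())
    return sections

def audit_dc(text):
    """List the settings the replies in this thread ask to be checked on a DC."""
    s = parse_ipconfig(text)
    findings = [f"{k}: Yes" for k in ("IP Routing Enabled", "WINS Proxy Enabled")
                if s[""].get(k) == ["Yes"]]
    ips = [ip for f in s.values() for ip in f.get("IP Address", [])]
    if len(ips) > 1:
        findings.append("more than one IP address: " + ", ".join(ips))
    dns = [ip for f in s.values() for ip in f.get("DNS Servers", [])]
    if not dns or dns[0] not in ips:
        findings.append("first DNS server is not one of this host's addresses")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dc(SAMPLE)))
```
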
  • Sorry but those can't be disabled because the owner wants to have VPN capability and doesn't want to spend any money on any other hardware, so the server had RRAS setup. Everything was working fine until the C drive ran out of space while the owner was installing Windows Updates. I don't know just how that did it, but it messed up DNS and I think it messed up AD as well.

    I read one place that suggested uninstalling and then reinstalling DNS without a reboot between them. Once it was reinstalled, then the server would be rebooted. That sounds like it might fix this problem, but I'm hesitant to do it because I don't want to make things any worse than they are now.


    Jonathan

    Thursday, August 08, 2013 2:45 PM
  • Uninstalling and reinstalling DNS did nothing. After thinking about it, I don't understand why the author of the article says it should fix a problem like this. Removing the DNS role just means the server stops servicing DNS requests from clients. It's not actually deleting any data.

    So I'm back at square one. But it did help me to realize that the problem isn't actually with DNS, but with AD. DNS is just a symptom. The missing folders (_sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) under the domain.local forward lookup zone are actually objects stored in AD and DNS simply utilizes them.

    You can't manually create those folders in DNS. You might be able to do it in AD, I don't know. But I certainly don't want to try.

    So AD is actually what is messed up. Unfortunately the backup software this company uses doesn't do System State backups. You back up a whole drive. You can restore the entire drive, even to bare metal, or specific files/folders. But you can't backup or restore just the system state.

    I think he's going to pay for a Microsoft support call to see if there's anything they can do.


    Jonathan


    Friday, August 23, 2013 8:07 PM