MMC freezes when trying to delete glue record in DNS
-
Monday, June 21, 2010 1:10 AM
Ever since my switch to 2008 R2 when it was first released, I have been unable to delete glue records. MMC asks if I really want to delete the glue record ("Do you want to delete the glue records ______?"), but freezes before I can click Yes or No. Alt + Y/Alt + N doesn't get past it; the only way to continue is to end the process with the task manager/procexplorer, then open a new instance of MMC. The glue record remains, undeleted, seemingly impossible to remove.
All Replies
-
Monday, June 21, 2010 4:12 AM
Ever since my switch to 2008 R2 when it was first released, I have been unable to delete glue records. MMC asks if I really want to delete the glue record ("Do you want to delete the glue records ______?"), but freezes before I can click Yes or No. Alt + Y/Alt + N doesn't get past it; the only way to continue is to end the process with the task manager/procexplorer, then open a new instance of MMC. The glue record remains, undeleted, seemingly impossible to remove.
Hello Zenexer,Are you opening the console with a Right-Click, Run as Administrator?
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Thursday, June 24, 2010 9:49 AMModerator
Hi,
Thank you for your post here.
How it works if you delete the glue records via DNSCMD in command line? For detailed information about how to delete records in command line, please refer to:
Delete a resource record from a zone
http://technet.microsoft.com/en-us/library/cc759561(WS.10).aspx
-
Thursday, June 24, 2010 10:27 PM
Yes, I always run the console as an administrator.
Deleting records via DNSCMD works fine.
I probably should have mentioned that this error does not occur when I'm deleting actual glue records. Rather, it occurs when I'm deleting an NS record that isn't a hostname, but an IP address. It is, of course, illegal to have an IP as an NS record in the first place, but adding it apparently works just fine.
-
Monday, July 05, 2010 6:58 PM
You are trying to delete the NS records from the DNS console records entries under the zone? The nameservers records can only be deleted from the zone properties, Nameservers tab. Unless I'm misunderstanding how you are doing it?
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Friday, September 17, 2010 10:17 AM
Are you using the console on your client or on the server itself?
I had the same problem running the DNS console from the admin tools on my client system, but didn't have the problem when using the mmc on the DNS server itself.
-
Wednesday, September 22, 2010 8:59 AM
I am having the same issue.
this is my scenario.
Single Forest, 1 root domain, 26 child domains. All root DCs are now 2008 R2. Child domains still 2003 with some exceptions of two domains already migrated to 2008 R2
Whenever I need to delete a NS server from one delegation of a child domain (because of dismission of 2003), I have the same freeze after the question of deleting the glue record. (the record is correctly deleted !!! but mmc freezes)
This happens on ALL of my 6 DCs with 2008 R2... it seems to be a bug. I can actually reproduce the problem.
Waiting for SP1 :-)
-
Thursday, September 23, 2010 1:42 AM
Assuming you created the delegation using the 2003 DNS MMC, if you do it from the 2003 DNS MMC, does the same thing occur?I am having the same issue.
this is my scenario.
Single Forest, 1 root domain, 26 child domains. All root DCs are now 2008 R2. Child domains still 2003 with some exceptions of two domains already migrated to 2008 R2
Whenever I need to delete a NS server from one delegation of a child domain (because of dismission of 2003), I have the same freeze after the question of deleting the glue record. (the record is correctly deleted !!! but mmc freezes)
This happens on ALL of my 6 DCs with 2008 R2... it seems to be a bug. I can actually reproduce the problem.
Waiting for SP1 :-)
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services.This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Thursday, September 23, 2010 7:31 AM
Assuming you created the delegation using the 2003 DNS MMC, if you do it from the 2003 DNS MMC, does the same thing occur?
Good point Ace. The records were created with 2003 some years agoI have tried that after reading your message. No, it does not occour! If I delete the Glue NS Record from 2003 MMC (I have tried from a child with Enterprise Admin credentials, because I have no more 2003 servers in the root domain) the record is immediately deleted and the MMC does not freeze.
It only freezes when the record is deleted from 2008R2 mmc (sorry I dont have 2008 "R1" to test)
A good try could be creating a new NS Glue from 2008 R2 and try to delete it after is replicated among DCs... As soon as I get connected to that network I'll try it out :-)
-
Tuesday, October 05, 2010 6:47 PMThe MMC will lock up on you while attempting to remove or modify the glue record if you are attempting to make the change remotely through the DNS MMC. If you connect to the server running DNS you can successfully update or remove the glue record without the MMC locking up on the confirmation prompt.
-
Wednesday, October 06, 2010 4:44 AM
Momaweb,
How did you ever make out with this issue? Did Longstone's suggestion work?
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services.This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Saturday, October 09, 2010 7:58 AM
The MMC will lock up on you while attempting to remove or modify the glue record if you are attempting to make the change remotely through the DNS MMC. If you connect to the server running DNS you can successfully update or remove the glue record without the MMC locking up on the confirmation prompt.
Just let me try out and I'll be back to youActually, I'm not sure that I was trying to do it remotely because I use VisionAPP RDP to always connect locally before modifying any configuration. By the way I'll try it out next week!.
I'll keep you posted
-
Monday, October 11, 2010 5:46 PM
The MMC will lock up on you while attempting to remove or modify the glue record if you are attempting to make the change remotely through the DNS MMC. If you connect to the server running DNS you can successfully update or remove the glue record without the MMC locking up on the confirmation prompt.
Just let me try out and I'll be back to youActually, I'm not sure that I was trying to do it remotely because I use VisionAPP RDP to always connect locally before modifying any configuration. By the way I'll try it out next week!.
I'll keep you posted
VisionApp is a remote tool. VisionApp is the purchaseable version of the free mRemote tool, with additional features. I use mRemote. These tools are all RDP based remote tools.Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory ServicesThis posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Wednesday, October 27, 2010 11:06 PM
I skirted this problem directly editing the zone files, it´s stored in c:\windows\system32\dns.
However I did not find the root cause of the problem.
-
Tuesday, November 23, 2010 12:48 PM
I'm also having this problem. Of course I can do this manually, but then I might as well move all my DNS to Linux servers. This is a nasty problem and Id like to see some response that MS at least acknowledges'this.
Jan
Jan Z -
Wednesday, November 24, 2010 3:17 PM
I'm also having this problem. Of course I can do this manually, but then I might as well move all my DNS to Linux servers. This is a nasty problem and Id like to see some response that MS at least acknowledges'this.
Jan
Are you directly logging on to the DC to administer DNS, or are you doing it from an RDP session, or using an MMC on your workstation using the RunAs feature to run the MMC?
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory ServicesThis posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Wednesday, November 24, 2010 3:18 PM
I skirted this problem directly editing the zone files, it´s stored in c:\windows\system32\dns.
However I did not find the root cause of the problem.
This solution will not work with AD Integrated zones. How are you administering DNS? RDP, MMC or directly logging on to the DC/DNS server?Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory ServicesThis posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Thursday, January 27, 2011 3:11 PM Agreed. This one is frustrating me already for a VERY LONG TIME. TIme someone at MS fixes this. Can't be too difficult.
Jan Z- Proposed As Answer by CAT-21 Friday, February 25, 2011 2:01 PM
-
Saturday, February 26, 2011 12:24 AM
Jan,
Sorry for the late response. I'm not sure what you mean about the frustrations. The dns.exe file is different on Windows 2003 and 2008/2008 R2. The latter has increased RPC security built-in besides new and different features the older one does not support, which make it difficult to cross-administer DNS when the two co-exist in an infrastructure. Assuming you're moving forward, the idea is to stick with the latest version, and if there's something that needs to be administered that the new version can't, such as what's been going on here, you can use the older version, but just as previous Windows 2000 to 2003, you have to be careful with administering the properties of the zones due to feature differences.
Here are my notes on it gathered and compiled from a number of sources:
=======
To run the DNS console on an XP/2003 server to view a 2008 DNS server:Quoted from KB2027440:
Windows Server 2008 R2 DNS Servers require that DNS management tools perform RPC integrity and to avoid sniffing and “man-in-the-middle” attacks while performing DNS administrative tasks. Windows Server 2008 and Windows Server 2008 R2 DNSMGT.MSC and DNSCMD.EXE support RPC Integrity and request RPC Privacy to interoperate with W2K8 R2 DNS Servers.
1. RPC Integrity required by Windows Server 2008 R2 DNS Servers are not supported by the versions of DNSMGMT.MSC or DNSCMD.EXE that run on Windows 2000, Windows XP and Windows Server 2003 computers.
2. RPC over Named Pipes communication favored by pre-W2K8 DNS admin tools when referencing remote DNS Servers by their single label host names is disabled on Windows Server 2008 R2 DNS ServersFor the most secure and seamless experience, W2K8 R2 DNS Servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE listed in the table located in the "More Information" section of this article. If compatible client operating systems are not immediately available, consider the following workarounds:
· Administer Windows 2008 R2 DNS Servers directly from the console
OR
· Administer Windows 2008 R2 DNS Servers via Remote Desktop / Terminal Services.
OR
· Temporarily disable RPC Integrity by executing the following command within an admin-privileged CMD prompt from the console of each Windows Server 2008 R2 DNS Server that you want to manage from a down-level operating system.dnscmd /config /RpcAuthLevel 0
Warning: Microsoft recommends that you (1.) administer Windows Server 2008 R2 DNS Servers exclusively from computers that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE and (2.) not enable RPC over named pipes.
Summary: DNS security enhancements do not prevent Windows Server 2008, or Server 2008 R2 versions of DNSMGMT.MSC and DNSCMD.EXE from administering remote Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 computers and Windows 2000 DNS Servers.
RPC over Named Pipes was disabled on Windows Server 2008 R2 DNS Servers because it is inherently less secure.
Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later
http://support.microsoft.com/kb/2027440
======
In order to use DNSMGMT.MSC to manage DNS on a Windows 2008 R2 server from WinXP/2003, you have to run the following commands on the Windows 2008 R2 DNS server and restart the DNS Server service.dnscmd.exe /Config /RpcRrotocol 7
dnscmd.exe /Config /RpcAuthLevel 0RpcProtocol needs to be set to 7 in order to run DNSMGMT from Windows XP/2003/2008 remotely AND to run on Windows 2008 R2 locally.
To view your current settings, run the following commands.
dnscmd.exe /Info /RpcAuthLevel
dnscmd.exe /Info /RpcProtocol
Disclaimer: Setting RpcAuthLevel to 0 is not recommended due to security concerns with DNS man in the middle attacks. However, this security concern natively exists in Windows 2000 and 2003 servers with no remedy. Use at your own risk!However, the drawbacks are unsubstantial with this solution.
1.Setting RpcAuthLevel to 0 makes RPC authentication (only for DNS) compatible with prior operating systems. While this is not recommended due to security risks, MS has left us with no choice. Perhaps MS should have released an update for RPC on 2003 and XP as the risk still exists for those OSs, then we wouldn't have to lower the RPC authentication for DNS on 2008.
2. Comparing both the 2003 and 2008 DNS consoles, the only apparent feature differences are Trust Anchors Tab, and how you access/modify conditional forwarders. Prior to R2, one could use Windows 2003 DNS to manage a 2008 DNS server to a point. The RpcAuthLevel simply change the authentication due to increased security.More on the RPCProtocol switches:
dnscmd /rpcprotocol [0x0|0x1|0x2|0x4|0xFFFFFFFF]
Specifies the protocol that remote procedure call (RPC) uses when it makes a connection from the DNS server.0x0 Disables RPC for DNS.
0x1 Uses TCP/IP.
0x2 Uses named pipes.
0x4 Uses local procedure call (LPC).
0xFFFFFFFF All protocols. This is the default setting.To fine out what level 7 means:
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/3093425f-464d-491d-aaff-fa1f7e639e8d/
==================================================================
AceAce Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory ServicesThis posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Tuesday, May 17, 2011 9:00 AM
i am experiencing the same issue on a 2008R2 machine while logged onto the console (or using the MMC remotely, doesnt make a difference).
Only comment to add is that the zones have previously been imported from a 2003 server. When deleting glue records the confirmation screen hangs.
It should be about time that MS brings out a hotfix for this!
MCITP:SA:EA:EMA2010:VA2008R2 -
Tuesday, June 14, 2011 9:31 AMWe do have the same problem. We migrated from 2003 DNS Servers to 2008R2. When we want to remove the old 2003 Server it asks to remove the GlueRoccords and then the MMC freezes. MS, please provide a HotFix for this.
-
Tuesday, August 09, 2011 6:39 AMI have the same problem. I'm not migrated from w2k3 - just create zone in w2k8r2.
-
Thursday, August 18, 2011 4:29 PM
Just wanted to note that i just completed a migration from sbs 2003 to sbs 2011 and received them same error....
i closed the dns console right clicked "run as Administrator" on sbs2011 (s2008 R2) and was able to remove the sbs 2003 server from the name server tab...no glue msg appeared...
this was my third migration and this is the first time that i have seen this
That's no moon, It's a space station... -
Tuesday, September 13, 2011 4:44 PMI am also having this issue. Any troubleshooting information or resolution from Microsoft yet? I haven't had any luck with searching the www yet.
-
Tuesday, October 04, 2011 1:56 PM
Im facing the same problem but trying to delete NS records and modifying SOA records
The MMC hangs after the "are you sure" dialogo box. I have to end task.
Using DNSCMD.EXE it reports the record was deleted but the record still there.
I´m using the console in the machine itself, win2008R2SP1, Standard, English
Description:
A problem caused this program to stop interacting with Windows.
Problem signature:
Problem Event Name: AppHangB1
Application Name: mmc.exe
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc808
Hang Signature: 7ecc
Hang Type: 6144
OS Version: 6.1.7601.2.1.0.272.7
Locale ID: 1033
Additional Hang Signature 1: 7ecc6ed84a6c57c8205e33013c1d2bc0
Additional Hang Signature 2: 4d5e
Additional Hang Signature 3: 4d5e6f856ae20036636607b6e40a6bc5
Additional Hang Signature 4: 7ecc
Additional Hang Signature 5: 7ecc6ed84a6c57c8205e33013c1d2bc0
Additional Hang Signature 6: 4d5e
Additional Hang Signature 7: 4d5e6f856ae20036636607b6e40a6bc5
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt -
Monday, October 10, 2011 11:02 AM
Today I still have this problem with many DCs of my forest (26 domains, 70 DCs, all migrated to Windows Server 2008 R2 SP1 with all fixes post-sp1.)
The strangest things I noticed during these months of errors are:
1. The same server, in the same zone, sometimes presents the HANGS on message, and sometimes deletes the record correctly without even asking to remove the glue record. Selecting a remote server via RPC or logging via RDP to the local DNS server and performing the change locally, does not affect the problem: I still get it, in both ways.
2. it seems that I have the problem only when I remove a NS record from the root zone _msdcs.domain.com (in my infrastructure, the forest root DCs host primary zone for _msdcs.domain.com in Domain Partition. All child domain controllers host standard secondary zone for _msdcs.domain.com.)
3. when dismissing a 2003 DC, I logon to a root domain controller, I expand domain.com zone, then I select the child zone delegation (xx.domain.com) then I remove the 2003 NS server. In this zone I never got the error!
4. when using DNSCMD to delete NS from _msdcs.domain.com, no errors appear and the record is deleted successfully.
I think I can safely talk about "BUG" :-)
Let us know when you get any news
-
Monday, October 10, 2011 2:55 PM
For you folks experiencing this problem and require a faster resolution, if you haven't already done so, I would highly suggest to contact Microsoft Support. Here's the link to get you started:
http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;select&target=assistanceAce Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.phpThis posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Tuesday, October 11, 2011 7:06 PM
I have same problem. Windows 2008R2 Standalone server. Seems like this problem not correlate with Domain Services. And I don't remember how I had created my zones (from 2003 registry or from files).
Problem appears when I close Name Servers tab after deleting of old name server.
I wonder that such simple console as DNS have such serious bugs and errors (this one is not one that I have seen in today session).
PS. And seems like Ace Fekay is master of trolling with his silly advices :(.
-
Tuesday, October 11, 2011 10:08 PM
I have same problem. Windows 2008R2 Standalone server. Seems like this problem not correlate with Domain Services. And I don't remember how I had created my zones (from 2003 registry or from files).
Problem appears when I close Name Servers tab after deleting of old name server.
I wonder that such simple console as DNS have such serious bugs and errors (this one is not one that I have seen in today session).
PS. And seems like Ace Fekay is master of trolling with his silly advices :(.
Surprised to hear that, as well as surprised you reported my post offering a suggestion to call Microsoft Supprt as an abusive post? However, I do appreciate and respect your opinion.Since there hasn't been any resolution offered by anyone in this thread or elsewhere, I would highly suggest to call Microsoft Support to assist you with this problem, as suggested earlier.
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.phpThis posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Tuesday, October 18, 2011 7:59 AM
this is a stupid bug that needs to be fixed. i can repeat it on my systems as well.
-
Friday, October 21, 2011 5:19 PMExact same issue here....
-
Thursday, November 10, 2011 5:12 AM
try the following hotfix:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2581690
Looking for hot issues and resolutions? We reduce your efforts. http://blogs.technet.com/b/asiasupp/- Proposed As Answer by danma_ Thursday, November 10, 2011 5:12 AM
-
Thursday, November 10, 2011 7:38 PMTo bad there doesn't seem to be one for Win7 yet. The same thing happens there when trying to manage the DNS across the network.
-
Friday, December 09, 2011 2:33 AMExactly same issue here. A delegated zone listed an invalid IP address in one of its glue records (retired DC in child domain). I checked all DNS servers for child domain and didn't find that IP. When I tried to remove it from parent domain, it freezes.
http://strongline.blogspot.com -
Thursday, December 15, 2011 8:26 AM
try the following hotfix:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2581690
I had exactly the same problem described in this thread.
I applied the above hot-fix (although the hot-fix description didn't really fit my symptoms exactly) and it cured the problem for me.
I am now able to delete NS glue records for delegated zones migrated from Win2K3 DNS servers from a Win2k8r2 DNS MMC snap-in, whilst running it on the DNS server via RDP :-)
Thanks, danma_
- Proposed As Answer by strongline Wednesday, January 25, 2012 9:06 PM
- Unproposed As Answer by strongline Wednesday, January 25, 2012 9:06 PM
-
Thursday, December 29, 2011 4:06 PM
For the completeness of this post -
Contacted MS support, it was resolved by going into ADSIedit, located the delegated zone in parent domain, open the name server record, and removed the wrong IP from there.
I originally thought that "Name Server" records store names only , then the system gets IP through A records, but I was wrong.
http://strongline.blogspot.com- Proposed As Answer by strongline Wednesday, January 25, 2012 9:06 PM
.png){kind=spacer}
