DNS restart errors

    Question

  • Windows Server 2008 R2

    When I restart any of my DNS services on any of my integrated secure DNS servers on my DCs, I get this 4010 error:

    The DNS server was unable to create a resource record for  efd33727-15d9-428d-b8f1-acc1b70910bf._msdcs.xyz.local. in zone xyz.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

    I traced this down to a domain controller that is NOT running DNS, because it's running all my domain master roles.

    Should I ignore this or should it be there?

    Tuesday, February 05, 2013 4:50 PM

All replies

  • Follow the troubleshooting advice mentioned here: http://technet.microsoft.com/en-us/library/cc735667(v=ws.10).aspx and remove the record if it exists in the zone. (The domain controller will re-register the record automatically - if you want to push that, you can log on to the domain controller in question that owns the record and run 'nltest /dsregdns'.)

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Proposed as answer by VenkatSP Thursday, February 07, 2013 2:03 AM
    Tuesday, February 05, 2013 5:00 PM
  • Hi,

    Ensure the DNS pointing is correct on all DCs; you may refer to this article: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Additionally, see this similar thread for troubleshooting.
    DNS Event 4010
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/60fa4c9c-1772-4858-a8e1-c8cc719cfc5d/

    You may ping efd33727-15d9-428d-b8f1-acc1b70910bf._msdcs.xyz.local to find out the DC name.


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Proposed as answer by VenkatSP Thursday, February 07, 2013 2:03 AM
    Tuesday, February 05, 2013 5:17 PM
  • Yes, it does register itself, but only as the CNAME, not the static (in reference to _msdcs). I'm wondering, since this DC does not have DNS, if that's normal?
    Tuesday, February 05, 2013 6:15 PM
  • The main question here is this....

    Should the DC w/o DNS installed have a CNAME and Name Server (NS) STATIC entry under DNS zone _msdcs.domain.local?

    Because from all I can see that's the only thing missing. But it's not an NS as it does not have DNS installed.



    • Edited by jamicon Tuesday, February 05, 2013 6:35 PM
    Tuesday, February 05, 2013 6:27 PM
  • CNAME, not a static record if it's not a DNS Server hosting the zone itself - I guess you're mixing up NS records with A-records here. (And of course it should have registered a couple of SRV records.)

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog


    Tuesday, February 05, 2013 6:30 PM
  • No, not mixing up anything, only stating what I see missing. Let me rephrase.

    1.) I'm getting this error: The DNS server was unable to create a resource record for  efd33727-15d9-428d-b8f1-acc1b70910bf._msdcs.xyz.local. in zone xyz.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

    2.) Using AD Sites and Services NTDS Settings I am able to trace efd33727-15d9-428d-b8f1-acc1b70910bf to a valid Domain Controller that holds our Domain Operations Master Roles. It is NOT a Global Catalog, it is NOT a DNS server.

    3.) When I click on _msdcs.xyz.local I see a list of all my NS servers and a list of Alias (CNAME) records with GUID Names. Every DNS Server has one of each EXCEPT the one I'm talking about; it does not have the NS record. Which it shouldn't, right?

    4.) Then under the sub folders of _msdcs.xyz.local I DO see _kerberos and _ldap records.

    So, why am I getting this error?

    Hope that helps.

    Tuesday, February 05, 2013 6:49 PM
  • Yes, that is correct - However, manually delete the CNAME 'efd33727-15d9-428d-b8f1-acc1b70910bf' from DNS - Let the domain controller automatically re-create it. Does the same error message appear again?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Tuesday, February 05, 2013 6:53 PM
  • Tried that, yes.

    Tuesday, February 05, 2013 7:53 PM
  • In addition see this for SRV troubleshooting,

    http://social.technet.microsoft.com/wiki/contents/articles/15223.troubleshooting-srv-record-registration.aspx


    HTH
    Biswajit Biswas

    My Blogs|MCC | TNWiki Ninja

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    Tuesday, February 05, 2013 8:00 PM
  • How frequently is it logged?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Tuesday, February 05, 2013 10:24 PM
  • Have a look at below link too.

    DNS Event 4010
    http://social.technet.microsoft.com/Forums/en-AU/winserverDS/thread/60fa4c9c-1772-4858-a8e1-c8cc719cfc5d


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by VenkatSP Thursday, February 07, 2013 2:05 AM
    Wednesday, February 06, 2013 12:19 AM
  • Only when I restart the DNS service.
    Wednesday, February 06, 2013 6:20 PM
  • There are a number of reasons that a DCGUID record won't register. It can be something as simple as what DNS address is configured in the NIC, to a multihomed DC (problematic anyway on numerous levels), duplicate zones, misconfigured DNS infrastructure design especially in a parent/child or tree infrastructure, permissions altered on the DNS zone, netlogon register alterations, and more.

    Without config or other info, we're kind of guessing.

    If you can post the following, it will help diagnose it:

    • An unedited ipconfig /all from each DC
    • Single domain Forest, or parent and child/tree forest?
    • Number of DCs
    • Number of AD Sites
    • Does the zone allow Secure Only or Unsecured and Secured updates?
    • Other Event log errors on the DCs. Please check for any event log errors. Check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.

    Just to eliminate a dupe zone possibility, check this out (must run on each DC to see what each DC "thinks" it sees what's in the AD database):

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, February 07, 2013 12:08 AM
  • I agree with Chris, Abhijith and Ace. As you said on all DCs, I assume that you have more than 1 DC in the domain. If so, in the DNS server console do you see _msdcs.xyz.local just above xyz.local under Forward Lookup Zones? If your answer is yes, then I would suggest you run this command and check the status. From an elevated CMD run: net stop dns & net stop netlogon & ipconfig /flushdns & net start dns & net start netlogon & ipconfig /registerdns

    Note: Also compare DCGUID of DNS server console and sites and services\NTDS Settings properties and DCGUID, check whether these 2 are same or not.

    • Edited by VenkatSP Thursday, February 07, 2013 2:03 AM
    Thursday, February 07, 2013 1:58 AM
  • Thanks - I am working my way through this ADSI article, I found something just not sure what to do.

    Under ADSI Default naming context (dc.xyz.local) CN=System CN=MicrosoftDNS I have 2 sub folders. First one says DC=xyz.localCNF:1cd9b026-d076-4638-81b6-5250cd42c641 which contains a whole boat load of OACNG files then the other folder is what we expected DC=RootDNSServers which contains what looks like root hints.

    Under DomainDnsZones Partition I see no inProgress or CNF files

    Under ForestDnsZones Partition all I see is DC=..TrustAnchors, I do not see Dc=_msdsc.xyz.local

    I do see DC=_msdsc.xyz.local under DomainDnsZones, nothing inProgress and no CNFs

    Please advise, and thanks for hanging in there with me.


    • Edited by jamicon Thursday, February 07, 2013 6:48 PM
    Thursday, February 07, 2013 6:34 PM
  • The CNF entries are duplicates. Delete them. They're useless and non-productive for AD.

    As my blog indicates, there are a number of ways they could have come about, from an incorrect DNS resolution design or someone trying to create the zone on a new DC not waiting for replication to happen and automatically populate.

    As for the _msdcs zone not being under ForestDnsZones, that could be because the original DC installed in the domain was a Windows 2000 DC, so it's not a delegated zone under the domain.local. zone.

    Can you respond to my other questions regarding the environment, please? That will help understand your environment to further assist.


    In the meantime, if the environment is a parent-child forest, please read the DNS design options to properly support such an environment.

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx


    Ace Fekay

    Friday, February 08, 2013 4:30 AM
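
The ADSI Edit check discussed in the replies above (looking for CNF and InProgress zone objects under the MicrosoftDNS containers, plus the same zone stored in more than one container), as an added read-only PowerShell example that is not part of any post in this thread. The function names, the sample objects, the server name DC01 and the list of zones treated as normal in several containers are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only: it reports and deletes nothing.

function Get-DnsZoneContainer {
    param([string]$DomainDN, [string]$ForestRootDN)
    # The three places an AD-integrated zone can be stored.
    "CN=MicrosoftDNS,CN=System,$DomainDN"
    "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
    "CN=MicrosoftDNS,DC=ForestDnsZones,$ForestRootDN"
}

function Get-DnsZoneObjectFromAD {
    # Live collection (needs the ActiveDirectory module). Query each DC in
    # turn: each one reports its own view of the AD database.
    param([string]$Server = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $root  = Get-ADRootDSE -Server $Server
    $bases = Get-DnsZoneContainer $root.defaultNamingContext $root.rootDomainNamingContext
    foreach ($base in $bases) {
        try {
            Get-ADObject -Server $Server -SearchBase $base -SearchScope OneLevel `
                -Filter 'objectClass -eq "dnsZone"' -ErrorAction Stop
        } catch {
            Write-Warning "Could not read $base on ${Server}: $($_.Exception.Message)"
        }
    }
}

function Find-DnsZoneProblem {
    param([object[]]$ZoneObject)
    # Zones assumed to be normal in several containers (assumption of this example).
    $expectedEverywhere = 'RootDNSServers', '..TrustAnchors'
    $rows = @(foreach ($z in @($ZoneObject | Where-Object { $_ })) {
        $name   = [string]$z.Name
        $status = 'OK'
        if     ($name -match 'CNF:[0-9a-fA-F-]{36}') { $status = 'Conflict (CNF)' }
        elseif ($name -match 'InProgress')           { $status = 'InProgress' }
        # Container = DN minus its first RDN (cut at the first unescaped comma).
        New-Object PSObject -Property @{
            Zone      = $name -replace '\s*CNF:.*$', ''
            Status    = $status
            Container = $z.DistinguishedName -replace '^.+?(?<!\\),', ''
        }
    })
    # An otherwise healthy zone name stored in more than one container is a duplicate.
    $dupeNames = @($rows |
        Where-Object { $_.Status -eq 'OK' -and $expectedEverywhere -notcontains $_.Zone } |
        Group-Object Zone |
        Where-Object { @($_.Group | ForEach-Object { $_.Container } | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object { $_.Name })
    foreach ($r in $rows) {
        if ($r.Status -eq 'OK' -and $dupeNames -contains $r.Zone) { $r.Status = 'Duplicate zone' }
    }
    $rows | Where-Object { $_.Status -ne 'OK' } | Select-Object Status, Zone, Container
}

# Constructed sample objects mirroring the layout described in the thread.
function New-SampleZone([string]$Name, [string]$Rdn, [string]$Container) {
    New-Object PSObject -Property @{ Name = $Name; DistinguishedName = "DC=$Rdn,$Container" }
}
$sys = 'CN=MicrosoftDNS,CN=System,DC=xyz,DC=local'
$dom = 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=xyz,DC=local'
$cnf = 'CNF:1cd9b026-d076-4638-81b6-5250cd42c641'
$sample = @(
    (New-SampleZone "xyz.local`n$cnf" "xyz.local\0A$cnf" $sys),
    (New-SampleZone 'RootDNSServers' 'RootDNSServers' $sys),
    (New-SampleZone 'xyz.local' 'xyz.local' $dom),
    (New-SampleZone '_msdcs.xyz.local' '_msdcs.xyz.local' $dom)
)

Find-DnsZoneProblem -ZoneObject $sample | Format-Table -AutoSize

# Live use (DC01 is a placeholder name):
# Find-DnsZoneProblem -ZoneObject (Get-DnsZoneObjectFromAD -Server 'DC01') | Format-Table -AutoSize
```

Running the live form against each DC and saving the output gives a record of what each DC held before anything is deleted in ADSI Edit.
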
  • I'm happy to do the list, it's just a little daunting as I am typically very busy and constant interruptions :-) and I have 37 Domain Controllers

    • An unedited ipconfig /all from each DC

    I'll work on this and get it to you

    • Single domain Forest, or parent and child/tree forest?

    Single Domain

    • Number of DCs

    37

    • Number of AD Sites

    34

    • Does the zone allow Secure Only or Unsecured and Secured updates?

    Secure Only

    • Other Event log errors on the DCs. Please check for any event log errors. Check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.

    No other errors in DNS, apps clean, occasional NETLOGON error due to some computer authentication, very rare considering 8,000 clients, no AD errors. Operations Manager logs clean. It's a very clean environment. The only other thing I have to report is when I do a DCDIAG /TEST:DNS the only error it returns is  Test omitted by user request: CheckSecurityError

    Active Directory BPA returns are clean

    Thanks again for your help.


    • Edited by jamicon Friday, February 08, 2013 1:06 PM
    Friday, February 08, 2013 1:04 PM
  • Thank you. You don't have to get the ipconfigs from 37 DCs. What we're looking for:

    • None of them are multihomed (more than one NIC or IP)
    • They don't have RRAS installed
    • They don't have an active iSCSI adapter.
    • No unplugged NICs that are not disabled
    • They should point to a partner DC as the first entry, and themselves or loopback as the second entry
    • IP routing shows up as "No"
    • WINS proxy shows up as "No"


    In regards to the 34 sites, is the site topology meshed, meaning they can all intercommunicate with each other, or hub and spoke?

    If hub and spoke, have you:

    • Disabled BASL (Bridge all site links)?
    • Created individual IP links for each site and configured them between the hub and their respective site?

    • How many admins do you have?
    • Have any of them manually created any of the zones?
    • When was the first DC put in place?


    Thank you.



    Ace Fekay

    Friday, February 08, 2013 1:14 PM
  • A few are multihomed but only 1 NIC is active,  efd33727-15d9-428d-b8f1-acc1b70910bf._msdcs.xyz.local is not multi-homed

    No RRAS but they do have NPS

    No active iSCSI

    No unplugged NIC's that are disabled

    Yes, primary points to a remote and secondary points to itself, not using loopback

    Not sure what you mean on the next 2, we do not use WINS

    Sites are hub and spoke and yes BASL is disabled, yes each site has its own link

    I took admins down from 54 to 5, all changes in this area are made by me.

    I did have a problem with a bad delegated zone which showed up in my DIAG /TEST:DNS but I have corrected that and DIAG is cleared

    Hard to say, this company started in 1968 and I have only been here 3 years.

    The only thing different about this server error is that this server (DC) is the only one withOUT DNS.

    Also, when you say I can remove the CNF do you mean the entire hive; the whole thing below?

    DC=xyz.localCNF:1cd9b026-d076-4638-81b6-5250cd42c641



    • Edited by jamicon Monday, February 11, 2013 2:42 PM
    Friday, February 08, 2013 1:37 PM
  • give up on me :-(
    Tuesday, February 12, 2013 5:26 PM
  • Sorry, been busy. Must have let this slip through the cracks. Remember, we're volunteers :-)

    As long as the non-used NICs are disabled, we're ok. But RRAS/NPS is another story. None of the DCs should be multihomed, including NPS, which is the new version of RRAS. If you must keep them multihomed, they need to be configured properly to not register the unwanted adapters and IPs that RRAS/NPS gives a VPN client once they connect, otherwise the DC will try to register that as one of its IPs. Read more to see why:

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

    If it says CNF or InProgress, use your trusty DELETE key. Highlight it, click delete. The CNFs (means conflict) and InProgress (means it's stuck trying to replicate due to being a dupe) are useless and counterproductive. I thought I mentioned that earlier?

    Go through each zone's properties, check the Nameservers tab, make sure no old stuff is in there. Delete them if there are. On the RRAS DCs, try to remove that role and put it on a member server. It's to your benefit.

    Now evaluate replication:

    You can use the following to check your replication topology and status before and after (these two tools, along with event log entries, PortQry GUI, and dcdiags, help me all the time figuring out replication issues).

    1. ReplDIAG:  (run it as repldiag > c:\repldiag.txt, then open it as a CSV in Excel choosing comma separated, to be able to clearly read the formatting)
       Explained here:
         Troubleshooting replication with ReplDiag.exe [part 1 of 4], Rob Bolbotowski [MSFT], Microsoft Corp, 13 Oct 2010 12:04 PM
         http://blogs.technet.com/b/robertbo/archive/2010/10/13/troubleshooting-replication-with-repldiag-exe-part-1-of-4.aspx
            Downloadable from:
            http://activedirectoryutils.codeplex.com/releases/view/13664

    2. Download The Active Directory Replication Status Tool:
       http://www.microsoft.com/en-us/download/details.aspx?id=30005
         Requires .Net Framework 4:
           Microsoft .NET Framework 4 (Web Installer)
           http://www.microsoft.com/en-us/download/details.aspx?id=17851.
     
    3. Run PortQry GUI choosing Domains & Trusts between each other (DCs). Post only errors existing with 0x00000002.
           PortQryUI - GUI - Version 2.0 8/2/2004
           http://www.microsoft.com/download/en/details.aspx?id=24009

    If the issue still continues, then there's something else we're not seeing or picking up on, then it's time to call either Microsoft PSS, or hire a qualified engineer that is very familiar with this stuff to evaluate and nail it down. Who knows, it could be a simple GPO causing the problem.


    Ace Fekay

    Tuesday, February 12, 2013 6:36 PM
  • Thanks for the tools, very nice.

    Everything came back clean as a whistle, I'm very happy about that but the error remains on the DNS restart :-(

    The DNS server was unable to create a resource record for  efd33727-15d9-428d-b8f1-acc1b70910bf._msdcs.xyz.local. in zone xyz.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

    Doesn't seem to be bothering anything I just hate seeing red in my logs.

    Thanks for all your help Ace.

    Wednesday, February 13, 2013 1:47 AM
  • The idea is all DCs to have a single NIC and IP, and to have no services create additional IPs, such as RRAS/VPN.

    Ace Fekay

    Wednesday, February 13, 2013 4:42 PM
  • Well the last 700+ servers I bought from Dell all came with multiple NIC's, we only use one and disable the rest. NPS uses that single active NIC for internal private wireless authentication, not remote access.
    I'm beginning to think that it may be normal on DNS restart only because an NS record was attempted but failed as it "should" since that Domain Controller is NOT a DNS server? All other records are written and all diag tests are successful.

    Wednesday, February 13, 2013 4:49 PM