Get-DnsServerResourceRecord shows more than MMC

  • Question

  • I was checking something on our DNS, to eventually clean things up a bit, and I used PowerShell to show me where IP addresses in a subnet were used in the zones we have.

    I noticed that in our root domain it shows some extra records that should not exist anymore, plus they do not show in the DNS management console using MMC.

    Oddly enough, the records all have .sub-domain behind their name.
    But in the sub-domain those records do not exist either.

    What could cause this?

    Tuesday, November 14, 2017 5:02 PM

All replies

  • Hi,

    >>Oddly enough, the records all have .sub-domain behind their name.

    Could you please upload the screenshots to identify the problem?

    Please check the event logs to see if there is something related for us to troubleshoot.

    In addition, if you use Active Directory–integrated DNS, please use ADSI Edit to resolve conflicting or duplicate AD Integrated DNS zones.

    When using ADSI Edit, the duplicate zones show up in the partitions with names that are prefixed with an “In Progress….” or “CNF…” and suffixed with a long GUID number. You will be checking EACH DC. When you find them, you will simply delete them, because they are useless and cause substantial problems.

    For your reference:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones

    https://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 15, 2017 6:33 AM
  • Hello Candy,

    I've had to blank out a lot in the screenshot. Local government.
    The left-middle is showing "hostname.sub-domain", while the last two entries show the two root.lan Domain Controllers.

    The below screenshot is showing the MMC using the DNS snap-in, and clearly misses the hostname.sub-domain entries.

    We use AD integrated DNS, but we don't seem to have duplicate DNS zones that I can see.

    Wednesday, November 15, 2017 9:43 AM
  • Hi,

    Thanks for your update.

    Please refer to the following steps:

    1. On the current DNS server, run: dnscmd /clearcache
    2. Open a cmd or PowerShell console with elevated privileges, run: dnscmd /zoneexport root.lan   root.lan.dns

    Open the root.lan.dns file, then compare it to the prior PowerShell query results to see if there are any more A records.

    3. See figure below:

    Best Regards,

    Candy



    Thursday, November 16, 2017 6:44 AM
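
    The comparison asked for in step 2 above, as an added example that is not part of the original thread: it parses the A records from a dnscmd /zoneexport file and lists every name/address pair that only the export or only Get-DnsServerResourceRecord contains. The function names, the sample export and the sample record list are constructed for illustration; the commented lines show where live data would come from.

```powershell
# Added example (not from the thread). Sample data below is constructed.
# Parse A records out of a "dnscmd /zoneexport" file.
function Get-ZoneExportARecord {
    param([string[]]$Line)
    $owner = '@'
    foreach ($l in $Line) {
        if ($l -match '^\s*(;|$)') { continue }             # skip comments and blank lines
        if ($l -match '^(\S+)')    { $owner = $Matches[1] } # indented lines reuse the previous owner
        # An [AGE:n] stamp, a TTL and the class may sit between owner and type.
        if ($l -match '\s(?:\[AGE:\d+\]\s+)?(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            [pscustomobject]@{ HostName = $owner; IPv4 = $Matches[1] }
        }
    }
}

# Report every name/address pair that only one of the two views contains.
function Compare-ZoneView {
    param([object[]]$ExportRecord, [object[]]$CmdletRecord)
    Compare-Object $ExportRecord $CmdletRecord -Property HostName, IPv4 |
        Select-Object HostName, IPv4, @{ Name = 'OnlyIn'; Expression = {
            if ($_.SideIndicator -eq '=>') { 'Get-DnsServerResourceRecord' } else { 'zone export' } } }
}

# Live input on a DNS server (dnscmd writes the export to %SystemRoot%\System32\dns):
#   $export = Get-Content "$env:SystemRoot\System32\dns\root.lan.dns"
#   $cmdlet = Get-DnsServerResourceRecord -ZoneName 'root.lan' -RRType A | ForEach-Object {
#       [pscustomobject]@{ HostName = $_.HostName; IPv4 = $_.RecordData.IPv4Address.ToString() } }

$export = @'
;  constructed sample export
@                       NS      dc1.root.lan.
dc1                     A       192.0.2.10
dc2                     [AGE:3700000]   1200    A       192.0.2.11
                        A       192.0.2.12
'@ -split "`r?`n"

$cmdlet = @(
    [pscustomobject]@{ HostName = 'dc1';               IPv4 = '192.0.2.10' }
    [pscustomobject]@{ HostName = 'dc2';               IPv4 = '192.0.2.11' }
    [pscustomobject]@{ HostName = 'dc2';               IPv4 = '192.0.2.12' }
    [pscustomobject]@{ HostName = 'oldpdc.sub-domain'; IPv4 = '192.0.2.50' }
)

Compare-ZoneView -ExportRecord (Get-ZoneExportARecord $export) -CmdletRecord $cmdlet
```

    Running the same comparison against each domain controller (via -ComputerName on Get-DnsServerResourceRecord) shows whether a leftover record is present on every replica or only on some.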
  • I will run that code when I get to work.

    The red arrow points to the sub-domain's zone. (not sure if you call that child or sub in this case)
    The screenshot, and PowerShell screenshot, are both made on the Child Domain Controller I work on.
    root.lan therefore shows up in the Child Domain Controller's DNS zone list.

    Maybe to clarify a bit more, the Name Servers in the above screenshot show the four Child Domain Controllers, and the two Root Domain Controllers.

    Thursday, November 16, 2017 6:55 AM
  • Hi,

    Please check: which DNS servers did these dirty DNS A records belong to before?

    Other DNS servers? If yes, please confirm if these records still persist. As these DNS servers are AD based, their database will be replicated to other partner DNS servers via AD application partition.

    After clearing the DNS caches on the current DNS server, please restart the DNS service or your system, then check again if this issue still exists.

    Besides, can we nslookup these dirty records from our DNS clients?

    Best Regards,

    Candy



    Thursday, November 16, 2017 8:25 AM
  • I did the "dnscmd /zoneexport root.lan   root.lan.dns" and it shows things how I expect them. Without the rogue records. Checked both Child and Root Domain Controllers.

    Checking the other three Child Domain Controllers shows the rogue records as well.
    Checking the two Root Domain Controllers shows the rogue records too.

    Ran the dnscmd zoneexport after restarting the DNS services on both Child and Root Domain Controller (not all, just one per domain) and it still shows no rogue record.

    PowerShell does still show the records.

    nslookup can't resolve any of those four records.

    I showed this to a colleague yesterday, and based on the names I thought those servers were from the NT4 era. They went to AD in 2005...

    What I could try is to use PowerShell to remove the records. If that is even possible, which I won't know till I try.
    In a different zone I had two records that I deleted using the MMC yesterday that kept coming back with a refresh... Using Remove-DnsServerResourceRecord I was able to permanently remove them.

    Thanks for your help so far, btw.

    Thursday, November 16, 2017 9:55 AM
  • Hi Tom,

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy





    Friday, November 17, 2017 8:00 AM
  • No problem. I will leave the records alone for now.
    They don't seem to do any harm.

    If you would like to have a look yourself, I think we can arrange something.

    Friday, November 17, 2017 9:35 AM
  • Hi Tom,

    >>In a different zone I had two records that I deleted using the MMC yesterday that kept coming back with a refresh... 

    Please check if some systems automatically update these records after you delete them via MMC.

    Can I get these records' corresponding systems? A-FQDN-Hostname. For example: 1.1.1.1 – test.contoso.com – test (machine name)

    >>I did the "dnscmd /zoneexport root.lan   root.lan.dns" and it shows things how I expect them

    Besides, as stated, we could use dnscmd to successfully get these records, except when using PowerShell. Can we upgrade PowerShell to the latest version, then try again?

    For instance, upgrade PS to 5.1: https://www.microsoft.com/en-us/download/details.aspx?id=54616

    In addition, as this issue is more related to PowerShell, I would also suggest posting it on PS user voice to get more feedback: https://windowsserver.uservoice.com/forums/301869-powershell

    Best Regards,

    Candy



    • Marked as answer by Tom Weustink Wednesday, November 22, 2017 7:47 AM
    Monday, November 20, 2017 6:39 AM
  • Hi Tom,

    Just to check if the above reply could be of help, if yes, you may mark useful reply as answer, if you have other concerns, welcome to feedback.

    Best Regards,

    Candy



    Tuesday, November 21, 2017 8:28 AM
  • Hi Candy,

    I am off on Mondays, so will check your post now.
    Will get back with a reply shortly.

    Tuesday, November 21, 2017 10:10 AM
  • I updated WMF to 5.1.

    There is nothing that updates these records anymore. They are ancient.

    Tricky thing here is that in the past they bought a complete public /16 subnet, and use that internally.
    And since it's local government I'm not reluctant putting those addresses on a public forum. Sorry.

    PS 5.1 still shows the records. Since they reside in the root.lan zone, I am assuming they are old PDC and BDC server records from the NT4 period here.
    At least, a colleague here thinks they are.

    I will post on the uservoice forum as well. Never been there before.

    Tuesday, November 21, 2017 12:07 PM
  • Hi Tom,

    >>Since they reside in the root.lan zone, I am assuming they are old PDC and BDC server records from the NT4 period here.

    >>nslookup can't resolve any of those four records

    I totally agree, since only PowerShell still shows these rogue records while dnscmd and MMC don’t.

    I suppose this issue probably was caused by PowerShell. So, the PowerShell user voice forum would be a better place for this issue.

    Thanks again for your time and efforts.

    In addition, if the above reply could be of help, you might mark the useful reply as answer.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy



    Wednesday, November 22, 2017 2:30 AM
  • Hi Candy,

    I completely forgot to check the dnscmd output. Bit chaotic here atm.

    Doing a /zoneprint does show the four rogue records. So, only the MMC snap-in is not showing them.

    My post over at uservoice hasn't resulted in a reply yet.

    Since it's not a big deal, I will try to remove the records using PS later today.
    Just got in, and already busy again.

    I will mark your previous comment as an answer.

    Thanks for the help in finding out the issue.

    Wednesday, November 22, 2017 7:46 AM
  • Hi Tom,

    If you need more assistance from us, welcome to post here.

    Thanks again for your time and efforts. 

    Best Regards,

    Candy



    Wednesday, November 22, 2017 7:56 AM