How to fix missing CNAME record: <guid>._msdcs.mydomain

  • Question

  • After setting up our domain, replication appears to be working but some of the tests, eg "dcdiag /test:dns" report an error that a DNS record related to our second domain controller failed to look up properly:

    Alternate server name
     xxx.xxxx.xxxx
    Failing DNS host name:
     <guid>._msdcs.<mydomain.net>

    When I look in DNS on our domain controllers I find one CNAME record <guid>._msdcs.<mydomain.net> for our first DC, but not the second.

    After retracing steps I believe that this was caused by an error when running dcpromo on the second DC: we had failed to configure DNS and/or join the second server to the domain before running dcpromo. Dcpromo printed an error that it could not contact our domain and failed. After we configured DNS on the server and successfully promoted it as a DC it appears that some partially completed DNS records were left in DNS.

    My question is: what is the appropriate way to fix this? In my test environment I tried various fixes returned through google: restarting netlogon service, demoting/re-promoting the second DC, but the second CNAME record was never regenerated.

    I finally, reluctantly, manually created the CNAME record, as I could see what the GUID was probably supposed to be by running dcdiag/repadmin, and that appeared to make dcdiag happy, but my concern is that perhaps the manual fix left out other configuration that was necessary somewhere.

    We're running WS 2008 R2 in WS 2008 R2 functional mode.

    thanks!

    Sunday, February 27, 2011 9:41 PM

Answers

  • You can restart the netlogon service & it should refresh all the records in dns & create the missing records like cname, srv etc.

    You can recreate the missing CNAME manually; the GUID of the DC can be taken from AD Sites & Services: click the site, Servers, server name, right-click NTDS Settings, and you will see the GUID name to create it with.

    If you have two _msdcs folders listed in DNS, delete the greyed one; even if you delete both, restarting the Netlogon & DNS Server services will recreate the _msdcs folder, followed by dcdiag /fix & netdiag /fix.

    You can also use ipconfig /flushdns & ipconfig /registerdns

    Post the result of dcdiag /test:dns

    Below is the long thread & you can refer.

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/8c192f67-b9d9-4bae-80a4-b3e9eabd3612

     

    Regards

    Awinish Vishwakarma| MY Blog

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Bruce-Liu Monday, March 7, 2011 2:55 AM
    • Edited by Awinish Tuesday, March 8, 2011 1:45 PM
    Wednesday, March 2, 2011 2:08 PM
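The two points in this answer, reading the DC's GUID from its NTDS Settings object and checking that `<guid>._msdcs.<forest root>` is a CNAME pointing at that DC, can be verified for every DC at once. The script below is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory, DnsClient and DnsServer RSAT modules (Windows Server 2012 or later, so newer tooling than the poster's 2008 R2), and its -DnsServer and -Fix parameters are the script's own. It only creates a record when run with -Fix, and it reports rather than changes a CNAME that exists but points at a different host, since that is a stale record to investigate, not overwrite.

```powershell
<#
  Added example (not from the thread). Verifies that every domain controller in the
  forest has its DSA-GUID CNAME in _msdcs and optionally creates the missing ones the
  way the answer describes (GUID taken from the DC's NTDS Settings object).
  Assumptions: ActiveDirectory, DnsClient and DnsServer RSAT modules (Windows Server
  2012 / Windows 8 or later); read access to AD and, with -Fix, write access to the
  DNS server. -DnsServer and -Fix are parameters of this script, not of dcdiag.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DNS server to query and, with -Fix, update; defaults to the local machine.
    [string]$DnsServer = $env:COMPUTERNAME,
    # Create records that are missing instead of only reporting them.
    [switch]$Fix
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module DnsClient -ErrorAction Stop
if ($Fix) { Import-Module DnsServer -ErrorAction Stop }

# Every DC in the forest, including DCs of child domains, registers its
# <DSA GUID>._msdcs CNAME in the forest root's _msdcs zone.
$forestRoot = (Get-ADForest).RootDomain
$msdcsZone  = "_msdcs.$forestRoot"

# Since Windows Server 2003, _msdcs is normally its own (delegated) zone. On zones
# upgraded from Windows 2000 it may still be a subdomain folder inside the domain
# zone; in that case the record has to be created in the parent zone under _msdcs.
$zoneName   = $msdcsZone
$nameSuffix = ''
if ($Fix -and -not (Get-DnsServerZone -Name $msdcsZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    $zoneName   = $forestRoot
    $nameSuffix = '._msdcs'
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        # The GUID in the CNAME is the objectGUID of the NTDS Settings object, i.e. the
        # value shown on that object in AD Sites and Services.
        $guid   = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.Guid
        $record = "$guid.$msdcsZone"

        # Ask the DNS server directly (no hosts file / LLMNR) for the CNAME.
        $answer = Resolve-DnsName -Name $record -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $target = if ($answer) { $answer.NameHost.TrimEnd('.') } else { $null }

        $status = if (-not $target)                  { 'MISSING' }
                  elseif ($target -ieq $dc.HostName) { 'OK' }
                  else                               { 'WRONG-TARGET' }   # stale record: investigate, do not overwrite

        if ($Fix -and $status -eq 'MISSING' -and
            $PSCmdlet.ShouldProcess($record, "Create CNAME -> $($dc.HostName)")) {
            Add-DnsServerResourceRecordCName -ZoneName $zoneName -Name "$guid$nameSuffix" `
                -HostNameAlias $dc.HostName -ComputerName $DnsServer
            $status = 'CREATED'
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Record           = $record
            Target           = $target
            Status           = $status
        }
    }
}

$report | Format-Table -AutoSize
# Non-zero exit when anything is still wrong, so the check can run from a scheduled task.
if ($report | Where-Object { $_.Status -in 'MISSING', 'WRONG-TARGET' }) { exit 1 }
```

Run it from a DC without switches to get the report; with `-Fix -WhatIf` it lists the records it would create, and `-Fix` creates them. A `dcdiag /test:dns` run afterwards confirms the result from the tool the thread uses.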

All replies

  • Post result of dcdiag /test:DNS

    Make sure the DCs are pointing to the local DNS in their NIC settings, not any other IP like a public or APIPA IP.

    Run Dcdiag /fix

    Take a look at below DNS best practices.

    http://blogs.technet.com/b/askds/archive/2010/08/02/new-dns-and-ad-ds-bpa-s-released-or-the-most-accurate-list-of-dns-recommendations-you-will-ever-find-from-microsoft.aspx

     

    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, February 28, 2011 4:41 AM
  • Hello,

    please use the support tools and provide the following output files:

    ipconfig /all >c:\ipconfig.txt [all DCs]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive(with open access!) http://explore.live.com/windows-live-skydrive and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Proposed as answer by Guido Rundel Friday, April 20, 2018 3:30 PM
    Monday, February 28, 2011 7:01 AM
  • Thanks for the suggestions.

    I did try running dcdiag /fix. That didn't seem to take care of the problem.

    Regarding posting of the output of ipconfig/dcdiag/repadmin, etc. Unfortunately the machines are in a closed, internet-disconnected environment and I am not permitted to bring media or even printouts out. So all I'm able to do was run those commands and summarize from hand-copied notes about the output that appeared interesting or unusual.

    repadmin /showrepl dc* /verbose /all /intersite - did not appear to indicate that there was a problem, and in fact replication between the two DCs we have set up does appear to work.

    dcdiag /v /c /d /e /s:dcname - overall seemed to indicate that things were OK, with the exception of the DReg test; that one indicated a bunch of warnings on one DC:

      "Missing SRV record at DNS server x.x.x.x" for a bunch of entries, I've typed in examples of some of them below:

      _ldap._tcp.mydomain

      _ldap._tcp.<guid>.domains._msdcs.mydomain

      _kerberos._tcp.dc._msdcs.mydomain

      _ldap._tcp.dc._msdcs

      The list goes on to include about 15 missing SRV entries.

    Part of the warnings from DCDIAG seem to come from the fact that my DNS servers can't contact the internet. I deleted all of the root hints as I had read somewhere that was how to handle a disconnected DNS environment.

    Also, we do not have dynamic updates enabled in DNS, would enabling that allow these missing SRV records to be populated?

    Hope this provides a bit more information.

    thanks.

    • Proposed as answer by LeoNichele Thursday, February 9, 2017 8:15 PM
    Wednesday, March 2, 2011 12:33 PM
  • Please try with netdiag /fix.
    Wednesday, March 2, 2011 1:17 PM
  • OK I have it fixed now. Thanks everyone for the help.

    I'll post the details of how I got it fixed. My situation was complicated, I believe, by the fact that my DNS servers were configured to accept "Secure only" DNS updates. That apparently was preventing the restart of netlogon from updating/fixing my SRV records. I eventually got a clue from this KB article:

    http://support.microsoft.com/kb/316239

    So my steps to fix were:

    1. on both DCs enabled "secure and non-secure" updates for my Forwarding domains (as described in the KB article above).

    2. Restart DNS and netlogon services also as described in the article.

    3. A re-run of dcdiag /test:dns showed that an A record was missing from gc._msdcs.my.domain. This was much better than before, so I decided to just fix that one by manually creating the A record.

    4. A re-run of dcdiag /test:dns finally showed no errors.

    5. I set my DNS domains back to "Secure only".

    There may have been cleaner ways to fix this one, but I'm calling this one done.

    Tuesday, March 8, 2011 1:37 PM
  • ohhhh thank you man i have been dealing with this issue for hours and hours and tried everything and deleting the greyed out _msdcs folder was the trick. I restarted the netlogon service and everything back to normal on foundation 2008 r2 thank you so much I have put hours into this!!
    Thursday, October 20, 2011 3:36 AM
  • Restarting the netlogon service is one way; executing NLTEST /DSREGDNS is another way.

    Cheers,

    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------

    "sjusto77" wrote in message news:8c4872dd-8219-4dbe-bfe1-ef89cf8d6e05@communitybridge.codeplex.com...
    ohhhh thank you man i have been dealing with this issue for hours and hours and tried everything and deleting the greyed out _msdcs folder was the trick. I restarted the netlogon service and everything back to normal on foundation 2008 r2 thank you so much I have put hours into this!!

    Jorge de Almeida Pinto [MVP-DS] (http://jorgequestforknowledge.wordpress.com/)
    Friday, October 21, 2011 6:52 AM
  • Just adding an additional note on further steps that I took to resolve the above problem:

    I also changed the Local Area Connection properties of each of my domain controllers so that the "Register this connection's addresses in DNS" was selected.

    I don't know whether this step is required or not, but I may have determined that I had to do this in order for all of these SRV records to be updated when I did a restart of the netlogon service.

    I initially did not have this property selected for my DCs' network connections, as the DCs have static IPs, so I wasn't sure what the point was. However, after realizing that DCs insert so much information into DNS, I thought that perhaps this setting made a difference.

    Saturday, October 22, 2011 12:55 AM
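The poster's fix (steps 1 to 5 above), the `NLTEST /DSREGDNS` alternative to restarting Netlogon, and the later note about "Register this connection's addresses in DNS" are all settings worth re-checking once registration works, because a zone left on "secure and non-secure" updates lets any host on the network register or overwrite names in it, including the DC's own service records. The script below is an added example, not code from the thread or from Microsoft. It assumes it runs on the DC being checked, with the DnsServer, DnsClient and NetAdapter modules available (Windows Server 2012 or later), and its -RestoreSecure and -Reregister switches are the script's own.

```powershell
<#
  Added example (not from the thread). Post-fix audit of the settings changed in this
  thread: zone dynamic-update mode, the NIC's DNS registration flag, and a re-trigger
  of the DC's own locator-record registration, followed by a look for registration
  failures in the System log.
  Assumptions: runs on the DC being checked; DnsServer, DnsClient and NetAdapter
  modules available (Windows Server 2012 or later). The two switches are this
  script's own parameters.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Put every AD-integrated forward zone back on 'Secure' dynamic updates (step 5).
    [switch]$RestoreSecure,
    # Re-register this DC's records with nltest /dsregdns instead of restarting Netlogon.
    [switch]$Reregister
)

Import-Module DnsServer  -ErrorAction Stop
Import-Module DnsClient  -ErrorAction Stop
Import-Module NetAdapter -ErrorAction Stop

# 1. Zone update mode. 'Secure' means only authenticated computer accounts can update
#    their own records; 'NonsecureAndSecure' lets any host register or overwrite a name.
$zones = Get-DnsServerZone |
         Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated }
$zones | Select-Object ZoneName, DynamicUpdate, ReplicationScope | Format-Table -AutoSize

foreach ($zone in $zones | Where-Object { $_.DynamicUpdate -ne 'Secure' }) {
    Write-Warning "Zone $($zone.ZoneName) accepts $($zone.DynamicUpdate) dynamic updates."
    if ($RestoreSecure -and $PSCmdlet.ShouldProcess($zone.ZoneName, 'Set DynamicUpdate to Secure')) {
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
    }
}

# 2. The NIC flag. The DC's addresses are only registered over adapters that have
#    "Register this connection's addresses in DNS" enabled.
$upAdapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
if ($upAdapters) {
    Get-DnsClient -InterfaceIndex $upAdapters.InterfaceIndex |
        Where-Object { -not $_.RegisterThisConnectionsAddress } |
        ForEach-Object {
            Write-Warning "Adapter '$($_.InterfaceAlias)' does not register its addresses in DNS."
        }
}

# 3. Re-registration. nltest /dsregdns asks Netlogon to re-register the DC's locator
#    records (SRV, the DSA CNAME, the domain/gc A records); ipconfig /registerdns
#    refreshes the host's own A records.
if ($Reregister -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Re-register DC DNS records')) {
    nltest.exe /dsregdns
    ipconfig.exe /registerdns
    Start-Sleep -Seconds 15

    # Netlogon logs event 5774 / 5781 in the System log when a registration is refused,
    # for example because the zone is 'Secure' and an existing record is owned by a
    # different account (a stale record from an earlier promotion attempt).
    $failures = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774, 5781
        StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue
    if ($failures) { $failures | Select-Object TimeCreated, Id, Message | Format-List }
    else { 'No Netlogon DNS registration failures logged in the last 5 minutes.' }
}
```

Without switches the script only reports. Running it with `-Reregister` first and checking that no 5774/5781 events appear, then with `-RestoreSecure`, confirms that registration works under secure-only updates before the zones are locked back down.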
  • None of this fixed my problem. (can't dcpromo a new 2008 R2 server into a 2008 domain)

    And deleting the gray msdcs folder didn't turn out good, because the steps specified here didn't recreate it. Now onto a new problem.

    Wednesday, July 11, 2012 10:37 PM
  • You may try to rename the netlogon.dnb and netlogon.dns files under c:\winnt\system32\config.

    Restart the Netlogon and DNS Server services in that order, and the _msdcs folder should get recreated.


    Pramod

    Monday, July 16, 2012 9:10 AM
  • Hello,

    as until now nothing seems to help please upload the already requested files to Windows Sky drive and post the link here so we get an overview about the domain in detail.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, July 16, 2012 9:15 AM
  • Excellent.  This worked great for what I needed.

    I did one extra step, though.  I have two sites with four DCs (two at each site).  I created the _msdcs.my.domain folder and after the intra-site replication, I added the two DCs of the other site.  After that, replication resumed and the dcdiag /test:dns successfully completed with no errors.

    Thanks for the info.

    --------Mark

    Friday, November 8, 2013 7:06 PM