DNS - six forward zones have SOA record pointing to long gone domain controller - how to fix safely?

  • Question

  • Hi All,

    I would appreciate advice on how to safely change the SOA record on several forward lookup zones, that point to a long ago retired DC. Thank you for sharing your expertise.

    Environment:
    7 domain controllers, all with AD-integrated DNS - 2008, 2012, 2016 OS
    25 forward lookup zones - 6 zones identified as 'bad'
    Only 1 domain controller is a 2008 server - DNS breaks from June 2017 Windows updates - KB4019263

    KB4019264 causes DNS service to not start.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/fe692fec-a14e-44c6-92fa-6863bf4550da/kb4019264-causes-dns-service-to-not-start?forum=winservergen 

    Loading DNS zones fails on a Windows Server 2008 R2-based DNS server
    https://support.microsoft.com/en-us/help/3145126/loading-dns-zones-fails-on-a-windows-server-2008-r2-based-dns-server

    The PowerShell to identify bad DNS zones shows that six zones are 'bad'.
    The SOA record in each of these zones, on the 2008 DNS/DC server only, points to a DC that was long ago retired.
    The other DC/DNS servers show no SOA record at all.
    All six bad zones use CNAME records.

    On the 2008 DC/DNS:
    a) SOA tab or the SOA record itself - attempt to update the SOA to a valid server returns error: The start of authority (SOA) record cannot be updated. Node is a CNAME DNS record.
    b) Name Servers tab: attempt to add the 4 missing servers returns error: Failure to write NS records <FQDN>. Node is a CNAME DNS record.
    c) Zone Transfers - was not on, but recently turned on to allow to any server (since we can't add the name servers yet)

    History:
    All 25 forward lookup zones were pointing to the long retired DC, however portqry.exe revealed port 53 was not open properly between the servers.
    Firewalls were updated and all zones, but the six CNAME zones, automatically updated the SOA correctly.

    Next steps:
    Is it safe to delete the SOA record on the offending server and allow the DNS servers 15 minutes to work out the SOA record?

    I would expect the SOA value to be the name of the server I am viewing...
    ie: Server1 sees itself as the SOA when looking at DNS there, but Server2 sees itself as the SOA when looking there...etc etc.

    Someone recommended DNSLinked.exe to fix....anyone have experience with this problem?
    Thank you very much

    Andy

    Tuesday, November 28, 2017 5:32 PM

Answers

  • Well thank you for your suggestions.

    We seem unable to fix this and have decided to not waste any further time attempting to do so.

    Our proposed solution is to demote the 2008 DC and remove the DNS role at the same time.

    Andy

    • Marked as answer by AndySpecial Wednesday, January 10, 2018 7:54 PM
    Wednesday, January 10, 2018 7:54 PM
  • Resolved: 

    deleted the five bad DNS zones

    waited for replication to other DC/DNS servers

    rebuilt zones 

    waited for replication to other DC/DNS servers

    One more question:

    Do servers added to the Name Servers tab even matter when DNS is integrated with AD?

    Reason I ask is I left the 2008 R2 server off the name servers list, and allowed zone transfers to 'only name servers'.

    The 2008 R2 server has the rebuilt DNS zones and they look fine with the SOA pointing to itself.



    Andy

    • Marked as answer by AndySpecial Wednesday, July 4, 2018 4:35 PM
    Wednesday, July 4, 2018 4:23 PM

All replies

  • Hi,
    Based on the complexity and the specific situation, we need to do more research. If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which will help us understand and analyze this issue comprehensively.
    Sorry for the inconvenience and thank you for your understanding and patience.

    Best Regards,
    Frank

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 29, 2017 9:29 AM
  • Hi,

    >> Is it safe to delete the SOA record on the offending server and allow the DNS servers 15 minutes to work out the SOA record?

    Based on my understanding, if the DNS server is retired, we need to do a metadata cleanup on the DC, followed by AD replication to ensure our other DNS servers get the correct DNS records.

    Since the DNS server was already retired, we need to manually clean up the dirty data in the other DNS servers. Additionally, we could use the ADSI Edit tool to delete the old DNS servers.

    On the DNS server, click Start, click Run, type adsiedit.msc, and then click OK.

    1. In the console tree, right-click ADSI Edit, and then click "Connect To."
    2. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=ForestDNSZones/ DomainDNSZones, DC=contoso, DC=com
    3. In the console tree, double-click DC=ForestDNSZones/ DomainDNSZones, DC=contoso, DC=com. Double-click CN=MicrosoftDNS, and click the zone (contoso.com).

    You should now be able to view the DNS records which exist in this DNS partition.

    If you see the old DNS server, please delete it. Please ensure no other DNS clients are using it before deleting.

    Best Regards,
    Frank



    Friday, December 1, 2017 10:08 AM
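    As an added example (not code from the thread, from Andy, or from Microsoft), one PowerShell audit that covers both Andy's wish for a way to identify the bad zones and Frank's ADSI Edit walk-through: it asks every DC for its own view of each AD-integrated forward zone's SOA and apex NS records, flags a missing or stale SOA and any current DC absent from the NS list, then searches the DNS partitions for leftover dnsNode objects. The retired DC's name and the use of the PDC emulator as the search server are assumptions; it needs the DnsServer and ActiveDirectory RSAT modules on a 2012 or later host.

```powershell
# Added example, not code from the thread. Assumes the DnsServer and ActiveDirectory
# RSAT modules on a 2012+ host, and a placeholder short name for the retired DC.
Import-Module DnsServer, ActiveDirectory
$RetiredDcName = 'RETIREDDC01'   # placeholder: replace with the long-gone DC's short name

$domain  = Get-ADDomain
$rootDn  = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$dcFqdns = @((Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower().TrimEnd('.') })

# 1) Ask every DC for its view of each AD-integrated forward zone's SOA and apex NS records.
$findings = foreach ($dc in $dcFqdns) {
    $zones = Get-DnsServerZone -ComputerName $dc | Where-Object {
        $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
        -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
    }
    foreach ($z in $zones) {
        $soa = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $z.ZoneName -RRType Soa -ErrorAction SilentlyContinue
        $ns  = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $z.ZoneName -RRType NS -Name '@' -ErrorAction SilentlyContinue
        $primary = if ($soa) { $soa.RecordData.PrimaryServer.ToLower().TrimEnd('.') } else { $null }
        $nsList  = @($ns | ForEach-Object { $_.RecordData.NameServer.ToLower().TrimEnd('.') })
        [pscustomobject]@{
            QueriedDc  = $dc
            Zone       = $z.ZoneName
            SoaPrimary = $primary
            SoaMissing = ($null -eq $soa)                               # the "data is not available" case
            SoaStale   = [bool]($primary -and ($primary -notin $dcFqdns)) # SOA names a host that is not a current DC
            NsMissing  = (@($dcFqdns | Where-Object { $_ -notin $nsList }) -join ',')
        }
    }
}
$findings | Where-Object { $_.SoaMissing -or $_.SoaStale -or $_.NsMissing } | Format-Table -AutoSize

# 2) Look for leftover dnsNode objects named after the retired DC in the two DNS application
#    partitions and in the legacy CN=MicrosoftDNS,CN=System container under the domain NC.
$searchBases = @("DC=DomainDNSZones,$($domain.DistinguishedName)",
                 "DC=ForestDNSZones,$rootDn",
                 "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)")
foreach ($base in $searchBases) {
    Get-ADObject -Server $domain.PDCEmulator -SearchBase $base -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=dnsNode)(name=$RetiredDcName))" -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'SearchBase'; e = { $base } }, DistinguishedName
}
```

    NS records do not affect AD replication of the zone data, but a zone-transfer policy of 'only to servers listed on the Name Servers tab' and referrals from other resolvers both use that list, so a DC missing from it is still reported.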
  • Hi,
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Frank


    Thursday, December 7, 2017 2:40 AM
  • Hi,

    Was your issue resolved? 

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,
    Frank



    Monday, December 11, 2017 1:36 AM
  • Hello, I apologize for the delay and am just getting back to this issue.

    I cannot connect to the Naming Context you mentioned.

    I can only guess there is further substitution for the values below?

    Yours: DC=ForestDNSZones/ DomainDNSZones, DC=contoso, DC=com

    Mine: DC=ForestDNSZones/ DomainDNSZones, DC=mydomainname, DC=com

    Error: Operation failed: Error code: 0x80005000. An invalid directory pathname was passed.

    So I fished around under the Default Naming Context and see under CN=System there is a subfolder called: CN=MicrosoftDNS,
    then :
    DC=mydomainname.comCFG:xxxxxxxxxx-xxxxxxx-xxx etc..
    there are 405 objects that look like this:
    Name: DC=sqlsandbox  Class: dnsNode   DistinguishedName: DC=sqlsandbox, DC=mydomainname\0ACNF:long string of numbers, CN=MicrosoftDNS, CN=System, DC=mydomainname,DC=com

    >> You should now be able to view the DNS records which exist in this DNS partition.

    >> If you see old DNS server, please delete it. please ensure no other DNS clients using it before deleting.

    None of my DNS servers are in the list of 405 objects, so I can only guess the specific connection string is required...do I need to substitute further values in this string?

    Yours: DC=ForestDNSZones/ DomainDNSZones, DC=contoso, DC=com

    Mine: DC=ForestDNSZones/ DomainDNSZones, DC=mydomainname, DC=com

    Thank you

    Andy

    Friday, December 15, 2017 7:16 PM
  • Hi ,

    Sorry for not clarifying my explanation.

    Yours: DC=ForestDNSZones/ DomainDNSZones, DC=contoso, DC=com

    Mine: DC=ForestDNSZones/ DomainDNSZones, DC=mydomainname, DC=com

    Should be:

    DC=ForestDNSZones, DC=mydomainname, DC=com

    DC= DomainDNSZones, DC=mydomainname, DC=com

    Best Regards,

    Frank



    Monday, December 18, 2017 5:57 AM
  • Hello Frank, this only gets more interesting as I dig into it, as the scope of the problem is changing.

    Instead of six bad zones we now have five.

    No one knows how the one zone was fixed...all we know is that the customer migrated from on-prem to Cloud based servers recently...someone did something they can not recall. :)

    Of the 5 remaining bad zones 3 are missing SOA entry entirely and 2 have SOA that points the retired DC.

    Where missing the SOA entry, the SOA tab is blank with message: The data is not available.

    Where SOA is pointing to retired DC...unable to change the primary server value...same error: The SOA record cannot be updated. Node is a DNAME DNS record.

    The ADSIEdit tool on the 2008 DC/DNS server had only one entry for DC=AlreadyRetiredDC....and that entry was not even in one of the 'bad' zones.  Deleted it anyways.

    To be thorough I compared DNS vs ADSIEdit on three other DC/DNS servers and they all appear the same as described above.

    I don't get it...I can only guess there is a reference to the 'AlreadyRetiredDC' somewhere.

    I will search for  KB on how to clean up that long gone server....if you can recommend a KB for that, perhaps it would get me some traction on this DNS issue

    Thank you!

    Andy

    Monday, December 18, 2017 9:24 PM
  • Hi ,

    Please refer to KB below:

    https://support.microsoft.com/en-us/help/216498/how-to-remove-data-in-active-directory-after-an-unsuccessful-domain-co

    Do a metadata cleanup.

    Best regards,

    Frank



    Tuesday, December 19, 2017 2:02 AM
  • Hi Frank,

    I am pleased to report that there were no traces of the 'retiredDC/DNS' anywhere in the metadata.

    This is based on ntdsutil.exe, adsiedit.msc and ldp.exe.

    The comparison was made in all three interfaces on the 2008 DC/DNS server and on a different 2012 server.

    So now back to my five bad DNS zones...status is the same...

    ..on the 2008 DC/DNS server, the SOA points to 'retiredDC/DNS' and cannot be changed.

    ..on the 2012/2016 DC/DNS servers, the SOA is either missing entirely or also points to the 'retiredDC'.
    There is no discernible pattern.

    I tried this today with no changes seen:

    Function to Modify SOA records through Powershell
    https://gallery.technet.microsoft.com/scriptcenter/Function-to-Modify-SOA-a2d49a99

    .\updatesoa "zone.domain.my.ca" "domain.my.ca" "primaryserver" "fqdnOfDesiredSOAHolder"

    Do you have any further suggestions?

    Thank you so much for your ideas so far.

    Andy

    Wednesday, December 20, 2017 5:18 PM
  • A quick update on status....about the same.

    On a 2008 R2 DC/DNS server....of 25 zones...six zones have SOA records pointing to a long ago retired DC/DNS server.

    This matters as Windows updates dating back to May/June 2017 kept breaking DNS and the service would not start. Investigation showed the incorrect SOA was causing the DNS failure...updates rolled back.
    Attempt to change SOA returns error:
    The start of authority (SOA) record cannot be updated. Node is a CNAME DNS record.

    What has changed since the January update...

    a) these AD integrated zones are now all properly replicating with each other, as a combination of port 53 not being open everywhere, and missing name servers on the related tab, have now all been corrected. The incorrect SOA record has happily replicated itself to all DNS servers now...at least that is consistent.

    b) new servers to replace old....2016 servers now in place

    The 2008 R2 DC/DNS server will soon be demoted/retired and I will update this thread to let you know if the 2012 & 2016 servers allow the SOA to be corrected..in other words...is this a 2008 server specific problem.

    Andy

    Tuesday, May 22, 2018 8:34 PM