Broken DNS Delegation

  • Question

  • Help!! I am seeing broken DNS delegation when running :

    dcdiag /test:dns /v /s:torsrvdc05.int.tucows.com

    Also of note, this appears to be affecting the "Replicate Now" under Trusted Sites & Services for 1 of our 3 servers.

    Here is the output of the dcdiag command above :

    Summary of test results for DNS servers used by the above domain controllers:

            
                DNS server: 10.0.70.15 (torsrvdc02.int.tucows.com.)

                   1 test failure on this DNS server

                   DNS delegation for the domain int.tucows.com.int.tucows.com. is broken on IP 10.0.70.15

                   [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                   
                DNS server: 10.0.70.20 (torsrvdc05.int.tucows.com.)

                   1 test failure on this DNS server

                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
                   DNS delegation for the domain int.tucows.com.int.tucows.com. is broken on IP 10.0.70.20

                   [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                   
                DNS server: 10.0.70.56 (torsrvdc04.int.tucows.com.)

                   1 test failure on this DNS server

                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
                   DNS delegation for the domain int.tucows.com.int.tucows.com. is broken on IP 10.0.70.56

                   [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                   
                DNS server: 10.0.71.100 (<name unavailable>)

                   All tests passed on this DNS server

                   
                DNS server: 10.0.71.101 (<name unavailable>)

                   All tests passed on this DNS server

                   
             Summary of DNS test results:

             
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: int.tucows.com

                   TORSRVDC05                   PASS FAIL PASS FAIL WARN FAIL n/a  
             
             ......................... int.tucows.com failed test DNS

    Thursday, May 31, 2012 1:52 PM

Answers

  • Ed,

    Please post the following to help us diagnose this issue:

    1. Post any event log errors. Check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.
    2. Unedited ipconfig /all 
    3. If updates are enabled on the zone (Secure Only or Unsecure and Secure)

    Keep in mind, we may need additional information. It may be something simple that's causing the DC to not register into your zone.

    .

    Keep in mind, multihoming a DC is NOT recommended.

    As for unchecking the 'register this connection' checkbox, unchecking this does not work on a DC and/or DNS server.

    DNS registers itself as an NS (nameserver) record whether this box is checked or not. This is because a DC's Netlogon service will register its SRV records whether this box is checked or not. That box is just for the network card info, but if it's a DC or DNS server, it ignores the check/uncheck setting.

    Hence, if all is working properly, and multiple NICs, IP addresses, RRAS installed (VPN), and/or iSCSI interface is configured, it makes the DC a "Multihomed DC," which is extremely problematic. It's recommended to not multihome a DC. Here's more info:

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are ways to configure a DC with some registry mods:
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx 

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT] Monday, June 4, 2012 2:33 AM - added one more request in the list to post
    • Proposed as answer by Aiden_Cao Tuesday, June 5, 2012 1:31 AM
    • Marked as answer by Aiden_Cao Thursday, June 7, 2012 1:30 AM
    Monday, June 4, 2012 2:27 AM
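
The answer above notes that a DC's Netlogon service registers its SRV records itself. As an added example (not part of the original thread), the following PowerShell compares the SRV records Netlogon lists in its `netlogon.dns` file with what each DNS server from the dcdiag output actually returns. It assumes it is run on the affected DC and that `Resolve-DnsName` is available (Windows Server 2012 or later); the variable names are illustrative.

```powershell
# Added example: which of this DC's SRV records are missing on which DNS server?
# Assumptions: run locally on the DC; Resolve-DnsName (DnsClient module) is present.

# DNS servers that reported a failure in the dcdiag output above.
$dnsServers = '10.0.70.15', '10.0.70.20', '10.0.70.56'

# Netlogon writes every record it tries to register to this file.
$netlogonDns = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'

# SRV lines have the form:
#   <owner> <ttl> IN SRV <priority> <weight> <port> <target>
$expected = Get-Content -Path $netlogonDns | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -ge 8 -and $f[2] -eq 'IN' -and $f[3] -eq 'SRV') {
        [pscustomobject]@{
            Owner  = $f[0]                 # already fully qualified, trailing dot included
            Port   = [int]$f[6]
            Target = $f[7].TrimEnd('.')
        }
    }
}

$report = foreach ($server in $dnsServers) {
    foreach ($rec in $expected) {
        # Query the specific server directly; ignore A records in the additional section.
        $answers = Resolve-DnsName -Name $rec.Owner -Type SRV -Server $server `
                       -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }

        # The record counts as registered only if this DC is one of the targets.
        $match = $answers | Where-Object {
            $_.NameTarget.TrimEnd('.') -eq $rec.Target -and $_.Port -eq $rec.Port
        }

        [pscustomobject]@{
            Server     = $server
            Owner      = $rec.Owner
            Target     = $rec.Target
            Port       = $rec.Port
            Registered = [bool]$match
        }
    }
}

# Show only the gaps. After fixing the cause, "nltest /dsregdns" asks Netlogon
# to register its records again, and this script can be re-run to confirm.
$report | Where-Object { -not $_.Registered } |
    Sort-Object Server, Owner | Format-Table -AutoSize
```

An empty table means every SRV record Netlogon expects for this DC is present on all three servers.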

All replies

  • Put a period on the end of the FQDN and re-run the dcdiag:

    dcdiag /test:dns /v /s:torsrvdc05.int.tucows.com.   <------ Period on the end

    .


    Ace Fekay

    Friday, June 1, 2012 5:16 AM
  • Thank you Ace, unfortunately the results were the same adding a period at the end of the command. With the following command, here are the results. What puzzles me is, I am not seeing any issues that are affecting users (thankfully):

             Summary of test results for DNS servers used by the above domain

             controllers:
            

                DNS server: 10.0.70.15 (torsrvdc02.int.tucows.com.)

                   1 test failure on this DNS server

                   DNS delegation for the domain int.tucows.com.int.tucows.com. is broken on IP 10.0.70.15

                   [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                   
                DNS server: 10.0.70.20 (torsrvdc05.int.tucows.com.)

                   1 test failure on this DNS server

                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
                   DNS delegation for the domain int.tucows.com.int.tucows.com. is broken on IP 10.0.70.20

                   [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                   
                DNS server: 10.0.70.56 (torsrvdc04.int.tucows.com.)

                   1 test failure on this DNS server

                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
                   DNS delegation for the domain int.tucows.com.int.tucows.com. is broken on IP 10.0.70.56

                   [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                   
                DNS server: 10.0.71.100 (<name unavailable>)

                   All tests passed on this DNS server

                   
                DNS server: 10.0.71.101 (<name unavailable>)

                   All tests passed on this DNS server

                   
             Summary of DNS test results:

             
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: int.tucows.com

                   TORSRVDC05                   PASS FAIL PASS FAIL WARN FAIL n/a                                                                                              

    Ed Gray

    Friday, June 1, 2012 11:10 AM
  • Some details that may offer important clues.

    Recently we added a 2nd NIC to this server and had the "Register this connection's addresses in DNS" disabled/unchecked (but the 1st NIC still has that enabled).

    The server, torsrvdc05.int.tucows.com appears to be missing all of the SRV records in DNS so I believe this is where the real problem lies.

    We want the 2nd NIC for speedy backups on a secondary network vlan.


    Ed Gray

    Friday, June 1, 2012 11:49 AM
  • Hello, we are manually restoring the SRV records that were lost and I am working with a tech. who knows AD quite well so expect this to be fully resolved. Thank you.

    Ed Gray

    Friday, June 8, 2012 10:02 AM
  • Sounds good. If you have any questions, please don't hesitate to ask. Also, please let us know of the outcome.

    .


    Ace Fekay

    Friday, June 8, 2012 6:27 PM