DNS entries with accents keep reappearing, how to fix (and bug report)

    I had some fun with something I consider a bug; I'll let you judge:

    I have a domain, multiple sites, 8 DCs, 2012 R2, and a few DNS domains hosted in AD-integrated zones, nothing complicated.

    We have a record "test" that is resolved for some computers and not for others; local support identified it as "only works when we set the primary DNS to server X".

    Server X does in fact have the record "test"; the other DCs don't have it. After checking replication and deleting and recreating the record on server X, still nothing on the other DCs.

    We proceeded to try and create "test" on "Server Y", and it said the record already exists...

    After a WTF moment we realized that, after all the records, there is a "tést" (with an accent on the "e").

    We deleted this one (a Frenchman must have slipped on his keyboard; I know, I am one and it happens), waited for resync, serial is OK, "tést" has disappeared everywhere... except "test" is still present on "Server X" (we removed it, and the serial does NOT change!).

    Everything should be clean; we recreated the "test" record, this time on "Server Y", OK.

    We checked the other servers: no "test" record, but "tést" is there.

    The record with the accent keeps reappearing whatever method is used to create "test": be it massively on each DC at the same instant, changing DC, using repadmin to stop replication! Even the logs don't give any information, and the owner of the record with the accent is "SYSTEM".

    After a lot of tries and fun with commands to force a few synchronisations between AD and DNS, we finally realized there must be a trace somewhere outside DNS, and where else could it be other than the LDAP partition containing the DNS zone?

    Using ADSIEdit we managed to find the "DC=tést" object, which was simply tombstoned and un-tombstoned each time we deleted or recreated the "test" record (using ADSIEdit.msc: Connect to, use "Connection Point": DC=DomainDnsZones,DC=contoso,DC=com, then browse "CN=MicrosoftDNS" and look for your DNS zone; if it's not there, replace DomainDnsZones with ForestDnsZones).

    That means the DNS process that "creates" the entry completely ignores the accent (it considers e and é identical) but still passes the information untouched to LDAP, since the object's DC is accented.

    @Microsoft: I consider this a bug, and quite an annoying one to debug. I think you should either prevent accents in DNS Manager or allow accent sensitivity all the way (I don't like accents since you can't query them using nslookup...).

    A few commands to help check things, with c:\list.txt containing your DNS server hostnames:

    • Checking if all the zones are at the same version (SOA serial):

    for /f %a in (c:\list.txt) do @nslookup -type=soa toto.local %a|findstr serial

    • Force a sync violently over LDAP and DNS (you may want to adapt the repadmin /syncall):

    for /f %a in (c:\list.txt) do @repadmin /syncall %a DC=DomainDnsZones,DC=contoso,DC=com /d /e

    for /f %a in (c:\list.txt) do @dnscmd %a /clearcache
    for /f %a in (c:\list.txt) do @dnscmd %a /zoneupdatefromds toto.local

    • Check the presence of a record across multiple servers at once:

    for /f %a in (c:\list.txt) do nslookup test.toto.local %a

    Thursday, August 25, 2016 6:27 PM
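The post finds the problem by hand in ADSIEdit. As an added example (not code from the original poster), the PowerShell script below automates the three checks that would have shortened that hunt: it lists record names containing non-ASCII characters on every DNS server in c:\list.txt, groups names that become identical once diacritics are stripped (e.g. "test" and "tést"), and lists dnsNode objects in the zone container that the DNS server has marked with dNSTombstoned=TRUE (DNS tombstones stay in place in LDAP rather than moving to Deleted Objects, which is why the object was still visible in ADSIEdit). The zone name toto.local and the list file path are taken from the post; the search base DN and the `Remove-Diacritics` helper are assumptions, and the script needs the DnsServer and ActiveDirectory RSAT modules.

```powershell
# Added example, not from the original post.  Audits AD-integrated DNS zones for
# accented record names, diacritic collisions and DNS-tombstoned dnsNode objects.
# Assumes RSAT (DnsServer + ActiveDirectory modules) and a domain-joined admin session.
param(
    [string]$ZoneName   = 'toto.local',   # zone to audit (name used in the post)
    [string]$ServerList = 'C:\list.txt',  # one DNS server hostname per line (from the post)
    # Placeholder search base: change DomainDnsZones to ForestDnsZones if the zone lives there.
    [string]$ZoneBaseDn = 'DC=DomainDnsZones,DC=contoso,DC=com'
)

Import-Module DnsServer
Import-Module ActiveDirectory

function Remove-Diacritics {
    # Assumed helper: NFD decomposition splits "é" into "e" + U+0301, then the
    # combining marks are dropped, so "tést" and "test" normalise to the same string.
    param([string]$Text)
    $decomposed = $Text.Normalize([Text.NormalizationForm]::FormD)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $decomposed.ToCharArray()) {
        $cat = [Globalization.CharUnicodeInfo]::GetUnicodeCategory($c)
        if ($cat -ne [Globalization.UnicodeCategory]::NonSpacingMark) { [void]$sb.Append($c) }
    }
    return $sb.ToString()
}

$servers = Get-Content $ServerList | Where-Object { $_.Trim() -ne '' }

foreach ($server in $servers) {
    Write-Host "== $server =="
    $records = Get-DnsServerResourceRecord -ComputerName $server -ZoneName $ZoneName -ErrorAction Stop

    # Check 1: any record name with a character outside 7-bit ASCII.
    $records | Where-Object { $_.HostName -match '[^\x00-\x7F]' } | ForEach-Object {
        Write-Host ("  non-ASCII name : {0} ({1})" -f $_.HostName, $_.RecordType)
    }

    # Check 2: names that collapse to the same string once accents and case are removed.
    $records | Select-Object -ExpandProperty HostName -Unique |
        Group-Object { (Remove-Diacritics $_).ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            Write-Host ("  collision      : {0}" -f ($_.Group -join ' / '))
        }
}

# Check 3: dnsNode objects the DNS server has tombstoned in the zone container.
# These are the objects that get "un-tombstoned" when a colliding name is recreated.
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,$ZoneBaseDn"
Write-Host "== DNS-tombstoned nodes under $zoneDn =="
Get-ADObject -SearchBase $zoneDn -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
             -Properties whenChanged |
    Select-Object Name, whenChanged, DistinguishedName | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a machine with RSAT; a collision line naming both spellings, plus a tombstoned node whose Name is the accented spelling, is exactly the situation described in the post, and the tombstoned object is what needs to be cleaned up before the plain-ASCII record will stay put.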