dcdiag dns test error

  • Question

  • Hi all,

    We have one forest with one empty root domain (dc=mycompany,dc=local) and one child domain (dc=corp,dc=mycompany,dc=local).

    We have multiple sites and multiple domain controllers (mixed Windows 2003 and Windows 2008 R2).  Currently, every DC is a GC.

    We have decided to introduce a Windows 2012 DC in the child domain.
    I just ran dcdiag /v /c /d /e /s:cd2 >c:\dcdiag.log
    and checked the log for the test: DNS.

    I got the following on the dnstest: DNS server: 192.168.10.3 (cd1.corp.mycompany.local.)
                   1 test failure on this DNS server
                   DNS delegation for the domain corp.mycompany.local.corp.mycompany.local. is broken on IP 192.168.10.3

     [Error details: 9003 (Type: Win32 - Description: DNS name does noexist.)]

    --------------

    I checked the root domain and I can tell that _msdcs and corp are greyed out (delegated) in the root domain forward zone mycompany.local.

    In the delegated _msdcs, the name servers are the root domain controllers.

    In the delegated corp, the name servers are the child domain controllers.  Is this how they are supposed to be?

    Why does the report show "DNS delegation for the domain corp.mycompany.local.corp.mycompany.local"?

    How should I fix this error?

    Thank you.



    • Edited by John JY Wednesday, May 8, 2013 10:02 PM
    Wednesday, May 8, 2013 7:08 PM

Answers

  • Good that no dupes or conflicting zones exist.

    -

    As for any AD DNS design, whether the corp.local zone is only replicated in the parent domain and there is a parent-child delegation to your AD child domains, or the corp.local zone is replicated forest wide, the _msdcs zone MUST ALWAYS be replicated forest wide. More info on AD DNS design options:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

    -

    And yes, when you delegate a zone from a parent zone to a child zone, the zone under the parent domain WILL be grayed out. Properties will show the DNS server(s) you've delegated it to. If the grayed out folder is missing, then that's a problem.

    -

    As for what's supposed to be in the NS list, for example in a parent-child delegation design, the corp.local zone must ONLY have the DC/DNS servers in the corp.local zone, and the it.corp.local zone (assuming properly delegated) must only have the nameservers in the NS list of the DCs in the it.corp.local domain.

    For the _msdcs.corp.local zone, it must have all DC/DNS servers in the forest in the NS list.

    Anything else MUST be removed.

    -

    Don't forget in a delegation you must set a forwarder (general or conditional) from the child domains to the parent domain. This is not required if the corp.local is forestwide.

    In any design, you must set search suffixes of all child domains so they can resolve each other.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Yan Li_ Thursday, May 16, 2013 3:10 AM
    Monday, May 13, 2013 3:15 AM

All replies

  • Can you check the Name Servers tab in DNS to make sure there are no stale entries or entries without an IP?

    http://neuralfibre.com/paul/it/nice-ad-2003-dns-delegation-gotcha

    What does DCDIAG actually… do?  


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by bshwjt Thursday, May 9, 2013 12:13 PM
    Thursday, May 9, 2013 3:29 AM
  • Check out all "Name Servers" tabs for all forward lookup zones and reverse lookup zones, and also don't forget about delegated zones (grey folders in the DNS tree under the main forward zone entry, if any). Locate all servers with <unknown> in the "IP Address" field and remove them if they are stale entries; but if the server is online, you need to resolve the record or remove the online server from the delegation and re-add it. Most of the time it is an <unknown> entry in the delegation causing the mentioned error.

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by bshwjt Thursday, May 9, 2013 12:13 PM
    Thursday, May 9, 2013 6:01 AM
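    An added example (not from this thread or any of its authors) that automates the check described above and the NS-list rule in the accepted answer: it walks every zone on one DC/DNS server, lists the NS records at the zone apex and at each delegation (the grey folders), and flags name servers with no A record, which is what the Name Servers tab shows as <unknown>. It assumes the DnsServer PowerShell module (Windows Server 2012 or RSAT) and that the server name passed in $DnsServer is a placeholder you replace with your own DC.

    ```powershell
    # Added example: audit NS records (apex and delegations) on one DNS server.
    # Assumes the DnsServer module; $DnsServer is a placeholder DC/DNS name.
    param([string]$DnsServer = 'cd1.corp.mycompany.local')

    Import-Module DnsServer

    # Skip auto-created and forwarder zones; stubs/secondaries still carry NS data.
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }

    $stale = @()
    foreach ($zone in $zones) {
        # HostName '@' is the zone's own NS set; any other HostName is a
        # delegation point (the grey folder under the parent zone).
        $nsRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer `
            -ZoneName $zone.ZoneName -RRType NS -ErrorAction SilentlyContinue

        foreach ($rr in $nsRecords) {
            $nsHost = $rr.RecordData.NameServer.TrimEnd('.')
            $where  = if ($rr.HostName -eq '@') { 'apex' } else { "delegation '$($rr.HostName)'" }

            # Ask the server under test to resolve the NS host to an address.
            $a = Resolve-DnsName -Name $nsHost -Type A -Server $DnsServer `
                -ErrorAction SilentlyContinue | Where-Object { $_.IPAddress }

            if (-not $a) {
                # No A record: this is the '<unknown>' IP Address entry in the
                # Name Servers tab, typically a DC that was removed long ago.
                Write-Warning "$($zone.ZoneName) ($where): NS '$nsHost' has no A record"
                $stale += [pscustomobject]@{ Zone = $zone.ZoneName; At = $rr.HostName; NS = $nsHost }
            } else {
                '{0,-35} {1,-22} {2,-35} {3}' -f $zone.ZoneName, $where, $nsHost, ($a.IPAddress -join ',')
            }
        }
    }

    # Summary of entries to review: remove if the host is gone, otherwise fix
    # its A record or re-add it to the delegation (per the advice above).
    "`nStale NS entries: $($stale.Count)"
    $stale | Format-Table -AutoSize
    ```

    Compare the printed NS sets against the rule in the accepted answer: only the child domain's DCs in the delegated child zone, only the parent domain's DCs in the parent zone, and every DC/DNS server in the forest in _msdcs.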
  • Thanks for the tips and help.

    Yes, three servers which had been removed before have <unknown> in "IP Address" in the forward lookup and reverse lookup zones.

    In some reverse lookup zones, "Allow zone transfers" is not checked.  Should I check this, as we have multiple domain controllers?

    I still got the same message after removing the <unknown> IP entries.  I guess it's due to our DNS setup (see the image).

    Thank you.


    • Edited by John JY Thursday, May 9, 2013 7:54 PM
    Thursday, May 9, 2013 2:47 PM
  • Go through everything to make sure no references to the failed or orphaned DCs exist anywhere. You would be surprised at how a failed or improperly removed DC leaves remnants all over the place - and yes, I suggest running the metadata cleanup process to make sure the DCs that are no longer there are really no longer in the AD database.

    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, cleanup DNS (Nameserver tab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.)
    Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    -

    I also recommend checking to make sure that no duplicate or conflicting DNS zones exist in the AD database - you would be surprised how easily this can occur:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    Published by acefekay on Sep 2, 2009 at 2:34 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    -

    And regarding no zone transfers allowed on AD integrated zones, NO, they do not need zone transfers allowed when the zone is AD integrated and there are no Secondaries, assuming that's your scenario. The zone data because it's stored in the AD database, is automatically replicated by the AD replication process to other DCs in the same replication scope. It's not a zone transfer thing. That's just there to support non-DC DNS servers, BIND or any other name brand DNS server that you want to allow zone transfers to a secondary on one of those servers.

    Read more on DNS AD integrated zones - hopefully this explanation will help:

    DNS Zone Types Explained, and their Significance in Active Directory
    http://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, May 10, 2013 3:46 AM
  • Check out all "Name Servers" tabs for all forward lookup zones and reverse lookup zones, and also don't forget about delegated zones (grey folders in the DNS tree under the main forward zone entry, if any). Locate all servers with <unknown> in the "IP Address" field and remove them if they are stale entries; but if the server is online, you need to resolve the record or remove the online server from the delegation and re-add it. Most of the time it is an <unknown> entry in the delegation causing the mentioned error.

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Sandesh,

    This was copied word for word (copied/pasted) without providing due credit to the author, H4velock, posted 12/25/2009 in the following thread:

    Technet Thread: "Broken DNS delegations" 12/3/2007:
    ttp://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/4ba11324-85df-491f-824d-8a1fa60e9d2c

    -

    In the future, please provide the professional courtesy to credit the original author, otherwise, some may view this as plagiarism:
    http://www.plagiarism.org/

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, May 10, 2013 3:53 AM
  • Hi Ace,

    Thanks for your great info and help.

    I double-checked and we do not have duplicate zones or orphaned domain controllers.
    I think that the issue is the delegation.  From the image, rd1.corp.local is the parent domain controller with DNS in the parent domain corp.local, and _msdcs and it (child domain) are delegated (greyed out) in the parent domain.  cd1.it.corp.local is the domain controller in the child domain it.corp.local.  I just wonder why we need the _msdcs.corp.local and corp.local zones (including the delegated child domain it)
    shown in the child domain's DNS server?  Is this supposed to be? (We have about 1700 users.) Can we delete "it" under zone corp.local on the cd1.it.corp.local server? (I guess that's the main cause of the dcdiag DNS error?)

    ---

    I got the following on the dnstest: DNS server: 192.168.10.3 (cd1.it.corp.local.)
                   1 test failure on this DNS server
                   DNS delegation for the domain it.corp.local.it.corp.local. is broken on IP 192.168.10.3

     [Error details: 9003 (Type: Win32 - Description: DNS name does noexist.)]

    ---------------------

    the domain it.corp.local.it.corp.local. in the above?




    • Edited by John JY Friday, May 10, 2013 5:33 PM
    Friday, May 10, 2013 3:17 PM