Broken delegated domain errors in DCDIAG /test:DNS for all DCs in domain and DCs of all trusting domains

  • Question

  • Hello,

    Please help resolve errors of dcdiag /test:dns

    ====================================

    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = dc39-01

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: CentralSite\DC39-01

          Starting test: Connectivity

             ......................... DC39-01 passed test Connectivity



    Doing primary tests

      
       Testing server: CentralSite\DC39-VIP01

      
          Starting test: DNS

            

             DNS Tests are running and not hung. Please wait a few minutes...

             ......................... DC39-01 passed test DNS

      
       Running partition tests on : DomainDnsZones

      
       Running partition tests on : ForestDnsZones

      
       Running partition tests on : domainname

      
       Running partition tests on : Schema

      
       Running partition tests on : Configuration

      
       Running enterprise tests on :company.ru

          Starting test: DNS

             Test results for domain controllers:

               
                DC: dc39-01.domainname.company.ru

                Domain: domainname.company.ru

               

                     
                   TEST: Delegations (Del)

                      [Broken delegated domain domainname.company.ru.domainname.company.ru.]

                      Error: DNS server: cb2.company.ru IP:xx.xx.xx.xx

                      [Broken delegated domain domainname.company.ru.domainname.company.ru.]

                      Error: DNS server: dc01-m02.domainname.company.ru IP:xx.xx.xx.xx

                      [Broken delegated domain domainname.company.ru.domainname.company.ru.]

                      Error: DNS server: dc01-m04.domainname.company.ru. IP:xx.xx.xx.xx

                      [Broken delegated domain domainname.company.ru.domainname.company.ru.]

                      ......
                     

                   TEST: Dynamic update (Dyn)
                      Warning: Failed to delete the test record dcdiag-test-record in zone domainname.ru

             Summary of test results for DNS servers used by the above domain controllers:



                DNS server: 10.xx.xx.xx (cb2.company.ru.)

                   1 test failure on this DNS server


                  DNS server: 10.xx.xx.xx (dc01-m02.domainname.company.ru)

                   1 test failure on this DNS server


                DNS server: 10.xx.xx.xx (dc01-m04.domainname.company.ru)

                   1 test failure on this DNS server



                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server xx.xx.xx.xx              
             Summary of DNS test results:


                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: domainname.company.ru

                   dc39-01                   PASS PASS PASS FAIL WARN PASS n/a 

    =============

    Thank you for any help!


    Wednesday, November 6, 2013 6:02 AM

Answers

  • Have the old domain controllers been deleted? If so, it looks like you may have some metadata left for them; you should go through and clean out all your DNS entries for DCs that no longer exist and make sure no metadata remains.

    What colour is the folder in the DNS tree for the second db.domainname.companyname.ru?


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    My Blog

    LinkedIn:

    Wednesday, November 6, 2013 8:57 AM

All replies

  • First of all, is this the only domain controller having this issue, or do all domain controllers show this error?

    The test checks to make sure that for each NS record there is a corresponding glue record.

    Check to see if two folders are present in DNS for your domain name, as you (or someone) may have created an additional one for the same domain; if so, you should be able to delete this one. This would be under the forward lookup zone for domainname.companyname.ru; you may have another domainname.company.ru under that zone.


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    My Blog

    LinkedIn:

    • Proposed as answer by Reno Mardo Thursday, July 19, 2018 5:20 AM
    Wednesday, November 6, 2013 6:26 AM
  • Thank you for the reply.

    Yes, I have checked on several DCs; the same results.

    I have the following structure of the Forward Lookup zone:

    domainname.companyname.ru

     _msdcs

                - dc

                     -_sites

                     -_tcp

                -pdc

                    -_tcp

    _sites

              -sitename1

              -sitename2

              -sitename3

    _tcp

    _udp

    DomainDNSZones

               -_sites

               -_tcp

    ru

               -rootdomainName

                           -domainname

    ===========================

    Is there something wrong in the structure of the forward lookup zone?

    Should I have glue records for all DCs in the domain? Or maybe only for external trusting domains?


    Wednesday, November 6, 2013 8:16 AM
  • I have found db.domainname.companyname.ru zone below Forward Lookup Zones.

    Inside I see NS records of current and old domain controllers of my domain.

    Will it cause problems?

    Wednesday, November 6, 2013 8:25 AM
  • Have the old domain controllers been deleted? If so, it looks like you may have some metadata left for them; you should go through and clean out all your DNS entries for DCs that no longer exist and make sure no metadata remains.

    What colour is the folder in the DNS tree for the second db.domainname.companyname.ru?


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    My Blog

    LinkedIn:

    Wednesday, November 6, 2013 8:57 AM
  • Can you run the following command, where you replace <DC> with the actual name of the DC you performed DCDIAG on, and post back the results?

    dnscmd <DC> /EnumZones


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 6, 2013 10:20 AM
  • Sorry for the long delay. I have tried to find and delete all old domain controllers in all DNS. No result. I still have broken delegated domain errors (see above).

    The result of the command dnscmd /EnumZones is:

    Enumerated zone list:

    Zone count = 32

     Zone name                      Type       Storage         Properties

     .                              Cache      AD-Domain       
     _msdcs.company.ru                  Primary    AD-Forest       Secure Aging 
     _sites.company.ru                  Primary    AD-Forest       Secure Aging 
     _tcp.company.ru                    Primary    AD-Forest       Secure Aging 
     _udp.company.ru                   Primary    AD-Forest       Secure Aging 
     125.xxx.in-addr.arpa            Primary    AD-Domain       Update Rev 
     194.xxx.xxx.in-addr.arpa         Primary    AD-Forest       Secure Rev Aging 
     250.xxx.xxx.in-addr.arpa        Primary    AD-Forest       Secure Rev Aging 
     5.64.xxx.xxx-addr.arpa           Primary    AD-Domain       Secure Rev 
     64.xxx.xxx.in-addr.arpa         Primary    AD-Forest       Secure Rev Aging 
     67.xxx.xxx.in-addr.arpa          Primary    AD-Domain       Update Rev 
     70.xxx.xxx.in-addr.arpa          Primary    AD-Domain       Secure Rev 
     74xxx.xxx.in-addr.arpa          Primary    AD-Domain       Secure Rev 
     75.xxx.xxx.in-addr.arpa          Primary    AD-Forest       Secure Rev Aging 
     77.xxx.xxx.in-addr.arpa          Primary    AD-Forest       Secure Rev 
     85.xx.in-addr.arpa             Primary    AD-Legacy       Update Rev Aging 
     86.xxx.xxx.in-addr.arpa         Primary    AD-Domain       Update Rev 
     87.xxx.xxx.in-addr.arpa         Primary    AD-Domain       Secure Rev 
     90.xxx.in-addr.arpa             Primary    AD-Domain       Secure Rev 
     91.xxx.in-addr.arpa             Primary    AD-Domain       Update Rev Aging 
     93.xxx.in-addr.arpa             Primary    AD-Domain       Update Rev Aging 
    BANK.company2.ru            Secondary  File            
     crtcentr                       Primary    AD-Domain       
     ENTERPRISE.company2.ru          Secondary  File            
     ForestDNSZones.company.ru          Primary    AD-Forest       Secure Aging 
     company2.ru                     Stub       AD-Domain       
     infosource.company2.ru          Stub       AD-Legacy       
     nov.company.ru                 Primary    AD-Forest       Secure Aging 
     spb.company.ru                  Primary    AD-Forest       Secure Aging 
     portal.company.ru                  Primary    AD-Forest       Update Aging 
     TrustAnchors                   Primary    AD-Forest       
     domain.company.ru                     Primary    AD-Legacy       Update Aging 

    Command completed successfully.

    Friday, November 15, 2013 10:06 AM
  • This is a very strange setup. Why not just have one zone for company.ru?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, November 15, 2013 10:13 AM
  • I guess the portal.ru and spb.company.ru etc. are zones with a single same-as-parent record to prevent the need for full split-brain DNS.

    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    My Blog

    LinkedIn:

    Friday, November 15, 2013 10:37 AM
  • I have read all DNS records with a PowerShell script and found that all A records have a double domain name:


    __GENUS            : 2

    __CLASS            : MicrosoftDNS_AType

    __SUPERCLASS      : MicrosoftDNS_ResourceRecord

    __DYNASTY          : CIM_ManagedSystemElement

    __RELPATH          : MicrosoftDNS_AType.ContainerName="domainname.company.ru",DnsServerName="d39-01.domainname.company.ru",DomainName="domainname.company.ru.domainname.company.ru",OwnerName="cdb.domainname.company.ru.domainname.company.ru",RecordClass=1,RecordData="10.xxx.xxx.xxx"

    __PROPERTY_COUNT  : 15

    __DERIVATION      : {MicrosoftDNS_ResourceRecord, CIM_LogicalElement, CIM_ManagedSystemElement}

    __SERVER          : D39-01

    __NAMESPACE        : root\MicrosoftDNS

    __PATH            : \\D39-01\root\MicrosoftDNS:MicrosoftDNS_AType.ContainerName="domainname.company.ru",DnsServerName="dc39-01.domainname.company.ru",DomainName="domainname.company.ru.domainname.company.ru",OwnerName="cdb.omainname.company.ru.domainname.company.ru",RecordClass=1,RecordData="10.xxx.xxx.xxx"

    Caption            :

    ContainerName      : domainname.company.ru

    Description        :

    DnsServerName      : d39-01.domainname.company.ru

    DomainName        : domainname.company.ru.domainname.company.ru

    InstallDate        :

    IPAddress          : 10.xxx.xxx.xxx

    Name              :

    OwnerName          : cdb.domainname.company.ru.domainname.company.ru

    RecordClass        : 1

    RecordData        : 10.xxx.xxx.xxx

    Status            :

    TextRepresentation : cdb.domainname.company.ru.domainname.company.ru IN A 10.xxx.xxx.xxx

    Timestamp          : 0

    TTL                : 3600
    Saturday, November 16, 2013 3:42 PM
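    The check described earlier in the thread (every NS record should have a matching glue A record, and the zone should not contain a second copy of its own name) and the doubled-name pattern found in the WMI output above can be audited from one script. The following is an added example, not code posted by anyone in this thread; it assumes the DNS Server WMI provider in root\MicrosoftDNS is reachable on the DC, uses Get-CimInstance (Get-WmiObject works the same way on older hosts), and the $Dc and $Zone values are placeholders to replace with your own.

```powershell
<#
  Added example (not from the thread). Audits one AD-integrated zone for:
    1. owner names that carry the zone suffix twice
       (e.g. cdb.domainname.company.ru.domainname.company.ru),
    2. NS records whose target host lives in this zone but has no A (glue) record,
    3. delegations (NS records below the zone apex), which is where a stray
       "<zone>.<zone>" delegation would show up.
  Assumes the root\MicrosoftDNS provider and read access to the target DC.
  $Dc and $Zone are placeholders.
#>
param(
    [string]$Dc   = 'dc39-01.domainname.company.ru',   # placeholder DNS server
    [string]$Zone = 'domainname.company.ru'            # placeholder zone name
)

$ns     = 'root\MicrosoftDNS'
$zoneLc = $Zone.TrimEnd('.').ToLower()
$filter = "ContainerName='$Zone'"

function Get-NormalizedName([string]$Name) {
    # Drop the trailing dot and lower-case so names compare reliably.
    return $Name.TrimEnd('.').ToLower()
}

# All A records in the zone, grouped by owner name.
$aByOwner = @{}
Get-CimInstance -ComputerName $Dc -Namespace $ns -ClassName MicrosoftDNS_AType -Filter $filter |
    ForEach-Object {
        $owner = Get-NormalizedName $_.OwnerName
        if (-not $aByOwner.ContainsKey($owner)) { $aByOwner[$owner] = @() }
        $aByOwner[$owner] += $_.IPAddress
    }

# 1. Owner names ending in the zone name twice: the "double domain name" pattern.
$doubled = @($aByOwner.Keys | Where-Object { $_ -like "*.$zoneLc.$zoneLc" })

# 2. NS records: an NSHost inside this zone needs an A record here (glue),
#    otherwise the delegation cannot be followed. Names outside the zone are
#    resolved normally and are not flagged.
$nsRecords   = @(Get-CimInstance -ComputerName $Dc -Namespace $ns -ClassName MicrosoftDNS_NSType -Filter $filter)
$missingGlue = @(
    foreach ($n in $nsRecords) {
        $target = Get-NormalizedName $n.NSHost
        if ($target.EndsWith(".$zoneLc") -and -not $aByOwner.ContainsKey($target)) {
            [pscustomobject]@{ Delegation = $n.OwnerName; NSHost = $n.NSHost }
        }
    }
)

# 3. Delegations: NS records whose owner is not the zone apex.
$delegations = @(
    $nsRecords |
        Where-Object { (Get-NormalizedName $_.OwnerName) -ne $zoneLc } |
        Select-Object -ExpandProperty OwnerName -Unique
)

# Report.
"Zone {0} on {1}: {2} A owner names, {3} NS records" -f $Zone, $Dc, $aByOwner.Count, $nsRecords.Count
if ($doubled.Count)     { "`nOwner names with doubled zone suffix:"; $doubled }
if ($delegations.Count) { "`nDelegations found in zone:";            $delegations }
if ($missingGlue.Count) { "`nNS records missing in-zone glue:";      $missingGlue | Format-Table -AutoSize }
```

    Run it against each DC that dcdiag lists as failing the Del test; a delegation named like the zone itself, or NS hosts with no glue, points at the stale folder or leftover records that the replies above suggest removing.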
  • Hey Yurly - Did you ever figure anything out on this?  I have the same issue as each DC/DNS server thinks all the others are broken, but we never have any DNS problems.  I do not think it is a metadata problem, but if you figured anything out please post.


    Dave


    • Edited by DaveBryan37 Monday, February 19, 2018 5:37 PM
    Monday, February 19, 2018 5:37 PM
  • The reply by Denis regarding a domain under my domain zone fixed it. There was an entry there for a server still in use with a static IP, but I don't know why it is there.

    You see the pic below. The extra domain name was under that "com".

    Thursday, July 19, 2018 5:24 AM
  • I have the same issues, where my workstation running Windows 10 and the servers running Windows Server 2016 and 2019 are not joining the domain.

    I have tried different approaches from the forum and went through different reading, but I didn't find any solution.

    This last week I tried with the command dcdiag /test:dns and I got the response saying:

    Broken delegated domain mydomain.com mydomain.com.

    Some forums say that there might be a folder which contains domain reference records under my domain; however, there is nothing. Instead, under forest zones in DNS Manager there is a folder .com which has some domain records (full DC FQDN).

    Could anyone help me to find the right solution for my issue?

    I have tried dcdiag /e /v from all of the 6 DCs I have and got some errors (mainly event log errors).

    Would anybody advise from where I could check for errors? Recently demoted DCs were all cleaned from the functional DCs, and also each DC has the primary DNS IP and its own IP is set as secondary DNS.

    Kindly advise, thank you in advance.

    Friday, July 19, 2019 6:49 AM