Remove phantom DNS Server - Windows Server 2003

  • Question

  • Hi,

    I am trying to clean up my DNS setup and have another question - I've just had some very helpful responses to my post about ADI, so, hopefully, I'm on a roll !

    Some time ago, I had a DC/DNS Server fail. I built another machine and added a replacement DC/DNS machine. I had a few problems along the way, but think things are back working much the same as before. (I had to seize the FSMO roles, but things look OK(ish).)

    I'm not sure whether it was during that process, or when I installed SP2, but I am seeing a lot of 4521 Errors in Event Viewer ("The DNS Server encountered error 9002 when attempting to Load one . from Active Directory....."). I don't have the root . zone, but think that the error may have something to do with the old DNS Server ?

    In the MMC DNS Snap-in, under Forward Lookup Zones, below the Domain Name, the IP address of the old DNS Server (which has been removed and will never reappear) is shown as an A record in domaindnszones and forestdnszones.

    Questions.

    Could this be causing the 4521 Errors ?

    Either way, is it safe to delete these orphan A Records ?

    regards

    Dave

    Friday, July 30, 2010 10:22 AM

All replies

  • The IP address of the old DNS server is shown as an A record. This is perfectly normal because it is a member of your domain and each computer in your domain has an A record (You can delete it if you want but the old DNS server will send an update for its DNS records and the A record will appear again).

    Just a remark: If your old DNS server is still known as a DNS server, you will find a NS record for it.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Best regards.

    Friday, July 30, 2010 10:57 AM
  • Try to reinstall dynamic DNS AD-integrated zones following the procedure given by this link and check if the problem is persisting:

    http://support.microsoft.com/kb/294328/en

    Best regards

    Friday, July 30, 2010 11:08 AM
  • Hi again Malek,

    The A record under the name of my domain didn't cause me any concern, that's where all of the other machines (past and present) are shown, but I was a bit surprised to see an A record under domaindnszones and forestdnszones. There are no other records under those sections at all, that's why I thought they may have had something to do with the error message.

    I'm just about to go ahead and change to ADI DNS, should I be worried about this error being present before I make that change, or do you think that I can go back and correct that after the change to ADI ?

    regards

    Dave

    Friday, July 30, 2010 11:25 AM
  • Remove all stale A records corresponding to the decommissioned DC. In addition, you might want to step through http://support.microsoft.com/kb/555846 to make sure all other references to it are deleted. Reload the zones, restart Netlogon on your DCs, and post the results of DCDIAG /v /c from the DC on which you are seeing 4521 errors

    hth
    Marcin

    Friday, July 30, 2010 12:07 PM
  • Ah OK. The problem is clear now, the problem is due to these two zones: domaindnszones and forestdnszones. These application zones are used in AD replications. Remove the wrong records and check if the problem is persisting. If it persists, remove your primary zones and re-create them. If even by doing this your problem is not solved, do what is mentioned in the article I gave you.

    Best regards.

    Friday, July 30, 2010 12:36 PM
  • Marcin,

    before I "bite the bullet" and try Malek's suggestions of deleting the zone or reinstalling it as shown in KB 294328, I did a DCDIAG /v /c as you suggested.

    The only obvious error was :-

          Starting test: VerifyReplicas
             This NC (DC=DomainDnsZones,DC=daveathome,DC=org) is supposed to be
             replicated to this server, but has not been replicated yet. This could
             be because the replica set changes haven't replicated here yet.  If
             this problem persists, check replication of the Configuration
             Partition to this server.
             This NC (DC=ForestDnsZones,DC=daveathome,DC=org) is supposed to be
             replicated to this server, but has not been replicated yet. This could
             be because the replica set changes haven't replicated here yet.  If
             this problem persists, check replication of the Configuration
             Partition to this server.
             ......................... PROLIANT-DL360 failed test VerifyReplicas

    This suggests that the entries in the domaindnszones and forestdnszones branches of the MMC DNS snap-in were the cause of the problems. I have deleted those and stepped through KB555846 but the problem still remains. Do you have any other suggestions before I go to the steps that Malek suggested ?

    regards

    Dave

    Saturday, July 31, 2010 8:50 AM
  • Dave,

    post the output of repadmin /showrepl for the DC experiencing the problem

    For more info regarding the syntax of this command, refer to http://technet.microsoft.com/en-us/library/cc742066(WS.10).aspx

    hth
    Marcin

    Saturday, July 31, 2010 11:37 AM
  • Hi Marcin, thanks a lot !

    Both DCs have the error . . .

    ********************************************************
    (DC1)
    repadmin running command /showrepl against server localhost

    Default-First-Site-Name\PROLIANT-DL360
    DC Options: IS_GC
    Site Options: (none)
    DC object GUID: 87088f92-17ff-40bb-b740-c6e9b07cca56
    DC invocationID: 69a74c45-b09a-42d7-8003-0600753f16f9

    ==== INBOUND NEIGHBORS ======================================

    DC=daveathome,DC=org
        Default-First-Site-Name\POWERAPP120 via RPC
            DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
            Last attempt @ 2010-07-31 12:51:13 was successful.

    CN=Configuration,DC=daveathome,DC=org
        Default-First-Site-Name\POWERAPP120 via RPC
            DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
            Last attempt @ 2010-07-31 12:56:44 was successful.

    CN=Schema,CN=Configuration,DC=daveathome,DC=org
        Default-First-Site-Name\POWERAPP120 via RPC
            DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
            Last attempt @ 2010-07-31 12:50:55 was successful.

    ********************************************************
    (DC2)
    repadmin running command /showrepl against server localhost

    Default-First-Site-Name\POWERAPP120
    DC Options: IS_GC
    Site Options: (none)
    DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
    DC invocationID: d6f43f69-1272-4a54-b89e-0edcde63c962

    ==== INBOUND NEIGHBORS ======================================

    DC=daveathome,DC=org
        Default-First-Site-Name\PROLIANT-DL360 via RPC
            DC object GUID: 87088f92-17ff-40bb-b740-c6e9b07cca56
            Last attempt @ 2010-07-31 13:17:37 was successful.

    CN=Configuration,DC=daveathome,DC=org
        Default-First-Site-Name\PROLIANT-DL360 via RPC
            DC object GUID: 87088f92-17ff-40bb-b740-c6e9b07cca56
            Last attempt @ 2010-07-31 12:56:29 was successful.

    CN=Schema,CN=Configuration,DC=daveathome,DC=org
        Default-First-Site-Name\PROLIANT-DL360 via RPC
            DC object GUID: 87088f92-17ff-40bb-b740-c6e9b07cca56
            Last attempt @ 2010-07-31 12:47:48 was successful.

    ********************************************************

    No obvious errors - well, not to me anyway

    regards

    Dave

    Saturday, July 31, 2010 12:18 PM
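The DCDIAG VerifyReplicas failure and the repadmin /showrepl listing above together make the same point: the showrepl output for each DC lists inbound neighbours for only three naming contexts (the domain, Configuration and Schema), and the two DNS application partitions named by dcdiag (DomainDnsZones and ForestDnsZones) are absent. The following Python script is an added example, not something posted in this thread or shipped with Windows: it parses showrepl-style text, reports naming contexts that have no inbound replication neighbour at all, and flags neighbours whose last attempt failed. The expected-NC list assumes a single-domain forest like the one in the thread (Configuration and Schema hang off the same DN), and the "failed, result N" line shape in the second sample is an assumption about repadmin's failure format; the server names and GUIDs are copied from the posted output, everything else is constructed.

```python
import re

# Constructed sample in the shape of the "repadmin /showrepl" output posted in
# the thread (server names and GUIDs as posted; only the layout is retyped).
SAMPLE_SHOWREPL = r"""
repadmin running command /showrepl against server localhost

Default-First-Site-Name\PROLIANT-DL360
DC Options: IS_GC
Site Options: (none)
DC object GUID: 87088f92-17ff-40bb-b740-c6e9b07cca56
DC invocationID: 69a74c45-b09a-42d7-8003-0600753f16f9

==== INBOUND NEIGHBORS ======================================

DC=daveathome,DC=org
    Default-First-Site-Name\POWERAPP120 via RPC
        DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
        Last attempt @ 2010-07-31 12:51:13 was successful.

CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\POWERAPP120 via RPC
        DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
        Last attempt @ 2010-07-31 12:56:44 was successful.

CN=Schema,CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\POWERAPP120 via RPC
        DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
        Last attempt @ 2010-07-31 12:50:55 was successful.
"""

# Constructed variant: one extra neighbour entry for DomainDnsZones whose last
# attempt failed. The "failed, result N (0x..)" line shape is an assumption.
SAMPLE_FAILING = SAMPLE_SHOWREPL + r"""
DC=DomainDnsZones,DC=daveathome,DC=org
    Default-First-Site-Name\POWERAPP120 via RPC
        DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
        Last attempt @ 2010-07-31 12:58:01 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
"""

NC_RE = re.compile(r"^(?:CN|DC)=\S+$")                 # unindented naming-context DN
PARTNER_RE = re.compile(r"^\s+(\S+) via (\S+)\s*$")    # "<site>\<server> via RPC"
ATTEMPT_RE = re.compile(
    r"^\s+Last attempt @ (\S+ \S+) (?:(was successful)|failed, result (\d+))")


def parse_showrepl(text):
    """Map each NC in the INBOUND NEIGHBORS section to its list of neighbour entries."""
    neighbors, in_inbound, current_nc, current = {}, False, None, None
    for line in text.splitlines():
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if line.startswith("===="):          # any other section ends inbound parsing
            in_inbound = False
            continue
        if not in_inbound:
            continue
        if NC_RE.match(line):
            current_nc = line.strip()
            neighbors.setdefault(current_nc, [])
            continue
        m = PARTNER_RE.match(line)
        if m and current_nc is not None:
            current = {"partner": m.group(1), "transport": m.group(2),
                       "last_attempt": None, "ok": None, "result": 0}
            neighbors[current_nc].append(current)
            continue
        m = ATTEMPT_RE.match(line)
        if m and current is not None:
            current["last_attempt"] = m.group(1)
            current["ok"] = m.group(2) is not None
            current["result"] = int(m.group(3)) if m.group(3) else 0
    return neighbors


def expected_naming_contexts(domain_dn):
    """NCs a Windows Server 2003 GC with AD-integrated DNS should replicate.
    Assumes a single-domain forest, so Configuration/Schema share the domain DN."""
    return [domain_dn,
            "CN=Configuration," + domain_dn,
            "CN=Schema,CN=Configuration," + domain_dn,
            "DC=DomainDnsZones," + domain_dn,
            "DC=ForestDnsZones," + domain_dn]


def _norm(dn):
    return dn.replace(" ", "").lower()   # DN comparison is case-insensitive


def check_replication(text, domain_dn):
    """Return (NCs with no inbound neighbour, [(nc, partner, result) for failed attempts])."""
    seen = parse_showrepl(text)
    seen_norm = {_norm(nc) for nc in seen}
    missing = [nc for nc in expected_naming_contexts(domain_dn) if _norm(nc) not in seen_norm]
    failing = [(nc, n["partner"], n["result"])
               for nc, entries in seen.items() for n in entries if n["ok"] is False]
    return missing, failing


if __name__ == "__main__":
    for label, sample in (("DC1 as posted", SAMPLE_SHOWREPL), ("constructed failure", SAMPLE_FAILING)):
        missing, failing = check_replication(sample, "DC=daveathome,DC=org")
        print(f"[{label}] NCs with no inbound neighbour: {missing or 'none'}")
        for nc, partner, result in failing:
            print(f"[{label}] FAILING {nc} from {partner}: result {result}")
```

Run against the posted output it reports both DNS application partitions as having no inbound neighbour, which is the condition dcdiag's VerifyReplicas test complained about; a partition that is present but whose partner keeps failing shows up separately with its Win32 result code, so the two causes (zone never replicated versus replication broken) are not confused.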
  • In general, there are two ways to store DNS zones in AD - either in the domain naming context (DC=daveathome,DC=org) or in application partitions DomainDNSZones and ForestDNSZones (which, in your case, would correspond to DC=DomainDNSZones,DC=daveathome,DC=org and DC=ForestDNSZones,DC=daveathome,DC=org). The first mechanism was the only one available in Windows Server 2000-based DNS, the second was introduced in Windows Server 2003.

    To resolve the issue (i.e. switch to the second type of AD storage of DNS zones), implement the second of these mechanisms by following http://support.microsoft.com/kb/867464

    hth
    Marcin

    Saturday, July 31, 2010 1:19 PM
  • Hi Marcin,

    the kb article refers to deleting a DNS Zone which exists in multiple areas ?

    As far as I can see, my DNS Zone does not exist in DomainDNSZones or ForestDNSZones, when I try to connect to the DomainDNSZones or ForestDNSZones as shown in the KB article, I get a "A referral was returned from the server" warning box which I take to mean that it could not be found?

    I could not see a way to add the domain into DomainDNSZones or ForestDNSZones in the kb article, just how to remove it if it already existed in multiple places ?

    regards

    Dave

    Saturday, July 31, 2010 4:13 PM
  • This is a link about how to add the DomainDNSZones partition:

    http://www.windowsitpro.com/article/dns/q-how-can-i-create-the-domaindnszones-directory-partition-.aspx

    Best regards.

    Saturday, July 31, 2010 4:17 PM
  • This is a link about how to add the ForestDNSZones partition:

    http://www.windowsitpro.com/article/dns/q-how-can-i-create-the-forestdnszones-directory-partition-.aspx

    Best regards.

    Saturday, July 31, 2010 4:19 PM
  • Hi Malek,

    thanks a lot for the links - they describe creating the partitions if a server was migrated from Windows 2000. Both of these machines were built as Windows 2003 (mixed mode) servers. When I tried to execute the instructions in the articles, the system reported that the partitions already existed.

    The problem seems to be that they are not populated with the zone data and I can't move the current zone into one of these partitions ? 

    It looks like I'm going to have to take a deep breath and remove the primary zone and recreate it as per your previous suggestion, I was hoping that this would not be required though.

    regards

    Dave

    Saturday, July 31, 2010 5:48 PM
  • Ok, proceed by re-creating your current zones. This should solve your problem.

    Best regards.

    Saturday, July 31, 2010 5:55 PM
  • Hi again!

    OK, sorry for being a pain !

    I'm just about to re-create the current zones following http://support.microsoft.com/kb/294328/en, but I'm afraid there are a couple of items not clear to me and I'd appreciate it if someone could clear them up for me before I take the plunge please ?

    1. The article is listed as applying to Windows 2000 Server, I assume that it is also valid for Windows 2003 Server?

    2. Section 1, Step 3 says "Delete the object in Active Directory Users and Computers."

    Which object is this talking about - is it the zone file objects described in Step 4?

    If so, would that include the reverse lookup zone too?

    3. Section 1, Step 4 says "For each Active Directory-integrated DNS server, repeat steps 1-3."

    I guess that this should be steps 1-4?

    4. Section 1, Step 8 says "Stop and restart DNS and the NetLogon service. Then, remove and re-add the DNS service."

    I'm not sure what this means - is it really asking for the DNS Service to be removed and re-added through Add/Remove Programs, Networking, DNS ?

    regards

    Dave

    Monday, August 2, 2010 4:20 PM
  • Don't follow this article. Go to the DNS snap-in, delete your zones and re-create them with the use of this article:

    http://support.microsoft.com/kb/323445

    Monday, August 2, 2010 4:24 PM
  • No joy !

    The article does not apply to ADI DNS Zones, so I changed both DNS Servers to Primary without ADI

    Deleted the zones from both DNS Servers

    Added back the zone to the first DC

    Added the Reverse Lookup Zone

    Changed back to ADI

    Zones replicated to the second DNS Server, but still getting the 4521 Errors ?

    AAArrghhhh

    Regards

    Dave

    Monday, August 2, 2010 5:03 PM
  • Have you tried to restart the DNS server?
    Monday, August 2, 2010 5:26 PM
  • I hadn't, but have just done so, restarted both DC/DNS Servers.

    Still the same, both machines report the 4521 error every three minutes.

    regards
    Dave

    Monday, August 2, 2010 6:05 PM
  • I've come across this subject in another thread in a locked list. I can't see the details because I'm not a subscriber to that list, but I have seen a reference to the following command :-

    dnscmd /config /bootmethod

    I have just tried this, and not seen any errors for more than 6 minutes !
    (I would normally have seen 2 errors by now)

    I have not the faintest idea what this command does, but at the risk of speaking too soon, it may be a fix ?

    regards
    Dave

    • Marked as answer by dave_home Monday, August 2, 2010 7:46 PM
    • Unmarked as answer by dave_home Wednesday, August 4, 2010 11:39 AM
    Monday, August 2, 2010 6:20 PM
  • Dave - refer to http://technet.microsoft.com/en-us/library/cc756116(WS.10).aspx

    If you used the default (which appears to be the case), then you are effectively loading the DNS config from AD/registry...

    hth
    Marcin

    Monday, August 2, 2010 6:25 PM
  • Hi Marcin,

    thanks for the pointer to the dnscmd syntax page, yes, the default (AD/Registry) is what has been set up.

    Without issuing the dnscmd /config /bootmethod command, the system was continually reporting the errors.

    This seems to have fixed it (for the moment) but I have just found another thread which suggests that the error will come back if the server or DNS is restarted (I will try that shortly). The last post in that thread (http://forums.techarena.in/server-dns/708923-2.htm) suggests that I'll need to make the setting "Registry Only" to have a permanent fix.

    Can you see any issue with changing from the default (AD/Registry) to "Registry"?

    regards

    Dave

    Monday, August 2, 2010 6:36 PM
  • Fingers Crossed - > 6 minutes and no 4521 errors reported, so maybe I don't need to change the bootmethod after all.

    It's strange that I have not done anything other than to select the same (default) bootmethod option and it seems to have fixed it.

    Hopefully, things are fixed now though.

    I guess the only problem through all of this is that I have lost the A records for most of the machines in the domain, they are still present in "Active Directory Users and Computers", just not in the Zone or Reverse Lookup Zone. Will DNS ever rediscover them, or must I recreate the A records manually ?

    regards

    Dave

    Monday, August 2, 2010 7:03 PM
  • In general, this is not recommended.

    Refer to http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx for details

    hth
    Marcin

    Monday, August 2, 2010 7:05 PM
  • DNS will rediscover them. Don't worry.
    Monday, August 2, 2010 7:16 PM
  • Well guys, I'm hopeful that things are looking OK now.

    Thank you very much for all your assistance on this, particularly for bearing with my obvious lack of knowledge of DNS!

    (Those references to the various technet articles have been really useful, how do you manage to remember where they are ?)

    I'm not sure whether I'm supposed to do this, but I marked my own post about "dnscmd /config /bootmethod" as being the answer although I'm happy to unmark it if either of you thinks that there was a more appropriate answer or wants to write something else to help other searchers in future?

    regards

    Dave

    Monday, August 2, 2010 7:54 PM
  • Oh well - spoke too soon !

    Just rebooted the DC and the 4521 error returned !

    Cleared it again with the "dnscmd /config /bootmethod" command.

    As I mentioned previously, it seems like a change to load zones from "Registry" only may be required to permanently fix this - is there a downside to this setting, rather than using "From Active Directory and Registry"?

    regards

    Dave

    Tuesday, August 3, 2010 7:47 PM
  • AFAIK, load from registry is OK. Check this http://technet.microsoft.com/en-us/library/cc959270.aspx
    Monday, August 9, 2010 11:40 AM
  • Hello,

    Hope you have removed the entries from the DNS Console as below.

    Dnsmgmt.msc [Dns Management]
    A.Expand the forward lookup zones\_msdcs folder
    i. Make sure only the actual domain controllers are listed, delete wrong Alias records and remove wrong name server records
    ii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites_\sitename\_tcp] > delete incorrect _ldap and _kerberos records are listed.
    iii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records
    iv. Expand the [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries
    v. Select [forward lookup zones\_msdcs.domain.com\gc] – delete incorrect HostA records
    vi. Expand the [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] – delete incorrect _ldap entries
    vii.Select the [forward lookup zones\_msdcs.domain.com\gc\_tcp] – delete incorrect _ldap entries
    viii. Select the [forward lookup zones\_msdcs.domain.com\pdc\_tcp] – delete incorrect _ldap entries
     
    B.Expand the forward lookup zones\domain.com folder
    i. Delete Host (A) records of DCs which are non-existent.
    ii.Correct the NameServer (NS) records
    iii. Follow steps similar to ’ A ii ‘ >> ‘ A viii’
     
    · Dssite.msc [Sites and Services]
    A. Expand the [Sites\Sitename\Servers] – delete incorrect servers
    B.Delete incorrect subnet configurations [Sites\Subnets]
    C.Delete incorrect site links [Sites\IP]
     
    · Make sure the domain controllers are pointing to the correct dns servers in tcp\ip settings.
    · Force replication – ‘repadmin /syncall’

    Wednesday, May 27, 2015 8:50 AM
  • Looks the thread is almost 5 year old :)

    Devaraj G | Technical solution architect

    Wednesday, May 27, 2015 11:03 AM
  • Hi,

    Any updates on above?

    Monday, June 1, 2015 12:01 PM