The dynamic registration of the DNS record - Problems

    Question

  • I inherited a system someone else built.  We're an MS shop and have an AD 2003 domain.  The domain controllers constantly complain that they can't update some external IP with dynamic DNS changes.  I've read up on dynamic DNS and I understand how it works internally but I can't for the life of me find this setting where someone told our DNS to update with an external IP.  We do have external DNS as well but that's hosted by an upstream provider and of course uses routable IP associations to get public traffic to our NAT.

    Internally we set different DNS using unroutable space for the internal users to get to the same server farms.

    I want dynamic dns used with internal DHCP but I see no reason at all to try to dynamically update any external dns servers with this internal information.  Here are the errors..

     

    The dynamic registration of the DNS record '_kpasswd._udp.ncsbcs.org. 600 IN SRV 0 100 464 IBTSDC2008.ibts.org.' failed on the following DNS server: 

    DNS server IP address: 65.18.193.98
    Returned Response Code (RCODE): 5
    Returned Status Code: 9017 

    The dynamic registration of the DNS record '_kerberos._udp.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 

    DNS server IP address: 65.18.193.98
    Returned Response Code (RCODE): 5
    Returned Status Code: 9017 

    The dynamic registration of the DNS record '_gc._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 

    DNS server IP address: 65.18.193.98
    Returned Response Code (RCODE): 5
    Returned Status Code: 9017 

    The dynamic registration of the DNS record '_ldap._tcp.HERNDON._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 

    DNS server IP address: 65.18.193.98
    Returned Response Code (RCODE): 5
    Returned Status Code: 9017 

    The dynamic registration of the DNS record 'd3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ncsbcs.org. 600 IN CNAME IBTSDC2008.ibts.org.' failed on the following DNS server: 

    DNS server IP address: 65.18.193.98
    Returned Response Code (RCODE): 5
    Returned Status Code: 9017 

    ncsbcs.org is an old domain that no longer exists here.  Someone upgraded this domain and didn't do it right so I find weird places where ncsbcs.org comes up. I even found old DCs in AD that don't exist anymore but I managed to clean that up.

    Any help is greatly appreciated..

    Thursday, April 07, 2011 7:13 PM

All replies

  • Hi

    If you have an old domain that is not removed correctly I would look up How to remove orphaned domains from Active Directory.

     

     


    Oscar Virot
    • Proposed as answer by Guowen Su Thursday, April 21, 2011 5:31 PM
    Thursday, April 07, 2011 8:48 PM
  • Statistic,

    Is 65.18.193.98 configured as a DNS address in the machine's NIC properties? Can we see an ipconfig /all from this machine?

    Also check the nameservers tab of the ibts.org zone to make sure the list reflects your current DC/DNS servers, that is assuming only your DCs are your DNS servers.

    I also concur with Oscar to perform a metadata cleanup to remove any old domains and DCs from the AD database.

    You mentioned that you managed to clean up the old DCs. Did you use the metadata cleanup procedure, or just delete them from ADUC and Sites & Services? If not, the procedure to remove old DCs is pretty much the same as in the article that he posted using the metadata cleanup procedure with ntdsutil. Just in case you didn't use that procedure, here's another link showing how to remove the old DCs or at least making sure they were removed.

    Complete Step by Step Guideline to Remove an Orphaned Domain controller
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, April 08, 2011 5:38 AM
  • Since this is an AD domain controller, the dns settings in the nic are to itself and another DC.

    I've checked the DC section of each site in DNS in the _msdcs Forward lookup zone and all domain controllers are correct.

    I did use the metadata cleanup procedure to clean the old DCs.  However I don't remember using that for cleaning up an old "domain" so I'll look back into that.

    Where exactly would you set it up in the domain, to forward dynamic updates to an external IP?  I can't even find that setting.

    Friday, April 08, 2011 2:15 PM
  • Good to hear you did a metadata cleanup for the old DCs. Definitely take care of the old domain reference.

    As for the failed registrations for that 65.18.193.98 IP, the only thing that really would cause that is if that IP is being referenced in NIC properties as a DNS address. However, you've confirmed that all of your DCs are only configured to use itself as 1st, and another DC as 2nd. Let's take a look at NIC properties again, IP4, click on Advanced, then DNS tab. Are there any other DNS addresses configured?

    Are there any disconnected NICs (not disabled) that show Disconnected in Network Sharing or Network Connections window in Control Panel? If so, make sure they are disabled so you only have the one current NIC as active.

    Is RRAS on this machine?

    Did you also check the Nameserver Tab for both zones (_msdcs.ncsbcs.org and ncsbcs.org zones) for any old DC or any other IP reference for anything else other than you current DCs?

    Ace


    Ace Fekay

    Friday, April 08, 2011 7:14 PM
  •   Here is the actual output.


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : IBTSDC2008
       Primary Dns Suffix  . . . . . . . : ibts.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ibts.org

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82567LM-3 Gigabit Network Connection
       Physical Address. . . . . . . . . : F0-4D-A2-23-91-0B
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.40.34(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.40.1
       DNS Servers . . . . . . . . . . . : 192.168.40.34
                                           192.168.40.83
                                           127.0.0.1
       Primary WINS Server . . . . . . . : 192.168.40.34
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{9D2B7431-C487-4547-828D-93F3307CDB66}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : IBTS_5
       Primary Dns Suffix  . . . . . . . : ibts.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ibts.org

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
       Physical Address. . . . . . . . . : 00-19-B9-DA-9E-49
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.40.2
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.40.1
       DNS Servers . . . . . . . . . . . : 192.168.40.34
                                           192.168.40.83
       Primary WINS Server . . . . . . . : 192.168.40.2

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : IBTS_6
       Primary Dns Suffix  . . . . . . . : ibts.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ibts.org

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
       Physical Address. . . . . . . . . : 00-1E-C9-B9-38-B9
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.40.83
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.40.1
       DNS Servers . . . . . . . . . . . : 192.168.40.83
                                           192.168.40.34
       Primary WINS Server . . . . . . . : 192.168.40.2

     

    I checked every NIC manually, even disabled ones, and I find nothing with that IP.

    2 of the servers have disabled NICs but I checked them anyway.

    RRAS is not running on any of the 3 DCs.

    As far as the zones, there is no zone for ncsbcs.org.  I ran that cleanup procedure but in ntdsutil it only lists my one domain so nothing to clean up.

    server connections: connect to server ibtsdc2008
    Binding to ibtsdc2008 ...
    Connected to ibtsdc2008 using credentials of locally logged on user.
    server connections: quit
    metadata cleanup: select operation target
    select operation target: list domains
    Found 1 domain(s)
    0 - DC=ibts,DC=org
    select operation target:

    So, nothing there..

    In the DNS console I can't find anything.  I don't see a nameservers "tab" in the console but I did open every single submenu under every item in the list starting with forward Lookup Zones \ ibts.org

     

    Back to square 1

    Friday, April 08, 2011 7:42 PM
  • The ipconfigs look clean. The Nameserver tab would be in each specific zone's properties for _msdcs.ibts.org and ibts.org.

    Is that 65 address referenced anywhere, possibly as a forwarder on any of the machines? Not that a forwarder will do it, but just curious.

    Ok, more work for you to do... check each DC's registry, HKLM\System\CCs\Service\TCPIP\Parameters\Interfaces, and check each interface for that DNS address.

    Ace


    Ace Fekay

    Friday, April 08, 2011 8:28 PM
  • There is one forwarder set up but it's to one of the existing servers, ibts_6

    Nothing in the name servers tab for ibts.org

    No conditional forwarders

    Nothing in the registry on all 3 DCs for either ncsbcs.org or 65.18.193.98

    I also did a search in adsiedit.msc in both the configuration and the default naming contexts of the AD database for ibts.org and couldn't find anything.

     

    Friday, April 08, 2011 8:38 PM
  • Hmm, interesting.

    As for the forwarders, you have a forwarder set from one DC to another? Unless there's a DNS delegation, you don't want to set forwarding between DCs or it can create a forwarding loop.

    I'm running out of ideas. ...

    Ace


    Ace Fekay

    Friday, April 08, 2011 8:47 PM
  • That's ok, thanks for the help.  I'm removing the forwarder, not sure why my predecessors put that in there.  I'm slowly but surely running analyzers and finding problems with Exchange and the domain on and on, and fixing them.  BEST PRACTICES!
    Friday, April 08, 2011 8:51 PM
  • I found a lot of interesting items here.  I'm going to try some of them.

    http://www.eventid.net/display.asp?eventid=5774&eventno=353&source=NETLOGON&phase=1

    Friday, April 08, 2011 9:06 PM
  • Be careful with some of them, such as delaying the netlogon start value, which wouldn't apply to your case. The issue is something within this specific DC is sending a registration request to 65.18.193.98. That was why I was focusing on the NIC properties.

    I ran an nslookup on it, and came up with this:

    Name:    dns1.serverhost.net
    Address:  65.18.193.98

    Does the name serverhost.net sound familiar? Is it a web hosting service or a server hosting company your company is using or once used? I tried www.serverhost.net, but no good, but www.serverhost.com works. It's in the UK.

    Something, somewhere is configured with this address.

     

    For Exchange, run the Exchange Best Practice Analyzer (ExBPA). If this is Exchange 2003, download the latest from Microsoft's site. If it's Exchange 2007 or 2010, it's builtin in the Tools section.

    Ace

     


    Ace Fekay

    Friday, April 08, 2011 9:30 PM
  • It is familiar and they were our primary external DNS provider until recently.  That still doesn't help me though, I can't find the setting someone put in that's trying to dynamically update an external server with internal information.
    Friday, April 08, 2011 11:00 PM
  • Thinking further about this, nothing else that I can think of will register SRV records other than the netlogon service. Check the Netlogon service registry entries. Matter of fact at this point, may as well just search the whole registry for that IP.

    Curious - use notepad to look at the system32\config\netlogon.dns file. Do you see the IP anywhere in it?

    Is it possible that in both zone's properties, Start of Authority tab, that IP's actual name, dns1.serverhost.net, was put in as the SOA?

    Ace

     


    Ace Fekay

    Saturday, April 09, 2011 3:08 AM
  • I had already searched both the registry and AD for instances of that IP, or the domain.  I think you hit on something though.  I just checked that netlogon.dns file and it has these entries.

    _ldap._tcp.DC._sites.DomainDnsZones.ibts.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.
    ncsbcs.org. 600 IN A 192.168.40.34

    _ldap._tcp.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.

    _ldap._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.
    _ldap._tcp.pdc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.
    _ldap._tcp.gc._msdcs.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.
    _ldap._tcp.HERNDON._sites.gc._msdcs.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.
    _ldap._tcp.82e701ca-666f-4d74-8a83-5e73e184d53b.domains._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.
    gc._msdcs.ncsbcs.org. 600 IN A 192.168.40.34
    d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ncsbcs.org. 600 IN CNAME IBTSDC2008.ibts.org.
    _kerberos._tcp.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.
    _kerberos._tcp.HERNDON._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.
    _ldap._tcp.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.
    _ldap._tcp.HERNDON._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.
    _kerberos._tcp.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.
    _kerberos._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.
    _gc._tcp.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.
    _gc._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.
    _kerberos._udp.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.
    _kpasswd._tcp.ncsbcs.org. 600 IN SRV 0 100 464 IBTSDC2008.ibts.org.
    _kpasswd._udp.ncsbcs.org. 600 IN SRV 0 100 464 IBTSDC2008.ibts.org.

    _ldap._tcp.Bossier._sites.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.

    _ldap._tcp.Bossier._sites.gc._msdcs.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.

    _kerberos._tcp.Bossier._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.

     

    and a couple more lines.  I still don't see that 65.18.193.98 address but I see ncsbcs.org all over the place.  That's an old domain we used to host but we changed to ibts.org before I started working here.  I keep finding trash references like this.  Someone didn't do the changeover correctly.

     

    Can I just remove the lines from this file that reference ncsbcs?  I would imagine I need to shut down DNS first, then change it, then start DNS, then force replication from the local server?  Or something like that..

     

    I checked every one of them starting with the ibts.org

    In one PTR zone I found this as the "Responsible Person"

    hostmaster.ncsbcs.org.

    But that was for only one PTR record and obviously that's just the contact field.

     

    In the Advanced tab of the top level DNS server property in server options "Bind Secondaries" is checked.  Shouldn't that be off?

    Monday, April 11, 2011 2:40 PM
  • That may be how it's trying to register into that IP address. It's finding the SOA for ncsbcs.org. In that PTR zone, delete the reference to hostmaster.ncsbcs.org, and change the domain name to your current domain. Check all other zone NS and SOA properties, too.

    As far as the netlogon.dns file, rename this file to netlogon.dns.old and rename the netlogon.dnb to netlogon.dnb.old, then run:

    • ipconfig /registerdns
    • net stop netlogon
    • net start netlogon

    It will recreate the file. Now open it again. If you are still seeing the old reference, then it is picking it up from DNS settings and/or AD database. That's how that file is created. The system will take the file, once netlogon creates it, then registers it into DNS under the AD zone name.

    If it still exists, and you can't find it anywhere on any zone in DNS, search the reg again this time for ncsbcs.org.

    Ace

     


    Ace Fekay

    Monday, April 11, 2011 7:11 PM
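
The following Python sketch is an added example, not code from the thread or from Microsoft. It audits a copy of netlogon.dns for records outside the expected AD domain, lists the internal details each one would disclose in a dynamic update, and flags Netlogon failure events whose target DNS server is not a private address. The sample text reuses records and one event quoted in this thread plus one constructed event; the function names and the expected-domain list are assumptions.

```python
import ipaddress
import re

# Standard DNS response codes (RFC 1035 / RFC 2136).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET",
          9: "NOTAUTH", 10: "NOTZONE"}

# One netlogon.dns line: owner, TTL, class IN, type, rdata.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

# Netlogon event text: quoted record, then the server IP and RCODE lines.
EVENT_RE = re.compile(
    r"dynamic (?P<op>registration|deletion) of the DNS record '(?P<record>[^']+)'"
    r".*?DNS server IP address:\s*(?P<server>[0-9A-Fa-f:.]+)"
    r".*?\(RCODE\):\s*(?P<rcode>\d+)", re.S)

# Records quoted in the thread (hypothetical file copy for offline analysis).
SAMPLE_NETLOGON_DNS = """\
_ldap._tcp.DC._sites.DomainDnsZones.ibts.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.
ncsbcs.org. 600 IN A 192.168.40.34
_gc._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.
d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ncsbcs.org. 600 IN CNAME IBTSDC2008.ibts.org.
_kpasswd._udp.ncsbcs.org. 600 IN SRV 0 100 464 IBTSDC2008.ibts.org.
"""

# First event is quoted in the thread; the second is constructed for contrast.
SAMPLE_EVENTS = """\
The dynamic registration of the DNS record '_kerberos._udp.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server:

DNS server IP address: 65.18.193.98
Returned Response Code (RCODE): 5
Returned Status Code: 9017

The dynamic registration of the DNS record '_ldap._tcp.ibts.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server:

DNS server IP address: 192.168.40.83
Returned Response Code (RCODE): 9
"""


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (label-boundary match)."""
    n, d = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def parse_records(text):
    """Parse netlogon.dns-style lines into dicts, skipping anything else."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append({"owner": owner, "ttl": int(ttl),
                            "rtype": rtype, "rdata": rdata})
    return records


def disclosed(rec):
    """Internal details this record reveals to whichever server receives the update."""
    items = []
    labels = rec["owner"].rstrip(".").split(".")
    if "_sites" in labels and labels.index("_sites") > 0:
        items.append("site:" + labels[labels.index("_sites") - 1])
    if rec["rtype"] == "A":
        try:
            if ipaddress.ip_address(rec["rdata"]).is_private:
                items.append("internal-ip:" + rec["rdata"])
        except ValueError:
            pass  # malformed address, nothing to classify
    elif rec["rtype"] in ("SRV", "CNAME"):
        items.append("host:" + rec["rdata"].split()[-1].rstrip("."))
    return items


def audit_netlogon_dns(text, ad_domains):
    """Return (owner, type, disclosed details) for records outside ad_domains."""
    return [(r["owner"], r["rtype"], disclosed(r))
            for r in parse_records(text)
            if not any(in_domain(r["owner"], d) for d in ad_domains)]


def parse_update_failures(event_text):
    """Extract each failed update and mark those sent to a non-private server."""
    results = []
    for m in EVENT_RE.finditer(event_text):
        server = ipaddress.ip_address(m.group("server"))
        rcode = int(m.group("rcode"))
        results.append({"op": m.group("op"),
                        "owner": m.group("record").split()[0],
                        "server": str(server),
                        "rcode": RCODES.get(rcode, str(rcode)),
                        "external": not server.is_private})
    return results


if __name__ == "__main__":
    for owner, rtype, details in audit_netlogon_dns(SAMPLE_NETLOGON_DNS, ["ibts.org"]):
        print("stale", rtype, owner, details)
    for failure in parse_update_failures(SAMPLE_EVENTS):
        print(failure)
```
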
  • Well the hostmaster record was just the email portion but I changed it and couldn't find any others.

    I did the procedure for the netlogon files but when they regenerated, the ncsbcs.org data was there again.

    Unfortunately I already searched both AD using the adsi util and regedit for both that IP and ncsbcs.org and can't find any references.

    I just manually dug through every DNS configuration but I can't find anything.  However MS DNS is new to me and there is one item that I'm curious about but I'm afraid to remove it.  I'm thinking it might be the problem though because it looks like a SID so I can't tell what it is.

    Under DNS, then my domain controller then forward lookup zones\ibts.org\_msdcs\domains there is a folder with a SID instead of a normal name.  It's a folder called 82e701ca-666f-4d74-8a83-5e73e184d53b

    Underneath that is a _tcp folder and in that are 3 _ldap srv records which resolve to the 3 current ibts.org domain controllers.

    I searched the registry and AD for that SID and I can't find anything.  I'm afraid to delete that though if that's important for the ibts.org domain.

    I just manually scoured every record and every properties page for every item in the DNS management console and I can find no references to ncsbcs.org nor that IP.

     

     

    Monday, April 11, 2011 8:47 PM
  • Those are CNAME GUIDS, one for each DC. You'll want to leave them alone.

    It sounds like you'll need to go through ADSI Edit, zone properties for each zone, and see if the ncsbcs.org is referenced. This should help to understand ADSI Edit to find the info in the AD database:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    I don't know what the previous person did, and I bet they were getting the same errors even when that domain was up, because we normally do not try to register into any ISP's DNS, but whatever the person did, it sure made this challenging for you!!

    Ace


    Ace Fekay

    • Marked as answer by Rick TanModerator Thursday, April 14, 2011 7:54 AM
    • Unmarked as answer by Statistic Monday, April 18, 2011 9:49 PM
    Monday, April 11, 2011 10:22 PM
  •  

    The dynamic registration of the DNS record '_ldap._tcp.Galveston._sites.gc._msdcs.ncsbcs.org.' for the remote domain controller 'Saigon.ibts.org' failed on the following DNS server: 

    DNS server IP address: 65.18.193.98
    Returned Response Code (RCODE): 5
    Returned Status Code: 9017 

     

    I went through that whole procedure and I can still find no trace of ncsbcs.org in either the registry or AD, yet I still keep getting these alerts..

    The saddest part is I've added a few more RODCs to our network like "Galveston" and I'm seeing new messages for the new DCs in the event logs.
    Monday, April 18, 2011 9:53 PM
  • Trying to refresh my memory, and this thread has grown - were there any references to this external IP or ncsbcs.org under any of the zone properties, under the SOA entry, Nameservers tab, or as a Zone transfer? How about forwarders?

    Ace


    Ace Fekay

    Monday, April 18, 2011 10:24 PM
  • I've checked everywhere.  I went into every property in DNS.  It's almost like there is an invisible zone ncsbcs.org with its own replication properties but it doesn't show up in the DNS console.  I've followed those procedures looking at

    DC=ForestDNSZones, DC=contoso, DC=com
    DC=DomainDNSZones,DC=contoso,DC=com

    Default Naming Context

    NIC properties on every NIC interface on every DC

    Registry on every DC

    Other places in AD

    I looked for flat files in the system32\dns folders on every DC (even though it's obvious my problem is with dynamic DNS and an integrated zone)

    I've checked every single properties page in DNS.

    It has to be coming from AD because I added about 4 RODCs in the last 6 months at remote offices, and now those are showing up with the replicated data errors.  Like Galveston is a new site that doesn't even have its RODC yet, I'm about to build it, but yet this error is now showing up on one of my DCs

    The dynamic registration of the DNS record '_ldap._tcp.Galveston._sites.gc._msdcs.ncsbcs.org.' for the remote domain controller 'Saigon.ibts.org' failed on the following DNS server: 

    Galveston is a new site with no RODC, Saigon is a new RODC in another office.

    ncsbcs was the name of this company before we split off of them (long before I came here).  So I find references to ncsbcs a lot.  Like our primary mail server is called ncsbcs2.  Also when we log in to our Deltek time collection system the domain to log in is ncsbcs (not Active Directory though, just what they named it).

    When whoever upgraded or split off from the old ncsbcs domain did it, they didn't do it right, because I found ghost references in AD to some domain controllers that didn't exist.  I removed them using the technet procedure.

    The problem is I can't find any trace in the registry or AD for that IP or ncsbcs.org.  I've searched all of the default parts of AD like configuration, schema, etc.. then I also followed the procedures in that link and searched the

    DC=ForestDNSZones, DC=contoso, DC=com
    DC=DomainDNSZones,DC=contoso,DC=com

    portions.  nothing..

    Monday, April 18, 2011 11:21 PM
  • Does the netlogon.dns file still show that domain name?

    If so, it is DEFINITELY coming from a configuration somewhere in the AD database. The netlogon service assembles that file from what it finds in AD. If this is the case, you may want to break out ntdsutil with the Metadata Cleanup process again and take a deeper look.

    Ace


    Ace Fekay

    Tuesday, April 19, 2011 5:53 AM
  • Yes, you had me rename and rebuild it and that stuff reappears.
    Tuesday, April 19, 2011 1:28 PM
  • Then it's still definitely in the AD database if it is still showing up in the netlogon.dns file. Maybe at this point, it may be better to contact Microsoft PSS to assist and take a look at your AD database for things that you may be missing. They charge a one shot fee around USD $250 no matter how long it takes.

    If you choose this option, here's the link to get you started. You may want to refer them to the link to this thread, too, in your problem description:
    http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;select&target=assistance

    Ace


    Ace Fekay

    Tuesday, April 19, 2011 3:40 PM
  • Thanks, we've used them from time to time for SharePoint issues so we're familiar.  This would be the first thing I haven't been able to figure out on my own but I don't feel too bad since someone else arfed it up before I got here :)

     

    I'm not even sure what the implications are if I just leave it be.  I may just take my time and learn new and better ways to dig through the AD database.   That can't be bad experience to have.


    You've been very helpful and I agree it's in the AD db somewhere.
    Tuesday, April 19, 2011 5:25 PM
  • No problem for the help. I'm trying!

    Another thought - Try under AD Domains and Trusts, see if it's configured as a trust (it shouldn't be) or as an additional Suffix.

    What's the long term? Not sure, but it shouldn't be there.

    Ace


    Ace Fekay

    Tuesday, April 19, 2011 7:54 PM
  • Also, I assume you searched using ADSI Edit?

    How to edit an LDAP query in custom search by using ADSI Edit
    http://support.microsoft.com/kb/312299

    I need a better utility than ADSIedit to deep-search my Active Directory
    http://www.winserverkb.com/Uwe/Forum.aspx/windows-server-dns/1543/I-need-a-better-utility-than-ADSIedit-to-deep-search

     


    Ace Fekay

    Tuesday, April 19, 2011 7:59 PM
  • No problem for the help. I'm trying!

    Another thought - Try under AD Domains and Trusts, see if it's configured as a trust (it shouldn't be) or as an additional Suffix.

    What's the long term? Not sure, but it shouldn't be there.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    We have no trusts, 1 domain 1 forest (for now) but good thinking.
    Tuesday, April 19, 2011 8:22 PM
  • I just ran a repadmin /syncall and got this error..

     

    CALLBACK MESSAGE: Error contacting server d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ibts.org (network error): 5 (0x5):

    Access is denied.

    SyncAll exited with fatal Win32 error: 8440 (0x20f8):

    The naming context specified for this replication operation is invalid.

     

    To me this is a new yet further implication that this DNS is "hosed" for lack of a better way to put it.  I researched this error and found this suggested fix.

    "On the PDC Emulator:

    1) You need to re-create the _msdcs.<forest root domain name> zone. Make it
    AD INtegrated - and assuming that you are running W2k3 - make it forest-wide
    as an application partition.

    2) Run net stop netlogon and net start netlogon

    On each DC - point to the PDC Emulator as the Preferred DNS

    Run net stop netlogon and net start netlogon

    This will replicate DNS Zone to DC.

    Repoint client back to original Preferred DNS.

    You have basically deleted all your replication GUID records."

     

    This sounds like something that may fix all of my problems in one shot.  Do you think this is dangerous in any way?

     

    Wednesday, April 20, 2011 5:24 PM
  • Wow, I ran a dcdiag and everything passed except this portion..

     

    Starting test: SystemLog

             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record 'ncsbcs.org. 600 IN A 192.168.40.34' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.Bossier._sites.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.pdc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.gc._msdcs.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.Bossier._sites.gc._msdcs.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.HERNDON._sites.gc._msdcs.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.82e701ca-666f-4d74-8a83-5e73e184d53b.domains._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record 'gc._msdcs.ncsbcs.org. 600 IN A 192.168.40.34' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record 'd3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ncsbcs.org. 600 IN CNAME IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_kerberos._tcp.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_kerberos._tcp.Bossier._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_kerberos._tcp.HERNDON._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.Bossier._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_ldap._tcp.HERNDON._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_kerberos._tcp.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_kerberos._tcp.Bossier._sites.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_kerberos._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:04

                Event String:

                The dynamic deletion of the DNS record '_gc._tcp.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:10

                Event String:

                The dynamic deletion of the DNS record '_gc._tcp.Bossier._sites.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:10

                Event String:

                The dynamic deletion of the DNS record '_gc._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:10

                Event String:

                The dynamic deletion of the DNS record '_kerberos._udp.ncsbcs.org. 600 IN SRV 0 100 88 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:10

                Event String:

                The dynamic deletion of the DNS record '_kpasswd._tcp.ncsbcs.org. 600 IN SRV 0 100 464 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Error Event occurred.  EventID: 0x0000168F

                Time Generated: 04/20/2011   12:45:10

                Event String:

                The dynamic deletion of the DNS record '_kpasswd._udp.ncsbcs.org. 600 IN SRV 0 100 464 IBTSDC2008.ibts.org.' failed on the following DNS server: 


             An Warning Event occurred.  EventID: 0x000003FC

                Time Generated: 04/20/2011   12:59:33

                Event String:

                Scope, 192.168.40.0, is 81 percent full with only 32 IP addresses remaining.

             An Warning Event occurred.  EventID: 0x80001795

                Time Generated: 04/20/2011   13:10:53

                Event String:

                The program lsass.exe, with the assigned process ID 616, could not authenticate locally by using the target name LDAP/d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ibts.org. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.


             ......................... IBTSDC2008 failed test SystemLog

          Starting test: VerifyReferences

             ......................... IBTSDC2008 passed test VerifyReferences

    Wednesday, April 20, 2011 5:32 PM
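
An added example, not part of the thread: one way to reduce the SystemLog output above to a summary of how many failed dynamic updates are for names outside the DC's own DNS domain and what suffix those names share. The function names are hypothetical; three sample lines are copied from the dcdiag output above and the fourth is constructed for contrast.

```python
import re
from collections import Counter

# Netlogon event text as it appears in the dcdiag SystemLog test output.
EVENT_RE = re.compile(
    r"The dynamic (?P<op>registration|deletion) of the DNS record "
    r"'(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>[^']+)'"
    r"\s+failed"
)

# Three event strings copied from the dcdiag output in this thread, plus one
# constructed line (the last) for a record inside the AD domain, for contrast.
SAMPLE = """\
The dynamic deletion of the DNS record 'ncsbcs.org. 600 IN A 192.168.40.34' failed on the following DNS server:
The dynamic deletion of the DNS record '_ldap._tcp.HERNDON._sites.dc._msdcs.ncsbcs.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server:
The dynamic deletion of the DNS record 'd3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ncsbcs.org. 600 IN CNAME IBTSDC2008.ibts.org.' failed on the following DNS server:
The dynamic deletion of the DNS record '_ldap._tcp.ibts.org. 600 IN SRV 0 100 389 IBTSDC2008.ibts.org.' failed on the following DNS server:
"""


def parse_events(text):
    """Return one dict per failed dynamic-update event found in text."""
    events = []
    for m in EVENT_RE.finditer(text):
        ev = m.groupdict()
        ev["owner"] = ev["owner"].rstrip(".").lower()
        ev["rdata"] = ev["rdata"].strip()
        # For SRV and CNAME the last rdata field is the target host name.
        ev["target"] = (ev["rdata"].split()[-1].rstrip(".").lower()
                        if ev["rtype"] in ("SRV", "CNAME") else None)
        events.append(ev)
    return events


def in_zone(name, zone):
    """True if name is the zone apex or a name below it."""
    return name == zone or name.endswith("." + zone)


def common_suffix(names):
    """Longest run of trailing DNS labels shared by every name."""
    shared = []
    for labels in zip(*(n.split(".")[::-1] for n in names)):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))


def summarize(text, ad_domain):
    """Count failures whose owner name lies outside the AD DNS domain."""
    ad_domain = ad_domain.rstrip(".").lower()
    events = parse_events(text)
    outside = [e for e in events if not in_zone(e["owner"], ad_domain)]
    return {
        "total": len(events),
        "outside": len(outside),
        "outside_suffix": common_suffix([e["owner"] for e in outside]),
        "by_type": dict(Counter(e["rtype"] for e in outside)),
        # Records under the other suffix that still point at a host in ad_domain.
        "outside_pointing_at_ad_host": sum(
            1 for e in outside if e["target"] and in_zone(e["target"], ad_domain)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE, "ibts.org"))
```

Saving the full `dcdiag` output to a file and passing its contents to `summarize` in place of `SAMPLE` gives the same breakdown for every event in the log.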
  • BTW I did run a rendom /clean command which gave me an ok.  I did that because I think the ncsbcs.org domain used to be the primary domain and it was renamed to ibts.org.  I think that's what started this whole mess.  I used to be able to run a syncall; now I can't.  I think I'm finding the problem here.  I really feel like I need to wipe DNS and rebuild it, but that seems a daunting task and dangerous.  We have so many systems running.
    Wednesday, April 20, 2011 5:36 PM
  • Wow, I ran a dcdiag and everything passed except this portion..

     

    [snipped]

                The dynamic deletion of the DNS record '_gc._tcp.HERNDON._sites.ncsbcs.org. 600 IN SRV 0 100 3268 IBTSDC2008.ibts.org.' failed on the following DNS server: 

                The dynamic deletion of the DNS record '_kpasswd._tcp.ncsbcs.org. 600 IN SRV 0 100 464 IBTSDC2008.ibts.org.' failed on the following DNS server: 


            

    Well, it looks like a server called IBTSDC2008 and a Site name called HERNDON still exist in the AD database. The Metadata Cleanup process should show them to allow you to remove them.

    Ace


    Ace Fekay


    Wednesday, April 20, 2011 8:26 PM
  • I just ran a repadmin /syncall and got this error..

     

    CALLBACK MESSAGE: Error contacting server d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ibts.org (network error): 5 (0x5):

    Access is denied.

    SyncAll exited with fatal Win32 error: 8440 (0x20f8):

    The naming context specified for this replication operation is invalid.

     

    To me this is a new yet further implication that this DNS is "hosed" for lack of a better way to put it.  I researched this error and found this suggested fix.

    "On the PDC Emulator:

    1) You need to re-create the _msdcs.<forest root domain name> zone. Make it
    AD Integrated - and assuming that you are running W2k3 - make it forest-wide
    as an application partition.

    2) Run net stop netlogon and net start netlogon

    On each DC - point to the PDC Emulator as the Preferred DNS

    Run net stop netlogon and net start netlogon

    This will replicate DNS Zone to DC.

    Repoint client back to original Preferred DNS.

    You have basically deleted all your replication GUID records."

     

    This sounds like something that may fix all of my problems in one shot.  Do you think this is dangerous in any way?

     


    You don't necessarily have to recreate the _msdcs zone.

    Does a record called d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ibts.org  exist in DNS under the _msdcs.ibts.org zone? If not, create it and give it the IP of that DC.

    If it does exist, are there any firewalls, AV or security apps present? Symantec has been coming up lately in the forums that the "protect remote network" setting is hurting DC replication and other DC traffic.

    Ace


    Ace Fekay

    Wednesday, April 20, 2011 8:29 PM
  • I think I hosed something up when I ran that command.  All of our SharePoint sites went down with problems connecting to the primary SQL cluster.  That cluster was using ibtsdc2008 as a homeserver.  When I ran nslookup commands on ibtsdc2008 I wasn't getting internal DNS, I was getting external when querying (we have both but internal should come up first).  I rebooted ibtsdc2008, then rebooted SQL and it all started working again.

     

    So back to your other post.  Herndon is our primary site so that's valid, ibtsdc2008 is the primary DC with all of the FSMO roles on it, so that's valid.  So those don't need to be cleaned up.

     

    I just thought it was interesting that when I tried to run the dcdiag, it looks like the domain is trying to delete those very records I can't find, and failing.  I'm pretty sure at this point that ibts.org is an upgraded domain from ncsbcs.org, and that job, by whoever did it before me, wasn't completed successfully.


    BTW, d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ibts.org is a CNAME record for ibtsdc2008
    Monday, April 25, 2011 8:03 PM
  • I think I hosed something up when I ran that command.  All of our SharePoint sites went down with problems connecting to the primary SQL cluster.  That cluster was using ibtsdc2008 as a homeserver.  When I ran nslookup commands on ibtsdc2008 I wasn't getting internal DNS, I was getting external when querying (we have both but internal should come up first).  I rebooted ibtsdc2008, then rebooted SQL and it all started working again.

     

    I'm confused. You are using an external DNS server on your AD machines?

     

    So back to your other post.  Herndon is our primary site so that's valid, ibtsdc2008 is the primary DC with all of the FSMO roles on it, so that's valid.  So those don't need to be cleaned up.

    I just thought it was interesting that when I tried to run the dcdiag, it looks like the domain is trying to delete those very records I can't find, and failing.  I'm pretty sure at this point that ibts.org is an upgraded domain from ncsbcs.org, and that job, by whoever did it before me, wasn't completed successfully.


    BTW, d3e6bd0f-f82b-4e03-aa9d-5b20f4d07cbf._msdcs.ibts.org is a CNAME record for ibtsdc2008

     

    Domain rename. Hmm, that could explain part or all of it. Maybe they didn't run a rendom /clean after the rename procedure? I'm not saying to run it, just surmising.

    Maybe you can find what was left out going through the docs below.

    [DOC] Step-by-Step Guide to Implementing Domain Rename - Microsoft ...
    The steps to prepare for and perform the domain rename procedure are described in this document. All preliminary steps must be completed before any steps in ...
    http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/Domain-Rename-Procedure.doc

    Supplemental steps for using the Exchange Server Domain Rename ... (Nov 27, 2007)
    The "After the Domain Rename Procedure" topic in the Step ...
    http://support.microsoft.com/kb/842116

     

    Or possibly it may be time to get Microsoft PSS involved to clean it up.
    http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;select&target=assistance

     

    Ace


    Ace Fekay

    Tuesday, April 26, 2011 4:47 AM
  • Yes I ran the rendom /clean and that's when my DNS and SharePoint sites went crazy (I think).  After that I couldn't do a directory sync and saw those deletion errors in the post above.  So I'm pretty sure the leftover DNS junk is from a domain rename that happened somewhere in the past.

     

    We use external dns from a 3rd party provider to provide routable resolution for some of our externally facing sites, but have our own internal records for those same sites which are served by AD and point to unroutable IP's.  Everything externally facing here is NAT'd.

    So when I had my mini outage I did some DNS lookups from the DC I had run the rendom /clean on, and it wasn't resolving local IPs anymore, but rather the external versions (probably using root hints).

    Luckily I got that fixed with some restarts.  ANYWAY, thanks for the links, I'll check them out.

    Tuesday, April 26, 2011 2:05 PM
  • Yes I ran the rendom /clean and that's when my DNS and SharePoint sites went crazy (I think).  After that I couldn't do a directory sync and saw those deletion errors in the post above.  So I'm pretty sure the leftover DNS junk is from a domain rename that happened somewhere in the past.

    We use external dns from a 3rd party provider to provide routable resolution for some of our externally facing sites, but have our own internal records for those same sites which are served by AD and point to unroutable IP's.  Everything externally facing here is NAT'd.

    So when I had my mini outage I did some DNS lookups from the DC I had run the rendom /clean on, and it wasn't resolving local IPs anymore, but rather the external versions (probably using root hints).

    Luckily I got that fixed with some restarts.  ANYWAY, thanks for the links, I'll check them out.

     

    I really think that getting Microsoft's assistance on this would be beneficial at this point.

    Ace


    Ace Fekay
    Wednesday, April 27, 2011 6:43 AM
  • Hello I had the same problem actually after migrating my 2k3 server to 2k8r2.

    I could solve this issue by deleting all TOMBSTONE RECORDS in WINS server and then Scavenge database.

    Then Run dcdiag /c /v

    All Test passed.


    I hope this can help.

    Regards.


    Friday, September 02, 2011 5:54 PM
  • I'm curious to know how this turned out. May or may not be going through the same thing.

    -Jake

    Thursday, February 26, 2015 6:32 AM
  • I ended up opening a Microsoft ticket and having them help me clean up many things in AD.
    Thursday, February 26, 2015 3:51 PM