Specific AD DS / DNS Records missing


    EDITED VERSION

    In my previous post of this message I asked where to put these DNS Records Manually:

    SRV Record for _ldap._tcp.gc._msdcs.<DnsForestName>
    A record for _gc._msdcs.<DnsForestName>
    CNAME Record for <dsaGuid>._msdcs.<DnsForestName>

    These records need to exist under: Forward Lookup Zones\<servername>_msdcs.<domainname>
    Having added these records I get the same error when trying to connect XP/VISTA workstations to the domain, over the Internet - and that means now I am lost...
    I have run several testing programs incl. DCDiag; all tests passed - no errors in the event logs or the debug folder logs, the firewall is listening on the ports needed for AD DNS services - help...

    Here is the error message that I received:

    DNS was successfully queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain <domain name>:
    The query was for the SRV record for _ldap._tcp.dc._msdcs.<domain name>

    The following AD DCs were identified by the query:
    <netbiosname>.<domain name>

    Common causes of this error include:
    - Host (A) records that map the name of the AD DCs to its IP addresses are missing or contain incorrect addresses.
    - Active Directory Domain Controllers registered in DNS are not connected to the network or are not running.


    TIA
    Last edited by Rugrat; 9th December 2008, 11:34.

  • #2
    Re: Specific AD DS / DNS Records missing

    A workstation that is logging on to an Active Directory domain queries DNS for SRV records in the general form:
    _Service._protocol.DnsDomainName
    _ldap._tcp.DnsDomainName

    When a client logs on or joins the network, the client must be able to locate a domain controller. The client sends a DNS lookup query to DNS to find a domain controller, preferably in the client's own subnet. Therefore, clients find a domain controller by querying DNS for a record of the form: _LDAP._TCP.dc._msdcs.domainname
    After the client locates a domain controller, the client establishes communication by using LDAP to gain access to Active Directory.
    Use the nltest /dsgetdc:domainname command to verify that a domain controller can be located for a specific domain.
    Use the nslookup tool to verify that DNS entries are correctly registered in DNS.
    For example:
    nslookup ServerName.child_of_root_domain.root_domain.com
    nslookup guid._msdcs.root_domain.com

    If either of the commands does not succeed, use one of the following methods to register records with DNS.
    1) To force host record registration: "ipconfig /registerdns"
    2) To force DC SRV record registration, stop and start the Netlogon service.

    If you suspect that a particular DC has problems, turn on Netlogon debug logging. Use NLTest by typing nltest /dbflag:0x2000ffff. The information is logged in the debug folder in the netlogon.log file.
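The SRV lookup the reply above describes, as an added Python example that is not part of the original thread and not a Microsoft tool: it derives the DC locator names from a domain name, sends a raw SRV query over UDP to a chosen DNS server and decodes the answer, so the check that nltest /dsgetdc and nslookup perform can be repeated from any machine with the standard library only. The domain corp.example.test, the server 192.0.2.10, the function names and the answer built by constructed_response are constructed sample values, not anything from the poster's environment.

```python
import socket
import struct
import sys

SRV, IN = 33, 1  # DNS record type SRV and class IN


def locator_record_names(domain, forest=None, site=None):
    """Names the DC locator asks for (the thread lists the dc/gc forms; the site form is standard).
    forest defaults to domain for a single-domain forest; site is optional."""
    forest = forest or domain
    names = {
        "dc_srv": f"_ldap._tcp.dc._msdcs.{domain}",
        "gc_srv": f"_ldap._tcp.gc._msdcs.{forest}",
        "gc_a": f"gc._msdcs.{forest}",
    }
    if site:
        names["site_dc_srv"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return names


def encode_name(name):
    """Wire-format a name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """One question, recursion desired, no EDNS: enough for an SRV lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, IN)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to a name earlier in the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_srv_response(msg):
    """Return (rcode, list of SRV records) from a raw DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            records.append({"priority": prio, "weight": weight, "port": port, "target": target})
        offset += rdlen
    return flags & 0x000F, records


def query_srv(name, server, timeout=3.0):
    """Send the query over UDP to the DNS server the DC is supposed to register with."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_srv_response(data)


def constructed_response(name, target, port=389, txid=0x1234):
    """Constructed sample answer (not captured from any real server) for offline checks."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", SRV, IN)
    rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # usage: python locator_check.py corp.example.test 192.0.2.10
    domain, server = sys.argv[1], sys.argv[2]
    for label, name in locator_record_names(domain).items():
        if label.endswith("_srv"):
            rcode, recs = query_srv(name, server)
            print(label, name, "rcode", rcode, [r["target"] for r in recs])
```

Run it against the DC's own DNS server and against the one the workstation actually uses; an rcode of 3 (NXDOMAIN) or an empty answer for the dc_srv name is the condition the "DNS was successfully queried" message in the first post rules out, so a DC that answers here but is still unreachable points at the A/AAAA records for the target rather than at the SRV record.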



    • #3
      Re: Specific AD DS / DNS Records missing

      Did DCDiag /test:dns and yep there are some errors. Again the AAAA records are missing and the IPV6 network connection is not configured (but is enabled) at the network adapter.

      Below are the results of the DCDiag Test. Question is where exactly do I manually add the missing records?
      C:\Users\Administrator.SERVER.000>dcdiag /test:dns

      Directory Server Diagnosis

      Performing initial setup:
      Trying to find home server...
      Home Server = dns
      * Identified AD Forest.
      Done gathering initial info.

      Doing initial required tests

      Testing server: Default-First-Site-Name\DNS
      Starting test: Connectivity
      ......................... DNS passed test Connectivity

      Doing primary tests

      Testing server: Default-First-Site-Name\DNS

      Starting test: DNS

      DNS Tests are running and not hung. Please wait a few minutes...
      ......................... DNS passed test DNS

      Running partition tests on : ForestDnsZones

      Running partition tests on : DomainDnsZones

      Running partition tests on : Schema

      Running partition tests on : Configuration

      Running partition tests on : <domain.com>

      Running enterprise tests on : <domain-name>
      Starting test: DNS
      Test results for domain controllers:

      DC: dns.<domain-name>
      Domain: <domain-name>


      TEST: Basic (Basc)
      Warning: The AAAA record for this DC was not found

      TEST: Dynamic update (Dyn)
      Warning: Failed to delete the test record _dcdiag_test_record in zone <domain-name>

      TEST: Records registration (RReg)
      Network Adapter [00000006] Intel(R) PRO/1000 PM Network Connection:
      Warning:
      Missing AAAA record at DNS server <ip-address>:
      dns.<domain-name>

      Warning:
      Missing AAAA record at DNS server <ip-address>:
      gc._msdcs.<domain-name>

      Warning:
      Missing AAAA record at DNS server ::1:
      dns.<domain-name>

      Warning:
      Missing AAAA record at DNS server ::1:
      gc._msdcs.<domain-name>

      Warning: Record Registrations not found in some network adapters

      dns PASS WARN PASS PASS WARN WARN n/a
      ......................... <domain-name> passed test DNS



      • #4
        Re: Specific AD DS / DNS Records missing

        That might be your problem.
        Disable IPv6 on the DC, or at least disable the registration of its records in DNS; that could be done by going to IPv6 -> Properties -> Advanced -> DNS -> uncheck "Register this connection's addresses in DNS".
        Make sure that on IPv4 the registration for the connection is checked.
        Then restart the DHCP Client service, and after that restart the Netlogon service.
        Check your DNS and see if it registered all it needs there.
        NOTE: make sure that in IPv4 you have the correct DNS settings (AD DS DNS).
        BTW - follow the instructions I posted you earlier.
        Last edited by Akila; 9th December 2008, 17:08.



        • #5
          Re: Specific AD DS / DNS Records missing

          Somehow the IPv6 addresses keep coming back into our DNS. I disabled IPv6 on both network adapters (hence disabled 1 adapter), and for the double cross-check I also removed the "register with DNS" tags.

          I even manually removed the IPv6 addresses from DNS (root and all sub-categories), but they keep coming back after a system reboot/Netlogon restart.

          After running DCDiag again I get the same missing IPv6 RR errors (also after a system reboot, even after manually removing the records). Where do these records come from and why does DNS persist in having them... not that they bother...

          ...but what really freaks me out is that even though the _ldap._dc._msdcs.<domainname> record exists (IPv4), it keeps telling me that they are missing as IPv6 records. Adding a workstation to the domain tells me it queries the _ldap record and that it finds the DC. So it does find the _ldap record, else it wouldn't present me with the messages listed in my previous post.

          Pinging or using nslookup works fine for the DsaGUID RR but not for the IPv6 ldap records... and that is confirmed by the DCDiag results (see below)... what do you think, is there any chance I can repair this without having to reinstall Windows Server 2008?
          Directory Server Diagnosis

          Performing initial setup:
          Trying to find home server...
          Home Server = dns
          * Identified AD Forest.
          Done gathering initial info.

          Doing initial required tests

          Testing server: Default-First-Site-Name\DNS
          Starting test: Connectivity
          ......................... DNS passed test Connectivity

          Doing primary tests

          Testing server: Default-First-Site-Name\DNS

          Starting test: DNS

          DNS Tests are running and not hung. Please wait a few minutes...
          ......................... DNS passed test DNS

          Running partition tests on : ForestDnsZones

          Running partition tests on : DomainDnsZones

          Running partition tests on : Schema

          Running partition tests on : Configuration

          Running partition tests on : <domain-name without tld ext.>

          Running enterprise tests on : <domain-name>
          Starting test: DNS
          Test results for domain controllers:

          DC: dns.<domain-name>
          Domain: <domain-name>


          TEST: Basic (Basc)
          Warning: The AAAA record for this DC was not found

          TEST: Dynamic update (Dyn)
          Warning: Failed to delete the test record _dcdiag_test_record in zone <domain-name>

          TEST: Records registration (RReg)
          Network Adapter [00000006] Intel(R) PRO/1000 PM Network Connection:
          Warning:
          Missing AAAA record at DNS server <ip-address>:
          dns.<domain-name>

          Warning:
          Missing AAAA record at DNS server <ip-address>:
          gc._msdcs.<domain-name>

          Warning: Record Registrations not found in some network adapters

          dns PASS WARN PASS PASS WARN WARN n/a
          ......................... <domain-name> passed test DNS
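The dcdiag /test:dns output pasted in posts #3 and #5 is the same shape both times: "Missing AAAA record at DNS server X:" followed by the record name on the next line, a Basic-test warning, and one summary row per DC. The parser below is an added Python example, not part of the thread and not a Microsoft tool; it turns that text into a structure so the question the poster keeps asking (is anything other than IPv6 actually missing?) can be answered from the output rather than by eye. SAMPLE_OUTPUT is constructed in the shape of the pasted text with made-up names and addresses, and the summary column order is the one dcdiag prints in its header row, which the paste omits.

```python
import re
from collections import defaultdict

# Column order of the per-DC summary line that dcdiag /test:dns prints; the header row
# is not in the pasted output, but this is the order dcdiag uses.
SUMMARY_COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]

MISSING_RE = re.compile(r"^Missing (?P<rtype>A|AAAA) record at DNS server (?P<server>\S+):$")
BASIC_RE = re.compile(r"^Warning: The (?P<rtype>A|AAAA) record for this DC was not found$")
SUMMARY_RE = re.compile(r"^(?P<dc>\S+)(?P<cols>(?:\s+(?:PASS|WARN|FAIL|n/a)){7})$")


def parse_dcdiag_dns(text):
    """Pull the DNS-test warnings and the summary row out of dcdiag /test:dns output."""
    missing = defaultdict(list)  # DNS server -> [(record type, record name)]
    basic_warnings = []          # record types the Basic test could not find for this DC
    summary = {}                 # DC name -> {column: PASS/WARN/FAIL/n/a}
    pending = None               # (rtype, server) whose record name is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            missing[pending[1]].append((pending[0], line))
            pending = None
            continue
        m = MISSING_RE.match(line)
        if m:
            pending = (m.group("rtype"), m.group("server"))
            continue
        m = BASIC_RE.match(line)
        if m:
            basic_warnings.append(m.group("rtype"))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("dc")] = dict(zip(SUMMARY_COLUMNS, m.group("cols").split()))
    return {"missing": dict(missing), "basic": basic_warnings, "summary": summary}


def problem_tests(report):
    """Which summary columns are WARN or FAIL, per DC."""
    return {dc: [c for c, s in cols.items() if s in ("WARN", "FAIL")]
            for dc, cols in report["summary"].items()}


def only_ipv6_missing(report):
    """True when every 'missing record' warning is an AAAA record, i.e. no IPv4 record is absent."""
    types = {rtype for recs in report["missing"].values() for rtype, _ in recs}
    return bool(types) and types == {"AAAA"}


# Constructed sample in the shape of the pasted output (names and addresses are made up).
SAMPLE_OUTPUT = """
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found

TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record _dcdiag_test_record in zone corp.example.test

TEST: Records registration (RReg)
Network Adapter [00000006] Intel(R) PRO/1000 PM Network Connection:
Warning:
Missing AAAA record at DNS server 192.0.2.10:
dc1.corp.example.test

Warning:
Missing AAAA record at DNS server 192.0.2.10:
gc._msdcs.corp.example.test

Warning:
Missing AAAA record at DNS server ::1:
dc1.corp.example.test

Warning: Record Registrations not found in some network adapters

dc1 PASS WARN PASS PASS WARN WARN n/a
"""

if __name__ == "__main__":
    import json
    print(json.dumps(parse_dcdiag_dns(SAMPLE_OUTPUT), indent=2))
```

Feed it the saved output of dcdiag /test:dns /v; when only_ipv6_missing is true, the RReg and Basc warnings are about AAAA records the adapter is still trying to register, not about the A and SRV records a client on IPv4 depends on, which is the situation the dialogue in this thread describes.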



          • #6
            Re: Specific AD DS / DNS Records missing

            Try running Netdiag /fix after disabling the IPv6.
            (I have to admit, I always use this when I've troubles with DNS )
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"



            • #7
              Re: Specific AD DS / DNS Records missing

              Windows 2008 has no netdiag and no resource kit that contains it to my best knowledge



              • #8
                Re: Specific AD DS / DNS Records missing

                Something very strange came up in the DNS event viewer after rebooting the system. This might be the cause of all the problems mentioned above. I wrote that I had to demote and uninstall AD DS and DNS Server 2x before our staff decided on the FQDN without site prefix.

                Our initial decision was to work by standard naming, so we made the FQDN: corp.<domainname> (corp.xxxx.org).

                In DNS event manager, after a reboot suddenly I get this message:
                The DNS server was unable to open zone _msdcs.corp.<domainname> in the Active Directory from the application directory partition ForestDnsZones.corp.<domainname>.

                This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

                Where did the old settings come from?
                ----------
                I feel like a meerkat, always digging for trouble...



                • #9
                  Re: Specific AD DS / DNS Records missing

                  I had noticed that you mentioned you got two network cards on the DC.
                  please disable the card that is not in use.

                  * If a NIC configured for DHCP is enabled but cannot contact a DHCP server, Windows will automatically assign itself a 169.254.x.x IP address. This is a concern for DCs, because the 169.254.x.x IP address will be registered into DNS (same idea is applied on IPV6). This will cause clients to try to contact the DC on that IP, but this will fail.
                  * Any NICs with 169.254.x.x addresses should be corrected by either disabling them or configuring them with a correct IP address. After the NIC is corrected, the Netlogon service may have to be restarted to refresh the netlogon.dns and netlogon.dnb files. This is a common step needed for Windows 200x DCs.

                  * If extra NICs are frequently enabled accidentally and cause the DCs to assign themselves 169.254.x.x APIPA addresses, the customer can either unbind the TCP/IP protocol from those interfaces (uncheck the checkbox under the NIC properties) and/or disable APIPA completely. APIPA is a consumer feature, so home users do not have to know how to assign correct IP addresses to their computers. The following article discusses APIPA and how to disable it:
                  Windows 2000 Registry Reference -> IPAutoconfigurationEnabled
                  http://www.microsoft.com/resources/d...ntry/58861.asp
                  Last edited by Akila; 10th December 2008, 07:34.
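The failure mode this reply describes, a DC whose DNS registrations include a 169.254.x.x APIPA address or (the IPv6 equivalent from post #4) a link-local fe80:: address that clients will try and fail to reach, can be checked from a dump of the DC's A/AAAA records. The audit below is an added Python example, not part of the thread and not a Microsoft tool; SAMPLE_REGISTRATIONS is a constructed list with made-up names and addresses, and the function names are mine.

```python
import ipaddress

# Constructed sample of a DC's DNS registrations (made-up names and addresses, not the
# poster's server). The 169.254 and fe80 entries are what an unplugged second NIC and an
# unconfigured IPv6 stack register when "Register this connection's addresses" is on.
SAMPLE_REGISTRATIONS = [
    ("dc1.corp.example.test", "A", "192.0.2.10"),
    ("dc1.corp.example.test", "A", "169.254.31.7"),
    ("dc1.corp.example.test", "AAAA", "fe80::1c2b:3d4e:5f60:7a8b"),
    ("gc._msdcs.corp.example.test", "A", "192.0.2.10"),
    ("dc2.corp.example.test", "A", "169.254.5.5"),
]


def unusable_reason(address):
    """Why a client could not reach a DC at this address, or None if it looks reachable."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4 and ip.is_link_local:   # 169.254.0.0/16, self-assigned by APIPA
        return "apipa"
    if ip.version == 6 and ip.is_link_local:   # fe80::/10, never routed off the local link
        return "ipv6-link-local"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    return None


def audit_registrations(records, ipv6_in_use=False):
    """Flag every registration a client could not use to reach the DC.
    With ipv6_in_use=False (the thread's situation) any AAAA record is flagged as well."""
    findings = []
    for name, rtype, address in records:
        reason = unusable_reason(address)
        if reason is None and rtype == "AAAA" and not ipv6_in_use:
            reason = "ipv6-not-in-use"
        if reason is not None:
            findings.append({"name": name, "type": rtype, "address": address, "reason": reason})
    return findings


def names_without_usable_address(records):
    """Names whose every registered address is unusable: clients locating this DC will fail."""
    usable, seen = set(), set()
    for name, _rtype, address in records:
        seen.add(name)
        if unusable_reason(address) is None:
            usable.add(name)
    return seen - usable


if __name__ == "__main__":
    for finding in audit_registrations(SAMPLE_REGISTRATIONS):
        print(f"{finding['name']} {finding['type']} {finding['address']}: {finding['reason']}")
    print("unreachable:", sorted(names_without_usable_address(SAMPLE_REGISTRATIONS)))
```

The distinction between the two functions is the one that matters operationally: a stray APIPA or link-local record beside a good A record slows down client logon and produces the dcdiag warnings seen in this thread, while a name with no usable address at all is the "clients will try to contact the DC on that IP, but this will fail" case and needs the NIC fixed and Netlogon restarted, as the reply above says.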



                  • #10
                    Re: Specific AD DS / DNS Records missing

                    Well, I didn't notice it was 2008, otherwise I wouldn't have mentioned netdiag.
                    I know netdiag is not available (those bastards), but in that case I would have written about the same as Akila's last post.
                    Marcel



                    • #11
                      Re: Specific AD DS / DNS Records missing

                      Yeah, that is a common mistake. But in our case the addresses are static. The second adapter is disabled (hence I even corrected the setting to make sure that, under 'the skin', nothing can go wrong). Also, that would not be the problem, because any workstation that is connected will find computername.domainname.tld and mention that the query was successful for the _ldap record, but still mention that some A records are not found.

                      Also, this still doesn't explain WHY the old AD DS FQDN configuration suddenly comes up as an error in the DNS event viewer, and on top of that WHY these IPv6 addresses re-occur in DNS every time (even after manually deleting them, and while IPv6 is disabled, also on the disabled NIC adapter). I have been busy all day analysing the registry and the files on the RAID to find where this old name (corp.domainname.tld) would be registered... TechNet is silent, Microsoft Herzliya is of no help, and googling this problem results in masses of other problems not or hardly close to this phenomenon.

                      I guess I will drive to Rosh HaAyin and take the server out of the datacenter. I will try to log on via a network cable (without fancy routers and firewalls), just a dumb switch, then see if I get the same crap. If so, I will need to re-format and re-install Windows 2008. I see no other solution.



                      • #12
                        Re: Specific AD DS / DNS Records missing

                        Maybe on 2008 it works differently than on 2000/2003?



                        • #13
                          Re: Specific AD DS / DNS Records missing

                          No, it doesn't. Existing features have been enhanced, better security overall and major integration of functionalities within the Server Manager. Some nifty extras such as Hyper-V, BitLocker and such, but for AD DS with DNS integration it is all the same pie, different version. That is why this is so frustrating.

                          Anyway, I have been invited into the datacenter to do primary tests with a workstation, and if not successful I can format the server there, and as soon as RDC is up I will go home and have fun redoing the whole server and MS SQL.

                          I never thought that it would come to that - it brings back NT4 memories and Windows 2000 upgrade nightmares... I will update this thread with the results. Maybe after a format I can compare the changes, registry and such, and come up with an answer for this malfunction... and if not, then I want to thank everyone in advance for taking their time to try to help me.



                          • #14
                            Re: Specific AD DS / DNS Records missing

                            WOW, I formatted the Windows 2008 Server again. Bare bones, nothing on it; added AD DS, and DNS was installed automatically. I connected to the domain via an XP workstation and via a Vista workstation and...

                            Same problem, same errors...
                            DCDIAG says:

                            Missing AAAA Records for <netbios name>.<domainname>
                            gc._msdcs.<domainname>
                            ...
                            and to be funny sarcastic: the DNS records are all there!
                            Anyone out there that can help - even with a RDC?



                            • #15
                              Re: Specific AD DS / DNS Records missing

                              Just wondering:
                               I am connected to the public Internet via my provider; my workstation is behind a NAT router. I have no special config on the NAT router.

                              My server however is on a different Subnet and in no way is my ISP network connected to the co-location host network (where my server is located). Any chance that this causes the errors?
