DNS configuration in AD environment

  • #1

    Dear All,

    I am looking for something like Best Practice for DNS configuration in my AD.

    Some errors are logged in the event log after restarting the NETLOGON service. In a few words the error is:

    Dynamic registration or deletion of one or more DNS records associated with DNS domain 'domain.dom.' failed (the same errors for DomainDnsZones.domain.dom and ForestDnsZones.domain.dom also). These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

    Also after restarting the second domain controller (W2K8 ) it can't apply the Group Policy.

    I have 2 domain controllers (2003 and 2008 ). Both are DNS servers.

    In the beginning I had only one DC (2003) with DNS installed. I added another domain controller (2008) following the instructions to prepare the domain for a 2008 Domain Controller.

    All was fine, but I had to rename the domain! After renaming the domain (following the instructions also) there is this error in the DNS server.

    And a few more errors, but I suspect it is all because of DNS or some rights...

    The configuration:

    DC1 2003 Server with DNS. DNS properties of the network adapter is configured to point to itself.

    DC2 2008 Server (also DNS server). DNS properties are configured to point to itself also.

    Both Domain Controllers have only one DNS configured (in TCP/IP properties) and every DC is pointing to itself.

    My question is... How must the DNS servers (in the TCP/IP properties of the network adapter) on the two Domain Controllers be configured?

    Thanks in advance!

    Regards!
    Last edited by biggles77; 21st February 2010, 16:14. Reason: Fix smilie issue

  • #2
    Re: DNS configuration in AD environment

    DCs' DNS settings should always point to themselves as primary, and then the secondary can be another DC. It sounds like you're having issues since the rename of your domain controllers.

    Install netdiag from the windows 2003 support tools and look into netdiag. You could also try netdiag /fix:

    http://support.microsoft.com/kb/219289

    Hope this helps

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
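The rule in the reply above (each DC lists itself first, then the other DCs) is easy to state and easy to get wrong on the second DC. The script below is an added example, not code from the thread or from Microsoft: it audits the IPv4 DNS client order on every DC in the current domain and, with -Fix, sets it. Assumptions: it runs as a Domain Admin on a domain member with WMI/DCOM access to each DC, it treats the adapter's first non-loopback IPv4 address as "itself", and it implements the order the reply recommends. Later Microsoft guidance prefers another DC first and the loopback address second; if you follow that rule, swap the order in Get-DesiredOrder.

```powershell
<#
  Added example (not from the thread): audit, and optionally fix, the DNS
  client settings of every domain controller so that each DC lists itself
  first and the other DCs after it.
  Assumptions: Domain Admin rights, WMI/DCOM reachable on each DC, IPv4 only.
#>
param([switch]$Fix)

function Get-DomainDcs {
    # Enumerate the DCs of the current domain without needing the AD module.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.DomainControllers | ForEach-Object {
        New-Object PSObject -Property @{ Name = $_.Name; IPAddress = $_.IPAddress }
    }
}

function Get-DesiredOrder([string]$SelfIp, [string[]]$OtherDcIps) {
    # Self first, then every other DC, without duplicates.
    @($SelfIp) + @($OtherDcIps | Where-Object { $_ -ne $SelfIp })
}

$dcs = @(Get-DomainDcs)
foreach ($dc in $dcs) {
    $others = @($dcs | Where-Object { $_.Name -ne $dc.Name } | ForEach-Object { $_.IPAddress })
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc.Name -Filter "IPEnabled=True"
    foreach ($nic in $nics) {
        # First IPv4 address of the adapter is taken as the DC's own address (assumption).
        $selfIp = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and $_ -ne '127.0.0.1' })[0]
        if (-not $selfIp) { continue }

        $current = @($nic.DNSServerSearchOrder)
        $desired = Get-DesiredOrder -SelfIp $selfIp -OtherDcIps $others
        # Order matters, so compare the lists positionally.
        $ok = (($current -join ',') -eq ($desired -join ','))

        "{0} [{1}] current: {2}" -f $dc.Name, $nic.Description, ($current -join ', ')
        if ($ok) {
            "  OK: itself first, then {0} other DC(s)" -f $others.Count
            continue
        }
        "  MISMATCH: expected {0}" -f ($desired -join ', ')
        if ($Fix) {
            $r = $nic.SetDNSServerSearchOrder($desired)
            if ($r.ReturnValue -eq 0) {
                "  fixed; run 'ipconfig /registerdns' and restart Netlogon on $($dc.Name)"
            } else {
                "  SetDNSServerSearchOrder failed with code $($r.ReturnValue)"
            }
        }
    }
}
```

Run it once without -Fix to see the current order on each DC; after a fix, re-register the records (ipconfig /registerdns, then restart Netlogon) so the locator records are rewritten with the new resolver order in place.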


    • #3
      Re: DNS configuration in AD environment

      Thanks Michael for your reply.

      Yes, I am having issues after the domain rename. I have installed the netdiag tools on both servers (even though 2008 doesn't support this, I just copied it from the 2003 Server).

      After restarting the Server 2008 (or just restarting the netlogon service) running the nltest /dsregdns on the Windows 2008 Server shows an error:

      ...something like no logon server is available...

      But running the command NETDIAG /FIX solves the problem until the next reboot of the server or the netlogon service:

      Connection Status = 0 0x0 NERR_Success
      The command completed successfully


      And all is working then...

      Also on both servers this error is logged (also after restarting the server, and sometimes later (once per 2-3 days)):

      The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

      Do I have to worry about this error? I don't have smart card logon.

      I will be very thankful if you give me the direction for solving this issues.

      Thank you very much!

      Kind regards!



      • #4
        Re: DNS configuration in AD environment

        Hi,

        do you face any operational issues due to the errors logged? And can you upload the event logs for both system and application for w2k3 and w2k8? Mention the timelines when the error started.
        Thanks & Regards
        v-2nas

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
        Blog: http://www.exchadtech.blogspot.com

        Show your appreciation for my help by giving reputation points



        • #5
          Re: DNS configuration in AD environment

          Dear all!
          Thanks for answers and excuse my delay!

          ... I am stuck in some magic circle...

          For sure the issue begins after the domain rename (even though I did everything according to the Microsoft manual about domain rename).

          After restarting the servers a few regrettable events are logged... (but after days of running all event logs are clear and only informational events are logged)

          I will try to be more specific...

          I have W2K3 and W2K8 domain controllers.

          On W2K8:

          After restarts it gets stuck for about 5-10 min waiting for the group policy...

          As I saw, it is unable to reach the sysvol shared folder where the policies are located (I tried to access this folder manually and received "access denied"). Then without any action by me it applies the policies, but after some period of time (10-15 min).

          On both servers there was an error about a week ago:

          The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

          But this error doesn't appear now!


          The strangest thing, and maybe here is the answer...

          After restarting W2K8 I've got an error after running the command:

          C:\nltest /dsregdns

          Flags: 0
          Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS


          after running netdiag /fix I receive:

          C:\nltest /dsregdns

          Flags: 0
          Connection Status = 0 0x0 NERR_Success



          What does netdiag /fix do on W2K8 to solve this issue?

          P.S. As far as I know netdiag is not available on W2K8, but following the article I just copied netdiag to a temporary W2K8 folder and started it from there.

          P.S. The DCDIAG tool doesn't report any errors! I suppose that this causes the errors in my first post also!

          P.S.

          Regarding the KDC error in the event log I notice the following:

          On W2K3 Domain Controller the command: certutil -dcinfo verify returns the error:

          The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)

          On the W2K8 the same command returns NO error!!!

          Following the manuals about this I ran:

          certutil -dcinfo deleteBad

          This command deletes the Domain Controller certificates from both domain controllers and auto enrollment retrieves new ones after this!

          On the other hand both Domain Controllers' certificates seem OK (according to the information about the certificates and the CA logs)!!! The CA is located on a separate server, that is not a DC.
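The post above shows the three pieces of evidence a DC locator problem leaves behind: the nltest /dsregdns status, the SRV records under _msdcs that other machines use to find the DC, and the certutil -dcinfo verify result (0x800b0110 is CERT_E_WRONG_USAGE, the KB article linked earlier describes netdiag /fix as re-registering exactly those locator records). The script below is an added example, not from the thread: it runs those checks on a DC in one pass and parses the output, so the state after a reboot can be compared with the state after netdiag /fix. Assumptions: it runs in an elevated prompt on the DC itself, nltest, nslookup and certutil are the built-in tools with their English output format, $Domain defaults to the DC's own domain and $DnsServer to the loopback address.

```powershell
<#
  Added example (not from the thread): check DC locator registration, the
  SRV records clients need to find this DC, and the DC certificate chain.
  Assumptions: elevated prompt on the DC, built-in nltest/nslookup/certutil,
  English tool output.
#>
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$DnsServer = '127.0.0.1'
)

function Test-DsRegDns {
    # Ask Netlogon to (re)register the DC locator records and parse the status line,
    # e.g. "Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS".
    $out = & nltest.exe /dsregdns 2>&1 | Out-String
    if ($out -match 'Connection Status\s*=\s*(\d+)\s+(0x[0-9a-fA-F]+)\s+(\S+)') {
        New-Object PSObject -Property @{ Code = [int]$Matches[1]; Symbol = $Matches[3]; Ok = ([int]$Matches[1] -eq 0) }
    } else {
        New-Object PSObject -Property @{ Code = -1; Symbol = 'UNPARSED'; Ok = $false }
    }
}

function Get-SrvTargets([string]$Name, [string]$Server) {
    # nslookup prints one "svr hostname = <target>" line per SRV record.
    $out = & nslookup.exe -type=SRV $Name $Server 2>&1 | Out-String
    [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value.TrimEnd('.') }
}

function Test-DcCertificate {
    # certutil -dcinfo verify walks each DC's certificate chain;
    # 0x800b0110 is CERT_E_WRONG_USAGE ("not valid for the requested usage").
    $out = & certutil.exe -dcinfo verify 2>&1 | Out-String
    New-Object PSObject -Property @{
        Ok         = ($LASTEXITCODE -eq 0 -and $out -notmatch '0x800b0110')
        WrongUsage = ($out -match '0x800b0110')
    }
}

$reg = Test-DsRegDns
"nltest /dsregdns: {0} ({1})" -f $reg.Symbol, $reg.Code
if (-not $reg.Ok) {
    "  Netlogon could not register its records; see which DC the SRV records point at below"
}

# A client finds a DC through these records, so this DC must be listed in each of them.
$me = ([System.Net.Dns]::GetHostName() + '.' + $Domain).ToLower()
foreach ($rec in @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_ldap._tcp.$Domain")) {
    $targets = @(Get-SrvTargets -Name $rec -Server $DnsServer)
    $listed  = @($targets | Where-Object { $_.ToLower() -eq $me }).Count -gt 0
    "{0}: {1} -> {2}" -f $(if ($listed) { 'OK' } else { 'MISSING' }), $rec, ($targets -join ', ')
}

$cert = Test-DcCertificate
if ($cert.WrongUsage) {
    "certutil -dcinfo verify: CERT_E_WRONG_USAGE, the selected DC certificate lacks the usage the KDC needs;"
    "  'certutil -dcinfo deleteBad' followed by autoenrollment will replace it"
} elseif ($cert.Ok) {
    "certutil -dcinfo verify: OK"
} else {
    "certutil -dcinfo verify: errors reported, review the full output"
}
```

Run it right after a Netlogon restart and again after netdiag /fix: if the SRV lines flip from MISSING to OK while the nltest status flips from ERROR_NO_LOGON_SERVERS to NERR_Success, the records are being removed or not written on restart, which points at the DNS server Netlogon is talking to (the order checked in the earlier script) or at dynamic-update permissions on the zone, not at the records themselves.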


          • #6
            Re: DNS configuration in AD environment

            Did you get this sorted?

            Can you perform a DCDIAG on your 2003 Domain Controller and post the full output on here please? That might give us a few more clues as to how to help you.
