  • DNS Reverse/forward oddity!

    Hi there...

    I'm experiencing an oddity with Win2k SP4 (up to date hotfixes) DNS Server. Hopefully someone out there may have come across this and can help.

    I have two DC's in a single labeled domain (yeah I know it shouldn't be a single label but I inherited this domain). The domain is called...wait for it... 'domain' .... (how embarrassing huh). The first DC is also the DNS server.

    I have DNS set up to be dynamically updated through DHCP (quite normal) so I would expect to see host records for all the machines in the domain in the 'forward lookup zone' but I don't.

    What I am seeing, and this took me by surprise, is that the DHCP clients are registering PTR (Pointer) records in the 'reverse lookup zone' with nothing in the forward lookup zone.

    I've never seen this before... as far as I knew, when Win2k DNS Server is installed using all the default options from the zone setup wizard, it creates a forward lookup zone in which the dynamic DNS updates are stored, not PTR records in the reverse. If I delete a PTR record and do ipconfig /registerdns from the client machine, the record is re-added to the reverse lookup.

    Has me a bit bemused

    Thing is, what drew me to look in DNS was this application event log warning:

    Code:
    Event Type:	Warning
    Event Source:	NETLOGON
    Event Category:	None
    Event ID:	5781
    Date:		23/06/2005
    Time:		22:37:06
    User:		N/A
    Computer:	SERVER01
    Description:
    Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available. 
    Data:
    0000: 2a 23 00 00               *#..
    This obviously indicates something is screwy with DNS somewhere, and I can only think it's to do with the missing host records in 'forward' and the additions of PTR's in the reverse zone. The DNS Server replies to nslookup fine (with HOST and PTR's in place for the two DC's) though.

    I have tried removing the DNS zones and re-added just the forward lookup zone but this hasn't helped at all...

    This in turn is also stopping the other DC from replicating with the first DC - so the domain is currently wide open to a failure which could cause me to have to reinstall the DC's and a new domain (and I guess you all know the pain of re-adding 100 PC's to a new domain, moving/recreating profiles/logins/OU's etc etc etc etc ...)

    The rep error is:

    Code:
    Event Type:	Warning
    Event Source:	NTDS KCC
    Event Category:	(1)
    Event ID:	1265
    Date:		24/06/2005
    Time:		00:34:28
    User:		N/A
    Computer:	SERVER02
    Description:
    The attempt to establish a replication link with parameters
     
     Partition: CN=Schema,CN=Configuration,DC=domain
     Source DSA DN: CN=NTDS Settings,CN=SERVER02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain
     Source DSA Address: ea23a972-d017-4335-8a26-3e0a0daff9ed._msdcs.domain
     Inter-site Transport (if any): 
     
     failed with the following status:
     
     The DSA operation is unable to proceed because of a DNS lookup failure.
     
     The record data is the status code.  This operation will be retried. 
    Data:
    0000: 4c 21 00 00               L!..
    Again this points to DNS not being happy and I'm seeing SAM errors on this DC too:

    Code:
    Event Type:	Error
    Event Source:	SAM
    Event Category:	None
    Event ID:	16650
    Date:		24/06/2005
    Time:		00:45:25
    User:		N/A
    Computer:	SERVER02
    Description:
    The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure. 
    Data:
    0000: a7 02 00 c0               ..À
    I think these errors all stem from the DNS problem, but the DNS event log doesn't report any problems.

    I've been round a number of MS articles for the event IDs above but nothing has worked.

    I'd like to try fixing this before it falls over and I end up working through a night to fix it. I'm planning to reinstall the entire domain but only after I've done some lab testing to ensure the install will go cleanly and quickly, which I'm not getting much of a chance to do with other commitments.

    Any help would be massively appreciated...

    Cheers all

    Stoo
    1 + 1 = 11 ... honest!

  • #2
    I suggest you read this article and learn about single name space http://support.microsoft.com/kb/300684
    Good Luck

    Shai

    MCSE 2003+Security;MCSE 2003+Messaging
    HP ASE;HP AIS;HP APS

    So, from me to all of you out there, wherever you are, remember:
    the light at the end of the tunnel may be you. Good Day!

    • #3
      Hi...

      Yes, been through that article previously (deployed the reg changes via login scripts) but this doesn't seem to have solved the issue with DNS records being created in the reverse lookup.

      Thanks

      S
      1 + 1 = 11 ... honest!

      • #4
        Anyone ?...*sniff*sniff*
        1 + 1 = 11 ... honest!

        • #5
          Have you deployed the UpdateTopLevelDomainZones registry value on the DCs ?

          Do the DCs register their A records ?
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"

          • #6
            Originally posted by stoo.mp
            Anyone ?...*sniff*sniff*

            Check this URL:

            http://www.eventid.net/
            MCSE w2k
            MCSA w2k - MCSA w2k MESSAGING
            MCDBA SQL2k

            • #7
              Hi Windux, thanks, but yep I know eventID well and been round the houses with the event log errors but still not found anything that actually fixes the issue.

              I have a sinking feeling that a new domain is in order....

              arses...

              1 + 1 = 11 ... honest!

              • #8
                Originally posted by guyt
                Have you deployed the UpdateTopLevelDomainZones registry value on the DCs ?

                Do the DCs register their A records ?
                Hi Guyt...

                Yes, I've added the single domain label fix to DNScache for all machines in the domain... but no, none of the DC's register their own A records either.. I've had to manually add them to the forward lookup in order for anything to remotely work.

                At the mo, I'm having to use WINS to keep name resolution working to a degree...

                /me slaps head!
                1 + 1 = 11 ... honest!

                • #9
                  On the DCs have you used the registry or the GPO ?
                  I would try to set the "Update Top Level Domain Zones" setting in the DC's GPO (Default Domain Controllers Policy) and reboot the DCs.

                  Also, my understanding is that the replication currently is not working, so I would suggest isolating one of the DCs and troubleshooting it locally till it starts registering its own SRV/A records (make sure the DC points to itself as primary DNS resolver), and only after that I would start looking at the client issues.
                  Guy Teverovsky
                  "Smith & Wesson - the original point and click interface"
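As an added example (not from the thread), a PowerShell check for what Guy asks in #5 and #9 and for the KB 300684 registry value from #2 and #8; run it as administrator on the DC you have isolated. It assumes a current Windows DC with the DnsClient and NetTCPIP modules (the Win2k hosts in the thread predate PowerShell), and the parameter defaults are assumptions.

```powershell
# Added example, not from the thread: DC DNS registration health check.
# Run as administrator on the DC being isolated. Assumes a current Windows DC
# (the thread's Win2k boxes predate PowerShell) with the DnsClient/NetTCPIP modules.
param(
    [string]$Domain    = $env:USERDNSDOMAIN,   # 'domain' in the thread (single-label)
    [string]$DnsServer = '127.0.0.1'           # a DC should resolve against itself
)
$dc       = $env:COMPUTERNAME
$results  = [ordered]@{}
$localIps = @('127.0.0.1') + @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)

# 1. UpdateTopLevelDomainZones (KB 300684) must be 1 on a single-label domain,
#    otherwise Netlogon will not register into the top-level zone.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$val = (Get-ItemProperty -Path $regPath -Name UpdateTopLevelDomainZones -ErrorAction SilentlyContinue).UpdateTopLevelDomainZones
$results['UpdateTopLevelDomainZones'] = if ($val -eq 1) { 'OK (1)' } else { "NOT SET (value: '$val')" }

# 2. Does the DC point at itself as primary resolver (Guy's advice in #9)?
$resolver = Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object { $_.ServerAddresses } | Select-Object -First 1
$results['PrimaryResolver'] = if ($resolver -in $localIps) { "OK ($resolver)" } else { "not self ($resolver)" }

# 3. Forward vs. reverse: the thread's oddity is a PTR present with no A record.
$ip = $localIps | Where-Object { $_ -ne '127.0.0.1' -and $_ -notlike '169.254.*' } | Select-Object -First 1
try {
    $a = Resolve-DnsName -Name "$dc.$Domain" -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    $results['A record'] = "OK ($(($a | Where-Object QueryType -eq 'A').IPAddress -join ', '))"
} catch { $results['A record'] = 'MISSING' }
try {
    $ptr = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -DnsOnly -ErrorAction Stop
    $results['PTR record'] = "OK ($($ptr.NameHost -join ', '))"
} catch { $results['PTR record'] = 'MISSING' }
if ($results['A record'] -eq 'MISSING' -and $results['PTR record'] -ne 'MISSING') {
    $results['Diagnosis'] = 'PTR registered but no A record: check that the forward zone allows dynamic updates and that the client primary DNS suffix matches the zone name'
}

# 4. The SRV record Netlogon registers for every DC: _ldap._tcp.dc._msdcs.<domain>
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop
    $targets = @(($srv | Where-Object QueryType -eq 'SRV').NameTarget)
    $listed  = $targets -match ('^' + [regex]::Escape($dc) + '\.')
    $results['SRV _ldap._tcp.dc._msdcs'] = if ($listed) { "OK ($($targets -join ', '))" } else { "this DC not listed ($($targets -join ', '))" }
} catch { $results['SRV _ldap._tcp.dc._msdcs'] = 'MISSING' }

$results.GetEnumerator() | Format-Table -AutoSize
```

Any line other than OK on the forward, SRV or resolver rows points at the DC itself rather than the clients, which is the order of troubleshooting suggested above.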

                  • #10
                    Cheers Guy,

                    I've deployed the reg changes in KIX scripts which I've confirmed are in place and working. I'll try the GPO route though just to make sure.

                    Like you say, it looks more like a server issue here than client side and as such I'm trying to resolve the DNS forward/reverse thing which I'd say will resolve replication. I can then have the domain sync'd etc at least.

                    The odd thing is though that these DNS registrations are being entered into the reverse lookup... I've never come across this before tbh.

                    Cheers for your help though, I'll do some changes and restart the DC's tonight (remotely) and see what happens!

                    Ta
                    1 + 1 = 11 ... honest!

                    • #11
                      Sadly, I can't find a fix for this or any info about why it could be happening. All I can think is that DNS is screwed. I've tried removing DNS and re-adding it etc but to no joy.

                      Guess it's time to replace the clunky old domain with a nice shiny new one that's clean and free from the problems which I inherited from the last sys admin

                      Ah well... thanks anyway guys...
                      1 + 1 = 11 ... honest!

                      • #12
                        Yes I inherited one of those domains called DOMAIN with an exchange server called EXCHANGE too!

                        New install and domain, you'll be much happier
