In news:, tokyo7 <> posted the following, which I replied to down below...:
Hello tokyo7
> I did a packet capture on a DNS server 10.9.1.2 and behold it really
> did go out and ask the root servers
>
> 1218 3.331939 10.9.1.2 192.203.230.10 DNS Standard query PTR
> 1.0.0.127.in-addr.arpa
> 1238 3.404205 192.203.230.10 10.9.1.2 DNS Standard query response, No
> such name
>
> So my assertion that these were false positives was perhaps wrong. I
> just don't get why a fresh reload of the root hints did not fix it. Or
> why a manual nslookup from command line works, or why I have another
> DNS server that the dcdiag test will show a PASS for everything.
>
> Also I even put in the host file a lookup for the IPs of itself and
> the other DNS servers just in case and it still failed in this manner:
>
> TEST: Records registration (RReg)
> Error: Record registrations cannot be found for all the network
> adapters
>
> and
>
> DNS server: 192.112.36.4 (g.root-servers.net.)
> 1 test failure on this DNS server
> This is not a valid DNS server. PTR record query for the
> 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
> [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]
Run the following please, and post the results.
nslookup d2
(post results)
then while in batch mode, enter 192.203.230.10, and post that result too, please.
I know you said you do not use Forwarders. In many cases, using Forwarders is suggested and some would say using them is 'best practice.' I'm not sure of your company's reasons to not use them, and I respect whatever reason it is, but if I may suggest, configure a forwarder and re-run your tests. Most of these root hint errors, and possibly all, do not occur with Forwarders, for obvious reasons.
I know you want to get it right, but I am suggesting to use Forwarders to get these errors out of the way, because they may be tainting other possible errors going on. I know you said that the 13508 and 13509 errors are now gone, but my curiosity is getting the best of me because these errors do not just pop up and disappear for no reason. I would like to know, and I'm sure you are curious as the administrator of your AD infrastructure, that if you eliminate these Root hint errors, I would like to know if there are any other errors going on concerning replication, which is a more serious issue.
And I am very surprised there was no glue record for one of your DC DNS servers, which is more of an indication that there is a replication issue that initially caused this, because these records, as well as everything else, automatically get registered without manual intervention.
Also, I know you said you have the latest dcdiag and netdiag versions. Curious, when you ran the tests, did you run them from one machine, or on each DC? Can you compare the versions on each DC to see if there are any discrepancies?
Here is the link for the latest. Try installing the tools on one DC and compare the versions:
Download and install the Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/d...ng=en#filelist
Also, in your edge firewalls, assuming you have more than one, do you have EDNS0 enabled?
Ace
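The capture quoted at the top of this exchange shows the DC sending a PTR query for 1.0.0.127.in-addr.arpa to a root server. Beyond the dcdiag noise, that is a small information leak: every reverse lookup for loopback or RFC 1918 space that escapes the resolver tells an outside party which internal addresses are in use, and the roots will only ever answer "No such name". Below is an added example (my own code, not from the original thread or from any Microsoft tool) that scans Wireshark-style summary lines for exactly this pattern: PTR queries for locally-served address space sent to a root server. The sample capture lines are constructed; the first two reproduce the frames quoted in the post, the rest are made up to show non-leaking traffic. The root server address list is from memory of the root hints file and should be checked against the live named.root before use.

```python
import ipaddress
import re

# Public IPv4 addresses of the 13 root name servers (assumption: from memory
# of the root hints file; verify against the current named.root).
ROOT_SERVER_IPS = {
    "198.41.0.4", "199.9.14.201", "192.33.4.12", "199.7.91.13",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "198.97.190.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "199.7.83.42",
    "202.12.27.33",
}

# Wireshark summary line: frame number, time, source, destination, "DNS", info.
SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+DNS\s+(?P<info>.+?)\s*$"
)
PTR_QUERY_RE = re.compile(r"Standard query PTR\s+(?P<name>\S+)")


def ptr_name_to_ip(name):
    """Turn a full IPv4 reverse name (d.c.b.a.in-addr.arpa) into an address."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def is_locally_served(name):
    """True if the reverse name belongs to space that should never be asked
    of the Internet: loopback, RFC 1918, link-local or unspecified (RFC 6303)."""
    ip = ptr_name_to_ip(name)
    if ip is None:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def parse_summary_line(line):
    """Parse one summary line; returns a dict or None for non-DNS lines."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    q = PTR_QUERY_RE.search(pkt["info"])
    pkt["ptr_name"] = q.group("name") if q else None
    return pkt


def find_leaks(lines):
    """Return (frame, src, dst, name) for every PTR query about locally-served
    space that was sent straight to a root server."""
    leaks = []
    for line in lines:
        pkt = parse_summary_line(line)
        if pkt is None or pkt["ptr_name"] is None:
            continue
        if pkt["dst"] in ROOT_SERVER_IPS and is_locally_served(pkt["ptr_name"]):
            leaks.append((int(pkt["frame"]), pkt["src"], pkt["dst"], pkt["ptr_name"]))
    return leaks


# Constructed sample capture. Frames 1218/1238 mirror the ones quoted in the
# post; the remaining frames are invented to show traffic that is not a leak.
SAMPLE_CAPTURE = [
    "1218 3.331939 10.9.1.2 192.203.230.10 DNS Standard query PTR 1.0.0.127.in-addr.arpa",
    "1238 3.404205 192.203.230.10 10.9.1.2 DNS Standard query response, No such name",
    # the DC asking g.root-servers.net about its own RFC 1918 address: a leak
    "1301 4.010000 10.9.1.2 192.112.36.4 DNS Standard query PTR 2.1.9.10.in-addr.arpa",
    # a PTR for a public address is ordinary recursion, not flagged
    "1402 4.500000 10.9.1.2 192.112.36.4 DNS Standard query PTR 4.0.41.198.in-addr.arpa",
    # an internal PTR sent to an internal forwarder, not a root server: not flagged
    "1500 5.000000 10.9.1.2 10.9.1.3 DNS Standard query PTR 3.1.9.10.in-addr.arpa",
    "1501 5.000100 10.9.1.2 10.9.1.3 DNS Standard query A dc1.example.local",
]


if __name__ == "__main__":
    for frame, src, dst, name in find_leaks(SAMPLE_CAPTURE):
        print(f"frame {frame}: {src} asked root server {dst} for {name}")
```

Paste a Wireshark summary export (or the equivalent tshark output) into `find_leaks` to see how often the resolver is doing this; on the server side, either a forwarder, as suggested above, or locally authoritative reverse zones for 127.in-addr.arpa and your RFC 1918 ranges stops the queries ever leaving the network.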