reverse lookup zone corrupt

 
 
newguy
07-18-2009
I have a reverse lookup zone that is corrupt. I tried to delete it but it tells
me I am not allowed. So here are my questions.

How do I fix it? I was just going to delete it and create a new one.
Would this prevent people from pinging outside IPs?


I get errors in the event log with ID of 4015 and 4521.
 
Ace Fekay [MCT]
07-18-2009
"newguy" <> wrote in message
news:F69F6626-F7E6-49C9-AD67-...
> I have a reverse lookup zone that is corrupt. I tried to delete it but it
> tells me I am not allowed. So here are my questions.
>
> How do I fix it? I was just going to delete it and create a new one.
> Would this prevent people from pinging outside IPs?
>
>
> I get errors in the event log with ID of 4015 and 4521.



Well, it's difficult to tell with the limited info you provided. This could
be caused by a number of factors. If it simply cannot contact AD, that can
cause it. What will stop it from contacting AD? A host of reasons. One of
the main reasons is a DNS misconfiguration in the DC's IP configuration,
meaning if you are using the ISP's DNS server in its IP configuration.

Please post an unedited ipconfig /all from the DC to better assist.

Some questions, if you can respond to them, please:

Is the "DHCP Client Service" disabled on this DC? (It's a required service
even if the machine has a static IP configuration).

Does this DC have more than one NIC (multihomed)?

Is this DC using an ISP's DNS address in its IP configuration?

Are you logged on with an administrator account of the domain?

How many DCs do you have? If more than one, keep in mind, if you delete any
AD integrated zone, the deletion is domain or forest wide, depending on the
zone's replication scope, and not just on that DC. So was it already deleted
on another DC and the console hasn't been refreshed to show it was deleted?

If you delete it, no, it will not prevent Internet resolution. Pings,
however can be stopped by firewall rules or security software. The key to it
here is you are concerned with resolution. Nslookup is the better tool to
test resolution, not ping.

If you are having problems deleting it, try and see if you can change the
zone to a Primary zone. But keep in mind, this is another domain/forest wide
change, where it will remove the zone from all other DCs. If this works,
then try to delete that zone.

Please read the following to see if it helps.
http://eventid.net/display.asp?event...ce=DNS&phase=1
http://eventid.net/display.asp?event...ce=DNS&phase=1

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.




 
newguy
07-19-2009

Windows IP Configuration
Host Name . . . . . . . . . . . . : DDRW58B1
Primary Dns Suffix . . . . . . . : jco.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : jco.local



Ethernet adapter Server Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-13-72-FD-F5-F8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.205.20.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.205.20.254
DNS Servers . . . . . . . . . . . : 4.2.2.1
4.2.2.2
Primary WINS Server . . . . . . . : 10.205.20.10

DHCP client is running

Two NICs; one doesn't have TCP/IP checked but is connected. I guess that's why
it only shows the one adapter in the ipconfig.

Is this DC using an ISP's DNS address in its IP configuration? No, but it
does have the 4.2.2.1

Logged in with domain admin accounts.

It's a 2003 SBS server so it's the only DC.

I am not going to try to remove it until Monday because I have limited
remote access from home.


NSLOOKUP is working correctly but I still can't ping things I used like
www.google.com. It does the first line where it shows the IP, then the rest
times out. DNS internally is still working; I can map drives with
\\computername.
Ace Fekay [MCT]
07-19-2009
Hello "newguy,"

Actually 4.2.2.2 and 4.2.2.1 are ISP DNS addresses, well more specifically,
they are external DNS servers that have no idea of your internal AD
information. I'm not sure if you are aware of this or not, but AD relies on
DNS. AD registers information into DNS about itself so clients can log on,
DCs communicate to other DCs and to client machines, authentication and a
list of about 50 other things.

And mapping a drive to \\computername\sharename is using NetBIOS, not DNS,
hence why you can map it, but the client won't be able to authenticate to
use it because of DNS.

The first thing to do is remove the 4.x's DNS servers. Replace it with only
10.205.20.10.

Then go into DNS console, right click the DNS server name (10.205.20.10),
choose properties, Forwarder tab, and enter those two 4.x numbers. This will
provide efficient internet name resolution.

Do your workstations use DHCP? What are you using for a DHCP server, the DC
or the router? If the router, disable it, please. Use Windows DHCP and set
the following options:

003 <router IP address>
006 <internal DC IP addresses>
015 <internal DNS domain name>
044 <internal WINS addresses>
046 "0x8" (without the quotes)

So basically what I'm trying to stress, is to make sure that in DHCP, and in
all internal machines, the DNS address set is to ONLY 10.205.20.10, and NOT
the 4.x numbers or any other ISP's or external DNS server that has no idea
about your AD.

Then restart the DC. Once the DC is up, restart the workstations.

Let me know how you make out.

Ace
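
The check described in the reply above (a DC's adapter should list only the DNS server that hosts the AD zones, with external resolvers moved to forwarders), as an added example that is not part of the original thread. The function names and the `ad_dns` allow-list are assumptions for illustration; the sample text is constructed from the `ipconfig /all` output posted earlier in the thread.

```python
import ipaddress
import re

# Constructed sample: adapter section as pasted in the thread (indentation lost).
SAMPLE = """\
Windows IP Configuration
Host Name . . . . . . . . . . . . : DDRW58B1
Primary Dns Suffix . . . . . . . : jco.local

Ethernet adapter Server Local Area Connection:
IP Address. . . . . . . . . . . . : 10.205.20.10
DNS Servers . . . . . . . . . . . : 4.2.2.1
4.2.2.2
Primary WINS Server . . . . . . . : 10.205.20.10
"""

ADAPTER = re.compile(r"^[\w ]*adapter (.+):$")
FIELD = re.compile(r"^([^:]+?)(?:\s*\.)*\s*:\s*(.*)$")

def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def dns_servers_by_adapter(text):
    """Map adapter name -> DNS servers, including bare continuation lines."""
    adapters, current, in_dns = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        header, field = ADAPTER.match(line), FIELD.match(line)
        if header:
            current, in_dns = header.group(1), False
            adapters[current] = []
        elif field:
            in_dns = field.group(1) == "DNS Servers"
            if in_dns and current and parse_ip(field.group(2)):
                adapters[current].append(field.group(2))
        elif in_dns and current and parse_ip(line):
            adapters[current].append(line)  # second and later servers
    return adapters

def audit_dc_resolvers(text, ad_dns):
    """Flag DC resolver entries that are not the AD-integrated DNS servers."""
    allowed = {ipaddress.ip_address(a) for a in ad_dns}  # assumption: caller knows these
    findings = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        ips = [ipaddress.ip_address(s) for s in servers]
        for ip in ips:
            if ip not in allowed:
                kind = "external" if ip.is_global else "unlisted internal"
                findings.append((adapter, str(ip), kind))
        if not allowed.intersection(ips):
            findings.append((adapter, None, "no AD DNS server configured"))
    return findings
```

Called as `audit_dc_resolvers(SAMPLE, ["10.205.20.10"])`, it reports both 4.x entries as external and notes that no AD DNS server is configured; once the adapter lists only 10.205.20.10, the same call returns an empty list.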


 
newguy
07-20-2009
I changed the DNS server to your suggestion. DHCP is being provided by the
SBS server and all those options are set. I think the issue with ping may be
some place upstream from our firewall (am going to double check the config of
it in the morning) because I still cannot ping external but I can surf the
web and use ftp. NSLOOKUP is returning the correct answers. I still cannot
load the reverse dns zone but I haven't tried your suggestions for deleting
it. I think it will have to wait until after hours tomorrow. All the
workstations were getting the correct info; it was just someone put both
external DNS servers as static in the SBS TCP/IP setting.

I didn't set this up. It's one of those things where we are the new IT staff
and no one knows how things are set up or if they were ever working right.

Thanks for the help. I will post back what I find.
 
Ace Fekay [MCT]
07-20-2009
"newguy" <> wrote in message news:88D32D18-37F5-4363-A6B1-...
>
> I changed the DNS server to your suggestion. DHCP is being provided by the
> SBS server and all those options are set. I think the issue with ping may be
> some place upstream from our firewall (am going to double check the config of
> it in the morning) because I still cannot ping external but I can surf the
> web and use ftp. NSLOOKUP is returning the correct answers. I still cannot
> load the reverse dns zone but I haven't tried your suggestions for deleting
> it. I think it will have to wait until after hours tomorrow. All the
> workstations were getting the correct info; it was just someone put both
> external DNS servers as static in the SBS TCP/IP setting.
>
> I didn't set this up. It's one of those things where we are the new IT staff
> and no one knows how things are set up or if they were ever working right.
>
> Thanks for the help. I will post back what I find.


If pings are not returning, it means ICMP Echo is blocked at the firewall, whatever is being used as a firewall.

Looking forward to your results when you post back.

Ace


 
10-16-2010
I have recently been facing exactly the same issue as the first poster; the only difference is
that this happens without any error message in the event log. I tried all the hints that serve
as clues in this post and other similar posts, but to no avail. Does anyone know what the reason could be?
The problem is that this has happened to me for the second time, and I don't know how it got fixed by itself that time. It seems I am giving up!
_____________________
Jonathan Smith