
which dns records should be present

 
 
Bonno Bloksma
Guest
Posts: n/a

 
      05-17-2010
Hi,

Trying to track down some weird AD replication problem that may be dns related.
I've seen some weird records that should not be there like 192.168.x.y records where we don't use
those ranges, but... that might be due to VPN connected computers registering their local ip number.

Right now I'm looking at all the domain A records for the domains we have.
Where can I find documentation which records should be present for Domain controllers and dns
servers?
Looking at a domain it has several A records, should those only be the current DCs for that domain?
Or might there be other ip-numbers listed as well?
Which records should be listed at _msdc.rootdomain
Stuff like that I need to find the documentation for, but so far I have not found it. My searches
either show up too much noise or non-relevant documents. :-(

Bonno Bloksma


 
Reply With Quote
 
 
 
 
Chris Dent
Guest
Posts: n/a

 
      05-17-2010
Hi Bonno,

> Where can I find documentation which records should be present for Domain controllers and dns
> servers?
>

The records listed in %SystemRoot%\System32\config\netlogon.dns will be
registered in DNS. Registration of service records can be controlled
using Group Policy (Computer Configuration \ System \ Net Logon \ DC
Locator DNS Records).

You should also have Host (A) records for the server name itself.

> Looking at a domain it has several A records, should those only be the current DCs for that domain?
> Or might there be other ip-numbers listed as well?
>

No, you should only have the DCs listed there (used for group policy and
DFS processing).

> Which records should be listed at _msdc.rootdomain
>

See netlogon.dns above.

Chris
 
Reply With Quote
 
Ace Fekay [MVP - Directory Services, MCT]
Guest
Posts: n/a

 
      05-17-2010
On Mon, 17 May 2010 12:01:10 +0200, "Bonno Bloksma" <>
wrote:

>Hi,
>
>Trying to track down some weird AD replication problem that may be dns related.
>I've seen some weird records that should not be there like 192.168.x.y records where we don't use
>those ranges, but... that might be due to VPN connected computers registering their local ip number.
>
>Right now I'm looking at all the domain A records for the domains we have.
>Where can I find documentation which records should be present for Domain controllers and dns
>servers?
>Looking at a domain it has several A records, should those only be the current DCs for that domain?
>Or might there be other ip-numbers listed as well?
>Which records should be listed at _msdc.rootdomain
>Stuff like that I need to find the documentation for, but so far I have not found it. My searches
>either show up too much noise or non-relevant documents. :-(
>
>Bonno Bloksma
>


In addition to Chris' response, if you are not sure of the correct
records, which the netlogon.dns file should provide, rename the
netlogon.dns and netlogon.dnb records by placing '.old' on the end of
them, then run the following:

ipconfig /registerdns
net stop netlogon
net start netlogon

This will recreate the files and register that data into DNS.

This is provided that of course, the domain is not a single label
name. I'm prompted to state that since you've stated your _msdcs name
is "_msdcs.rootdomain." It should be in at least the form of
'rootdomain.local,' 'rootdomain.com,' etc.

The netlogon service will read the data that it created in the
netlogon.dns file, look at the Primary DNS Suffix zone name, then send
the data in the file to the DNS address configured in NIC properties
to register that data into the zone name that matches the Primary DNS
Suffix. This is the basis of AD DNS SRV registration. As I said, if it
is a single label name, expect problems. If using an ISP or the router
as a DNS address, expect problems. If the Primary DNS Suffix does not
match the AD zone name, (called a disjointed namespace), expect
problems.

If you are having any issues with AD, please post the eventID# and
Source names to better help. Also, an ipconfig /all will help.

Ace

 
Reply With Quote
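Added example, not part of any post in this thread: the two replies above both point to netlogon.dns as the list of records a DC registers, so one way to audit a zone is to compare that file with what the zone actually holds. The domain name example.local, the host dc1, all addresses and both sample texts are constructed, and it is an assumption that the zone contents have been dumped in the same one-record-per-line layout.

```python
# Constructed sample in the zone-file style Netlogon writes to netlogon.dns.
NETLOGON_DNS = """\
example.local. 600 IN A 10.0.0.10
_ldap._tcp.example.local. 600 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc1.example.local.
_kerberos._tcp.example.local. 600 IN SRV 0 100 88 dc1.example.local.
gc._msdcs.example.local. 600 IN A 10.0.0.10
"""

# Constructed sample of what the zone holds, assumed to be dumped in the same layout.
ZONE_RECORDS = """\
example.local. 600 IN A 10.0.0.10
example.local. 600 IN A 192.168.1.23
_ldap._tcp.example.local. 600 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc1.example.local.
gc._msdcs.example.local. 600 IN A 10.0.0.10
ws1.example.local. 1200 IN A 10.0.0.50
"""


def parse_records(text):
    """Return a set of normalised (owner, type, rdata) tuples, ignoring TTL."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # blank or unrecognised line
        owner, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        records.add((owner.lower().rstrip("."), rtype.upper(), rdata.lower().rstrip(".")))
    return records


def audit(expected, observed):
    """Compare the union of all DCs' netlogon.dns records with the zone contents."""
    managed = {(owner, rtype) for owner, rtype, _ in expected}
    missing = sorted(expected - observed)
    # Only names Netlogon manages are judged; ordinary host records are left alone.
    unexpected = sorted(r for r in observed - expected if (r[0], r[1]) in managed)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(parse_records(NETLOGON_DNS), parse_records(ZONE_RECORDS))
    for rec in missing:
        print("missing from zone:", *rec)
    for rec in unexpected:
        print("not registered by any DC:", *rec)
```

With several DCs, pass the union of the sets parsed from each DC's netlogon.dns as `expected`.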
 
Bonno Bloksma
Guest
Posts: n/a

 
      05-18-2010
Hi,

>> Where can I find documentation which records should be present for Domain controllers and dns
>> servers?
>>

> The records listed in %SystemRoot%\System32\config\netlogon.dns will be registered in DNS.
> Registration of service records can be controlled using Group Policy (Computer Configuration \
> System \ Net Logon \ DC Locator DNS Records).
>
> You should also have Host (A) records for the server name itself.


Debugged a few old stale records and decided to give the server a restart this morning. Now I'm
really baffled. I have errors in my system event logs stating the server could not update its dns
records at server 77.222.73.2 but... that server is nowhere in my dns server list. It is in fact not
even an internal dns server, nor is it mine. I've checked the dns server config on the NIC, I've run
an ipconfig/all command and that server is listed nowhere in my config, not even as a WINS server.
What the heck is going on?

Where do I start debugging this? How can Windows try to update its dns records on a server nowhere
in my config? Are there any other places dns servers might be listed?

Bonno Bloksma


 
Reply With Quote
 
Chris Dent
Guest
Posts: n/a

 
      05-18-2010
Bonno Bloksma wrote:
> Hi,
>
>
>>> Where can I find documentation which records should be present for Domain controllers and dns
>>> servers?
>>>
>>>

>> The records listed in %SystemRoot%\System32\config\netlogon.dns will be registered in DNS.
>> Registration of service records can be controlled using Group Policy (Computer Configuration \
>> System \ Net Logon \ DC Locator DNS Records).
>>
>> You should also have Host (A) records for the server name itself.
>>

>
> Debugged a few old stale records and decided to give the server a restart this morning. Now I'm
> really baffled. I have errors in my system event logs stating the server could not update its dns
> records at server 77.222.73.2 but... that server is nowhere in my dns server list. It is in fact not
> even an internal dns server, nor is it mine. I've checked the dns server config on the NIC, I've run
> an ipconfig/all command and that server is listed nowhere in my config, not even as a WINS server.
> What the heck is going on?
>
> Where do I start debugging this? How can Windows try to update its dns records on a server nowhere
> in my config? Are there any other places dns servers might be listed?
>
> Bonno Bloksma
>
>


Hi Bonno,

When a server considers how to update DNS it first looks up the SOA
record for the zone (because that tells it where to find a writeable
version of the zone). This is done for Host (A), Domain Pointer (PTR -
Reverse Lookup), and the service records.

I guarantee that the address you've found is the result of a query for
an SOA record. Either because DNS servers have been incorrectly assigned
to the interface (systems on an AD domain must only point to DNS servers
that can answer for the DNS domain name(s)), or because you don't have a
reverse lookup zone (as that's the most likely to be missing).

If you want to test this out, for forward lookup:

nslookup -q=soa somedomain.com

And for reverse lookup (IP is written in reverse, so this would apply to
1.2.3.x Subnet):

nslookup -q=soa 3.2.1.in-addr.arpa

If you find that you don't have the reverse lookup zone, adding one will
fix the registration error there.

Chris
 
Reply With Quote
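Added example, not part of any post in this thread: the SOA check described in the reply above, turned into a script that builds the reverse zone name for a subnet and reads the primary server out of Windows `nslookup -q=soa` output. The names example.local, dc1 and ns.outside.example, the addresses and both captured outputs are constructed, and the list of "own" DNS servers is an assumption you supply.

```python
import ipaddress
import re

# Constructed nslookup outputs: a healthy forward zone, and a reverse query
# answered with the SOA of a parent zone hosted elsewhere (no local reverse zone).
GOOD = """Server:  dc1.example.local
Address:  10.0.0.10

example.local
        primary name server = dc1.example.local
        responsible mail addr = hostmaster.example.local
"""
BAD = """Server:  dc1.example.local
Address:  10.0.0.10

10.in-addr.arpa
        primary name server = ns.outside.example
        responsible mail addr = hostmaster.outside.example
"""


def reverse_zone(subnet):
    """Name of the in-addr.arpa zone for an IPv4 /8, /16 or /24 subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 subnets on an octet boundary are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def soa_from_nslookup(output):
    """Extract (zone, primary server) from 'nslookup -q=soa' output, or None."""
    m = re.search(r"^(\S+)\s*\n\s+primary name server = (\S+)", output, re.M)
    if not m:
        return None
    return m.group(1).lower().rstrip("."), m.group(2).lower().rstrip(".")


def update_target(output, own_dns_servers):
    """Return (ok, zone, primary); ok is False when updates would leave your servers."""
    soa = soa_from_nslookup(output)
    if soa is None:
        return (False, None, None)
    zone, primary = soa
    return (primary in own_dns_servers, zone, primary)
```

A `False` result with a zone name shorter than the one queried indicates the queried zone is not hosted locally and the update is being sent to whoever owns the parent zone.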
 
 
 