DNS signature failed to verify error

Discussion in 'DNS Server' started by Don, Mar 23, 2007.

  1. Don

    Don Guest

    I have two servers, one w/Win Srv SBS Prem Ed 2K3 (Srv 1) and the other Win
    Srv Std Ed 2K3 (Srv 2). All updates have been applied. Srv 1 was up and in
    production for several months before Srv 2 came on-line.

    Srv 1 was installed and config'd with an internal domain (domain.local) and
    Srv 2 was joined to the .local domain then dcpromo'd with plans to make Srv 2
    a BDC. The dcpromo was uneventful. AD installed on Srv 2 as a result of the
    dcpromo and the user accounts replicated. DNS was installed on Srv 2 via
    Add/Remove. Both servers are config'd to allow secure updates.

    As an aside, Srv 1 does have two NICs, with one pointing to the LAN on
    one subnet and the other to the WAN on another subnet, and Srv 2 has one NIC
    on the same subnet as Srv 1's LAN NIC. Per a MS KB I have made the primary DNS
    on Srv 1 the IP address of Srv 2 and Srv 2's primary DNS the IP address of
    Srv 1, with the secondary being their own IP address.

    At this time both servers' DNS reflect their own and the other's A records;
    however, I'm getting a Netlogon error on both servers when they try to perform
    a dynamic registration of their respective DNS record on the other server. I
    have run DCDiag /test:connectivity /s:dcname and netdiag /test:dns and all
    responses are passed. I have stopped and started DNS and the Net Logon
    service as indicated in KBs and I have walked the DNS trees on each server
    but I have not been able to find the problem. When the Net Logon service is
    restarted more errors are listed in the System Log.

    The error is Netlogon
    Event ID: 5774

    The dynamic registration of the DNS record
    '97adc2e7-9a51-4006-a405-061daec8f2fd._msdcs.domain.local. 600 IN CNAME
    srv1.domain.local.' failed on the following DNS server:

    DNS server IP address: 192.168.2.132
    Returned Response Code (RCODE): 5
    Returned Status Code: 9016

    The above IP address is the IP address of Srv 2. Likewise there is a similar
    error on Srv 2 when it tries to update Srv 1. Obviously the appropriate info
    is changed in the error msg.

    Any thoughts on this would be appreciated.
    Don
     
    Don, Mar 23, 2007
    #1

  2. Read inline please.

    Win2k3 did things slightly differently from Win2k: on Win2k the _msdcs is a
    subdomain and all Netlogon records are located in this subdomain. Win2k3
    split the _msdcs off into its own forward lookup zone, _msdcs.domain.local,
    where all Domain Controllers in the AD Forest register forest-level Netlogon
    records.

    Do both DNS servers have a zone named _msdcs.domain.local, with dynamic
    updates allowed?

    In the domain.local zone, there should be a delegation named _msdcs, with NS
    records for all DNS servers in the forest running on DCs. All DCs in the
    Forest should have this _msdcs.domain.local forward lookup zone.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    Send IM: http://www.icq.com/people/webmsg.php?to=296095728
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Mar 24, 2007
    #2
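A script that checks the points raised in the reply above on each DNS server, added here as an example; it is not part of the original thread and not a Microsoft tool. It uses dnscmd (shipped with Windows Server 2003) to confirm that each server hosts a separate _msdcs.domain.local zone, that the zone is AD-integrated with secure-only updates and sits in the ForestDnsZones partition, and that every NS record at the _msdcs.domain.local apex also appears in the _msdcs delegation of domain.local and has a host A record behind it. The domain and server names are placeholders, and the field labels parsed out of dnscmd /ZoneInfo output are assumptions about its print format; check both against your own servers.

```powershell
# Added example, not from the thread: audit the _msdcs layout on each DNS server.
# Placeholders below (domain and server names) must be changed for your forest.
$Domain     = 'domain.local'
$DnsServers = 'srv1.domain.local', 'srv2.domain.local'
$MsdcsZone  = "_msdcs.$Domain"

# Run dnscmd (Windows Server 2003) against one server; return its output as strings,
# with error records folded in so a failed call is visible in the same stream.
function Invoke-Dnscmd([string]$Server, [string[]]$Arguments) {
    & dnscmd $Server @Arguments 2>&1 | ForEach-Object { "$_" }
}

# Extract NS targets from a dnscmd /EnumRecords listing, e.g.
#   "_msdcs 3600 NS  srv1.domain.local."  ->  "srv1.domain.local"
function Get-NsTargets([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -match '\sNS\s+(\S+?)\.?\s*$') { $matches[1].ToLower() }
    }
}

foreach ($s in $DnsServers) {
    Write-Host "==== $s ===="

    # 1. Win2k3 layout: _msdcs must be its own forward lookup zone, not just a subdomain.
    $zones = Invoke-Dnscmd $s @('/EnumZones')
    if (-not ($zones -match [regex]::Escape($MsdcsZone))) {
        Write-Warning "$s does not host $MsdcsZone; forest-level Netlogon records cannot register here"
        continue
    }

    # 2. Zone properties. The 'update' and 'DS integrated' labels and the partition DN
    #    are as printed by dnscmd /ZoneInfo on Win2k3 (assumption: verify on your server).
    $info   = Invoke-Dnscmd $s @('/ZoneInfo', $MsdcsZone)
    $update = 'unknown'
    foreach ($line in $info) { if ($line -match 'update\s*=\s*(\d)') { $update = $matches[1] } }
    $dsInt  = [bool]($info -match 'DS integrated\s*=\s*1')
    $forest = [bool]($info -match 'ForestDnsZones')
    "  AD integrated        : $dsInt"
    "  dynamic update code  : $update  (0 = none, 1 = nonsecure and secure, 2 = secure only)"
    "  in ForestDnsZones    : $forest"

    # 3. NS set at the child zone apex versus NS set in the parent's _msdcs delegation.
    $apexNs  = @(Get-NsTargets (Invoke-Dnscmd $s @('/EnumRecords', $MsdcsZone, '@', '/Type', 'NS')))
    $delegNs = @(Get-NsTargets (Invoke-Dnscmd $s @('/EnumRecords', $Domain, '_msdcs', '/Type', 'NS')))
    "  NS at $MsdcsZone apex    : $($apexNs -join ', ')"
    "  NS in $Domain delegation : $($delegNs -join ', ')"
    $missing = $apexNs | Where-Object { $delegNs -notcontains $_ }
    if ($missing) { Write-Warning "delegation on $s lacks NS for: $($missing -join ', ')" }

    # 4. Each NS target needs a host A record in the domain zone that this server can find.
    foreach ($ns in $apexNs) {
        $label = $ns -replace "\.$([regex]::Escape($Domain))$", ''
        if ($label -eq $ns) { "  $ns is outside $Domain; check its A record manually"; continue }
        $a = Invoke-Dnscmd $s @('/EnumRecords', $Domain, $label, '/Type', 'A')
        if (-not ($a -match '\sA\s+\d+\.\d+\.\d+\.\d+')) { Write-Warning "no A record for $ns on $s" }
    }
}
```

Run it from either DC as a Domain Admin. A server that hosts the zone but reports a delegation missing one of the apex NS names, or a zone outside ForestDnsZones, is the condition the rest of the thread chases; a dynamic update code other than 2 means the zone accepts unsigned updates, which is not what the original post says is configured and is worth fixing on its own.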

  3. Don

    Don Guest

    Hey Kevin,

    Thanks for your input on this issue.

    Both DNS servers have the zone named _msdcs.domain.local with Dynamic
    updates and secure only. Also AD Integrated on both servers.

    On both servers DNS, in the domain.local zone there is a delegation named
    _msdcs with one NS record which refers to srv1.domain.local (SBS). You
    indicate that there should be an NS record for both DNS servers on both DNS
    servers if I understand you correctly.

    I also took note, since having to reboot srv2 after a failure of the Symantec
    Corp Ed product to open, that there were several DNS errors logged during the
    reboot: Event 4015 logged one time followed by several Event 4004. Research
    indicates an LDAP issue but I'm unable to see any issues here. This may be
    related to my original post or completely unrelated, or it could be a timing
    issue.

    Any other thoughts would be appreciated.
    Thanks in advance,
    Don
     
    Don, Mar 28, 2007
    #3
  4. Read inline please.

    Yes, there should be an NS record for each DNS server with the
    _msdcs.domain.local zone. This zone is, or should be, replicated to all DNS
    servers in the AD Forest running on Win2k3 DCs. Because this zone is in the
    ForestDNSZones replication partition, it won't replicate to Win2k DCs at
    all; Win2k DCs would need a Secondary of the zone, or you would have to move
    the zone to the MicrosoftDNS replication partition, in which case only
    Win2k3 DCs that are in the Forest Root Domain would get the zone.

    These errors typically only appear when there is only one DC with DNS
    installed.
    The missing Delegation might be responsible for these errors, but you might
    check the Properties of the _msdcs.domain.local zone and make sure they are
    configured to "Replicate to all DNS servers in the Active Directory Forest
    <domain.local>". If they are not both set this way, change one to standard
    Primary to preserve its zone data, then delete the zone on the other DC. Then
    open AD Sites & Services, expand down to and select NTDS Settings in the left
    hand pane, then right-click on the server connection and select Replicate
    now.
    Then change the Standard Primary back to ADI, and replicate to all DNS servers
    in the forest. Failing to wait until the zone that is not in the correct
    partition is gone from AD will cause an error that says the zone exists in
    two replication partitions.

    If you have not already done so, install the server support tools from the
    server CD, (CD2 IIRC on SBS) Then get to know and use the DCdiag and Netdiag
    command line tools. In your case the dcdiag tool is the one you need, it
    will test the delegation and replication partitions.

    Use Dcdiag /e /c /v on both DCs.


     
    Kevin D. Goodknecht Sr. [MVP], Mar 29, 2007
    #4
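The partition repair described in the reply above, scripted with dnscmd and repadmin instead of the DNS and AD Sites & Services consoles. This is an added example, not from the thread and not Microsoft's own procedure; the server names are placeholders, and the /ZoneResetType switches (/Primary /file, /DsPrimary /dp /forest) and /ZoneDelete /DsDel /f are written from memory of the Win2k3 dnscmd syntax, so confirm them with dnscmd /ZoneResetType /? and dnscmd /ZoneDelete /? before running. It does nothing unless the precheck finds a copy of the zone outside ForestDnsZones, and it keeps the data from the server you name as $KeepDc.

```powershell
# Added example, not from the thread: move a mis-partitioned _msdcs zone back into
# ForestDnsZones with dnscmd and repadmin. Placeholders below; the /ZoneResetType
# and /ZoneDelete switches are written from memory of the Win2k3 dnscmd syntax
# (assumption: confirm with dnscmd /ZoneResetType /? and dnscmd /ZoneDelete /?).
$Domain    = 'domain.local'
$MsdcsZone = "_msdcs.$Domain"
$KeepDc    = 'srv1.domain.local'   # DC whose copy of the zone data is preserved
$OtherDc   = 'srv2.domain.local'   # DC whose copy is deleted and re-replicated

function Invoke-Dnscmd([string]$Server, [string[]]$Arguments) {
    & dnscmd $Server @Arguments 2>&1 | ForEach-Object { "$_" }
}
# True when this server's copy of the zone lives in the ForestDnsZones partition
# (the zone DN printed by /ZoneInfo contains 'ForestDnsZones'; assumption as above).
function Test-InForestPartition([string]$Server) {
    [bool]((Invoke-Dnscmd $Server @('/ZoneInfo', $MsdcsZone)) -match 'ForestDnsZones')
}

if ((Test-InForestPartition $KeepDc) -and (Test-InForestPartition $OtherDc)) {
    "Both servers already keep $MsdcsZone in ForestDnsZones; nothing to do"
    return
}

# 1. Preserve the data: turn the kept copy into a file-backed standard primary.
#    The file lands in %SystemRoot%\system32\dns and doubles as a backup.
Invoke-Dnscmd $KeepDc @('/ZoneResetType', $MsdcsZone, '/Primary', '/file', "$MsdcsZone.dns")

# 2. Delete the other copy together with its object in AD (/DsDel), without prompting (/f).
Invoke-Dnscmd $OtherDc @('/ZoneDelete', $MsdcsZone, '/DsDel', '/f')

# 3. Push replication and wait until the zone is gone from the other server; converting
#    back too early produces the "zone exists in two replication partitions" error.
& repadmin /syncall $KeepDc /e /A /P
$tries = 0
do {
    Start-Sleep -Seconds 30
    $still = (Invoke-Dnscmd $OtherDc @('/EnumZones')) -match [regex]::Escape($MsdcsZone)
    $tries++
} while ($still -and $tries -lt 20)
if ($still) { throw "$MsdcsZone still listed on $OtherDc after 10 minutes; do not convert back yet" }

# 4. Back to AD-integrated, scoped to all DNS servers in the forest, then replicate again.
Invoke-Dnscmd $KeepDc @('/ZoneResetType', $MsdcsZone, '/DsPrimary', '/dp', '/forest')
& repadmin /syncall $KeepDc /e /A /P

# 5. Confirm with the dcdiag switches recommended above (delegation and partition tests).
& dcdiag /e /c /v
```

The wait loop in step 3 is the scripted form of "wait until the zone is gone from AD": it polls the other server's zone list rather than trusting a single replication push. While the zone is a file-backed primary the other server has no copy at all, so keep the window short and run this outside production hours.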
  5. Don

    Don Guest

    Hey Kevin,

    Again thanks for your input on this.

    Since DNS on both servers only contains the NS record of the SBS (srv1)
    under the delegation _msdcs, what is the solution to getting the missing NS
    record corrected?
    Remember this is a Win 2K3 environment only.

    With regards to the Events 4015 and 4004, I did the homework earlier and yes,
    the _msdcs.domain.local zone on both DNSs is set to replicate to "All DNS
    servers in the Active Directory forest", while the Domain.local zone is set
    to "All DNS servers in the Active Directory domain". These were default
    settings, not settings that I had to adjust.

    Notwithstanding, if I make the changes you indicate concerning preserving
    the Primary zone and deleting the zone off of the non-SBS DC and then letting
    DNS replicate, will that correct the issues that are present with things such
    as the missing NS record?

    Thanks for the DCDiag syntax suggestion. I did run a DCDiag test earlier but
    all came back good. I did not however run the syntax you offered. I'll take a
    look.

    Let me know your thoughts about the zone suggestion above.

    Thanks again,
    Don
     
    Don, Mar 29, 2007
    #5
  6. Read inline please.

    If you use the switches referred to, dcdiag will test the delegation for
    _msdcs; adding the /fix switch, it might fix the missing delegation. You can
    fix the delegation manually by double-clicking the NS record, then clicking
    the "Add" button, entering the fully-qualified name of the missing NS record,
    then clicking Resolve. If it does not resolve, check that there is an A record
    on both DNS servers for the missing NS record. You can also click the
    "Browse" button and browse to the A record for the missing DNS server's NS
    record.



     
    Kevin D. Goodknecht Sr. [MVP], Mar 29, 2007
    #6
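The manual fix described in the reply above, done from the command line instead of the MMC, as an added example that is not part of the original thread: it verifies the host A record for the DNS server missing from the delegation, adds the NS record to the _msdcs delegation in domain.local with dnscmd, asks Netlogon to re-register with nltest /dsregdns, and then reads the System log for new 5774 events. A 5774 event carries two codes: the wire RCODE (5 is REFUSED) and the Win32 status (9016 is DNS_ERROR_RCODE_BADSIG, the "DNS signature failed to verify" of the thread title), so the check prints each event's full message rather than just counting them. Server and domain names are placeholders; Get-EventLog -After assumes PowerShell 2.0.

```powershell
# Added example, not from the thread: add the missing NS to the _msdcs delegation
# with dnscmd, re-register with nltest, and check the System log for new 5774 events.
# Placeholders: run this on the DC that hosts the domain.local zone.
$Domain    = 'domain.local'
$DnsServer = 'srv1.domain.local'   # server holding the domain.local zone and its _msdcs delegation
$MissingNs = 'srv2.domain.local'   # DNS server that is absent from the delegation

function Invoke-Dnscmd([string]$Server, [string[]]$Arguments) {
    & dnscmd $Server @Arguments 2>&1 | ForEach-Object { "$_" }
}

# 1. The NS record is useless unless the target host has an A record the delegation can resolve.
$label = $MissingNs -replace "\.$([regex]::Escape($Domain))$", ''
$a = Invoke-Dnscmd $DnsServer @('/EnumRecords', $Domain, $label, '/Type', 'A')
if (-not ($a -match '\sA\s+\d+\.\d+\.\d+\.\d+')) {
    throw "No A record for $MissingNs in $Domain on $DnsServer; add that first"
}

# 2. Add the NS only if it is not already present (dnscmd rejects a duplicate record).
$deleg = Invoke-Dnscmd $DnsServer @('/EnumRecords', $Domain, '_msdcs', '/Type', 'NS')
if ($deleg -match "\sNS\s+$([regex]::Escape($MissingNs))\.?\s*$") {
    "Delegation already lists $MissingNs"
} else {
    Invoke-Dnscmd $DnsServer @('/RecordAdd', $Domain, '_msdcs', 'NS', "$MissingNs.")
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed (exit code $LASTEXITCODE)" }
}

# 3. Ask Netlogon on this DC to re-register its records, then give it time to log the outcome.
$since = Get-Date
& nltest /dsregdns
Start-Sleep -Seconds 120

# 4. Any new 5774 is printed in full: the message carries the record, the DNS server IP,
#    the wire RCODE (5 = REFUSED) and the Win32 status (9016 = "DNS signature failed to verify").
$events = @(Get-EventLog -LogName System -After $since |
    Where-Object { $_.Source -eq 'NETLOGON' -and $_.EventID -eq 5774 })
if ($events.Count -eq 0) {
    "No new Netlogon 5774 events since $since"
} else {
    foreach ($e in $events) { "$($e.TimeGenerated)  $($e.Message -replace '\s+', ' ')" }
}
```

Because the NS record is added to an AD-integrated zone on one server, it replicates to the other DC on its own; run the script on each DC in turn so that both sides re-register against each other, which is the pattern of failure the original post describes.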
  7. Don

    Don Guest

    Hey Kevin,

    Thanks for the dcdiag syntax. I ran it on both DCs just in case. On the SBS
    (srv1) the service ISMSERV was stopped while this same service on the Std Ed
    (srv2) was running, so I started it on srv1. The /fix parm did not appear to
    correct any issues according to the output results.

    Back to the NS record issue.

    In our last exchange we discussed the need for there to be an NS record for
    each DNS srv. I want to make sure we're on the same page. In the zone
    _msdcs.domain.local there are NS records for each DNS srv on both servers.
    Under the zone domain.local there is a delegation _msdcs which only has one
    NS record and it refers to the SBS (srv1). This is the case on both servers.

    If I have understood correctly, there should be an NS record for each DNS
    srv under the zone domain.local, delegation _msdcs. Please confirm.

    Also with regards to replication, you suggested making sure that zone
    _msdcs.domain.local is configured to "Replicate to all DNS servers in the AD
    Forest". Both servers were already set as you indicated.
     
    Don, Mar 30, 2007
    #7
  8. Read inline please.

    Yes, add the NS record to the delegation, I'm surprised dcdiag didn't report
    it as a broken delegation.

    This is as it should be.


     
    Kevin D. Goodknecht Sr. [MVP], Mar 31, 2007
    #8
  9. Don

    Don Guest

    Hey Kevin,

    I added the NS record for the Std Ed srv to the DNS of the SBS srv under
    zone domain.local delegation _msdcs. I indicated the FQ name and resolved it
    without issue. The record replicated from the SBS to Std Ed DNS. But Netlogon
    is still reporting 5774 events.

    I noted in the event properties, besides dcdiag, a recommendation to run
    nltest /dsregdns. This was done and it reported successful completion. Again
    Netlogon still reports 5774 and DNS is still also logging 4004 errors as well.

    Mind you, I ran the nltest on both servers and both servers are still reporting
    Netlogon and DNS errors.

    Thoughts?
    Thanks,
    Don
     
    Don, Mar 31, 2007
    #9
  10. Read inline please.

    Have I asked for an unedited ipconfig /all yet?
    If not, please post one.


     
    Kevin D. Goodknecht Sr. [MVP], Apr 1, 2007
    #10
  11. Don

    Don Guest

    Hey Kevin,

    Here are the unedited versions of the ipconfigs you asked for.

    This is for the SBS server

    Windows IP Configuration
    Host Name . . . . . . . . . . . . : scoo
    Primary Dns Suffix . . . . . . . : SmileOO.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : SmileOO.local

    Ethernet adapter Server WAN 254.101 Jack 31:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PILA8470B)
    Physical Address. . . . . . . . . : 00-E0-81-05-36-A4
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.254.101
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.254.1
    DNS Servers . . . . . . . . . . . : 192.168.2.100
    Primary WINS Server . . . . . . . : 192.168.2.100
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter Server LAN 2.100 Jack 30:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PILA8470B) #2
    Physical Address. . . . . . . . . : 00-E0-81-05-36-A3
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.2.100
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.2.100
    192.168.2.132
    Primary WINS Server . . . . . . . : 192.168.2.100

    This is for the Std Ed server

    Windows IP Configuration
    Host Name . . . . . . . . . . . . : eagle1
    Primary Dns Suffix . . . . . . . : SmileOO.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : SmileOO.local

    Ethernet adapter LAN 2.132:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
    Physical Address. . . . . . . . . : 00-04-23-D8-00-35
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.2.132
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.2.100
    DNS Servers . . . . . . . . . . . : 192.168.2.100
    192.168.2.132

    Hope this helps.
    Thanks in advance.
    Don
     
    Don, Apr 3, 2007
    #11
  12. Don

    Don Guest

    Hey Kevin,

    Did I lose ya?

     
    Don, Apr 6, 2007
    #12
  13. Read inline please.

    No, but I did get side-tracked for a couple of days, I'm sorry for not
    getting back sooner I've had a couple of really long days in a row.

    If you haven't already, install the server support tools from the CDs, or
    download the latest versions from Microsoft, and try netdiag /fix /v on both
    servers.

    If it makes the DNS registration fix, force a replication and see if it
    clears the errors. If not, use netdiag /test:dns /debug to see what records
    on which servers are missing. Post the entire DNS test if it doesn't.


     
    Kevin D. Goodknecht Sr. [MVP], Apr 8, 2007
    #13
  14. Don

    Don Guest

    Hey Kevin,

    Thanks for getting back. No need to be sorry. Your help is appreciated. I
    know all about the long days, as anyone who has worked in this industry will
    eventually experience many times over.

    I'll check out your suggestions and get back to you.

    Thanks again,
    Don
     
    Don, Apr 10, 2007
    #14
  15. Don

    Don Guest

    Hey Kevin,

    Sorry to report the error still exists. I attempted to post the debug reports
    here but they are too long to post.

    Thoughts?
    Don
     
    Don, Apr 13, 2007
    #15
  16. Read inline please.

    Follow the directions in my signature line and send it to me.



     
    Kevin D. Goodknecht Sr. [MVP], Apr 13, 2007
    #16
  17. Don

    Don Guest

    Hey Kevin,

    Sorry, but ICQ truncates a lot of the debug report. If you can set up a
    temp hotmail acct I can send the reports there.

    Don
     
    Don, Apr 13, 2007
    #17
  18. Read inline please.

    I do have an e-mail address; you can't use Reply, but if you remove the
    nospam from my email address I'll get it.


     
    Kevin D. Goodknecht Sr. [MVP], Apr 13, 2007
    #18
  19. Don

    Don Guest

    Kevin,

    Done, thanks

    Have a great weekend.

    Don

     
    Don, Apr 14, 2007
    #19
  20. Don

    Don Guest

    Hey Kevin,

    I was reading some of the other posts and noted the one about "Add second DNS
    server" which you also contributed to.

    In the post after yours on that thread, Hank noted that after DCPROMO on
    his 2nd srv he waited a while for replication to occur before running the DNS
    wizard. Frankly, I don't recall on my 2nd DC if AD replication had occurred
    before the DNS wizard was run. Could this be the root cause of my problem?

    Thanks,
    Don
     
    Don, Apr 14, 2007
    #20
