Odd behavior for DC records

Discussion in 'DNS Server' started by Library Sysadmin, Jul 6, 2007.

  1. In tracking down a different problem, I've come across some odd behavior
    regarding the DNS records for our Domain Controllers.

    A few weeks ago, we added new servers with Win 2003 R2 as domain
    controllers. We also run DNS, DHCP and WINS on these servers. Both servers
    only have one of their NICs enabled at this point. There were no problems
    encountered while migrating the domain or these services to the new servers.

    DNS on these servers is AD Integrated. Currently, Aging/Scavenging is
    disabled, however I had been looking into enabling this - which is what made
    me find this odd behavior.

    When checking the Forward lookup zone host record for the DCs, I always find
    that the box is checked to 'Delete this record when it becomes stale'. I
    uncheck this box; close DNS MMC; open DNS MMC and the box is checked again.
    I tried logging on DCs and unchecking box for the enabled NIC so that it
    doesn't register in DNS, but this didn't change anything. The box to
    Delete-when-stale is always checked.

    Similarly, the PTR records for these servers are removed constantly. I add
    the Reverse record manually, making sure to uncheck the box to 'Delete this
    Several minutes later, the records are gone.

    The first issue makes me wary of enabling Aging/Scavenging, as I think this
    would remove the records for the DCs with every cleanup and cause havoc in
    the domain. I've also had to go through and uncheck the Delete-when-stale
    box on every SRV record for every local zone.

    The second issue is already causing problems. If I try NSLookup from my PC,
    I'm getting the "Can't find server name for address <IP>: Non-existent
    domain" message.

    Can anyone shed some light on why these things are occurring and how to make
    the PTR records permanent in DNS?

    Library Sysadmin, Jul 6, 2007
    1. Advertisements

  2. In
    When you added the new DCs and installed DNS on them, did you manually
    create the zones?


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, try using OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. Anonymous access. It's free - no username or password
    required nor do you need a Newsgroup Usenet account with your ISP. It
    connects directly to the Microsoft Public Newsgroups. OEx allows you
    o easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject. It's easy:

    How to Configure OEx for Internet News

    "Quitting smoking is easy. I've done it a thousand times." - Mark Twain
    Ace Fekay [MVP], Jul 7, 2007
    1. Advertisements

  3. Ace,

    No, I didn't enter the zones manually. I followed a Knowledge Base article
    that described a migration process, where the original Win2000 DNS primary is
    not AD Integrated and you want the new Win2003 DNS to be AD Integrated:

    Add DNS on then new Win2003 server as a secondary;
    Transfer the zone data to the new DNS server from the old master;
    Deactivate DNS on the old Win2000 primary;
    Change the new 2003 secondary to be the primary and AD Integrated.
    After this was completed, I added the second Win2003 DNS server.

    This process worked fine for me, with no errors or problems.
    Library Sysadmin, Jul 9, 2007
  4. In
    Those steps are fine if the new server is not a DC. If it is a DC, just
    install DNS and sit back and wait. The zone will auto-appear. I believe what
    happened is that since you created the zone as a secondary on a DC, it may
    have caused a dupe error. The only way to find out and clean it up is to
    look in two places: ADUC (advanced view\system container) and in ADSI Edit.
    If you see anything with a CNF as a prefix, that indicates a conflict based
    on a dupe zone and needs to be deleted. Follow the steps below to either
    determine if this is the case, and if so, to fix it. Post back with your
    findings please.


    Conflicting AD Integrated zones if they exist in both the Domain NC and
    one of the Application Partitions or if you get a weird error message
    "The name limit for the local computer network adapter card was exceeded."

    Under Windows 2000, the physcial AD database is broken up into 3 logical
    partitions, the DomainNC (Domain Name Context, or some call the Domain Name
    Container), the Configuration Partition, and the Schema Partition. The
    Schema and Config partitions replicate to all DCs in a forest. However, the
    DomainNC is specific only to the domain the DC belongs to. That's where a
    user, domain local or global group is stored. The DomainNC only replicates
    to the DCs of that specific domain. When you create an AD INtegrated zone in
    Win 2000, it gets stored in the DomainNC. This causes a limitation if you
    want this zone to be available on a DC/DNS server that belongs to a
    different domain. The only way to get around that is for a little creative
    designing using either delegation, or secondary zones. This was a challenge
    for the _msdcs zone, which must be available forest wide to resolve the
    forest root domain, which contains the Schema and Domain Name Masters FSMO

    In Windows 2003, there were two additional partitions added, they are called
    the DomainDnsZones and ForestDnsZones Application Partitions, specifically
    to store DNS data. They were conceived to overcome the limitation of Windows
    2000's AD Integrated zones. Now you can store an AD Integrated zone in
    either of these new partitions instead of the DomainNC. If stored in the
    DomainDnsZones app partition, it is available only in that domain's
    DomainDnsZones partition. If you store it in the ForestDnsZones app
    partition, it will be available to any DC/DNS server in the whole forest.
    This opens many more design options. It also ensures the availability of the
    _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs
    zone is stored in the ForestDnsZones application partition.

    When selecting a zone replication scope in Win2003, in the zone's
    properties, click on the "Change" button. Under that you will see 3 options:
    To choose the ForestDnsZones:
    "To all DNS serer in the AD forest example.com"

    To choose DomainDnsZones:
    "To all DNS serer in the AD domain example.com"

    To choose the DomainNC (only for compatibility with Win2000):
    "To all domain controllers in the AD domain example.com"

    If you have a duplicate, that's telling me that there is a zone that exists
    in the DomainNC and in the DomainDnsZones Application partition. This means
    at one time, or currently, you have a mixed Win2000/2003 environment and you
    have DNS installed on both operating systems. On Win2000, if the zone is AD
    Integrated, it is in the DomainNC, and should be set the same in Win2003's
    DC/DNS server to keep compatible. Someone must have attempted to change it
    in Win2003 DNS to put it in the DomainDnsZones partition no realizing the
    implications, hence the duplicate. In a scenario such as this where you want
    to use the Win2003 app partitions, you then must insure the zone on the
    Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine,
    then once that's done, you can then go to the Win2003 DNS and change the
    partition's replication scope to one of the app partitions.

    In ADSI Edit, you can view all five partitions. You were viewing the app
    partitions, but not the main partitions. You need to add the DomainNC
    partition in order to delete that zone. But you must uninstall DNS off the
    Win2000 server first, unless you want to keep the zone in the DomainNC. But
    that wouldn't make much sense if you want to take advantage of the _msdcs
    zone being available forest wide in the ForestDnsZones partition, which you
    should absolutley NOT delete. I would just use the Win2003 DNS servers only.

    In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point click
    on "Well known Naming Context", then in the drop-down box, select "Domain".
    Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will
    see the zone in there.

    But make sure to decide FIRST which way to go before you delete anything.

    Some reading for you...
    Directory Partitions:

    kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions

    How to fix it?

    What I've done in a few cases with my clients that have issues with
    'duplicate' zone entries in AD (because the zone name was in the Domain NC
    (Name Container) Partition, and also in the DomainDnsZones App partition),
    was first to change the zone on one of the DCs to a Primary zone, and
    allowed zone transfers. Then I went to the other DCs and changed the zone to
    a Secondary, and using the first DC as the Master. Then I went into ADSI
    Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
    reference to the domain name. Then I added the DomainDnsZones partition to
    the ADSI Edit console, and deleted any reference to the zone name in there
    as well. If you see anything saying something to the extent of a phrase that
    "In Progress...." or "CNF" with a long GUID number after it, delete them
    too. Everytime
    you may have tried tochange the replication scope, it creates one of them.
    Delete them all.

    Then I forced replication. If there were Sites configured, I juggled around
    the servers and subnet objects so all of the servers are now in one site,
    then I forced replication (so I didn't have to wait for the next site
    replication schedule). Once I've confirmed that replication occured, and the
    zones no longer existed in either the Domain NC or DomainDnsZones, then I
    changed the zone on the first server back to AD Integrated, choosing the
    middle button for it's replication scope (which puts it in the
    DomainDnsZones app partition). Then I went to the other servers and changed
    the zone to AD Integrated choosing the same replication scope. Then I reset
    the sites and subnet objects, and everything was good to go.

    Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
    problems and is located in the ForestDnsZones (default) in all of my client
    cases I've come across with so far.

    It seems like alot of steps, but not really. Just read it over a few times
    to get familiar with the procedure. You may even want to change it into a
    numbered step by step list if you like. If you only have one DC, and one
    Site, then it's much easier since you don't have to mess with secondaries or
    play with the site objects.

    I hope that helped!


    Ace Fekay [MVP], Jul 10, 2007
  5. Ace,

    Thanks for the response.
    I'm afraid I got lost in the fix portion that you described, but that may
    not be important, as I don't see any duplicates anywhere that I can tell.

    There are no CNF... records in ADUC.
    Using ADSIEdit, I don't see five partitions. I only see the Domain,
    Configuraiton and Schema partitions. I can't connect to the DomainDSNZones
    or ForestDNSZones, using ADSIEdit, either. Following the instruction in the
    kbAlertz article you linked, when I attempt the connection I just receive a
    message box saying that a "referral" was returned from the server. I can see
    these containers in dnsmgmt.msc under the zone <domain>.local (which is the
    name of our default first site) This is also the only place I can see the
    _msdcs container, which is also carried under the <domain>.local zone. Your
    description seemed to indicate this is a separate zone that is on its own
    somewhere and shouldn't be touched or moved, but from what I can see, this
    isn't a DNS zone, but a container and any change to <domain>.local zone
    woiuld affect the _msdcs container.

    Much of what you outlined assumed that I still had Win2000 DNS servers
    active. I don't. After the migration, the Win2000 DNS servers were
    deactivated. This leaves me with one forest, with one domain and two DCs/DNS
    servers that are Win 2003 R2 and the DNS is AD-Integrated.

    In reading through the information on the differences in the Replication
    parameter for the zones, I'm not sure there is any advantage to us in
    selecting any of these over the other. These are the only two DCs/DNS
    servers in the forest and domain, so replicating the AD Integrated zones to
    all domain controllers should be sufficient. This is the replication setting
    on our DNS zones. There was mention that there would be less network traffic
    using one of the first two, so I attempted changing a zone's replication
    parameter to the 'all DNS servers in the forest' parameter. There were
    warning boxes in the Event log that the zone was removed from Active
    Directory, even though the zone was still defined as an AD Integrated zone.
    I didn't want this, because these are AD Integrated, so I changed it back to
    the 'all domain controllers' replication setting and it was restored in
    Active Directory.

    So, I guess that I'm still back where I started.
    The A and PTR DNS records for the DCs/DNS cannot be changed so that the
    "Delete when stale" checkbox is cleared.
    What would be the effect of enabling Aging/Scavenging when these records
    will most assuredly be deleted routinely from DNS?

    Library Sysadmin, Jul 11, 2007
  6. In
    A referral means it was mistyped.

    Click in the custom context box and type in:

    For DomainDnsZones"

    For ForestDnsZones:

    Don't forget to givce it a unique name in the top name box.

    Ace Fekay [MVP], Jul 12, 2007
  7. In
    Sorry, meant to address the other stuff.

    Even though you are all 2003, there still may be a zone mismatch causing a
    conflict or dupe. Only way to tell is to use ADSI Edit. Please follow the
    directions very closely to get to those partitions. If you changed it and
    changed it back, depending on the timing, it could have left a dupe, which
    will cause this. If you did it really fast thinking 'if i click no real
    quick it will go away', that may have caused it. Usually you will need to
    wait to allow replication to happen, then go back and change it back.

    If you are creating data and it is disappearing, either the DC updating
    itself is doing it or there is a conflict. I am guessing beause I do not
    know your config. If you can, please post the following to get me up to
    speed. I really need you to get into ADSI Edit to see as well into both the
    forestdnszones and domaindnszones partitions. This is IMPORTANT. Remember to
    not edit the results. You have private subnets and a private domain name so
    don't worry about security.

    1. Unedited ipconfig /all from two of your DCs, and one of your clients..
    2. The exact zone name spellng in DNS and whether updates are allowed on the
    3. The AD DNS domain name as it shows up in ADUC.
    4. If the SRV records exist under your zone.
    5. Any errors in the Event logs on the DC under System, Replication Service
    and Directory Services (post the Event ID# and source please)
    6. Dcdiag /v /fix > c:\dcdiag.txt (post the dcdiag.txt as an attachment)
    7. Netdiag /v /fix > c:\netdiag.txt (post the dcdiag.txt as an attachment)
    8. More than one subnet?
    9. Forwarder(s) configured?


    Ace Fekay [MVP], Jul 12, 2007
  8. Ace,

    Here's the info you asked about:

    IPconfig /all output for DC1:
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : dc1
    Primary Dns Suffix . . . . . . . : scdl.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : scdl.local

    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : scdl.local
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-18-8B-7D-B5-B7
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    Primary WINS Server . . . . . . . :
    Secondary WINS Server . . . . . . :

    IPConfig /all output for DC2:
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : dc2
    Primary Dns Suffix . . . . . . . : scdl.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : scdl.local

    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : scdl.local
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-18-8B-7D-B5-B4
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    Primary WINS Server . . . . . . . :
    Secondary WINS Server . . . . . . :

    DNS Forward Lookup zone spelling:

    AD DNS Name in ADUC:
    scdl.local -> System -> MicrosoftDNS -> scdl.local

    SRV records exist for zone scdl.local. In dnsmgmt.msc, under zone
    scdl.local there are 6 containers: _msdcs, _sites, _tcp, _udp,
    DomainDNSZones, ForestDNSZones. Drilling down deeply into each of these
    shows the SRV records existing.

    There are no Event log errors on either DC in the System, File Replication
    Service or Directory Service logs that apply. The only errors occurring in
    the System log are for Terminal Services, Printing warnings and a recurring
    Netlogon error for a proxy server administrative logon.

    Dcdiag.txt and netdiag.txt - did not see any way to attach these to the reply.

    We do have more than one subnet defined. We use these with several VLANs in

    We do have forwarders defined. They are our ISPs DNS servers.
    Library Sysadmin, Jul 14, 2007
  9. In
    Looks like everything is in-line. Also from your description, the
    infrastructure seems Ok as well. The only thing I see that you can change in
    the ipconfig is only specify itself for WINS and also to it's partner. This
    is because of record ownership. Otherwise issues may develope if pointing to
    another for it will then think it owns those records too.

    You will need to get into ADSI Edit to check for dupes, specifically looking
    for anything in the DomainDnsZones and ForestDnsZones partitions that have
    "CNF..." in it.

    Ace Fekay [MVP], Jul 16, 2007
  10. Ace,

    I did manage to access the ForestDNSZones and DomainDNSZones with ADSIEdit.
    I had been entering a trailing period after the dc=local and this was causing
    the "referral" message.

    There are no CNF... records in either the Forest or Domain DNSZones, or any
    of their containers.
    The only records that exist are an CN=Infrastructure record in both; a
    CN=LostAndFound container in both; a CN=NTDSQuotas container in both; and a
    CN=Microsoft DNS in the ForestDNSZones container. There are no objects in
    any of the containers.

    Library Sysadmin, Jul 16, 2007
  11. In
    Good to hear. How about int he Domain partition (not DomainDnsZones)? Check
    in there too?

    Ace Fekay [MVP], Jul 17, 2007
  12. Ace,

    I'd checked those before, because I could access the Domain partition in
    ADSIEdit by default. There are no CNF... records.

    So, after all this, we're left with the original question... why can't you
    make the DC A and PTR DNS records permanent by unchecking the
    Delete-When-Stale box?

    Also, I wanted to check about the warning messages while changing the
    Replication parameter for the zone. With the zone configured to be
    AD-Integrated and changing the Replication parm from "all domain controllers"
    to either "all DNS in forest" or domain, is it normal to receive the messages
    that the zones are being removed from Active Directory?


    Library Sysadmin, Jul 17, 2007
  13. In
    My questioning of CNFs started when you said data you created would not
    stay. That is the only thing I can think of. The only thing I can think of
    at this time is if data you are tryuing to create is data that automatically
    gets updated by the DNS dynamic registration process, then it will go way or
    get overwritten.

    Changing replicaiton scope and getting that message should be ok, because
    after all you are essentially 'removing' it from one part of AD only to put
    it into another. The way it was originally described and possibly the way I
    interpreted it, I thought it may have been beacuse of poissible dupe zones
    in AD. You will be surprised at how many issues from posters in here are
    based on selecting one scope on one machine only to choose a different scope
    on another or better yet, change it on one, then not waiting for replication
    to happen and changing it on another that would have normally been taking
    care of by replication, will cause major issues.

    DC records are dynamic and will CONSTANTLY change. That is evident by
    looking at the zone version number. It constantly changes, especially if you
    have multiple DCs yuou can see ownership change. That is default and is
    telling you that a DC just made a change (an update) and it is now the
    owner, even though nothing actually got changed, rather a refresh of a
    record. If you were to create a record for the DC that it will autoupdate,
    then it will change it no matter what.

    Are you just trying to permanently create a record for the DC? May I ask
    why? If you want to do that, you can make certain registry entries to kill
    dynamic updates of the interfaces and for the netlogon service, but it
    really not advised. Sometimes that is reserved for multihomed DCs to control
    which NIC registers, but then again, a multihomed DC is not recommended at
    all anyway.

    Ace Fekay [MVP], Jul 17, 2007
  14. Ace,

    So, if I'm reading you correctly, it is normal for DC (or any server) DNS A
    and PTR records to be set for "Delete-when-stale".

    My original question was/is, if aging/scavenging is enabled, won't these
    records be deleted? Why would I want the DNS and reverse DNS records for my
    domain controllers (or any other server) to be removed from DNS? With
    statically assigned IP addresses, they should be permanent fixtures in DNS,

    Library Sysadmin, Jul 19, 2007
  15. In
    They get re-registered every 2 hours, if I remember correctly. It's the
    nature of a DC ensuring it's entity exists. So even if scavenging is
    enabled, it won't matter, they will come back.

    Sorry I didn;t pick up on this earlier in the thread.

    Ace Fekay [MVP], Jul 20, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.