The following DNS server that is authoritative for the DNS DC locator records does not support dynam

Discussion in 'DNS Server' started by Spin, Sep 3, 2004.

  1. Spin

    Spin Guest

    Experts,

    Re-post from yesterday, but with more details. Problem is still occurring.
    I know you experts can solve this. Running Windows Server 2003, dual-homed
    server with one Internet-facing NIC and one internal NIC. The IP address of
    the internal NIC is the address used for the machine's DNS server. This
    machine, a DC, has an AD-integrated, secure dynamic updates-only DNS zone.
    Bad idea to install an Internet-facing DC but I'm on a tight budget. I have
    a few other standard primary zones on this server for a couple of very small
    internet domains (web sites). The two standard primary DNS zones are not
    configured for dynamic updates. I verified that the FQDN of this DC exists
    in the AD-integrated zone, and that the FQDN of this DC is configured
    correctly in the System properties as seen via My Computer. Thoughts?

    Event Type: Warning
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5773
    Date: 9/2/2004
    Time: 6:04:09 AM
    User: N/A
    Computer: MyServer
    Description:
    The following DNS server that is authoritative for the DNS domain controller
    locator records of this domain controller does not support dynamic DNS
    updates:

    DNS server IP address: 192.168.0.4
    Returned Response Code (RCODE): 4
    Returned Status Code: 9004

    USER ACTION
    Configure the DNS server to allow dynamic DNS updates or manually add the
    DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the
    DNS database.

    Computer NetBIOS name: MyServer

    E:\>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : MyServer
    Primary Dns Suffix . . . . . . . : MyServer.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : MyServer.local

    Ethernet adapter LAN Connection:

    Connection-specific DNS Suffix . : MyServer.local
    Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
    Physical Address. . . . . . . . . : 00-02-B3-EC-2B-DG
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.4
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.0.4

    Ethernet adapter Internet Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter #2
    Physical Address. . . . . . . . . : 00-02-B3-EC-2C-15
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : MyPublicIP
    Subnet Mask . . . . . . . . . . . : 255.255.255.248
    Default Gateway . . . . . . . . . : MyRouterIP
    DNS Servers . . . . . . . . . . . : MyPublicIP
     
    Spin, Sep 3, 2004
    #1

  2. In
    Hi Spin,

    I remember we've talked about this before, I think (didn't we?). :)
    Let's go over it again.

    First, 5773's mean that this DNS does not support dynamic updates. That
    means either you have dynamic updates not allowed, or it's the ISP DNS
    address in your outside NIC. I'm putting my paycheck on the outside NIC.

    So I guess you know by now that multi-homed DNS/DCs are problematic? I guess
    a $39.00 Linksys router to handle NAT for you is out of your budget? It
    will eliminate the overhead that is necessary to clean this up, as you will
    see in all the steps below. This is pretty much standard procedure for a
    multihomed DC/DNS or other errors will abound down the line, besides your
    machine being directly connected to the Internet.

    Here are the steps to 'clean' up a single DC/DNS server acting as a NAT.

    1. From your ipconfig /all, this thing here:
    Change that to 192.168.0.4. Do not use your ISP's DNS server anywhere other
    than a forwarder. This will stop the 5773.

    2. Configure a forwarder. How? Rt-click DNS servername, properties,
    forwarders tab, configure a forwarder to your ISP's. If the forwarding
    option is grayed out, delete the Root zone in DNS. If not sure how to do
    these two parts, see:
    http://support.microsoft.com/?id=300202

    3. While in DNS properties, go to the interface tab, tell it to only listen
    on the internal IP address, since this DNS is only for internal use.

    4. Go to Network & Dialup Connections, Advanced Menu, then click on Advanced
    settings, then move the internal NIC to the top of the list (which is your
    binding order). The internal one needs to be first.

    5. The outside IP is registering into DNS as the LdapIpAddress and the
    GcIpAddress. The LdapIpAddress looks like "(same as parent)", and the
    GcIpAddress is your GC address, which is a folder called "GC" found under
    the "_msdcs" folder in your SRV records. That needs to be stopped because it
    causes issues with AD functionality. To kill the external IP registering as
    these two records, go into regedit and do this:

    Add the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    Registry value: DnsAvoidRegisterRecords
    Data type: REG_MULTI_SZ
    Value: LdapIpAddress
    Value: GcIpAddress

    Do this on all DCs and restart netlogon or restart the machine.
    This will prevent the DC from adding the domain A records from netlogon.
    And you can add multiple blank domain A records and the GC address under the
    _msdcs folder as you need. In your case, just add 192.168.0.4 as the GC
    record.

    6. Then you need to stop the outside address from registering at all in DNS
    under your zone. Identify your outside NIC and then follow this article to
    disable that external NIC's registration:
    246804 - Disable Windows 2000 Dynamic DNS Registrations:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;246804

    Let us know how you make out.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Sep 3, 2004
    #2
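A scripted version of the six clean-up steps in the post above, added here as an example and not part of the thread. It assumes a current Windows Server with the DnsServer and NetTCPIP PowerShell modules (the Server 2003 box in the thread would use the DNS console, dnscmd and regedit for the same settings), the interface aliases, internal address and zone name taken from Spin's ipconfig output, and a placeholder ISP forwarder address from a documentation range.

```powershell
# Added example, not the thread's own commands: the six steps for a dual-homed
# DC/DNS, scripted. Aliases, addresses and zone are assumptions from the thread;
# the forwarder address is a placeholder from the TEST-NET-2 documentation range.
#Requires -RunAsAdministrator
$InternalAlias = 'LAN Connection'        # internal NIC (from the ipconfig output)
$ExternalAlias = 'Internet Connection'   # Internet-facing NIC
$InternalIP    = '192.168.0.4'           # the DC's own DNS address
$Zone          = 'MyServer.local'        # AD-integrated zone
$IspForwarder  = '198.51.100.53'         # placeholder: the ISP's resolver

# Step 1: every NIC points only at the DC's own DNS server. The ISP resolver is
# never a client DNS server, only a forwarder (step 2). This stops event 5773.
Set-DnsClientServerAddress -InterfaceAlias $InternalAlias -ServerAddresses $InternalIP
Set-DnsClientServerAddress -InterfaceAlias $ExternalAlias -ServerAddresses $InternalIP

# Step 2: forward unresolved queries to the ISP. A root zone ('.') on the server
# disables forwarding (the grayed-out option in the post), so remove it first.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name '.' -Force
}
Set-DnsServerForwarder -IPAddress $IspForwarder

# Step 3: the DNS service listens only on the internal address.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([ipaddress]$InternalIP)
Set-DnsServerSetting -InputObject $settings

# Step 4: internal NIC first. Interface metric is the current equivalent of the
# Advanced Settings binding order described in the post.
Set-NetIPInterface -InterfaceAlias $InternalAlias -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $ExternalAlias -InterfaceMetric 20

# Step 5: stop Netlogon registering the LdapIpAddress ("same as parent" A record)
# and GcIpAddress (gc._msdcs) records, then add the internal ones by hand.
$nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $nlKey -Name 'DnsAvoidRegisterRecords' -PropertyType MultiString `
    -Value @('LdapIpAddress', 'GcIpAddress') -Force | Out-Null
Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $InternalIP
# If _msdcs is delegated to its own zone, use -ZoneName "_msdcs.$Zone" -Name 'gc'.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'gc._msdcs' -IPv4Address $InternalIP

# Step 6: the external NIC must not register its address in DNS at all (KB 246804).
Set-DnsClient -InterfaceAlias $ExternalAlias -RegisterThisConnectionsAddress $false

# Netlogon re-registers its records on restart; check the System log for 5773 afterwards.
Restart-Service -Name Netlogon
```

Run it once per DC as the post says; afterwards `Get-DnsServerResourceRecord -ZoneName $Zone -RRType A` should show only the internal address at the zone apex and under _msdcs.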

  3. In
    <snip>

    You are also hosting zones for Internet use as well?

    Ace
     
    Ace Fekay [MVP], Sep 3, 2004
    #3
  4. Spin

    Omer maydan Guest

    do as the event tells you... if you have only one server, and it is sitting
    on an internet facing machine, open the Netlogon.DNS, and those SRV records,
    into your Domain DNS Zone. the A record of the server which you see in DNS
    is insufficient for AD, as he publishes resources in order that other Domain
    Members can locate him, and authenticate with him. also, you can enable
    Dynamic Updates, but it's up to you...
     
    Omer maydan, Sep 3, 2004
    #4
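The event's USER ACTION and the reply above both point at `%SystemRoot%\System32\Config\Netlogon.dns`. Before importing that file by hand, a dual-homed DC's copy is worth checking, because it lists exactly the records Netlogon tried to register, public address included. The script below is an added example, not from the thread: it parses the file's zone-file format, flags A records that carry a non-private address, and imports only the internal ones with `-WhatIf`. The sample file content is constructed, using the zone name from Spin's ipconfig output and a documentation-range address standing in for the public IP; it assumes the DnsServer module for the import step.

```powershell
# Added example, not the thread's own code. Constructed sample in Netlogon.dns
# format: the 203.0.113.10 lines stand in for the public IP the thread warns about.
$sample = @'
MyServer.local. 600 IN A 192.168.0.4
MyServer.local. 600 IN A 203.0.113.10
_ldap._tcp.MyServer.local. 600 IN SRV 0 100 389 MyServer.MyServer.local.
_kerberos._tcp.dc._msdcs.MyServer.local. 600 IN SRV 0 100 88 MyServer.MyServer.local.
gc._msdcs.MyServer.local. 600 IN A 203.0.113.10
'@

function Test-PrivateIPv4 {
    # True for RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Read-NetlogonDns {
    # Each line is: <owner> <ttl> IN <type> <rdata...>; A records with a
    # non-private address are marked External so they are not imported.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '\S') { continue }
        $f = -split $line
        $rec = [pscustomobject]@{
            Name     = $f[0]
            TTL      = [int]$f[1]
            Type     = $f[3]
            Data     = ($f[4..($f.Count - 1)] -join ' ')
            External = $false
        }
        if ($rec.Type -eq 'A' -and -not (Test-PrivateIPv4 $rec.Data)) { $rec.External = $true }
        $rec
    }
}

# To audit the real file: Get-Content "$env:SystemRoot\System32\Config\Netlogon.dns"
$records = Read-NetlogonDns ($sample -split "`r?`n")
$records | Format-Table Name, Type, Data, External -AutoSize

# Import the internal records into the AD zone. -WhatIf previews the change;
# drop it once the preview shows only the records you expect.
$Zone = 'MyServer.local'
foreach ($r in ($records | Where-Object { -not $_.External })) {
    # Owner name relative to the zone; the zone apex becomes '@'.
    $name = $r.Name.TrimEnd('.') -replace "\.$([regex]::Escape($Zone))$", ''
    if ($name -eq $Zone) { $name = '@' }
    switch ($r.Type) {
        'A'   { Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $r.Data -WhatIf }
        'SRV' {
            $priority, $weight, $port, $target = -split $r.Data
            Add-DnsServerResourceRecord -ZoneName $Zone -Name $name -Srv -Priority $priority `
                -Weight $weight -Port $port -DomainName $target -WhatIf
        }
    }
}
```

On the sample, the two 203.0.113.10 records are reported as External and skipped; the apex A record, the gc._msdcs record and the two SRV records are what would be imported. Hand-importing is only a stopgap, though: the records go stale as soon as the DC's address or services change, which is why the earlier reply fixes the registration itself.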
  5. Spin

    Spin Guest

    Yes, I'm trying to host zones for Internet use as well, it's not working
    yet, but I'm getting there --- I think!

    "Ace Fekay [MVP]"
     
    Spin, Sep 3, 2004
    #5
  6. Spin

    Roger Abell Guest

    and above all else, as Ace indicated, remove all use of any
    DNS server other than your own in the NIC configs

    DNS Servers . . . . . . . . . . . : MyPublicIP

    is just plain wrong.
     
    Roger Abell, Sep 3, 2004
    #6
  7. Spin

    Roger Abell Guest

    Is your server really named
    MyServer.MyServer.com
    ??
    Sure you did not make a goof in doctoring the ipconfig /all
    output you showed us, and the host name is actually MyServer
    and the domain is actually .local ??

    Host Name . . . . . . . . . . . . : MyServer
    Primary Dns Suffix . . . . . . . : MyServer.local
     
    Roger Abell, Sep 3, 2004
    #7
  8. In
    Actually it's not recommended to do it this way. You would honestly need a
    separate DNS server to host external data. You could get it to work, but it's
    a HUGE security risk, for one, and this is all assuming that the zone you
    are hosting externally is NOT your AD zone, or you would be mixing private
    and public records and it will cause problems.

    Since you are trying to host externally, in the interface tab, let it listen
    to both IPs. If you want to do it right, get another DNS server (an old
    desktop machine will work fine for this function), and eliminate all
    unnecessary services, IIS, etc. But you would need to port remap UDP and TCP
    53 to this server and with your present config, it will conflict since your
    server is a dual homed machine running DNS and listening on those ports.

    I guess $39.00 for a Linksys router is out of budget and out of the
    question? You would be vastly surprised on how EASILY everything would just
    work with one of those things and eliminate the extra card out of your
    server and you won't need to alter the reg or anything else I mentioned.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Sep 3, 2004
    #8
  9. In
    Also, did you ever register your nameserver with the registrar? You do know,
    they *require* two nameservers for each domain being registered?
     
    Ace Fekay [MVP], Sep 3, 2004
    #9