| Author | Messages | |
| kbatkbslpcom (Posts: 216) | 06/15/2012 9:46 PM |
I've been running across a recurring issue with Win2008 - one we didn't have with Win2000 DC's.
Randomly, we have Windows 2008 Sp2 DC's "A" records go "missing". Domain/forest functional level is 2003.
The MS/DNS zones (multiple domains) are all AD integrated and are configured for secure updates only and only my team (domain admins) can administer the DNS servers or zones. (I haven't changed the zones to be replicated to all DNS servers, they replicate within each domain at this point).
When this is noticed (usually because AD replication fails with the DC with the missing A record) I'll check the netlogon.dns file - and it has the A record (and other srv records as appropriate). (FYI...I've compared the netlogon.dns before/after restarting netlogon, and the entries are the same).
So I'll do either an ipconfig /registerdns or restart netlogon, the A record re-registers, and all is well.
Scavenging is set to 7 days, 7 days, 2 days (7 days each for no-refresh/refresh, scavenging running every 2 days on the DNS server responsible for scavenging DNS)
At first I thought it was the DNS server list:
#1 is a single DC/DNS in the domain - all DC's point to this (this is also the one doing the scavenging)
#2 is itself or a DC/DNS in datacenter #1
#3 is a DC/DNS in datacenter #2
At first I thought it was related to #3 being "wrong" (typo in the IP address to a non-DC/DNS server, coded into the build script) - so even when I corrected that, I'll have DC's lose their A records.
None of these DC's were "off the network" for 14 days - so they shouldn't have been scavenged because of that.
Any suggestions on where to look?
I'm about to configure a scheduled task to just do an ipconfig /registerdns once a day - just to stop having to do this manually (probably 4 or 5 times a month, with about 150 DC's in the forest).
List info: http://www.activedir.org/List.aspx
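The daily check-and-re-register job Ken describes, as an added PowerShell example (not code from the thread or from any of its participants): it enumerates every DC in the forest, asks the chosen DNS server(s) for each DC's A record, logs OK / MISSING / MISMATCH, and with -Remediate applies the same ipconfig /registerdns fix Ken runs by hand. It assumes the ActiveDirectory module (RSAT) plus Resolve-DnsName and Export-Csv -Append (Windows 8 / Server 2012 or later) on the management host, and PowerShell remoting to the DCs only when -Remediate is used.

```powershell
<#
  Added example, not code from the thread: report every DC whose A record is
  missing from (or wrong on) the given DNS server(s), so the gap is noticed
  before AD replication to that DC starts failing. -Remediate runs the same
  fix Ken applies manually (ipconfig /registerdns) on the affected DCs.
  Assumptions: ActiveDirectory module, Resolve-DnsName, Export-Csv -Append
  (Windows 8 / Server 2012+); remoting to the DCs only for -Remediate.
#>
param(
    # DNS server(s) to check; defaults to the first IPv4 resolver configured locally.
    [string[]]$DnsServer,
    # Run ipconfig /registerdns on every DC whose record is missing or wrong.
    [switch]$Remediate,
    [string]$LogPath = "$env:TEMP\dc-a-record-check.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $DnsServer) {
    $DnsServer = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                  Where-Object { $_.ServerAddresses } |
                  Select-Object -First 1).ServerAddresses
}

# All DCs in every domain of the forest (Ken's forest has ~150 across several domains).
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

$results = foreach ($dc in $dcs) {
    foreach ($srv in $DnsServer) {
        $ips = @()
        try {
            # -Server sends the query straight to that server instead of the local
            # cache; -DnsOnly keeps LLMNR/NetBIOS out of the answer. A name with no
            # records throws under -ErrorAction Stop, so an empty $ips means the
            # server holds no A record for this DC.
            $ips = @(Resolve-DnsName -Name $dc.HostName -Type A -Server $srv -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' } |
                     ForEach-Object { $_.IPAddress })
        } catch { }

        [pscustomobject]@{
            Checked          = Get-Date
            DomainController = $dc.HostName
            ExpectedIP       = $dc.IPv4Address
            DnsServer        = $srv
            ReturnedIPs      = ($ips -join ',')
            Status           = $(if (-not $ips) { 'MISSING' }
                                 elseif ($ips -contains $dc.IPv4Address) { 'OK' }
                                 else { 'MISMATCH' })
        }
    }
}

# Keep a running log so the dates a record disappeared can be lined up with
# scavenging runs and DNS audit events later.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize

if ($Remediate) {
    $broken = $results | Where-Object { $_.Status -ne 'OK' } |
              Select-Object -ExpandProperty DomainController -Unique
    foreach ($name in $broken) {
        Write-Warning "Re-registering DNS records on $name"
        # Ken reports later in the thread that nltest /dsregdns alone did not bring
        # the A record back, so this runs the full client registration instead.
        Invoke-Command -ComputerName $name -ScriptBlock { ipconfig /registerdns | Out-Null }
    }
}
```

Scheduled daily with -Remediate it replaces the manual ipconfig /registerdns runs; without the switch it only logs, which is the safer default while the cause of the deletions is still being tracked down.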
| alpeshshinde (Posts: 49) | 06/16/2012 3:19 AM |
Hi Ken,
I have had the same issue but only for one domain controller. The strange part is that this issue happened to the same DC when it was 2003 and after I upgraded it to 2008 R2 I still had the same problem. Just this one domain controller.
I manually created the host A record of the DC and it would go missing again. This happened 4-5 times and I had auditing enabled. But I couldn't get through the logs and by that time they were overwritten. Since this is a new domain and not yet in full production I am yet to configure event log forwarding to our Splunk Infra to trace the reason of deletion.
However, from last month or so the issue has not occurred. Strange but true. Have you tried manually creating the Host A record? I guess that is the last thing I remember doing for this DC.
And by the way, we have scavenging set the same as your infra.
Regards, Alpesh
| sl (Posts: 114) | 06/16/2012 6:33 AM |
The easiest way to eliminate DNS scavenging as the cause is to register the A record manually.
regards
Slav
| davyp (Posts: 45) | 06/16/2012 4:54 PM |
Can you verify that the "register this interface in DNS" checkbox is checked on the network card of your Domain Controller?
Best regards, DavyP
| kbatkbslpcom (Posts: 216) | 06/19/2012 1:47 PM |
Yes, that checkbox is enabled (to allow it to dynamically register).
I know I can manually add the A record - but I shouldn't need to (and it becomes one more step to perform as part of any DC demotion/metadata cleanup).
I'm leaning towards a once-a-day 'ipconfig /registerdns' - I already have a script running on the DC's that I can add that to...that will resolve the issue, but doesn't solve the "problem".
I'm almost wondering if it is a D-DNS issue...we get a D-DNS error when attempting to do a dynamic PTR registration (PTR zones are configured to prevent dynamic updates...they are SOA'd from a 3rd party IPAM/DNS and that product is authoritative for the PTR zones [it is authoritative for some non-ADI DNS zones that we zone xfer into the MS/DNS environment]). I'm wondering if the PTR update is perhaps occurring 'first', the D-DNS fails, and the D-DNS registration fails to continue. The problem with that scenario is that it works _most_ of the time, for the 150+ DC's in the forest. [fyi...we are looking at upgrading the IPAM product...the latest version is supposed to have much better integration with AD...in years past in testing {including the current version} it is horrific]
I'm confused in that we didn't have this issue with Win2000 DC's - and the basic DNS hierarchy, D-DNS configuration, zone configuration, IPAM product SOA'd for PTR zones, etc, etc - basically haven't changed.
| kbatkbslpcom (Posts: 216) | 06/19/2012 9:45 PM |
Actually, I had already updated the script last year...thinking this would do it...but it doesn't. It does an nltest /dsregdns but apparently that doesn't register the A records (I guess I thought it would) - so now the script also does an 'ipconfig /registerdns'.
The ipconfig /registerdns "fixes" the issue when it occurs (I had one DC's "A" records go away last night - the ipconfig /registerdns brought it back) - so this should "fix" this.
| jeremyts (Posts: 44) | 06/20/2012 2:40 AM |
Hi Ken,
Difficult to tell if the challenges that I'm experiencing with some Win 2008 R2 servers and Win 7 workstations in a new build are the same as yours. I haven't yet got a conclusive answer, but am trialling KB2520155.
You've already confirmed that the "Register this connection's address in DNS" is enabled, which is essential.
I've set up the DNS Servers for Aging (7 days) and Scavenging (7 days). I'm yet to get enough debugging enabled to know if this is an issue.
However, we were having no luck at all with "ipconfig/registerdns". i.e. Some machines don't register at all no matter what we try.
The difference in this build, and a reason why we are trialling KB2520155, is that all clients point to two load balanced VIPs on the F5's for DNS. This then load balances DNS requests to Domain Controllers that are also DNS servers. This is an implementation at a large University. So rather than clients hitting the DNS servers directly, we're letting the F5's take the hit and manage the load. I was trying to be clever, but not sure if this has introduced more problems than it's worth.
From an IPAM point of view, we're using InfoBlox for DHCP, but AD Integrated DNS Zones for DNS...fronted by the F5's.
Cheers, Jeremy.
| danj (Posts: 54) | 06/20/2012 12:12 PM |
Jeremy, run a trace on the client and also on any DC where the F5 could send the request, then see whether the update packet gets through and, if it does, whether you get a 'refused' packet back.
Interested what made you choose to do it this way. If you invested in Infoblox for DHCP, and are concerned about AD DNS performance, why not go Infoblox for DNS too?
Dan Johnson
DJJ Consulting Ltd
| kbatkbslpcom (Posts: 216) | 06/20/2012 1:53 PM |
Jeremy-
Thanks - that scenario from that article could be the issue. It is possible that, of the 3 DNS servers listed, one could be too busy or dropping network packets, and so the system tries to connect to a different DNS server for the registration.
However, I've had the "A" record be gone for a few days at a time - and the system should be trying to re-register the A records at least every 24 hours.
But...I'll have to get that hotfix and see about getting it deployed...we are in the process of upgrading 2 other forests (from 2003 DC's) and that may help resolve similar issues in those forests.
I could see where it could be an issue (primarily) for laptops that roam from wireless AP to AP, that maybe get leases from different DHCP servers serving the same subnet (the 50%/50% setup for active/active DHCP servers for a scope) - if the scopes are configured differently (from a DNS server order perspective) - their A record may disappear if their lease renews.
Ken
-----Original Message----- From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Jeremy Saunders Sent: Tuesday, June 19, 2012 9:39 PM To: activedir@xxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] DC's "A" record missing
Hi Ken,
Difficult to tell if the challenges that I'm experiencing with some Win 2008 R2 servers and Win 7 workstations in a new build is the same as yours. I haven't yet got a conclusive answer, but am trailing KB2520155.
You've already confirmed that the "Register this connection's address in DNS" is enabled, which is essential.
I've setup the DNS Servers for Aging (7 days), and Scavenging (7 days). I'm yet to get enough debugging enabled to know if this is an issue.
However, we were having no luck at all with "ipconfig/registerdns". i.e. Some machines don't register at all no matter what we try.
The difference in this build, and a reason why we are trialling KB2520155, is that all clients point to two load balanced VIPs on the F5's for DNS. This then load balances DNS requests to Domain Controllers that are also DNS servers. This is an implementation at a large University. So rather than clients hitting the DNS servers directly, we're letting the F5's take the hit and manage the load. I was trying to be clever, but not sure if this has introduced more problems than it's worth.
>From an IPAM point of view, we're using InfoBlox for DHCP, but AD Integrated DNS Zones for DNS...fronted by the F5's.
Cheers, Jeremy.
-----Original Message----- From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Brown, Ken F. Sent: Wednesday, 20 June 2012 4:44 AM To: activedir@xxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] DC's "A" record missing
Actually, I had already updated the script last year...thinking this would do it...but it doesn't. It does a nltest /dsregdns but apparently that doesn't register the A records (I guess I thought it would) - so now the script also does a 'ipconfig /registerdns'.
The ipconfig/registerdns "fixes" the issue when it occurs (I had one DC's "A" records go away last night - the ipconfig/registerdns brought it back) - so this should "fix" this.
-----Original Message----- From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Brown, Ken F. Sent: Tuesday, June 19, 2012 8:45 AM To: activedir@xxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] DC's "A" record missing
Yes, that checkbox is enabled (to allow it to dynamically register)
I know I can manually add the A record - but I shouldn't need to (and becomes one more step as part of any dc demotion/meta data cleanup to perform).
I'm leaning towards a once-a-day 'ipconfig /registerdns' - I already have a script running on the DC's that I can add that to...that will resolve the issue, but doesn't solve the "problem" 
I'm almost wondering if it is a D-DNS issue...we get a D-DNS error when attempting to do a dynamic PTR registration (PTR zones are configured to prevent dynamic updates...they are SOA'd from a 3rd party IPAM/DNS and that product is authoritative for the PTR zones [it is authoritative for some non-ADI DNS zones that we zone xfer into the MS/DNS environment]). I'm wondering if the PTR update perhaps occuring 'first', the D-DNS fails, and the D-DNS registration fails to continue. The problem with that scenario is that is works _most_ of the time, for the 150+ DC's in the forest. [fyi...we are looking at upgrading the IPAM product...the latest version is supposed to have much better integration with AD...in years past in testing {including the current version} it is horrific]
I'm confused in that we didn't have this issue with Win2000 DC's - and the basic DNS hierarchy, D-DNS configuration, zone configuration, IPAM product SOA'd for PTR zones, etc, etc - basically haven't changed.
-----Original Message----- From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of davyp@xxxxxxxxxxxxxxxx Sent: Saturday, June 16, 2012 11:51 AM To: activedir@xxxxxxxxxxxxxxxx Subject: Re: [ActiveDir] DC's "A" record missing
Can you verify that the "register this interface in DNS" checkbox is checked on the Network card of your Domain Controller. Best regards, DavyP
----- Oorspronkelijk e-mail ----- Van: "Ken F. Brown" <Ken.Brown@xxxxxxxxxxxxxxxx> Aan: activedir@xxxxxxxxxxxxxxxx Verzonden: Vrijdag 15 juni 2012 22:43:40 Onderwerp: [ActiveDir] DC's "A" record missing
I've been running across a recurring issue with Win2008 - one we didn't have with Win2000 DCs.
Randomly, we have Windows 2008 SP2 DCs' "A" records go "missing". Domain/forest functional level is 2003.
The MS DNS zones (multiple domains) are all AD integrated and are configured for secure updates only, and only my team (domain admins) can administer the DNS servers or zones. (I haven't changed the zones to be replicated to all DNS servers; they replicate within each domain at this point.)
When this is noticed (usually because AD replication fails with the DC with the missing A record) I'll check the netlogon.dns file - and it has the A record (and other SRV records as appropriate). (FYI, I've compared the netlogon.dns before/after restarting Netlogon, and the entries are the same.)
So I'll do either an ipconfig /registerdns or restart Netlogon, the A record re-registers, and all is well.
Scavenging is set to 7 days, 7 days, 2 days (7 days each for no-refresh/refresh, scavenging running every 2 days on the DNS server responsible for scavenging DNS).
At first, I thought it was the DNS server list:
#1 is a single DC/DNS in the domain - all DCs point to this (this is also the one doing the scavenging)
#2 is itself or a DC/DNS in datacenter #1
#3 is a DC/DNS in datacenter #2
At first I thought it was related to #3 being "wrong" (a typo in the IP address, pointing to a non-DC/DNS server, coded into the build script) - but even after I corrected that, DCs still lose their A records.
None of these DCs were "off the network" for 14 days - so they shouldn't have been scavenged because of that.
Any suggestions on where to look?
I'm about to configure a scheduled task to just do an ipconfig /registerdns once a day - just to stop having to do this manually (probably 4 or 5 times a month, with about 150 DCs in the forest).
List info: http://www.activedir.org/List.aspx
| | | |
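A once-a-day ipconfig /registerdns task, as proposed in the quoted post, would mask the problem without recording which DC lost its record and when. The following is an added example (my code, not from anyone in this thread) that does the narrower thing a practitioner usually wants: for each DC in the current domain it reads the A record straight from one specific DNS server (the "#1" server all DCs point at) through the MicrosoftDNS WMI provider, compares it with the addresses the DC itself holds, and only triggers re-registration when the record is missing or wrong, logging each decision. The zone corp.example.com, the server dns1.corp.example.com and the log path are assumed placeholders; it assumes domain-admin rights and RPC/DCOM reachability to the DCs and the DNS server, and uses only 2008-era tooling (no Resolve-DnsName).

```powershell
# Added example, not from the thread. Check each DC's A record on one DNS server and
# re-register only when it is missing or does not match the DC's own addresses.
# Assumed placeholders: zone, DNS server name, log path.
$Zone      = 'corp.example.com'
$DnsServer = 'dns1.corp.example.com'          # the DNS server every DC points at first
$LogFile   = 'C:\Logs\dc-a-record-check.log'  # directory must already exist

function Write-Log([string]$Text) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Text
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# IPv4 addresses the DC itself has. Asking the DC (not DNS) means a missing record cannot hide itself.
# If a DC has NICs that are deliberately not registered in DNS, narrow this filter accordingly.
function Get-DcLocalIPv4 {
    param([string]$Dc)
    Get-WmiObject -ComputerName $Dc -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
}

# A records for the FQDN as held by the chosen DNS server, read from that server's own zone data
# (MicrosoftDNS WMI provider), so no resolver cache or forwarding is involved.
function Get-ARecordOnServer {
    param([string]$Server, [string]$Zone, [string]$Fqdn)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_AType `
        -Filter "ContainerName='$Zone' AND OwnerName='$Fqdn'" |
        ForEach-Object { $_.IPAddress }
}

# Start 'ipconfig /registerdns' on the DC over DCOM. Registration is asynchronous, so the record
# shows up shortly afterwards. Restarting Netlogon instead would also re-register the SRV records.
function Invoke-DcRegisterDns {
    param([string]$Dc)
    $r = Invoke-WmiMethod -ComputerName $Dc -Class Win32_Process -Name Create -ArgumentList 'ipconfig /registerdns'
    if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create on $Dc returned $($r.ReturnValue)" }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $fqdn = $dc.Name
    try {
        $local   = @(Get-DcLocalIPv4 -Dc $fqdn)
        $inDns   = @(Get-ARecordOnServer -Server $DnsServer -Zone $Zone -Fqdn $fqdn)
        $missing = @($local | Where-Object { $inDns -notcontains $_ })

        if ($inDns.Count -eq 0) {
            Write-Log "$fqdn : NO A record on $DnsServer (DC holds $($local -join ',')); re-registering"
            Invoke-DcRegisterDns -Dc $fqdn
        } elseif ($missing.Count -gt 0) {
            Write-Log "$fqdn : A record(s) $($inDns -join ',') do not cover $($missing -join ','); re-registering"
            Invoke-DcRegisterDns -Dc $fqdn
        } else {
            Write-Log "$fqdn : OK ($($inDns -join ','))"
        }
    } catch {
        Write-Log "$fqdn : check failed: $($_.Exception.Message)"
    }
}
```

Run it as a scheduled task from an admin host, once per domain (the zone is per domain, so set $Zone and $DnsServer for each). The log then gives the time each record went missing, which can be lined up against the scavenging server's run schedule and against the directory-change audit events for the zone to tell scavenging apart from a deregistration or a refused update.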
| jeremyts
Posts:44
 | | 06/21/2012 11:01 AM |
| Hi Dan and Ken,
Yep, this is a task I am pushing the operations team to do next week after the current exam period change freeze.
I'm also trying to get them to follow:
- Tracking DNS Record Deletion: http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx
- Cumulative list of reasons that DNS records disappear from DNS zones in Windows Server 2008: http://techyglobal.com/blog1/2011/06/22/cumulative-list-of-reasons-that-dns-records-disappear-from-dns-zones-in-windows-server-2008/
- Windows 2008R2 failing to update DDNS records: http://myitpath.blogspot.com.au/2011/05/windows-2008r2-failing-to-update-ddns.html
I too was disappointed with the initial investment in InfoBlox. They were already using Nixu appliances for DNS, but the Nixu DHCP service (and API functionality) is not great and did not meet our requirements. So after some research, Gartner whitepapers, and discussions with other Universities, they invested in InfoBlox for DHCP, and will revisit for the DNS (rest of the IPAM) solution when they are ready to retire Nixu.
Also, personally I have never designed/implemented an AD using Bind, so was not comfortable hosting the AD zones on the Nixu appliances. And I also didn't think that they needed to be.
The F5's are not there for performance concerns as such. It's more so for giving the University flexibility on where they ultimately host DNS, and it gives us the opportunity to move or take down DCs without affecting client settings, etc.
Cheers, Jeremy.
-----Original Message-----
From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Dan Johnson
Sent: Wednesday, 20 June 2012 7:10 PM
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DC's "A" record missing
Jeremy, run a trace on the client and also on any DC where the F5 could send the request, then see whether the update packet gets through and, if it does, whether you get a 'refused' packet back.
Interested what made you choose to do it this way. If you invested in Infoblox for DHCP, and are concerned about AD DNS performance, why not go Infoblox for DNS too?
Dan Johnson
DJJ Consulting Ltd
________________________________________
From: activedir-owner@xxxxxxxxxxxxxxxx [activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Jeremy Saunders [jeremy@xxxxxxxxxxxxxxxx]
Sent: 20 June 2012 02:39
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DC's "A" record missing
Hi Ken,
Difficult to tell if the challenges that I'm experiencing with some Win 2008 R2 servers and Win 7 workstations in a new build are the same as yours. I haven't yet got a conclusive answer, but am trialling KB2520155.
You've already confirmed that the "Register this connection's address in DNS" is enabled, which is essential.
I've setup the DNS Servers for Aging (7 days), and Scavenging (7 days). I'm yet to get enough debugging enabled to know if this is an issue.
However, we were having no luck at all with "ipconfig /registerdns", i.e. some machines don't register at all no matter what we try.
The difference in this build, and a reason why we are trialling KB2520155, is that all clients point to two load balanced VIPs on the F5's for DNS. This then load balances DNS requests to Domain Controllers that are also DNS servers. This is an implementation at a large University. So rather than clients hitting the DNS servers directly, we're letting the F5's take the hit and manage the load. I was trying to be clever, but not sure if this has introduced more problems than it's worth.
From an IPAM point of view, we're using InfoBlox for DHCP, but AD Integrated DNS Zones for DNS...fronted by the F5's.
Cheers, Jeremy.
List info: http://www.activedir.org/List.aspx
| | | |
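The "Tracking DNS Record Deletion" approach in Jeremy's list rests on Active Directory change auditing, because an AD-integrated zone stores every DNS node as a dnsNode object. As an added example (my code, not from the thread or the linked articles), the following enables that auditing for one zone and then pulls the resulting Security events from the DCs. The zone DN and server names are assumed placeholders; it assumes the ActiveDirectory module (2008 R2 or later) for the AD: drive, and rights to change SACLs and audit policy. One caveat when reading the output: in an AD-integrated zone a scavenged or deleted record is not removed outright. The dnsNode is first marked dNSTombstoned=TRUE (event 5136, an attribute change) and only later physically deleted (event 5141), so 5136 carries the timestamp and the account that did it; if other records remain at the same node, removing just the A record shows as a 5136 on the dnsRecord attribute instead.

```powershell
# Added example, not from the thread. Audit who tombstones or deletes dnsNode objects in one
# AD-integrated zone, then list the events. Assumed placeholders: zone DN and DC names.
Import-Module ActiveDirectory   # provides the AD: drive (2008 R2 or later)

# Zone replicated domain-wide lives under DomainDnsZones; a zone still in the Windows 2000
# storage location is under CN=MicrosoftDNS,CN=System,<domain DN> instead.
$ZoneDn = 'DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com'
$Dcs    = @('dc1.corp.example.com', 'dc2.corp.example.com')   # DC/DNS servers whose Security logs to read

# 1. Audit subcategory on this DC (use the Default Domain Controllers GPO in production).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. SACL on the zone container, inherited to every dnsNode: attribute writes and deletions by anyone.
$acl      = Get-Acl -Path "AD:\$ZoneDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteChild, DeleteTree'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone, $rights,
                [System.Security.AccessControl.AuditFlags]'Success, Failure',
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ZoneDn" -AclObject $acl

# 3. Read back the events. 5136 = object modified (dNSTombstoned or dnsRecord changed),
#    5141 = object deleted. Each DC logs only the writes it processed itself, so query them all.
function Get-DnsNodeChangeEvents {
    param([string[]]$Computer, [string]$ZoneDn, [datetime]$Since = (Get-Date).AddDays(-7))
    foreach ($c in $Computer) {
        Get-WinEvent -ComputerName $c -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5141; StartTime = $Since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($ZoneDn) } |
            ForEach-Object {
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    LoggedOn  = $c
                    Object    = $d['ObjectDN']
                    Attribute = $d['AttributeLDAPDisplayName']   # 'dNSTombstoned' when the node is scavenged/deleted
                    Value     = $d['AttributeValue']
                    Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                }
            }
    }
}

Get-DnsNodeChangeEvents -Computer $Dcs -ZoneDn $ZoneDn | Sort-Object Time | Format-Table -AutoSize
```

The Actor column is the useful part: a tombstone written by the scavenging server's own computer account on the server that runs scavenging points at aging, whereas the affected DC's computer account writing its own node points at a deregistration from the client side, which is where a trace of the update traffic (and any refused responses) belongs.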
| arun
Posts:27
 | | 06/24/2012 10:19 AM |
| Did you recently change the Primary DNS server setting on the DCs? See this KB article - http://support.microsoft.com/kb/2520155; pretty interesting bug, actually.
Regards, Arun
List info: http://www.activedir.org/List.aspx
| | | |
| Caceman
Posts:4
 | | 06/26/2012 8:38 PM |
| I recently had a similar situation. Turns out something had glitched on the DNS server on the domain controller. When I looked at the Interface tab on the server properties, it was set to listen on all IP addresses, but none of the addresses were listed. (See attached screenshot). I added an additional IP address to the NIC and the DNS server properties now showed both IPs. I was then able to remove the additional IP address and the expected IP address remained in the list.
-Andrew
-- Andrew Cace 210-279-9387
| | | |