I ask this question because I ran it against my PDCe from my
workstation, and also "dciag /test:dns" on the PDCe itself.
I got a pass from dcdiag, but dnslint gives me the following, and I
don't see what's missing, based on the snippet below. We've got a
single domain forest, and there is an msdcs zone at the root, with a
delegated _msdcs zone underneath example.com - it has only the PDCe
(usdc01p) in it.
All DCs are 2012 R2, and the FFL/DFL is 2008 R2.
Alias (CNAME) and glue (A) records for forest GUIDs from server:
Total number of CNAME records found on this server: 4
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 4
Glue (A) records are missing for the following CNAME records:
At least one glue (A) record for an AD forest CNAME record could not be found
Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx
Is dnslint still a preferred diagnostic too?
- 275 Views
- Last Post 25 March 2016
Sorry - should have noted the incantation I used for DNSLint:
dnslint /ad 192.168.10.13 /s 192.168.10.13 /v
"Glue" DNS records are what's needed to generally help a DNS client (resolver) find the right authority for a given DNS zone.
In your example below, you have 4 DCs (which in this context are DNS servers) hosting the DNS zone example.com. Those DCs are authoritative for example.com, which means they are the authority on where to go to resolve anything under example.com. But unless you happen to already be using those DCs as your DNS server, you have no reason to believe them unless you make changes elsewhere. For any general DNS client, their authority comes from the com zone. Which is where the glue records enter in. The com zone needs at least one DNS record pointing at one of your DCs in order for DNS clients to know who to consult about .example.com lookups. That is the glue record--the one record about example.com for which the example.com DNS servers can not directly be the authority for themselves. Ideally you'd have all four records in place so you don't have a single point of failure. Without at least one of those glue records in the com zone, general DNS clients do not know where to go to find the authority on the example.com zone. The exception are clients who are explicitly configured to use one of your 4 DCs as their DNS server. They don't need any DNS referrals to find the authority on example.com. Microsoft DNS servers will automatically create glue records if the parent zone is also hosted by a DNS server for which they are authorized to make a DDNS change. But that feature has limited usefulness because eventually you run into a DNS parent zone above you for which your Microsoft DNS servers can not make a DDNS change.
It's been a long time since I used dnslint, so I can't answer your question, but hopefully this indirect explanation is useful.