It starts with DNS...

  • 670 Views
  • Last Post 21 September 2015
kurtbuff posted this 15 September 2015

All,

I'm looking for a way forward with my troubleshooting. I outline the
problems I'm seeing below, but I'll ask my questions up front:
o- Can/should I just delete the extraneous msdcs zone, and will that
fix some/all of the problems I'm seeing?
o- If no on the first count, how should I proceed?
o- If no on the second count, what else should I be looking at?

Thanks,

Kurt

I've been noticing errors in the DNS event log, which I started
investigating after some firewall and other anomalies. What I'm seeing
are 4010 and 4015 errors.

4010 (DNS-Server-Service) unable to create resource record for
6801a104-1998-42ac-adc0-6c5054859430.
msdcs.example.com.
in zone example.com. The Active Directory definition of this
resource record is corrupt or contains an invalid DNS name.

4015 (DNS-Server-Service) The DNS server has encountered
a critical error from the Active Directory. Check that the Active
Directory is functioning properly.

I'm also seeing an extraneous and grayed-out _msdcs zone underneath
the forward zone for example.com. This extra zone has only a single
record in it, for the DC that's currently holding all of the FSMO
roles.

We have three offices, the US office (one 2008R2 DC, one 2012R2 DC),
and the overseas offices (each with a single 2008R2 DC), and have a
single forest, single domain environment.

We recently (within the past 4 months) elevated our FFL/DFL 2003
Native to 2008R2. What I was not aware of at the time was that prior
to this the _msdcs zone was only under the domain zone, and was not
out at the forest root. The other admin manually created the _msdcs
zone at the forest root - it's likely he didn't follow good procedure
for this.

I've run 'dcdiag /e /c /f:c:\temp\diag.txt' on the DC with all of the
FSMO roles on it (it's USDC5, a 2008R2 machine) and have that
available in toto if required - I've sanitized it to change the domain
name, but have not changed internal IP addresses, etc. There are some
errors in it, but I didn't want to clog the list with the entire
output. However, the errors below concern me:

I see this for all of the DCs, and I can't make sense of the KB
article after looking it over:
[1] Problem: Missing Expected Value
Base Object: CN=USDC5,OU=Domain Controllers,DC=example,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

The rest of these errors are scattered throughout the log file:
LDAP Error 0x20 (32) - No Such Object.
......................... USDC5 failed test VerifyEnterpriseReferences

LDAP Error 0x20 (32) - No Such Object.
......................... AUDC01P failed test
VerifyEnterpriseReferences

Starting test: FrsEvent
The event log File Replication Service on server
UKDC01p.example.com could not be queried, error 0x6ba
"The RPC server is unavailable."
......................... UKDC01P failed test FrsEvent

Starting test: KccEvent
The event log Directory Service on server UKDC01p.example.com
could not be queried, error 0x6ba
"The RPC server is unavailable."
......................... UKDC01P failed test KccEvent

Starting test: SystemLog
The event log System on server UKDC01p.example.com could not
be queried, error 0x6ba
"The RPC server is unavailable."
......................... UKDC01P failed test SystemLog

LDAP Error 0x20 (32) - No Such Object.
......................... UKDC01P failed test
VerifyEnterpriseReferences

LDAP Error 0x20 (32) - No Such Object.
......................... USDC01P failed test
VerifyEnterpriseReferences

show

Order By: Standard | Newest | Votes
jeremyts posted this 16 September 2015

Hi Kurt,

Use the following article to create/review the independent Active Directory integrated Forest Root zone: http://itcalls.blogspot.com.au/2011/11/active-directory-integrated-dns-zone.html. It is a known issue for Active Directory Forests built before Windows Server 2003 SP1 that the Forest Root Zone could be missing. Whomever created it, may have not followed all the steps as mentioned. The instructions in this article work perfectly if followed!

One of the other issues I see a lot is that the msdcs zone is not set to replicate at the forest level, which means that it's in the DomainDNSZones partition instead of the ForestDNSZones partition.

The other thing you may find is that you'll have the old GUID records, such as 6801a104-1998-42ac-adc0-6c5054859430.
msdcs.example.com, still located in the main FQDN zone (example.com), which causes some errors when the Netlogon service is starts on Domain Controllers. We fix this using Use ADSIEdit.msc

Connect to the DC=ForestDNSZones,DC=example,DC=com
Expand CD=MicrosoftDNS
Expand DC=msdcs.example.com
Verify that a GUID for each Domain Controller exists here. Right click on each one and select Properties. Select the Security tab and voila, the name of the Domain Controller will be there.

Connect to the DC=DomainDNSZones,DC=example,DC=com
Expand CD=MicrosoftDNS
Expand DC=example.com
Look for all the DC=6801a104-1998-42ac-adc0-6c5054859430.
msdcs.example.com type records and delete them ONLY if you've first verified that they are in the ForestDNSZones location.

A final task would be to verify that the Infrastructure Master for the DomainDNSZones and ForestDNSZones partitions are valid as per the following article: http://blogs.msmvps.com/ulfbsimonweidner/2008/07/31/how-many-infrastructure-masters-do-you-have/

These are remediation tasks I've had to do for many customers.

Cheers,
Jeremy

show

kurtbuff posted this 16 September 2015

Thank you very much for the references. I will study them intently
over the next couple of days, and post back to the list.

Kurt

show

kurtbuff posted this 16 September 2015

Comments and questions in line...

show

kurtbuff posted this 17 September 2015

A correction, a progress report, and a couple more questions...

The correction:
o- The references to USDC4 as Infrastructure Master lead me to
look at my notes again. USDC4 was not cleanly demoted. It freaked
out in some fashion I don't understand (about a year ago), so I nuked
it and performed a metadata cleanup, which looked successful. I don't
know if that makes any difference to this problem/discussion.

The progress:
o- I changed replication on msdcs to forest replication, rather
than domain. Nearly instantly, _msdcs.zetron.com in ADSIEdit moved
from DC=DomainDNSZones,dc=example,dc=com to
DC=ForestDNSZones,dc=example,dc=com. Very nice.

o- In the root-level _msdcs in the DNS console, I do see the
GUIDs listed as CNAMEs for the DCs. Is that expected/correct?

o- In ADSIEdit, under DC=DomainDNSZones,dc=example,dc=com, under
CN=MicrosoftDNS, there are no GUIDs. All I see are what look to be the
reverse zones (*.in-addr.arpa), and something odd called
DC=..InProgress-448EE3E41985B7B6-example.com.

That leads me to my next set of questions:
o- DC=..InProgress-448EE3E41985B7B6-zetron.com shows lots and
lots of dead machine accounts (like DC=andyr, including entries for
old NT4 DCs(!)), along with LDAP and Kerberos things I don't
recognize, such as "DC=
gc.tcp",
"DC=
gc.tcp.default-first-site-name.sites",
"DC=gc.tcp.default-first-site-name.sites.ssgtest" (where ssgtest
was a really old machine that's long dead),
"DC=0f2b65b4-83a4-4c64-91da-f0a058ec2fec.
msdcs" and things like that.
What is all that stuff, and should I leave it alone or delete it? (I
think I just answered my own question:
http://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/)

o- Similarly under ADSIEdit, I see under DomainDNSZones a container
called DC=RootDNSServers - should that be there, or under
ForestDNSZones?

Kurt

show

kurtbuff posted this 18 September 2015

Jeremy,

I believe I've walked through all of this, though I did a bunch of
STFW for further explanations and elaborations. Things look much
cleaner now, and name resolution seems snappier (but I don't have hard
data on that.) Thanks very much for your pointers on this.

However, I'm still seeing 4010 errors, though I've cleaned up the IM
FSMO roles for the DomainDNSZones and ForestDNSZones application
partitions, and verified that the owner has replicated to all 4 DCs -
it's the same 2008R2 DC that holds all of the other FSMO roles. I saw
the 4010s emitted on each DC during the restart of its own DNS
service. The 4010 error states:

unable to create a resource record for
23668d50-8f0b-4807-b984-4806e74e7425.msdcs.example.com. in zone
example.com. The Active Directory definition of this resource record
is corrupt or contains an invalid DNS name.

There is an event log entry for each of my 2008R2 DCs - but there
isn't one for my 20102R2 DC.

Additionally, on my 2012R2 DC I saw a single instance of a warning in
the event log (5781/Netlogon) that was coincident with restarting the
DNS Server service on that machine - but it's only happened once, and
not again when restarting the DNS Server service, which I've done
twice more. I'm willing to believe it's transient, but wanted to
mention it for sake of completeness.

Log Name: System
Source: NETLOGON
Date: 2015-09-18 3:13:52 PM
Event ID: 5781
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: zUSDC01p.zetron.com
Description:
Dynamic registration or deletion of one or more DNS records associated
with DNS domain 'zetron.com.' failed. These records are used by other
computers to locate this server as a domain controller (if the
specified domain is an Active Directory domain) or as an LDAP server
(if the specified domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer
contain wrong IP address(es) of the preferred and alternate DNS
servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone
authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate
registration or deletion of the DNS records by running 'nltest.exe
/dsregdns' from the command prompt on the domain controller or by
restarting Net Logon service on the domain controller.

show

kurtbuff posted this 21 September 2015

In the DNS event log, I'm still seeing 4010s for DNS when restarting
the DNS Server service, and additionally I see a 4013 upon reboot of
the DC, along with a 5781/Netlogon on reboot sometimes.

I see the GUIDs mentioned in the 4010s as aliases (CNAMEs) in DNS
under the root msdcs, but not under _msdcs.example.com. In ADSIEdit,
I see the GUIDs under the
DC=ForestDNSZones,dc=example,dc=com\CN=MicrosoftDNS, in
DC=
msdcs,example.com.

The only thing that exists in
DC=DomainDNSZones,DC=example,dc=com\CN=MicrosoftDNS is an empty
DC=RootDNSServers.

Should I delete the GUIDs from the 4010s in the DNS GUI, or in
ADSIEdit in ForestDNSZones under msdcs.example.com - or both, or
neither?

Kurt

show

Close