DNS signature failed to verify error

#1, 23-03-2007, Don

I have two servers, one w/Win Srv SBS Prem Ed 2K3 (Srv 1) and the other Win
Srv Std Ed 2K3 (Srv 2). All updates have been applied. Srv 1 was up and in
production for several months before Srv 2 came on-line.

Srv 1 was installed and config'd with an internal domain (domain.local) and
Srv 2 was joined to the .local domain then dcpromo'd with plans to make Srv 2
a BDC. The dcpromo was uneventful. AD installed on Srv 2 as a result of the
dcpromo and the user accounts replicated. DNS was installed on Srv 2 via
Add/Remove. Both servers are config'd to allow secure updates.

As an aside the Srv 1 does have two NIC's with one pointing to the LAN on
one subnet and the other to the WAN on another subnet. And Srv 2 has one NIC
on the same subnet as Srv 1 LAN NIC. Per a MS KB I have made the primary DNS
on Srv 1 the IP address of Srv 2 and Srv 2's primary DNS the IP address of
Srv 1. With the secondary being their own IP address.

At this time both servers DNS reflect their own and the others A records
however I'm getting a Netlogon error on both servers when they try to perform
a dynamic registration of their respective DNS record on the other server. I
have run DCDiag /test:connectivity /s:dcname and netdiag /test:dns and all
responses are passed. I have stopped and started DNS and the Net Logon
service as indicated in KB's and I have walked the DNS trees on each server
but I have not been able to find the problem. When the Net Logon service is
restarted more errors are listed in the System Log.

The error is Netlogon
Event ID: 5774

The dynamic registration of the DNS record
'97adc2e7-9a51-4006-a405-061daec8f2fd._msdcs.domain.local. 600 IN CNAME
srv1.domain.local.' failed on the following DNS server:

DNS server IP address: 192.168.2.132
Returned Response Code (RCODE): 5
Returned Status Code: 9016

The above IP address is the IP address of Srv 2. Likewise there is a similar
error on Srv 2 when it tries to update Srv 1. Obviously the appropriate info
is changed in the error msg.

Any thoughts on this would be appreciated.
Don

#2, 25-03-2007, Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In news:4C12EDA0-953B-435C-8898-945C1E53F970@microsoft.com,
Don <Don@discussions.microsoft.com> typed:
> I have two servers, one w/Win Srv SBS Prem Ed 2K3 (Srv 1) and the
> other Win Srv Std Ed 2K3 (Srv 2). All updates have been applied. Srv
> 1 was up and in production for several months before Srv 2 came
> on-line.


> The error is Netlogon
> Event ID: 5774
>
> The dynamic registration of the DNS record
> '97adc2e7-9a51-4006-a405-061daec8f2fd._msdcs.domain.local. 600 IN
> CNAME srv1.domain.local.' failed on the following DNS server:
>
> DNS server IP address: 192.168.2.132
> Returned Response Code (RCODE): 5
> Returned Status Code: 9016
>
> The above IP address is the IP address of Srv 2. Likewise there is a
> similar error on Srv 2 when it tries to update Srv 1. Obviously the
> appropriate info is changed in the error msg.
>


Win2k3 did things slightly different from Win2k, on Win2k the _msdcs is a
subdomain and all Netlogon records are located in this sub domain. Win2k3
split the _msdcs off into its own forward lookup zone, _msdcs.domain.local,
where all Domain controllers in the AD Forest register forest level Netlogon
records.

Do both DNS servers have a zone named _msdcs.domain.local, with dynamic
updates allowed?

In the domain.local zone, there should be a delegation named _msdcs, with NS
records for all DNS servers in the forest running on DCs. All DCs in the
Forest should have this _msdcs.domain.local forward lookup zone.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


#3, 28-03-2007, Don

Hey Kevin,

Thanks for your input on this issue.

Both DNS servers have the zone named _msdcs.domain.local with Dynamic
updates and secure only. Also AD Integrated on both servers.

On both servers DNS, in the domain.local zone there is a delegation named
_msdcs with one NS record which refers to srv1.domain.local (SBS). You
indicate that there should be an NS record for both DNS servers on both DNS
servers if I understand you correctly.

I also took note since having to reboot srv2 after a failure by the Symantec
Corp Ed product to open, that there were several DNS errors logged during the
reboot, Event 4015 logged one time followed by several Event 4004. Research
indicates an LDAP issue but I'm unable to see any issues here. This may be
related to my original post or completely unrelated or it could be a timing
issue.

Any other thoughts would be appreciated.
Thanks in advance,
Don

#4, 29-03-2007, Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In news:483FF285-27F9-4FA0-9CE1-91B59913EC52@microsoft.com,
Don <Don@discussions.microsoft.com> typed:
> Hey Kevin,
>
> Thanks for your input on this issue.
>
> Both DNS servers have the zone named _msdcs.domain.local with Dynamic
> updates and secure only. Also AD Integrated on both servers.
>
> On both servers DNS, in the domain.local zone there is a delegation
> named _msdcs with one NS record which refers to srv1.domain.local
> (SBS). You indicate that there should be an NS record for both DNS
> servers on both DNS servers if I understand you correctly.


Yes, there should be an NS record for each DNS server with the
_msdcs.domain.local zone. This zone is or should replicate to all DNS
servers in the AD Forest running on Win2k3 DCs. Because this zone is in the
ForestDNSZones replication partition, it won't replicate to Win2k DCs at
all, Win2k DCs would need a Secondary of the zone, or you would have to move
the zone to the MicrosoftDNS replication partition. In which case, only
Win2k3 DCs that are in the Forest Root Domain would get the zone.


>
> I also took note since having to reboot srv2 after a failure by the
> Symantec Corp Ed product to open, that there were several DNS errors
> logged during the reboot, Event 4015 logged one time followed by
> several Event 4004. Research indicates an LDAP issue but I'm unable
> to see any issues here. This may be related to my original post or
> completely unrelated or it could be a timing issue.


These errors typically only appear when there is only one DC with DNS
installed.
The missing Delegation might be responsible for these errors, but you might
check the Properties of the _msdcs.domain.local zone and make sure they are
configured to "Replicate to all DNS servers in the Active Directory Forest
<domain.local>". If they are not both set this way, change one to standard
Primary to preserve its zone data, then delete the zone on the other DC. Then
open AD Site & Services expand down to, and select NTDS Settings in the left
hand pane, then right click on the server connection and select Replicate
now.
Then change the Standard Primary back to ADI, and replicate to all DNS servers
in the forest. Failing to wait until the zone that is not in the correct
partition is gone from AD, will cause an error that says the zone exists in
two replication partitions.

If you have not already done so, install the server support tools from the
server CD, (CD2 IIRC on SBS) Then get to know and use the DCdiag and Netdiag
command line tools. In your case the dcdiag tool is the one you need, it
will test the delegation and replication partitions.

Use Dcdiag /e /c /v on both DCs.


#5, 29-03-2007, Don

Hey Kevin,

Again thanks for your input on this.

Since DNS on both servers only contains the NS record of the SBS (srv1)
under the delegation _msdcs, what is the solution to getting the missing NS
record corrected?
Remember this is a Win 2K3 environment only.

With regards to the Events 4015 and 4004 I did the homework earlier and yes
the _msdcs.domain.local zone on both DNS's are set to replicate to "All DNS
servers in the Active Directory forest". While the Domain.local zone is set
to "All DNS servers in the Active Directory domain". These were default
settings not settings that I had to adjust.

Notwithstanding, if I make the changes you indicate concerning preserving
the Primary zone and deleting the zone off of the non-SBS DC and then letting
DNS replicate will that correct the issues that are present with things such
as the missing NS record?

Thanks for the DCDiag syntax suggestion. I did run a DCDiag test earlier but
all came back good. I did not however run the syntax you offered. I'll take a
look.

Let me know your thoughts about the zone suggestion above.

Thanks again,
Don



#6, 29-03-2007, Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In news:152BACEE-B323-431E-829E-5F393D402449@microsoft.com,
Don <Don@discussions.microsoft.com> typed:
> Hey Kevin,
>
> Again thanks for your input on this.
>
> Since DNS on both servers only contains the NS record of the SBS
> (srv1)
> under the delegation _msdcs, what is the solution to getting the
> missing NS record corrected?
> Remember this is a Win 2K3 environment only.
>
> With regards to the Events 4015 and 4004 I did the homework earlier
> and yes the _msdcs.domain.local zone on both DNS's are set to
> replicate to "All DNS servers in the Active Directory forest". While
> the Domain.local zone is set to "All DNS servers in the Active
> Directory domain". These were default settings not settings that I had
> to adjust.
>
> Notwithstanding, if I make the changes you indicate concerning
> preserving
> the Primary zone and deleting the zone off of the non-SBS DC and then
> letting DNS replicate will that correct the issues that are present
> with things such as the missing NS record?
>
> Thanks for the DCDiag syntax suggestion. I did run a DCDiag test
> earlier but all came back good. I did not however run the syntax you
> offered. I'll take a look.
>


If you use the switches referred to, dcdiag will test the delegation for
_msdcs, adding the /fix switch, it might fix the missing delegation. You can
fix the delegation manually by double clicking on the NS record, then click
the "Add" button, enter the Fully-qualified name of the missing NS record,
then click resolve, if it does not resolve check that there is an A record
on both DNS servers for the missing NS record. You can also click the
"Browse" button and browse to the A record for the missing DNS server's NS
record.



#7, 31-03-2007, Don

Hey Kevin,

Thanks for the dcdiag syntax. I ran it on both DC's just in case. On the SBS
(srv1) the services ISMSERV was stopped while this same service on the Std Ed
(srv2) was running, so I started it on srv1. The /fix parm did not appear to
correct any issues according to the output results.

Back to the NS record issue.

In our last we discussed the need for there to be a NS record for each DNS
srv. I want to make sure we're on the same page. In the zone
_msdcs.domain.local there are NS records for each DNS srv on both servers.
Under the zone domain.local there is a delegation _msdcs which only has one
NS record and it refers to the SBS (srv1). This is the case on both servers.

If I have understood correctly, there should be an NS record for each DNS
srv under the zone domain.local, delegation _msdcs. Please confirm.

Also with regards to replication, you suggested to make sure that zone
_msdcs.domain.local is configured the "Replicate to all DNS servers in the AD
Forest". Both servers were already set as you indicated.




#8, 31-03-2007, Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In news:746714B5-6FDB-4F5D-82BF-E96E17A4D9BC@microsoft.com,
Don <Don@discussions.microsoft.com> typed:
> Hey Kevin,
>
> Thanks for the dcdiag syntax. I ran it on both DC's just in case. On
> the SBS (srv1) the services ISMSERV was stopped while this same
> service on the Std Ed (srv2) was running, so I started it on srv1.
> The /fix parm did not appear to correct any issues according to the
> output results.
>
> Back to the NS record issue.
>
> In our last we discussed the need for there to be a NS record for
> each DNS srv. I want to make sure we're on the same page. In the zone
> _msdcs.domain.local there are NS records for each DNS srv on both
> servers. Under the zone domain.local there is a delegation _msdcs
> which only has one NS record and it refers to the SBS (srv1). This is
> the case on both servers.
>
> If I have understood correctly, there should be an NS record for each
> DNS
> srv under the zone domain.local, delegation _msdcs. Please confirm.


Yes, add the NS record to the delegation, I'm surprised dcdiag didn't report
it as a broken delegation.


> Also with regards to replication, you suggested to make sure that zone
> _msdcs.domain.local is configured the "Replicate to all DNS servers
> in the AD Forest". Both servers were already set as you indicated.


This is as it should be.


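The check discussed in the posts above (every DNS server listed as an NS record in the _msdcs.domain.local zone should also be an NS record in the _msdcs delegation under domain.local, and each of those names needs an A record) as an added example that is not part of the original thread. The function names, the host name srv2.domain.local and the zone-file-style sample records are assumptions constructed for illustration.

```python
"""Audit the _msdcs delegation against the NS records of the delegated zone."""

def fqdn(name):
    """Normalise a DNS name: lower case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_records(text):
    """Parse 'owner ttl class type rdata' lines into (owner, type, rdata).

    Owners must be fully qualified; blank lines and ';' comments are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields: {line!r}")
        owner, _ttl, _cls, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype in ("NS", "CNAME"):
            rdata = fqdn(rdata)
        records.append((fqdn(owner), rtype, rdata))
    return records


def audit_delegation(parent_zone, parent_records, child_zone, child_records):
    """Compare the parent's delegation NS set with the child zone's own NS set."""
    parent_zone, child_zone = fqdn(parent_zone), fqdn(child_zone)
    delegated = {r for o, t, r in parent_records if o == child_zone and t == "NS"}
    apex = {r for o, t, r in child_records if o == child_zone and t == "NS"}
    hosts_with_a = {o for o, t, _ in parent_records if t == "A"}
    # Only names that live inside the parent zone can be checked for an A record here.
    in_parent = {n for n in apex | delegated if n.endswith("." + parent_zone)}
    return {
        "missing_from_delegation": sorted(apex - delegated),
        "stale_in_delegation": sorted(delegated - apex),
        "ns_without_a": sorted(in_parent - hosts_with_a),
    }


def is_consistent(findings):
    """True when the audit produced no findings at all."""
    return not any(findings.values())


# Constructed sample: domain.local as described in the thread before the fix,
# with a single NS record (srv1) in the _msdcs delegation.
PARENT_ZONE_BEFORE = """
; domain.local (constructed sample; srv2 host name is an assumption)
srv1.domain.local.    3600 IN A  192.168.2.100
srv2.domain.local.    3600 IN A  192.168.2.132
_msdcs.domain.local.  3600 IN NS srv1.domain.local.
"""

# Constructed sample: _msdcs.domain.local with an NS record for each DNS server,
# plus the CNAME quoted in the Netlogon 5774 event.
CHILD_ZONE = """
_msdcs.domain.local.  3600 IN NS srv1.domain.local.
_msdcs.domain.local.  3600 IN NS srv2.domain.local.
97adc2e7-9a51-4006-a405-061daec8f2fd._msdcs.domain.local. 600 IN CNAME srv1.domain.local.
"""

if __name__ == "__main__":
    findings = audit_delegation(
        "domain.local", parse_records(PARENT_ZONE_BEFORE),
        "_msdcs.domain.local", parse_records(CHILD_ZONE),
    )
    for check, names in findings.items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Run it against the records exported from each DNS server in turn; the two servers should produce the same, empty, set of findings.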
#9, 31-03-2007, Don

Hey Kevin,

I added the NS record for the Std Ed srv to the DNS of the SBS srv under
zone domain.local delegation _msdcs. I indicated the FQ name and resolved it
without issue. The record replicated from the SBS to Std Ed DNS. But Netlogon
is still rpting 5774 events.

I noted in the event properties besides dcdiag a recommendation to run
nltest /dsregdns. This was done and it rpt'd successful completion. Again
Netlogon still rpt's 5774 and DNS is still also logging 4004 errors as well.

Mind you, I ran the nltest on both servers and both servers are still rpting
Netlogon and DNS errors.

Thoughts?
Thanks,
Don


#10, 01-04-2007, Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In news:78541D9F-2F21-47F6-AC43-F10E1F7D9E3E@microsoft.com,
Don <Don@discussions.microsoft.com> typed:
> Hey Kevin,
>
> I added the NS record for the Std Ed srv to the DNS of the SBS srv
> under
> zone domain.local delegation _msdcs. I indicated the FQ name and
> resolved it without issue. The record replicated from the SBS to Std
> Ed DNS. But Netlogon is still rpting 5774 events.
>
> I noted in the event properties besides dcdiag a recommendation to run
> nltest /dsregdns. This was done and it rpt'd successful completion.
> Again Netlogon still rpt's 5774 and DNS is still also logging 4004
> errors as well.
>
> Mind you, I ran the nltest on both servers and both servers are still
> rpting Netlogon and DNS errors.
>
> Thoughts?
> Thanks,
> Don


Have I asked for an unedited ipconfig /all yet?
If not, please post one.


#11, 04-04-2007, Don

Hey Kevin,

Here are the unedited versions of the ipconfigs you asked for.

This is for the SBS server

Windows IP Configuration
Host Name . . . . . . . . . . . . : scoo
Primary Dns Suffix . . . . . . . : SmileOO.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : SmileOO.local

Ethernet adapter Server WAN 254.101 Jack 31:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter
(PILA8470B)
Physical Address. . . . . . . . . : 00-E0-81-05-36-A4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.254.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.254.1
DNS Servers . . . . . . . . . . . : 192.168.2.100
Primary WINS Server . . . . . . . : 192.168.2.100
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server LAN 2.100 Jack 30:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter
(PILA8470B) #2
Physical Address. . . . . . . . . : 00-E0-81-05-36-A3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.2.100
192.168.2.132
Primary WINS Server . . . . . . . : 192.168.2.100

This is for the Std Ed server

Windows IP Configuration
Host Name . . . . . . . . . . . . : eagle1
Primary Dns Suffix . . . . . . . : SmileOO.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : SmileOO.local

Ethernet adapter LAN 2.132:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
Physical Address. . . . . . . . . : 00-04-23-D8-00-35
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.132
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.100
DNS Servers . . . . . . . . . . . : 192.168.2.100
192.168.2.132

Hope this helps.
Thanks in advance.
Don


"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:78541D9F-2F21-47F6-AC43-F10E1F7D9E3E@microsoft.com,
> Don <Don@discussions.microsoft.com> typed:
> > Hey Kevin,
> >
> > I added the NS record for the Std Ed srv to the DNS of the SBS srv
> > under
> > zone domain.local delegation _msdcs. I indicated the FQ name and
> > resolved it without issue. The record replicated from the SBS to Std
> > Ed DNS. But Netlogon is still rpting 5774 events.
> >
> > I noted in the event properties besides dcdiag a recommendation to run
> > nltest /dsregdns. This was done and it rpt'd successful completion.
> > Again Netlogon still rpt's 5774 and DNS is still also logging 4004
> > errors as well.
> >
> > Mind you, I ran the nltest on both servers and both servers are still
> > rpting Netlogon and DNS errors.
> >
> > Thoughts?
> > Thanks,
> > Don

>
> Have I asked for an unedited ipconfig /all yet?
> If not, please post one.

  #12  
Old 06-04-2007
Don
 
Posts: n/a
Re: DNS signature failed to verify error

Hey Kevin,

Did I lose ya?

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:78541D9F-2F21-47F6-AC43-F10E1F7D9E3E@microsoft.com,
> Don <Don@discussions.microsoft.com> typed:
> > Hey Kevin,
> >
> > I added the NS record for the Std Ed srv to the DNS of the SBS srv
> > under
> > zone domain.local delegation _msdcs. I indicated the FQ name and
> > resolved it without issue. The record replicated from the SBS to Std
> > Ed DNS. But Netlogon is still rpting 5774 events.
> >
> > I noted in the event properties besides dcdiag a recommendation to run
> > nltest /dsregdns. This was done and it rpt'd successful completion.
> > Again Netlogon still rpt's 5774 and DNS is still also logging 4004
> > errors as well.
> >
> > Mind you, I ran the nltest on both servers and both servers are still
> > rpting Netlogon and DNS errors.
> >
> > Thoughts?
> > Thanks,
> > Don

>
> Have I asked for an unedited ipconfig /all yet?
> If not, please post one.

  #13  
Old 08-04-2007
Kevin D. Goodknecht Sr. [MVP]
 
Posts: n/a
Re: DNS signature failed to verify error

Read inline please.

In news:DFFC32DD-9E75-45E0-B320-20EC078BDF71@microsoft.com,
Don <Don@discussions.microsoft.com> typed:
> Hey Kevin,
>
> Did I lose ya?


No, but I did get side-tracked for a couple of days. I'm sorry for not
getting back sooner; I've had a couple of really long days in a row.

If you haven't already, install the server support tools from the CDs, or
download the latest versions from Microsoft and try netdiag /fix /v on both
servers.

If it makes the DNS registration fix, force a replication and see if it
clears the errors. If not, use netdiag /test:dns /debug to see what records
on which servers are missing. Post the entire DNS test if it doesn't.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps


  #14  
Old 10-04-2007
Don
 
Posts: n/a
Re: DNS signature failed to verify error

Hey Kevin,

Thanks for getting back. No need to be sorry. Your help is appreciated. I
know all about the long days as anyone who has worked in this industry will
eventually experience many times over.

I'll check out your suggestions and get back to you.

Thanks again,
Don

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:DFFC32DD-9E75-45E0-B320-20EC078BDF71@microsoft.com,
> Don <Don@discussions.microsoft.com> typed:
> > Hey Kevin,
> >
> > Did I lose ya?

>
> No, but I did get side-tracked for a couple of days. I'm sorry for not
> getting back sooner; I've had a couple of really long days in a row.
>
> If you haven't already, install the server support tools from the CDs, or
> download the latest versions from Microsoft and try netdiag /fix /v on both
> servers.
>
> If it makes the DNS registration fix, force a replication and see if it
> clears the errors. If not, use netdiag /test:dns /debug to see what records
> on which servers are missing. Post the entire DNS test if it doesn't.

  #15  
Old 13-04-2007
Don
 
Posts: n/a
Re: DNS signature failed to verify error

Hey Kevin,

Sorry to rpt the error still exists. I attempted to post the debug rpts here
but they are too long to post.

Thoughts?
Don

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:DFFC32DD-9E75-45E0-B320-20EC078BDF71@microsoft.com,
> Don <Don@discussions.microsoft.com> typed:
> > Hey Kevin,
> >
> > Did I lose ya?

>
> No, but I did get side-tracked for a couple of days. I'm sorry for not
> getting back sooner; I've had a couple of really long days in a row.
>
> If you haven't already, install the server support tools from the CDs, or
> download the latest versions from Microsoft and try netdiag /fix /v on both
> servers.
>
> If it makes the DNS registration fix, force a replication and see if it
> clears the errors. If not, use netdiag /test:dns /debug to see what records
> on which servers are missing. Post the entire DNS test if it doesn't.
