Always need to re-register DC DNS entry!

itman · 11-02-2008

For the past months I have found that our domain controllers "lose" their DNS
registrations with each other regularly. It has not had a sever impact as
clients have no issues communicating with DCs or DNS servers. Running a
dcdiag will always result in full successes, however, a netdiag /q will
result in the following (on most, if not all domain controllers in the
enterprise):

C:\>netdiag /q
..........................................

Computer Name: DC1
DNS Host Name: DC1.company.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :
KB911564
KB921503
KB924667-v2
KB925398_WMP64
KB925902
KB926122
KB927891
KB929123
KB930178
KB931768
KB931784
KB932168
KB933566
KB933729
KB933854
KB935839
KB935840
KB935966
KB936021
KB936357
KB936782
KB937143
KB938127
KB939653
KB941202
KB941568
KB941644
KB941672
KB942615
KB943460
KB943485
Q147222

Per interface results:

Adapter : Local Area Connection

Host Name. . . . . . . . . : DC1
IP Address . . . . . . . . : 192.168.0.252
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.249
Primary WINS Server. . . . : 192.168.0.252
Secondary WINS Server. . . : 192.168.1.251
Dns Servers. . . . . . . . : 192.168.0.252

Global results:

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.0.252'
.. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

IP Security test . . . . . . . . . : Skipped

The command completed successfully

The problem is resolved after issuing "netdiag /fix". Any ideas why this
happens every couple of days? Is it related to DNS scavenging? Our domain
controllers and DNS servers will have static entries in DNS so I can't see
DNS scavenging affecting this.

Any help appreciated.

Meinolf Weber · 12-02-2008

Hello itman,

If i see your ipconfig the secondary WINS is from a different subnet which
you can not reach from your subnet. Why this configuration?

Also you talk about DOMAIN CONTROLLERS, so is DC1 the only DNS server and
how are the others located and setup?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> For the past months I have found that our domain controllers "lose"
> their DNS registrations with each other regularly. It has not had a
> sever impact as clients have no issues communicating with DCs or DNS
> servers. Running a dcdiag will always result in full successes,
> however, a netdiag /q will result in the following (on most, if not
> all domain controllers in the enterprise):
>
> C:\>netdiag /q
> .........................................
> Computer Name: DC1
> DNS Host Name: DC1.company.com
> System info : Windows 2000 Server (Build 3790)
> Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
> List of installed hotfixes :
> KB911564
> KB921503
> KB924667-v2
> KB925398_WMP64
> KB925902
> KB926122
> KB927891
> KB929123
> KB930178
> KB931768
> KB931784
> KB932168
> KB933566
> KB933729
> KB933854
> KB935839
> KB935840
> KB935966
> KB936021
> KB936357
> KB936782
> KB937143
> KB938127
> KB939653
> KB941202
> KB941568
> KB941644
> KB941672
> KB942615
> KB943460
> KB943485
> Q147222
> Per interface results:
>
> Adapter : Local Area Connection
>
> Host Name. . . . . . . . . : DC1
> IP Address . . . . . . . . : 192.168.0.252
> Subnet Mask. . . . . . . . : 255.255.255.0
> Default Gateway. . . . . . : 192.168.0.249
> Primary WINS Server. . . . : 192.168.0.252
> Secondary WINS Server. . . : 192.168.1.251
> Dns Servers. . . . . . . . : 192.168.0.252
> Global results:
>
> DNS test . . . . . . . . . . . . . : Failed
> [WARNING] The DNS entries for this DC are not registered correctly
> on
> DNS server '192.168.0.252'
> . Please wait for 30 minutes for DNS server replication.
> [FATAL] No DNS servers have the DNS records for this DC
> registered.
> IP Security test . . . . . . . . . : Skipped
>
> The command completed successfully
>
> The problem is resolved after issuing "netdiag /fix". Any ideas why
> this happens every couple of days? Is it related to DNS scavenging?
> Our domain controllers and DNS servers will have static entries in DNS
> so I can't see DNS scavenging affecting this.
>
> Any help appreciated.
>

itman · 12-02-2008

This is my scenario:

..4 x offices in different cities.
..each office has its own subnet which is an AD site.
..each office has one domain controller which also functions as a WINS and
DNS server.
..the server in the "head office" is set up as the secondary DNS and WINS
server for every client and server.
..the domain controller in the "head office" has a secondary DNS and WINS
server as a server in another site.

Also, 9/10 client computers are mobile computers and will log in to any site
on any day. Therefore, the DHCP leases are short (less than 24 hours) and DNS
scavenging is set to run every day to ensure that DNS records are accurate.

If you think any part of this setup is a problem, please advise. All help,
comments and suggestions are appreciated.

-------------------------

"Meinolf Weber" wrote:

> Hello itman,
>
> If i see your ipconfig the secondary WINS is from a different subnet which
> you can not reach from your subnet. Why this configuration?
>
> Also you talk about DOMAIN CONTROLLERS, so is DC1 the only DNS server and
> how are the others located and setup?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > For the past months I have found that our domain controllers "lose"
> > their DNS registrations with each other regularly. It has not had a
> > sever impact as clients have no issues communicating with DCs or DNS
> > servers. Running a dcdiag will always result in full successes,
> > however, a netdiag /q will result in the following (on most, if not
> > all domain controllers in the enterprise):
> >
> > C:\>netdiag /q
> > .........................................
> > Computer Name: DC1
> > DNS Host Name: DC1.company.com
> > System info : Windows 2000 Server (Build 3790)
> > Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
> > List of installed hotfixes :
> > KB911564
> > KB921503
> > KB924667-v2
> > KB925398_WMP64
> > KB925902
> > KB926122
> > KB927891
> > KB929123
> > KB930178
> > KB931768
> > KB931784
> > KB932168
> > KB933566
> > KB933729
> > KB933854
> > KB935839
> > KB935840
> > KB935966
> > KB936021
> > KB936357
> > KB936782
> > KB937143
> > KB938127
> > KB939653
> > KB941202
> > KB941568
> > KB941644
> > KB941672
> > KB942615
> > KB943460
> > KB943485
> > Q147222
> > Per interface results:
> >
> > Adapter : Local Area Connection
> >
> > Host Name. . . . . . . . . : DC1
> > IP Address . . . . . . . . : 192.168.0.252
> > Subnet Mask. . . . . . . . : 255.255.255.0
> > Default Gateway. . . . . . : 192.168.0.249
> > Primary WINS Server. . . . : 192.168.0.252
> > Secondary WINS Server. . . : 192.168.1.251
> > Dns Servers. . . . . . . . : 192.168.0.252
> > Global results:
> >
> > DNS test . . . . . . . . . . . . . : Failed
> > [WARNING] The DNS entries for this DC are not registered correctly
> > on
> > DNS server '192.168.0.252'
> > . Please wait for 30 minutes for DNS server replication.
> > [FATAL] No DNS servers have the DNS records for this DC
> > registered.
> > IP Security test . . . . . . . . . : Skipped
> >
> > The command completed successfully
> >
> > The problem is resolved after issuing "netdiag /fix". Any ideas why
> > this happens every couple of days? Is it related to DNS scavenging?
> > Our domain controllers and DNS servers will have static entries in DNS
> > so I can't see DNS scavenging affecting this.
> >
> > Any help appreciated.
> >
>
>
>

Kevin D. Goodknecht Sr. [MVP] · 12-02-2008

Read inline please.

In news:[email protected],
itman <[email protected]> typed:
> This is my scenario:
>
> .4 x offices in different cities.
> .each office has its own subnet which is an AD site.
> .each office has one domain controller which also functions as a WINS
> and
> DNS server.
> .the server in the "head office" is set up as the secondary DNS and
> WINS server for every client and server.
> .the domain controller in the "head office" has a secondary DNS and
> WINS server as a server in another site.
>
> Also, 9/10 client computers are mobile computers and will log in to
> any site on any day. Therefore, the DHCP leases are short (less than
> 24 hours) and DNS scavenging is set to run every day to ensure that
> DNS records are accurate.
>
> If you think any part of this setup is a problem, please advise. All
> help, comments and suggestions are appreciated.

IF the DC at the main site is a WINS server itself, do not use a Secondary
WINS address. WINS servers have different rules from DNS servers, WINS
servers must point only to themselves for WINS, this prevents another WINS
server from taking ownership of its records.
DNS servers can point to themselves, and another DNS server that holds its
zone. this is especially true for ADI zones, it makes sure each DC has its
records registered in all DNS servers. In Win2k DCs, this prevents a DNS
server from becoming an island, where it may cause DNS replication to break
and its records are only registered in itself.

Your issue, seems to be that one or more DNS servers have scavenging enabled
at to short of a time period on the zone.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

itman · 14-02-2008

Thank you for your comments. Could you elaborate further on "too short of a
time" with reference to DNS scavenging? Is there a minimum time to set for
scavenging before it goes "wrong"? It is important for us to get this right.
Since implementing scavenging (on one DNS server) we have had a much better
success rate at managing client machines as the DNS/IP records are kept
up-to-date. Without scavenging and with client computers moving from one site
to another (one subnet to another) within the same day makes client computer
administration very difficult. I still cannot see how or why scavenging
should affect domain controllers in this way. All DCs have static DNS entries
and should not be affected by scavenging, right?

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:[email protected],
> itman <[email protected]> typed:
> > This is my scenario:
> >
> > .4 x offices in different cities.
> > .each office has its own subnet which is an AD site.
> > .each office has one domain controller which also functions as a WINS
> > and
> > DNS server.
> > .the server in the "head office" is set up as the secondary DNS and
> > WINS server for every client and server.
> > .the domain controller in the "head office" has a secondary DNS and
> > WINS server as a server in another site.
> >
> > Also, 9/10 client computers are mobile computers and will log in to
> > any site on any day. Therefore, the DHCP leases are short (less than
> > 24 hours) and DNS scavenging is set to run every day to ensure that
> > DNS records are accurate.
> >
> > If you think any part of this setup is a problem, please advise. All
> > help, comments and suggestions are appreciated.
>
>
> IF the DC at the main site is a WINS server itself, do not use a Secondary
> WINS address. WINS servers have different rules from DNS servers, WINS
> servers must point only to themselves for WINS, this prevents another WINS
> server from taking ownership of its records.
> DNS servers can point to themselves, and another DNS server that holds its
> zone. this is especially true for ADI zones, it makes sure each DC has its
> records registered in all DNS servers. In Win2k DCs, this prevents a DNS
> server from becoming an island, where it may cause DNS replication to break
> and its records are only registered in itself.
>
> Your issue, seems to be that one or more DNS servers have scavenging enabled
> at to short of a time period on the zone.
>
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
>
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> http://message.wftx.us/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Kevin D. Goodknecht Sr. [MVP] · 14-02-2008

Read inline please.

In news:[email protected],
itman <[email protected]> typed:
> Thank you for your comments. Could you elaborate further on "too
> short of a time" with reference to DNS scavenging?

Scavenging time must be longer than registration refresh interval.

The registry value below can be found in this KB:
How to configure DNS dynamic updates in Windows Server 2003
http://support.microsoft.com/kb/816592/en-us

By default, Windows XP and Windows Server 2003 reregister their A and PTR
resource records every 24 hours regardless of the computer's role. To change
this time, add the DefaultRegistrationRefreshInterval registry entry under
the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

All netlogon records are registered every hour.

> Is there a minimum
> time to set for scavenging before it goes "wrong"?

You would not want to set scavenging to less than the DHCP lease time, or
the DNS registration time.

> It is important
> for us to get this right. Since implementing scavenging (on one DNS
> server) we have had a much better success rate at managing client
> machines as the DNS/IP records are kept up-to-date. Without
> scavenging and with client computers moving from one site to another
> (one subnet to another) within the same day makes client computer
> administration very difficult. I still cannot see how or why
> scavenging should affect domain controllers in this way. All DCs have
> static DNS entries and should not be affected by scavenging, right?

The IP addresses should be static, but the DHCP client service is
responsible for all TCPIP DNS registrations, so that service must be running
at all times, even on clients with static addresses. If you manually create
the records, make sure you did not set the record to be deleted when it
becomes stale. Also, on DNS servers, the IP address record with the server's
name is set by the listener address on the interfaces tab in the DNS
management console.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

itman · 03-03-2008

Thanks for this. I had not realised that static IP clients and servers
registered their resource records every 24 hours. The DHCP leases and
scavenging settings were amended to allow for at least 24 hours to pass to
ensure that resource record registration was not disturbed. The issue seems
to have stopped occurring which suggests that the issue WAS with DNS
scavenging settings!

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:[email protected],
> itman <[email protected]> typed:
> > Thank you for your comments. Could you elaborate further on "too
> > short of a time" with reference to DNS scavenging?
>
> Scavenging time must be longer than registration refresh interval.
>
> The registry value below can be found in this KB:
> How to configure DNS dynamic updates in Windows Server 2003
> http://support.microsoft.com/kb/816592/en-us
>
> By default, Windows XP and Windows Server 2003 reregister their A and PTR
> resource records every 24 hours regardless of the computer's role. To change
> this time, add the DefaultRegistrationRefreshInterval registry entry under
> the following registry subkey:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
>
> All netlogon records are registered every hour.
>
> > Is there a minimum
> > time to set for scavenging before it goes "wrong"?
>
> You would not want to set scavenging to less than the DHCP lease time, or
> the DNS registration time.
>
> > It is important
> > for us to get this right. Since implementing scavenging (on one DNS
> > server) we have had a much better success rate at managing client
> > machines as the DNS/IP records are kept up-to-date. Without
> > scavenging and with client computers moving from one site to another
> > (one subnet to another) within the same day makes client computer
> > administration very difficult. I still cannot see how or why
> > scavenging should affect domain controllers in this way. All DCs have
> > static DNS entries and should not be affected by scavenging, right?
>
> The IP addresses should be static, but the DHCP client service is
> responsible for all TCPIP DNS registrations, so that service must be running
> at all times, even on clients with static addresses. If you manually create
> the records, make sure you did not set the record to be deleted when it
> becomes stale. Also, on DNS servers, the IP address record with the server's
> name is set by the listener address on the interfaces tab in the DNS
> management console.
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
>
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> http://message.wftx.us/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>