dcdiag.exe /test:DNS > Delegation is broken for the domain

[hugoelopezp@gmail.com]

hi guys! (windows 2003+3 DCs+1domain+DNS Integrated zone)

After every restart, all of my DCs are deadly slow to show up the
domain and allow users to logon. Giving a look at the events, i found
that the DNS service is delaying 22 minutes to get started. That made
me try dcdiag.exe /test:DNS and got the following weird error message:

DNS server: 192.168.12.5 (dc1.mydomain.com.)
1 test failure on this DNS server
Delegation is broken for the domain
mydomain.com.MYDOMAIN.COM. on the DNS server 192.168.12.5

DNS server: 192.168.2.6 (dc2.mydomain.com.)
1 test failure on this DNS server
Delegation is broken for the domain
mydomain.com.MYDOMAIN.COM. on the DNS server 192.168.2.6

DNS server: 192.168.21.110 (dc3.mydomain.com.)
1 test failure on this DNS server
Delegation is broken for the domain
mydomain.com.MYDOMAIN.COM. on the DNS server 192.168.21.110

Any clue about this? This "mydomain.com.MYDOMAIN.COM" seems quite
weird to me.

Thanks beforehand!

[Kevin D. Goodknecht Sr. [MVP]]

Read inline please.

In news:1183141459.884949.97070@o61g2000hsh.googlegroups.com,
hugoelopezp@gmail.com <hugoelopezp@gmail.com> typed:
> hi guys! (windows 2003+3 DCs+1domain+DNS Integrated zone)
>
> After every restart, all of my DCs are deadly slow to show up the
> domain and allow users to logon. Giving a look at the events, i found
> that the DNS service is delaying 22 minutes to get started. That made
> me try dcdiag.exe /test:DNS and got the following weird error message:
>
> DNS server: 192.168.12.5 (dc1.mydomain.com.)
> 1 test failure on this DNS server
> Delegation is broken for the domain
> mydomain.com.MYDOMAIN.COM. on the DNS server 192.168.12.5
>
> DNS server: 192.168.2.6 (dc2.mydomain.com.)
> 1 test failure on this DNS server
> Delegation is broken for the domain
> mydomain.com.MYDOMAIN.COM. on the DNS server 192.168.2.6
>
> DNS server: 192.168.21.110 (dc3.mydomain.com.)
> 1 test failure on this DNS server
> Delegation is broken for the domain
> mydomain.com.MYDOMAIN.COM. on the DNS server 192.168.21.110
>
> Any clue about this? This "mydomain.com.MYDOMAIN.COM" seems quite
> weird to me.
>
> Thanks beforehand!

Something is obviously missing, to properly diagnose this problem, we'll
need to see this information:

1. Ipconfig /all from your DCs (unedited).
2. Active Directory domain name from AD Users & Computers.
3. List of forward lookup zones in your local DNS server.

These three pieces of information usually tell us the most common causes of
your errors.
If you want to try to fix it yourself, here is what you need to look at:

Your ipconfig /all should have a Primary DNS suffix that matches exactly
your Active Directory Domain name, and your Forward Lookup zone in DNS.
DNS should also have one additional Forward Lookup zone named
_msdcs.<ADDNSName>.

Also, in your ipconfig /all the DCs will need to point to another DC for the
Preferred DNS, and itself for Alternate. As with all AD Domain members, DCs
should also never have an ISP or other external DNS in TCP/IP properties.
Another issue you could be dealing with is a Single-label DNS domain name.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

[help]

Hi guys,
Just figured it out the broken delegation. Someone created a
delegation of mydomain.com in mydomain.com zone and deleted the NS
record, don't know how the heck!.

Therefore, i got the issues about a delegation being broken for
mydomain.com.mydomain.com. Just deleted the crap the previous guy did
and voila!

The issue about my DCs booting deadly slow is still there 20MINUTES TO
BOOT UP and show up the domain.... any help will be appreciated.

[Kevin D. Goodknecht Sr. [MVP]]

Read inline please.

In news:1185327563.102763.94470@d55g2000hsg.googlegroups.com,
help <hugoelopezp@gmail.com> typed:
> Hi guys,
> Just figured it out the broken delegation. Someone created a
> delegation of mydomain.com in mydomain.com zone and deleted the NS
> record, don't know how the heck!.
>
> Therefore, i got the issues about a delegation being broken for
> mydomain.com.mydomain.com. Just deleted the crap the previous guy did
> and voila!
>
> The issue about my DCs booting deadly slow is still there 20MINUTES TO
> BOOT UP and show up the domain.... any help will be appreciated.

If you have more than one DC, each DC should point to for Preferred DNS,
another DC w/DNS and the AD Domain zone that is always running when itself
is rebooted.
All DNS servers must be able to resolve the AD domain name, and in addition,
if the _msdcs.ForestRoot has been delegated, all DNS servers must have this
zone.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

[help]

Hi Kevin,
I always knew this about the DNS setup and it's always worked setup
that way on my current LAN. But I'm still curious about the fact that
in networks with only 1 DC this delay does not happen.

I'm even more curious yet when I see the event log and the DNS service
takes at least 20 minutes to start.

Regards!