
Netlogon eventid 5781

Question

Thursday, May 10, 2012 12:08 PM

Hi all,

I have a very annoying issue. Here is the background: 1 forest with 1 parent domain and 2 child domains.

In one of the child domains, let's say child1.root.net, I added an additional DC a while ago. Now, during maintenance, I noticed that when running nslookup I get this:

C:\Users\administrator>nslookup
Default Server:  UnKnown
Address:  192.168.59.250

> exit

Any query works, but the name is not listed next to Default Server.

The IP is the IP of the DC and is listed as Preferred DNS Server.

As soon as I change the Preferred DNS Server to the loopback IP 127.0.0.1, I get this:

C:\Users\administrator>nslookup
Default Server:  localhost
Address:  127.0.0.1

> exit

I've tried to restart the NetLogon service or reboot the server, no change at all.

So, I've tried to restart the DNS service. Right after that I started to get, each time, three NETLOGON events 5781, saying this, respectively:

****1st Event*****

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'child1.root.net.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

***************

****2nd Event*****

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'root.net.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

***************

****3rd Event*****

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.child1.root.net.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

***************

The event mentions that one should run nltest /dsregdns or restart the NETLOGON service.

Doing nltest /dsregdns I get this:

C:\Users\administrator>nltest.exe /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

Doing a restart of NETLOGON didn't change anything.

This issue is only with one DC from the child1.root.net domain; the other one is fine. The difference is that they are in different VLANs over a firewall, and communication is open.

Any help, idea or advice will be really appreciated.

Thanks,

All replies (2)

Friday, May 11, 2012 2:27 AM ✅Answered

Hi,

In order to troubleshoot, please do not have the DCs reference themselves as the primary DNS server in TCP/IP properties. Use another DC/DNS server as the preferred DNS server, and restart the Netlogon service on the problematic DC, to see whether all records register successfully in DNS. In addition, please also verify that a 192.168.59.250 PTR child1.root.net record is listed in the Reverse Lookup zone.

Best Regards,

Aiden

Aiden Cao

TechNet Community Support


Friday, May 11, 2012 3:37 AM ✅Answered

Aiden provided the way to look for that record.

I would like to add, if you're only worried about the Unknown message nslookup gives you when it's invoked or when you run a query, there is really NOTHING to worry about. Nslookup is simply trying to resolve the name of the DNS server that it's using. It does NOT affect its query capabilities.

If you don't have a reverse zone for 192.168.59.250, simply create it and make sure there's a PTR entry in the zone for whatever that server's FQDN is.

Understanding Reverse Lookup
http://technet.microsoft.com/en-us/library/cc730980.aspx

How to configure a subnetted reverse lookup zone on Windows NT, Windows 2000, or Windows Server 2003
http://support.microsoft.com/kb/174419

If the subnet is less than or more than /24, see the following discussion for specifics on how to do it:
Technet Thread title: "Reverse DNS smaller than /24 (v4)"
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/4147e8fe-43d8-4eff-a890-a0e1e31a96ea/#bd664835-05b3-4d53-9b08-d845b177d9d2

Technet Thread: "How to setup a Reverse lookup zone on windows 2008 server with IP address 65.19.134.173 and subnetmask 255.255.255.224."
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/7c81a129-efa2-4b88-80bb-591c4119beb4/

Regarding the EventID 5781:

If you're saying it's on a separate VLAN, and the other DC is working fine, then it may indicate either a firewall block, or antivirus software on the DC itself blocking necessary traffic. You can test if the necessary traffic is being blocked by using PortQry by running the Domains and Trusts test, as shown in the pic after the PortQry download link below:

PortQryUI - GUI - Version 2.0 8/2/2004
http://www.microsoft.com/download/en/details.aspx?id=24009

And note about the results:

If you get return codes 0x0000002 or 0x0000001, it may simply mean that PortQRY is checking the UDP port and not TCP, which that service may be listening on. Quoted from the blog in the following link:
"[...] If you get a LISTENING or FILTERED response, check and see whether we are checking TCP or UDP, most likely it was attempting to use UDP and this would be a normal response as UDP is connectionless. An example of this would be if you query port 88 for Kerberos against a DC and use the following syntax:
Portqry -n server1 -e 88 -p both [...]"
Using PortQry for Troubleshooting, by the DS Team [MSFT]
http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx

Also, curious, how do you have your parent-child DNS designed for your forest? This can also have a factor in DNS resolution in the forest. Please read the following and let us know which design your system is using:

DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.
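
The two checks discussed in this thread, the PTR record behind nslookup's "UnKnown" and the Netlogon registrations behind event 5781, as an added PowerShell example that is not part of either reply. Assumptions: it runs on the affected DC with the DnsClient module (Resolve-DnsName, Windows Server 2012 / Windows 8 or later), the IP address is the one from the question, and Netlogon's record list is in the usual %SystemRoot%\System32\config\netlogon.dns file.

```powershell
# Added example: parameter defaults come from the question, the file path is an assumption.
param(
    [string]$DnsServer   = '192.168.59.250',  # preferred DNS server shown in the question
    [string]$DcIp        = '192.168.59.250',  # address nslookup could not put a name to
    [string]$NetlogonDns = "$env:SystemRoot\System32\config\netlogon.dns"
)

function ConvertTo-ReverseName([string]$Ip) {
    # 192.168.59.250 -> 250.59.168.192.in-addr.arpa
    $octets = $Ip.Split('.')
    [array]::Reverse($octets)
    ($octets -join '.') + '.in-addr.arpa'
}

function Get-Answer([string]$Name, [string]$Type) {
    # Return only answer-section records; NXDOMAIN or a timeout yields nothing.
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Section -eq 'Answer' }
    } catch { }
}

# 1. Reverse lookup: without a PTR record nslookup cannot name its default server.
$ptr = Get-Answer (ConvertTo-ReverseName $DcIp) 'PTR'
if ($ptr) { "PTR ok: $DcIp -> $($ptr.NameHost -join ', ')" }
else      { "PTR missing for $DcIp on $DnsServer" }

# 2. netlogon.dns lists every record Netlogon tries to register, one per line:
#    "<owner> <ttl> IN <type> <data...>". Query each and collect the ones not found.
$missing = foreach ($line in Get-Content $NetlogonDns) {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }
    $owner, $type, $target = $f[0], $f[3], $f[-1].TrimEnd('.')
    $hit = Get-Answer $owner $type | Where-Object {
        # SRV answers carry NameTarget, CNAME answers NameHost, A answers IPAddress
        ($_.NameTarget, $_.NameHost, $_.IPAddress) -contains $target
    }
    if (-not $hit) { [pscustomobject]@{ Owner = $owner; Type = $type; Expected = $target } }
}

if ($missing) { $missing | Format-Table -AutoSize }
else          { 'All netlogon.dns records resolve to this DC.' }
```

Running it once against each DNS server the DC could use shows whether the missing records fall under the zones named in the three 5781 events.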