GenesisCraigM
MIS
We presently have an active directory forest with two domain trees:
Forest's DNS Name: forest.
Forest's NetBIOS Name: FOREST
Domain Trees:
DNS Name: corporation1.com.
NetBIOS Name: CORP1
DNS Name: corporation2.com.
NetBIOS Name: CORP2
Before you say anything, our internal DNS namespace is isolated from the outside world and our DNS servers are authoritative for the domain "forest." This is a perfectly valid usage of DNS. In fact, our forest has been working for two years. By using this DNS name, the only thing I lose is the ability to establish trusts with other domains via the Internet, which isn't going to be happening anyway.
All of our domain controllers in the forest have one DNS server configured in their TCP/IP settings -- the one which is authoritative for our internal active directory DNS zones "forest." "corporation1.com." and "corporation2.com."
Recently, we added some new Domain Controllers (which we've done many times before) to both domain trees. We noticed that the forest level records that the DCs should register (such as the GC records, also the aliases under guid.domains._msdcs.forest.) were not registering. The DCs would properly register their records in their own respective AD zones, but not the necessary records in the forest zone.
I was using MS DNS for hosting the AD DNS zones. After rebuilding the forest zone file, trying both AD integrated and standard primary, and reinstalling MSDNS (I also verified all security settings on the zone, including trying unsecure and secure dynamic updates), it still wouldn't work.
We migrated our AD zones to BIND 9, enabled dynamic updates, etc. This seems to have solved our dynamic update problems. All of our DCs in the forest are now successfully updating their records in their own domain zones and in the forest zones.
So that problem is solved. I am, however, experiencing something strange.
When I run a netdiag /test:dns on any DC in the forest zone, I get the following error:
[WARNING] Cannot find a primary authoritative DNS server for the name 'DC1.FOREST.'. [RCODE_SERVER_FAILURE] The name 'DC1.FOREST.' may not be registered in DNS.
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.2' and other DCs also have some of the names registered.
If I /manually/ perform an SOA, NS, or A query on both "DC1.FOREST." and "FOREST." I receive the correct response indicating the start of authority is properly configured and the DNS server is properly responding.
C:\Program Files\Support Tools>nslookup
Default Server: ns1.company.com
Address: 10.0.0.2
*** SOA QUERY on Domain Controller that netdiag /test:dns reported an error on:
> set qtype=soa
> dc1.forest.
Server: ns1.company.com
Address: 10.0.0.2
forest
primary name server = ns1.company.com
responsible mail addr = hostmaster.company.com
serial = 2003110212
refresh = 1800 (30 mins)
retry = 600 (10 mins)
expire = 5184000 (60 days)
default TTL = 18000 (5 hours)
*** SOA QUERY on forest domain:
> forest.
Server: ns1.company.com
Address: 10.0.0.2
forest
primary name server = ns1.company.com
responsible mail addr = hostmaster.company.com
serial = 2003110212
refresh = 1800 (30 mins)
retry = 600 (10 mins)
expire = 5184000 (60 days)
default TTL = 18000 (5 hours)
forest nameserver = ns1.company.com
ns1.company.com internet address = 10.0.0.2
>
As you can see, DNS is functioning 100% perfectly for this zone "forest.". Dynamic updates proceed, DCs are able to be located, etc. Everything is fine. The only indication of any problem is the netdiag /test:dns error reporting an inability to find an authoritative DNS server (even though it can be found just fine).
Any ideas what's going on?
Thanks!
Craig J Matthews
System Administrator, Genesis Group
craigm@genesisgroup.com
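The warning in the post is about locating the "primary authoritative" server for a name, which is what a dynamic-update requestor does before sending an update (RFC 2136 requestor behaviour): walk the name up one label at a time until an SOA is found, read the MNAME out of that SOA, and resolve the MNAME to an address. The script below is an added example that reproduces that procedure offline; it is not netdiag's or BIND's code, and whether netdiag's own check follows exactly this logic is not something the post tells us. The record set is constructed from the SOA/NS/A answers shown in the nslookup transcript (the 10.0.0.11 address for dc1.forest. is made up), and a plain dict stands in for the resolver. The second scenario removes the A record for the MNAME to show the one way this procedure fails even when the SOA itself answers, which is the kind of check worth running by hand when a tool reports "cannot find a primary authoritative server".

```python
"""Locate the primary authoritative (SOA MNAME) server for a DNS name the
way an RFC 2136 dynamic-update requestor does.

Added example, not code from netdiag or BIND.  RECORDS is constructed from
the nslookup output in the post; the address of dc1.forest. is invented.
"""
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (owner name, record type)


def fqdn(name: str) -> str:
    """Normalise to lower case with exactly one trailing dot, so that
    'DC1.FOREST.' (as netdiag prints it) and 'dc1.forest' compare equal.
    The root is '.'."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


# Constructed zone data modeled on the SOA, NS and A answers in the post.
RECORDS: Dict[Key, List[str]] = {
    (fqdn("forest."), "SOA"): [
        "ns1.company.com. hostmaster.company.com. 2003110212 1800 600 5184000 18000"
    ],
    (fqdn("forest."), "NS"): ["ns1.company.com."],
    (fqdn("ns1.company.com."), "A"): ["10.0.0.2"],
    (fqdn("dc1.forest."), "A"): ["10.0.0.11"],  # constructed host address
}


def ancestors(name: str) -> List[str]:
    """'dc1.forest.' -> ['dc1.forest.', 'forest.', '.']"""
    labels = [lab for lab in fqdn(name).split(".") if lab]
    out = []
    for i in range(len(labels) + 1):
        rest = labels[i:]
        out.append(".".join(rest) + "." if rest else ".")
    return out


def lookup(records: Dict[Key, List[str]], name: str, rtype: str) -> List[str]:
    """Stand-in for a resolver query against the single configured server."""
    return records.get((fqdn(name), rtype), [])


def find_zone(records: Dict[Key, List[str]], name: str) -> Optional[str]:
    """Closest enclosing zone apex: the first ancestor that owns an SOA.
    A single-label zone such as 'forest.' is found like any other."""
    for candidate in ancestors(name):
        if lookup(records, candidate, "SOA"):
            return candidate
    return None


def find_primary(records: Dict[Key, List[str]], name: str) -> dict:
    """Return the zone, its SOA MNAME and the MNAME's address, or a reason
    why the primary could not be located."""
    zone = find_zone(records, name)
    if zone is None:
        return {"ok": False, "reason": f"no SOA for {fqdn(name)} or any parent"}
    mname = fqdn(lookup(records, zone, "SOA")[0].split()[0])
    addrs = lookup(records, mname, "A")
    if not addrs:
        # The SOA answers, but the server it names cannot be resolved from
        # the same resolver: the requestor has nowhere to send the update.
        return {"ok": False, "zone": zone, "primary": mname,
                "reason": f"SOA names {mname} as primary but it has no A record"}
    return {"ok": True, "zone": zone, "primary": mname, "address": addrs[0]}


if __name__ == "__main__":
    for name in ("DC1.FOREST.", "forest."):
        print(name, "->", find_primary(RECORDS, name))
    # Constructed failure scenario: the MNAME's A record is missing.
    broken = {k: v for k, v in RECORDS.items() if k != (fqdn("ns1.company.com."), "A")}
    print("without MNAME A record ->", find_primary(broken, "dc1.forest."))
```

Run it as-is and both page names resolve to ns1.company.com. at 10.0.0.2, matching the manual nslookup result; the third line shows the "cannot find primary" outcome that the same walk-up produces once the MNAME stops resolving.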