Weird Alert

Daniel333 Member Posts: 2,077
Alright, so starting with the new year our monitoring system started spitting this alert out for all 40 of our clients, seemingly random with no pattern.
1) Eventvwr is clean in all situations
2) AD is replicating fine

Just sorta poking the alert with a stick here and there but nothing seems broken. I am inclined to just set the alert to ignore, but I would like to know what they are talking about. Any clues?


Description: SAAZ Intellimon has discovered that the NetDiag DNS test failed with error "No DNS servers have the DNS records for this DC registered". If DNS records are not registered in the DNS server, no other computer or user is able to locate the domain controller.
Type: Others
Category: Active Directory Monitoring


Knowledge Base Details
DNS Registration and Consistency
A good practice following the installation of Active Directory is to verify that the DNS resource records for the domain controller are written to the DNS server. This is known as registration.

There are two specific types of registration; registration for the computer A and PTR records and registration for the domain controller SRV records, A records, and CNAME records in the DNS server. It is recommended you check both types of registrations.

Note

If DNS records are not registered in the DNS server, no other computer or user is able to locate the domain controller. If DNS records of a computer are not registered, you see DNS errors in the System log in Event Viewer.

To review, the Net Logon service registers records when the domain controller is restarted and when the Net Logon service starts. The Net Logon service sends DNS dynamic update queries for its SRV records, A records, and CNAME records every hour to ensure that the DNS server always has these records registered.

For Active Directory-integrated zones, the DNS server stores all the records in the zone in Active Directory. It is possible that a record is updated in Active Directory, but has not replicated to all DNS servers loading the zone. This might cause consistency problems. By default, all DNS servers that load zones from Active Directory, poll Active Directory at a set interval — typically every five minutes — and update the directory for any incremental changes to the zone. In most cases, a DNS update takes no more than 20 minutes to replicate to all DNS servers used in an Active Directory domain environment employing default replication settings and reliable high-speed links. Thus, it is vital to ensure the consistency of directory-integrated zone data.
-Daniel

Comments

  • aiw726 Registered Users Posts: 4
    Just discovered this in one of our servers.

    Same issue as original post. Would like to get info about the message if anyone shares it here.
  • forkvoid Member Posts: 317
    Exactly what monitoring software is this?
    The beginning of knowledge is understanding how little you actually know.
  • aiw726 Registered Users Posts: 4
    Zenith Infotech.

    Server is a Dell.
  • darkerosxx Banned Posts: 1,343
    Is it unable to pull your SRV records? It's saying it can't find your Domain Controller DNS records.

    What DNS servers is it querying?

    Do those have your A/PTR/SRV records set up correctly?

    Is your DC inserting DNS records for all of the hosts you're getting alerts on? Are those records being created correctly in DNS?

    On the flipside, what DC is it searching for? Maybe it somehow got switched to search for a different registered DC and that sounds like it would cause it to alert on all hosts.
  • phoeneous Member Posts: 2,333
    Has there been a change to dns lately? And can the hosts perform reverse lookups?
  • undomiel Member Posts: 2,818
    Have you gone ahead and run dcdiag and netdiag on the DCs in question? It will report whether there are some DNS issues going on. What DNS servers is the monitoring software querying from? Assuming the DNS records are correct it is sounding like something isn't pointed to the correct DNS server out there somewhere.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • aiw726 Registered Users Posts: 4
    Thanks to all for your replies!

    darkerosxx - I tried looking for answers to your questions, but to be honest with you I'm starting to learn DNS and don't really know where to find all that info. Sorry!

    phoeneous - no changes on dns according to our notes (records) for the server. Reverse lookups are working properly.

    undomiel - ran dcdiag. Found the following info:

    TEST: Forwarders/Root hints (Forw)
    Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
    TEST: Delegations (Del)
    Error: DNS server: 2003server.xxxxxx.local. IP:192.168.1.15 [Broken delegated domain _msdcs.xxxxxx.local.]
    Summary of test results for DNS servers used by the above domain controllers:
    DNS server: 192.168.1.15 (2003server.xxxxxx.local.)
    1 test failure on this DNS server
    This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.15
    Delegation is broken for the domain _msdcs.Coover.local. on the DNS server 192.168.1.15
    DNS server: 198.32.64.12 (l.root-servers.net.)
    1 test failure on this DNS server
    This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
    Summary of DNS test results:
    Auth Basc Forw Del Dyn RReg Ext
    ________________________________________________________________
    Domain: xxxxxx.local
    dellserver PASS PASS PASS FAIL PASS PASS n/a
    ......................... xxxxxx.local failed test DNS


    DCDIAG gave the following results:

    DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.

    [FATAL] No DNS servers have the DNS records for this DC registered.

    Redir and Browser test . . . . . . : Failed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{2D51B895-9F46-4770-A813-DEC93B6B3BDA}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{2D51B895-9F46-4770-A813-DEC93B6B3BDA}
    The browser is bound to 1 NetBt transport.
    [FATAL] Cannot send mailslot message to 'coover*' via browser. [ERROR_INVALID_FUNCTION]


    Not sure if these results provide any good info. Regardless, please let me know your thoughts. Thanks again!
  • darkerosxx Banned Posts: 1,343
    Immediate things to check on:

    Error: Root hints list has invalid root hint server: l.root-servers.net.

    Error: DNS server: 2003server.xxxxxx.local. IP:192.168.1.15 [Broken delegated domain _msdcs.xxxxxx.local.]

    Summary of test results for DNS servers used by the above domain controllers:
    DNS server: 192.168.1.15 (2003server.xxxxxx.local.)
    1 test failure on this DNS server
    This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.15
    Delegation is broken for the domain _msdcs.Coover.local. on the DNS server 192.168.1.15

    DNS server: 198.32.64.12 (l.root-servers.net.)
    1 test failure on this DNS server
    This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12

    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.

    [FATAL] No DNS servers have the DNS records for this DC registered.


    I would check these individual things before moving forward.
  • aiw726 Registered Users Posts: 4
    Thanks again for the info.

    This is what I was able to do and find out.

    Resolved IP for l.root-servers.net. It was changed to 199.7.83.42

    Seems like the 2003server is offline. Perhaps an old server that's no longer working. Can't ping it or its IP address. Can't access shares listed on the server. Is it safe to delete from the dnsmgmt console?

    Was able to open netlogon.dns with notepad. Not sure what to look for there if anything at all.

    Not sure how to check this last one: [FATAL] No DNS servers have the DNS records for this DC registered.
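The knowledge base text in the first post explains that Net Logon writes the DC's A, SRV and CNAME records into DNS every hour, and aiw726 asks above what to look for in netlogon.dns and how to check that the records are actually registered. The script below is an added example for this thread (not part of any post, not from the monitoring product): netlogon.dns is the list of records Net Logon intends to register, so comparing it with an export of the zone shows exactly which records are missing. The netlogon.dns lines follow the file's real `<owner> <ttl> IN <type> <rdata>` layout; the zone export is assumed to be in the shape `dnscmd /zoneprint` writes (a `; Zone:` header, names relative to the apex with `@` for the apex, an optional `[Aging:...]` token, a whitespace-led line repeating the previous owner). Both inputs are constructed samples: the domain and host names are taken from the thread's dcdiag output, while the IP addresses and the DSA GUID are placeholders.

```python
"""Diff the records a DC expects to register (netlogon.dns) against a zone
export, and report what is missing. Added example; inputs are constructed."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner FQDN, lower-cased, trailing dot stripped
    rtype: str   # A, SRV, CNAME, ...
    rdata: str   # rdata tokens, lower-cased and trailing dots stripped


def _norm(name):
    return name.lower().rstrip(".")


def parse_netlogon_dns(text):
    """netlogon.dns: one '<owner> <ttl> IN <type> <rdata...>' record per line."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, rtype, rdata = parts[0], parts[3].upper(), parts[4:]
        records.add(Record(_norm(owner), rtype, " ".join(_norm(p) for p in rdata)))
    return records


def parse_zone_export(text):
    """Zone export in the assumed dnscmd /zoneprint shape (see lead-in)."""
    zone, last_owner, records = None, None, set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.lstrip().startswith(";"):
            m = re.match(r";\s*Zone:\s*(\S+)", raw.strip())
            if m:
                zone = _norm(m.group(1))
            continue
        if zone is None:
            raise ValueError("zone export has no '; Zone:' header")
        parts = raw.split()
        if raw[0].isspace():          # owner omitted: same as previous line
            owner = last_owner
        else:
            owner = parts.pop(0)
            last_owner = owner
        if parts and parts[0].startswith("["):   # drop the [Aging:...] token
            parts.pop(0)
        if len(parts) < 3:
            continue
        rtype, rdata = parts[1].upper(), parts[2:]
        fqdn = zone if owner == "@" else f"{_norm(owner)}.{zone}"
        records.add(Record(fqdn, rtype, " ".join(_norm(p) for p in rdata)))
    return records


def missing_registrations(expected, actual):
    """Records netlogon.dns says should exist but the zone does not hold."""
    return sorted(expected - actual, key=lambda r: (r.rtype, r.name))


def summarize(missing):
    """Group missing owner names by record type for a short report."""
    by_type = {}
    for r in missing:
        by_type.setdefault(r.rtype, []).append(r.name)
    return by_type


# Constructed sample: what Net Logon on 'dellserver' would write to netlogon.dns.
NETLOGON_DNS = """\
coover.local. 600 IN A 192.168.1.10
dellserver.coover.local. 600 IN A 192.168.1.10
_ldap._tcp.coover.local. 600 IN SRV 0 100 389 dellserver.coover.local.
_ldap._tcp.dc._msdcs.coover.local. 600 IN SRV 0 100 389 dellserver.coover.local.
_kerberos._tcp.dc._msdcs.coover.local. 600 IN SRV 0 100 88 dellserver.coover.local.
_gc._tcp.coover.local. 600 IN SRV 0 100 3268 dellserver.coover.local.
00000000-0000-0000-0000-000000000000._msdcs.coover.local. 600 IN CNAME dellserver.coover.local.
"""

# Constructed sample zone export: the _msdcs records never made it in, which is
# the situation a broken _msdcs delegation (as in the thread's dcdiag) produces.
ZONE_EXPORT = """\
; Zone:     coover.local
; Server:   dellserver.coover.local
@ 600 A\t192.168.1.10
dellserver [Aging:3604987] 600 A\t192.168.1.10
_ldap._tcp 600 SRV\t0 100 389 dellserver.coover.local.
_gc._tcp 600 SRV\t0 100 3268 dellserver.coover.local.
2003server 3600 A\t192.168.1.15
"""

if __name__ == "__main__":
    gaps = missing_registrations(parse_netlogon_dns(NETLOGON_DNS),
                                 parse_zone_export(ZONE_EXPORT))
    for rtype, names in summarize(gaps).items():
        print(f"{rtype}: {len(names)} record(s) not registered")
        for name in names:
            print("   ", name)
```

Every missing record in the sample sits under `_msdcs`, which is the sub-domain dcdiag reported as a broken delegation; a result like that points at the delegation or the DNS server the DC is using rather than at Net Logon itself, and is the kind of gap that `ipconfig /registerdns` alone will not close.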
  • undomiel Member Posts: 2,818
    Is the server pointing to itself via 127.0.0.1 for DNS? You can ignore the 1.0.0.127.in-addr.arpa error.

    Is this a multi-homed DC?

    Also, make sure that the DHCP Client service is running and then run an ipconfig /registerdns to get the records properly registered. netdiag /fix would correct DNS entries as well.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Mishra Member Posts: 2,468
    You can turn on netlogon debug logging by running this.

    nltest /dbflag:0x2000ffff

    It will help you figure out DC/DNS problems.
    My blog http://www.calegp.com

    You may learn something!