Re: Strange DNS problem

From: C Hall (someone_at_microsoft.com)
Date: 04/18/05


Date: Mon, 18 Apr 2005 16:32:45 -0400

Steven,

Thanks for the post. It's looking like a rebuild of one DC (not a FSMO role
holder). I didn't allow enough disk space and that's causing problems. Aside
from that, there are a bunch of errors in the logs, I can't open ADU&C to
follow the guidance of the dns group (Kevin). Armed with new info, I
don't think this is a security problem at this point. I will look at the
links below. Thanks again.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uQgM2LFRFHA.1528@TK2MSFTNGP09.phx.gbl...
> See the link below which may help in rebuilding your dns zones. I suggest
> that unless your organization requires otherwise, use only AD integrated
> zones, do not allow zone transfers to other dns servers if not needed [this
> is not needed for AD integrated dns zones and never select "to any"], and
> require secure updates unless you have a need to not use that. You may also
> want to post in the win2000.dns newsgroup. Keep in mind that if you delete
> an AD dns zone, that zone will be totally deleted from Active Directory and
> not just that server. You also need to have some patience when rebuilding
> your dns as replication will not be immediate to other dns servers/domain
> controllers. Another alternative could be an authoritative restore of Active
> Directory from a recent System State backup of a domain controller for AD
> integrated dns zones. --- Steve
>
> http://support.microsoft.com/?kbid=260371 -- see To repair the Active
> Directory DNS record registration
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- DNS
> best practices.
>
>
> "C Hall" <someone@microsoft.com> wrote in message
> news:%233giL7BRFHA.904@tk2msftngp13.phx.gbl...
> > Good morning,
> >
> > This past Friday, I was having problems with my DNS. The short version is
> > that I ended up deleting our zones and am in the process of resolving that
> > problem. However, when I went to do this last Friday, a DNS server from
> > another organization showed up as the SOA for the newly created zone. I had
> > been receiving alerts most of the day that this ip address was doing an
> > nmap udp port sweep. I talked to the vendor this morning and they had no
> > idea. For more details, I'm providing the post to the dns forum where I'm
> > trying to resolve the issue of being able to recreate the zone. It seemed
> > like we were getting compromised.
> >
> > DNS Post:
> > We have three DCs--DC1, DC2, and DC3. We had an AD Integrated zone for our
> > forward lookup zone. On DC3, the zone showed as a secondary zone, so I tried
> > to change the type to an AD integrated zone (right-click, properties,
> > etc...), but it wouldn't allow it. I didn't write down the actual message,
> > but I was given two options: use the current zone or use the AD zone.
> > Neither option would work. I decided to delete the zone, thinking that since
> > the zone was a secondary zone that it would just die and I would be able to
> > create an AD zone or that the AD zone would replicate over. That didn't
> > work. In fact, the AD zone disappeared on both DC1 and DC2.
> >
> > Next, I panicked and posted my previous thread ("Urgent!!!").
> >
> > I have just tried creating a Primary zone on DC1 and created secondary zones
> > on DC2 & DC3. Then I ran Netdiag /fix. I wish I could say that I saved the
> > results to a text file, but I didn't. I did get it printed, though. The DNS
> > test shows it failed (surprise) with several FATAL errors trying to recreate
> > dns entries. I had set the zone to allow dynamic updates, accept updates
> > from all servers and had manually entered NS, A and PTR records for all DCs.
> > At this point, all zones have once again disappeared--the primary on the
> > master and the two secondary zones.
> >
> > Any clues would be appreciated.
>
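The zone settings Steve recommends (AD-integrated primary, no zone transfers, secure dynamic updates only) and the symptom that started the thread (an SOA or NS name belonging to a server outside the domain) can both be checked from one script. The following is an added example, not code from the thread, from Microsoft or from either poster. It assumes Windows Server 2012 or later with the DnsServer and ActiveDirectory PowerShell modules; the zone and server names are placeholders. On the Windows 2000/2003 servers of the thread the same settings are reached with dnscmd, as noted in the header comment.

```powershell
<#
 Added example (not from the thread). Audits one zone against the advice in
 the reply above and flags an SOA/NS name that is not one of the domain's own
 DCs; with -Fix it tightens the two settings that are safe to change in place.
 Assumptions: Windows Server 2012+, DnsServer + ActiveDirectory modules, and
 placeholder names for $Zone and $Server.
 dnscmd equivalents for the era of the thread:
   dnscmd <dc> /ZoneInfo <zone>
   dnscmd <dc> /ZoneResetSecondaries <zone> /NoXfr
   dnscmd <dc> /Config <zone> /AllowUpdate 2      (2 = secure updates only)
#>
param(
    [string]$Zone   = 'corp.example.com',       # assumed AD domain / zone name
    [string]$Server = 'dc1.corp.example.com',   # assumed DC running DNS
    [switch]$Fix
)
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-ZoneFindings {
    param([string]$Zone, [string]$Server)
    $findings = @()

    # The only names that should appear in this zone's SOA and apex NS records
    # are the domain's own DCs, taken from AD rather than from DNS itself.
    $dcs = @(Get-ADDomainController -Filter * |
             ForEach-Object { $_.HostName.TrimEnd('.').ToLower() })

    $z = Get-DnsServerZone -Name $Zone -ComputerName $Server
    if ($z.ZoneType -ne 'Primary' -or -not $z.IsDsIntegrated) {
        $findings += "zone is $($z.ZoneType) (DsIntegrated=$($z.IsDsIntegrated)); expected an AD-integrated primary"
    }
    if ($z.DynamicUpdate -ne 'Secure') {
        $findings += "DynamicUpdate=$($z.DynamicUpdate); expected Secure"
    }
    if ($z.SecureSecondaries -eq 'TransferAnyServer') {
        $findings += "zone transfers are allowed to any server"
    }

    # SOA primary server: the field that showed a foreign host in the thread.
    $soa = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa -ComputerName $Server
    $primary = $soa.RecordData.PrimaryServer.TrimEnd('.').ToLower()
    if ($dcs -notcontains $primary) {
        $findings += "SOA primary server is $primary, which is not a DC of this domain"
    }

    # Apex NS records (HostName '@'); a foreach statement is used rather than
    # ForEach-Object so that $findings is updated in this scope.
    $nsRecords = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Ns -ComputerName $Server |
                 Where-Object { $_.HostName -eq '@' }
    foreach ($r in $nsRecords) {
        $ns = $r.RecordData.NameServer.TrimEnd('.').ToLower()
        if ($dcs -notcontains $ns) {
            $findings += "NS record names $ns, which is not a DC of this domain"
        }
    }
    return $findings
}

$findings = @(Get-ZoneFindings -Zone $Zone -Server $Server)
if ($findings.Count -eq 0) {
    Write-Output "$Zone on ${Server}: AD-integrated, secure updates only, no transfers, SOA/NS are domain DCs"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Fix) {
        # Only the update and transfer policy are changed here. Zone type and a
        # stray SOA/NS entry are left for a human, because deleting an
        # AD-integrated zone removes it from every DC, as the thread shows.
        Set-DnsServerPrimaryZone -Name $Zone -ComputerName $Server `
            -DynamicUpdate Secure -SecureSecondaries NoTransfer
        # After the records are corrected, re-register the DC's own SRV/A
        # records (the repair step in KB 260371): Restart-Service Netlogon on each DC.
    }
}
```

Run it as `.\Audit-DnsZone.ps1 -Zone corp.example.com -Server dc1.corp.example.com` from a host with RSAT; add `-Fix` only after reviewing the warnings, since the script deliberately never deletes or re-types a zone.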


