PC Review



5504 Warnings

 
 
Allen Davis
1st Apr 2004
Lately, my forest root DC, which is also hosting an AD integrated DNS zone, is getting its DNS event log filled up with 5504 warnings. I've looked at all of them and they're all from the a through l root DNS servers on the Internet. Not m though for some reason *shrug*. I've looked at all of my other child DCs which are also hosting AD integrated DNS zones for their respective domain names and only two of them show 5504 warnings and only a handful at that. And those few list the forest root DNS server as the source of the bad packet. Please note single DCs for all domains.

I have secure cache against pollution enabled on all servers. They are all set to receive only secure updates. There are no computers at all, DCs included, that I can find anywhere on the network with an invalid character in the name. I see no packet loss on the Internet connection serving the forest root DNS. And DNS has been functioning correctly for 2 years on all these servers until just recently. I'm also not aware of any Windows security updates this month that affected DNS.
 
Kevin D. Goodknecht [MVP]
1st Apr 2004
In news:E934F0B9-42B6-4100-B0BD-(E-Mail Removed),
Allen Davis <(E-Mail Removed)> posted a question
Then Kevin replied below:
> Lately, my forest root DC, which is also hosting an AD integrated DNS
> zone, is getting its DNS event log filled up with 5504 warnings. I've
> looked at all of them and they're all from the a through l root DNS
> servers on the Internet. Not m though for some reason *shrug*. I've
> looked at all of my other child DCs which are also hosting AD
> integrated DNS zones for their respective domain names and only two
> of them show 5504 warnings and only a handful at that. And those few
> list the forest root DNS server as the source of the bad packet.
> Please note single DCs for all domains.
>
> I have secure cache against pollution enabled on all servers. They
> are all set to receive only secure updates. There are no computers at
> all, DCs included, that I can find anywhere on the network with an
> invalid character in the name. I see no packet loss on the Internet
> connection serving the forest root DNS. And DNS has been functioning
> correctly for 2 years on all these servers until just recently. I'm
> also not aware of any Windows security updates this month that
> affected DNS.


If you could post the complete event we can tell more about the cause. It is
usually caused by an invalid character on a machine name. Usually from a
Win9x because users can change the machine name and may not use valid
characters.
But there are other causes, sometimes a single label name in the DNS search
list or Suffix can cause this.

Post the complete event unedited and an ipconfig /all unedited.

http://www.eventid.net/display.asp?eventid=5504&source=

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================


 
Allen Davis
1st Apr 2004
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 4/1/2004
Time: 10:31:54
User: N/A
Computer: URB-FNG-DC-01
Description:
The DNS server encountered an invalid domain name in a packet from 192.33.4.12. The packet is rejected.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : urb-fng-dc-01
Primary DNS Suffix . . . . . . . : flex-n-gate.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : flex-n-gate.com

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Advanced Network Services Virtual Adapter
Physical Address. . . . . . . . . : 00-02-55-C7-CA-1A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.9.201.157
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.9.201.254
DNS Servers . . . . . . . . . . . : 192.9.201.157
Primary WINS Server . . . . . . . : 192.9.201.157
 
Kevin D. Goodknecht [MVP]
1st Apr 2004
In news:3E1E4BB2-A215-4B15-B646-(E-Mail Removed),
Allen Davis <(E-Mail Removed)> posted a question
Then Kevin replied below:
> Event Type: Warning
> Event Source: DNS
> Event Category: None
> Event ID: 5504
> Date: 4/1/2004
> Time: 10:31:54
> User: N/A
> Computer: URB-FNG-DC-01
> Description:
> The DNS server encountered an invalid domain name in a packet from
> 192.33.4.12. The packet is rejected.
>
> Windows 2000 IP Configuration
>
> Host Name . . . . . . . . . . . . : urb-fng-dc-01
> Primary DNS Suffix . . . . . . . : flex-n-gate.com
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : flex-n-gate.com
>
> Ethernet adapter Local Area Connection 3:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) Advanced Network Services Virtual Adapter
> Physical Address. . . . . . . . . : 00-02-55-C7-CA-1A
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.9.201.157
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.9.201.254
> DNS Servers . . . . . . . . . . . : 192.9.201.157
> Primary WINS Server . . . . . . . : 192.9.201.157


There is no invalid character on this machine. But looking at where the
packet is coming from, 192.33.4.12 reverses to one of the root servers.
QUESTION SECTION:

12.4.33.192.in-addr.arpa. IN PTR

ANSWER SECTION:

12.4.33.192.in-addr.arpa. 10800 IN PTR c.root-servers.net.

It could be a number of things, maybe even an invalid domain name in a DNS
suffix search list on one of your machines or just a lost packet if your
internet connection is getting congested.

Sometimes they go away if you give the DNS server a forwarder. Is there a
forwarder for this DNS server?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps


 
Ace Fekay [MVP]
1st Apr 2004
In news:3E1E4BB2-A215-4B15-B646-(E-Mail Removed),
Allen Davis <(E-Mail Removed)> posted their thoughts, then I
offered mine
> Event Type: Warning
> Event Source: DNS
> Event Category: None
> Event ID: 5504
> Date: 4/1/2004
> Time: 10:31:54
> User: N/A
> Computer: URB-FNG-DC-01
> Description:
> The DNS server encountered an invalid domain name in a packet from
> 192.33.4.12. The packet is rejected.
>
> Windows 2000 IP Configuration
>
> Host Name . . . . . . . . . . . . : urb-fng-dc-01
> Primary DNS Suffix . . . . . . . : flex-n-gate.com
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : flex-n-gate.com
>
> Ethernet adapter Local Area Connection 3:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) Advanced Network Services Virtual Adapter
> Physical Address. . . . . . . . . : 00-02-55-C7-CA-1A
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.9.201.157
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.9.201.254
> DNS Servers . . . . . . . . . . . : 192.9.201.157
> Primary WINS Server . . . . . . . : 192.9.201.157



Is this address range you are using internally (192.9.20.0/24) supposed to
be a private range or a public range the ISP gave you to use?

Reason why I ask is that this is a public range. I tried to do a lookup on
it at www.arin.net, but their system seems to be down so I can't determine
who it belongs to.

Valid ranges, FYI, for private NAT networks are:
192.168.0.0/16
172.16.0.0/19
10.0.0.0/8

I apologize if this assumption is incorrect.

If these are your private ranges, and were assumed to be private and not
public, it *may* account for what you are seeing.

Sometimes I also see this when one doesn't use a forwarder, or using a
reserved name (like com, net, prt, etc) but not sure if 'gate' is one or
not, but I don't think so, other than the illegal character issue.

It could also be an attack as well, which I've seen too.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================


 
Kevin D. Goodknecht [MVP]
1st Apr 2004
In news:2492DAFF-FA6A-4B0E-AF2C-(E-Mail Removed),
Allen Davis <(E-Mail Removed)> posted a question
Then Kevin replied below:
> No, there is no forwarder on this DNS server, the forest root. All of
> the child DC/DNS servers use the forest root DC/DNS server as their
> forwarder and sole root hint.
>
> I also asked the ISP providing Internet service to this server to
> analyze the line for dropped or corrupted packets. Still waiting for
> the results of that.


Add your ISP's DNS as a forwarder; this can reduce the number of packets
across the link. If it reduces the 5504s then you can almost bet on a congested
link.
If the 5504s continue but come from the ISP's DNS then it is an invalid name
somewhere on your network.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps


 
Ace Fekay [MVP]
2nd Apr 2004
In news:6D52C1C3-172E-4745-801C-(E-Mail Removed),
Allen Davis <(E-Mail Removed)> posted their thoughts, then I
offered mine
> Yeah, I know. Don't tease me about that please. I inherited this
> network when I came on board with this company. I'm trying to get
> this company in a position to clean up a whole host of network
> inefficiencies and design flaws but it's a tough row to hoe.



Hmm, I was correct. Ok, no teasing... you got your work cut out for yourself
(as hard as it is).

About the 5504, follow what Kevin said to use a forwarder. I've seen that
clean the 5504's up if they're not on your network. You can use 4.2.2.2,
it's a good one for a forwarder.

:-)

--
Regards,
Ace



 
Allen Davis
2nd Apr 2004
I added two forwarders to the forest root DNS server shortly after your post. Between then and now, only two more 5504 errors have crept into the DNS event log. Both report bad packets from the new forwarders, one each. I find that there was scheduled router maintenance at the edge of the ISP's network where we connect at about the same time these warnings started. So it will be interesting to see what their diagnostics find.

Thanks for your guidance. I'll post any supporting or conclusive follow up information as it becomes available.
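
The forwarder test suggested in the thread, worked through as an added example (not code from any poster): it pulls the sender address out of each 5504 description, labels it, and compares equal windows before and after the forwarder was added. The function names, the six-hour window, the "halved or better" threshold, the use of 4.2.2.2 as the configured forwarder and the sample events are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the 5504 description quoted in the thread, including a wrapped line.
SRC = re.compile(r"invalid domain name in a packet from\s+(\d{1,3}(?:\.\d{1,3}){3})\.")

# From the thread: 192.33.4.12 reverses to c.root-servers.net, and 4.2.2.2 is the
# forwarder Ace suggests. Treating 4.2.2.2 as the configured forwarder is an assumption.
ROOTS = {"192.33.4.12": "c.root-servers.net"}
FORWARDERS = {"4.2.2.2"}

# Constructed sample events (timestamp, description); not taken from a real log.
MSG = ("The DNS server encountered an invalid domain name in a packet "
       "from {}. The packet is rejected.")
EVENTS = [(datetime(2004, 4, 1, hour, 31), MSG.format(ip)) for hour, ip in
          [(6, "192.33.4.12"), (7, "192.33.4.12"), (8, "192.33.4.12"),
           (9, "192.33.4.12"), (10, "192.33.4.12"), (11, "192.33.4.12"),
           (14, "4.2.2.2")]]

def source_ip(description):
    """Return the sender address from a 5504 description, or None."""
    match = SRC.search(description)
    return match.group(1) if match else None

def classify(ip):
    """Label a sender as the forwarder, a root server, or something else."""
    return "forwarder" if ip in FORWARDERS else "root-server" if ip in ROOTS else "other"

def triage(events, forwarder_added, window=timedelta(hours=6)):
    """Compare equal windows either side of the forwarder change."""
    before, after = Counter(), Counter()
    for when, description in events:
        ip = source_ip(description)
        if ip and forwarder_added - window <= when < forwarder_added:
            before[classify(ip)] += 1
        elif ip and forwarder_added <= when < forwarder_added + window:
            after[classify(ip)] += 1
    n_before, n_after = sum(before.values()), sum(after.values())
    if n_before == 0:
        verdict = "no baseline before the change"
    elif n_after * 2 <= n_before:  # assumed threshold: halved or better is "reduced"
        verdict = "reduced: consistent with a congested link"
    elif after["forwarder"] == n_after:
        verdict = "continuing via forwarder: look for an invalid name on the network"
    else:
        verdict = "inconclusive"
    return dict(before), dict(after), verdict
```

Calling `triage(EVENTS, datetime(2004, 4, 1, 12, 0))` on the constructed sample returns the per-class counts for each window and the verdict string.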
 