DNS problems - netdiag /fix


Adam Marx

When I try to run the program netdiag /fix on my DNS server I get the error
"[FATAL] Failed to get system information of this machine." I'm going to
guess that this is a problem? It's a Windows 2000 server running AD, it also
is the DC. I had some problems recently with a new domain that I installed
and the MX records still error when testing it from http://dnsreport.com.

I believe I may have installed DNS incorrectly when initially installing it
but it seems to resolve my domain name correctly. Is it possible for DNS to
partially work? So, now that I have this error I can't seem to fix I'm
thinking of re-installing my DNS and rebuilding it from the ground up. Is
there a way to fix this without re-installing?

My DNS in the snap in looks a bit like this...

W2K
Forward lookup Zones
Reverse Lookup Zones


"Note: If you name the zone "com" we will believe that we are authoritative
for the "com" domain and never forward any requests that we can not answer
out to the real "com" domain servers. The same would be true if you named it
"microsoft.com", you would never use your forwarder to resolve requests from
the real "microsoft.com" servers. "

So, assuming I'm re-installing the DNS the above statement confuses me. I've
registered the domain name lets say "Cars.com" and have used that as the
premise for establishing my DNS and webserver. My FQDN is w2k.ajm1.Cars.com
which I think is incorrect I think it should have been something shorter but
If I recall I ran into problems and that worked. Does anyone have a
suggestion for a FQDN? , maybe w2k.Cars.com?

Thanks for any help you can give.

AJM,
 

Kevin D. Goodknecht [MVP]

In
Adam Marx said:
When I try to run the program netdiag /fix on my DNS server I get the
error "[FATAL] Failed to get system information of this machine."
I'm going to guess that this is a problem? It's a Windows 2000
server running AD, it also is the DC. I had some problems recently
with a new domain that I installed and the MX records still error
when testing it from http://dnsreport.com.

I believe I may have installed DNS incorrectly when initially
installing it but it seems to resolve my domain name correctly. Is it
possible for DNS to partially work? So, now that I have this error I
can't seem to fix I'm thinking of re-installing my DNS and rebuilding
it from the ground up. Is there a way to fix this without
re-installing?

My DNS in the snap in looks a bit like this...

W2K
Forward lookup Zones
Reverse Lookup Zones


"Note: If you name the zone "com" we will believe that we are
authoritative for the "com" domain and never forward any requests
that we can not answer out to the real "com" domain servers. The same
would be true if you named it "microsoft.com", you would never use
your forwarder to resolve requests from the real "microsoft.com"
servers. "

So, assuming I'm re-installing the DNS the above statement confuses
me. I've registered the domain name lets say "Cars.com" and have used
that as the premise for establishing my DNS and webserver. My FQDN is
w2k.ajm1.Cars.com which I think is incorrect I think it should have
been something shorter but If I recall I ran into problems and that
worked. Does anyone have a suggestion for a FQDN? , maybe
w2k.Cars.com?

Thanks for any help you can give.

AJM,

I take it that cars.com is your public name and ajm1.cars.com is your AD
internal name?
Do not make any NS or SOA changes in the ajm1.cars.com zone; Active Directory
will create that zone for you.

Now, are you planning to make this DNS server authoritative for the cars.com
name on the internet?
Read the following very carefully if you want your DNS to work as you plan.

You can create NS records in the cars.com zone for any name you wish,
usually you would use ns1.cars.com then create a host for ns1 and give it
the public IP, that is your glue record. Register that name and IP with your
registrar as a name server, that is your glue record at the .com gTLD
servers.
You will need two NS records minimum. On the SOA page of your cars.com zone,
in the primary server field, put in "ns1.cars.com" and set the responsible
person's email as "username.cars.com"; do not use the @ symbol there.

Create a record named mail with the public IP of your mail server in the
cars.com zone.
For your MX records put it in the cars.com forward lookup zone leave the
"host or domain" field blank then in the mail server field put in
"mail.cars.com"

For your www record create a host named "www" and give it the public address
of your web server.

Now that I have said all that, be aware that if your mail and web server are
hosted locally you must put the public cars.com zone on another server, not
this one. Because this server is your internal DNS server and all internal
machines on your LAN must use this one. You will NOT be able to access your
internal servers by the public addresses. You need to put an internal zone
for cars.com on your internal DNS with the records named as you did in the
public zone but give the records in the internal zone private IP addresses.
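The record set Kevin lays out for the public cars.com zone (two NS records with glue hosts, an SOA primary that is one of the NS names, a responsible-person name without "@", an MX that points at an A record rather than a CNAME, and no private addresses in the public zone) can be checked mechanically. This is an added example, not code from the thread or from the Windows DNS snap-in; the zone text, the simplified "name type value" record format and the 203.0.113.x addresses are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zones in a simplified "name type value" format.  Names
# are relative to the zone apex unless they end with a dot; "@" is the apex.
PUBLIC_ZONE_TEXT = """
@     SOA   ns1.cars.com. hostmaster.cars.com.
@     NS    ns1.cars.com.
@     NS    ns2.cars.com.
@     MX    10 mail.cars.com.
ns1   A     203.0.113.10
ns2   A     203.0.113.11
mail  A     203.0.113.25
www   A     203.0.113.80
"""

# The same zone with the mistakes the thread warns about.
BAD_ZONE_TEXT = """
@     SOA   ns1.cars.com. hostmaster@cars.com.
@     NS    ns1.cars.com.
@     MX    10 mail.cars.com.
ns1   A     203.0.113.10
mail  CNAME www.cars.com.
www   A     192.168.1.100
"""

# RFC 1918 ranges, i.e. the "private addresses" of the thread.  Checked
# explicitly rather than via ipaddress.is_private, which also flags the
# documentation ranges used for the sample public addresses above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_zone(text, origin):
    """Parse the simplified record lines into {fqdn: [(type, value), ...]}."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, rtype, value = parts
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}"
        records[fqdn].append((rtype.upper(), value.strip()))
    return records


def rrs(records, name, rtype):
    """All values of one record type at one name."""
    return [v for t, v in records.get(name, []) if t == rtype]


def lint_public_zone(text, origin="cars.com."):
    """Return a list of findings; an empty list means the zone passes."""
    rec = parse_zone(text, origin)
    findings = []

    ns = rrs(rec, origin, "NS")
    if len(ns) < 2:
        findings.append(f"only {len(ns)} NS record(s) at {origin}; two is the minimum")
    for target in ns:
        # An in-zone name server needs a host (glue) record with its public IP.
        if target.endswith(origin) and not rrs(rec, target, "A"):
            findings.append(f"NS {target} has no A record (missing glue host)")

    soa = rrs(rec, origin, "SOA")
    if soa:
        mname, rname = soa[0].split()[:2]
        if mname not in ns:
            findings.append(f"SOA primary server {mname} is not listed as an NS")
        if "@" in rname:
            findings.append(f"SOA responsible person {rname} contains '@'; use the user.domain form")

    for mx in rrs(rec, origin, "MX"):
        target = mx.split()[-1]
        if rrs(rec, target, "CNAME"):
            findings.append(f"MX target {target} is a CNAME; mail servers expect an A record")
        elif not rrs(rec, target, "A"):
            findings.append(f"MX target {target} has no A record")

    for name, rrset in rec.items():
        for rtype, value in rrset:
            if rtype == "A" and is_rfc1918(value):
                findings.append(f"{name} A {value} is a private address in a public zone")
    return findings


if __name__ == "__main__":
    for label, zone in (("good", PUBLIC_ZONE_TEXT), ("bad", BAD_ZONE_TEXT)):
        print(label, lint_public_zone(zone) or "OK")
```

The private-address check is the one that matters most here: a public zone is served to the whole internet, so a 192.168.x.x record in it is at best useless and at worst, as the rest of the thread explains, gets cached by remote resolvers for the full TTL.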
 

Guest

Kevin, thanks for the reply and useful information. I have a couple of follow up questions if you don't mind, I'm sure that happens a lot...

"I take it that cars.com is your public name and ajm1.cars.com is your AD internal name?

yes, you are correct. I would make a change to my internal name if that would be the preferred naming convention? Should my internal name be consistent and also be cars.com?

"Now, are you planning to make this DNS server authoritative for the cars.com name on the internet?

yes, I currently host my own website. Not very well though... but I'm trying to learn

"Create a record named mail with the public IP of your mail server in the cars.com zone.

Is that just an A record? so that mail coming in finds an IP address

"if your mail and web server are hosted locally you must put the public cars.com zone on another server, not
this one."

Is this for security reasons

"You will NOT be able to access your internal servers by the public addresses. You need to put an internal zone
for cars.com on your internal DNS with the records named as you did in the public zone but give the records in
the internal zone private IP addresses."

I forgot to mention that I am behind a Linksys router using NAT to a private IP for my server. I am currently running all from
a single server and am able to access my server also from my LAN, so I'm a little confused by this statement.

Does the structure in my DNS that I provided appear to be the norm?

Sorry for so many questions but I'm trying to learn and just need a little guidance, maybe a lot of guidance...

Thanks again

AJM
 

Kevin D. Goodknecht [MVP]

In
Adam Marx said:
Kevin, thanks for the reply and useful information. I have a couple
of follow up questions if you don't mind, I'm sure that happens
a lot...

"I take it that cars.com is your public name and ajm1.cars.com is
your AD internal name?"

yes, you are correct. I would make a change to my internal name if
that would be the preferred naming convention? Should my internal
name be consistent and also be cars.com?

No, especially if you want to host your authoritative DNS locally
"Now, are you planning to make this DNS server authoritative for the
cars.com name on the internet?"

yes, I currently host my own website. Not very well though... but I'm
trying to learn.

"Create a record named mail with the public IP of your mail server in
the cars.com zone."

Is that just an A record? so that mail coming in finds an IP address?
Yes, make it an A record, not an alias (CNAME). Mail servers have to look these
records up, and if you use a CNAME it has to do a lookup on the CNAME.
"if your mail and web server are hosted locally you must put the
public cars.com zone on another server, not
this one."

Is this for security reasons?
No, this is because you are behind NAT and you must access your servers by
their local address not the public address.
But people on the internet must access your servers by their public
addresses. You cannot put these records in the same zone. If you do your
local access will be inconsistent as will public access. Plus, your email
will not be routed to your mail server because of the private address in the
zone.
"You will NOT be able to access your internal servers by the public
addresses. You need to put an internal zone
for cars.com on your internal DNS with the records named as you did
in the public zone but give the records in
the internal zone private IP addresses."

I forgot to mention that I am behind a Linksys router using Nat to a
private IP for my server. I am currently running all from
a single server and am able to access my server also from my LAN, so
I'm a little confused by this statement.

OK lets stop and think about it, you know you cannot access your servers by
the public address because of NAT, right?
So you need records pointing to your local address so you can access them.
So how are you going to stop DNS from publishing the records with the
private addresses to the internet where they will do no good?
One way, put your public DNS on a different machine and NAT incoming DNS
request to it.
Then point all your internal machines to the DNS server you are using now
because it has your AD domain records on it and the zone for cars.com that
has the private records in it.
 

Adam Marx

"No, especially if you want to host your authoritative DNS locally"

Got it, any requests from the web will be forwarded to my DNS server where
it is "authoritative" for the domain. In other words "The Buck Stops here".

"Yes make it an A record not an alias (CNAME) mail servers have to look
these records up and if you use a CNAME it has to do a lookup on the CNAME"

Do they use the IP or the domain name?

"No this is because you are behind NAT and you must access your servers by
their local address not the public address.
But people on the internet must access your servers by their public
addresses. You cannot put these records in the same zone. If you do your
local access will be inconsistent as will public access. Plus, your email
will not be routed to your mail server because of the private address in the
zone."

I'm still having some issues with this one. This is my logic, If someone is
looking for the website cars.com (roughly) it hits the DNS servers where the
domain name is registered which has a public IP. It then forwards to my
router again on a public IP which port forwards from a public IP to a
private IP 192.168.1.100. The DNS server finds the Domain name cars.com and
replies. Doesn't my server then have a private IP and not a public IP?


"OK lets stop and think about it, you know you cannot access your servers by
the public address because of NAT, right?
So you need records pointing to your local address so you can access them."

Agree

"So how are you going to stop DNS from publishing the records with the
private addresses to the internet where they will do no good?"

If I'm authoritative for the domain cars.com why does it have to publish to
a server on the web?


I hope "D4 Dad" means that you're patient and understanding....


Thanks.
 

Kevin D. Goodknecht [MVP]

In
Adam Marx said:
"Yes make it an A record not an alias (CNAME) mail servers have to
look these records up and if you use a CNAME it has to do a lookup on
the CNAME"

Do they use the IP or the domain name?

They use the IP, but MX records cannot point to an IP address, they must
point to a FQDN that resolves to the public IP address that I need to
connect to your mail server.
If I ask for your MX record and it gives my mail server a CNAME, then my
mail server gets "mad" because it has to go resolve another name instead of
just getting an IP address that it can connect to.
"No this is because you are behind NAT and you must access your
servers by their local address not the public address.
But people on the internet must access your servers by their public
addresses. You cannot put these records in the same zone. If you do
your local access will be inconsistent as will public access. Plus,
your email will not be routed to your mail server because of the
private address in the zone."

I'm still having some issues with this one. This is my logic, If
someone is looking for the website cars.com (roughly) it hits the DNS
servers where the domain name is registered which has a public IP.

No, DNS does not forward me, it gives me an IP address for the record I am
looking for, that is all, no more, no less.

It
then forwards to my router again on a public IP which port forwards
from a public IP to a private IP 192.168.1.100. The DNS server finds
the Domain name cars.com and replies. Doesn't my server then have a
private IP and not a public IP?

For me to find your DNS server I need to know its public address, that would
be the address on the public side of your router. All I can see is the
public address, it is up to your router to translate my connection to port
53 of the public IP to port 53 of the IP of your DNS server, but to me I
cannot tell if it is behind NAT or not, all I can see is the public address.
"OK lets stop and think about it, you know you cannot access your
servers by the public address because of NAT, right?
So you need records pointing to your local address so you can access
them."

Agree

"So how are you going to stop DNS from publishing the records with the
private addresses to the internet where they will do no good?"

If I'm authoritative for the domain cars.com why does it have to
publish to a server on the web?

When you ask DNS for the IP address for www.cars.com and if it has two
records in it named www but one has a private address and one has a public
address it will rotate handing out these IP addresses (round robin) first
one then the other. If it gives me the private address I will get an error,
the worst part is, that record is then cached in my machine's DNS cache and
in the DNS server that my machine is pointing to for DNS. It will stay there
until TTL runs out on the record, also it is in the DNS server's cache that
I am using.

Here is how it all works, say I type www.cars.com in my browser, the query
first goes to the root DNS servers, the root servers send me to the .com DNS
servers, the .com DNS servers send me to ns1.cars.com, which is your DNS
server, then I ask your DNS server for the IP of the www record in the
cars.com Forward Lookup Zone, that record must give me the public IP address
for www.cars.com. If it gives me the private IP for your web site then I
cannot access your web site because I cannot get to your web site by its
private IP.

Just the opposite goes for you, if you type in www.cars.com and your DNS
server gives you the public IP you will not be able access your own web site
because you need the private IP to access your web site.
I hope "D4 Dad" means that you're patient and understanding....
I have six kids, the youngest is 12, the oldest is 25, do you think I might
need some patience?
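Kevin's two explanations above (round robin over a mixed www record that gets cached for the TTL, and the reason people on the LAN need the private address while people on the internet need the public one) can be played through with a small simulation. This is an added example, not code from the thread; the toy server, the client cache, the time values and the 203.0.113.80 / 198.51.100.7 addresses are constructed, and "can reach" simply models a NAT router that does not hairpin, which is the situation the thread describes.

```python
import ipaddress
import itertools

# RFC 1918 ranges, i.e. the "private addresses" of the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class ZoneServer:
    """Toy authoritative server for one zone.  Several A records under the same
    name are handed out in turn (round robin), as Kevin describes."""

    def __init__(self, a_records, ttl):
        self.ttl = ttl
        self._rotation = {name: itertools.cycle(ips) for name, ips in a_records.items()}

    def answer(self, name):
        return next(self._rotation[name])


class CachingClient:
    """A client (or the recursive resolver it uses) that caches each answer
    until the record's TTL runs out."""

    def __init__(self, server, client_ip):
        self.server = server
        self.client_ip = client_ip
        self._cache = {}  # name -> (ip, expires_at)

    def resolve(self, name, now):
        hit = self._cache.get(name)
        if hit and now < hit[1]:
            return hit[0]  # served from cache, whatever it holds
        ip = self.server.answer(name)
        self._cache[name] = (ip, now + self.server.ttl)
        return ip

    def can_reach(self, ip):
        # Without hairpin NAT, a LAN host reaches the server only by its private
        # address and an internet host only by its public one.
        return is_rfc1918(ip) == is_rfc1918(self.client_ip)


def simulate_mixed_zone():
    """The setup Kevin warns against: one cars.com zone holding both the private
    and the public address under the same www name.  Returns (time, ip, reachable)."""
    server = ZoneServer({"www.cars.com.": ["192.168.1.100", "203.0.113.80"]}, ttl=3600)
    remote = CachingClient(server, client_ip="198.51.100.7")  # someone on the internet
    timeline = []
    for now in (0, 60, 3000, 3700):
        ip = remote.resolve("www.cars.com.", now)
        timeline.append((now, ip, remote.can_reach(ip)))
    return timeline


# The fix Kevin describes: two zones with the same name, one internal (on the
# AD DNS server, private addresses) and one public (on another server).
VIEWS = {
    "internal": ZoneServer({"www.cars.com.": ["192.168.1.100"]}, ttl=3600),
    "external": ZoneServer({"www.cars.com.": ["203.0.113.80"]}, ttl=3600),
}


def split_horizon_answer(client_ip, name, views=VIEWS):
    """Pick the zone by who is asking: LAN clients are pointed at the internal
    DNS, everyone else reaches the public one through the router's NAT."""
    view = views["internal"] if is_rfc1918(client_ip) else views["external"]
    return view.answer(name)


if __name__ == "__main__":
    for now, ip, ok in simulate_mixed_zone():
        print(f"t={now:5d}s  www.cars.com -> {ip:15s}  reachable from internet: {ok}")
    print("LAN client gets", split_horizon_answer("192.168.1.50", "www.cars.com."))
    print("internet client gets", split_horizon_answer("198.51.100.7", "www.cars.com."))
```

The timeline shows the failure mode in the post: the remote client draws the private address on its first query, the answer sits in its cache for the whole hour of TTL, and nothing the zone owner does in the meantime reaches that client. With two zones there is no mixed record set to leak in the first place.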
 

Guest

Any ideas why the Netdiag /fix returns an error: "[FATAL] Failed to get system information of this machine."

I added the mail "A" record and that fixed my mail issue. Thanks for that

"When you ask DNS for the IP address for www.cars.com and if it has two
records in it named www but one has a private address and one has a public
address it will rotate handing out these IP addresses (round robin) first
one then the other."

I currently do only have 1 www record with a public IP in the domain cars.com. So, I'm with you so far

"Just the opposite goes for you, if you type in www.cars.com and your DNS
server gives you the public IP you will not be able access your own web site
because you need the private IP to access your web site."

Does this mean that currently how I have the DNS setup that anytime my computer is trying to reach cars.com that it is going out to the web and resolving instead of directly going to the WebServer? Is that also the reason for the DNS looking like it does? Is it considering "ajm1.cars.com" as internal and "cars.com" external?

W2K
Forward lookup Zones
Reverse Lookup Zones

"I have six kids, the youngest is 12, the oldest is 25, do you think I might need some patience?"

You have certainly passed that test..

AJM
 

Kevin D. Goodknecht [MVP]

In
ampapa said:
Any ideas why the Netdiag /fix returns an error: "[FATAL] Failed to
get system information of this machine."?

I checked the KB on this and I found
SYMPTOMS
When you run the Netdiag tool, you receive the following error message:

[Fatal] Failed to get system information of this machine
CAUSE
This issue occurs because Netdiag depends on the Remote Registry service to
function properly. If the Remote Registry Service is stopped, Netdiag cannot
run.
RESOLUTION
To resolve this issue, start the Computer Management console, click
Services, and then start the Remote Registry service.
STATUS
This behavior is by design.
I added the mail "A" record and that fixed my mail issue. Thanks for
that.

"When you ask DNS for the IP address for www.cars.com and if it has
two
records in it named www but one has a private address and one has a
public
address it will rotate handing out these IP addresses (round robin)
first
one then the other."

I currently do only have 1 www record with a public IP in the domain
cars.com. So, I'm with you so far.

"Just the opposite goes for you, if you type in www.cars.com and your
DNS
server gives you the public IP you will not be able access your own
web site
because you need the private IP to access your web site."

Does this mean that currently how I have the DNS setup that anytime
my computer is trying to reach cars.com that it is going out to the
web and resolving instead of directly going to the WebServer? Is that
also the reason for the DNS looking like it does? Is it considering
"ajm1.cars.com" as internal and "cars.com" external?

Pretty much so, I guess you've already found that you cannot connect to your
web site locally with the public address.

If you do not have another machine to install DNS on, you will need to
access them by a name that will resolve to a private address. I can only
suggest that you use the machine records that are in the internal zone
ajm1.cars.com; these records will have private addresses anyway. The only
problem will be the website address if your web site is using host headers.
Add a host header that has the private address that the web server is
listening on, such as www.ajm1.cars.com. You will have to add the www record
with the private webserver address to the ajm1.cars.com zone.
 

Guest

Thanks for all your help Kevin

Have a Happy Thanksgiving and I hope you get to enjoy it with all your family

Adam J. Marx
 

Guest

Kevin, 1 last question. How can I verify that indeed my computer is resolving cars.com on the web and not locally?
Does this mean that currently how I have the DNS setup that anytime
my computer is trying to reach cars.com that it is going out to the
web and resolving instead of directly going to the WebServer?

p.s. you were correct on the netdiag /fix problem
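One way to answer the last question from the workstation itself is to run `nslookup www.cars.com` against the internal DNS server and read the reply: the local server only prints "Non-authoritative answer:" when it does not hold a zone for the name and had to fetch the answer from outside (or serve it from its cache), while an answer from its own cars.com or ajm1.cars.com zone comes back authoritative, and as Kevin explains, an internal zone answers with a private address. The parser below is an added example, not part of the thread; the two nslookup transcripts are constructed to look like Windows nslookup output, and the 203.0.113.80 address is a made-up public address.

```python
import ipaddress

# RFC 1918 ranges, i.e. the "private addresses" of the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed transcript: the internal DC answers, but the "Non-authoritative"
# marker shows it had no zone for cars.com and fetched the public record.
SAMPLE_FORWARDED = """\
Server:  w2k.ajm1.cars.com
Address:  192.168.1.100

Non-authoritative answer:
Name:    www.cars.com
Address:  203.0.113.80
"""

# Constructed transcript: the same server answering from a local cars.com
# zone that carries the private address of the web server.
SAMPLE_LOCAL_ZONE = """\
Server:  w2k.ajm1.cars.com
Address:  192.168.1.100

Name:    www.cars.com
Address:  192.168.1.100
"""


def parse_nslookup(text):
    """Pull the responding server, the queried name, the returned addresses and
    the authoritative flag out of Windows-style nslookup output."""
    info = {"server": None, "server_ip": None, "name": None,
            "addresses": [], "authoritative": True}
    in_answer = False  # "Address:" lines before "Name:" belong to the server block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            info["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Non-authoritative answer"):
            info["authoritative"] = False
        elif line.startswith("Name:"):
            info["name"] = line.split(":", 1)[1].strip()
            in_answer = True
        elif line.startswith("Address"):  # "Address:" or "Addresses:"
            value = line.split(":", 1)[1].strip()
            if in_answer:
                info["addresses"].extend(a.strip() for a in value.split(",") if a.strip())
            else:
                info["server_ip"] = value
    return info


def where_resolved(info):
    """Classify where the answer came from, using only what nslookup printed."""
    if not info["authoritative"]:
        return "forwarded"            # no local zone: the query went out to the public servers
    if any(is_rfc1918(a) for a in info["addresses"]):
        return "local-zone-private"   # answered from an internal zone with a LAN address
    return "local-zone-public"        # a local zone, but holding the public address


if __name__ == "__main__":
    for label, sample in (("forwarded", SAMPLE_FORWARDED), ("local zone", SAMPLE_LOCAL_ZONE)):
        info = parse_nslookup(sample)
        print(f"{label}: server={info['server']} answers={info['addresses']} -> {where_resolved(info)}")
```

If the result is "forwarded", the workstation is resolving cars.com on the web, exactly the situation asked about, and the fix is the internal zone (or the www.ajm1.cars.com host record) that Kevin suggested earlier in the thread.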
 