DNS registration for PDC only correct on some DNS servers?

Kim Noer

Hi there...

Running netdiag I get this warning:


DNS test . . . . . . . . . . . . . : Passed
[WARNING]: The DNS registration for 'server.domain' is correct only on some
DNS servers.
Please wait 15 min for replication and run the test again.
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.200'.

It confuses me slightly since there is only one DNS server in the domain,
and it's running on the PDC (server.domain). Could this warning be related
to external NS servers I've configured? With external I mean NS servers that
look up on internet.

I've configured those to NS servers under "forward lookup zones"->domain as
NS.

Presumably that's not a correct setup? If so, then how do I correctly set up
external NS servers, whose sole purpose is to look up domains on the internet
(default route)?

PS. server.domain is not the real name.
 
Steve Duff [MVP]

If you want to query external name servers for public names, you normally name their IP addresses as forwarders in the DNS server's
properties dialog.

I'm not quite sure what you're saying about putting NS entries under forward lookup zones. In Server 2003 you can name "conditional
forwarders" for specific domains that are different than the global forwarders. You are certainly free to add public zones to your
own DNS - I don't think it will do what you might expect, but as long as these zone names don't conflict with your internal AD
domain it shouldn't cause any problem there.

Are you sure you're not naming other, outside-the-domain DNS servers in the server's own DNS IP configuration? That would be the
most obvious reason for the error you're seeing, and can open the door to significant network problems.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 
Ace Fekay [MVP]

Kim Noer said:
> PS. server.domain is not the real name.

You may be hiding the real name, which is no problem, but is it actually in
that form (single label DNS domain name), or is it in the legit form of
server.domain.com (not a single label name)?

If not, then you've got a single label name and that may be the cause of the
whole thing, among other possible problems. Read this please:

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684

Follow Steve's recommendations for Forwarders for efficient Internet
resolution.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Kim Noer

> If you want to query external name servers for public names, you
> normally name their IP addresses as forwarders in the DNS server's
> properties dialog.

I've already configured that, but I also (let's say accidentally) configured
the external NS in the forward lookup zone. Presumably that's why my DNS
tries to update the external NS (combined with that I don't currently
restrict the zone transfer in any way)?

Can I see what forwarders are in use with nslookup?

> I'm not quite sure what you're saying about putting NS entries under
> forward lookup zones. In Server 2003 you can name "conditional

With NS entries under the forward lookup zones I meant the same as "ls -t NS
domain.domain" in nslookup.

> Are you sure you're not naming other, outside-the-domain DNS servers
> in the server's own DNS IP configuration? That would be the most
> obvious reason for the error you're seeing, and can open the door to
> significant network problems.

Yes, fortunately I was clever enough to avoid that :).
 
Steve Duff [MVP]

You are right that you should not normally be naming outside name servers in your inside domain zone's NS set -- unless these
servers answer directly for the zone. These servers are (I will assume) not authoritative for the zone, so you have to take those NS
RRs out of the zone to achieve a correct DNS configuration.

Now if the purpose of that was to permit secondary zone transfers to those servers, you can configure those specific server IPs in
the primary zone's properties dialog - you don't have to implicitly name allowed transfer servers via NS records. OTOH if these
really ARE functioning secondaries for the zone then naming them with NS records should be fine. But in that case an nslookup should
show you all of the AD registrations on the secondary replica and you wouldn't be getting the netstat error you are seeing. I
suppose this all means I need to know a little more about the situation.

nslookup has its own independent lookup logic (that is what makes it useful for debugging dns problems). So it does not show your
configured forwarders. But that is easy enough to check in the properties dialog for the DNS root in the mmc console. In most cases
you can just disable forwarders completely and use the supplied root hints to resolve public names.

Best wishes

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
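
Added example, not part of any post in this thread: one way to check whether each server named in a zone's NS set actually answers authoritatively for it, which is the condition described in the reply above. The function names, the query ID and the sample response headers are constructed for illustration; `check_ns` needs network access, while the samples run offline.

```python
import socket
import struct

TXID = 0x1234  # arbitrary query ID used by this example

def build_soa_query(zone):
    """Non-recursive (RD=0) SOA query, so the server must answer from its own data."""
    header = struct.pack("!HHHHHH", TXID, 0x0000, 1, 0, 0, 0)
    labels = zone.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(packet):
    """'authoritative' if AA is set with a NOERROR answer, else 'lame' or 'invalid'."""
    if len(packet) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != TXID or not flags & 0x8000:      # wrong ID or not a response (QR=0)
        return "invalid"
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    return "authoritative" if aa and rcode == 0 and ancount > 0 else "lame"

def check_ns(server_ip, zone, timeout=3.0):
    """Live check of one server listed in the zone's NS set (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(zone), (server_ip, 53))
            data, _ = s.recvfrom(512)
        except OSError:                        # timeout, unreachable, ...
            return "unreachable"
    return classify_response(data)

# Constructed response headers (not captured traffic): ID, flags, QD, AN, NS, AR
SAMPLE_AUTH = struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0)       # AA=1, NOERROR
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8005, 1, 0, 0, 0)    # REFUSED
SAMPLE_REFERRAL = struct.pack("!HHHHHH", TXID, 0x8000, 1, 0, 13, 0)  # referral, AA=0

if __name__ == "__main__":
    for name, pkt in [("internal DC", SAMPLE_AUTH), ("external, refuses", SAMPLE_REFUSED),
                      ("external, refers", SAMPLE_REFERRAL)]:
        print(f"{name:18} {classify_response(pkt)}")
```

Any NS entry whose server comes back as anything other than `authoritative` for the zone is a candidate for removal from the zone's NS set.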
 
Kim Noer

Steve Duff said:
> You are right that you should not normally be naming outside name
> servers in your inside domain zone's NS set -- unless these servers
> answer directly for the zone. These servers are (I will assume) not
> authoritative for the zone, so you have to take those NS RRs out of
> the zone to achieve a correct DNS configuration.

Which did the trick - the server passes the DNS test as well, which is nice
indeed.

> nslookup has its own independent lookup logic (that is what makes it
> useful for debugging dns problems). So it does not show your
> configured forwarders. But that is easy enough to check in the
> properties dialog for the DNS root in the mmc console. In most cases
> you can just disable forwarders completely and use the supplied root
> hints to resolve public names.

Which I tried out, and it worked as you predicted, so now I have a
nicer-than-before DNS setup. Thanks a bundle for your help.
 
