DNS - A Record Disappears while AAAA Record for Host is registered

Hi,
I have a strange issue.  Recently we have noticed dynamically registered IPv4 addresses disappearing from our internal Windows DNS forward lookup zones.
I don't run our very large DNS environment, so unfortunately, I can't examine the configuration.  The problem seems to be tied to Windows servers with IPv6 enabled (Windows 2008 and Windows 2008 R2 servers).
In our Windows server configuration, we allow the check mark for "Allow this connection to be registered in DNS" to be selected in the TCP/IP settings of the production IP address for the server.
Periodically, we have noticed that the IPv4 A records disappear from DNS while the AAAA IPv6 address for the server remains intact.
I have been troubleshooting this problem from the server side (DNS client side).  It appears that if I disable 6TO4 IPv6 addresses from the server and then restart the server, the problem goes away (IPv4 address comes back in DNS after the reboot). 
To disable IPv6 transition technologies, we implement DisabledComponents = 1.
Although this workaround seems to solve all of our problems, I don't understand why the IPv4 address gets removed in the first place. I suspect a misconfiguration on the DNS server.
More information:
Overall IPv6 Problem: By default, the 6to4 tunneling protocol is enabled in Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 when an interface is assigned a public IPv4 address (that is, an IPv4 address that is not in the ranges 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). 6to4 will automatically assign an IPv6 address to the 6to4 tunneling interface for each such address that is assigned, and 6to4 will dynamically register these IPv6 addresses on the assigned DNS server. If this behavior is not desired, we recommend disabling IPv6 tunnel interfaces on the affected hosts. In the company network, it also appears that IPv6 registration sometimes causes IPv4 A records to be removed in DNS. Microsoft has informed us that this http://support.microsoft.com/kb/2782438 might be the reason for the behavior. But I am still pressing to root cause because we are not using DHCP in our server vlans.
Using the options to disable IPv6 described in article 929852 is fully supported by Microsoft: Microsoft Answer: "Disabling IPv6 is not recommended but it's completely supported, but you might have to enable it back in future if you are going to implement new technologies like DirectAccess etc, which needs IPv6."
Microsoft recommends that we use DisabledComponents = 1 for all Windows 2008 and Windows 2008 R2 servers that are problematic: This will disable IPv6 transition technologies and Servers will not get IPv6 address.
It has also been asked that instead of disabling IPv6 on all of our Windows servers can we just disable IPv6 on the DNS servers: Microsoft Answer: disabling IPv6 only on DNS Servers will not help, as it will not stop clients from registering their IPv6 address.
Disabling IPv6 will impact applications that require IPv6. The known application services are: HomeGroup and DirectAccess -- we do not believe our company is currently using these technologies.
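An added example, not part of the original post: a zone audit for the symptom described above, listing hosts that have a 6to4 AAAA record (2002::/16) but no matching A record, and recovering the IPv4 address embedded in the 6to4 prefix. The host names, addresses and the `(name, type, data)` export format are constructed for illustration.

```python
import ipaddress

# IPv4 ranges the post lists as NOT triggering automatic 6to4 configuration.
NON_6TO4_V4 = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def triggers_6to4(ipv4):
    """True if an interface with this IPv4 address would get a 6to4 address."""
    addr = ipaddress.IPv4Address(ipv4)
    return not any(addr in net for net in NON_6TO4_V4)


def sixtofour_prefix(ipv4):
    """The 2002:WWXX:YYZZ::/48 prefix that 6to4 derives from an IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def audit_zone(records):
    """Return (host, embedded_ipv4, status) for every 6to4 AAAA record whose
    embedded IPv4 address is not also published as an A record for that host."""
    a_by_host, embedded_by_host = {}, {}
    for name, rtype, data in records:
        host = name.lower().rstrip(".")
        if rtype == "A":
            a_by_host.setdefault(host, set()).add(ipaddress.IPv4Address(data))
        elif rtype == "AAAA":
            # .sixtofour is None unless the address is inside 2002::/16
            embedded = ipaddress.IPv6Address(data).sixtofour
            if embedded is not None:
                embedded_by_host.setdefault(host, set()).add(embedded)

    findings = []
    for host in sorted(embedded_by_host):
        for v4 in sorted(embedded_by_host[host]):
            if v4 in a_by_host.get(host, set()):
                continue  # A and 6to4 AAAA agree, nothing to report
            status = ("A record missing" if host not in a_by_host
                      else "A record points elsewhere")
            findings.append((host, str(v4), status))
    return findings


# Constructed sample export (documentation address ranges, placeholder names).
SAMPLE_ZONE = [
    ("srv-app1.corp.example.", "A",    "192.0.2.10"),
    ("srv-app1.corp.example.", "AAAA", "2002:c000:20a::c000:20a"),
    ("srv-app2.corp.example.", "AAAA", "2002:c633:6414::c633:6414"),  # A is gone
    ("srv-web1.corp.example.", "A",    "192.0.2.99"),
    ("srv-web1.corp.example.", "AAAA", "2002:c000:232::c000:232"),
    ("srv-db1.corp.example.",  "A",    "10.1.2.3"),
    ("srv-db1.corp.example.",  "AAAA", "fd00::1"),                    # not 6to4
]

if __name__ == "__main__":
    for host, v4, status in audit_zone(SAMPLE_ZONE):
        print(f"{host}: 6to4 AAAA embeds {v4}, {status}")
    print(sixtofour_prefix("192.0.2.10"), triggers_6to4("10.1.2.3"))
```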

Disappearing DNS records may point to duplicate AD zones, so the first thing to do is to eliminate any duplicate AD zones.
Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
Additional reading:
DNS Records Disappearing and DNS Auditing
http://msmvps.com/blogs/acefekay/archive/2010/12/09/dns-records-disappearing-and-dns-auditing.aspx
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.

Similar Messages

  • DNS: A record for domain?

    Trying to configure BIND in Snow Leopard Server so I can migrate current DNS to an XServe. My goal is to be able to use Server Admin for as much as possible, but I know this won't be entirely possible in my setup (wildcards, bizarre reverse delegation limit my options here). I've used generic names here on purpose, but yes, I do know what I am doing.
    Currently, I'm trying to create an A record for a domain so that users will hit my website whether they enter domain.com or www.domain.com. I have the following entry to my domain in SA:
    +domain.com. Machine 1.2.3.4+
    I verified that this entry was correct in the zone file itself. Indeed, I found the following entry in the appropriate zone file:
    +domain.com. IN A 1.2.3.4+
    However, when I attempt to query the server using dig, I do not get an answer:
    dig a domain.com @server.domain.com
    ; <<>> DiG 9.6.0-APPLE-P2 <<>> a domain.com @server.domain.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16570
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;domain.com. IN A
    ;; AUTHORITY SECTION:
    domain.com. 10800 IN SOA server.domain.com. admin.domain.com. 2010070702 86400 3600 604800 345600
    ;; Query time: 10 msec
    ;; SERVER: 1.2.3.4#53(1.2.3.4)
    ;; WHEN: Fri Jul 9 06:02:13 2010
    ;; MSG SIZE rcvd: 95
    What am I missing here?

    Be aware that this is not a production server yet, and I acknowledge that this isn't fully kosher yet. I am just testing the config to see if it will work.
    Server is 206.123.100.18. Zone is a3dtech.com. Zone file:
    ;GUID=4EAE5E10-15F4-457B-8CAC-D9702FB1E186
    ;selfResolvingHostname=0
    $TTL 10800
    a3dtech.com. IN SOA ns1.a3dauto.com. admin.a3dauto.com. (
    2010070901 ;Serial
    86400 ;Refresh
    3600 ;Retry
    604800 ;Expire
    345600 ;Negative caching TTL
    a3dtech.com. IN NS ns1.a3dauto.com.
    a3dtech.com. IN NS ns2.a3dauto.com.
    * IN A 206.123.100.18
    a3dtech.com. IN A 206.123.100.18
    mail IN CNAME mail.a3dauto.com.
    svn IN CNAME daniel.a3dauto.com.
    a3dtech.com. IN MX 10 mail.a3dauto.com.

  • DNS spf record for Microsoft

    The spf record for Microsoft has a “ ~ALL “.  What does this do and how do we make use of the same for our domain names?
    NSLOOKUP Output for Microsoft.com:
    > server 4.2.2.1
    Default Server:  vnsc-pri.sys.gtei.net
    Address:  4.2.2.1
    > set type=ANY
    > microsoft.com
    Server:  vnsc-pri.sys.gtei.net
    Address:  4.2.2.1
    Non-authoritative answer:
    microsoft.com   text =
            "v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com inc
    lude:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com ~all"
    microsoft.com
            primary name server = dns.cp.msft.net
            responsible mail addr = msnhst.microsoft.com
            serial  = 2007053102
            refresh = 300 (5 mins)
            retry   = 600 (10 mins)
            expire  = 2419200 (28 days)
            default TTL = 3600 (1 hour)
    microsoft.com   MX preference = 10, mail exchanger = maila.microsoft.com
    microsoft.com   MX preference = 10, mail exchanger = mailb.microsoft.com
    microsoft.com   MX preference = 10, mail exchanger = mailc.microsoft.com
    microsoft.com   internet address = 207.46.232.182
    microsoft.com   internet address = 207.46.197.32
    microsoft.com   nameserver = ns4.msft.net
    microsoft.com   nameserver = ns5.msft.net
    microsoft.com   nameserver = ns1.msft.net
    microsoft.com   nameserver = ns2.msft.net
    microsoft.com   nameserver = ns3.msft.net
    ==
    Thanks,

    Mechanisms are prefixed with qualifiers:
    "+" Pass
    "-" Fail
    "~" SoftFail
    "?" Neutral
    Mechanisms are evaluated in order and when none match, the default will be "Neutral".
    If there is no SPF for a domain, the result is "None". If a domain has a temp error during DNS processing, you get the result "TempError" (called "error" in earlier drafts). If some kind of syntax or evaluation error occurs (e.g. the domain specifies an unrecognized mechanism) the result is "PermError" (formerly "unknown").
    Evaluation of an SPF record can return any of these results:
    Pass - The SPF record designates the host to be allowed to send - accept
    Fail - The SPF record has designated the host as NOT being allowed to send - reject
    SoftFail - The SPF record has designated the host as NOT being allowed to send but is in transition - accept but mark
    Neutral - The SPF record specifies explicitly that nothing can be said about validity - accept
    None - The domain does not have an SPF record or the SPF record does not evaluate to a result - accept
    PermError - A permanent error has occurred (e.g. badly formatted SPF record) - unspecified
    TempError - A transient error has occurred - accept or reject
    Marcus @ www.wormy.com
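An added example, not part of the reply above: a small offline SPF evaluator showing how the qualifier on the final `all` mechanism decides the result for a sender that matches nothing else (`~all` gives SoftFail, `-all` gives Fail, no `all` gives Neutral). The `TXT` table and every name in it are constructed placeholders standing in for DNS, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

# Receiver handling per result, as listed in the reply above.
ACTION = {"Pass": "accept", "Fail": "reject", "SoftFail": "accept but mark",
          "Neutral": "accept", "None": "accept", "PermError": "unspecified",
          "TempError": "accept or reject"}

# Real mechanisms this example does not evaluate because they need live DNS.
OUT_OF_SCOPE = {"a", "mx", "ptr", "exists"}

# Constructed TXT records standing in for DNS lookups.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "open.example": "v=spf1 ip4:192.0.2.0/24",
    "typo.example": "v=spf1 ipv4:192.0.2.0/24 -all",   # unrecognized mechanism
}


def parse_terms(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = []
    for part in record.split()[1:]:            # skip the "v=spf1" version tag
        if part[0] in QUALIFIERS:
            qualifier, body = part[0], part[1:]
        else:
            qualifier, body = "+", part        # "+" is implied when omitted
        name, _, arg = body.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def check_host(ip, domain, txt=TXT, depth=0):
    """Evaluate the SPF record of `domain` for the sending address `ip`."""
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "None"
    if depth > 10:                             # guard against include loops
        return "PermError"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_terms(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, arg, txt, depth + 1)
            if inner in ("None", "PermError"):
                return "PermError"
            matched = inner == "Pass"          # any other inner result: no match
        elif name.split("/")[0] in OUT_OF_SCOPE or "=" in name:
            raise NotImplementedError(f"{name!r} is outside this example")
        else:
            return "PermError"                 # unrecognized mechanism
        if matched:
            return QUALIFIERS[qualifier]       # first match wins
    return "Neutral"                           # nothing matched


if __name__ == "__main__":
    for domain in ("example.com", "strict.example", "open.example",
                   "typo.example", "nospf.example"):
        result = check_host("203.0.113.9", domain)
        print(f"{domain:16} {result:10} -> {ACTION[result]}")
```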

  • Creating a DNS Record for a Host with Two or More IP???

    Can we create DNS A Record for a Host with Two or More IPs ... ( we like to use my website  "mysite.com" pointing to two IPs )
    Please help...

    Sure, no worries.
    In a production environment DNS will always query the first record it stores in cache. You need to find a dynamic or NLB way to achieve the automatic failover; otherwise, when you have an outage with the first IP, you need to ask your clients to clear the cache and register to DNS again. This I will not suggest in a production environment: lots of manual effort, and it doesn't sound like a solution in a production environment. I would suggest you explore Windows NLB; it's easy to set and use the OS license.
    Thanks
    Inderjit

  • SRV Record for TC Software(SX20,C20)

    Hi all,
    We tested DNS SRV record for two VCS-Cs that are not clustered.
    MCU works fine with those SRV records, but C20, SX20 do not work.
    Can't TC endpoints receive SRV records?
    VCS:X8.2.1
    MCU5300:4.5(1.45)
    C20,SX20:TC7.2.0
    Best Regards,
    Kotaro

    Hi Patrick,
    Sorry for the late reply.
    I mentioned "MCU works fine with those SRV records, " but actually it didn't work.
    The MCU just received two GKs IP addresses as Alternative Gatekeeper.
    Now we use records below.
    We configure "vcs1.test.local" as an SX20's Gatekeeper.
    But when "vcs1.test.local" fails, the SX20 never registers with "vcs2.test.local".
    =====DNS Records=====
    vcs1.test.local(A) and its Pointer record.
    vcs2.test.local(A) and its Pointer record.
    _h323cs._tcp.test.local
    priority=1
    weight=0
    port=1720
    svr hostname=vcs1.test.local
    _h323cs._tcp.test.local
    priority=10
    weight=0
    port=1720
    svr hostname=vcs2.test.local
    _h323ls._udp.test.local
    priority=1
    weight=0
    port=1719
    svr hostname=vcs1.test.local
    _h323ls._udp.test.local
    priority=10
    weight=0
    port=1719
    svr hostname=vcs2.test.local
    _h323rs._udp.test.local
    priority=1
    weight=0
    port=1719
    svr hostname=vcs1.test.local
    _h323rs._udp.test.local
    priority=10
    weight=0
    port=1719
    svr hostname=vcs2.test.local
    Best Regards,
    Kotaro

  • While running dcdiag /test:dns getting Warning: The AAAA record for this DC was not found

    DCDIAG /test:dns result is pasted here.
    C:\Users\administrator.SUD>dcdiag /test:dns
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = MUM-ADS-01
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\MUM-ADS-01
          Starting test: Connectivity
             ......................... MUM-ADS-01 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\MUM-ADS-01
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... MUM-ADS-01 passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : sud
       Running enterprise tests on : sud.in
          Starting test: DNS
             Test results for domain controllers:
                DC: MUM-ADS-01.sud.in
                Domain: sud.in
                   TEST: Basic (Basc)
                      Warning: The AAAA record for this DC was not found
                   TEST: Forwarders/Root hints (Forw)
                      Error: Root hints list has invalid root hint server:
                      a.root-servers.net. (198.41.0.4)
                      Error: Root hints list has invalid root hint server:
                      b.root-servers.net. (128.9.0.107)
                      Error: Root hints list has invalid root hint server:
                      c.root-servers.net. (192.33.4.12)
                      Error: Root hints list has invalid root hint server:
                      d.root-servers.net. (128.8.10.90)
                      Error: Root hints list has invalid root hint server:
                      e.root-servers.net. (192.203.230.10)
                      Error: Root hints list has invalid root hint server:
                      f.root-servers.net. (192.5.5.241)
                      Error: Root hints list has invalid root hint server:
                      g.root-servers.net. (192.112.36.4)
                      Error: Root hints list has invalid root hint server:
                      h.root-servers.net. (128.63.2.53)
                      Error: Root hints list has invalid root hint server:
                      i.root-servers.net. (192.36.148.17)
                      Error: Root hints list has invalid root hint server:
                      j.root-servers.net. (192.58.128.30)
                      Error: Root hints list has invalid root hint server:
                      k.root-servers.net. (193.0.14.129)
                      Error: Root hints list has invalid root hint server:
                      l.root-servers.net. (198.32.64.12)
                      Error: Root hints list has invalid root hint server:
                      m.root-servers.net. (202.12.27.33)
                   TEST: Delegations (Del)
                      Error: DNS server: sud-ad.sud.in. IP:<Unavailable>
                      [Missing glue A record]
                   TEST: Records registration (RReg)
                      Network Adapter
                      [00000006] Intel(R) PRO/1000 MT Network Connection:
                         Warning:
                         Missing AAAA record at DNS server 10.1.6.132:
                         MUM-ADS-01.sud.in
                         Warning:
                         Missing AAAA record at DNS server 10.1.6.132:
                         gc._msdcs.sud.in
                         Warning:
                         Missing AAAA record at DNS server 10.1.6.133:
                         MUM-ADS-01.sud.in
                         Warning:
                         Missing AAAA record at DNS server 10.1.6.133:
                         gc._msdcs.sud.in
                   Warning: Record Registrations not found in some network adapters
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 128.63.2.53 (h.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 128.63.2.53
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 128.8.10.90
                DNS server: 128.9.0.107 (b.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 128.9.0.107
                DNS server: 192.112.36.4 (g.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 192.112.36.4
                DNS server: 192.203.230.10 (e.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 192.203.230.10
                DNS server: 192.33.4.12 (c.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 192.33.4.12
                DNS server: 192.36.148.17 (i.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 192.36.148.17
                DNS server: 192.5.5.241 (f.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 192.5.5.241
                DNS server: 192.58.128.30 (j.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 192.58.128.30
                DNS server: 193.0.14.129 (k.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 193.0.14.129
                DNS server: 198.32.64.12 (l.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 198.32.64.12
                DNS server: 198.41.0.4 (a.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 198.41.0.4
                DNS server: 202.12.27.33 (m.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
    S server 202.12.27.33
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: sud.in
                   MUM-ADS-01                   PASS WARN FAIL FAIL PASS WARN n/a
             ......................... sud.in failed test DNS

    Hi Meinolf,
    Please find the IP Details as well as DNS test results.
    C:\Users\Administrator.SCI>dcdiag /test:dns
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = MDCDCDNS
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: MDC-Powai\MDCDCDNS
          Starting test: Connectivity
             ......................... MDCDCDNS passed test Connectivity
    Doing primary tests
       Testing server: MDC-Powai\MDCDCDNS
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
     ERROR: NO DNS servers for IPV6 stack was found
             ......................... MDCDCDNS passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : sci
       Running enterprise tests on : sci.com
          Starting test: DNS
             Test results for domain controllers:
                DC: MDCDCDNS.sci.com
                Domain: sci.com
                   TEST: Basic (Basc)
                      Warning: The AAAA record for this DC was not found
                   TEST: Records registration (RReg)
                      Network Adapter
                      [00000009] Microsoft Virtual Network Switch Adapter:
                         Warning:
                         Missing AAAA record at DNS server 10.64.7.32:
                         MDCDCDNS.sci.com
                         Warning:
                         Missing AAAA record at DNS server 10.64.7.32:
                         gc._msdcs.sci.com
                         Warning:
                         Missing AAAA record at DNS server 10.64.7.35:
                         MDCDCDNS.sci.com
                         Warning:
                         Missing AAAA record at DNS server 10.64.7.35:
                         gc._msdcs.sci.com
                         Warning:
                         Missing AAAA record at DNS server 10.20.33.72:
                         MDCDCDNS.sci.com
                         Warning:
                         Missing AAAA record at DNS server 10.20.33.72:
                         gc._msdcs.sci.com
                         Warning:
                         Missing AAAA record at DNS server 10.20.33.71:
                         MDCDCDNS.sci.com
                         Warning:
                         Missing AAAA record at DNS server 10.20.33.71:
                         gc._msdcs.sci.com
                   Warning: Record Registrations not found in some network adapters
                   MDCDCDNS                     PASS WARN PASS PASS PASS WARN n/a
             ......................... sci.com passed test DNS
    C:\Users\Administrator.SCI>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : MDCDCDNS
       Primary Dns Suffix  . . . . . . . : sci.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : sci.com
    Ethernet adapter Local Area Connection 7:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : External Internal Virtual Network
       Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.64.7.32(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.64.7.1
       DNS Servers . . . . . . . . . . . : 10.64.7.32
                                           10.64.7.35
                                           10.20.33.72
                                           10.20.33.71
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Ethernet adapter Local Area Connection 6:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : TEAM : Team #1
       Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Autoconfiguration IPv4 Address. . : 169.254.105.163(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Local Area Connection* 8:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{2D5A4A27-298F-48E5-A376-EA886EF1E
    42A}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{14FA7CD4-8B69-4C86-A58B-056793B7D
    901}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Please check and revert back for any queries..
    Thanks...
    Deva Self-trust is the first secret of success.

  • DNS on Server 2008 R2: DNS A records strangely disappear

    Hello,
    I am experiencing very strange problems with my DNS (Server 2008 R2, AD integrated). Several A records for Windows clients are missing, and even if I register them as static they somehow disappear again. However, the AAAA records are still around (IPv6 is running in default configuration, I haven't touched that at all), but another strange thing here is, most of them are listed as STATIC records.
    At present, the DHCP server is set to NOT register the clients with DNS. DNS accepts only secure updates, scavenging is disabled. (I am somewhat reluctant to disable dynamic updates on the DNS server completely because I think the DCs register and update lots of records dynamically). When I register all missing A records, most affected clients lose it again within an hour or so but some seem to be fine. It seems to me that about 20 % of the clients are affected.
    I have enabled Directory Service Changes auditing, and it's in fact the machine account which appears to be responsible. Clients with A records generate 10 entries (ID 5136) in the DC's security log while the problematic clients generate only the first 5 events. So it appears to me that they can delete the record but not create a new one. All clients are set to register themselves with DNS.
    As far as I remember I had Windows clients with missing A records in the past once in a while but the problem became really serious only about one and half weeks ago.
    Does anyone have an idea of what might be going on here? Can I safely disable DNS dynamic updates without adversely affecting AD/DC functionality? Generally, we don't actually need dynamic updates.
    Cheers, Georg.

    What operating system are the clients?
    I would like to first point out how registration works with static and DHCP, and the differences depending on how DHCP is configured.
    =====================================================
    1. By default, Windows 2000 and newer statically configured machines will
    register their own A record (hostname) and PTR (reverse entry) into DNS.
    2. If set to DHCP, a Windows 2000, 2003 or XP machine, will request DHCP to allow
    the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
    (reverse entry) record.
    3. If Windows 2008/Vista, or newer, the DHCP server always registers and updates client information in DNS.
       Note: "This is a modified configuration supported for DHCP servers
             running Windows Server 2008 and DHCP clients. In this mode,
             the DHCP server always performs updates of the client's FQDN,
             leased IP address information, and both its host (A) and
             pointer (PTR) resource records, regardless of whether the
             client has requested to perform its own updates."
             Quoted from, and more info on this, see:
    http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx
    4. The entity that registers the record in DNS, owns the record.
       Note "With secure dynamic update, only the computers and users you specify
            in an ACL can create or modify dnsNode objects within the zone.
            By default, the ACL gives Create permission to all members of the
            Authenticated User group, the group of all authenticated computers
            and users in an Active Directory forest. This means that any
            authenticated user or computer can create a new object in the zone.
            Also by default, the creator owns the new object and is given full control of it."
            Quoted from, and more info on this:
    http://technet.microsoft.com/en-us/library/cc961412.aspx
    =====================================================
    Therefore, based on that, even if you have DHCP set to not register, and the clients are 2008/Vista and newer, then DHCP is doing it. That explains why you see the system account doing it.
    Now, I think it will actually help you if you configure DHCP to register everything, configure credentials, and add the DHCP server computer object to the DnsUpdateProxy group. Don't add anything else to this group.
    This way DHCP controls everything and it's easier to track AND more importantly, DHCP can update already registered records.
    ====================================================
    In summary:
    DHCP DNS Update summary:
    - Configure DHCP Credentials.
      The credentials only need to be a plain-Jane, non-administrator, user account.
      But give it a really strong password.
    - Set DHCP to update everything, whether the clients can or cannot.
    - Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    - Add the DHCP server(s) computer account to the Active Directory,  Built-In DnsUpdateProxy security group.
      Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group.
      For example, some folks believe that the DNS servers or other DCs not
      running DHCP should be in it.
      They must be removed or it won't work.
      Make sure that NO user accounts are in that group, either.
      (I hope that's crystal clear - you would be surprised how many
      will respond asking if the DHCP credentials should be in this group.)
    - On Windows 2008 R2 or newer, DISABLE Name Protection.
    - If DHCP is co-located on a Windows 2008 R2, Windows 2012, Windows 2012 R2,
     or NEWER DC, you can and must secure the DnsUpdateProxy group by running
     the following command:
      dnscmd /config /OpenAclOnProxyUpdates 0
    - Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
    - Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.
    References:
    This blog covers the following:
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  
    Good summary
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
    Another good Summary:
    Thread: "DNS problem" December 18, 2013
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/37b8b6b3-6cb1-496c-8492-09ded13bab18/dns-problem?forum=winserverNIS
    Another good discussion that Microsoft support concurred with my settings for a poster that called in to Support, which verified my configuration suggestions in my blog are correct:
    DHCP Server Not Registering A Records for Windows Clients
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e4b285d6-5795-4045-83ff-3a3c793b2cfc/
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • #554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##

    Hi,
    This is my first post here. 
    My Exchange server of late is facing a peculiar problem. I get the error message that I have posted below when sending mails to any outside domain. However when I restart the server the mails can be resent to the address without any issue. After a certain time again the issue pops up upon which I am forced to restart the server again. I am running 2007 Exchange on Windows 2003.
    Generating server: name.mydomain.com
    [email protected]
    #554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##
    [email protected]
    #554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##
    Original message headers:
    Received: from name.mydomain.com ([1xx.xxx.xxx.xx5]) by MHDMAILS.mouwasat.com
     ([1xx.xxx.xxx.xx5]) with mapi; Wed, 19 Oct 2011 08:56:29 +0300
    From:  <[email protected]>
    To: <[email protected]>
    CC: "Al Alami,Tareq" <[email protected]>
    Date: Wed, 19 Oct 2011 08:56:27 +0300
    Subject: RE:   
    Thread-Topic:   
    Thread-Index: AcyAQ5tu8z9CvBfdT5+1pcGQkk6x0AIuwczAAAGZjeABQyW5sAADeeJQAAETNDA=
    Message-ID: <[email protected]>
    References: <[email protected]com>
     <[email protected]com>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    acceptlanguage: en-US
    Content-Type: multipart/related;
                boundary="_004_EEC8FA6B3B286A4E90D709FECDF51AA06C0588CA11namedomain_";
                type="multipart/alternative"
    MIME-Version: 1.0

    On Sun, 23 Oct 2011 15:05:15 +0000, Jobin Jacob wrote:
    >Even after removing my domain from the send connector I continue to receive the error. I would like to say I do have a firewall, Cyberoam. However, it was the same configuration till now in the firewall. I did try Mx lookup and found the following.
    >
    >Could there be any other solution to this issue?
    Sure, but it's necessary to ask a lot of questions since none of us
    know how your organization is set up.
    I see you also have "Use the External DNS Lookup settings on the
    transport server" box checked. How have you configured the "External
    DNS Lookups" on the HT server's property page? Is there any good
    reason why you aren't just using your internal DNS servers? If the
    internal DNS servers are configured to resolve (or forward) queries
    for "external" domains then there's no reason to use that checkbox. In
    most cases checking that box is a mistake.
    http://technet.microsoft.com/en-us/library/aa997166(EXCHG.80).aspx
    The behavior you describe (it works for a while and then fails;
    restarting the server returns it to a working state) sure sounds like
    some sort of DNS problem.
    Rich Matheisen
    MCSE+I, Exchange MVP

  • AD DS Config problem (The AAAA record for this DC was not found) Cannot connect to ADUC

    I am trying to figure out what is wrong with my AD DS Config. I ran dcdiag. The results were:
    C:\Users\Administrator>dcdiag /test:dns
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = R210_1_2K12
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\R210_1_2K12
          Starting test: Connectivity
             ......................... R210_1_2K12 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\R210_1_2K12
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... R210_1_2K12 passed test DNS
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : bcas-tbf
       Running enterprise tests on : bcas-tbf.local
          Starting test: DNS
             Test results for domain controllers:
                DC: R210_1_2K12.bcas-tbf.local
                Domain: bcas-tbf.local
                   TEST: Basic (Basc)
                      Warning: The AAAA record for this DC was not found
                   TEST: Records registration (RReg)
                      Network Adapter [00000017] Hyper-V Virtual Ethernet Adapter:
                         Warning:
                         Missing AAAA record at DNS server 172.16.0.202:
                         R210_1_2K12.bcas-tbf.local
                         Warning:
                         Missing AAAA record at DNS server 172.16.0.202:
                         gc._msdcs.bcas-tbf.local
                         Warning:
                         Missing AAAA record at DNS server ::1:
                         R210_1_2K12.bcas-tbf.local
                         Warning:
                         Missing AAAA record at DNS server ::1:
                         gc._msdcs.bcas-tbf.local
                   Warning: Record Registrations not found in some network adapters
                   R210_1_2K12                  PASS WARN PASS PASS PASS WARN n/a
             ......................... bcas-tbf.local passed test DNS
    IPCONFIG info:
    C:\Users\Administrator>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : R210_1_2K12
       Primary Dns Suffix  . . . . . . . : bcas-tbf.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : bcas-tbf.local
    Ethernet adapter vEthernet (Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client
    ) #36 - Virtual Switch):
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-26-B9-7E-81-74
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::bda9:1a28:974a:5fc3%19(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.16.0.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.16.0.1
       DHCPv6 IAID . . . . . . . . . . . : 335554233
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-0A-52-45-00-26-B9-7E-81-75
       DNS Servers . . . . . . . . . . . : ::1
                                           172.16.0.202
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{AE70C63E-0A8A-4461-A789-8E4CD99CEA46}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 11:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:1cf5:1d4f:53ef:ff35(Pref
    erred)
       Link-local IPv6 Address . . . . . : fe80::1cf5:1d4f:53ef:ff35%15(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled
    I'm unsure of what the problem is or what to do next.  Thank You.

    Disable IPv6 according to Paul's blog:
    Disabling IPv6 on Windows 2008
    After disabling, run:
    ipconfig /flushdns
    ipconfig /registerdns
    Restart the netlogon service or reboot.
    For coexistence of IPv4 and IPv6, see:
    Configuring DNS for IPv6/IPv4 Coexistence
    IPv6 for the Windows Administrator: How Name Resolution Works in a Dual IPv4/IPv6 Scenario
    IPv6 for the Windows Administrator: IPv6 Fundamentals
    Hopefully, that fixes your issue. Added some links to read in case you want to.
    If it answered your question, remember to “Mark as Answer”.
    If you found this post helpful, please “Vote as Helpful”.
    Postings are provided “AS IS” with no warranties, and confers no rights.
    Active Directory: Ultimate Reading Collection

  • What are the main steps to be taken care while doing recording for LSMW

    Hi,
    I am facing a problem in LSMW.
    Can anybody suggest what main steps need to be taken care of while doing a recording in LSMW for MM01?
    Thanks,
    naresh

    Hi,
    Recording in LSMW is similar to SHDB.
    In LSMW, after you give the Project, Subproject and Object:
    1) Go to -> Maintain Object Attributes -> double click
    2) Press the Display/Change button at top left to switch to editable mode.
    3) Select radio button -> Batch Input -> Give Recording name, say Z_mm01
    4) Click the Recording Overview button on the right -> Give the TCode which you want to record....
    For the rest, refer to the document link attached.
    Please find the links to various threads on the same.
    Re: LSMW - Using a BAPI
    BAPI, IDOC in LSMW
    Upload the data in LSMW using BAPI
    This one is the most complete document for the same
    http://sapabap.iespana.es/sapabap/manuales/pdf/lsmw.pdf
    http://service.sap.com/lsmw.
    Regards
    Kiran

  • Tables for Defect type and its description while defect recording for a MIC

    Dear Experts,
    Kindly suggest the table names in the system from which we can get the Defect type and its description that we used while performing defect recording for a MIC at the time of results recording for an inspection lot.
    Thanks in advance for your inputs ...
    Best regards ,
    Nitishj

    Hi,
    Check
    QPAC - Inspection catalog codes for selected sets
    QPAM - Inspection catalog selected sets
    QPMK-CODEQUAL- Defect code grp for rejection at MIC level
    Link above table field name with QAVE for UD code & QAMR for Results recording
    Edited by: Lokesh K on Sep 29, 2010 10:43 AM
    Edited by: Lokesh K on Sep 29, 2010 10:45 AM

  • When do I have to update my DNS records for my URLs, such as mail and autodiscover?

    We currently have EX2010, with autodiscover.domain, owa.domain, and outlook.domain records in DNS.  The outlook.domain is used for the CAS array and would not be modified during this.
    We are going to install new EX2013 servers soon.  When we do that, we plan to set all the URLs to be the same as EX2010 (like above).  
    From what I can tell, I do not have to change the DNS records until we actually start to migrate mailboxes.  Would that be correct?  I would rather do some additional testing, and get our load balancers configured correctly, before pointing autodiscover
    and owa at EX2013.  
    Most of the documentation I have seen says change the DNS records at the end of your installation, but that would be if I was ready to migrate mailboxes I would think.
    Thanks for any help or assistance on this.  I have read all of the articles on the Exchange Blog site, but nothing really says make this change immediately.

    Hi DarlonJeel,
    Based on your description, I know you want to upgrade Exchange 2010 to Exchange 2013.
    After you've completed the installation of Exchange 2013, you could update the MX record and the Autodiscover record to the Exchange 2013 CAS Server.
    Don't worry about the users whose mailboxes are located on the Exchange 2010 server. When a user uses OWA or Outlook Anywhere, the Exchange 2013 CAS server will redirect to the Exchange 2010 CAS server automatically.
    Hope it helps,
    Best regards,
    Eric

  • Imovie disappears while recording

    I don't know if anyone else has experienced this. I haven't tried anything to fix it yet. I have a MacBook and when I open iMovie and start recording with my built-in iSight, if I click on another window then use Exposé to view all windows, the iMovie window disappears and the only way to access my recording movie is to click on the icon on dashboard. Anyone experience this?

    Welcome to Discussions, DearOlivejuice
    DearOlivejuice wrote:
    I record videos weekly and this recently started happening. After I finish capturing footage from the iSight and play it back I notice that it cuts and skips through the footage. So even though I was recording for 5 minutes only 4 minutes will be there with random bit cut out. It just skips around.
    I originally thought my macbook was overheating as it only seemed to happen sometimes and shutting it down for awhile would fix it. But it's happening more and more frequently and now skips in about every 10 seconds of footage.
    Any thoughts on things I could try?
    Message was edited by: DearOlivejuice
    Consider the suggestions offered here:
      http://discussions.apple.com/thread.jspa?messageID=13274102#13274102
    I think you need to free up as much hard disk space as possible:
      http://docs.info.apple.com/article.html?path=Mac/10.6/en/8358.html
    I like to keep at least half (no less than one third) of my startup disk free for best OS X and video performance. You can do with less, but, generally, the more space (and RAM) you have, the better things work.
    EZ Jim
    Mac Pro Quad Core (Early 2009) 2.93Ghz Mac OS X (10.6.6); MacBook Pro (13 inch, Mid 2009) 2.26GHz (10.6.6)
    LED Cinema Display; G4 PowerBook 1.67GHz (10.4.11); iBookSE 366MHz (10.3.9); External iSight; iPod4touch4.2.1

  • What are the right DNS records to host more than one site on OSX Server (ML). My conf in Server.app looks right but one of my sites lands on the default server. Any suggestion?

    I started using OSX Server on Mountain Lion a few days ago and it looks promising.
    I do however measure my ignorance in DNS matters...
    I defined two websites in addition to the Default Server, so I have three names to deal with.
    For argument's sake
    - www.main.com is the default site
    - www.sitea.com is the first site
    - www.siteb.com is the second site
    I define a virtual host for www.sitea.com and another for www.siteb.com
    The resulting apache conf is what I would expect, I am pretty sure it is correct.
    So I modified my DNS entries (they were A records) to point to my new OSX Server.
    My result is:
    - www.main.com shows the default site
    - www.sitea.com shows the first site
    - www.siteb.com shows...the default site
    Any ideas?
    Cheers

    Thanks MrHoffman!
    My problem ended up being a name but not in the DNS!...In Apache.
    Your information allowed me to rule out possibilities and zoom in to the culprit faster.
    I just report here the conclusion hoping it can help someone else.
    When I installed OSX Server last week, I had in mind to principally run siteb.
    During the initial install, this is what I must have entered and then forgot about it.
    Then I defined my virtual hosts sitea and siteb and realised my machine was called siteb and changed its name to main to avoid a name collision. At which time I remember OSX Server telling me that changing the name could have consequences... But it apparently went OK, and it did except for one little thing.
    The consequence was this:
    in the main configuration file /Library/Server/Web/Config/apache2/http_server_app.conf the ServerName directive had remained siteb (instead of main). I manually updated it with TextEdit (could do vi from bash, it's the same) and replaced siteb with main.
    There is a way to detect it.
    In Server.app, there is a "logs" panel, which displays all sorts of logs for everything including the websites.
    Each website's logs are presented as "access" and "error" logs. The information was there, but I could not see it because the viewing window is remarkably small for so much information in raw text...
    Web logs are actually written to only two files in /var/log/apache2 (error.log and access.log).
    I opened two bash windows and ran tail -f on error.log in one and tail -f access.log in the other.
    When I started the web service, Apache threw a warning from mod_ssl saying that the certificate did not match the server name... The certificate was what I expected, so I checked http_server_app.conf and found the ServerName directive that was not changed when I renamed my server...
    Easily fixed when it's found, but it can take a while to find.
    BTW, I was using A DNS records and it works, but I find your method of using CNAME records documents the administrator's intent better than with A records; I started to do the same. (A records are useful though, they can run a domain across multiple machines.)
    Cheers mate!

  • DNS "A" Record Preventing Networked Users from Seeing Own Website

    I just set up a DNS "a" record in Server Admin to point "mail.xyz.com" to my server's internal ip (10.0.1.1).
    I did this so users could stay on the network with sending and receiving mail, as opposed to going out onto the web to do so. (I have MX records on Network Solutions pointing "mail.xyz.com" to my server's external ip.) All of their mail clients list "mail.xyz.com" as the mail server, instead of the server's internal ip.
    Trouble is, when users on the network try to access our website, "xyz.com," their browsers now return an error, saying they cannot find the server.
    Any idea?
    Lost count   Mac OS X (10.4.9)  

    >Steve and David --
    >This works. I am using Server Admin. To reiterate, I added a zone "mysite.com" and a primary server "mail" and pointed it at my server's internal ip so my users can stay "inside" while checking mail.
    >Then, to follow your suggestion, I added a machine named "www" to zone "mysite.com" pointed to my server's external ip.
    >Some questions: How can I be sure the client's machines are going internally to the server for mail? (When I dig it in terminal, "mail.mysite.com" returns an "a" record for the server's internal ip -- I suppose that is sufficient.)
    Yep!
    >Should the primary name server for the zone be "mail" with "www" as an added machine, or vice versa?
    The primary name server just identifies the machine which is responsible for holding records for that zone (domain). Add www as a 'machine' - think of each 'machine' as a specific IP address which identifies a host, hence IP / Name partnership. Any other hostname on same IP is an 'alias' (which becomes a CNAME record in the dns file).
    >You say I have to do this with "any record hosted in my public dns as a mirror." I am running three websites from my server, all with public dns pointed at my server. (I use the same mail server--mail.mysite.com--for all three.) Do I need to set up a "www" record for each website? I have no problem accessing the sites from internal client machines.
    The basic issue is that any zone (domain) defined in your own dns becomes 'authoritative' for that domain. So when clients ask your internal dns about any zone (domain) which is defined in it, and your server does not have that record, it will respond with "no such record" and your clients must take that on face value.
    Therefore, you only need to mirror records for domains which you have defined in your own dns. If you have external www.domain1.com and www.domain2.com but only have domain1.com established on your internal dns, then you only need that domain's www record mirrored. Your server will therefore not be authoritative for domain2.com and will pass all requests out to whichever external dns is authoritative for it.
    -david
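
The rule david describes above (an internal server that defines a zone answers authoritatively for every name under it, so public names it lacks stop resolving for internal clients), as an added example that is not part of the original thread. The zone contents, the function names and the 203.0.113.10 address are constructed, and wildcard records and delegations are assumed absent.

```python
# Added example (not from the thread): audit a split-DNS setup for public names
# that the internal, authoritative server would answer with "no such record".

def norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.lower().rstrip(".")

def owning_zone(name, zones):
    """Return the most specific internal zone that contains `name`, or None."""
    labels = norm(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # www.mysite.com, mysite.com, com
        if candidate in zones:
            return candidate
    return None

def audit_split_dns(internal_zones, public_records):
    """Classify every public name by what an internal client would get back.

    answered  - the internal zone holds a record for the name
    missing   - the name falls under an internal zone but has no record there,
                so internal clients are told it does not exist
    forwarded - no internal zone covers the name; the query goes out as usual
    """
    zones = {norm(z): {norm(n) for n in names}
             for z, names in internal_zones.items()}
    report = {"answered": [], "missing": [], "forwarded": []}
    for name in sorted(norm(n) for n in public_records):
        zone = owning_zone(name, zones)
        if zone is None:
            report["forwarded"].append(name)
        elif name in zones[zone]:
            report["answered"].append(name)
        else:
            report["missing"].append(name)
    return report

def records_to_mirror(internal_zones, public_records):
    """Return {name: public address} for each record the internal zone lacks."""
    public = {norm(n): addr for n, addr in public_records.items()}
    missing = audit_split_dns(internal_zones, public_records)["missing"]
    return {name: public[name] for name in missing}

# Constructed sample data modelled on the thread: only "mail" was added to the
# internal mysite.com zone; domain2.com is not defined internally at all.
INTERNAL_ZONES = {
    "mysite.com": {"mail.mysite.com": "10.0.1.1"},
}
PUBLIC_RECORDS = {
    "mysite.com": "203.0.113.10",
    "www.mysite.com": "203.0.113.10",
    "mail.mysite.com": "203.0.113.10",
    "www.domain2.com": "203.0.113.10",
}

if __name__ == "__main__":
    for status, names in audit_split_dns(INTERNAL_ZONES, PUBLIC_RECORDS).items():
        print(f"{status:9s} {', '.join(names) or '-'}")
    for name, addr in records_to_mirror(INTERNAL_ZONES, PUBLIC_RECORDS).items():
        print(f"mirror {name} -> {addr}")
```

A name listed as answered may deliberately differ from its public address, as with the internal mail record here; only the missing names need mirroring.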
