#1
The first time I posted this in the DNS forums I didn't get a response, however I didn't have a full comprehension of the problem. Somebody pointed me in the direction of a DNS problem, and that led us to discover outdated host record entries in our forward and reverse lookup zones. For those hosts with duplicate entries (i.e. multiple IP addresses for 1 host) there was an issue with RDP going to the wrong machine. You typed PC6, you got PC46. It seemed that the dup entry is an outdated host record, and it just so happens to have the same IP as a different host that actually does have the IP that the outdated dup contains. We had to look at the DHCP lease list to get the correct host address, then delete the inaccurate record in the forward and reverse lookup zones. Once the records no longer conflicted, we had no RDP issues (and I should also mention that we never have RDP issues when using IPs for the host name, however we use DHCP for all of our XP clients, so we need to be able to get around the network by machine name, rather than always having to look up the IP).

So the issue, it seems, is that our DNS is not properly updating the records in its lookup zones. Now we can correct this manually, however (a) we feel this is a risky procedure as we have little knowledge of DNS server, (b) we have around 40 - 50 hosts and we don't have time to manually update the DNS. So we need to resolve the issue with our DNS not receiving updates, and I believe the clues are in the log files. There are patterns of errors and warnings in our DNS Event Log that repeat over and over:

4515 - Warning
2 - Information

It alternates this combo of events 5 times (for a total of 10 entries) then shows this:

4015 - Error

Then it throws 5 of these:

4004 - Error

Then it starts up with another set of 10 of the first two events and repeats the whole thing again over and over. Any resolving this would be great, this seems to cause us more problems as time goes on.

See below for the details of the log event IDs (note - any domain name reference to our company name has been changed to organization.local, in place of our true organizationname.local, in order to keep anonymity):

2 - Information
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

4004 - Error
The DNS server was unable to complete directory service enumeration of zone ... This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

4015 - Error
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

4515 - Warning
The zone organization.local was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.ORGANIZATION.LOCAL. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible. If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server. If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict. To change the replication scope of an application directory partition containing DNS zones and for more details on storing DNS zones in the application directory partitions, please see and Support.

--
Thanks for your time.
-Kettle
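An added example (not code from the thread or from either poster) that automates the check post #1 describes doing by hand: it lists A records where one name has several IPs or one IP is claimed by several names, and tells each record apart from its neighbours by comparing it with the active DHCP leases. It assumes the DnsServer and DhcpServer PowerShell modules (Windows Server 2012 or later), run on the DC that hosts both roles; the zone name and scope ID are placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsServer and DhcpServer
# modules (Server 2012+) and a DC hosting both DNS and DHCP. Zone and scope
# below are placeholders for the poster's organization.local environment.
function Find-ConflictingARecords {
    param(
        [string]$ZoneName = 'organization.local',   # assumed zone name
        [string]$ScopeId  = '192.168.1.0'           # assumed DHCP scope
    )

    # Flatten every host A record in the zone to name / IP / timestamp.
    $aRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.HostName.ToLower()
                IP        = $_.RecordData.IPv4Address.IPAddressToString
                Timestamp = $_.Timestamp   # empty for static (non-aging) records
            }
        }

    # Active DHCP leases say who really holds an IP right now; this is the
    # same cross-check the poster did by hand against the lease list.
    $leaseOwner = @{}
    Get-DhcpServerv4Lease -ScopeId $ScopeId |
        Where-Object { $_.AddressState -like 'Active*' -and $_.HostName } |
        ForEach-Object {
            $shortName = ($_.HostName -split '\.')[0].ToLower()
            $leaseOwner[$_.IPAddress.IPAddressToString] = $shortName
        }

    # Names with more than one A record, and IPs claimed by more than one
    # name: exactly the "type PC6, land on PC46" situation.
    $multiIpNames = ($aRecords | Group-Object Name | Where-Object { $_.Count -gt 1 }).Name
    $sharedIps    = ($aRecords | Group-Object IP   | Where-Object { $_.Count -gt 1 }).Name

    foreach ($rec in $aRecords) {
        $inConflict = ($multiIpNames -contains $rec.Name) -or ($sharedIps -contains $rec.IP)
        if (-not $inConflict) { continue }

        $owner = $leaseOwner[$rec.IP]
        $verdict = if (-not $owner)              { 'no active lease for this IP' }
                   elseif ($owner -eq $rec.Name) { 'matches active lease (keep)' }
                   else                          { "stale: lease belongs to $owner" }

        [pscustomobject]@{
            Name      = $rec.Name
            IP        = $rec.IP
            Timestamp = $rec.Timestamp
            Verdict   = $verdict
        }
    }
}

# Review the findings first; -WhatIf previews each deletion without changing
# the zone. Drop -WhatIf only after the list has been checked by hand, and
# remember the matching PTR in the reverse zone needs the same cleanup.
$stale = Find-ConflictingARecords | Where-Object { $_.Verdict -like 'stale*' }
$stale | Format-Table -AutoSize
foreach ($s in $stale) {
    Remove-DnsServerResourceRecord -ZoneName 'organization.local' -RRType A `
        -Name $s.Name -RecordData $s.IP -WhatIf
}
```

Records flagged "no active lease for this IP" are not automatically stale (static hosts and expired-but-still-correct entries land there too), so they are left for a manual decision.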
#2
Read inline please.

In news:22648002-0E2B-48EE-AA25-797CBD460108@microsoft.com, kettlnaut <kettlnaut@discussions.microsoft.com> typed:
> [...]
> There are patterns of errors and warnings in our DNS Event Log that repeat over and over:

How many DCs?

Probably the easiest and most sure way to clear this up is to point all DCs to one DC only for DNS, then on the DC that you have pointed the others to for DNS, change the zone to Standard Primary, with updates allowed. Force a replication cycle, run ipconfig /flushdns && ipconfig /registerdns and restart the Netlogon Service on all DCs. Use the DNS console to connect to DNS on all other DCs and make sure the ADI zone has been deleted; if not, delete it. Use netdiag /fix on all DCs, and restart the DNS service on all DCs to make sure the errors are gone.

Once it appears the zone has been deleted from AD on all DCs, go back to the DC with the Standard Primary zone, set the Store in AD and Replication scope BEFORE clicking the Apply button. Force another replication cycle; the zone should appear in DNS on all DCs in the replication scope within 15 minutes, but depending on the links between the DCs it could take an hour or more. IMO, if it takes more than 15-30 min, you should take a look at your network infrastructure.

After the zone has replicated to all DCs, change them to point to one other DC than themselves for DNS. You should not restart a DC that does not have at least one other DC/DNS in its TCP/IP properties, up and running.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue; to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================
#3
Okay wow, you are a bit over my head here as I am learning the server side of Windows on the fly. I guess what I am saying is, I am good at learning this stuff, but there is a lot I don't know so please bear with me. In doing some reading, I found that the primary forward and reverse lookup zones were accepting secure updates only, which I read may cause an issue with the DNS updating. So I changed my Update setting to Secure and Nonsecure. Now, back to your post, currently we only have one DC; we had two for redundancy, but our 3rd party support group could not properly set that up (we have had many issues with them, which is why I am posting in forums, so we can stop using them) so we demoted it to a member server. So we have one DC, which also happens to be the Exchange, DNS, and DHCP server all wrapped up in one.

So in regards to your steps. Do I run the registerdns and flushdns commands on the server? Would you suggest trying that after I changed the update settings to see if that fixes the issue? If DNS is updating properly, will it then flush all of the outdated HOST (A) entries (or is that what flushdns is for on the server)? The NETLOGON service, will restarting this interrupt user access to mapped network drives and resources (this I ask as I take any action during our production hours that will interrupt our employees)?

K, so that's just the start of the noob q's, but here's a biggie:

What is an ADI zone, and how can I safely identify which one I am supposed to get rid of (as I gather from the logs and your instructions I have some kind of duplicate zone info that might be interfering with the DNS updates)? Even more noob, how do I go about using the netdiag tool, like if you know any technet docs that I could read to get a clue?

Last but not least, I see that you say never to restart a DC that does not point to another DNS, so should we have 2 DNS servers minimum, and can we run a DNS server on a member server that is not a DC (and if so, are there pre-reqs, like a lightweight version of AD or something along those lines that needs to be present)? Kevin, I realize that this is a ton I am asking here, but I sure appreciate answers to as many of these questions as you have time for. If I could resolve the errors in our DNS log and clear up our RDP quirks, my boss will sure have a heck of a lot less problems managing our infrastructure, small as it may be. Thanks again!

--
-Kettle
#4
Read inline please.

In news:5D5A0587-7766-4B31-BC84-5258B48C12CB@microsoft.com, kettlnaut <kettlnaut@discussions.microsoft.com> typed:
> Okay wow, you are a bit over my head here as I am learning the server side of Windows on the fly. I guess what I am saying is, I am good at learning this stuff, but there is a lot I don't know so please bear with me. In doing some reading, I found that the primary forward and reverse lookup zones were accepting secure updates only, which I read may cause an issue with the DNS updating. So I changed my Update setting to Secure and Nonsecure. Now, back to your post, currently we only have one DC; we had two for redundancy, but our 3rd party support group could not properly set that up (we have had many issues with them, which is why I am posting in forums, so we can stop using them) so we demoted it to a member server. So we have one DC, which also happens to be the Exchange, DNS, and DHCP server all wrapped up in one.
>
> So in regards to your steps. Do I run the registerdns and flushdns commands on the server? Would you suggest trying that after I changed the update settings to see if that fixes the issue? If DNS is updating properly, will it then flush all of the outdated HOST (A) entries (or is that what flushdns is for on the server)? The NETLOGON service, will restarting this interrupt user access to mapped network drives and resources (this I ask as I take any action during our production hours that will interrupt our employees)?

Restarting the Netlogon service will not affect the clients, but it will re-register the DC's Netlogon records.

> K, so that's just the start of the noob q's, but here's a biggie:
>
> What is an ADI zone, and how can I safely identify which one I am supposed to get rid of (as I gather from the logs and your instructions I have some kind of duplicate zone info that might be interfering with the DNS updates)?

An ADI (Active Directory Integrated) zone is one which is stored in AD. When you change it to Standard Primary, clear the check from the Stored in Active Directory box. Doing this will remove the zone from AD. As long as you change all zones to ADI, you can then use ADSIEdit to delete any zone objects still in AD.

Also, go through your zone, and delete any remaining records from the DC that was demoted.

> Even more noob, how do I go about using the netdiag tool, like if you know any technet docs that I could read to get a clue?

The Netdiag tool is in the Support Tools on the CD, or you can download updated Tools here: http://support.microsoft.com/kb/926027

There isn't a Win2k3 How to use Netdiag version of this KB, but the Win2k version will give you the basics; the two versions have the same basics but are not interchangeable. http://support.microsoft.com/kb/321708/en-us

> Last but not least, I see that you say never to restart a DC that does not point to another DNS, so should we have 2 DNS servers minimum, and can we run a DNS server on a member server that is not a DC (and if so, are there pre-reqs, like a lightweight version of AD or something along those lines that needs to be present)?

You actually need a second DC w/DNS and Global Catalog. If you have a Win2k3 Member server, promote it to a DC, then after the AD zone replicates to it, enter both DCs into TCP/IP properties for DNS. Do not do this before the zone replicates.

This will also give you two DNS servers to use for your clients, too.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
#5
I think I spit out too many questions at once there (bit off more than I could chew I should say), but I have taken what I gleaned from your response Kevin, and looked at some more of the DNS settings. From what I have gathered, you have given me answers more relevant to clearing up the log file events. So I am going to put down my interpretation here of what you are suggesting that I do, so I can be crystal clear when I try to get my manager to approve this attempt to fix our DNS. Before I lay that out, let me state what I found on our DNS server, as it is relevant to how I interpret this procedure needing to be done. All of the zones in our DNS server show that they are already Primary Zones, and they have a check in the "Store in Active Directory" box, and the menu that has the Change button that takes you into the screen I was just referring to states that the zone is Active Directory Integrated. That being said, this is what I think needs to be done (based on that info and your instructions):

(1.0) Go into the "Change" menu, uncheck the box for "Store in AD", then use ADSIEdit to delete any remnants of the zone that were not successfully removed by AD.

(1.1) This next part raises a question to me, as you say to delete any records left over from the demoted DC. Do those reside on the demoted DC, or the current DC? Also, if they are supposed to reside on the demoted DC, is there something else that needs to be done with the DNS server to successfully remove its records from the current (or demoted) DC's DNS, because the DNS server on the demoted DC shows that it cannot be contacted, though it does show the current DC's DNS server instance as running.

(1.2) Thus I am assuming this is the portion that you intend will resolve the errors in the event log. So what is the next step? Do I have to recheck the "Store in AD" box to get the DNS info back into AD (or do we even have to store our DNS zones in AD, what purpose does that serve)? I guess I am not clear on exactly what steps need to be taken to correct how our DNS server is currently configured.

(2.0) If we have to restart our DC, is it going to cause more of the same quirks with our DNS or other server services down the line, without having a second DC in place? In other words, is it just for the convenience of not having our client networking services go down, or does a second DC play a critical role in having AD and DNS function correctly? If this is so, I really need to know where the white paper or best practices document is kept, because we would have a serious bone to pick with our support company.

(3.0) I am assuming from what I have had a chance to read so far, that the main role of the netdiag tool is to simply get a status check on what information the client machines are getting when they are looking for their needed networking services. Or is there something that I need to use this for in conjunction with correcting the ADI zones? Also, I am still unclear how the ipconfig /flushdns and /registerdns commands tie into the whole affair. I am assuming this is just an additional preparation step to ensure that the client NICs are getting the most current info (like a more in-depth release / renew), or is that something that needs to be done on the server as part of correcting the zones?

I know I am asking a lot here, but as I said my understanding of DNS and AD is quite limited, so I need very specific instructions in these matters. Thanks again for all of you Kevin, picking your brain seems to finally have me pointing in the right direction. I really appreciate your time.

--
-Kettle
#6
Read inline please.

In news:EC5EC3B5-F90F-44B0-BD8E-9E51B791649A@microsoft.com, kettlnaut <kettlnaut@discussions.microsoft.com> typed:
> I think I spit out too many questions at once there (bit off more than I could chew I should say), but I have taken what I gleaned from your response Kevin, and looked at some more of the DNS settings. From what I have gathered, you have given me answers more relevant to clearing up the log file events. So I am going to put down my interpretation here of what you are suggesting that I do, so I can be crystal clear when I try to get my manager to approve this attempt to fix our DNS. Before I lay that out, let me state what I found on our DNS server, as it is relevant to how I interpret this procedure needing to be done. All of the zones in our DNS server show that they are already Primary Zones, and they have a check in the "Store in Active Directory" box, and the menu that has the Change button that takes you into the screen I was just referring to states that the zone is Active Directory Integrated. That being said, this is what I think needs to be done (based on that info and your instructions):
>
> (1.0) Go into the "Change" menu, uncheck the box for "Store in AD", then use ADSIEdit to delete any remnants of the zone that were not successfully removed by AD.

Correct

> (1.1) This next part raises a question to me, as you say to delete any records left over from the demoted DC. Do those reside on the demoted DC, or the current DC?

They would be in the DNS Zone records themselves. You are looking for any DNS record that refers to the other DC by name or IP address. As far as the AD data is concerned, as long as the DC was properly demoted, you'll be ok. If it were not properly demoted, you would know, because this DC would still be trying to replicate with it, and it would be logging replication errors in the event log.

> Also, if they are supposed to reside on the demoted DC, is there something else that needs to be done with the DNS server to successfully remove its records from the current (or demoted) DC's DNS, because the DNS server on the demoted DC shows that it cannot be contacted, though it does show the current DC's DNS server instance as running.

In the DNS Console on the current DC, open the zone or zones, expand all nodes, and delete any record that refers to the demoted DC by name or IP. Of course the DC should have removed them, but if there were connection or replication issues, you need to make sure. This includes the _msdcs.ADDomain zone if you have one. If you don't have a separate _msdcs.addomain zone, make sure the _msdcs sub domain within the ADDomain zone is cleared of any record referring to the old DC.

> (1.2) Thus I am assuming this is the portion that you intend will resolve the errors in the event log. So what is the next step? Do I have to recheck the "Store in AD" box to get the DNS info back into AD (or do we even have to store our DNS zones in AD, what purpose does that serve)?

Storing the zone in AD will store the zone data in the Active Directory database, instead of a text-based file as standard zones are. By keeping the database in AD, it is much more secure than it would be in the text-based file.

> I guess I am not clear on exactly what steps need to be taken to correct how our DNS server is currently configured.
>
> (2.0) If we have to restart our DC, is it going to cause more of the same quirks with our DNS or other server services down the line, without having a second DC in place? In other words, is it just for the convenience of not having our client networking services go down, or does a second DC play a critical role in having AD and DNS function correctly? If this is so, I really need to know where the white paper or best practices document is kept, because we would have a serious bone to pick with our support company.

The second DC is for redundancy and failover. If you lose one DC, the second is still up; it doesn't put your office out of work until the first is back up.

> (3.0) I am assuming from what I have had a chance to read so far, that the main role of the netdiag tool is to simply get a status check on what information the client machines are getting when they are looking for their needed networking services. Or is there something that I need to use this for in conjunction with correcting the ADI zones? Also, I am still unclear how the ipconfig /flushdns and /registerdns commands tie into the whole affair. I am assuming this is just an additional preparation step to ensure that the client NICs are getting the most current info (like a more in-depth release / renew), or is that something that needs to be done on the server as part of correcting the zones? I know I am asking a lot here, but as I said my understanding of DNS and AD is quite limited, so I need very specific instructions in these matters. Thanks again for all of you Kevin, picking your brain seems to finally have me pointing in the right direction. I really appreciate your time.

Netdiag /fix will check all DNS registrations and fix them if they are not there. It is the same with dcdiag /fix: it checks Active Directory functions on a DC and domain and fixes minor issues.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
#7
Kevin, thanks again for all of the helpful clarifications and pointers.

Based on those and google, I am slowly gaining a cohesive picture of how DNS functions on a real basic level. I am still a bit reluctant to uncheck the AD box and take the DNS info out of the Domain until I discuss it with my manager. In the meantime, I have been making efforts to ensure that other facets of DNS are configured correctly.

-First I checked the update settings, which are highly recommended to be secure only, so I switched back to that after trying the Non-secure and Secure setting (this did nothing to clear the stale records anyway). The docs I found said that DNS should be getting updates from DHCP and client PCs. Now, the new records are getting into the DNS, as there was always a record for the current IP of any given client, however their outdated record does not seem to get deleted in the same event for some reason (maybe it's not supposed to). So I still wonder if it is accepting updates properly, as the DHCP server has correct info, and I would think that it would update the DNS to have proper RR's.

-After tweaking and testing the update settings and getting no results, I attempted to run the netdiag /fix command. I ran it and restarted the netlogon service with net start and net stop commands, but found no change in the amount of outdated records in the zone.

-In my research I found that the main reason you get the 4004 and 4015 events together in the DNS log, is if you have only one DC, and it's hosting DNS, and it gets restarted, the errors will occur until the point AD has been successfully loaded to memory and is running, as it stores the info the DNS server needs to use. Thus, during startup the errors will recur until the DC is completely running, and that is the current scenario that our infrastructure has setup. So it is very possible that those errors have nothing to do with the stale RR's that I am encountering, which leads into my next procedure.

-I found out about scavenging through the docs, and upon checking the DNS server, found that it was not configured. I also found that it says right in the docs that if the RR's are not being scavenged for stale entries, they can build up and cause networking quirks and issues that can even prevent a host from being accessed (exactly what I am experiencing). That being said, I set up some scavenging criteria and did a manual scavenge. Now this also had no effect, but upon looking back at the scavenging settings, I found that it reported the zone would not be eligible for scavenging until 2:00pm this afternoon (even though I actually setup scavenging yesterday). My thoughts are that the manual scavenge will do nothing until after that point. Thus I am going to belay any further actions on the DNS until a couple of hours after that point (I set the refresh intervals to an hour to start with, then once the dup RR's are gone I'll change it to every 4 hours). After that point, I will have taken what I feel are the potentially low-risk actions. If this last attempt has no effect I will go to my manager about changing the zone type to get the info out of AD and resolve the zone enumeration issue.

Kevin, Thanks again for all of your help. If you have any thoughts on my situation after the facts presented here, sure appreciate it. Thanks again!

--
-Kettle

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:EC5EC3B5-F90F-44B0-BD8E-9E51B791649A@microsoft.com,
> kettlnaut <kettlnaut@discussions.microsoft.com> typed:
> > I think I spit out too many questions at once there (bit off more than I could chew I should say), but I have taken what I gleaned from your response Kevin, and looked at some more of the DNS settings. From what I have gathered, you have given me answers more relevant to clearing up the log file events. So I am going to put down my interpretation here of what you are suggesting that I do so I can be crystal clear when I try to get my manager to approve this attempt to fix our DNS. Before I lay that out, let me state what I found on our DNS server, as it is relevant to how I interpret this procedure needing to be done. All of the zones in our DNS server show that they are already Primary Zones, and they have a check in the "Store in Active Directory Box", and the menu that has the change button that takes you into the screen I was just referring to, states that the zone is Active Directory Integrated. That being said, this is what I think needs to be done (based on that info and your instructions):
> >
> > (1.0) Go into the "Change" menu, uncheck the box for "Store in AD", then use ADSIEdit to delete any remnants of the zone that were not successfully removed by AD.
>
> Correct
>
> > (1.1) This next part raises a question to me, as you say to delete any records left over from the demoted DC. Do those reside on the demoted DC, or the current DC?
>
> They would be in the DNS Zone records, themselves. You are looking for any DNS record that refers to the other DC by name or IP address.
> As far as the AD data is concerned, as long as the DC was properly demoted, you'll be ok. If it were not properly demoted, you would know because this DC would still be trying to replicate with it, and it would be logging replication errors in the event log.
>
> > Also, if they are supposed to reside on the demoted DC, is there something else that needs to be done with the DNS server to successfully remove its records from the current (or demoted) DC's DNS, because the DNS server on the demoted DC shows that it cannot be contacted, though it does show the current DC's DNS server instance as running.
>
> In the DNS Console on the current DC, open the zone or zones, expand all nodes, delete any record that refers to the demoted DC by name or IP. Of course the DC should have removed them, but if there were connection or replication issues, you need to make sure.
>
> This includes the _msdcs.ADDomain zone if you have one. If you don't have a separate _msdcs.addomain zone, make sure the _msdcs sub domain within the ADDomain zone is cleared of any record referring to the old DC.
>
> > (1.2) Thus I am assuming this is the portion that you intend will resolve the errors in the event log. So what is the next step. Do I have to recheck the "Store in AD" box to get the DNS info back into AD (or do we even have to store our DNS zones in AD, what purpose does that serve)?
>
> Storing the zone in AD will store the zone data in the Active Directory database, instead of a text based file as standard zones are. By keeping the database in AD, it is much more secure than it would be in the text based file.
>
> > I guess I am not clear on exactly what steps need to be taken to correct how our DNS server is currently configured.
> > (2.0) If we have to restart our DC, is it going to cause more of the same quirks with our DNS or other server services down the line, without having a second DC in place? In other words, is it just for the convenience of not having our client networking services go down, or does a second DC play a critical role in having AD and DNS function correctly. If this is so, I really need to know where the white paper or best practices document is kept, because we would have a serious bone to pick with our support company.
>
> The second DC is for redundancy and failover. If you lose one DC, the second is still up, it doesn't put your office out of work until the first is back up.
>
> > (3.0) I am assuming from what I have had a chance to read so far, that the main role of the netdiag tool is to simply get a status check on what information the client machines are getting when they are looking for their needed networking services. Or is there something that I need to use this for in conjunction with correcting the ADI zones. Also, I am still unclear how the ipconfig /flushdns and /registerdns commands tie into the whole affair. I am assuming this is just an additional preparation step to ensure that the client NICs are getting the most current info (like a more in depth release / renew), or is that something that needs to be done on the server as part of correcting the zones. I know I am asking a lot here, but as I said my understanding of DNS and AD is quite limited, so I need very specific instructions in these matters. Thanks again for all of your help Kevin, picking your brain seems to finally have me pointing in the right direction. I really appreciate your time.
>
> Netdiag /fix will check all DNS registrations and fix them if they are not there.
> It is the same with dcdiag /fix, it checks Active Directory functions on a DC and domain and fixes minor issues.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
>
> ===================================
> When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> http://message.wftx.us/
> ===================================
> Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders with OEBackup:
> http://www.oe.com/OEBackup/Default.aspx
> ===================================
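The cross-check described in this thread (a host with two A records, one of them pointing at the address DHCP has since leased to another machine, resolved by consulting the DHCP lease list) as an added example that is not from the thread or from Microsoft's tools; the zone dump format, host names and addresses are constructed assumptions.

```python
# Added example, not from the thread: cross-check a zone's A records against the
# DHCP lease list. Dump format, host names and addresses are constructed assumptions.
import ipaddress
from collections import defaultdict

# Constructed zone export, 'owner ttl type rdata' per line. pc6 still carries an old
# A record for 192.168.1.146, the address DHCP has since leased to pc46.
ZONE_DUMP = """\
; constructed sample zone, not real data
@      3600 NS dc1.example.local.
dc1    3600 A  192.168.1.10
pc6    1200 A  192.168.1.106
pc6    1200 A  192.168.1.146
pc46   1200 A  192.168.1.146
pc12   1200 A  192.168.1.112
"""
# Constructed DHCP lease list (host -> current address).
DHCP_LEASES = {"pc6": "192.168.1.106", "pc46": "192.168.1.146", "pc12": "192.168.1.112"}

def parse_a_records(dump):
    """Return [(host, ipv4)] for the A records in the dump; other types are skipped."""
    records = []
    for line in dump.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or comment
        if len(fields) == 4 and fields[2].upper() == "A":
            ipaddress.IPv4Address(fields[3])  # raises on a malformed address
            records.append((fields[0].lower(), fields[3]))
    return records

def find_conflicts(records):
    """Hosts with more than one A record, and addresses claimed by more than one host."""
    by_host, by_ip = defaultdict(set), defaultdict(set)
    for host, ip in records:
        by_host[host].add(ip)
        by_ip[ip].add(host)
    multi_ip_hosts = {h: sorted(ips) for h, ips in by_host.items() if len(ips) > 1}
    shared_ips = {ip: sorted(hs) for ip, hs in by_ip.items() if len(hs) > 1}
    return multi_ip_hosts, shared_ips

def stale_records(records, leases):
    """A records whose host holds a DHCP lease for a different address: deletion candidates."""
    return [(host, ip, leases[host]) for host, ip in records
            if host in leases and leases[host] != ip]

if __name__ == "__main__":
    recs = parse_a_records(ZONE_DUMP)
    print(find_conflicts(recs), stale_records(recs, DHCP_LEASES))
```

Records flagged by stale_records are the ones to delete by hand in the forward (and matching reverse) zone; hosts without a lease, like the DC itself, are never flagged.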