Re: DNS service Failure Error 6

From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 04/16/04


Date: Thu, 15 Apr 2004 23:21:54 -0400

In news:1d33801c422d9$b6a068b0$a101280a@phx.gbl,
Crownu <crownu@rediffmail.com> posted their thoughts, then I offered mine
> Hi All,
> My setup goes something like this: I've a Win2K Domain
> Controller with an ADC too, both have DNS servers
> configured on them. On the ADC we have 2 NIC cards, one for
> the LAN and another for the Internet connection. The DNS
> server on the ADC is configured as a secondary server.
> The Local Area Connection in the Network Neighborhood on
> the ADC is configured with the Primary DNS server entry
> being the Domain Controller IP, and the Secondary
> pointing to itself. In the DNS server, Forwarders have been
> configured with the ISP's DNS server entries. Everything
> works fine except that when we restart the ADC we get an
> Application pop-up saying at least one device or service
> failed. When I check the Event Viewer for this it shows
> that the DNS server is not available; when I go to
> Services the DNS Server service is stopped; when I try to
> restart it, it throws an error no. 6 saying Invalid Handle.
> I go on trying to restart it and after some time it starts,
> usually 3-4 mins later. This happens every time the ADC
> restarts; we have to manually restart the DNS Server
> service. Does anyone know what causes this and how
> do I come out of it???? Any help would be greatly
> appreciated. I had posted this msg earlier too and someone
> had replied back saying to check my forwarders; I have
> checked them out and everything is fine.
>
> Thanks in Advance,
> Crownu

Not sure if it's causing it or not, but I'm willing to put some money on it
(that is, if no other services on the DC may be causing it): multihomed
DC/DNS servers are *problematic*.

Check your binding order, make sure the internal NIC is at the top. Tell DNS
to listen only on the internal NIC. I would also suggest, since you have two
DCs running DNS, to make your zone AD Integrated. Disable MS Client and F&P
services on the outer NIC. Disable NetBIOS on the outer NIC. You may also
need to trim what records get registered from the multihomed DC in terms of
the LdapIpAddress and, if it's the GC, also the GcIpAddress. Here's a repost
of past issues that I've answered in this group concerning this issue; some
may or may not apply to your scenario (such as RRAS), but most will.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Actually most of these are strewn about in this newsgroup between myself and
others posting responses. Steps include killing the registration of your NIC
cards thru the registry. You first identify the GUID for each NIC. Then you
would publish (thru reg) what IPs you want in DNS, then you need to adjust
the binding order to ensure the NIC you want responds. Then another reg
entry to kill the GcIpAddress and the LdapIpAddress. Then you publish once
again thru the reg which IP you want for those two values. But you need to
ensure that the SRVs get registered properly. Then if RRAS is on it, it
complicates it a bit. Then if this is also a NAT server, there can be
problems with routing between subnets because of the PDU size. LDAP requires
a PDU of 300kb, but once enabled as a NAT, and you have multiple private
interfaces, AD communication gets thwarted and requires another change. This
can cause client logon trouble as well as GPOs to fail, because multiple
GC addresses come up, as they do on a multihomed DC/GC; then with round
robin, you never know which one will answer, and if it's one on another
subnet, then the system may not route it properly, so therefore it can't get
to it, even though the machine is on the same subnet.

Here's a repost of past posts I sent to explain some of it to others. They
may be mixed a bit, but you can see the gist of it. All the instructions are
here to make it work. But it's something you have to monitor to make sure it
doesn't cause any other issues. I've set up a couple machines thru this
method, but it's a pain. If you had a member server doing this (doesn't
have to be an expensive box, just a cheapo desktop will do the trick), you
would be better off.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Suggestions, and keep in mind, when mentioning "other NICs", they are the
subnets that the NICs are on that your AD infrastructure is not on.

1. Ensure that all the NICs point only to your internal DNS server(s)
and none others.

2. In Network & Dialup properties, Advanced Menu item, Advanced Settings,
move the internal NIC (the network that AD is on) to the top of the binding
order (top of the list).

3. Disable NetBIOS on the outer NICs. You may want to take a look at this to
stop NetBIOS on the RRAS interfaces (if it applies):
296379 - How to Disable NetBIOS on an Incoming Remote Access Interface [Reg
Entry]:
http://support.microsoft.com/?id=296379
Otherwise, RRAS or not, it will cause duplicate name errors because Windows
sees itself with multiple names thru the Browser service but with different
IPs.

4. Disable File and Print services and disable MS Client on the other NICs.
Uncheck "Register this connection's addresses in DNS" in the DNS tab of IP
properties/Advanced. Now if you need these for whatever reason for resource
access from clients, then you would probably have to keep them on.

5. In DNS, delete the other NIC references for the LdapIpAddress - the blank
domain FQDN - that looks like (same as parent). If this is a GC, you need to
also stop the GC record as well.
To stop these from registering that info, use this method (this was taken
from http://support.microsoft.com/?id=295328):

==========================
To disable only the registration of the local IP addresses, set the
following registry value:
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress
            GcIpAddress
After you set this value, you must manually register your publicly available
IP addresses for your domain to appear as:
Same as parent folder Host "publicIP". Do that by just right-clicking, New Host,
leave the hostname blank, and enter the IP of the internal NIC.

You need to also manually create the GcIpAddress as well, if this is a GC.
That would be under the _msdcs._gc SRV record under the zone.
==========================

6. In DNS, _msdcs.gc, delete the IP addresses referencing the other NICs. I
would follow this article to stop the GC records from the other NICs
registering, since this is a major cause of concern for logons. You would need
to manually create the GC entry of the internal NIC.
Restrict the DNS SRV resource records updated by the Net Logon service
[including GC]:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_dns_pro_no_rr_in_ad.asp

7. Since this is a DNS server, the IPs from all NICs will register, even if
you tell it not to in the NIC properties. See this to show you how to stop
that behavior (for W2K, but may work):
275554 - The Host's A Record Is Registered in DNS After You Choose Not to
Register the Connection's Address:
http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. -- 
=================================
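The seven steps above, collected into one script as an added example (this is not code from Ace's post or from Microsoft; only the Netlogon registry value is the one quoted from KB 295328). It assumes a hypothetical box with adapter aliases 'Internal' (the AD subnet, 10.1.1.10) and 'External' (the ISP side), the AD zone corp.example with the gc record still under the zone as on Windows 2000, a second internal DNS server at 10.1.1.11, and the Windows Server 2012+ NetAdapter, DnsClient and DnsServer cmdlets plus the legacy dnscmd and nltest tools; the thread's Windows 2000 machines would need the GUI and registry steps as written above instead.

```powershell
#Requires -RunAsAdministrator
# Added example: pin a multihomed DC/DNS server to its internal NIC.
# Assumptions (hypothetical, change for your box):
#   Internal/External adapter aliases, internal IP 10.1.1.10, zone corp.example,
#   other internal DNS at 10.1.1.11, this DC is a GC, gc record under the zone.
$Internal   = 'Internal'
$External   = 'External'
$InternalIP = '10.1.1.10'
$OtherDns   = '10.1.1.11'
$Zone       = 'corp.example'
$IsGC       = $true

# Step 1: every NIC points only at internal DNS servers (never the ISP's).
foreach ($nic in @($Internal, $External)) {
    Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses @($OtherDns, $InternalIP)
}

# Step 2: binding order. On current Windows the equivalent knob is the
# interface metric; the lowest metric is tried first, so the AD NIC wins.
Set-NetIPInterface -InterfaceAlias $Internal -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $External -AddressFamily IPv4 -InterfaceMetric 50

# Step 3: NetBIOS over TCP/IP off on the outer NIC (TcpipNetbiosOptions 2 = disable),
# so the Browser service does not see the server under two IPs.
$extIndex = (Get-NetAdapter -Name $External).InterfaceIndex
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$extIndex" |
    Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# Step 4: no File & Printer Sharing, no Client for MS Networks, and no DNS
# self-registration on the outer NIC.
Disable-NetAdapterBinding -Name $External -ComponentID 'ms_server'
Disable-NetAdapterBinding -Name $External -ComponentID 'ms_msclient'
Set-DnsClient -InterfaceAlias $External -RegisterThisConnectionsAddress $false

# Steps 5 and 6: stop Netlogon from registering the "(same as parent)" A record
# and, on a GC, the gc._msdcs A record for all addresses (KB 295328 value).
$nl    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$avoid = @('LdapIpAddress')
if ($IsGC) { $avoid += 'GcIpAddress' }
Set-ItemProperty -Path $nl -Name 'DnsAvoidRegisterRecords' -Value $avoid -Type MultiString

# ...then publish only the internal address by hand: drop any A record at the
# apex (and at gc._msdcs) that carries another NIC's IP, add ours if missing.
$names = @('@')
if ($IsGC) { $names += 'gc._msdcs' }
foreach ($name in $names) {
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $InternalIP } |
        Remove-DnsServerResourceRecord -ZoneName $Zone -Force
    $have = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $InternalIP }
    if (-not $have) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $InternalIP
    }
}

# Step 7: the DNS Server service listens on the internal NIC only, so it never
# tries to bind an outer interface that may still be coming up at boot.
dnscmd /ResetListenAddresses $InternalIP | Out-Null

# Re-register the SRV records under the new rules and show what the apex and
# gc._msdcs names resolve to now; only $InternalIP should remain.
Restart-Service Netlogon
nltest /dsregdns | Out-Null
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -in $names } |
    Format-Table HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

Run it once on the multihomed DC, then reboot and confirm in Services that the DNS Server service comes up on its own; if the apex or gc._msdcs names grow a second address again after a reboot, Netlogon is re-registering and the DnsAvoidRegisterRecords value did not take (check the key path and that it is REG_MULTI_SZ).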