Re: How to prevent DC from trying to register on root DNS servers
- From: "Ace Fekay [MVP Directory Services]" <firstnamelastname@xxxxxxxxxxx>
- Date: Sat, 30 Aug 2008 02:20:29 -0400
Tim <Tim@xxxxxxxxxxxxxxxxxxxxxxxxx> requesting assistance, typed the following:
I work in an AD environment - 1 forest/root domain, 2 domains,
separate non-AD domain for web pages, email, etc. I've noticed
recently that i'm getting the following error on a few DCs in my
domains (Event ID is 5774, source is Netlogon):
The dynamic registration of the DNS record '<domain name>. 600 IN A
<DC IP address>' failed on the following DNS server:
DNS server IP address: 188.8.131.52 (Root DNS Server -
dns1.idp365.net) Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record
must be registered in DNS.
Determine what might have caused this failure, resolve the problem,
and initiate registration of the DNS records by the domain
controller. To determine what might have caused this failure, run
DCDiag.exe. You can find this program on the Windows Server 2003
installation CD in Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To initiate registration of
the DNS records by this domain controller, run 'nltest.exe
/dsregdns' from the command prompt on the domain controller or
restart Net Logon service. Nltest.exe is available in the Microsoft
Windows Server Resource Kit CD. Or, you can manually add this
record to DNS, but it is not recommended.
Error Value: DNS bad key.
For more information, see Help and Support Center at
These DCs are not NAT'd, have no external IP registered with
SafeNames (our DNS registration vendor), and the only external DNS
records for the root domain are an A record to redirect
www.domain.net to www.domain.net and an MX 5 record pointing to
mail.idp365.net. Can someone point me in the right direction to
correct my internal DNS so that it doesn't try to register with any
other external root DNS servers? Is it the MX record?
Thanks in advance for your help.
Curious, why even bother creating an MX record internally? If you are hosting a public domain on the internet, and you host your own email, then I would create an MX record to tell the rest of the world what the mail exchanger is. Otherwise, nothing internally will use an MX record. They are only for MTA to MTA (mail server to mail server) communication. Internal mail clients, whether MAPI, POP3, or IMAP4, do not use them, unless of course you have some sort of application running that needs to look up the mail exchanger or your internal mail server? Apps are usually just configured to use the mail server directly by IP to send mail, such as notifications, alerts, etc. Therefore the MX record for your publicly registered domain name will only exist on your public zone.
So if this server is not hosting public records, I would delete the MX.
Next, I think your "redirect" is incorrect. Matter of fact, DNS does not offer any sort of redirection features or options. That is an IIS feature.
What is the purpose of the "redirect?" Is your internal domain name and external domain name the same? If so, it's called a split zone. To allow your internal users to get to your external webserver in such a scenario, simply create an "A" www record and provide the IP address of the external web server. If your ISP uses more than one web server, such as a server farm, instead of an "A" record, I suggest creating a delegation for 'www' to the public name servers. This can be done by right-clicking your zone, new delegation, type in www, and provide the SOA of your public domain.
As for getting to the domain with http://domain.com (without the www in front of it), that is problematic because EACH domain controller registers itself into DNS with an IP address as:
(same as parent) A IpOfTheDomainController
It's actually called the LdapIpAddress. AD uses that record for a number of things, such as GPOs and DFS. Don't mess with it please.
To get around that, on EACH DC, install IIS. In the default website properties, directory tab, redirect it to www.domain.com.
I hope that helps.
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
Infinite Diversities in Infinite Combinations
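A small triage helper for the Netlogon Event ID 5774 text quoted in Tim's post, added here as an example and not part of either post: it parses the record, the target DNS server and the RCODE out of the event body and reports whether the server the DC tried to update lies inside the address ranges you define as internal. The sample event text, zone name and address ranges are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of a Netlogon Event ID 5774 body in the shape quoted in
# the thread; the zone name and the 10.x address are placeholders, not real hosts.
SAMPLE_EVENT = """The dynamic registration of the DNS record 'corp.example.net. 600 IN A
10.0.0.10' failed on the following DNS server:
DNS server IP address: 188.8.131.52
Returned Response Code (RCODE): 5
Returned Status Code: 9017
Error Value: DNS bad key."""

# Address ranges this (hypothetical) forest treats as internal DNS infrastructure.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Standard DNS RCODE names (RFC 1035 / RFC 2136); 5 = REFUSED is what the thread shows.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
               8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}

# The record text may wrap across a line between the type and the RDATA, so \s+ is used.
RECORD_RE = re.compile(r"DNS record '(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+"
                       r"(?P<rtype>[A-Z]+)\s+(?P<data>[^']+)'")
SERVER_RE = re.compile(r"DNS server IP address:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
RCODE_RE = re.compile(r"\(RCODE\):\s*(?P<rcode>\d+)")


def parse_5774(text):
    """Extract the record being registered, the target server and the RCODE
    from a 5774 event body; raises ValueError if the text is not a 5774."""
    rec, srv, rc = RECORD_RE.search(text), SERVER_RE.search(text), RCODE_RE.search(text)
    if not (rec and srv and rc):
        raise ValueError("not a recognisable Netlogon 5774 message")
    return {"name": rec["name"], "ttl": int(rec["ttl"]), "rtype": rec["rtype"],
            "data": rec["data"].strip(), "server": srv["ip"], "rcode": int(rc["rcode"])}


def classify(event, internal_nets=INTERNAL_NETS):
    """Say whether the failed update went to an internal DNS server or, as in
    the thread, to a server outside the forest's own address space."""
    server = ipaddress.ip_address(event["server"])
    rcode = RCODE_NAMES.get(event["rcode"], str(event["rcode"]))
    scope = "internal" if any(server in net for net in internal_nets) else "external"
    return f"{scope}: DNS server {server} answered {rcode}"


if __name__ == "__main__":
    print(classify(parse_5774(SAMPLE_EVENT)))
```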