Re: MY DNS TROUBLES
- From: Kashif <Kashif@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 17 Aug 2009 07:31:01 -0700
Thanks a bunch for all your Help!!!!!!!!
Event 5504 is logged when a Windows Server 2003-based DNS server receives a
packet that contains a DNAME resource record
http://support.microsoft.com/kb/920162
I didn't apply the hotfix because of the following comments in the Article.
Microsoft has confirmed that this is a problem in the Microsoft products
that are listed in the "Applies to" section. This problem was first corrected
in Windows Server 2003 Service Pack 2.
I have Windows 2003 Service Pack 2 installed.
If I had this problem in SP1, it never got fixed, and I upgraded to SP2, should I
still apply the hotfix?
My understanding was that service packs are designed to fix the previous service pack
and all the other previous problems.
I still don't know what RRAS is. Where should I look for it? I didn't find
any such name in the services.
It sounds like you need to enable Scavenging, as well as force
your DHCP servers to own the record that it registers. This way, the DHCP
server can update a machine when its IP changes instead of creating a new
record. I'm not sure if you are aware of how to do that, therefore I'm
posting (below) how to setup both Scavenging and DHCP credentials setup to
make this work.
I turned on scavenging 3 months ago with the following settings:
No-refresh interval 7 days.
Refresh interval 7 days.
As far as forcing DHCP to own the record, I followed the instructions
you posted 3 months ago.
It didn't change anything.
I do have forward and reverse zones.
I keep playing with the DHCP lease settings to see if I can fix the issue.
Last Friday I changed the setting from an 8-hour lease expiration to unlimited.
What if I delete all computer records from my forward and reverse zones,
excluding the DCs' records, turn off all the computers, delete all the DHCP
records, and turn the computers on? Will the DHCP server register the computers
again in DNS correctly? I also see some computers with a PEN icon in DHCP.
What if I want to re-install DNS and DHCP again? Will that fix the
problem, and what do I need to be careful about doing that?
"Ace Fekay [MCT]" wrote:
"Kashif" <Kashif@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message.
news:DA263455-3C9F-4EBE-B0F1-0BE9C341E4B9@xxxxxxxxxxxxxxxx
Thanks for the tip.
You were right, the web developer hard-coded http://CompanyName.com in the
JavaScript. Although I have a "www" CNAME in DNS pointing to the web server's IP
address, the coding was causing the issue.
I am not following your comments "DCs is multihomed, has more than one IP, or
RRAS is installed on it."
C:\Program Files\Support Tools>ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc1
Primary Dns Suffix . . . . . . . : Mycompany.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Mycompany.com
Ethernet adapter Broadcom-1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
(NDIS VBD Client)
Physical Address. . . . . . . . . : 00-19-B9-D9-70-BF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.10.20
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 10.1.10.20
10.1.10.200
C:\>ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC2
Primary Dns Suffix . . . . . . . : Mycompany.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Mycompany.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-11-85-D4-34-F4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.10.21
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 10.1.10.20
10.1.10.21
I couldn't find the RRAS service in the services console on either DC.
What is RRAS?
I will also check with my Firewall company and get back to you soon.
Thanks for all your help!!!!
Thanks for posting that. It looks good. I assume your DC/DNS servers are
10.1.10.20, 10.1.10.21 and 10.1.10.200.
Do you have a reverse zone created for 10.1.10.x?
As for the 5504 invalid domain errors from 222.191.251.132, have you seen
the following article?
Event 5504 is logged when a Windows Server 2003-based DNS server receives a
packet that contains a DNAME resource record
http://support.microsoft.com/kb/920162
You don't have a multihomed DC, from what I can see with your ipconfig. A
multihomed DC would have two interfaces and/or RRAS installed on it.
Also, in your previous post, you noticed the same hostname with multiple IP
addresses. It sounds like you need to enable Scavenging, as well as force
your DHCP servers to own the record that it registers. This way, the DHCP
server can update a machine when its IP changes instead of creating a new
record. I'm not sure if you are aware of how to do that, therefore I'm
posting (below) how to setup both Scavenging and DHCP credentials setup to
make this work.
I hope it helps!!
Ace
==================================================================
DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the
DnsUpdateProxy Group
---
By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
First compiled 4/2006
Updated 7/2009
---
Keep in mind, the entity that registers the record in DNS owns the record.
By default, a machine will update its own record with default DHCP settings;
however, what we want to do to keep DNS clean, without additional records
with the same name but different IP addresses in DNS, is to configure
DHCP to own the record, so it can keep it up to date.
The nice thing about DHCP owning the record is that it will update it if DHCP
gives the machine a new IP. Otherwise you'll see multiples of the same name in
DNS whether scavenging is enabled or not. I would force DHCP to own the record
as well as enable scavenging to keep it clean. To force DHCP to own the record,
you will need to do the following:
1. Add the DHCP server to the DnsUpdateProxy Group.
2. Force DHCP to register all records, Forward and PTR, (whether a client
machine can do it or not) in the Option 081 tab (DHCP properties, DNS tab).
3. Set Option 015 to the AD domain name (such as example.com).
4. Set Option 006 to only the internal DNS servers.
5. If the zone is set for Secure Updates Only, then DHCP cannot update
non-Microsoft clients and Microsoft clients that are not joined to the
domain. In this case, you will need to create and configure a user account
for use as credentials for DHCP to register such clients.
If your DHCP servers are Windows 2003 or Windows 2008, configure the
dedicated user account you created as credentials in DHCP by going into the
DHCP console, DHCP server properties, and on the Advanced tab of the DHCP
Server Properties click the Credentials button, and provide this account
info.
The user account does not need any elevated rights; a normal user account
is fine, however I recommend using a strong non-expiring password on the
account.
This will also allow DHCP to register Win9x machines, as well as non-Windows
machines, such as Linux, OS X (BIND based), and other Unix flavors.
Once you implement scavenging, you will need to wait at least a week for it to
take effect. You can quicken it up by manually deleting the incorrect records to
get started.
But more importantly, if DHCP is on a DC, it will not overwrite the
original host record for a machine getting a new lease with an IP
formerly belonging to another. To overcome this, configure the credentials
account, as indicated above.
There is another alternative if a DHCP server is on a DC. You can add the DC to
the DnsUpdateProxy group. This will force DHCP to own all records it will create
moving forward and will update an IP with a new name in DNS.
With regards to the DnsUpdateProxy group, as said, this is one method, but
normally, for the most part, it is not advised to use it as it weakens security,
INCLUDING the DC records if DHCP is on a DC. Preferably configure DHCP with an
account. This can be done in W2K and W2K3 and up. Windows 2000 requires the
netsh command to do it, but on Windows 2003 it can be done in the GUI or with
the netsh command.
If you set this, but a record shows up in the DHCP lease list with a pen icon
(which means that a write is pending), it may mean it is trying to register
into a zone that does not exist on the DNS servers. This happens in cases where
the client machine is not joined to the domain and has a missing or different
suffix than the zone in DNS. It can only register into a zone that exists on
DNS and that has been configured to allow updates.
If this is the case, go into the client machine's IP properties, and
on the DNS tab in TCP/IP properties, clear the "Register this connection's
addresses in DNS" as well as the "Use this connection's DNS suffix in DNS
registration" check boxes; the DHCP server will fill these in for you and
register using the domain name in Option 015.
===
Concerning records and timestamps, and lack of timestamps:
If the record was manually created, it won't show a time stamp, however, if
the record was dynamically registered, it will show a time stamp. My guess
is the records you are referring to were manually created. If you manually
create a record, the checkbox will not be checked to scavenge, however if it
was dynamically registered, it will be checked. I just tested this
with Windows 2003 DNS. When I had built a few servers for a customer and let
them auto register, they had a timestamp and the scavenge checkbox was
checked. For the records I manually created, such as internal www records,
and others, they did not have a time stamp and were not checked to scavenge.
Even if you allow auto registration, which I do by default, and it gets
scavenged, it gets re-registered anyway by the OS. Unless you are seeing
something going on that is affecting your environment, the default settings
work fine, at least they do for me for all of my customers and installations
I've worked in that I've set scavenging and forced DHCP to own the records
so it can update the records it had registered at lease refresh time.
==========
Now if you reduce the DHCP lease to, say, 8 hours instead of the default 8 days,
a number of things can occur, such as increased tombstoning of DNS entries,
which will increase the AD NTDS.dit file size, as well as possibly an
inconsistency with the records in DNS, as well as issues with WINS trying to
keep up with the changes, which will be evident with WINS Event log error
entries.
Regarding the WINS issue, I've seen this once at a customer site years ago.
It's always stuck in the back of my mind to keep this in mind when such a short
lease is desired. I found a default lease works fine, as long as scavenging
is enabled (default as well), including if the DHCP server is on a DC, either
by adding the DHCP server to the DnsUpdateProxy group or, to alleviate the
security issues with such a move, by supplying credentials for DHCP, so it
owns all records it registers into DNS and can update the records as they
change. Otherwise, expect issues to occur.
---
Read the following for more info, which was compiled by Chris Dent concerning
short leases.
-
A high rate of change in DNS will lead to a large number of tombstoned
DNS entries.
It would seem reasonable to reconsider the DHCP lease duration; 8 hours
is, after all, extremely short.
Essentially you have:
* The amount of tombstoned data is increasing because of stale DNS records
* The number of stale DNS records is high because of the (potential)
rate of change of records in both Forward and Reverse Lookup
* The rate of change must be somewhat proportional to changing leases in DHCP
The DNS Record lifecycle is this:
1. Record Created (as dnsNode)
2. When Timestamp is no longer updated and Aging Intervals pass Record
becomes Stale
3. Stale Record is removed from the active DNS system and dnsTombstoned
is set to TRUE
4. Tombstoned record exists for value of DsTombstoneInterval (7 days by
default)
5. DnsNode object is moved to Deleted Objects for value of
tombstoneLifetime (120 days by default for domains built with 2003 SP1;
60 days prior to that)
Therefore, you either reduce the rate of change by increasing the lease
duration, or put up with inaccuracy in DNS (by limiting Aging /
Scavenging), or put up with increasing directory size.
The directory size should level out eventually, when you reach the point
where the number of tombstoned records being flushed is equal to the
number being created.
==========
The following links provide additional information on how it all works.
How to configure DNS dynamic updates in Windows Server 2003.
http://support.microsoft.com/kb/816592
Using DNS Aging and Scavenging: Aging and scavenging of stale resource records
are features of Domain Name System (DNS) that are available when you deploy your
server with primary zones.
http://technet.microsoft.com/en-us/library/cc757041.aspx
Microsoft Enterprise Networking Team: Don't be afraid of DNS scavenging, just be
patient (Mar 19, 2008). DNS scavenging is a great answer to a problem that has
been nagging everyone since RFC 2136 came out way back in 1997.
http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
DHCP, DNS and the DNSUpdateProxy-Group (Directory Services/Active Directory):
I had a discussion in the newsgroups lately about DHCP and the
DNSUpdateProxy-Group which is used to write unsecured DNS-Entries to a DNS-Zone
which only ...
http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx
And from Kevin Goodnecht:
Setting up DHCP for DNS registrations
http://support.wftx.us/setting_up_dhcp_for_dns_registra.htm
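As an added example, not code from this thread or from Ace's write-up: a Python script that audits a zone dump for exactly the conditions discussed above (one host name holding several A records, one IP inherited by a second name while the old name still points at it, static records with no timestamp that scavenging never touches, and dynamic records already past the No-refresh plus Refresh window, so scavengeable now). It assumes the `dnscmd <server> /enumrecords <zone> @ /type A` line format `name [Aging:N] TTL TYPE DATA` with Aging counted in hours since 1 January 1601; the zone contents, host names and addresses are constructed for the example, and the 7-day/7-day intervals match the settings Kashif reports.

```python
"""Audit a Windows DNS zone dump for the symptoms discussed in this thread:
one name with several A records, one IP claimed by several names, static
records (no timestamp, never scavenged) and records already scavengeable.
Input is assumed to be dnscmd-style "name [Aging:N] TTL TYPE DATA" lines,
Aging being whole hours since 1601-01-01 UTC. The zone dump below is
constructed for the example and is not real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

EPOCH = datetime(1601, 1, 1)
NOW = datetime(2009, 8, 17, 12, 0)  # pinned for reproducibility; use utcnow() live
LINE_RE = re.compile(r"^(\S+)\s+(?:\[Aging:(\d+)\]\s+)?(\d+)\s+([A-Z]+)\s+(.+?)\s*$")


class Record(NamedTuple):
    name: str
    timestamp: Optional[datetime]  # None: static record, created by hand
    ttl: int
    rtype: str
    data: str


def aging_hours(ts: datetime) -> int:
    """datetime -> Aging value (whole hours since the 1601 epoch)."""
    return int((ts - EPOCH).total_seconds() // 3600)

def aging_to_datetime(hours: int) -> datetime:
    return EPOCH + timedelta(hours=hours)

def _dyn(name: str, age_days: float, ip: str) -> str:
    """One dynamic A record line, timestamped age_days before NOW."""
    return f"{name} [Aging:{aging_hours(NOW - timedelta(days=age_days))}] 1200 A {ip}"


# Constructed sample in dnscmd /enumrecords output style (names and IPs made up).
SAMPLE_DUMP = "\n".join([
    "Returned records:",
    "@ 3600 A 10.1.10.20",                       # registered by the DC itself
    "dc1 3600 A 10.1.10.20",
    "dc2 3600 A 10.1.10.21",
    "www 3600 CNAME webserver.mycompany.com.",  # hand-made, so no timestamp
    "webserver 3600 A 10.1.10.30",
    _dyn("pc-kashif", 20, "10.1.10.101"),       # old lease, never updated
    _dyn("pc-kashif", 2, "10.1.10.117"),        # current lease
    _dyn("pc-sales01", 1, "10.1.10.101"),       # inherited pc-kashif's old IP
    _dyn("pc-old", 40, "10.1.10.140"),          # machine is gone
    "Command completed successfully.",
])


def parse_enumrecords(text: str) -> List[Record]:
    """Parse record lines; banner and trailer lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, aging, ttl, rtype, data = m.groups()
            ts = aging_to_datetime(int(aging)) if aging else None
            records.append(Record(name, ts, int(ttl), rtype, data))
    return records

def find_duplicates(records):
    """Return ({name: ips} with more than one IP, {ip: names} with more than one
    name) over A records. The apex '@' is skipped: DCs register the domain name
    with their own address, so '@' sharing a DC's IP is normal."""
    by_name, by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        if r.rtype == "A" and r.name != "@":
            by_name[r.name].add(r.data)
            by_ip[r.data].add(r.name)
    return ({n: s for n, s in by_name.items() if len(s) > 1},
            {ip: s for ip, s in by_ip.items() if len(s) > 1})

def static_records(records):
    """Records with no timestamp: scavenging never removes these."""
    return [r for r in records if r.timestamp is None]

def scavenge_candidates(records, now=NOW, no_refresh_days=7, refresh_days=7):
    """Dynamic records whose timestamp + No-refresh + Refresh has passed: the
    test a scavenging pass applies, so with 7 + 7 days a stale entry lingers at
    least two weeks after its last timestamp update."""
    window = timedelta(days=no_refresh_days + refresh_days)
    return sorted((r.name, r.data) for r in records
                  if r.timestamp is not None and r.timestamp + window <= now)

def report(text=SAMPLE_DUMP):
    recs = parse_enumrecords(text)
    dup_names, dup_ips = find_duplicates(recs)
    out = [f"{len(recs)} records, {len(static_records(recs))} static (never scavenged)"]
    out += [f"name {n} has A records: {', '.join(sorted(s))}" for n, s in sorted(dup_names.items())]
    out += [f"ip {ip} claimed by: {', '.join(sorted(s))}" for ip, s in sorted(dup_ips.items())]
    out += [f"scavengeable now: {n} -> {ip}" for n, ip in scavenge_candidates(recs)]
    return "\n".join(out)


if __name__ == "__main__":
    print(report())
```

Against a real zone, feed the text of `dnscmd <server> /enumrecords <zone> @ /type A` into `report()`. A name listed with two A records while DHCP is supposed to own its record is the symptom Ace describes (the record was registered by a different entity than the one now trying to update it); a record the script calls scavengeable but which is still in the zone means the scavenging server has not run its pass yet, or aging is not enabled on that zone.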