
How to prevent DC from trying to register on root DNS servers


Tim

Aug 29, 2008, 3:43:02 PM
I work in an AD environment - 1 forest/root domain, 2 domains, separate
non-AD domain for web pages, email, etc. I've noticed recently that I'm
getting the following error on a few DCs in my domains (Event ID is 5774,
source is Netlogon):

The dynamic registration of the DNS record '<domain name>. 600 IN A <DC IP
address>' failed on the following DNS server:

DNS server IP address: 217.19.248.20 (Root DNS Server - dns1.idp365.net)
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must
be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and
initiate registration of the DNS records by the domain controller. To
determine what might have caused this failure, run DCDiag.exe. You can find
this program on the Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and
Support Center. To initiate registration of the DNS records by this domain
controller, run 'nltest.exe /dsregdns' from the command prompt on the domain
controller or restart Net Logon service. Nltest.exe is available in the
Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

These DCs are not NAT'd, have no external IP registered with SafeNames (our
DNS registration vendor), and the only external DNS records for the root
domain are an A record to redirect www.domain.net to www.domain.net and an MX
5 record pointing to mail.idp365.net. Can someone point me in the right
direction to correct my internal DNS so that it doesn't try to register with
any other external root DNS servers? Is it the MX record?


Thanks in advance for your help.

Ace Fekay [MVP Directory Services]

Aug 30, 2008, 2:20:29 AM
In news:61643799-1305-498A...@microsoft.com,
Tim <T...@discussions.microsoft.com> requesting assistance, typed the
following:


Curious, why even bother creating an MX record internally? If you are
hosting a public domain on the internet, and you host your own email, then I
would create an MX record to tell the rest of the world what the mail
exchanger is. Otherwise, nothing internally will use an MX record. They are
only for MTA to MTA (mail server to mail server) communication. Internal
mail clients, whether MAPI, POP3, or IMAP4, do not use them, unless of course
you have some sort of application running that needs to look up the mail
exchanger or your internal mail server? Apps are usually just configured to
use the mail server directly by IP to send mail, such as notifications,
alerts, etc. Therefore the MX record for your publicly registered domain
name will only exist on your public zone.

So if this server is not hosting public records, I would delete the MX.

Next, I think your "redirect" is incorrect. Matter of fact, DNS does not
offer any sort of redirection features or options. That is an IIS feature.

What is the purpose of the "redirect"? Is your internal domain name and
external domain name the same? If so, it's called a split zone. To allow
your internal users to get to your external webserver in such a scenario,
simply create an "A" www record and provide the IP address of the external
web server. If your ISP uses more than one web server, such as a server
farm, instead of an "A" record, I suggest creating a delegation for 'www'
to the public name servers. This can be done by right-clicking your zone, new
delegation, type in www, and provide the SOA of your public domain.

As for getting to the domain with http://domain.com (without the www in
front of it), that is problematic because EACH domain controller registers
itself into DNS with an IP address as:
(same as parent) A IpOfTheDomainController

It's actually called the LdapIpAddress. AD uses that record for a number of
things, such as GPOs and DFS. Don't mess with it please.

To get around that, on EACH DC, install IIS. In the default website
properties, directory tab, redirect it to www.domain.com.

I hope that helps.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

Infinite Diversities in Infinite Combinations
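The two zone-side points in the reply above (leave the "(same as parent)" A records to the DCs, and serve a split zone by adding a www A record for internal clients) as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later, not the 2003-era tooling the thread discusses), and the zone name and the public web server address are placeholders to replace.

```powershell
# Added example, not from the thread. Assumes the DnsServer and ActiveDirectory
# PowerShell modules (Windows Server 2012 or later). Run on a DNS server or with
# RSAT against one.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName      = 'domain.net'     # placeholder: your internal (AD-integrated) zone
$ExternalWwwIP = '203.0.113.10'   # placeholder: public web server (TEST-NET-3 address)

# 1. Apex "(same as parent)" A records. Each DC registers its own address here
#    (the LdapIpAddress record that AD uses for GPOs, DFS, etc.). Every apex A
#    record should belong to a DC; anything else was added by hand and is suspect.
$dcAddresses = (Get-ADDomainController -Filter *).IPv4Address
$apexRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType A

foreach ($record in $apexRecords) {
    $ip = $record.RecordData.IPv4Address.IPAddressToString
    if ($dcAddresses -contains $ip) {
        Write-Output "OK      apex A $ip belongs to a domain controller (leave it alone)"
    } else {
        Write-Warning "apex A $ip is NOT a domain controller; find out who added it"
    }
}

# 2. Split zone: internal clients need a 'www' A record that points at the public
#    site, because the internal zone hides the public one from them.
$www = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'www' -RRType A -ErrorAction SilentlyContinue
if (-not $www) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'www' -IPv4Address $ExternalWwwIP
    Write-Output "Added www.$ZoneName -> $ExternalWwwIP"
} else {
    Write-Output ("www.$ZoneName already resolves to " +
        (($www.RecordData.IPv4Address | ForEach-Object { $_.IPAddressToString }) -join ', '))
}

# 3. MX records in the internal zone. Nothing internal needs them; list them so
#    they can be reviewed (and removed if the zone is not serving public records).
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType MX -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Output ("MX      {0} -> {1} (preference {2})" -f $_.HostName,
            $_.RecordData.MailExchange, $_.RecordData.Preference)
    }
```

Step 1 only reports; the apex records are maintained by Netlogon on each DC and should not be edited by hand. Step 2 uses a plain A record; for a hosted server farm the reply's alternative, a delegation of www to the public name servers, would replace it.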

Ace Fekay [MVP Directory Services]

Aug 30, 2008, 2:21:49 AM
In news:61643799-1305-498A...@microsoft.com,
Tim <T...@discussions.microsoft.com> requesting assistance, typed the
following:

Forgot to add, make absolutely sure that all DCs, member servers and
workstations are only using the internal DNS. If not, the machines may be
trying to register into the external DNS server. It also causes numerous
AD and domain communication issues.

Ace
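An added PowerShell example (not code from the thread) for the check in this reply and for the symptom in the original post: it walks every DC, reports any DNS client server address that is not on the internal list, and pulls recent Netlogon event 5774 entries so the DNS server that refused the registration is visible in one place. It assumes the ActiveDirectory module, PowerShell remoting to the DCs, and Windows Server 2012 or later on them (for Get-DnsClientServerAddress); the internal DNS addresses are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module, WinRM
# remoting to each DC, and Server 2012+ on the DCs (DnsClient module).
Import-Module ActiveDirectory

# Placeholder list: the ONLY DNS servers that DCs and members should point at.
$InternalDns = @('10.0.0.10', '10.0.0.11')
$Since       = (Get-Date).AddDays(-7)

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # 1. DNS client settings on the DC. A server outside the internal list is the
    #    usual reason a DC tries to register its records with an external server.
    $servers = Invoke-Command -ComputerName $name -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            ForEach-Object { $_.ServerAddresses }
    }
    foreach ($s in $servers) {
        if ($InternalDns -notcontains $s) {
            Write-Warning "$name : DNS client points at $s, which is not an internal DNS server"
        }
    }

    # 2. Netlogon 5774 events (dynamic registration failed) from the last week.
    #    Get-WinEvent errors when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -ComputerName $name -FilterHashtable @{
        LogName = 'System'; Id = 5774; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The event text names the server that refused the update, as in the post.
        $target = if ($e.Message -match 'DNS server IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        Write-Output ("{0}  {1}  5774: registration refused by DNS server {2}" -f
            $e.TimeCreated, $name, $target)
    }
}
```

Once a DC's DNS client list has been corrected, the registration can be retried immediately with the command the event itself suggests, nltest /dsregdns on that DC, rather than waiting for the next Netlogon refresh; rerunning the script afterwards should show no new 5774 entries.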

