
Windows Server 2003 SP1 dcdiag DNS Changes


Mike

Apr 5, 2005, 11:57:02 AM

With Windows Server 2003 SP1, dcdiag now has more extensive DNS tests built
in. I have a forest design with an empty root domain which contains 2 sub
domains. Each domain runs AD integrated DNS, has 2 forwarders configured for
external name resolution, and in following best practices, does not have any
root hints configured. The forest root has a secondary lookup zone for each
of the sub domains, and each of the sub domains has a secondary lookup zone
for the forest root.

Up until I installed SP1, dcdiag never gave me any warnings or errors.
After installing SP1, the forest is still healthy, but when running extensive
dcdiag tests on my 2 sub domains, the new DNS tests are failing in one key
place.

From the dcdiag output, where [First Forwarder] and [Second Forwarder] are
the IP addresses of my 2 forwarders, and [Forest Root] is my forest root:

DNS server: [First Forwarder] (<name unavailable>)
1 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.[Forest Root]. failed on
the DNS server [First Forwarder]

DNS server: [Second Forwarder] (<name unavailable>)
1 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.[Forest Root]. failed on
the DNS server [Second Forwarder]

I'm not sure why the DnsForwarders test is failing. Why is dcdiag trying to
look up the _ldap SRV record for my forest root on each of the forwarders I
have configured? Since each of the sub domains has secondary lookup zones
for the forest root, why would dcdiag not check the _ldap SRV record on the
DC's own DNS server?

Thanks,

Mike

Mike

Apr 5, 2005, 6:23:03 PM

Just for the sake of trying it, I re-added the root hints on the 2 sub domains
and reran the dcdiag DNS tests (dcdiag /test:DNS).

dcdiag also tries to look up the _ldap SRV records for my forest root on each
of the defined root servers, where [Forest Root] is my forest root:

DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
Name resolution is not functional. _ldap._tcp.[Forest Root]. failed on
the DNS server 128.63.2.53

DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
Name resolution is not functional. _ldap._tcp.[Forest Root]. failed on
the DNS server 128.8.10.90

....

Can I assume this is just a bug in dcdiag and not a problem with my
configuration?

Kevin D. Goodknecht Sr. [MVP]

Apr 8, 2005, 7:02:37 PM

Mike wrote:
> Just for the sake of trying it, I re-added the root hints on the 2 sub
> domains and reran the dcdiag DNS tests (dcdiag /test:DNS).
>
> dcdiag also tries to look up the _ldap SRV records for my forest root
> on each of the defined root servers, where [Forest Root] is my forest
> root:
>
> DNS server: 128.63.2.53 (h.root-servers.net.)
> 1 test failure on this DNS server
> This is not a valid DNS server. PTR record query for the
> 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
> Name resolution is not functional. _ldap._tcp.[Forest
> Root]. failed on the DNS server 128.63.2.53
>
> DNS server: 128.8.10.90 (d.root-servers.net.)
> 1 test failure on this DNS server
> This is not a valid DNS server. PTR record query for the
> 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
> Name resolution is not functional. _ldap._tcp.[Forest
> Root]. failed on the DNS server 128.8.10.90
>
> ....
>
> Can I assume this is just a bug in dcdiag and not a problem with my
> configuration?

It looks like you have a configuration problem: either you have your ISP's
DNS in TCP/IP properties, or you don't have a zone for your internal domain.
Either of these would cause your machine to start at the root servers to
find your AD domain.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
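
A parser for the per-server failure blocks quoted in this thread, added here as an example (it is not code from either poster or from Microsoft): it groups the failed queries by DNS server so the list can be compared with the DNS servers in the DC's TCP/IP properties and its forwarders. The sample input is constructed; `corp.example` and `192.0.2.10` are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the dcdiag /test:DNS output quoted in the thread.
# corp.example and 192.0.2.10 are placeholders, not values from the thread.
SAMPLE = """\
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
Name resolution is not functional. _ldap._tcp.corp.example. failed on
the DNS server 128.63.2.53

DNS server: 192.0.2.10 (<name unavailable>)
1 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.corp.example. failed on
the DNS server 192.0.2.10
"""

HEADER = re.compile(r"^DNS server: (.+?) \((.*)\)$")
COUNT = re.compile(r"(\d+) test failures? on this DNS server")
FAILED = re.compile(r"(PTR record query for the|Name resolution is not functional\.)"
                    r" (.+?) failed on the DNS server")


def parse_dns_failures(text):
    """Group dcdiag failure messages by the DNS server they were reported for."""
    sections = []  # one [server, name, body_lines] entry per "DNS server:" header
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            sections.append([m.group(1), m.group(2), []])
        elif sections:
            sections[-1][2].append(line)
    report = {}
    for server, name, body in sections:
        joined = " ".join(" ".join(body).split())  # undo the console line wrapping
        m = COUNT.search(joined)
        failed = [("PTR" if kind.startswith("PTR") else "lookup", qname.rstrip("."))
                  for kind, qname in FAILED.findall(joined)]
        report[server] = {"name": name, "reported": int(m.group(1)) if m else 0,
                          "failed": failed}
    return report


def servers_failing(report, prefix="_ldap._tcp."):
    """Servers on which a lookup for a name starting with `prefix` failed."""
    return sorted(s for s, r in report.items()
                  if any(k == "lookup" and q.startswith(prefix) for k, q in r["failed"]))
```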

