unable to resolve dns

sugu

Programmer
Jan 12, 2004
90
SG
Hi,

I have a problem with the DNS for my organisation.

Whenever we try to access anything with my company's domain name on the internet, I get the DNS error.

I did a netdiag /fix and the following is the result:

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry nxgencomms.com.sg. re-registeration on D
NS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.nxgencomms.com.sg. re-registe
ration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.nxgencomms.com.sg.
re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.nxgencomms.com.sg.
re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.gc._msdcs.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34' fai
led.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.330c6a9f-6af8-4a06-84cb-848ef
8bc4fad.domains._msdcs.nxgencomms.com.sg. re-registeration on DNS server '210.19
3.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry gc._msdcs.nxgencomms.com.sg. re-register
ation on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry c0ddda7f-2a59-42ea-9e13-463e913aeb1d._ms
dcs.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.nxgencomms.com.
sg. re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._
sites.dc._msdcs.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34'
failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.nxgencomms.com.sg.
re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.dc._msdcs.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34' fai
led.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.nxgencomms.com.sg. re-reg
isteration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._
sites.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _gc._tcp.nxgencomms.com.sg. re-registera
tion on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.
nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.nxgencomms.com.sg. re-reg
isteration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.nxgencomms.com.sg. re-regi
steration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.nxgencomms.com.sg. re-regi
steration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry DomainDnsZones.nxgencomms.com.sg. re-reg
isteration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.DomainDnsZones.nxgencomms.com
.sg. re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.DomainDnsZones.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34
' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry ForestDnsZones.nxgencomms.com.sg. re-reg
isteration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.ForestDnsZones.nxgencomms.com
.sg. re-registeration on DNS server '210.193.2.34' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.ForestDnsZones.nxgencomms.com.sg. re-registeration on DNS server '210.193.2.34
' failed.
DNS Error code: 0x00002339
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for th
is DC on DNS server '210.193.2.34'.
[FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{42D92FC0-C25B-44D8-895F-4A0973C3AE8E}
NetBT_Tcpip_{76CBBE35-0513-4D16-BAF1-84222F9A841D}
The redir is bound to 2 NetBt transports.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{42D92FC0-C25B-44D8-895F-4A0973C3AE8E}
NetBT_Tcpip_{76CBBE35-0513-4D16-BAF1-84222F9A841D}
The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed

It's a Win 2003 SP1 server. In the TCP/IP configuration the DNS server is pointing to the IP address of the ISP.

What should I do to solve this problem?

Thanks in advance!
-su
 
If you're trying to access your domain from the internet using your domain name, you're going to have to do more than just configure DNS to query your ISP's DNS servers. Doing that only tells the computer to look up those servers to find the IP address that corresponds with a certain domain.

If you're wanting to set up, say, a web server or e-mail server, you will need to register the domain and have a DNS server set up on your location available to the public.

Justin
 
sugu, your Windows DNS server should always point to itself. Then, in the DNS settings, you set up your ISP's DNS servers under Forwarding. Otherwise your server is trying to register itself with your ISP's servers, which won't be allowed. Then nothing will work.
 
Jpm121,

How do I go about doing that? In the DNS manager or TCP/IP?
 
Both! In the TCP property page of your network adaptor, type the IP address of the server itself.

Then, in DNS manager properties (under Administrator Tools) find the Forwarders tab and list your ISP's DNS servers.

It's a common mistake, and it thoroughly breaks Windows 2000/2003 AD.
 
jpm121, a DNS server can work without forwarders, provided it can freely access the internet. The DNS host file contains sufficient info to process queries to the DNS root servers directly. Forwarders compel your DNS server to ask only a limited number of "trusted" DNS servers over the internet. But that's another issue.

Sugu, your problem seems to be a "split DNS" problem. The easiest debugging tool is nslookup, which you can use by opening a console (run cmd.exe).

Could you give us the output of the following, when logged onto your DNS server:

nslookup -q=all your_domain

nslookup -q=all your_domain ns.sun.com

The first command tells you where your DNS server thinks your_domain is.
The second command tells you where the internet thinks your_domain is.
 
OK, my first guess wasn't correct. It seems you haven't activated Dynamic DNS (DDNS) on your DNS servers (pridns and secdns) and that your AD fails to connect correctly to its DNS servers.

Let me explain: your AD is NOT a (primary) DNS server for your domain, so it's trying to register its SRV entries on nxgencomms.com.sg's DNS (SRVs are explained below). But then it gets an error message... because it can't write on the DNS server.

A few solutions:

1/ Allow DDNS on your DNS servers. Beware!! Given your architecture, this can be a major security flaw: unless you're careful, anyone on the internet could declare his machine in your domain and he would be automatically registered.

2/ Hardwire the AD data in your DNS servers. I don't quite remember how you do that. I know there's a text file somewhere on AD with all the required SRV entries that you're supposed to copy into your DNS server. It's not optimal since you'd need to copy this file every time you change your AD. More later if you're interested.

3/ Make your AD a DNS server. Beware, given your architecture, this can get complicated and very insecure (your AD could be queried directly from the internet if you're not careful...).

SRVs: DNS's initial purpose is to relate machines with IP addresses; this has evolved a little, and now DNS also relates machines to services. For instance, you might need to know who's the web server in your domain. With old DNS servers, you'd need to guess that the machine would be called "www" or something like that before you query the DNS server. What would your guess be if you were looking for a time server? A key server? Not obvious... That's where SRVs are useful: in these examples, you'd simply query the DNS server for machines that host http (tcp/80), ntp (udp/123), kerberos (tcp/88), etc. No need to know the exact name of the machine. This is really important for AD: when a W2000 client logs in, it asks its DNS servers where to find an authentication service (Kerberos). That's why your AD needs to write stuff in the DNS.


By the way, a last remark on safety: when I asked for the output, I didn't mean the "exact" output :) The stuff you wrote is kind of... confidential. Don't forget to replace names whenever appropriate.
Example: nxgencomms.com.sg <-> toto.com

Or you can write directly to me if you really need to get into private stuff. Your problem seems pretty fun :) so it could interest this forum.
 

How do I go about doing option 2: to copy the SRV entries from AD?

Thanks!
 

I have found the txt file in the AD, which is the Netlogon.dns.

Do I just copy the file to the primary zone file?
 
Hi sugu,

Sorry I wasn't available. Yes, you found the hard part :)
Here's the procedure:

1/ Back up your DNS configuration. I usually copy the configuration file in the same directory with another name. Be careful to also copy file ownership rights (`cp --preserve` under UNIX)
2/ Stop the DNS daemon
3/ Open the DNS zone file for nxgencomms.com.sg
4/ Copy the lines of netlogon.dns in the zone
5/ Increment the serial number of your zone by 1, to ensure propagation to the other DNS servers
6/ Save the file
7/ Restart the DNS daemon

This should have fixed the issue with netdiag /fix. If it doesn't, roll back. Something might be missing.

Try to figure out if this solved the initial problem. If not, try to give us more information.

CAUTION!! I must warn you, I don't like this solution, but just mention it for the fun of it... You're about to put sensitive material (SRV settings for your internal architecture) on the Internet through a DNS server open on the internet. This is not advisable.

Actually, the real question is: why do you want to keep an internal domain with the name you use over the internet? This is not safe. We can talk about that later if you want, if you're interested in "split DNS".

Good luck!

Idriss
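
Steps 4 and 5 of the procedure above as a sketch (an added example, not part of the original post): it appends only the netlogon.dns records that are not already in the zone and increments the SOA serial once. example.com, the addresses and the function names are constructed stand-ins, and the zone is assumed to be a BIND-style text file in which the AD records use fully qualified owner names.

```python
import re

# Constructed sample data: example.com stands in for the real domain.
NETLOGON_DNS = """\
example.com. 600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
"""
ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2006011201 ; serial
        3600 900 604800 3600 )
@ IN NS ns1.example.com.
ns1 IN A 192.0.2.53
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
"""

# First integer after "SOA <mname> <rname>", with or without the "(" form.
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")

def record_key(line):
    """Return (owner, type, rdata...) for a fully qualified record, else None."""
    fields = line.split(";")[0].lower().split()
    if len(fields) < 3 or not fields[0].endswith("."):
        return None  # blank line, $directive, SOA body or relative owner
    rest = fields[1:]
    while rest and (rest[0].isdigit() or rest[0] == "in"):
        rest = rest[1:]  # skip optional TTL and class so they don't affect matching
    return (fields[0], *rest) if rest else None

def merge(zone, netlogon):
    """Append records missing from the zone; bump the serial only if any were added."""
    present = {record_key(line) for line in zone.splitlines()}
    missing = [line.strip() for line in netlogon.splitlines()
               if record_key(line) and record_key(line) not in present]
    if not missing:
        return zone, []  # nothing changed, so secondaries need no refresh
    bumped, n = SOA_SERIAL.subn(
        lambda m: m.group(1) + str(int(m.group(2)) + 1), zone, count=1)
    if n != 1:
        raise ValueError("SOA serial not found; refusing to edit the zone")
    return bumped.rstrip("\n") + "\n" + "\n".join(missing) + "\n", missing

if __name__ == "__main__":
    new_zone, added = merge(ZONE, NETLOGON_DNS)
    print(new_zone, "\nrecords that would become public:", len(added))
```

The returned list is exactly what becomes resolvable from the internet, which is the exposure the caution above refers to. Running it a second time on its own output adds nothing and leaves the serial untouched.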
 
Hi Idriss,

Can you please share with me how I could configure/set up the DNS server? I think the current configuration is not correct. And my colleagues and I are not able to surf the net at home using our office laptops (always receive the error "unable to resolve dns"), but the IP and DNS addresses are set to obtain automatically.

Can I communicate with you in private (via emails) regarding the DNS server?

Thanks!

-su
 