<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-reply;
font-family:"Verdana","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
.MsoPapDefault
{mso-style-type:export-only;
line-height:115%;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='line-height:115%'><span lang=EN-US>>What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)? <o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>only their own name, nothing more<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>>Are there any "same as zone" records that point to your DC IPs? (this is common if DNS is AD integrated) <o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>yes<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>internal.wienit.at is a round robin to all DC IPs<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>gc._msdcs.internal.wienit.at is also a round robin to all DC IPs<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>I don't know if a long time ago it was AD integrated, but in the last few years it certainly was not.<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>>Do you see in the Event Viewer on the DC that it is successfully registering the A, PTR and SRV records? 
(not sure what log this is in, been a little while since I looked last).<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>yes that's working too, otherwise there would be a lot more errors<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>I even see every update in the messages log on the dns-server, all working<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>>I know you said it was the case, but your BIND config has one of the following options set?<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>> - allow-update { address_match_list }; <-- If the DC is pointing to the master BIND server<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>> - allow-update-forwarding { address_match_list }; <-- if the DC is pointing to the slave BIND server<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>updates are working<o:p></o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='line-height:115%'><span lang=EN-US>>What happens if you issue the ipconfig /registerdns command from the DCs?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>I think I did that some time ago... the DC kicked all of its own Records and then put them back in...<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>---<o:p></o:p></span></p><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>Ing. Christian Melbinger<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>Netzwerk & Security<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>WienIT EDV Dienstleistungsgesellschaft mbH & Co KG<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>A-1030 Wien, Thomas-Klestil-Platz 6<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>tel: +43 (1) 90405 47188<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>fax: +43 (1) 90405 88 47188<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:gray'>mailto:christian.melbinger@wienit.at<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Will Lists [mailto:listswill@gmail.com] <br><b>Sent:</b> Tuesday, 03 January 2012 14:07<br><b>To:</b> bind-users@lists.isc.org<br><b>Cc:</b> Melbinger Christian<br><b>Subject:</b> Re: MS AD 2008R2 and bind<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='line-height:115%'>On Tue, Jan 3, 2012 at 4:00 AM, Melbinger Christian <<a href="mailto:Christian.Melbinger@wienit.at">Christian.Melbinger@wienit.at</a>> wrote:<o:p></o:p></p></div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE-AT style='font-size:10.0pt'>Hi</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE-AT style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>My company moved to a 2008R2 Domain Controller environment. 
Now I see the following message in the windows log:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt'>Title</span></b><span lang=EN-US style='font-size:10.0pt'>: This domain controller must register its correct IP addresses with the DNS server</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt'>Severity</span></b><span lang=EN-US style='font-size:10.0pt'>: Error</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt'>Category</span></b><span lang=EN-US style='font-size:10.0pt'>: Configuration</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt'>Issue</span></b><span lang=EN-US style='font-size:10.0pt'>: The Domain Name System (DNS) host resource records for this domain controller's fully qualified domain name currently map to the IP addresses that do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 10.2.2.2.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt'>Impact</span></b><span lang=EN-US style='font-size:10.0pt'>: Other member computers and domain controllers in the domain or forest might not be able to locate this domain controller. 
This domain controller will not be able to provide a full suite of services.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt'>Resolution</span></b><span lang=EN-US style='font-size:10.0pt'>: Ensure that the DNS Client service on this domain controller is configured and able to register valid host resource records with an authoritative DNS server for the domain.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>More information about this best practice and detailed resolution procedures: <a href="http://go.microsoft.com/fwlink/?LinkId=131229" target="_blank">http://go.microsoft.com/fwlink/?LinkId=131229</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>All Domain Controllers have zone updates rights on the master dns server, and according to the logfile updating zones works.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>My DNS-Servers are running BIND 9.7.3-P3.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p 
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>So this is presumably not a problem of the bind servers themselves, but still, does anyone have an idea how to get rid of the error messages?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>Anyone know the checkbox to unset? I didn't find one...</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>With regards</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'>Christian Melbinger</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;color:gray'>---</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;color:gray'>Ing. 
Christian Melbinger</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE-AT> </span><o:p></o:p></p></div></div></blockquote></div><p class=MsoNormal style='line-height:115%'><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><p class=MsoNormal style='line-height:115%'>-- <br><br>I'm just going to throw out a few ideas, not sure any or all of them will get you in the right direction...but I had significant issues with DCs and dynamic updates following a migration from AD integrated DNS to BIND.<o:p></o:p></p><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'><br>What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)? <o:p></o:p></p><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'>Are there any "same as zone" records that point to your DC IPs? (this is common if DNS is AD integrated) <o:p></o:p></p></div><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'>Do you see in the Event Viewer on the DC that it is successfully registering the A, PTR and SRV records? 
(not sure what log this is in, been a little while since I looked last).<o:p></o:p></p></div><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'>I know you said it was the case, but your BIND config has one of the following options set?<o:p></o:p></p></div><div><div><p class=MsoNormal style='line-height:115%'> - allow-update { address_match_list }; <-- If the DC is pointing to the master BIND server<o:p></o:p></p></div><div><p class=MsoNormal style='line-height:115%'> - allow-update-forwarding { address_match_list }; <-- if the DC is pointing to the slave BIND server<o:p></o:p></p></div><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'>What happens if you issue the ipconfig /registerdns command from the DCs?<o:p></o:p></p></div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'>- Will<o:p></o:p></p></div><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div><p class=MsoNormal style='line-height:115%'><o:p> </o:p></p></div></div></div></body></html>