
MY DNS TROUBLES

Discussion in 'Windows Home Server' started by Kashif, Aug 11, 2009.

  1. Kashif

    Kashif Guest

    When we installed AD and DNS together we used our company.com for the internal
    AD-DNS server. I think this is a bad practice. We had to create a "www" host
    record pointing to our website's public IP address so it resolves every time we
    type our companyname.com in the browser. If we had not done that, the DNS query
    would try to resolve the website at the AD-DNS server and show me an error page.
    So this worked fine for years. I had my DNS forwarder set to the ISP, then on our
    firewall vendor's recommendation I changed it to 4.2.2.3 and 4.2.2.3. So both of
    my DC1 and DC2 DNS forwarders are pointing to public DNS addresses for external
    queries.

    My DHCP server, which also runs on my DC1, only has its scope options set:
    Router = the firewall LAN IP 10.1.10.1, DNS servers = 10.1.10.20 and 10.1.10.21,
    and DNS domain name = Companyname.com.

    Clients happily get the above settings from DHCP. I didn't have any major
    issues with DNS until recently.

    I have always had this issue in my DNS, which I thought was not a big deal
    because I never had DNS authentication issues with Windows XP clients or any
    other major issue.

    In my DNS log I have noticed this informational message many times but ignored
    it since it is just informational:
    The DNS server encountered an invalid domain name in a packet from
    222.191.251.132. The packet will be rejected. The event data contains the DNS
    packet.

    Another thing I noticed is that my forward and reverse lookup zones, for some
    odd reason, point to multiple IP addresses for the same machine.
    For example: TAG-255 would be 10.1.10.150, 10.1.10.163, 10.1.10.90. So I
    used to go and do clean up but never really understood why the heck it is
    doing it.

    The most important recent issue which I'm having, and a very weird one:
    when I go to my company website, we have this JavaScript that does a slide
    show of multiple images. It never works but gives me a JavaScript error on
    the page.

    After spending several hours with the firewall vendor we found it is not the
    firewall; it is again the DNS causing this issue.

    This website page works fine when there is no firewall; I have accessed it
    from home and other folks' homes and it worked great.

    It seems to work when I manually assign DNS on my XP machine = 4.2.2.2. It
    works like a charm.

    It doesn't work when DHCP assigns IP address = 10.1.10.20 and 10.1.10.21.
    But what I don't understand is that both of my local AD-DNS server forwarders
    are pointing to 4.2.2.2 and 4.2.2.3.....


    Hope someone can point me in the right direction, it is a pain.......
     
  2. "Kashif" <Kashif@discussions.microsoft.com> wrote in message
    news:DB215008-E19D-4A5E-8BE9-143C6464D3E9@microsoft.com...


    Not sure about the Java error, but if the website is trying to get to your
    domain name without the 'www', then that will be a problem. The way it is,
    with the same internal/external name, to create that record takes a few more
    changes to the DCs, because a record already exists, but it points to all the
    DCs. Check the coding in the website to see if it is referencing your domain
    name with that name (without the www).

    But for the other things going on with DNS and the multiple records, it
    sounds to me like one of the DCs is multihomed, has more than one IP, or
    RRAS is installed on it.

    Please post an unedited ipconfig /all from both DCs, to better assist you.

    Also, with the firewall, does it allow EDNS0? By default, Windows 2003 and
    newer uses EDNS0, a relatively new industry implementation (that many other
    vendors now use as well), that allows DNS UDP packets greater than 512
    bytes. For Cisco firewalls (ASA and PIX), run the following:

    fixup protocol dns maximum-length 1280

    If another vendor, check the docs.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    for regional support phone numbers.
     
  3. Kashif

    Kashif Guest

    Thanks for the tip.

    You were right, the web developer hard coded it in the JavaScript.
    Although, I do have in DNS a "www" CNAME pointing to the webserver IP
    address. The coding was causing the issue.

    I am not following your comments "DCs is multihomed, has more than one IP, or
    RRAS is installed on it."

    C:\Program Files\Support Tools>ipconfig/all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : dc1
    Primary Dns Suffix . . . . . . . : Mycompany.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : Mycompany.com

    Ethernet adapter Broadcom-1:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
    (NDIS VBD Client)
    Physical Address. . . . . . . . . : 00-19-B9-D9-70-BF
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.1.10.20
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Default Gateway . . . . . . . . . : 10.1.10.1
    DNS Servers . . . . . . . . . . . : 10.1.10.20
    10.1.10.200

    C:\>ipconfig/all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : DC2
    Primary Dns Suffix . . . . . . . : Mycompany.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : Mycompany.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
    Physical Address. . . . . . . . . : 00-11-85-D4-34-F4
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.1.10.21
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Default Gateway . . . . . . . . . : 10.1.10.1
    DNS Servers . . . . . . . . . . . : 10.1.10.20
    10.1.10.21

    I couldn't find the RRAS service in the services console on either DC.
    What is RRAS?
    I will also check with my firewall company and get back to you soon.

    Thanks for all your help!!!!



    "Ace Fekay [MCT]" wrote:
     
  4. "Kashif" <Kashif@discussions.microsoft.com> wrote in message
    news:DA263455-3C9F-4EBE-B0F1-0BE9C341E4B9@microsoft.com...

    Thanks for posting that. It looks good. I assume your DC/DNS servers are
    10.1.10.20, 10.1.10.21 and 10.1.10.200.

    Do you have a reverse zone created for 10.1.10.x?

    As for the 5504 invalid domain errors from 222.191.251.132, have you seen
    the following article?

    Event 5504 is logged when a Windows Server 2003-based DNS server receives a
    packet that contains a DNAME resource record


    You don't have a multihomed DC, from what I can see with your ipconfig. A
    multihomed DC would have two interfaces and/or RRAS installed on it.

    Also, in your previous post, you noticed the same hostname with multiple IP
    addresses. It sounds like you need to enable scavenging, as well as force
    your DHCP servers to own the records they register. This way, the DHCP
    server can update a machine when its IP changes instead of creating a new
    record. I'm not sure if you are aware of how to do that, therefore I'm
    posting (below) how to set up both scavenging and DHCP credentials to
    make this work.

    I hope it helps!!
    Ace

    ==================================================================
    DHCP, Dynamic DNS Updates , Scavenging, static entries & timestamps, and the
    DnsProxyUpdate Group
    ---
    By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
    First compiled 4/2006
    Updated 7/2009
    ---

    Keep in mind, the entity that registers the record in DNS owns the record.
    By default, a machine will update its own record with default DHCP settings;
    however, what we want to do to keep DNS clean, without additional records
    with the same name but different IP addresses in DNS, is to configure
    DHCP to own the record, so it can keep it up to date.

    The nice thing about DHCP owning the record is that it will update it if DHCP
    gives the machine a new IP. Otherwise you'll see multiples of the same name in
    DNS whether scavenging is enabled or not. I would force DHCP to own the record
    as well as enable scavenging to keep it clean. To force DHCP to own the record,
    you will need to do the following:

    1. Add the DHCP server to the DnsUpdateProxy Group.
    2. Force DHCP to register all records, Forward and PTR, (whether a client
    machine can do it or not) in the Option 081 tab (DHCP properties, DNS tab).
    3. Set Option 015 to the AD domain name (such as example.com).
    4. Set Option 006 to only the internal DNS servers.
    5. If the zone is set for Secure Updates Only, then DHCP cannot update
    non-Microsoft clients and Microsoft clients that are not joined to the
    domain. In this case, you will need to create and configure a user account
    for use as credentials for DHCP to register such clients.

    If your DHCP servers are Windows 2003 or Windows 2008, configure the dedicated
    user account you created as credentials in DHCP by going into the DHCP console,
    DHCP server properties, and on the Advanced tab of the DHCP Server Properties
    sheet click the Credentials button, and provide this account info. The user
    account does not need any elevated rights; a normal user account is fine,
    however I recommend using a strong non-expiring password on the account.

    This will also allow DHCP to register Win9x machines, as well as non-Windows
    machines, such as Linux, OS X (BIND based), and other Unix flavors.

    Once you implement scavenging, you will need to wait at least a week for it
    to take effect. You can quicken it up by manually deleting the incorrect
    records to get started.

    But more importantly, if DHCP is on a DC, it will not overwrite the
    original host record for a machine getting a new lease with an IP
    formerly belonging to another. To overcome this, configure the credentials
    account, as indicated above.

    There is another alternative if a DHCP server is on a DC. You can add the DC
    to the DnsUpdateProxy group. This will force DHCP to own all records it will
    create moving forward and will update an IP with a new name in DNS.

    With regards to the DnsUpdateProxy group, as said, this is one method, but
    normally, for the most part, it is not advised to use it, as it weakens
    security, INCLUDING the DC records if DHCP is on a DC. Preferably configure
    DHCP with an account. This can be done in W2K and W2K3 and up. Windows 2000
    requires the netsh command to do it, but on Windows 2003 it can be done in
    the GUI or with the netsh command.

    If you set this, but a record shows up in the DHCP lease list with a pen icon
    (which means that a write is pending), it may mean it is trying to register
    into a zone that does not exist on the DNS servers. This happens in cases
    where the client machine is not joined to the domain and has a missing or
    different suffix than the zone in DNS. It can only register into a zone that
    exists on DNS and that has been configured to allow updates.
    If this is the case, go into the client machine's IP properties, and
    on the DNS tab in TCP/IP properties, clear the "Register this connection's
    addresses in DNS" as well as the "Use this connection's DNS suffix in DNS
    registration" check boxes; the DHCP server will fill these in for you and
    register using the domain name in Option 015.

    ===

    Concerning records and timestamps, and lack of timestamps:

    If the record was manually created, it won't show a time stamp, however, if
    the record was dynamically registered, it will show a time stamp. My guess
    is the records you are referring to were manually created. If you manually
    create a record, the checkbox will not be checked to scavenge, however if it
    was dynamically registered, it will be checked. I just tested this
    with Windows 2003 DNS. When I had built a few servers for a customer and let
    them auto register, they had a timestamp and the scavenge checkbox was
    checked. For the records I manually created, such as internal www records,
    and others, they did not have a time stamp and were not checked to scavenge.

    Even if you allow auto registration, which I do by default, and it gets
    scavenged, it gets re-registered anyway by the OS. Unless you are seeing
    something going on that is affecting your environment, the default settings
    work fine; at least they do for me in all of my customers' installations
    I've worked in, where I've set scavenging and forced DHCP to own the records
    so it can update the records it had registered at lease refresh time.

    ==========

    Now if you reduce the DHCP lease to, say, 8 hours instead of the default 8
    days, a number of things can occur, such as increased tombstoning of DNS
    entries, which will increase the AD NTDS.dit file size, as well as possibly
    an inconsistency with the records in DNS, as well as issues with WINS trying
    to keep up with the changes, which will be evident with WINS event log error
    entries.

    Regarding the WINS issue, I've seen this once at a customer site years ago.
    It's always stuck in the back of my mind to keep this in mind when such a
    short lease is desired. I found a default lease works fine, as long as
    scavenging is enabled (default as well), including if the DHCP server is on a
    DC, adding the DHCP server to the DnsUpdateProxy group, or, to alleviate the
    security issues with such a move, rather supplying credentials for DHCP, so it
    owns all records it registers into DNS, in order that it can update the
    records as they change. Otherwise, expect issues to occur.

    ---

    Read the following for more info, which was compiled by Chris Dent concerning
    short leases.

    -

    A high rate of change in DNS will lead to a large number of tombstoned
    DNS entries.

    It would seem reasonable to reconsider the DHCP Lease duration, 8 hours
    is, after all, extremely short.

    Essentially you have:

    * The amount of tombstoned data is increasing because of stale DNS records
    * The number of stale DNS records is high because of the (potential) rate of
      change of records in both forward and reverse lookup
    * The rate of change must be somewhat proportional to changing leases in DHCP

    The DNS Record lifecycle is this:

    1. Record created (as dnsNode)
    2. When the timestamp is no longer updated and the aging intervals pass, the
       record becomes stale
    3. The stale record is removed from the active DNS system and dnsTombstoned
       is set to TRUE
    4. The tombstoned record exists for the value of DsTombstoneInterval (7 days
       by default)
    5. The dnsNode object is moved to Deleted Objects for the value of
       tombstoneLifetime (120 days by default for domains built with 2003 SP1;
       60 days prior to that)

    Therefore, you either reduce the rate of change by increasing the lease
    duration, or put up with inaccuracy in DNS (by limiting Aging /
    Scavenging), or put up with increasing directory size.

    The directory size should level out eventually, when you reach the point
    where the number of tombstoned records being flushed is equal to the
    number being created.

    ==========

    The following links provide additional information on how it all works.

    How to configure DNS dynamic updates in Windows Server 2003.

    Using DNS Aging and Scavenging: aging and scavenging of stale resource records
    are features of Domain Name System (DNS) that are available when you deploy
    your server with primary zones.

    Microsoft Enterprise Networking Team: Don't be afraid of DNS ... (Mar 19,
    2008). DNS Scavenging is a great answer to a problem that has been nagging
    everyone since RFC 2136 came out way back in 1997.

    DHCP, DNS and the DNSUpdateProxy-Group (Directory Services/Active ...): I had
    a discussion in the Newsgroups lately about DHCP and the DNSUpdateProxy-Group
    which is used to write unsecured DNS-Entries to a DNS-Zone which only ...

    And from Kevin Goodknecht:
    Setting up DHCP for DNS registrations

    317590 - HOW TO: Configure DNS Dynamic Update in Windows 2000 and the
    DNSUpdateProxy Group

    816592 - How to configure DNS dynamic updates in Windows Server 2003

    Follow up discussion on the DNSUpdateProxy-Group
    ==================================================================

    Ace
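The credentials-based setup Ace describes above (the five steps, the Option 081 DNS tab, and 7-day aging intervals), written out as an added example for the Windows Server 2003 command-line tools; this is not code from the thread or from Ace. The account name svc-dhcpdns, the domain DN, the zone names Mycompany.com and 10.in-addr.arpa, the password placeholder, and the positional meaning of the dnsconfig parameters are assumptions.

```batch
@echo off
REM Added example (not from the thread): make DHCP own the DNS records it registers
REM by supplying a dedicated credentials account instead of using the DnsUpdateProxy
REM group, then turn on aging/scavenging. Run on the DC that hosts DHCP (DC1,
REM 10.1.10.20) as a domain admin. Names below are assumptions; adjust for your site.

set DOMAIN=MYCOMPANY
set DOMAIN_DN=DC=Mycompany,DC=com
set SVC_ACCOUNT=svc-dhcpdns
set SVC_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
set FWD_ZONE=Mycompany.com
set REV_ZONE=10.in-addr.arpa
set DNS_SERVER=10.1.10.20

REM Step 5: dedicated, unprivileged account with a non-expiring password.
REM A plain domain user is enough; it should NOT be in Domain Admins.
dsadd user "CN=%SVC_ACCOUNT%,CN=Users,%DOMAIN_DN%" -samid %SVC_ACCOUNT% ^
  -pwd %SVC_PASSWORD% -mustchpwd no -pwdneverexpires yes -disabled no
if errorlevel 1 echo dsadd failed & exit /b 1

REM Hand those credentials to the DHCP server (the GUI's Advanced > Credentials
REM button), then read them back to confirm.
netsh dhcp server set dnscredentials %SVC_ACCOUNT% %DOMAIN% %SVC_PASSWORD%
netsh dhcp server show dnscredentials

REM Step 2 (Option 081 / DNS tab): always register A and PTR, discard them when the
REM lease is deleted, and register for clients that do not request updates.
REM ASSUMPTION: parameter order is Enable Update Delete Downlevel; confirm with
REM "netsh dhcp server set dnsconfig ?" before relying on it.
netsh dhcp server set dnsconfig 1 1 1 1

REM Steps 3 and 4: Option 015 = AD domain name, Option 006 = internal DNS servers only.
netsh dhcp server set optionvalue 015 STRING %FWD_ZONE%
netsh dhcp server set optionvalue 006 IPADDRESS 10.1.10.20 10.1.10.21

REM Aging/scavenging: 7-day no-refresh and refresh intervals (168 hours each),
REM server-wide scavenging every 7 days, and a single server allowed to scavenge
REM each zone so the two DCs do not compete.
dnscmd /Config /ScavengingInterval 168
for %%Z in (%FWD_ZONE% %REV_ZONE%) do (
  dnscmd /Config %%Z /Aging 1
  dnscmd /Config %%Z /NoRefreshInterval 168
  dnscmd /Config %%Z /RefreshInterval 168
  dnscmd /ZoneResetScavengeServers %%Z %DNS_SERVER%
)

REM Security check: with credentials in place, the DCs should NOT be members of
REM DnsUpdateProxy, since membership leaves the DC's own records unsecured.
net group DnsUpdateProxy /domain
```

Records that DHCP registers after this point carry a timestamp and are owned by the credentials account, so a renewed lease with a new address updates the existing A/PTR pair instead of leaving a second one behind.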
     
  5. Kashif

    Kashif Guest

    Thanks a bunch for all your Help!!!!!!!!


    > Event 5504 is logged when a Windows Server 2003-based DNS server receives a
    > packet that contains a DNAME resource record


    I didn't apply the hotfix because of the following comments in the article:
    Microsoft has confirmed that this is a problem in the Microsoft products
    that are listed in the "Applies to" section. This problem was first corrected
    in Windows Server 2003 Service Pack 2.
    I have Windows 2003 Service Pack 2 installed.

    If I had this problem in SP1 and it never got fixed, and I upgraded to SP2,
    should I still apply the hotfix?
    My understanding was that service packs are designed to fix the previous
    service pack and all the other previous problems.

    I still don't know what RRAS is. Where should I look for it? I didn't find
    any such name in the services.

    > It sounds like you need to enable Scavenging, as well as force
    > your DHCP servers to own the record that it registers. This way, the DHCP
    > server can update a machine when it's IP changes instead of creating a new
    > record. I'm not sure if you are aware of how to do that, therefore I'm
    > posting (below) how to setup both Scavenging and DHCP credentials setup to
    > make this work.

    I had turned on scavenging 3 months ago with the following settings:
    No-refresh interval 7 days.
    Refresh interval 7 days.

    As far as forcing DHCP to own the record, I had followed the instructions
    you posted 3 months ago.
    It didn't change anything.

    I do have forward and reverse zones.

    I keep playing with DHCP lease settings to see if I can fix the issue.
    Last Friday I changed the setting from 8 hours lease expiration to unlimited.

    What if I delete all computer records from my forward and reverse zones,
    excluding the DCs' records, turn off all the computers, delete all the DHCP
    records, and turn the computers back on? Will the DHCP server register the
    computers again in DNS correctly? I also see some computers with a pen icon
    in DHCP.

    What if I want to re-install DNS and DHCP again? Will that fix the
    problem, and what do I need to be careful of when doing that?



    "Ace Fekay [MCT]" wrote:
    <!--coloro:blue--><span style="color:blue <!--/coloro-->
    > "Kashif" <Kashif@discussions.microsoft.com> wrote in message
    > news:DA263455-3C9F-4EBE-B0F1-0BE9C341E4B9@microsoft.com...<!--coloro:green--><span style="color:green <!--/coloro-->
    > > Thank for the Tip.
    > >
    > > You were right web developer hard coded
    in the java
    > > script. Although, I have in the DNS "www" CNAME pointing to the webserver
    > > ip
    > > address. The coding was causing the issue.
    > >
    > > I am not following your comments "DCs is multihomed, has more than one IP,
    > > or
    > > RRAS is installed on it.
    > >
    > > C:program FilesSupport Tools>ipconfig/all
    > >
    > > Windows IP Configuration
    > >
    > > Host Name . . . . . . . . . . . . : dc1
    > > Primary Dns Suffix . . . . . . . : Mycompany.com
    > > Node Type . . . . . . . . . . . . : Hybrid
    > > IP Routing Enabled. . . . . . . . : No
    > > WINS Proxy Enabled. . . . . . . . : No
    > > DNS Suffix Search List. . . . . . : Mycompany.com
    > >
    > > Ethernet adapter Broadcom-1:
    > >
    > > Connection-specific DNS Suffix . :
    > > Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
    > > (NDIS VBD Client)
    > > Physical Address. . . . . . . . . : 00-19-B9-D9-70-BF
    > > DHCP Enabled. . . . . . . . . . . : No
    > > IP Address. . . . . . . . . . . . : 10.1.10.20
    > > Subnet Mask . . . . . . . . . . . : 255.0.0.0
    > > Default Gateway . . . . . . . . . : 10.1.10.1
    > > DNS Servers . . . . . . . . . . . : 10.1.10.20
    > > 10.1.10.200
    > >
    > > C:>ipconfig/all
    > >
    > > Windows IP Configuration
    > >
    > > Host Name . . . . . . . . . . . . : DC2
    > > Primary Dns Suffix . . . . . . . : Mycompany.com
    > > Node Type . . . . . . . . . . . . : Unknown
    > > IP Routing Enabled. . . . . . . . : No
    > > WINS Proxy Enabled. . . . . . . . : No
    > > DNS Suffix Search List. . . . . . : Mycompany.com
    > >
    > > Ethernet adapter Local Area Connection:
    > >
    > > Connection-specific DNS Suffix . :
    > > Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
    > > Physical Address. . . . . . . . . : 00-11-85-D4-34-F4
    > > DHCP Enabled. . . . . . . . . . . : No
    > > IP Address. . . . . . . . . . . . : 10.1.10.21
    > > Subnet Mask . . . . . . . . . . . : 255.0.0.0
    > > Default Gateway . . . . . . . . . : 10.1.10.1
    > > DNS Servers . . . . . . . . . . . : 10.1.10.20
    > > 10.1.10.21
    > >
    > > I couldn't find RRAS service in the service console for both DC's.
    > > What is RRAS ?
    > > I will also check with my Firewall company and get back to you soon.
    > >
    > > Thanks for all your help!!!!
    > >
    > >
    >
    > Thanks for posting that. It looks good. I assume your DC/DNS servers are
    > 10.1.10.20, 10.1.10.21 and 10.1.10.200.
    >
    > Do you have a reverse zone created for 10.1.10.x?
    >
    > As for the 5504 invalid domain errors from 222.191.251.132, have you seen
    > the following article?
    >
    > Event 5504 is logged when a Windows Server 2003-based DNS server receives a
    > packet that contains a DNAME resource record
    >

    >
    > You don't have a multihomed DC, from what I can see with your ipconfig. A
    > multihomed DC would have two interfaces and/or RRAS installed on it.
    >
    > Also, in your previous post, you noticed the same hostname with multiple IP
    > addresses. It sounds like you need to enable Scavenging, as well as force
    > your DHCP servers to own the records they register. This way, the DHCP
    > server can update a machine when its IP changes instead of creating a new
    > record. I'm not sure if you are aware of how to do that, therefore I'm
    > posting (below) how to set up both Scavenging and DHCP credentials to
    > make this work.
    >
    > I hope it helps!!
    > Ace
    >
    > ==================================================================
    > DHCP, Dynamic DNS Updates , Scavenging, static entries & timestamps, and the
    > DnsProxyUpdate Group
    > ---
    > By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
    > First compiled 4/2006
    > Updated 7/2009
    > ---
    >
    > Keep in mind, the entity that registers the record in DNS owns the record.
    > By default, a machine will update its own record with default DHCP settings;
    > however, what we want to do to keep DNS clean, without additional records
    > with the same name but different IP addresses, is to configure
    > DHCP to own the record, so it can keep it up to date.
    >
    > The nice thing about DHCP owning the record is that it will update it if
    > DHCP gives the machine a new IP. Otherwise you'll see multiples of the same
    > name in DNS whether scavenging is enabled or not. I would force DHCP to own
    > the record as well as enable scavenging to keep it clean. To force DHCP to
    > own the record, you will need to do the following:
    >
    > 1. Add the DHCP server to the DnsUpdateProxy Group.
    > 2. Force DHCP to register all records, Forward and PTR, (whether a client
    > machine can do it or not) in the Option 081 tab (DHCP properties, DNS tab).
    > 3. Set Option 015 to the AD domain name (such as example.com).
    > 4. Set Option 006 to only the internal DNS servers.
    > 5. If the zone is set for Secure Updates Only, then DHCP cannot update
    > non-Microsoft clients and Microsoft clients that are not joined to the
    > domain. In this case, you will need to create and configure a user account
    > for use as credentials for DHCP to register such clients.
    >
    > If your DHCP servers are Windows 2003 or Windows 2008, configure the
    > dedicated user account you created as credentials in DHCP by going into the
    > DHCP Console, DHCP server properties, and on the Advanced tab of the DHCP
    > Server Properties sheet click the Credentials button, and provide this
    > account info.
    > The user account does not need any elevated rights, a normal user account
    > is fine; however, I recommend using a strong, non-expiring password on the
    > account.
    >
    > This will also allow DHCP to register Win9x machines, as well as non-Windows
    > machines, such as Linux, OSx (BIND based), and other Unix flavors.
    >
    > Once you implement scavenging, you will need to wait at least a week for it
    > to take effect. You can quicken it up by manually deleting the incorrect
    > records to get started.
    >
    > But more importantly, if DHCP is on a DC, it will not overwrite the
    > original host record for a machine getting a new lease with an IP
    > formerly belonging to another. To overcome this, either configure the
    > credentials account, as indicated above.
    >
    > There is another alternative if a DHCP server is on a DC. You can add the DC
    > to the DnsUpdateProxy group. This will force DHCP to own all records it will
    > create moving forward and will update an IP with a new name in DNS.
    >
    > With regards to the DnsUpdateProxy group, as said, this is one method, but
    > normally, for the most part, it is not advised to use it as it weakens
    > security, INCLUDING the DC records if DHCP is on a DC. Preferably configure
    > DHCP with an account. This can be done in w2k and w2k3 and up. Windows 2000
    > requires the netsh command to do it, but on Windows 2003 it can be done in
    > the GUI or with the netsh command.
    >
    > If you set this, but a record shows up in the DHCP Lease list with a
    > pen icon (which means that a write is pending), it may mean it is trying to
    > register into a zone that does not exist on the DNS servers. This happens in
    > cases where the client machine is not joined to the domain and has a missing
    > or different suffix than the zone in DNS. It can only register into a zone
    > that exists on DNS and whose zone updates have been configured to allow
    > updates.
    > If this is the case, go into the client machine's IP properties, and
    > on the DNS tab in TCP/IP properties, clear the "Register this connection's
    > addresses in DNS" as well as the "Use this connection's DNS suffix in DNS
    > registration" check boxes; the DHCP Server will fill these in for you and
    > register using the domain name in Option 015.
    >
    > ===
    >
    > Concerning records and timestamps, and lack of timestamps:
    >
    > If the record was manually created, it won't show a time stamp; however, if
    > the record was dynamically registered, it will show a time stamp. My guess
    > is the records you are referring to were manually created. If you manually
    > create a record, the checkbox will not be checked to scavenge; however, if it
    > was dynamically registered, it will be checked. I just tested this
    > with Windows 2003 DNS. When I had built a few servers for a customer and let
    > them auto register, they had a timestamp and the scavenge checkbox was
    > checked. For the records I manually created, such as internal www records,
    > and others, they did not have a time stamp and were not checked to scavenge.
    >
    > Even if you allow auto registration, which I do by default, and it gets
    > scavenged, it gets re-registered anyway by the OS. Unless you are seeing
    > something going on that is affecting your environment, the default settings
    > work fine, at least they do for me for all of my customers and installations
    > I've worked in that I've set scavenging and forced DHCP to own the records
    > so it can update the records it had registered at lease refresh time.
    >
    > ==========
    >
    > Now if you reduce the DHCP lease to, say, 8 hours instead of the default 8
    > days, a number of things can occur, such as increased Tombstoning of DNS
    > entries, which will increase the AD NTDS.dit file size, as well as possibly
    > an inconsistency with the records in DNS, as well as issues with WINS trying
    > to keep up with the changes, which will be evident with WINS Event log error
    > entries.
    >
    > Regarding the WINS issue, I've seen this once at a customer site years ago.
    > It's always stuck in the back of my mind to keep this in mind when such a
    > short lease is desired. I found a default lease works fine, as long as
    > scavenging is enabled (default as well), including, if the DHCP server is on
    > a DC, adding the DHCP server to the DnsUpdateProxy group, or, to alleviate
    > the security issues with such a move, rather supplying credentials for DHCP,
    > so it owns all records it registers into DNS, in order that it can update
    > the records as they change. Otherwise, expect issues to occur.
    >
    > ---
    >
    > Read the following for more info, which was compiled by Chris Dent
    > concerning short leases.
    >
    > -
    >
    > A high rate of change in DNS will lead to a large number of tombstoned
    > DNS entries.
    >
    > It would seem reasonable to reconsider the DHCP Lease duration, 8 hours
    > is, after all, extremely short.
    >
    > Essentially you have:
    >
    > * The amount of Tombstoned Data is increasing because of Stale DNS records
    > * The number of Stale DNS Records is high because of the (potential)
    > rate of change of records in both Forward and Reverse Lookup
    > * The rate of change must be somewhat proportional to changing leases in
    > DHCP
    >
    > The DNS Record lifecycle is this:
    >
    > 1. Record Created (as dnsNode)
    > 2. When Timestamp is no longer updated and Aging Intervals pass Record
    > becomes Stale
    > 3. Stale Record is removed from the active DNS system and dnsTombstoned
    > is set to TRUE
    > 4. Tombstoned record exists for value of DsTombstoneInterval (7 days by
    > default)
    > 5. DnsNode object is moved to Deleted Objects for value of
    > tombstoneLifetime (120 days by default for domains built with 2003 SP1;
    > 60 days prior to that)
    >
    > Therefore, you either reduce the rate of change by increasing the lease
    > duration, or put up with inaccuracy in DNS (by limiting Aging /
    > Scavenging), or put up with increasing directory size.
    >
    > The directory size should level out eventually, when you reach the point
    > where the number of tombstoned records being flushed is equal to the
    > number being created.
    >
    > ==========
    >
    > The following links provide additional information on how it all works.
    >
    > How to configure DNS dynamic updates in Windows Server 2003.
    >

    >
    > Using DNS Aging and Scavenging: Aging and scavenging of stale resource
    > records are features of Domain Name System (DNS) that are available when you
    > deploy your server with primary zones.
    >

    >
    > Microsoft Enterprise Networking Team: Don't be afraid of DNS ... Mar 19,
    > 2008 ... DNS Scavenging is a great answer to a problem that has been nagging
    > everyone since RFC 2136 came out way back in 1997.
    >

    >
    > DHCP, DNS and the DNSUpdateProxy-Group - Directory Services/Active ... I had
    > a discussion in the Newsgroups lately about DHCP and the
    > DNSUpdateProxy-Group which is used to write unsecured DNS-Entries to a
    > DNS-Zone which only ...
    >

    >
    > And from Kevin Goodnecht:
    > Setting up DHCP for DNS registrations
    >
     
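    The five steps in Ace's guide above, plus the scavenging settings, carried out as one script. This is an added example, not Ace's text or any Microsoft code. It uses the DhcpServer, DnsServer and ActiveDirectory PowerShell modules that ship with Windows Server 2012 and later (in the Windows Server 2003 era of this thread the same credential step is done in the DHCP console or with netsh, as Ace describes). Assumed names: the AD domain example.com from step 3, the thread's DNS servers 10.1.10.20 and 10.1.10.21, the thread's DHCP server DC1, a scope ID of 10.1.10.0, and a hypothetical low-privilege service account svc-dhcpdns. The final function reports the symptom from the original question (one hostname with several A records) so you can see what scavenging has left to clean up.

```powershell
# Added example (not from the thread): make DHCP own the DNS records it
# registers and enable aging/scavenging, following Ace's five steps.
# Requires the DhcpServer, DnsServer and ActiveDirectory modules (Windows
# Server 2012+ / RSAT). On Windows Server 2003 the credential step was:
#   netsh dhcp server set dnscredentials <user> <domain> <password>
# Assumptions: domain example.com, DHCP server DC1, DNS servers 10.1.10.20 and
# 10.1.10.21 (from the thread), scope 10.1.10.0, hypothetical account svc-dhcpdns.
#Requires -Modules DhcpServer, DnsServer, ActiveDirectory

param(
    [string]   $Domain      = 'example.com',
    [string]   $DhcpServer  = 'DC1',
    [string[]] $DnsServers  = @('10.1.10.20', '10.1.10.21'),
    [string]   $ScopeId     = '10.1.10.0',
    [string]   $ServiceUser = 'svc-dhcpdns'   # hypothetical, ordinary user rights only
)

# Step 1 (alternative, commented out): add the DHCP server's computer account to
# DnsUpdateProxy. Ace warns this weakens security when DHCP runs on a DC,
# because records the DC itself registers become unsecured; prefer step 5.
# Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members "$DhcpServer$"

# Step 2 (Option 081 / DNS tab): always register A and PTR records for clients,
# including clients that cannot request it themselves, and remove the records
# when the lease expires so stale entries do not accumulate.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true

# Steps 3 and 4: Option 015 = AD domain name, Option 006 = internal DNS only.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DnsDomain $Domain -DnsServer $DnsServers

# Step 5: a dedicated, unprivileged account whose identity DHCP uses for
# dynamic updates. Because that account then owns every record DHCP writes,
# DHCP can overwrite a record when a lease moves to a new machine, even in a
# zone set to Secure Updates Only.
$cred = Get-Credential -UserName "$Domain\$ServiceUser" -Message 'DHCP dynamic-update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# Scavenging: 7-day no-refresh and refresh intervals (the values reported in
# the thread), enabled server-wide and on the AD zone. Records older than
# no-refresh + refresh with a timestamp are eligible; static records (no
# timestamp) are never scavenged, which is why Ace says to delete those by hand.
$primaryDns = $DnsServers[0]
Set-DnsServerScavenging -ComputerName $primaryDns -ScavengingState $true `
    -ScavengingInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00 `
    -RefreshInterval 7.00:00:00 -ApplyOnAllZones
Set-DnsServerZoneAging -ComputerName $primaryDns -Name $Domain -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Check: list hostnames that have more than one A record (the "TAG-255 with
# three IPs" symptom) and how many of those records are static, i.e. will not
# age out and must be removed manually.
function Get-DuplicateHostRecords {
    param([string]$ZoneName, [string]$Server)
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |
        Group-Object HostName |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.Name
                Addresses = ($_.Group | ForEach-Object { $_.RecordData.IPv4Address.ToString() }) -join ', '
                Static    = ($_.Group | Where-Object { -not $_.Timestamp }).Count
            }
        }
}

Get-DuplicateHostRecords -ZoneName $Domain -Server $primaryDns | Format-Table -AutoSize
```

    Run it from an elevated PowerShell session on a machine with the RSAT modules installed. Run the duplicate report once before applying the settings and again after a full aging cycle; as Ace notes, scavenging takes at least a week to act, so a second run the same day shows nothing new.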
  6. "Kashif" <Kashif@discussions.microsoft.com> wrote in message
    news:0BDD7213-6478-4442-BD15-07A2633E1DFC@microsoft.com...
    > Thanks a bunch for all your Help!!!!!!!!
    >
    >
    > Event 5504 is logged when a Windows Server 2003-based DNS server receives
    > a packet that contains a DNAME resource record
    >
    >
    > I didn't apply the hotfix because of the following comments in the
    > Article:
    > Microsoft has confirmed that this is a problem in the Microsoft products
    > that are listed in the "Applies to" section. This problem was first
    > corrected in Windows Server 2003 Service Pack 2.
    > I have Windows 2003 Service Pack 2 installed.
    >
    > If I had this problem in SP1 and it never got fixed and I upgraded to SP2,
    > should I still apply the hotfix?
    > My understanding was that service packs are designed to fix the previous
    > service pack and all the other previous problems.
    >
    > I still don't know what RRAS is. Where should I look for it? I didn't find
    > any name in the services.
    >
    > It sounds like you need to enable Scavenging, as well as force
    > your DHCP servers to own the records they register. This way, the DHCP
    > server can update a machine when its IP changes instead of creating a new
    > record. I'm not sure if you are aware of how to do that, therefore I'm
    > posting (below) how to set up both Scavenging and DHCP credentials to
    > make this work.
    >
    > I turned on scavenging 3 months ago with the following settings:
    > No-refresh interval 7 days.
    > Refresh interval 7 days.
    >
    > As far as forcing DHCP to own the record, I followed the instructions
    > you posted 3 months ago.
    > It didn't change anything.
    >
    > I do have forward and reverse zones.
    >
    > I keep playing with DHCP lease settings to see if I can fix the issue.
    > Last Friday I changed the settings from 8 hours lease expiration to
    > unlimited.
    >
    > What if I delete all computer records from my forward and reverse zones,
    > excluding the DCs' records, turn off all the computers, delete all the DHCP
    > records, and turn the computers on? Will the DHCP server register the
    > computers again in the DNS correctly? I also see some computers with a PEN
    > icon in DHCP.
    >
    > What if I want to re-install the DNS and DHCP again, will that fix the
    > problem and what do I need to be careful about doing that?
    >



    I wouldn't suggest an 8 hour lease. I would leave it to the default 8 day
    lease. Why do you want such a short lease? 8 hours is too short.

    I don't think uninstalling and reinstalling DNS or DHCP will do the trick.
    You can delete the old A and PTR records out of DNS.

    Service packs are not always the answer. That's why hotfixes were released.
    You can try the hotfix, it won't hurt.

    Ace
     
