AW: MS AD 2008R2 and bind

Melbinger Christian Christian.Melbinger at wienit.at
Tue Jan 3 15:28:53 UTC 2012


>What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?
only their own name, nothing more

>Are there any "same as zone" records that point to your DC IPs?  (this is common if  DNS is AD integrated)
yes
internal.wienit.at is a round robin to all DC IPs
gc._msdcs.internal.wienit.at is also a round robin to all DC IPs

I don't know if a long time ago it was AD integrated, but in the last few years it certainly was not.

>Do you see in the Event Viewer on the DC that it is successfully registering the A, PTR and SRV records?  (not sure what log this is in, been a little while since I looked last).
yes that's working too, otherwise there would be a lot more errors
I even see every update in the messages log on the dns-server, all working

>I know you said it was the case, but your BIND config has one of the following options set?
> - allow-update { address_match_list }; <-- If the DC is pointing to the master BIND server
> - allow-update-forwarding { address_match_list }; <-- if the DC is pointing to the slave BIND server
updates are working

>What happens if you issue the ipconfig /registerdns command from the DCs?
I think I did that some time ago... the DC kicked all of its own Records and then put them back in...


---
Ing. Christian Melbinger
Network & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbinger at wienit.at

From: Will Lists [mailto:listswill at gmail.com]
Sent: Tuesday, 03 January 2012 14:07
To: bind-users at lists.isc.org
Cc: Melbinger Christian
Subject: Re: MS AD 2008R2 and bind

On Tue, Jan 3, 2012 at 4:00 AM, Melbinger Christian <Christian.Melbinger at wienit.at> wrote:
Hi

My company moved to a 2008R2 Domain Controller environment. Now I see the following message in the Windows log:

Title: This domain controller must register its correct IP addresses with the DNS server
Severity: Error
Category: Configuration
Issue: The Domain Name System (DNS) host resource records for this domain controller's fully qualified domain name currently map to the IP addresses that do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 10.2.2.2.
Impact: Other member computers and domain controllers in the domain or forest might not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
Resolution: Ensure that the DNS Client service on this domain controller is configured and able to register valid host resource records with an authoritative DNS server for the domain.
More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=131229


All Domain Controllers have zone update rights on the master DNS server, and according to the logfile updating zones works.
My DNS-Servers are running BIND 9.7.3-P3.



So this is presumably not a problem of the bind servers themselves, but still, does anyone have an idea how to get rid of the error messages?
Anyone know the checkbox to unset? I didn't find one...

With regards
Christian Melbinger





--

I'm just going to throw out a few ideas, not sure any or all of them will get you in the right direction... but I had significant issues with DCs and dynamic updates following a migration from AD integrated DNS to BIND.


What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?

Are there any "same as zone" records that point to your DC IPs?  (this is common if  DNS is AD integrated)

Do you see in the Event Viewer on the DC that it is successfully registering the A, PTR and SRV records?  (not sure what log this is in, been a little while since I looked last).

I know you said it was the case, but your BIND config has one of the following options set?
 - allow-update { address_match_list }; <-- If the DC is pointing to the master BIND server
 - allow-update-forwarding { address_match_list }; <-- if the DC is pointing to the slave BIND server

What happens if you issue the ipconfig /registerdns command from the DCs?


- Will
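
One way to answer the first two questions above from a zone dump, as an added example that is not part of the original thread: it lists the A records on a DC's FQDN that are not the DC's own addresses, and which other names hold those addresses. The zone name, host names and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in "name TTL class type rdata" form (e.g. trimmed zone
# transfer output). Names and addresses are placeholders, not from the thread.
SAMPLE_ZONE = """\
internal.example.           600 IN A 192.0.2.10
internal.example.           600 IN A 192.0.2.11
gc._msdcs.internal.example. 600 IN A 192.0.2.10
dc1.internal.example.      1200 IN A 192.0.2.10
dc1.internal.example.      1200 IN A 198.51.100.7
dc2.internal.example.      1200 IN A 192.0.2.11
oldhost.internal.example.  3600 IN A 198.51.100.7
_ldap._tcp.internal.example. 600 IN SRV 0 100 389 dc1.internal.example.
"""

def parse_a_records(zone_text):
    """Return {owner_name: set(ip)} for every A record; other types are skipped."""
    records = defaultdict(set)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue
        try:
            ip = ipaddress.IPv4Address(fields[4])
        except ipaddress.AddressValueError:
            continue                            # malformed rdata, ignore the line
        records[fields[0].lower().rstrip(".")].add(ip)
    return records

def audit_dc(zone_text, dc_fqdn, dc_own_ips):
    """List A records on dc_fqdn that are not the DC's own, and who else uses them."""
    records = parse_a_records(zone_text)
    name = dc_fqdn.lower().rstrip(".")
    own = {ipaddress.IPv4Address(ip) for ip in dc_own_ips}
    published = records.get(name, set())
    invalid = {}
    for ip in sorted(published - own):
        # Other owner names sharing the foreign address hint at where it came from.
        others = sorted(n for n, ips in records.items() if ip in ips and n != name)
        invalid[str(ip)] = others
    missing = sorted(str(ip) for ip in own - published)
    return {"invalid": invalid, "missing": missing}

if __name__ == "__main__":
    print(audit_dc(SAMPLE_ZONE, "dc1.internal.example", ["192.0.2.10"]))
```
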



