Most excellent.  Thank you very much.  I'll give this a whirl at home and
see how it goes.

Much obliged,
RS

On Tue, Mar 9, 2010 at 4:41 PM, Tim Evans <[email protected]> wrote:

>  I run this batch file:
>
> ****** begin batch file *****
>
> @echo off
> set server=mydnsserver
> set /p delold=Delete old domains?
> if /I "%delold%" NEQ "Y" goto getit
>
> echo Deleting old domains...
> pause
> rem remove every zone named in the previous list
> for /F %%f in (mal_list.txt) do dnscmd %server% /zonedelete %%f /dsdel /f
>
> :getit
> if exist domains.txt del domains.txt
> wget http://www.malwaredomains.com/files/domains.txt || goto end
> if exist mal_list.txt del mal_list.txt
>
> rem ignore lines beginning with # & echo 1st word only
> for /F "eol=# tokens=1 " %%i in (domains.txt) do @echo %%i >>mal_list.txt
>
> rem create each zone, then add a wildcard A record pointing at the block page server
> for /F %%f in (mal_list.txt) do (dnscmd %server% /zoneadd %%f /DsPrimary /DP /forest && dnscmd %server% /recordadd %%f * A 192.168.0.6)
>
> :end
>
> ****** end batch file *****
>
>
>
> This adds a wildcard zone for each domain which points to an internal web
> server at 192.168.0.6. It displays a "web site blocked due to malware" page
> whenever anyone hits it. I go thru the logs regularly and investigate any
> host on that server. It's a bit crude in that it just attempts to add all
> the domains each time it is run, but it works for me. Occasionally, they
> delete a bunch of domains and I couldn't figure out a better way to handle
> it, so if I answer Y to the prompt, it deletes all domains and re-adds them
> from the downloaded list.
>
>
>
> ...Tim
>
>
>
> *From:* Richard Stovall [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 1:13 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: DNS Server service shuts down shortly after the DC boots
>
>
>
> Very intriguing.
>
>
>
> How do you accomplish the loading of the domain list?  Using a boot file
> per the directions here:
> http://www.malwaredomains.com/wordpress/?page_id=6#MS?  Do you refresh the
> list manually every once in a while?
>
>
>
> Thanks,
> RS
>
> On Tue, Mar 9, 2010 at 3:58 PM, Tim Evans <[email protected]> wrote:
>
> FWIW, I load the entire domain list from http://www.malwaredomains.com/ into
> my AD integrated DNS without any problems. Over 18000 domains are
> currently included. I've got a 2003 native domain/forest too. DC's include
> WS08R2, WS08, & WS03 SP2. I have not seen anything like this here.
>
>
>
> ...Tim
>
>
>
> *From:* Carl Houseman [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 11:53 AM
>
>
> *To:* NT System Admin Issues
> *Subject:* RE: DNS Server service shuts down shortly after the DC boots
>
>
>
> It appears that background zone loading is a feature of 2008 and later...
> maybe I just need to hurry up the upgrade to 2008.
>
>
>
> Carl
>
>
>
> *From:* Michael B. Smith [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 2:44 PM
> *To:* NT System Admin Issues
> *Subject:* RE: DNS Server service shuts down shortly after the DC boots
>
>
>
> Oh! Yes, now that you say that….
>
>
>
> I bet what’s happening is that it’s timing out.
>
>
>
> There is a flag (and I’m sorry that I don’t remember the details) that says
> “do the initial zone load in the background”. You probably need to set that.
> That should be enough to biggle with…
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> *From:* Carl Houseman [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 2:40 PM
> *To:* NT System Admin Issues
> *Subject:* RE: DNS Server service shuts down shortly after the DC boots
>
>
>
> "Debug logging" will log DNS packets to a text file.  I guess the last DNS
> packet received before the shutdown could tell me something if it was
> shutting down randomly at any time.   But the fact that the service stays
> running forever after restarting suggests that bad DNS packets on the wire
> aren't likely causing this.  So if bad DNS traffic is the problem, the only
> explanation would be a DNS query from the DC to itself.   DC DOS's its own
> DNS server service?
>
>
>
> One thing I may have that is less common is a lot of DNS authoritative
> zones for well known bad (malware hosting) domain names.  There's over 1000
> of 'em.
>
>
>
> I have to say I'm not up for an extended debugging journey on this one,
> just wondering if this behavior triggered any memories for anyone.
>
>
>
> Carl
>
>
>
> *From:* Brian Desmond [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 1:53 PM
> *To:* NT System Admin Issues
> *Subject:* RE: DNS Server service shuts down shortly after the DC boots
>
>
>
> *It should be able to kick out more info to a text file.*
>
> *The scenario you mention of branch DCs not having connectivity is
> completely normal.*
>
> *Thanks,*
>
> *Brian Desmond*
>
> *[email protected]*
>
> *c – 312.731.3132*
>
>
> *From:* Carl Houseman [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 12:46 PM
> *To:* NT System Admin Issues
> *Subject:* RE: DNS Server service shuts down shortly after the DC boots
>
>
>
> Good idea, but the DNS Server's event logging option has been on "all
> events" all this time.  That must be the default, I don't recall ever
> changing it.
>
>
>
> Carl
>
>
>
> *From:* Michael B. Smith [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 1:39 PM
> *To:* NT System Admin Issues
> *Subject:* RE: DNS Server service shuts down shortly after the DC boots
>
>
>
> This would seem to indicate to me that while the DNS Server service was
> initiated, it never actually finished initializing.
>
>
>
> Aren’t there some logging options on the DNS server property tab? I’d
> probably ratchet those up to max for a while and see if they helped gather
> more info…
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> *From:* Carl Houseman [mailto:[email protected]]
> *Sent:* Tuesday, March 09, 2010 1:22 PM
> *To:* NT System Admin Issues
> *Subject:* DNS Server service shuts down shortly after the DC boots
>
>
>
> Curious thing, started a few months ago after I moved the FSMO roles from
> this DC to another one.  This DC frequently boots "in a vacuum" – no other
> DC's can be contacted, so it takes a long time sniffing around before it
> finally starts Active Directory and its own DNS Server service.   A few
> minutes after that, the DNS Server service shuts down.  There's nothing in
> the System or Application event log to explain it, and the DNS Server event
> log records simply that "The DNS server has shutdown." (event ID 3).
>
>
>
> The recovery options are set to restart the service, but that doesn't
> happen because the service appears to have been shut down on purpose.  But
> no human (for sure) and 99.9% sure no software is issuing the command.
>
>
>
> Another interesting thing from the event logs, under System, when I start
> the service there's an event 7036 logged "The DNS Server has entered the
> running state".  But I see NO event 7036 for DNS at the time of booting.
> Obviously, it must be started, else the DNS event log wouldn't record that
> it had shut down!   And I see no 7036 events for it stopping either.
>
>
>
> When this happens, I can manually start the DNS Server service and all is
> well until the next boot, which may or may not have the problem.  I think
> it's happening about 50% of the time.
>
>
>
> I've scripted a solution to recover from the problem, but I'm just curious
> if anyone has noticed something similar.  I'm guessing the instances of
> branch offices booting their DC without network connectivity back to the
> FSMO holder at HQ is fairly rare, but not unheard of.
>
>
>
> And this is Windows 2003 SP2, native 2003 domain/forest.  Almost left that
> off, yikes!
>
>
>
> TIA,
>
> Carl

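An added example, not from anyone on the thread: rather than deleting and re-adding every zone, compare the previous list with the freshly downloaded one and emit `dnscmd` commands only for the difference, after checking that each entry is a plain hostname. It reuses the command forms, server name and sinkhole address from the quoted batch file; the function names and the sample lists are constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen (conservative).
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample lists (tab-separated, '#' comments); a real run would read
# the previous mal_list.txt and the freshly downloaded domains.txt instead.
OLD_LIST = "# constructed sample\n\t\tgone.example\tmalware\n\t\tstays.example\tphishing\n"
NEW_LIST = ("# constructed sample\n\t\tstays.example\tphishing\n"
            "\t\tNew-One.example\tmalware\n\t\tbad.example&echo\tjunk\n")


def parse_domains(text):
    """First whitespace-separated token of each non-comment line, validated."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[0].lower().rstrip(".")
        labels = name.split(".")
        # Reject anything that is not a plain multi-label hostname, so list
        # content can never add extra arguments or shell operators to a command.
        if len(name) <= 253 and len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels):
            domains.add(name)
    return domains


def plan_update(old_text, new_text, server="mydnsserver", sinkhole="192.168.0.6"):
    """Return dnscmd lines for the difference between two list versions."""
    old, new = parse_domains(old_text), parse_domains(new_text)
    commands = []
    for zone in sorted(old - new):   # dropped from the list: remove the zone
        commands.append(f"dnscmd {server} /zonedelete {zone} /dsdel /f")
    for zone in sorted(new - old):   # newly listed: create zone plus wildcard record
        commands.append(f"dnscmd {server} /zoneadd {zone} /DsPrimary /DP /forest")
        commands.append(f"dnscmd {server} /recordadd {zone} * A {sinkhole}")
    return commands


if __name__ == "__main__":
    # Print the plan for review; nothing is executed against the DNS server.
    for command in plan_update(OLD_LIST, NEW_LIST):
        print(command)
```

The label check is stricter than DNS itself (it rejects underscores, for instance), so rejected entries are worth logging and reviewing rather than silently dropping.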