AW: MS AD 2008R2 and bind

2012-01-04 Thread Melbinger Christian
Hi

The only AAAA updates (according to the messages log) are deletes:
view default: updating zone 'internal.wienit.at/IN': deleting rrset at 
'DC1.internal.wienit.at' AAAA
There are no AAAA records for the DC, and it's never creating any, just 
deleting them once a day.

And after the delete the DC continues to update A, CNAME and SRV records... I 
don't think that's the problem.

thanks

---
Ing. Christian Melbinger
Netzwerk & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at





WienIT EDV Dienstleistungsgesellschaft mbH & Co KG, A-1030 Wien, 
Thomas-Klestil-Platz 6,
FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824
Personally liable partner:
WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6,
FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
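As an added example (not from any post in this thread), the Python below parses the "updating zone ... deleting rrset at" lines that BIND writes to syslog, as quoted above, and reports which records a client only ever deletes and never re-adds, plus how many updates each client had refused by the allow-update ACL. The log message forms are assumed from BIND 9.7-era output; the sample lines are constructed, reusing the zone, host and DC addresses mentioned in the thread.

```python
import re
from collections import defaultdict

# Message forms BIND 9 logs for each change a dynamic update makes, with the
# optional "view <name>: " prefix used when views are configured. Assumed from
# BIND 9.7-era logs; the name is quoted in some forms and bare in others.
UPDATE_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: (?:view (?P<view>\S+): )?"
    r"updating zone '(?P<zone>[^']+)': "
    r"(?P<action>adding an RR|deleting rrset|deleting an RR|deleting all rrsets) at "
    r"'?(?P<name>[^' ]+)'?(?: (?P<rtype>[A-Z0-9]+))?"
)
# Logged when the sending client is not covered by the zone's allow-update ACL.
DENIED_RE = re.compile(r"client (?P<client>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^']+)' denied")

# Constructed sample log: zone, host and DC addresses are the ones named in the
# thread; the ports, the reverse zone and the 10.9.9.9 client are made up.
SAMPLE_LOG_LINES = [
    "named[1234]: client 10.4.4.4#49152: view default: updating zone 'internal.wienit.at/IN': deleting rrset at 'DC1.internal.wienit.at' AAAA",
    "named[1234]: client 10.4.4.4#49152: view default: updating zone 'internal.wienit.at/IN': deleting rrset at 'DC1.internal.wienit.at' A",
    "named[1234]: client 10.4.4.4#49152: view default: updating zone 'internal.wienit.at/IN': adding an RR at 'DC1.internal.wienit.at' A",
    "named[1234]: client 10.4.4.4#49153: view default: updating zone 'internal.wienit.at/IN': deleting rrset at '_ldap._tcp.internal.wienit.at' SRV",
    "named[1234]: client 10.4.4.4#49153: view default: updating zone 'internal.wienit.at/IN': adding an RR at '_ldap._tcp.internal.wienit.at' SRV",
    "named[1234]: client 10.5.5.5#50000: view default: updating zone '5.10.in-addr.arpa/IN': adding an RR at '5.5.5.10.in-addr.arpa' PTR",
    "named[1234]: client 10.9.9.9#40000: update 'internal.wienit.at/IN' denied",
]


def parse_update_line(line):
    """Return the fields of one 'updating zone' line as a dict, or None."""
    m = UPDATE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["op"] = "add" if rec["action"].startswith("adding") else "del"
    rec["rtype"] = rec["rtype"] or "ANY"  # "deleting all rrsets" carries no type
    return rec


def summarise(lines):
    """Count adds and deletes per (client, zone, name, rtype)."""
    counts = defaultdict(lambda: {"add": 0, "del": 0})
    for line in lines:
        rec = parse_update_line(line)
        if rec is not None:
            key = (rec["client"], rec["zone"], rec["name"], rec["rtype"])
            counts[key][rec["op"]] += 1
    return dict(counts)


def delete_only(counts):
    """Records a client deletes but never (re-)adds in the same log window:
    the pattern in the thread, where the AAAA rrset is removed once a day and
    nothing is put back."""
    return sorted(key for key, c in counts.items() if c["del"] and not c["add"])


def denied_by_client(lines):
    """How many updates each client had refused by the allow-update ACL."""
    denied = defaultdict(int)
    for line in lines:
        m = DENIED_RE.search(line)
        if m is not None:
            denied[m.group("client")] += 1
    return dict(denied)


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG_LINES)
    for (client, zone, name, rtype), c in sorted(counts.items()):
        print(f"{client:<10} {zone:<24} {name:<34} {rtype:<5} add={c['add']} del={c['del']}")
    for key in delete_only(counts):
        print("delete-only:", key)
    for client, n in denied_by_client(SAMPLE_LOG_LINES).items():
        print(f"denied: {client} ({n} update(s))")
```

Run it against `grep 'updating zone' /var/log/messages` output to get the same per-record view of what the DCs actually add and remove.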


MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
Hi

My company moved to a 2008R2 Domain Controller environment. Now I see the 
following message in the windows log:

Title: This domain controller must register its correct IP addresses with the 
DNS server
Severity: Error
Category: Configuration
Issue: The Domain Name System (DNS) host resource records for this domain 
controller's fully qualified domain name currently map to the IP addresses that 
do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 
10.2.2.2.
Impact: Other member computers and domain controllers in the domain or forest 
might not be able to locate this domain controller. This domain controller will 
not be able to provide a full suite of services.
Resolution: Ensure that the DNS Client service on this domain controller is 
configured and able to register valid host resource records with an 
authoritative DNS server for the domain.
More information about this best practice and detailed resolution procedures: 
http://go.microsoft.com/fwlink/?LinkId=131229


All Domain Controllers have zone update rights on the master DNS server, and 
according to the logfile updating zones works.
My DNS servers are running BIND 9.7.3-P3.



So this is presumably not a problem of the bind servers themselves, but still, 
does anyone have an idea how to get rid of the error messages?
Anyone know the checkbox to unset? I didn't find one...

With regards
Christian Melbinger



Re: MS AD 2008R2 and bind

2012-01-03 Thread Carsten Strotmann (private)

Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote:
> So this is presumably not a problem of the bind servers themselves,
> but still, does anyone have an idea how to get rid of the error
> messages?
>
> Anyone know the checkbox to unset? I didn't find one...

from the error message you're seeing, the problem is that the domain
controller has already found DNS entries for itself in the DNS, but
the entries are pointing to a different IP address than the domain
controller has.

The domain controller will not overwrite the existing entries. You
have to remove the wrong, stale entries and after that the domain
controller should be able to register (update) the address records
with the correct IP addresses. You can force this with a reboot or
with ipconfig /registerdns from the command line.

The old IP addresses might be leftovers from a test, and have not been
properly removed when the IP addresses of the domain controller have
been changed.

Best regards

Carsten Strotmann



AW: MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
Hello

Thanks for your answer, but unfortunately that's not the case.
When I do an nslookup, like nslookup internal.wienit.at, I get back the IPs of 
the DCs, namely
Addresses:  10.4.4.4, 10.5.5.5

The error message
The invalid IP addresses are 10.1.1.1; 10.2.2.2.
is pointing towards the DNS servers. (BIND on Linux, no Windows there)


I also had an old DNS server running on 10.3.3.3, which was included in the 
error message too. I shut it down, but the IP only got removed from the error 
once I deleted the NS record. (yeah, forgot to do that)

any ideas?





Re: MS AD 2008R2 and bind

2012-01-03 Thread Will Lists
I'm just going to throw out a few ideas, not sure any or all of them will
get you in the right direction... but I had significant issues with DCs and
dynamic updates following a migration from AD-integrated DNS to BIND.


What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?

Are there any "same as zone" records that point to your DC IPs? (this is
common if DNS is AD-integrated)

Do you see in the Event Viewer on the DC that it
is successfully registering the A, PTR and SRV records?  (not sure what log
this is in, been a little while since I looked last).

I know you said it was the case, but your BIND config has one of the
following options set?
 - allow-update { address_match_list }; -- If the DC is pointing to the
master BIND server
 - allow-update-forwarding { address_match_list }; -- if the DC is
pointing to the slave BIND server

What happens if you issue the ipconfig /registerdns command from the DCs?


- Will

Re: AW: MS AD 2008R2 and bind

2012-01-03 Thread root

The DC must not only be allowed to update its A, AAAA (if applicable) and PTR 
records, it must also be able to update its SRV and TXT records. Please add the 
DC to the ACL for allow-update on the zone that corresponds to the AD 
Domain/Kerberos zone, and then confirm that it is working by restarting the 
Netlogon service (necessary because IPCONFIG /registerdns only updates A, AAAA 
(if applicable) and PTR records, while the former regenerates the SRV records, 
et al).


Hope that helps,

 -DTK




Sent via BlackBerry from T-Mobile


AW: MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
> What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?
only their own name, nothing more

> Are there any same as zone records that point to your DC IPs?  (this is 
> common if DNS is AD integrated)
yes
internal.wienit.at is a round robin to all DC IPs
gc._msdcs.internal.wienit.at is also a round robin to all DC IPs

I don't know if a long time ago it was AD integrated, but in the last few years 
it certainly was not.

> Do you see in the Event Viewer on the DC that it is successfully registering 
> the A, PTR and SRV records?  (not sure what log this is in, been a little 
> while since I looked last).
yes that's working too, otherwise there would be a lot more errors
I even see every update in the messages log on the DNS server, all working

> I know you said it was the case, but your BIND config has one of the following 
> options set?
>  - allow-update { address_match_list }; -- If the DC is pointing to the 
>  master BIND server
>  - allow-update-forwarding { address_match_list }; -- if the DC is pointing 
>  to the slave BIND server
updates are working

> What happens if you issue the ipconfig /registerdns command from the DCs?
I think I did that some time ago... the DC kicked all of its own records and 
then put them back in...



AW: AW: MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
According to syslog the DCs do update tons of records all the time... A, PTR, 
SRV.
I didn't regulate them. Their IPs are allowed to do any updates.


Re: MS AD 2008R2 and bind

2012-01-03 Thread Vbvbrj
There is a bug in Windows 2008 R2 which prevents correct registration to 
BIND DNS servers. See http://support.microsoft.com/kb/2002490 for the 
hotfix to apply. Unfortunately, this hotfix still does not correct the 
behavior. Windows 2008 R2 registers the AAAA record first. This record 
is registered correctly on BIND, but the response from BIND is 
interpreted by Windows incorrectly, so it stops registering the 
following records, like the A record. However, the DCs with this patch 
successfully register all records related to the AD.

This is a strange behavior.