Problem with DNS on Windows 2008 R2

Tags: active-directory, domain-name-system, windows-server-2008-r2

I have two domain controllers with DNS/DHCP enabled on both. Both are Windows 2008 R2 (migrated from Windows 2003 a while back). Best Practices Analyzer seems to be showing a couple of errors I can't figure out. Both controllers are Virtual Machines with 1 NIC only. First AD is 192.168.1.16, secondary is 192.168.1.17.

  1. DNS servers on <interface> should include the loopback address, but not as the first entry. I have added 127.0.0.1 as the 3rd DNS server on the interface that the problem occurs on, but BPA still complains. Any thoughts why?

  2. Zone PRIVATEZONE secondary servers must respond to queries for the zone. It seems to me the DNS/AD server works fine on the secondary controller. I can nslookup to it from the first AD controller and check external and internal names. Why is it complaining then?

  3. The DNS server 192.168.1.16 on <interface> must resolve names in the forest root domain name zone. This shows multiple times, for 192.168.1.17 and 127.0.0.1 as well (since it's been added). Not sure what could be the problem, everything seems fine?

  4. The DNS server 192.168.1.16 on <interface> must resolve names in the primary DNS domain zone.

  5. Warning: Zone PRIVATEZONE secondary server 192.168.1.16 should respond to queries for the zone. The same appears for 192.168.1.17.

DCDIAG shows everything is ok.

repadmin /showrepl <controller2> shows everything is good.

Best Answer

After reading some of the BPA stuff, BPA is possibly complaining too much.

  1. According to the doc, "The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller." You've done this. False fail.
  2. This step checks the list of servers on the "Zone Transfers" tab and checks those. Verify THAT lists only valid secondaries. Remove any that don't belong.
  3. The failure here is, "A DNS server that is configured on the network adapter was unable to resolve the start of authority (SOA) record for the forest root domain name." If you're using NSLOOKUP, set your type to SOA (`set type=SOA`) and see if you can get the forest root. If all of the DNS servers on your tabs will resolve the SOA record, this is a false fail.
  4. This is the same as the previous point, but with a different DNS domain.
  5. This checks the DNS servers listed in the Zone Transfers tab for ability to resolve the primary zones. If point 2 failed, this is likely to fail too.

The Best Practices Analyzer documentation for Server 2008R2 is located here: http://technet.microsoft.com/en-us/library/dd392255%28WS.10%29.aspx

Why is it doing the false-fails? I couldn't tell you. If you've verified that it works using manual methods, it's time to contact Microsoft.
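One way to re-run the checks the answer describes by hand (loopback ordering on the adapter, SOA resolution of the forest root and primary domain from every configured server, and the hosts on the Zone Transfers tab), as an added PowerShell example that is not part of the original answer. It uses only the WMI classes and nslookup present on 2008 R2, assumes an elevated session on the DC itself, and uses PRIVATEZONE as a placeholder for the real zone name.

```powershell
# Added example, not from the original post: re-check BPA items 1-5 by hand on the DC.
# Assumes an elevated PowerShell session on the DC; 'PRIVATEZONE' is a placeholder zone name.
$forestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
$primaryDom = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$zones      = @($forestRoot, $primaryDom) | Select-Object -Unique

function Test-SoaResolution {
    param([string]$Zone, [string]$Server)
    # Same query BPA effectively makes; Windows nslookup prints "primary name server" on success.
    $out = & nslookup -type=SOA $Zone $Server 2>&1 | Out-String
    return ($out -match 'primary name server')
}

# Item 1: loopback must be present on each IP-enabled adapter, but never as the first entry.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $dns = @($a.DNSServerSearchOrder | Where-Object { $_ })
    if ($dns.Count -eq 0) { continue }
    $loopIdx = [array]::IndexOf($dns, '127.0.0.1')
    $status  = if ($loopIdx -lt 0) { 'loopback missing' }
               elseif ($loopIdx -eq 0) { 'loopback listed FIRST' }
               else { 'loopback ok' }
    Write-Host ("{0}: {1} -> {2}" -f $a.Description, ($dns -join ', '), $status)

    # Items 3 and 4: every server on the adapter must resolve the SOA of both zones.
    foreach ($server in $dns) {
        foreach ($z in $zones) {
            $ok = Test-SoaResolution -Zone $z -Server $server
            Write-Host ("  {0} SOA {1}: {2}" -f $server, $z, $(if ($ok) { 'OK' } else { 'FAIL' }))
        }
    }
}

# Items 2 and 5: read the Zone Transfers tab via the DNS WMI provider and test each listed host.
$zoneName = 'PRIVATEZONE'
$zoneObj  = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone -Filter "Name = '$zoneName'"
if ($zoneObj) {
    # SecureSecondaries: 0 = any server, 1 = NS records only, 2 = listed servers only, 3 = no transfers
    Write-Host ("Zone {0}: SecureSecondaries={1}" -f $zoneName, $zoneObj.SecureSecondaries)
    foreach ($sec in @($zoneObj.SecondaryServers | Where-Object { $_ })) {
        $ok = Test-SoaResolution -Zone $zoneName -Server $sec
        Write-Host ("  secondary {0}: {1}" -f $sec, $(if ($ok) { 'answers' } else { 'does NOT answer - remove or fix' }))
    }
} else {
    Write-Host "Zone $zoneName not found in root\MicrosoftDNS"
}
```

Any adapter line showing "loopback listed FIRST" or any "FAIL"/"does NOT answer" line is a real finding; if everything reports OK, the BPA result is the false fail the answer describes.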