Showing posts with label DNS.

Saturday, March 11, 2023

Cannot Delete DNS Zone - Access was Denied

Description:

You have several DNS zones listed in your Active Directory-integrated DNS server.
One day you want to remove one of those zones, but you get an error message saying "Access was denied".
You are already using a Domain Admins account.

Resolution:

You or another admin have probably enabled "Protect object from accidental deletion" on those DNS zones. That option adds an explicit Deny ACE for Everyone on the zone object, and an explicit Deny wins over the Allow rights that Domain Admins hold.
In the DNS Manager console, go to the DNS zone that you want to delete. Open its properties and go to the Security tab. Click Advanced and edit the Everyone (Deny) entry. Clear the check marks on the delete permissions (Delete and Delete subtree / Delete all child objects). Click Apply, then OK.
You should now be able to delete the DNS zone. Remove the protection only from the zone you are actually deleting; it exists precisely to stop this kind of deletion from happening by mistake.
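The same fix done from PowerShell, as an added example that is not part of the original post: it locates the zone object in whichever AD partition holds it, clears the accidental-deletion flag (which is what writes the Everyone/Deny ACE) and then deletes the zone. It assumes the ActiveDirectory and DnsServer RSAT modules, Domain Admins rights, and a hypothetical zone name.

```powershell
# Added example, not from the original post: clear accidental-deletion
# protection on one AD-integrated zone and then delete it. Assumes the
# ActiveDirectory and DnsServer modules (RSAT) and Domain Admins rights.
Import-Module ActiveDirectory
Import-Module DnsServer

$ZoneName = 'old-app.contoso.com'   # hypothetical zone to remove

$Domain = Get-ADDomain
$RootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# AD-integrated zones are dnsZone objects under CN=MicrosoftDNS in one of
# these naming contexts, depending on the replication scope that was chosen.
$SearchBases = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$($Domain.DistinguishedName)",  # all DNS DCs in domain
    "CN=MicrosoftDNS,DC=ForestDnsZones,$RootDN",                       # all DNS DCs in forest
    "CN=MicrosoftDNS,CN=System,$($Domain.DistinguishedName)"           # legacy Windows 2000 scope
)

$Zones = foreach ($base in $SearchBases) {
    try {
        Get-ADObject -SearchBase $base -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=dnsZone)(name=$ZoneName))" `
            -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
    }
    catch { }   # container or naming context not present here; try the next one
}
if (-not $Zones) { throw "Zone '$ZoneName' not found in any AD-integrated scope" }

foreach ($zone in $Zones) {
    # The protection flag is what creates the Everyone/Deny ACE for Delete and
    # Delete subtree; clearing the flag removes that ACE in one step.
    if ($zone.ProtectedFromAccidentalDeletion) {
        Write-Host "Clearing deletion protection on $($zone.DistinguishedName)"
        Set-ADObject -Identity $zone -ProtectedFromAccidentalDeletion $false
    }
    else {
        Write-Host "$($zone.DistinguishedName) is not protected; the Deny must be a manual ACE, inspect it in the Security tab"
    }
}

# The delete that previously failed with "Access was denied".
Remove-DnsServerZone -Name $ZoneName -ComputerName $Domain.PDCEmulator -Force
```

Run it against one zone at a time; the script only touches the object whose name matches, so the protection on every other zone stays in place.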

Friday, June 3, 2022

Error while creating Windows 2016 Cluster at "Find a suitable Domain Controller"

Description:

You want to create a Windows Server 2016 cluster in a Windows Server 2012 R2 domain. You run the wizard, but it fails with an error and the cluster cannot be created.

During investigation you see several error messages such as:
"Check whether the computer object "clustername" for node "hostnameFQDN" exists in the domain. More data is available".

In Event Viewer (after enabling the cluster debug log) you can see:
"Failed to find suitable DC. Error 234"
"Searching for object "clustername" on first choice DC failed. Error 234"
"Couldn't resolve RPC binding to cluster, Status = 1753"

(Error 234 is ERROR_MORE_DATA, "More data is available"; 1753 is EPT_S_NOT_REGISTERED, "There are no more endpoints available from the endpoint mapper". Neither names the real cause; both only say that the cluster service could not locate or bind to a working domain controller.)

You then run the Cluster Validation wizard, but everything passes. You verify that the AD permissions required by the user account creating the cluster are already met. You also verify that the Group Policy setting "Deny access to this computer from the network" is correct. You check the network port requirements and confirm that all the necessary ports are open.

Resolution:

First, verify the DNS records on your DNS server, especially the records for all of your domain controllers. Make sure the Active Directory zones (the domain zone and its _msdcs subdomain) have the correct NS records, CNAME records (the DSA GUID alias of each DC under _msdcs), A records and SRV records. Remove the stale records of old or broken domain controllers that no longer exist; the DC locator will otherwise keep trying them.

Second, check the application partitions (DomainDnsZones and ForestDnsZones) in your Active Directory. Use ADSI Edit to connect to each application partition and try to browse its contents. If you get an error, you may need to delete the application partition with NTDSUtil (partition management, delete nc) and let DNS re-create it. Export the zones stored in that partition first (dnscmd /zoneexport or Export-DnsServerZone), because removing the partition removes the zone data it holds.
You should be able to create the Windows cluster afterwards.
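The two resolution steps as an automated check, added here and not part of the original post: it compares the generic DC locator SRV records against the live DC list (stale and missing targets), verifies each DC's GUID CNAME under _msdcs, and tries to enumerate the zone objects in every DNS application partition, which is the same read that fails in ADSI Edit when a partition is broken. It assumes the ActiveDirectory and DnsClient RSAT modules on a domain member whose resolver points at the AD DNS servers; there are no placeholder names.

```powershell
# Added example, not from the original post: check the DC locator records the
# cluster wizard depends on and confirm the DNS application partitions can be
# read. Assumes the ActiveDirectory and DnsClient modules (RSAT).
Import-Module ActiveDirectory

$Domain = Get-ADDomain
$Forest = Get-ADForest
$AllDCs = Get-ADDomainController -Filter *
$GCs    = $AllDCs | Where-Object IsGlobalCatalog

function Get-SrvTargets([string]$Name) {
    # Resolve-DnsName also returns the A records of the targets; keep only SRV.
    (Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV').NameTarget
}

# 1. Generic locator records: every live DC (or GC) must be a target, and every
#    target must be a DC that still exists. A stale target is what "Failed to
#    find suitable DC" looks like from the cluster side.
$Checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$($Domain.DNSRoot)";     Expected = $AllDCs.HostName }
    @{ Name = "_kerberos._tcp.dc._msdcs.$($Domain.DNSRoot)"; Expected = $AllDCs.HostName }
    @{ Name = "_ldap._tcp.gc._msdcs.$($Forest.RootDomain)";  Expected = $GCs.HostName }
)
foreach ($c in $Checks) {
    $targets = @(Get-SrvTargets $c.Name)
    $stale   = $targets    | Where-Object { $_ -notin $c.Expected }
    $missing = $c.Expected | Where-Object { $_ -notin $targets }
    if ($stale)   { Write-Warning "$($c.Name): stale target(s) $($stale -join ', ')" }
    if ($missing) { Write-Warning "$($c.Name): missing DC(s) $($missing -join ', ')" }
    if (-not $stale -and -not $missing) { "OK   $($c.Name)" }
}

# 2. Each DC's <DsaGuid>._msdcs.<forest> CNAME must point at the DC's own name;
#    replication partners and the cluster service resolve DCs through it.
foreach ($dc in $AllDCs) {
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $alias = "$guid._msdcs.$($Forest.RootDomain)"
    $cname = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'CNAME'
    if ($cname.NameHost -ieq $dc.HostName) { "OK   $alias -> $($cname.NameHost)" }
    else { Write-Warning "$alias does not resolve to $($dc.HostName)" }
}

# 3. Application partitions: if a partition cannot be browsed here, ADSI Edit
#    will fail on it too, and that is the ntdsutil case described above.
foreach ($nc in ($Forest.ApplicationPartitions | Where-Object { $_ -like 'DC=*DnsZones,*' })) {
    try {
        $zones = @(Get-ADObject -SearchBase "CN=MicrosoftDNS,$nc" -SearchScope OneLevel `
                     -LDAPFilter '(objectClass=dnsZone)' -ErrorAction Stop)
        "OK   $nc holds $($zones.Count) zone object(s)"
    }
    catch {
        Write-Warning "Cannot browse $nc : $($_.Exception.Message)"
    }
}
```

Fix every warning from part 1 and 2 before touching partitions: deleting a stale SRV target or a wrong CNAME is cheap and reversible, deleting a naming context with ntdsutil is not.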

Thursday, February 3, 2022

DNS Event 4015 on Windows 2012 R2 Domain Controller

Description:

On a DNS server that is also a domain controller, you notice that Event Viewer (DNS Server log, Event ID 4015) is full of the following error:

The DNS server has encountered a critical error from the Active Directory. 
Check that the Active Directory is functioning properly. 
The extended error debug information (which may be empty) is
0000051B: AtrErr: DSID-031508EF, #1:0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).

Resolution:

Enable AD diagnostic logging: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, set the "8 Directory Access" value to 5.
Look for Event ID 1175 in the Directory Service log and note the distinguished name of the object it reports. Change the ownership of that AD object to SYSTEM, set the diagnostic value back to 0 (level 5 is very noisy), and restart the DNS Server service on the domain controller. Then confirm that Event 4015 stops recurring.
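The same procedure from PowerShell on the affected DC, as an added example that is not part of the original post: raise Directory Access logging, read the 1175 events that name the object, hand ownership of that object to SYSTEM, lower logging again and restart DNS. It assumes the ActiveDirectory module and Domain Admins rights; $ObjectDN is a hypothetical placeholder for the DN you read out of the event.

```powershell
# Added example, not from the original post: find the object behind DNS Event
# 4015 via Directory Access logging, give it to SYSTEM and restart DNS. Run on
# the affected DC as a Domain Admin.
Import-Module ActiveDirectory

$Diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $Diag -Name '8 Directory Access' -Value 5 -Type DWord

# Wait for the next 4015 to fire, then read the 1175 events logged alongside it.
Start-Sleep -Seconds 120
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1175 } -MaxEvents 10 |
    Select-Object TimeCreated, Message | Format-List

# Level 5 logs every directory access; drop it back as soon as you have the DN.
Set-ItemProperty -Path $Diag -Name '8 Directory Access' -Value 0 -Type DWord

# Hypothetical DN of a dnsNode object, as read from the 1175 message.
$ObjectDN = 'DC=stale-host,DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'

$acl = Get-Acl -Path "AD:\$ObjectDN"
"Owner before: $($acl.Owner)"
# The fix described above: make SYSTEM the owner so the DNS Server service can
# update the object's nTSecurityDescriptor again.
$acl.SetOwner([System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM')
Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
"Owner after:  $((Get-Acl -Path "AD:\$ObjectDN").Owner)"

Restart-Service -Name DNS

# Anything returned here means the error is still recurring.
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = (Get-Date) } `
    -ErrorAction SilentlyContinue
```

Changing the owner needs the Modify Owner right on the object, which Domain Admins normally have; if Set-Acl is refused, take ownership first and then re-run the SetOwner step.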

Tuesday, November 1, 2011

DNS Tombstones in Windows 2003 and 2008

When DNS records are deleted from AD-integrated zones, they are not immediately tombstoned the way normal AD object deletions are. Instead, they go through a DNS tombstone process, which sets dnsTombstoned=TRUE on the dnsNode object.
While that flag is set, the DNS console and DNS tools ignore the record, but you still see the object through LDP, ADSI Edit or LDIFDE alongside the other DNS records. Each DNS server is hard-coded to run a cleanup every morning at 2 a.m. that deletes any dnsTombstoned=TRUE record that is seven days old or older.
Only at that point are the objects tombstoned like normal AD deletions (isDeleted=TRUE) and moved to the Deleted Objects container. This is important to know when records get deleted, for example when scavenging is enabled for the first time, and someone asks why they still see the objects in Active Directory. The seven days of dnsTombstoned=TRUE exist to prevent frequent database churn, because workstation records are often de-registered or scavenged and then re-created within a short period of time.
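A query that shows both stages, added here and not part of the original post: the dnsNode objects still flagged dnsTombstoned=TRUE (hidden from the DNS console, visible to LDAP) and the ones that have already become normal AD tombstones. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT) and uses whenChanged as an approximation of when the record was DNS-tombstoned; no placeholder names.

```powershell
# Added example, not from the original post: list DNS records in the DNS
# tombstone stage and those already deleted in AD terms.
Import-Module ActiveDirectory

$Domain = Get-ADDomain
$RootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$Partitions = @(
    "DC=DomainDnsZones,$($Domain.DistinguishedName)",
    "DC=ForestDnsZones,$RootDN"
)

foreach ($nc in $Partitions) {
    "== $nc =="

    # Stage 1: DNS-tombstoned, not yet deleted. whenChanged approximates the
    # time the flag was set; the 2 a.m. cleanup removes those older than 7 days.
    Get-ADObject -SearchBase "CN=MicrosoftDNS,$nc" `
        -LDAPFilter '(&(objectClass=dnsNode)(dnsTombstoned=TRUE))' `
        -Properties dnsTombstoned, whenChanged |
        Select-Object @{n='Stage';e={'dnsTombstoned'}}, Name, whenChanged,
                      @{n='DaysUntilCleanup';e={ [math]::Max(0, 7 - ((Get-Date) - $_.whenChanged).Days) }},
                      DistinguishedName

    # Stage 2: real AD tombstones (isDeleted=TRUE) in the partition's Deleted
    # Objects container; only returned when -IncludeDeletedObjects is set.
    Get-ADObject -SearchBase $nc -IncludeDeletedObjects `
        -LDAPFilter '(&(objectClass=dnsNode)(isDeleted=TRUE))' `
        -Properties isDeleted, whenChanged |
        Select-Object @{n='Stage';e={'isDeleted'}}, Name, whenChanged, DistinguishedName
}
```

Run it right after enabling scavenging and you will see the scavenged records pile up in stage 1 for a week before they move to stage 2.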

Saturday, October 29, 2011

Prevent Registration of Certain Domain Controller DNS Records

There are times when you want to stop a domain controller from registering certain resource records in DNS. One scenario is a hub and spoke topology: if all domain controllers/global catalogs in a satellite site become unavailable, a client searching for a domain controller/global catalog in that site should fail over to a domain controller/global catalog in the central hub, not to one in another satellite site.
To achieve this behavior, the domain controllers/global catalogs in the satellite offices should not register the generic (non-site-specific) domain controller locator DNS records. They keep registering their site-specific records (the ones under _sites.<SiteName>), so clients in their own site still find them.

To restrict the DNS resource records that are updated by Netlogon:
  1. Open Registry Editor.
  2. In Registry Editor, navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Add the following multi-string (REG_MULTI_SZ) value:
    DnsAvoidRegisterRecords
  4. In this value, list the mnemonics of the DNS resource records that the Net Logon service should not register for this domain controller, one per line. The following table lists them; <DnsDomainName>, <DnsForestName> and <DomainGuid> stand for the DC's domain, the forest root domain and the domain GUID. Restart the Net Logon service for the change to take effect.
Domain Controller-Specific Records

  Mnemonic         Type  DNS Record
  LdapIpAddress    A     <DnsDomainName>
  Ldap             SRV   _ldap._tcp.<DnsDomainName>
  DcByGuid         SRV   _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
  Kdc              SRV   _kerberos._tcp.dc._msdcs.<DnsDomainName>
  Dc               SRV   _ldap._tcp.dc._msdcs.<DnsDomainName>
  Rfc1510Kdc       SRV   _kerberos._tcp.<DnsDomainName>
  Rfc1510UdpKdc    SRV   _kerberos._udp.<DnsDomainName>
  Rfc1510Kpwd      SRV   _kpasswd._tcp.<DnsDomainName>
  Rfc1510UdpKpwd   SRV   _kpasswd._udp.<DnsDomainName>

Global Catalog-Specific Records

  Mnemonic         Type  DNS Record
  Gc               SRV   _ldap._tcp.gc._msdcs.<DnsForestName>
  GcIpAddress      A     gc._msdcs.<DnsForestName>
  GenericGc        SRV   _gc._tcp.<DnsForestName>
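The registry change applied and verified from PowerShell, as an added example that is not part of the original post: it writes the full mnemonic list from the table into DnsAvoidRegisterRecords on a satellite-site DC, restarts Netlogon, and then checks that this DC is still a target of its site-specific SRV records while no longer being a target of the generic ones. Run it on the DC itself as an administrator; it assumes the ActiveDirectory and DnsClient modules and contains no placeholder names.

```powershell
# Added example, not from the original post: stop a satellite DC from
# registering generic locator records and confirm the outcome.
Import-Module ActiveDirectory

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
# Mnemonics from the table above: every generic (non-site-specific) DC and GC record.
$Avoid = @(
    'LdapIpAddress', 'Ldap', 'DcByGuid', 'Kdc', 'Dc',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd',
    'Gc', 'GcIpAddress', 'GenericGc'
)
New-ItemProperty -Path $Key -Name DnsAvoidRegisterRecords -PropertyType MultiString `
    -Value $Avoid -Force | Out-Null

# Netlogon reads the list when it (re)registers; restart it and give it a moment.
Restart-Service -Name Netlogon
Start-Sleep -Seconds 15

$Me     = Get-ADDomainController -Identity $env:COMPUTERNAME
$Forest = (Get-ADForest).RootDomain
$Dom    = $Me.Domain

function Test-Registered([string]$Name, [string]$Type) {
    # True when this DC is among the targets (SRV) or addresses (A) of $Name.
    $r = Resolve-DnsName -Name $Name -Type $Type -ErrorAction SilentlyContinue |
         Where-Object Type -eq $Type
    if ($Type -eq 'SRV') { return [bool]($r.NameTarget -contains $Me.HostName) }
    return [bool]($r.IPAddress -contains $Me.IPv4Address)
}

# Site-specific records must still carry this DC; the generic ones must not.
$Expect = @(
    @{ Name = "_ldap._tcp.$($Me.Site)._sites.dc._msdcs.$Dom";     Type = 'SRV'; Want = $true  }
    @{ Name = "_kerberos._tcp.$($Me.Site)._sites.dc._msdcs.$Dom"; Type = 'SRV'; Want = $true  }
    @{ Name = "_ldap._tcp.dc._msdcs.$Dom";                        Type = 'SRV'; Want = $false }
    @{ Name = "_kerberos._tcp.dc._msdcs.$Dom";                    Type = 'SRV'; Want = $false }
    @{ Name = "_ldap._tcp.gc._msdcs.$Forest";                     Type = 'SRV'; Want = $false }
    @{ Name = $Dom;                                               Type = 'A';   Want = $false }
)
foreach ($e in $Expect) {
    $got    = Test-Registered $e.Name $e.Type
    $status = if ($got -eq $e.Want) { 'OK  ' } else { 'FAIL' }
    "$status {0,-62} registered={1} expected={2}" -f $e.Name, $got, $e.Want
}
```

If a generic record still lists this DC after the restart, delete that entry in DNS Manager and re-run the check; it must not come back. The same list can be pushed by Group Policy instead of the registry through Computer Configuration > Administrative Templates > System > Net Logon > DC Locator DNS Records > "DC Locator DNS records not registered by the DCs", which is easier to keep consistent across all satellite DCs.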

Tuesday, May 12, 2009

Checklists when promoting a Windows Domain Controller

Here are some of the things you must configure when promoting a domain controller in a forest with a multi-site, multi-domain topology.

If this is a new domain controller at a new site:

a. In Active Directory Sites and Services, create a new site.

b. Create a new subnet and link it to the newly created site.

c. Configure the IP site link for Active Directory replication.

· Promote the Windows server to domain controller.

· Configure the domain controller as a DNS server with Active Directory-integrated zones (DomainDnsZones replication scope).

· Configure the domain controller as a global catalog server.

· Configure DNS forwarders.

· Add the domain controller as an authoritative name server (NS record) for the domain zone.

· Enable strict replication consistency.

· Disable the Windows Scalable Networking Pack components (TCP Chimney offload, RSS).

· Change the Windows Time service MaxNegPhaseCorrection and MaxPosPhaseCorrection values to 48 hours (172800 seconds).
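The checklist scripted for a Windows Server 2012 or later domain controller, as an added example that is not part of the original post. The first half runs on an existing DC and prepares the site objects before promotion; the second half runs on the new DC after its reboot. It assumes the ActiveDirectory, ADDSDeployment and DnsServer modules; the site name, subnet, hub site name and forwarder addresses are hypothetical placeholders.

```powershell
# Added example, not from the original post: site preparation, promotion and
# the post-promotion settings from the checklist above.
Import-Module ActiveDirectory

$SiteName   = 'Branch-Site'                       # hypothetical new site
$Subnet     = '10.50.0.0/16'                      # hypothetical site subnet
$HubSite    = 'HQ'                                # hypothetical existing hub site
$Forwarders = '203.0.113.10', '203.0.113.11'      # hypothetical upstream resolvers
$Domain     = (Get-ADDomain).DNSRoot

# a-c: site, subnet and IP site link first, so the new DC lands in the right
# site and replicates with the hub rather than with whichever DC answered.
New-ADReplicationSite -Name $SiteName
New-ADReplicationSubnet -Name $Subnet -Site $SiteName
New-ADReplicationSiteLink -Name "$HubSite-$SiteName" -SitesIncluded $HubSite, $SiteName `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Promote into that site as DNS server and global catalog (reboots when done).
Import-Module ADDSDeployment
Install-ADDSDomainController -DomainName $Domain -SiteName $SiteName `
    -InstallDns -NoGlobalCatalog:$false `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# ---------- after the reboot, on the new DC (set the variables again) ----------
Import-Module DnsServer
$Forwarders = '203.0.113.10', '203.0.113.11'      # hypothetical, as above
$Domain     = (Get-ADDomain).DNSRoot
$MyFqdn     = "$env:COMPUTERNAME.$Domain".ToLower()

# Forwarders for everything outside the forest.
Set-DnsServerForwarder -IPAddress $Forwarders

# Authoritative NS record for the (AD-integrated) domain zone; "@" is the zone root.
dnscmd /RecordAdd $Domain @ NS "$MyFqdn."

# Strict replication consistency: refuse lingering objects from stale partners.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'Strict Replication Consistency' -Value 1 -Type DWord

# Scalable Networking Pack offloads off.
netsh int tcp set global chimney=disabled rss=disabled

# Time service: allow up to 48 hours (172800 s) of correction either way.
$W32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
Set-ItemProperty -Path $W32 -Name MaxNegPhaseCorrection -Value 172800 -Type DWord
Set-ItemProperty -Path $W32 -Name MaxPosPhaseCorrection -Value 172800 -Type DWord
w32tm /config /update

# Sanity check: the DC is in the intended site and is a global catalog.
Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object HostName, Site, IsGlobalCatalog
```

Keep the site and subnet objects in place before the promotion rather than fixing them afterwards; a DC that was promoted while its subnet mapped to another site will have started replicating through that site's link.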

Monday, April 6, 2009

Missing PTR Record in DNS

Description
You create a PTR record on your Active Directory-integrated DNS server. After a while the PTR record is suddenly missing. Your Active Directory and DNS server are working fine, and replication between domain controllers is also working normally.

Resolution
Make sure the "Register this connection's addresses in DNS" checkbox is enabled on the host's network connection; the host will then register its PTR record with the DNS server automatically and keep refreshing it. Also check the record's timestamp in DNS Manager: a record with no timestamp is static and is never scavenged, while a timestamped (dynamic) record in a zone with scavenging enabled is removed once its owner stops refreshing it.
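The client setting and the server-side checks from PowerShell, as an added example that is not part of the original post: it shows and enables the registration option on the adapter, forces a registration, then reads the PTR record's timestamp on the server together with the reverse zone's aging and the server's scavenging settings, which is what decides whether a record can disappear. The client part needs the DnsClient module (Windows 8 / Server 2012 or later), the server part the DnsServer RSAT module; the adapter alias, DNS server name and reverse zone are hypothetical placeholders.

```powershell
# Added example, not from the original post: make a host register its own PTR
# and check on the server whether that record is static or subject to scavenging.
$Alias   = 'Ethernet'                    # hypothetical adapter alias
$Server  = 'dc1.contoso.com'             # hypothetical AD-integrated DNS server
$RevZone = '1.168.192.in-addr.arpa'      # hypothetical /24 reverse zone

# --- client side ---
Import-Module DnsClient
Get-DnsClient -InterfaceAlias $Alias |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering
Set-DnsClient -InterfaceAlias $Alias -RegisterThisConnectionsAddress $true
Register-DnsClient       # same as ipconfig /registerdns: registers A and PTR

# --- server side ---
Import-Module DnsServer
$Ip   = (Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 | Select-Object -First 1).IPAddress
$Node = $Ip.Split('.')[3]                # last octet is the node name in a /24 reverse zone

$Ptr = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $RevZone `
           -RRType Ptr -Name $Node -ErrorAction SilentlyContinue
if ($Ptr) {
    # Empty Timestamp = static record, never scavenged. A timestamp means the
    # record is dynamic and survives only while its owner keeps refreshing it.
    $Ptr | Select-Object HostName, Timestamp, @{n='Target'; e={ $_.RecordData.PtrDomainName }}
}
else {
    Write-Warning "No PTR for $Ip in $RevZone yet; the registration may still be replicating"
}

# Aging on the zone plus scavenging on the server decide when an unrefreshed
# dynamic record is deleted.
Get-DnsServerZoneAging -ComputerName $Server -Name $RevZone |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers
Get-DnsServerScavenging -ComputerName $Server | Select-Object ScavengingState, ScavengingInterval
```

If the record must outlive the host's registration (a printer, an appliance), create it as a static record instead of relying on dynamic updates, and leave the timestamp empty.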

Saturday, April 5, 2008

A duplicate name exist error when connecting to SMB share using CNAME alias

Description
When you set up a CNAME alias in DNS for a Windows Server 2003 file server and then try to connect to the server using that alias, you may get the error "A duplicate name exists on the network".

Resolution
To resolve this problem in Windows Server 2003, complete the following steps:
1. Create the CNAME record for the file server on the appropriate DNS server, if the CNAME record is not already present.
2. Apply the following registry change to the file server. To do so, follow these steps:
a. Start Registry Editor (Regedt32.exe).
b. Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
c. On the Edit menu, click Add Value, and then add the following registry value:
Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1
d. Quit Registry Editor.
3. Restart the computer (restarting the Server service is enough).
Clients that authenticate with Kerberos also need the alias registered as a service principal name on the file server's computer account (HOST/alias and HOST/alias.fqdn); without those SPNs, authentication through the alias falls back to NTLM or fails.
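The registry change together with the Kerberos SPNs the alias needs, as an added example that is not part of the original post, for a Windows Server 2008 or later file server. Run it on the file server as a domain admin; the alias name is a hypothetical placeholder.

```powershell
# Added example, not from the original post: accept SMB connections through a
# CNAME alias and make Kerberos work for it instead of falling back to NTLM.
$Alias  = 'files'                                    # hypothetical CNAME
$Domain = $env:USERDNSDOMAIN.ToLower()
$Fqdn   = "$Alias.$Domain"

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# The value described above: let the Server service answer for names that are
# not its own computer name.
New-ItemProperty -Path $Key -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null

# A client that opens \\files asks the KDC for cifs/files (covered by the HOST/
# SPN), so the alias must be an SPN on this computer account. -S refuses to
# create a duplicate SPN, which would break Kerberos for both accounts.
setspn -S "HOST/$Alias" $env:COMPUTERNAME
setspn -S "HOST/$Fqdn"  $env:COMPUTERNAME

# The Server service picks the value up on restart; no reboot required.
Restart-Service -Name LanmanServer -Force

# Verify: the alias resolves, the SPNs exist, and a ticket for the alias is issued.
Resolve-DnsName -Name $Fqdn -Type CNAME | Select-Object Name, NameHost
setspn -L $env:COMPUTERNAME
klist get "cifs/$Fqdn"
Get-ItemProperty -Path $Key -Name DisableStrictNameChecking
```

DisableStrictNameChecking makes the server answer for any name a client presents. If you only need one or two aliases, the OptionalNames REG_MULTI_SZ value in the same key lists exactly the extra names the Server service should accept and is the tighter choice.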

Sunday, March 30, 2008

Tools For DNS Testing and Validation

Here are some of the websites that I often use for DNS validation or testing from outside the network perimeter.
Whenever you do email troubleshooting, website lookups, or domain whois, you will find that these websites are quite helpful.

  1. www.dnsstuff.com > This is the best one, I think. It has a lot of tools, and the results are very accurate and fast. You can query and get almost every piece of information here. However, you have to pay for the service; they are not free anymore. A trial period is available.
  2. www.zonedit.com/smtp.html > You can send a test email from this website for validation or troubleshooting. All you have to do is enter the email server MX record, sender address, and recipient address.
  3. www.mxtoolbox.com > With this tool you can query the MX record of a domain name.
  4. http://network-tools.com/nslook > You can run NSLookup queries for A, CNAME, PTR, MX, NS and other records against a certain server with this tool.
  5. http://www.dnstools.com/ > Besides getting IP whois information, you can also check port status from this website.
