According to syslog the DCs do update tons of records all the time... A, PTR, SRV. I didn't regulate them. Their IPs are allowed to do any updates.
---
Ing. Christian Melbinger
Network & Security
WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at

-----Original Message-----
From: r...@nachtmaus.us [mailto:r...@nachtmaus.us]
Sent: Tuesday, 03 January 2012 14:17
To: Melbinger Christian; bind-users-bounces+root=nachtmaus...@lists.isc.org; Carsten Strotmann (private)
Cc: bind-users@lists.isc.org
Subject: Re: AW: MS AD 2008R2 and bind

The DC must not only be allowed to update his A, AAAA (if applicable) and PTR records, he must also be able to update his SRV and TXT records.

Please add the DC to the ACL for allow-updates on the zone that corresponds to the AD Domain/Kerberos zone, and then confirm that it is working by restarting the Netlogon service (necessary, because IPCONFIG /registerdns only updates A, AAAA (if applicable) and PTR records, while the former regenerates the SRV records, et al).

Hope that helps,
-DTK

-----Original Message-----
From: Melbinger Christian <christian.melbin...@wienit.at>
Sender: bind-users-bounces+root=nachtmaus...@lists.isc.org
Date: Tue, 3 Jan 2012 13:47:30
To: Carsten Strotmann (private)<c...@strotmann.de>
Cc: bind-users@lists.isc.org<bind-users@lists.isc.org>
Subject: AW: MS AD 2008R2 and bind

Hello

Thanks for your answer, but unfortunately that's not the case.

When I do a nslookup like "nslookup internal.wienit.at", I get back the IPs of the DCs, speaking
Addresses: 10.4.4.4, 10.5.5.5

The error message
>The invalid IP addresses are 10.1.1.1; 10.2.2.2.
is pointing towards the dns-servers. (bind and linux, no windows there)

I also had an old dns server running on 10.3.3.3, which was included in the error message too. I shut it down but the IP only got removed from the error once I deleted the NS record. (yeah forgot to do that)

Any ideas?

-----Original Message-----
From: Carsten Strotmann (private) [mailto:c...@strotmann.de]
Sent: Tuesday, 03 January 2012 13:07
To: Melbinger Christian
Cc: bind-users@lists.isc.org
Subject: Re: MS AD 2008R2 and bind

Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote:
>
> So this is presumably not a problem of the bind servers themselves,
> but still, does anyone have an idea how to get rid of the error
> messages?
>
> Anyone know the checkbox to unset? I didn't find one.

From the error message you're seeing, the problem is that the domain controller has already found DNS entries for itself in the DNS, but the entries are pointing to a different IP address than the domain controller has. The domain controller will not overwrite the existing entries.

You have to remove the wrong, stale entries and after that the domain controller should be able to register (update) the address records with the correct IP addresses. You can force this with a reboot or with "ipconfig /registerdns" from the command line.

The old IP addresses might be leftovers from a test, and have not been properly removed when the IP addresses of the domain controller have been changed.

Best regards

Carsten Strotmann

Hi

My company moved to a 2008R2 Domain Controller environment. Now I see the following message in the windows log:

Title: This domain controller must register its correct IP addresses with the DNS server
Severity: Error
Category: Configuration
Issue: The Domain Name System (DNS) host resource records for this domain controller's fully qualified domain name currently map to the IP addresses that do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 10.2.2.2.
Impact: Other member computers and domain controllers in the domain or forest might not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
Resolution: Ensure that the DNS Client service on this domain controller is configured and able to register valid host resource records with an authoritative DNS server for the domain.
More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=131229

All Domain Controllers have zone update rights on the master dns server, and according to the logfile updating zones works. My DNS servers are running BIND 9.7.3-P3.

So this is presumably not a problem of the bind servers themselves, but still, does anyone have an idea how to get rid of the error messages?

Anyone know the checkbox to unset? I didn't find one.

With regards
Christian Melbinger

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
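
The thread relies on named's syslog output to judge which records the DCs update from their allowed IPs. The following is an added example, not part of the original thread: it tallies accepted and denied dynamic updates per client from lines in the shape BIND logs them. The DC addresses and zone name come from the thread; the log lines, host names, ports and 10.9.9.9 are constructed, and the required type list follows the record types named in the replies.

```python
import re
from collections import defaultdict

DC_IPS = {"10.4.4.4", "10.5.5.5"}        # DC addresses quoted in the thread
REQUIRED = {"A", "PTR", "SRV", "TXT"}    # record types named in the thread
# Constructed sample log; host names, ports and 10.9.9.9 are made up.
SAMPLE_LOG = """\
Jan  3 13:40:01 ns1 named[2211]: client 10.4.4.4#49170: updating zone 'internal.wienit.at/IN': adding an RR at 'dc1.internal.wienit.at' A
Jan  3 13:40:01 ns1 named[2211]: client 10.4.4.4#49171: updating zone 'internal.wienit.at/IN': adding an RR at '_ldap._tcp.internal.wienit.at' SRV
Jan  3 13:40:02 ns1 named[2211]: client 10.4.4.4#49172: updating zone '10.in-addr.arpa/IN': adding an RR at '4.4.4.10.in-addr.arpa' PTR
Jan  3 13:40:02 ns1 named[2211]: client 10.4.4.4#49173: updating zone 'internal.wienit.at/IN': adding an RR at 'dc1.internal.wienit.at' TXT
Jan  3 13:40:05 ns1 named[2211]: client 10.5.5.5#51002: updating zone 'internal.wienit.at/IN': deleting rrset at 'dc2.internal.wienit.at' A
Jan  3 13:40:05 ns1 named[2211]: client 10.5.5.5#51002: updating zone 'internal.wienit.at/IN': adding an RR at 'dc2.internal.wienit.at' A
Jan  3 13:40:06 ns1 named[2211]: client 10.5.5.5#51003: updating zone 'internal.wienit.at/IN': adding an RR at '_kerberos._tcp.internal.wienit.at' SRV
Jan  3 13:41:10 ns1 named[2211]: client 10.9.9.9#50012: update 'internal.wienit.at/IN' denied
"""

UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: updating zone '[^']+': "
    r"(?:adding an RR|deleting rrset|deleting an RR) at '?[^' ]+'? (?P<type>\S+)")
DENIED_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '[^']+' denied")

def audit_updates(log_text, dc_ips):
    """Return (types updated per client, non-DC clients whose updates were
    accepted, clients whose updates were denied)."""
    seen, unexpected, denied = defaultdict(set), set(), set()
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            seen[m["ip"]].add(m["type"])
            if m["ip"] not in dc_ips:
                unexpected.add(m["ip"])   # accepted update from a non-DC address
            continue
        m = DENIED_RE.search(line)
        if m:
            denied.add(m["ip"])
    return dict(seen), unexpected, denied

def missing_types(seen, dc_ips, required):
    """Per DC, the required record types that never appear in its updates."""
    gaps = {ip: sorted(required - seen.get(ip, set())) for ip in dc_ips}
    return {ip: types for ip, types in gaps.items() if types}

if __name__ == "__main__":
    seen, unexpected, denied = audit_updates(SAMPLE_LOG, DC_IPS)
    print(seen, unexpected, denied, missing_types(seen, DC_IPS, REQUIRED))
```
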