When Computer Logins Fail Randomly, Look at DNS Delegation 2


Post to Twitter Post to Facebook Post to StumbleUpon

This post was submitted by Brian Higgins. Learn more about Brian at https://www.thirdtier.net/who/brian-higgins/

I recently came across a network that was experiencing some odd DNS problems. Client machines just randomly would fail to contact the domain controller at boot up for no apparent reason.  I ran dcdiag /test:DNS /v on the server and it showed in the summary that everything passed except for Del (delegation)

clip_image002

After reviewing the details of the delegation tests it turns out that when the domain was migrated from 2003 to 2008 R2 DC’s, the glue records for the _msdcs delegation did not get automatically updated, and were still pointing to the old DC. For those unfamiliar with what the _msdcs delegation is, see the image below.

clip_image004

If you click on the delegation you will see one or more Name Servers listed (your domain controllers in almost every case), but that is a little deceiving since what is actually recorded and used for the delegation is an IP address, which is not shown.  If you right click and go to properties on the delegation you can see the IP address associated with the server name, but if it has a * at the end of the name then it means it is a resolved name, and not a recorded name, which for a Name Server delegation, is invalid.

Remove any invalid entries from the list, you will be prompted at the end to confirm you want to remove the glue record associated with whatever IP address was shown, and add the correct server names (be sure to resolve them to the correct IP first) and that should fix your delegation problems, and the otherwise unexplainable client problems should (hopefully) go away as well.

I took a look through all of the other clients that I manage to see how many of them had invalid glue records and found that all but one other system was correct, that one had a DC that was still valid, but had changed IPs at one point, and the glue record still pointed to the old IP. A simple remove and re-add of the record cleared that problem right away.


So who wrote this blog and what do they do for a living anyway?
We’re Third Tier. We provide advanced Third Tier support for IT Professionals.
Third Tier Get Support BlogFeed Blog Twitter Twitter Facebook Facebook LinkedIn LinkedIN


Leave a comment

Your email address will not be published. Required fields are marked *

This blog is kept spam free by WP-SpamFree.

2 thoughts on “When Computer Logins Fail Randomly, Look at DNS Delegation