Technet999-6630 asked DaisyZhou-MSFT answered

DNS Sub Domain GUID does not match Domain GUID

I am noticing an issue when running dcdiag from our domain controllers. In the DNS tests for each DC there is a warning about missing SRV records. When looking through DNS I am seeing the SRV records for each DC, but in a different location than what dcdiag seems to be expecting. Searching for the SRV records of the domain through nslookup is also returning the records found in DNS. The location in which these records are held seems to be in a different spot than what dcdiag is expecting. The GUID that dcdiag mentions in the errors matches the GUID for the domain but is not what is seen in DNS. Right now functionality seems to be fine, as no issues regarding this have come up. Is this mismatch of GUIDs between what is seen in DNS and the domain going to be an issue? Is there a solution for this that can be easily resolved?

The warning from the dcdiag dns test reads:
Error:
Missing SRV record at DNS server XX.XX.XX.XX:
_ldap._tcp.b152358d-93c6-44e2-80e1-d924e906394c.domains._msdcs.domain.local
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

UPDATE: It seems that the GUID seen in DNS is the GUID of the Domain when queried from CIM or WMI. Why would this be a different GUID from ADSI?


DaisyZhou-MSFT answered Technet999-6630 commented

Hello @Technet999-6630,

Thank you for posting here.

To better understand your question, please confirm the following information:
1. How many domains are there in this forest? We can check this by opening AD Domains and Trusts.
2. How many DCs are there in each domain? We can check this by running the command: nltest /dclist:domain.com
3. Check the root domain, child domains and domain trees with the command: Get-ADForest domain.com | select *

I guess maybe there was a domain corresponding to the GUID in your AD forest before, and it has since been deleted, but it could not be removed successfully.

We can try to check.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

Hello Daisy,

There is only one domain within this forest.

At the moment there are 6 domain controllers, with the plan to remove the 2 oldest ones once everything looks okay.

There are no child domains for this domain.

There also may have been a time where this domain was renamed but this was before my time and I do not know of any way I can confirm this myself.

Is there any way this may cause issues in the future? Like I mentioned in my original post, I have not noticed any functional issues with DNS or with the domain right now but I am not sure if this will be a problem in the future. Would leaving this mismatch be okay or is it best to fix this? If so how can this be done?

Regards,

DaisyZhou-MSFT answered

Hello @Technet999-6630,

Thank you so much for your confirmation.

As I understand it, you only have one forest with a single domain, without any child domain and without any domain tree.

Please check information below first:
1. Check whether all the DCs in this domain have the same domain GUID in DNS manager.
2. Check whether AD replication works fine by running the following commands on the PDC.

repadmin /syncall /AdeP >c:\rep1.txt

repadmin /showrepl >c:\rep2.txt

repadmin /replsum >c:\rep3.txt


repadmin /showrepl * /csv >c:\repsum.csv


If all the results look OK without any error message, it seems AD replication works fine in your forest.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
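
The per-DC GUID check discussed in this thread can be scripted. The following is an added example, not part of the original thread: it reads the domain's objectGUID from AD and asks each DC's DNS service for the GUID-based SRV record that dcdiag looks up. It assumes the RSAT ActiveDirectory module, the Resolve-DnsName cmdlet, a domain-joined host, and that every DC also runs DNS; Test-DomainGuidSrv is a hypothetical function name.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module,
# DnsClient module (Resolve-DnsName), domain-joined host, every DC runs DNS.
Import-Module ActiveDirectory

function Test-DomainGuidSrv {
    [CmdletBinding()]
    param(
        # Defaults to the DNS domain of the logged-on user
        [string]$DomainName = $env:USERDNSDOMAIN
    )

    $domain = Get-ADDomain -Identity $DomainName
    $guid   = $domain.ObjectGUID.ToString()   # hyphenated form, as in the dcdiag message

    # GUID-based locator records are registered under _msdcs.<forest root DNS name>
    $srvName = "_ldap._tcp.$guid.domains._msdcs.$($domain.Forest)"

    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        $result = [ordered]@{
            DnsServer = $dc.HostName
            Address   = $dc.IPv4Address
            Queried   = $srvName
            Found     = $false
            Targets   = ''
            Error     = ''
        }
        try {
            # Query this DC's DNS service directly, bypassing the local resolver cache
            $answers = Resolve-DnsName -Name $srvName -Type SRV -Server $dc.IPv4Address `
                                       -DnsOnly -ErrorAction Stop
            $srv = @($answers | Where-Object { $_.Type -eq 'SRV' })
            $result.Found   = $srv.Count -gt 0
            $result.Targets = ($srv.NameTarget | Sort-Object -Unique) -join ', '
        }
        catch {
            # A "name does not exist" failure here matches dcdiag error 9003
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-DomainGuidSrv | Format-Table -AutoSize
```

A row with Found = False identifies a DNS server that does not hold the record for the GUID stored in AD, which is the condition dcdiag reports.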
