
On Friday I changed a public DNS A record to a new IP address on our provider's DNS service for our public web domain. To make these changes propagate faster on our intranet (for our intranet clients/users) I used the PowerShell command Clear-DnsServerCache on our Windows 2012 R2 DNS server machine.

My understanding of the command is that only the cache will be deleted. No records or anything else will be touched. Therefore (so I thought) the only negative implication of deleting the whole cache might be lower performance in resolving names. Hence I did not bother to delete only the cached records for the affected domain name, but deleted the whole cache. As we only have around 20 people working at this site, I considered the performance penalty of a deleted cache negligible.

Note: The machine on which the DNS server is running is also a synchronized AD domain controller. It is a Windows 2012 R2 Standard machine. This DNS server hosts AD-integrated zones. Replication is active with two other DNS/Active Directory servers located in our headquarters. On this server we also have reverse DNS lookup set up, and we have query forwarding active to all replicated servers (each DNS server has the other two replicated servers set up as forwarders).

Today (after the weekend) we have massive DNS problems. The _gc, _kerberos and _ldap forward-lookup entries in the AD-integrated zones are missing from the DNS server. Hence we have problems with people not being able to find the domain name server, et cetera. My team is now discussing what the reason could be.

Can it be that Clear-DnsServerCache caused this? The TechNet article at https://technet.microsoft.com/en-us/library/jj649893(v=wps.630).aspx did not help either.

Side question: is Clear-DnsServerCache doing the same as dnscmd /clearcache, and also the same as the GUI (DNS Management Console, View -> Advanced, then right-click on Cached Lookups and then Clear Cache)?

Update 2017-02-08: Thanks to all the commenters. Based on your input I am now confident that our problems have nothing to do with Clear-DnsServerCache. Which leaves the question of what caused our loss of multiple AD-relevant SRV records. If I find out, I will come back and write another update, though I have my doubts whether we will ever find out.

reto
  • Does your DNS server host an AD-integrated zone for your local Active Directory domain? Is your DNS server configured to forward DNS queries, or does it perform reverse DNS lookups? What OS version is on your DNS server? – Slipeer Feb 07 '17 at 09:41
  • Yes, the DNS server hosts AD-integrated zones. It is actually those zones that _lost_ records. I updated the question above to clarify and integrate the answers to your questions. – reto Feb 07 '17 at 13:47
  • Are the problems with missing SRV records observed only on one domain controller? – Slipeer Feb 07 '17 at 13:50
  • Actually the problem is on all servers. As the affected zone is replicated on all AD/DNS servers, the missing entries propagated, I assume. This made it very hard to fix this morning, as we did not know exactly what entries we needed to create or what was there before. To me this seems to have nothing to do with `Clear-DnsServerCache`. But we are not aware of anything else DNS-related we changed in the last week. Hence the question of whether this is normal behavior of `Clear-DnsServerCache` or whether we can continue using this command in the future. – reto Feb 07 '17 at 13:56
  • @reto The problem you describe is *not* caused by normal, expected behavior of `Clear-DnsServerCache`. I've tested the cmdlet on a number of separate AD domains to verify. Has anything been changed with DNS scavenging settings? -- even if more than a week ago. – jscott Feb 07 '17 at 14:17
  • @reto: I don't think Clear-DnsServerCache would cause this. Do you have an _msdcs zone? If so, is Scavenging enabled? – Greg Askew Feb 07 '17 at 16:13
  • @jscott and GregAskew: Thanks for the help. We have scavenging settings (and we have an _msdcs zone). They are set to 7 days everywhere. Not sure, but 7 days could be the default. As far as I know we never changed the scavenging settings (at least not that the current team is aware of). The Active Directory domain is probably 10 years old (or more), updated/synced to younger servers though. – reto Feb 07 '17 at 18:00
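The question and the comments turn on two separate things: what `Clear-DnsServerCache` actually touches (only the resolver cache, never zone data), and whether aging/scavenging on the AD-integrated zone could have removed timestamped SRV records. The PowerShell below is an added example, not code from the question or its commenters; it runs on a DC with the DnsServer module, and the server name `dc1.contoso.com` and zone `contoso.com` are placeholders. It snapshots the AD SRV records in the zone, clears the cache, shows the zone count is unchanged, and then reports the scavenging settings together with any SRV records whose timestamp is already past the no-refresh + refresh window (the ones scavenging would delete on its next pass).

```powershell
# Added example (not from the question): show that Clear-DnsServerCache leaves zone
# data alone, and list which AD SRV records are eligible for scavenging.
# Server and zone names are placeholders; run on a DC/DNS server as an administrator.
$DnsServer = 'dc1.contoso.com'   # assumption: the DNS server/DC to inspect
$Domain    = 'contoso.com'       # assumption: the AD-integrated forward zone

function Get-AdSrvRecordSnapshot {
    param([string]$Server, [string]$Zone)
    # SRV names Netlogon registers in the domain zone (not an exhaustive list).
    # If _msdcs.<domain> is a separate delegated zone, the last name is not found here.
    $names = '_ldap._tcp', '_kerberos._tcp', '_gc._tcp', '_kpasswd._tcp', '_ldap._tcp.dc._msdcs'
    foreach ($n in $names) {
        Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name $n -RRType SRV -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Name      = $_.HostName
                    Target    = $_.RecordData.DomainName
                    Port      = $_.RecordData.Port
                    Timestamp = $_.Timestamp   # empty for static records; only timestamped records age out
                }
            }
    }
}

function Get-ScavengingCandidate {
    param([string]$Server, [string]$Zone, [object[]]$Records)
    $aging = Get-DnsServerZoneAging -ComputerName $Server -Name $Zone
    if (-not $aging.AgingEnabled) { return @() }
    # A timestamped record older than NoRefresh + Refresh is deleted on the next scavenge pass
    $threshold = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
    $Records | Where-Object { $_.Timestamp -and $_.Timestamp -lt $threshold }
}

# 1. Zone records and cache before clearing
$before = @(Get-AdSrvRecordSnapshot -Server $DnsServer -Zone $Domain)
$cached = @(Show-DnsServerCache -ComputerName $DnsServer)
Write-Host ("Before: {0} AD SRV records in zone {1}, {2} cached entries" -f $before.Count, $Domain, $cached.Count)

# 2. Clear only the resolver cache (same effect as dnscmd /clearcache and the MMC action)
Clear-DnsServerCache -ComputerName $DnsServer -Force

# 3. Zone records are untouched; the cache drops back to roughly the root hints
$after      = @(Get-AdSrvRecordSnapshot -Server $DnsServer -Zone $Domain)
$afterCache = @(Show-DnsServerCache -ComputerName $DnsServer)
Write-Host ("After:  {0} AD SRV records in zone {1} (unchanged: {2}), {3} cached entries" -f
    $after.Count, $Domain, ($after.Count -eq $before.Count), $afterCache.Count)

# 4. The thing that does delete records: aging on the zone plus scavenging on the server
$scav  = Get-DnsServerScavenging -ComputerName $DnsServer
$aging = Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $Domain
[pscustomobject]@{
    ServerScavenging   = $scav.ScavengingState
    ScavengingInterval = $scav.ScavengingInterval
    LastScavengeTime   = $scav.LastScavengeTime
    ZoneAgingEnabled   = $aging.AgingEnabled
    NoRefreshInterval  = $aging.NoRefreshInterval
    RefreshInterval    = $aging.RefreshInterval
} | Format-List

Write-Host "SRV records that the next scavenge pass would remove:"
Get-ScavengingCandidate -Server $DnsServer -Zone $Domain -Records $after |
    Format-Table Name, Target, Port, Timestamp -AutoSize
```

Two things to read off the output: the SRV count before and after the clear is identical, and the `Timestamp` column tells you whether the records are dynamic (and therefore subject to aging) at all. Netlogon re-registers its records on every restart and then hourly, so under normal conditions their timestamps keep moving and scavenging never touches them; a DC whose Netlogon stopped updating (wrong DNS client settings, dynamic-update failures, a scavenging window shorter than the refresh cycle) is the usual way those records fall past the threshold and disappear on every replica at once.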

1 Answer


Q: Side question: is Clear-DnsServerCache doing the same as dnscmd /clearcache, and also the same as the GUI (DNS Management Console, View -> Advanced, then right-click on Cached Lookups and then Clear Cache)?

A: Yes.

That command should not have had any effect on the AD SRV records.

That being said, you can recreate the missing SRV records by using one of the following methods:

  1. Restarting the Netlogon service on one of your DCs.

  2. Importing the SRV records from C:\SystemRoot\Config\NetLogon.dns on one of your DCs.

  3. Running DCDiag /Fix

  4. Running NetDiag /Fix

joeqwerty
  • Thanks a lot. I was not aware of these tools. My colleague fixed most of the missing SRV records before your post. Will read about DCDiag and NetDiag. My DNS know-how is little, and that little is mostly with Linux/Bind9. I am relatively new to Windows DNS (and AD for that matter). – reto Feb 07 '17 at 18:14
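The answer's method 2 (re-importing the records from the DC's netlogon.dns) is the one people usually have to do by hand, because there is no built-in import cmdlet for that file. Below is an added example, not the answerer's code, that parses the file and re-adds each record with `Add-DnsServerResourceRecord`, then verifies the result with `Resolve-DnsName`. It assumes the file is at `%SystemRoot%\System32\config\netlogon.dns` (the location Netlogon writes it to on a DC; the path quoted in the answer differs), and uses `dc1.contoso.com` / `contoso.com` as placeholder names; the sample lines embedded in the script are constructed in the netlogon.dns format so the parser can be exercised even where the real file is absent, and the DSA GUID in the CNAME line is a placeholder.

```powershell
# Added example (not from the answer): rebuild a DC's Netlogon DNS records from
# netlogon.dns. Server, zone and GUID values are placeholders.
$DnsServer    = 'dc1.contoso.com'                                             # assumption: DNS server to write to
$NetlogonFile = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'    # where Netlogon writes the file on a DC

# Constructed sample in netlogon.dns format: "<FQDN>. <TTL> IN <TYPE> <RDATA>"
$SampleLines = @(
    'contoso.com. 600 IN A 10.0.0.11',
    '_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.',
    '_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.',
    '_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 dc1.contoso.com.',
    '_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.',
    '11111111-2222-3333-4444-555555555555._msdcs.contoso.com. 600 IN CNAME dc1.contoso.com.'  # placeholder DSA GUID
)

function ConvertFrom-NetlogonDns {
    # Turn netlogon.dns lines into objects with the zone and zone-relative name the
    # DnsServer cmdlets expect. The longest hosted zone that suffixes the FQDN owns it,
    # so records under a delegated _msdcs.<domain> zone land in that zone, not the parent.
    param([string[]]$Lines, [string[]]$HostedZones)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }
        $fqdn = $f[0].TrimEnd('.')
        $zone = $HostedZones | Where-Object { $fqdn -eq $_ -or $fqdn.EndsWith(".$_") } |
                Sort-Object Length -Descending | Select-Object -First 1
        if (-not $zone) { Write-Warning "No hosted zone for $fqdn; skipping"; continue }
        $name = if ($fqdn -eq $zone) { '@' } else { $fqdn.Substring(0, $fqdn.Length - $zone.Length - 1) }
        [pscustomobject]@{
            Zone  = $zone
            Name  = $name
            Ttl   = [TimeSpan]::FromSeconds([int]$f[1])
            Type  = $f[3]
            Rdata = $f[4..($f.Count - 1)]
        }
    }
}

function Restore-NetlogonDnsRecord {
    # Add one parsed record; an identical existing record makes the cmdlet throw, which is reported and skipped.
    param([string]$Server, [pscustomobject]$Record)
    $common = @{ ComputerName = $Server; ZoneName = $Record.Zone; Name = $Record.Name
                 TimeToLive = $Record.Ttl; ErrorAction = 'Stop' }
    $label = "$($Record.Type) $($Record.Name).$($Record.Zone)"
    try {
        switch ($Record.Type) {
            'SRV'   { Add-DnsServerResourceRecord @common -Srv -Priority $Record.Rdata[0] -Weight $Record.Rdata[1] `
                          -Port $Record.Rdata[2] -DomainName $Record.Rdata[3].TrimEnd('.') }
            'A'     { Add-DnsServerResourceRecord @common -A -IPv4Address $Record.Rdata[0] }
            'CNAME' { Add-DnsServerResourceRecord @common -CName -HostNameAlias $Record.Rdata[0].TrimEnd('.') }
            default { Write-Warning "Unhandled record type: $label"; return }
        }
        Write-Host "added   $label"
    } catch {
        Write-Host "skipped $label ($($_.Exception.Message))"
    }
}

# Use the real file when present, otherwise the constructed sample above
$lines = if (Test-Path $NetlogonFile) { Get-Content $NetlogonFile } else { $SampleLines }
$zones = (Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsReverseLookupZone }).ZoneName

foreach ($r in ConvertFrom-NetlogonDns -Lines $lines -HostedZones $zones) {
    Restore-NetlogonDnsRecord -Server $DnsServer -Record $r
}

# Verify with the record every domain member uses to locate a DC
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.com' -Type SRV -Server $DnsServer |
    Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize
```

Try the cheaper fixes first: `nltest /dsregdns` asks the local Netlogon to re-register everything in the file immediately, and `Restart-Service Netlogon` does the same on start-up; `dcdiag /test:dns /DnsRecordRegistration /v` reports which records each DC failed to register and why. The parse-and-add route is for the case where Netlogon itself cannot write to the zone (dynamic-update failures, wrong DNS client settings), since every record it creates is static and will not age out, but also will not be updated automatically when the DC's address changes.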