Keep in mind that with this script (particularly recycle bin enabled), I'd 
expect to see quite a bit of DIT growth. Every single time you delete all these 
zones and start again, they're going to sit hidden in the DIT for 180 days, and 
then an additional 180 days as stripped down tombstones.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Wednesday, March 10, 2010 3:05 PM
To: NT System Admin Issues
Subject: Re: DNS Server service shuts down shortly after the DC boots

I just set this up on a sandboxed test VM and it was effective.  I had to 
chuckle, though, because it took over an hour to create the zones.  This VM is 
also a DC for a 5 machine domain and the ntds.dit file went from around 38MB to 
106MB.
On Tue, Mar 9, 2010 at 4:41 PM, Tim Evans <tev...@sparling.com> wrote:
I run this batch file:
****** begin batch file *****
@echo off
set server=mydnsserver
set /p delold=Delete old domains?
if /I "%delold%" NEQ "Y" goto getit
echo Deleting old domains...
pause
rem remove every zone from the previously applied list
for /F %%f in (mal_list.txt) do dnscmd %server% /zonedelete %%f /dsdel /f
:getit
if exist domains.txt del domains.txt
wget http://www.malwaredomains.com/files/domains.txt || goto end
if exist mal_list.txt del mal_list.txt
rem ignore lines beginning with # & echo 1st word only
for /F "eol=# tokens=1 " %%i in (domains.txt) do @echo %%i >>mal_list.txt
rem create a forest-wide AD-integrated zone per domain, then a wildcard A record pointing at the sinkhole host
for /F %%f in (mal_list.txt) do (dnscmd %server% /zoneadd %%f /DsPrimary /DP /forest && dnscmd %server% /recordadd %%f * A 192.168.0.6)
:end
****** end batch file *****

This adds a wildcard zone for each domain which points to an internal web 
server at 192.168.0.6. It displays a "web site blocked due to malware" page 
whenever anyone hits it. I go thru the logs regularly and investigate any host 
on that server. It's a bit crude in that it just attempts to add all the 
domains each time it is run, but it works for me. Occasionally, they delete a 
bunch of domains and I couldn't figure out a better way to handle it, so if I 
answer Y to the prompt, it deletes all domains and re-adds them from the 
downloaded list.

...Tim
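An added example, not Tim's script or anything posted to the list: a PowerShell variant that keeps the previously applied list and only adds zones that are new to the feed and deletes zones the feed dropped, which also limits the tombstone growth Brian describes, and that validates each feed entry as a hostname before handing it to dnscmd. The server name, sinkhole address and file names are the same placeholders as in Tim's script; dnscmd.exe is assumed to be on the PATH and domains.txt to have been downloaded already.

```powershell
param(
    [string]$Server     = 'mydnsserver',   # placeholder DNS server name
    [string]$SinkholeIp = '192.168.0.6',   # internal "blocked" page host
    [string]$FeedFile   = 'domains.txt',   # downloaded feed, as in Tim's script
    [string]$StateFile  = 'mal_list.txt',  # zones applied on the previous run
    [switch]$DryRun                        # print the dnscmd lines instead of running them
)

# Accept only well-formed hostnames; anything else in the feed is dropped
# rather than spliced into a dnscmd command line.
$hostnameRe = '^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'

function Get-FeedDomains([string]$Path) {
    # Same selection as Tim's "eol=# tokens=1": skip comment lines and keep
    # the first whitespace-separated field (the feed has a leading tab column).
    Get-Content $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object { ($_ -split '\s+')[0].ToLowerInvariant() } |
        Where-Object { $_ -match $hostnameRe } |
        Sort-Object -Unique
}

function Invoke-Dnscmd([string[]]$CmdArgs) {
    if ($DryRun) { Write-Host ('dnscmd ' + ($CmdArgs -join ' ')); return $true }
    & dnscmd @CmdArgs | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$new = @(Get-FeedDomains $FeedFile)
$old = @(); if (Test-Path $StateFile) { $old = @(Get-Content $StateFile) }
$oldSet = @{}; foreach ($d in $old) { $oldSet[$d] = $true }
$newSet = @{}; foreach ($d in $new) { $newSet[$d] = $true }
$toAdd    = @($new | Where-Object { -not $oldSet.ContainsKey($_) })
$toRemove = @($old | Where-Object { -not $newSet.ContainsKey($_) })

# Delete only zones the feed dropped, so tombstones accumulate per change
# rather than for the whole list on every run.
foreach ($d in $toRemove) {
    [void](Invoke-Dnscmd @($Server, '/zonedelete', $d, '/dsdel', '/f'))
}
foreach ($d in $toAdd) {
    if (Invoke-Dnscmd @($Server, '/zoneadd', $d, '/DsPrimary', '/DP', '/forest')) {
        [void](Invoke-Dnscmd @($Server, '/recordadd', $d, '*', 'A', $SinkholeIp))
    }
}
if (-not $DryRun) { $new | Set-Content $StateFile }
'added {0}, removed {1}' -f $toAdd.Count, $toRemove.Count
```

Run it once with -DryRun against the current mal_list.txt to see exactly which zones would change before letting it touch the directory.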

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Tuesday, March 09, 2010 1:13 PM

To: NT System Admin Issues
Subject: Re: DNS Server service shuts down shortly after the DC boots

Very intriguing.

How do you accomplish the loading of the domain list?  Using a boot file per 
the directions here: http://www.malwaredomains.com/wordpress/?page_id=6#MS?  Do 
you refresh the list manually every once in a while?

Thanks,
RS
On Tue, Mar 9, 2010 at 3:58 PM, Tim Evans <tev...@sparling.com> wrote:
FWIW, I load the entire domain list from http://www.malwaredomains.com/ into my 
AD integrated DNS without any problems. Over 18000 domains are currently 
included. I've got a 2003 native domain/forest too. DCs include WS08R2, WS08, 
& WS03 SP2. I have not seen anything like this here.

...Tim

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Tuesday, March 09, 2010 11:53 AM

To: NT System Admin Issues
Subject: RE: DNS Server service shuts down shortly after the DC boots

It appears that background zone loading is a feature of 2008 and later... maybe 
I just need to hurry up the upgrade to 2008.

Carl

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, March 09, 2010 2:44 PM
To: NT System Admin Issues
Subject: RE: DNS Server service shuts down shortly after the DC boots

Oh! Yes, now that you say that....

I bet what's happening is that it's timing out.

There is a flag (and I'm sorry that I don't remember the details) that says "do 
the initial zone load in the background". You probably need to set that. That 
should be enough to biggle with...

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Tuesday, March 09, 2010 2:40 PM
To: NT System Admin Issues
Subject: RE: DNS Server service shuts down shortly after the DC boots

"Debug logging" will log DNS packets to a text file.  I guess the last DNS 
packet received before the shutdown could tell me something if it was shutting 
down randomly at any time.   But the fact that the service stays running 
forever after restarting suggests that bad DNS packets on the wire aren't 
likely causing this.  So if bad DNS traffic is the problem, the only 
explanation would be a DNS query from the DC to itself.   DC DOS's its own DNS 
server service?

One thing I may have that is less common is a lot of DNS authoritative zones 
for well known bad (malware hosting) domain names.  There's over 1000 of 'em.

I have to say I'm not up for an extended debugging journey on this one, just 
wondering if this behavior triggered any memories for anyone.

Carl

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, March 09, 2010 1:53 PM
To: NT System Admin Issues
Subject: RE: DNS Server service shuts down shortly after the DC boots

It should be able to kick out more info to a text file.

The scenario you mention of branch DCs not having connectivity is completely 
normal.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Tuesday, March 09, 2010 12:46 PM
To: NT System Admin Issues
Subject: RE: DNS Server service shuts down shortly after the DC boots

Good idea, but the DNS Server's event logging option has been on "all events" 
all this time.  That must be the default, I don't recall ever changing it.

Carl

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, March 09, 2010 1:39 PM
To: NT System Admin Issues
Subject: RE: DNS Server service shuts down shortly after the DC boots

This would seem to indicate to me that while the DNS Server service was 
initiated, it never actually finished initializing.

Aren't there some logging options on the DNS server property tab? I'd probably 
ratchet those up to max for a while and see if they helped gather more info...

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Tuesday, March 09, 2010 1:22 PM
To: NT System Admin Issues
Subject: DNS Server service shuts down shortly after the DC boots

Curious thing, started a few months ago after I moved the FSMO roles from this 
DC to another one.  This DC frequently boots "in a vacuum" - no other DCs can 
be contacted, so it takes a long time sniffing around before it finally starts 
Active Directory and its own DNS Server service.   A few minutes after that, 
the DNS Server service shuts down.  There's nothing in the System or 
Application event log to explain it, and the DNS Server event log records 
simply that "The DNS server has shutdown." (event ID 3).

The recovery options are set to restart the service, but that doesn't happen 
because the service appears to have been shut down on purpose.  But no human 
(for sure) and 99.9% sure no software is issuing the command.

Another interesting thing from the event logs, under System, when I start the 
service there's an event 7036 logged "The DNS Server has entered the running 
state".  But I see NO event 7036 for DNS at the time of booting.  Obviously, it 
must be started, else the DNS event log wouldn't record that it had shut down!  
And I see no 7036 events for it stopping either.

When this happens, I can manually start the DNS Server service and all is well 
until the next boot, which may or may not have the problem.  I think it's 
happening about 50% of the time.

I've scripted a solution to recover from the problem, but I'm just curious if 
anyone has noticed something similar.  I'm guessing the instances of branch 
offices booting their DC without network connectivity back to the FSMO holder 
at HQ is fairly rare, but not unheard of.

And this is Windows 2003 SP2, native 2003 domain/forest.  Almost left that off, 
yikes!

TIA,
Carl
