BPuhl’s Blog

A little bit of everything without actually being much of anything

A story of Dnscmd.exe

Posted by BPuhl on January 10, 2008

One of my teammates came by my office asking about a DNS record for our PKI service.  First thing I did, was pull up a command prompt and tried to find the records with dnscmd.exe:

C:\Windows\system32>dnscmd red-dc-11 /enumrecords redmond.corp.microsoft.com corppki /detail
DNS Server failed to enumerate records for node corppki.redmond.corp.microsoft.com.
    Status = 5 (0x00000005)

Command failed:  ERROR_ACCESS_DENIED     5  (00000005)

Well that just kind of sucks.  So I tried again with a different account, that has admin rights, and still received ERROR_ACCESS_DENIED.  Next I busted out my DA account, just to see what happened and got the same thing.  The DNS gods had seemingly decided that I didn’t need to resolve names anymore.  Weird.

Then something really interesting happened.  I tried a different server and it worked:

C:\Windows\system32>dnscmd red-dc-02 /enumrecords redmond.corp.microsoft.com corppki /detail
Returned records:
RPC Node:
        ptr          = 0026F4C0
        wLength      = 16
        wRecordCount = 1
        dwChildCount = 0
        dwFlags      = 00800000
        Node Name    = @
  A Record info:
        ptr          = 0026F4D0
        wType        = A (1)
        wDataLength  = 4
        dwFlags      = f0
        rank         = f0
        dwSerial     = 00000000
        dwTtlSeconds = 1200
        dwTimeStamp  = 3567200 ([ 8: 0: 0] [12/12/2007])
A      157.54.52.21
Command completed successfully.

Fortunately our resident DNS guy came walking by – not that unusual as his office is right down the hall, but still pretty fortuitous.  He explained to me that there had been a change in Longhorn Server, and that to use DNSCMD now required putting the full FQDN into the “server” field.  Apparently he found this out months ago, when all of the scripts we use simultaneously broke.  He updated them all to use FQDNs, and they work fine now.

Sure enough, going back to the original server, using the FQDN worked:

C:\Windows\system32>dnscmd red-dc-11.redmond.corp.microsoft.com /enumrecords redmond.corp.microsoft.com corppki /detail
Returned records:
RPC Node:
        ptr          = 000B0CB0
        wLength      = 16
        wRecordCount = 1
        dwChildCount = 0
        dwFlags      = 00800000
        Node Name    = @
  A Record info:
        ptr          = 000B0CC0
        wType        = A (1)
        wDataLength  = 4
        dwFlags      = f0
        rank         = f0
        dwSerial     = 00000000
        dwTtlSeconds = 1200
        dwTimeStamp  = 3567200 ([ 8: 0: 0] [12/12/2007])
A      157.54.52.21
Command completed successfully.

Ok, fair enough (I thought to myself), I must have been lucky, and when I decided to try a “different server”, I probably just picked one which was Server 2003 which is why it worked.

HEY WAIT A SECOND – THAT DOMAIN IS IN WINDOWS SERVER 2008 DOMAIN MODE!  THERE AREN’T ANY SERVER 2003 DC’S IN THERE!!!

Now I was curious, so I walked back down the hallway, where I got the rest of the story.  Apparently at least MS IT, and possibly (but who knows) other customers, pushed back enough about this change, that it was “fixed” in a later build.

Sure enough, it turned out that the DC which was giving me the access denied message is running RC0, and the DC which worked is running RC1.  Apparently this dogfooding stuff does pay off.

The question of the day though, was:  “Is it really that unreasonable to expect that the DNS command line tool require a DNS formatted name?”
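The fix the DNS team applied to their scripts was to always hand dnscmd an FQDN. The following is an added Python example (not the author's or the DNS team's script) that does the same thing in a wrapper and also parses the /enumrecords /detail output shown above, surfacing the misleading ERROR_ACCESS_DENIED as an exception instead of a silently empty result. It assumes dnscmd.exe is on PATH and that the caller knows the domain's DNS suffix; the sample output strings are transcribed from the post.

```python
# Added example, not the author's or the DNS team's script: force the server
# argument to an FQDN before calling dnscmd, then parse the /detail output.
# Assumes dnscmd.exe is on PATH; the sample strings below come from the post.
import re
import subprocess

ACCESS_DENIED = re.compile(r"Command failed:\s+ERROR_ACCESS_DENIED\s+5\b")
FIELD = re.compile(r"^\s+(\w+)\s*=\s*(.+?)\s*$")   # "        dwTtlSeconds = 1200"
RDATA = re.compile(r"^([A-Z]+)\s+(.+?)\s*$")       # "A      157.54.52.21"
SAMPLE_OK = """Returned records:
RPC Node:
        wRecordCount = 1
        Node Name    = @
  A Record info:
        wType        = A (1)
        dwTtlSeconds = 1200
        dwTimeStamp  = 3567200 ([ 8: 0: 0] [12/12/2007])
A      157.54.52.21
Command completed successfully.
"""
SAMPLE_DENIED = "Command failed:  ERROR_ACCESS_DENIED     5  (00000005)\n"

def to_fqdn(server, dns_suffix):
    """Qualify a short host name; the RC0 build answered short names with status 5."""
    server = server.rstrip(".")
    return server if "." in server else f"{server}.{dns_suffix.strip('.')}"

def parse_enumrecords(output):
    """Return one dict per record: its detail fields plus type/rdata from the data line."""
    if ACCESS_DENIED.search(output):
        raise PermissionError("dnscmd reported ERROR_ACCESS_DENIED (status 5)")
    records, current = [], None
    for line in output.splitlines():
        if line.startswith(("RPC Node:", "Command completed")):
            current = None                   # node header / trailer, not record data
        elif line.strip().endswith("Record info:"):
            current = {}                     # start of a new record block
            records.append(current)
        elif current is None:
            continue
        elif m := FIELD.match(line):
            current[m.group(1)] = m.group(2)
        elif m := RDATA.match(line):
            current["type"], current["rdata"] = m.group(1), m.group(2)
    return records

def enum_records(server, zone, node, dns_suffix):
    """Run dnscmd against the FQDN form of `server` and return the parsed records."""
    cmd = ["dnscmd", to_fqdn(server, dns_suffix), "/enumrecords", zone, node, "/detail"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_enumrecords(proc.stdout + proc.stderr)
```

Calling `enum_records("red-dc-11", "redmond.corp.microsoft.com", "corppki", "redmond.corp.microsoft.com")` issues the same command as the working run above, with the server name qualified whether or not the caller typed the suffix.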

3 Responses to “A story of Dnscmd.exe”

  1. 0xG said

    Doesn’t work in 2008R2 at all!
    Same error message…

    • Vegas Admin said

      Ditto on the 2008r2. After figuring out how to re-enable RPC, DNSCMD.EXE still fails with an “Error_Access_Denied” message when used from another machine (in my case, a 2003 server in the same domain, using Domain Admin credentials). It works fine locally, but that totally kills my scripting.

  2. Oliver said

    I’ve had the same experience as Vegas Admin with 2008R2, doesn’t work remotely with DNSCMD.exe from 2003…

    Any known solutions, yet?
