Bad packets and invalid domain names Please help

Ken D - 26 Jul 2005 17:35 GMT
I am having some issues with DNS. Here is my situation: I am unable to
authenticate any shares or printers on my domain. Kerberos logins work fine,
however the user to share SID check is not working. Upon inspection, my DNS
log is filling with the following errors.

Event ID: 3000
Source DNS
The DNS server has encountered numerous run-time events. To determine the
initial cause of these run-time events, examine the DNS server event log
entries that precede this event. To prevent the DNS server from filling the
event log too quickly, subsequent events with Event IDs higher than 3000 will
be suppressed until events are no longer being generated at a high rate.

Event ID: 5501
Source DNS
The DNS server encountered a bad packet from X.X.X.X.  Packet processing
leads beyond packet length. The event data contains the DNS packet.

Where X.X.X.X is the internal IP of my router.

Event ID: 5506
Source DNS
The DNS server encountered an invalid domain name offset in a packet from
X.X.X.X. The event data contains the DNS packet.

Event ID: 5504
Source DNS
The DNS server encountered an invalid domain name in a packet from X.X.X.X.
The packet will be rejected. The event data contains the DNS packet.

I am at a complete loss as to what I need to do next as I have never seen
this problem before.

All of the information I can find related to these event IDs typically has
to do with a problem with the ISP DNS server's IP address causing the problem,
not a router.
Steve Duff [MVP] - 26 Jul 2005 22:30 GMT
The 5504 errors are usually from Exchange Server and if so are (more or less) benign. If you think the errors are from outside
resolutions through your ISP's DNS, disable forwarders in your DNS and just resolve with the root hints - this can correct the bad
packet errors and is a little more secure anyway. If you still can't track them down, you can load up Ethereal or netmon and filter
on port 53 to see what they are. However I wouldn't spend a lot of time wandering down that road unless you can determine that is
the source of the problems you are having.

At any rate, it isn't clear whether these errors, or DNS at all, have anything to do with your issues. It also isn't entirely clear
from your post what the specific problems are.

If you can post a "netdiag /fix" log from a DC and any client-side events that are being logged contemporaneously with the
problems, it might help determine better what is going on. As a general (not absolute) rule, if a netdiag comes up clean, your
internal DNS is probably configured properly for AD.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

> I am having some issues with DNS. Here is my situation: I am unable to
> authenticate any shares or printers on my domain. Kerberos logins work fine,
[quoted text clipped - 32 lines]
> to do with a problem with the ISP dns servers IP address causing the problem,
> not a router.
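Events 5501, 5506 and 5504 above each state that the event data contains the offending DNS packet, and a port 53 capture yields the same bytes. The following is an added example (not part of any post in this thread, and not the Windows DNS server's own logic) that decodes the question names of a raw DNS message and reports which kind of malformation it hits. The mapping from failure category to event ID, the accepted label alphabet, and the sample messages under `hoc.example` are assumptions constructed for illustration.

```python
import struct

# Assumed mapping from parser failure to the event wording quoted in the thread.
EVENT_HINT = {"beyond-length": 5501, "invalid-offset": 5506, "invalid-name": 5504}
# Assumed label alphabet: letters, digits, hyphen, plus "_" as used by AD SRV names.
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyz"
              b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


class DnsNameError(Exception):
    def __init__(self, category, detail):
        super().__init__(f"{category}: {detail}")
        self.category = category


def read_name(msg, pos):
    """Decode the name at msg[pos], following RFC 1035 compression pointers.

    Returns (dotted_name, offset just past the name at its original position)."""
    labels, resume, total = [], None, 0
    while True:
        if pos >= len(msg):
            raise DnsNameError("beyond-length", f"name runs past byte {len(msg)}")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("beyond-length", "pointer cut off")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target < 12 or target >= pos:           # must point back, past the header
                raise DnsNameError("invalid-offset", f"pointer to {target} at {pos}")
            if resume is None:
                resume = pos + 2
            pos = target
            continue
        if length & 0xC0:                              # 0x40/0x80 label types are reserved
            raise DnsNameError("invalid-name", f"reserved label type at {pos}")
        pos += 1
        if length == 0:                                # root label ends the name
            break
        if pos + length > len(msg):
            raise DnsNameError("beyond-length", f"label of {length} bytes at {pos - 1}")
        label = msg[pos:pos + length]
        total += length + 1                            # the cap also stops pointer loops
        if total > 254 or not all(b in ALLOWED for b in label):
            raise DnsNameError("invalid-name", repr(label))
        labels.append(label.decode("ascii"))
        pos += length
    return ".".join(labels) or ".", (pos if resume is None else resume)


def classify(msg):
    """Walk the question section; return 'ok' or the failure category."""
    if len(msg) < 12:
        return "beyond-length"
    qdcount = struct.unpack_from("!H", msg, 4)[0]
    pos = 12
    try:
        for _ in range(qdcount):
            _, pos = read_name(msg, pos)
            if pos + 4 > len(msg):
                raise DnsNameError("beyond-length", "QTYPE/QCLASS missing")
            pos += 4
    except DnsNameError as err:
        return err.category
    return "ok"


def header(qdcount=1):
    return struct.pack("!6H", 0x1234, 0x0100, qdcount, 0, 0, 0)


TAIL = struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
# Constructed sample messages, not captures from the poster's network.
GOOD = header() + b"\x07server1\x03hoc\x07example\x00" + TAIL
COMPRESSED = header(2) + GOOD[12:] + b"\xc0\x0c" + TAIL  # 2nd name points at the 1st
OVERRUN = header() + b"\x14serve"                        # label claims 20 bytes, 5 present
BAD_PTR = header() + b"\x07server1\xc0\xff" + TAIL       # pointer past end of message
BAD_NAME = header() + b"\x08bad name\x03hoc\x00" + TAIL  # space inside a label
```

Feeding the bytes from an event's data pane or a capture into `classify` shows whether the sender is producing truncated messages, broken compression, or names with characters the resolver rejects.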
Ken D - 27 Jul 2005 18:17 GMT
OK, here is a situation: I am used to netdiag and dcdiag being in the
tools\support directory on the CD, however this server is SBS2003. Where can
I locate these files?

> The 5504 errors are usually from Exchange Server and if so are (more or less) benign. If you think the errors are from outside
> resolutions through your ISP's DNS, disable forwarders in your DNS and just resolve with the root hints - this can correct the bad
[quoted text clipped - 48 lines]
> > to do with a problem with the ISP dns servers IP address causing the problem,
> > not a router.
Ken D - 27 Jul 2005 18:49 GMT
Here is dcdiag /fix

Domain Controller Diagnosis

Performing initial setup:
  Done gathering initial info.

Doing initial required tests

  Testing server: Default-First-Site-Name\SERVER1

     Starting test: Connectivity
        ......................... SERVER1 passed test Connectivity

Doing primary tests

  Testing server: Default-First-Site-Name\SERVER1
     Starting test: Replications
        ......................... SERVER1 passed test Replications
     Starting test: NCSecDesc
        ......................... SERVER1 passed test NCSecDesc
     Starting test: NetLogons
        ......................... SERVER1 passed test NetLogons
     Starting test: Advertising
        Warning: SERVER1 is not advertising as a time server.
        ......................... SERVER1 failed test Advertising
     Starting test: KnowsOfRoleHolders
        ......................... SERVER1 passed test KnowsOfRoleHolders
     Starting test: RidManager
        ......................... SERVER1 passed test RidManager
     Starting test: MachineAccount
        ......................... SERVER1 passed test MachineAccount
     Starting test: Services
           IsmServ Service is stopped on [SERVER1]
        ......................... SERVER1 failed test Services
     Starting test: ObjectsReplicated
        ......................... SERVER1 passed test ObjectsReplicated
     Starting test: frssysvol
        ......................... SERVER1 passed test frssysvol
     Starting test: frsevent
        ......................... SERVER1 passed test frsevent
     Starting test: kccevent
        ......................... SERVER1 passed test kccevent
     Starting test: systemlog
        ......................... SERVER1 passed test systemlog
     Starting test: VerifyReferences
        ......................... SERVER1 passed test VerifyReferences

  Running partition tests on : ForestDnsZones
     Starting test: CrossRefValidation
        ......................... ForestDnsZones passed test CrossRefValidati

     Starting test: CheckSDRefDom
        ......................... ForestDnsZones passed test CheckSDRefDom

  Running partition tests on : DomainDnsZones
     Starting test: CrossRefValidation
        ......................... DomainDnsZones passed test CrossRefValidati

     Starting test: CheckSDRefDom
        ......................... DomainDnsZones passed test CheckSDRefDom

  Running partition tests on : Schema
     Starting test: CrossRefValidation
        ......................... Schema passed test CrossRefValidation
     Starting test: CheckSDRefDom
        ......................... Schema passed test CheckSDRefDom

  Running partition tests on : Configuration
     Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidatio
     Starting test: CheckSDRefDom
        ......................... Configuration passed test CheckSDRefDom

  Running partition tests on : HOC
     Starting test: CrossRefValidation
        ......................... HOC passed test CrossRefValidation
     Starting test: CheckSDRefDom
        ......................... HOC passed test CheckSDRefDom

  Running enterprise tests on : HOC.Hutchinsonoil.com
     Starting test: Intersite
        ......................... HOC.Hutchinsonoil.com passed test Intersite
     Starting test: FsmoCheck
        Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
        A Time Server could not be located.
        The server holding the PDC role is down.
        Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1
5
        A Good Time Server could not be located.
        ......................... HOC.Hutchinsonoil.com failed test FsmoCheck

Here is a netdiag /fix

......................................

   Computer Name: SERVER1
   DNS Host Name: server1.HOC.Hutchinsonoil.com
   System info : Microsoft Windows Server 2003 (Build 3790)
   Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
   List of installed hotfixes :

Netcard queries test . . . . . . . : Failed
   GetStats failed for 'Intel(R) PRO/1000 MT Network Connection'. [ERROR
D_FUNCTION]
   [FATAL] - None of the netcard drivers provided satisfactory results.

Per interface results:

   Adapter : Server Local Area Connection

       Netcard queries test . . . : Failed
       NetCard Status:          UNKNOWN

       Host Name. . . . . . . . . : server1
       IP Address . . . . . . . . : 128.127.2.2
       Subnet Mask. . . . . . . . : 255.255.255.0
       Default Gateway. . . . . . : 128.127.2.3
       Primary WINS Server. . . . : 192.168.16.5
       Dns Servers. . . . . . . . : 128.127.2.2

       IpConfig results . . . . . : Failed
           Pinging the Primary WINS server 192.168.16.5 - not reachable

       AutoConfiguration results. . . . . . : Passed

       Default gateway test . . . : Passed

       NetBT name test. . . . . . : Passed

       WINS service test. . . . . : Failed
           The test failed.  We were unable to query the WINS servers.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
   List of NetBt transports currently configured:
       NetBT_Tcpip_{35B3C83C-B68D-4155-96C4-A15832A28911}
   1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
   PASS - All the DNS entries for DC are registered on DNS server '128.1
.

Redir and Browser test . . . . . . : Passed
   List of NetBt transports currently bound to the Redir
       NetBT_Tcpip_{35B3C83C-B68D-4155-96C4-A15832A28911}
   The redir is bound to 1 NetBt transport.

   List of NetBt transports currently bound to the browser
       NetBT_Tcpip_{35B3C83C-B68D-4155-96C4-A15832A28911}
   The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
   No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

   Note: run "netsh ipsec dynamic show /?" for more detailed information

And here is a netdiag /test:dns /v

   Gathering IPX configuration information.
   Querying status of the Netcard drivers... Failed
   Testing Domain membership... Passed
   Gathering NetBT configuration information.
   Testing DNS
   PASS - All the DNS entries for DC are registered on DNS server '128.127.2.2'.

   Tests complete.

   Computer Name: SERVER1
   DNS Host Name: server1.HOC.Hutchinsonoil.com
   DNS Domain Name: HOC.Hutchinsonoil.com
   System info : Microsoft Windows Server 2003 (Build 3790)
   Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
   Hotfixes :
       Installed?      Name

Netcard queries test . . . . . . . : Failed

   Information of Netcard drivers:

   
   ---------------------------------------------------------------------------
   Description: Intel(R) PRO/1000 MT Network Connection
   Device: \DEVICE\{35B3C83C-B68D-4155-96C4-A15832A28911}
   GetStats failed for 'Intel(R) PRO/1000 MT Network Connection'. [ERROR_INVALID_FUNCTION]
   ---------------------------------------------------------------------------
   [FATAL] - None of the netcard drivers provided satisfactory results.

Per interface results:

   Adapter : Server Local Area Connection
       Adapter ID . . . . . . . . : {35B3C83C-B68D-4155-96C4-A15832A28911}

       Netcard queries test . . . : Failed
       NetCard Status:          UNKNOWN

Global results:

Domain membership test . . . . . . : Passed
   Machine is a . . . . . . . . . : Primary Domain Controller Emulator
   Netbios Domain name. . . . . . : HOC
   Dns domain name. . . . . . . . : HOC.Hutchinsonoil.com
   Dns forest name. . . . . . . . : HOC.Hutchinsonoil.com
   Domain Guid. . . . . . . . . . : {AC6663A5-C1B5-4D4B-BD49-7AEEB070A1B2}
   Domain Sid . . . . . . . . . . : S-1-5-21-2040972775-2088865363-4077242360
   Logon User . . . . . . . . . . : .admin
   Logon Domain . . . . . . . . . : HOC

NetBT transports test. . . . . . . : Passed
   List of NetBt transports currently configured:
       NetBT_Tcpip_{35B3C83C-B68D-4155-96C4-A15832A28911}
   1 NetBt transport currently configured.

DNS test . . . . . . . . . . . . . : Passed
     Interface {35B3C83C-B68D-4155-96C4-A15832A28911}
       DNS Domain:
       DNS Servers: 128.127.2.2
       IP Address:         Expected registration with PDN (primary DNS domain name):
         Hostname: server1.HOC.Hutchinsonoil.com.
         Authoritative zone: HOC.Hutchinsonoil.com.
         Primary DNS server: server1.HOC.Hutchinsonoil.com 128.127.2.2
         Authoritative NS:128.127.2.2
Check the DNS registration for DCs entries on DNS server '128.127.2.2'
The Record is correct on DNS server '128.127.2.2'.


   PASS - All the DNS entries for DC are registered on DNS server '128.127.2.2'.

The command completed successfully

Thank You For Your Help
Steve Duff [MVP] - 28 Jul 2005 06:02 GMT
Ken:

We need to get the time service problem fixed. The lack of a reliable time source for the domain
will cause all sorts of obscure problems with functions that depend on an accurate time source.
Either the time service isn't working or the PDC role server itself is missing or misconfigured in AD.

First, check that the server's date, time and time zone are all correct. Be sure to check the time zone
as this is easy to overlook and will cause trouble if wrong.

Next, check that the "Windows Time Service" is set to "Automatic" in services, and running. If not, see
if you can start it. If it will not stay running there should be an event in the system event log giving a reason.

Finally, we need to sync the DC to an outside time source. The command "net time /setsntp:<server>"
will set the external time source to an outside server (e.g. net time /setsntp:ntp.ucsd.edu ). You can use
the w32tm command to check the time service, but there are some differences between 2000 and 2003,
the details are here, depending (watch the URL wrap):

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/TimeWin2K.asp

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx


If you've fixed the time service problem then a dcdiag should now pass the advertising test and FSMO role
check. (I'm not concerned about the netcard test since the network - I am assuming - is working, but you may
want to look into this as a driver update issue.)

If the time service isn't the problem, then the PDC emulator "FSMO" role itself is likely the problem.

Open AD Users and Computers, and right-click on the domain name at the top of the tree. Select
"operations masters" and click the "PDC" tab. This will show you the FQDN of the server that Active
Directory has assigned as the PDC emulator. If this is not a functioning DC it will have to be fixed, so post
back in that case.

At the moment I don't see any DNS-related configuration problems. It is possible there is something
else underneath your time service problem, but that has to be corrected first.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

> Here Is dcdiag /fix
>
[quoted text clipped - 449 lines]
>
> Thank You For Your Help
Ace Fekay [MVP] - 29 Jul 2005 16:00 GMT
> Ken:
>
[quoted text clipped - 43 lines]
> Steve Duff, MCSE, MVP
> Ergodic Systems, Inc.

Steve, good point about the time service and AD's Kerberos service's
reliance on it.

But just to point out, I saw a mix of referenced public IPs and private IPs
in the ipconfig in the netdiag:

Host Name. . . . . . . . . : server1
       IP Address . . . . . . . . : 128.127.2.2
       Subnet Mask. . . . . . . . : 255.255.255.0
       Default Gateway. . . . . . : 128.127.2.3
       Primary WINS Server. . . . : 192.168.16.5
       Dns Servers. . . . . . . . : 128.127.2.2

       IpConfig results . . . . . : Failed
           Pinging the Primary WINS server 192.168.16.5 - not reachable

If this is the case, where two DCs (or a DC on one side, and clients on the
other) are on opposite sides of a NAT device, AD communication will not
function across a NAT, unless there's a VPN created between them to allow
communication.

Just for the poster's benefit, NAT cannot traverse LDAP, RPC and Kerberos
calls.


Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
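The observation above, that the adapter block mixes a public-range host address with a private WINS address, can be checked mechanically. This is an added example, not code from any poster in the thread: it parses the per-interface lines as they appear in the netdiag output above and flags every configured server that is outside the adapter's own subnet or on the other side of the private/public split. The function name `audit` and the finding labels are hypothetical.

```python
import ipaddress
import re

# Per-interface lines copied from the netdiag output posted in this thread.
NETDIAG_BLOCK = """\
       Host Name. . . . . . . . . : server1
       IP Address . . . . . . . . : 128.127.2.2
       Subnet Mask. . . . . . . . : 255.255.255.0
       Default Gateway. . . . . . : 128.127.2.3
       Primary WINS Server. . . . : 192.168.16.5
       Dns Servers. . . . . . . . : 128.127.2.2
"""

# "Key. . . . : value" with netdiag's dotted leader between key and colon.
FIELD = re.compile(r"^\s*([A-Za-z ]+?)[ .]*:\s*(\S+)\s*$", re.M)
SERVER_KEYS = ("Default Gateway", "Primary WINS Server", "Dns Servers")


def audit(block):
    """Return (adapter_network, findings) for one netdiag adapter block.

    Each finding is (field, address, reason)."""
    fields = dict(FIELD.findall(block))
    host = ipaddress.ip_address(fields["IP Address"])
    # strict=False lets a host address plus mask stand in for the network.
    net = ipaddress.ip_network(f"{host}/{fields['Subnet Mask']}", strict=False)
    findings = []
    for key in SERVER_KEYS:
        if key not in fields:
            continue
        addr = ipaddress.ip_address(fields[key])
        if addr not in net:
            # Only reachable through the gateway; a gateway that is itself
            # off-subnet can never be reached at all.
            findings.append((key, str(addr), "off-subnet"))
        if addr.is_private != host.is_private:
            # One side is RFC 1918 space and the other is not, which usually
            # means a NAT boundary or a stale setting sits between them.
            findings.append((key, str(addr), "private/public mix"))
    return net, findings


if __name__ == "__main__":
    network, results = audit(NETDIAG_BLOCK)
    print("adapter network:", network)
    for field, address, reason in results:
        print(f"{field}: {address} -> {reason}")
```

On the posted block the only flagged entry is the WINS server, which matches the "not reachable" ping result in the same output.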

Steve Duff [MVP] - 29 Jul 2005 19:24 GMT
Way good catch - completely missed that.

Since it's the only place where that address shows up and isn't reachable my guess is
that it is probably just a dud IP leftover from days of yore. I don't think it would
explain the other symptoms, but it definitely should be pulled out. WINS is
unnecessary to resolve any of these problems.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

>> Ken:
>>
[quoted text clipped - 51 lines]
>
> Just for the poster's benefit, NAT cannot traverse LDAP, RPC and Kerberos calls.
Ace Fekay [MVP] - 30 Jul 2005 06:23 GMT
> Way good catch - completely missed that.
>
[quoted text clipped - 7 lines]
> Steve Duff, MCSE, MVP
> Ergodic Systems, Inc.

Thanks.

I agree WINS is useless here and should be removed. But I'm curious if
there's another card on the machine or if the machine is or was on a
multi-subnetted wire?

Not that it would make a difference, but would the bad WINS address
contribute to the netdiag [ERROR D_FUNCTION] of the NIC test in the results?
I originally thought netdiag uses DNS, but maybe not, but since the WINS
server is not reachable, I don't think it matters and wouldn't have anything
to do with failing the NIC test. I searched on that error, but couldn't find
what it is or what can cause it.

Back to the original post with the 5504 errors, that usually indicates an
illegal character in a host name. But what's strange is it's coming from the
router, so maybe an outside source is causing it and causing the NIC test to
fail.
http://www.eventid.net/display.asp?eventid=5504&eventno=642&source=DNS&phase=1

I've also seen *similar* issues (not saying it's the cause here), in the
past with NICs when an SQL server got slammed with the Slammer and it just
flooded the entire network and affected every machine due to the useless UDP
broadcasts.

Ace
 