Windows Server - Can't add @ CNAME record

Asked By Scott Townsend on 30-Apr-07 10:36 PM
I want to add:
@                     CNAME svr-web.otherdomain.com.

I get an Error:
An alias (CNAME) record cannot be added to this DNS name. The DNS name
contains records that are incompatible with the CNAME record

I can add a
@                     A     10.1.22.22

What Gives?

Thank you,

Scott<-

Here is my Zone file:

;
;  Database file domain.com.dns for domain.com zone.
;      Zone version:  2007043001;
@                       IN  SOA ns1.domain.net.  hostmaster.domain.net. (
2005120604   ; serial number
21600        ; refresh
3600         ; retry
691200       ; expire
86400      ) ; default TTL
;
;  Zone NS records
;
@                       NS ns1.dnsdomain.net.
@                       NS ns1.otherdomain.net.
;
;  Zone records
;
@                       MX 10 mail.otherdomain.com.
www                     CNAME svr-web.otherdomain.com.




Kevin D. Goodknecht Sr. [MVP] replied on 01-May-07 12:09 AM
Read inline please.

Scott Townsend <scooter133@community.nospam> typed:

You cannot have a CNAME on the same node as an MX record.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
v-tozha replied on 01-May-07 05:11 AM
Hi Scott,

Thank you for using newsgroup!

According to your post, I noticed that you receive an error message that
the CNAME record cannot be created and based on my experience, this may
occur if you did not type any character in "Alias Name". To create a Blank
CNAME, you need to type "*" in Alias Name line so that system will resolve
domain.com to the IP A record you specified.

However, this workaround will create a problem in Active Directory integrated
DNS. In AD integrated DNS domain name is usually resolved to the DCs. If we
make a manual entry in AD integrated DNS pointing to a Web Server we will
end up in trouble with AD / Domain functions.

For example, client computers will apply group policy by address
\\domain.com\sysvol, in general cases, this address will be resolved to
\\DC1\sysvol or \\DC2\sysvol, because by default the domain.com will be
resolved to DCs. After we created Blank CNAME, \\domain.com\sysvol will be
resolved to the \\webserver\sysvol and if the web server is not the DC, GPO
will fail to apply.

So the best option is to serve a page on www.domain.com, you can create a
CNAME record WWW, point it to the web server where the web sites are hosted.
You can create other CNAME records such as FTP also.

If you have any concerns, please feel free to post back.

Sincerely,
Tom Zhang, MCSE 2003
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Scott Townsend replied on 01-May-07 02:41 PM
So the domains that I would like to have the root domain mapped to the
webserver are not the AD Domain. They are AD Integrated domains in DNS, but
they are not the AD Domain.

So the only root records I have are the SOA, NS and MX.

When I add * CNAME webserver.domain.com  and then run NSLookup, it does not
find an IP for the domain. It does return info for webserver.domain.com.

Thanks,
Scott<-
Greg Lindsay [MSFT] replied on 01-May-07 05:19 PM
Hi Scott,

In your first post, you said you *could* add "@     A     10.1.22.22", but
when you listed the zone records I didn't see this entry.

A CNAME must point to an A record. Can you verify that you have this A
record created?

--
Greg Lindsay [MSFT]

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
Kevin D. Goodknecht Sr. [MVP] replied on 01-May-07 11:18 PM
Read inline please.

Greg Lindsay [MSFT] <greglin@microsoft.com> typed:

This is irrelevant, you CANNOT have a CNAME record on the same node as an MX
record.
That is why he gets this error:


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
DevilsPGD replied on 02-May-07 12:31 AM
huh?  Does MSDNS actually enforce just a retarded rule?

There is no requirement in the DNS world at all that an MX record point
to an A-record.

--
Just sit through this NRA meeting Marge, and if  you still
don't think guns are great then we'll argue some more.
-- Homer Simpson
Kevin D. Goodknecht Sr. [MVP] replied on 02-May-07 07:54 AM
Read inline please.

DevilsPGD <spam_narf_spam@crazyhat.net> typed:


You are correct, it does not have to return an A record, there are other
record types the MX may return, but RFC2181 10.3 specifically states that MX
records never return a CNAME.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Greg Lindsay [MSFT] replied on 02-May-07 01:41 PM
You're right Kevin, for some reason I was thinking this was a dangling CNAME
problem. The host that would have to be missing an A record for that to be
the case is svr-web.otherdomain.com.

--
Greg Lindsay [MSFT]

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
Kevin D. Goodknecht Sr. [MVP] replied on 02-May-07 07:40 PM
Read inline please.

Greg Lindsay [MSFT] <greglin@microsoft.com> typed:

I'm still not sure the OP has picked up on this yet. RFCs plainly state that
CNAMES cannot exist on the same node with any other record, and CNAMES must
point to Address records or you end up with a dangling CNAME.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Greg Lindsay [MSFT] replied on 03-May-07 05:28 PM
RFC 1034 states "If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.
This rule also insures that a cached CNAME can be used without checking with
an authoritative server for other RR types."

However, I think RFC 2181 (Clarifications to the DNS Specification) does a
better job of explaining why:

10.3. MX and NS records

The domain name used as the value of a NS resource record, or part of
the value of a MX resource record must not be an alias.  Not only is
the specification clear on this point, but using an alias in either
of these positions neither works as well as might be hoped, nor well
fulfills the ambition that may have led to this approach.  This
domain name must have as its value one or more address records.
Currently those will be A records, however in the future other record
types giving addressing information may be acceptable.  It can also
have other RRs, but never a CNAME RR.

Searching for either NS or MX records causes "additional section
processing" in which address records associated with the value of the
record sought are appended to the answer.  This helps avoid needless
extra queries that are easily anticipated when the first was made.

Additional section processing does not include CNAME records, let
alone the address records that may be associated with the canonical
name derived from the alias.  Thus, if an alias is used as the value
of an NS or MX record, no address will be returned with the NS or MX
value.  This can cause extra queries, and extra network burden, on
every query.  It is trivial for the DNS administrator to avoid this
by resolving the alias and placing the canonical name directly in the
affected record just once when it is updated or installed.  In some
particular hard cases the lack of the additional section address
records in the results of a NS lookup can cause the request to fail.

--
Greg Lindsay [MSFT]

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
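
The two rules quoted in this thread (RFC 1034 on a CNAME sharing a node, RFC 2181 section 10.3 on MX/NS targets) can be checked mechanically before a zone is loaded. The Python check below is an added example, not part of any post here; the `mail` and `alt` records, the function names and the simplified parser (owner on every record line, no per-record TTL, aliases detected only inside the zone) are assumptions.

```python
from collections import defaultdict
import re

# Constructed sample: the zone from the question, the refused "@ CNAME"
# record, and two invented records (mail, alt) to show an aliased MX target.
ZONE = """\
@     IN SOA ns1.domain.net. hostmaster.domain.net. (
         2005120604 21600 3600 691200 86400 )
@        NS    ns1.dnsdomain.net.
@        MX    10 mail.otherdomain.com.
www      CNAME svr-web.otherdomain.com.
mail     CNAME www
alt      MX    10 mail
@        CNAME svr-web.otherdomain.com.
"""

def fqdn(name, origin):
    """Expand "@" and relative names against the zone origin."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def parse_zone(text, origin):
    """Return {owner: [(type, rdata_fields)]}; every record must name its owner."""
    text = re.sub(r";.*", "", text)  # drop comments
    # Join parenthesised multi-line records (the SOA) onto one line.
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    nodes = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        rest = fields[2:] if fields[1].upper() == "IN" else fields[1:]
        nodes[fqdn(fields[0], origin)].append((rest[0].upper(), rest[1:]))
    return nodes

def lint(nodes, origin):
    """Flag CNAMEs sharing a node (RFC 1034) and aliased MX/NS targets (RFC 2181 10.3)."""
    aliases = {o for o, rrs in nodes.items() if any(t == "CNAME" for t, _ in rrs)}
    findings = []
    for owner, rrs in nodes.items():
        others = sorted({t for t, _ in rrs} - {"CNAME"})
        if owner in aliases and others:
            findings.append(("cname-coexists", owner, others))
        for rtype, rdata in rrs:
            target = fqdn(rdata[-1], origin) if rtype in ("MX", "NS") else None
            if target in aliases:
                findings.append(("target-is-alias", owner, [rtype, target]))
    return findings

if __name__ == "__main__":
    for finding in lint(parse_zone(ZONE, "domain.com."), "domain.com."):
        print(finding)
```

The first finding corresponds to the error in the original question: the zone apex already holds SOA, NS and MX records, so a CNAME there is rejected.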
v-tozha replied on 08-May-07 08:02 AM
Hi Scott,

I apologize for the delay in response.

Based on my research, and also some related cases, you can perform the
following steps to turn off this feature:

1. Found that the deleted record had replicated back into the server, and
that was causing a conflict. This can also happen with mx and other alias
records.
2. Deleted the problem A record
3. Created CNAME record
4. Forced replication

If anything is unclear or you have any concerns, please feel free to let me
know. I am glad to be of assistance.

Have a nice day!

Sincerely,
Tom Zhang, MCSE 2003
Microsoft Online Support
Microsoft Global Technical Support Center

v-tozha replied on 11-May-07 04:02 AM
Dear Customer,

I just wanted to say hi, and to see how things are going. I haven't heard
back from you yet and I was wondering if there are any updates on the
service request.

Thanks.

Sincerely,
Tom Zhang
Microsoft Online Support
Microsoft Global Technical Support Center
