DNS Passed But Errors on New Domain Controller

Paul R 21 Reputation points
2020-08-19T15:27:00.993+00:00

I had an old domain controller, which had been the original one for the domain, fail without the opportunity for a proper demotion. I cleaned up AD/DNS/etc. on the remaining DC, which is running Win Server 2008R2. Migrated the DC/Domain to the 2008R2 level and then promoted a new Win Server 2019 box as a second DC. Had to then resolve some DNS issues, but I appear to have that sorted now and both DCs show proper info in DNS.
My question is, when I run dcdiag /test:dns it comes back quick and short and passes on the original DC, but although it passed on the new DC, it has a lot of extra entries that appear to be external queries that are stated as failed. Again, overall it says it passed the DNS test, but I wonder what the extra is..?

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = DCAPCLD
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DCAPCLD
Starting test: Connectivity
......................... DCAPCLD passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DCAPCLD

  Starting test: DNS

     DNS Tests are running and not hung. Please wait a few minutes...
     ......................... DCAPCLD passed test DNS

Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : presenceus

Running enterprise tests on : presenceus.org
Starting test: DNS
Summary of test results for DNS servers used by the above domain controllers:

        DNS server: 128.63.2.53 (h.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
        DNS server: 128.8.10.90 (d.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
        DNS server: 128.9.0.107 (b.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
        DNS server: 198.32.64.12 (l.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
        DNS server: 2001:500:12::d0d (g.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:12::d0d
        DNS server: 2001:500:1::53 (h.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::53
        DNS server: 2001:500:200::b (b.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:200::b
        DNS server: 2001:500:2::c (c.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
        DNS server: 2001:500:2d::d (d.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
        DNS server: 2001:500:2f::f (f.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
        DNS server: 2001:500:9f::42 (l.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:9f::42
        DNS server: 2001:500:a8::e (e.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:a8::e
        DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
        DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
        DNS server: 2001:7fd::1 (k.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
        DNS server: 2001:7fe::53 (i.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
        DNS server: 2001:dc3::35 (m.root-servers.net.)
           1 test failure on this DNS server
           PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
     ......................... presenceus.org passed test DNS

Accepted answer
  1. Anonymous
    2020-08-20T15:38:16.777+00:00

    Domain controller's own address should be primary

    You have duplicates, so just remove the four invalid ones.

                     Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
               ->  Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreachable)]
                     Name: b.root-servers.net. IP: 199.9.14.201 [Valid]
                     Name: c.root-servers.net. IP: 192.33.4.12 [Valid]
               ->  Name: d.root-servers.net. IP: 128.8.10.90 [Invalid (unreachable)]
                     Name: d.root-servers.net. IP: 199.7.91.13 [Valid]
                     Name: e.root-servers.net. IP: 192.203.230.10 [Valid]
                     Name: f.root-servers.net. IP: 192.5.5.241 [Valid]
                     Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
               ->  Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                     Name: h.root-servers.net. IP: 198.97.190.53 [Valid]
                     Name: i.root-servers.net. IP: 192.36.148.17 [Valid]
                     Name: j.root-servers.net. IP: 192.58.128.30 [Valid]
                     Name: k.root-servers.net. IP: 193.0.14.129 [Valid]
               ->  Name: l.root-servers.net. IP: 198.32.64.12 [Invalid (unreachable)]
                     Name: l.root-servers.net. IP: 199.7.83.42 [Valid]
                     Name: m.root-servers.net. IP: 202.12.27.33 [Valid]
    

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments
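As an added example (not from the thread or from Microsoft), a PowerShell audit of the DNS server's root hints that flags any IPv4 address outside a known-good table and stages its removal with -WhatIf unless -Apply is given. It assumes the DnsServer module on the DC and uses the [Valid] IPv4 addresses from the listing above as the table; the IPv6 hints are skipped, as the answer advises.

```powershell
# Added example: audit root hints against a known-good IPv4 list and stage removal
# of anything else. Assumes the DnsServer module (DNS role / RSAT); dry run by default.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Apply
)

# Expected IPv4 addresses, copied from the [Valid] entries in the answer above.
# Re-check against the current IANA root server list before trusting this table.
$Expected = @{
    'a.root-servers.net.' = '198.41.0.4'
    'b.root-servers.net.' = '199.9.14.201'
    'c.root-servers.net.' = '192.33.4.12'
    'd.root-servers.net.' = '199.7.91.13'
    'e.root-servers.net.' = '192.203.230.10'
    'f.root-servers.net.' = '192.5.5.241'
    'g.root-servers.net.' = '192.112.36.4'
    'h.root-servers.net.' = '198.97.190.53'
    'i.root-servers.net.' = '192.36.148.17'
    'j.root-servers.net.' = '192.58.128.30'
    'k.root-servers.net.' = '193.0.14.129'
    'l.root-servers.net.' = '199.7.83.42'
    'm.root-servers.net.' = '202.12.27.33'
}

# Each root hint carries one NS record plus its A/AAAA glue records.
$stale = foreach ($hint in Get-DnsServerRootHint -ComputerName $ComputerName) {
    $name = $hint.NameServer.RecordData.NameServer        # e.g. "b.root-servers.net."
    foreach ($rr in $hint.IPAddress) {
        if ($rr.RecordType -ne 'A') { continue }          # IPv4 only
        $ip = $rr.RecordData.IPv4Address.IPAddressToString
        # Unknown server names are flagged too, since $Expected[$name] is $null.
        if ($Expected[$name] -ne $ip) {
            [pscustomobject]@{ NameServer = $name; IPAddress = $ip }
        }
    }
}

if (-not $stale) { Write-Host 'Root hints match the expected IPv4 list.'; return }

$stale | Format-Table -AutoSize
foreach ($s in $stale) {
    # -WhatIf previews the removal; -Apply performs it. No service restart is needed.
    Remove-DnsServerRootHint -ComputerName $ComputerName -NameServer $s.NameServer `
        -IPAddress $s.IPAddress -Force -WhatIf:(-not $Apply)
}
```

Run it once without -Apply and confirm that only the four addresses marked [Invalid (unreachable)] above are listed before running it again with -Apply.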

39 additional answers

  1. Anonymous
    2020-08-20T14:47:11.28+00:00

    Ok, all that is fine and some problems were likely fixed by doing the non-authoritative restore. The PTR record failures are caused by the invalid root hint servers. You can see them towards the end of dcdiag output and also here.

    [attached image: 19168-image.png]

    You'll just need to delete these four IPv4 duplicate and invalid ones (don't worry about the IPv6 root hints).

                     Name: a.root-servers.net. IP: 198.41.0.4 [Valid]  
               ->  Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreachable)]  
                     Name: b.root-servers.net. IP: 199.9.14.201 [Valid]  
                     Name: c.root-servers.net. IP: 192.33.4.12 [Valid]  
               ->  Name: d.root-servers.net. IP: 128.8.10.90 [Invalid (unreachable)]  
                     Name: d.root-servers.net. IP: 199.7.91.13 [Valid]  
                     Name: e.root-servers.net. IP: 192.203.230.10 [Valid]  
                     Name: f.root-servers.net. IP: 192.5.5.241 [Valid]  
                     Name: g.root-servers.net. IP: 192.112.36.4 [Valid]  
               ->  Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]  
                     Name: h.root-servers.net. IP: 198.97.190.53 [Valid]  
                     Name: i.root-servers.net. IP: 192.36.148.17 [Valid]  
                     Name: j.root-servers.net. IP: 192.58.128.30 [Valid]  
                     Name: k.root-servers.net. IP: 193.0.14.129 [Valid]  
               ->  Name: l.root-servers.net. IP: 198.32.64.12 [Invalid (unreachable)]  
                     Name: l.root-servers.net. IP: 199.7.83.42 [Valid]  
                     Name: m.root-servers.net. IP: 202.12.27.33 [Valid]  
    

    --please don't forget to Accept as answer if the reply is helpful--

    1 person found this answer helpful.
    0 comments No comments

  2. Anonymous
    2020-08-20T15:17:07.397+00:00

    Where are they duplicated besides in the DNS server Root Hints?

    It's stored in a file named \cache.dns and displayed here.

    [attached image: 19205-image.png]

    A domain controller should have its own static IP address plus loopback listed for DNS on the connection properties as a minimum. It's also fine to add the other domain controller's IP address.

    --please don't forget to Accept as answer if the reply is helpful--

    1 person found this answer helpful.
    0 comments No comments

  3. Paul R 21 Reputation points
    2020-08-19T17:04:56.933+00:00

    Hello, I don't have OneDrive setup at the moment, so have attached the files requested. Hopefully you'll just need to rename dcdiag-log.txt to dcdiag.log

    Attachments: 18891-dcampres.txt, 18892-dcapcld.txt, 18807-dcdiag-log.txt, 18777-repl.txt

    Thanks

    0 comments No comments

  4. Anonymous
    2020-08-19T18:06:57.477+00:00

    It looks like domain health was not good prior to adding the new domain controller. I'd suggest moving the roles back, decommissioning / demoting the new one, then working through this one.
    https://support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares

    Make sure domain health is 100% and the system event log is clear of errors before trying again. If problems persist, put up a new set of files to look at.

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments
