Active Directory and DNS Issues

ping

Hi,

I am opening a new thread for this discussion.

Current Scenario:
Win2K Server machine with Active Directory, single-label domain called
'local'

Implementation:
Join Win2003 Server machine to the Active Directory, as an additional
domain controller.

Problem:
Unable to join Windows 2003 Server to domain 'local', even after making
registry changes.

I have done some registry changes according to the KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684

However I could not locate the key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient in
Windows 2003 Server. Only the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT is available.
So I created a subkey called DNSClient and assigned the DWORD
UpdateTopLevelDomainZones and its value.

After the registry changes on the Win2K server and the Win2003 server, I proceeded to
rename netlogon.dns and netlogon.dnb, and restarted the Netlogon service. No
Netlogon failure in the event log on the Win2K server.

But when I try to join the Win2003 Server to the Win2K domain (with the
single-label 'local' domain), it fails. In the previous discussion, the
SRV record was not created. After recreating the zone with the domain name and
restarting Netlogon, the SRV record is in place. The DNS host 'A' record mapping to the
DC IP address is correct. A ping using the FQDN from the Win2003 server to the
Win2K server does not encounter any problem.

I have set the DNS of the Win2K Server to point back to the server's own IP and
enabled dynamic updates.

Attached below are the error messages from the Win2003 Server when joining the
Win2003 Server to domain 'local' on the Windows 2000 Server machine. The second
portion is the result of netdiag on the Windows 2000 Server.

Thanks.
 
Computer Name: IBMDESK
DNS Host Name: ibmdesk.local
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :


Netcard queries test . . . . . . . : Passed


Per interface results:


Adapter : Local Area Connection


Netcard queries test . . . : Passed


Host Name. . . . . . . . . : ibmdesk
IP Address . . . . . . . . : 192.168.1.199
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.10
Dns Servers. . . . . . . . : 192.168.1.199


AutoConfiguration results. . . . . . : Passed


Default gateway test . . . : Passed


NetBT name test. . . . . . : Passed


WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{A78B74B7-C592-4C0A-8F22-4F774A8D77CA}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.1.199'.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{A78B74B7-C592-4C0A-8F22-4F774A8D77CA}
The redir is bound to 1 NetBt transport.


List of NetBt transports currently bound to the browser
NetBT_Tcpip_{A78B74B7-C592-4C0A-8F22-4F774A8D77CA}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'ibmdesk.local'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed


IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
 
The domain name local might be a NetBIOS domain name. If this is the
case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.

DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain local:

The query was for the SRV record for _ldap._tcp.dc._msdcs.local

The following domain controllers were identified by the query:

ibmdesk.local

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP
addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network
or are not running.

For information about correcting this problem, click Help.
 
Sorry,

The first portion is the result of netdiag on the Windows 2000 Server.

The second portion is the error messages from the Win2003 Server when joining the
Win2003 Server to domain 'local' on the Windows 2000 Server machine.

And does this "[WARNING] Failed to query SPN registration on DC
'ibmdesk.local'." contribute to my problem?
 
ping said:
I have done some registry changes according to the KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684


I think you have to do the Domain Controller locator entry, too.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
In the right pane, locate the AllowSingleLabelDnsDomain entry. If the
AllowSingleLabelDnsDomain entry does not exist, follow these steps:
On the Edit menu, point to New, and then click DWORD Value.
Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.

Double-click the AllowSingleLabelDnsDomain entry.
In the Value data box, type 1, and then click OK.
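An added example, not from this thread or from Microsoft: a PowerShell audit of the two single-label-domain values discussed here (Kevin's Netlogon AllowSingleLabelDnsDomain entry and the DNSClient UpdateTopLevelDomainZones entry from KB 300684), followed by a lookup of the DC locator SRV record that the join error message names. It assumes a Windows host with the DnsClient module (Resolve-DnsName), an elevated session, and uses 'local' as the assumed single-label domain; `-Apply` creates the missing key or value the way ping had to do by hand.

```powershell
# Added example (not the thread's own commands). Audits the registry values named in the
# thread and resolves _ldap._tcp.dc._msdcs.<domain>; $DomainName 'local' is an assumption.
param([string]$DomainName = 'local', [switch]$Apply)

$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AllowSingleLabelDnsDomain'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'UpdateTopLevelDomainZones'; Expected = 1 }
)

foreach ($c in $Checks) {
    # SilentlyContinue: a missing key or value becomes $null instead of an exception
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $state  = if ($actual -eq $c.Expected) { 'OK' }
              elseif ($null -eq $actual)   { 'MISSING' }
              else                         { 'WRONG' }

    if ($Apply -and $state -ne 'OK') {
        # The DNSClient subkey may not exist at all (as ping found); create the path first
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord `
                         -Value $c.Expected -Force | Out-Null
        $actual = $c.Expected; $state = 'FIXED'
    }
    [pscustomobject]@{ Setting = $c.Name; Value = $actual; State = $state; Path = $c.Path }
}

# The locator record from the join error: _ldap._tcp.dc._msdcs.<domain>
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    foreach ($r in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
        # Every SRV target also needs a host (A) record, per the error's "common causes"
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{
            SRV    = $srvName
            Target = $r.NameTarget
            Port   = $r.Port
            HostA  = (($a | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ',')
        }
    }
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
}
```

A Netlogon restart (or `nltest /dsregdns` on the DC) is still needed after changing the values, as the thread describes; the script only reports and sets them.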
 
Hi Kevin,

Thanks. I didn't know that registry entry needed to be added. I thought it
was for WinXP clients only. I am now able to join Windows 2003 to the
'local' domain.
 
ping said:
Hi Kevin,

Thanks. I didn't know that registry entry needed to be added. I thought it
was for WinXP clients only. I am now able to join Windows 2003 to the
'local' domain.

Just an FYI for future reference, in addition to Kevin's provided link
(300684):
826743 - Clients cannot dynamically register DNS records in a single-label
forward lookup zone:
http://web.archive.org/web/20040518224908/support.microsoft.com/?kbid=826743

XP and Win2003 are similar in that respect with single-label name
registration. I mentioned it in a response to your other thread. Here's an
elaboration on it in a re-post from Alan Woods of Microsoft that he made
last year about single-label names:

=========================
Single label name from Alan Woods, MS: (2004)

"We really would prefer to use FQDN over single-labeled. There are
a lot of other issues that you can run into when using a single-labeled
domain name with other AD-integrated products. Exchange would be a great
example. Also note that the DNR (DNS Resolver) was and is designed to
devolve DNS requests to the LAST 2 names.

Example: single-labeled domain .domainA
then you add additional domains in the forest:
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA,
example Host.DomainA, and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA, and at that point the devolution process is
DONE. We only go to the LAST 2 domain names.

Also note that if you have a single-labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers, and being all good Internet community
users we definitely do not want to do that. NOTE that in Windows 2003
you get a big pop-up error message when trying to create a single-labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the
services you are using.
=========================

Thank you,

Alan Wood[MSFT]"
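An added example, not part of Alan Woods' post: a PowerShell simulation of the two-label devolution floor he describes, using the names from his example (domainA, child1, Child2, host). The function and the `$MinLabels` parameter are assumptions for illustration, not a Microsoft API; it shows why `\\host` from a client in Child2.child1.domainA never produces a query for host.domainA, and, going one step beyond the post, why the same client under a two-label forest root would.

```powershell
# Added example (not from the thread): model the resolver's suffix devolution and list
# the candidate FQDNs it would query for an unqualified name.
function Get-DevolutionCandidates {
    param(
        [Parameter(Mandatory)][string]$ShortName,    # unqualified name, e.g. 'host'
        [Parameter(Mandatory)][string]$ClientSuffix, # client's primary DNS suffix
        [int]$MinLabels = 2                          # devolution stops at this many labels
    )
    $labels     = $ClientSuffix.Split('.')
    $candidates = New-Object System.Collections.Generic.List[string]
    # The primary suffix is always appended first
    $candidates.Add("$ShortName.$ClientSuffix")
    # Then leading labels are stripped, but only while at least $MinLabels remain
    for ($i = 1; ($labels.Count - $i) -ge $MinLabels; $i++) {
        $suffix = ($labels[$i..($labels.Count - 1)]) -join '.'
        $candidates.Add("$ShortName.$suffix")
    }
    return $candidates
}

# Alan Woods' scenario: single-label forest root 'domainA', client in Child2.child1.domainA
$single = Get-DevolutionCandidates -ShortName 'host' -ClientSuffix 'Child2.child1.domainA'
"Single-label root, queries tried:"
$single | ForEach-Object { "  $_" }
if ('host.domainA' -notin $single) {
    "  host.domainA is never tried, so \\host does not resolve"
}

# Contrast (beyond the post): the same tree under a two-label root 'domainA.com'
$fqdn = Get-DevolutionCandidates -ShortName 'host' -ClientSuffix 'Child2.child1.domainA.com'
"Two-label root, queries tried:"
$fqdn | ForEach-Object { "  $_" }
if ('host.domainA.com' -in $fqdn) {
    "  host.domainA.com is reached by devolution, so \\host resolves"
}
```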
 