DNS Domain Controller Problem

Thread starter: Chris

After upgrading a server from WINNT4.0 to WIN2K, I am
unable to get an additional DC to connect. It says it has
a problem with DNS Lookup. We weren't running our own DNS
server before (i.e. our domain was NTDOM.mycompany.com and
our DNS was handled by a UNIX server maintained by the
admins of mycompany.com). I think I added the forward
lookup zone correctly because an nslookup goes to the
correct DNS server. Any ideas on what the problem is?
Thanks.
 
In reply to Chris's post above:

Can you post an ipconfig /all for both the DC and the machine you're adding
as a DC?
Also post the Active Directory domain name.
 
ipconfig /all for DC

Hostname - upgrade
Primary DNS suffix - abc.cd.gov
Node Type - Hybrid
IP Routing Enabled - No
WINS proxy Enabled - No
DNS Suffix Search List - abc.cd.gov
                         cd.gov

ipconfig /all for machine trying to add

hostname - yogi
Primary DNS suffix - abc.cd.gov
Node Type - Hybrid
IP Routing Enabled - No
WINS proxy Enabled - No
DNS Suffix Search List - abc.cd.gov
                         cd.gov

The domain name is windom.

Thanks.
 
In reply to Chris's post above:

We'll actually need the rest of the config information that you left out, to
diagnose this for you. You can run the ipconfig in this manner to send it to
a text file to make it easier for you to post it here and then just
copy/paste here from the text file:

ipconfig /all > c:\ipconfig.txt

As far as what you've posted so far:

1. Is the AD DNS domain name actually called "windom" or is it in the proper
format of "windom.com" or "windom.net", etc or is it just "windom"?
2. Is that the domain name that shows up in your ADUC console?

If that is your AD name, then the machine apparently has a disjointed
namespace, from the info you posted so far. See, the AD domain MUST match
the Primary DNS Suffix of the machine. Take a look at your ipconfigs... but
please do post the remainder of the config and the answers to the above.

Thanks


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
First, answers to the questions:

1. It is just windom, no .com, .net, or .gov. The reason
it is like this is that is how the domain was set up in
NT. The network already has Win2K clients connecting via
that domain name.

2. Yes, this is the name that shows up in Active
Directory.

Remaining ipconfig info:
 
Hit return at the wrong place on the last post...okay, so
here's the remaining ipconfig info:

On DC:

Ethernet adapter ATM ELAN Connection:

Connection-specific DNS Suffix . :abc.cd.gov
Description...................... :ATM Emulated LAN (123atm)
Physical Address................. :00-20-28-23-05-2B
DHCP Enabled..................... :No
IP Address....................... : 133.192.47.185
Subnet Mask...................... : 255.255.255.0
Default Gateway.................. : 133.192.47.1
DNS Servers...................... : 133.192.147.32
                                    133.192.147.65
Primary WINS Server.............. : 133.192.47.33
Secondary WINS Server............ : 133.192.47.64

On New machine

Ethernet adapter ATM ELAN Connection:

Connection-specific DNS Suffix . :abc.cd.gov
Description...................... :ATM Emulated LAN (123atm)
Physical Address................. :00-30-22-42-05-2A
DHCP Enabled..................... :No
IP Address....................... : 133.192.47.135
Subnet Mask...................... : 255.255.255.0
Default Gateway.................. : 133.192.47.1
DNS Servers...................... : 133.192.147.32
                                    133.192.147.65
Primary WINS Server.............. : 133.192.47.33
Secondary WINS Server............ : 133.192.47.64

Thanks, I appreciate all your help.
 
In reply to Chris's post above:

Thanks Chris for the additional info. I actually combined your other answer
to the top of this post.

So there are a few things going on here...

1. As for the AD name, you have what we call a single label name. That's
very problematic with AD and DNS. AD follows the DNS naming convention. DNS
follows a hierarchical 'tree' naming convention. If it's a single label name,
then DNS (with SP4), will not allow dynamic registration, since they've
found that when a registration request is initiated, DNS doesn't know where
to put it, and therefore excessively queries the ISC Root servers on the
Internet, hence why Microsoft stopped that with SP4. See this info on how to
force registration:
http://support.microsoft.com/?id=300684

2. The machine's Primary DNS Suffix *MUST* match the AD DNS domain name. If
you notice your ipconfig /all, it doesn't match and therefore is in a
condition called a Disjointed Namespace. There's a script that can force the
AD name into this field. Here's info on this requirement and the script:

257623 - Domain Controller's Domain Name Suffix Does Not Match Domain Name
[including a script to fix it]:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;257623

3. The name in #2 must also match the zone name in DNS.

4. That zone name in DNS must also allow dynamic updates in its properties.

Those two DNS servers listed:
133.192.147.32
133.192.147.65
Do they have a zone called "windom" created and if so, are Dynamic Updates
enabled on it?

If these servers are infrastructure servers in your company/organization
that you do not have control over and the Unix admins have control and are
reluctant to help, it may be beneficial for you to install DNS on your DC,
configure it for your users to use it only, and set a forwarder to your two
infrastructure Unix DNS servers.

Apparently your users are logging in with the legacy name method (NetBIOS)
and if on the same segment, they can get right in. DNS is used by AD to
store resource and location data. That's how DCs and other members find info
about DNS. So when you try to add a DC, it will query DNS asking, "Where's
the domain controller for domainX?". If DNS doesn't have that answer, then
you'll get what you're seeing.

Here's some FAQs about AD and DNS:
http://support.microsoft.com/?id=291382

--
Regards,
Ace
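The checks Ace lists (single-label AD name, Primary DNS Suffix not matching the AD domain, and which DNS servers must hold a dynamically updatable zone for the domain) can be run mechanically against an ipconfig /all dump. The script below is an added example, not code from the thread or from Microsoft; the ipconfig text is constructed from the values Chris posted, and the _msdcs SRV names are the standard DC-locator records that "where's the domain controller for domainX?" resolves to, which the thread does not itself spell out.

```python
import re

# Constructed sample, mirroring the DC "upgrade" as posted in the thread.
SAMPLE_IPCONFIG = """\
Host Name . . . . . . . . . . . . : upgrade
Primary Dns Suffix  . . . . . . . : abc.cd.gov
DNS Suffix Search List. . . . . . : abc.cd.gov
                                    cd.gov
Ethernet adapter ATM ELAN Connection:
Connection-specific DNS Suffix  . : abc.cd.gov
DNS Servers . . . . . . . . . . . : 133.192.147.32
                                    133.192.147.65
"""

# "Label . . . . : value" lines; a line without a colon continues the previous value.
FIELD = re.compile(r"\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Map each ipconfig /all field (lower-cased) to its list of values."""
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current = m.group(1).strip().lower()
            fields.setdefault(current, [])
            if m.group(2).strip():
                fields[current].append(m.group(2).strip())
        elif current and line.strip():
            fields[current].append(line.strip())  # value wrapped onto the next line
    return fields

def dc_locator_srv_names(ad_domain):
    """SRV records the Windows DC locator queries when looking for a DC of ad_domain."""
    return [f"_ldap._tcp.dc._msdcs.{ad_domain}", f"_kerberos._tcp.dc._msdcs.{ad_domain}"]

def diagnose(ad_domain, ipconfig_text):
    """Apply the thread's checks and report what must exist in DNS for dcpromo to succeed."""
    f = parse_ipconfig(ipconfig_text)
    suffix = (f.get("primary dns suffix") or [""])[0]
    return {
        "ad_domain": ad_domain,
        "single_label_name": "." not in ad_domain.strip("."),   # Ace's point 1
        "primary_dns_suffix": suffix,
        "disjoint_namespace": suffix.lower() != ad_domain.lower(),  # point 2
        "zone_that_must_exist": ad_domain,                       # points 3 and 4
        "dns_servers": f.get("dns servers", []),                 # servers to check
        "srv_records_locator_needs": dc_locator_srv_names(ad_domain),
    }

if __name__ == "__main__":
    for key, value in diagnose("windom", SAMPLE_IPCONFIG).items():
        print(f"{key:28} {value}")
```

Run against the thread's values it flags both the single-label name and the disjoint namespace; against a suffix that matches a dotted AD name both flags clear, leaving only the zone and SRV checks to confirm on the listed DNS servers.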
 
Thank you very much.
 
In reply to Chris's post above:

You're welcome.

I hope it all helped and gives you a guideline on how to fix it. A reinstall
of your domain is suggested based on the single label name issue. As far as
DNS, AD requires its own DNS or collaboration with your Unix BIND DNS
admins.



--
Regards,
Ace
 