DNS problem still


bill s via WinServerKB.com

I cannot get PC's to find the DC. There are no firewalls or anti-virus. I am
on a lab network. I think when AD is implemented, the DC should register
itself with DNS. It seems to not do so. Using ipconfig /flushdns and then
ipconfig /registerdns states that the commands worked but still no success.
In the forward zones I do have the _msdcs, _sites, _tcp, and the _udp files. I
believe these are the SRV records and they seem to be in order. There is no ".
" record in my forward zone.
I can ping the DC's IP
I can ping the DC's domain name
I can ping the DC's FQDN
Ipconfig/all from the PC shows the DNS IP and name.
nslookup shows the IP but says there is no DC matching the IP.
netdiag /debug displays the DNS information of the DC and it seems to be in
order, showing the DNS name and IP. The only thing that doesn't pass is the
gateway but there is none.
This is the third or so attempt. The first attempt was on a live network and
I tried to join 21 PC's to the domain. It was fine until I got to the 19th
PC and I started to get the message "cannot find domain name". No matter what
I do now I still get this message. Even on the lab network and after several
demotions and promotions of AD.
Any advice would be appreciated. Many have tried to help before and I
appreciate the effort.
QUESTION: one thing I haven't asked.......are my zone records supposed to be
listed as Active Directory instead of Standard Primary? It is my
understanding that they should only be placed in Active Directory if there is
more than 1 DC in the network so that the DC's can replicate info. I only
have 1 DC.
Several tries ago I got a PC to join AFTER I took Norton completely out of
the PC. I then put the PC back into a workgroup to see if I could re-join the
domain. It would not. It's been the same message ever since. Is my place
haunted???
Bill...goin nuts....S.
 
I can not quite puzzle out how a netdiag can show pass without a DC host record being present in DNS, so I'm putting that mystery
aside for now.

The most likely problems are the two frequent fliers here: either a DNS zone isn't configured to accept dynamic updates, or
something on your network is pointing to an outside DNS server.

Check the properties of each zone and make sure that it is configured to accept dynamic DNS updates (either secure-only or all). And
check all network workstations and servers >>including<< this DC and make sure that the only DNS IP address listed is this DC's (I'm
presuming your DNS service is running on the DC.). Put another way, this means that on the DC itself, the DNS settings in TCP/IP
must list the same IP address as the DC itself has, and no other. The same is true for DHCP scope DNS assignments and any
statically-assigned PCs.

If that doesn't resolve it, change the dynamic updates property on the forward zone from secure-only to allow-all in case this is a
security problem. Then run a netdiag /fix and a dcdiag /fix on the DC. If the forward host record still doesn't appear something
unusual is wrong. Client-side firewalls, missing or incorrect primary DNS suffix, duplicate names, time sync/time zone problems,
multihomed DCs, failing services, etc etc - the list of candidates is really long at this point.

So if still unresolved I would suggest that you first check the system event logs on the client and server around the time you are
trying to join, as well as any "chronic" errors that are being logged - there are always things in there that will at least provide
a clue. If you you'll probably have to post back with the exact error text, netdiag/dcdiag/ipconfig listings and relevant events.

In your situation it won't matter whether you use standard primary or AD-integrated zones - most people here would recommend the
latter on general principle. There are various services on a DC that autoregister with DNS and so the A record should appear
regardless of whether you've configured the DC to autoregister in TCP/IP properties. However they all require that the zone allow
dynamic updates.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
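
The checks described in the post above, as an added example that is not part of the original thread: it assumes a current Windows version with the DnsClient and DnsServer PowerShell modules, which postdate the netdiag/dcdiag tools used here. The domain name, IP address and function names are hypothetical placeholders.

```powershell
# Placeholders (assumptions, not values from the thread): replace with your own.
$Domain = 'lab.example.com'   # hypothetical AD DNS domain
$DcIp   = '192.168.1.10'      # hypothetical IP of the DC that also runs DNS

function Test-DnsClientServers {
    # Each interface with IPv4 DNS servers set should list the DC and nothing else.
    param([string]$ExpectedIp)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $extra = @($_.ServerAddresses | Where-Object { $_ -ne $ExpectedIp })
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Servers   = $_.ServerAddresses -join ', '
                OnlyDc    = ($extra.Count -eq 0)
            }
        }
}

function Test-DcLocatorRecords {
    # Query the DC's DNS service directly for the SRV record clients use to
    # locate a DC, then confirm every SRV target also has a host (A) record.
    param([string]$Domain, [string]$Server)
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $Server -DnsOnly `
               -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "No SRV record for $srvName on $Server"; return }
    foreach ($r in $srv) {
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $Server -DnsOnly `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            SrvTarget = $r.NameTarget
            Port      = $r.Port
            HostA     = if ($a) { $a.IPAddress -join ', ' } else { 'MISSING' }
        }
    }
}

# Run on the DC and on one client that cannot join.
Test-DnsClientServers -ExpectedIp $DcIp
Test-DcLocatorRecords -Domain $Domain -Server $DcIp

# Run on the DNS server only: a primary zone showing DynamicUpdate = None
# cannot accept the DC's registrations (Secure or NonsecureAndSecure can).
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```

An `OnlyDc` value of `False` or a `HostA` value of `MISSING` corresponds to the two causes named in the post: a DNS setting pointing somewhere other than the DC, or a host record that never registered.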
 
Steve's post pretty much covers the basics. If you followed the basics, this
pretty much *just works*.

I remember Kevin was helping you in a previous thread of yours. You stated
an expired copy of Norton Internet Security on it was causing the problem.
Now are you saying that all the clients are having difficulty or is it just
this one machine?

If the Norton Internet Security is anything like Zone Alarm (which is a
known issue) that leaves their remaining DLLs and registry entries that mess
things up with network communication and domain controller functions, you
may need to contact Norton on how to manually remove any registry entries
and such that may cause a problem.

Can you post an ipconfig /all from your DC(s) and of one of the clients
please? If we can take a look at your config, that may help us help you
better. I remember Kevin asking you for one, but one was never provided. If
you are on a private network, there is no security concern since it is
private.

If you have a single label domain name, that can cause problems as well. But
we need to take a look at your config first, please.

You can also run a dcdiag /v /fix and a netdiag /v /fix on the server. That
will give us any errors that may be on the system. If you can post those
results, that will be very helpful as well.

Thanks.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Thanks much guys.....I will try all this and get back to you.
Thanks again
 
Hope to hear back from you soon with either a successful accomplishment or
your configuration data as asked, to further assist you.

Ace
 
Look for DHCP client Service.
It Should be: STARTED and AUTOMATIC

DHCP Client Service is responsible for DDNS AutoRegistration.

Let Me Know


-
Vespassassin
 
Ace Fekay [MVP]
If the Norton Internet Security is anything like Zone Alarm (which is
a known issue) that leaves their remaining DLLs and registry entries
that mess things up with network communication and domain controller
functions, you may need to contact Norton on how to manually remove
any registry entries and such that may cause a problem.

Ace, just to add, if Norton Internet Security is anything like Norton
AntiVirus you can't fully uninstall it, have you ever tried to upgrade
Norton AV to a later version?

I have tried, every time I have to I end up having to search the Registry
for everything related to Symantec and delete them. It is always a real
PITA. I've moved to recommending Computer Associates antivirus. So far, I
haven't had a problem with upgrading the CA AV.
 
In
Kevin D. Goodknecht Sr. said:
Ace Fekay [MVP]


Ace, just to add, if Norton Internet Security is anything like Norton
AntiVirus you can't fully uninstall it, have you ever tried to upgrade
Norton AV to a later version?

I have tried, every time I have to I end up having to search the
Registry for everything related to Symantec and delete them. It is
always a real PITA. I've moved to recommending Computer Associates
antivirus. So far, I haven't had a problem with upgrading the CA AV.

Good point, for I've gone thru having to delete every Symantec reference as
well, and it is a true PITA. CA is a good one, as well as ETrust.

Ace
 
Hi

This is just FYI really,

Just to let you guys know - there is a tool from Symantec to fully remove
their junk from your machine - i.e. the Norton Internet Securities and Norton
Antivirus - this tool is applicable to ALL 2004-2005 versions. It is called
symNRT.exe and can be downloaded from Symantec's site.

For versions prior to 2004 there is a tool for NAV called rNAV2003.exe and a
similarly and imaginatively named rNISupg.exe for NIS 2003 and prior.

If you want a laugh check out the "manual removal routine" for NIS 2004 - it's
like pages and pages of info! It really says a lot about the software if a
company has to release specific removal tools to just uninstall them fully.

The only reason I know this is I have supported desktop machines with these
apps preinstalled and there is almost no point in trying to set up any kind of
network with these apps installed - unless you want a headache.


--
Simon Whyley
MCP XP,2Kpro
Comptia A+ (lol)


Message posted via http://www.winserverkb.com
 
Yes, I know what you mean, it is a headache. Even upgrading from Corp 8.0 to
9.0. Some of the machines wouldn't take the upgrade and we had to manually
remove every reference. I've used the step by step before, and to tell you
the truth, just finding every reference for "Symantec" and "Norton" and then
delete them, was easier than following the article.

Ace
 