In
The Zack said:
Thanks Ace,
I figured I had a bad egg on my hands. I just inherited this network
and new at DNS. Now, can you tell me how to reinstall AD? Or point
me to a 'How To"?
Zack
Zack, this is a loaded question, believe it or not, because of the vast
possibilities. If you search back, you can see this issue strewn about in
various threads. I have a bunch of them archived and I'm going to paste it
below and you can see the reasons behind it and possible options to
reinstall. Basically, to save your user accounts, if you're still in mixed
mode and still have an NT4 BDC, or if not, you can still install an NT4 BDC,
then you can physically remove your server (unplug it), promote the NT4 to a
PDC and upgrade it following the correct naming structure.
If not in mixed mode, then it's a little more difficult. You can install a
new AD domain with the correct name and use ADMT to migrate the users. If
you have Exchange, then it complicates it.
Read this stuff about it... hope you've got time to read this.
===========================================
The BIGGEST problem is that the domain is a single label name. That is NOT
good at all and creates multiple problems. Your domain name is called "SOL".
It should be in the form of "sol.com" or "sol.net" or "sol.michael", but
not just "SOL". The single name does not follow the hierarchical tree
structure of DNS.
A single label named domain was probably due to (with all due respect) lack
of research and knowledge with the way AD and DNS must be designed PRIOR to
an upgrade/migration. It's very important to do your homework on this
because it becomes difficult to change. However, since you have W2k3 being
used, you may be able to change the name. But in order to do this, you must
upgrade the W2k server first to W2k3 and raise the Forest Functional Level to
Native Mode. Here's a link on how to do that with W2k3:
Forest and Domain Functional Levels Explained:
http://www.microsoft.com/technet/tr...server2003/proddocs/datacenter/sag_levels.asp
Renaming domains - rendom.exe found in valueadd-msft-mgmt-domren folder on
CD:
http://www.microsoft.com/technet/tr...rver2003/proddocs/datacenter/domainrename.asp
SP4 changed/stopped the fact of letting registrations work because MS found
that excessive DNS traffic was hitting the ISC Root servers with any machine
that had a single label name. It was just too much. So they stopped it. Now,
you can use a registry entry to force registration, but this must be done on
ALL the machines in your domain.
Here is the fix that you can use for now. It's more of a band-aid that won't
totally solve certain issues, but it will force registration of the SRV
records:
http://support.microsoft.com/?id=300684
This has to be done on all machines.
One BIG problem, however, if using single label names: GPOs will not work,
whether you use the registry entry mentioned in that link above or not. This
is because they look for the domain name when the GetGPOList function runs
on a client when it tries to "find" the GPO. The path it looks for is such
as this because the policies are found in the domain share:
\\domain.com\sysvol\domain.COM\Policies
In your case, it would be querying for:
\\SOL\sysvol\SOL\policies
In that case, it will not be able to find that domain name because it's
treating it as a HOST name. You can try to force this by ensuring there is a
blank HOST name called SOL with the IP addresses of one of the DCs, but from
other posters and tests, it doesn't appear to really work correctly. Also,
XP clients have difficulty querying this method, whether you put the
registration fix in it or not.
Sorry to be the bearer of bad news. I hope this helps in understanding your
dilemma and what your options are.
========================================
Here's more...
========================================
----- Original Message -----
From: Ace Fekay [MVP]
Newsgroups:
microsoft.public.windows.server.dns,microsoft.public.windows.server.sbs
Sent: Tuesday, January 13, 2004 9:26 PM
Subject: Re: DNS, Single Label Domains and SBS2K3
In
Aaron said:
Firstly, I would HAVE to convince my boss that this is REALLY, REALLY
necessary.
Just to play devil's advocate here for a moment:
My Boss would say: Why re-install? Everything is working. The clients
are registering in local DNS (with registry hacks),
\\domain\sysvol\domain is accessible and group policies/scripts are
being applied to the clients, Web browsing/e-mail is working to the
outside world, VPN is working, Exchange is working, we can access all
our files, etc. Where is the need?
And I don't have a good argument to counter this, because it is true.
This is SBS, so there is no need to have access to other AD/DNS
servers for replication, zone transfers, etc. There are no forest, or
trees, just SBS. We're not running an external DNS that needs to be
RFC compliant (we use forwarders to the ISP for external resolution),
and we still have legacy O.S.'s (95/98 - actually legacy O.S.'s was
the reason our consultant gave for "maintaining" a single label
domain - funny thing is those legacy O.S.'s seem to work just fine on
my SBS testbed at home with "domain.lan" as my domain - go figure
huh).
But things do appear to be working. I need something to point to and
say:
"See, it's SUPPOSED to do this, but because the DNS is BROKEN, it
ISN'T doing what it should be doing."
What is my SBS not doing that it should be?
I need convincing arguments (as much to convince myself as my boss -
this would be a really big deal to have to force the company to go
through this again so soon). I need some TEST to show /prove, that if
this isn't fixed "X" will be the result, and it ain't pretty if "X"
happens (i.e. the network will come to a total, screeching, train
wrecking halt)!
I don't like the fact that the domain is semi-broken, but I believe I
can live with it. I just really need to know what the downside
is/will be.
Any thoughts/arguments/recommendations greatly appreciated.
Aaron
Aaron,
This has been a real big issue lately. Here's a copy/paste of a recent
thread (just search back on single label name and a whole bunch of them will
turn up). But go ahead and read it, including (way below) a re-post from one
of the MS guys, Alan Wood, with the company's take on it. Excessive queries
to the ISC Root Servers, AD doesn't work correctly, etc etc etc.
The whole thing is basically caused, with all due respect, by not
properly planning or researching prior to your migration or upgrade.
/begin paste...
=================================
In
Joe said:
How do I rename my domain. I don't know how. I want to
rename my domain without modifying other configurations
like active directory.
Well, that's the whole thing. It's all about AD.
Instead of typing it all out again, check this post (below) from a recent
post I made. This is a common problem due to lack of proper pre-installation
planning and research into AD. Sorry to say that, with all due respect.
I hope it helps in understanding what is in front of you.
Begin:
=================================================
continued.....
This is a common problem lately. Many posts on it. Recently (yesterday) I
posted something similar that will apply to you. I copied/pasted it below.
Yes, The DC is Windows Server 2000 SP4.
And, yes, the computer in question is the only one having this issue.
And, no, when I ping our domain I get "Unknown host"
C:\>ping CREDENTALS
Unknown host CREDENTALS.
I have entered the two registry entries that were suggested in
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
in the DC now, although I have not had a chance to reboot that
machine yet. Once I do will this fix the "Unknown host CREDENTALS."
problem as well or could this all be very simply fixed by adding a
".com" to my domain?
-Scott Elgram
To ping a domain name, it would need the TLD suffix, since it will look
under the zone name for the (same as parent) record. If pinging a single
name, it will treat it as a host and may even suffix it with your Search
Suffix List, which in your case, based on your ipconfig, is "CREDENTIALS",
so it may be trying to ping credentials.credentials.
Ideally, it would be advised to rename the domain by installing a new
domain in a new forest and migrating the users/groups/and computer accounts to
the new domain with ADMT. The user profiles will be translated to the new
domain user account on their workstations and will be automatically joined
to the new domain for you. This way you won't have to disjoin/rejoin the
machines in the domain and lose the user profiles. Once that's done, you can
trash the old DC and rebuild it as a new DC in the new existing domain you
created.
Single label domain names are problematic, at best. Certain clients, such as
XP, may balk at it and cause additional errors since they have problems
querying single label name records in DNS.
--
Regards,
Ace
First of all, you can try using
http://support.microsoft.com/?id=300684
for a reg entry to force it to update. Need to do it on your clients too,
but XP won't work properly. You may still get problems with GPOs applying
since the GetGPOList function on the client side references the domain FQDN,
such as:
\\domain.com\sysvol\domain.COM\Policies
But when it tries to go to what you have, such as:
\\DOM\etc...
It perceives DOM as a host name, and may not resolve properly.
Here's my other post that may help in resolving this and in renaming
it. Read the whole thing so you'll know what's involved.
==========================================
Ace Fekay,
If I were to just rename the domain from CREDENTALS to
CREDENTALS.net and disjoin all the affected workstations from
CREDENTALS and join it to CREDENTALS.net would it reset the user
profiles?
First, you can't just rename a domain, unless you're still in mixed mode
with an NT4 BDC still present. If still in mixed mode, you can add an NT4
BDC, trash the W2k DC, promote the NT4 BDC to a PDC, then manually set the
DNS Suffix in TCP/IP properties to the new domain name, credentials.net,
(which would be the name you choose for the AD DNS domain name, but keep the
NetBIOS domain name as CREDENTIALS for backward compatibility), then upgrade
it to a W2k DC. This way the machines that are still joined will still be
joined to the same domain.
Otherwise if the domain is in Native mode, you'll need to follow the ADMT
method I previously mentioned.
And no about disjoining and rejoining to the new domain with the old
profiles. When you manually rejoin, a new profile is created. You may find
that you can manually force the new profiles to use the old profile one
machine at a time, but I don't think that's what you want to do. ADMT will
do that for you.
Keep in mind you want to follow DNS naming methods. One thing I noticed is
you're using uppercase. It's not that it won't work, but to keep things
consistent with DNS RFCs (looks good too), name it credentials.net, not
CREDENTIALS.net.
From what I have read in researching this problem it sure does seem
that single label domains cause lots of problems and sometimes even
questionable and/or slow connections. But, likewise, I have also
read things that lead me to think migrating AD off CREDENTALS and
over to CREDENTALS.net could possibly cause more problems domain wide
than just the one machine I have now. If I ever have to set up a new
domain or rebuild the old one for some reason other than one machine
I'll definitely use the appropriate formatting (I wasn't the one who
set this up anyway, that guy quit). For now should the 2
registry entries discussed previously in
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
fix this problem for the one machine?
-Scott Elgram
If the domain is in mixed mode, it will be a lot easier for you. If not, the
ADMT will work, but I would read up on it first and test it. I can provide
links if needed. I've migrated quite a few domains and have to say it's the
easier method if the domain is presently in mixed mode. To find the present
mode, rt-click the domain name in ADUC, properties. Look at the bottom of
the general tab.
Also, Kevin has a big point about GPOs and how the GetGPOList function works
when a machine logs on and looks for the GPOs. That reg entry has to be made
system wide....
***************************************
Here's a repost by Alan Wood from Microsoft describing the issue and
ramifications and the recommendations to rename it properly. I hope it helps
in understanding the issue at hand.
***************************************
----- Original Message -----
From: "Alan Wood" [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS
Hi Roger,
We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.
Example: Single Labeled domain domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA
If a client in the domain Child2 wants to resolve a name in domainA,
Example: Host.DomainA, and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA, and at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.
Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.
Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the
services you are using.
Thank you,
Alan Wood [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
****************************************
=================================
/end
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
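The two failure modes the thread keeps returning to, the SYSVOL path that GetGPOList builds from the domain name and the resolver's suffix devolution stopping at two labels, can be modelled in a few lines. This is an added example written for this page, not code from any poster or from Microsoft; the zone table and the "domainA.example" names are constructed sample data, and the two-label stopping point is an assumption taken from Alan Wood's description of the resolver rather than from any documented setting.

```python
"""Added example (not from the thread): models why a single-label AD domain
breaks GPO path lookup and short-name resolution across a forest.
The zone table is constructed sample data, not a real DNS zone."""


def is_single_label(domain):
    """True when the DNS domain name has only one label, e.g. "SOL"."""
    return "." not in domain.strip(".")


def gpo_policies_path(domain):
    """The UNC path a client looks for when it applies GPOs: the Policies
    folder on the domain's SYSVOL share, addressed by the domain DNS name.
    With a single-label name the first component is a bare label, which the
    client treats as a host name rather than a domain name."""
    return "\\\\{d}\\sysvol\\{d}\\Policies".format(d=domain)


def devolution_candidates(short_name, primary_suffix, min_labels=2):
    """Names the resolver tries, in order, for an unqualified name.
    The primary DNS suffix is devolved one label at a time, but the resolver
    stops once only `min_labels` labels remain (two, as described in the
    thread; assumed here), so the top label of a single-label forest is
    never queried on its own."""
    labels = primary_suffix.strip(".").split(".")
    tried = []
    while len(labels) >= min_labels:
        tried.append(f"{short_name}.{'.'.join(labels)}")
        labels = labels[1:]
    return tried


def resolve(short_name, primary_suffix, zone):
    """Walk the candidate list against a zone table keyed by lower-case FQDN
    and return the first name that exists, or None when devolution runs out
    before reaching the zone that actually holds the record."""
    for fqdn in devolution_candidates(short_name, primary_suffix):
        if fqdn.lower() in zone:
            return fqdn
    return None


def domain_checks(domain):
    """Findings a practitioner would report for the given AD DNS domain name."""
    findings = []
    if is_single_label(domain):
        findings.append(f"{domain} is a single-label name")
        findings.append(f"{gpo_policies_path(domain)} starts with a bare "
                        "label, which clients treat as a host name")
    return findings


# Constructed sample zone: one server, "host", registered in the forest root
# of a single-label forest (domainA) and of a two-label forest (domainA.example).
SAMPLE_ZONE = {
    "host.domaina": "10.0.0.5",
    "host.domaina.example": "10.0.0.5",
}

if __name__ == "__main__":
    # A client in Child2.child1.domainA never reaches host.domainA ...
    print(devolution_candidates("host", "Child2.child1.domainA"))
    print(resolve("host", "Child2.child1.domainA", SAMPLE_ZONE))
    # ... but the same client in a properly named forest does.
    print(resolve("host", "Child2.child1.domainA.example", SAMPLE_ZONE))
    for finding in domain_checks("SOL"):
        print(finding)
```

Running the block prints the two candidate lists side by side: the single-label forest stops after host.child1.domainA and the lookup fails, while the two-label forest devolves down to host.domainA.example and succeeds. domain_checks("sol.com") returns nothing, which is the point of the renaming advice above.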