NSLOOKUP

[Guest]

I promoted the only server on my network to a domain controller via dcpromo.
The wizzard prompted me to setup DNS, which seemed to go off with out a
hitch. I also configuered dhcp. I don't have a problem finding sites on the
web, but when I do a nslookup on the LAN i can only resolve hosts that are
joined to the domain.

 

[Ace Fekay [MVP]]

In

I promoted the only server on my network to a domain controller via
dcpromo. The wizzard prompted me to setup DNS, which seemed to go off
with out a hitch. I also configuered dhcp. I don't have a problem
finding sites on the web, but when I do a nslookup on the LAN i can
only resolve hosts that are joined to the domain.

You're saying nslookup is only resolving IPs in your own reverse zone and
not the public side?

Is this Windows 2000 or 2003?
Is there a forwarder set?
Can you give us an example nslookup output please?
Are you only using your internal DNS on your machines?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

 

[Guest]

Sorry about the lack of details, I'm still a little new to this.
I am running 2000 server. I do have forwarders enable and a couple forwader
IPs. When I do a nslookup on a machine that is not joined to the domain I
get "***server1.mydomain.com can't find computer1: Non-existent domain", but
if I do a nslookup for a machine that I have joined to the domain I get
"name: server1.mydomain.com
address: 192.168.0.1
It works fine. It seems like a rights issue to me, but I really have no
idea. Which is why I have brought my issue to you the experts.
Thank you in advance

 

[Guest]

I am only using my internal DNS on my machines. As a side note I can ping
host names and IPs with the -a switch with succesfull replys

 

[Ace Fekay [MVP]]

In

Sorry about the lack of details, I'm still a little new to this.
I am running 2000 server. I do have forwarders enable and a couple
forwader IPs. When I do a nslookup on a machine that is not joined
to the domain I get "***server1.mydomain.com can't find computer1:
Non-existent domain", but if I do a nslookup for a machine that I
have joined to the domain I get "name: server1.mydomain.com
address: 192.168.0.1
It works fine. It seems like a rights issue to me, but I really have
no idea. Which is why I have brought my issue to you the experts.
Thank you in advance

I see. Then my next question is, "What DNS server IP address is the machine
that is "not part of the domain", using in it's IP properties?

Can we see an ipconfig /all of both machines please?

Believe me, it is NOT a rights or permissions issue. No such thing when it
comes to resolving.

Ace

 

[Kevin D. Goodknecht Sr. [MVP]]

Sorry about the lack of details, I'm still a little new to this.
I am running 2000 server. I do have forwarders enable and a couple
forwader IPs. When I do a nslookup on a machine that is not joined
to the domain I get "***server1.mydomain.com can't find computer1:
Non-existent domain", but if I do a nslookup for a machine that I
have joined to the domain I get "name: server1.mydomain.com
address: 192.168.0.1
It works fine. It seems like a rights issue to me, but I really have
no idea. Which is why I have brought my issue to you the experts.
Thank you in advance

This is probably because the non-member machines are not able to register in
DNS becaue you only allow secure updates, and the non-member machines do not
have the proper rights to update the secure zone.

 

[Ace Fekay [MVP]]

In

I am only using my internal DNS on my machines. As a side note I can
ping host names and IPs with the -a switch with succesfull replys

Then it doesn't make sense. As long as all machines are only using the
internal DNS (no mixing up DNS addresse on the clients), I cannot see why
this happening.

Can we see the ipconfig /all please? It could also be a search suffix issue.

Ace

 

[Guest]

I believe you are on to something. So, because my forward/reverse zones are
active directory integrated machines not joined to the domain do not have
write acces to the zones? Does this mean I should give elevated rights to
anonymous account for both the forward and reverse lookup zones? If so,
would this require write access? That sounds a little scary, but am open to
sugestions. Thanks again to everyone who is helping me figure this out.
GNATinOKC

 

[Ace Fekay [MVP]]

In

I believe you are on to something. So, because my forward/reverse
zones are active directory integrated machines not joined to the
domain do not have write acces to the zones? Does this mean I should
give elevated rights to anonymous account for both the forward and
reverse lookup zones? If so, would this require write access? That
sounds a little scary, but am open to sugestions. Thanks again to
everyone who is helping me figure this out. GNATinOKC

I think you can just allow secure and non-secure updates would do the trick
for the time being just to test it, instead of altering permissions. Once
you've verified that works, then you can try the permission route.

Ace

 

[Kevin D. Goodknecht Sr. [MVP]]

I believe you are on to something. So, because my forward/reverse
zones are active directory integrated machines not joined to the
domain do not have write acces to the zones? Does this mean I should
give elevated rights to anonymous account for both the forward and
reverse lookup zones? If so, would this require write access? That
sounds a little scary, but am open to sugestions. Thanks again to
everyone who is helping me figure this out. GNATinOKC

I'm not sure I'd allow non-secure updates or alter permissions. You can
always let DHCP handle the DNS registrations.

 

[Ace Fekay [MVP]]

In

I'm not sure I'd allow non-secure updates or alter permissions. You
can always let DHCP handle the DNS registrations.

If that's the case, the clients will either need the Primary DNS Suffix set,
or the suffix set in NIC properties, or force DHCP to upate all clients.

Ace

 

[Chris Nicholas]

I believe the option in the DNS tab on the DHCP Server Properties page
addresses this exactly. The "Enable DNS dynamic updates according to the
settings below:" option with the "Always dynamically update DNS A and PTR
Records" produces the expected updates. I have not tested this since all my
systems are a part of the domain but in my corporate environment DNS is
resolving Win98 and NT 4 systems that are not apart of the domain as well as
W2k and W2k3 systems. Unless there is a WINS server that is not listed in
our configurations that I don't know of.

Chris

Not tested just my .02...
"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

I believe the option in the DNS tab on the DHCP Server Properties page
addresses this exactly. The "Enable DNS dynamic updates according to
the settings below:" option with the "Always dynamically update DNS A
and PTR Records" produces the expected updates. I have not tested
this since all my systems are a part of the domain but in my
corporate environment DNS is resolving Win98 and NT 4 systems that
are not apart of the domain as well as W2k and W2k3 systems. Unless
there is a WINS server that is not listed in our configurations that
I don't know of.
Chris

Not tested just my .02...

That is exactly what I mentioned, "force DHCP to update all clients".

Just an FYI, the DNS tab in DHCP properties is actually Option 081.

Ace