Please Urgent DNS nameserver disaster recovery

Thread starter: Guest

Hi all,

My company network worked well until yesterday, when an American company
decided to register on the Internet the same name as my internal network.
Now every request from any internal computer (tested with ping and tracert
and confirmed by nslookup) is forwarded to this new external network.
We use a Windows 2000 domain and I know that this OS cannot help me
rename the domain (without losing computers, users, profiles and so on).
I am thinking about installing a new Windows 2000, configuring a new domain
and trying to migrate information to it, but I am not clear on the
consequences of this.

Can someone help me? Any other ideas to suggest?

Thanks to all in advance

Walter
 
My company network worked well until yesterday, when an American company
decided to register on the Internet the same name as my internal network.

If you didn't register it then it is NOT 'your name' as far as the Internet
goes.
Now every request from any internal computer (tested with ping and tracert
and confirmed by nslookup) is forwarded to this new external network.

If you have internal nameservers holding that zone they are set up
incorrectly, in all likelihood.

If you don't have that zone internally then the above is the correct
behavior.
(They aren't really 'forwarded' though -- the name resolves to that network;
there is a difference.)
We use a Windows 2000 domain and I know that this OS cannot help me
rename the domain (without losing computers, users, profiles and so
on).

You cannot rename the domain. You would have to create a new domain.

But if you are seeing this problem (you report), your internal
DNS CLIENTS are set up WRONG anyway.

Internal DNS clients must point SOLELY at your INTERNAL DNS
server (set).

If your internal DNS server set holds that zone it will NEVER see the
new Internet commercial zone/domain -- your users will not be able
to contact (easily) that domain but they will NOT have trouble with
your internal names and domains.
I am thinking about installing a new Windows 2000, configuring a new domain
and trying to migrate information to it, but I am not clear on the
consequences of this.

That might be the long term solution but unless the 'new' domain is
important to you the problem is NOT CRITICAL.
Can someone help me? Any other ideas to suggest?

Fix your internal DNS servers and clients and not only will this
solve OTHER (authentication and replication) problems it will
HIDE this specific external issue:


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients' NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set).
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
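The two client-side rules above (every NIC lists ONLY the internal DNS server set, and DCs count as clients too) are easy to state and easy to get wrong on a machine-by-machine basis. The script below is an added example, not a tool from this thread: it parses the text of `ipconfig /all` and flags any adapter that lists a resolver outside the internal set, in the order the client resolver would consult them, plus a single-label primary DNS suffix. The sample output, the adapter names and the internal server addresses (10.0.0.10 and 10.0.0.11; 198.51.100.53 stands in for an ISP resolver) are constructed for illustration.

```python
"""Audit 'ipconfig /all' output for the DNS client mistakes discussed above.

Added example, not a tool from this thread. The sample output and the
internal DNS server set below are constructed for illustration.
"""
import ipaddress
import re

# Assumption: the internal, dynamic DNS server set that holds the AD zone.
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}

# Constructed sample: 'Local Area Connection' lists an ISP resolver first
# (the mixed configuration described in the thread); 'VPN' follows rule #2.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ws01
        Primary DNS Suffix  . . . . . . . : corp
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Constructed NIC
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            10.0.0.10

Ethernet adapter VPN:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.1.50
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            10.0.0.11
"""

# Adapter headers are the only unindented lines that end with a colon.
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")


def _as_ip(text):
    """Return the stripped text if it is an IP address, else None."""
    text = text.strip()
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return None
    return text


def parse_ipconfig(text):
    """Split ipconfig /all output into (host settings, {adapter: settings}).

    'DNS Servers' is kept as an ordered list because the client resolver
    consults the servers in the order listed.
    """
    host, adapters = {}, {}
    current, last_key = host, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        match = ADAPTER_RE.match(raw)
        if match:
            current = adapters.setdefault(match.group(1), {"DNS Servers": []})
            last_key = None
            continue
        if not raw[0].isspace():
            continue  # section title such as 'Windows 2000 IP Configuration'
        key, sep, value = raw.partition(":")
        if sep:
            key, value = key.strip(" ."), value.strip()  # drop the dot leaders
            last_key = key
            if key == "DNS Servers":
                servers = current.setdefault("DNS Servers", [])
                if _as_ip(value):
                    servers.append(_as_ip(value))
            else:
                current[key] = value
        elif last_key == "DNS Servers" and _as_ip(raw):
            current["DNS Servers"].append(_as_ip(raw))  # continuation line
    return host, adapters


def audit(text, internal_dns=INTERNAL_DNS):
    """Return {adapter: [findings]}; an empty list means the adapter is clean."""
    host, adapters = parse_ipconfig(text)
    findings = {}
    suffix = host.get("Primary DNS Suffix", "")
    if suffix and "." not in suffix:
        findings["(host)"] = [f"single-label primary DNS suffix '{suffix}'"]
    for name, settings in adapters.items():
        servers = settings.get("DNS Servers", [])
        problems = []
        if not servers:
            problems.append("no DNS servers configured")
        for pos, server in enumerate(servers):
            if server not in internal_dns:
                where = "first" if pos == 0 else f"at position {pos + 1}"
                problems.append(f"external resolver {server} listed {where}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_IPCONFIG).items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```

Run `ipconfig /all > out.txt` on each client and on each DC (rule #3: DCs are DNS clients too) and pass the file contents to `audit()`; any adapter with a non-empty finding list is a machine that can resolve the conflicting Internet zone ahead of, or instead of, the internal one. The ordering in the finding text matters: a client resolver queries the first listed server and only moves on when that server does not answer, so an external resolver listed first is the case that produces exactly the symptom reported in this thread.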
 
Nagaraja said:
Hi all,

My company network worked well until yesterday, when an American company
decided to register on the Internet the same name as my internal network.
Now every request from any internal computer (tested with ping and tracert
and confirmed by nslookup) is forwarded to this new external network.
We use a Windows 2000 domain and I know that this OS cannot help me
rename the domain (without losing computers, users, profiles and so on).
I am thinking about installing a new Windows 2000, configuring a new domain
and trying to migrate information to it, but I am not clear on the
consequences of this.

Can someone help me? Any other ideas to suggest?

Thanks to all in advance

Walter

A quick fix to get you working whilst you work out a permanent solution
would be to turn off forwarding lookups on the DNS server/s i.e. so that the
DNS server/s don't know where to look apart from themselves for DNS lookups.

Of course this will kill off internet access but you could always use a
proxy server of some kind to get that back and working if you can't rename
the domain quickly.

I'm planning a domain rename at work at the moment for a Win2k3 migration;
here's how it should work:

1. set up new DC and DNS domain
2. establish trust between the two
3. migrate data, user accounts, PCs
4. dcpromo out all original DCs except the last one and rebuild on the new domain
5. dissolve the trust and then rebuild the last remaining DC on the old
domain

Did you name your AD domain using a TLD? e.g. company.com?

Chris
 
A quick fix to get you working whilst you work out a permanent solution
would be to turn off forwarding lookups on the DNS server/s i.e. so that the
DNS server/s don't know where to look apart from themselves for DNS
lookups.

That is NOT necessary. (See my other post).

And it will cause the Internet problems you mention below.
Of course this will kill off internet access but you could always use a
proxy server of some kind to get that back and working if you can't rename
the domain quickly.

All this complication and disabling is completely unnecessary if
he sets up his INTERNAL DNS CLIENTS and servers correctly.

Which he needed to do before this problem.

He likely has clients with both external AND internal DNS servers
listed -- they are resolving the Internet names BEFORE resolving
internal names or he would not even be aware of the problem
(until someone complained about the "new company" being unreachable.)

He needs the NICs on his internal clients to specify ONLY the
internal DNS servers and then he NEEDS FORWARDING ENABLED
for resolving the rest of the Internet (except the conflicting zone).

I'm planning a domain rename at work at the moment for a Win2k3 migration;
here's how it should work:

1. set up new DC and DNS domain
2. establish trust between the two
3. migrate data, user accounts, PCs
4. dcpromo out all original DCs except the last one and rebuild on the new domain
5. dissolve the trust and then rebuild the last remaining DC on the old
domain

Did you name your AD domain using a TLD? e.g. company.com?

Chris
 
Nagaraja said:
Hi all,

My company network worked well until yesterday, when an American
company decided to register on the Internet the same name as my internal
network.
Now every request from any internal computer (tested with ping and
tracert and confirmed by nslookup) is forwarded to this new external
network.

It looks like to me you are mixing your internal DNS address and an external
DNS address in your machines' IP properties (DCs and clients). Otherwise, if
you have all machines configured to ONLY your internal DNS server, and have
configured a forwarder, you would not be experiencing this problem at all.

Here's some info on AD and DNS. Please take a few moments to read through them.


323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
http://support.microsoft.com/?id=323380

300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000 :
http://support.microsoft.com/?id=300202

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/?id=291382



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
 
Thanks to all for your answers and ideas, but they arrived too late, when I
had already needed to start my recovery program:

0) Unplug network cable from routers
1) Add a new domain controller (using VMware ;)) with a new domain whose
name ends in .local
2) Add a trust between the domains
3) Migrate users, computers and profiles using ADMT (very nice app)
4) Delete the old domain from the old DC using dcpromo
5) Add the old DC as a replica to the new domain

It is a long job but it gives satisfaction ;)

Now I need to elect the replica DC as master, but when I try to shut down the
current DC, leaving the replica alone, my network connections are delayed too much. I
discovered an error in requests related to objects in AD. For example, when I try
to add a new user, selecting its group from the groups list in AD, the search
window takes a long time and instead of the list it displays an error message
saying that there is no domain controller for this OU.
Then I tried to ping the domain name and it shows me the IP address of this
DC.

Of course, everything works fine if my DC is online.

How to solve?

Thanks again
Walter

"Herb Martin" wrote:
My company network worked well until yesterday, when an American company
decided to register on the Internet the same name as my internal network.

If you didn't register it then it is NOT 'your name' as far as the Internet
goes.
Now every request from any internal computer (tested with ping and tracert
and confirmed by nslookup) is forwarded to this new external network.

If you have internal nameservers holding that zone they are set up
incorrectly, in all likelihood.

If you don't have that zone internally then the above is the correct
behavior.
(They aren't really 'forwarded' though -- the name resolves to that network;
there is a difference.)
We use a Windows 2000 domain and I know that this OS cannot help me
rename the domain (without losing computers, users, profiles and so
on).

You cannot rename the domain. You would have to create a new domain.

But if you are seeing this problem (you report), your internal
DNS CLIENTS are set up WRONG anyway.

Internal DNS clients must point SOLELY at your INTERNAL DNS
server (set).

If your internal DNS server set holds that zone it will NEVER see the
new Internet commercial zone/domain -- your users will not be able
to contact (easily) that domain but they will NOT have trouble with
your internal names and domains.
I am thinking about installing a new Windows 2000, configuring a new domain
and trying to migrate information to it, but I am not clear on the
consequences of this.

That might be the long term solution but unless the 'new' domain is
important to you the problem is NOT CRITICAL.
Can someone help me? Any other ideas to suggest?

Fix your internal DNS servers and clients and not only will this
solve OTHER (authentication and replication) problems it will
HIDE this specific external issue:


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients' NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set).
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Nagaraja said:
Thanks to all for your answers and ideas, but they arrived too
late, when I had already needed to start my recovery program:

0) Unplug network cable from routers
1) Add a new domain controller (using VMware ;)) with a new domain whose
name ends in .local
2) Add a trust between the domains
3) Migrate users, computers and profiles using ADMT (very nice app)
4) Delete the old domain from the old DC using dcpromo
5) Add the old DC as a replica to the new domain

It is a long job but it gives satisfaction ;)

Now I need to elect the replica DC as master, but when I try to
shut down the current DC, leaving the replica alone, my network
connections are delayed too much. I discovered an error in requests related to
objects in AD. For example, when I try to add a new user, selecting
its group from the groups list in AD, the search window takes a long time
and instead of the list it displays an error message saying that
there is no domain controller for this OU.
Then I tried to ping the domain name and it shows me the IP address
of this DC.

Of course, everything works fine if my DC is online.

How to solve?

Thanks again
Walter

To eliminate guesswork, and to better assist, can you post:

1. an ipconfig /all of this server,
2. the AD DNS name,
3. the zone name in DNS,
4. whether dynamic updates have been allowed,
5. errors in the Event log

Thanks
Ace
 