single-label or disjoint namespace?


Guest

How do I figure out if I have a single-label dns name or a disjoint
namespace? And when I figure out which one it is, is it correctable?

Thanks for any suggestions/help.

Background info:

dhcp xp clients not dynamically updating on w2k3 server.

More background info:

Is my system unusual as far as on the XP clients, the FQDN or Full computer
name = "name." not "name.domain.com". And this is the same for my 2003
servers. I have for sometime believed that I have a disjoint namespace issue
or aka single-label dns name. I have tried to fix it, but with no luck. What
happened on the 2003 servers is once I dcpromoed them, they lost their FQDN
and reverted to "name." I believe that this is my problem. My SOA for my 2003
servers are all "name." but for my 2000 servers they are "name.domain.com".
 
pingboy said:
How do I figure out if I have a single-label dns name or
a disjoint namespace? And when I figure out which one it
is, is it correctable?

Thanks for any suggestions/help.

Background info:

dhcp xp clients not dynamically updating on w2k3 server.

More background info:

Is my system unusual as far as on the XP clients, the
FQDN or Full computer name = "name." not
"name.domain.com". And this is the same for my 2003
servers. I have for sometime believed that I have a
disjoint namespace issue or aka single-label dns name. I
have tried to fix it, but with no luck. What happened on
the 2003 servers is once I dcpromoed them, they lost
their FQDN and reverted to "name." I believe that this is
my problem. My SOA for my 2003 servers are all "name."
but for my 2000 servers they are "name.domain.com".

If the domain name in ADU&C is a single-label name (domain vs. domain.com)
you have a single-label DNS domain name.
From what you said, this sounds like a dis-jointed namespace because the DC
is "name" and not "name.domain.com"

You are in luck though: MSPSS released a script last year in a KB article and
it works great for fixing an incorrect primary DNS suffix on a DC. Yours is
incorrect since it doesn't have one.

257623 Domain Controller's Domain Name System Suffix Does Not Match Domain
Name
http://support.microsoft.com/?id=257623&sd=RMVP

I'm not sure how this happened unless you didn't join the Win2k3 as a member
before you dcpromoed it.
 
pingboy said:
Thanks Kevin,

I've run that script in the past, but it didn't change
anything. I have even tried suggestion from this article,
http://support.microsoft.com/default.aspx?scid=kb;en-us;888048
, but that didn't work either. The server was definitely
a member server before being dcpromoed.

As this article stated maybe those keys are corrupted in the registry. Did
you delete and recreate the keys as the article states?

You might even be able to delete those keys and use the script to re-create
them.
 
Kevin,

Thanks for hanging in there with me. You helped me yesterday also regarding
the dns not dynamically updating on the w2k3 server. This problem is just an
extension of the other and I know are related. I did try deleting the keys
and recreating them.

Yesterday, I did the credential suggestion, and created a new user and made
the user a member of DHCP administrators, DNSAdmins, and a domain user. I
don't know if it needs more than that. The article didn't specify. Also when
I put in the information for the dhcp dns credentials, I put the user name
for the user name, and the short domain name for the domain, not the
example.com domain name, if you know what I mean.

The other thing I did yesterday, which was suggested by someone else on
another board was to add the server as a member of the dnsupdateproxy group.

Have you ever looked at your dhcp log in c:\windows\system32\dhcp? Mine
looks like this:

Microsoft DHCP Service Activity Log


Event ID Meaning
00 The log was started.
01 The log was stopped.
02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.
14 A lease request could not be satisfied because the scope's
address pool was exhausted.
15 A lease was denied.
16 A lease was deleted.
17 A lease was expired.
20 A BOOTP address was leased to a client.
21 A dynamic BOOTP address was leased to a client.
22 A BOOTP request could not be satisfied because the scope's
address pool for BOOTP was exhausted.
23 A BOOTP IP address was deleted after checking to see it was
not in use.
24 IP address cleanup operation has began.
25 IP address cleanup statistics.
30 DNS update request to the named DNS server
31 DNS update failed
32 DNS update successful
50+ Codes above 50 are used for Rogue Server Detection information.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/17/05,14:25:27,Started,,,,

55,02/17/05,14:25:28,Authorized(servicing),,americantaxfunding.com,,

30,02/17/05,14:28:34,DNS Update Request,57.1.168.192,HEATHER.,,

30,02/17/05,14:28:34,DNS Update Request,57.1.168.192,HEATHER.americantaxfunding.com,,

11,02/17/05,14:28:34,Renew,192.168.1.57,HEATHER.americantaxfunding.com,006097B54042,

32,02/17/05,14:43:37,DNS Update Successful,192.168.1.57,HEATHER.,,

31,02/17/05,14:43:37,DNS Update Failed,192.168.1.57,HEATHER.americantaxfunding.com,-1,
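
A way to pull the relevant rows out of a DHCP activity log like the one posted above, as an added example that is not part of the original thread: it keeps only the DNS update events (IDs 30, 31 and 32 from the log's own legend) and flags failed updates and names registered as "name." with no domain part. The host name, domain and MAC address in the sample are constructed, and the function names are this example's own.

```python
import csv
import io

# Event IDs taken from the legend at the top of the DHCP activity log.
DNS_REQUEST, DNS_FAILED, DNS_OK = 30, 31, 32

# Constructed sample in the log's CSV layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address).
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

Event ID Meaning
30 DNS update request to the named DNS server
31 DNS update failed
32 DNS update successful

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/17/05,14:25:27,Started,,,,
30,02/17/05,14:28:34,DNS Update Request,57.1.168.192,WS01.,,
30,02/17/05,14:28:34,DNS Update Request,57.1.168.192,WS01.corp.example.com,,
11,02/17/05,14:28:34,Renew,192.168.1.57,WS01.corp.example.com,0060AABBCC01,
32,02/17/05,14:43:37,DNS Update Successful,192.168.1.57,WS01.,,
31,02/17/05,14:43:37,DNS Update Failed,192.168.1.57,WS01.corp.example.com,-1,
"""


def parse_log(text):
    """Yield one dict per event row, skipping the legend, header and blanks."""
    for row in csv.reader(io.StringIO(text)):
        # Event rows start with a numeric ID and carry at least six fields.
        if len(row) < 6 or not row[0].strip().isdigit():
            continue
        yield {"id": int(row[0]), "date": row[1], "time": row[2],
               "desc": row[3], "ip": row[4], "host": row[5].strip()}


def is_single_label(host):
    """True for names such as 'WS01.' that have a host part but no domain."""
    name = host.rstrip(".")
    return bool(name) and "." not in name


def dns_update_findings(text):
    """Return (time, event_id, host, issues) for each suspicious DNS row."""
    findings = []
    for ev in parse_log(text):
        if ev["id"] not in (DNS_REQUEST, DNS_FAILED, DNS_OK):
            continue
        issues = []
        if ev["id"] == DNS_FAILED:
            issues.append("update-failed")
        if is_single_label(ev["host"]):
            issues.append("single-label-name")
        if issues:
            findings.append((ev["time"], ev["id"], ev["host"], issues))
    return findings


if __name__ == "__main__":
    for finding in dns_update_findings(SAMPLE_LOG):
        print(finding)
```
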
 
pingboy said:
Kevin,

Thanks for hanging in there with me. You helped me yesterday also
regarding the dns not dynamically updating on the w2k3 server. This
problem is just an extension of the other and I know are related. I
did try deleting the keys and recreating them.

Yesterday, I did the credential suggestion, and created a new user
and made the user a member of DHCP administrators, DNSAdmins, and a
domain user. I don't know if it needs more than that. The article
didn't specify. Also when I put in the information for the dhcp dns
credentials, I put the user name for the user name, and the short
domain name for the domain, not the example.com domain name, if you
know what I mean.

The other thing I did yesterday, which was suggested by someone else
on another board was to add the server as a member of the
dnsupdateproxy group.

Have you ever looked at your dhcp log in c:\windows\system32\dhcp?
Mine looks like this:

Microsoft DHCP Service Activity Log
<snipped>

Looks like your domain name is:
americantaxfunding.com

Is that correct? That name, if it is the AD DNS domain name, is not a single
label name. However, if that is not your Primary DNS Suffix on ALL of your
machines, including (and especially) your DCs, then you have a disjointed
namespace. The script provided by Kevin should be able to fix it, but if
there are other mitigating circumstances, such as an incorrectly spelled
zone, corruption, etc., that will cause more probs than we can list.

To better assist you and help diagnose it and give you recommendations,
we'll need some specific config info, such as:

1. An unedited ipconfig /all from one of your DCs and a client. You can copy
and paste that from the command prompt into your reply to the newsgroup.
2. The Domain name that shows up in your ADUC (Active Dir Users & Computers)
3. The name (exact spelling) of the zone in DNS
4. Are updates set to allow in the properties of that zone in #3?
5. Any and all pertinent Event Log errors from all of the Event logs from
the DC (post the Event ID #s please).

Thanks

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
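
The comparison described in the replies above (AD DNS domain name versus each machine's Primary DNS Suffix), as an added example that is not part of the original thread: it reads the Host Name and Primary Dns Suffix lines out of `ipconfig /all` text and classifies each machine using the thread's own definitions. The host names, domains and function names are constructed for the example.

```python
import re

# Constructed `ipconfig /all` excerpts; host names and domains are placeholders.
SAMPLES = [
    """Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   DNS Suffix Search List. . . . . . : corp.example.com
""",
    """Windows 2000 IP Configuration

   Host Name . . . . . . . . . . . . : fs05
   Primary DNS Suffix  . . . . . . . : corp.example.com
   Node Type . . . . . . . . . . . . : Hybrid
""",
    """Windows IP Configuration

   Host Name . . . . . . . . . . . . : ws07
   Primary Dns Suffix  . . . . . . . : lab.example.net
   Node Type . . . . . . . . . . . . : Hybrid
""",
]


def _field(label, text):
    """Return the value of one 'Label . . . :' line, '' if blank or absent."""
    # [ \t]* rather than \s* so an empty value cannot swallow the next line.
    pattern = rf"^[ \t]*{re.escape(label)}[ .]*:[ \t]*(.*)$"
    m = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else ""


def classify(ad_domain, primary_suffix):
    """Classify one machine against the AD DNS domain name shown in ADUC."""
    domain = ad_domain.strip(".").lower()
    suffix = primary_suffix.strip(".").lower()
    if "." not in domain:
        # "domain" rather than "domain.com": a single-label DNS domain name.
        return "single-label domain"
    if not suffix:
        return "disjoint: no primary DNS suffix"
    if suffix != domain:
        return f"disjoint: suffix is {suffix}"
    return "ok"


def audit(ad_domain, outputs):
    """Map each host name to its verdict for a list of ipconfig outputs."""
    return {
        _field("Host Name", text).lower():
            classify(ad_domain, _field("Primary Dns Suffix", text))
        for text in outputs
    }


if __name__ == "__main__":
    for host, verdict in audit("corp.example.com", SAMPLES).items():
        print(f"{host}: {verdict}")
```
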
 
Thanks the both of you for your help. I do appreciate your expertise.

1. my workstation:

Windows IP Configuration

Host Name . . . . . . . . . . . . : JON
Primary Dns Suffix . . . . . . . : americantaxfunding.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : americantaxfunding.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : americantaxfunding.com
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-50-BF-60-ED-90
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.65
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.246
DNS Servers . . . . . . . . . . . : 192.168.1.246
192.168.1.254
Primary WINS Server . . . . . . . : 192.168.1.246
Lease Obtained. . . . . . . . . . : Thursday, February 17, 2005 12:46:55 PM
Lease Expires . . . . . . . . . . : Friday, February 18, 2005 12:46:55 AM



A Windows 2003 server running dns but not a dhcp:

Windows IP Configuration

Host Name . . . . . . . . . . . . : npbts01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX) #2
Physical Address. . . . . . . . . : 00-10-4B-68-83-C8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.251
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.251
192.168.1.254
Primary WINS Server . . . . . . . : 192.168.1.254


A Windows 2000 Server running dns and dhcp (has two network adapters):

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : npbfs05
Primary DNS Suffix . . . . . . . : americantaxfunding.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : americantaxfunding.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Adapter #2
Physical Address. . . . . . . . . : 00-30-48-70-76-6B
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.254
192.168.1.246
Primary WINS Server . . . . . . . : 192.168.1.254

Ethernet adapter Local Area Connection 1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Adapter

Physical Address. . . . . . . . . : 00-30-48-70-76-6A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.253
192.168.1.246
Primary WINS Server . . . . . . . : 192.168.1.253


A Windows 2003 server running dns and dhcp (the culprit):

Windows IP Configuration

Host Name . . . . . . . . . . . . : npbex01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : americantaxfunding.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : americantaxfunding.com
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)
Physical Address. . . . . . . . . : 00-10-5A-9A-7B-68
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.246
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.246
192.168.1.254
Primary WINS Server . . . . . . . : 192.168.1.246



Note: Please remember that the Windows 2003 servers all had a correct FQDN
before being dcpromoed into Active Directory. Also, if you look at the More
Setting in Computer Name tab (after the warning about changing a domain
controller's name) you see that the Primary Dns Suffix is correct:
americantaxfunding.com


2. americantaxfunding.com

3. Under Forward Lookup Zones, americantaxfunding.com
(I also have Reverse Lookup Zones)

4. "Secure" updates are allowed

5. Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 2/17/2005
Time: 3:56:03 PM
User: N/A
Computer: NPBEX01
Description:
The Security System could not establish a secured connection with the server
ldap/njfs02.americantaxfunding.com. No authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0 ‹..À

Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5781
Date: 2/17/2005
Time: 12:16:49 PM
User: N/A
Computer: NPBEX01
Description:
Dynamic registration or deletion of one or more DNS records associated with
DNS domain 'americantaxfunding.com.' failed. These records are used by other
computers to locate this server as a domain controller (if the specified
domain is an Active Directory domain) or as an LDAP server (if the specified
domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain
wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone
authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration
or deletion of the DNS records by running 'nltest.exe /dsregdns' from the
command prompt or by restarting Net Logon service. Nltest.exe is available in
the Microsoft Windows Server Resource Kit CD.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00 *#..
 
pingboy said:
Thanks the both of you for your help. I do appreciate
your expertise.

It looks like both of the Win2k3 machines are in trouble, neither have a
Primary DNS suffix. Is there any way to make a remote desktop connection to
these servers?
The reason I ask is that below you stated this:
Also, if you look at the More Setting
in Computer Name tab (after the warning about changing a
domain controllers name)
you see that the Primary Dns Suffix is correct:
americantaxfunding.com

The problem is that this setting is supposed to be grayed out on a DC and
you should not have access to this part anyway.


A Windows 2003 server running dns but not a dhcp:

Windows IP Configuration

Host Name . . . . . . . . . . . . : npbts01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX) #2
Physical Address. . . . . . . . . : 00-10-4B-68-83-C8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.251
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.251
192.168.1.254
Primary WINS Server . . . . . . . : 192.168.1.254
 
Kevin D. Goodknecht Sr. said:

It looks like both of the Win2k3 machines are in trouble, neither
have a Primary DNS suffix. Is there any way to make a remote desktop
connection to these servers?
The reason I ask is that below you stated this:

The problem is that this setting is supposed to be grayed out on a DC
and you should not have access to this part anyway.

Kevin, I would like to add, IIRC, on a Win2003 DC, it is possible to change
that name (shouldn't be grayed out), but I do not have an installation in
front of me to confirm that, and also I believe it depends on functional
levels too.

As for the SPNEGO error on NPBEX01, that is probably due to no PTR in the
reverse zone, since it has no Primary DNS Suffix to register into the
forward zone. I am willing to bet that is happening on NPBTS01 as well for
the same reason.

Also, want to mention that the multihomed NPBFS05 is problematic with two
NICs on the same subnet, unless of course, the NICs are teamed. If they are
teamed, no problem, if not, then we may have an issue there since they are
on the same subnet.

Pingboy, may I ask why they are on the same subnet?
Is teaming possible with these NICs? (Look at the NIC documentation).

Look in the registry on NPBTS01 and NPBEX01 for these entries below. Can you
tell me what they are? I'm expecting to find "americantaxfunding.com".

"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain" (should say
americantaxfunding.com).

"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain" (should
say americantaxfunding.com).

"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SyncDomainWithMembership",
(should be a value of 1)

Thanks

Ace
 
Thank you again for sticking in there.

As far as the reg settings they are what you wrote.

As far as the nics, I'm not and have never been crazy about having
two nics, but that is the way it was when I got here. There was
even another server with two nics, but that was just retired for
the new 2003 server. I have read numerous articles on multihomed
computer issues with browsing and so forth, but in my humble
opinion, I don't think this is the issue here.


As far as the reverse lookup zones, in the 192.168.1.x zone, I have
two workstations with PTR records, both have the FQDN format. These
are getting their IPs from the 2000 server, as mentioned before, that
server is DDNS fine. The other records are all server PTR records and
server NS records. On a side note, in the past, to get rid of other
errors, when I first noticed the disjoint namespace issue months ago,
and in order to get AD replication working (it is still working fine),
I would add extra records to counteract the disjoint name. Wherever I
would see a "name." for a 2003 server, I would add a "name.domain.com"
record. So I do have a PTR record for all three 2003 servers in the
192.168.1.x reverse lookup zone, but for two (npbex01 and npbts01)
out of the three 2003 servers, they are in the "name.domain.com" format,
not the "name." format. Do I need to add a "name." PTR record?

On a sort of side note, two days ago, when trying to diagnose the issue
I tried using Group Policy to force the dns suffix. Actually, it is
forcing the dns suffix. I know it is working for two reasons. One, the
two workstations that are updating from the 2000 server have changed
from "name." to "name.domain.com" just after the change in the group
policy. Two, when I look at the dhcp log, I notice all of the other
workstations have changed from "name." to "name.domain.com".

Thanks again guys.
 
Ace Fekay [MVP] commented
Then Kevin replied below:
Kevin, I would like to add, IIRC, on a Win2003 DC, it is
possible to change
that name (shouldn't be grayed out), but I do not have an
installation in
front of me to confirm that, and also I believe it
depends on functional
levels too.

I don't have a Win2k3 DC in front of me either, but I do manage a couple
remotely. Those settings are grayed out in the remote desktop, that is what
I have to go on. I'm not sure of the functional level of one, but I know the
other is Windows 2000 functional level because it has a Win2k replica. (You
remember the two I was telling you about last week) Maybe the setting is
just grayed out in the remote desktop, or maybe it is the functional level.
I would like to verify this though, I really hate to tell someone wrong
information.
 
Kevin,

I think I may have confused the whole matter when I
mentioned that information. You are correct, on a DC
it is grayed out and on a non dc it isn't grayed
out, remote or not remote. I was just mentioning
it because, even though it is grayed out, you can still
click on change, you will get a warning stating that
you cannot change a DC's name, but you can ignore the
warning and move on to the next window "computer name
changes" and then click More, and move on to the
"DNS suffix and Netbios computer name" window.

Thanks again. Hope this helps.
 
pingboy said:
Kevin,

I think I may have confused the whole matter when I
mentioned that information. You are correct, on a DC
it is grayed out and on a non dc it isn't grayed
out, remote or not remote. I was just mentioning
it because, even though it is grayed out, you can still
click on change, you will get a warning stating that
you cannot change a DC's name, but you can ignore the
warning and move on to the next window "computer name
changes" and then click More, and move on to the
"DNS suffix and Netbios computer name" window.

Did you delete and recreate those registry keys noted in that article?
These keys may be corrupted.
 
pingboy said:
Kevin,

I sure did.

This one is totally off the wall, I've never seen or heard of any Domain
Controllers exhibiting this behavior. Make a call to MS PSS. It may be
something silly, but we've covered everything concerning the Primary DNS
suffix on a DC and it still isn't right.

Without connecting remotely, which MS PSS will do, I don't know what to tell
you to do.
 
This one is totally off the wall, I've never seen or heard of any
Domain Controllers exhibiting this behavior. Make a call to MS PSS.
It may be something silly, but we've covered everything concerning
the Primary DNS suffix on a DC and it still isn't right.

Without connecting remotely, which MS PSS will do, I don't know what
to tell you to do.

I agree. If this is exhibiting this sort of behavior, it seems this would be
a new one to me too, unless we're missing something in the diagnosis.

Just to try something out, I would try to change the domain name in the GUI
to a blank, then change it again back to what it is supposed to be. Or
maybe just demote it and promote it back into the domain, but prior to
that, set the Primary DNS Suffix first.

Ace
 