Single-label root domain & W2K3 child domain


Guest

Good day,

I have a Windows 2000 AD forest with one DC (also a DNS server) in the root domain. This domain is a single-label domain name. I am aware of the problems this can cause: I have read several of Kevin's and Ace's very helpful posts about this. So far, I have apparently been able to avoid most of the problems by configuring all of our client machines with UpdateTopLevelDomainZones and AllowSingleLabelDnsDomain. At this stage, there is really no way we can change our single-label domain name to something else. The root domain contains several child domains, also running in Windows 2000 native mode.

Our DNS is configured as follows: each child domain has a DC that is also a DNS server. The root domain's DNS server has delegations for each child domain configured to point to that child domain's DNS server. Each child domain's DNS server points to itself for DNS resolution and is configured with a forwarder pointing back to the root domain's DNS server. The workstations in each domain point to the DNS server for that domain.

Last week, I ran adprep (/forest & /domain) to prepare the forest and one child domain for the addition of our first w2k3 DC. After transferring the FSMO roles and setting up DNS on the w2k3 server, I used dcpromo to bring down the old w2k DC for this child domain. I then raised the functionality of the child domain to Windows 2003. After renaming the old w2k DC and giving time for replication, I used netdom to rename the new w2k3 domain controller to the name of the old w2k DC.

At this point, when users that are members of the root domain log on to a workstation in the w2k3 child domain they can access shares in the root domain by \\servername\share, but not by \\domainname\share. This means that group policies for the root domain users are not being applied when they log on to the child domain computers. This also means that DFS shares are not accessible. This does not happen to the same users logging on to workstations in the root (w2k) domain or any other child (w2k) domains. It also does not affect the same users attempting to access shares in any child domains by \\domainname\share, regardless of which workstations/domains they log on to.

Is this a security problem between w2k3 and w2k, or is there a DNS problem? I can provide results from netdiag, dcdiag, etc. if it would be helpful. I have verified that Bypass Traverse Checking rights are correctly configured. I have checked share and NTFS permissions on the shares that need to be accessed.

Thank you,
-jdm

To respond directly to me, remove the letters ns from my email address.
 
In Joshua D. McConnaughey <[email protected]> posted a question
Then Kevin replied below:

The parent domain is still a single-label domain name? This is one of the problems with single-label domains; there has been some discussion over the topic of GPOs not being applied. This is because the single-label name will not resolve. There are some theories for some fixes that are in discussion between myself and Ulf B. Simon-Weidner. If you want to test my theory, I'd like to know if it works. In the zone for the single-label name, create a host with the name of your single-label name, then give it the IP of your DCs.
 
Thank you Kevin for replying,

I had seen your discussion with Aaron and the suggestion you had given him
involving a CNAME record and the shouts of joy when it seemed to work. I
tried to follow the suggestions you gave him, but couldn't seem to interpret
it for use with clients of a child domain having trouble resolving the root
domain. I had hoped you would see this question and might be of help to me.
Thanks for tackling it!

I tried what you suggested to me: In the single label domain zone, I created
an A record named casd, which is my single label domain name. For that
record, I put in the IP address of the DC for that domain. When I run
'nslookup casd' from a workstation that is a member of casd, I get a reply
from the DNS server for casd showing that casd.casd points to the IP address
of the DC. However, when I run the same command from a workstation on the
child domain (e1.casd), which is pointing to e1.casd's DNS server, I get
"<e1 DNS server> can't find casd: Non-existent domain". I can ping casd
successfully from both domains.

What did Aaron actually do that made it so he could browse to
\\singlelabeldomainname\share? I can browse to \\casd\share from any of my
other child domains -- all w2k native mode. Just not from workstations on
the newly upgraded w2k3 domain.

Thanks,
-jdm
 
In JoshuaDM <[email protected]> posted a question
Then Kevin replied below:

We are in test mode here, I guess you know. Try this: delete the "A" record and create a CNAME with the same name, but in the FQDN field put in the same name followed by a "." (casd.). The clients will need CASD added to the domain search field on the DNS tab. I remember now that the host doesn't work because it resolves to casd.casd, but the CNAME casd, while it will resolve to casd.casd, will point to casd. It is important that casd be in the domain search field, though. What you want to see is for you to be able to open \\casd\sysvol\casd\policies; that is the share that GPOs are in.
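Added example, not code from anyone in this thread: a small Python model of the resolution path being debugged here, covering both the DNS layout from the first post (a child DNS server authoritative only for e1.casd, forwarding everything else to the root server for the single-label zone casd) and Kevin's A-record versus CNAME suggestion. Zone contents, host names and IP addresses are constructed, and the resolver is simplified to "single-label names are only tried with search-list suffixes appended".

```python
# Constructed zone data (not the poster's real records). The apex record
# "casd." stands for the A record AD registers for the root DC itself.
ROOT_ZONE = {                          # zone "casd." on the root DC/DNS server
    "casd.": ("A", "10.0.0.1"),
    "rootdc.casd.": ("A", "10.0.0.1"),
}
CHILD_ZONE = {                         # zone "e1.casd." on the child DC/DNS server
    "e1.casd.": ("A", "10.0.1.1"),
    "childdc.e1.casd.": ("A", "10.0.1.1"),
}

def make_child_server(root_zone):
    """The child DNS server: answer from its own zone, else forward to root."""
    def child_server(fqdn):
        if fqdn == "e1.casd." or fqdn.endswith(".e1.casd."):
            return CHILD_ZONE.get(fqdn)
        return root_zone.get(fqdn)     # forwarder -> root domain's DNS server
    return child_server

def resolve(name, search_list, server, max_chain=8):
    """Client-side lookup of an unqualified name against one DNS server.

    Simplification (assumption of this model): each search-list suffix is
    appended in turn; the bare label is never sent as a top-level query.
    CNAMEs are chased, and the canonical name reached is returned with the IP.
    """
    for fqdn in [f"{name}.{suffix}." for suffix in search_list]:
        for _ in range(max_chain):
            rr = server(fqdn)
            if rr is None:
                break                  # NXDOMAIN for this candidate; try next suffix
            rtype, value = rr
            if rtype == "A":
                return fqdn, value     # (canonical name, address)
            fqdn = value               # CNAME: follow it to the target name

def scenario(record, search_list):
    """Resolve 'casd' from an e1.casd client with an optional casd.casd record."""
    root = dict(ROOT_ZONE)
    if record is not None:
        root["casd.casd."] = record    # the host or CNAME Kevin proposed
    return resolve("casd", search_list, make_child_server(root))

if __name__ == "__main__":
    print(scenario(None, ["e1.casd"]))                       # None: "can't find casd"
    print(scenario(("A", "10.0.0.1"), ["e1.casd"]))          # None: casd not in search list
    print(scenario(("A", "10.0.0.1"), ["e1.casd", "casd"]))  # ('casd.casd.', '10.0.0.1')
    print(scenario(("CNAME", "casd."), ["e1.casd", "casd"])) # ('casd.', '10.0.0.1')
```

The last two results show the difference Kevin describes: the A record leaves the client holding the name casd.casd, while the CNAME to "casd." lands it on the domain's own name with the DC's address, and only once casd is in the search list does either get a chance.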
 