Thanks for article 300202

George Hester

I think I did this right for the first time. I installed Windows 2000 Advanced Server (twice). The first time I got
an error that I was using dynamic IP addressing. Anyway I didn't like that installation so I started over. But this
time I used my Router's IP address for the System. And I followed the article I mentioned:

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

and "pointed the DNS server to myself." (I like that to myself). I made the thing a domain controller because I
could. After all that was done I went and configured a forwarder to my ISP's DNS Server. But something tells
me that really wasn't necessary.

First off I didn't have a * zone anymore. That was nice so I didn't have to, "Right-click the '*' zone, and then
click Delete." Was that right for a correctly installed DNS server? Didn't have that "*" zone? And when I went
to check the Root Hints in the DNS Properties I had a nice list. So I think I finally did this right? But I don't
know why I am getting Netlogon errors:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5775
Date: 11/28/2004
Time: 3:33:01 AM
User: N/A
Computer: HESTER
Description:
Deregistration of the DNS record '_ldap._tcp.gc._msdcs.hesterloli.com. 600 IN SRV 0 100 3268 hester.hesterloli.com.' failed with the following error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..

all of them like this. Any suggestions how to address these. I get 5 at every boot. I don't understand why I get
these if I set the DNS up correctly...or maybe I didn't? Thanks.
 
George Hester said:
I think I did this right for the first time. I installed Windows 2000
Advanced Server (twice). The first time I got
an error that I was using dynamic IP addressing. Anyway I didn't like that
installation so I started over. But this
time I used my Router's IP address for the System. And I followed the
article I mentioned:

It is generally a poor practice to put a DC "on the Internet"
(e.g., as your router to the Internet), especially if you are
inexperienced with Win2000 and AD.

It is possible to secure such systems but requires very
careful management over the entire life of the system.

and "pointed the DNS server to myself." (I like that to myself). I made
the thing a domain controller because I
could. After all that was done I went and configured a forwarder to my
ISP's DNS Server. But something tells
me that really wasn't necessary.

Usually not "necessary", but usually the CORRECT thing
to do.

DCs shouldn't be ON the Internet, neither should they "visit"
the Internet at large to resolve arbitrary DNS requests. By
using a forwarder you can stop the physical recursion from
the DC and let the forwarder take all the chances.
First off I didn't have a * zone anymore.

Do you mean "." or ROOT zone?
That was nice so I didn't have to, "Right-click the '*' zone, and then
click Delete." Was that right for a correctly installed DNS server?

Practically always right.
Didn't have that "*" zone? And when I went
to check the Root Hints in the DNS Properties I had a nice list.
So I think I finally did this right? But I don't
know why I am getting Netlogon errors:

General DNS checklist:

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
 
George Hester said:
I think I did this right for the first time. I installed
Windows 2000 Advanced Server (twice). The first time I
got
an error that I was using dynamic IP addressing. Anyway
I didn't like that installation so I started over. But
this
time I used my Router's IP address for the System. And I
followed the article I mentioned:

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

and "pointed the DNS server to myself." (I like that to
myself). I made the thing a domain controller because I
could. After all that was done I went and configured a
forwarder to my ISP's DNS Server. But something tells
me that really wasn't necessary.

First off I didn't have a * zone anymore. That was nice
so I didn't have to, "Right-click the '*' zone, and then
click Delete." Was that right for a correctly installed
DNS server? Didn't have that "*" zone? And when I went
to check the Root Hints in the DNS Properties I had a
nice list. So I think I finally did this right? But I
don't
know why I am getting Netlogon errors:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5775
Date: 11/28/2004
Time: 3:33:01 AM
User: N/A
Computer: HESTER
Description:
Deregistration of the DNS record
'_ldap._tcp.gc._msdcs.hesterloli.com. 600 IN SRV 0 100
3268 hester.hesterloli.com.' failed with the following
error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..

all of them like this. Any suggestions how to address
these. I get 5 at every boot. I don't understand why I
get
these if I set the DNS up correctly...or maybe I didn't?
Thanks.

Is the DC using only the local DNS server for DNS? It must!
Dynamic updates on the AD domain zone allowed? Should be.
Go to the %systemroot%\system32\config directory and delete the Netlogon.dns
and Netlogon.dnb files, then restart the netlogon service.
Since you built this server twice it's a good guess that the files were
still left over from before. It is OK to delete these files; the netlogon
service will recreate them.
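As an added example (not code from the thread or from Microsoft's KB articles), the checks Kevin lists, written as a PowerShell script for a current Windows Server DC with the DnsClient, NetTCPIP and DnsServer modules; Windows 2000 had no PowerShell, so this is the modern equivalent of clicking through TCP/IP properties and the DNS console. The domain name hesterloli.com and the address 192.168.2.16 are taken from the thread; the parameter names and the `-Reset` switch are assumptions. One detail worth knowing when reading the 5775 event above: its Data bytes `39 23 00 00` are the little-endian Win32 error 0x2339 = 9017, DNS_ERROR_RCODE_BADKEY, i.e. the server that received the signed (GSS-TSIG) dynamic update rejected its key. That is why the script checks both which server the DC sends updates to and the zone's update policy before touching the Netlogon files.

```powershell
#Requires -RunAsAdministrator
# Added example: DNS prerequisite checklist for a DC that logs NETLOGON 5775/5781 at boot.
# Values from the thread: domain hesterloli.com, DC/DNS address 192.168.2.16.
param(
    [string]$Domain      = 'hesterloli.com',
    [string]$InternalDns = '192.168.2.16',
    [switch]$Reset        # assumption: also wipe netlogon.dns/.dnb and re-register
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Every NIC with DNS configured must list ONLY the internal DNS server(s).
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $foreign = @($nic.ServerAddresses | Where-Object { $_ -ne $InternalDns })
    if ($foreign.Count -gt 0) {
        $findings.Add("NIC '$($nic.InterfaceAlias)' lists non-internal DNS server(s): $($foreign -join ', ')")
    }
}

# 2. The DC's address must be static; a DHCP lease from the router is not good enough.
foreach ($ip in Get-NetIPAddress -AddressFamily IPv4 -IPAddress $InternalDns -ErrorAction SilentlyContinue) {
    if ($ip.PrefixOrigin -eq 'Dhcp') {
        $findings.Add("$InternalDns on '$($ip.InterfaceAlias)' is a DHCP lease; assign it statically")
    }
}

# 3. The AD zone must accept dynamic updates. 'Secure' is the right setting for an
#    AD-integrated zone: only authenticated (GSS-TSIG) updates from domain members.
$zone = Get-DnsServerZone -Name $Domain -ErrorAction Stop
switch ($zone.DynamicUpdate) {
    'None'               { $findings.Add("Zone $Domain refuses dynamic updates; Netlogon cannot register") }
    'NonsecureAndSecure' { $findings.Add("Zone $Domain accepts unauthenticated updates; any host on the LAN can overwrite records") }
}

# 4. The SRV records Netlogon owns must be answerable by the internal server.
foreach ($name in "_ldap._tcp.dc._msdcs.$Domain", "_ldap._tcp.gc._msdcs.$Domain", "_kerberos._tcp.$Domain") {
    if (-not (Resolve-DnsName -Name $name -Type SRV -Server $InternalDns -ErrorAction SilentlyContinue)) {
        $findings.Add("No SRV record $name on $InternalDns")
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    return
}
Write-Host "DNS prerequisites look correct."

if ($Reset) {
    # Kevin's cleanup step: Netlogon rebuilds these two files when it starts.
    $cfg = "$env:SystemRoot\System32\config"
    Remove-Item "$cfg\netlogon.dns", "$cfg\netlogon.dnb" -ErrorAction SilentlyContinue
    Restart-Service Netlogon
    ipconfig /registerdns | Out-Null
    Start-Sleep -Seconds 30
    # Any 5775/5781 logged after the restart means registration is still failing.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5775, 5781
                                     StartTime = (Get-Date).AddMinutes(-2) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Run it once without `-Reset` and fix every warning it prints; only then run it with `-Reset`, because deleting netlogon.dns and restarting the service merely retries the same update, and the update will fail again for as long as the DC is sending it to the wrong server or the zone refuses it.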
 
Hi Kevin. No I didn't install again like that. I wiped the drive first. If I hadn't I would have gotten Administrator and
Administrator.MachineName profiles which is why I removed the first installation.

No the DC is NOT using only its DNS Server. The router has one and that is in my Forwarders. It is my ISPs. There is
only one DNS Server in the TCP\IP Properties | Use the following DNS Server addresses | Preferred DNS |
192.168.2.16 (My IP from the Router). No Alternates.

Dynamic Updates on the AD domain allowed??? - How do I check?

Delete those files and Reboot? Think that will fix it?

I believe it is working correctly because I added my other system Windows XP to the domain.

Windows 2000 Advanced Server no SP (SP3 now) Windows XP SP1 in the domain. Don't know if it is using my Server
DNS.
 
George Hester said:
Hi Kevin. No I didn't install again like that. I wiped
the drive first. If I hadn't I would have gotten
Administrator and
Administrator.MachineName profiles which is why I removed
the first installation.

No the DC is NOT using only its DNS Server. The router
has one and that is in my Forwarders. It is my ISPs.
There is
only one DNS Server in the TCP\IP Properties | Use the
following DNS Server addresses | Preferred DNS |
192.168.2.16 (My IP from the Router). No Alternates.

Dynamic Updates on the AD domain allowed??? - How do I
check?

Delete those files and Reboot? Think that will fix it?

Remove your router's address from the DNS list, use only the internal DNS,
even if you only have one. The router's address in your DNS server list is
what is causing this. All member clients and DCs must use the local DNS,
period.

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036
 
Kevin I just wanted to give you an update (Windows 2000 Advanced Server SP3) on this issue. Seems I was able to fix
this just by making sure stuff was working correctly. I no longer have those errors in my Event Viewer. I have only three
total now. In fact they are all Warnings and all occurring in the System log

(11) W32Time:

Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 11
Date: 11/28/2004
Time: 8:01:16 PM
User: N/A
Computer: HESTER
Description:
The NTP server didn't respond
Data:
0000: 49 27 00 00 I'..

I wish the US Navy would get their act together. Do you happen to have a better NTP Server?

(5781) Netlogon:

Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5781
Date: 11/28/2004
Time: 8:01:15 PM
User: N/A
Computer: HESTER
Description:
Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
Data:
0000: b4 05 00 00 ´...

This one I don't quite understand. It looks like Depends on Service is not correctly set. What do you think? Believe me the DNS Server is there.

(34) Disk:

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 34
Date: 11/28/2004
Time: 7:59:24 PM
User: N/A
Computer: HESTER
Description:
The driver disabled the write cache on device \Device\Harddisk1\DR1.
Data:
0000: 0f 00 04 00 01 00 62 00 ......b.
0008: 00 00 00 00 22 00 04 80 ...."..€
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 00 00 00 00 ....

I wish Microsoft could find it in their hearts to fix this one.

So all in all looks pretty good. The first and last are out of your domain. But maybe you have a suggestion on the middle
one? Thanks.

-
George Hester
_________________________________
 
George Hester said:
Kevin I just wanted to give you an update (Windows 2000
Advanced Server SP3) on this issue. Seems I was able to
fix
this just by making sure stuff was working correctly. I
no longer have those errors in my Event Viewer. I have
only three
total now. In fact they are all Warnings and all
occurring in the System log

Did you remove the router's address from the DNS server list and point it to
the local DNS server?
 
Not sure what you are asking here. The local DNS Server has an IP address that is assigned by the Router. There are no other IP addresses that I know of other than the others provided by the Router and those are assigned to the other systems in the Network. There is only one IP address for DNS in the TCP\IP Properties | Use the following DNS Server addresses | Preferred DNS | 192.168.2.16 (My IP from the Router). No alternates. There is a forwarder to my ISP's DNS and that value is seen in the Router config. I believe this was
the way:

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

suggested I set this up. In any case do you think when the machine is firing up the IP address for the system has
not yet been provided by the Router and that's the issue? Thanks.

The local DNS Server has no IP address other than what the Router is providing it with. If I removed the
Router's assigned IP address in the TCP\IP Properties of the Server, what would I be left with? All I can imagine
is 127.0.0.1. Thanks.
 
George Hester said:
Not sure what you are asking here. The local DNS Server
has an IP address that is assigned by the Router. There
are no other IP addresses that I know of other than the
others provided by the Router and those are assigned to
the other systems in the Network. There is only one IP
address for DNS in the TCP\IP Properties | Use the
following DNS Server addresses | Preferred DNS |
192.168.2.16 (My IP from the Router). No alternates.
There is a forwarder to my ISP's DNS and that value is
seen in the Router config. I believe this was
the way:

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

suggested I set this up. In any case do you think when
the machine is firing up the IP address for the system
has
not yet been provided by the Router and that's the issue?
Thanks.

The local DNS Server has no IP address other than what
the Router is providing it with. If I removed the
Router's assigned IP address in the TCP\IP Properties of
the Server, what would I be left with? All I can imagine
is 127.0.0.1. Thanks.

You have totally lost me.
Use the IP address of the Domain Controller for DNS on all machines. I don't
know what you're saying about the router, unless you are using the router for
DHCP and it is assigning the addresses for your clients. This is not
recommended anyway, use the Win2k for DHCP.
Also, if you're saying that the DC does not have a static IP assigned to it,
you need to fix that. It needs a static address so that you can assign that
address to all clients for DNS.
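What Kevin describes here, as an added example that is not part of the thread: a PowerShell script that turns the DC's router-assigned lease into a static address, points the DC's own DNS client at itself, and has the DC's DHCP server hand that DNS address (option 006) and the AD suffix (option 015) to every other machine on the LAN, so the XP box stops resolving through the router. It assumes a current Windows Server with the NetTCPIP, DnsClient and DhcpServer modules and the DHCP Server role installed; that role needs no second network card, only the router's own DHCP server switched off so two servers do not hand out conflicting DNS settings. The address 192.168.2.16 and the domain hesterloli.com are from the thread; the interface alias, gateway, subnet and scope range are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: make the DC's address static, point its DNS client at itself, and
# serve that DNS address to all clients via DHCP. Not code from the thread.
param(
    [string]$InterfaceAlias = 'Ethernet',        # assumption
    [string]$DcAddress      = '192.168.2.16',    # from the thread
    [int]   $PrefixLength   = 24,                # assumption
    [string]$SubnetMask     = '255.255.255.0',   # assumption, matches /24
    [string]$ScopeId        = '192.168.2.0',     # assumption, matches /24
    [string]$Gateway        = '192.168.2.1',     # assumption: the router
    [string]$ScopeStart     = '192.168.2.100',   # assumption
    [string]$ScopeEnd       = '192.168.2.199',   # assumption
    [string]$DnsSuffix      = 'hesterloli.com'   # from the thread
)

# 1. Static address: DHCP off on the interface, then a fixed IP and default gateway.
#    Existing address and default route are removed first because New-NetIPAddress
#    refuses to add a second default gateway.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $DcAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null

# 2. DNS client on the DC: only the internal DNS server, never the router or the ISP.
#    The ISP's resolver belongs on the DNS server's Forwarders tab, not here.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DcAddress
Set-DnsClient -InterfaceAlias $InterfaceAlias -RegisterThisConnectionsAddress $true

# 3. DHCP scope on the DC. Every lease gets the DC as its DNS server and the AD
#    domain as its suffix, which is what lets members find the SRV records.
$existing = Get-DhcpServerv4Scope -ErrorAction SilentlyContinue |
    Where-Object { $_.ScopeId.ToString() -eq $ScopeId }
if (-not $existing) {
    Add-DhcpServerv4Scope -Name $DnsSuffix -StartRange $ScopeStart -EndRange $ScopeEnd `
        -SubnetMask $SubnetMask -State Active
}
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Gateway -DnsServer $DcAddress -DnsDomain $DnsSuffix
# Keep the DC's own address out of the pool so no lease can ever collide with it.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $DcAddress -EndRange $DcAddress `
    -ErrorAction SilentlyContinue

# 4. Re-register the DC's records against the now-static address and prove they resolve.
Restart-Service Netlogon
ipconfig /registerdns | Out-Null
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsSuffix" -Type SRV -Server $DcAddress
```

After running it, release and renew the lease on each client (`ipconfig /release` then `ipconfig /renew`) and confirm with `ipconfig /all` that the only DNS server listed is 192.168.2.16; a client that still shows the router's address is still getting its lease from the router.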
 
No the DC is NOT using only its DNS Server.
The router has one and that is in my Forwarders.
It is my ISPs. There is
only one DNS Server in the TCP\IP Properties

That's fine -- you can ONLY put the internal DNS
server (set) in the NIC->IP properties, but it is
perfectly fine (in fact the correct method) to put
the external DNS forwarder into the DNS server
forwarding tab.
 
Yes the Router is assigning the IP address for every computer in the Network (2). I did not install DHCP. The reason
being that I believe I would need another Network card. I don't (not yet) and so chose not to install DHCP.

The DNS Server has a practically static IP address. I say "practically" because it is really dynamic although hasn't changed
for over a year now. I doubt it ever will. But if it does I know what to do in that case. Not hard.

I suppose you are saying assign the DNS server in Windows 2000 ADVSvr to Windows XP to get rid of that last
warning. I'll give that a go.

You know one thing about a Router may be true. The Router gets the IP address from the ISP and then uses its own
method to assign the specific address to the clients in the Network. If the ISP address changed why would that affect what
the Router delivers out to the clients? I suspect the Router is going to always assign the same IP address no matter if that
dynamic IP address changes or not. Maybe not but I can tell you I probably won't be able to test it for the next 5 yrs.
Dang thing never changes.

Thanks for all your help here Kevin.
 
George Hester said:
Yes the Router is assigning the IP address for every
computer in the Network (2). I did not install DHCP.
The reason
being that I believe I would need another Network card.
I don't (not yet) and so chose not to install DHCP.

The DNS Server has a practically static IP address. I
say "practically" because it is really dynamic although
hasn't changed
for over a year now. I doubt it ever will. But if it
does I know what to do in that case. Not hard.

Practically is not good enough, it must be static for the machine the DNS
server is on.
I suppose you are saying assign the DNS server in Windows
2000 ADVSvr to Windows XP to get rid of that last
warning. I'll give that a go.
Read this article for the best way to setup your DNS clients, keep in mind
that the machine the DNS server sits on is a client machine, too.
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036
 
Hi Kevin. OK oh well then. I suppose one warning is practically not good enough but I can live with it for now. I really
don't have a choice in the matter.
 