unable to resolve DNS

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Where do I start. I have no idea when it comes to DNS. We us a 3rd party
system to manage our DNS, the system point to your router on the internet and
the router passes it to our server. so for the conversation the dns is
mybiz.com the server on our side of the firewall is called mybizsvr and if
you ping it it comes up a mybizsvr.mybiz.com.au and the computers attached
to the server are named in a similar fashion pc1.mybiz.com.au etc...

I can only ping the pc that i am pinging from using its full name
pc1.mybiz.com.au

if I'm on pc1 and trying to ping mybizsvr.mybiz.com.au it wont find the
machine but if i ping mybizsvr it returns the pings but does not show its
full name mybizsvr.mybiz.com.au it only shows mybizsvr

The DNS console on the server shows mybizsvr as the server.

I dont understand why when Im adding pcs to the network it attaches the new
pc using the full address newpc.mybiz.com.au but then cant use it!?

What do I need to do to enable the cascading of the addredd throughtout the
network


thanks marcel
 
You say you are using a 3rd party to host your DNS. This would normally be
only your public namespace, and you would have to manage your internal
namespace yourself. Since you talked about the server's DNS console, you
must be running DNS. When you say "adding pcs to the network" I assume you
mean joining them to your AD domain? Both the server and clients must point
to your local DNS server (not the 3rd party's) for name resolution. If they
are members of your AD local domain, the DNS domain suffix will
automatically be added to dns queries. If they are not domain members, you
can add the DNS suffix manually in TCP/IP properties, click the "advanced"
button, DNS tab. If your internal DNS domain is the same as your external,
you'll have to manually add the records for any public servers (i.e. "www").
As far as why you can ping by computername but not fqdn, that pretty much
says that you are not resolving using the correct DNS server. More than
likely yo are resolving using WINS, which also explains how you might be
able to join the computers to the domain without the proper DNS settings. If
this is a new AD domain and you don't have public IP addresses and a need
for Internet entities to directly access your computers, I would seriously
consider renaming your internal domain to mybiz.au.local or something.

....kurt
 
Marcel said:
Where do I start. I have no idea when it comes to DNS. We us a 3rd
party system to manage our DNS, the system point to your router on
the internet and the router passes it to our server. so for the
conversation the dns is mybiz.com the server on our side of the
firewall is called mybizsvr and if you ping it it comes up a
mybizsvr.mybiz.com.au and the computers attached to the server are
named in a similar fashion pc1.mybiz.com.au etc...

I can only ping the pc that i am pinging from using its full name
pc1.mybiz.com.au

if I'm on pc1 and trying to ping mybizsvr.mybiz.com.au it wont find
the machine but if i ping mybizsvr it returns the pings but does not
show its full name mybizsvr.mybiz.com.au it only shows mybizsvr

The DNS console on the server shows mybizsvr as the server.

I dont understand why when Im adding pcs to the network it attaches
the new pc using the full address newpc.mybiz.com.au but then cant
use it!?

What do I need to do to enable the cascading of the addredd
throughtout the network
Click to expand...

You can join a Win2k or later OS to a domain using the NetBIOS name of the
domain. However once joined and authenticated to a Win2k or Win2k3 domain,
the Win2k and later client will always use DNS to locate the domain
controller.

That said, what do you mean when you say you use a third party system for
DNS?

It is highly recommended to use your Domain Controller for DNS and allow
only secure dynamic updates to the AD domain zone. Then use the DC's IP
address only for DNS on all AD domain members and no other ISP or external
DNS in TCP/IP properties.
You can use the router as a forwarder for the DNS server. However, if you
want the router to resolve all external names for internal clients, you
would still use the DCs address for DNS only, then on the Forwarders tab
select the check box for "Do not use recursion" (Do not confuse with
"Disable recursion" on the Advanced tab).
By using the check box on the forwarders tab, it forces the DNS server to
ignore its root hints and send all external queries to the forwarder.

Now, for getting DNS to resolve single-label host names, e.g. 'mybizsvr'
make sure the AD domain name is listed in the DNS suffix search list of all
local clients. Also, in your example you mentioned "mybiz.com.au" is that
the real representation of your AD domain name?
If it is you will notice that if you look at your ipconfig /all, you will
have two suffixes in your DNS suffix search list, "mybiz.com.au" and
"com.au", the problem is that if the name is not in "mybiz.com.au" the DNS
client (and nslookup) will also search com.au for any non-FQDN you query for
(Queries not ending with a dot "." are non-FQDN). You should use a custom
DNS suffix search list with only the local AD domain name "mybiz.com.au" in
the DNS suffix search list.

Now, the problem with ping, when you ping a single label name "mybizsvr"
ping is using NetBIOS resolution to resolve the server's NetBIOS name and
the likely reason the DNS lookup fails is because you aren't using the AD
DNS server for DNS resolution, then letting DNS forward to the router,
instead you are trying to get the router to find your AD domain name. Which
apparently it cannot do.

In simple terms, you should use DNS on the DCs to get all local DNS
resolution, then let DNS on the DC forward to the router. This is a very
common mis-configuration, it is not a common as it used to be, due to users
passing their experience on to new users, in effect learning from mistakes
of others.
But still there are some that stick to thinking that getting internet
resolution is the most important function of DNS and will always attempt to
use an ISP or router's address for DNS in TCP/IP on Active Directory domain
members. Don't use this thinking. If properly configured, you will have no
problems with running DNS on your DC which can handle thousands of queries
per minute with out even making a noticeable dent in your DC's performance.
 
Here Here!

I recently took a contract and found this same misconfiguration in 9 out
of 10 clients I serviced.

I learned the right way fom you guys a few years back-
and I've told many people about it.

you can put the domain name in the dhcp scope as well,
so they always get it wether they are already joined or just
being joined.

James Long
 
Back
Top