upgrade to win2000 adv server and DNS

Thread starter: James W. Long

Hi all!
Dear Kevin and Ace,

I have three questions.
I have a Win NT 4.0 PDC and BDC.

I am going to upgrade to Win2kadv server but I am apprehensive about a couple
of things.
I'm having trouble defining the right questions.

You and Ace mentioned that the Win2kadv server uses the TCP/IP DNS tab Host
and Domain fields as the basis for its DNS name. Mine are currently not the
same as the internal names; they are "made up" and I want it the same way as
I have it. Is this possible?

You and/or Ace said that I need a fully qualified domain name with
a suffix such as .net or .org or I will have trouble with the DNS hierarchy.
I do not run this way now; it works great as is, and I never had a problem in 5
years using WinNT DNS. I would prefer to keep what I have. Can I do it?

I want to upgrade WinNT to Win2kadv, totally replacing the old OS
on the same box, and have no difference. Will my clients still be able
to be domain authenticated with their same accounts to the new
installation?
This won't change anything (about logging in or their accounts) on the
clients, will it?
For instance, one time I converted one of my clients to a workgroup
membership from a domain membership. This got it a totally different desktop
and account where nothing was installed. I hope I don't have to go through
that, do I?


here is my setup:

PDC
Win NT 4.0 Server
name jewelntserver
domain jewelconsulting
(jewelntserver.jewelconsulting)

has 2 nics

inside nic:
static Private IP address in 10.0.0.x range

outside nic:
dynamic IP, obtained from the ISP via DHCP. It is not "public" or associated
with a public internet name, and it changes.

tcpip dns hostname tab: dynamic
tcpip dns domain name tab: ip

protocols:
tcpip, netbios and file and printer sharing run on the inside nic
and only tcpip runs on the outside nic.

BDC
Win NT 4.0 Server
name: littlehal
domain jewelconsulting
(littlehal.jewelconsulting)
2 nics

inside nic: static Private IP 10.0.0.x range
outside nic: dhcp dynamic IP
tcpip dns hostname tab: dynamic2
tcpip dns domain tab: ip

protocols: same way as jewelntserver.

All my clients are win2000 the same way, 2 nics.
same way with protocols.

They authenticate to the PDC.

All inside nics go to a shared hub.
All outside nics go to a different shared hub.
The outside hub is connected to the internet.

I have extensive file rights specified (ACLs) on all drives/folders/files
in my systems.
Services such as runas, remote registry, remote desktop etc. are permanently
disabled.


from any machine in the domain I can ping the following:
jewelntserver
jewelntserver.jewelconsulting
jewelconsulting
(these all result in the same internal private ip for jewelntserver at
10.0.0.x)

On jewelntserver, if I ping dynamic.ip I get ITS outside dynamically assigned
address (today).
On littlehal, if I ping dynamic2.ip I get ITS outside dynamic IP address
(today).

There is no web server, no public IP, no need to VPN, no other location,
etc. This is simply a multihomed domain running PDC/BDC and DNS only on the
inside, and that is all.

I have the DNS files if you need them.

Thank you,
 
Hi John,

I remember something about the binding order in your multihomed machines.
But I'll tell you this much. DO NOT USE A SINGLE LABEL NAME. If you do, go
right ahead, and we'll definitely be hearing from you again with all the
problems that you WILL be getting from choosing that name.

Now, let's sit back and have a beer and discuss this.

NT4 is a different animal. Now we're talking W2k and W2k3, which use AD for
their directory services, which is TOTALLY based on DNS. DNS is a hierarchical
structure. A single label name does not follow any sort of hierarchy;
therefore DNS will fail, and therefore AD will fail. With me so far?

Here's some reading on it:
Clients cannot dynamically register DNS records in a single-label forward
lookup zone:
http://support.microsoft.com/?kbid=826743

251384 - Delays in Name Resolution Using Microsoft DNS Server Forwarder
Option [more than likely due to single label name]:
http://support.microsoft.com/default.aspx?scid=kb;en-us;251384

DNS Domain Name System and Domain Name Service Protocol (RFC 1034 2535):
http://www.javvin.com/protocolDNS.html

Also, with all due respect, please do not multihome all your machines. You
are creating an administrative nightmare when it comes to AD, if you don't
already have one. All you need is one machine multihomed (preferably NOT a
DC or a server running a service such as Exchange, SQL, etc). Or better yet,
get yourself a $50.00 Linksys router that will work like a charm. They have
one with a firewall version for about $70.00. Otherwise, with your current
config, I'm putting my paycheck on this: you will definitely have
serious problems.

Please, take my word of advice and strip the extra NICs. I'm not trying to be
facetious, just pointing out the facts, and I've seen config issues that
will blow your mind. This seems like it may turn into one if you keep this
config, due to DNS registration with your AD data. Removing the extra NICs
will eliminate these config issues and also security issues, since they are
directly on the Internet.

And don't forget, with AD you must use your own internal DNS ONLY. You
cannot use your ISP's address, no matter what your ISP tells you, or
expect additional administrative issues, complaints and generally
malfunctioning AD services. My paycheck is on this too.

Hope that helps. If you need any AD design links and upgrade or migration
links, let me know.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Dear Ace:

I had a nice beer. Very good idea. Yes, I did have a binding order
problem and you guys seriously helped me out with that.
Thank you very much again.


I honestly _used_ to have some of those error messages at one time
about registering DNS on my client machines, but I solved that
in this manner.

In Win2000 (my client machines) I made these settings in the DNS tab
for ONLY the inside cards:

1. unchecking "append primary and connection specific DNS suffix"
2. checking "append these DNS suffixes" and filling in jewelconsulting
3. adding jewelconsulting to "DNS suffix for this connection"
4. checking "Register this connection's addresses in DNS"
5. unchecking "Use this connection's DNS suffix in DNS registration"

So now it's not dynamic; it just gets done on the client by default, I think.

My clients are able to find the domain (jewelconsulting), the domain server
(jewelntserver) and (jewelntserver.jewelconsulting) via DNS running
on that NT server box, and those settings on their respective inside cards.

The clients' (and servers', for that matter) OUTside cards get their
DNS server specified by the DHCP server of my ISP.
They never use the inside DNS server at all (for internet).
This is proven by the fact that my inside DNS server isn't even
UP half the time, and internet operates fine. So here are the advantages
of having multihomed machines:
A. I don't need the internet to have a LAN.
B. I don't need a LAN to have the internet.
C. All my clients and servers have domain level account and file security on
them, which is definitely better than being single user and belonging to the
workgroup "workgroup" or "mshome".


So I wonder if I will actually be OK, but hold on a sec for your answer;
I'm going to make the conditions even different yet. I like to do
the homework so I know how it will go, and thank you for your every word so
far.



I did read this. I see the rules changed re: 2000 Service Pack 4.
Clients cannot dynamically register DNS records in a single-label forward
lookup zone:
http://support.microsoft.com/?kbid=826743

Does this mean it applies to the _client_, or were they saying that
Microsoft changed the WAY DNS operates on a DNS server as of 2000 Server
Service Pack 4? Because if it's just in the clients, then the fixes I made
above cover the dynamic DNS registration problem with single label domains
(at least it works OK here), I think.

I'm not trying to disagree with you, I'm just hoping to get what I need.


OK, next let me ask you one more thing about W2kadv AD DNS.

It's possible to have a Domain Controller under Win2kADV
running a DNS server and possibly an inside web server that is
NOT AD integrated, correct?

Because I can't for the life of me come up with a good reason
why I would want my DNS or web server AD integrated, if it's only
for small inside DNS and small private webs available on the inside.
(Actually I only need Win2000 Server, I think.)

As far as the topology is concerned, I know exactly what you say about
a router. Acknowledged and fully understood. I elect to keep the current
topology and am forewarned.

So NOW, the question becomes: running a NON AD Integrated DNS server
on this upgraded DC, if (IF!) my clients' setup is OK, and IF I am willing
to put up with administrating multihomed boxes, which I do very well already,
and my security has always been excellent, NOW can I do an upgrade
and will it work, or is the alternative to rename my entire domain?

I am not trying to be difficult. Honest. I am just looking for the way
to upgrade my PDC and BDC to 2000 and, for all intents and purposes,
have the domain and clients remain intact as they are. I am willing
to make changes, but I hope not as drastic as renaming the domain.
Or is that easy?

Let's say you say yes, it can work but it won't be easy. NP. My very first
question remains about the TCP/IP hostname and domain being something like
"dynamic.ip" on my NT server. I see no way to accomplish this in the 2000
Server TCP/IP properties like you could on Win NT, unless one enters it into
the 2000 Server registry under HKLM\ccs\services\tcpip\parameters, is my best
guess.



Thank you for reading all that and for your help in advance,
James W. Long.
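To make the suffix settings in the post above concrete, here is an added Python model of how a Windows 2000 DNS client expands a name before it is sent to the server (example code, not from anyone in the thread). It models DNS only, so the NetBIOS/WINS fallback that an NT4 domain leans on is deliberately absent, and the zone contents and the 10.0.0.1 address are constructed stand-ins for the 10.0.0.x server described above.

```python
"""Model of the Windows 2000 DNS client's name expansion (added example).

Rules modelled:
  * a name ending in '.' is fully qualified and is queried as-is;
  * a single-label name is never queried bare: the resolver appends the
    primary DNS suffix (devolving it towards its parent) and then the
    connection-specific suffix, or, when "Append these DNS suffixes" is
    selected, each search-list entry instead;
  * a multi-label name without a trailing dot is tried as-is first, then
    with the suffixes appended.
Only DNS is modelled: the NetBIOS/WINS fallback that NT4 relies on is not.
Zone contents and the 10.0.0.1 address are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SuffixSettings:
    """Per-client settings from the Advanced TCP/IP 'DNS' tab."""
    primary_suffix: str = ""          # the machine's primary DNS suffix
    connection_suffix: str = ""       # "DNS suffix for this connection"
    search_list: List[str] = field(default_factory=list)  # "Append these DNS suffixes"
    devolution: bool = True           # also try parent suffixes of the primary suffix


def candidate_names(name: str, s: SuffixSettings) -> List[str]:
    """Return the FQDNs the client will query, in order."""
    name = name.lower()
    if name.endswith("."):
        return [name.rstrip(".")]         # fully qualified: no suffixes at all
    if s.search_list:
        suffixes = [x.lower() for x in s.search_list]
    else:
        suffixes = []
        if s.primary_suffix:
            labels = s.primary_suffix.lower().split(".")
            suffixes.append(".".join(labels))
            while s.devolution and len(labels) > 2:   # corp.example.local -> example.local
                labels = labels[1:]
                suffixes.append(".".join(labels))
        if s.connection_suffix:
            suffixes.append(s.connection_suffix.lower())
    candidates = [name] if "." in name else []        # multi-label names are tried as-is first
    candidates += [f"{name}.{suffix}" for suffix in suffixes]
    return list(dict.fromkeys(candidates))            # drop duplicates, keep order


# A zone maps relative owner names to IPv4 addresses; "@" is the zone apex,
# i.e. the "(same as parent folder)" record in the Windows DNS console.
Zone = Dict[str, str]


def resolve(name: str, s: SuffixSettings, zones: Dict[str, Zone]) -> Optional[str]:
    """Return the address of the first candidate that exists in the zones, else None."""
    for cand in candidate_names(name, s):
        # longest zone name first, so a child zone wins over its parent
        for zone_name in sorted(zones, key=len, reverse=True):
            if cand == zone_name:
                rel = "@"
            elif cand.endswith("." + zone_name):
                rel = cand[: -len(zone_name) - 1]
            else:
                continue
            if rel in zones[zone_name]:
                return zones[zone_name][rel]
            break      # the name belongs to this zone but has no record: NXDOMAIN
    return None


def is_single_label(zone_name: str) -> bool:
    """True for a zone like 'jewelconsulting' that has no parent (TLD) label."""
    return "." not in zone_name.strip(".")


if __name__ == "__main__":
    # Constructed zone data: the NT4-style single-label zone versus an AD-style zone.
    single = {"jewelconsulting": {"@": "10.0.0.1", "jewelntserver": "10.0.0.1"}}
    multi = {"jewelconsulting.local": {"@": "10.0.0.1", "jewelntserver": "10.0.0.1"}}
    # The client settings from the post: search list and connection suffix "jewelconsulting".
    james = SuffixSettings(connection_suffix="jewelconsulting", search_list=["jewelconsulting"])
    ad = SuffixSettings(primary_suffix="jewelconsulting.local")

    for query, settings, zones in [("jewelntserver", james, single),
                                   ("jewelconsulting", james, single),
                                   ("jewelconsulting.", james, single),
                                   ("jewelconsulting.local", ad, multi)]:
        print(f"{query:22} -> {candidate_names(query, settings)} -> {resolve(query, settings, zones)}")
```

Running it shows that a bare `jewelconsulting` is expanded to `jewelconsulting.jewelconsulting` and never reaches the single-label zone's apex record; only the host name or the dot-terminated `jewelconsulting.` does, whereas `jewelconsulting.local` reaches its apex on the first try.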
 
In
James W. Long said:
Hi all!
Dear Kevin and Ace,

I have three questions.
I have a Win NT 4.0 PDC and BDC.

I am going to upgrade to Win2kadv server but I am apprehensive about a
couple of things.
I'm having trouble defining the right questions.

You and Ace mentioned that the Win2kadv server uses the TCP/IP DNS
tab Host and Domain fields as the basis for its DNS name. Mine are currently
not the same as the internal names; they are "made up" and I want it the same
way as I have it. Is this possible?

You and/or Ace said that I need a fully qualified domain name with
a suffix such as .net or .org or I will have trouble with the DNS
hierarchy.

Yes you will need to add a Top Level Domain name, it can be .net, .org, or
even .local. It does not need to be a registered domain name, you can choose
any TLD you want.

I do not run this way now; it works great as is, and I never had a
problem in 5 years using WinNT DNS. I would prefer to keep what I have.
Can I do it?

That is because NT4 does not use DNS for network connectivity or domain
authentication. You can use the same NetBIOS name, but you should use a
DNS-compatible name. If you use a single-label DNS name, it will cause you
many problems, some of which there is no fix for.



I want to upgrade WinNT to Win2kadv, totally replacing the old OS
on the same box, and have no difference. Will my clients still be able
to be domain authenticated with their same accounts to the new
installation?

Once you upgrade the NT4 to Win2k, if you do not have an NT4 BDC the NT4
domain will no longer exist. The NT4 domain accounts are converted to local
accounts on the Win2k server. Then you must DCPROMO the Win2k to create the
new Active Directory domain, which converts the now local accounts to Active
Directory domain accounts.
When you run DCPROMO you can then choose the NetBIOS name of the AD domain
and the DNS name of the AD domain. You can use the same NetBIOS name that
you have now; this is the name that will appear in Network Places. The DNS
name should be DNS compatible, with a multi-labeled name such as
"jewelconsulting.local".

This won't change anything (about logging in or their accounts) on the
clients, will it?

IIRC when I upgraded from NT4 to Win2k, users kept the same profiles and
desktops.

For instance, one time I converted one of my clients to a workgroup
membership from a domain membership. This got it a totally different desktop
and account where nothing was installed. I hope I don't have to go through
that, do I?

Like I said, it was a few years ago since I upgraded my domain, but I think
it migrated the accounts properly, at least it did on my Win2k clients, which
by the time I upgraded my server, is all I had.


I don't know the TCP/IP settings you have on your clients, but once you
upgrade your domain _all_ NICs on _all_ clients must use the local DNS
address. Do _not_ use your ISP's DNS or any other DNS on any NIC in any
position on any domain member, period. This includes the external NIC you
have on all your clients. The clients are not required to register in DNS,
and you certainly don't want your clients registering the external addresses
in DNS, but the DNS on the external NIC must be the internal DNS.
 
Dear Ace,

Here's an afterthought, but it did catch me once.

OK, I forgot to mention the way I'll work the multihomed problem.
I already tried this experimentally on a different box.

But essentially,
I'll remove the outside card before I upgrade,
so it only sees the inside domain.
Do the upgrade. Lie and say no internet.
After THAT'S working (with DNS),
THEN re-add the second (the outside) card
and let the Internet Connection Wizard set the new
connection up.
Presto. Basically.

It is nothing less than a mid-sized nightmare
to install with 2 cards intact in the first place, agreed,
because you have to jump through hoops with ICW
and disabling/re-enabling cards until Windows figures
out which card is for what. Add AD on top of that
and forget it, bye bye. You gotta take out AD and
start over. Forget that. Been there, done that.


James W. Long.

 
James, this was from January, 2004

Ace

----- Original Message -----
From: Ace Fekay [MVP]
Newsgroups:
microsoft.public.windows.server.dns,microsoft.public.windows.server.sbs
Sent: Tuesday, January 13, 2004 9:26 PM
Subject: Re: DNS, Single Label Domains and SBS2K3


In
Aaron said:
Firstly, I would HAVE to convince my boss that this is REALLY, REALLY
necessary.

Just to play devil's advocate here for a moment:

My Boss would say: Why re-install? Everything is working. The clients
are registering in local DNS (with registry hacks),
\\domain\sysvol\domain is accessible and group policies/scripts are
being applied to the clients, Web browsing/e-mail is working to the
outside world, VPN is working, Exchange is working, we can access all
our files, etc. Where is the need?

And I don't have a good argument to counter this, because it is true.
This is SBS, so there is no need to have access to other AD/DNS
servers for replication, zone transfers, etc. There are no forest, or
trees, just SBS. We're not running an external DNS that needs to be
RFC compliant (we use forwarders to the ISP for external resolution),
and we still have legacy O.S.'s (95/98 - actually legacy O.S.'s was
the reason our consultant gave for "maintaining" a single label
domain - funny thing is those legacy O.S.'s seem to work just fine on
my SBS testbed at home with "domain.lan" as my domain - go figure
huh).




But things do appear to be working. I need something to point to and
say:

"see it's SUPPOSED to do this, but because the DNS is BROKEN, it
ISN'T doing what it should be doing"

What is my SBS not doing that it should be?

I need convincing arguments (as much to convince myself as my boss -
this would be a really big deal to have to force the company to go
through this again so soon). I need some TEST to show /prove, that if
this isn't fixed "X" will be the result, and it ain't pretty if "X"
happens (i.e. the network will come to a total, screeching, train
wrecking halt)!


I don't like the fact that the domain is semi-broken, but I believe I
can live with it. I just really need to know what the downside
is/will be.

Any thoughts/arguments/recommendations greatly appreciated.


Aaron
Aaron,

This has been a real big issue lately. Here's a copy/paste of a recent
thread (just search back on single label name and a whole bunch of them will
turn up). But go ahead and read it, including (way below) a re-post from one
of the MS guys, Alan Wood, with the company's take on it. Excessive queries
to the ISC Root Servers, AD doesn't work correctly, etc etc etc.

The whole thing is basically caused by, with all due respect, not
properly planning or researching prior to your migration or upgrade.

/begin paste...
=================================
In
Joe said:
How do I rename my domain. I don't know how. I want to
rename my domain without modifying other configurations
like active directory.

Well, that's the whole thing. It's all about AD.

Instead of typing it all out again, check this post (below) from a recent
post I made. This is a common problem due to lack of proper pre-installation
planning and research into AD. Sorry to say that, with all due respect.

I hope it helps in understanding what is in front of you.
Begin:
=================================================


continued.....
This is a common problem lately. Many posts on it. Recently (yesterday) I
posted something similar that will apply to you. I copied/pasted it below.
Yes, The DC is Windows Server 2000 SP4.
And, yes, the computer in question is the only one having this issue.
And, no, when I ping our domain I get "Unknown host"

C:\>ping CREDENTALS
Unknown host CREDENTALS.

I have entered the two registry entries that were suggested in
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
in the DC now, although I have not had a chance to reboot that
machine yet. Once I do will this fix the "Unknown host CREDENTALS."
problem as well or could this all be very simply fixed by adding a
".com" to my domain?

-Scott Elgram

To ping a domain name, it would need the TLD suffix, since it will look
under the zone name for the (same as parent) record. If pinging a single
name, it will treat it as a host and may even suffix it with your Search
Suffix List, which in your case, based on your ipconfig, is "CREDENTIALS",
so it may be trying to ping credentials.credentials.

Ideally, it would be advised to rename the domain, either installing a new
domain in a new forest and migrate the users/groups/and computer accounts to
the new domain with ADMT. The user profiles will be translated to the new
domain user account on their workstations and will be automatically joined
to the new domain for you. This way you won't have to disjoin/rejoin the
machines in the domain and lose the user profiles. Once that's done, you can
trash the old DC and rebuild it as a new DC in the new existing domain you
created.

Single label domain names are problematic, at best. Certain clients, such as
XP may balk at it and cause additional errors since they have problems
querying single label name records in DNS.

--
Regards,
Ace



First of all, you can try using
http://support.microsoft.com/?id=300684
for a reg entry to force it to update. Need to do it on your clients too,
but XP won't work properly. You may still get problems with GPOs applying
since the GetGPOList function on the client side references the domain FQDN,
such as:
\\domain.com\sysvol\domain.COM\Policies
But when it tries to go to what you have, such as:
\\DOM\etc...
It perceives DOM as a host name, and may not resolve properly.

Here's my other post that may help in resolving this to help rename
it....Read the whole thing so you'll know what's involved.

==========================================
Ace Fekay,
If I were to just rename the domain from CREDENTALS to
CREDENTALS.net and disjoin all the affected workstations from
CREDENTALS and join it to CREDENTALS.net would it reset the user
profiles?

First, you can't just rename a domain, unless you're still in mixed mode
with an NT4 BDC still present. If still in mixed mode, you can add an NT4
BDC, trash the W2k DC, promote the NT4 BDC to a PDC, then manually set the
DNS Suffix in TCP/IP properties to the new domain name, credentials.net,
(which would be the name you choose for the AD DNS domain name, but keep the
NetBIOS domain name as CREDENTIALS for backward compatibility), then upgrade
it to a W2k DC. This way the machines that are still joined will still be
joined to the same domain.

Otherwise if the domain is in Native mode, you'll need to follow the ADMT
method I previously mentioned.

And no about disjoining and rejoining to the new domain with the old
profiles. When you manually rejoin, a new profile is created. You may find
that you can manually force the new profiles to use the old profile one
machine at a time, but I don't think that's what you want to do. ADMT will
do that for you.

Keep in mind you want to follow DNS naming methods. One thing I noticed is
you're using uppercase. It's not that it won't work, but to keep things
consistent with DNS RFCs (looks good too), name it credentials.net, not
CREDENTIALS.net.
From what I have read in researching this problem it sure does seem
that single label domains cause lots of problems and sometimes even
questionable and/or slow connections. But, likewise, I have also
read things that lead me to think migrating AD off CREDENTALS and
over to CREDENTALS.net could possibly cause more problems domain wide
than just the one machine I have now. If I ever have to set up a new
domain or rebuild the old one for some reason other than one machine
I'll definitely use the appropriate formatting (I wasn't the one who
set this up anyway, that guy quit). For now should the 2
registry entries discussed previously in
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
fix this problem for the one machine?

-Scott Elgram

If the domain is in mixed mode, it will be a lot easier for you. If not, the
ADMT will work, but I would read up on it first and test it. I can provide
links if needed. I've migrated quite a few domains and have to say it's the
easier method if the domain is presently in mixed mode. To find the present
mode, rt-click the domain name in ADUC, properties. Look at the bottom of
the general tab.

Also, Kevin has a big point about GPOs and how the GetGPOList function works
when a machine logs on and looks for the GPOs. That reg entry has to be made
system wide....

***************************************
***************************************
Here's a repost by Alan Wood from Microsoft describing the issue and
ramifications and the recommendations to rename it properly. I hope it helps
in understanding the issue at hand.

***************************************
***************************************
----- Original Message -----
From: "Alan Wood" [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS


Hi Roger,
We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you, but
the end result could be limiting depending on the services you are using.


Thank you,

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
****************************************

=================================
/end

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
James, inline...

James W. Long said:
Dear Ace:

I had a nice beer. Very good idea. Yes I did have a binding order
problem and you guys seriously helped me out with that,
Thank You very much again.

No problem...
I honestly _used_ to have some of those error messages at one time
about registering DNS on my client machines. but I solved that
in this manner.

in Win2000 (my client machines) I made these settings in the DNS tab
for ONLY the Inside cards.

1. unchecking "append primary and connection specific DNS suffix"
2. checking "append these DNS suffixes" and filling in jewelconsulting
3. adding jewelconsulting to "DNS suffix for this connection"
4. checking "Register this connection's addresses in DNS"
5. unchecking "Use this connections DNS suffix in DNS registration"

so now it's not dynamic, it just gets done on the client by default I think.


I think we're skewing terms here. Dynamic updates is a feature a DNS server
can perform. Clients aren't "dynamic". A Win2k or newer client will attempt
to register to the DNS address(es) in its properties. All of them. So if
you have your ISP's in there, it will try that too, unless you did what you
did above in step 5.

my clients are able to find the domain (jewelconsulting), the domain
server (jewelntserver) and (jewelntserver.jewelconsulting) via DNS running
on that NT server box, and those settings on their respective inside cards.

Win2k clients, correct? That's nice. But wait until you install XP or goto
Win2003.

You're probably already familiar with this having done it on all your
clients I believe:
826743 - Clients cannot dynamically register DNS records in a single-label
forward lookup zone:
http://support.microsoft.com/default.aspx?scid=kb;en-us;826743

The huge reason MS stopped single label registration is due to DNS not being
able to interpret the registration request because it believes you are
trying to register a TLD (Top Level Domain). Examples of a TLD are: com,
edu, mil, net, gov, etc. If you have one single name, then that's what it
thinks.

So guess what DNS does with a single name? It starts querying the 13 root
DNS servers on the Internet excessively trying to understand what the client
is asking for. After which those queries are exhausted only then does it
take the registration request for the client. ISC (the ones who govern the
Root servers) conducted a study. They determined that there is excessive
traffic coming from DNS servers that have single name registration requests.
They knew they weren't coming from BIND servers, since most BIND admins
understand DNS and its hierarchical naming structure and would never use
single names in their naming strategy.

They found out that all the requests were coming from MS DNS servers that
had a single name that it was trying to register. They consulted with MS on
this and MS discovered they were mostly from NT4 to W2k upgrades where the
admins were not properly naming their AD DNS domain names. Why? Who knows,
maybe lack of research, training, etc.

So Microsoft wanted to be a 'good Internet citizen' and, to help the ISC
reduce this excessive traffic, they stopped registration with Win 2000 SP4,
XP, and Win 2003. Here's an excerpt from an MS engineer in the newsgroups
outlining this:

Here, read this by a Microsoft engineer, Alan Wood, and why MS doesn't want
you to do this. Multiple engineers commented on this.


/begin repost:
***************************************
***************************************
***************************************

----- Original Message -----
From: "Alan Wood" [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS


Hi Roger,
We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you, but
the end result could be limiting depending on the services you are using.


Thank you,

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
****************************************
***************************************
***************************************

/end repost





The clients (and servers for that matter) OUTside cards get their
DNS server specified by the DHCP server of my ISP.
They never use the inside DNS server at all (for internet).
This is proven by the fact that my inside DNS server isn't even
UP half the time, and internet operates fine. So here are the
advantages of having multihomed machines.
A. I don't need the internet to have a lan.
B. I don't need a lan to have the internet.
C. All my clients and servers have domain level account and file
security on them which is definitely better than being single user
and belonging to the workgroup "workgroup" or "mshome".


The A & B things make no sense at all, and seem contradictory, sorry.
As for C, that's the advantage of a domain, among other things.

so I wonder if I will actually be ok. but hold on a sec for your
answer, I'm going to make the conditions even different yet. I like
to do the homework so I know how it will go and thank you for your
every word so far.



I did read this. I see the rules changed re 2000 svc pack 4.


Does this mean it applies to the _client_ or were they saying that
Microsoft changed the WAY DNS operates on a DNS server as of 2000
server, service pack 4? because if it's just in the clients then the
fixes I made above cover the dynamic DNS registration problem with
single label domains, (at least it works ok here, ) I think.


Microsoft never changed the way DNS works. It's designed based on the RFCs
that define DNS. No matter what DNS brand you use, they all follow the RFCs
(to an extent). Single label names do not follow the RFCs.

Yes, this applies TO ALL MACHINES.

I'm not trying to disagree with you, I'm just hoping to get what I
need.


No problem here. No argument. If it were an argument, the way I was taught
to conduct an argument (my Critical Thinking course was awesome!!), is to
have a premise based on facts, not hearsay or an appeal to emotion or the
masses. I'm just trying to present the facts to you here, based on my
experience and why the engineers DO NOT WANT YOU TO DO THIS.


Ok next let me ask you one more thing about w2kadv AD DNS.

it's possible to have a Domain Controller under win2kADV
running a DNS Server and possibly an inside Webserver that is
NOT AD integrated, correct?

Because I can't for the life of me come up with a good reason
why I would want my DNS or WEB server AD integrated, if it's only
for small inside DNS and small private webs available on the inside.
(actually I only need win2000 server I think)


I believe we're skewing terminology once again.

AD Integration just means that DNS is storing its zone data in the
physical Active Directory database. This database gets replicated to
other DCs. So the zone is available on other DCs: when you install DNS
on those other DCs and then create the zone, and then make the zone
AD Integrated, the zone data populates because it's pulling the data
from the AD database.

AD Integration benefits are with security and a multimaster feature. The AD
Integration option is only available on a DC. But if it were a public
web/DNS server, I wouldn't have a DC running it anyway. Internally, it's your
call.


As far as the topology is concerned, I know exactly what you say about
a router. Acknowledged and fully understood. I elect to keep the
current topology and am forewarned.


Ok, it's your network. As a design, it's something that isn't followed and as
you've already found out, additional administrative overhead. How many users
did you say you have?

So NOW, the question becomes, running a NON AD Integrated DNS Server
on this upgraded DC, if (IF!) my clients set up are ok, and IF I am
willing to put up with administrating multihomed boxes which I do very
well already, and my security has always been excellent,


Well, with all due respect, that's difficult to ascertain 100%.
One would always need an outsider to perform tests as an unbiased
player. Security is one of the things that I deal with and have seen
loopholes in numerous configurations.

NOW can I do an upgrade
and will it work or, the alternative being to rename my entire domain?


As for an upgrade and your available options, check out that other post.


I am not trying to be difficult. honest. I am just looking for the way
to upgrade my PDC and BDC to 2000 and for all intents and purposes
have the domain and clients remain intact as they are. I am willing
to make changes but I hope not as drastic as renaming the domain
or is that easy?

let's say you say yes, it can work but it won't be easy. NP. my very
first question remains about the tcpip hostname and domain being
something like "dynamic.ip" on my NT server. I see no way to accomplish
this in the 2000 server tcpip properties like you could on Win NT unless
one enters it into the 2000 server registry under
HKLM\ccs\services\tcpip\parameters is my best guess.


James, that's actually done by rt-clicking My Computer, choose
properties, then choose Network ID tab, properties, "more'. If it's
joined to the domain, it will automatically take the name of the
domain its joined to.
Thank you for reading all that and for your help in advance,
James W. Long.


No problem. I'm just trying to help you understand what's really going
on behind the scenes. It's your choice if you want to keep what you
have.

For your benefit, I'm going to repost a long post from a previous
thread from about 6 months ago. You'll see it in reply to the post
I'm replying here with.

Now honestly, I would like to sit down and have a beer and discuss the
Eagles or something else sometimes....
:-)




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
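Two points Ace and Alan Wood make above are easy to see in a small model: the resolver devolves the primary DNS suffix only down to its last two labels (so a client in Child2.child1.domainA never tries Host.domainA), and a single-label name like jewelconsulting can only be answered by a server that hosts that zone; any other server, such as the ISP's on James's outside NICs, has to ask the Internet root hints whether a TLD of that name exists. The code below is an added illustration written for this thread, not code from the posts, from Microsoft or from any Windows component; the two-label devolution floor and the domain names come from the thread, the function names and the simple zone-matching rule are my own assumptions.

```python
"""
Model of (1) Windows DNS client suffix devolution for a single-label name
and (2) whether a given DNS server can answer the resulting query from its
own zones or must go to forwarders / root hints.

Constructed example for illustration; not Microsoft code.  The devolution
floor of two labels follows Alan Wood's post ("We only go to the LAST 2
Domain Names").  Zone matching is a plain suffix comparison (assumption).
"""
from __future__ import annotations

DEVOLUTION_FLOOR = 2  # the resolver never devolves below the last two labels


def qualify(name: str, primary_suffix: str) -> list[str]:
    """Return the FQDNs the resolver tries, in order, for `name`.

    A name that already contains a dot is tried as typed.  A single-label
    name first gets the full primary DNS suffix appended; then one leading
    label of the suffix is dropped at a time until fewer than
    DEVOLUTION_FLOOR labels would remain.
    """
    name = name.lower()
    if "." in name:
        return [name]
    labels = [lbl for lbl in primary_suffix.lower().split(".") if lbl]
    if not labels:
        return [name]
    candidates = [f"{name}.{'.'.join(labels)}"]
    labels = labels[1:]
    while len(labels) >= DEVOLUTION_FLOOR:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def query_path(fqdn: str, local_zones: set[str]) -> str:
    """Classify where a query for `fqdn` gets answered by a given server.

    'local'      : the server hosts a zone containing the name, so the answer
                   (a record or NXDOMAIN) comes from its own data.
    'root-hints' : no hosted zone matches; a server without a forwarder walks
                   the Internet root hints.  For a two-label candidate such as
                   jewelntserver.jewelconsulting that means asking the root
                   servers for a TLD called "jewelconsulting", which is the
                   excess root traffic the ISC study measured.
    """
    fqdn = fqdn.lower().rstrip(".")
    for zone in local_zones:
        zone = zone.lower().rstrip(".")
        if fqdn == zone or fqdn.endswith("." + zone):
            return "local"
    return "root-hints"


def trace(name: str, primary_suffix: str,
          local_zones: set[str]) -> list[tuple[str, str]]:
    """Pair each candidate FQDN with where its query would be answered."""
    return [(c, query_path(c, local_zones)) for c in qualify(name, primary_suffix)]


if __name__ == "__main__":
    # Alan Wood's forest: single-label root "domainA" plus two child domains.
    # The client in Child2 stops after Host.child1.domainA; Host.domainA is
    # never tried, so \\host from Child2 fails.
    print(qualify("Host", "Child2.child1.domainA"))
    # With a real FQDN the same client does reach the forest root domain.
    print(qualify("Host", "Child2.child1.domainA.com"))
    # Scott's "ping CREDENTALS": suffixed to credentals.credentials and answered
    # (NXDOMAIN, "Unknown host") by the DC hosting the CREDENTIALS zone.
    for cand, where in trace("CREDENTALS", "CREDENTIALS", {"credentials"}):
        print(f"{cand:45} {where}")
    # James's outside NICs point at the ISP's DNS, which hosts no internal zone:
    # the same lookup there walks the root hints for a non-existent TLD.
    for cand, where in trace("jewelntserver", "jewelconsulting", set()):
        print(f"{cand:45} {where}")
```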
 
"Ace Fekay [MVP]"
James, inline...

Dear Ace:

Thanks for your help, I have been learning a lot.

I newly installed an available box with w2kadv with svc pak4 slipped.
first nic is static ip on intranet lan.
created disjointed domain name: bean.
created server name jelly. netbios name jelly.
created an AD DNS DC out of it. (jelly.bean)
then added a second nic card making it multihomed.
the 2nd nic is dhcp, connected via hub to cable modem. (direct).
pointed DNS on the 2nd nic to the ip of jelly.bean.
killed the (.) root domain in DNS.
came up fresh.

I ran this test using network monitor to examine ethernet traffic on the
DHCP enabled 2nd nic which is connected to the internet.
This way I can see what really goes out and what stays in.

1. ipconfig/renew-> causes {reverse-ip.arpa} to go to external DNS.
2. ping jelly-> does not cause DNS to go external to resolve.
3. ping jelly.bean -> does not cause DNS to go external to resolve.
4. ping yahoo.com -> goes to external DNS to resolve.
5. ping microsoft.com -> goes to external dns to resolve.
6. ping bootdisks.com -> goes to external dns to resolve.
7. ping (a different internal client) -> goes to external DNS to resolve
only the first time.


Just so I am totally sure I understand the problem could you
please indicate where the problem is here.
I have read everything you presented.
Thank you
James W. Long
 
James W. Long said:
"Ace Fekay [MVP]"


Dear Ace:

Thanks for your help, I have been learning a lot.

I newly installed an available box with w2kadv with svc pak4 slipped.
first nic is static ip on intranet lan.
created disjointed domain name: bean.
created server name jelly. netbios name jelly.
created an AD DNS DC out of it. (jelly.bean)
then added a second nic card making it multihomed.
the 2nd nic is dhcp, connected via hub to cable modem. (direct).
pointed DNS on the 2nd nic to the ip of jelly.bean.
killed the (.) root domain in DNS.
came up fresh.

I ran this test using network monitor to examine ethernet traffic on
the DHCP enabled 2nd nic which is connected to the internet.
This way I can see what really goes out and what stays in.

1. ipconfig/renew-> causes {reverse-ip.arpa} to go to external DNS.
2. ping jelly-> does not cause DNS to go external to resolve.
3. ping jelly.bean -> does not cause DNS to go external to resolve.
4. ping yahoo.com -> goes to external DNS to resolve.
5. ping microsoft.com -> goes to external dns to resolve.
6. ping bootdisks.com -> goes to external dns to resolve.
7. ping (a different internal client) -> goes to external DNS to
resolve only the first time.


Just so I am totally sure I understand the problem could you
please indicate where the problem is here.
I have read everything you presented.
Thank you
James W. Long


Hi James,

Try looking at registration traffic. According to the studies, it's
registration traffic.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
inline....


"Ace Fekay [MVP]"


Hi James,

Try looking at registration traffic. According to the studies, it's
registration traffic.


If I am not wrong and please correct me, step 1 was a dns registration
to my isp. this would also happen normally
(without typing the manual ipconfig/renew command)
during bootup as part of a normal boot sequence to acquire an address
and dns servers ips. yes?
 
James W. Long said:
If I am not wrong and please correct me, step 1 was a dns registration
to my isp. this would also happen normally
(without typing the manual ipconfig/renew command)
during bootup as part of a normal boot sequence to acquire an address
and dns servers ips. yes?

No, step 1 is just a DHCP renewal request. I'm talking about DNS Dynamic
Updates, when you type in:
ipconfig /registerdns

This also happens automatically with AD when Dynamic Updates occur every 60
min with W2k AD DCs, and every 24 hours with W2k3 AD DCs.

James, do not forget GPO applications. Remember how the clientside
extensions ferret out the GPOs. This fails with single label names. We've
tried different ways to fake it out with search suffixes, etc, but doesn't
work.

I'm not sure why, but you seem very adamant about keeping the single label
name. Is my assumption correct?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Ace ,inline...

"Ace Fekay [MVP]"

No, step 1 is just a DHCP renewal request. I'm talking about DNS Dynamic
Updates, when you type in:
ipconfig /registerdns

This also happens automatically with AD when Dynamic Updates occur every 60
min with W2k AD DCs, and every 24 hours with W2k3 AD DCs.

James, do not forget GPO applications. Remember how the clientside
extensions ferret out the GPOs. This fails with single label names. We've
tried different ways to fake it out with search suffixes, etc, but doesn't
work.

Ok, I'm following, yes I see the difference in pathed accesses.

setting the gpo problem aside for a just a moment....
and understanding that gpos become broken this way,

when dynamic updates are done on the server end, this would cause
hklm\system\ccs\services\tcpip\parameters\DNSRegisteredAdapters
to be refreshed/repopulated again? Causing all those DNS queries
for each host to happen again periodically? maybe I have the wrong specific
key. maybe AD has a key similar to this one that maintains its list?

this dynamic update would make available to AD DNS the names
of each host {card} that appeared
in that list, so that DNS would handle them first before netbios?
or at least DNS would know them, regardless of the search order?

could I go to the properties of the forward zones in the dns manager
and turn dynamic updates off and this causes that to not happen anymore?
is that the same thing as we have been talking about all along,
i.e. an ipconfig/registerdns?





I have a question about an odd DNS/netbios behavior I saw in that last test.
It's about step 7:

7. ping (a different internal client) -> goes to external DNS to resolve,
only the first time. it's cached after that.

I pinged hal9000 which is a w2k machine and a member of the
jewelconsulting domain from jelly.bean, a w2kadv DC DNS server.
Both share the same physical ethernet network.
Both are in the same exact 10 subnet. I thought that netbios
should have resolved the name hal9000 before DNS did.

Instead, jelly.bean went all the way thru DNS out to the internet
to attempt to resolve hal9000, before deciding hal9000 is actually local.

There is something really wrong with that behavior,
netbios should have resolved first, the query should never
go outside to resolve in the first place, how do I fix it?
is it because the two machines are in different domains?



I'm not sure why, but you seem very adamant about keeping the single label
name. Is my assumption correct?

for my lan, me, here, Yes. in this case. otherwise I would set it up and/or
upgrade it suffixed.


Thanks,
James W. Long
 
Ok, I'm following, yes I see the difference in pathed accesses.

setting the gpo problem aside for a just a moment....
and understanding that gpos become broken this way,

when dynamic updates are done on the server end, this would cause
hklm\system\ccs\services\tcpip\parameters\DNSRegisteredAdapters
to be refreshed/repopulated again? Causing all those DNS queries
for each host to happen again periodically? maybe I have the wrong
specific key. maybe AD has a key similar to this one that maintains
its list?

It's actually the Netlogon service key.
this dynamic update would make available to AD DNS the names
of each host {card} that appeared
in that list,

Actually it gets the name to register into from the Primary DNS Suffix. If
the suffix is incorrectly spelled or different than the actual AD domain
name, then it's called a disjointed namespace and it will not register.
so that DNS would handle them first before netbios?

NetBIOS has NOTHING TO DO WITH AD.

or at least DNS would know them, regardless of the search order?

could I go to the properties of the forward zones in the dns manager
and turn dynamic updates off and this causes that to not happen
anymore?

You're still trying to fight it.....
is that the same thing as we have been talking about all along,
i.e. an ipconfig/registerdns?

That command is the manual registration of the host record ONLY. Not the
AD's required SRV records that Netlogon registers, which causes the issue.

I have a question about an odd DNS/netbios behavior I saw in that
last test. It's about step 7:

7. ping (a different internal client) -> goes to external DNS to
resolve, only the first time. it's cached after that.

Sure, that's the way it does it.


I pinged hal9000 which is a w2k machine and a member of the
jewelconsulting domain from jelly.bean, a w2kadv DC DNS server.
Both share the same physical ethernet network.
Both are in the same exact 10 subnet. I thought that netbios
should have resolved the name hal9000 before DNS did.


Nope. W2k and newer use the HOSTS method FIRST. Then NetBIOS.


Instead, jelly.bean went all the way thru DNS out to the internet
to attempt to resolve hal9000, before deciding hal9000 is actually
local.

There you go. There's another example of the single label issue. The DNS
client side resolver will suffix the search suffix to the name in the ping.
If it's a single label name.... (nuf said).
There is something really wrong with that behavior,
netbios should have resolved first,

NO NO NO. Legacy -> Yes, W2k and newer, NO.

the query should never
go outside to resolve in the first place, how do I fix it?
is it because the two machines are in different domains?


Here's the old:
172218 - Microsoft TCP-IP Host Name Resolution Order:
http://support.microsoft.com/default.aspx?scid=kb;en-us;172218

250662 - Description of the TCP-IP Registry Entries in the
MSTCPServiceProvider Subkey:
http://support.microsoft.com/default.aspx?scid=kb;en-us;250662

I wouldn't really suggest to change these. But go for it! You seem to have
the spirit to try new things.

for my lan, me, here, Yes. in this case. otherwise I would set it up
and/or upgrade it suffixed.

It's your network!
Thanks,
James W. Long


Cheers!

Ace
 
Dear Ace:

Thank you again for your excellent advice.

Ok. to upgrade my nt4 server, I do what? correct me if I miss something.

get all my clients and servers up, the pdc and bdc, the clients.
set the DNS hostname in tcpip properties to jewelntserver on the nt4 pdc
set the DNS domain in tcpip properties to jewelconsulting.org on the nt4 pdc
slap in the w2kadv cd on the nt4 pdc
tell it I want to upgrade right over nt4
it reboots and it installs w2kadv but its not a DC yet.
im a new forest
w2k mode not backwards compliant
set the computer netbios name to jewelntserver.
set the netbios domain name as jewelconsulting
(does this new upgrade take on the same SID?)

I do a dcpromo
questions about DNS server:
do I fix up my dns or does the AD install?
from jewelconsulting domain to jewelconsulting.org
(does it read my old nt4 dns files?)

I'm not keeping my nt4 BDC as a NT4 BDC so I
take that offline when?

Then the clients.
something about ADMT? not sure.


Thanks
James W. Long



"Ace Fekay [MVP]"
 
James W. Long said:
Dear Ace:

Thank you again for your excellent advice.

Ok. to upgrade my nt4 server, I do what? correct me if I miss
something.

get all my clients and servers up, the pdc and bdc, the clients.
set the DNS hostname in tcpip properties to jewelntserver on the nt4
pdc set the DNS domain in tcpip properties to jewelconsulting.org on

Excellent choice!! :-)
the nt4 pdc slap in the w2kadv cd on the nt4 pdc
tell it I want to upgrade right over nt4
it reboots and it installs w2kadv but its not a DC yet.

The next step is when dcpromo runs...
im a new forest
w2k mode not backwards compliant

Yes, as long as you don't have any more NT4 domain controllers.
set the computer netbios name to jewelntserver.
set the netbios domain name as jewelconsulting
(does this new upgrade take on the same SID?)

Nope, SID remains the same.
I do a dcpromo

Well, if you're running an upgrade, that's automatic. You can test it (and
actually better to do it this way) by creating a BDC in your domain, take
your current PDC offline, promote the BDC to the PDC, and upgrade that. If
any problems, just trash the box and start over again.

questions about DNS server:
do I fix up my dns or does the AD install?

Dcpromo will upgrade DNS for you if already installed. So set it up now.

from jewelconsulting domain to jewelconsulting.org
(does it read my old nt4 dns files?)

No, dcpromo will create a new zone for your new domain. You can also do it
beforehand. Take the text file, and change the references to the new name,
then create the new zone and tell it to use the new text file.
I'm not keeping my nt4 BDC as a NT4 BDC so I
take that offline when?

See, if you have this BDC, you need to stay in mixed mode. If everything
works, trash it (unplug it, etc). If in Mixed mode, change it to Native.
Then the clients.
something about ADMT? not sure.

Not required in an "upgrade".
Thanks
James W. Long

Cheers!


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
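The zone-file edit Ace describes above (take the NT4 DNS text file, change the references to the new name, then create the new zone from it) is easy to get wrong by hand, because the single-label name appears in the SOA, NS and CNAME records as an absolute name while the A records and IP addresses must not change. The script below is example code added to this thread, not from the participants or from Microsoft. The sample zone, its hostnames and addresses are constructed for the example, and the file location under %SystemRoot%\system32\dns is assumed to match the NT4 default; the counting function lets you confirm that no absolute reference to the old name survives before you hand the file to dcpromo.

```python
"""Rewrite a BIND-style NT4 DNS zone text file for a new DNS domain name.

Example code added to the thread (not the poster's or Microsoft's). Only
absolute names that end in "<old>." are rewritten; relative host labels,
IP addresses and comment lines are left untouched.
"""
import re
import sys

OLD_DOMAIN = "jewelconsulting"       # NT4 single-label zone name from the thread
NEW_DOMAIN = "jewelconsulting.org"   # AD DNS name the poster chose

# Constructed sample zone in the text format NT4 DNS keeps in
# %SystemRoot%\system32\dns\<zone>.dns (assumed default path; values made up).
SAMPLE_ZONE = """\
;  Database file jewelconsulting.dns for jewelconsulting zone.
@                 IN  SOA   jewelntserver.jewelconsulting. admin.jewelconsulting. (
                      42 3600 600 86400 3600 )
@                 IN  NS    jewelntserver.jewelconsulting.
@                 IN  NS    littlehal.jewelconsulting.
jewelntserver     IN  A     10.0.0.1
littlehal         IN  A     10.0.0.2
www               IN  CNAME jewelntserver.jewelconsulting.
"""


def _absolute_name(domain):
    # "<domain>." delimited by non-name characters on both sides, so that
    # "jewelconsulting.dns" or a longer label containing the name is not hit.
    return re.compile(r"(?<![\w-])" + re.escape(domain) + r"\.(?![\w-])")


def _is_comment(line):
    return line.lstrip().startswith(";")


def rename_domain(zone_text, old=OLD_DOMAIN, new=NEW_DOMAIN):
    """Return (rewritten_text, replacement_count)."""
    pattern = _absolute_name(old)
    out, total = [], 0
    for line in zone_text.splitlines(keepends=True):
        if _is_comment(line):
            out.append(line)          # comments are left as documentation
            continue
        line, n = pattern.subn(new + ".", line)
        total += n
        out.append(line)
    return "".join(out), total


def absolute_references(zone_text, domain):
    """Count absolute names ending in '<domain>.' outside comment lines.

    Use it after rewriting: the old name must count 0 and the new name
    must account for every SOA/NS/CNAME target you expect.
    """
    pattern = _absolute_name(domain)
    return sum(len(pattern.findall(line))
               for line in zone_text.splitlines() if not _is_comment(line))


def rewrite_zone_file(src_path, dst_path, old=OLD_DOMAIN, new=NEW_DOMAIN):
    """Read src_path, write the renamed zone to dst_path, return the count."""
    with open(src_path, encoding="ascii") as fh:
        text, count = rename_domain(fh.read(), old, new)
    if absolute_references(text, old) != 0:
        raise ValueError("old domain still referenced after rewrite")
    with open(dst_path, "w", encoding="ascii") as fh:
        fh.write(text)
    return count


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python rename_zone.py jewelconsulting.dns jewelconsulting.org.dns
        print(rewrite_zone_file(sys.argv[1], sys.argv[2]), "references rewritten")
    else:
        new_text, count = rename_domain(SAMPLE_ZONE)
        print(new_text)
        print(count, "references rewritten;",
              absolute_references(new_text, OLD_DOMAIN), "old ones remain")
```

Run it with the two file names to rewrite a real zone file, or with no arguments to see the constructed sample transformed. The A records keep their relative labels, so the hosts resolve under the new zone name without any change to the addresses.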
 
Dear Ace,


Thanks, need a bit more help, and a couple more questions, then I'm ready,


I don't know how to promote an NT BDC to a PDC, never did that,
could you point me to that one? Thanks.


if I have IIS4 on the nt4 pdc and I do not even want it present
after the upgrade, I should remove it from the NT PDC first, I assume?

for test,
I take my NT PDC (jewelntserver) offline then promote the bdc who is named
littlehal,
would I have to reconfig DNS on the promoted BDC as the PDC's hostname
(jewelntserver)?
should I dcpromo the promoted bdc's name to the same name as my pdc
(jewelntserver) ?
or just leave it all as littlehal? does this even matter in terms of when I
ultimately
upgrade the REAL bdc or not?


also, I wonder if, just to make things more difficult, when upgrading the
REAL NT4 pdc,
is it possible to rename the PDC during upgrade by changing its netbios/host
name
during dcpromo and get all that straight in dns tcpip properties and
DNS beforehand?

Ready at last.

Thank You,
James W. Long



"Ace Fekay [MVP]"
In

Excellent choice!! :-)


The next step is when dcpromo runs...


Yes, as long as you don't have any more NT4 domain controllers.


Nope, SID remains the same.


Well, if you're running an upgrade, that's automatic. You can test it (and
actually better to do it this way) by creating a BDC in your domain, take
your current PDC offline, promote the BDC to the PDC, and upgrade that. If
any problems, just trash the box and start over again.



Dcpromo will upgrade DNS for you if already installed. So set it up now.



No, dcpromo will create a new zone for your new domain. You can also do it
beforehand. Take the text file, and change the references to the new name,
then create the new zone and tell it to use the new text file.

don't forget to delete the root domain (.)
 
In
James W. Long said:
Dear Ace,


Thanks, need a bit more help, and a couple more questions, then I'm ready,


I don't know how to promote an NT BDC to a PDC, never did that,
could you point me to that one? Thanks.

It's done thru Server Manager. Make sure the PDC is offline when you do it.

if I have IIS4 on the nt4 pdc and I do not even want it present
after the upgrade, I should remove it from the NT PDC first, I assume?

Yes and no, your call.
for test,
I take my NT PDC (jewelntserver) offline then promote the bdc who is
named littlehal,
would I have to reconfig DNS on the promoted BDC as the PDC's hostname
(jewelntserver)?
Yes.

should I dcpromo the promoted bdc's name to the same name as my pdc
(jewelntserver) ?

No, need to use the same computer name. Later you can kill the other
machine, reformat it, name it jewelntserver, and then promote it as an
additional DC in the domain, then demote the original one if you don't want
it. It's suggested to have a minimum of two DCs in a domain.

or just leave it all as littlehal? does this even matter in terms of
when I ultimately
upgrade the REAL bdc or not?

Nope, no matter.

also, I wonder if, just to make things more difficult, when upgrading
the REAL NT4 pdc,
is it possible to rename the PDC during upgrade by changing its
netbios/host name

Nope. Have to settle on a name first.

during dcpromo and get all that straight in dns tcpip properties
and DNS beforehand?
YES.



Ready at last.

Thank You,
James W. Long

Here's a little reading...
HOW TO: Upgrade a Windows NT 4.0-Based PDC to a Windows 2000-Based Domain
Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;296480



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 