Herb,
Thanks for the reply.
A few things: -
Do they have their DNS name configured in the SYSTEM CONTROL
panel? (Don't depend on trying to override this on the NIC, but rather
set the System computer name properties.)
Make sure they use ONLY the INTERNAL DNS (don't try to mix
the ISPs DNS server.)
They do have their names configured in the system control panel, the
settings on the NIC are untouched (as you say they are configured correctly
for most instances by default). What I failed to mention earlier was that
we also have a single label domain name which really confounds our miseries
further!! I have thought about tackling this and have downloaded MS KBs on
the subject of domain renaming but wouldn't fancy trying it without some
consultation on the likelihood of it screwing up our network completely.
Have you got first hand experience of attempting this?
Fine. Maybe not best use of your time. Is there just one WINS
Server? Usually the entries only get left (after cleanup) if you have
more than one WINS server (or had one that disappeared.)
There used to be a different WINS server on the network before a new DC was
installed 2 years ago. The old DC was demoted and is now a member server.
WINS is no longer configured on this server. Replication of anything (can you
replicate WINS like DNS?) does not take place on our network, are we being
naive thinking that if DNS isn't functioning properly then we don't really need
to have a back up system in place?
I don't live in the US, I'm here in sunny Britain but I would like to take you
up on your offer, you're obviously very enthusiastic about your work so your
knowledge will be invaluable to me. Many thanks for the offer
Upon further investigation, it seems that only 2000 clients are registering
in DNS, XP clients don't seem to (see example below)
Netdiag on the DC: -
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Rougemont\PLATO
Starting test: Connectivity
......................... PLATO passed test Connectivity
Doing primary tests
Testing server: Rougemont\PLATO
Starting test: Replications
......................... PLATO passed test Replications
Starting test: NCSecDesc
......................... PLATO passed test NCSecDesc
Starting test: NetLogons
......................... PLATO passed test NetLogons
Starting test: Advertising
......................... PLATO passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PLATO passed test KnowsOfRoleHolders
Starting test: RidManager
......................... PLATO passed test RidManager
Starting test: MachineAccount
......................... PLATO passed test MachineAccount
Starting test: Services
......................... PLATO passed test Services
Starting test: ObjectsReplicated
......................... PLATO passed test ObjectsReplicated
Starting test: frssysvol
......................... PLATO passed test frssysvol
Starting test: frsevent
......................... PLATO passed test frsevent
Starting test: kccevent
......................... PLATO passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 12/13/2005 21:01:31
(Event String could not be retrieved)
......................... PLATO failed test systemlog
Starting test: VerifyReferences
......................... PLATO passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : rougemont
Starting test: CrossRefValidation
......................... rougemont passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... rougemont passed test CheckSDRefDom
Running enterprise tests on : rougemont
Starting test: Intersite
......................... rougemont passed test Intersite
Starting test: FsmoCheck
......................... rougemont passed test FsmoCheck
Netdiag on a sample non-registering XP client
........................................
Computer Name: BQR1
DNS Host Name: BQR1.rougemont
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB893803v2
KB898461
Q147222
Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it
has not received any packets.
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : BQR1.rougemont
IP Address . . . . . . . . : 10.0.10.54
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.0.0.2
Primary WINS Server. . . . : 10.0.0.3
Dns Servers. . . . . . . . : 10.0.0.3
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{C010AE27-A5BF-4E33-B64F-60FF08B13C43}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'BQR1.rougemont.'. [RCODE_SERVER_FAILURE]
The name 'BQR1.rougemont.' may not be registered in DNS.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{C010AE27-A5BF-4E33-B64F-60FF08B13C43}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{C010AE27-A5BF-4E33-B64F-60FF08B13C43}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'ROUGEMONT' is to '\\plato.rougemont'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information
The command completed successfully
I can see the failure there, but what's the fix?
Hope you can help me out
Cheers
Sambo
Herb Martin said:
Sambo said:
All clients are configured to automatically register theirself in DNS but
this doesn't seem to work.
Configured how? They do that by default.
Do they have their DNS name configured in the SYSTEM CONTROL
panel? (Don't depend on trying to override this on the NIC, but rather
set the System computer name properties.)
Make sure they use ONLY the INTERNAL DNS (don't try to mix
the ISPs DNS server.)
Thanks for all your comments Herb, I don't know a great deal about VLANs
apart from that they are used here to separate the curriculum network and
the admin network.
VLANs are conceptually just TWO SUBNETS separated by a ROUTER.
VLAN switches just let you 'custom configure' which machines/legs are
on the same VLAN (single subnet) and which must be routed.
I've been told that this is futile anyway because it has 2
NICs so both networks can access it directly - is this true?
"This...futile" -- what "this"?
It may be unnecessary to have the server on "both nets" directly.
(Sometimes there are reasons for that however.)
It is not something that is ALWAYS required. Since all of the
things you need to do (AD Domain, DNS clients servers etc.)
can be routed from one VLAN to the other through the switch.
Do you know of anywhere where I can get up to speed on this issue? I would
be very grateful if you could let me know.
Well, you could attend my class but I suspect you are outside the
US -- and I don't have another class until late January anyway.
Also, I do FREE mentoring for MCSE self-study -- email me
privately from if you wish help with that.
Other than that, you can keep asking questions here and use the
BUILT-IN HELP plus searching at Microsoft A LOT.
We'll help. Just ask.
In terms of the WINS situation, I don't mind not fixing it, I'm just trying
to get our systems back in some sort of order, I'll go through them and
manually delete any old entries.
Fine. Maybe not best use of your time. Is there just one WINS
Server? Usually the entries only get left (after cleanup) if you have
more than one WINS server (or had one that disappeared.)
So would you agree that creating manual A records may be the way to go?
Not particularly. I will agree it will work. But it is generally
a lot of unnecessary work and chances are that you have some
other problem that it will just cover up.
Doesn't DHCP impact on this in terms of IP addresses changing after the
lease expires and not updating the DNS record accordingly?
Perhaps -- if DHCP is doing the DNS registration.
Not for WINS. And not if the clients register themselves.
In regards to the MCSE, I started that about 18 months ago at great expense
(I paid about £1,200 British pounds for the Win2k version) and I now seem
to be in limbo.....I can't decide whether to go for it now or upgrade to XP
and start over. Any suggestions?
If you haven't completed any (many) exams you should just do the
Win2003 with XP.
Run DCDiag on every DC. Report (here) by pasting the TEXT or fix any
errors.
Run NetDIAG on a few (representative) clients that are not registering
in DNS properly.
Reasons they won't register:
1) Not using STRICTLY the internal (dynamic) DNS server (set)
2) Not set with their DOMAIN name correctly (where would they register)
3) DNS server not dynamic
4) Client not authenticated if you use "Secure only"
(due usually to DC or client not using DNS correctly)
5) DHCP server trying to register FOR the clients with similar problems
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Herb Martin said:
Hello,
I hope someone out there will find the time to help me!
Our school has a Windows 2003 domain controller that is multihomed as it
services 2 VLAN'ed networks. I know that this is a bad start, but I'm
trying to get the powers that be to pay to have this rectified.
Just fix it. It can service more than one VLAN as long as you
(the switch) routes between them.
As you can expect, we do have various DNS issues and our event viewer is
full of DNS errors about the DC trying to register its own IP and failing
to do so etc. Our last IT technician has left the school and we are trying
to do what we can in house (I am the IT lecturer and have some skills as I
used to work in the IT industry but I'm a bit rusty to say the least!) so I
have a few questions for you all.
You probably should get your MCSE -- it won't make you
an expert but it will guarantee a certain minimum of knowledge,
and after all, you are one of the teachers.
Firstly, what is the correct way to go about taking a client off a domain.
Is it ok to just place it into a workgroup?
Yes, but you should also delete the computer account from
the domain.
One wonders WHY you want to remove a client though...
Secondly, when renaming a domain client, should the client be put into a
work group, renamed and then put back on the domain? (These are all Win2k
and XP clients)
Generally not necessary if your authentication is working
correctly. And not a good idea since it recreates the computer's
SID (security ID.) Recreating a computer SID is not as bad as
doing that for a user but can matter in modern Windows domains.
Thirdly, our DNS forward lookup zone hardly has any registered clients in
it. I presume this is from multihoming the DC, but is there a way to remedy
this?
Make sure that dynamic updates are allowed, that all clients are
properly authenticating. Generally the latter is through making them
all domain computers (joining them to the domain) AND making
sure they use ONLY the internal DNS server on their NICs. (See
below "DNS for AD".)
Maybe by manually creating A records for each client?
This always works, but dynamic registration is easier, and since
you need that for the DCs anyway it might as well be used.
Our 2 reverse lookup zones (for the 2 different networks) are fully
populated as far as I can see...is this true to form on a multihomed DC?
Reverse zones are generally (largely) irrelevant except perhaps for
public Email (SMTP) servers.
Next, the WINS database, even after scavenging, is full of entries/records
(about 1850 in total, most of them released/tombstoned). We have about 250
clients in the school, surely this isn't right?
Sure it may well be since clients that register and don't get removed
(tombstoned) can add to the database.
This number of registrations is no big deal for a WINS server.
Either manually clean it up or don't worry about it unless you
identify some real problem.
Some records in there are from old clients and even some ghost images
created over a year ago.....I don't want to blame our old technician but is
this bad management on his behalf?
Maybe -- maybe not.
I know that WINS is pretty much just turned on and it works without too
much configuration, am I able to just start WINS from scratch to see if it
helps?
Why mess with it if it's working?
Also we have problems with some group policies (especially assigning
applications). Do you think that any of the above problems could be the
root cause of their failings?
DNS must be correct for authentication and (perhaps) for downloading
software (assignments).
Sorry about the long post, hopefully someone out there will help me!!
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or
indirectly)
netdiag /fix
....or maybe:
dcdiag /fix
(Win2003 can do this from Support tools):
nltest /dsregdns /server
C-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Cheers
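Herb's checklist (internal-only DNS servers, a proper multi-label DNS suffix, and netdiag's own verdict on registration) applied to the client netdiag capture from the thread, as an added Python example that is not from either poster. The internal network 10.0.0.0/16 is taken from the client's IP and subnet mask above; the function names, the trimmed sample text and the 198.51.100.53 "ISP resolver" used in the usage note are my own constructions.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the netdiag output quoted in the thread.
NETDIAG_SAMPLE = """\
    Host Name. . . . . . . . . : BQR1.rougemont
    IP Address . . . . . . . . : 10.0.10.54
    Subnet Mask. . . . . . . . : 255.255.0.0
    Dns Servers. . . . . . . . : 10.0.0.3
DNS test . . . . . . . . . . . . . : Passed
    [WARNING] Cannot find a primary authoritative DNS server for the name
    'BQR1.rougemont.'. [RCODE_SERVER_FAILURE]
    The name 'BQR1.rougemont.' may not be registered in DNS.
"""

# "Label. . . . : value" lines; the dots are netdiag's column padding.
FIELD = re.compile(r"^\s*([A-Za-z ]+?)[ .]*: (.+)$")

def parse_netdiag(text):
    """Split netdiag output into {label: value} fields and the free text
    (warnings and their continuation lines) that sits between them."""
    fields, notes = {}, []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
        elif line.strip():
            notes.append(line.strip())
    return fields, " ".join(notes)

def check_registration(fields, notes, internal_nets):
    """Apply the checklist from the thread: DNS servers must be internal only,
    the DNS suffix should not be a single label (the 'rougemont' problem),
    and netdiag's own verdict on whether the host name made it into the zone."""
    findings = []
    suffix = fields.get("Host Name", "").split(".", 1)[1:]  # [] if no suffix
    if len(suffix) == 0 or "." not in suffix[0]:
        findings.append("single-label or missing DNS suffix: %r" % "".join(suffix))
    for srv in fields.get("Dns Servers", "").split():
        if not any(ipaddress.ip_address(srv) in net for net in internal_nets):
            findings.append("DNS server outside the internal networks: %s" % srv)
    if "may not be registered in DNS" in notes:
        findings.append("netdiag reports the host name is not registered")
    return findings

def audit(text, internal_nets=("10.0.0.0/16",)):
    """Parse one netdiag capture and return the list of findings (empty = clean)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return check_registration(*parse_netdiag(text), nets)

if __name__ == "__main__":
    for finding in audit(NETDIAG_SAMPLE):
        print("-", finding)
```

For BQR1 the audit reports both the single-label suffix and the unregistered name; a client with an ISP resolver added to its DNS list (e.g. 198.51.100.53) would additionally be flagged for mixing external DNS, which is the first item on Herb's list.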