unable to resolve domain name

Guest

After installing a new Win2000 AD in a domain that has only one Win2000 AD,
and moving the operations master role to the new box, the front end systems
are unable to log in to the domain. Nslookup is unable to login to the domain
name even though I was able to ping the domain name from the front end. The
old box was taken off line because it has performance issues. I know it
has something to do with DNS, but I don't know how to resolve it. Thanks for the
help!
 
Ace Fekay [MVP]

kwise said:
> After installing a new Win2000 AD in a domain that has only one
> Win2000 AD, and moving the operations master role to the new box,
> the front end systems are unable to log in to the domain. Nslookup is
> unable to login to the domain name even though I was able to ping the
> domain name from the front end. The old box was taken off line
> because it has performance issues. I know it has something to do with
> DNS, but I don't know how to resolve it. Thanks for the help!

It sounds like to me you added a new domain controller, not a new domain, as
your post indicates.

If you did install a new domain controller, did you also install DNS on it?
Is the zone on the original domain controller/DNS server AD Integrated? If
so, just create the zone on the new DNS server, make it AD Integrated,
change all DNS addresses in IP properties (on the DC, member servers and
clients) to only use the new one, and you should be good to go. The reason
for 'can't find domain' or can't logon, is because it's asking DNS, 'where
is my domain?', but whatever DNS server is in IP properties, apparently
doesn't have that answer.

If you are using your ISP's DNS, that will cause this problem (among
numerous other issues), as well. Just use your internal DNS only on all
machines, and it's suggested to configure a forwarder for efficient Internet
resolution. If not sure how to configure a forwarder, this article should
help you out:
http://support.microsoft.com/?id=300202.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
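A client-side check for the situation Ace describes (the machine asks its configured DNS server "where is my domain?" and gets no answer), added here as an example; it is not part of the thread. It assumes a Windows client with the DnsClient module (Windows 8 / Server 2012 or later; the thread's Windows 2000 boxes only have nslookup and nltest), and the domain name corp.local and the internal DNS address 192.168.1.2 are placeholders.

```powershell
# Added example (not from the thread). Assumed placeholders: corp.local, 192.168.1.2.
param(
    [string]   $Domain      = 'corp.local',
    [string[]] $InternalDns = @('192.168.1.2')
)

# 1. Every adapter must use internal DNS only. An ISP resolver on any NIC
#    (as on the WAN NICs in the thread) is a misconfiguration, not a fallback:
#    the client round-robins between servers and the ISP one cannot answer
#    for the AD zone.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $foreign = $_.ServerAddresses | Where-Object { $_ -notin $InternalDns }
        if ($foreign) {
            Write-Warning ("{0}: non-internal DNS server(s) {1}" -f $_.InterfaceAlias, ($foreign -join ', '))
        }
    }

# 2. The DC locator SRV records a client needs to find a DC and a KDC. If these
#    lookups fail against the internal server, domain logon cannot work.
$locatorRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)
foreach ($name in $locatorRecords) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -Server $InternalDns[0] -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $rr) {
            "{0,-40} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port
        }
    }
    catch {
        Write-Warning "$name not resolvable via $($InternalDns[0]): $($_.Exception.Message)"
    }
}

# 3. The A record for the bare domain name (the '(same as parent folder)' record).
#    A successful ping of the domain name only proves this record exists; it says
#    nothing about the SRV records above, which is why ping can work while logon fails.
Resolve-DnsName -Name $Domain -Type A -Server $InternalDns[0] -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } |
    ForEach-Object { "{0} A {1}" -f $Domain, $_.IPAddress }

# 4. Ask the DC locator itself; /force bypasses the cached DC entry.
nltest /dsgetdc:$Domain /force
```

If step 2 warns for every record while step 3 succeeds, the new DNS server has the zone (or a stub of it) but the DC has not registered its locator records there; on the DC, `nltest /dsregdns` and `ipconfig /registerdns` after fixing its own DNS client settings will repopulate them.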
 
Guest

Hello Ace,

Yes, I only have one domain with 2 DCs (DC1, DC2). I would like to get the
new box to be the operations master and keep the old one around for a while
before demoting it to a member server. The DNS and FSMO on the new box have been
configured and installed. By the way, each AD has two NICs, one for LAN and
the other for WAN (connected to WG SOHO 6tc then a router). Here are the IP
settings on DC1, DC2 and the front end client.
DC1 has two NIC cards with the following settings

NIC 1 (LAN)

IP address 192.168.1.1
SM 255.255.255.0
Default G 192.168.1.1
DNS 192.168.1.1


NIC 2 (WAN) connects to WatchGuard Firebox SOHO 6tc (192.168.111.1) and
the router is connected to the Firebox

IP 192.168.111.2
SM 255.255.255.0
DG 192.168.111.1

DNS 12.108.132.6
12.108.132.7
This is how DC1 is set up and all the clients are able to log on to the
domain. I followed your instructions. I did point the client DNS to the new
DC2 IP address, after taking DC1 off line, but with no success.

DC2 settings as follows
NIC 1
IP 192.168.1.2
SM 255.255.255.0
DG 192.168.1.2

DNS 192.168.1.2

NIC 2
IP 192.168.111.2
SM 255.255.255.0
DG 192.168.111.1

DNS 12.108.132.6
12.108.132.7
Front end client
IP 192.168.1.10
SM 255.255.255.0
DG 192.168.1.2

DNS 192.168.1.2
 
Kevin D. Goodknecht Sr. [MVP]

kwise said:
> Hello Ace,
>
> Yes, I only have one domain with 2 DCs (DC1, DC2). I would
> like to get the new box to be the operations master and
> keep the old one around for a while before demoting it to
> a member server. The DNS and FSMO on the new box have been
> configured and installed. By the way, each AD has two
> NICs, one for LAN and the other for WAN (connected to WG
> SOHO 6tc then a router). Here are the IP settings on
> DC1, DC2 and the front end client.
> DC1 has two NIC cards with the following settings
>
> NIC 1 (LAN)
>
> IP address 192.168.1.1
> SM 255.255.255.0
> Default G 192.168.1.1
> DNS 192.168.1.1
>
>
> NIC 2 (WAN) connects to WatchGuard Firebox SOHO
> 6tc (192.168.111.1) and the router is connected to the
> Firebox
>
> IP 192.168.111.2
> SM 255.255.255.0
> DG 192.168.111.1
>
> DNS 12.108.132.6
> 12.108.132.7
> This is how DC1 is set up and all the clients are able to
> log on to the domain. I followed your instructions. I did
> point the client DNS to the new DC2 IP address, after
> taking DC1 off line, but with no success.
>
> DC2 settings as follows
> NIC 1
> IP 192.168.1.2
> SM 255.255.255.0
> DG 192.168.1.2
>
> DNS 192.168.1.2
>
> NIC 2
> IP 192.168.111.2
> SM 255.255.255.0
> DG 192.168.111.1
>
> DNS 12.108.132.6
> 12.108.132.7
> Front end client
> IP 192.168.1.10
> SM 255.255.255.0
> DG 192.168.1.2
>
> DNS 192.168.1.2

You have a couple of problems, of equal severity. One, you are using your
ISP's DNS on your "external" NIC. Never do this; always use the internal DNS
no matter which way the interface faces. Two, both DCs are multi-homed, which is
always problematic and requires extra configuration to prevent external
addresses from being published in DNS. I don't understand why you are
multi-homing, anyway. Both interfaces are using private addresses. That said,
even at that you'll have to follow the directions posted below to stop the
external interface from being published in DNS and therefore causing
connection issues and errors. It would be easier to get rid of the external
interface.

1. In the DNS management console, on the properties of the DNS server,
Interfaces tab, set DNS to only listen on the internal private IP you want
in DNS for the server.

2. Add this registry entry with regedt32 to stop the (same as parent folder)
records.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress

(If the DC is also a Global Catalog see note below)

3. Create a new host in DNS, leave the name field blank, give it the IP of
the internal interface. Win2k barks at you saying (same as parent folder) is
not a valid host name, click OK to create the record anyway.

4. Right click on Network places, choose properties, in the Advanced menu
select Advanced settings. Make sure the internal interface is at the top of
the connections pane and File sharing is enabled on the internal interface.


Note-

If the DC is also a Global Catalog use this registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress
GcIpAddress

And in addition to the (same as parent folder) record in the domain zone for
the domain name, expand _msdcs, open gc create new host with name field
blank and give it the IP of the internal interface. This resolves as
gc._msdcs.forestroot.
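The procedure above (steps 1 to 3 and the Global Catalog note), plus the forwarder Ace suggested earlier in the thread, scripted for the DC. This is an added example, not Kevin's or Ace's own instructions; it uses dnscmd.exe (shipped with the Windows DNS server, in the Support Tools on Windows 2000) and a PowerShell host for the registry write. The zone name corp.local, the addresses 192.168.1.2 (internal) and 192.168.111.2 (external), and the Global Catalog flag are assumptions standing in for the thread's values; the ISP addresses are the ones the poster listed. Step 4 (binding order in Network Connections) is a GUI setting and is not scripted here.

```powershell
# Added example (not from the thread). Assumed placeholders:
#   corp.local      the AD domain / forward lookup zone
#   192.168.1.2     the DC's internal (LAN) address, the only one to publish
#   192.168.111.2   the DC's WAN-side address, which must never appear in DNS
#   12.108.132.6/7  the ISP resolvers from the thread, used only as forwarders
# Run elevated on the DC.
$Zone            = 'corp.local'
$InternalIp      = '192.168.1.2'
$ExternalIp      = '192.168.111.2'
$Forwarders      = @('12.108.132.6', '12.108.132.7')
$IsGlobalCatalog = $true   # assumption; confirm with: nltest /dsgetdc:corp.local (look for the GC flag)

# Step 1: the DNS service listens on the internal address only, so the
# external address never becomes a source for answers or registrations.
dnscmd /ResetListenAddresses $InternalIp

# Step 2: stop Netlogon registering the bare domain name (and, on a GC, the
# gc._msdcs name) with every interface address. REG_MULTI_SZ, one entry per line.
$avoid = @('LdapIpAddress')
if ($IsGlobalCatalog) { $avoid += 'GcIpAddress' }
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DnsAvoidRegisterRecords' -PropertyType MultiString -Value $avoid -Force | Out-Null
Restart-Service Netlogon

# Step 3: drop any '(same as parent folder)' A record that points at the
# external address, then publish the internal one by hand. '@' is the zone apex.
dnscmd /RecordDelete $Zone '@' A $ExternalIp /f
dnscmd /RecordAdd    $Zone '@' A $InternalIp
if ($IsGlobalCatalog) {
    # On Windows 2000 _msdcs lives inside the domain zone, so gc._msdcs is a
    # name relative to the zone here (on 2003+ with a separate _msdcs zone,
    # the zone argument would be "_msdcs.$Zone" and the name 'gc').
    dnscmd /RecordDelete $Zone 'gc._msdcs' A $ExternalIp /f
    dnscmd /RecordAdd    $Zone 'gc._msdcs' A $InternalIp
}

# Forwarder: the ISP resolvers are referenced only here, never in any NIC's
# IP properties. PowerShell passes each array element as its own argument.
dnscmd /ResetForwarders $Forwarders

# Re-register the SRV records from the internal address and verify that the
# external address is gone from the apex.
nltest /dsregdns
ipconfig /registerdns
$apex = dnscmd /EnumRecords $Zone '@' /Type A
if ($apex -match [regex]::Escape($ExternalIp)) {
    Write-Warning "External address $ExternalIp still published at the zone apex"
} else {
    "Zone apex now publishes only:"; $apex
}
```

Repeat the whole block on each multihomed DC; the registry value is per server. If a DC is later reduced to a single NIC, the DnsAvoidRegisterRecords value can be deleted so Netlogon maintains the apex record itself again.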
 
Ace Fekay [MVP]

kwise said:
> Hello Ace,
>
> Yes, I only have one domain with 2 DCs (DC1, DC2). I would like to get
> the new box to be the operations master and keep the old one around
> for a while before demoting it to a member server. The DNS and FSMO
> on the new box have been configured and installed. By the way, each AD has
> two NICs, one for LAN and the other for WAN (connected to WG SOHO 6tc
> then a router). Here are the IP settings on DC1, DC2 and the front end
> client.
>
> <snip>

Hi kwise,

As Kevin pointed out, it really is problematic multihoming a DC, and it
requires additional administrative overhead to alter default behavior to
force it to work.

Curious, why are you multihoming? Your watchguard is watchguarding your
network. You are already protected. Besides, if you feel you are not being
protected, why would you choose your DC to protect your network? In essence,
let's say you didn't have the watchguard, you would be exposing the DC to
the outside world. The watchguard works well protecting a network. If you
want to take it a step further, you can use a Linksys or Netgear box in
place of the DCs to perform NAT.

Ace
 
Kevin D. Goodknecht Sr. [MVP]

kwise said:
> After installing a new Win2000 AD in a domain that has
> only one Win2000 AD, and moving the operations master
> role to the new box, the front end systems are unable to
> log in to the domain. Nslookup is unable to login to the
> domain name even though I was able to ping the domain
> name from the front end. The old box was taken off line
> because it has performance issues. I know it has
> something to do with DNS, but I don't know how to resolve it.

Nslookup does not login to anything, it only resolves addresses, as I said
in my other post using your ISP's DNS on any NIC in any position on any
member of an AD domain is going to cause connectivity issues. Do not use
your ISP's DNS anywhere except as a forwarder.
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036
 
Guest

Hello everyone,

The setup of DC1 was done before I was hired to clean up the mess. DC1 has
Exchange 2000 with a possibly corrupted M: drive (no backup). Overall, DC1's
performance warranted bringing a new DC into the domain and moving everything to
it.

My guess why it was set up that way is that the WG box will only see one
connection coming to it from the internal network. This org only has ten
licenses for that box.

This is the only explanation that I can come up with. As you can tell, I am not
a guru like you guys. Nor do I have adequate knowledge of AD.
I will do my best through your tips and advice to get this messy network up
and running in the proper way. I will keep you posted! Thanks for your help
 
Ace Fekay [MVP]

kwise said:
> Hello everyone,
>
> The setup of DC1 was done before I was hired to clean up the mess. DC1
> has Exchange 2000 with a possibly corrupted M: drive (no backup).
> Overall, DC1's performance warranted bringing a new DC into the domain
> and moving everything to it.
>
> My guess why it was set up that way is that the WG box will only
> see one connection coming to it from the internal network. This org
> only has ten licenses for that box.
>
> This is the only explanation that I can come up with. As you can tell, I
> am not a guru like you guys. Nor do I have adequate knowledge of
> AD.
> I will do my best through your tips and advice to get this messy
> network up and running in the proper way. I will keep you posted!
> Thanks for your help


In place of a multihomed DC, you can use an inexpensive Linksys router. That
way your WG will be satisfied with the one license, and the Linksys will
take care of NAT. This way, the DC will do what it's designed to do best, be
a DC, without the dual NICs to complicate matters.

How did you determine the M: drive is corrupted? Keep in mind, the M: drive
is just a virtual drive showing you what is in the Information Store,
nothing else. You cannot alter permissions, make changes, scan it with AV
software or back it up. If you do any of these things to the M: drive, you
can corrupt Exchange. Matter of fact, follow this reg entry (in the article
below), to hide the M: drive, because you really do not need the M: drive
for the most part, unless you are offering webdav access to it thru a
browser to read the files (and I wouldn't even suggest that!). Hide it and
be done with it.

If you believe Exchange has a problem, concentrate on Exchange services, and
post back any Event log errors (the Event ID#), so we can better help you
out with Exchange.

Q281673 - Never Backup M: Drive
http://support.microsoft.com?id=281673

Q245822 - Do Not Use Antivirus to scan M: Drive
http://support.microsoft.com?id=245822

Q305145 - Hide M: Drive from Explorer
http://support.microsoft.com?id=305145



Ace
 
