DNS and Active Directory


ping

Hi,

I have a problem with the DNS Server in W2K AD. It is a single-domain
environment and Active Directory is installed. The previous
configuration was not done by me.

I couldn't understand why the DNS in the Network Connection settings (TCP/IP)
is pointed to the ISP, which does not provide SRV records, yet the current
AD still works. There is no DNS Server service currently installed.

The problem arose when I tried to migrate the 2000 Server AD to 2003 AD.
I tried to extend the schema, join the 2003 server to the 2000 domain, and
transfer the FSMO roles.

Unexpected things happened. There is no DNS Server service that provides
SRV records, and therefore the joining of the 2003 AD failed, with an error
message indicating the SRV record cannot be found. I tried to install the DNS
Server service on Windows 2000 Server. After installation, I found out
there are no zones configured in forward lookup zones. I created one,
and enabled dynamic updates, as some guides say, then proceeded to
netdiag /fix. But it returned an error and the four lines that are supposed
to be in the DNS entries:
_msdcs
_sites
_tcp
_udp
don't come out. I am lost and I have no idea how I should manually
create DNS entries so that Active Directory can recognize them, and
to facilitate my 2003 server joining the 2000 domain.

Can any of you guide me on how to set up the DNS Server service with
Active Directory already in place? I can't demote the Active Directory
since there are users and policies, permissions, etc.

Thanks.
 
ping

These are the errors when I run netdiag:
Computer Name: SUNCITYSVR
DNS Host Name: suncitysvr.local
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 8 Stepping 10, GenuineIntel
List of installed hotfixes :
KB329115
KB820888
KB822831
KB823182
KB823559
KB824105
KB825119
KB826232
KB828035
KB828741
KB828749
KB835732
KB837001
KB839643-DirectX9
KB839645
KB840315
KB841872
KB841873
KB842526
Q147222
Q828026

Netcard queries test . . . . . . . : Passed

Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : suncitysvr
IP Address . . . . . . . . : 192.168.100.1
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.100.3
Dns Servers. . . . . . . . : 192.168.100.1
165.21.100.88

AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{DCAB9168-37C1-4A7A-9E56-50ACF4673B1A}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the name 'suncitysvr.local.'. [RCODE_SERVER_FAILURE]
The name 'suncitysvr.local.' may not be registered in DNS.
[FATAL] Failed to fix: DC DNS entry local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.f67a7e60-8cfc-4bdb-b96d-03a78c9a2396.domains._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry gc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry 6f1134d1-de26-4311-a000-a2878e369b90._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _gc._tcp.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.local. re-registeration on DNS server '192.168.100.1' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '192.168.100.1'.
[FATAL] No DNS servers have the DNS records for this DC registered.

Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{DCAB9168-37C1-4A7A-9E56-50ACF4673B1A}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{DCAB9168-37C1-4A7A-9E56-50ACF4673B1A}
The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.

The command completed successfully
C:\PROGRA~1\SUPPOR~1>NetBT name test. . . . . . . . . . : Passed
'NetBT' is not recognized as an internal or external command,
operable program or batch file.
C:\PROGRA~1\SUPPOR~1>
C:\PROGRA~1\SUPPOR~1>
C:\PROGRA~1\SUPPOR~1>Winsock test . . . . . . . . . . . : Passed
'Winsock' is not recognized as an internal or external command,
operable program or batch file.
C:\PROGRA~1\SUPPOR~1>
C:\PROGRA~1\SUPPOR~1>
C:\PROGRA~1\SUPPOR~1>DNS test . . . . . . . . . . . . . : Failed
 
Enkidu

It's hard to say what is wrong, but to update the AD records
in DNS, firstly the DNS has to be set to allow updates (as
you have done) and, I believe, that the clients must be set
to update DNS dynamically. I believe that this is enabled in
the TCP/IP properties of the NIC. It's certainly so for XP
clients.

You don't say whether or not you rebooted or restarted any
services. I think, (and I may be wrong) that you would at
least need to restart the NetLogon service.

In the DNS properties of the NIC on the DC it should point
to itself if it is the DNS server or to the DNS server for
the Domain.

Cheers,

Cliff
 
Dmitry Korolyov [MVP]

Fix up your DNS before anything else. Install and configure a DNS server on
your internal network, create appropriate zones related to your AD domains,
make sure the records are registered and so on.

Incorrect DNS configuration is the source of about 90% of all AD-related
problems.
 
Ace Fekay [MVP]

First, you multiposted this post to multiple newsgroups. It would have been
to YOUR advantage to "cross-post". This allows any responses to go to ALL
the newsgroups you posted to. Otherwise you have to manually check each one.
___________________________
Second, there are two problems with your configuration that are preventing
registration:
1. Your AD DNS Domain name is a single label name, "local".
2. There is an ISP's DNS address in your IP configuration.
___________________________
How to fix these issues?
1. Either a domain rename, (difficulty depends on the operating system), or
modifying the registry on each and every machine in your domain to allow
single label name DNS registration.

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684

2. Remove the ISP's DNS. ONLY use the internal DNS, which appears to be
192.168.100.1.

___________________________
Also, a little background on AD and DNS, and how registration works:
If you have your ISP's DNS addresses in your IP configuration (DCs and
clients), they need to be REMOVED. This is what is causing *part* of the
problem.

AD uses DNS. DNS stores AD's resource and service locations in the form of
SRV records, hence how everything that is part of the domain will find
resources in the domain. If the ISP's DNS is configured in any of the
internal AD member machines' IP properties, (including all client machines
and DCs), the machines will be asking the ISP's DNS "where is the domain
controller for my domain?", whenever it needs to perform a function, (such
as a logon request, replication request, querying and applying GPOs, etc).
Unfortunately, the ISP's DNS does not have that info and they reply with an
"I dunno know", and things just fail.

Therefore, you cannot use your ISP's DNS addresses anymore in your client or
any other machines. You cannot use your router as a DNS or DHCP server
either. If you are using your NT4 as a DNS server, that all needs to be
changed over to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD's SRV
requirements and dynamic updates.

If your current scenario is using your NT4 DNS, your ISP's DNS or your
router's DNS, it is strongly suggested and recommended to only use the
internal DNS servers on the network that is hosting the AD zone name. This
applies to all machines, (DCs and clients). Believe me, Internet resolution
will still work with the use of the Root hints (as long as the root zone
doesn't exist).

For more efficient Internet resolution, it's HIGHLY recommended to configure
a forwarder. If the forwarding option is grayed out, delete the Root zone
(looks like a period). If not sure how to perform these two tasks, please
follow one of the two articles listed below, depending on your operating
system. They show a step by step on how to perform these tasks:

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
http://support.microsoft.com/?id=323380

300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000 :
http://support.microsoft.com/?id=300202

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/?id=291382

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
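
The two conditions named in the reply above (a single-label AD DNS name and an ISP resolver in the IP configuration), checked against netdiag output like that posted earlier in the thread. This is an added example, not part of any post here: the `analyze` helper and the sample text are constructed for illustration, and stripping whitespace to undo the line wraps is an assumption that holds because DNS names contain no spaces.

```python
import ipaddress
import re

# Constructed sample: lines condensed from the netdiag output posted in this
# thread, keeping the console and newsreader line wraps.
SAMPLE = """\
DNS Host Name: suncitysvr.local
Dns Servers. . . . . . . . : 192.168.100.1
165.21.100.88

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry local. re-registeration on DNS
server '1
92.168.100.1' failed.
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.local.
re-register
ation on DNS server '192.168.100.1' failed.
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._
sites.local. re-registeration on DNS server '192.168.100.1' failed.
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.local.
re-registeration o
n DNS server '192.168.100.1' failed.
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.local.
re-registeration on DN
S server '192.168.100.1' failed.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def analyze(text):
    """Summarize one netdiag run (hypothetical helper, not a netdiag feature)."""
    m = re.search(r"DNS Host Name:\s*(\S+)", text)
    host = m.group(1) if m else ""
    # The AD DNS domain is the host name minus its first label.
    domain = host.split(".", 1)[1] if "." in host else ""

    # Resolver list: the first address follows the label, the rest sit on
    # continuation lines of their own.
    m = re.search(r"Dns Servers[ .]*:\s*((?:" + IPV4 + r"\s*)+)", text)
    servers = re.findall(IPV4, m.group(1)) if m else []
    external = [s for s in servers if not ipaddress.ip_address(s).is_private]

    # DNS names never contain whitespace, so dropping all of it undoes both
    # mid-word and between-word wraps before the record names are matched.
    flat = re.sub(r"\s+", "", text)
    failed = re.findall(
        r"DCDNSentry(.+?)re-registerationonDNSserver'([0-9.]+)'failed", flat)

    # Group by the label directly under the domain: _msdcs, _sites, _tcp, _udp.
    by_subtree = {}
    for name, _server in failed:
        rel = name.rstrip(".")
        if rel == domain:
            rel = ""
        elif domain and rel.endswith("." + domain):
            rel = rel[: -len(domain) - 1]
        subtree = rel.rsplit(".", 1)[-1] if rel else "(zone apex)"
        by_subtree.setdefault(subtree, []).append(name)

    return {
        "domain": domain,
        "single_label_domain": bool(domain) and "." not in domain,
        "external_dns_servers": external,
        "failed_by_subtree": by_subtree,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, "=", value)
```

On the sample, the report shows the domain `local` as single-label, the resolver 165.21.100.88 as outside private address space, and failed registrations under each of the four subtrees the original poster expected to see, plus the zone apex.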
 
Andrei Ungureanu

I've done some searches and this might be appropriate for your case:
http://support.microsoft.com/default.aspx?scid=kb;en-us;260371

It even says how to recreate your zone and the missing records (netlogon
stop/start).

And as Dmitry said, if DNS is not working properly, your AD will not
work properly either.

Andrei Ungureanu
www.eventid.net

 
ping

Hi Ace,

Thanks for your prompt reply. The problem is yet to be resolved.

I read through the knowledge base you provided, and understood that
single-label domain name is causing the problem.

quote: "The DNS Server service might not be used to locate domain
controllers in domains that have single-label DNS names"

I understood from the article that registry changes can be made so that
dynamic updates can be performed by clients. However, the issue now is
that the new Windows 2003 server could not join the Win2k Server domain
because the SRV, etc. DNS records are not there. If dynamic updates are done by
the domain client, the DNS server still does not have the SRV record,
right?

In this case, how do I generate the SRV records? How do I change the
domain name since it is a Win2k Server (not 2003)?

Thanks.
 
Ace Fekay [MVP]

Hmm, your post is in another newsgroup too that I just replied to. It would
have been better off if you had cross-posted instead of multiposted so
everyone could collaborate together. Plus all you had to do is check one
group for all the responses. Maybe next time...

As far as the SRVs, did you make the reg changes? Are updates allowed? Is
the server pointing only to itself for DNS?

Other than that, I suggested to create a brand new domain in a new forest
and use ADMT.

Ace
 
ping

Hi,

I have made the changes in the registry on Windows 2000 Server. I have
double-checked that the registry entry is correctly modified. The Netlogon
failure still occurred, as recorded by the event log, until I renamed the
netlogon.dns and dnb files in Winnt\system32\config. The Netlogon issue
is now resolved.

However, I can't locate the key in Win2k03 Server ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient

I can only locate the registry tree
-> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

Therefore I created a DNSClient key and added the appropriate DWORD
UpdateTopLevelDomainZones and its value (1).

After the registry modification on Windows 2000 Server & Windows 2003
Server, I restarted the Netlogon services.

I proceeded to join the Windows 2003 Server to the Win2K domain (previously ran
adprep on it). I received the error, as shown below. I entered the
domain name 'Local', not the NetBIOS domain name (SUNCITYSVR). I tried to
ping the host local.ibmtest and there was no problem with it. I have enabled
dynamic updates on the Win2K server. I have also included the netdiag result.
Please help.

--------------
The domain name local might be a NetBIOS domain name. If this is the
case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.

DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain local:

The query was for the SRV record for _ldap._tcp.dc._msdcs.local

The following domain controllers were identified by the query:

ibmdesk.local

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP
addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network
or are not running.

For information about correcting this problem, click Help.

----
C:\Documents and Settings\Administrator.IBMDESK.000>netdiag

......................................

Computer Name: IBMDESK
DNS Host Name: ibmdesk.local
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB822343
KB823182
KB823559
KB824105
KB824151
KB825119
KB826232
KB828035
KB828741
KB828749
KB832353
KB832359
KB835732
KB837001
KB839643
KB839645
KB840987
KB841356
KB841533
KB841872
KB841873
KB842526
KB842773
KB871250
KB873333
KB873339
KB885250
KB885834
KB885835
KB885836
KB888113
KB890046
KB890859
KB891781
KB893066
KB893086
KB893756
KB893803v2
KB894320
KB896358
KB896422
KB896423
KB896688-IE501SP4-20050909.233456
KB896727-IE501SP4-20050719.165544
KB897715-OE55SP2-20050503.113444
KB899587
KB899588
KB899589
KB899591
KB900725
KB901017
KB901214
KB902400
KB904706
KB905414
KB905749
Q147222
Q828026
Update Rollup 1


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : ibmdesk
IP Address . . . . . . . . : 192.168.1.199
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.10
Dns Servers. . . . . . . . : 192.168.1.199


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{A78B74B7-C592-4C0A-8F22-4F774A8D77CA}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.1.199'.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{A78B74B7-C592-4C0A-8F22-4F774A8D77CA}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{A78B74B7-C592-4C0A-8F22-4F774A8D77CA}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'ibmdesk.local'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
 
