DNS and Group Policies


Eric Portenier

I have a Windows 2000 DC running both DHCP and DNS for my network. I also have about 30 XP machines that NEED to have group policies enforced on them. Here is what has been happening. On the XP clients, the group policy will not apply itself. I had thought that maybe it was because the domain policy was propagating down and overriding the OU policy, so I checkmarked the "No Override" button, but to no avail.

So, by just playing around a bit, I went into my network connection settings, into the TCP/IP settings, and instead of assigning an IP AND DNS server automatically, I only had it assign the IP, and I typed in the IP address of my domain controller, which is also acting as my DNS server. This worked to apply the group policy, but now my internet access is gone from those XP client machines. But when I take out the DNS IP, I get internet, but no policy.

Is there a setting in my DNS configuration that I am missing? I have both a "." DNS zone and my "prep" zone... is this what is causing my problems? I have recently deleted the "." zone as per another response I received, and tried applying the "prep" zone settings to the DNS settings on the XP clients, but that is not working. I have only just added the DNS suffix to be "prep" on the clients... this does not seem to be working though.

I have also recently run into the situation where I have put the ISP's DNS IPs in the forwarder area, but even when the client is pointed to the internal DNS, it is applying the GPO, but not allowing any outside internet traffic. I CAN put the external DNS IPs on the client and I think it will work both ways, applying the GPO and allowing outside traffic, but I REALLY don't want to do this with the external DNS addresses.

Now I do also have an ISA firewall... could this also be causing a problem with the DNS? In that I am also not able to do any recursive queries on external servers from my internal DNS server? It always comes back with a "FAIL." ALSO, does my DNS zone have to be cathedral-prep.com instead of just prep, because that is what our domain is?

Thanks very much for all your answers and help... I do appreciate it! It is quite important that I get this working very soon, so any help that anyone can provide would be GREATLY appreciated. Thank you!
If you have any specifics, please email me at (e-mail address removed)

Eric Portenier

Thank you for your response to my posting, but I now need to ask a follow-up question. I have deleted the "." zone and added the forwarders to my ISP's DNS servers, but the other thing is that we are going through an ISA firewall. Now, I have also tried to ping outside IPs from my DNS server - in fact, I tried to ping the DNS IPs that I entered into my forwarder area - and it timed out. This seems now like a problem with my ISA server not allowing connections through, and I cannot find an easy way to fix this on the ISA server, if that is indeed where the problem lies.

Thank you for your help with this. I do appreciate it.

-----Original Message-----
On your DNS server you will need to delete the "." root
zone and reboot. Once the reboot is complete, you can
either add forwarders to your ISP's DNS or you
can use root hints (the default). We typically
recommend forwarding to your ISP. Once this is done,
point the internal clients to your internal DNS server.
Do not have them point to any other DNS except one that
explicitly knows about the AD DNS zone. That should
solve the problems you are experiencing.
Thank you,
Mike Johnston
Microsoft Network Support
confers no rights. Use of included script samples is
subject to the terms specified at

Note: For the benefit of the community-at-large, all
responses to this message are best directed to the
newsgroup/thread from which they originated.

Ace Fekay [MVP]

Eric Portenier <[email protected]> posted their thoughts, then I
offered mine:

One more point I forgot to mention about that "prep" suffix you mentioned in
your original post:

The single-label domain name "prep" is not advised for the Primary DNS
Suffix on any machine; it is an invalid domain name, since it does not follow
the DNS RFCs (rules) on DNS naming conventions. It should be in the form of:
But not just "prep".

I hope that your AD domain name is not a single-label name, or many other
issues may result from this. W2k and newer clients will have problems with
this name. There is a registry "bandaid" to make this work, but it's
advised that, if your domain name is a single-label name, you fix it one way
or another. If you like, to help confirm this for you, please post the
following info and myself or someone else will respond with a quick
analysis and what to do about it if it is:

1. Unedited ipconfig /all from the DC and one of the clients.
2. Zone name in DNS
3. Is Dynamic Updates set to at least YES on the zone in DNS?
4. The actual AD domain name as it shows up in your ADUC.



Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Ace Fekay [MVP]

Hi Eric,

Thanks for posting this info. Really helpful. It seems you do have a single-
label name. Unfortunate for this to have happened. The zone named
"cathedral-prep.com" should have been your AD domain name, and not "prep".
Your DNS config looks good in the ipconfigs. They point to your internal DNS.

Two choices to fix this:
1. Reinstall the domain from scratch, using cathedral-prep.com as the Primary
DNS Suffix. Set the Primary DNS Suffix on all machines to be
cathedral-prep.com (this needs to be set first, before installing it). This
way you can get the new name working. You'll lose all your user and group
accounts with this method.

2. Install a new domain on the network with the proper name, and use ADMT
(AD Migration Tool) to migrate the user, group and computer accounts to the
new domain; this will save your user accounts and their profiles. Then wipe
out the old box and reinstall it as a replica DC in the new domain. Set the
Primary DNS Suffix on all machines to be cathedral-prep.com.

3. There's a bandaid to allow registration for single-label names. But keep
in mind, this will not work well with W2k and newer clients, since they will
not register into DNS with a single-label name.
Here it is:
300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names [needs the domain.com name and cannot be
just --domain--]:

Let me know what you think.


Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
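Ace's checklist in the two posts above (unedited ipconfig /all from the DC and a client, the zone name, the AD domain name) reduces to two mechanical checks: is the Primary DNS Suffix a single-label name like "prep" rather than a proper name like cathedral-prep.com, and does each client's DNS server list contain only the internal DNS server that hosts the AD zone. The script below is an added example, not code from the thread: it parses ipconfig /all output from both machines and reports those findings. The two sample outputs are constructed for the example; the host names and addresses in them (192.168.1.10, 203.0.113.53) are assumptions, and the "DC points at itself" check assumes the single-DC setup Eric describes.

```python
import re

# Added example for this thread, not code from the original posts: parse the
# "ipconfig /all" output Ace asked for (DC plus one client) and flag
#   - a single-label Primary DNS Suffix such as "prep"
#   - any client DNS server that is not the internal DC (a resolver that does
#     not host the AD zone cannot locate a DC, so Group Policy never applies)
# Sample outputs below are constructed; names and addresses are assumptions.

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# "Key . . . . : value" lines; XP prints "Primary Dns Suffix", W2K "Primary DNS Suffix"
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()-]*?)\s*[.\s]*:\s*(.*)$")


def is_single_label(name: str) -> bool:
    """'prep' is single-label; 'cathedral-prep.com' is not."""
    name = name.strip().rstrip(".")
    return name != "" and "." not in name


def is_valid_fqdn(name: str) -> bool:
    """RFC 1035-style check: at least two labels, each 1-63 letters, digits or
    hyphens, not starting or ending with a hyphen, whole name <= 253 chars."""
    name = name.strip().rstrip(".")
    labels = name.split(".")
    return len(labels) >= 2 and len(name) <= 253 and all(LABEL.match(l) for l in labels)


def parse_ipconfig(text: str) -> dict:
    """Extract host name, Primary DNS Suffix, IP addresses and DNS servers.
    Extra DNS servers appear on continuation lines that carry only an address."""
    info = {"host": None, "suffix": None, "addresses": [], "dns_servers": []}
    in_dns_list = False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            in_dns_list = False
            if key == "host name":
                info["host"] = value
            elif key == "primary dns suffix":
                info["suffix"] = value
            elif key == "ip address":
                info["addresses"].append(value)
            elif key == "dns servers":
                in_dns_list = True
                if value:
                    info["dns_servers"].append(value)
        elif in_dns_list and line.strip():
            info["dns_servers"].append(line.strip())
    return info


def analyse(dc: dict, client: dict) -> list:
    """Compare a client's resolver configuration against the (single) DC's."""
    findings = []
    for who, cfg in (("DC", dc), ("client", client)):
        suffix = cfg["suffix"] or ""
        if not suffix or is_single_label(suffix):
            findings.append(f"{who}: Primary DNS Suffix {suffix!r} is single-label or empty; "
                            "it should be a name like cathedral-prep.com")
        elif not is_valid_fqdn(suffix):
            findings.append(f"{who}: Primary DNS Suffix {suffix!r} is not a valid DNS name")
    dc_ips = set(dc["addresses"])
    if not dc_ips & set(dc["dns_servers"]):
        findings.append("DC: does not use itself as DNS server (assumes a single-DC domain)")
    if not client["dns_servers"]:
        findings.append("client: no DNS servers configured")
    for ip in client["dns_servers"]:
        if ip not in dc_ips:
            findings.append(f"client: DNS server {ip} is not the DC; an outside resolver does "
                            "not know the AD zone, so DC location and Group Policy fail")
    return findings


DC_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dc1
        Primary DNS Suffix  . . . . . . . : prep

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

XP_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : lab-01
        Primary Dns Suffix  . . . . . . . : prep

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : prep
        IP Address. . . . . . . . . . . . : 192.168.1.57
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
"""

if __name__ == "__main__":
    for finding in analyse(parse_ipconfig(DC_IPCONFIG), parse_ipconfig(XP_IPCONFIG)):
        print("-", finding)
```

On the constructed samples it reports the single-label suffix on both machines and the ISP resolver (203.0.113.53) in the client's list, which is exactly the "external DNS on the client" workaround Eric wants to avoid; a clean run is the state Ace's option 1 or 2 ends in.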

