DNS Server Setup

Tim Smith

I am having trouble getting my DNS server set up.

In the DNS zone I created, I don't have the following
entries:

_msdcs

_sites

_tcp

How are these created?

Thanks
 
Danny Slye - [MSFT]

The _msdcs, _sites, _tcp, and _udp subfolders are created by the netlogon
service of a domain controller when it registers itself in DNS. This
requires that the parent zone support dynamic updates. See
291382, Frequently Asked Questions About Windows 2000 DNS and Windows Server
2003 DNS, for a good overview:
http://support.microsoft.com/?id=291382
If this is the first DC in the domain, it should be pointing to itself for
DNS.


__
Danny Slye
Microsoft Support Professional
MCSE

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
 
Richard

Tim, those sub-zones are created by Active Directory when
you delegate the zone in AD.
 
Ace Fekay [MVP]

Tim Smith said:
I am having trouble getting my DNS server set up.

In the DNS zone I created, I don't have the following
entries:

_msdcs

_sites

_tcp

How are these created?

Thanks

In addition to the other responses, here are some guidelines for ensuring
proper registration:

1. Point only to your internal DNS.
2. Do not use your ISP's DNS in any internal machine IP properties (DCs or
clients).
3. The machine's Primary DNS Suffix must match:
a. The AD DNS domain name
b. The zone name in DNS
4. Updates set to at least "YES" in the zone's properties.
5. Your domain is NOT a single label name (such as 'domain' instead of the
required 'domain.com' format) and you have W2k SP4 or W2k3. If it is a single
label name domain, this will cause other errors as well.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
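The five guidelines above, turned into a check that can be run against a machine's `ipconfig /all` output. This is an added example written for this page, not a tool from the thread or from Microsoft; the sample dump, host name, addresses and the two ISP resolvers are constructed placeholders modelled on the output posted later in this thread.

```python
import ipaddress
import re

# Constructed sample modelled on the ipconfig /all dump quoted in this thread;
# host name, addresses and the two ISP resolvers are made-up placeholders.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : OFFICESERVER
        Primary DNS Suffix  . . . . . . . : DAEOFFICE
        Node Type . . . . . . . . . . . . : Broadcast
        DNS Suffix Search List. . . . . . : DAEOFFICE

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : DAEOFFICE
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
"""

# "Key . . . . : value" lines; the key is letters, spaces and hyphens, the
# dotted leader and the colon are skipped.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return (primary DNS suffix, list of DNS servers) from ipconfig /all text.

    Additional DNS servers appear on continuation lines with no key, so they
    are attached to the most recent 'DNS Servers' key.
    """
    suffix, servers, last_key = None, [], None
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            last_key, value = m.group(1).strip().lower(), m.group(2).strip()
            if last_key == "primary dns suffix":
                suffix = value
            elif last_key == "dns servers" and value:
                servers.append(value)
        elif last_key == "dns servers" and line.strip():
            servers.append(line.strip())
    return suffix, servers


def is_single_label(domain):
    """True for names like 'DAEOFFICE' that have no dot (no DNS hierarchy)."""
    return "." not in domain.strip(".")


def check_ad_dns_config(ipconfig_text, ad_domain, internal_dns, zones):
    """Apply the five guidelines from the post above to one machine.

    internal_dns: addresses of the internal DNS servers that host the AD zone.
    zones: {zone name: dynamic updates enabled} as seen in the DNS console.
    Returns a list of human-readable findings; an empty list means compliant.
    """
    suffix, servers = parse_ipconfig(ipconfig_text)
    findings = []
    internal = {ipaddress.ip_address(a) for a in internal_dns}

    # Guidelines 1 and 2: every configured resolver must be an internal one.
    if not servers:
        findings.append("no DNS server configured; must point to internal DNS")
    for s in servers:
        if ipaddress.ip_address(s) not in internal:
            findings.append(f"external (ISP) DNS server {s} configured; remove it")

    # Guideline 3: primary DNS suffix must equal the AD domain name and zone.
    if suffix is None or suffix.lower() != ad_domain.lower():
        findings.append(f"primary DNS suffix {suffix!r} != AD domain {ad_domain!r}")
    zone_updates = {z.lower(): ok for z, ok in zones.items()}
    if ad_domain.lower() not in zone_updates:
        findings.append(f"no forward lookup zone named {ad_domain!r}")
    # Guideline 4: the zone must accept dynamic updates so netlogon can register.
    elif not zone_updates[ad_domain.lower()]:
        findings.append(f"zone {ad_domain!r} does not allow dynamic updates")

    # Guideline 5: single-label names cannot be registered or used by GPOs.
    if is_single_label(ad_domain):
        findings.append(f"single-label domain {ad_domain!r}; use a name like "
                        f"{ad_domain.lower()}.com")
    return findings


if __name__ == "__main__":
    for f in check_ad_dns_config(SAMPLE_IPCONFIG, "DAEOFFICE",
                                 ["192.168.0.2"], {"DAEOFFICE": True}):
        print("FINDING:", f)
```

Run against the constructed dump it reports the two ISP resolvers and the single-label domain name, which are the same three faults diagnosed later in this thread.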
 
Dave Baldridge

Good afternoon Tim,

These records are created when netlogon starts and registers the SRV
records.

A reboot will restart all services and register the required records, or you
can just run "net stop netlogon", then "net start netlogon" from a cmd
prompt to register the records. Once you do that, just refresh the DNS
console and you should see that the _zones have been created.

To further verify that DNS is working OK, install the server tools from the
server installation CD (\support\tools\setup.exe). Then run netdiag /v >
c:\netdiag.txt from a cmd prompt. Open the netdiag.txt file and check to
see if DNS registration was successful.

Thanks and have a great day.

Dave Baldridge MCSE 2000
MPS Protocols Support Professional
 
jbond_13any

In this response Ace made a reference to the DNS pointing
to the internal system, not to the DNS of the ISP. I am
very new to this and wondering how you would get out to
the internet if the DNS only points to the internal
systems. I was trained that the ISP DNS would go on the
DC and client computers so they could find the websites.
What have I missed?

James
 
Ace Fekay [MVP]

In this response Ace made a reference to the DNS pointing
to the internal system, not to the DNS of the ISP. I am
very new to this and wondering how you would get out to
the internet if the DNS only points to the internal
systems. I was trained that the ISP DNS would go on the
DC and client computers so they could find the websites.
What have I missed?

James

James,

With all due respect, I would suggest taking a course in AD and DNS. The
MOC 2154 W2k AD or the MOC 2208 W2k3 AD courses are good choices to learn
all of this, with plenty of lecture and hands-on labs. I think this would be
of benefit for any administrator running an IT center to understand how
Active Directory works and its absolute DNS requirements.

It's imperative you only use the internal DNS server(s) for AD and its
members. If you don't, numerous errors WILL occur, too many to mention, but
to mention a few: long logon times, GPOs do not apply, 5781 errors, 5774
errors, FRS errors, etc. If you search back in the newsgroup, you can see
some of the stuff that goes on from the folks posting that are getting errors
due to this old school thought.

AD stores its service locations and their respective resource locations in
DNS in the form of SRV records. Anytime a domain member, such as a DC or a
client, or even a directory enabled application (Exchange) needs to find a
service, it queries DNS. DNS will then provide that location, as long as the
SRVs exist. If there are any problems with dynamic registration, or if you
have a single label name ("domain" instead of the required format
"domain.com"), or you are pointing to an external DNS that does not have
your domain records, then unpredictable results will ensue, guaranteed.
Even if you supply the internal DNS and an ISP's DNS, due to the way the
client side resolver works, it may not work: it will ask the first
address, and if that times out or gives no answer, it removes that from the
eligible resolvers list, then goes to the next one, never going back to the
first one unless you either restart the machine or restart the DNS client service.

Read more on this...
Querying DNS Servers - how the resolver service works:
http://www.microsoft.com/technet/tr...prodtechnol/winxppro/reskit/prjj_ipa_bsmz.asp

DNS by default, as long as the Root zone doesn't exist (or has been
deleted), will perform a recursion to the Root hints for resolution of zones
that it's not authoritative for (zones that have not been created in your DNS
Forward and Reverse Lookup Zones). This is the default on any DNS server, MS,
BIND, etc...

So if you point to only your server, then you will get outside resolution.
You can make this more efficient by configuring a forwarder.

Here are a couple of links to read up on to better help you out...

HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202

291382 - Frequently Asked Questions About Windows 2000 DNS and Windows
Server 2003 DNS:
http://support.microsoft.com/?id=291382

There are other links, but these should suffice for now... If you have any
questions, please post back.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

I'm having the same problem. Can somebody please walk me through this? I just inherited this network and am a novice at DNS. Here is my ipconfig /all info.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : OFFICESERVE
Primary DNS Suffix . . . . . . . : DAEOFFICE
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DAEOFFICE
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
Physical Address. . . . . . . . . : 00-B0-D0-AB-0D-3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.
Subnet Mask . . . . . . . . . . . : 255.255.255.
Default Gateway . . . . . . . . . : 192.168.0.
DNS Servers . . . . . . . . . . . : 206.13.29.1
206.13.30.1

I am also behind a firewall. I need to know how to run an internal DNS. Please reply as if you were explaining this to a child. I am very new at this. Thank you in advance for your time and effort.

Zac

 
Guest

Can somebody with the information I provided in my other post please give me the step by step process for doing this? I'm a newbie to DNS! Particularly, the DNS is already set up but, obviously, it's not set up correctly. The DNS doesn't seem to be pointing to an IP and I don't know how to change that if needed. If you don't use your ISP's DNS on your internal machines, do you leave the DNS blank or do you put in the internal DNS? I believe my firewall is functioning properly. Everybody can get out to the Inet.

Zac

 
Ace Fekay [MVP]

Zack,

You have multiple problems going on here. As I said in my previous post, do
not use your ISP's DNS. Only use your internal ones and use a forwarder.
Check below in this post for the link I posted that shows you how to do
that.

On top of that, you have a huge problem with your domain name. It's a single
label DNS name. Your domain is called "DAEOFFICE" and is not in the proper
format, such as "daeoffice.com" or "daeoffice.zack", etc. It doesn't matter
what you choose, but it needs that format. I also recommend not using the
same name as your external domain name.

With single label names, DNS doesn't know how to handle that and multiple
issues will arise due to it. The proper way to fix it is to reinstall AD
with the proper name.

Plus with single label names, DNS and SP4 on W2k and W2k3 will not allow
dynamic registration. This is due to DNS not knowing what to do with the
name, since it can't search the hierarchy (there is no hierarchy with a
single name), so therefore it excessively queries the internet root servers.
That's why it was stopped by SP4.

Here's a band-aid to get registration to work, but still, W2k and XP clients
will have problems finding resources:
http://support.microsoft.com/?id=300684

Sorry for the bad news.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

Thanks Ace,

I figured I had a bad egg on my hands. I just inherited this network and am new at DNS. Now, can you tell me how to reinstall AD? Or point me to a 'How To'?

Zack

 
Ace Fekay [MVP]

The Zack said:
Thanks Ace,

I figured I had a bad egg on my hands. I just inherited this network
and am new at DNS. Now, can you tell me how to reinstall AD? Or point
me to a 'How To'?

Zack
Zack, this is a loaded question, believe it or not, because of the vast
possibilities. If you search back, you can see this issue strewn about in
various threads. I have a bunch of them archived and I'm going to paste it
below and you can see the reasons behind it and possible options to
reinstall. Basically, to save your user accounts, if you're still in mixed
mode and still have an NT4 BDC, or if not, you can still install an NT4 BDC,
then you can physically remove your server (unplug it), promote the NT4 to a
PDC and upgrade it following the correct naming structure.

If not in mixed mode, then it's a little more difficult. You can install a
new AD domain with the correct name and use ADMT to migrate the users. If
you have Exchange, then it complicates it.

Read this stuff about it... hope you got time to read
this...
===========================================
The BIGGEST problem is that the domain is a single label name. That is NOT
good at all and creates multiple problems. Your domain name is called "SOL".
It should be in the form of "sol.com" or "sol.net" or "sol.michael", but
not just "SOL". The single name does not follow the hierarchical tree
structure of DNS.

A single label named domain was probably due to (with all due respect) lack
of research and knowledge of the way AD and DNS must be designed PRIOR to
an upgrade/migration. It's very important to do your homework on this
because it becomes difficult to change. However, since you have W2k3 being
used, you may be able to change the name. But in order to do this, you must
upgrade the W2k server first to W2k3 and raise the Forest Functional Level to
Native Mode. Here's a link on how to do that with W2k3:

Forest and Domain Functional Levels Explained:
http://www.microsoft.com/technet/tr...server2003/proddocs/datacenter/sag_levels.asp

Renaming domains - rendom.exe found in valueadd-msft-mgmt-domren folder on
CD:
http://www.microsoft.com/technet/tr...rver2003/proddocs/datacenter/domainrename.asp

SP4 changed/stopped the fact of letting registrations work because MS found
that excessive DNS traffic was hitting the ISC Root servers with any machine
that had a single label name. It was just too much. So they stopped it. Now,
you can use a registry entry to force registration but this must be done on
ALL the machines in your domain.

Here is the fix that you can use for now. It's more of a band-aid and will
not totally solve certain issues, but it will force registration of the SRV
records:
http://support.microsoft.com/?id=300684

This has to be done on all machines.

One BIG problem, however, if using single label names, is that GPOs will not work,
whether you use the registry entry mentioned in that link above or not. This
is because they look for the domain name when the GetGPOList function runs
on a client when it tries to "find" the GPO. The path it looks for is such
as this, because the policies are found in the domain share:
\\domain.com\sysvol\domain.COM\Policies

In your case, it would be querying for:
\\SOL\sysvol\SOL\policies

In that case, it will not be able to find that domain name because it's
treating it as a HOST name. You can try to force this by ensuring there is a
blank HOST name called SOL with the IP addresses of one of the DCs, but from
other posters and tests, it doesn't appear to really work correctly. Also,
XP clients have difficulty querying this method, whether you put the
registration fix in it or not.

Sorry to be the bearer of bad news. I hope this helps in understanding your
dilemma and what your options are.


========================================
Here's more...
========================================

----- Original Message -----
From: Ace Fekay [MVP]
Newsgroups:
microsoft.public.windows.server.dns,microsoft.public.windows.server.sbs
Sent: Tuesday, January 13, 2004 9:26 PM
Subject: Re: DNS, Single Label Domains and SBS2K3


Aaron said:
Firstly, I would HAVE to convince my boss that this is REALLY, REALLY
necessary.

Just to play devil's advocate here for a moment:

My Boss would say: Why re-install? Everything is working. The clients
are registering in local DNS (with registry hacks),
\\domain\sysvol\domain is accessible and group policies/scripts are
being applied to the clients, Web browsing/e-mail is working to the
outside world, VPN is working, Exchange is working, we can access all
our files, etc. Where is the need?

And I don't have a good argument to counter this, because it is true.
This is SBS, so there is no need to have access to other AD/DNS
servers for replication, zone transfers, etc. There are no forests or
trees, just SBS. We're not running an external DNS that needs to be
RFC compliant (we use forwarders to the ISP for external resolution),
and we still have legacy O.S.'s (95/98 - actually legacy O.S.'s was
the reason our consultant gave for "maintaining" a single label
domain - funny thing is those legacy O.S.'s seem to work just fine on
my SBS testbed at home with "domain.lan" as my domain - go figure
huh).

But things do appear to be working. I need something to point to and
say:

"see it's SUPPOSED to do this, but because the DNS is BROKEN, it
ISN'T doing what it should be doing"

What is my SBS not doing that it should be?

I need convincing arguments (as much to convince myself as my boss -
this would be a really big deal to have to force the company to go
through this again so soon). I need some TEST to show/prove, that if
this isn't fixed "X" will be the result, and it ain't pretty if "X"
happens (i.e. the network will come to a total, screeching, train
wrecking halt)!

I don't like the fact that the domain is semi-broken, but I believe I
can live with it. I just really need to know what the downside
is/will be.

Any thoughts/arguments/recommendations greatly appreciated.

Aaron
Aaron,

This has been a real big issue lately. Here's a copy/paste of a recent
thread (just search back on single label name and a whole bunch of them will
turn up). But go ahead and read it, including (way below) a re-post from one
of the MS guys, Alan Wood, with the company's take on it. Excessive queries
to the ISC Root Servers, AD doesn't work correctly, etc etc etc.

The whole thing is basically caused, with all due respect, by not
properly planning or researching prior to your migration or upgrade.

/begin paste...
=================================
Joe said:
How do I rename my domain? I don't know how. I want to
rename my domain without modifying other configurations
like active directory.

Well, that's the whole thing. It's all about AD.

Instead of typing it all out again, check this post (below) from a recent
post I made. This is a common problem due to lack of proper pre-installation
planning and research into AD. Sorry to say that, with all due respect.

I hope it helps in understanding what is in front of you.
Begin:
=================================================


continued.....
This is a common problem lately. Many posts on it. Recently (yesterday) I
posted something similar that will apply to you. I copied/pasted it below.
Yes, the DC is Windows Server 2000 SP4.
And, yes, the computer in question is the only one having this issue.
And, no, when I ping our domain I get "Unknown host"

C:\>ping CREDENTALS
Unknown host CREDENTALS.

I have entered the two registry entries that were suggested in
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
in the DC now, although I have not had a chance to reboot that
machine yet. Once I do will this fix the "Unknown host CREDENTALS."
problem as well or could this all be very simply fixed by adding a
".com" to my domain?

-Scott Elgram

To ping a domain name, it would need the TLD suffix, since it will look
under the zone name for the (same as parent) record. If pinging a single
name, it will treat it as a host and may even suffix it with your Search
Suffix List, which in your case, based on your ipconfig, is "CREDENTIALS",
so it may be trying to ping credentials.credentials.

Ideally, it would be advised to rename the domain, either installing a new
domain in a new forest and migrating the users/groups/computer accounts to
the new domain with ADMT. The user profiles will be translated to the new
domain user account on their workstations and will be automatically joined
to the new domain for you. This way you won't have to disjoin/rejoin the
machines in the domain and lose the user profiles. Once that's done, you can
trash the old DC and rebuild it as a new DC in the new existing domain you
created.

Single label domain names are problematic, at best. Certain clients, such as
XP, may balk at it and cause additional errors since they have problems
querying single label name records in DNS.

--
Regards,
Ace



First of all, you can try using
http://support.microsoft.com/?id=300684
for a reg entry to force it to update. You need to do it on your clients too,
but XP won't work properly. You may still get problems with GPOs applying
since the GetGPOList function on the client side references the domain FQDN,
such as:
\\domain.com\sysvol\domain.COM\Policies
But when it tries to go to what you have, such as:
\\DOM\etc...
it perceives DOM as a host name, and may not resolve properly.

Here's my other post that may help in resolving this to help rename
it....Read the whole thing so you'll know what's involved.

==========================================
Ace Fekay,
If I were to just rename the domain from CREDENTALS to
CREDENTALS.net and disjoin all the affected workstations from
CREDENTALS and join it to CREDENTALS.net would it reset the user
profiles?

First, you can't just rename a domain, unless you're still in mixed mode
with an NT4 BDC still present. If still in mixed mode, you can add an NT4
BDC, trash the W2k DC, promote the NT4 BDC to a PDC, then manually set the
DNS Suffix in TCP/IP properties to the new domain name, credentials.net,
(which would be the name you choose for the AD DNS domain name, but keep the
NetBIOS domain name as CREDENTIALS for backward compatibility), then upgrade
it to a W2k DC. This way the machines that are still joined will still be
joined to the same domain.

Otherwise if the domain is in Native mode, you'll need to follow the ADMT
method I previously mentioned.

And no about disjoining and rejoining to the new domain with the old
profiles. When you manually rejoin, a new profile is created. You may find
that you can manually force the new profiles to use the old profile one
machine at a time, but I don't think that's what you want to do. ADMT will
do that for you.

Keep in mind you want to follow DNS naming methods. One thing I noticed is
you're using uppercase. It's not that it won't work, but to keep things
consistent with DNS RFCs (looks good too), name it credentials.net, not
CREDENTIALS.net.
From what I have read in researching this problem it sure does seem
that single label domains cause lots of problems and sometimes even
questionable and/or slow connections. But, likewise, I have also
read things that lead me to think migrating AD off CREDENTALS and
over to CREDENTALS.net could possibly cause more problems domain wide
than just the one machine I have now. If I ever have to set up a new
domain or rebuild the old one for some reason other than one machine
I'll definitely use the appropriate formatting (I wasn't the one who
set this up anyway, that guy quit). For now should the 2
registry entries discussed previously in
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
fix this problem for the one machine?

-Scott Elgram

If the domain is in mixed mode, it will be a lot easier for you. If not, the
ADMT will work, but I would read up on it first and test it. I can provide
links if needed. I've migrated quite a few domains and have to say it's the
easier method if the domain is presently in mixed mode. To find the present
mode, rt-click the domain name in ADUC, properties. Look at the bottom of
the general tab.

Also, Kevin has a big point about GPOs and how the GetGPOList function works
when a machine logs on and looks for the GPOs. That reg entry has to be made
system wide....

***************************************
Here's a repost by Alan Wood from Microsoft describing the issue and
ramifications and the recommendations to rename it properly. I hope it helps
in understanding the issue at hand.
***************************************
----- Original Message -----
From: "Alan Wood" [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS


Hi Roger,
We really would prefer to use FQDN over single labeled. There are
a lot of other issues that you can run into when using a single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA,
example Host.DomainA, and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA; at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the
services you are using.


Thank you,

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
****************************************

=================================
/end


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
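Alan Wood's devolution example and the GetGPOList path Ace describes, worked through in Python. This is an added illustration, not code from the thread or from any Microsoft tool; the records and addresses are constructed, and the two-label devolution limit is taken from the post above.

```python
# Constructed records standing in for what the internal DNS would answer;
# the names follow Alan Wood's example (domainA with two child domains)
# and the "SOL" single-label domain discussed above.
RECORDS = {
    "host.domaina": "192.168.1.10",
    "host.domaina.com": "192.168.2.10",
    "dc1.sol": "192.168.3.10",      # the DC's own host record in a single-label domain
}


def devolution_candidates(name, primary_suffix, levels=2):
    """FQDNs the Windows resolver tries for an unqualified single-label name.

    It appends the primary DNS suffix first, then drops the leftmost label one
    step at a time, but never devolves past the last `levels` labels (the post
    above describes a limit of 2).  A single-label suffix therefore yields only
    name.suffix, e.g. credentals.credentals, as Ace notes earlier.
    """
    labels = primary_suffix.strip(".").lower().split(".")
    name = name.lower()
    candidates = [f"{name}.{'.'.join(labels)}"]
    while len(labels) > levels:
        labels = labels[1:]
        candidates.append(f"{name}.{'.'.join(labels)}")
    return candidates


def resolve_unqualified(name, primary_suffix, records=RECORDS, levels=2):
    """Return (fqdn, address) for the first candidate with a record, or None."""
    if "." in name:                       # already qualified: look it up as-is
        fqdn = name.lower().rstrip(".")
        return (fqdn, records[fqdn]) if fqdn in records else None
    for fqdn in devolution_candidates(name, primary_suffix, levels):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None


def sysvol_path(domain):
    """UNC path GetGPOList asks for.  With a single-label domain the first
    component is a plain host name, so the resolver treats it like 'host'
    above and the \\\\SOL\\sysvol share is never found."""
    return f"\\\\{domain}\\sysvol\\{domain}\\Policies"


if __name__ == "__main__":
    print(devolution_candidates("host", "child2.child1.domaina"))
    print(resolve_unqualified("host", "child2.child1.domaina"))      # None
    print(resolve_unqualified("host", "child2.child1.domaina.com"))  # found
    print(sysvol_path("SOL"), "->", resolve_unqualified("sol", "sol"))
```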
 
Guest

Thanks Ace!

Here are a few things I thought of and would like more input. If I understand correctly, I see that I have a few options. Also, I am not running Exchange and I don't know if I'm in mixed mode??? I do have a 2nd file server. Here are my thoughts.

1. I thought of just removing DHCP from the firewall, running it from my DC and then removing the ISP DNS from the clients and pointing them to the DC to see if that 'fixes' it. However, this is just a band-aid I know.

2. I have a file server on the network running Win2k server. I can use ADMT (don't know how to use it or how to save/export/import my user accts.) to migrate the users to the file server and correctly install AD, then fix my single label server by reinstalling AD, and then I'll have 2 servers running AD in a user environment of about 20 clients. A bit overboard but I'll be adding 15 more clients by year's end. Why not?

3. Just export the files to the file server temporarily, fix my single label name AD on the DC and import the users back into the AD.

4. Follow KBA 300684. Another 'band-aid'.

However, I still want to remove DHCP from the firewall and run it from the DC.

What are your thoughts on this?



 
A

Ace Fekay [MVP]

In
The Zack said:
Thanks Ace!

Here are a few things I thought of and would like more input. If I
understand correctly, I see that I have a few options. Also, I am
not running Exchange and I don't know if I'm in mixed mode??? I do
have a 2nd file server. Here are my thoughts.

1. I thought of just removing DHCP from the Firewall, running it from
my DC and then removing the ISP DNS from the clients and pointing
them to the DC to see if that 'fixes' it. However, this is just a
bandaid I know.

2. I have a file server on the network running Win2k server. I can
use ADMT (don't know how to use or how to save/export/import my user
accts.) to migrate the users to the file server and correctly install
AD then, fix my single label server by reinstalling AD and then I'll
have 2 servers running AD in a user environment of about 20 clients.
A bit overboard but, I'll be adding 15 more clients by year's end. Why
not?

3. Just export the files to the file server temporarily, fix my single
label name AD on the DC and import the users back into the AD.

4. Follow KBA 300684. Another 'bandaid'.

However, I still want to remove DHCP from the firewall and run it
from the DC.

What are your thoughts on this?

I wouldn't use the router's DHCP since it doesn't work with Dynamic updates
and MS DNS.

Let's first determine what mode you're in....rt-click your domain name in
ADUC, properties. It will tell you what mode you're in. If the option to
change mode exists, then you're in mixed, if not, then you're in native.

The bandaid doesn't really help your clients, especially XP.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
K

Kevin D. Goodknecht [MVP]

In
The Zack said:
1. I thought of just removing DHCP from the Firewall, running it from
my DC and then removing the ISP DNS from the clients and pointing
them to the DC to see if that 'fixes' it. However, this is just a
bandaid I know.

This is not a bandaid, this is actually the required configuration for
members and recommended for non members.
 
G

Guest

I may have fixed my problem. I changed the ISP DNS settings in TCP/IP to my DC and here is my OLD and NEW ipconfig/all settings:

OLD:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : OFFICESERVER
Primary DNS Suffix . . . . . . . : DAEOFFICE
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DAEOFFICE
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
Physical Address. . . . . . . . . : 00-B0-D0-AB-0D-39
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 206.13.29.12
206.13.30.12

NEW:

Windows IP Configuration

Host Name . . . . . . . . . . . . : IT-Admin
Primary Dns Suffix . . . . . . . : DAEOFFICE.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE.LOCAL

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0D-56-15-AD-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2
Lease Obtained. . . . . . . . . . : Monday, March 08, 2004 11:35:34 AM
Lease Expires . . . . . . . . . . : Thursday, March 18, 2004 11:35:34 AM

Does this look like it solves my problem?
 
A

Ace Fekay [MVP]

In
The Zack said:
I may have fixed my problem. I changed the ISP DNS settings in
TCP/IP to my DC and here is my OLD and NEW ipconfig/all settings:

OLD:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : OFFICESERVER
Primary DNS Suffix . . . . . . . : DAEOFFICE
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DAEOFFICE
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
Physical Address. . . . . . . . . : 00-B0-D0-AB-0D-39
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 206.13.29.12
206.13.30.12

NEW:

Windows IP Configuration

Host Name . . . . . . . . . . . . : IT-Admin
Primary Dns Suffix . . . . . . . : DAEOFFICE.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE.LOCAL

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0D-56-15-AD-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2
Lease Obtained. . . . . . . . . . : Monday, March 08, 2004 11:35:34 AM
Lease Expires . . . . . . . . . . : Thursday, March 18, 2004 11:35:34 AM

Does this look like it solves my problem?

I thought I mentioned to remove those addresses and only use your own DNS?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
A

Ace Fekay [MVP]

In
The Zack said:
Ace,

You may have, although I don't remember nor can I find it in any
previous posts. What do you mean by using my own DNS? The address
of the DC is 192.168.0.2. Now, I believe all I have to do is move
the DHCP from 0.1 to 0.2.? I am still monitoring for problems.

Thanks Ace!

I thought I mentioned to remove those addresses and only use
your own DNS?

Yes, definitely want to use MS DHCP, not your router's. And always only use
your internal DNS, not your ISP.

Looking back, I posted a bunch of guidelines for Tim Smith's original post
that started this thread. I thought you may have read it since you posted
under his post in this thread. Here, I'll repost it for you....
(from 2/25/04):
============================
In addition to the other responses, here are some guidelines for ensuring
proper registration:

1. Point only to your internal DNS.
2. Do not use your ISP's DNS in any internal machine IP properties (DCs or
clients).
3. The machine's Primary DNS Suffix must match:
a. The AD DNS domain name
b. The zone name in DNS
4. Updates set to at least "YES" in the zone's properties
5. Your domain is NOT a single label name (such as 'domain' instead of the
required 'domain.com' format) and you have W2k SP4 or W2k3. If a single
label name domain, this will cause other errors as well.
============================


Keep an eye on any issues.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
G

Guest

Ace,

I put in the correct DNS settings on the server and I'm still getting the dreaded 5781. Here is my ipconfig/all for my server:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : OFFICESERVER
Primary DNS Suffix . . . . . . . : DAEOFFICE
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DAEOFFICE
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
Physical Address. . . . . . . . . : 00-B0-D0-AB-0D-39
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2

Notice still a single label domain. What do I need to do from here? Reinstall AD? Also, here is the ipconfig from my machine:

Windows IP Configuration

Host Name . . . . . . . . . . . . : IT-Admin
Primary Dns Suffix . . . . . . . : DAEOFFICE.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE.LOCAL

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0D-56-15-AD-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2
Lease Obtained. . . . . . . . . . : Tuesday, March 09, 2004 12:16:42 PM
Lease Expires . . . . . . . . . . : Friday, March 19, 2004 12:16:42 PM

I am confused!

Thanks!

Zack

 
K

Kevin D. Goodknecht [MVP]

In
Zack said:
Ace,

I put in the correct DNS settings on the server and I'm still getting
the dreaded 5781. Here is my ipconfig/all for my server:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : OFFICESERVER
Primary DNS Suffix . . . . . . . : DAEOFFICE
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DAEOFFICE
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
Physical Address. . . . . . . . . : 00-B0-D0-AB-0D-39
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2

Notice still a single label domain. What do I need to do from here?
Reinstall AD? Also, here is the ipcofig from my machine:

Windows IP Configuration

Host Name . . . . . . . . . . . . : IT-Admin
Primary Dns Suffix . . . . . . . : DAEOFFICE.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DAEOFFICE.LOCAL

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0D-56-15-AD-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2
Lease Obtained. . . . . . . . . . : Tuesday, March 09, 2004 12:16:42 PM
Lease Expires . . . . . . . . . . : Friday, March 19, 2004 12:16:42 PM

I am confused!

Thanks!

Zack

If you don't mind if I jump in here, yes your primary DNS suffix is a single
label name on the server. But is that the actual domain name in ADU&C?
I ask because your client machine is daeoffice.local, which leads me to
believe that your AD domain name is daeoffice.local. If daeoffice.local is
the domain name in ADU&C then you would have a disjointed namespace, which
can also cause 5781s to be logged.
Please verify your AD domain name in ADU&C. If it is daeoffice.local, then
email Ace or me directly for a script to correct the Primary DNS suffix of the
DC.
Ace's email is firstnamelastname at hotmail.com; for mine, remove the nospam.
from the domain.
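As an added illustration (not part of this thread or anyone's posted script), the following Python check applies the registration guidelines Ace reposted (internal DNS only, Primary DNS Suffix equal to the AD domain name, no single-label name) and Kevin's disjoint-namespace point to ipconfig /all output. The sample input is constructed from the OLD server and client output Zack posted, and it assumes daeoffice.local is the domain name shown in ADU&C, which the thread has not yet confirmed.

```python
import ipaddress
import re

# Constructed sample input: the relevant fields from the DC's and the client's
# "ipconfig /all" as posted in the thread (the full output parses the same way).
DC_IPCONFIG = """\
Host Name . . . . . . . . . . . . : OFFICESERVER
Primary DNS Suffix . . . . . . . : DAEOFFICE
DNS Servers . . . . . . . . . . . : 206.13.29.12
                                    206.13.30.12
"""
CLIENT_IPCONFIG = """\
Host Name . . . . . . . . . . . . : IT-Admin
Primary Dns Suffix . . . . . . . : DAEOFFICE.LOCAL
DNS Servers . . . . . . . . . . . : 192.168.0.2
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {field: [values]}; indented lines without a field name
    (a second DNS server, for example) continue the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).strip().lower()
            fields.setdefault(last, [])
            if m.group(2).strip():
                fields[last].append(m.group(2).strip())
        elif last and line.strip():
            fields[last].append(line.strip())
    return fields

def is_single_label(suffix):
    """Guideline 5: an AD DNS name needs two or more labels (daeoffice.local)."""
    return suffix != "" and "." not in suffix

def check_registration(fields, ad_domain):
    """Apply the thread's guidelines to one machine; returns findings ([] = clean)."""
    findings = []
    suffix = (fields.get("primary dns suffix") or [""])[0]
    if is_single_label(suffix):
        findings.append(f"single-label Primary DNS Suffix '{suffix}'")
    if suffix.lower() != ad_domain.lower():  # guideline 3 / disjoint namespace
        findings.append(f"suffix '{suffix}' does not match AD domain '{ad_domain}'")
    for srv in fields.get("dns servers", []):  # guidelines 1 and 2
        if not ipaddress.ip_address(srv).is_private:
            findings.append(f"external (ISP) DNS server {srv} configured")
    return findings
```

Run against the DC's OLD output it reports the single-label suffix, the mismatch with daeoffice.local and both ISP resolvers; the client's output comes back clean.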