finding a domain controller not listed in the dns

mike gisonda

Hello all,
I have a particular problem. I am running several XP
machines on a network running active directory. I need to
set the primary DNS on the client machines to a different
DNS than the domain controller. However, this DNS server
does not list the domain controller in it. I am currently
having problems with the clients with opening network
resources. It takes an extremely long time. Under the old
PDC setup, I would just put a listing in the host file for
the controller. But that doesn't work under Active
directory.

Here is my question. How can I tell the xp client where
the domain controller is without using DNS? Is there
something that I can place in the host file with the IP
address of the domain controller? There has to be some way
to point the XP machines to the domain controller without
using DNS.

Thanks
Mike
 
mike gisonda said:
[.....]


No, that won't work.
HOSTS only supports static mapping of DNS 'A' records.
To locate AD resources, the client needs to query DNS for SRV records.

You MUST point the clients to a DNS server that holds the AD's zone.

Why exactly do you need to point the clients elsewhere?

If it's for external Internet Name Resolution, then point the clients at the
domain's internal DNS and then set up the domain's DNS server to forward
unresolved queries out to the ISP's DNS.

If it's for some other obscure reason, then you could set up a secondary
zone on the 'other' DNS server, and have the AD zone records transferred
from the primary.

Here's my usual lecture on the topic....

XP differs from previous versions of windows in that it uses
DNS as its primary name resolution method for finding domain
controllers:

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

If DNS is misconfigured, XP will spend a lot of time waiting for it to
timeout before it tries using legacy NT4 style NetBIOS.
( Which may or may not work. )

1) Ensure that the XP clients are all configured to point to the local
DNS server which hosts the AD domain. That will probably be the
win2k server itself.
They should NOT be pointing at an ISP's DNS server.
An 'ipconfig /all' on the XP box should reveal ONLY the domain's
DNS server.

( you should use the DHCP server to push out the local DNS server
address. )

2) Ensure DNS server on win2k is configured to permit dynamic updates.

3) Ensure the win2k server points to itself as a DNS server.

4) For external ( internet ) name resolution, specify your ISP's DNS server
not on the clients, but in the 'forwarders' tab of the local win2k DNS
server.

On the DNS server, if you cannot access the 'Forwarders' and 'Root Hints'
tabs because they are greyed out, that is because there is a root zone (".")
present on the DNS server. You MUST delete this root zone to permit the
server to forward unresolved queries to your ISP or the root servers.
Accept any nags etc, and let it delete any corresponding reverse lookup
zones if it asks.


The following articles may assist you in setting up DNS correctly:

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675
HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202
DNS and AD FAQs:
http://support.microsoft.com/?id=291382
 
Ron,
Thank you for your help. The reason why I have this
convoluted setup is to control internet access. As you
deem, I have an internet and an intranet. Most of my users
are not allowed access to the Internet but all have access
to the Intranet. However, (this is where it gets crazy)
some of my users are allowed access to the internet. To
facilitate which users are allowed access and which are
not, I use the DNS setting on the client. Those machines
with access to the internet have the DNS of my ISP and
those that don't have my internal DNS address. Obviously,
my internal DNS does not allow recursion. Thus how I
control internet access.

But now comes my problem. On those XP machines on my
network that are allowed internet access, they are
experiencing a slow down whenever they access any network
resource. This happen especially after a long period of
inactivity. What is obviously happening is the client is
trying to re-authenticate from the server proir to
accessing the resource. All well and good except that it
does not have the ip address of the domain controller. And
the ISP DNS has no record for it either. The client is
then forced to do a NETBIOS call for the server and at
busy periods, is not finding it.

In my reading and research, I have read that LDAP acts as
a mini DNS server on the local client. DNS queries are
first looked up locally and if not found cached there,
will then query the server. I have also read that the host
file is loaded into the client's local cache of the LDAP.
I am wondering if I were to form the entry correctly in
the host file, could I spoof the client's LDAP to think
that it already knows where the domain controller is and
use the local cache for the find? And if that is possible
what would the form of the entry take? Could I place into
the host file the following:

172.22.18.2 _ldap._tcp.dc._msdcs.domainname.com

If I placed the above in the host file, would that work?

What do you think?

Mike
 
[.....]
If I placed the above in the host file, would that work?

What do you think?

Mike


IMHO you are paddling up the wrong creek trying to control Internet access
by sabotaging DNS, and trying to get the AD domain working using HOSTS
files.

It's just the wrong tool for the job.

You need to find a better way of controlling Internet access.

Playing games with DNS is not a good way.
It breaks your AD domain; and it's not very secure.
All the prohibited clients need to do is type in the external DNS and off
they go.
( If they have admin accounts. )

The best way would be to block the prohibited users at the firewall.

Failing that, then why not feed the prohibited clients no default gateway
address?
That would block them as much as your existing scheme, but do less
damage to your Internal AD domain.
Of course, they could type in a Default GW address if they have admin
accounts...

Then have all users point to the Internal DNS, have it permit forwarding,
and block prohibited users at the firewall or by sabotaging their Default
Gateway setting.
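Editor's note, added to the thread as a worked example and not code from either poster: the toy model below runs Ron's two arguments end to end. It mimics the DC locator (an SRV lookup at _ldap._tcp.dc._msdcs.<domain>, then an A lookup for the host the SRV record names) against a client that consults HOSTS first, and it shows why the proposed HOSTS line never helps, what the non-forwarding internal server and the "point everyone at the internal DNS with a forwarder" layout each do, and how a client that can change its own resolver setting walks straight past the DNS-based block. Only the query shape is real; the zone contents, the server objects, www.example.net and the 192.0.2.10 address are constructed for illustration, with 172.22.18.2 and domainname.com taken from Mike's post.

```python
# Added example (not from the thread): a toy model of the Windows DC locator
# and of the split-resolver scheme discussed above. Only the query shape is
# real: an SRV lookup at _ldap._tcp.dc._msdcs.<domain>, then an A lookup for
# the host the SRV record names. The zone contents, the server objects and every
# address except the thread's own 172.22.18.2 are constructed for illustration.

# Constructed zone data. The internal server holds the AD zone, SRV record
# included; the ISP server knows only public names.
INTERNAL_ZONE = {
    ("dc1.domainname.com.", "A"): ["172.22.18.2"],
    ("_ldap._tcp.dc._msdcs.domainname.com.", "SRV"): ["0 100 389 dc1.domainname.com."],
}
ISP_ZONE = {
    ("www.example.net.", "A"): ["192.0.2.10"],  # TEST-NET address, constructed
}


class DnsServer:
    """Authoritative data plus an optional forwarder (None = no recursion)."""

    def __init__(self, zone, forwarder=None):
        self.zone = zone
        self.forwarder = forwarder

    def query(self, qname, qtype):
        answer = self.zone.get((qname, qtype))
        if answer is not None:
            return answer
        if self.forwarder is not None:
            return self.forwarder.query(qname, qtype)
        return []  # no data; a real XP client now waits for a timeout, then tries NetBIOS


def parse_hosts(text):
    """HOSTS lines are 'ip name [name...]'; they can only ever answer A lookups."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower().rstrip(".") + "."] = ip
    return table


class Client:
    def __init__(self, dns_server, hosts_text=""):
        self.dns = dns_server
        self.hosts = parse_hosts(hosts_text)

    def resolve(self, name, qtype):
        if qtype == "A" and name in self.hosts:  # HOSTS wins, but for A records only
            return [self.hosts[name]]
        return self.dns.query(name, qtype)


def locate_dc(client, domain):
    """Mimic the DC locator: SRV first, then A for the chosen target."""
    srv = client.resolve(f"_ldap._tcp.dc._msdcs.{domain}.", "SRV")
    if not srv:
        return None

    def rank(rr):  # lowest priority first, then highest weight
        prio, weight, _port, _target = rr.split()
        return (int(prio), -int(weight))

    _prio, _weight, port, target = sorted(srv, key=rank)[0].split()
    addrs = client.resolve(target, "A")
    return (target, int(port), addrs[0]) if addrs else None


def scenarios():
    internal = DnsServer(INTERNAL_ZONE)  # no forwarding, as in the thread
    isp = DnsServer(ISP_ZONE)
    mikes_hosts = "172.22.18.2 _ldap._tcp.dc._msdcs.domainname.com\n"
    dom = "domainname.com"
    r = {}
    # Internet-allowed client pointed at the ISP: no AD zone there, DC not found.
    r["isp_dns"] = locate_dc(Client(isp), dom)
    # Same client with the proposed HOSTS line: the entry is there as an A
    # record, but the locator asks for SRV, so it never helps.
    with_hosts = Client(isp, mikes_hosts)
    r["hosts_as_a"] = with_hosts.resolve("_ldap._tcp.dc._msdcs.domainname.com.", "A")
    r["isp_dns_plus_hosts"] = locate_dc(with_hosts, dom)
    # Prohibited client on the non-forwarding internal server: DC found,
    # external names fail (the intended "block").
    c = Client(internal)
    r["internal_no_forwarding"] = (locate_dc(c, dom), c.resolve("www.example.net.", "A"))
    # Ron's layout: everyone on the internal server, which forwards to the ISP.
    c = Client(DnsServer(INTERNAL_ZONE, forwarder=isp))
    r["internal_forwarding"] = (locate_dc(c, dom), c.resolve("www.example.net.", "A"))
    # Why DNS is not an access control: a prohibited user who can edit the
    # client's resolver setting simply points it at the ISP and is through.
    r["bypass"] = Client(isp).resolve("www.example.net.", "A")
    return r


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

On a real client the equivalent check is `ipconfig /all` to confirm the configured DNS server, then `nslookup -type=SRV _ldap._tcp.dc._msdcs.domainname.com` against it; if that returns nothing, the DC locator will not find the controller either, however the HOSTS file is written.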
 
One other thought. Is there a way based on group
membership to allow or disallow recursion. If that is
possible, then I can just point all my users to the same
DNS and based on what group they belong to, they will then
be able to see the outside world or not. Again, what are
your thoughts?

Mike
 
