No _msdcs or any other AD DNS entries

Keeper

Dear Group,

I'll try this fast and simple first.

I've set up two networks recently. The first one running a Windows
2000 server and another one running a Windows 2003 server.

The Windows 2000 domain hasn't any known problems with DNS. All of
the AD integration seems to be in place. Under the forward lookup
zone one there's the _msdcs, _sites, _tcp, and _udp records.

In the 2003 domain, there is only the forward lookup zone. It looks
like it's not even AD integrated, but it is. AD cannot communicate
with DNS. The dcdiag.exe tool claims that it cannot resolve the
server's GUID to an IP address. This is because it's not there.

The only differences between the two are that the 2000 domain has a
subdomain to help protect AD from the outside. The 2003 has just the
one primary domain.

Anybody got any ideas? I thought that first I would manually put the
entries in. The other is to uninstall AD and reinstall. This is
painful also and hopefully not necessary. I'm mostly curious as to
how this has happened.

Thanks,

Keeper
 

Kevin D. Goodknecht [MVP]

Win2k3 puts the _msdcs in its own Forward Lookup zone, but from what you are
describing it is not there either.
Post back with an ipconfig /all and the AD domain name from ADUC.
 

Keeper

Dear Mr. Goodknecht Sr. [MVP],

Here's the requested info.

Active Directory Users And Computers - ndcserver.ndcdomain.com

IPCONFIG /ALL

Windows IP Configuration
Host Name . . . . . . . . . . . . : ndcserver
Primary Dns Suffix . . . . . . . : NDCDOMAIN.COM
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : NDCDOMAIN.COM

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)
Physical Address. . . . . . . . . : 00-01-02-CC-42-0A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.192.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.192.1
DNS Servers . . . . . . . . . . . : 64.81.159.2
216.231.41.2

Thank you,

Keeper


Kevin D. Goodknecht [MVP]

You have two major problems, provided that the actual domain name in ADUC is
ndcserver.ndcdomain.com. You should double-check that. At the very top will
be listed the DC you are connected to, then below that will be the AD Domain
name with the domain OUs and directories in it.
If the domain name is ndcserver.ndcdomain.com, this is a disjointed name
space. In that case, you have two choices: remove AD and start over with the
correct domain name, or change the Primary DNS suffix to match that name.
You are probably not going to be able to demote this DC unless you change
the primary DNS suffix to match the current domain name. There is a script
available for fixing the DNS suffix on a Win2k DC; I don't know if it will
work on Win2k3.

Your other problem is a common mistake of using your ISP's DNS in your NIC.
You should only use the IP address of your local DNS server for this domain,
which is usually the DC's address.
 

Keeper

Kevin,

My mistake. The correct domain name as you described in the ADUC is
"ndcdomain.com". To be abundantly clear with sending a screen grab,
the ADUC screen resembles the following:
_________________________________________________________

Active Directory Users and Computers [ndcserver.NDCDOMAIN.COM]
  +Saved Queries
  +NDCDOMAIN.COM
    +Builtin
    +Computers
    +Domain Controllers
    +foreignSecurityPrincipals
    +Users
_________________________________________________________

Also, if you look at the ipconfig.exe /all results, you can see that
the domain is ndcdomain.com.

Are you saying that this isn't the correct suffix? I'm more confused
now than ever.

Keeper
 

Keeper

Oh, Kevin,

One more thing that may be of help. I've been getting something new
in my DNS MMC. There's a "Cached Lookups" zone appearing. I've never
seen this before.

Lastly, thanks for the advice. I've changed my ISP DNS settings on
my NIC. Some bad advice from somebody else. I will just use the
forwarders in DNS to resolve FQDNs.

Thanks again,

Keeper

 

Keeper

Kevin,


Thanks again but I think I fixed it. I deleted the zone and recreated
it. I stopped and started the netlogon service and fixed! All of the
AD DNS resource records appeared. A couple of new ones that I can
only assume are Windows 2003 specific. I also did an ipconfig
/flushdns but I don't think that this did anything.

I'd also like to mention that since I've removed my ISP's DNS servers
from the local server's NICs, I've been getting timeouts, and long
delays on DNS resolution. Usually a hit on the refresh button will
get the page to eventually build. Fix one problem, create another.

Keeper
 

Kevin D. Goodknecht [MVP]

Keeper said:
> Oh, Kevin,
>
> One more thing that may be of help. I've been getting something new
> in my DNS MMC. There's a "Cached Lookups" zone appearing. I've never
> seen this before.

That means that your DNS server is resolving names and caching them.

> Lastly, thanks for the advice. I've changed my ISP DNS settings on
> my NIC. Some bad advice from somebody else. I will just use the
> forwarders in DNS to resolve FQDNs.

It is a pretty common mistake to use an ISP's DNS. A lot of this advice will
come from ISPs; for some reason ISP employees, who themselves do not
understand DNS, will tell you this. Just make sure all domain members use
the DC only for DNS.

Set up a forwarder in DNS to your ISP's DNS; that should be the only
reference to an ISP's DNS in an AD domain.

> My mistake. The correct domain name as you described in the ADUC is
> "ndcdomain.com". To be abundantly clear with sending a screen grab,
> the ADUC screen resembles the following:
> _________________________________________________________
>
> Active Directory Users and Computers [ndcserver.NDCDOMAIN.COM]
>   +Saved Queries
>   +NDCDOMAIN.COM
>     +Builtin
>     +Computers
>     +Domain Controllers
>     +foreignSecurityPrincipals
>     +Users
> _________________________________________________________
>
> Also, if you look at the ipconfig.exe /all results, you can see that
> the domain is ndcdomain.com.
>
> IPCONFIG /ALL
>
> Windows IP Configuration
> Host Name . . . . . . . . . . . . : ndcserver
> Primary Dns Suffix . . . . . . . : NDCDOMAIN.COM
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : NDCDOMAIN.COM
>
> Are you saying that this isn't the correct suffix? I'm more confused
> now than ever.

Actually this is correct; it must match the domain name in ADUC. In your
previous post you said the domain name was ndcserver.ndcdomain.com; in that
case it would be wrong.
Changing DNS to your local DNS server will fix this right up.
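
The two checks discussed in this thread (the primary DNS suffix must match the AD domain name, and the DC's NIC should list only the local DNS server), as an added Python example that is not part of the original posts. The function names are hypothetical, and treating the host's own IP as the only local DNS server is an assumption based on "usually the DC's address".

```python
import re

# ipconfig /all output as posted in this thread, abridged to the fields used.
THREAD_IPCONFIG = """\
Windows IP Configuration
Host Name . . . . . . . . . . . . : ndcserver
Primary Dns Suffix . . . . . . . : NDCDOMAIN.COM

Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 192.168.192.2
DNS Servers . . . . . . . . . . . : 64.81.159.2
216.231.41.2
"""

# "Label . . . . : value"; the value is optional (empty fields, adapter headers).
LINE = re.compile(r"(.*?)[ .]*:(?: (.*))?$")

def parse_ipconfig(text):
    """Map each label to a list of values (single-adapter output assumed)."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line) if line else None
        if m:
            last = m.group(1)
            fields.setdefault(last, [])
            if m.group(2):
                fields[last].append(m.group(2).strip())
        elif line and last:
            fields[last].append(line)   # wrapped value, e.g. a second DNS server
        else:
            last = None                 # blank line or heading ends the field
    return fields

def audit_dc_dns(ipconfig_text, ad_domain, internal_dns=None):
    """Return findings for the suffix mismatch and the non-local DNS servers."""
    f = parse_ipconfig(ipconfig_text)
    findings = []
    suffix = (f.get("Primary Dns Suffix") or [""])[0]
    if suffix.lower().rstrip(".") != ad_domain.lower().rstrip("."):
        findings.append(f"primary DNS suffix {suffix} does not match AD domain {ad_domain}")
    # Assumption: the DC runs DNS itself, so its own address is the only allowed server.
    allowed = set(internal_dns or f.get("IP Address") or f.get("IPv4 Address") or [])
    for server in f.get("DNS Servers", []):
        if server not in allowed:
            findings.append(f"NIC uses non-local DNS server {server}")
    return findings

if __name__ == "__main__":
    for finding in audit_dc_dns(THREAD_IPCONFIG, "ndcdomain.com"):
        print(finding)
```

Pass the domain name shown in ADUC as `ad_domain`; with the thread's output, the suffix check passes for `ndcdomain.com` and only the two ISP resolvers are reported.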
 
