Win2k AD DNS and VPN's oh my..

Will

Hi folks, thanks in advance for any help.
BACKGROUND:
A friend of mine and I set up a test domain at home. I set up a Windows 2000
Advanced Server box with a domain of testprep.mcse.
I configured DNS and DHCP so that my network is happy and all clients in my
home can get addresses and get to the web and ping and resolve and all the
happy things PCs do on a network. (192.168.1.x) (255.255.255.0) is my
range/site.
I then set up a VPN server for my friend to connect to (same box as AD DNS
and my DHCP).

Once connected he (also on Win2k Advanced Server) ran DCpromo and joined up
as a 2nd DC on the same domain, no sub-domain. He has set up DHCP for his
home. (192.168.2.x) (255.255.255.0) is his range/site. We ran a few tests
(ping, AD replication, DNS ADI zone replication, file shares, remote
management) and his DC seems to be connected to my domain just fine.

PROBLEM:
He now tries to add PCs in his site to the domain. He is told that the
domain testprep.mcse is not valid or cannot be found in DNS.
We tried using netdiag /fix with no solution. We deleted his forward lookup
zone and recreated it. Ran ipconfig /registerdns on his server. He is
pointing to himself for DNS so it did add a SRV record for his LDAP. We
again ran NETDIAG /FIX.

Here is the log:
The DNS test section is what catches my eye. Any ideas?

......................................

Computer Name: STIMSON-DC
DNS Host Name: stimson-dc.testprep.mcse
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 0 Stepping 0, CyrixInstead
List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : stimson-dc.testprep.mcse
IP Address . . . . . . . . : 192.168.2.104
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.2.1
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . : 192.168.2.104
204.127.204.8
216.148.227.204


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Skipped
NetBT is disabled on this interface. [Test skipped]

WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].

Adapter : {B46AD091-4D55-4656-BFFD-B1928170ED7A}

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : stimson-dc.testprep.mcse
IP Address . . . . . . . . : 192.168.1.202
Subnet Mask. . . . . . . . : 255.255.255.255
Default Gateway. . . . . . : 192.168.1.202
Dns Servers. . . . . . . . : 216.148.227.79
192.168.1.5
192.168.1.5


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{B46AD091-4D55-4656-BFFD-B1928170ED7A}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'stimson-dc.testprep.mcse.'. [RCODE_SERVER_FAILURE]
The name 'stimson-dc.testprep.mcse.' may not be registered in
DNS.
PASS - All the DNS entries for DC are registered on DNS server
'192.168.2.104'.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{B46AD091-4D55-4656-BFFD-B1928170ED7A}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{B46AD091-4D55-4656-BFFD-B1928170ED7A}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'TESTPREP' is broken.
[ERROR_NO_LOGON_SERVERS]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Passed
Entry Name: Ohio
Device Type: Framing protocol : PPP
LCP Extensions : Disabled
Software Compression : Enabled
Network protocols :
NetBEUI
IPX
TCP/IP
IP Address : Specified
Name Server: Specified
IP Header compression : Enabled
Use default gateway on remote network : Enabled

Connection Statistics:
Bytes Transmitted : 138335
Bytes Received : 1270059
Frames Transmitted : 1182
Frames Received : 1477
CRC Errors : 1477
Timeout Errors : 0
Alignment Errors : 0
H/W Overrun Errors : 0
Framing Errors : 0
Buffer Overrun Errors : 0
Compression Ratio In : 62
Compression Ratio Out : 8
Baud Rate ( Bps ) : 10000000
Connection Duration : 296717


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.


The command completed successfully

Kevin D. Goodknecht Sr. [MVP]

Will said:
Here is the log:
The DNS test section is what catches my eye. Any ideas?
Yes.
Remove all external DNS entries from all interfaces, no matter which way the
interface points, use only the internal DNS.
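As an added check that is not part of the thread (my script, not the posters'): it parses netdiag output in the layout shown above and reports every interface whose DNS server list includes a public address (the entries the reply above says to remove), together with any test marked Failed and any [FATAL]/[WARNING] line. The sample log is a constructed excerpt that reuses the addresses quoted in the thread.

```python
import ipaddress
import re

# Constructed excerpt in netdiag's layout; the addresses are the ones in the thread.
SAMPLE_LOG = """\
Adapter : Local Area Connection
Dns Servers. . . . . . . . : 192.168.2.104
204.127.204.8
216.148.227.204

Adapter : {B46AD091-4D55-4656-BFFD-B1928170ED7A}
Dns Servers. . . . . . . . : 216.148.227.79
192.168.1.5

DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the name
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'TESTPREP' is broken.
"""

# The first server sits on the "Dns Servers" line; netdiag prints the rest one per line.
DNS_RE = re.compile(r"^Dns Servers[ .]*:\s*(\S+(?:\n\d{1,3}(?:\.\d{1,3}){3})*)", re.M)
TEST_RE = re.compile(r"^(.+?)[ .]+:\s*(Passed|Failed|Skipped)\s*$")
ALERT_RE = re.compile(r"^\[(FATAL|WARNING)\]\s*(.*)$")


def dns_servers_per_adapter(log):
    """Return {adapter name: [dns server, ...]} from the per-interface section."""
    result = {}
    for block in re.split(r"^Adapter\s*:\s*", log, flags=re.M)[1:]:
        adapter, _, body = block.partition("\n")
        m = DNS_RE.search(body)
        result[adapter.strip()] = m.group(1).split() if m else []
    return result


def external_dns_servers(log):
    """Adapters that list a public (ISP) resolver: the entries the reply says to remove."""
    findings = {}
    for adapter, servers in dns_servers_per_adapter(log).items():
        public = [s for s in servers if ipaddress.ip_address(s).is_global]
        if public:
            findings[adapter] = public
    return findings


def failed_tests_and_alerts(log):
    """Tests reported Failed, plus every [FATAL]/[WARNING] line as (tag, text)."""
    failed, alerts = [], []
    for line in log.splitlines():
        m = TEST_RE.match(line)
        if m and m.group(2) == "Failed":
            failed.append(m.group(1).rstrip(" ."))
        m = ALERT_RE.match(line)
        if m:
            alerts.append((m.group(1), m.group(2)))
    return failed, alerts
```

Run `external_dns_servers(open("netdiag.txt").read())` against a saved `netdiag /v` log; on the thread's log it flags both the LAN adapter and the VPN adapter, which is why the join fails even though the DNS test itself says Passed.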

Will

We tried this and went a step further. We severed the VPN, removed his DNS
service totally (Add/Remove), reinstalled, and he created a new Primary (non
ADI) zone for the domain on his DNS. We verified that his SRV records were
in, even ran netdiag /fix for good measure, no luck. Same error. This is
making us nuts.


Kevin D. Goodknecht Sr. said:
Will said:
Here is the log:
The DNS test section is what catches my eye. Any ideas?
Yes.
Remove all external DNS entries from all interfaces, no matter which way the
interface points, use only the internal DNS.

Kevin D. Goodknecht Sr. [MVP]

Will said:
We tried this and went a step farther. We severed the
VPN, removed his DNS service totally (add/remove)
reinstalled and he created a new Primary (non ADI) zone
for the domain on his DNS. We verified that his SRV
records were in, even ran netdiag /fix for good measure,
no luck. Same error. This is making us nuts.

Do this: leave the VPN connected, point the remote DC to this DC for DNS
only. Convert the zone on this DC to Standard Primary (not stored in AD),
with dynamic updates set to Yes on Win2k. Use the DNS management console to
connect to the other DC and delete any zone for the AD domain from it.
Use ADU&C to connect to each DC, expand to the System\MicrosoftDNS container
and delete any zone objects from the container.
With the remote DC still using this DNS server and this DC using only its
own address for DNS, run this command on both DCs:
net stop netlogon & net start netlogon & ipconfig /flushdns & ipconfig /registerdns
Then run netdiag /fix on both DCs and look for errors.

If the DNS registration errors are gone, convert the primary zone to AD
integrated and wait for it to replicate to the remote DC. Do NOT manually
create the zone on the remote DC; let this zone replicate to it. Creating a
zone for this domain on the other DC, of any type, will cause a zone
conflict with the zone in AD.

Will

Okies, prior to your reply (great info btw) we did some more testing with
netdiag and dcdiag. We are now able to connect PCs on his home network to
the domain, except one of them. It is a Win2k Pro box. At first it had a
static IP, 192.168.2.100, subnet 255.255.255.0, gateway of 192.168.2.1 and DNS
of 192.168.2.104 (his DC/DHCP/DNS). We have tried letting it pull an IP from
DHCP; it gets 192.168.2.10 and all other scope options are the same as listed
above. Other PCs on his domain joined OK with static IPs. The problem PC
gives the error "The specified domain does not exist or could not be
contacted". Odd that other PCs have no issue finding it. This PC can ping
the server, and can be pinged from the server. No firewall is up. It
registers in DNS (I guess DHCP may have done that).

Kevin D. Goodknecht Sr. [MVP]

Will said:
Okies prior to your reply, great info btw, we did some
more testing with netdiag and dcdiag. We are now able to
connect PC's on his home network to the domain, except
one of them. It is a win2k pro box. At first it had a
static IP, 192.168.2.100 subnet 255.255.255.0 gateway of
192.168.2.1 and DNS of 192.168.2.104 (his DC/DHCP/DNS)

He has a DNS server on his home network?

If he does let him pull a secondary zone from yours.

Will

Thanks for all the help, both DNS servers are hosting a zone for
testprep.mcse and they are both ADI. Things seem to be working well, for
now.